Breaches and hacks can affect any network in any organization, and that is truer now than ever, given the pace at which black-hat hackers and other malicious actors are devising new exploits for existing vulnerabilities and, occasionally, brand-new zero-day attacks. According to the Identity Theft Resource Center, the 846 data compromises recorded in the first half of 2021 amounted to 76 percent of the total for all of 2020, and the second quarter of 2021 saw 38 percent more breaches than the first.
The specific vectors and causes of breaches and cyberattacks vary widely. But it is increasingly common to see cyberthreats strike organizations that have relied for too long on legacy applications or hardware. Java-based apps can be particularly vulnerability-prone, but they are not the only source of such weaknesses.
Major vulnerabilities in common applications
A comprehensive report by Security Boulevard, covering vulnerabilities affecting many organizations throughout 2021, found that the share of application vulnerabilities rated "Critical" or "High" by RiskScore rose from 38% in March-April to 41% in May-June.
Java was a notable factor in many of these hazards, including custom-code vulnerabilities (which affected nearly all applications examined in the report) and flaws that led to attacks on the application layer. Java apps were more often affected by serious vulnerabilities than .NET apps during May and June of 2021, at 28% versus 24% respectively (each figure a single percentage point higher than for March and April of 2021).
What IT personnel, cybersecurity team members and company leaders might find especially alarming is the frequency with which legacy Java applications were targeted by specific, particularly hazardous classes of attack. The Security Boulevard report determined that more than 75% of Java apps had been targeted by SQL injection, XSS, broken access control and command injection attacks. By contrast, although 84% of .NET applications were targeted by broken access control attacks during May and June of 2021, these apps were much less frequently hit with SQL injection and the other attack types to which Java apps had proved so exposed.
Linux becomes a legacy hazard
While Linux has never approached Windows or macOS in desktop market share, the open-source operating system has had a dedicated user base since the early 1990s and is ubiquitous on servers. (Google's Chrome OS, which runs on the company's Chromebook laptops, is based on Linux, and the system is also the foundation of nearly all of the supercomputers used across a wide variety of scientific fields.)
But the very nature of technology means that everything becomes "legacy" at some point; it is only a question of how long that takes. According to Trend Micro's Linux Threat Report covering the first half of 2021, older distribution releases are beginning to pose noteworthy security risks: researchers compiling the report found that 44% of all threat detections on Linux systems hit CentOS, specifically versions 7.4 through 7.9. CentOS 7 debuted in 2014; CentOS 8 followed in 2019, and Red Hat ended full support for the RHEL 7 code base that CentOS 7 tracks in August of that year. Note that CentOS 7 kept receiving maintenance (security) updates until June 30, 2024, so a host still reporting 7.4, a release from 2017, was not unsupported in 2021, merely unpatched for years. The detections point at missed updates at least as much as at end-of-life software.
CentOS Linux, across all of its releases, was also the Linux distribution where Trend Micro analysts most often found detections belonging to the top four malware families affecting Linux: coinminers, web shells, ransomware and trojans. About 51% of affected CentOS systems had been hit with one or more of these families. Meanwhile, such hazards affected 31% of CloudLinux Server deployments. Ubuntu, one of the most frequently updated Linux distributions, was relatively unaffected by comparison, with only 9.56% of its systems suffering detections from those malware families.
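The first step toward the risk the Trend Micro figures describe is knowing which hosts run a release that has already passed, or is about to pass, its end-of-life date. The POSIX shell script below is an added example, not code from the page or from Trend Micro: it parses the `ID` and `VERSION_ID` fields of `/etc/os-release`, looks them up in a small table of published CentOS end-of-life dates (CentOS 6: 2020-11-30, CentOS 7: 2024-06-30, CentOS Linux 8: 2021-12-31) and reports each host as EOL, SUPPORTED or UNKNOWN as of a reference date. The three sample os-release files are constructed inline so the script runs offline; on a real fleet you would point `classify` at `/etc/os-release` on each host and extend the table with the distributions you actually run.

```shell
#!/bin/sh
# Added example (not from the page): flag hosts whose distribution release is
# past its published end-of-life date, based on /etc/os-release.
# The EOL table covers CentOS only; the sample files below are constructed.

# eol_date ID VERSION_ID -> prints the EOL date (YYYY-MM-DD) or "unknown"
eol_date() {
    case "$1:$2" in
        centos:6*) echo "2020-11-30" ;;
        centos:7*) echo "2024-06-30" ;;
        centos:8*) echo "2021-12-31" ;;   # CentOS Linux 8, not CentOS Stream
        *)         echo "unknown"    ;;
    esac
}

# os_field FILE KEY -> prints the value of KEY=... from an os-release file,
# with surrounding double quotes removed (os-release allows both quoted and
# unquoted values, e.g. ID="centos" and ID=ubuntu).
os_field() {
    sed -n "s/^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}\$/\1/p" "$1" | head -n 1
}

# classify FILE TODAY -> prints "EOL ...", "SUPPORTED ..." or "UNKNOWN ...".
# Dates are compared as YYYYMMDD integers, so no date(1) dependency is needed.
classify() {
    id=$(os_field "$1" ID)
    ver=$(os_field "$1" VERSION_ID)
    eol=$(eol_date "$id" "$ver")
    if [ "$eol" = "unknown" ]; then
        echo "UNKNOWN $id $ver"
    elif [ "$(echo "$eol" | sed 's/-//g')" -lt "$(echo "$2" | sed 's/-//g')" ]; then
        echo "EOL $id $ver (since $eol)"
    else
        echo "SUPPORTED $id $ver (until $eol)"
    fi
    return 0
}

# Constructed sample files standing in for /etc/os-release on three hosts.
SAMPLES=$(mktemp -d)
printf 'NAME="CentOS Linux"\nID="centos"\nVERSION_ID="7"\n' > "$SAMPLES/centos7"
printf 'NAME="CentOS Linux"\nID="centos"\nVERSION_ID="8"\n' > "$SAMPLES/centos8"
printf 'NAME="Ubuntu"\nID=ubuntu\nVERSION_ID="22.04"\n' > "$SAMPLES/ubuntu"

# Report every sample as of a fixed reference date so the output is stable.
for f in "$SAMPLES"/*; do
    classify "$f" 2024-07-01
done
```

Because the script keys on `ID` and `VERSION_ID` rather than on the `NAME` string, it will not be fooled by a rebranded `PRETTY_NAME`, but it also treats anything outside its table as UNKNOWN rather than guessing, which is the safer failure mode for an inventory check.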
Manufacturers less likely to offer patches for legacy software or hardware
IT admins are used to computer and software companies ending support for older operating systems and applications. They prepare for it and transition to new versions as far in advance as possible. A manufacturer declining to patch a critical vulnerability in a product that is still widely deployed is more surprising. According to an advisory released Aug. 18, 2021, Cisco Small Business RV-series routers (specifically the RV110W, RV130, RV130W and RV215W) are affected by a critical vulnerability in their UPnP service that could allow an unauthenticated remote attacker to execute arbitrary code or force the device to reload, which amounts to a denial of service. Because the models had reached end of life, Cisco stated it would not release a fix; the practical mitigation is to disable UPnP on the LAN interface (it is off by default on the WAN side) and to migrate to a supported model.
In an interview with Teiss, Dean Ferrando, lead systems engineer for Tripwire's EMEA-region operations, noted that most businesses using legacy devices aren't solely relying on them, but rather keeping them running in the background as last-ditch support for newer tools. Nevertheless, the older products still pose risks. The importance of moving away from legacy systems and devices cannot be overstated, given the cyberattack risks they pose.