Sergey Nivens -

Hackers embrace 5-day workweeks, unpatched vulnerabilities

Bad guys are taking the weekends off too, according to Barracuda Networks, and old bugs that should have been patched months ago continue to be the most-targeted vulnerabilities.

Just as many office workers tend to log off on the weekend, the attackers targeting enterprise networks prefer to operate during the workweek while focusing on unpatched vulnerabilities.

New research from security vendor Barracuda Networks found that Monday through Friday are by far the most common days for cyber attacks as criminals also prefer to keep normal operating hours.

"Earlier we saw that bots follow the course of a workday to perform their attacks, and now we also see the pattern that the workweek is the same whether you are an attacker or a defender," Barracuda said in its report.

"Both these insights show that most attackers seem to take the weekend off, even when running automated tasks," according to Barracuda.

The schedule, it seems, is less about maintaining work-life balance than it is about hiding in plain sight. The researchers believe that by limiting their attacks to times when workers are online, hackers can better traverse networks with less risk of being spotted or raising alarms.

Big bugs lingering

Despite having been out of the news cycle, major unpatched vulnerabilities publicized earlier this year remain extremely popular with attackers. Among the top targets for exploitation over recent months has been CVE-2021-26855, the Microsoft Exchange server-side request forgery bug exploited by a Chinese threat group dubbed Hafnium.

The researchers believe that by limiting their attacks to times when workers are online, hackers can better traverse networks with less risk of being spotted or raising alarms.

While Microsoft publicized the flaw and issued a patch for the bug and three other related vulnerabilities in March, enough companies and users are far enough behind on their patch installation that criminals continue to probe for the flaw as an exploit target. The White House this week formally attributed the initial Exchange Server attacks to the Chinese government, but security researchers have warned that other threat groups and cybercriminals have targeted and exploited the flaws.

Similarly, the Barracuda researchers noted heavy levels of scanning for CVE-2021-21972, a remote code execution flaw in VMware vCenter Server. Despite having been patched in February, the bug continues to be a reliable one for those looking to gain a foothold within a network.

While getting security patches installed as quickly as possible remains a recommended best practice, the Barracuda team noted that it is not always so simple, particularly for larger networks; organizations need to test patches and downtime for critical servers can be hard to schedule.

"These two data points show that software vulnerabilities, especially hard-hitting ones, continue being scanned for and exploited for quite some time after the release of patches and mitigations," Barracuda noted. "Attackers understand that defenders don't always have the time or bandwidth to keep up with patches all the time and things slide -- providing them with an easy way into the network."

Next Steps

Four-day workweek reactions range from warm to cool

Dig Deeper on Application and platform security

Enterprise Desktop
  • Understanding how GPOs and Intune interact

    Group Policy and Microsoft Intune are both mature device management technologies with enterprise use cases. IT should know how to...

  • Comparing MSI vs. MSIX

    While MSI was the preferred method for distributing enterprise applications for decades, the MSIX format promises to improve upon...

  • How to install MSIX and msixbundle

    IT admins should know that one of the simplest ways to deploy Windows applications across a fleet of managed desktops is with an ...

Cloud Computing