Attack Surface Analysis Of Lebanon - 761 Critical Vulnerabilities

Summary of Findings

The Lebanon Cybersecurity Empowering Research Team hereby presents its fourth attack surface evaluation of the Lebanese Internet perimeter.
Twenty-five critical software vulnerabilities were selected, based on their High or Critical CVSS rating and on the fact that they are being actively exploited by threat actors. 612,608 IP addresses (all IP addresses assigned to Lebanon), 27,473 main domains (all main domains ending in com.lb, net.lb, edu.lb, org.lb and gov.lb, plus additional main domains gathered from Lebanese business databases) and 45 ports were analyzed. This yielded 105,853 live IP addresses and 198,354 domains, on which reconnaissance for the selected vulnerabilities was performed.
The study covers the second half of 2021 (Q3 and Q4) and primarily identifies systems that were vulnerable during that period. It found 761 vulnerable systems, affecting the majority of Lebanon's sectors, with Consumer Discretionary, followed by Industrials and Health Care, being the most impacted.

Key Takeaways

The key takeaways of this attack surface evaluation are as follows.

  • Critical Vulnerabilities: More than 50% of the vulnerabilities discovered in the first half of the year ("old" vulnerabilities) are still open. This holds in particular for business servers and network security devices, despite notification by our team. Worse, new systems suffering from these old vulnerabilities have appeared. 
    In addition, the results for the second half of the year show that Lebanon is heavily affected by newer vulnerabilities (e.g., those in Cisco ASA VPN, Microsoft Exchange and Log4j). These affect sectors that serve citizens directly, such as Consumer Discretionary and Health Care. Moreover, the majority of the affected systems (more than 89%) are hosted on Lebanese territory, so there is a non-negligible probability that they are connected internally to other Lebanese systems, which would further raise the criticality at the national level.

  • Compliance Violations: The large amount of unpatched software is noteworthy with respect to security compliance, and confirms the first takeaway. The relatively large number of unencrypted logins raises a further question mark. Such credentials are sent from the user's browser to the target server in cleartext, traversing every network element on the path, so anyone with access to one of those elements can read this sensitive data.
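
The unencrypted-login finding above can be reproduced with a simple passive check on a fetched login page. The following is an added example written for this article, not code from the research team: it parses HTML for forms containing a password field and flags a form when its resolved action URL uses plain http:// (credentials travel in cleartext) or when the page itself is served over HTTP (an on-path attacker can rewrite the form before the user sees it). The page URLs and HTML snippets are constructed for the example and do not refer to real systems.

```python
"""
Detect login forms that would send credentials in cleartext.

Added example for this article (not the research team's tooling). It inspects
already-fetched HTML, so it is as passive as the unauthenticated scans described
in the report: nothing is submitted to the target.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect {"action": str, "password": bool} for every <form> in a page."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A missing or empty action means "submit to the current page URL".
            self._current = {"action": attrs.get("action") or "", "password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "text").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def find_cleartext_logins(page_url, html):
    """Return one (action_url, reason) finding per exposed login form.

    reason is 'action_over_http' when the credentials themselves would be
    posted over plain HTTP, or 'page_over_http' when the action is HTTPS
    but the page carrying the form was served over HTTP.
    """
    parser = _FormCollector()
    parser.feed(html)
    parser.close()

    findings = []
    page_scheme = urlsplit(page_url).scheme.lower()
    for form in parser.forms:
        if not form["password"]:
            continue  # no password field: not a login form, out of scope
        action_url = urljoin(page_url, form["action"])
        action_scheme = urlsplit(action_url).scheme.lower()
        if action_scheme == "http":
            findings.append((action_url, "action_over_http"))
        elif page_scheme == "http":
            findings.append((action_url, "page_over_http"))
    return findings


# Constructed sample pages (hypothetical hosts, not real Lebanese systems).
SAMPLES = {
    "http://portal.example/login": """
        <form method="post" action="/auth">
          <input name="user" type="text"><input name="pass" type="password">
        </form>""",
    "http://intranet.example/": """
        <form method="post" action="https://sso.example/login">
          <input name="u"><input name="p" type="PASSWORD">
        </form>""",
    "https://secure.example/login": """
        <form method="post" action="/auth">
          <input name="user"><input name="pass" type="password">
        </form>
        <form action="/search"><input name="q"></form>""",
}


def scan_samples(samples=SAMPLES):
    """Run the check over every sample page; returns {page_url: findings}."""
    return {url: find_cleartext_logins(url, html) for url, html in samples.items()}


if __name__ == "__main__":
    for url, findings in scan_samples().items():
        for action, reason in findings:
            print(f"{url}: {reason} -> {action}")
```

A real scan would fetch the page over the discovered port first; this check deliberately stops at parsing so that it never submits credentials or otherwise interacts with the login endpoint.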

Perhaps more alarming than the points above is that the results are nearly identical to those of the previous study (with only slight differences in the ratios), despite the notification campaign carried out by our team. This raises serious concerns about cyber security awareness in Lebanon and underlines the need for a national body that keeps stakeholders informed about new security vulnerabilities so that they can be addressed appropriately and in a timely manner.

We therefore consider this study and the previous ones a first practical step towards a more secure cyber space in Lebanon. We invite all concerned parties in the governmental and private sectors to collaborate with these efforts, or to build on them, in order to lay the foundation for an integrated Lebanese cyber security framework.

Ethical Considerations

We take various steps to follow research best practices during our attack surface analysis. Among other measures, we adhere to the following.

  • Scan: The Lebanon Cybersecurity Empowering Research Team performs only unauthenticated scans of systems exposed to the Internet. The scan itself is not intrusive and does not cause any denial of service, denial of access, or risk of business interruption. 
  • Data Collection: Information systems are queried on a quarterly basis, typically looking for open ports and Internet-facing system information on the discovered ports.
  • Information Sharing: Sensitive collected information is made available only to the system owners and is not shared with any third party other than law enforcement.
