Our Blog

Palo Alto Networks XPanse Attack Surface Threat Report

4 Nov 2022

XPanse Surface Threat Report

Even lower-skilled attackers can perform a rough scan of the internet to uncover assets ripe for compromise. While some may take a shot at breaching that exposure, far more enterprising threat actors sell this scan data on the dark web to bidders who can then launch more sophisticated attacks.

Luckily, attackers aren’t the only ones able to scan the entire internet and discover exposures —Cortex Xpanse can too. To help organizations fight fire with fire, the Xpanse research team studied the public-facing internet attack surface of some of the world’s largest organizations.

The XPanse Research 2022 Takeaways 

What follows are key findings on the state of the global attack surface based on observed scan data, not self-reported surveys, to help organizations find exposures before adversaries do. The team monitored scans of 50 million IP addresses—over 1% of the entire internet—associated with 100+ global enterprises to understand how quickly adversaries can identify vulnerable systems for fast exploitation.

Takeaways 1 through 5 were based on data collected from March 2021 to September 2021, while part of takeaway 5 and all of takeaway 6 were based on data collected from December 2021 to June 2022. Here is a summary of the key findings:

  • Cloud continues to be a big target.
  • Low-hanging fruit continues to hang.
  • End-of-life software means end-of-life for your security.
  • Issues are complex and unique across industries.
  • What is new becomes old on attack surfaces.
  • RDP and cloud exposures are persistent.

Key Findings

The data continues to show that overall cloud issues continue to be a problem, and so do exposed RDP servers. When looking at fundamental issues of poor security, the team discovered a troubling amount of exposures in administrative login pages as well as in internet-facing end-of-life (EOL) software. According to the data, risks and exposures are persistent because modern attack surfaces are inherently dynamic, constantly shifting, moving, and growing. All too often, this means without the right visibility and processes, more threats arise as you remediate current issues.

The Takeaways from the XPanse report:

Takeaway 1: Cloud continues to be a BIG target.

According to 2021 data, just under 80% of all observed issues were present in cloud infrastructures, and this increased to 91% of all observed issues in the data gathered from December 2021 to June 2022. This should come as no surprise given the aggressive move to the cloud that was accelerated by the pandemic.

The sheer volume of issues found on the cloud as opposed to on-premises indicates that deploying to the cloud is easy to do but difficult to secure. There are myriad reasons for this, from cloud assets being created outside of security controls to insecure defaults, or just the sheer amount of assets in the cloud that can overwhelm under resourced security teams. The cloud is the modern attack surface in a microcosm: moving and changing at such a rapid pace that traditional security practices often can’t keep up.

Takeaway 2: Low-hanging Fruit Continues to Hang

If an attacker is looking for an open door, they often don’t need to look very far. On the internet, leaving an administrative login page exposed publicly is akin to having a neon sign inviting attackers to knock.

Nearly one out of every four issues we found on the attack surface was related to an exposed RDP server, but even looking at the second most common issue, networking and security, the end result was often an exposed system administration login portal.

 In the case of RDP, breaching that exposed login gives an attacker rights equivalent to logging in with legitimate user credentials. The networking and security-related issues revealed IT admin portals, which would give an attacker even more privileges and access to an organization’s core networking infrastructure. Beyond that, Xpanse research uncovered over 700 unencrypted login pages for several IT services that were unencrypted and publicly exposed to the internet.

Unencrypted logins make it dramatically easy for attackers to steal credentials, so organizations should identify these and shut them down. If those same credentials can be used on another exposed portal, that just makes the attacker’s job all the easier.

 But any exposed portal leaves an organization open to simple brute-force attacks if multifactor authentication isn’t used, and in the case of unpatched systems, they can be accessed by exploiting known vulnerabilities. Worse, these exposures are preventable by placing these login portals behind a VPN or firewall.

Close to 3,000 database storage and analytics systems were also frequently left exposed to the public internet. These systems can contain critical customer data or intellectual property and were never meant to be accessed from the public internet, but these were still showing up likely on account of accidental misconfigurations.

Research also uncovered over 2,500 critical building control systems (BCS) accessible from the public internet, which indicates that in a remote-first world, organizations should be not only concerned about their IT assets but also their Operational Technology (OT) assets. These assets are frequently operated and managed by facilities or office divisions and are thus not necessarily tracked or monitored by IT security systems.

Takeaway 3: End-of-Life Software means End-of-Life for your Security

If exposed remote access or remote login protocols are like neon signs inviting attackers to knock, end-of-life software is like leaving your valuables in a straw house in autumn. It may survive the rainy season if it was well-built, but winter is coming, and no one is around to patch all the inevitable holes. During the course of observation, the team saw organizations across industries running end-of-life versions of software.

Additionally, organizations are still running unpatched versions of software with active observed exploits. Despite patches being available for between four and five months at the time of detection, Xpanse research discovered the following based on the application’s self-reported version:

  • 11,511 instances of Apache Web Servers running unsecured on the public internet were vulnerable to CVE-2021-41773 and CVE-2021-42013
  • 2,700 instances were vulnerable to CVE-2021-26084 (Atlassian Confluence)
  • 74% of instances of Zoho ManageEngine ServiceDesk Plus software (3,400 total) were vulnerable to two critical CVEs (CVE-2021-44077 and CVE-2021-44526), one of which was actively being exploited in the wild.

Exploits like these can allow malicious actors to gain access to a victim’s network, escalate privileges, move laterally, and execute remote code.

Business Impact Takeaway:

 Attackers don’t need to preselect victims because it is all too easy to find exploitable weaknesses, and nothing presents more weaknesses than end-of-life software. There is no reason why any asset running end-of-life software should ever be internet-facing. If an asset cannot be updated to secure versions of software, it should be isolated or decommissioned altogether.

The opportunist attacker can find potential victims by simply scanning the internet for assets or services exposed to accidents or misconfigurations. Organizations need to automatically discover end-of-life software, misconfigurations, and unknown assets to identify all non-zero-day vulnerabilities on their attack surface.

Takeaway 4: Issues Are Complex and Unique Across Industries

Common security wisdom often results in something like victim-blaming, where organizations are asked to consider why you might be the target of an attacker. Adversaries may want your data if you’re in financial services, or they might know you’re more likely to give in to demands because to risk downtime would extoll a cost far too high, such as in healthcare.

Knowing why you might be a target should help in terms of isolating data and systems that don’t need to be publicly accessible, but when it comes to internet-connected devices, the more important task is to identify exposures and vulnerabilities. So, from an attacker’s perspective, organizations are often more similar than different.

Xpanse research showed similar types of issues across industries, but what issues were most common varied dramatically. So, organizations often had exposures falling into some combination of RDP server exposures, networking and security, or data storage and analytics, but the specific details regarding assets, types of exposure, and the reasons why they might be targeted by an attacker make situations unique.

Looking at industry verticals in broad terms, there are two general reasons why attackers might target certain organizations: operational disruption or stealing high-value data. The first category includes industries like utilities and energy, healthcare, transportation, and logistics, and (sometimes) wholesale and retail. The aim of attackers here is to disrupt or threaten to disrupt the business operations of the organizations, either under political motives or because attackers hope the ransom demanded is a substantially smaller loss for the organization to incur than the disruption caused or threatened.

Takeaway 5: What Is New Becomes Old on Attack Surfaces

If we’ve imparted nothing else up until this point, it should be that the global attack surface is a living thing that grows and changes constantly. This highlights a reality for security practitioners, which is that the work is never done. Worse, the work that doesn’t get done becomes a seemingly insurmountable backlog of issues and exposures.

The unfortunate truth of attack surfaces is that there is a constant stream of new issues—new vulnerabilities, changing configurations leading to exposure, expiring certificates, etc.—and each one of those new issues that aren’t fixed then becomes the low-hanging fruit discussed in takeaway 2.

 In the initial study of the global attack surface in 2021, we focused on the four specific vulnerabilities which had observed exploits in the wild and were mentioned in several federal advisories:

  • Insecure Apache Web Server
  • Insecure Microsoft Exchange Server
  • Insecure Microsoft IIS Web Server


During the course of analysis of these four issue types, the team observed them on an unmanaged attack surface over the course of a month. These four issue types only constitute a small sliver (<1%) of the overall issue types seen on an attack surface. So, as part of new research based on data collected from December 2021 through June.

2022, the team widened the scope to look at the rate at which all new issues of high and critical severity were discovered on attack surfaces.

The team discovered that regardless of the industry, new issues are constant; not one industry studied showed success in reducing its attack surface.

Secure IT Consult (SITC) works with Palo Alto Networks to provide both licensing and professional services across the entire Palo Alto Networks portfolio, and their solution range, and SITC can provide everything you need from start to finish on your cybersecurity projects; installation, integration, planning, deployment, and managed services – everything you need for your cybersecurity and cloud computing in one partner, with Palo Alto Networks Consultants capable of delivering the whole range.

With SITC, you can find Security Consultants with the capability to deliver for your cybersecurity solutions across a wide range of scenarios and projects, to the highest standards, in every way. For all things Palo Alto Networks, look no further than SITC.