Beyond CVEs: 5 Real-World Cyberattacks Due to Non-CVEs & How to Not Be the Next One

Amazon. Citrix. T-Mobile. NASA. Microsoft. What do these big names have in common?

Each of them experienced a cyberattack that they could never see coming!

But hey, aren’t cyberattacks pretty common nowadays? Unfortunately, yes.

Cyberattacks have become the bane of every security professional out there, but the type of cyberattack experienced by these enterprises was not your usual cup of tea.

So, what was different? How did cyber attackers breach these organizations?

‘Risks beyond CVEs’ is the answer.

Previously, software vulnerabilities were the biggest culprits and the point of exploitation for cyber attackers. But times have changed, and with digital transformation on the rise, cyberattackers find different ways to enter and exploit your network.

Leveraging risks beyond CVEs, like misconfigurations, exposures, anomalies, and missing patches, hackers can cause devastating damage to you and your enterprise.

In this ebook, we’ll take you through 5 of the biggest cyberattacks that happened due to risks beyond CVEs and how you can prevent similar attacks from happening to you.

Are non-CVEs Real Threats to Your Infrastructure? Yes!

In today’s digitally transformed world, do you still think hackers are exploiting CVEs alone?

Here’s an alarming statistic from our survey with ESG, in which we interviewed more than 350 security professionals: 31% of all respondents experienced a ransomware attack where a security misconfiguration was the initial point of attack.

The threat from security risks beyond CVEs is real, and it's just the beginning.

Hackers are increasingly focusing on overlooked areas like misconfigurations, exposures and anomalies. One reason attackers target these risks is that awareness of them is low: non-CVE risks often slip through traditional vulnerability management processes, so attackers can exploit them with minimal resistance.

Let’s dig into 5 of the biggest attacks that happened due to the exploitation of non-CVEs and understand the entire process.

A Deep Dive into 5 Real-world Cyberattacks Due to Risks Beyond CVEs

The Citrix Attack

In 2019, Citrix was targeted in an attack that led to the exposure of sensitive data, despite no CVE-listed vulnerabilities being involved. The attack was widespread and caused significant data leakage. Here’s a deep dive into how it actually happened.

How It Happened:

From October 13th, 2018, to March 8th, 2019, cyberattackers intermittently accessed Citrix’s network, exploiting weaknesses in its remote-access system.

With weak passwords in use and no strict password policy in place, the attackers leveraged this weakness with a technique called “password spraying”: trying a single password against many different accounts in the hope that at least one of them uses it. Once a password matched, the attackers bypassed authentication controls and gained access to sensitive files stored on the internal network.
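The pattern described above is what a defender can look for: one source touching many accounts with only a failure or two each, which per-account lockout never catches. The following detection logic is an added example, not code from the ebook or from SecPod; the log line format and the sample events are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of remote-access authentication events (not real Citrix logs).
# Assumed line format: "<ISO timestamp> <source_ip> <username> <FAIL|SUCCESS>"
SAMPLE_LOG = """\
2019-01-14T02:00:01 203.0.113.7 alice FAIL
2019-01-14T02:00:03 203.0.113.7 bob FAIL
2019-01-14T02:00:05 203.0.113.7 carol FAIL
2019-01-14T02:00:07 203.0.113.7 dave FAIL
2019-01-14T02:00:09 203.0.113.7 erin FAIL
2019-01-14T02:00:11 203.0.113.7 frank SUCCESS
2019-01-14T02:01:00 198.51.100.9 alice FAIL
2019-01-14T02:01:10 198.51.100.9 alice FAIL
2019-01-14T02:01:20 198.51.100.9 alice SUCCESS
"""

def parse_auth_log(text):
    """Turn log lines into (time, source_ip, username, result) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return sorted(events)

def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Flag a source IP whose failed logins inside `window` touch at least
    `min_accounts` distinct usernames. A spray gives each account only one or
    two attempts, so the detection pivots on the source, not the account."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e[3] == "FAIL"]
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            tried = {e[2] for e in fails[start:end + 1]}
            if len(tried) >= min_accounts:
                # Accounts that then authenticated from the same source are the likely victims.
                hit = sorted({e[2] for e in evs
                              if e[3] == "SUCCESS" and e[0] >= fails[start][0]})
                alerts[ip] = {"accounts_tried": len(tried), "logged_in": hit}
                break
    return alerts

if __name__ == "__main__":
    print(detect_password_spray(parse_auth_log(SAMPLE_LOG)))
```

The second source in the sample (three attempts on one account) is deliberately not flagged: it is a single-account brute force, which per-account lockout already handles.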

What was the cause of the attack?

Weak password policy misconfiguration in the Citrix network.

What was the Impact?

Over 6 TB of sensitive data was exfiltrated.

What’s the Lesson for us?

Enforce strong password policies so that password spraying is no longer an effective method of attack.


The Microsoft Power Apps Portal Attack

In 2021, a significant misconfiguration in Microsoft Power Apps led to massive data exposure for several organizations using the platform. Power Apps is used by organizations of every kind, including state and local governments, private companies, and healthcare providers, and all of these sectors were affected.

How It Happened:

Many organizations and enterprises use Microsoft’s Power Apps platform to create custom apps and portals, as it is pretty easy to build apps in it. Power Apps portals are often configured to share data with the public. However, the portal had a default setting that made data stored in the app’s API endpoints publicly accessible unless users manually configured it to require authentication.

That default setting was effectively a misconfiguration: attackers could read sensitive information without passing through any access control, and that is exactly what they did. Attackers discovered the misconfiguration and accessed exposed API endpoints that contained sensitive information. Because the setting was public by default, sensitive records like COVID-19 contact tracing information, Social Security numbers, and personal health information were left unprotected and easily accessible.

What was the cause of the attack?

Misconfiguration in Power Apps portal settings, with ‘default public access’ to API endpoints.

What was the Impact?

More than 38 million sensitive records were exposed, impacting government agencies, private enterprises, and healthcare providers. The leak also exposed personal and health-related information for millions!

What’s the Lesson for us?

Enterprises and security teams should verify configuration settings for third-party applications, especially those handling sensitive data. Default settings are often not secure, and reviewing and customizing them is essential to reduce exposure risks.


The NASA – JIRA Incident

In 2018, NASA suffered a data leak due to a misconfiguration in its JIRA project management software. The leak exposed internal project data and sensitive information about employees, highlighting the importance of proper permission settings in internal tools.

How It Happened:

NASA used JIRA, a project management tool popular among development and engineering teams, to organize internal projects and collaborate on sensitive tasks. The tool itself was not the problem; its permission settings were. Certain internal projects were inadvertently set to public access, and here “public” meant visible to everyone in the world, not just the team!

This configuration error meant that anyone with internet access and the right link could view these internal JIRA pages. Attackers or unauthorized users could, therefore, access details about NASA’s projects and employee information without needing to bypass any authentication.

What was the cause of the attack?

Misconfiguration of JIRA permissions, allowing internal project data to be publicly accessible.

What was the Impact?

Sensitive project details and employee information were exposed, potentially compromising NASA’s operational security and exposing internal workflows to unauthorized individuals.

What’s the Lesson for us?

Organizations should perform regular permission audits on all software tools, especially those handling sensitive internal information. Proper access control is critical to ensure that only authorized users can access confidential data.


The T-Mobile Data Breach

In 2021, T-Mobile was hit with a massive data breach that compromised sensitive information for millions of customers. The breach was traced back to weaknesses in T-Mobile’s API security, which allowed attackers to exploit unsecured endpoints and extract valuable data.

How It Happened:

The attackers reportedly gained access by exploiting weak security in T-Mobile’s public-facing APIs. These APIs were insufficiently protected, lacking strong authentication and rate-limiting controls, which allowed attackers to repeatedly query the API and retrieve large amounts of customer data.

Using this method, the attackers accessed a treasure trove of personal information, including names, Social Security numbers, phone numbers, driver’s license information, and other sensitive customer details. The attack was prolonged, as T-Mobile’s security monitoring failed to detect the unusual API activity in time to stop the data exfiltration.

What was the cause of the attack?

Weak API security and lack of authentication and monitoring controls on publicly accessible endpoints.

What was the Impact?

Over 40 million customers' personal information, including Social Security numbers and driver’s license information, was exposed, posing serious risks for identity theft.

What’s the Lesson for us?

Enterprise security teams must ensure that public APIs are protected with strong authentication and are monitored effectively. They should also schedule regular API security reviews to detect and address risks before they turn into threats.


The Amazon AWS S3 Misconfiguration Attack

Amazon S3 is among the most widely used cloud storage services in the world, but its buckets have also become a common source of data breach incidents because they are so frequently misconfigured. Hundreds of enterprises around the world have faced breaches due to this misconfiguration.

How It Happened:

Many enterprises store sensitive data in Amazon S3 buckets for easy access and collaboration. However, S3 buckets can by default be configured to allow public access, which makes all data stored in them accessible to anyone with a link. In multiple incidents, companies either accidentally configured their S3 buckets to be public or were unaware of the setting, leaving sensitive data accessible over the internet.

These incidents have exposed everything from customer data to intellectual property. Attackers frequently scan the internet for publicly accessible S3 buckets, making it easy for them to find and access misconfigured buckets with sensitive information.

What was the cause of the attack?

Misconfiguration of Amazon S3 bucket permissions, leaving buckets publicly accessible by default.

What was the Impact?

Exposure of sensitive data such as personal information, proprietary business data, and even software code. These breaches have led to reputational damage and potential regulatory fines for affected organizations.

What’s the Lesson for us?

Organizations using cloud storage should rigorously review their access permissions, especially on public cloud platforms like Amazon S3. Misconfigured cloud storage permissions are a major source of data breaches, and security teams must enforce strict access controls on sensitive data.
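The review recommended above can be partly automated. The checker below is an added example, not code from the ebook or from SecPod: it reads a bucket policy as returned in JSON form, flags unconditional grants to everyone, and lists which of the four S3 Block Public Access settings are off. The two policies and the account id are constructed placeholders; the weak policy sits beside the corrected one.

```python
import json
# Constructed bucket policy showing the misconfiguration: anonymous read on every object.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowAnyoneToRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
})

# Corrected policy: the same read access, granted only to one IAM role (placeholder account id).
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowAppRoleToRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

def _as_list(value):  # policy fields may be a single string or a list
    return value if isinstance(value, list) else [value]

def _is_public_principal(principal):
    """A bare "*" or {"AWS": "*"} principal means anyone, authenticated or not."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and any("*" in _as_list(v) for v in principal.values())

def public_read_statements(policy_json):
    """Return Sids of unconditional Allow statements that let everyone read or list the
    bucket. Statements with a Condition are skipped and left for manual review."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition") or not _is_public_principal(stmt.get("Principal")):
            continue
        actions = _as_list(stmt.get("Action", []))
        if any(a in ("*", "s3:*") or a.startswith(("s3:Get", "s3:List")) for a in actions):
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings

def block_public_access_gaps(config):
    """List the S3 Block Public Access settings that are off; all four should be on."""
    keys = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
    return [k for k in keys if not config.get(k, False)]
```

Bucket ACLs are a separate grant path not covered by the policy check, which is one reason all four Block Public Access settings should stay on.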


So, How Do We Stop Attacks Due to Risks Beyond CVEs?

The modern cybersecurity landscape is a reactive one. Here’s a workflow that encapsulates it.


In simple terms, you get attacked and then try to mitigate and reduce its impact. Only then do you actually look for the vulnerability or risk that got exploited!

Is that really the right way to approach cyberattack prevention?

Continuous Vulnerability & Exposure Management: The Proactive Approach to Managing Risks

Continuous Vulnerability and Exposure Management brings a fresh perspective to cybersecurity by evaluating the security status of an organization’s IT infrastructure from a weakness perspective, allowing it to strengthen its security posture and defend against cyberattacks.

Every attacker leverages a weakness: that is the premise on which the CVEM framework is built.

Why is CVEM the Right Approach?

CVEM provides 4 key benefits over the reactive approach to vulnerability management.

    • CVEM Detects a Broader Set of Risks: Non-CVEs are the new risks being exploited right now, and the 5 real-world attacks above are the best examples of that. CVEM incorporates exposures, misconfigurations and anomalies along with vulnerabilities to ensure you get maximum visibility and coverage.
    • CVEM Integrates Risk Remediation: A key challenge for IT security administrators is the lack of a single unified approach to remediating risks. Using different tools to scan, prioritize, and remediate risks is challenging, and CVEM overcomes this limitation with its natively integrated approach.
    • CVEM Automates Risk Management: Today’s vulnerability management is still largely reactive. Closely linked to the integration above, CVEM enhances your risk management process many times over by automating the scanning and remediation process.

Conclusion

The harsh truth about today’s attack surface is that CVEs represent only part of the risk. Non-CVE vulnerabilities—like misconfigurations, API exposures, and insecure cloud settings—can pose significant threats if left unaddressed.

Today’s cyberattack landscape is not what it was before. Hackers are not who they were before. So, why should we still leverage traditional tools and frameworks?

Leveraging a cutting-edge framework like CVEM will ensure that you do not become another entry in the long list of cyberattack victims!

Cybersecurity, and vulnerability management especially, is no longer just about patching known vulnerabilities; it is about going beyond them to find and mitigate unknown risks too!


SecPod | Unified Vulnerability & Exposure Management