Digital exposure of telecom companies: protective measures lag behind the growth of IT assets

Researchers from Ethiac analyzed publicly accessible resources of 591 telecom companies in Europe and concluded that weak control over the external attack surface is a widespread problem in this sector. The study covered countries of the European Union as well as the United Kingdom, Norway, Iceland, and Switzerland.

Key findings:

🔍 On average, each company has 85 external assets (resources accessible from external networks). Large organizations (10,000+ employees) have around 371 external assets. This indicates not just an increase in the number of available hosts but an exponential rise in the complexity of interconnections between them and in the potential paths for lateral movement by attackers.

Even small telecom companies have an extensive attack surface that cannot be effectively protected through manual processes alone. This is due to the need to maintain both legacy and modern communication technologies simultaneously, as well as the large number of integrations with partners and vendors, which significantly increases the number of external access points into the infrastructure.

🌐 The technology stack is fairly uniform across companies. The most common technologies are nginx (48%), Apache (18%), Cloudflare (7%), and IIS (~4%). This amplifies the impact of mass attacks since a single exploit can be scaled across a significant portion of the industry.

🔐 Noticeable issues realted to SSL usage were discovered. 37% of external assets use invalid or outdated certificates (~17% excluding several large operators with the highest number of vulnerable external assets). The larger the company, the more difficult the control: among operators with more than 500 external assets, 33% use poor SSL practices, while for companies with fewer than 50 assets, this figure averages 14%.

🫆 Almost half of web servers disclose service information. 47% of web servers reveal software version details and other configuration information. For large organizations, this figure reaches 77%. This makes attackers' work easier: to find a weak spot, it is often enough to match the disclosed version with known CVEs.

Overall, the highest number of external assets with SSL issues was found among operators in Switzerland (90.5%), Malta (38.0%), and France (33.6%). Estonia and Croatia have the highest proportions of external assets disclosing configuration information — 72.1% and 48.1%, respectively.

It is worth noting that even if these shortcomings may not seem critical, they indicate weak control over the external attack surface among European telecom companies. Given the shrinking time-to-exploit (as discussed earlier), this becomes critical: organizations have less and less time between the appearance of a vulnerability on a public resource and its exploitation. The more external assets and interconnections there are, the higher the likelihood that at least one of them will eventually become an entry point — and that alone may be enough to trigger a serious attack. Under such conditions, control of the external perimeter must be as automated as possible.