Two US cyber-security agencies published this week a list of the top 10 most commonly exploited software vulnerabilities across the last four years, between 2016 and 2019.
The report, authored by the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (DHS CISA) and the Federal Bureau of Investigation (FBI), urges organizations in the public and private sector to apply necessary updates in order to prevent the most common forms of attacks encountered today.
This includes attacks carried out by state-sponsored, non-state, and unattributed threat actors.
US government officials argue that applying patches could degrade the cyber arsenal of foreign actors targeting US entities, as they’d have to invest resources into developing new exploits rather than relying on old and tested bugs.
“Exploitation of these vulnerabilities often requires fewer resources as compared with zero-day exploits for which no patches are available,” US officials said.
“A concerted campaign to patch these vulnerabilities would introduce friction into foreign adversaries’ operational tradecraft and force them to develop or acquire exploits that are more costly and less widely effective.”
Other observations from the joint CISA & FBI security alert include:
- The most commonly attacked technology was Microsoft’s Object Linking and Embedding (OLE), which allows Office documents to embed content from other applications.
- OLE vulnerabilities such as CVE-2017-11882, CVE-2017-0199, and CVE-2012-0158 were the bugs most exploited by nation-state-sponsored groups from countries such as China, Iran, North Korea, and Russia.
- Apache Struts was the second most attacked technology. This is in line with a recent RiskSense report.
- The most commonly exploited vulnerabilities in 2020 were CVE-2019-19781 (bug in Citrix VPN appliances) and CVE-2019-11510 (bug in Pulse Secure VPN servers).
- During the coronavirus outbreak, many organizations shifting to work-from-home setups have misconfigured their Office 365 deployments.
The list of the top 10 most exploited vulnerabilities, in no particular order, is available below. It includes the likes of CVE-2017-11882, CVE-2017-0199, CVE-2017-5638, CVE-2012-0158, CVE-2019-0604, CVE-2017-0143, CVE-2018-4878, CVE-2017-8759, CVE-2015-1641, and CVE-2018-7600.
CVE-2017-5638
- Vulnerable Products: Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1
- Associated Malware: JexBoss
- Mitigation: Upgrade to Struts 2.3.32 or Struts 2.5.10.1
- More Detail:
CVE-2012-0158
- Vulnerable Products: Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2003 Web Components SP3; SQL Server 2000 SP4, 2005 SP4, and 2008 SP2, SP3, and R2; BizTalk Server 2002 SP1; Commerce Server 2002 SP4, 2007 SP2, and 2009 Gold and R2; Visual FoxPro 8.0 SP1 and 9.0 SP2; and Visual Basic 6.0
- Associated Malware: Dridex
- Mitigation: Update affected Microsoft products with the latest security patches
- More Detail:
- IOCs: https://www.us-cert.gov/ncas/analysis-reports/ar20-133i, https://www.us-cert.gov/ncas/analysis-reports/ar20-133j, https://www.us-cert.gov/ncas/analysis-reports/ar20-133k, https://www.us-cert.gov/ncas/analysis-reports/ar20-133l, https://www.us-cert.gov/ncas/analysis-reports/ar20-133n, https://www.us-cert.gov/ncas/analysis-reports/ar20-133o
CVE-2017-0143
- Vulnerable Products: Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; Windows 10 Gold, 1511, and 1607; and Windows Server 2016
- Associated Malware: Multiple using the EternalSynergy and EternalBlue Exploit Kit
- Mitigation: Update affected Microsoft products with the latest security patches
- More Detail: https://nvd.nist.gov/vuln/detail/CVE-2017-0143
CVE-2015-1641
- Vulnerable Products: Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word 2013 SP1, Word 2013 RT SP1, Word for Mac 2011, Office Compatibility Pack SP3, Word Automation Services on SharePoint Server 2010 SP2 and 2013 SP1, and Office Web Apps Server 2010 SP2 and 2013 SP1
- Associated Malware: Toshliph, UWarrior
- Mitigation: Update affected Microsoft products with the latest security patches
- More Detail: https://nvd.nist.gov/vuln/detail/CVE-2015-1641
- IOCs: https://www.us-cert.gov/ncas/analysis-reports/ar20-133m
CVE-2018-7600
- Vulnerable Products: Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1
- Associated Malware: Kitty
- Mitigation: Upgrade to the most recent version of Drupal 7 or 8 core.
- More Detail: https://nvd.nist.gov/vuln/detail/CVE-2018-7600
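As an added example (not code from the article or from the CISA/FBI alert), the following Python flags installed versions that fall inside the vulnerable ranges the list above gives for the Apache Struts entry (CVE-2017-5638 in the top-10 list) and the Drupal entry (CVE-2018-7600), so a defender can check an inventory against the advisory's mitigation advice; the host inventory is constructed sample data.

```python
from typing import Dict, List, Tuple

# Vulnerable ranges as the advisory list states them: affected branch -> first fixed release.
VULNERABLE_RANGES: Dict[str, Dict] = {
    "CVE-2017-5638": {  # Apache Struts 2: 2.3.x before 2.3.32, 2.5.x before 2.5.10.1
        "product": "Apache Struts 2",
        "branches": [("2.3", "2.3.32"), ("2.5", "2.5.10.1")],
        "mitigation": "Upgrade to Struts 2.3.32 or Struts 2.5.10.1",
    },
    "CVE-2018-7600": {  # Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, 8.5.x before 8.5.1
        "product": "Drupal",
        "branches": [("7", "7.58"), ("8", "8.3.9"), ("8.4", "8.4.6"), ("8.5", "8.5.1")],
        "mitigation": "Upgrade to the most recent version of Drupal 7 or 8 core",
    },
}

def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.5.10.1' into (2, 5, 10, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.strip().split("."))

def is_vulnerable(cve: str, installed: str) -> bool:
    """True when the installed version sits on an affected branch below that branch's fix."""
    ver = parse_version(installed)
    for branch, fixed in VULNERABLE_RANGES[cve]["branches"]:
        prefix = parse_version(branch)
        if ver[: len(prefix)] == prefix and ver < parse_version(fixed):
            return True
    return False

def audit(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """For each (host, product, version), return (host, cve, mitigation) for every match."""
    findings = []
    for host, product, version in inventory:
        for cve, entry in VULNERABLE_RANGES.items():
            if product == entry["product"] and is_vulnerable(cve, version):
                findings.append((host, cve, entry["mitigation"]))
    return findings

# Constructed sample inventory (hypothetical hosts), not real data.
SAMPLE_INVENTORY = [
    ("web01", "Apache Struts 2", "2.3.31"),    # below 2.3.32 -> flagged
    ("web02", "Apache Struts 2", "2.5.10.1"),  # exactly the fixed release -> clean
    ("cms01", "Drupal", "8.4.5"),              # below 8.4.6 -> flagged
    ("cms02", "Drupal", "8.6.0"),              # newer than every affected branch -> clean
]

if __name__ == "__main__":
    for host, cve, fix in audit(SAMPLE_INVENTORY):
        print(f"{host}: {cve} -> {fix}")
```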