The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) recently published a joint alert describing the ten vulnerabilities most routinely exploited between 2016 and 2019. State-sponsored actors exploit these vulnerabilities to break into organizations in both the public and private sectors and steal sensitive information.
Hacking groups tied to China, Russia, Iran, and North Korea widely exploit the vulnerabilities on the list. These actors continue to use them even though patches have long been available; in some cases the patches have been available for more than five years, yet a number of organizations still have not applied them.
Exploiting the vulnerabilities on the list requires fewer resources than developing or buying zero-day exploits, so attackers can run more campaigns with the same effort. If organizations patch these ten vulnerabilities, state-sponsored actors are forced to develop new exploits, which restricts their ability to operate.
CISA and the FBI explain in the alert that a concerted patching campaign would introduce friction into foreign adversaries' operational tradecraft and force them to develop or acquire exploits that are more expensive and less widely effective. A concerted patching campaign would also strengthen network security by focusing scarce defensive resources on the observed activities of foreign adversaries.
CISA and the FBI expect the list to help organizations prioritize patching, and they urge all organizations to invest more time and resources in patching and to build a program that keeps every system patched going forward.
Top 10 Consistently Exploited Vulnerabilities
The consistently exploited vulnerabilities in the top ten list affect Adobe Flash Player, Microsoft SharePoint, Microsoft Windows, Microsoft Office, Microsoft .NET Framework, Apache Struts, and Drupal. Of the ten, the three used most frequently by state-sponsored actors all involve Microsoft's Object Linking and Embedding (OLE) technology: CVE-2017-11882, CVE-2017-0199, and CVE-2012-0158. OLE allows a document, such as a Word file, to contain content embedded from other applications, which is why these three are typically triggered by a victim opening a crafted document attached to a phishing email. The fourth most frequently exploited vulnerability is CVE-2017-5638 in the Apache Struts web framework. These vulnerabilities have been used to deliver a wide range of malware payloads, including Loki, Pony/FAREIT, FormBook, FINSPY, LATENTBOT, JexBoss, Dridex, China Chopper, DOGCALL, FinFisher, WingBird, and Kitty.
- Vulnerability CVE-2017-11882 affects Microsoft Office 2007 SP3/2010 SP2/2013 SP1/2016 Products
- Vulnerability CVE-2017-0199 affects Microsoft Office 2007 SP3/2010 SP2/2013 SP1/2016, Vista SP2, Server 2008 SP2, Windows 7 SP1, Windows 8.1
- Vulnerability CVE-2017-5638 affects Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1
- Vulnerability CVE-2012-0158 affects Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2003 Web Components SP3; BizTalk Server 2002 SP1; SQL Server 2000 SP4, 2005 SP4, and 2008 SP2, SP3, and R2; Visual FoxPro 8.0 SP1 and 9.0 SP2; Visual Basic 6.0 Runtime; and Commerce Server 2002 SP4, 2007 SP2, and 2009 Gold and R2
- Vulnerability CVE-2019-0604 affects Microsoft SharePoint
- Vulnerability CVE-2017-0143 affects Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT
- Vulnerability CVE-2018-4878 affects Adobe Flash Player before 28.0.0.161
- Vulnerability CVE-2017-8759 affects Microsoft .NET Framework 2.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 and 4.7
- Vulnerability CVE-2015-1641 affects Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word 2013 SP1, Word 2013 RT SP1, Word for Mac 2011, Office Compatibility Pack SP3, Word Automation Services on SharePoint Server 2010 SP2 and 2013 SP1, and Office Web Apps Server 2010 SP2 and 2013 SP1
- Vulnerability CVE-2018-7600 affects Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1
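As an added illustration (example code written for this page, not part of the alert or of any vendor tooling), the affected version ranges quoted above for the three non-Microsoft products can be turned directly into an inventory check. The `AFFECTED` table is transcribed from the list above, the inventory rows are constructed sample data, and the host names are hypothetical. Microsoft products are deliberately left out: they are serviced by cumulative updates and KB numbers, so a plain product-version comparison like this one cannot tell you whether, say, CVE-2017-11882 or CVE-2017-0143 has been patched on a given host.

```python
"""Flag inventory entries that fall inside the affected version ranges
quoted in the CISA/FBI top-10 list.  Added example, not from the alert."""
import re


def parse_version(s):
    """Turn '2.5.10.1' into (2, 5, 10, 1) so versions compare lexicographically.
    Assumption: plain dotted numeric versions; any non-numeric suffix is dropped."""
    return tuple(int(part) for part in re.findall(r"\d+", s))


# Affected ranges transcribed from the list above, as (branch, fixed_in) pairs.
# A version is affected when it starts with `branch` and is strictly below
# `fixed_in`.  An empty branch means "any version below fixed_in".
AFFECTED = {
    "CVE-2017-5638": ("Apache Struts 2", [("2.3", "2.3.32"), ("2.5", "2.5.10.1")]),
    "CVE-2018-4878": ("Adobe Flash Player", [("", "28.0.0.161")]),
    "CVE-2018-7600": ("Drupal", [("", "7.58"), ("8", "8.3.9"),
                                 ("8.4", "8.4.6"), ("8.5", "8.5.1")]),
}


def is_affected(cve, version):
    """True if `version` of the product tied to `cve` lies in an affected range."""
    _product, ranges = AFFECTED[cve]
    v = parse_version(version)
    for branch, fixed_in in ranges:
        b = parse_version(branch)
        if v[:len(b)] != b:          # not on this release branch
            continue
        if v < parse_version(fixed_in):
            return True
    return False


def triage(inventory):
    """inventory: iterable of (host, product, version).
    Returns the list of (host, cve, product, version) hits, in inventory order."""
    hits = []
    for host, product, version in inventory:
        for cve, (affected_product, _ranges) in AFFECTED.items():
            if product == affected_product and is_affected(cve, version):
                hits.append((host, cve, product, version))
    return hits


# Constructed sample inventory (hypothetical hosts), not real data.
SAMPLE_INVENTORY = [
    ("web-01", "Apache Struts 2", "2.3.31"),        # below 2.3.32: affected
    ("web-02", "Apache Struts 2", "2.5.10.1"),      # the fixed release
    ("cms-01", "Drupal", "8.4.5"),                  # below 8.4.6: affected
    ("cms-02", "Drupal", "8.5.1"),                  # fixed
    ("ws-17", "Adobe Flash Player", "28.0.0.137"),  # below 28.0.0.161: affected
]


if __name__ == "__main__":
    for host, cve, product, version in triage(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} is affected by {cve}")
```

Note that this compares upstream release numbers only. Distributions and vendors frequently backport fixes without bumping the version string, so a hit from a check like this is a prompt to verify the actual patch level, not proof of exposure.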
The alert also warns about two more recent vulnerabilities, CVE-2019-19781 in Citrix VPN appliances and CVE-2019-11510 in Pulse Secure VPN servers, which have been heavily exploited in 2020. Both are being exploited by state-sponsored and criminal groups alike, and both sit in remote-access (VPN) products that are exposed directly to the internet.
The rush to adopt cloud collaboration services such as Microsoft Office 365 so that employees could work remotely during COVID-19 has given attackers new avenues into organizations. Hasty deployments have led to oversights in security configuration that leave these services open to attack. Other weaknesses are also being exploited, including inadequate employee training on phishing and social engineering, and the absence of adequate backup and system-recovery plans has additionally left organizations exposed to ransomware attacks.