The US Govt., this Tues. outlined the top ten most used vulnerabilities from 2016-2019 & cautioned as to how 2020 is developing as regards to vulnerability.
Also, the US Govt. is now instructing IT admins, if they are not already, to ‘double down’ efforts to make secure Virtual Private Networks (VPNs) & Microsoft Office 365 environments.
FBI
According to the Cybersecurity & Infrastructure Security Agency (CISA) & the Federal Bureau of Investigation (FBI), the work-from-home widespread change in March, made necessary by the virus, brought with it a deluge of attacks targeting VPN vulnerabilities in Citrix VPN appliances, i.e. CVE-2019-19781, Pulse Secure VPN servers, CVE-2019-11510, & lax O365 deployments.
Social Engineering
It was added that because of lack of employee education regarding ‘social engineering attacks’ & lack of system recovery & contingency plans, orgs have become much more vulnerable to ‘ransomware attacks’ during 2020.
CISA did warn about vulnerabilities before – it warned about the Pulse vulnerabilities twice already this year, once in Jan, & once in April – but reiterated the danger of the threats again on Tuesday, in a recap of the top 10 most exploited vulnerabilities from 2016-2019.
Vulnerabilities
Those vulnerabilities, attributed to US states, non-state, & unattributed cyber actors, are as follows:
- CVE-2017-11882 – Microsoft Office 2007 SP3/2010 SP2/2013 SP1/2016 Products. Commonly associated with Loki, FormBook, & Pony malware strains
- CVE-2017-0199 – Microsoft Office 2007 SP3/2010 SP2/2013 SP1/2016, Vista SP2, Server 2008 SP2, Windows 7 SP1, Windows 8.1. Commonly associated with FINSPY, LATENTBOT, and Dridex
- CVE-2017-5638 – Apache Struts 2 2.3.x before 2.3.32 & 2.5.x before 2.5.10.1. Commonly associated with JexBoss malware.
- CVE-2012-0158 – Microsoft Office 2003 SP3, 2007 SP2 & SP3, & 2010 Gold & SP1; Office 2003 Web Components SP3; SQL Server 2000 SP4, 2005 SP4, & 2008 SP2, SP3, & R2; BizTalk Server 2002 SP1; Commerce Server 2002 SP4, 2007 SP2, & 2009 Gold & R2; Visual FoxPro 8.0 SP1 & 9.0 SP2; & Visual Basic 6.0. Commonly associated with Dridex.
- CVE-2019-0604 – Present in Microsoft SharePoint. Commonly associated with China Chopper.
- CVE-2017-0143 – Present in Microsoft Windows Vista SP2; Windows Server 2008 SP2 & R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold & R2; Windows RT 8.1; & Windows 10 Gold, 1511, & 1607; & Windows Server 2016
- CVE-2018-4878 – Present in Adobe Flash Player before 28.0.0.161. Commonly associated with DOGCALL
- CVE-2017-8759 – Microsoft .NET Framework 2.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 & 4.7. Commonly associated with FINSPY, FinFisher, WingBird.
- CVE-2015-1641 – Present in Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word 2013 SP1, Word 2013 RT SP1, Word for Mac 2011, Office Compatibility Pack SP3, Word Automation Services on SharePoint Server 2010 SP2 & 2013 SP1, & Office Web Apps Server 2010 SP2 & 2013 SP1. Commonly associated with Toshliph, UWarrior.
- CVE-2018-7600 – Present in Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, & 8.5.x before 8.5.1. Commonly associated with Kitty.
Mitigations
All of the CVEs do have mitigations available. In many cases, just updating the affected products – applying Microsoft’s patches, updating Flash Player, or what version of Struts you are running – will rectify the issue.
This is not always easy, however, – often a balance of time & urgency is required,
Patches
“Deploying patches often requires IT security professionals to balance the need to mitigate vulnerabilities with the need for keeping systems running & ensuring installed patches are compatible with other software,” CISA’s guidance reads, “This can require a significant investment of effort, particularly when mitigating multiple flaws at the same time.”
OLE
As described by the US Govt, attackers targeted Microsoft’s Object Linking & Embedding (OLE) technology more than the others between 2016-2019. OLE has been around since 1990 & lets embedding & linking to documents & to other objects, making it a preferred weapon for attackers looking to utilise it to download malware via embedding scripts.
The technique has been noted in attacks from groups in China, Iran, North Korea, & Russia, using CVE-2017-11882, CVE-2017-0199, & CVE-2012-0158 in particular, according to CISA.
Apache Struts
Later on, it was Apache Struts, which is the same web framework that eventually led to 2017’s Equifax data breach.
CISA in the US also provides additional data for IT admins on its site. Included are additional vulnerability details, indicators of compromise (IOCs) & directions to mitigate each CVE.
All valuable information for professionals.