Patch or Perish: Nation-State Hacker EditionTop 10 Vulnerabilities Exploited by Sophisticated Foreign Hackers Detailed by CISA
Which flaws should organizations patch first?
See Also: The Essential Guide to Security
Vulnerability management programs enable organizations to stay on top of prioritizing security updates, patching them proactively and driving down remediation times. But one way to check the health of an organization's efforts is to ensure that they have correctly remediated the biggest and baddest bugs.
Enter the Top 10 Most Exploited Vulnerabilities 2016-2019 released by the U.S. Cybersecurity and Infrastructure Security Agency and the FBI on Tuesday.
The list is intended to help all organizations "place an increased priority on patching the most commonly known vulnerabilities exploited by sophisticated foreign cyber actors," they say. Typically, "sophisticated nation-state hackers" refers to those who work for, or on behalf of, China, Iran, North Korea and Russia.
"Foreign cyber actors continue to exploit publicly known - and often dated - software vulnerabilities against broad target sets, including public and private sector organizations," the guide says. "Exploitation of these vulnerabilities often requires fewer resources as compared with zero-day exploits for which no patches are available."
All hackers - be they pursuing cybercrime, nation-state efforts or even low-level "script kiddy" defacements - have tended to use the easiest tool for the job. If exploiting a simple flaw gives attackers remote access, why waste time or burn more sophisticated tactics that can be saved for tougher targets?
Indeed, the most recent of the top 10 flaws included in the document is CVE-2019-0604, a Microsoft SharePoint vulnerability that dates from March 5, 2019 - and which was patched two days later. Many of the other flaws are much older. The most-exploited flaws involve vulnerabilities in Adobe Flash Player, Apache Struts, Drupal, Microsoft .NET Framework, Microsoft Office and numerous other types of Windows software. All of them have been patched.
Efficiency Trumps Sophistication
The top 10 most-exploited list highlights that experienced attackers "prioritize efficiency instead of technical sophistication," says Marco Rottigni, chief technical security officer for Europe, the Middle East and Africa at vulnerability management vendor Qualys.
So long as organizations have yet to patch older flaws, attackers will keep targeting them. "The value of leveraging existing weaponization of older vulnerabilities is much higher than investing time and skilled resources in building new exploits, unless for very specific and numerically limited reasons," Rottigni tells Information Security Media Group.
Cybersecurity expert Alan Woodward, a professor of computer science at England's University of Surrey, says this is a long-running trend. "It's not surprising that not everything is a very recent exploit - and of course this doesn't necessarily highlight the human factor," he says, referring to social-engineering attacks, which many attackers will try before they target unpatched, old flaws (see: Nation-State Spear Phishing Attacks Remain Alive and Well).
"Studies suggest most hacks - some stats show up to 90% - are not down to fancy technical exploits, but humans making a mistake - for example, falling victim to a phishing attack or using weak passwords," he tells ISMG. "These are the top 10 technical exploits, but criminals are quite lazy, and they still find low-hanging fruit by tricking us all into letting them in. Why pick the lock when you can scam your way past the front door?"
3 Flaws Targeted Above All Others
The guide says that of the 10 most targeted vulnerabilities, attackers associated with China, Iran, North Korea and Russia most often target just three of them: CVE-2017-11882, CVE-2017-0199 and CVE-2012-0158. All involve vulnerabilities in Microsoft's object linking and embedding - OLE - technology. "OLE allows documents to contain embedded content from other applications such as spreadsheets," the guide notes. "After OLE the second-most reported vulnerable technology was ... Apache Struts." (See: What Went Wrong at Equifax? We Have Good Answers)
Rottigni says not only nation-state attackers continue to target these flaws, as the guide makes clear. "It lists technologies and solutions that are commonly used and easily compromised by common malware such as Dridex, a banking credentials stealer in use since 2015; Loki, an infostealer first detected in 2016; Kitty, a cryptojacker that first appeared in 2018; and others that are easily available on the market or even offered as a service," he says, referring to malware-as-a-service offerings available via the cybercrime ecosystem.
In all cases, the solution for mitigating the risk posed by the 10 vulnerabilities remains clear: Update or upgrade all versions of the software present in an organization to a version that includes patches.
Of course, the 10 vulnerabilities are only a fraction of the flaws that need fixing in any given organization, and which grow with every day that goes by. That's why having a robust remediation program in place is so essential.
Products and services can help organizations automate and enforce this process, from discovering vulnerabilities to ensuring they've been remediated. Gartner designates this space as vulnerability assessment, and says vendors include Arctic Wolf, Aurea SMB Solutions (GFI Software), Beyond Security, BeyondTrust, BreachLock, Digital Defense, F-Secure, Greenbone Networks, Positive Technologies, Qualys, Rapid7, SaltStack, Tenable and Tripwire.
Is the Message Getting Through?
Nation-state attack watchers say that when a government cybersecurity or intelligence agency issues a warning about attacks, it's because it's been seeing a sufficient volume of them to cause concern (see: Turla Teardown: Why Attribute Nation-State Attacks?). So no matter what else organizations might be patching, the time is now to ensure the 10 most-exploited vulnerabilities included in the CISA and FBI list have been fixed.
Unfortunately, many organizations haven't been getting this message. For example, one of the top 10 vulnerabilities that was most exploited by sophisticated nation-state attackers, CVE-2012-0158, was being active exploited by "Chinese state cyber actors" in December 2019, the CISA and FBI guide notes. That's the same vunerability most commonly used by those actors back in 2015.
"This trend suggests that organizations have not yet widely implemented patches for this vulnerability and that Chinese state cyber actors may continue to incorporate dated flaws into their operational trade craft as long as they remain effective," the guide notes. As the top 10 vulnerabilities remain unpatched, expect nation-state actors and criminal groups to keep targeting them.
Here are the 10 most-exploited flaws cited in the CISA and FBI guide.
- CVE-2017-11882: Present in versions of Microsoft Office 2007 SP3, 2010 SP2, 2013 SP1 and 2016. Has also been exploited by Loki, FormBook and Pony (aka Fareit) malware.
- CVE-2017-0199: Present in versions of Microsoft Office 2007 SP3, 2010 SP2, 2013 SP1, 2016, as well as Windows Vista SP2, Server 2008 SP2, Windows 7 SP1, Windows 8.1. Has also been exploited by FinSpy, Latentbot and Dridex malware.
- CVE-2017-5638: Present in versions of Apache Struts 2 2.3.x before 2.3.32, and 2.5.x before 126.96.36.199. Also exploited by JexBoss malware.
- CVE-2012-0158: Present in versions of Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2003 Web Components SP3; SQL Server 2000 SP4, 2005 SP4, and 2008 SP2, SP3, and R2; BizTalk Server 2002 SP1; Commerce Server 2002 SP4, 2007 SP2, and 2009 Gold and R2; Visual FoxPro 8.0 SP1 and 9.0 SP2; and Visual Basic 6.0. Also exploited by Dridex malware.
- CVE-2019-0604: Present in versions of Microsoft SharePoint. Also targeted by China Chopper malware.
- CVE-2017-0143: Present in versions of Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016. Targeted by WannaCry and numerous other strains of malware that have made use of the so-called EternalSynergy and EternalBlue exploit kits.
- CVE-2018-4878: Present in versions of Adobe Flash Player prior to 188.8.131.52. Exploited too by Dogcall malware.
- CVE-2017-8759. Present in versions of Microsoft .NET Framework 2.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 and 4.7. Also exploited by FinSpy, FinFisher and WingBird malware.
- CVE-2015-1641: Present in versions of Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word 2013 SP1, Word 2013 RT SP1, Word for Mac 2011, Office Compatibility Pack SP3, Word Automation Services on SharePoint Server 2010 SP2 and 2013 SP1, and Office Web Apps Server 2010 SP2 and 2013 SP1. Also exploited by Toshliph and UWarrior malware.
- CVE-2018-7600: Present in the following versions of Drupal: 7.x before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1. Also exploited by Kitty malware.