A joint alert has been issued by the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) to raise awareness about the most commonly exploited vulnerabilities to help organizations strengthen security and prevent attacks by sophisticated foreign threat actors.
Patches should always be applied as soon as possible, but the volume of patches now being released makes that a challenge. Patching is a never-ending and time-consuming process, but it is one of the most effective ways of preventing cyberattacks. CISA/FBI are advising all organizations to increase their efforts to patch vulnerabilities and develop a program to ensure that system patching is kept up to date.
The list of the most commonly exploited vulnerabilities has been produced to help organizations prioritize patching and address the vulnerabilities that are most likely to be exploited. Many of the vulnerabilities on the list are old, but many organizations still have not applied the patches that correct them.
Over the past four years, most cyberattacks that have exploited vulnerabilities to gain access to corporate networks have taken advantage of unpatched flaws in Microsoft Office (CVE-2017-11882, CVE-2017-0199, CVE-2015-1641, and CVE-2012-0158), Microsoft SharePoint (CVE-2019-0604), Microsoft .NET Framework (CVE-2017-8759), Microsoft Windows (CVE-2017-0143), Apache Struts (CVE-2017-5638), Drupal (CVE-2018-7600), and Adobe Flash Player (CVE-2018-4878).
These flaws have been exploited to deploy a wide range of malware variants to steal data and gain persistent access to corporate networks. Nation state hackers in China, North Korea, and Iran have concentrated on three vulnerabilities in Microsoft Office – CVE-2017-11882, CVE-2017-0199 and CVE-2012-0158. Patches for these vulnerabilities have been available for several years, yet many organizations have still not applied them and remain vulnerable to attack. CISA issued an alert in 2015 stating that the Microsoft Office vulnerability CVE-2012-0158 was the vulnerability most commonly exploited by Chinese threat actors. Five years on, the vulnerability is still being exploited.
“A concerted campaign to patch these vulnerabilities would introduce friction into foreign adversaries’ operational tradecraft and force them to develop or acquire exploits that are more costly and less widely effective,” explains CISA/FBI in the alert. “A concerted patching campaign would also bolster network security by focusing scarce defensive resources on the observed activities of foreign adversaries.”
CISA has also warned that in 2020 threat actors have increased attacks targeting vulnerabilities in virtual private network (VPN) solutions such as Citrix VPN appliances (CVE-2019-19781) and Pulse Secure VPN servers (CVE-2019-11510). Patches have been released to address both of these flaws, but there are still many businesses that have yet to apply the patches. These should also be prioritized.
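The alert's practical message is to rank patching work by whether a finding is on the known-exploited list rather than by CVSS score alone. The script below is an added example written for this page, not a tool from CISA or the FBI: it takes a vulnerability scanner export in a simple CSV layout (hostnames, the export format and the two `CVE-0000-…` identifiers are constructed placeholders; the other CVE identifiers are the ones named in the alert), groups findings by CVE, and orders them so that known-exploited flaws come first, then by the number of affected hosts, then by CVSS.

```python
"""Prioritize scanner findings against the CISA/FBI list of routinely exploited CVEs.

Added example for this article. The scan export is constructed (hypothetical hosts,
made-up CSV layout); CVE-0000-00001 and CVE-0000-00002 are placeholders for
findings that are NOT on the alert's list.
"""
import csv
import io
from collections import defaultdict

# CVEs named in the CISA/FBI alert, keyed to the affected product.
EXPLOITED_CVES = {
    "CVE-2017-11882": "Microsoft Office",
    "CVE-2017-0199": "Microsoft Office",
    "CVE-2015-1641": "Microsoft Office",
    "CVE-2012-0158": "Microsoft Office",
    "CVE-2019-0604": "Microsoft SharePoint",
    "CVE-2017-8759": "Microsoft .NET Framework",
    "CVE-2017-0143": "Microsoft Windows",
    "CVE-2017-5638": "Apache Struts",
    "CVE-2018-7600": "Drupal",
    "CVE-2018-4878": "Adobe Flash Player",
    "CVE-2019-19781": "Citrix VPN appliances",
    "CVE-2019-11510": "Pulse Secure VPN servers",
}

# Constructed scanner export (hypothetical hosts; not real scan data).
SCAN_EXPORT = """host,cve,cvss
ws-001,CVE-2017-11882,7.8
ws-002,CVE-2017-11882,7.8
ws-003,CVE-2017-0199,7.8
vpn-01,CVE-2019-19781,9.8
web-01,CVE-0000-00001,9.1
web-02,CVE-0000-00001,9.1
db-01,CVE-0000-00002,5.3
"""


def parse_findings(text):
    """Parse the CSV export into a list of {host, cve, cvss} dicts."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["cvss"] = float(row["cvss"])
    return rows


def prioritize(findings, exploited=EXPLOITED_CVES):
    """Group findings by CVE and rank them for patching.

    Sort order: known-exploited CVEs first, then more affected hosts first,
    then higher CVSS first, then CVE id for a stable result.
    """
    by_cve = defaultdict(lambda: {"hosts": set(), "cvss": 0.0})
    for finding in findings:
        entry = by_cve[finding["cve"]]
        entry["hosts"].add(finding["host"])
        entry["cvss"] = max(entry["cvss"], finding["cvss"])

    ranked = [
        {
            "cve": cve,
            "known_exploited": cve in exploited,
            "product": exploited.get(cve, "not on alert list"),
            "hosts": sorted(entry["hosts"]),
            "cvss": entry["cvss"],
        }
        for cve, entry in by_cve.items()
    ]
    ranked.sort(
        key=lambda e: (not e["known_exploited"], -len(e["hosts"]), -e["cvss"], e["cve"])
    )
    return ranked


def unseen_exploited(findings, exploited=EXPLOITED_CVES):
    """CVEs from the alert that the scan did not report at all.

    Useful as a coverage check: either the products are absent from the
    estate, or the scanner is not checking for them.
    """
    seen = {f["cve"] for f in findings}
    return sorted(cve for cve in exploited if cve not in seen)


if __name__ == "__main__":
    findings = parse_findings(SCAN_EXPORT)
    for rank, entry in enumerate(prioritize(findings), start=1):
        flag = "EXPLOITED" if entry["known_exploited"] else "         "
        print(f"{rank}. {flag} {entry['cve']:16} {entry['product']:26} "
              f"hosts={len(entry['hosts'])} cvss={entry['cvss']}")
    print("Alert CVEs not reported by scan:", ", ".join(unseen_exploited(findings)))
```

Note that the placeholder CVE-0000-00001 has a higher CVSS score and as many affected hosts as CVE-2017-11882, yet it ranks below every CVE from the alert; that is the point of the ordering. The `unseen_exploited` check is worth keeping in a real workflow, since a listed CVE that never appears in scan results may mean a scanner coverage gap rather than a clean estate.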
CISA also warns that the rapid transition to a largely at-home workforce due to COVID-19 has forced many organizations to rapidly deploy cloud collaboration services such as Microsoft Office 365. Malicious cyber actors are taking advantage of oversights in the security configurations of these solutions to conduct attacks, and poor employee education on social engineering attacks has made organizations susceptible to ransomware attacks.