Dark Reading

Vulnerabilities / Threats

5/13/2020
01:40 PM

Attackers Routinely Use Older Vulnerabilities to Exploit Businesses, US Cyber Agency Warns

Security issues in Microsoft products dominate the US government's top 10 list of commonly exploited vulnerabilities, but Apache Struts, Adobe Flash, and Drupal are also routinely targeted.

Cybercriminals and state actors continue to exploit a collection of older vulnerabilities — in some cases, more than 5 years old — to compromise companies and organizations that have poorly maintained systems, the US government warned in an advisory released on May 12.

In its "Top 10 Routinely Exploited Vulnerabilities" advisory (alert AA20-133A), the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the broader US government warned companies and agencies that publicly known vulnerabilities are targeted far more often by nation-state, cybercriminal, and unattributed attackers than zero-day vulnerabilities are. Each vulnerability on the list is tied to malware or exploit tooling seen in ongoing campaigns, such as the Dridex banking Trojan, the FinSpy surveillance tool, the China Chopper Web shell, and the EternalBlue SMB exploit.

Failure to patch these vulnerabilities — all of which are more than a year old — puts organizations at significantly higher risk of compromise, the advisory stated.

"The public and private sectors could degrade some foreign cyber threats to US interests through an increased effort to patch their systems and implement programs to keep system patching up to date," the advisory stated. "A concerted campaign to patch these vulnerabilities would introduce friction into foreign adversaries' operational tradecraft and force them to develop or acquire exploits that are more costly and less widely effective."

Patching is the most basic way companies can improve their security posture, yet outdated software persists in organizations' IT environments. The scale of the problem is underscored by the fact that one vulnerability on CISA's top 10 list was first disclosed, and patched, in 2012.

"The biggest risk associated with these vulnerabilities is that in some enterprises they remain unpatched even years after patches are released," Chris Rothe, co-founder and chief product officer at Red Canary, said in a statement. "The number one thing a company can do to protect against falling victim to exploitation of software and operating system vulnerabilities is to build a mature IT hygiene program with the ability to quickly test and deploy patches."

Microsoft patched the vulnerability in Windows Common Controls (CVE-2012-0158) on April 10, 2012, in security bulletin MS12-027, and noted at the time that it was already aware of limited, targeted attacks exploiting the flaw.

In 2015, the US government reported that the vulnerability had become the most widely used exploit in ongoing cyber operations. As recently as December 2019, Chinese state cyber actors were still targeting the Windows Common Controls flaw, the CISA advisory stated.

"This trend suggests that organizations have not yet widely implemented patches for this vulnerability and that Chinese state cyber actors may continue to incorporate dated flaws into their operational tradecraft as long as they remain effective," CISA said.

The advisory also warns that the shift to remote working during the coronavirus pandemic has opened additional weaknesses that attackers are exploiting. Unpatched Pulse Secure VPN servers (CVE-2019-11510) and Citrix ADC and Gateway appliances (CVE-2019-19781) are common targets, according to the advisory. In addition, attackers are scanning for misconfigured Microsoft Office 365 tenants.

"March 2020 brought an abrupt shift to work-from-home that necessitated, for many organizations, rapid deployment of cloud collaboration services, such as Microsoft Office 365 (O365)," the agency stated in the advisory. "Malicious cyber actors are targeting organizations whose hasty deployment of Microsoft O365 may have led to oversights in security configurations and [left them] vulnerable to attack."

The list highlights how the popularity of Microsoft products makes them a common target for attackers. Seven of the top 10 vulnerabilities are in Microsoft Office, Microsoft SharePoint, Microsoft Windows, and Microsoft's .NET Framework. Microsoft's mechanism for embedding and linking data between documents and applications, Object Linking and Embedding (OLE), is a recurring weak point: the three vulnerabilities most used by state-sponsored actors from China, Iran, North Korea, and Russia (CVE-2017-11882, CVE-2017-0199, and CVE-2012-0158) all involve OLE, CISA stated.

The focus on Microsoft technologies and the continued use of older exploits is not surprising, says Chris Clements, vice president of solutions architecture for Cerberus Sentinel, a cybersecurity firm.

"All computer software has security flaws but developing reliable attacks to exploit them takes time and effort by attackers," Clements says. "In order to make sure they get the most results from their effort, attackers understandably target the software that is most widely in use. In this case, Microsoft Office."

While Microsoft products dominate, three other applications made the list as well. The Apache Struts vulnerability that allowed attackers to breach Equifax (CVE-2017-5638) is on the top 10 list. Adobe Flash (CVE-2018-4878), a perennial security problem child, continues to be a pathway for attackers, as does the Drupal content management system (CVE-2018-7600), according to CISA.
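The advisory's practical message is that "known exploited" should outrank CVSS score or novelty when deciding what to patch first. The following Python script is an added example, not code from CISA or from this article: it ranks vulnerability-scanner findings by whether the CVE appears on the advisory's list, how long the flaw has been public (taken from the year in the CVE ID, a lower bound), and whether the host is Internet-facing. The CVE IDs are those named in AA20-133A; the scan export, hostnames and scoring weights are constructed for illustration and are assumptions, not the advisory's.

```python
"""Rank scan findings against CISA's routinely exploited CVE list (AA20-133A).

Added example; not code from the advisory or from Dark Reading.
The scan export, hostnames and weights below are constructed for illustration.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date
from typing import List, Tuple

# The ten 2016-2019 entries from AA20-133A plus the two 2020 VPN issues it
# calls out. Product labels follow the advisory's descriptions.
ROUTINELY_EXPLOITED = {
    "CVE-2017-11882": "Microsoft Office (OLE)",
    "CVE-2017-0199": "Microsoft Office / WordPad (OLE)",
    "CVE-2017-5638": "Apache Struts",
    "CVE-2012-0158": "Windows Common Controls (OLE)",
    "CVE-2019-0604": "Microsoft SharePoint",
    "CVE-2017-0143": "Windows SMB (EternalBlue)",
    "CVE-2018-4878": "Adobe Flash Player",
    "CVE-2017-8759": "Microsoft .NET Framework",
    "CVE-2015-1641": "Microsoft Office",
    "CVE-2018-7600": "Drupal",
    "CVE-2019-19781": "Citrix ADC / Gateway",
    "CVE-2019-11510": "Pulse Secure VPN",
}

# Date of the advisory; used as the reference point for age calculations.
ADVISORY_DATE = date(2020, 5, 12)

# Constructed scanner export (hypothetical hosts). CVE-2014-0160 (Heartbleed)
# is included as a real but not-on-the-list finding to show the ranking effect.
SAMPLE_SCAN = """host,cve,product,exposure
web-01,CVE-2017-5638,Apache Struts 2.3.x,internet
web-01,CVE-2014-0160,OpenSSL 1.0.1,internet
fs-02,CVE-2017-0143,Windows Server 2012 R2,internal
hr-laptop-7,CVE-2012-0158,Microsoft Office 2010,internal
vpn-01,CVE-2019-11510,Pulse Connect Secure,internet
"""

# Scoring weights (assumptions): being on the list dominates everything else.
LISTED_WEIGHT = 100
AGE_WEIGHT_PER_YEAR = 5
INTERNET_FACING_WEIGHT = 20


@dataclass
class Finding:
    host: str
    cve: str
    product: str
    exposure: str
    routinely_exploited: bool
    age_years: int
    score: int


def cve_year(cve: str) -> int:
    """Year embedded in the CVE ID; a floor on how long the flaw has been public."""
    return int(cve.split("-")[1])


def score_finding(cve: str, exposure: str, as_of: date) -> Tuple[bool, int, int]:
    """Return (on_list, age_years, score) for one finding."""
    listed = cve in ROUTINELY_EXPLOITED
    age = max(0, as_of.year - cve_year(cve))
    score = (LISTED_WEIGHT if listed else 0)
    score += AGE_WEIGHT_PER_YEAR * age
    score += INTERNET_FACING_WEIGHT if exposure == "internet" else 0
    return listed, age, score


def prioritize(scan_csv: str, as_of: date) -> List[Finding]:
    """Parse a CSV scan export and return findings, highest priority first."""
    findings = []
    for row in csv.DictReader(io.StringIO(scan_csv)):
        listed, age, score = score_finding(row["cve"], row["exposure"], as_of)
        findings.append(Finding(row["host"], row["cve"], row["product"],
                                row["exposure"], listed, age, score))
    # Ties broken by CVE ID so the output is deterministic.
    return sorted(findings, key=lambda f: (-f.score, f.cve))


def report(findings: List[Finding]) -> str:
    """Render the ranked findings as a plain-text patch worklist."""
    lines = []
    for f in findings:
        tag = ROUTINELY_EXPLOITED.get(f.cve, "not on CISA list")
        lines.append(f"{f.score:4d}  {f.host:<12} {f.cve:<15} "
                     f"{f.age_years:2d}y  {f.exposure:<8} {tag}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(prioritize(SAMPLE_SCAN, ADVISORY_DATE)))
```

With the constructed export, the eight-year-old Office flaw on an internal laptop outranks the Internet-facing Struts server, and Heartbleed lands last despite its severity, which is exactly the reprioritisation the advisory is asking for. In a real deployment the CSV would come from the scanner, and the list would be refreshed from CISA rather than hard-coded.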

Whether the top 10 list will convince companies to put more efforts into patching is still up in the air, says Jonn Callahan, principal application security consultant at nVisium, an application security provider.

"Protecting against known vulnerabilities in particular products is simple: Keep the product patched — however, simple does not mean easy," he says. Yet, while patching can be difficult for some companies, "it is far more difficult to recover from [a breach]."

Companies need to recalculate their return on investment for modernizing applications and infrastructure to take into account the significant risk posed by outdated software, says Irfahn Khimji, country manager for Tripwire in Canada.

"While there can be significant cost to redeveloping applications, there are many significant benefits," he says. "Among them is that older systems are exploitable to some severe vulnerabilities that are actively and routinely being exploited. This list can be used to help businesses justify modernizing their platforms sooner rather than later."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...