
Vulnerabilities / Threats

5/13/2020
01:40 PM

Attackers Routinely Use Older Vulnerabilities to Exploit Businesses, US Cyber Agency Warns

Security issues in Microsoft products dominate the US government's top 10 list of commonly exploited vulnerabilities, but Apache Struts, Adobe Flash, and Drupal are also routinely targeted.

Cybercriminals and state actors continue to exploit a collection of older vulnerabilities — in some cases, more than 5 years old — to compromise companies and organizations that have poorly maintained systems, the US government warned in an advisory released on May 12.

In its "Top 10 Routinely Exploited Vulnerabilities," the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and other US government cybersecurity responders warned companies and agencies that publicly known vulnerabilities are far more commonly targeted by nation-state, cybercriminal, and unattributed attackers than zero-day vulnerabilities. All of the vulnerabilities are associated with popular malware frameworks — such as Dridex, FinSpy, China Chopper, and EternalBlue exploit kits — used by attackers in ongoing campaigns.

Failure to patch these vulnerabilities — all of which are more than a year old — puts organizations at significantly higher risk of compromise, the advisory stated.

"The public and private sectors could degrade some foreign cyber threats to US interests through an increased effort to patch their systems and implement programs to keep system patching up to date," the advisory stated. "A concerted campaign to patch these vulnerabilities would introduce friction into foreign adversaries' operational tradecraft and force them to develop or acquire exploits that are more costly and less widely effective."

Patching is the most basic way that companies can improve their cybersecurity posture, but old versions of software still exist in organizations' IT environments. The problems with patching are highlighted by the fact that one vulnerability on CISA's top 10 list of commonly exploited vulnerabilities was first disclosed in 2012.

"The biggest risk associated with these vulnerabilities is that in some enterprises they remain unpatched even years after patches are released," Chris Rothe, co-founder and chief product officer at Red Canary, said in a statement. "The number one thing a company can do to protect against falling victim to exploitation of software and operating system vulnerabilities is to build a mature IT hygiene program with the ability to quickly test and deploy patches."

Microsoft patched the vulnerability in Windows Common Controls (CVE-2012-0158) on April 10, 2012, and at the time, the company was already aware of attacks aimed at the vulnerability.

In 2015, the US government warned organizations that the vulnerability had become the most popular vector in ongoing cyber operations. As recently as December 2019, Chinese state cyber actors continued to target the Windows Common Control issue for exploitation, the CISA advisory stated.

"This trend suggests that organizations have not yet widely implemented patches for this vulnerability and that Chinese state cyber actors may continue to incorporate dated flaws into their operational tradecraft as long as they remain effective," CISA said.

The advisory also warns that the move to remote working during the coronavirus pandemic has resulted in additional cybersecurity weaknesses that attackers are exploiting. Both PulseSecure and Citrix virtual private networks are common targets of attack, according to the CISA advisory. In addition, attackers are scanning for misconfigured instances of Microsoft Office 365.

"March 2020 brought an abrupt shift to work-from-home that necessitated, for many organizations, rapid deployment of cloud collaboration services, such as Microsoft Office 365 (O365)," the agency stated in the advisory. "Malicious cyber actors are targeting organizations whose hasty deployment of Microsoft O365 may have led to oversights in security configurations and vulnerable to attack."

The list highlighted that the popularity of Microsoft products makes the software a common target among attackers. Seven of the top 10 vulnerabilities are in Microsoft Office, Microsoft SharePoint, Microsoft Windows, and Microsoft's .NET Framework. Microsoft's method of sharing data between different products, known as Object Linking & Embedding (OLE), is a common weakness targeted by attackers. The top three vulnerabilities targeted by state-sponsored cyber actors from China, Iran, North Korea, and Russia are all related to that technology, CISA stated.

The focus on Microsoft technologies and the continued use of older exploits is not surprising, says Chris Clements, vice president of solutions architecture for Cerberus Sentinel, a cybersecurity firm.

"All computer software has security flaws but developing reliable attacks to exploit them takes time and effort by attackers," Clements says. "In order to make sure they get the most results from their effort, attackers understandably target the software that is most widely in use. In this case, Microsoft Office."

While Microsoft products are the most popular, three other applications made the list as well. The Apache Struts vulnerability that allowed attackers to breach Equifax is on the top 10 list. Adobe Flash, a perennial security problem child, continues to be a pathway for attackers, as does the content management system Drupal, according to CISA.

Whether the top 10 list will convince companies to put more efforts into patching is still up in the air, says Jonn Callahan, principal application security consultant at nVisium, an application security provider.

"Protecting against known vulnerabilities in particular products is simple: Keep the product patched — however, simple does not mean easy," he says. Yet, while patching can be difficult for some companies, "it is far more difficult to recover from [a breach]."

Companies need to recalculate their return on investment for modernizing applications and infrastructure to take into account the significant risk posed by outdated software, says Irfahn Khimji, country manager for Tripwire in Canada.

"While there can be significant cost to redeveloping applications, there are many significant benefits," he says. "Among them is that older systems are exploitable to some severe vulnerabilities that are actively and routinely being exploited. This list can be used to help businesses justify modernizing their platforms sooner rather than later."
