
5/13/2020
01:40 PM

Attackers Routinely Use Older Vulnerabilities to Exploit Businesses, US Cyber Agency Warns

Security issues in Microsoft products dominate the US government's top 10 list of commonly exploited vulnerabilities, but Apache Struts, Adobe Flash, and Drupal are also routinely targeted.

Cybercriminals and state actors continue to exploit a collection of older vulnerabilities — in some cases, more than 5 years old — to compromise companies and organizations that have poorly maintained systems, the US government warned in an advisory released on May 12.

In its "Top 10 Routinely Exploited Vulnerabilities," the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and other US government cybersecurity responders warned companies and agencies that publicly known vulnerabilities are far more commonly targeted by nation-state, cybercriminal, and unattributed attackers than zero-day vulnerabilities. All of the vulnerabilities are associated with popular malware frameworks — such as Dridex, FinSpy, China Chopper, and EternalBlue exploit kits — used by attackers in ongoing campaigns.

Failure to patch these vulnerabilities — all of which are more than a year old — puts organizations at significantly higher risk of compromise, the advisory stated.

"The public and private sectors could degrade some foreign cyber threats to US interests through an increased effort to patch their systems and implement programs to keep system patching up to date," the advisory stated. "A concerted campaign to patch these vulnerabilities would introduce friction into foreign adversaries' operational tradecraft and force them to develop or acquire exploits that are more costly and less widely effective."

Patching is the most basic way that companies can improve their cybersecurity posture, yet old versions of software still persist in organizations' IT environments. The difficulty of patching is underscored by the fact that one vulnerability on CISA's top 10 list of commonly exploited vulnerabilities was first disclosed in 2012.

"The biggest risk associated with these vulnerabilities is that in some enterprises they remain unpatched even years after patches are released," Chris Rothe, co-founder and chief product officer at Red Canary, said in a statement. "The number one thing a company can do to protect against falling victim to exploitation of software and operating system vulnerabilities is to build a mature IT hygiene program with the ability to quickly test and deploy patches."

Microsoft patched the vulnerability in Windows Common Controls (CVE-2012-0158) on April 10, 2012, and at the time, the company was already aware of attacks aimed at the vulnerability.

In 2015, the US government warned organizations that the vulnerability had become the most popular vector in ongoing cyber operations. As recently as December 2019, Chinese state cyber actors continued to target the Windows Common Control issue for exploitation, the CISA advisory stated.

"This trend suggests that organizations have not yet widely implemented patches for this vulnerability and that Chinese state cyber actors may continue to incorporate dated flaws into their operational tradecraft as long as they remain effective," CISA said.
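The advisory's point about CVE-2012-0158 is really a point about patch age: a fix released on April 10, 2012 was still being exploited in December 2019. The following is an added example, not code from CISA or from this article, of the kind of inventory check a defender can run to surface that gap. It assumes a patch-management export that maps each hostname to the set of CVEs whose fixes are confirmed installed; the hostnames are hypothetical, the inventory is constructed, and the second reference entry is a labelled placeholder rather than a real CVE identifier. The reference list is a dictionary, so it extends to the full advisory list without changing the logic.

```python
from dataclasses import dataclass
from datetime import date

# Constructed reference list of routinely exploited CVEs keyed to the date
# the vendor patch became available. CVE-2012-0158 and its April 10, 2012
# patch date come from the article above; "CVE-YYYY-NNNNN" is a placeholder,
# not a real identifier, included only to show the check handles a list.
ROUTINELY_EXPLOITED = {
    "CVE-2012-0158": date(2012, 4, 10),
    "CVE-YYYY-NNNNN": date(2018, 6, 1),  # placeholder entry
}

# Constructed "as of" date matching the December 2019 activity the advisory cites.
AS_OF = date(2019, 12, 1)


@dataclass(frozen=True)
class Exposure:
    host: str
    cve: str
    patch_age_days: int  # days the fix has been available but not applied


def stale_exposures(inventory, reference=ROUTINELY_EXPLOITED,
                    as_of=None, min_age_days=365):
    """Return hosts still missing a patch that has been available for at least
    min_age_days, oldest gap first.

    inventory: {hostname: set of CVE ids whose patches are confirmed installed}
    reference: {CVE id: date the vendor patch was released}
    """
    as_of = as_of or date.today()
    findings = []
    for host, patched in inventory.items():
        for cve, released in reference.items():
            if cve in patched:
                continue  # fix confirmed present on this host
            age = (as_of - released).days
            if age >= min_age_days:
                findings.append(Exposure(host, cve, age))
    # Longest-outstanding gaps first; hostname breaks ties so output is stable.
    findings.sort(key=lambda e: (-e.patch_age_days, e.host))
    return findings


# Constructed sample inventory with hypothetical hostnames.
SAMPLE_INVENTORY = {
    "file-srv-01": {"CVE-2012-0158", "CVE-YYYY-NNNNN"},  # fully patched
    "legacy-app-02": {"CVE-YYYY-NNNNN"},                 # 2012 fix still missing
    "kiosk-03": set(),                                   # nothing confirmed
}


def sample_report():
    """Run the check over the constructed inventory as of AS_OF."""
    return stale_exposures(SAMPLE_INVENTORY, as_of=AS_OF)


if __name__ == "__main__":
    for e in sample_report():
        print(f"{e.host}: {e.cve} patch available for {e.patch_age_days} days")
```

The `min_age_days` threshold of one year mirrors the advisory's framing that every listed vulnerability is more than a year old; raising it isolates the truly ancient gaps, such as the 2012 Windows Common Controls fix, for priority remediation.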

The advisory also warns that the move to remote working during the coronavirus pandemic has resulted in additional cybersecurity weaknesses that attackers are exploiting. Both PulseSecure and Citrix virtual private networks are common targets of attack, according to the CISA advisory. In addition, attackers are scanning for misconfigured instances of Microsoft Office 365.

"March 2020 brought an abrupt shift to work-from-home that necessitated, for many organizations, rapid deployment of cloud collaboration services, such as Microsoft Office 365 (O365)," the agency stated in the advisory. "Malicious cyber actors are targeting organizations whose hasty deployment of Microsoft O365 may have led to oversights in security configurations and vulnerable to attack."

The list highlighted that the popularity of Microsoft products makes that software a common target among attackers. Seven of the top 10 vulnerabilities are in Microsoft Office, Microsoft SharePoint, Microsoft Windows, and Microsoft's .NET Framework. Microsoft's method of sharing data between different products, known as Object Linking & Embedding (OLE), is a common weakness targeted by attackers. The top three vulnerabilities targeted by state-sponsored cyber actors from China, Iran, North Korea, and Russia are all related to that technology, CISA stated.

The focus on Microsoft technologies and the continued use of older exploits is not surprising, says Chris Clements, vice president of solutions architecture for Cerberus Sentinel, a cybersecurity firm.

"All computer software has security flaws but developing reliable attacks to exploit them takes time and effort by attackers," Clements says. "In order to make sure they get the most results from their effort, attackers understandably target the software that is most widely in use. In this case, Microsoft Office."

While Microsoft products are the most popular, three other applications made the list as well. The Apache Struts vulnerability that allowed attackers to breach Equifax is on the top 10 list, as are Adobe Flash, a perennial security problem child that continues to be a pathway for attackers, and the content management system Drupal, according to CISA.

Whether the top 10 list will convince companies to put more efforts into patching is still up in the air, says Jonn Callahan, principal application security consultant at nVisium, an application security provider.

"Protecting against known vulnerabilities in particular products is simple: Keep the product patched — however, simple does not mean easy," he says. Yet, while patching can be difficult for some companies, "it is far more difficult to recover from [a breach]."

Companies need to recalculate their return on investment for modernizing applications and infrastructure to take into account the significant risk posed by outdated software, says Irfahn Khimji, country manager for Tripwire in Canada.

"While there can be significant cost to redeveloping applications, there are many significant benefits," he says. "Among them is that older systems are exploitable to some severe vulnerabilities that are actively and routinely being exploited. This list can be used to help businesses justify modernizing their platforms sooner rather than later."
