For the third year in a row, cybercriminals employed vulnerabilities in Microsoft products far more so than security flaws in any other technology, new data for 2019 shows.
Eight out of the 10 most exploited vulnerabilities in 2019 in fact impacted Microsoft products. The other two—including the most exploited flaw—involved Adobe Flash Player, the previous top attacker favorite, according to analysis by Recorded Future.
Like it has done for past several years, Recorded Future analyzed data gathered from vulnerability databases and other sources to try and identify the vulnerabilities that were most used in phishing attacks, exploit kits, and remote access Trojans.
The threat intelligence firm considered data on some 12,000 vulnerabilities that were reported and rated through the Common Vulnerabilities and Exposure (CVE) system last year. Vulnerabilities related to nation-state exploits were specifically excluded from the list because such flaws are not typically offered for sale or even mentioned much on underground forums, according to Recorded Future.
The 2019 analysis showed a continued—and unsurprising—preference among cybercriminals for flaws impacting Microsoft software.
The most exploited vulnerability in 2019 itself was CVE-2018-15982, a so-called use-after-free issue impacting Adobe Flash Player 220.127.116.11 and earlier, and 18.104.22.168 and earlier. Exploits for the remote code execution flaw was distributed widely through at least ten exploits kits including RIG, Grandsoft, UnderMiner, and two newcomers, Capesand and Spelevo. But this vulnerability, and another use-after-free issue impacting multiple Adobe Flash Player versions (CVE-2018-4878), were the only ones in Recorded Future's top 10 list unrelated to Microsoft.
Four of the remaining eight vulnerabilities in Recorded Future's top 10 most exploited list impacted Internet Explorer. One of them—CVE-2018-8174—a remote code execution flaw in the Windows VBScripting engine, was the second-most abused flaw this year—and the most exploited issue in 2018. Exploits for the flaw were distributed through multiple exploit kits including RIG, Fallout, Spelevo, and Capesand.
Troublingly, as many as six of the vulnerabilities in this year's list, were present in the 2018 top 10 as well. One of them—a critical remote code execution flaw in Microsoft Office/Wordpad (CVE-2017-0199)—has been on the list for three years. In fact only one security vulnerability in Recorded Future's 2019 top 10 list was disclosed the same year—CVE-2019-0752—a "Scripting Engine Memory Corruption Vulnerability" in Internet Explorer 10 and 11.
"The number of repeated vulnerabilities is significant because it reveals the long-term viability of certain vulnerabilities," says Kathleen Kuczma, sales engineer at Recorded Future. Vulnerabilities that are easy to exploit or impact a common technology are often incorporated into exploit kits and sold on criminal underground forums, she notes.
CVE-2017-0199, for instance, continues to be heavily exploited because it impacted multiple Microsoft products, specifically Microsoft Office 2007-2016, Windows Server 2008, and Windows 7 and 8. "The number of products impacted coupled with its inclusion in multiple exploit kits makes it a viable vulnerability to continue to exploit. Kuczma says.
Another reason criminals continue exploiting certain vulnerabilities is simply because they work. Organizations often can take a long time to address known vulnerabilities even when the flaws are being actively exploited or being distributed through exploit kits. Common reasons for delays in patching include concern over downtime and operational disruptions and concern over patches not working or breaking applications. Other reasons include a lack of visibility and an inability to identify potentially vulnerable systems on a network.
"Many in security, primarily those that don't work on blue teams for large organizations, like to look through rose-tinted glasses," says Brian Martin, vice president of vulnerability intelligence at Risk Based Security. "The unfortunate reality is that patching all of the systems in a large organization is brutal."
It's not uncommon at all for penetration testers to discover systems on a target network that the hiring organization was not even aware about, he says.
Recorded Future's analysis showed a continuing decline in the use and availability of new exploit kits. At one time, exploit kits were extremely popular because they allowed even cybercriminals with relatively little skills the opportunity to execute sophisticated attacks. In 2016, Recorded Future counted at least 62 new exploit kits in underground markets. In 2019, they were just four new entrants.
The decline, which numerous security vendors and researchers have reported over the last two years or more, is primarily the result of multiple successful law enforcement action against the groups selling exploit kits.
The 2016 arrests of dozens of individuals in Russia behind the Angler exploit kit operations, is just one example, Kuczma says. Another factor is the relatively scarcity of zero-day flaws which were what exploit kits primarily relied on to be successful. "With less zero-days, companies are better able to shore up their defenses against potential exploit kit usage," she notes.
Harrison Van Riper, strategy and research analyst at Digital Shadows, says another factor is the planned end-of-life of Adobe Flash this year. Adobe Flash used to be an extremely common attack vector and therefore popular among exploit kit-makers. But with the technology scheduled for termination this year and modern browsers not running Flash automatically any more, interest in exploit kits has dwindled.
Lists like those from Recorded Future can help organizations identify the biggest immediate threats so remedial action can be prioritized. According to Recorded Future, less than 1% of all disclosed vulnerabilities are immediately weaponized. So by having information on the ones that are being actively exploited organizations can gain a better understanding of the specific issues impacting their technology stack.
"Vulnerabilities that are being actively exploited should be considered priorities for patching," Van Riper says. "Keeping up to date with newly-disclosed vulnerabilities and exploits, can also help with prioritizing patch processes."
Organizations need to realize that often, known vulnerabilities are exploited actively before a CVE number is assigned to it, says Martin from Risk Based Security.
According to the company, the CVE and National Vulnerability Database system often does not include many security vulnerabilities that researchers discover and disclose in various ways. In a report last year, Risk Based Security warned that organizations relying solely on the CVS/NVD system likely are not getting information on nearly one-third of all disclosed vulnerabilities. Risk Based Security has said its researchers found 5,970 more vulnerabilities last year than reported in the NVD. Of that, over 18% had a severity rating of between 9 and 10.
"While such a list is interesting and helpful, a more interesting nuance for the list would be to note the vulnerabilities but show a 'time to CVE assignment' metric," he says. This can help determine how long a security bug went from first recorded exploitation to the CVE being assigned to the CVE being opened and made public.
For organizations, the key takeaway is to pay attention to patching. "Vulnerability management has become a major priority recently, given the proliferation of attacks that rely on exploits that have existing patches," says Rui Lopes, engineering and technical support director at Panda Security. "A rock-solid process for assessing and deploying patches should be the bedrock of every organization’s vulnerability management plan."