Cybercriminals and state actors continue to exploit a collection of older vulnerabilities — in some cases, more than 5 years old — to compromise companies and organizations that have poorly maintained systems, the US government warned in an advisory released on May 12.
In its "Top 10 Routinely Exploited Vulnerabilities," the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and other US government cybersecurity responders warned companies and agencies that publicly known vulnerabilities are far more commonly targeted by nation-state, cybercriminal, and unattributed attackers than zero-day vulnerabilities. All of the vulnerabilities are associated with popular malware frameworks — such as Dridex, FinSpy, China Chopper, and EternalBlue exploit kits — used by attackers in ongoing campaigns.
Failure to patch these vulnerabilities — all of which are more than a year old — puts organizations at significantly higher risk of compromise, the advisory stated.
"The public and private sectors could degrade some foreign cyber threats to US interests through an increased effort to patch their systems and implement programs to keep system patching up to date," the advisory stated. "A concerted campaign to patch these vulnerabilities would introduce friction into foreign adversaries' operational tradecraft and force them to develop or acquire exploits that are more costly and less widely effective."
Patching is the most basic way that companies can improve their cybersecurity posture, but old versions of software still persist in organizations' IT environments. The difficulty of patching is highlighted by the fact that one vulnerability on CISA's top 10 list of commonly exploited vulnerabilities was first disclosed in 2012.
"The biggest risk associated with these vulnerabilities is that in some enterprises they remain unpatched even years after patches are released," Chris Rothe, co-founder and chief product officer at Red Canary, said in a statement. "The number one thing a company can do to protect against falling victim to exploitation of software and operating system vulnerabilities is to build a mature IT hygiene program with the ability to quickly test and deploy patches."
Microsoft patched the vulnerability in Windows Common Controls (CVE-2012-0158) on April 10, 2012, and at the time, the company was already aware of attacks aimed at the vulnerability.
In 2015, the US government warned organizations that the vulnerability had become the most popular vector in ongoing cyber operations. As recently as December 2019, Chinese state cyber actors continued to target the Windows Common Control issue for exploitation, the CISA advisory stated.
"This trend suggests that organizations have not yet widely implemented patches for this vulnerability and that Chinese state cyber actors may continue to incorporate dated flaws into their operational tradecraft as long as they remain effective," CISA said.
The advisory also warns that the move to remote working during the coronavirus pandemic has resulted in additional cybersecurity weaknesses that attackers are exploiting. Both PulseSecure and Citrix virtual private networks are common targets of attack, according to the CISA advisory. In addition, attackers are scanning for misconfigured instances of Microsoft Office 365.
"March 2020 brought an abrupt shift to work-from-home that necessitated, for many organizations, rapid deployment of cloud collaboration services, such as Microsoft Office 365 (O365)," the agency stated in the advisory. "Malicious cyber actors are targeting organizations whose hasty deployment of Microsoft O365 may have led to oversights in security configurations and [left them] vulnerable to attack."
The list highlights how the popularity of Microsoft products makes that software a common target among attackers. Seven of the top 10 vulnerabilities are in Microsoft Office, Microsoft SharePoint, Microsoft Windows, and Microsoft's .NET Framework. Microsoft's method of sharing data between different products, known as Object Linking & Embedding (OLE), is a common weakness targeted by attackers. The top three vulnerabilities targeted by state-sponsored cyber actors from China, Iran, North Korea, and Russia are all related to that technology, CISA stated.
The focus on Microsoft technologies and the continued use of older exploits is not surprising, says Chris Clements, vice president of solutions architecture for Cerberus Sentinel, a cybersecurity firm.
"All computer software has security flaws but developing reliable attacks to exploit them takes time and effort by attackers," Clements says. "In order to make sure they get the most results from their effort, attackers understandably target the software that is most widely in use. In this case, Microsoft Office."
While Microsoft products are the most popular targets, three other applications made the list as well. The Apache Struts vulnerability that allowed attackers to breach Equifax is on the top 10 list. Adobe Flash, a perennial security problem child, continues to be a pathway for attackers, as does the content management system Drupal, according to CISA.
Whether the top 10 list will convince companies to put more effort into patching is still up in the air, says Jonn Callahan, principal application security consultant at nVisium, an application security provider.
"Protecting against known vulnerabilities in particular products is simple: Keep the product patched — however, simple does not mean easy," he says. Yet, while patching can be difficult for some companies, "it is far more difficult to recover from [a breach]."
Companies need to recalculate their return on investment for modernizing applications and infrastructure to take into account the significant risk posed by outdated software, says Irfahn Khimji, country manager for Tripwire in Canada.
"While there can be significant cost to redeveloping applications, there are many significant benefits," he says. "Among them is that older systems are exploitable to some severe vulnerabilities that are actively and routinely being exploited. This list can be used to help businesses justify modernizing their platforms sooner rather than later."