The Cybersecurity and Infrastructure Security Agency (CISA), together with the Federal Bureau of Investigation (FBI), and the broader U.S. Government have released an alert detailing the 10 most exploited vulnerabilities in the period between 2016 and 2019, and also so far in 2020.
CISA says that foreign threat actors continue to exploit publicly known, and usually old, software vulnerabilities against both public and private organizations. These older vulnerabilities are easier to exploit than zero-day vulnerabilities, since working exploits are already publicly available and need no new research.
The public and private sectors could reduce the risk of cyber threats against U.S. infrastructure through an increased effort to patch their systems, CISA says. This advice applies to any country, really.
A well-organized patching campaign would introduce friction for malicious hacking groups, forcing them to develop or acquire more sophisticated exploits, which typically cost more.
“A concerted patching campaign would also bolster network security by focusing scarce defensive resources on the observed activities of foreign adversaries,” CISA adds.
Vulnerabilities Most Exploited in 2016-2019
According to data gathered with the help of U.S. government reporting, the top 10 most exploited vulnerabilities by state, non-state, and unattributed threat actors in 2016-2019 are:
CVE-2017-11882, CVE-2017-0199, CVE-2017-5638, CVE-2012-0158, CVE-2019-0604, CVE-2017-0143, CVE-2018-4878, CVE-2017-8759, CVE-2015-1641, and CVE-2018-7600.
Let’s take the first vulnerability from that list – CVE-2017-11882. Last year, we reported that cybercriminal collectives had been found leveraging this old vulnerability, tracked as CVE-2017-11882. It is a bug in the Equation Editor, a component of Microsoft Office used when viewing documents. The vulnerability was used in attacks that dropped the Agent Tesla malware on infected systems.
Vulnerabilities Most Exploited in 2020
What vulnerabilities have been routinely exploited by sophisticated threat actors in 2020? It seems that cybercriminals are increasingly targeting unpatched VPN vulnerabilities such as:
- CVE-2019-19781, an arbitrary code execution bug in Citrix VPN solutions;
- CVE-2019-11510, an arbitrary file reading bug in Pulse Secure VPN servers.
With the coronavirus pandemic and the widespread shift to remote work, many organizations had to deploy cloud collaboration services such as Microsoft Office 365 (O365). As a result of this shift, threat actors are now targeting organizations whose abrupt deployment of Microsoft O365 may have led to oversights in security configurations, making them vulnerable to attack, CISA says.
In addition, general cybersecurity weaknesses, such as poor employee education and a lack of system recovery and contingency plans, have continued to make organizations more vulnerable to ransomware attacks in 2020.
More information is available in CISA’s alert.