The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have released a list of the top ten vulnerabilities exploited by "sophisticated foreign cyber actors" to enable IT security professionals to secure their networks optimally and reduce the risk from cyber threats.
The two agencies said foreign cyber actors have been exploiting a number of publicly known, and often dated, software vulnerabilities to target U.S. organisations and entities, because exploiting these vulnerabilities usually requires fewer resources than zero-day exploits, for which no patches are available.
They added that organisations can prevent foreign state actors from exploiting these vulnerabilities by continuously patching their devices and networks and by implementing programmes to keep system patching up to date. The ten vulnerabilities most exploited between 2016 and 2019 are CVE-2017-11882, CVE-2017-0199, CVE-2017-5638, CVE-2012-0158, CVE-2019-0604, CVE-2017-0143, CVE-2018-4878, CVE-2017-8759, CVE-2015-1641, and CVE-2018-7600.
Top three exploited vulnerabilities related to Microsoft’s OLE technology
According to the FBI and CISA, three of these vulnerabilities (CVE-2017-11882, CVE-2017-0199, and CVE-2012-0158) are routinely exploited by state-sponsored cyber actors from China, Iran, North Korea, and Russia. All three relate to Microsoft’s OLE technology, which allows documents to contain embedded content from other applications, such as spreadsheets.
Of these three vulnerabilities, CVE-2012-0158 has been the most exploited, particularly by Chinese hackers since 2015. Many organisations have still not patched it, which lets hackers keep the vulnerability in their operational tradecraft for as long as it remains effective.
Aside from Microsoft’s OLE technology, state-sponsored foreign cyber actors have also been exploiting a vulnerability in the widespread web framework Apache Struts (CVE-2017-5638), as well as vulnerabilities in widely used technologies such as Microsoft and Adobe Flash products.
With the COVID-19 pandemic forcing a large number of organisations to switch to remote working, the two agencies observed that state-sponsored hackers are now targeting organisations that have adopted cloud collaboration services such as Microsoft Office 365 but may not have optimised their security configurations to prevent all kinds of cyber threats.
While poor employee education on social engineering attacks has made remote workers susceptible to phishing attacks, a lack of system recovery and contingency plans has also left organisations unable to respond to ransomware attacks in 2020, the two agencies noted.
This year, hackers have also started exploiting vulnerabilities in VPNs, such as CVE-2019-19781, an arbitrary code execution vulnerability in Citrix VPN appliances, and CVE-2019-11510, an arbitrary file reading vulnerability in Pulse Secure VPN servers.
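A practical use of the two lists above is to triage vulnerability scan output so that the CVEs named by CISA and the FBI are patched first. The following is an added example, not code from the agencies or the article; the scan record format, the host names and the priority tiers (VPN flaws, then the OLE trio, then the rest of the top ten) are the example's own assumptions.

```python
# Added example: rank constructed scan findings against the CVEs named in the
# CISA/FBI list. Scan schema and tiering are assumptions of this example.
from dataclasses import dataclass

# The ten CVEs the agencies report as most exploited between 2016 and 2019.
CISA_FBI_TOP10 = {
    "CVE-2017-11882", "CVE-2017-0199", "CVE-2017-5638", "CVE-2012-0158",
    "CVE-2019-0604", "CVE-2017-0143", "CVE-2018-4878", "CVE-2017-8759",
    "CVE-2015-1641", "CVE-2018-7600",
}
# The three Microsoft OLE-related entries singled out by the agencies.
OLE_RELATED = {"CVE-2017-11882", "CVE-2017-0199", "CVE-2012-0158"}
# VPN appliance flaws reported as exploited in 2020.
VPN_2020 = {"CVE-2019-19781", "CVE-2019-11510"}

@dataclass(frozen=True)
class Finding:
    host: str
    cve: str

def priority(cve: str) -> int:
    """Lower is more urgent. 0: 2020 VPN flaws, 1: OLE trio,
    2: rest of the top ten, 3: anything not on these lists."""
    cve = cve.strip().upper()          # scanners differ in case/whitespace
    if cve in VPN_2020:
        return 0
    if cve in OLE_RELATED:
        return 1
    if cve in CISA_FBI_TOP10:
        return 2
    return 3

def triage(findings):
    """Deduplicate findings and sort them by priority, then host, then CVE."""
    unique = {(f.host, f.cve.strip().upper()) for f in findings}
    ordered = sorted(unique, key=lambda hc: (priority(hc[1]), hc[0], hc[1]))
    return [Finding(h, c) for h, c in ordered]

def hosts_needing_attention(findings):
    """Map each host carrying a listed CVE to its listed CVEs, most urgent first."""
    out = {}
    for f in triage(findings):
        if priority(f.cve) < 3:
            out.setdefault(f.host, []).append(f.cve)
    return out

# Constructed sample scan output (hypothetical hosts; one duplicate, one
# placeholder CVE id that is on none of the lists).
SAMPLE = [
    Finding("fileserver01", "CVE-2017-11882"),
    Finding("vpn-gw", "cve-2019-19781"),
    Finding("web01", "CVE-2017-5638"),
    Finding("web01", "CVE-0000-0000"),
    Finding("fileserver01", "CVE-2017-11882"),
]
```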
Timely patching the best response to state-sponsored cyber attacks
"The public and private sectors could degrade some foreign cyber threats to U.S. interests through an increased effort to patch their systems and implement programs to keep system patching up to date," said US-CERT in a blog post.
"A concerted campaign to patch these vulnerabilities would introduce friction into foreign adversaries’ operational tradecraft and force them to develop or acquire exploits that are more costly and less widely effective. A concerted patching campaign would also bolster network security by focusing scarce defensive resources on the observed activities of foreign adversaries," it added.
Commenting on the list of the top ten vulnerabilities announced by CISA and the FBI, Eoin Keary, founder and CEO of Edgescan, said that the common vulnerabilities used to exploit systems are years old rather than "zero day" issues, and can be mitigated with good patching and/or maintenance procedures.
However, Keary added that web application vulnerabilities should also be mentioned, as they open organisations up to code injection attacks and client-side browser attacks. "Ultimately, attackers don’t care where the vulnerability is, which is why a full-stack vulnerability management approach is advised in such a fast-changing threat landscape," he said.
"In the CISA Top 10 Vulnerabilities Report we see confirmation that attackers do indeed exploit vulnerabilities in older software, and that the “long-tail” patch problem we’ve seen within open source is as prevalent within IT organisations using Microsoft software," said Tim Mackey, principal security strategist at the Synopsys CyRC.
"This speaks to a need across all levels of government and within industry to fully understand precisely what software is running within their organisations, and develop a patch strategy which not only addresses ensuring systems are kept up to date, but also that if a legacy system must remain operational, that additional protections around these legacy systems be applied," he added.