There are patches or remediations for all of them, but they’re still being picked apart. Why should attackers stop if the flaws remain unpatched, as so many do?
In a perfect world, CISA would laminate cards with the year’s top 30 vulnerabilities: You could whip it out and ask a business if they’ve bandaged these specific wounds before you hand over your cash.
This is not a perfect world. There are no laminated vulnerability cards.
But at least we have the list: In a joint advisory (PDF) published Wednesday, the FBI and Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Center, and the UK’s National Cyber Security Center listed the vulnerabilities that were “routinely” exploited in 2020, as well as those that are most often being picked apart so far this year.
The vulnerabilities – which lurk in devices or software from the likes of Citrix, Fortinet, Pulse Secure, Microsoft and Atlassian – include publicly known bugs, some of which are growing hair. One, in fact, dates to 2000.
“Cyber actors continue to exploit publicly known – and often dated – software vulnerabilities against broad target sets, including public and private sector organizations worldwide,” according to the advisory. “However, entities worldwide can mitigate the vulnerabilities listed in this report by applying the available patches to their systems and implementing a centralized patch management system.”
So far this year, cyberattackers are continuing to target vulnerabilities in perimeter-type devices, with particularly high amounts of unwanted attention being devoted to flaws in the perimeter devices sold by Microsoft, Pulse, Accellion, VMware and Fortinet.
All of the vulnerabilities have received patches from vendors. That doesn’t mean those patches have been applied, of course.
Repent, O Ye Patch Sinners
According to the advisory, attackers are unlikely to stop coming after geriatric vulnerabilities, including CVE-2017-11882: a Microsoft Office remote code execution (RCE) bug that was already near drinking age when it was patched at the age of 17 in 2017.
Why would they stop? As long as systems remain unpatched, it’s a win-win for adversaries, the joint advisory pointed out, as it saves bad actors time and effort.
Adversaries’ use of known vulnerabilities complicates attribution, reduces costs, and minimizes risk because they are not investing in developing a zero-day exploit for their exclusive use, which they risk losing if it becomes known. —Advisory
In fact, the top four preyed-upon 2020 vulnerabilities were discovered between 2018 to 2020, showing how common it is for organizations using the devices or technology in question to sidestep patching or remediation.
The top four:
- CVE-2019-19781, a critical bug in the Citrix Application Delivery Controller (ADC) and Citrix Gateway that left unpatched outfits at risk from a trivial attack on their internal operations. As of December 2020, 17 percent – about one in five of the 80,000 companies affected – hadn’t patched.
- CVE 2019-11510: a critical Pulse Secure VPN flaw exploited in several cyberattacks that targeted companies that had previously patched a related flaw in the VPN. In April 2020, the Department of Homeland Security (DHS) urged users to change their passwords for Active Directory accounts, given that the patches were deployed too late to stop bad actors from compromising those accounts.
- CVE 2018-13379: a path-traversal weakness in VPNs made by Fortinet that was discovered in 2018 and which was actively being exploited as of a few months ago, in April 2021.
- CVE 2020-5902: a critical vulnerability in F5 Networks’ BIG-IP advanced delivery controller networking devices that, as of July 2020, was being exploited by attackers to scrape credentials, launch malware and more.
The cybersecurity bodies urged organizations to remediate or mitigate vulnerabilities as soon as possible to reduce their risk of being ripped up. For those that can’t do that, the advisory encouraged organizations to check for the presence of indicators of compromise (IOCs).
If IOCs are found, kick off incident response and recovery plans, and let CISA know: the advisory contains instructions on how to report incidents or request technical help.
2020 Top 12 Exploited Vulnerabilities
Here’s the full list of the top dozen exploited bugs from last year:
|Citrix||CVE-2019-19781||arbitrary code execution|
|Pulse||CVE 2019-11510||arbitrary file reading|
|Fortinet||CVE 2018-13379||path traversal|
|F5- Big IP||CVE 2020-5902||remote code execution (RCE)|
|Microsoft||CVE-2020-0787||elevation of privilege|
|Netlogon||CVE-2020-1472||elevation of privilege|
Most Exploited So Far in 2021
CISA et al. also listed these 13 flaws, all discovered this year, that are also being energetically exploited:
- Microsoft Exchange: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE2021-27065: four flaws that can be chained together in the ProxyLogon group of security bugs that led to a patching frenzy. The frenzy was warranted: as of March, Microsoft said that 92 percent of Exchange Servers were vulnerable to ProxyLogon.
- Pulse Secure: CVE-2021-22893, CVE-2021-22894, CVE-2021-22899, and CVE-2021-22900. As of May, CVE-2021-22893 was being used by at least two advanced persistent threat actors (APTs), likely linked to China, to attack U.S. defense targets, among others.
- Accellion: CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104. These ones led to scads of attacks, including on Shell. Around 100 Accellion FTA customers, including the Jones Day Law Firm, Kroger and Singtel, were affected by attacks tied to FIN11 and the Clop ransomware gang.
- VMware: CVE-2021-21985: A critical bug in VMware’s virtualization management platform, vCenter Server, that allows a remote attacker to exploit the product and take control of a company’s affected system.
The advisory gave technical details for all these vulnerabilities along with guidance on mitigation and IOCs to help organizations figure out if they’re vulnerable or have already been compromised. The advisory also offers guidance for locking down systems.
Can Security Teams Keep Up?
Rick Holland, Digital Shadows CISO and vice president of strategy, called CISA vulnerability alerts an “influential tool to help teams stay above water and minimize their attack surface.”
The CVEs highlighted in Wednesday’s alert “continue to demonstrate that attackers are going after known vulnerabilities and leverage zero-days only when necessary,” he told Threatpost on Thursday.
Recent research (PDF) from Vulcan Cyber has found that more than three-quarters of cybersecurity leaders have been impacted by a security vulnerability over the past year. It begs the question: Is there a mismatch between enterprise vulnerability management programs and the ability of security teams to mitigate risk?
Yaniv Bar-Dayan, CEO and co-founder at Vulcan Cyber, a provider of SaaS for enterprise cyber risk remediation, suggested that it’s become ever more vital for enterprise IT security stakeholders to make “meaningful changes to their cyber hygiene efforts.” That means “prioritizing risk-based cybersecurity efforts, increasing collaboration between security and IT teams, updating vulnerability management tooling, and enhancing enterprise risk analytics, especially in businesses with advanced cloud application programs.”
Granted, vulnerability management is “one of the most difficult aspects of any security program,” he continued. But if a given vulnerability is being exploited, that should kick it up the priority list, Var-Dayan said. “Taking a risk-based approach to vulnerability management is the way forward; and teams should unquestionably be prioritizing vulnerabilities that are actively being exploited.”
072921 15:02 UPDATE: Corrected misattribution of quotes.
Worried about where the next attack is coming from? We’ve got your back. REGISTER NOW for our upcoming live webinar, How to Think Like a Threat Actor, in partnership with Uptycs on Aug. 17 at 11 AM EST and find out precisely where attackers are targeting you and how to get there first. Join host Becky Bracken and Uptycs researchers Amit Malik and Ashwin Vamshi on Aug. 17 at 11AM EST for this LIVE discussion.