The Top 10 Most Exploited Vulnerabilities: Parsing an Important Recent National Cyber Awareness System Alert

The National Cyber Awareness System (NCAS) issued Alert AA20-133A last month, identifying the 10 most exploited vulnerabilities from 2016 to 2019. The research, which came out of work done by the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the broader US government, is surprising mostly for its utter lack of surprise. Old vulnerabilities persevere and continue to be exploited at a high rate; Windows systems remain a big target for attackers; and malicious actors adapt rapidly to take advantage of changes such as the recent shift to work from home. What can InfoSec organizations learn from these observations?

First, the facts

According to NCAS, a combination of state, nonstate and unattributed cyber actors most frequently exploited the following vulnerabilities between 2016 and 2019: CVE-2017-11882 (Microsoft Office), CVE-2017-0199 (Microsoft Office and WordPad), CVE-2017-5638 (Apache Struts), CVE-2012-0158 (Microsoft Windows Common Controls), CVE-2019-0604 (Microsoft SharePoint), CVE-2017-0143 (Microsoft Windows SMB), CVE-2018-4878 (Adobe Flash Player), CVE-2017-8759 (Microsoft .NET Framework), CVE-2015-1641 (Microsoft Office) and CVE-2018-7600 (Drupal). Highlights of the alert include:

Malicious actors exploited vulnerabilities in Microsoft’s Object Linking and Embedding (OLE) technology most frequently.

CVE-2017-11882, CVE-2017-0199 and CVE-2012-0158 were the three vulnerabilities used most frequently by state-sponsored actors from China, Iran, North Korea and Russia. All three are related to Microsoft’s OLE technology.

As of December 2019, Chinese state actors were still frequently exploiting CVE-2012-0158, the same vulnerability the US Government publicly assessed in 2015 as the one most used in their cyber operations.

Two older vulnerabilities, CVE-2012-0158 and CVE-2015-1641, were included in the list.

Why do old vulnerabilities continue to be exploited?

Why is it that old vulnerabilities, with known exploits and fixes, continue to be successfully exploited at a high rate? To get an answer, it’s worth looking beyond the headlines of last month’s NCAS alert. While the notice is ostensibly about the top 10 vulnerabilities, it highlights some systemic problems with the current state of vulnerability management.

Vulnerability prioritization should be a continuous, ongoing process

For many organizations, vulnerability prioritization is a static, one-time process. Vulnerabilities are analyzed when they are initially reported, and measures such as CVSS score or scanner severity are used to select the vulnerabilities targeted for remediation. While vulnerability assessment tools continuously improve and expand the details they provide, relying on these systems alone can leave organizations exposed: a CVSS score describes potential impact, not whether anyone is actually exploiting the flaw. Vulnerability management programs must incorporate threat intelligence feeds, vendor advisories, and notices from government and private research organizations into their decision-making process. CVE-2012-0158, for example, was already included in the 2015 NCAS alert ‘Top 30 Targeted High Risk Vulnerabilities’ (TA15-119A). The fact that it continued to be exploited at a very high rate for years afterward points to a critical flaw in the vulnerability management processes of the impacted organizations.

Remediating vulnerabilities is a non-trivial task

The remediation process typically requires major investments of time and effort. At the same time, security professionals are under pressure to balance vulnerability mitigation with the mandate to keep systems running. We see this dilemma frequently. People ask, usually in an exasperated tone, “Why can’t you patch this?” The problem is that patching system A might cause systems B, C and D to fail.

Even if a system can be patched, the process can take a while. As the Ponemon study “Costs and Consequences of Gaps in Vulnerability Response” revealed, 60 percent of the organizations surveyed had suffered a data breach that exploited a known vulnerability for which a patch existed but had not been installed. Patch implementation lags behind patch releases largely because of a lack of resources. Organizations can alleviate some of these challenges through automation and better threat response policies. Requiring analysts to make subjective decisions about SLAs, ownership, escalation chains and the like adds delays that can be avoided through codified policies applied automatically. Organizations should also make remediation more efficient by reducing ticket volume through intelligent consolidation based on targeted systems, common fixes and ownership.

Microsoft…still a huge target

The fact that Microsoft products figure in seven of the top 10 vulnerabilities should not be a big surprise. Microsoft products are so pervasive and essential to IT that it is logical they would be attacked often. IT and security organizations need to develop a better understanding of the technology components that populate their IT infrastructures and track them much more carefully.

Robust vulnerability management programs should provide rapid insight into the prevalence and impact of known risks, such as the ones listed in the NCAS alert. With effective processes (and tooling) in place, IT and security managers should be able to say how many of their IT assets have these most-targeted products and frameworks installed.
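The three process points above (ranking on exploitation evidence rather than CVSS alone, codifying SLAs and consolidating tickets by owner and fix, and reporting how many assets carry the affected products) can be expressed as one small triage script. The following is an added example written for this page, not code from the original article or from CISA. The scanner findings, host names, owners, fix labels and the CVE-0000-* placeholder identifiers are constructed sample data; the SLA day counts are an assumed policy; only the ten CVEs in KNOWN_EXPLOITED come from the alert.

```python
"""Vulnerability triage: prioritize on exploitation evidence, apply a
codified SLA, consolidate tickets, and report product prevalence.

Added example for this page. Findings, owners, fix labels and the
CVE-0000-* identifiers are constructed sample data; SLA_DAYS is an
assumed policy. KNOWN_EXPLOITED is the top-10 list from CISA AA20-133A.
"""
from collections import defaultdict
from datetime import date, timedelta

# The ten CVEs named in AA20-133A, mapped to the affected product family.
KNOWN_EXPLOITED = {
    "CVE-2017-11882": "Microsoft Office",
    "CVE-2017-0199": "Microsoft Office",
    "CVE-2017-5638": "Apache Struts",
    "CVE-2012-0158": "Microsoft Windows Common Controls",
    "CVE-2019-0604": "Microsoft SharePoint",
    "CVE-2017-0143": "Microsoft Windows SMB",
    "CVE-2018-4878": "Adobe Flash Player",
    "CVE-2017-8759": "Microsoft .NET Framework",
    "CVE-2015-1641": "Microsoft Office",
    "CVE-2018-7600": "Drupal",
}

# Constructed scanner output. CVSS values are illustrative.
# CVE-0000-0001 / CVE-0000-0002 are placeholders, not real CVEs.
FINDINGS = [
    {"host": "fs01", "cve": "CVE-2012-0158", "cvss": 8.8, "owner": "desktop", "fix": "office-controls-update"},
    {"host": "ws17", "cve": "CVE-2012-0158", "cvss": 8.8, "owner": "desktop", "fix": "office-controls-update"},
    {"host": "ws17", "cve": "CVE-2017-11882", "cvss": 7.8, "owner": "desktop", "fix": "office-eqnedt-update"},
    {"host": "web02", "cve": "CVE-2017-5638", "cvss": 10.0, "owner": "webapps", "fix": "struts-upgrade"},
    {"host": "web02", "cve": "CVE-0000-0001", "cvss": 9.8, "owner": "webapps", "fix": "vendor-patch-a"},
    {"host": "db04", "cve": "CVE-0000-0002", "cvss": 5.3, "owner": "dba", "fix": "vendor-patch-b"},
]

# Assumed remediation policy: days allowed per class. Exploited-in-the-wild
# beats raw CVSS, which is the point the alert makes about CVE-2012-0158.
SLA_DAYS = {"exploited": 7, "critical": 14, "high": 30, "other": 90}


def sla_class(finding):
    """Classify a finding; known exploitation outranks any CVSS band."""
    if finding["cve"] in KNOWN_EXPLOITED:
        return "exploited"
    if finding["cvss"] >= 9.0:
        return "critical"
    if finding["cvss"] >= 7.0:
        return "high"
    return "other"


def prioritize(findings):
    """Order findings: known-exploited first, then by descending CVSS."""
    return sorted(findings, key=lambda f: (f["cve"] not in KNOWN_EXPLOITED, -f["cvss"]))


def due_date(finding, opened):
    """Codified SLA: due date follows from the class, not from an analyst's call."""
    return opened + timedelta(days=SLA_DAYS[sla_class(finding)])


def consolidate(findings, opened):
    """One ticket per (owner, fix); the ticket inherits the earliest due date."""
    tickets = {}
    for f in findings:
        t = tickets.setdefault((f["owner"], f["fix"]), {
            "owner": f["owner"], "fix": f["fix"], "hosts": set(), "cves": set(), "due": None,
        })
        t["hosts"].add(f["host"])
        t["cves"].add(f["cve"])
        d = due_date(f, opened)
        if t["due"] is None or d < t["due"]:
            t["due"] = d
    return sorted(tickets.values(), key=lambda t: t["due"])


def prevalence(findings):
    """Distinct hosts per product family, restricted to the AA20-133A CVEs."""
    hosts = defaultdict(set)
    for f in findings:
        product = KNOWN_EXPLOITED.get(f["cve"])
        if product:
            hosts[product].add(f["host"])
    return {product: len(h) for product, h in hosts.items()}


if __name__ == "__main__":
    opened = date(2020, 6, 1)
    for f in prioritize(FINDINGS):
        print(f"{f['host']:6} {f['cve']:15} cvss={f['cvss']:4} class={sla_class(f):9} due={due_date(f, opened)}")
    for t in consolidate(FINDINGS, opened):
        print(f"ticket owner={t['owner']:8} fix={t['fix']:22} hosts={sorted(t['hosts'])} due={t['due']}")
    print(prevalence(FINDINGS))
```

Note that the CVSS 9.8 placeholder finding sorts below the CVSS 7.8 CVE-2017-11882 finding, because the latter is on the exploited list; six findings collapse into five tickets, and the two findings for CVE-2012-0158 become one ticket for the desktop team covering both hosts.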

Malicious actors quickly adapt to changes

In addition to the top 10 exploited vulnerabilities from 2016 to 2019, the alert also highlights the vulnerabilities being routinely exploited by sophisticated foreign cyber actors so far in 2020: the Citrix (CVE-2019-19781) and Pulse Secure (CVE-2019-11510) VPN flaws, and misconfigurations in hastily deployed Microsoft Office 365 tenants. With the Covid-19 pandemic forcing the most drastic change in workplace norms in recent times and bringing an abrupt shift to work-from-home for large parts of the workforce, it is no surprise that VPN solutions and cloud collaboration services are big targets for malicious actors. This trend is expected to continue as businesses may have little choice but to keep workers at home. As noted in a recent study by Cybersecurity Insiders, 84 percent of businesses are set to increase work-from-home capacity due to the pandemic, despite their concerns about security. A separate study found that a third of home-based employees use corporate Zoom accounts for online socializing with friends, potentially exposing the organization to social engineering attacks and unauthorized access to corporate information.

Security practitioners should expect malicious actors to respond to changes in the status quo more quickly than software and security vendors do. IT and security managers need to pay special attention to the rapid rollouts they are conducting of Microsoft Office 365, Zoom and other remote work tools. Attackers are poised to take advantage of vulnerabilities exposed during this transition to nearly universal home-based work. The situation also reveals the serious need for strong employee cybersecurity education along with robust cyber risk, system recovery and contingency plans.

Conclusion

This timely alert from NCAS and other federal agencies is a valuable opportunity for InfoSec organizations to improve their existing vulnerability management programs. Organizations should respond quickly to ensure that they are not vulnerable to the risks highlighted in the alert. More importantly, they should strive to identify and address any underlying systemic weaknesses that exist in their vulnerability management process, and that could be putting them at risk of a catastrophic breach.
