The Top 10 Most Exploited Vulnerabilities: Parsing an Important Recent National Cyber Awareness System Alert

  • By Syed Abdur
  • Jul 06, 2020

The National Cyber Awareness System (NCAS) issued its Alert numbered AA20-133A last month, which identified the 10 most exploited vulnerabilities from 2016 to 2019. The research, which came out of work done by the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the broader US government, is surprising, due mostly to its utter lack of surprise. Old vulnerabilities persevere and continue to be exploited at a high rate; windows systems remain a big target for attackers; and malicious actors adapt rapidly to take advantage of changes such as the recent shift to work from home. What can InfoSec organizations learn from these observations?

First, the facts

According to NCAS, a combination of state, nonstate and unattributed cyber actors exploited the following vulnerabilities the most between 2016 and 2019: CVE-2017-11882, CVE-2017-0199, CVE-2017-5638, CVE-2012-0158, CVE-2019-0604, CVE-2017-0143, CVE-2018-4878, CVE-2017-8759, CVE-2015-1641 and CVE-2018-7600. Highlights of the alert include:

Malicious actors exploited vulnerabilities in Microsoft’s Object Linking and Embedding (OLE) technology most frequently.

CVE-2017-11882, CVE-2017-0199 and CVE-2012-0158 were the most-often-used vulnerabilities by China, Iran, North Korea and Russia. These vulnerabilities are all related to Microsoft’s OLE technology.

Chinese hackers exploited CVE-2012-0158 many times. This is the same vulnerability the US Government publicly assessed in 2015 as the most used in their cyber operations.

Two older vulnerabilities, CVE-2012-0158 and CVE-2015-1641, were included in the list.

Why do old vulnerabilities continue to be exploited?

Why is it that old vulnerabilities, with known exploits and fixes, continue to be successfully exploited at a high rate? To get an answer, it’s worth looking beyond the headlines of last month’s NCAS alert. While the notice is ostensibly about the top 10 vulnerabilities, it highlights some systemic problems with the current state of vulnerability management.

Vulnerability prioritization should be a continuous, ongoing process

For many organizations, vulnerability prioritization is a static, one-time process. Vulnerabilities are analyzed when they are initially reported and measures such as CVSS score or scanner severity are used to identify the vulnerabilities that are targeted for remediation. While vulnerability assessment tools are continuously looking to improve and expand the details they provide, relying on just these systems can often leave organizations vulnerable. Vulnerability management programs must incorporate threat intelligence feeds, vendor advisories, and notices from government and private research organizations as part of their decision-making process. In the case of CVE-2012-0158, it was included in another NCAS alert ‘Top 30 Targeted High Risk Vulnerabilities’ issued in 2015. The fact that it continued to be exploited at a very high rate during the next 3 years points to a critical flaw in the vulnerability management processes of impacted organizations.

Remediating vulnerabilities is a non-trivial task

The remediation process typically requires major investments of time and effort. At the same time, security professionals are under pressure to balance vulnerability mitigation with the mandate to keep systems running. We see this dilemma frequently. People ask, usually in an exasperated tone, “Why can’t you patch this?” The problem is that patching system A might cause systems B, C and D to crash.

Even if a system can be patched, it can take a while to perform the process. As the Ponemon study “Costs and Consequences of Gaps in Vulnerability Response” revealed, 60 percent of organizations they surveyed had suffered a data breach that exploited a known vulnerability for which a patch existed—but was just not installed. Indeed, patch implementation can lag behind patch releases due to a lack of resources. Organizations can alleviate some of these challenges through automation and better threat response policies. Requiring analysts to take subjective decisions about SLAs, ownership, escalation chains, etc., adds delays that can be avoided through codified policies that are implemented automatically. Organizations should also strive to make remediation more efficient by reducing the volume of tickets through intelligent consolidation based on targeted systems, common solutions and ownership.

Microsoft…still a huge target

The fact that Microsoft products figure into seven of the top 10 vulnerabilities should not be a big surprise. Microsoft products are just so pervasive and essential to IT that it’s logical that they would be attacked often. IT and security organizations need to develop a better understanding of the technology components that populate their IT infrastructures—and track them much more carefully.

Robust vulnerability management programs should provide rapid insights into the prevalence and impact of known risks, such as the ones listed in the NCAS alert. With effective processes (and tooling) in place, IT and security managers should be able know how many if their IT assets have these most vulnerable products and frameworks installed.

Malicious actors quickly adapt to changes

In addition to the top 10 exploited vulnerabilities between 2016 – 2019, the alert also highlights the vulnerabilities being routinely exploited by sophisticated foreign cyber actors so far in 2020. With the Covid-19 pandemic forcing the most drastic change in workplace norms in recent times and bringing an abrupt shift to work-for-home for large parts of the workforce, it’s no surprise that VPN solutions and cloud collaboration services are big targets for malicious actors. This trend in expected to continue as businesses may have little choice but to keep workers at home. As noted in a recent study by Cybersecurity Insiders, 84 percent of businesses are set to increase work-from-home capacity due to the pandemic—despite their concerns about security. A separate study found that a third of home-based employees use corporate Zoom accounts for online socializing with friends, potentially exposing the organization to social engineering attacks and unauthorized access to corporate information.

Security practitioners should expect malicious actors to respond to changes in the status quo more quickly than software and security vendors. IT and security managers need to pay special attention to the rapid rollouts they are conducting of Microsoft O365, Zoom and other remote work tools. Attackers are poised to take advantage of vulnerabilities exposed during this transition to nearly universal home-based work. The situation also reveals the serious need for strong employee cybersecurity education along with robust cyber risk, system recovery and contingency plans.

Conclusion

This timely alert from NCAS and other federal agencies is a valuable opportunity for InfoSec organizations to improve their existing vulnerability management programs. Organizations should respond quickly to ensure that they are not vulnerable to the risks highlighted in the alert. More importantly, they should strive to identify and address any underlying systemic weaknesses that exist in their vulnerability management process, and that could be putting them at risk of a catastrophic breach.

Featured

  • Freedom of Choice

    In today's security landscape, we are witnessing a fundamental transformation in how organizations manage digital evidence. Law enforcement agencies, campus security teams, and large facility operators face increasingly complex challenges with expanding video data, tightening budget constraints and inflexible systems that limit innovation. Read Now

  • Accelerating a Pathway

    There is a new trend touting the transformational qualities of AI’s ability to deliver actionable data and predictive analysis that in many instances, seems to be a bit of an overpromise. The reality is that very few solutions in the cyber-physical security (CPS) space live up to this high expectation with the one exception being the new generation of Physical Identity and Access Management (PIAM) software – herein recategorized as PIAM+. Read Now

  • Protecting Your Zones

    It is game day. You can feel the crowd’s energy. In the parking lot. At the gate. In the stadium. On the concourse. Fans are eager to party. Food and merchandise vendors ready themselves for the rush. Read Now

  • Street Smarts

    The ongoing acceptance of AI and advanced data analytics has allowed surveillance camera technology to shift from being a tactical tool to a strategic business solution. Combining traditional surveillance technology with AI-based data-driven insights can streamline transportation systems, enhance traffic management, improve situational awareness, optimize resource allocation and streamline emergency response procedures. Read Now

  • Midtown Manhattan Shooting Kills 4, Including NYPD Officer

    Four people were killed, including a NYPD officer, in a midtown Manhattan shooting on Monday. That’s according to CNN. Read Now

Most   Popular

New Products

  • Camden CM-221 Series Switches

    Camden CM-221 Series Switches

    Camden Door Controls is pleased to announce that, in response to soaring customer demand, it has expanded its range of ValueWave™ no-touch switches to include a narrow (slimline) version with manual override. This override button is designed to provide additional assurance that the request to exit switch will open a door, even if the no-touch sensor fails to operate. This new slimline switch also features a heavy gauge stainless steel faceplate, a red/green illuminated light ring, and is IP65 rated, making it ideal for indoor or outdoor use as part of an automatic door or access control system. ValueWave™ no-touch switches are designed for easy installation and trouble-free service in high traffic applications. In addition to this narrow version, the CM-221 & CM-222 Series switches are available in a range of other models with single and double gang heavy-gauge stainless steel faceplates and include illuminated light rings.

  • PE80 Series

    PE80 Series by SARGENT / ED4000/PED5000 Series by Corbin Russwin

    ASSA ABLOY, a global leader in access solutions, has announced the launch of two next generation exit devices from long-standing leaders in the premium exit device market: the PE80 Series by SARGENT and the PED4000/PED5000 Series by Corbin Russwin. These new exit devices boast industry-first features that are specifically designed to provide enhanced safety, security and convenience, setting new standards for exit solutions. The SARGENT PE80 and Corbin Russwin PED4000/PED5000 Series exit devices are engineered to meet the ever-evolving needs of modern buildings. Featuring the high strength, security and durability that ASSA ABLOY is known for, the new exit devices deliver several innovative, industry-first features in addition to elegant design finishes for every opening.

  • Camden CV-7600 High Security Card Readers

    Camden CV-7600 High Security Card Readers

    Camden Door Controls has relaunched its CV-7600 card readers in response to growing market demand for a more secure alternative to standard proximity credentials that can be easily cloned. CV-7600 readers support MIFARE DESFire EV1 & EV2 encryption technology credentials, making them virtually clone-proof and highly secure.