Security firm Verint has analyzed the top 20 vulnerabilities that are under active attack by cyber attack groups worldwide and should be patched now. The report is aimed at helping security teams prioritize and improve their organization’s patch management efforts.
Organizations face a daunting task trying to patch thousands of existing vulnerabilities in the wild.
This is especially true given most organizations have limited staff to deal with up to hundreds of new vulnerabilities released each month.
Given this challenge, the latest report published by Verint’s Cyber Threat Intelligence (CTI) Group can add valuable threat intelligence to your organization’s patch remediation program.
According to the National Vulnerability Database (NVD), nearly 45 new vulnerabilities are discovered on average every day.
Since 2016, NVD has seen an increase of 130% in the total number of disclosed vulnerabilities. Furthermore, 60% of the vulnerabilities are rated Critical or High severity and 45% impact Microsoft products.
Even while we try to keep up with the new ones, older vulnerabilities (going back to 2012) are still used to carry out successful cyber attacks.
Verint cautions organizations not to look only at the CVSS score. They should also take into account whether a vulnerability is under active exploitation by attackers.
As one example, a High severity WinRAR vulnerability (CVE-2018-20250) has been actively exploited by five different APT groups. In addition, the attacks were launched against multiple targets across a wide range of industries.
“This information clearly indicates the criticality of the vulnerability and the urgency for immediate patching,” Verint warned in the blog post.
Top 20 vulnerabilities to patch now
Verint has analyzed over 5,300 cyber intelligence feeds, 800 CVEs and other data over the past two and a half years to compile the list of top 20 most exploited vulnerabilities.
According to Verint, here are the top 20 vulnerabilities to patch, sorted by the number of observed attacks, highest first.
1) CVE-2017-11882: Microsoft Office memory corruption
Patched in November 2017, this Microsoft Office memory corruption vulnerability, CVE-2017-11882, allows an attacker to run arbitrary code. Security researchers observed a malware campaign exploiting it as recently as June 2019.
2) CVE-2018-8174: Microsoft Windows remote code execution
Patched in May 2018, this Microsoft Windows VBScript Engine vulnerability, CVE-2018-8174, could result in remote code execution. The BabyShark malware campaign used exploit code targeting this vulnerability as recently as April 2019.
3) CVE-2017-0199: Microsoft Windows, Office remote code execution
Microsoft patched this Office/WordPad vulnerability, CVE-2017-0199, in April 2017 and warned that it could also result in remote code execution. Bad actors also exploited this vulnerability as part of an attack delivered through LinkedIn’s messenger service in August 2017.
4) CVE-2018-4878: Adobe Flash Player; Red Hat Enterprise Linux
This Adobe Flash Player vulnerability, CVE-2018-4878, which also affected Red Hat Enterprise Linux, was patched in February 2018. South Korea’s Computer Emergency Response Team also found malicious code hidden in MS Office documents that exploited this Flash bug as part of a North Korean threat actor campaign.
5) CVE-2017-10271: Oracle WebLogic Server
6) CVE-2019-0708: Microsoft Windows “BlueKeep”
7) CVE-2017-5638: Apache Struts
8) CVE-2017-5715: ARM, Intel (“Spectre and Meltdown”)
9) CVE-2017-8759: Microsoft .NET Framework
10) CVE-2018-20250: RARLAB WinRAR
In April 2019, Microsoft researchers revealed details of how cyber attackers exploited this 19-year-old RARLAB WinRAR vulnerability, CVE-2018-20250, “using a complex attack chain and multiple code execution techniques.”
11) CVE-2018-7600: Debian, Drupal
12) CVE-2018-10561: DASAN Networks
It was reported in May 2018 that DASAN Networks had released an “unofficial” patch for this zero-day, CVE-2018-10561. A May 2019 report described a new Mirai variant exploiting this vulnerability (and 12 others) on vulnerable IoT devices.
13) CVE-2017-17215: Huawei
14) CVE-2012-0158: Microsoft Common Controls
Microsoft patched this Common Controls vulnerability, CVE-2012-0158, back in April 2012. Note how old this patch is.
15) CVE-2014-8361: D-Link, Realtek
D-Link and Realtek patched this vulnerability, CVE-2014-8361, back in May 2015. As reported by researchers in May 2019, this bug was also one of the 13 unique IoT vulnerabilities exploited by Mirai.
16) CVE-2017-8570: Microsoft Office
Microsoft patched this Office vulnerability, CVE-2017-8570, in July 2017. Just this August, researchers from Trend Micro discovered attackers exploiting this RCE vulnerability to download high-profile malware such as Loki and Nanocore.
17) CVE-2018-0802: Microsoft Office
At the time of the January 2018 patch, Microsoft warned of exploits in the wild for this Microsoft Office RCE vulnerability, CVE-2018-0802.
18) CVE-2017-0143: Microsoft SMB
As part of the March 2017 patch updates, Microsoft said exploitation of this SMB vulnerability, CVE-2017-0143, was likely.
19) CVE-2018-12130: Fedora
As part of the May 2019 patch updates, Microsoft patched this Microarchitectural Data Sampling (MDS) vulnerability, CVE-2018-12130, along with three others.
20) CVE-2019-2725: Oracle WebLogic Server
This Oracle WebLogic Server vulnerability, CVE-2019-2725, which could result in remote code execution (RCE), was patched in April 2019. The Center for Internet Security (CIS) issued an urgent advisory about active exploits of it.
In July 2019, Kaspersky researchers said they had discovered bad actors exploiting this WebLogic vulnerability as part of a Sodin ransomware campaign.
It is important to note that only 2 of the 20 most exploited vulnerabilities were patched in 2019. The majority have had patches available for several years, including one from 2014 and another from as far back as 2012.
Organizations should run targeted vulnerability scans to detect these 20 vulnerabilities and help IT teams and system owners prioritize patches. Special priority should be placed on externally facing systems, web servers and end-user devices, which are prime targets for attackers.
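One way to turn the two recommendations in this article (weigh known active exploitation above the raw CVSS score, and give externally facing systems special priority) into a repeatable triage step is a small script that ranks scanner findings against the list of 20 CVEs above. The following is an added example written for this summary; it is not Verint’s code, not part of the report, and not the output of any particular scanner. The CSV export format, the host names, the CVSS scores and the two “CVE-0000-…” identifiers (placeholders for vulnerabilities that are not on the list) are all constructed for the demonstration.

```python
"""Patch-prioritisation helper (added example; not Verint's code or tooling).

Ranks vulnerability-scan findings the way the article recommends:
  1. a CVE known to be exploited in the wild outranks a merely high CVSS score,
  2. an externally facing host outranks an internal one,
  3. CVSS base score breaks the remaining ties.
The scanner export format and all sample rows below are constructed.
"""
import csv
import io
from dataclasses import dataclass
from typing import Iterable, List

# The 20 actively exploited CVEs from the Verint list, exactly as given above.
ACTIVELY_EXPLOITED = frozenset({
    "CVE-2017-11882", "CVE-2018-8174", "CVE-2017-0199", "CVE-2018-4878",
    "CVE-2017-10271", "CVE-2019-0708", "CVE-2017-5638", "CVE-2017-5715",
    "CVE-2017-8759", "CVE-2018-20250", "CVE-2018-7600", "CVE-2018-10561",
    "CVE-2017-17215", "CVE-2012-0158", "CVE-2014-8361", "CVE-2017-8570",
    "CVE-2018-0802", "CVE-2017-0143", "CVE-2018-12130", "CVE-2019-2725",
})


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str
    cvss: float      # CVSS base score as reported by the scanner
    external: bool   # True if the host is reachable from the Internet


def parse_scan_csv(text: str) -> List[Finding]:
    """Parse a minimal scanner export. Constructed column layout:
    host,cve,cvss,exposure   where exposure is 'external' or 'internal'."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        findings.append(Finding(
            host=row["host"].strip(),
            cve=row["cve"].strip().upper(),
            cvss=float(row["cvss"]),
            external=row["exposure"].strip().lower() == "external",
        ))
    return findings


def is_exploited(cve: str) -> bool:
    """Known-exploited check against the page's list. The year in the CVE id
    is deliberately not used as an age or urgency signal: CVE-2012-0158 is
    still being exploited."""
    return cve.upper() in ACTIVELY_EXPLOITED


def tier(f: Finding) -> str:
    """Coarse patch tier for reporting to system owners."""
    if is_exploited(f.cve):
        return "P1" if f.external else "P2"
    if f.external or f.cvss >= 9.0:
        return "P3"
    return "P4"


def priority_key(f: Finding):
    # Tuple compares element by element; reverse=True puts True and high scores first.
    return (is_exploited(f.cve), f.external, f.cvss)


def prioritize(findings: Iterable[Finding]) -> List[Finding]:
    return sorted(findings, key=priority_key, reverse=True)


# Constructed sample export. The CVE-0000-* ids are placeholders for
# vulnerabilities that are NOT on the actively exploited list.
SAMPLE_SCAN = """host,cve,cvss,exposure
web01,CVE-2019-2725,9.8,external
db01,CVE-0000-0000,9.8,internal
ws-042,CVE-2017-11882,7.8,internal
web02,CVE-0000-0001,7.5,external
mail01,CVE-2017-0143,8.1,external
"""


def ranked_hosts(text: str = SAMPLE_SCAN) -> List[str]:
    """Host names in patch order, most urgent first."""
    return [f.host for f in prioritize(parse_scan_csv(text))]


if __name__ == "__main__":
    for f in prioritize(parse_scan_csv(SAMPLE_SCAN)):
        exposure = "external" if f.external else "internal"
        print(f"{tier(f)}  {f.host:<8} {f.cve:<15} CVSS {f.cvss:>4}  {exposure}")
```

Run as is, the script ranks the internal workstation with CVE-2017-11882 (CVSS 7.8) above the internal database host with a CVSS 9.8 finding that is not on the list, which is exactly the ordering the article argues for. In practice the CSV parser would be replaced by the real scanner’s export and the frozenset refreshed from a maintained known-exploited feed rather than a static copy of this list.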