U.S. government cybersecurity experts are providing guidance on the “top 10” most commonly exploited vulnerabilities. The alert helps highlight the importance of patching and of prioritizing vulnerabilities with known exploits.
In a joint alert by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the broader U.S. Government, experts warn that attackers routinely exploit well-known vulnerabilities.
Many of those vulnerabilities are older and have been patched for years.
CISA described the threat in the alert:
“Foreign cyber actors continue to exploit publicly known—and often dated—software vulnerabilities against broad target sets, including public and private sector organizations. Exploitation of these vulnerabilities often requires fewer resources as compared with zero-day exploits for which no patches are available.” (CISA alert)
The advisory breaks out the “Top 10” most routinely exploited vulnerabilities from 2016 through 2019. In addition, the alert also lists vulnerabilities most recently exploited in 2020.
Each of the Top 10 vulnerabilities is summarized in this article, along with associated malware and related news events.
1) CVE-2019-0604: SharePoint RCE
According to Microsoft, this remote code execution (RCE) vulnerability CVE-2019-0604 could allow an attacker to exploit and run arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account.
Earlier this year, security experts from Microsoft revealed threat actors were increasingly using web shell attacks in their campaigns to exploit known vulnerabilities like CVE-2019-0604 to implant web shells on internet-facing web servers.
China Chopper, one of the most widely used web shells, has been known to exploit this SharePoint RCE.
2) CVE-2018-7600: Drupalgeddon2
In October, 2019, cyber attackers were found exploiting an older Drupal remote code execution vulnerability CVE-2018-7600 dubbed Drupalgeddon2.
Drupal had patched the vulnerability on multiple Drupal versions in March of 2018. In addition, Palo Alto’s Unit 42 group also wrote a detailed analysis on the exploit in the wild in May of 2017.
Affected versions of Drupal include those before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1.
Kitty malware has also been associated with this vulnerability.
3) CVE-2018-4878: Flash Player 0-day
Adobe patched this Adobe Flash Player vulnerability CVE-2018-4878 in February 2018. This previously 0-day vulnerability had been exploited in the wild and used in limited, targeted attacks against Windows users.
Moreover, the attacks leverage Office documents with embedded malicious Flash content distributed via email.
Talos also spotted the use of ROKRAT, a well-known Remote Administration Tool, as the download payload in the attacks. ROKRAT is typically used with cloud platforms in an effort to steal documents and manage/control infected systems.
DOGCALL malware has also been associated with this vulnerability.
4) CVE-2017-8759: .NET Framework RCE
According to FireEye, Zyklon has been observed in the wild since early 2016. FireEye further warned Zyklon provides a myriad of sophisticated capabilities, such as “full-featured backdoor capable of keylogging, password harvesting, downloading and executing additional plugins, conducting distributed denial-of-service (DDoS) attacks, and self-updating and self-removal.”
Furthermore, FINSPY, FinFisher, and WingBird have each been associated with this vulnerability.
5) CVE-2017-5638: Apache Struts
Later, in September of 2018, new variants of the IoT botnets Mirai and Gafgyt increasingly targeted enterprise devices with an unpatched Apache Struts vulnerability.
JexBoss malware has also been associated with the vulnerability.
6) CVE-2017-11882: Office and malware spam
Microsoft patched the Office memory corruption vulnerability CVE-2017-11882 in November of 2017 and later linked it to the Equation Editor component. However, this had not deterred attacks like this one from exploiting organizations not up to date on their patching.
In February, 2018, Trend Micro researchers also found attackers exploiting CVE-2017-11882 by abusing the Windows Installer service, msiexec.exe, to deliver LokiBot malware.
7) CVE-2017-0199: Microsoft Office/WordPad RCE
Patched in April, 2017, this remote code execution (RCE) vulnerability CVE-2017-0199 exists in the way that Microsoft Office and WordPad parse specially crafted files.
In August, 2017, Check Point identified a vulnerability in LinkedIn’s messenger service that could allow an attacker to exploit and then spread malicious files masquerading as a resume or other legitimate files (such as doc, xls, ppt files).
In one of the four LinkedIn flaws, an attacker could craft a malicious DOCX file containing an external object or OLE (taking advantage of CVE-2017-0199). This object could then be linked to an HTA file on the attacker’s server.
Associated malware includes FINSPY, LATENTBOT and Dridex.
8) CVE-2017-0143: Microsoft SMB
As part of the March 2017 patch updates, Microsoft said exploits of this SMB vulnerability CVE-2017-0143 were likely.
According to Microsoft, a remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. As a result, a successful attacker could exploit and then execute code on the target server.
Similarly, Microsoft patched an SMB-related (SMBv3) RCE vulnerability CVE-2020-0796 dubbed SMBGhost this past March.
9) CVE-2015-1641: Office RCE
Microsoft patched this Office remote code execution (RCE) vulnerability CVE-2015-1641 more than five years ago.
An attacker could exploit this vulnerability to take control of affected systems and run arbitrary code.
Associated malware includes Toshliph and UWarrior.
10) CVE-2012-0158: Microsoft Common Controls
Microsoft patched this Common Controls vulnerability CVE-2012-0158 way back in April 2012. Although nearly 8 years old, this vulnerability was still under active attack over the past several years.
Affected products include multiple versions of Microsoft Office, SQL Server, Commerce Server and others. Associated malware is Dridex.
Vulnerabilities under attack in 2020
The CISA advisory also highlights several common vulnerabilities under more recent attack in 2020.
For instance, an arbitrary code execution vulnerability CVE-2019-19781 in Citrix VPN appliances had been detected with known exploits in the wild.
Citrix originally released details on the vulnerability on December 17, 2019, but had no patch available for download until a month later. As a result, security experts soon thereafter widely reported exploits in the wild since early January 2020.
Finally, an arbitrary file reading vulnerability CVE-2019-11510 in Pulse Secure VPN servers was under active attack.
Juniper Networks patched the remote code execution vulnerability CVE-2019-11510 in April 2019.
However, multiple cybersecurity experts issued new warnings that attackers continue to target unpatched Pulse Secure VPN systems.
In conclusion, unpatched vulnerabilities have always been, and will likely continue to be, a cost-effective method for bad actors to exploit systems and steal sensitive data.
Organizations should search for these vulnerabilities and prioritize the patching of each of these CVEs, if they haven’t already.
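One way to act on that advice is to cross-reference scanner output against the CVEs the advisory names and rank assets for patching. The script below is an added example, not part of the article or of CISA’s alert; it assumes a vulnerability scanner has already produced per-asset findings, and the scan results, asset names and the scoring weights are constructed for illustration.

```python
"""Rank assets for patching by the CVEs this advisory calls routinely exploited.

Added example, not from the original article or from CISA. The scan findings
below are constructed sample data; the scoring weights are an assumption.
"""
import re
from dataclasses import dataclass

# CVEs named in the advisory summarized above: the 2016-2019 Top 10 plus the two
# VPN vulnerabilities under attack in 2020. Values are short labels for reports.
ROUTINELY_EXPLOITED = {
    "CVE-2019-0604": "SharePoint RCE",
    "CVE-2018-7600": "Drupalgeddon2",
    "CVE-2018-4878": "Flash Player",
    "CVE-2017-8759": ".NET Framework RCE",
    "CVE-2017-5638": "Apache Struts",
    "CVE-2017-11882": "Office Equation Editor",
    "CVE-2017-0199": "Office/WordPad RCE",
    "CVE-2017-0143": "SMBv1",
    "CVE-2015-1641": "Office RCE",
    "CVE-2012-0158": "Common Controls",
    "CVE-2019-19781": "Citrix VPN",
    "CVE-2019-11510": "Pulse Secure VPN",
}

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


@dataclass
class Finding:
    """One asset as reported by a scanner (constructed shape, not a real tool's)."""
    asset: str
    cves: list
    internet_facing: bool = False


@dataclass
class Priority:
    asset: str
    exploited: list        # canonical CVE ids that appear in ROUTINELY_EXPLOITED
    internet_facing: bool
    score: int


def normalize_cve(raw):
    """Canonicalize loosely written ids ('cve 2017-0199', 'CVE_2018_7600').

    Returns None for anything that is not a well-formed CVE id, so junk in
    scanner output never silently matches.
    """
    candidate = raw.strip().upper().replace(" ", "-").replace("_", "-")
    return candidate if CVE_RE.match(candidate) else None


def prioritize(findings):
    """Return only assets carrying known-exploited CVEs, most urgent first.

    Scoring (assumed weights): 10 per known-exploited CVE, plus 5 when the
    asset is internet-facing, since web shell implants and VPN appliance
    exploitation described above start from externally reachable hosts.
    """
    ranked = []
    for f in findings:
        canonical = (normalize_cve(x) for x in f.cves)
        hits = sorted({c for c in canonical if c in ROUTINELY_EXPLOITED})
        if not hits:
            continue
        score = 10 * len(hits) + (5 if f.internet_facing else 0)
        ranked.append(Priority(f.asset, hits, f.internet_facing, score))
    ranked.sort(key=lambda p: (-p.score, p.asset))  # highest score, then name
    return ranked


def report(ranked):
    """Render one line per asset with the advisory's label for each CVE."""
    lines = []
    for p in ranked:
        labels = ", ".join(f"{c} ({ROUTINELY_EXPLOITED[c]})" for c in p.exploited)
        exposure = "internet-facing" if p.internet_facing else "internal"
        lines.append(f"{p.score:>3}  {p.asset:<16} {exposure:<16} {labels}")
    return lines


# Constructed sample findings; CVE-0000-0001 is a placeholder for an id that
# is valid in form but not on the advisory's list.
SAMPLE_FINDINGS = [
    Finding("sharepoint-01", ["CVE-2019-0604", "CVE-2020-0796"], internet_facing=True),
    Finding("vpn-gw-02", ["cve-2019-19781"], internet_facing=True),
    Finding("hr-desktop-17", ["CVE-2017-11882", "CVE 2017-0199", "CVE-2017-0143"]),
    Finding("build-box-03", ["CVE-0000-0001", "not a cve"]),
]

if __name__ == "__main__":
    for line in report(prioritize(SAMPLE_FINDINGS)):
        print(line)
```

The internal desktop with three listed CVEs outranks either internet-facing host in this toy weighting; adjust the weights to your own exposure model, but keep the normalization step, because scanner exports and vendor write-ups (the article itself writes “CVE 2017-0199” with a space) do not agree on formatting.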
Readers can also check out Verint’s “Top 20 vulnerabilities to patch now (that are most under attack)” published last December.
- Threat actors are launching web shell attacks
- Drupalgeddon2 attack campaign
- Zyklon malware campaign targets Office vulnerabilities
- New Mirai, Gafgyt IoT botnet variants target systems with Apache Struts, SonicWall vulnerability exploits
- Attack abuses Windows Installer service to deliver LokiBot
- LinkedIn messenger vulnerability exploit
- Citrix patches Critical vulnerability exploited in the wild (updated)
- Attackers continue to target unpatched Pulse Secure VPN systems
- The top 20 vulnerabilities to patch now (that are most under attack)