Top 10 most exploited vulnerabilities list released by FBI, DHS CISA

When work-from-home became a sudden, urgent need in March, many organizations slapped together cloud-collaboration services such as Microsoft Office 365 for their newly locked-down staff.
Unfortunately and understandably, pressure was high. People were scrambling. Thus did a number of those services get put together with a wing, a prayer, and misconfigurations that set them up to be targeted by malicious threat actors.
According to a new report that covers the Top 10 Routinely Exploited Vulnerabilities from the US’s cybersecurity arms – the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (DHS CISA) and the FBI – the abrupt shift to work-from-home that came in March led to rapid, sometimes hasty deployment of cloud collaboration services. The resulting oversights in security configurations have left some organizations vulnerable to attack. That’s just one of the vulnerabilities that the agencies are seeing being exploited this year by what they say are sophisticated foreign cyber actors.
Another trend for 2020 is malicious cyber actors who are increasingly targeting unpatched Virtual Private Network (VPN) vulnerabilities. These are two of the specific VPN vulnerability attacks they’ve spotted:

• An arbitrary code execution vulnerability in Citrix VPN appliances, known as CVE-2019-19781, that’s been detected in exploits in the wild. Citrix shipped patches as vulnerable servers came under attack in January. As we noted at the time, Citrix was vague about what the flaw would enable attackers to do, but based on analysis of Citrix’s proposed mitigations, the speculation was that the issue allows directory traversal: in other words, offering attackers a way to access nrestricted directories without having to authenticate.
• An arbitrary file-reading vulnerability in Pulse Secure VPN servers, known as CVE-2019-11510, that’s still attracting malicious actors. What’s sob-worthy is that in spite of patches having been available since April 2019, as of January 2020, attackers were still using the flaws to sneak onto unpatched servers, break into company networks and install the REvil (Sodinokibi) ransomware.

Unpatched systems grease the wheels for attackers

All that for 2020, and we still haven’t even gotten to the meat of the report: the 10 most exploited vulnerabilities for the years 2016 through 2019. Before we hit that list, though, take heed of what the US cybersecurity outfits are telling us: namely, that it’s vital for IT security pros at public and private sector organizations to place “an increased priority on patching the most commonly known vulnerabilities exploited by sophisticated foreign cyber actors.”
The rationale behind the report is to provide details on vulnerabilities that are routinely exploited by foreign cyber actors – primarily Common Vulnerabilities and Exposures (CVEs) – in order for organizations to reduce the risk of these foreign threats, according to the US.
Leaving systems unpatched is making it easy as pie for those foreign threat actors. From the report:

Foreign cyber actors continue to exploit publicly known – and often dated – software vulnerabilities against broad target sets, including public and private sector organizations. Exploitation of these vulnerabilities often requires fewer resources as compared with zero-day exploits for which no patches are available.

In other words, there are ways to force attackers to work a lot harder: namely, by patching in a timely fashion, as soon as practicable when patches come out:

The public and private sectors could degrade some foreign cyber threats to U.S. interests through an increased effort to patch their systems and implement programs to keep system patching up to date. A concerted campaign to patch these vulnerabilities would introduce friction into foreign adversaries’ operational tradecraft and force them to develop or acquire exploits that are more costly and less widely effective. A concerted patching campaign would also bolster network security by focusing scarce defensive resources on the observed activities of foreign adversaries.

Top 10 exploits

The list below, in no particular order, is where to focus a concerted patching campaign: on the Top 10 Most Exploited Vulnerabilities for 2016-2019. Included are their CVE numbers, vulnerable products, associated malware, and mitigation strategies. I’ve also included a sample of just some of Naked Security’s coverage of each vulnerability.
The lists of associated malware corresponding to each CVE isn’t exhaustive. Rather, it’s intended to identify a malware family commonly associated with exploiting the CVE. You can also access the list as a PDF . As well, the US gave mitigations for vulnerabilities exploited in 2020.
CVE-2017-11882

• Vulnerable Products: Microsoft Office 2007 SP3/2010 SP2/2013 SP1/2016 Products
• Associated Malware: Loki, FormBook, Pony/FAREIT
• Mitigation: Update affected Microsoft products with the latest security patches
• More Detail: https://nvd.nist.gov/vuln/detail/CVE-2017-11882
• IOCs: https://www.us-cert.gov/ncas/analysis-reports/ar20-133e
• Our coverage.

CVE-2017-0199

• Vulnerable Products: Microsoft Office 2007 SP3/2010 SP2/2013 SP1/2016, Vista SP2, Server 2008 SP2, Windows 7 SP1, Windows 8.1
• Associated Malware: FINSPY, LATENTBOT, Dridex
• Mitigation: Update affected Microsoft products with the latest security patches
• More Detail: https://nvd.nist.gov/vuln/detail/CVE-2017-0199
• IOCs: https://www.us-cert.gov/ncas/analysis-reports/ar20-133g, https://www.us-cert.gov/ncas/analysis-reports/ar20-133h, https://www.us-cert.gov/ncas/analysis-reports/ar20-133p
• Our coverage.

CVE-2017-5638

• Vulnerable Products: Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1
• Associated Malware: JexBoss
• Mitigation: Upgrade to Struts 2.3.32 or Struts 2.5.10.1
• More Detail:
  • https://www.us-cert.gov/ncas/analysis-reports/AR18-312A
  • https://nvd.nist.gov/vuln/detail/CVE-2017-5638
  • Our coverage.

CVE-2012-0158

• Vulnerable Products: Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2003 Web Components SP3; SQL Server 2000 SP4, 2005 SP4, and 2008 SP2, SP3, and R2; BizTalk Server 2002 SP1; Commerce Server 2002 SP4, 2007 SP2, and 2009 Gold and R2; Visual FoxPro 8.0 SP1 and 9.0 SP2; and Visual Basic 6.0
• Associated Malware: Dridex
• Mitigation: Update affected Microsoft products with the latest security patches
• More Detail:
  • https://www.us-cert.gov/ncas/alerts/aa19-339a
  • https://nvd.nist.gov/vuln/detail/CVE-2012-0158
• IOCs: https://www.us-cert.gov/ncas/analysis-reports/ar20-133i, https://www.us-cert.gov/ncas/analysis-reports/ar20-133j, https://www.us-cert.gov/ncas/analysis-reports/ar20-133k, https://www.us-cert.gov/ncas/analysis-reports/ar20-133l, https://www.us-cert.gov/ncas/analysis-reports/ar20-133n, https://www.us-cert.gov/ncas/analysis-reports/ar20-133o
• Our coverage.

CVE-2019-0604

• Vulnerable Products: Microsoft SharePoint
• Associated Malware: China Chopper
• Mitigation: Update affected Microsoft products with the latest security patches
• More Detail: https://nvd.nist.gov/vuln/detail/CVE-2019-0604
• Our coverage.

CVE-2017-0143

• Vulnerable Products: Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016
• Associated Malware: Multiple using the EternalSynergy and EternalBlue Exploit Kit
• Mitigation: Update affected Microsoft products with the latest security patches
• More Detail: https://nvd.nist.gov/vuln/detail/CVE-2017-0143
• Our coverage.

CVE-2018-4878

• Vulnerable Products: Adobe Flash Player before 28.0.0.161
• Associated Malware: DOGCALL
• Mitigation: Update Adobe Flash Player installation to the latest version
• More Detail: https://nvd.nist.gov/vuln/detail/CVE-2018-4878
• IOCs: https://www.us-cert.gov/ncas/analysis-reports/ar20-133d
• Our coverage.

CVE-2017-8759

• Vulnerable Products: Microsoft .NET Framework 2.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 and 4.7
• Associated Malware: FINSPY, FinFisher, WingBird
• Mitigation: Update affected Microsoft products with the latest security patches
• More Detail: https://nvd.nist.gov/vuln/detail/CVE-2017-8759
• IOCs: https://www.us-cert.gov/ncas/analysis-reports/ar20-133f
• Our coverage.

CVE-2015-1641

• Vulnerable Products: Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word 2013 SP1, Word 2013 RT SP1, Word for Mac 2011, Office Compatibility Pack SP3, Word Automation Services on SharePoint Server 2010 SP2 and 2013 SP1, and Office Web Apps Server 2010 SP2 and 2013 SP1
• Associated Malware: Toshliph, UWarrior
• Mitigation: Update affected Microsoft products with the latest security patches
• More Detail: https://nvd.nist.gov/vuln/detail/CVE-2015-1641
• IOCs: https://www.us-cert.gov/ncas/analysis-reports/ar20-133m
• Our coverage.

CVE-2018-7600

• Vulnerable Products: Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1
• Associated Malware: Kitty
• Mitigation: Upgrade to the most recent version of Drupal 7 or 8 core.
• More Detail: https://nvd.nist.gov/vuln/detail/CVE-2018-7600
• Our coverage.

Mitigations for Vulnerabilities Exploited in 2020

CVE-2019-11510

• Vulnerable Products: Pulse Connect Secure 9.0R1 – 9.0R3.3, 8.3R1 – 8.3R7, 8.2R1 – 8.2R12, 8.1R1 – 8.1R15 and Pulse Policy Secure 9.0R1 – 9.0R3.1, 5.4R1 – 5.4R7, 5.3R1 – 5.3R12, 5.2R1 – 5.2R12, 5.1R1 – 5.1R15
• Mitigation: Update affected Pulse Secure devices with the latest security patches.
• More Detail:
  • https://www.us-cert.gov/ncas/alerts/aa20-107a
  • https://nvd.nist.gov/vuln/detail/CVE-2019-11510
  • https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/

CVE-2019-19781

• Vulnerable Products: Citrix Application Delivery Controller, Citrix Gateway, and Citrix SDWAN WANOP
• Mitigation: Update affected Citrix devices with the latest security patches
• More Detail:
  • https://www.us-cert.gov/ncas/alerts/aa20-020a
  • https://www.us-cert.gov/ncas/alerts/aa20-031a
  • https://www.fireeye.com/blog/products-and-services/2020/01/fireeye-and-citrix-tool-scans-for-iocs-related-to-vulnerability.html
  • https://nvd.nist.gov/vuln/detail/CVE-2019-19781
  • https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/

Oversights in Microsoft O365 Security Configurations

• Vulnerable Products: Microsoft O365
• Mitigation: Follow Microsoft O365 security recommendations
• More Detail: https://www.us-cert.gov/ncas/alerts/aa20-120a

Organizational Cybersecurity Weaknesses

• Vulnerable Products: Systems, networks, and data
• Mitigation: Follow cybersecurity best practices
• More Detail: https://www.cisa.gov/cyber-essentials

The report also includes resources that can help organizations fend off attackers, including several free screening and testing services from CISA, online resources and more.

Latest Naked Security podcast