Top 10 most exploited vulnerabilities list released by FBI, DHS CISA

When work-from-home became a sudden, urgent need in March, many organizations slapped together cloud-collaboration services such as Microsoft Office 365 for their newly locked-down staff.
Unfortunately and understandably, pressure was high. People were scrambling. Thus did a number of those services get put together with a wing, a prayer, and misconfigurations that set them up to be targeted by malicious threat actors.
According to a new report that covers the Top 10 Routinely Exploited Vulnerabilities from the US’s cybersecurity arms – the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (DHS CISA) and the FBI – the abrupt shift to work-from-home that came in March led to rapid, sometimes hasty deployment of cloud collaboration services. The resulting oversights in security configurations have left some organizations vulnerable to attack. That’s just one of the vulnerabilities that the agencies are seeing being exploited this year by what they say are sophisticated foreign cyber actors.
Another trend for 2020 is malicious cyber actors who are increasingly targeting unpatched Virtual Private Network (VPN) vulnerabilities. These are two of the specific VPN vulnerability attacks they’ve spotted:

Unpatched systems grease the wheels for attackers

All that for 2020, and we still haven’t even gotten to the meat of the report: the 10 most exploited vulnerabilities for the years 2016 through 2019. Before we hit that list, though, take heed of what the US cybersecurity outfits are telling us: namely, that it’s vital for IT security pros at public and private sector organizations to place “an increased priority on patching the most commonly known vulnerabilities exploited by sophisticated foreign cyber actors.”
The rationale behind the report is to provide details on vulnerabilities that are routinely exploited by foreign cyber actors – primarily Common Vulnerabilities and Exposures (CVEs) – in order for organizations to reduce the risk of these foreign threats, according to the US.
Leaving systems unpatched is making it easy as pie for those foreign threat actors. From the report:

Foreign cyber actors continue to exploit publicly known – and often dated – software vulnerabilities against broad target sets, including public and private sector organizations. Exploitation of these vulnerabilities often requires fewer resources as compared with zero-day exploits for which no patches are available.

In other words, there are ways to force attackers to work a lot harder: namely, by patching in a timely fashion, as soon as practicable when patches come out:

The public and private sectors could degrade some foreign cyber threats to U.S. interests through an increased effort to patch their systems and implement programs to keep system patching up to date. A concerted campaign to patch these vulnerabilities would introduce friction into foreign adversaries’ operational tradecraft and force them to develop or acquire exploits that are more costly and less widely effective. A concerted patching campaign would also bolster network security by focusing scarce defensive resources on the observed activities of foreign adversaries.

Top 10 exploits

The list below, in no particular order, is where to focus a concerted patching campaign: on the Top 10 Most Exploited Vulnerabilities for 2016-2019. Included are their CVE numbers, vulnerable products, associated malware, and mitigation strategies. I’ve also included a sample of just some of Naked Security’s coverage of each vulnerability.
The list of associated malware corresponding to each CVE isn’t exhaustive. Rather, it’s intended to identify a malware family commonly associated with exploiting the CVE. You can also access the list as a PDF. As well, the US gave mitigations for vulnerabilities exploited in 2020.
CVE-2017-11882

CVE-2017-0199

CVE-2017-5638

CVE-2012-0158

CVE-2019-0604

CVE-2017-0143

CVE-2018-4878

CVE-2017-8759

CVE-2015-1641

CVE-2018-7600

Mitigations for Vulnerabilities Exploited in 2020

CVE-2019-11510

CVE-2019-19781

Oversights in Microsoft O365 Security Configurations

Organizational Cybersecurity Weaknesses

The report also includes resources that can help organizations fend off attackers, including several free screening and testing services from CISA, online resources and more.
