The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the broader U.S. government released a list of the top ten commonly exploited security vulnerabilities between 2016 and 2019. The agencies issued a security alert (AA20-133A) through the National Cyber Awareness System (NCAS) to help security professionals in public and private organizations prioritize patching the most common vulnerabilities in their security environments. The alert provides details on Common Vulnerabilities and Exposures (CVEs) that are routinely exploited by foreign threat actors.
“The public and private sectors could degrade some foreign cyber threats to U.S. interests through an increased effort to patch their systems and implement programs to keep system patching up to date,” CISA said.
“A concerted campaign to patch these vulnerabilities would introduce friction into foreign adversaries’ operational tradecraft and force them to develop or acquire exploits that are more costly and less widely effective. A concerted patching campaign would also bolster network security by focusing scarce defensive resources on the observed activities of foreign adversaries,” CISA added.
The CVE list includes:
| CVE | Associated Malware |
|---|---|
| CVE-2017-11882 | Loki, FormBook, Pony/FAREIT |
| | FINSPY, LATENTBOT, Dridex |
| CVE-2017-0143 | Multiple using the EternalSynergy and EternalBlue Exploit Kit |
| CVE-2017-8759 | FINSPY, FinFisher, WingBird |
Data Source: us-cert.gov
Most Exploited Bugs
The alert stated that threat actors often exploited bugs in Microsoft’s Object Linking and Embedding (OLE) technology, with Apache Struts web framework being the second-most-reported vulnerable technology. “Of the top 10, the three vulnerabilities used most frequently across state-sponsored cyber actors from China, Iran, North Korea, and Russia are CVE-2017-11882, CVE-2017-0199, and CVE-2012-0158. All three of these vulnerabilities are related to Microsoft’s OLE technology,” CISA said.
Vulnerabilities Exploited in 2020
The U.S. government also reported vulnerabilities that were being routinely exploited by state-sponsored actors in 2020, including:
- CVE-2019-19781 – An arbitrary code execution vulnerability in Citrix VPN appliances
- CVE-2019-11510 – An arbitrary file reading vulnerability in Pulse Secure VPN servers, which continues to be an attractive target for malicious actors.
Cybersecurity weaknesses like poor employee education on social engineering attacks and a lack of system recovery and contingency plans continue to make organizations susceptible to ransomware attacks in 2020.
“March 2020 brought an abrupt shift to work-from-home that necessitated, for many organizations, rapid deployment of cloud collaboration services, such as Microsoft Office 365 (O365). Malicious cyber actors are targeting organizations whose hasty deployment of Microsoft O365 may have led to oversights in security configurations and vulnerable to attack,” CISA added.
CISA and NCSC Release Joint Advisory
In a recent development, cybersecurity officials at the U.K. National Cyber Security Centre (NCSC), the U.S. Department of Homeland Security (DHS), and CISA stated that cybercriminals and advanced persistent threat (APT) groups are targeting individuals and organizations with a variety of ransomware and malware attacks, exploiting the COVID-19 outbreak for their own gain. The agencies released a joint advisory describing the growing number of attackers and other malicious groups active in the U.K. and the U.S.