There are patches or remediations for all of them, but they’re still being picked apart. Why should attackers stop if the flaws remain unpatched, as so many do?
In a perfect world, CISA would laminate cards with 2021’s top 30 vulnerabilities: You could take it out & ask a business if they’ve sorted out these specific issues before you hand over your cash.
This is not a perfect world. There are no laminated vulnerability cards.
At least there is a list: In a joint advisory (PDF) published last Wed., the FBI & US Cybersecurity & Infrastructure Security Agency (CISA), the Australian Cyber Security Centre, & the UK’s National Cyber Security Centre (NCSC) listed the vulnerabilities that were “routinely” exploited in 2020, as well as those that are most often being picked apart so far this year.
The vulnerabilities – which hide in devices or software from the likes of Citrix, Fortinet, Pulse Secure, Microsoft & Atlassian – include publicly known bugs, some of which are growing hair. One dates to 2000!
“Cyber actors continue to exploit publicly known – & often dated – software vulnerabilities against broad target sets, including public & private sector organisations worldwide,” according to the advisory.
“However, entities worldwide can mitigate the vulnerabilities listed in this report by applying the available patches to their systems and implementing a centralized patch management system.”
So far in 2021, cyber-attackers are continuing to target vulnerabilities in perimeter-type devices, with particularly high amounts of unwanted attention being given to flaws in the perimeter devices sold by Microsoft, Pulse, Accellion, VMware & Fortinet.
All of the vulnerabilities have received patches from vendors. That doesn’t mean those patches have been applied, however.
According to the advisory, attackers are unlikely to stop coming after ancient vulnerabilities, including CVE-2017-11882: a Microsoft Office remote code execution (RCE) bug that was already long in the tooth when it was patched at the age of 17 in 2017.
Why would they stop? As long as systems remain unpatched, it’s a win-win for adversaries, the joint advisory pointed out, as it saves bad players time & effort.
Adversaries’ use of known vulnerabilities complicates attribution, reduces costs, & minimises risk because they are not investing in developing a zero-day exploit for their exclusive use, which they risk losing if it becomes known. —Advisory
In fact, the top 4 preyed-upon 2020 vulnerabilities were discovered between 2018 & 2020, showing how common it is for organisations using the devices or technology in question to sidestep patching or remediation.
The top 4 are:
- CVE-2019-19781, a critical bug in the Citrix Application Delivery Controller (ADC) & Citrix Gateway that left unpatched outfits at risk from a trivial attack on their internal operations. As of Dec. 2020, 17% – about 1 in 5 of the 80,000 companies affected – hadn’t patched.
- CVE-2019-11510: a critical Pulse Secure VPN flaw exploited in several cyberattacks, including against companies that had already patched a related flaw in the VPN. In April 2020, the US Department of Homeland Security (DHS) urged users to change their passwords for Active Directory accounts, given that the patches were deployed too late to stop bad players from compromising those accounts.
- CVE-2018-13379: a path-traversal weakness in VPNs made by Fortinet that was discovered in 2018 & which was still being actively exploited as of a few months ago, in April 2021.
- CVE-2020-5902: a critical vulnerability in F5 Networks’ BIG-IP application delivery controller networking devices that, as of July 2020, was being exploited by attackers to scrape credentials, launch malware etc.
The cyber-security bodies urged organisations to remediate or mitigate vulnerabilities as soon as possible to reduce their risk of being ripped up. For those that can’t, the advisory encouraged organisations to check for the presence of indicators of compromise (IOCs).
If IOCs are found, kick off incident response & recovery plans, & let US CISA know: the advisory contains instructions on how to report incidents or request technical help.
2020 – Top 12 Exploited Vulnerabilities
Here’s the full list of the top 12 exploited bugs from last year:
| Vendor | CVE | Type |
|---|---|---|
| Citrix | CVE-2019-19781 | arbitrary code execution |
| Pulse | CVE-2019-11510 | arbitrary file reading |
| Fortinet | CVE-2018-13379 | path traversal |
| F5 – BIG-IP | CVE-2020-5902 | remote code execution (RCE) |
| Microsoft | CVE-2020-0787 | elevation of privilege |
| Netlogon | CVE-2020-1472 | elevation of privilege |
Most Exploited So Far – 2021
CISA et al. also listed these 13 flaws, all discovered this year, that are also being energetically exploited:
- Microsoft Exchange: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 & CVE-2021-27065: 4 flaws that can be chained together in the ProxyLogon group of security bugs that led to a patching frenzy. The frenzy was warranted: as of March, Microsoft warned that 92% of Exchange Servers were vulnerable to ProxyLogon.
- Pulse Secure: CVE-2021-22893, CVE-2021-22894, CVE-2021-22899, & CVE-2021-22900. As of May, CVE-2021-22893 was being used by at least 2 advanced persistent threat actors (APTs), likely linked to China, to attack US defence targets, among others.
- Accellion: CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104. These ones led to scads of attacks, including on Shell. Around 100 Accellion FTA customers, including the Jones Day Law Firm, Kroger & Singtel, were affected by attacks tied to FIN11 & the Clop ransomware gang.
- VMware: CVE-2021-21985: A critical bug in VMware’s virtualisation management platform, vCenter Server, that allows a remote attacker to exploit the product & take control of a company’s affected system.
The advisory gave technical details for all these vulnerabilities along with guidance on mitigation & IOCs to help organisations figure out if they’re vulnerable or have already been compromised. The advisory also offers guidance for locking down systems.
Can Security Teams Keep Up?
Rick Holland, Digital Shadows CISO & VP of Strategy, called CISA vulnerability alerts an “influential tool to help teams stay above water & minimise their attack surface.”
The CVEs highlighted in Wed’s alert “continue to demonstrate that attackers are going after known vulnerabilities and leverage zero-days only when necessary,” he cautioned.
Recent research (PDF) from Vulcan Cyber has found that more than three-quarters of cyber-security leaders have been impacted by a security vulnerability over the past year. It raises the question: Is there a mismatch between enterprise vulnerability management programs & the ability of security teams to mitigate risk?
Yaniv Bar-Dayan, CEO & Co-founder at Vulcan Cyber, a provider of SaaS for enterprise cyber risk remediation, suggested that it’s become ever more vital for enterprise IT security stakeholders to make “meaningful changes to their cyber hygiene efforts.”
That means “prioritising risk-based cyber-security efforts, increasing collaboration between security & IT teams, updating vulnerability management tooling, & enhancing enterprise risk analytics, especially in businesses with advanced cloud application programs.”
Granted, vulnerability management is “one of the most difficult aspects of any security program,” he continued. If a given vulnerability is being exploited, that should move it up the priority list, Bar-Dayan stated.
“Taking a risk-based approach to vulnerability management is the way forward; & teams should unquestionably be prioritising vulnerabilities that are actively being exploited.”
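The risk-based prioritisation Bar-Dayan describes, combined with the advisory’s advice to patch where possible and otherwise mitigate and hunt for IOCs, can be turned into a simple triage rule over scanner output. The following is an added example written for this page, not code from the advisory, CISA or Vulcan Cyber. The CVE lists are taken from the article above (including its loose spellings, which the parser normalises); the hostnames, the two non-advisory CVE ids (CVE-2020-99999 and CVE-2020-99998) and the scoring weights are constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass

# CVE ids the joint advisory names as routinely exploited, as listed in this
# article (constructed here from the article's lists, not read from the PDF).
ADVISORY_2020 = [
    "CVE-2019-19781", "CVE 2019-11510", "CVE 2018-13379", "CVE 2020-5902",
    "CVE-2020-0787", "CVE-2020-1472", "CVE-2017-11882",
]
ADVISORY_2021 = [
    "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE2021-27065",
    "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900",
    "CVE-2021-27101", "CVE-2021-27102", "CVE-2021-27103", "CVE-2021-27104",
    "CVE-2021-21985",
]

# Accepts the loose spellings seen above ("CVE 2019-11510", "CVE2021-27065").
_CVE_RE = re.compile(r"CVE[ -]?(\d{4})-(\d{4,})", re.IGNORECASE)


def normalise_cve(text: str) -> str:
    """Return the canonical 'CVE-YYYY-NNNN' form, or raise ValueError."""
    m = _CVE_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"not a CVE id: {text!r}")
    return f"CVE-{m.group(1)}-{m.group(2)}"


# Canonical set used for the "known exploited" lookup.
KNOWN_EXPLOITED = frozenset(normalise_cve(c) for c in ADVISORY_2020 + ADVISORY_2021)


@dataclass(frozen=True)
class Finding:
    """One scanner result: a host, the CVE it is exposed to, and context."""
    host: str
    cve: str
    internet_facing: bool
    patch_available: bool = True


def priority_score(f: Finding, current_year: int = 2021) -> int:
    """Higher means patch sooner. The weights are this example's assumption."""
    cve = normalise_cve(f.cve)
    score = 0
    if cve in KNOWN_EXPLOITED:
        score += 100          # actively exploited: always outranks everything else
    if f.internet_facing:
        score += 20           # perimeter exposure is the advisory's recurring theme
    age = current_year - int(cve.split("-")[1])
    score += max(0, min(age, 10))   # dated bugs have had more time to be weaponised
    return score


def recommended_action(f: Finding) -> str:
    """Patch if you can; otherwise mitigate and hunt for IOCs, as the advisory says."""
    if f.patch_available:
        return "apply vendor patch"
    return "apply mitigation; check for IOCs; if found, start incident response"


def remediation_queue(findings):
    """Return (host, canonical cve, score, action) tuples, highest score first."""
    ranked = sorted(findings, key=lambda f: (-priority_score(f), f.host))
    return [(f.host, normalise_cve(f.cve), priority_score(f), recommended_action(f))
            for f in ranked]


# Constructed sample scanner output (hostnames and the two non-advisory CVE ids
# are placeholders, not real findings).
SAMPLE_FINDINGS = [
    Finding("intranet-app", "CVE-2020-99999", internet_facing=False),
    Finding("dc-01", "CVE-2020-1472", internet_facing=False),
    Finding("vpn-edge-01", "CVE 2019-11510", internet_facing=True, patch_available=False),
    Finding("mail-01", "CVE2021-26855", internet_facing=True),
    Finding("ws-42", "CVE-2017-11882", internet_facing=False),
    Finding("web-proxy", "CVE-2020-99998", internet_facing=True),
]

if __name__ == "__main__":
    for host, cve, score, action in remediation_queue(SAMPLE_FINDINGS):
        print(f"{score:4d}  {host:<14} {cve:<16} {action}")
```

Running it puts the unpatched, internet-facing Pulse Secure VPN at the top of the queue with a mitigate-and-hunt action, followed by the Exchange server and the dated Office bug, while findings that are not on the advisory’s list drop below every known-exploited one regardless of exposure. In practice the KNOWN_EXPLOITED set would be refreshed from the advisory or CISA’s published lists rather than hard-coded.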