Top 10 most exploited vulnerabilities - no excuses - 'absolutely critical to patch as soon as possible'

News by Andrew McCorkell

Attackers are targeting vulnerabilities and misconfigurations caused by the hasty deployment of cloud services during the dramatic shift to remote working: "it's absolutely critical to patch as soon as possible."

The hasty deployment of cloud services accompanied a dramatic shift to remote collaboration among workforces during the Covid-19 lockdown, the US FBI has said.

The sudden move to home working in March led to misconfigurations that left businesses open to malicious threat actors, according to a list of the top 10 exploited vulnerabilities released by the FBI and the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (DHS CISA).

The report also pointed to attacks on unpatched Virtual Private Network (VPN) vulnerabilities, including an arbitrary code execution vulnerability in Citrix VPN appliances, CVE-2019-19781, which has been detected in exploits in the wild.

Citrix shipped patches as vulnerable servers came under attack in January, according to reports.

An arbitrary file-reading vulnerability in Pulse Secure VPN servers, CVE-2019-11510, also continues to be targeted.

Carl Wearn, head of e-crime at Mimecast says: “This reporting by US authorities corroborates activity Mimecast has seen and reported on consistently in recent months of Threat Reporting. VPN vulnerabilities are particularly key at this time given the necessary increases to staff working from home and we have highlighted them as requiring urgent patching since January.

“The specific CVE vulnerabilities noted are also a reflection of activity we have seen, particularly in relation to the top five, with the targeting of CVE-2017-11882 now being a significant focus of entire high-volume campaigns hitherto unseen before February. 

“The benefit of cloud-based security and networking longer term will be a reduction in the need for on-site security to manually patch these vulnerabilities, but at present, all of these vulnerabilities should be identified as absolutely critical to patch as soon as possible.

“Many of these have been known and reported on heavily in recent years, with patches available for significant periods of time. They are being more heavily attacked now than ever before and any post-incident analysis or investigation of a breach which identifies these particular unpatched vulnerabilities is unlikely to be easily explained by those responsible for network security.”

The US CISA report details the vulnerabilities, identified by their Common Vulnerabilities and Exposures (CVE) numbers, that are routinely exploited by foreign cyber actors, so that organisations can reduce the risk from those threats.

The report said: “Foreign cyber actors continue to exploit publicly known - and often dated - software vulnerabilities against broad target sets, including public and private sector organisations. The exploitation of these vulnerabilities often requires fewer resources as compared with zero-day exploits for which no patches are available.”

It also said that a concerted campaign to patch these vulnerabilities would "introduce friction into foreign adversaries' operational tradecraft", forcing them to develop or acquire exploits that are more costly and less widely effective.

Focusing scarce defensive resources on the observed activities of foreign adversaries would bolster network security, it said, and a concerted patching campaign is needed alongside that focus.

The top 10 most exploited vulnerabilities between 2016 and 2019

US Government reporting identified the top 10 vulnerabilities most exploited by state, non-state, and unattributed cyber actors from 2016 to 2019. They are: CVE-2017-11882, CVE-2017-0199, CVE-2017-5638, CVE-2012-0158, CVE-2019-0604, CVE-2017-0143, CVE-2018-4878, CVE-2017-8759, CVE-2015-1641, and CVE-2018-7600.

US Government technical analysis shows that malicious cyber actors most often exploited vulnerabilities in Microsoft’s Object Linking and Embedding (OLE) technology.

OLE allows documents to contain embedded content from other applications, such as spreadsheets. After OLE, the second most reported vulnerable technology was Apache Struts, a widely used web framework.

The report said that of the top 10, the three vulnerabilities used most frequently across state-sponsored cyber actors from China, Iran, North Korea, and Russia are CVE-2017-11882, CVE-2017-0199, and CVE-2012-0158.

All three of these vulnerabilities were related to Microsoft’s OLE technology.

By December 2019, Chinese state cyber actors were still frequently exploiting the same vulnerability, CVE-2012-0158, that the US Government publicly assessed in 2015 to be the one most used in their cyber operations, according to the report.

The report said that trend suggests that organisations have “not yet widely implemented patches for this vulnerability and that Chinese state cyber actors may continue to incorporate dated flaws into their operational tradecraft” as long as they remain effective.

Deploying patches often requires IT security professionals to balance the need to mitigate vulnerabilities with the need for keeping systems running and ensuring installed patches are compatible with other software, the report said.

In 2019, a US industry study similarly discovered that the flaws malicious cyber actors exploited the most consistently were in Microsoft and Adobe Flash products, probably because of the widespread use of these technologies.

Vulnerabilities exploited in 2020

As well as the top 10 vulnerabilities from 2016 to 2019, the US Government said the following vulnerabilities are being routinely exploited by sophisticated foreign cyber actors in 2020:

Malicious cyber actors are increasingly targeting unpatched Virtual Private Network vulnerabilities.

An arbitrary code execution vulnerability in Citrix VPN appliances, known as CVE-2019-19781, has been detected in exploits in the wild.

An arbitrary file reading vulnerability in Pulse Secure VPN servers, known as CVE-2019-11510, continues to be an attractive target for malicious actors.
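Both VPN flaws above are reached over HTTP, so the quickest check a defender can run is a scan of the appliance's access logs for the traversal requests that exploitation leaves behind. The script below is an added example, not code from the article or from CISA; the URL patterns it matches (`/vpn/../vpns/` for CVE-2019-19781 and the `/dana-na/../dana/html5acc/guacamole/../..` traversal for CVE-2019-11510) are taken from public reporting on these two CVEs, which the article does not itself reproduce, and the log lines are constructed for the example.

```python
"""Scan web-server access logs for exploitation attempts against the two VPN
CVEs discussed above: Citrix CVE-2019-19781 and Pulse Secure CVE-2019-11510.
Added example; the indicator patterns are assumed from public reporting, not
taken from the article."""
import re
from urllib.parse import unquote

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jan/2020:10:15:01 +0000] "GET /vpn/index.html HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jan/2020:10:15:03 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 0 "-" "curl/7.64.1"
203.0.113.7 - - [12/Jan/2020:10:15:05 +0000] "GET /vpn/%2e%2e/vpns/cfg/smb.conf HTTP/1.1" 403 0 "-" "curl/7.64.1"
198.51.100.9 - - [12/Jan/2020:10:16:10 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 200 2048 "-" "python-requests/2.22.0"
192.0.2.5 - - [12/Jan/2020:10:17:00 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Combined log format: client ip, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicator patterns for the two CVEs (assumption based on public reporting).
SIGNATURES = {
    "CVE-2019-19781": re.compile(r"/vpn/\.\./vpns/", re.I),
    "CVE-2019-11510": re.compile(r"/dana-na/\.\./dana/html5acc/guacamole/(\.\./)+", re.I),
}


def parse_line(line: str):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def normalise(path: str) -> str:
    """Decode percent-encoding twice so %2e%2e and %252e%252e both become '..'.
    The query string is kept because the Pulse indicator extends into it."""
    return unquote(unquote(path))


def classify(path: str):
    """Return the CVE whose indicator the (normalised) path matches, else None."""
    p = normalise(path)
    for cve, sig in SIGNATURES.items():
        if sig.search(p):
            return cve
    return None


def scan_log(text: str) -> list:
    """Return one hit record per log line that matches an indicator."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        cve = classify(rec["path"])
        if cve:
            hits.append({
                "src": rec["ip"],
                "ts": rec["ts"],
                "cve": cve,
                "path": rec["path"],
                "status": rec["status"],
                # A 2xx/3xx answer to a traversal request means the appliance
                # processed it; a 403/404 usually means a patch or mitigation
                # rejected it. Heuristic only: a 302 to a login page is not success.
                "served": rec["status"] < 400,
            })
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        flag = "LIKELY SUCCESS" if h["served"] else "blocked"
        print(f'{h["ts"]} {h["src"]} {h["cve"]} {flag} {h["path"]}')
```

Run it against the appliance's real access log instead of `SAMPLE_LOG`; a traversal request that received a 200 is the line to escalate, since a patched or mitigated appliance should refuse it. The signatures are deliberately narrow, so a clean scan does not prove the host is unpatched or untouched; it is a triage aid, not a substitute for applying the vendor patch.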

March 2020 brought an abrupt shift to work-from-home that, for many organisations, necessitated rapid deployment of cloud collaboration services such as Microsoft Office 365 (O365). Malicious cyber actors are targeting organisations whose hasty deployment of Microsoft O365 may have led to oversights in security configuration that leave them vulnerable to attack.

Cybersecurity weaknesses such as poor employee education on social engineering attacks and a lack of system recovery and contingency plans are still making organisations susceptible to ransomware attacks in 2020.
