DHS CISA, FBI Reveal The Top Exploited Vulnerabilities Since 2016
Organizations are being urged to prioritize patching and mitigation tactics for the top 10 exploited vulnerabilities between 2016 and 2019, and the three most exploited flaws from 2020, so far.
The Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the broader US government recently unveiled the 10 most exploited vulnerabilities between 2016 and 2019, as well as the three most exploited flaws from 2020 so far.
The flaws most commonly exploited by state, nonstate, and unattributed cyber actors between 2016 and 2019 are found in Microsoft’s Object Linking and Embedding (OLE) technology, Microsoft Office, Apache Struts, SharePoint, Adobe Flash Player, Drupal, and other Microsoft products, including Windows SMB and the .NET Framework.
CISA provided details into each of these leading threats, which include CVE-2017-11882, CVE-2017-0199, CVE-2017-5638, CVE-2012-0158, CVE-2019-0604, CVE-2017-0143, CVE-2018-4878, CVE-2017-8759, CVE-2015-1641, and CVE-2018-7600.
The three leading exploitation trends of 2020 involve unpatched Virtual Private Network (VPN) appliances, hastily deployed cloud collaboration services, and organizational cybersecurity weaknesses, including “poor employee education on social engineering attacks and a lack of system recovery and contingency plans.”
“Foreign cyber actors continue to exploit publicly known—and often dated—software vulnerabilities against broad target sets, including public and private sector organizations,” according to the alert. “Exploitation of these vulnerabilities often requires fewer resources as compared with zero-day exploits for which no patches are available.”
The most frequently exploited vulnerabilities are found in Microsoft’s OLE technology, which lets documents embed content from other applications, such as a spreadsheet inside a Word file. The second most reported flaw was found in the popular web framework Apache Struts.
Meanwhile, the three vulnerabilities most frequently exploited by nation-state cyber actors from China, North Korea, Iran, and Russia were again tied to Microsoft’s OLE technology, and include CVE-2017-11882, CVE-2017-0199, and CVE-2012-0158.
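Because the three flaws above are delivered as OLE objects embedded in RTF or Office documents, a first triage step is to look for the object markers such exploit documents carry. The following Python script is an added example written for this page, not CISA’s tooling or code from the alert: it scans RTF text for the `\objupdate` control word (which forces an embedded object to refresh when the document opens, the delivery pattern in CVE-2017-0199 chains), for `\objclass` values naming Equation Editor (CVE-2017-11882) or the MSCOMCTL common controls (CVE-2012-0158), and hex-decodes `\objdata` payloads to look for the OLE compound-file signature, the URL Moniker CLSID used by OLE2Link objects, and the Equation Editor CLSID or “Equation Native” stream name. The sample document it scans is constructed inline from those markers and contains no exploit; the helper names and the finding strings are this example’s own.

```python
import re

# Binary GUIDs appear inside OLE data as little-endian byte sequences.
OLE_SIGNATURE = bytes.fromhex("d0cf11e0a1b11ae1")  # compound file header
# {79EAC9E0-BAF9-11CE-8C82-00AA004BA90B}: URL Moniker, used by OLE2Link (CVE-2017-0199)
URL_MONIKER_CLSID = bytes.fromhex("e0c9ea79f9bace118c8200aa004ba90b")
# {0002CE02-0000-0000-C000-000000000046}: Equation Editor 3.0 (CVE-2017-11882)
EQNEDT_CLSID = bytes.fromhex("02ce020000000000c000000000000046")
EQN_NATIVE_STREAM = "Equation Native".encode("utf-16-le")  # OLE stream names are UTF-16LE

_OBJCLASS_RE = re.compile(rb"\\objclass\s+([A-Za-z0-9_.]+)")
_OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")


def extract_objdata(rtf: bytes) -> list:
    """Hex-decode every \\objdata payload found in the RTF text."""
    blobs = []
    for m in _OBJDATA_RE.finditer(rtf):
        hex_text = re.sub(rb"\s+", b"", m.group(1))
        if len(hex_text) % 2:          # tolerate a dangling nibble
            hex_text = hex_text[:-1]
        try:
            blobs.append(bytes.fromhex(hex_text.decode("ascii")))
        except ValueError:
            continue
    return blobs


def scan_rtf(rtf: bytes) -> list:
    """Return human-readable indicators tied to the three OLE CVEs in the alert."""
    findings = []
    if rb"\objupdate" in rtf:
        findings.append("objupdate: embedded object is refreshed on open (CVE-2017-0199 delivery pattern)")
    for m in _OBJCLASS_RE.finditer(rtf):
        cls = m.group(1).decode("ascii", "replace")
        if cls.lower().startswith("equation."):
            findings.append(f"objclass {cls}: Equation Editor object (CVE-2017-11882 target)")
        elif cls.lower().startswith("mscomctllib."):
            findings.append(f"objclass {cls}: MSCOMCTL common control (CVE-2012-0158 target)")
    for blob in extract_objdata(rtf):
        if OLE_SIGNATURE in blob:
            findings.append("objdata contains an OLE compound file")
        if URL_MONIKER_CLSID in blob:
            findings.append("objdata references the URL Moniker CLSID (OLE2Link, CVE-2017-0199)")
        if EQNEDT_CLSID in blob or EQN_NATIVE_STREAM in blob:
            findings.append("objdata contains an Equation Editor object (CVE-2017-11882)")
    return findings


def build_sample(with_url_moniker: bool = False) -> bytes:
    """Constructed RTF carrying only the marker bytes above; it is not an exploit document."""
    payload = OLE_SIGNATURE + EQNEDT_CLSID + EQN_NATIVE_STREAM
    if with_url_moniker:
        payload += URL_MONIKER_CLSID
    hexdata = payload.hex().encode("ascii")
    return (rb"{\rtf1{\object\objemb\objupdate{\*\objclass Equation.3}"
            rb"{\*\objdata " + hexdata + rb"}}}")


if __name__ == "__main__":
    for line in scan_rtf(build_sample(with_url_moniker=True)):
        print(line)
```

These are heuristics: real samples hide control words behind junk, split the hex across groups, and use other CLSIDs, so for production triage run the file through a proper RTF parser such as rtfobj from oletools and check the extracted objects against your detection rules.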
According to the alert, cyber actors tied to China have frequently exploited CVE-2012-0158, which was publicly assessed in 2015 to be the flaw most used in their cyber operations. First published in 2012, the flaw lies in the Windows Common Controls ActiveX library (MSCOMCTL.OCX) and affects Microsoft Office 2003, 2007, and 2010, Office 2003 Web Components, and several other Microsoft products that ship the control.
“This trend suggests that organizations have not yet widely implemented patches for this vulnerability and that Chinese state cyber actors may continue to incorporate dated flaws into their operational tradecraft as long as they remain effective,” officials explained.
“Deploying patches often requires IT security professionals to balance the need to mitigate vulnerabilities with the need for keeping systems running and ensuring installed patches are compatible with other software,” they added. “This can require a significant investment of effort, particularly when mitigating multiple flaws at the same time.”
In 2019, a report found that the vulnerabilities most consistently exploited by malicious cyber actors were in Microsoft and Adobe Flash products, reflecting their widespread use. CISA notes that “US government and private-sector data sources may complement each other to enhance security.”
For the 2020 vulnerabilities, CISA repeated an earlier alert that cybercriminals are increasingly targeting unpatched VPN appliances, including the Citrix ADC and Gateway flaw CVE-2019-19781 and the Pulse Secure VPN flaw CVE-2019-11510, both disclosed in 2019.
The abrupt shift to telework has also fueled rapid deployment of cloud collaboration services, including Microsoft Office 365. Repeating an earlier warning, the alert reminds organizations that attackers are targeting those deployments in hopes that the “hasty deployment of Microsoft O365 may have led to oversights in security configurations and vulnerable to attack.”
CISA warns these threat actors are also exploiting organizational cybersecurity weaknesses, including poor employee education on social engineering attacks and the failure of enterprises to implement system recovery and contingency plans. As a result, organizations are increasingly susceptible to ransomware attacks.
The agencies also recently released separate alerts on nation-state actors from the People’s Republic of China and North Korea.
Organizations are being urged to prioritize patching and review the technical guidance to shore up enterprise defenses against these sophisticated foreign cyber actors. In addition, organizations are being urged to transition away from any end-of-life software, which is a massive issue in the healthcare sector.
As of July 2019, more than half of healthcare providers continued to rely on Windows 7, for which Microsoft ended support in January 2020. Further, the majority of medical devices run on outdated platforms.
“Adversaries use known vulnerabilities and phishing attacks to compromise the security of organizations,” officials explained. “CISA offers several free scanning and testing services to help organizations reduce their exposure to threats by taking a proactive approach to mitigating attack vectors.”
CISA also urged the use of vulnerability scanning to improve cyber hygiene across the enterprise, by securing internet-facing systems from weak configuration and known flaws, while encouraging organizations to implement best practice security measures.
Lastly, CISA recommended its web application scanning service, which checks publicly accessible websites for potential flaws or weak configurations. The service provides a “snapshot of publicly accessible web applications and also checks functionality and performance in your application.”