In computer security, a vulnerability is a flaw or weakness in a system or network that could be exploited by a threat actor, such as an attacker, to manipulate or cause damage to the system in some way. To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness. In this frame, vulnerabilities are also known as the attack surface. The way that a computer vulnerability is exploited depends on the nature of the vulnerability and the motives of the attacker. These vulnerabilities can exist because of unanticipated interactions of different software programs, system components, or basic flaws in an individual program. Vulnerabilities can allow attackers to run code, access system memory, install different types of malware and steal, destroy or modify sensitive data.
Common Vulnerabilities and Exposures (CVE) is a list of publicly disclosed information security vulnerabilities and exposures. CVE was launched in 1999 by the MITRE corporation to identify and categorize vulnerabilities in software and firmware. CVE provides a free dictionary for organizations to improve their cyber security. MITRE is a nonprofit that operates federally funded research and development centers in the United States. The goal of CVE is to make it easier to share information about known vulnerabilities across organizations.
CVE does this by creating a standardized identifier for a given vulnerability or exposure. CVE identifiers or CVE names allow security professionals to access information about specific cyber threats across multiple information sources using the same common name. For example, UpGuard is a CVE compatible product and its reports reference CVE IDs. This allows you to find fix information on any CVE compatible vulnerability database.
The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the broader U.S. Government are providing this technical guidance to advise IT security professionals at public and private sector organizations to place an increased priority on patching the most commonly known vulnerabilities exploited by sophisticated foreign cyber actors. This alert provides details on vulnerabilities routinely exploited by foreign cyber actors—primarily Common Vulnerabilities and Exposures (CVEs)—to help organizations reduce the risk of these foreign threats.
Foreign cyber actors continue to exploit publicly known—and often dated—software vulnerabilities against broad target sets, including public and private sector organizations. Exploitation of these vulnerabilities often requires fewer resources as compared with zero-day exploits for which no patches are available. The public and private sectors could degrade some foreign cyber threats to U.S. interests through an increased effort to patch their systems and implement programs to keep system patching up to date. A concerted campaign to patch these vulnerabilities would introduce friction into foreign adversaries’ operational tradecraft and force them to develop or acquire exploits that are more costly and less widely effective. A concerted patching campaign would also bolster network security by focusing scarce defensive resources on the observed activities of foreign adversaries.
Top 10 Most Exploited Vulnerabilities 2016–2019
U.S. Government reporting has identified the top 10 most exploited vulnerabilities by state, nonstate, and unattributed cyber actors from 2016 to 2019 as follows: CVE-2017-11882, CVE-2017-0199, CVE-2017-5638, CVE-2012-0158, CVE-2019-0604, CVE-2017-0143, CVE-2018-4878, CVE-2017-8759, CVE-2015-1641, and CVE-2018-7600.
• According to U.S. Government technical analysis, malicious cyber actors most often exploited vulnerabilities in Microsoft’s Object Linking and Embedding (OLE) technology. OLE allows documents to contain embedded content from other applications such as spreadsheets. After OLE, the second-most reported vulnerable technology was a widespread Web framework known as Apache Struts.
• Of the top 10, the three vulnerabilities used most frequently across state-sponsored cyber actors from China, Iran, North Korea, and Russia are CVE-2017-11882, CVE-2017-0199, and CVE-2012-0158. All three of these vulnerabilities are related to Microsoft’s OLE technology.
• As of December 2019, Chinese state cyber actors were frequently exploiting the same vulnerability—CVE-2012-0158—that the U.S. Government publicly assessed in 2015 was the most used in their cyber operations. This trend suggests that organizations have not yet widely implemented patches for this vulnerability and that Chinese state cyber actors may continue to incorporate dated flaws into their operational tradecraft as long as they remain effective.
• Deploying patches often requires IT security professionals to balance the need to mitigate vulnerabilities with the need for keeping systems running and ensuring installed patches are compatible with other software. This can require a significant investment of effort, particularly when mitigating multiple flaws at the same time.
• A U.S. industry study released in early 2019 similarly discovered that the flaws malicious cyber actors exploited the most consistently were in Microsoft and Adobe Flash products, probably because of the widespread use of these technologies. Four of the industry study’s top 10 most exploited flaws also appear on this Alert’s list, highlighting how U.S. Government and private-sector data sources may complement each other to enhance security.
Vulnerabilities Exploited in 2020
In addition to the top 10 vulnerabilities from 2016 to 2019 listed above, the U.S. Government has reported that the following vulnerabilities are being routinely exploited by sophisticated foreign cyber actors in 2020:
• Malicious cyber actors are increasingly targeting unpatched Virtual Private Network vulnerabilities.
o An arbitrary code execution vulnerability in Citrix VPN appliances, known as CVE-2019-19781, has been detected in exploits in the wild.
o An arbitrary file reading vulnerability in Pulse Secure VPN servers, known as CVE-2019-11510, continues to be an attractive target for malicious actors.
• March 2020 brought an abrupt shift to work-from-home that necessitated, for many organizations, rapid deployment of cloud collaboration services, such as Microsoft Office 365 (O365). Malicious cyber actors are targeting organizations whose hasty deployment of Microsoft O365 may have led to oversights in security configurations and left them vulnerable to attack.
• Cybersecurity weaknesses—such as poor employee education on social engineering attacks and a lack of system recovery and contingency plans—have continued to make organizations susceptible to ransomware attacks in 2020.
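The CVE identifier format described earlier (a common name such as CVE-2019-19781 that every compatible database recognizes) is what makes alerts like this one actionable: a defender can scan their own vulnerability-scanner output for the listed IDs and patch those first. The following is an added example, not code from CISA, MITRE or any vendor mentioned on this page. It extracts CVE IDs from free text (tolerating an ID split across a line break, as extraction sometimes does to "CVE-2019- 19781"), checks the ID syntax, and maps each host to the alert-listed CVEs its report mentions. The host names and scan report lines are constructed sample data; the priority set is copied from the lists above.

```python
import re
from datetime import date

# CVE IDs copied from the alert text above: the top 10 exploited in 2016-2019
# and the two VPN vulnerabilities reported exploited in 2020.
TOP_EXPLOITED_2016_2019 = {
    "CVE-2017-11882", "CVE-2017-0199", "CVE-2017-5638", "CVE-2012-0158",
    "CVE-2019-0604", "CVE-2017-0143", "CVE-2018-4878", "CVE-2017-8759",
    "CVE-2015-1641", "CVE-2018-7600",
}
EXPLOITED_2020 = {"CVE-2019-19781", "CVE-2019-11510"}
PRIORITY_CVES = TOP_EXPLOITED_2016_2019 | EXPLOITED_2020

# "CVE-" + four-digit year + "-" + at least four digits. The optional
# whitespace after the second hyphen is an assumption made here to repair IDs
# that were broken across a line in copied reports (e.g. "CVE-2019- 19781").
CVE_PATTERN = re.compile(r"\bCVE-(\d{4})-\s?(\d{4,})\b", re.IGNORECASE)


def extract_cve_ids(text):
    """Return the normalized (upper-case, whitespace removed), de-duplicated
    CVE IDs found in text, in order of first appearance."""
    ids = []
    for year, seq in CVE_PATTERN.findall(text):
        cve = f"CVE-{year}-{seq}"
        if cve not in ids:
            ids.append(cve)
    return ids


def is_valid_cve_id(cve):
    """Check CVE ID syntax: CVE-<year>-<sequence>, year 1999 (when CVE was
    launched) up to the current year, sequence of at least four digits
    (short sequence numbers are zero-padded, as in CVE-2012-0158)."""
    m = re.fullmatch(r"CVE-(\d{4})-(\d{4,})", cve)
    if not m:
        return False
    return 1999 <= int(m.group(1)) <= date.today().year


def patch_priorities(scan_reports, priority=PRIORITY_CVES):
    """Map each host to the sorted list of priority CVEs its scan report
    mentions. Hosts with no priority findings are left out so the result is
    directly usable as a patching work list."""
    result = {}
    for host, report in scan_reports.items():
        hits = sorted(c for c in extract_cve_ids(report)
                      if is_valid_cve_id(c) and c in priority)
        if hits:
            result[host] = hits
    return result


# Constructed sample scanner output: the host names and findings are made up
# for this example (CVE-2016-0001 here is a placeholder, not a page reference).
SAMPLE_REPORTS = {
    "office-ws-01": "Microsoft Office: CVE-2017-11882, cve-2017-0199, CVE-2016-0001",
    "vpn-gw-01": "Citrix ADC: CVE-2019-\n19781 unpatched; see also CVE-2019-19781",
    "web-01": "Apache httpd: no findings",
}

if __name__ == "__main__":
    for host, cves in patch_priorities(SAMPLE_REPORTS).items():
        print(f"{host}: patch first -> {', '.join(cves)}")
```

Because the priority set is a plain set of strings, the same function works against any other list of IDs a team chooses to prioritize (for example a vendor advisory or an internal list), which is the point of a shared identifier scheme.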
Different reasons explain the growing number of disclosed vulnerabilities.
The aggressive WannaCry and NotPetya outbreaks were caused by the disclosure of the EternalBlue zero-day. The National Vulnerability Database and the Common Vulnerabilities and Exposures database both recorded more than 6,000 new vulnerabilities in 2016 – a figure that pales in comparison to the 14,500 vulnerabilities discovered in 2017. ENISA adds that 2018 is on track for 24,000 disclosed vulnerabilities. While for the majority of vulnerabilities disclosed in 2017 (ca. 72%) there is a patch or update available, for ca. 23% there is no known fix available.
“Is today’s software more vulnerable?” asks the European Union Agency for Network and Information Security (ENISA), a centre of expertise for cyber security in Europe. The Meltdown and Spectre vulnerabilities have illustrated how important it is for the industry to react rapidly and release patches to fix disclosed flaws.
- Disruptive innovation and the continuously evolving technology landscape enable the deployment of a growing number of new technology products and services. The commercial successes of mobile devices, cloud computing, social media, mobile applications and the Internet of Things (IoT), for example, opened opportunities for innovative businesses, albeit with relatively low maturity in software development and secure-coding skills.
- Innovation and strong competition in the technology space lead to more hardware and software products. The demand for shorter time-to-market is pressing vendors to release products faster and reduce the resources required for quality assurance and testing.
- Modern software applications are increasingly complex due to the demand for interconnectivity, integration and platform compatibility. In fact, 80% to 90% of modern applications are built using open-source software components. This trend increases the likelihood that vulnerabilities exist. Recent research has estimated that 1 in 18 open source components downloaded in 2017 had a known security vulnerability.
- The number of vendor-independent people and organizations involved in the research and discovery of vulnerabilities is increasing. According to a recent study, this group is considered the largest contributor to the growing number of vulnerabilities disclosed. Bug bounty / research reward programs promoted by major industry vendors are intended to mobilize this group into testing the products in exchange for a reward. Examples such as the Google Vulnerability Reward Program (VRP) and the Microsoft Security Research Centre recognize the value of this work.
- With cyber-crime becoming a profitable activity, an increasing number of threat actors are also involved in vulnerability research. A significant number of vulnerabilities are attributed to cyber criminals looking for new tools to support their attacks.
- With cyber security at the top of the agenda, nation-states are also actively engaged in vulnerability research to support lawful interventions in IT systems. Media reports on nation-states seeking new vulnerabilities have recently been published.
- Vulnerability-by-design implemented by vendors leaves backdoors in the software with the aim of exploiting them for various reasons: malicious purposes, hidden commercial agendas or surveillance programs. In 2015, the media reported that a nation-state had adopted new regulation requiring the inclusion of backdoors in hardware and software.
- Outdated system architectures that, for different reasons, are still in use and can be found in released products. Meltdown and Spectre are recently disclosed vulnerabilities that affected a wide variety of microprocessors released from 1995 to the present. ENISA recently published an Info Note describing these vulnerabilities.
- Without adequate legislation and regulation to protect consumer rights with regard to software defects and vulnerabilities, there is no incentive for the industry to invest in more secure products or to assume liability for damages caused.
Mitigating software vulnerabilities
Vulnerabilities cause a significant risk exposure whose reduction can be achieved through coordinated action by different stakeholders. Below we address important activities to be performed per stakeholder group:
From an end-user perspective:
- Maintain an up-to-date inventory of digital assets and connected devices;
- Perform a regular review of security and privacy policies;
- Conduct regular software patching and updating;
- Implement automated security vulnerability scanners; and
- Leverage vulnerability reporting databases.
From a vendor perspective:
- Adopt a security-by-design approach during the entire product development life-cycle;
- Invest in the recruitment/development of secure-coding skills;
- Introduce AI, and more specifically machine learning, to automate product development testing cycles;
- Implement personal data protection systems and processes in accordance with data protection law;
- Allow consumers to delete their own personal data on devices and products;
- Make sure that credentials are securely stored within services and on devices and that hard-coded credentials are not used;
- Promote and incentivize collaborative and responsible vulnerability disclosure in partnership with the various industry players and the security research community; and
- Respond to vulnerability reports in a timely manner. Implement vulnerability management systems and processes.
From a research community perspective:
- Adhere to responsible vulnerability disclosure in partnership with the industry and the research community;
- Facilitate the improvement of vendor maturity; and
- Set up infrastructures to coordinate the registration and maintenance of vulnerabilities.
From a policy maker perspective:
- Develop policies that subject the industry to software product liability laws and protect consumer rights;
- Develop a legal landscape to address the challenges faced by the different stakeholders involved in the vulnerability research and disclosure process; and
- Promote education in cyber security.