CISA’s Top 30 Bugs from oldest to recent : Get patch immediately


Government agencies in the US, UK, and Australia are encouraging public and private-sector organizations to secure their networks by ensuring firewalls, VPNs, and other internally connected devices are patched against the most widespread cyber threats.

Globally, cyber criminals continue to attack a wide range of targets, including public and private sector organizations, by exploiting publicly known and often outdated software vulnerabilities. Companies can mitigate these vulnerabilities by applying patches and by implementing a centralized patch management system across their systems worldwide.

According to the US Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), the United Kingdom’s National Cyber Security Centre (NCSC), and the US FBI, “Almost all of the top vulnerabilities that were exploited last year have been revealed in the past two years. A 2017 vulnerability is among the top 30 most exploited vulnerabilities in 2021, almost seven months later.”

The agencies say cybercriminals will continue to exploit older known vulnerabilities, such as CVE-2017-11882, as long as they remain effective and systems remain unpatched. In addition to complicating attribution, the use of known vulnerabilities by threat actors reduces costs and minimizes risk, because they are not investing in developing a zero-day exploit for their exclusive use, which they risk losing if it becomes known.

CVE-2017-11882 draws the most attention: it is a stack buffer overflow in the Equation Editor component of Microsoft Office that leads to remote code execution (RCE), and vendors have been warning about this exploit for years. In 2020, organizations that kept unpatched devices and technology connected to their networks were hit so frequently that the top four most exploited vulnerabilities were all discovered between 2018 and 2020.


Top Four Vulnerabilities:

  • CVE-2019-19781: a critical bug in the Citrix Application Delivery Controller (ADC) and Citrix Gateway that left unpatched outfits at risk from a trivial attack on their internal operations. According to a report published in December 2020, 17 percent of companies were unpatched; that is about one in five of the 80,000 companies.
  • CVE-2019-11510: a critical Pulse Secure VPN flaw exploited in several cyberattacks that targeted companies which had previously patched a related flaw in the VPN. In April 2020, the Department of Homeland Security (DHS) advised users to change the passwords of their Active Directory accounts, because the patches were released too late and bad actors had been able to compromise those accounts.
  • CVE-2018-13379: a path-traversal weakness in VPNs made by Fortinet that was discovered in 2018 and was still being actively exploited as of a few months ago, in April 2021.
  • CVE-2020-5902: a critical vulnerability in F5 Networks’ BIG-IP advanced delivery controller networking devices that, as of July 2020, was being exploited by attackers to scrape credentials, launch malware, and more.

2020 Top 13 Exploited Vulnerabilities:

1. Citrix: CVE-2019-19781 : The Citrix NetScaler RCE, which debuted over Christmas in 2019, is at the top of the list; for Aussies it hit close to home, having been used to gain access to a Defense recruitment database.

2. Pulse: CVE-2019-11510 : A Pulse Connect Secure flaw where an attacker who has gained access to the VPN can run arbitrary scripts on any host that connects to it. Anyone who connects to the VPN could be a potential target for a hacker.

3. Fortinet: CVE-2018-13379 : Fortinet’s version of a directory traversal bug can lead to an attacker gaining usernames and passwords. “Multiple malware campaigns have taken advantage of this vulnerability. The most notable being Cring ransomware (also known as Crypt3r, Ghost, Phantom, and Vjiszy1lo),” the agencies warned.

4. F5 BIG-IP: CVE-2020-5902 : This CVE scored a perfect 10 when it was announced. Basically, the flaw was in the Traffic Management User Interface (TMUI), which allowed any user at all to gain access to it.

5. MobileIron: CVE-2020-15505 : Security agencies have warned that state-backed hackers and organized crime are exploiting a vulnerability in MobileIron mobile device management software.

6. Microsoft Exchange: CVE-2020-0688 : This vulnerability arose because Exchange servers failed to create a unique cryptographic key for the Exchange Control Panel at install time, which allowed attackers to use malformed requests to run code under the SYSTEM context.

7. Atlassian Confluence: CVE-2019-3396 : The NSA tried to warn people about these vulnerabilities last October. This old Atlassian Confluence vulnerability adds a touch of server-side template injection to the path traversal and remote code execution antics seen at other vendors.

8. Atlassian Crowd: CVE-2019-11580 : Attackers can exploit this flaw to install arbitrary plugins, which can lead to remote code execution. This vulnerability was specifically mentioned by the agencies concerned.

9. Drupal: CVE-2018-7600 : Drupal’s hook-crazed codebase lacks input sanitization, which can allow an unauthenticated attacker to gain remote code execution.

10. Telerik: CVE-2019-18935 : The Telerik framework, which is used by ASP.NET apps, has a hole in how it sanitizes serialized input that can lead to RCE and crypto-jacking.

11. Microsoft SharePoint: CVE-2019-0604 : SharePoint had a vulnerability when deserializing XML due to a lack of proper sanitization, which could lead to remote code execution.

12. Microsoft Windows Background Intelligent Transfer Service: CVE-2020-0787 : The service mishandles symbolic links, which an attacker could exploit to execute arbitrary code with system-level privileges.

13. Microsoft Netlogon: CVE-2020-1472 : When it was first announced, it was described as one of the worst bugs ever, and with a CVSS score of 10, it’s easy to see why.

Most Exploited Vulnerabilities in 2021 :

From 115.8 million ransomware attacks in Q1 to 188.9 million attacks in Q2, ransomware attacks are on the rise. “This will be the worst year for ransomware,” says SonicWall, which recorded these figures, even if no ransomware attempts are detected in the second half of 2021.

CISA and the other agencies also list this year’s flaws that have been actively exploited:

  • Microsoft Exchange: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065: four flaws that can be chained together, known as the ProxyLogon group of security bugs, which led to a patching frenzy. As of March, 92 percent of Exchange Servers were vulnerable to ProxyLogon, Microsoft stated, justifying the panic.
  • Pulse Secure: CVE-2021-22893, CVE-2021-22894, CVE-2021-22899, and CVE-2021-22900. As of May, CVE-2021-22893 was being exploited by at least two advanced persistent threat (APT) actors, most likely linked to China, to attack U.S. defense targets, among others.
  • Accellion: CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104. These flaws resulted in a slew of attacks, including one on Shell. Around 100 Accellion FTA customers, including the Jones Day law firm, Kroger, and Singtel, were hit by FIN11 and the Clop ransomware gang.
  • VMware: CVE-2021-21985: A critical bug in VMware’s virtualization management platform, vCenter Server, that makes it possible for a remote attacker to exploit the product and take control of a company’s affected system.

As a best practice, update systems with the latest software versions whenever they become available to minimize vulnerabilities. If a patch isn’t available, use the vendor’s temporary workarounds to mitigate the risk. Prioritizing the remediation of critical vulnerabilities will aid in the prevention of potential cyber intrusions.
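One way to act on the centralized patch-management and prioritization advice above is to cross-reference a vulnerability scanner’s export against the CVE identifiers named in the advisory, so that known-exploited bugs go to the front of the patch queue. The script below is an added example, not code from the advisory, CISA, or either cited article. The CVE set is the list from this page; the scanner export, host names, and the two non-advisory CVE ids in it are constructed sample data, and the `host,cve` CSV layout is an assumption about the scanner’s output format. It also normalizes loosely written ids such as `CVE 2019-11510` or `CVE2021-27065`, which appear in this page and in many spreadsheets, so they match the canonical form.

```python
"""
Triage a vulnerability-scanner export against the CVE ids from the joint
CISA/ACSC/NCSC/FBI advisory summarized above, and rank hosts for patching.
Added example with constructed sample data; not the advisory's own tooling.
"""
import re
from collections import defaultdict

# CVE identifiers named on this page (2017 and 2018-2020 list, then 2021 list).
ADVISORY_CVES = {
    "CVE-2017-11882", "CVE-2019-19781", "CVE-2019-11510", "CVE-2018-13379",
    "CVE-2020-5902", "CVE-2020-15505", "CVE-2020-0688", "CVE-2019-3396",
    "CVE-2019-11580", "CVE-2018-7600", "CVE-2019-18935", "CVE-2019-0604",
    "CVE-2020-0787", "CVE-2020-1472",
    "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065",
    "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900",
    "CVE-2021-27101", "CVE-2021-27102", "CVE-2021-27103", "CVE-2021-27104",
    "CVE-2021-21985",
}

# Accepts "CVE-2019-11510", "CVE 2019-11510" and "CVE2021-27065".
_CVE_RE = re.compile(r"CVE[\s-]?(\d{4})-(\d{4,})", re.IGNORECASE)


def normalize_cve(text):
    """Return the canonical 'CVE-YYYY-NNNN' id found in text, or None."""
    match = _CVE_RE.search(text)
    if not match:
        return None
    return f"CVE-{match.group(1)}-{match.group(2)}"


def cve_year(cve):
    """Year component of a canonical CVE id, used as an age proxy."""
    return int(cve.split("-")[1])


# Constructed scanner export (assumed 'host,cve' CSV). CVE-2022-99999 and
# CVE-2023-12345 are made-up ids standing in for findings not on the advisory.
SCAN_EXPORT = """host,cve
vpn-gw-01,CVE 2019-11510
vpn-gw-01,CVE-2021-22893
mail-01,CVE2021-26855
mail-01,CVE-2021-27065
mail-01,CVE-2020-0688
wiki-01,CVE-2019-3396
wiki-01,CVE-2022-99999
dc-01,CVE-2020-1472
ws-042,CVE-2017-11882
ws-042,CVE-2023-12345
"""


def parse_export(csv_text):
    """Parse the export into {host: set of canonical CVE ids}; skip bad rows."""
    findings = defaultdict(set)
    for line in csv_text.strip().splitlines()[1:]:  # skip the header row
        host, _, raw_cve = line.partition(",")
        cve = normalize_cve(raw_cve)
        if host and cve:
            findings[host].add(cve)
    return findings


def prioritize(findings, advisory=ADVISORY_CVES):
    """
    Rank hosts that carry advisory-listed (known-exploited) CVEs.
    Sort key, most urgent first:
      1. number of advisory CVEs on the host,
      2. year of the oldest one (an old unpatched bug signals a lagging process),
      3. host name, for a stable order.
    Returns [(host, sorted advisory CVEs)]; hosts with no advisory CVE are omitted.
    """
    ranked = []
    for host, cves in findings.items():
        hits = sorted(cves & advisory)
        if hits:
            ranked.append((host, hits))
    ranked.sort(key=lambda item: (-len(item[1]),
                                  min(cve_year(c) for c in item[1]),
                                  item[0]))
    return ranked


if __name__ == "__main__":
    for host, hits in prioritize(parse_export(SCAN_EXPORT)):
        print(f"{host}: patch {', '.join(hits)}")
```

Run as-is, the script lists mail-01 first (three ProxyLogon-era and Exchange findings), then the VPN gateway, then the single-finding hosts ordered by the age of their advisory CVE, so the 2017 Office bug on a workstation outranks the 2020 Netlogon finding on the domain controller. Replace `SCAN_EXPORT` with a real scanner export and the same ranking applies; adding CVSS or asset criticality as further sort keys is a natural extension.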

There are a variety of ways that cybercrime can affect companies around the world. Don’t worry, we’ve got your back: register now to speak with one of our experts and learn how to think like an attacker.


Reference:

Vaas, L. (n.d.). CISA’s top 30 bugs: One’s old enough to buy beer. Threatpost. https://threatpost.com/cisa-top-bugs-old-enough-to-buy-beer/168247/

Duckett, C. (2021, July 28). Get patching: US, UK, and Australia issue joint advisory on top 30 exploited vulnerabilities. ZDNet. https://www.zdnet.com/article/get-patching-us-uk-and-australia-issue-joint-advisory-on-top-30-exploited-vulnerabilities/