May 21, 2020
3 Observations from CISA Alert (AA20-133A) ‘Top 10 Routinely Exploited Vulnerabilities’
In a recent alert from the National Cyber Awareness System (NCAS) three government agencies — the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the broader US government came together to provide technical guidance to public and private sector organizations to prioritize the patching of commonly known vulnerabilities exploited by foreign cyber actors. As part of this guidance, the alert identifies the 10 most exploited vulnerabilities from 2016 – 2019. The alert also addresses emerging risks based on vulnerability exploit trends in 2020 so far. Here are 3 observations from the alert.
Old Vulnerabilities Persevere
In an analysis of the 10 most exploited vulnerabilities between 2016 and 2019, 2 older vulnerabilities (CVE-2012-0158 and CVE-2015-1641) made the cut. As indicated in the alert, this points to systemic problems with existing vulnerability management processes. It is difficult to rationalize why old vulnerabilities with known exploits and fixes continue to exist and be taken advantage of by malicious actors. Remediating vulnerabilities is certainly not a trivial task. Remediation can require a significant investment of time and effort, with security professionals having to balance the need to mitigate vulnerabilities with the mandate to keep systems running and ensure installed patches are compatible with other software. However, effective vulnerability management processes should make such vulnerabilities a top target for remediation, and guide practitioners with effective and efficient ways to implement remediation. The 2 older vulnerabilities mentioned are just the tip of the iceberg and the alert expects this trend to continue, citing that ‘state cyber actors may continue to incorporate dated flaws into their operational tradecraft as long as they remain effective’.
Microsoft Remains a Big Target
It should be no surprise that Microsoft products, with their wide adoption across enterprise and personal users, are a big target for malicious actors. However, 7 out of the top 10 exploited vulnerabilities between 2016 – 2019 affecting Microsoft products should be a wakeup call for practitioners. 3 of these vulnerabilities are related to Microsoft’s Object Linking and Embedding (OLE) technology that allows documents to contain embedded content from other applications such as spreadsheets. This observation points to a widespread need for organizations to better understand and track the components that make up their IT infrastructure. While remediation can be time-consuming, robust vulnerability management programs should be able to provide instant insights into the prevalence and impact of these risks. How many of our IT assets have these vulnerable products or frameworks installed? What is the significance of these assets to our organization (what data do they store, what business processes do they support)? It should be possible for every vulnerability management program to answer these questions on demand, at a moment’s notice.
Malicious Actors Adapt to Changes FAST
In addition to the top 10 exploited vulnerabilities between 2016 – 2019, the alert also highlights the vulnerabilities being routinely exploited by sophisticated foreign cyber actors so far in 2020. With the Covid19 pandemic forcing the most drastic change in workplace norms in recent times and bringing an abrupt shift to work-for-home for large parts of the workforce, it’s no surprise that VPN solutions and cloud collaboration services are big targets for malicious actors. We have all heard news reports about trouble makers being able to ‘bomb’ open zoom meetings. There has also been scrutiny of Zoom’s privacy and encryption policies. There have been reports of malicious actors targeting organizations whose hasty deployment of Microsoft O365 may have led to oversights in security configurations leaving them vulnerable to attacks. These reports point to some systemic cybersecurity challenges. Malicious actors are extremely resourceful, well-coordinated, and opportunistic. Security practitioners should always expect that malicious actors will respond to any change in the status quo faster than software and security vendors can. It takes time for software vendors to roll out patches and security practitioners should have a plan in place to manage the risk posed to them between vulnerability discovery and remediation. This also underscores the dire need for better employee cybersecurity education and effective system recovery and contingency plans.
Be sure to read to full alert notice here for mitigations and more details.
