
FBI, DHS & CISA report summarizes top 10 exploited vulnerabilities

August 24, 2020 by Daniel Brecht

Introduction: The US federal agencies helping to protect your systems from exploits

According to the Cybersecurity and Infrastructure Security Agency (CISA), foreign cyber actors often exploit software vulnerabilities that have already been addressed, banking on the fact that patches are not always applied promptly. Public and private sector organizations can do much to impair foreign cyberthreats to US interests simply by implementing an effective program to keep software up to date. At the very least, they would force these malicious entities to spend far more resources on zero-day exploits, for which no patches are yet available.

As the nation’s risk advisor, CISA is working with US government agencies and the Federal Bureau of Investigation (FBI) to provide timely information about vulnerabilities and exploits, as seen in Alert (AA20-133A). This Activity Alert provides insight into particular cyberthreats, as well as into mitigation activities that can be implemented.

The list of top 10 most exploited vulnerabilities

Below is a breakdown of vulnerabilities exploited in the period 2016-2019 by state, non-state and unattributed cyber actors; most are Common Vulnerabilities and Exposures (CVE) entries, as listed in the NIST National Vulnerability Database (NVD).

  • The Microsoft Office Memory Corruption Vulnerability stems from memory corruption in MS Office’s Equation Editor: because the component fails to properly handle objects in memory, an attacker can run arbitrary code in the context of the current user, and once the crafted file is opened the exploit executes without further user interaction. Microsoft warns that “exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Office or Microsoft WordPad software.”
  • Vulnerable products: Microsoft Office 2007 SP3/2010 SP2/2013 SP1/2016 products
  • Associated malware: Loki, FormBook, Pony/FAREIT. For malware initial finding reports and malware analysis reports, see here. Microsoft Security Intelligence documented an active campaign that distributed RTF files carrying the CVE-2017-11882 exploit; attackers were able to automatically run malicious code without user interaction.
  • Mitigation: Update affected Microsoft products with the latest security patches. This vulnerability was in fact fixed in 2017 with a security update that corrected how the affected Office component handles objects in memory, but to this day Microsoft Security Intelligence still observes the exploit in attacks.
  • CVSS Severity V3.0: 7.8 HIGH / V2.0: 9.3 HIGH
  • CISA lists this exploit as the one most frequently used by state-sponsored cyber actors from China, Iran, North Korea and Russia.
  • More details: https://nvd.nist.gov/vuln/detail/CVE-2017-11882
  • For indicators of compromise (IOCs) and additional guidance associated with the CVEs in this alert, see here.
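Because the campaigns described above deliver the exploit inside RTF files that embed an Equation Editor OLE object, a mail gateway or incident responder can triage documents by looking for that object. The script below is an added example, not code from the article, CISA or Microsoft; it scans an RTF blob for an embedded object whose declared class is Equation.3, and also decodes each \objdata payload to look for the Equation Editor ProgID or CLSID (both public Windows constants, not values from the article). The two RTF samples at the bottom are constructed for the demonstration and contain no exploit; a hit only says the document carries an Equation Editor object, which is a triage signal, not proof of malice, and the mitigation remains the patch the article names.

```python
import re
from binascii import hexlify

# Identifiers of the Equation Editor OLE component (EQNEDT32.EXE) that
# CVE-2017-11882 targets. Both are public Windows constants for that
# component, not values taken from the article.
EQNEDT_PROGID = b"Equation.3"
# {0002CE02-0000-0000-C000-000000000046} in on-disk (little-endian) byte order
EQNEDT_CLSID = bytes.fromhex("02ce020000000000c000000000000046")

# RTF control words carrying an embedded object's class name and its
# hex-encoded payload.
_OBJCLASS_RE = re.compile(rb"\\objclass\s+([A-Za-z0-9.]+)")
_OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")


def find_equation_objects(rtf: bytes) -> list:
    """Return (where, offset) pairs for every Equation Editor object found.

    'objclass' means the RTF declared the object's class as Equation.3;
    'objdata' means the decoded object payload names the component by
    ProgID or CLSID, which also catches objects whose \\objclass was
    omitted or lies about the class.
    """
    findings = []
    for m in _OBJCLASS_RE.finditer(rtf):
        if m.group(1) == EQNEDT_PROGID:
            findings.append(("objclass", m.start()))
    for m in _OBJDATA_RE.finditer(rtf):
        hexdata = re.sub(rb"\s+", b"", m.group(1))
        try:
            blob = bytes.fromhex(hexdata.decode("ascii"))
        except ValueError:  # odd length or stray characters: not decodable hex
            continue
        if EQNEDT_PROGID in blob or EQNEDT_CLSID in blob:
            findings.append(("objdata", m.start()))
    return findings


def scan_file(path: str) -> list:
    """Convenience wrapper for scanning an RTF file on disk."""
    with open(path, "rb") as fh:
        return find_equation_objects(fh.read())


# Constructed samples (not real malware): a minimal OLE1 object header whose
# class-name field reads "Equation.3", wrapped in RTF, and a benign document
# that embeds a Word object instead.
_OLE1_EQN = b"\x01\x05\x00\x00\x02\x00\x00\x00\x0b\x00\x00\x00Equation.3\x00"
SAMPLE_EQN = (b"{\\rtf1{\\object\\objemb{\\*\\objclass Equation.3}{\\*\\objdata "
              + hexlify(_OLE1_EQN) + b"}}}")
SAMPLE_BENIGN = (b"{\\rtf1{\\object\\objemb{\\*\\objclass Word.Document.8}"
                 b"{\\*\\objdata 0105000002000000}}}")

if __name__ == "__main__":
    print(find_equation_objects(SAMPLE_EQN))
    print(find_equation_objects(SAMPLE_BENIGN))
```

Run it against a directory of quarantined attachments with scan_file; the objdata check is the one that matters in practice, because the \objclass control word is optional and attacker-controlled.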

  • The Apache Struts vulnerability, as NIST describes it, involves “incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header [that will be delivered to the target web server in an HTTP GET request], as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.”
  • Vulnerable products: Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1
  • Associated malware: JexBoss — JBoss Verify and EXploitation Tool
  • Mitigation: Upgrade to Struts 2.3.32 or Struts 2.5.10.1
  • CVSS Severity V3.0: 10.0 CRITICAL / V2.0: 10.0 HIGH
  • More details: https://nvd.nist.gov/vuln/detail/CVE-2017-5638
  • IOCs: https://www.us-cert.gov/ncas/analysis-reports/AR18-312A
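The NVD description quoted above names the three headers the bug is reachable through and the #cmd= string seen in the wild, which is enough to write a log or gateway triage rule. The following script is an added example, not code from the article, CISA or the Struts project: it parses a raw HTTP request's headers and flags a Content-Type, Content-Disposition or Content-Length value that carries either the #cmd= string from the description or an OGNL expression opener (%{ or ${, the Struts expression syntax the vulnerable code evaluates, which is a Struts fact not stated in the article). The sample requests are constructed header shapes, not working exploits.

```python
import re

# The three headers that the NVD description of CVE-2017-5638 names as the
# injection vectors.
WATCHED_HEADERS = {"content-type", "content-disposition", "content-length"}

# Markers: "#cmd=" is the string NVD cites from the March 2017 in-the-wild
# exploitation; "%{" and "${" open an OGNL expression, the Struts expression
# language the vulnerable parser evaluates (a Struts fact, not from the article).
_MARKERS = (re.compile(r"#cmd="), re.compile(r"[%$]\{"))


def parse_headers(raw_request: str) -> dict:
    """Split a raw HTTP request (request line plus headers) into {name: value}."""
    lines = re.split(r"\r?\n", raw_request)
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def flag_struts_ognl(raw_request: str) -> list:
    """Return (header, matched_marker) pairs for watched headers carrying a marker.

    Each header is reported at most once, with the first marker that matched.
    """
    hits = []
    for name, value in parse_headers(raw_request).items():
        if name not in WATCHED_HEADERS:
            continue
        for pat in _MARKERS:
            m = pat.search(value)
            if m:
                hits.append((name, m.group(0)))
                break
    return hits


# Constructed sample requests: the header shapes a gateway would see, not
# functional exploit payloads.
SUSPICIOUS = (
    "POST /upload.action HTTP/1.1\r\n"
    "Host: app.example\r\n"
    "Content-Type: %{(#cmd='test')}\r\n"
    "\r\n"
)
SUSPICIOUS_DISPOSITION = (
    "POST /upload.action HTTP/1.1\r\n"
    "Host: app.example\r\n"
    "Content-Type: multipart/form-data; boundary=----x\r\n"
    "Content-Disposition: form-data; name=%{1+1}\r\n"
    "\r\n"
)
BENIGN = (
    "POST /upload.action HTTP/1.1\r\n"
    "Host: app.example\r\n"
    "Content-Type: multipart/form-data; boundary=----x\r\n"
    "Content-Length: 42\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, req in (("suspicious", SUSPICIOUS),
                       ("disposition", SUSPICIOUS_DISPOSITION),
                       ("benign", BENIGN)):
        print(label, flag_struts_ognl(req))
```

A legitimate multipart upload never puts an expression opener in these headers, so the false-positive rate of this rule is low; it is a detection aid for finding attempts against hosts that have not yet been upgraded to the Struts versions the mitigation line names.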

  • The Microsoft SharePoint Remote Code Execution Vulnerability exists when the software fails to check the source markup of an application package. According to Microsoft, it works by a specially crafted SharePoint application package uploaded by a user to SharePoint.
  • Vulnerable products: Microsoft SharePoint (Server 2019 / Enterprise Server 2016 / Server 2013 Service Pack 1 / Foundation 2013 Service Pack 1 / Server 2010 Service Pack 2 / Foundation 2010 Service Pack 2)
  • Associated malware: China Chopper
  • Mitigation: Microsoft patched this in February 2019 in order to stop attackers from running arbitrary code in the SharePoint application pool and the SharePoint server farm account.
  • CVSS Severity V3.0: 9.8 CRITICAL / V2.0: 7.5 HIGH
  • More details: https://nvd.nist.gov/vuln/detail/CVE-2019-0604

  • The Windows SMB Remote Code Execution Vulnerability allows remote attackers to execute arbitrary code via crafted packets on the target server.
  • Vulnerable products: Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016
  • Associated malware: Multiple using the EternalSynergy and EternalBlue Exploit Kit
  • Mitigation: Update affected Microsoft products with the latest security patches
  • CVSS Severity V3.0: 8.1 HIGH / V2.0: 9.3 HIGH
  • More details: https://nvd.nist.gov/vuln/detail/CVE-2017-0143

  • A further Microsoft Office Memory Corruption Vulnerability (a different flaw from the Equation Editor one above) is exploited through AKBuilder-generated documents: the builder uses a single exploit (AK-2) to spread malware, and the flaw allows remote attackers to execute arbitrary code via a crafted RTF document.
  • Vulnerable products: Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word 2013 SP1, Word 2013 RT SP1, Word for Mac 2011, Office Compatibility Pack SP3, Word Automation Services on SharePoint Server 2010 SP2 and 2013 SP1, and Office Web Apps Server 2010 SP2 and 2013 SP1
  • Associated malware: Toshliph, UWarrior
  • Mitigation: Update affected Microsoft products with the latest security patches
  • CVSS Severity V3.0: N/A / V2.0: 9.3 HIGH
  • More details: https://nvd.nist.gov/vuln/detail/CVE-2015-1641
  • IOCs: https://www.us-cert.gov/ncas/analysis-reports/ar20-133m

How can CVEs help me?

The Common Vulnerabilities and Exposures (CVE) list is invaluable, as it offers a standardized way to report information about vulnerabilities and to share or find that information across compatible databases and security tools. Each entry contains an identification number, a description and references; the list is not to be seen as simply another vulnerability list but rather as the place where interested parties can find information linked to those vulnerabilities, and as a valuable instrument for comparing different services or security tools.

The Common Vulnerability Scoring System (CVSS) — an open industry standard for assessing the severity of computer system security vulnerabilities — gives professionals a way to prioritize their actions by identifying the vulnerabilities that are potentially the most dangerous, and to carry out risk management.

Conclusion

CVE entries are a great, publicly available reference tool that lists the most common cybersecurity vulnerabilities to date and allows professionals to check their systems against the corresponding mitigations. The United States Computer Emergency Readiness Team (US-CERT) has recently published a list of security vulnerabilities affecting a variety of platforms from 2016-2019, the CVEs highlighted in Alert (AA20-133A), to help organizations reduce the risk of foreign threats to their systems.

Even so, the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (DHS CISA) and the FBI note that threats continue to target remote workers through unpatched VPN vulnerabilities and cloud collaboration services. The document, in fact, also lists a few vulnerabilities specific to 2020 in an effort to provide timely mitigation information: CVE-2019-19781, for example, affects the Citrix Application Delivery Controller and Gateway, an application commonly used to give remote workers access to needed resources.


Sources

  1. Alert (AA20-133A), US-CERT
  2. Search Vulnerability Database, NIST | NVD
  3. Vulnerability Metrics, NIST | NVD
  4. Search CVE List, MITRE Corporation
  5. CVE and NVD Relationship, MITRE Corporation
  6. Current CVSS Score Distribution For All Vulnerabilities, cvedetails.com
  7. Understanding Vulnerability Scoring: CVSS Explained, Security Boulevard
  8. Top 10 Routinely Exploited Vulnerabilities, US-CERT
  9. CISA, FBI Breakdown Most Exploited Vulnerabilities, Digital Guardian
  10. CISA Releases Top 10 Most Routinely Exploited Vulnerabilities, Nextgov
  11. CISA And FBI Alert: Top Vulnerabilities Exploited From 2016-2019 And Trends From 2020, Digital Shadows Ltd.
  12. DHS CISA and FBI share list of top 10 most exploited vulnerabilities, ZDNet
  13. Top 10 most exploited vulnerabilities list released by FBI, DHS CISA, Naked Security | Sophos Ltd.

Daniel Brecht has been writing for the Web since 2007. His interests include computers, mobile devices and cyber security standards. He has enjoyed writing on a variety of topics ranging from cloud computing to application development, web development and e-commerce. Brecht has several years of experience as an Information Technician in the military and as an education counselor. He holds a graduate Certificate in Information Assurance and a Master of Science in Information Technology.