The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) published a list of the top 10 most exploited vulnerabilities for four years between 2016 and 2019. The two US Government agencies issued the AA20-133A alert through the National Cyber Awareness System. The published list includes system vulnerabilities exploited by state-sponsored cybercriminals, non-state, and unattributed threat actors. The state agencies advised organizations to patch these vulnerabilities to frustrate foreign threat actors from easily taking advantage of well-known software vulnerabilities to target computer systems in the United States.
List of the most exploited vulnerabilities
Microsoft Object Linking and Embedding (OLE) technology is the most exploited vulnerability, according to DHS CISA and the FBI. This feature of Microsoft products allows linking office documents with active content from other applications. Threat actors embed malicious dynamic objects that transfer dangerous applications on to their computer systems. The government agencies found OLE vulnerabilities CVE-2017-11882, CVE-2017-0199, and CVE-2012-0158 to be the most exploited vulnerability by state-sponsored threat actors such as China, Russia, Iran, and North Korea. Apache Struts was the second most exploited software vulnerability according to both the government agencies’ report and RiskSense Report. Citrix VPN appliances (CVE-2019-19781) and Pulse Secure VPN servers (CVE-2019-11510) were the most exploited vulnerabilities in 2020. Misconfigured Office 365 deployments also provided an attack landscape as people are shifting to work from home arrangements. The rapid deployments of these products may have contributed to oversights in security configurations, thus vulnerable to attack.
Microsoft software vulnerabilities were the most popular means of attacking systems by cybercriminals, while Adobe Flash Player vulnerabilities maintain their second position. Security flaws in Microsoft products accounted for eight out of the ten most exploited vulnerabilities, according to researchers at Recorded Future.
The most exploited vulnerability is known as Double Kill and resides on Microsoft Windows Operating System. The Windows VBScript vulnerability can be exploited through Microsoft’s legacy browser, Internet Explorer. This Microsoft vulnerability is included in top exploit kits such as Fallout, KaiXin, Magnitude, and RIG, and has been used in delivering trojans and conducting ransomware attacks.
The second most exploited vulnerability, CVE-2018-4878, was Adobe Flash Player zero-day identified early last year. Although Adobe released the security patch hours after the discovery of the flaw, most users ignored it, leaving their systems vulnerable to attacks. The exploit was included in the Fallout Exploitation Kit and used in GrandCrab Ransomware.
A third feature on the list of top exploited vulnerabilities belonged to Microsoft for Office products. CVE-2017-11882 enables the running of arbitrary code when a maliciously edited office document is opened. The vulnerability was included in QuasarRAT trojan and Andromeda botnet.
Despite ranking on the list of top exploited vulnerabilities, Adobe Flash Player-related faults are going out of fashion because of the fallen popularity of Flash content. Additionally, most browsers are dropping Flash Player in preference to HTML5 components. Consequently, it does not make economic sense for threat actors to invest in a technology nobody will be using in a few months and which users might be forced to uninstall.
Most of the existing Microsoft’s most exploited vulnerabilities have security patches, but many users ignore installing them, thus leaving their systems vulnerable to attacks. This users’ behavior, in addition to the widespread use of Microsoft products, makes the company’s products become crucial targets for cybercriminals.
Timothy Chiu, Vice President of Marketing at K2 Cyber Security, says the list helps keep users and organizations aware of the persistent danger posed by commonly known vulnerabilities.
“While Microsoft remains at the top of the list for exploited security vulnerabilities, this list reminds us that common exploits, like the ones found in the OWASP Top 10, are still in the top 10 exploits targeted by cybercriminals. This list, along with the recent NIST update to the standard SP 800-53 to include application security (RASP) as a requirement, is a good reminder that there’s more need than ever to have application security as part of the security framework for web applications and application workloads.”
Limiting intrusion by threat actors
U.S. officials said exploitation of these vulnerabilities requires less resources compared to zero-day vulnerabilities. They said concerted campaign to patch these vulnerabilities would introduce friction into foreign adversaries’ operational tradecraft and force them to develop or acquire exploits that are more costly and less widely effective. The security agencies advised organizations to transition from end-of-life software that may include the most exploited vulnerabilities but no longer supported by the production companies.
