Sikov -

Nation state APT groups prefer old, unpatched vulnerabilities

The Cybersecurity and Infrastructure Security Agency and the FBI have published details of the most commonly exploited vulnerabilities of recent years, and there are some “classics” on the list

Long-disclosed vulnerabilities in Microsoft’s object linking and embedding (OLE) technology and the Apache Struts web framework were the most commonly exploited by nation state-linked threat actors between 2016 and 2019, according to the US government’s Cybersecurity and Infrastructure Security Agency (CISA) – Washington’s equivalent of the UK’s National Cyber Security Centre (NCSC) and the Federal Bureau of Investigation (FBI).

In a newly published disclosure, CISA and the FBI set out details on the most widely exploited common vulnerabilities and exposures (CVEs) of the past three years, and revealed some of the emerging threats they are seeing today.

Foreign cyber actors continue to exploit publicly known – and often dated – software vulnerabilities against broad target sets, including public and private sector organisations. Exploitation of these vulnerabilities often requires fewer resources as compared with zero-day exploits for which no patches are available,” said CISA in its disclosure.

“The public and private sectors could degrade some foreign cyber threats to US interests through an increased effort to patch their systems and implement programs to keep system patching up to date.

“A concerted campaign to patch these vulnerabilities would introduce friction into foreign adversaries’ operational tradecraft and force them to develop or acquire exploits that are more costly and less widely effective. A concerted patching campaign would also bolster network security by focusing scarce defensive resources on the observed activities of foreign adversaries.”

CISA said its reporting had identified APTs linked to China, Iran, North Korea and Russia as the most frequently seen state-backed attackers and revealed that they used three vulnerabilities in particular. These are CVE-2017-11882, CVE-2017-0199, and CVE-2012-0158.

All three of these vulnerabilities relate to Microsoft’s OLE technology, which allows documents to contain embedded content from other applications, such as spreadsheets.

Inappropriate patching

As of December 2019, the oldest of these vulnerabilities, eight-year-old CVE-2012-0158, was being exploited by Chinese groups just as widely as it was in 2015, a clear signal that organisations are not bothering to patch their systems appropriately.

“Deploying patches often requires IT security professionals to balance the need to mitigate vulnerabilities with the need for keeping systems running and ensuring installed patches are compatible with other software. This can require a significant investment of effort, particularly when mitigating multiple flaws at the same time,” said the report.

Satnam Narang, staff research engineer at Tenable, declared himself unsurprised by the popularity of old Microsoft vulnerabilities.

“Cyber criminals go after low hanging fruit, which is often ubiquitous software with known but unpatched vulnerabilities. Many of the bad actors leverage flaws in Office when distributing spear phishing emails to their intended targets. These emails are tailored to their victim, using a lure designed to capture their interest in order to convince them to open the malicious attachment,” he said.

“This list is indicative of a trend we see time and time again: Cyber criminals prefer to leverage known but unpatched vulnerabilities. Finding or acquiring zero-day vulnerabilities is a costly endeavour, so leveraging unpatched flaws with publicly available exploit code gets them to their end goal in the fastest and cheapest way possible.”

Read more about APTs

  • New BlackBerry research shows how five APT groups operating on behalf of the Chinese government infiltrated enterprise Linux environments undetected for nearly a decade.
  • A dual cyber espionage and cyber crime group known as APT41 exploited vulnerabilities in Citrix NetScaler/ADC and other products in an extensive, global threat campaign.
  • Turla, the Kremlin-linked APT group that last year hijacked an Iranian group’s infrastructure, was likely to have been operating opportunistically, according to researchers.

Marco Rottigni, EMEA chief security technical officer at Qualys, said CISA and the FBI’s findings proved threat actors tend to ground their strategy on a value chain that prioritises business efficiency as opposed to technical sophistication.

“Looking at timeframe 2016-2019, the most recent of these vulnerabilities – CVE-2019-0604 – is dated 5 March 2019 which was patched two days later by Microsoft. The others are older. This means that the value of leveraging existing weaponisation of older vulnerabilities is much higher than investing time and skilled resources in building new exploits, unless for very specific (and numerically limited reasons.

“Hence, a good vulnerability prioritisation and remediation strategy is crucially important to greatly mitigate the exposure to older, well-known vulnerabilities,” said Rottigni.

“The second distinctive trait is about technologies and solutions that are commonly used and easily compromised by common malware such as Dridex (a banking credentials stealer in use since 2015), Loki (an Infostealer detected first in 2016), Kitty (a cryptojacker that first appeared in 2018), and others that are easily available on the market or even offered as a service.

“This proves that the focus for attackers is to build their attack more on the compromise strategy than on technical complexity or innovation. Again, a good vulnerability lifecycle management program able to cover from discovery to remediation would be the most effective vaccine to grant cyber resilience towards these attacks,” he said.

2020 trend alert

CISA and the FBI reported that so far in 2020, they have seen an uptick in attacks on unpatched virtual private network (VPN) vulnerabilities – the prevalence of remote working as a primary option across hundreds of thousands of companies during the Covid-19 coronavirus pandemic being an obvious cause of this.

The US agencies highlighted two particularly well-exploited vulnerabilities, an arbitrary code execution vulnerability in Citrix VPN appliances, known as CVE-2019-19781, and an arbitrary file reading vulnerability in Pulse Secure VPN servers, known as CVE-2019-11510, and likely the cause of the January 2020 breach of Travelex.

Tenable’s Narang said: “Vulnerabilities in VPN solutions are another area that has seen an increase in activity going back to 2019, when exploit code for several notable VPNs became publicly available. We anticipate that many of these flaws will continue to be leveraged by bad actors of all kinds, because as they say, if it ain’t broke, don’t fix it.

“This list is a solid reminder of the importance of basic cyber hygiene and systems maintenance. Knowing which vulnerabilities are being actively exploited by bad actors and prioritising their remediation is one of the most effective ways to reduce risk.”

Microsoft Office 365

Since March, CISA has also seen a rapid uptick in the targeting of organisations using Microsoft Office 365 that have ramped up their use of the service in haste during the pandemic, without necessarily making sure it was patched and up to date.

CISA added that other security weaknesses, in particular poor employee education on social engineering attacks, and a lack of forward contingency planning, continued to make organisations susceptible to very basic attacks, such as ransomware, usually delivered via a fraudulent email.

Qualys’ Rottigni said the new normality of working during the pandemic was exposing many attack vectors that were less considered before – in addition to VPN and cloud vulnerabilities – such as remote workers having to use their own unsecured devices.

“The recent diffusion of smart working increased enormously the adoption of SaaS solutions for office productivity, customer service, financial administration, and other processes. This urgency also increased as well the exposure of misconfigured or too permissive rights. All this has been leveraged by attackers to their advantage,” he said.

“A solid vulnerability management, detection, and response workflow that included the ability to validate cloud security posture and compliance with CIS benchmarks – while shortening the Time To Remediate (TTR) would have been a great help for security teams,” said Rottigni. “The mentioned vulnerabilities made their ways in these sad hit parades as the most exploited ones: a clear indicator of the huge room for improvement that organisations still have.”

“They can achieve this with properly orchestrated security programs, leveraging SaaS solutions that have the fastest adoption path, the shortest learning curve and the highest success rate in risk mitigation due to their pervasiveness across the newest and widest digital landscapes.”

The full list of CISA’s top 10 vulnerabilities, and information on how to mitigate their impacts – patching in other words – can be read online.

Read more on Hackers and cybercrime prevention

Data Center
Data Management