The US government has released new technical guidance highlighting the 10 most commonly exploited vulnerabilities of recent years, in a bid to improve awareness and patching among organizations.
It warned that “foreign cyber-actors” often focus on known, and frequently dated, vulnerabilities because exploiting them requires fewer resources than researching zero-days. Although the top 10 list covers flaws exploited in 2016-19, two of the featured CVEs date back even before this period, to 2012 and 2015.
“The public and private sectors could degrade some foreign cyber threats to US interests through an increased effort to patch their systems and implement programs to keep system patching up to date,” the notice urged.
“A concerted campaign to patch these vulnerabilities would introduce friction into foreign adversaries’ operational tradecraft and force them to develop or acquire exploits that are more costly and less widely effective. A concerted patching campaign would also bolster network security by focusing scarce defensive resources on the observed activities of foreign adversaries.”
Microsoft’s Object Linking and Embedding (OLE) technology was most commonly targeted between 2016 and 2019, featured in the top two most exploited CVEs: CVE-2017-11882 and CVE-2017-0199. Along with OLE-related CVE-2012-0158 they comprise the three bugs most frequently used by state-sponsored attackers from China, Iran, North Korea and Russia.
Chinese attackers were also still using CVE-2012-0158 in December 2019, highlighting that organizations have yet to patch it, despite the vulnerability having been flagged in 2015 as a common target for Beijing-backed hackers.
As for vulnerabilities exploited so far in 2020, the report warned of attacks targeting VPN systems made by Citrix and Pulse Secure, particularly in light of the rapid shift to home working due to COVID-19.
The same vulnerabilities are also thought to have been exploited by cyber-criminals in sophisticated APT-style ransomware attacks, according to Microsoft.
“The DHS report appears to align with what we are seeing in the wild,” said Edgescan CEO Eoin Keary. “Ultimately, attackers don’t care where the vulnerability is, which is why a full-stack vulnerability management approach is advised in such a fast-changing threat landscape.”