The Most Exploited Vulnerabilities by State Sponsored Actors, and the Easy Fix

This week saw the release of the FBI and Department of Homeland Security (DHS) report on the top vulnerabilities for 2016 to 2019.

It is intended to give administrators and security practitioners information supporting an “increased priority on patching the most commonly known vulnerabilities exploited by sophisticated foreign cyber actors.”

The report claimed that “foreign cyber actors continue to exploit publicly known—and often dated—software vulnerabilities against broad target sets, including public and private sector organizations,” and that exploiting these vulnerabilities often requires fewer resources than developing new ones.

As with all vulnerability advice, the recommendation is to make an increased effort to patch systems, and implement programs to keep system patching up to date. “A concerted campaign to patch these vulnerabilities would introduce friction into foreign adversaries’ operational tradecraft and force them to develop or acquire exploits that are more costly and less widely effective,” the report said.

“A concerted patching campaign would also bolster network security by focusing scarce defensive resources on the observed activities of foreign adversaries.” The top ten were as follows:

  • CVE-2017-11882 – Microsoft Office Memory Corruption Vulnerability: a remote code execution vulnerability exists in Microsoft Office software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user.
  • CVE-2017-0199 – A remote code execution vulnerability in the way Microsoft Office and WordPad parse specially crafted files. This would allow an attacker to take control of an affected system.
  • CVE-2017-5638 – A vulnerability in Apache Struts that allows remote command injection attacks through incorrect parsing of an attacker’s invalid Content-Type HTTP header. The Struts vulnerability allows these commands to be executed under the privileges of the web server.
  • CVE-2012-0158 – This vulnerability could allow remote code execution if a user were to visit a website containing specially crafted content designed to exploit the vulnerability.
  • CVE-2019-0604 – A remote code execution vulnerability exists in Microsoft SharePoint. When successfully exploited, it would allow an attacker to run arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account.
  • CVE-2017-0143 – A remote code execution vulnerability in the way the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.
  • CVE-2018-4878 – A vulnerability caused by a dangling pointer in the Primetime SDK, related to the media player’s handling of listener objects. A successful attack could lead to arbitrary code execution.
  • CVE-2017-8759 – A remote code execution vulnerability in the Microsoft .NET Framework that could allow an attacker who successfully exploited it to install programs; view, change, or delete data; or create new accounts with full user rights.
  • CVE-2015-1641 – A remote code execution vulnerability exists in Microsoft Office software, caused when the Office software improperly handles objects in memory while parsing specially crafted Office files. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user.
  • CVE-2018-7600 – A remote command execution vulnerability affecting a Drupal CMS installed on the remote host. A remote, unauthenticated attacker can leverage this issue to execute arbitrary commands on the remote host.

Of this top ten, the most commonly exploited by state-sponsored cyber actors from China, Iran, North Korea, and Russia were CVE-2017-11882, CVE-2017-0199, and CVE-2012-0158, and all relate to Microsoft’s OLE technology.

The FBI and DHS also said that CVE-2012-0158 was still being frequently exploited four years after the US Government determined it to be the vulnerability most used in Chinese state actors’ own cyber operations. “This trend suggests that organizations have not yet widely implemented patches for this vulnerability and that Chinese state cyber actors may continue to incorporate dated flaws into their operational tradecraft as long as they remain effective,” the report claimed.

Speaking to Infosecurity, Marco Rottigni, chief technical security officer EMEA at Qualys, said there were two distinctive traits in the report. The first confirms that these actors have a strategy grounded in a value chain, leveraging business efficiency as a value instead of technical sophistication.

He said: “Looking at the timeframe 2016-2019, the most recent of these vulnerabilities, CVE-2019-0604, is dated March 5th 2019 and was patched two days later by Microsoft. This means that the value of leveraging existing weaponization of older vulnerabilities is much higher than investing time and skilled resources in building new exploits, except for very specific (and numerically limited) reasons.”

The second distinctive trait concerns technologies and solutions that are commonly used and easily compromised by common malware such as Dridex (a banking credentials stealer in use since 2015), Loki (an infostealer first detected in 2016), Kitty (a cryptojacker that first appeared in 2018), and others that are easily available on the market or even offered as a service.

“This proves that the focus for attackers is to build their attack more on the compromise strategy than on technical complexity or innovation,” he said.

Essentially, if you don’t patch vulnerabilities for which updates are available, you leave yourself exposed to this type of attack.

We know the solution is to patch more readily. Rottigni recommended having a properly orchestrated security program that leverages SaaS solutions, which have the fastest adoption path, the shortest learning curve and the highest success rate in risk mitigation because of their pervasiveness across the newest and widest digital landscapes.

In terms of the older, well-known vulnerabilities, he recommended a “good vulnerability prioritization and remediation strategy” to greatly mitigate the exposure; this strategy should be grounded in excellent visibility, with coverage of the entire IT landscape.

“It also needs to grant a continuous detection capability with high level of accuracy, to avoid being overwhelmed by false positives that lower the prioritization process efficiency.”
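The prioritization Rottigni describes, as an added example that is not from the article, the report or Qualys: a small Python routine that puts scanner findings in patch order, boosting CVEs the report lists as exploited and the years a fix has been available, so a CVSS 9.3 flaw from 2012 outranks a brand-new CVSS 9.8 one. The weights, the Finding records, the placeholder CVE and all dates are constructed assumptions; the ten CVE identifiers are the ones listed above.

```python
# Added example, not from the article or the FBI/DHS report. Scoring weights,
# Finding records and dates are constructed sample values; the CVE identifiers
# are the ten the article lists.
from dataclasses import dataclass
from datetime import date

# The ten CVEs named in the FBI/DHS report, as listed in the article.
REPORT_TOP_TEN = {
    "CVE-2017-11882", "CVE-2017-0199", "CVE-2017-5638", "CVE-2012-0158",
    "CVE-2019-0604", "CVE-2017-0143", "CVE-2018-4878", "CVE-2017-8759",
    "CVE-2015-1641", "CVE-2018-7600",
}
# The three the article singles out as most used by state-sponsored actors.
MOST_USED = {"CVE-2017-11882", "CVE-2017-0199", "CVE-2012-0158"}
AS_OF = date(2020, 5, 15)  # constructed "today" for the age calculation


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str
    cvss: float        # base score as the scanner reported it
    published: date    # disclosure date as the scanner reported it
    internet_facing: bool


def priority(f: Finding, today: date = AS_OF) -> float:
    """Higher means patch sooner. CVSS is the baseline; evidence of real-world
    exploitation and years of patch availability are added on top."""
    score = f.cvss
    if f.cve in REPORT_TOP_TEN:
        score += 3.0  # known exploited outweighs theoretical severity
    if f.cve in MOST_USED:
        score += 1.0
    years_open = (today - f.published).days / 365.25
    score += 0.5 * min(years_open, 5.0)  # capped so age alone cannot dominate
    if f.internet_facing:
        score += 1.0
    return round(score, 2)


# Constructed findings; the placeholder CVE stands for a recent high-CVSS flaw
# with no reported exploitation.
SAMPLE = [
    Finding("fileserver01", "CVE-2012-0158", 9.3, date(2012, 4, 10), False),
    Finding("web01", "CVE-0000-PLACEHOLDER", 9.8, date(2020, 1, 14), True),
    Finding("web02", "CVE-2017-5638", 10.0, date(2017, 3, 10), True),
]


def ranked_hosts(findings=SAMPLE, today: date = AS_OF) -> list:
    order = sorted(findings, key=lambda x: priority(x, today), reverse=True)
    return [f.host for f in order]  # patch order, most urgent first
```

With the sample data the eight-year-old OLE flaw on fileserver01 ranks first, ahead of the internet-facing host carrying the newer, higher-CVSS finding.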

Will we look back in 2022 and see these same vulnerabilities still being exposed? Unless practices improve to remediate and remove them, I suspect so.
