As the nation’s risk advisor, CISA is working with other US government agencies and the Federal Bureau of Investigation (FBI) to provide timely information about vulnerabilities and exploits, as seen in Alert (AA20-133A). This Activity Alert provides insight into particular cyberthreats, as well as into the mitigation activities that can be implemented against them.

The list of top 10 most exploited vulnerabilities

Below is a breakdown of the vulnerabilities most routinely exploited in the period 2016-2019 by state, nonstate and unattributed cyber actors. Each is identified by its Common Vulnerabilities and Exposures (CVE) entry, as recorded in the NIST National Vulnerability Database (NVD).

CVE-2017-11882, the Microsoft Office Memory Corruption Vulnerability, is a memory-corruption flaw in the Equation Editor component of MS Office. Because the affected component fails to properly handle objects in memory, an attacker can run arbitrary code in the context of the current user; once the lure document has been opened, no further user interaction is needed. Microsoft warns that “exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Office or Microsoft WordPad software.” Microsoft Security Intelligence documented an active campaign that distributed RTF files carrying the CVE-2017-11882 exploit, in which the malicious code ran as soon as the document was opened, without any further interaction from the user.
Vulnerable products: Microsoft Office 2007 SP3, 2010 SP2, 2013 SP1 and 2016
Associated malware: Loki, FormBook, Pony/FAREIT. Malware initial finding reports and malware analysis reports for these families are linked from Alert (AA20-133A).
Mitigation: Update affected Microsoft products with the latest security patches. The vulnerability was fixed in 2017 with a security update that corrects how the affected Office component handles objects in memory, but to this day Microsoft Security Intelligence still observes the exploit in attacks. Equation Editor is a legacy component that Microsoft has since removed from Office entirely, so a fully updated installation no longer contains it; unpatched installations remain exposed to every lure built around this bug.
CVSS Severity: V3.0: 7.8 HIGH / V2.0: 9.3 HIGH
CISA lists this exploit among those most frequently used by state-sponsored cyber actors from China, Iran, North Korea and Russia.
More details: https://nvd.nist.gov/vuln/detail/CVE-2017-11882
IOCs: indicators of compromise and additional guidance for the CVEs in this alert are provided in the analysis reports linked from Alert (AA20-133A).

CVE-2017-0199, the Microsoft Office/WordPad Remote Code Execution Vulnerability, allows remote attackers to execute arbitrary code via a crafted document. The lure documents carry an OLE link object that Word refreshes when the file is opened, pulling an HTML Application (HTA) from an attacker-controlled server and executing it. According to Microsoft, an attacker who successfully exploits the vulnerability could take control of an affected system, install programs, view, change or delete data, and create new accounts with full user rights. Gábor Szappanos, Principal Malware Researcher at SophosLabs, outlined the sequence of events around the bug’s disclosure and noted that the exploit was picked up by criminal groups within days, rather than the months such adoption usually takes.
Vulnerable products: Microsoft Office 2007 SP3, 2010 SP2, 2013 SP1 and 2016; Windows Vista SP2, Windows Server 2008 SP2, Windows 7 SP1 and Windows 8.1 (the Windows entries cover WordPad)
Associated malware: FINSPY, LATENTBOT, Dridex
Mitigation: Update affected Microsoft products with the latest security patches.
CVSS Severity: V3.0: 7.8 HIGH / V2.0: 9.3 HIGH
CISA also lists this exploit among those most frequently used by state-sponsored cyber actors from China, Iran, North Korea and Russia.
More details: https://nvd.nist.gov/vuln/detail/CVE-2017-0199
IOCs: https://www.us-cert.gov/ncas/analysis-reports/ar20-133g, https://www.us-cert.gov/ncas/analysis-reports/ar20-133h, https://www.us-cert.gov/ncas/analysis-reports/ar20-133p
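Both CVE-2017-11882 and CVE-2017-0199 reach victims as RTF lures, so a cheap first triage step is to look for the two object types those lures depend on. The following Python is an added example, not code from the page, CISA or Microsoft: it decodes the hex of each \objdata group and flags an embedded Microsoft Equation 3.0 object (the component CVE-2017-11882 targets) and an OLE link marked for automatic update on open (the trigger CVE-2017-0199 lures use). The sample documents are constructed for the demonstration and are not malware; the Equation Editor CLSID and OLE1 header layout are as documented by Microsoft.

```python
"""Triage heuristics for RTF lures of the kind used with CVE-2017-11882 and
CVE-2017-0199. Added example, not code from the page, CISA or Microsoft.

Two indicators are checked:
  * an embedded OLE object of class Microsoft Equation 3.0 (\\objclass
    Equation.3, the "Equation.3" class name inside the OLE1 header, or the
    Equation Editor CLSID), the component targeted by CVE-2017-11882;
  * an OLE link object carrying \\objautlink / \\objupdate, which makes Word
    refresh the linked object as soon as the document opens, the trigger
    CVE-2017-0199 lures rely on.
Either hit is a triage signal, not proof of exploitation.
"""
import binascii
import re

# CLSID {0002CE02-0000-0000-C000-000000000046} (Microsoft Equation 3.0) as it
# is laid out on disk: Data1..Data3 little-endian, Data4 as-is.
EQUATION_CLSID = bytes.fromhex("02ce020000000000c000000000000046")

OBJCLASS_RE = re.compile(rb"\\objclass\s*(Equation\.\d)", re.I)
AUTOLINK_RE = re.compile(rb"\\objautlink|\\objupdate", re.I)
OBJDATA_RE = re.compile(rb"\\objdata\b([^{}]*)", re.I)
NON_HEX_RE = re.compile(rb"[^0-9a-fA-F]")


def decode_objdata(blob: bytes) -> bytes:
    """Decode the hex text of an \\objdata group, ignoring whitespace/newlines."""
    hexdigits = NON_HEX_RE.sub(b"", blob)
    if len(hexdigits) % 2:          # tolerate a truncated trailing nibble
        hexdigits = hexdigits[:-1]
    try:
        return binascii.unhexlify(hexdigits)
    except binascii.Error:
        return b""


def triage_rtf(data: bytes) -> dict:
    """Return the indicators found in one RTF document (as bytes)."""
    findings = {"equation_object": False, "auto_update_link": False, "objclass": []}
    # Word accepts a truncated "{\rt" header, so do not insist on "{\rtf1".
    if not data.lstrip().startswith(b"{\\rt"):
        findings["not_rtf"] = True
        return findings
    for m in OBJCLASS_RE.finditer(data):
        findings["objclass"].append(m.group(1).decode("ascii"))
        findings["equation_object"] = True
    if AUTOLINK_RE.search(data):
        findings["auto_update_link"] = True
    for m in OBJDATA_RE.finditer(data):
        raw = decode_objdata(m.group(1))
        if b"Equation.3" in raw or b"Equation.2" in raw or EQUATION_CLSID in raw:
            findings["equation_object"] = True
    return findings


# --- constructed samples (not real malware) --------------------------------
BENIGN = b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Calibri;}} Quarterly report.\\par}"

# OLE1 header: version 0x501, format 2 (embedded), class-name length 11, "Equation.3\0"
_OLE1 = b"\x01\x05\x00\x00\x02\x00\x00\x00\x0b\x00\x00\x00Equation.3\x00"
EQUATION_LURE = (
    b"{\\rtf1{\\object\\objemb{\\*\\objclass Equation.3}{\\*\\objdata "
    + binascii.hexlify(_OLE1) + b"}}}"
)
# Link object flagged for automatic update on open; no class name at all
LINK_LURE = b"{\\rtf1{\\object\\objautlink\\objupdate{\\*\\objdata 0105000002000000}}}"

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN), ("equation", EQUATION_LURE), ("link", LINK_LURE)):
        print(name, triage_rtf(doc))
```

Real lures go to some lengths to defeat exactly this kind of check (objects embedded with \bin instead of hex, control-word padding, nested groups), so treat the script as a fast filter ahead of a full RTF/OLE parser rather than as a detection of record. The objclass match and the decoded-hex match are deliberately independent: builders often drop the \objclass group and leave only the class name inside the OLE1 header.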

CVE-2017-5638, the Apache Struts exploit, stems, as NIST states, from “incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.” The malformed header value ends up in an error message that the Jakarta Multipart parser evaluates as an OGNL expression, so a single unauthenticated HTTP request (any method) to any Struts action is enough; no upload and no login are required.
Vulnerable products: Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1
Associated malware: JexBoss (JBoss Verify and EXploitation Tool)
Mitigation: Upgrade to Struts 2.3.32 or Struts 2.5.10.1 (or later). Where an upgrade cannot happen immediately, the project’s S2-045 advisory describes a servlet filter that rejects requests whose Content-Type is not a plain multipart/form-data value, which removes the trigger but is no substitute for the upgrade.
CVSS Severity: V3.0: 10.0 CRITICAL / V2.0: 10.0 HIGH
More details: https://nvd.nist.gov/vuln/detail/CVE-2017-5638
IOCs: https://www.us-cert.gov/ncas/analysis-reports/AR18-312A
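Because the Struts bug is triggered entirely from request headers, exploitation attempts are easy to spot in proxy or WAF logs. The following Python is an added example, not code from the page or from the Apache Struts project: it scans the header block of a raw HTTP request for OGNL expressions and the payload markers named above. The two sample requests are constructed for the demonstration; the attacking one only imitates the shape of the March 2017 probes and is not a working payload.

```python
"""Detection of CVE-2017-5638 exploitation attempts in HTTP request headers.
Added example, not code from the page or from the Apache Struts project.

Struts' Jakarta Multipart parser built an error message from a malformed
Content-Type header and evaluated that message as OGNL, so the indicator is an
OGNL expression ("%{...}" or "${...}") in Content-Type, Content-Disposition or
Content-Length. The "#cmd=" marker reported in March 2017 and the
"#_memberAccess" sandbox-bypass reference those payloads used are flagged too.
"""
import re

WATCHED_HEADERS = ("content-type", "content-disposition", "content-length")

OGNL_RE = re.compile(r"[%$]\{.*?\}", re.S)
MARKER_RE = re.compile(r"#cmd=|#_memberAccess|@ognl\.OgnlContext@|ProcessBuilder", re.I)
MAX_SANE_CONTENT_TYPE = 256   # genuine multipart/form-data values are far shorter


def header_indicators(name: str, value: str) -> list:
    """Reasons one header looks like a Struts OGNL injection; [] if benign."""
    reasons = []
    if name.lower() not in WATCHED_HEADERS:
        return reasons
    if OGNL_RE.search(value):
        reasons.append("ognl-expression")
    if MARKER_RE.search(value):
        reasons.append("known-payload-marker")
    if name.lower() == "content-type" and len(value) > MAX_SANE_CONTENT_TYPE:
        reasons.append("oversized-content-type")
    return reasons


def scan_request(raw: bytes) -> dict:
    """Scan the header block of one raw HTTP request; return {header: reasons}."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    flagged = {}
    for line in head.split("\r\n")[1:]:       # skip the request line
        if ":" not in line:
            continue
        name, value = (part.strip() for part in line.split(":", 1))
        hits = header_indicators(name, value)
        if hits:
            flagged[name] = hits
    return flagged


# --- constructed samples ----------------------------------------------------
BENIGN_REQ = (
    b"POST /upload.action HTTP/1.1\r\nHost: app.example\r\n"
    b"Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk\r\n"
    b"Content-Length: 1337\r\n\r\n"
)
# Shape of the March 2017 probes; deliberately not a working payload
ATTACK_REQ = (
    b"GET /index.action HTTP/1.1\r\nHost: app.example\r\n"
    b"Content-Type: %{(#_='multipart/form-data').(#cmd='id')}\r\n"
    b"Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    print("benign:", scan_request(BENIGN_REQ))
    print("attack:", scan_request(ATTACK_REQ))
```

Run it over captured requests at the reverse proxy or against exported access logs that retain the Content-Type header; many log formats drop that header, which is worth fixing before the next Struts advisory. A hit on a server still running 2.3.x below 2.3.32 or 2.5.x below 2.5.10.1 should be treated as a probable compromise, not just an attempt.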

CVE-2012-0158, the “MSCOMCTL.OCX RCE Vulnerability,” allows remote attackers to execute arbitrary code via a crafted web site, Office document or .rtf file that triggers “system state” corruption in the MSCOMCTL ActiveX control. Although this is a very old vulnerability, patched in 2012, the exploit continues to be used in real-world attacks, as Kaspersky Lab reports, which explains its place on the list of top 10 most exploited vulnerabilities.
Vulnerable products: Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2003 Web Components SP3; SQL Server 2000 SP4, 2005 SP4, and 2008 SP2, SP3, and R2; BizTalk Server 2002 SP1; Commerce Server 2002 SP4, 2007 SP2, and 2009 Gold and R2; Visual FoxPro 8.0 SP1 and 9.0 SP2; and Visual Basic 6.0
Associated malware: Dridex
Mitigation: Update affected Microsoft products with the latest security patches. Windows Defender, for example, detects and removes documents carrying this exploit.
Vulnerability type: code execution. Successful exploitation compromises confidentiality, integrity and availability completely: the attacker gains full information disclosure, can modify files and can render the system unavailable.
CVSS Severity: V3.0: N/A / V2.0: 9.3 HIGH
This exploit too is listed by CISA among those most frequently used by state-sponsored cyber actors from China, Iran, North Korea and Russia.
More details: https://www.us-cert.gov/ncas/alerts/aa19-339a, https://nvd.nist.gov/vuln/detail/CVE-2012-0158
IOCs: https://www.us-cert.gov/ncas/analysis-reports/ar20-133i, https://www.us-cert.gov/ncas/analysis-reports/ar20-133j, https://www.us-cert.gov/ncas/analysis-reports/ar20-133k, https://www.us-cert.gov/ncas/analysis-reports/ar20-133l, https://www.us-cert.gov/ncas/analysis-reports/ar20-133n, https://www.us-cert.gov/ncas/analysis-reports/ar20-133o

CVE-2019-0604, the Microsoft SharePoint Remote Code Execution Vulnerability, exists when the software fails to check the source markup of an application package. According to Microsoft, exploitation requires a specially crafted SharePoint application package to be uploaded to an affected SharePoint server; a successful attacker can then run arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account.
Vulnerable products: Microsoft SharePoint Server 2019, SharePoint Enterprise Server 2016, SharePoint Server 2013 Service Pack 1, SharePoint Foundation 2013 Service Pack 1, SharePoint Server 2010 Service Pack 2 and SharePoint Foundation 2010 Service Pack 2
Associated malware: China Chopper
Mitigation: Apply the latest SharePoint security updates; Microsoft first patched this vulnerability in February 2019. China Chopper is a web shell, so internet-facing SharePoint servers should also be checked for unexpected .aspx files under the web root, since a shell dropped before patching survives the update.
CVSS Severity: V3.0: 9.8 CRITICAL / V2.0: 7.5 HIGH
More details: https://nvd.nist.gov/vuln/detail/CVE-2019-0604

CVE-2017-0143, the Windows SMB Remote Code Execution Vulnerability, allows remote attackers to execute arbitrary code by sending crafted packets to a target SMBv1 server. It is one of the vulnerabilities fixed by the MS17-010 update and is what the EternalBlue and EternalSynergy exploits target.
Vulnerable products: Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; Windows 10 Gold, 1511 and 1607; and Windows Server 2016
Associated malware: Multiple families using the EternalSynergy and EternalBlue exploit kit
Mitigation: Update affected Microsoft products with the latest security patches. Because the flaw is reachable without authentication, also disable SMBv1 wherever it is not required and block TCP port 445 at the network perimeter.
CVSS Severity: V3.0: 8.1 HIGH / V2.0: 9.3 HIGH
More details: https://nvd.nist.gov/vuln/detail/CVE-2017-0143

CVE-2018-4878, the Adobe Flash Player exploit that surfaced in January and February 2018, is a use-after-free (CWE-416) caused by a dangling pointer in the Primetime SDK’s handling of media player listener objects. A successful attack can lead to arbitrary code execution.
Vulnerable products: Adobe Flash Player before 28.0.0.161
Associated malware: DOGCALL
Mitigation: Update the Adobe Flash Player installation to the latest version. Adobe addressed this vulnerability in version 28.0.0.161, released on February 6, 2018, after CVE-2018-4878 had already been used in limited, targeted attacks against Windows users. Adobe scheduled Flash Player’s end of life for the end of 2020, so removing it rather than updating it is the durable fix.
CVSS Severity: V3.0: 9.8 CRITICAL / V2.0: 7.5 HIGH
More details: https://nvd.nist.gov/vuln/detail/CVE-2018-4878
IOCs: https://www.us-cert.gov/ncas/analysis-reports/ar20-133d

CVE-2017-8759, the .NET Framework Remote Code Execution Vulnerability, is a serious flaw in the way .NET parses untrusted input (SOAP WSDL definitions) that allows an attacker to execute code remotely via a malicious document or application and take control of the system. In-the-wild exploitation was first observed through malicious Microsoft Office RTF documents aimed at Russian-speaking targets, but other document types could be used.
Vulnerable products: Microsoft .NET Framework 2.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 and 4.7
Associated malware: FINSPY, FinFisher, WingBird
Mitigation: Update affected Microsoft products with the latest security patches. The security update addressed the vulnerability by correcting how .NET validates untrusted input.
CVSS Severity: V3.0: 7.8 HIGH / V2.0: 9.3 HIGH
More details: https://nvd.nist.gov/vuln/detail/CVE-2017-8759
IOCs: https://www.us-cert.gov/ncas/analysis-reports/ar20-133f

CVE-2015-1641, another Microsoft Office Memory Corruption Vulnerability, allows remote attackers to execute arbitrary code via a crafted RTF document. It is the single exploit used by the AK-2 variant of the AKBuilder document-builder kit, which is why it appears in so many of the malicious documents that kit produces.
Vulnerable products: Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word 2013 SP1, Word 2013 RT SP1, Word for Mac 2011, Office Compatibility Pack SP3, Word Automation Services on SharePoint Server 2010 SP2 and 2013 SP1, and Office Web Apps Server 2010 SP2 and 2013 SP1
Associated malware: Toshliph, UWarrior
Mitigation: Update affected Microsoft products with the latest security patches
CVSS Severity: V3.0: N/A / V2.0: 9.3 HIGH
More details: https://nvd.nist.gov/vuln/detail/CVE-2015-1641
IOCs: https://www.us-cert.gov/ncas/analysis-reports/ar20-133m

How can CVEs help me?

The Common Vulnerabilities and Exposures (CVE) list is invaluable because it offers a standardized way to identify publicly known vulnerabilities and to share or look up information about them across compatible databases and security tools. Each entry contains an identification number, a description of the vulnerability and references. CVE is not simply another vulnerability list; it is the common key under which interested parties can find everything linked to a given vulnerability, and a valuable instrument for comparing different services or security tools. The Common Vulnerability Scoring System (CVSS), an open industry standard for assessing the severity of security vulnerabilities, gives professionals a way to prioritize their actions by identifying the potentially most dangerous issues and carrying out risk management. A CVSS base score measures severity, not exploitation: several entries on this list, CVE-2012-0158 among them, have no V3 score at all yet remain heavily exploited, which is exactly why CISA ranks by observed exploitation rather than by score.

Conclusion

CVE entries are a publicly available reference that lists known cybersecurity vulnerabilities and lets professionals check their systems against the corresponding mitigations. The United States Computer Emergency Readiness Team (US-CERT) has recently published, in Alert (AA20-133A), the security vulnerabilities affecting a variety of platforms that were most routinely exploited from 2016-2019, to help organizations reduce the risk of foreign threats to their systems. Even so, the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (DHS CISA) and the FBI note that threat actors continue to target remote workers through unpatched VPN vulnerabilities and hastily deployed cloud collaboration services. The alert therefore also lists a few vulnerabilities specific to 2020, in the effort to provide timely mitigation information: CVE-2019-19781, for example, affects the Citrix Application Delivery Controller and Gateway, appliances commonly used to give remote workers access to internal resources.

Sources

Alert (AA20-133A), US-CERT
Search Vulnerability Database, NIST | NVD
Vulnerability Metrics, NIST | NVD
Search CVE List, MITRE Corporation
CVE and NVD Relationship, MITRE Corporation
Current CVSS Score Distribution For All Vulnerabilities, cvedetails.com
Understanding Vulnerability Scoring: CVSS Explained, Security Boulevard
Top 10 Routinely Exploited Vulnerabilities, US-CERT
CISA, FBI Breakdown Most Exploited Vulnerabilities, Digital Guardian
CISA Releases Top 10 Most Routinely Exploited Vulnerabilities, Nextgov
CISA And FBI Alert: Top Vulnerabilities Exploited From 2016-2019 And Trends From 2020, Digital Shadows Ltd.
DHS CISA and FBI share list of top 10 most exploited vulnerabilities, ZDNet
Top 10 most exploited vulnerabilities list released by FBI, DHS CISA, Naked Security | Sophos Ltd.