US-CERT's Top 10 Exploits in the Wild
We love to think about security in terms of dark geniuses with hoodies, face tats and piercings lurking in scary places illuminated by flat panel displays and flickering fluorescent lights. We enjoy talk of zero day exploits and the fantastic toolkits put together by nation states – Stuxnet redux but bigger and badder. The reality is somewhat more prosaic. In the real world many breaches are carried out using old and well-known exploits against systems that could easily have been patched before they were used to get in. There are also well-known and comprehensively documented steps to harden many enterprise systems, including cloud services, that can greatly improve an organization's security posture.
All this is nothing new, but it was recently reinforced by US-CERT with Alert AA20-133A – Top 10 Routinely Exploited Vulnerabilities. The gist of this alert is that many of the exploits commonly seen in the wild are not only documented but are in some cases several years old, with known mitigations, most of them simply security patches and updates.
To be fair to the beleaguered IT teams out there, patches and updates are not quite as clear cut as you might think – in a vacuum of course you would simply apply patches and updates when they become available but in the real world, as the report points out, you need to consider system availability (many updates will require a reboot or other downtime) and compatibility. Nothing like finding out that a key system is no longer compatible with another key system after you have done an irreversible update.
Recent events have seen widespread shifts to work from home and increases in VPN use. Beyond the additional risk that comes with the pragmatic but common choice of split tunnel VPNs (traffic to cloud services bypasses the corporate security stack entirely), these changes have not gone unnoticed by the bad guys. They have started targeting cloud based work and collaboration services such as Microsoft Office 365, knowing that many instances were set up in haste in response to the WFH surge, and things set up in haste may very well have security issues.
The good news is that organizations can take documented steps to better secure their O365 implementations:
- Enable Multi Factor Authentication (MFA) on admin accounts, and then on all user accounts.
- Apply least privilege to admin accounts, including not using the global admin account for daily tasks.
- Turn on alerts and logging, including the Unified Audit Log, and make sure someone is actually reviewing them.
- Use the Microsoft Secure Score tool and follow its recommendations.
- Disable legacy authentication protocols such as POP3, IMAP and SMTP AUTH where you can: they only support Basic authentication, which cannot enforce MFA, so a stolen password is all an attacker needs.
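The logging and legacy protocol steps above can be checked and enforced from Exchange Online PowerShell. The script below is an added example for this post, not code from the US-CERT alert or from Microsoft. It assumes the ExchangeOnlineManagement module is installed, that the account used holds the Exchange Administrator role, and the policy name "Block Basic Auth" is a placeholder chosen here. MFA itself is configured in Azure AD (Conditional Access or Security Defaults), not through these cmdlets.

```powershell
# Added example (not from the US-CERT alert or the original post). Assumes the
# ExchangeOnlineManagement module is installed and the signed-in account holds
# the Exchange Administrator role. 'Block Basic Auth' is a placeholder name.

# Connect with modern authentication (this prompt itself honours MFA).
Connect-ExchangeOnline

# 1. Make sure the Unified Audit Log is actually ingesting events.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# 2. Inventory: which mailboxes still have legacy protocols switched on?
#    Review this list before step 3; service accounts that genuinely need
#    POP/IMAP should be handled explicitly rather than silently broken.
$legacy = Get-CASMailbox -ResultSize Unlimited |
    Where-Object {
        $_.PopEnabled -or $_.ImapEnabled -or -not $_.SmtpClientAuthenticationDisabled
    }
$legacy |
    Select-Object Identity, PopEnabled, ImapEnabled, SmtpClientAuthenticationDisabled |
    Format-Table -AutoSize

# 3. Turn the protocols off per mailbox, and on the mailbox plans so that
#    newly created mailboxes inherit the setting instead of the old default.
foreach ($mbx in $legacy) {
    Set-CASMailbox -Identity $mbx.Identity `
        -PopEnabled $false -ImapEnabled $false -SmtpClientAuthenticationDisabled $true
}
Get-CASMailboxPlan | ForEach-Object {
    Set-CASMailboxPlan -Identity $_.Identity -PopEnabled $false -ImapEnabled $false
}

# 4. Block Basic authentication tenant-wide. A freshly created authentication
#    policy denies Basic auth for every protocol unless an -AllowBasicAuth*
#    switch is given, so creating it with no switches is the hardened setting.
if (-not (Get-AuthenticationPolicy -Identity 'Block Basic Auth' -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name 'Block Basic Auth' | Out-Null
}
Set-OrganizationConfig -DefaultAuthenticationPolicy 'Block Basic Auth'

# 5. Verify: every AllowBasicAuth* property on the policy should be False.
Get-AuthenticationPolicy -Identity 'Block Basic Auth' |
    Select-Object Name, AllowBasicAuthPop, AllowBasicAuthImap, AllowBasicAuthSmtp,
        AllowBasicAuthActiveSync, AllowBasicAuthPowershell

Disconnect-ExchangeOnline -Confirm:$false
```

Two caveats a practitioner will want: a tenant default authentication policy can take up to 24 hours to apply to existing sessions, so verify with a test login the next day rather than immediately; and the per-mailbox settings in step 3 only stop the protocol from working, they do not stop password-spraying attempts against it, which is why step 4 (refusing Basic auth at all) is the one that actually takes the unlocked front door off the building.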
Additionally, the bad guys are going after VPNs. CVE-2019-19781, a directory traversal in Citrix ADC and Gateway appliances that leads to arbitrary code execution, is being exploited in the wild, and US-CERT has also seen CVE-2019-11510, an unauthenticated arbitrary file read in Pulse Secure VPN servers that exposes session and credential data, used as well.
When we look at a list of the top exploited CVEs from 2016-2020, recommended mitigations show a trend:
- CVE-2019-11510 – impacts certain Pulse Connect Secure servers. Mitigation – update with latest patches
- CVE-2019-19781 – impacts certain Citrix gateways and controllers. Mitigation – update with latest patches
- CVE-2017-11882 – impacts certain MS Office products. Mitigation – update with latest patches
- CVE-2012-0158 – impacts certain MS Office products. Mitigation – update with latest patches
Note the date in the last one: 2012. Yes, of course there are zero day exploits out there, some known to nation states, some to organized crime or individual bad actors. The reality, though, looks less like an elite SWAT team breaching an armored door with a C4 charge and more like a low level street thug walking through an unlocked front door: old, documented exploits of old, documented vulnerabilities, used in cases where patches and updates have long been available.
While we are working on basics like this, one thing to consider: it is hard to keep up with all the patches and updates needed, and one approach that can stack the cards in your favor for once is to hack yourself with a breach and attack simulation product like our Threat Simulator. Imagine running an automated audit and getting back not only a list of issues and gaps but also easy to follow, step by step instructions to help you remediate them. Actionable intelligence, whodathunk?
Thanks for reading.
Stay safe and flatten the curve.