Parsing an Important Recent National Cyber Awareness System Alert — Security Today
The Top 10 Most Exploited Vulnerabilities: Parsing an Important Recent National Cyber Awareness System Alert
The National Cyber Awareness System (NCAS) issued its Alert numbered AA20-133A last month, which identified the 10 most exploited vulnerabilities from 2016 to 2019. The research, which came out of work done by the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the broader US government, is surprising, due mostly to its utter lack of surprise. Old vulnerabilities persevere and continue to be exploited at a high rate; windows systems remain a big target for attackers; and malicious actors adapt rapidly to take advantage of changes such as the recent shift to work from home. What can InfoSec organizations learn from these observations?
First, the facts
According to NCAS, a combination of state, nonstate and unattributed cyber actors exploited the following vulnerabilities the most between 2016 and 2019: CVE-2017-11882, CVE-2017-0199, CVE-2017-5638, CVE-2012-0158, CVE-2019-0604, CVE-2017-0143, CVE-2018-4878, CVE-2017-8759, CVE-2015-1641 and CVE-2018-7600. Highlights of the alert include:
Malicious actors exploited vulnerabilities in Microsoft’s Object Linking and Embedding (OLE) technology most frequently.
CVE-2017-11882, CVE-2017-0199 and CVE-2012-0158 were the most-often-used vulnerabilities by China, Iran, North Korea and Russia. These vulnerabilities are all related to Microsoft’s OLE technology.
Chinese hackers exploited CVE-2012-0158 many times. This is the same vulnerability the US Government publicly assessed in 2015 as the most used in their cyber operations.
Two older vulnerabilities, CVE-2012-0158 and CVE-2015-1641, were included in the list.
Why do old vulnerabilities continue to be exploited?
Why is it that old vulnerabilities, with known exploits and fixes, continue to be successfully exploited at a high rate? To get an answer, it’s worth looking beyond the headlines of last month’s NCAS alert. While the notice is ostensibly about the top 10 vulnerabilities, it highlights some systemic problems with the current state of vulnerability management.
Gloss