May 15, 2020 - CISA, the FBI, and the broader US Government released guidance along with their findings from a study into exploits seen in the wild. At Crimson Vista, we were interested to see that the most exploited technology is still being attacked through an 8-year-old CVE.

CVE stands for Common Vulnerabilities and Exposures, but a CVE entry does not mean the flaw is being exploited in the wild; most CVEs never are. The study provides insight into which CVEs actually are.

2016-2019

The most commonly exploited technology for 2016-2019 was found to be Microsoft’s Object Linking and Embedding (OLE). OLE allows you to dynamically link files or to embed them within one another, for example adding an Excel table to a Word document. The OLE vulnerabilities in the list are mitigated by applying the most up-to-date security patches to the affected Microsoft products. The study found that even in 2019, state actors were still taking advantage of CVE-2012-0158… from 2012! This suggests that enforced patching across large enterprise fleets is still not in place.
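As an added illustration (not part of the original post or of the government guidance it describes), the Python script below lists the objects embedded in an RTF document, the same OLE mechanism described above, and flags embedded ActiveX controls: CVE-2012-0158 is a flaw in an ActiveX control (MSCOMCTL.OCX) reached through exactly this kind of embedded object. The sample document, its class names and the payload bytes are constructed for this example and carry no exploit data; the grouping and triage logic is a simple first-pass check, not a replacement for a full OLE parser.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample RTF (not a real-world sample): one benign embedded Excel
# sheet, as in the Word-plus-Excel example above, and one embedded ActiveX (OCX)
# control with a placeholder class name. The \objdata hex is placeholder bytes.
SAMPLE_RTF = r"""{\rtf1\ansi\deff0
{\fonttbl{\f0 Calibri;}}
\pard Quarterly figures are embedded below.\par
{\object\objemb\objw3000\objh1500
{\*\objclass Excel.Sheet.12}
{\*\objdata d0cf11e0a1b11ae10000000000000000}}
\par
{\object\objocx\objw100\objh100
{\*\objclass Example.ListCtrl.1}
{\*\objdata 01050000020000000c000000}}
\par
}"""

# Object-type control words defined by the RTF specification.
OBJ_TYPES = ("emb", "link", "autlink", "sub", "pub", "icemb", "html", "ocx")
# Header signature of an OLE2 compound file (the container Office uses).
CFB_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")


@dataclass
class EmbeddedObject:
    kind: str         # RTF object type keyword, e.g. "emb" or "ocx"
    class_name: str   # value of \objclass, empty if absent
    data_len: int     # decoded \objdata length in bytes
    has_cfb: bool     # decoded data contains a compound-file header


def _group_end(text: str, start: int) -> int:
    """Return the index one past the '}' closing the RTF group opened at text[start]."""
    depth = 0
    i = start
    while i < len(text):
        ch = text[i]
        if ch == "\\":
            i += 2            # skip an escaped character such as \{ \} or \\
            continue
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                return i + 1
        i += 1
    raise ValueError("unbalanced RTF group")


def find_objects(rtf: str) -> List[EmbeddedObject]:
    """Extract every {\\object ...} group and summarise what it embeds."""
    found = []
    for m in re.finditer(r"\{\\object\b", rtf):
        grp = rtf[m.start():_group_end(rtf, m.start())]
        kind_m = re.search(r"\\obj(" + "|".join(OBJ_TYPES) + r")\b", grp)
        class_m = re.search(r"\{\\\*\\objclass\s+([^}]*)\}", grp)
        data_m = re.search(r"\{\\\*\\objdata\s+([^}]*)\}", grp)
        hexdata = re.sub(r"[^0-9A-Fa-f]", "", data_m.group(1)) if data_m else ""
        if len(hexdata) % 2:      # tolerate a truncated trailing nibble
            hexdata = hexdata[:-1]
        blob = bytes.fromhex(hexdata)
        found.append(EmbeddedObject(
            kind=kind_m.group(1) if kind_m else "unknown",
            class_name=class_m.group(1).strip() if class_m else "",
            data_len=len(blob),
            # In real files an OLE1 header precedes the native data, so the
            # compound-file magic is searched for anywhere, not only at offset 0.
            has_cfb=CFB_MAGIC in blob,
        ))
    return found


def triage(objects: List[EmbeddedObject]) -> List[Tuple[str, str]]:
    """Return (severity, message) pairs for an analyst to review."""
    findings = []
    for o in objects:
        if o.kind == "ocx":
            # An embedded ActiveX control instantiates native code in the host
            # application; a business document rarely needs one.
            findings.append(("high", f"ActiveX control embedded: class={o.class_name!r}, {o.data_len} bytes"))
        elif o.has_cfb:
            findings.append(("info", f"Embedded OLE2 document: class={o.class_name!r}, {o.data_len} bytes"))
        else:
            findings.append(("info", f"Embedded object of type {o.kind!r}: class={o.class_name!r}"))
    return findings


if __name__ == "__main__":
    for severity, msg in triage(find_objects(SAMPLE_RTF)):
        print(f"[{severity}] {msg}")
```

Run as-is, the script reports the Excel sheet as informational and the OCX object as high severity. Pointing it at a real document means reading the file as text (RTF is 7-bit ASCII) and passing that to find_objects.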

2020

The landscape looks significantly different in 2020 than it has in previous years given necessary adjustments due to COVID-19. CISA reports that malicious actors are taking advantage of three main things with the work-from-home trends of 2020:

  • VPN CVEs from 2019, such as those in Citrix (CVE-2019-19781) and Pulse Secure (CVE-2019-11510). These are effective because so many employees now rely on VPN software to reach their company’s network.
  • Cloud software misconfiguration. Wide deployments of cloud-based systems are complicated and need attention to detail to be configured securely, and the sudden necessity of moving to cloud systems may have led to hasty, insecure deployments.
  • Operational weaknesses. Ransomware attacks have succeeded because of a lack of employee awareness training and a lack of system recovery plans.

The moral of the story

  1. Patch, patch, patch! It can take careful planning to implement patch management across a large network, or on devices with uptime requirements. However, this should still be a priority. Old CVEs are routine for malicious actors to exploit, so making sure that all security patches are applied can save you from unnecessary damage.
  2. Cloud-based offerings and Software-as-a-Service can be critical to enabling you to do what your business does best. These solutions still require careful configuration and updates in order to function at their best.
  3. Cybersecurity awareness matters! Social engineering is tricky by design, and educating employees is one of the best lines of defense against malicious strategies.

You can read more about the study here, which also includes the top 10 exploited vulnerabilities list, along with the mitigation for each.

One of the reasons these are ‘common’ vulnerabilities even though many have been known for years is that many businesses, including small-to-medium businesses, lack the expertise or the bandwidth to effectively remediate the underlying problems. If you’d like more information on these vulnerabilities, the associated risks, and concrete strategies to ameliorate these potential problems, don’t hesitate to reach out to us.