Security firm Verint analyzed the top 20 vulnerabilities to patch now that are under active attack and exploited by cyber attack groups worldwide. The report is aimed at assisting security teams in prioritizing and enhancing their organization’s patch management efforts.
Organizations face a daunting task trying to patch thousands of existing vulnerabilities in the wild.
This is especially true given most organizations have limited staff to deal with up to hundreds of new vulnerabilities released each month.
Given this challenge, the latest report published by Verint’s Cyber Threat Intelligence (CTI) Group can add good threat intelligence and value to your organization’s patch remediation program.
According to National Vulnerability Database (NVD), nearly 45 new vulnerabilities get discovered on average every day.
Since 2016, NVD has seen an increase of 130% in the total number of disclosed vulnerabilities. Furthermore, 60% of the vulnerabilities are rated Critical or High severity and 45% impact Microsoft products.
Even while we try to keep up with the new ones, older vulnerabilities (going back to 2012) are still used to carry out successful cyber attacks.
In addition, Verint cautions organizations not to look only at the CVSS score. They should also take into account whether vulnerabilities are under active exploitation by hackers.
As one example, a High-severity WinRAR vulnerability (CVE-2018-20250) has been actively exploited by five different APT groups. Moreover, the attacks were launched against multiple targets across a wide range of industries.
“This information clearly indicates the criticality of the vulnerability and the urgency for immediate patching,” Verint warned in the blog post.
Top 20 vulnerabilities to patch now
Verint has analyzed over 5,300 cyber intelligence feeds, 800 CVEs and other data over the past two and a half years to compile the list of top 20 most exploited vulnerabilities.
According to Verint, here are the top 20 patches (sorted by the highest number of attacks from top to bottom).
1) CVE-2017-11882: Microsoft Office memory corruption
Patched in November 2017, this Microsoft Office memory corruption vulnerability CVE-2017-11882 could let an attacker run arbitrary code. Security researchers observed a malware campaign exploiting it as recently as June 2019.
2) CVE-2018-8174: Microsoft Windows remote code execution
Patched in May 2018, this Microsoft Windows VBScript Engine vulnerability CVE-2018-8174 could result in remote code execution. Most noteworthy, the BabyShark malware campaign used exploit code targeting this vulnerability as recently as April 2019.
3) CVE-2017-0199: Microsoft Windows, Office remote code execution
Microsoft patched this Microsoft Office/WordPad vulnerability CVE-2017-0199 in April of 2017. Microsoft warned this vulnerability could also result in remote code execution.
Bad actors exploited this vulnerability as part of an attack delivered through LinkedIn’s messenger service in August 2017.
4) CVE-2018-4878: Adobe Flash Player; Red Hat Enterprise Linux
Adobe and Red Hat patched the Flash Player vulnerability CVE-2018-4878, which also affected Red Hat Enterprise Linux, in February 2018. South Korea’s Computer Emergency Response Team also found malicious code hidden in Microsoft documents that exploited this Flash bug as part of a North Korean threat actor campaign.
5) CVE-2017-10271: Oracle WebLogic Server
Oracle patched this WebLogic Server vulnerability CVE-2017-10271 in October 2017. Attackers also exploited this Oracle vulnerability to deliver dual Monero miners in February 2018.
6) CVE-2019-0708: Microsoft Windows “BlueKeep”
Microsoft patched a Windows “BlueKeep” CVE-2019-0708 RDP vulnerability in May 2019. In early November 2019, Microsoft warned of more BlueKeep attacks to come.
7) CVE-2017-5638: Apache Struts
Apache patched the Struts vulnerability CVE-2017-5638 in March 2017. This vulnerability was linked to the infamous Equifax data breach.
8) CVE-2017-5715: ARM, Intel (“Spectre and Meltdown”)
The ARM and Intel vulnerability CVE-2017-5715 is one of the microprocessor side-channel vulnerabilities known as “Spectre and Meltdown”; mitigation guidance was released in April 2018.
9) CVE-2017-8759: Microsoft .NET Framework
Microsoft patched this .NET Framework vulnerability CVE-2017-8759 in September 2017. In January 2018, attackers exploited this Microsoft Office vulnerability to spread Zyklon HTTP malware.
10) CVE-2018-20250: RARLAB WinRAR
In April 2019, Microsoft researchers revealed details on this RARLAB WinRAR issue CVE-2018-20250, describing how cyber attackers were able to exploit the 19-year-old WinRAR vulnerability “using a complex attack chain and multiple code execution techniques.”
11) CVE-2018-7600: Debian, Drupal
This Debian and Drupal vulnerability CVE-2018-7600, dubbed Drupalgeddon 2.0, was fixed. In May 2018, a cryptomining campaign exploited it.
12) CVE-2018-10561: DASAN Networks
It was reported in May 2018 that DASAN Networks had released an “unofficial” patch for the zero-day CVE-2018-10561. In a May 2019 report, a new Mirai variant was spotted exploiting this vulnerability (and 12 others) on vulnerable IoT devices.
13) CVE-2017-17215: Huawei
Huawei patched this bug CVE-2017-17215 in late 2017. In July 2018, it was reported that a hacker had built an IoT botnet of 18,000 Huawei-based devices in just one day.
14) CVE-2012-0158: Microsoft Common Controls
Microsoft patched this Common Controls vulnerability CVE-2012-0158 back in April 2012. Yes, you read that right: this nearly 8-year-old vulnerability is still under active attack.
15) CVE-2014-8361: D-Link, Realtek
D-Link and Realtek patched this vulnerability CVE-2014-8361 back in May 2015. As reported by researchers in May 2019, this bug was also one of the 13 unique IoT vulnerabilities exploited by Mirai.
16) CVE-2017-8570: Microsoft Office
Microsoft patched this Office vulnerability CVE-2017-8570 in July 2017. Just this August, researchers from Trend Micro discovered attackers exploiting this RCE vulnerability to download high-profile malware such as Loki and Nanocore.
17) CVE-2018-0802: Microsoft Office
At the time of the January 2018 patch, Microsoft warned of exploits in the wild on this Microsoft Office RCE vulnerability CVE-2018-0802.
18) CVE-2017-0143: Microsoft SMB
As part of its March 2017 patch updates, Microsoft said exploits of this SMB vulnerability CVE-2017-0143 were likely.
19) CVE-2018-12130: Fedora
As part of May 2019 patch updates, Microsoft patched this Microarchitectural Data Sampling (MDS) vulnerability CVE-2018-12130 and three others.
20) CVE-2019-2725: Oracle WebLogic Server
Patched in April 2019, this Oracle WebLogic Server vulnerability CVE-2019-2725 could result in remote code execution (RCE); the Center for Internet Security (CIS) issued an urgent advisory about active exploits of it.
In July 2019, Kaspersky researchers said they had discovered bad actors exploiting this WebLogic vulnerability as part of a Sodin ransomware campaign.
It is important to note that only 2 of the 20 most exploited vulnerabilities were patched in 2019. The majority have had patches available for several years, including one from 2014 and another as far back as 2012.
Organizations should run targeted vulnerability scans to help detect these 20 vulnerabilities and help IT teams and system owners prioritize patches. Special priority should be placed on externally-facing systems, web servers and end-user devices that are prime targets for attackers.
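The two prioritization rules the article makes, that evidence of active exploitation outranks the raw CVSS score and that externally-facing systems and end-user devices come first, can be applied mechanically to scanner output. The following script is an added example written for this page; it is not Verint's tooling or part of the report. It treats the report's 20 CVE IDs as the "known exploited" set and ranks constructed sample findings accordingly. The host names, exposure labels and CVSS values in SAMPLE_FINDINGS are constructed, and CVE-2099-0001 is a placeholder standing in for a high-CVSS vulnerability with no evidence of exploitation.

```python
"""Rank vulnerability-scan findings: exploited-in-the-wild first, exposure
second, CVSS third, oldest CVE last as a tie-breaker.

Added example for this article, not Verint's code. Sample data is constructed.
"""
from dataclasses import dataclass

# The 20 CVE IDs listed in the Verint report, used as the known-exploited set.
VERINT_TOP20 = {
    "CVE-2017-11882", "CVE-2018-8174", "CVE-2017-0199", "CVE-2018-4878",
    "CVE-2017-10271", "CVE-2019-0708", "CVE-2017-5638", "CVE-2017-5715",
    "CVE-2017-8759", "CVE-2018-20250", "CVE-2018-7600", "CVE-2018-10561",
    "CVE-2017-17215", "CVE-2012-0158", "CVE-2014-8361", "CVE-2017-8570",
    "CVE-2018-0802", "CVE-2017-0143", "CVE-2018-12130", "CVE-2019-2725",
}

# Exposure classes in priority order, following the article's advice to
# put externally-facing systems and end-user devices first.
EXPOSURE_RANK = {"external": 0, "endpoint": 1, "internal": 2}


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str
    cvss: float     # score as reported by the scanner (constructed here)
    exposure: str   # "external", "endpoint" or "internal"


def cve_year(cve_id):
    """Year component of a CVE ID, e.g. 'CVE-2012-0158' -> 2012."""
    return int(cve_id.split("-")[1])


def priority_key(finding, exploited):
    """Sort key: lower tuples are patched first.

    1. known-exploited CVEs before everything else (overrides CVSS)
    2. more exposed hosts first
    3. higher CVSS first
    4. older CVE first (a 2012 bug still unpatched is the worse hygiene gap)
    """
    return (
        0 if finding.cve in exploited else 1,
        EXPOSURE_RANK.get(finding.exposure, len(EXPOSURE_RANK)),
        -finding.cvss,
        cve_year(finding.cve),
    )


def prioritize(findings, exploited=VERINT_TOP20):
    """Return the findings ordered from most to least urgent."""
    return sorted(findings, key=lambda f: priority_key(f, exploited))


def exploited_hits(findings, exploited=VERINT_TOP20):
    """Sorted list of known-exploited CVEs that the scan actually found."""
    return sorted({f.cve for f in findings if f.cve in exploited})


# Constructed sample scanner output. CVE-2099-0001 is a placeholder for a
# high-CVSS finding with no known exploitation; it must NOT outrank the
# report's CVEs just because its score is higher.
SAMPLE_FINDINGS = [
    Finding("web-01", "CVE-2099-0001", 10.0, "external"),
    Finding("ws-17", "CVE-2012-0158", 7.5, "endpoint"),
    Finding("app-03", "CVE-2017-5638", 9.0, "internal"),
    Finding("ws-17", "CVE-2017-11882", 7.8, "endpoint"),
    Finding("web-01", "CVE-2019-2725", 9.8, "external"),
]


if __name__ == "__main__":
    for rank, f in enumerate(prioritize(SAMPLE_FINDINGS), start=1):
        flag = "EXPLOITED" if f.cve in VERINT_TOP20 else "-"
        print(f"{rank}. {f.host:8} {f.cve:15} cvss={f.cvss:<4} {f.exposure:9} {flag}")
    print("known-exploited CVEs present:", exploited_hits(SAMPLE_FINDINGS))
```

Running the script lists CVE-2019-2725 on the external web server first and pushes the placeholder CVE-2099-0001 to the bottom despite its 10.0 score, which is the behaviour the article argues for. In practice the exploited set would be refreshed from a threat-intelligence feed rather than hard-coded, and the exposure label would come from the asset inventory rather than the scanner.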