In early May 2020, US-CERT published an alert on the top 10 vulnerabilities exploited by attackers from 2016 to 2019. The list reveals some patterns and attack methods preferred by malicious actors. We're going to dig a bit deeper into these attacks in this article.
The underlying theme for defenders is a lack of proper patch and configuration management. There will always be compromises that exploit zero-day vulnerabilities; however, the blast radius increases over time as organizations struggle to keep up with patching their systems. This remains true in 2020 as much as it was in 2000.
Most of the exploited vulnerabilities between 2016 and 2019 are based on vulnerable software. This matches the pattern we've seen by looking at the vulnerabilities we've discovered for clients in the first part of 2020.
Analyzing the list of the most exploited vulnerabilities also yields an unsurprising view, one in which the majority of attacks have targeted business productivity tools, such as Microsoft Office, or supporting services like Apache Tomcat. Microsoft operating systems and software will continue to be the most attacked software for the foreseeable future due to their nearly universal adoption, market share, and the many lagging organizations that struggle to upgrade to the latest and arguably more secure versions. This will shift once Microsoft can natively mitigate attacks by adopting a secure-by-default approach.
Interestingly, the aforementioned US-CERT alert specifically calls out increased malicious activity against VPN technologies. This is not really a new tactic by malicious actors; however, with the workforce more remote than ever, especially in the present COVID-19 situation, attackers are like bees following the honey. We've performed some recent technical analysis of such vulnerabilities, which you can read here: Pulse SSL VPN Arbitrary File Read Vulnerability (CVE-2019-11510) and ConnectWise Control 19.3.25270.7185 (Eight Vulnerabilities, Including Critical).
Targeting employees through social engineering remains a tried-and-true tactic, mainly because it bypasses technical controls by exploiting a lack of proper employee training and awareness. Often, the easiest way to compromise an organization is not by overtly attacking it through technical means, but by focusing on soft targets, i.e., its people. Over the past few years, we've noticed that ransomware attacks have succeeded by convincing employees to open emails and click on malicious links; however, we can't neglect to mention the effectiveness of simply calling employees and exploiting their willingness to help someone.
There aren't any fancy tricks or tips to avoid these issues. Lists like this one from US-CERT are very useful for showing real-world attacks and reminding us that security basics and good overall hygiene will make a massive difference in an organization's security profile. The emerging threats that make headlines in the press are worth monitoring and checking for within your attack surface, but don't focus on that one area alone at the expense of protecting the low-hanging fruit. Play good offense: hire reputable external security firms to run regular pen tests, explore continuous pen testing, which gives you a broader view of your real-time threats, and train your employees.