It doesn't matter how sophisticated a threat group is. They like low-hanging fruit as much as other dark web dwellers.
The most commonly exploited vulnerabilities are ones hidden in plain, everyday IT tools. The CVEs listed for 2020 and 2021 are dated and largely linked to remote work, according to a joint alert issued by the Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), the U.K.'s National Cyber Security Center (NCSC), and the Federal Bureau of Investigation (FBI) last week.
Uncovering initial access to a larger attack is not always straightforward. In some cases, companies have to look for a combination of actions used in an attack, because some malicious tactics often don't appear concerning or trigger an investigation. Others, however, are preventable with a patch.
When the public thinks of massive cyberattacks, the assumption is hackers were clever and used sophisticated techniques to gain entry. This is not always true. Even the most well-resourced APTs rely on gaps in security left by poor security hygiene.
Most common routinely exploited CVEs of 2020
Vendor | CVE | Type | Patch available |
---|---|---|---|
Citrix | CVE-2019-19781 | arbitrary code execution | Critical |
Pulse | CVE-2019-11510 | arbitrary file reading | Critical |
Fortinet | CVE-2018-13379 | path traversal | Critical |
F5-Big IP | CVE-2020-5902 | remote code execution | Critical (upgrade to secure version) |
MobileIron | CVE-2020-15505 | remote code execution | Critical |
Microsoft | CVE-2017-11882 | remote code execution | Critical |
Atlassian | CVE-2019-11580 | remote code execution | Critical |
Drupal | CVE-2018-7600 | remote code execution | Critical |
Telerik | CVE-2019-18935 | remote code execution | Critical |
Microsoft | CVE-2019-0604 | remote code execution | Critical |
Microsoft | CVE-2020-0787 | elevation of privilege | High |
Netlogon | CVE-2020-1472 | elevation of privilege | Critical |
SOURCE: CISA
CVEs dating back to 2017 indicate "companies have struggled to locate and patch vulnerable instances," said Claire Tills, senior research engineer at Tenable. Security teams may lack the authority to deploy updates if they stall business-critical IT tools, like VPNs.
"Threat actors prefer these vulnerabilities because they exist in ubiquitous products, increasing the likelihood that any sector they target will be vulnerable," said Tills.
Threat actors can obscure attribution when they use common CVEs as well as cut their access costs, CISA found. "They are not investing in developing a zero-day exploit for their exclusive use, which they risk losing if it becomes known."
Nation-state actors and other threat groups expect organizations to lack the resources or network visibility necessary to locate vulnerabilities. Highly sophisticated APTs know, "once you own the VPN, ransom deployment becomes trivial," especially if organizations haven't properly integrated the VPN with intrusion detection systems (IDS) or next-generation firewalls, Chris White, CSO of BlueVoyant, said.
2021's CVEs
CISA confirmed the mass remote work landscape challenged organizations' abilities to "conduct rigorous patch management." And if a company lacks the resources and ability to investigate an intrusion, threat actors become more brazen with their activity — even highly sophisticated threat groups become arrogant and pursue low-hanging fruit.
"The problem in the pre-COVID[-19] world was prioritization," said White. Companies often remediated threats hackers were exploiting in real time. "So to some extent, the pandemic actually eased the burden because the attack surface pivoted towards endpoints," including VPNs and email, he said. It gave security teams a more focused set of priorities.
However, companies that have the capacity and resources will be able to prioritize patching — it's more of a challenge for smaller security teams. In March 2020, companies caught off-guard by mass remote work focused on business continuity rather than protection. More than half of companies are still challenged by remote and hybrid management, according to a JumpCloud survey.
CVEs to prioritize in 2021
Vendor/product | CVEs | Mitigation |
---|---|---|
Microsoft Exchange | CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065 | Update to servers from 2010, 2013, 2016, 2019 |
Pulse Secure | CVE-2021-22893, CVE-2021-22894, CVE-2021-22899, CVE-2021-22900 | Update to latest software |
Accellion | CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104 | Update versions of FTA |
VMware | CVE-2021-21985 | Patches available |
Fortinet | CVE-2018-13379, CVE-2020-12812, CVE-2019-5591 | Patches available |
SOURCE: CISA
Though the CVEs that defined 2020 were mostly in "perimeter-type devices," vulnerabilities from Q1 2021 had "aggressive exploitation" of Microsoft Exchange servers and Accellion File Transfer Appliance (FTA), according to data from Positive Technologies.
FireEye identified UNC2546, which has been linked to Clop ransomware, and FIN11 as having ties to the Accellion breach. Morgan Stanley, Kroger, University of Colorado and Jones Day were among the Accellion customers affected by the breach.
"The most sophisticated APT organizations, however, are interested in privilege escalation and [remote code execution] vulnerabilities to gain deep persistence within strategic organizations — not for the purpose of ransom or direct attack but for the more impactful supply chain-based attacks," said White. "The way ransomware made its way onto everyone's radar over the past five to six years, the supply-chain-based attacks will do the same in the first half of this decade."
For now, however, the most dominant threat groups of 2021 specialize in ransomware.
Ransomware operators Black Kingdom and DearCry latched onto the ProxyLogon remote code execution exploit for Exchange servers, though the initial Exchange hack was conducted by China-based nation-state actors. The ransomware groups challenged the patches Microsoft issued for the original attack on Exchange. The threat of a secondary exploitation meant companies had to update their Exchange servers and search for intrusions leading elsewhere in their environment.
At this point, security teams are opening an investigation. As the saying goes, "given enough eyeballs, all bugs are shallow," but not all companies have the resources to have enough eyeballs.
"Without the right intelligence, vulnerability management can sometimes feel like ghost hunting," said Tills. "Many organizations are likely haunted by CVEs based on their own unique IT history," depending on acquisitions or mergers, inventory and asset maintenance, and intelligence capabilities.
Most tactics that might trigger an investigation have to be found early in an attack, according to Sophos. Of the tactics on which Sophos MTR moved forward with an investigation, 31% involved suspicious execution detections, 17% had persistence detections and 16% were in initial access detections. Only 1% of tactics escalated to further investigation involved privilege escalation. In privilege escalation, the most common techniques include process injection, process hollowing and SID-history injection.
In September, ransomware group Ryuk used CVE-2020-1472, or Zerologon, a vulnerability in the Microsoft Windows Netlogon Remote Protocol. The vulnerability allows for privilege escalation after a bad actor uses the Netlogon Remote Protocol to establish a secure channel connection to a domain controller.
It's a critical CVE, according to NIST. The bug has been known since last year and a patch is available; however, CISA said companies that have found exploitation attempts in their Windows Event Logs will have to investigate further.