U.S. Government Shares Most Exploited Vulnerabilities
The CISA and FBI have sent an alert to organizations about an increased priority on patching the most commonly exploited vulnerabilities.
CISA & FBI Want Organizations to Prioritize Patching
The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the broader U.S. Government have issued technical guidance to all public and private sector organizations to place an increased priority on patching the most commonly known vulnerabilities exploited by sophisticated foreign cyber actors.
This is an unprecedented alert, considering it addresses a number of separate vulnerabilities from the past eight years that foreign attackers appear to have been exploiting. It is also notable that the advisory comes not just from CISA but directly from the FBI and the U.S. government as well.
“Foreign cyber actors continue to exploit publicly known – and often dated – software vulnerabilities against broad target sets, including public and private sector organizations,” the alert elaborated. “Exploitation of these vulnerabilities often requires fewer resources as compared with zero-day exploits for which no patches are available.”
The alert went on to state that all organizations could greatly alleviate such foreign threats to “U.S. interests through an increased effort to patch their systems and implement programs to keep system patching up to date. A concerted campaign to patch these vulnerabilities would introduce friction into foreign adversaries’ operational tradecraft and force them to develop or acquire exploits that are more costly and less widely effective.”
In addition to the alert specifying a number of exploits across various operating systems and products, CISA, the FBI, and the U.S. Government recommend that all organizations transition away from any end-of-life software, since such software receives no further support or mitigation.
Most Exploited Vulnerabilities
The top most exploited vulnerabilities provided by CISA are (in chronological order):
“Of the top 10, the three vulnerabilities used most frequently across state-sponsored cyber actors from China, Iran, North Korea, and Russia are CVE-2017-11882, CVE-2017-0199, and CVE-2012-0158. All three of these vulnerabilities are related to Microsoft’s OLE technology.”
The alert went on to point out that the “flaws malicious cyber actors exploited the most consistently were in Microsoft and Adobe Flash products, probably because of the widespread use of these technologies.”
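One way to act on the guidance above is to rank a vulnerability scanner's findings so that CVEs the alert names come first, end-of-life products second, and everything else by severity and age. The script below is an added example, not code from CISA, the FBI, or the article: the three CVE identifiers are the ones quoted from the alert, while the scanner rows, the host names, the END_OF_LIFE set, and the CVE-0000-* identifiers are constructed placeholders for the demo.

```python
"""Rank a vulnerability-scanner export against the CVEs the CISA/FBI alert names.

Added example, not part of the alert or the article. KNOWN_EXPLOITED holds the
three CVEs the alert singles out; everything else below (hosts, products,
CVE-0000-* ids, the END_OF_LIFE set) is constructed sample data.
"""
import csv
import io
from datetime import date

# CVEs the alert names as most frequently used by state-sponsored actors.
KNOWN_EXPLOITED = {"CVE-2017-11882", "CVE-2017-0199", "CVE-2012-0158"}

# Products treated as end-of-life for this demo (assumption; a real deployment
# would take this from vendor lifecycle data, not a hard-coded set).
END_OF_LIFE = {"Adobe Flash Player"}

# Constructed scanner export: host, product, cve, cvss, first_seen (ISO date).
SAMPLE_EXPORT = """host,product,cve,cvss,first_seen
fs01,Microsoft Office 2016,CVE-2017-11882,7.8,2020-01-14
web02,Example WebApp,CVE-0000-0001,9.8,2020-04-20
kiosk03,Adobe Flash Player,CVE-0000-0002,6.5,2019-11-02
hr04,Microsoft Office 2013,CVE-2012-0158,8.8,2018-06-30
dev05,Example Lib,CVE-0000-0003,5.3,2020-05-01
"""


def parse_export(text):
    """Parse CSV text into a list of findings with typed fields."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        findings.append({
            "host": row["host"],
            "product": row["product"],
            "cve": row["cve"].strip().upper(),
            "cvss": float(row["cvss"]),
            "first_seen": date.fromisoformat(row["first_seen"]),
        })
    return findings


def priority_key(finding, today):
    """Sort key: alert-listed CVEs first, then EOL products, then CVSS, then age.

    Lower tuples sort first, so the booleans are negated and the numeric
    fields are negated so that higher severity and older findings come first.
    """
    exploited = finding["cve"] in KNOWN_EXPLOITED
    eol = finding["product"] in END_OF_LIFE
    age_days = (today - finding["first_seen"]).days
    return (not exploited, not eol, -finding["cvss"], -age_days)


def prioritise(text, today=None):
    """Return findings in patch order, each annotated with the reason for its rank."""
    if today is None:
        today = date.today()
    elif isinstance(today, str):
        today = date.fromisoformat(today)
    ordered = sorted(parse_export(text), key=lambda f: priority_key(f, today))
    for finding in ordered:
        reasons = []
        if finding["cve"] in KNOWN_EXPLOITED:
            reasons.append("named in CISA/FBI alert")
        if finding["product"] in END_OF_LIFE:
            reasons.append("end-of-life product")
        finding["reason"] = "; ".join(reasons) or "ranked by CVSS and age"
    return ordered


def patch_order(text, today=None):
    """Just the (host, cve) pairs in the order they should be patched."""
    return [(f["host"], f["cve"]) for f in prioritise(text, today)]


if __name__ == "__main__":
    for f in prioritise(SAMPLE_EXPORT, "2020-05-15"):
        print(f"{f['host']:8} {f['cve']:15} cvss={f['cvss']:<4} {f['reason']}")
```

Replacing SAMPLE_EXPORT with a real scanner export and KNOWN_EXPLOITED with the full list from the alert gives a patch queue that puts the vulnerabilities foreign actors are actually using ahead of findings that merely score high on CVSS.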
It is no surprise to any industry that keeping all systems patched and up to date will mitigate potential attack vectors; however, attacks made public in the last few years prove that this is not happening. In 2017, the WannaCry and NotPetya attacks ran rampant, causing billions of dollars in losses across 200,000 devices in 150 countries.
Just last year, multinational organizations and U.S. city and county governments spent nearly $200 million responding to various ransomware events, all because of easily exploitable vulnerabilities left unpatched. With a majority of organizations sending their workers home due to COVID-19, corporate endpoints are even more at risk, since so many of these businesses lack a proper work-from-home plan. This includes on-premises systems that may or may not be receiving the same level of care now that IT departments themselves are no longer on-site.