The U.S. government is instructing IT admins to double down on efforts to secure virtual private networks and Microsoft Office 365 environments, if they haven't already.
According to the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), the work-from-home shift in March, necessitated by COVID-19, brought with it an onslaught of attacks targeting vulnerabilities in Citrix VPN appliances (CVE-2019-19781) and Pulse Secure VPN servers (CVE-2019-11510), as well as lax O365 deployments.
The agencies added that a lack of employee education around social engineering attacks, combined with a lack of system recovery and contingency plans, has made organizations more susceptible to ransomware attacks in 2020.
CISA has warned about these vulnerabilities in the past – it warned about the Pulse vulnerabilities twice already this year, once in January, once in April – but reiterated the danger of the threats again on Tuesday, in a recap of the top 10 most exploited vulnerabilities from 2016-2019.
Those vulnerabilities, attributed to state, nonstate, and unattributed cyber actors, are as follows:
- CVE-2017-11882 – Microsoft Office 2007 SP3, 2010 SP2, 2013 SP1 and 2016 products. Commonly associated with the Loki, FormBook and Pony malware strains.
- CVE-2017-0199 – Microsoft Office 2007 SP3, 2010 SP2, 2013 SP1 and 2016; Windows Vista SP2; Windows Server 2008 SP2; Windows 7 SP1; Windows 8.1. Commonly associated with FINSPY, LATENTBOT and Dridex.
- CVE-2017-5638 – Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1. Commonly associated with JexBoss malware.
- CVE-2012-0158 – Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2003 Web Components SP3; SQL Server 2000 SP4, 2005 SP4, and 2008 SP2, SP3 and R2; BizTalk Server 2002 SP1; Commerce Server 2002 SP4, 2007 SP2, and 2009 Gold and R2; Visual FoxPro 8.0 SP1 and 9.0 SP2; and Visual Basic 6.0. Commonly associated with Dridex.
- CVE-2019-0604 – Microsoft SharePoint. Commonly associated with China Chopper.
- CVE-2017-0143 – Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; Windows 10 Gold, 1511 and 1607; and Windows Server 2016.
- CVE-2018-4878 – Adobe Flash Player before 28.0.0.161. Commonly associated with DOGCALL.
- CVE-2017-8759 – Microsoft .NET Framework 2.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 and 4.7. Commonly associated with FINSPY, FinFisher and WingBird.
- CVE-2015-1641 – Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word 2013 SP1, Word 2013 RT SP1, Word for Mac 2011, Office Compatibility Pack SP3, Word Automation Services on SharePoint Server 2010 SP2 and 2013 SP1, and Office Web Apps Server 2010 SP2 and 2013 SP1. Commonly associated with Toshliph and UWarrior.
- CVE-2018-7600 – Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1. Commonly associated with Kitty.
All of the CVEs have mitigations available. In many instances, simply updating the affected product – applying Microsoft's patches, updating Flash Player, or upgrading the version of Struts you're running – will remedy the issue.
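Knowing whether an installed build actually sits inside one of the affected ranges is the first step to deciding which of these updates is urgent. The following is an added illustration, not code from the article or from CISA: it encodes the version-bounded entries in the list above (Apache Struts, Adobe Flash Player and Drupal) as branch-aware ranges and checks a software inventory against them. The ranges are transcribed from the list; the inventory rows and host names are constructed sample data.

```python
"""Added illustration (not code from the article or from CISA): check an
installed version against the affected-version ranges the article gives for
its version-bounded entries (Apache Struts, Adobe Flash Player, Drupal).
Ranges are transcribed from the list above; the inventory is constructed
sample data and the host names are made up."""
from __future__ import annotations

import re

# Affected ranges per CVE, transcribed from the article: each rule is
# (branch prefix, first fixed version). A plain "before X" with no branch
# is written with an empty prefix, meaning every version older than X.
AFFECTED: dict[str, tuple[str, list[tuple[str, str]]]] = {
    "CVE-2017-5638": ("Apache Struts", [("2.3", "2.3.32"), ("2.5", "2.5.10.1")]),
    "CVE-2018-4878": ("Adobe Flash Player", [("", "28.0.0.161")]),
    "CVE-2018-7600": ("Drupal", [("7", "7.58"), ("8", "8.3.9"),
                                 ("8.4", "8.4.6"), ("8.5", "8.5.1")]),
}


def parse_version(text: str) -> tuple[int, ...]:
    """'2.5.10.1' -> (2, 5, 10, 1); letters and suffixes are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def is_affected(cve: str, version: str) -> bool:
    """True if `version` falls inside one of the CVE's affected ranges.

    The most specific branch wins, so Drupal 8.4.5 is judged against the
    8.4.x fix (8.4.6) rather than the general 8.x fix (8.3.9).
    """
    _, rules = AFFECTED[cve]
    v = parse_version(version)
    candidates = []
    for branch, fixed in rules:
        b = parse_version(branch)
        if v[:len(b)] == b:          # empty prefix matches everything
            candidates.append((len(b), parse_version(fixed)))
    if not candidates:
        return False                 # version is outside every listed branch
    _, fixed_in = max(candidates)    # longest prefix = most specific rule
    return v < fixed_in


def audit(inventory: list[tuple[str, str, str]]) -> list[tuple[str, str, str, str]]:
    """Return (host, product, version, cve) for every inventory row that
    still runs a version inside an affected range."""
    by_product = {product: cve for cve, (product, _) in AFFECTED.items()}
    findings = []
    for host, product, version in inventory:
        cve = by_product.get(product)
        if cve and is_affected(cve, version):
            findings.append((host, product, version, cve))
    return findings


# Constructed sample inventory; none of these hosts exist.
SAMPLE_INVENTORY = [
    ("web-01", "Apache Struts", "2.3.31"),
    ("web-02", "Apache Struts", "2.5.10.1"),
    ("cms-01", "Drupal", "8.4.5"),
    ("cms-02", "Drupal", "8.6.1"),
    ("kiosk-07", "Adobe Flash Player", "28.0.0.137"),
]

if __name__ == "__main__":
    for host, product, version, cve in audit(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} is inside the {cve} affected range; update it")
```

The branch-prefix comparison matters because "8.x before 8.3.9" and "8.4.x before 8.4.6" overlap on the 8.4 branch; a naive "older than 8.3.9" test would wrongly clear Drupal 8.4.5. Version tuples are compared component-wise, so 2.5.10 correctly sorts before 2.5.10.1.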
This isn’t always easy, however; it's often a balance of time and urgency.
“Deploying patches often requires IT security professionals to balance the need to mitigate vulnerabilities with the need for keeping systems running and ensuring installed patches are compatible with other software,” CISA's guidance reads. “This can require a significant investment of effort, particularly when mitigating multiple flaws at the same time.”
According to the government's reporting, attackers targeted Microsoft's Object Linking and Embedding (OLE) technology more than any other from 2016-2019. OLE has existed since 1990 and allows documents to embed and link to other documents and objects, which makes it a favored avenue for attackers who embed scripts that download malware. According to CISA, the technique has been observed in attacks by groups in China, Iran, North Korea and Russia, leveraging CVE-2017-11882, CVE-2017-0199 and CVE-2012-0158 in particular.
After OLE, the most targeted technology was Apache Struts, the same web framework whose unpatched vulnerability ultimately led to the 2017 Equifax data breach.
CISA provides further intelligence for IT admins on its site, including additional vulnerability details, indicators of compromise (IOCs) and directions to mitigate each CVE.