Skip to main content

Top 10 Routinely Exploited Common Vulnerabilities & Exposures

Health-ISAC Vulnerability Bulletin

Date: May 14, 2020

Event: Top 10 Routinely Exploited Common Vulnerabilities & Exposures (CVEs)

Summary:

This alert provides details on vulnerabilities that are routinely being exploited by nation state cyber actors.  Organizations can greatly reduce the risk of these foreign threats by applying patches. 

On May 13, 2020, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the broader U.S. Government issued an alert (AA20-133A) to advise IT security professionals at public and private sector organizations to place an increased priority on patching the most commonly known vulnerabilities exploited by sophisticated foreign cyber actors. 

Analysis:

Foreign cyber actors continue to exploit publicly known—and often dated—software vulnerabilities against broad target sets, including public and private sector organizations, including the healthcare sector. Exploitation of these vulnerabilities often requires fewer resources as compared with zero-day exploits for which no patches are available.

Health-ISAC member organizations could reduce the threats from some sophisticated nation state actors through an increased effort to patch systems and implement programs to keep system patching up to date. A concerted campaign to patch these vulnerabilities would introduce friction into adversaries’ operational tradecraft and force them to develop or acquire exploits that are more costly and less widely effective. A concerted patching campaign would also bolster network security by focusing scarce defensive resources on the observed activities of nation state adversaries. For indicators of compromise (IOCs) and additional guidance associated with the CVEs in this Alert, see each entry within the Mitigations section below. Click button to the right for a PDF version of this report.

Technical Details:

Most Exploited Vulnerabilities during 2016-2019

U.S. Government reporting has identified the top 10 most exploited vulnerabilities by state, nonstate, and unattributed cyber actors from 2016 to 2019 as follows: CVE-2017-11882, CVE-2017-0199, CVE-2017-5638, CVE-2012-0158, CVE-2019-0604, CVE-2017-0143, CVE-2018-4878, CVE-2017-8759, CVE-2015-1641, and CVE-2018-7600.

  • According to U.S. Government technical analysis, malicious cyber actors most often exploited vulnerabilities in Microsoft’s Object Linking and Embedding (OLE) technology. OLE allows documents to contain embedded content from other applications such as spreadsheets. After OLE the second-most-reported vulnerable technology was a widespread Web framework known as Apache Struts.
  • Of the top 10, the three vulnerabilities used most frequently across state-sponsored cyber actors from China, Iran, North Korea, and Russia are CVE-2017-11882, CVE-2017-0199, and CVE-2012-0158. All three of these vulnerabilities are related to Microsoft’s OLE technology. 
  • As of December 2019, Chinese nation state cyber actors were frequently exploiting the same vulnerability—CVE-2012-0158 that the U.S. Government publicly assessed in 2015 was the most used in their cyber operations. This trend suggests that organizations have not yet widely implemented patches for this vulnerability and that Chinese nation state cyber actors may continue to incorporate dated flaws into their operational tradecraft as long as they remain effective. 
  • Deploying patches often requires IT security professionals to balance the need to mitigate vulnerabilities with the need for keeping systems running and ensuring installed patches are compatible with other software. This can require a significant investment of effort, particularly when mitigating multiple flaws at the same time. 
  • A U.S. industry study released in early 2019 similarly discovered that the flaws malicious cyber actors exploited the most consistently were in Microsoft and Adobe Flash products, probably because of the widespread use of these technologies. Four of the industry study’s top 10 most exploited flaws also appear on this Alert’s list, highlighting how U.S. Government and private-sector data sources may complement each other to enhance security. 

Most Exploited Vulnerabilities in 2020

In addition to the top 10 vulnerabilities from 2016 to 2019 listed above, the U.S. Government has reported that the following vulnerabilities are being routinely exploited by sophisticated foreign cyber actors in 2020: 

  • Malicious cyber actors are increasingly targeting unpatched Virtual Private Network vulnerabilities. 
  • An arbitrary code execution vulnerability in Citrix VPN appliances, known as CVE-2019-19781, has been detected in exploits in the wild. 
  • An arbitrary file reading vulnerability in Pulse Secure VPN servers, known as CVE-2019-11510, continues to be an attractive target for malicious actors. 
  • March 2020 brought an abrupt shift to work-from-home that necessitated, for many organizations, rapid deployment of cloud collaboration services, such as Microsoft Office 365 (O365). Malicious cyber actors are targeting organizations whose expedited deployment of Microsoft O365 may have led to oversights in security configurations vulnerable to attack.
This site is registered on Toolset.com as a development site.