The Top 20 Vulnerabilities to Patch before 2020

Published first in Dark Reading by Kelly Sheridan.

In an ideal world, organizations would patch every new vulnerability once it’s discovered. In real-life, this is impossible. Security analysts responsible for vulnerability management activities face multiple challenges that result in what the industry calls “The Patching Paradox” – common sense tells you to keep every system up to date in order to be protected, but this is not possible due to limited resources, existence of legacy systems and slow implementation of patches.

Verint’s Cyber Threat Intelligence (CTI) Group analyzed the top 20 vulnerabilities that are currently exploited by attack groups worldwide. The goal of this analysis is to provide security professionals with an incentive to improve their patching management activities.

Key Findings:

  • 34% of the attacks exploiting these vulnerabilities, originated in China
  • 45% of the vulnerabilities affect Microsoft products
  • Vulnerabilities from as early as 2012 (!) are still used to carry out successful attacks

According to the National Vulnerability Database (NVD), since 2016 we have seen an increase of ~130% in the number of disclosed vulnerabilities, or in other words there is an average of ~45 new vulnerabilities per day as can be seen in the graph below. Additional statistics reveal that almost 60% of all vulnerabilities are classified as ‘Critical’ or ‘High’.

NVD_data

Recent threat intelligence gathered by Verint and Thales Group about 66 attack groups operating globally, revealed that advanced threat actors leverage old vulnerabilities that are left unpatched. To make things even more complicated, according to a recent study by Ponemon Institute for ServiceNow60% of breaches were linked to a vulnerability where a patch was available, but not applied.

So, How Can We Clean Up The Mess?

Operational Threat Intelligence – Each CVE is given a severity score. However, these scores do not necessarily represent the actual risk for the organization. For example, CVE-2018-20250 (WinRAR vulnerability) has a CVSS (Common Vulnerability Scoring System) base score of 7.8 (‘High’) in NVD and 6.8 (‘Medium’) in ‘CVE Details’. This vulnerability has been exploited by at least five different APT groups, from different locations, against targets in the U.S., South East Asia, Europe, and The Middle East and against a wide range of industries, including Government Agencies, Financial Services, Defense, Energy, Media and more. This information clearly indicates the criticality of the vulnerability and the urgency for immediate patching.

Other contextual data that should influence your patching prioritization process is what vulnerabilities are currently discussed in the Dark Web by threat actors, or which exploits are currently developed? Threat intelligence is key when we try to determine what vulnerabilities are critical to our organization. Maintaining a knowledge base of exploited vulnerabilities according to the attack groups leveraging them, provides a solid starting point for vulnerability prioritization. In addition, having information about the attack groups – for example their capabilities, TTPs and the industries and countries they target – helps to better evaluate the risk and prioritize patching activities.

The Top 20 Vulnerabilities to Patch Now

Verint’s CTI Group constantly monitors different intelligence data sources and create daily CTI feeds, which include the latest daily cyber activities. The analysis below is based on over 5,300 feeds and other intelligence items the group has analyzed in the past 2.5 years, covering over 800 CVEs.

The 20 vulnerabilities were extracted based on the number of times they have been exploited by sophisticated cyber-attack groups operating in the world today (from high to low):

No. CVE Products Affected by CVE CVSS Score (NVD) First-Last Seen (#Days) Examples of Threat Actors
1 CVE-2017-11882 Microsoft Office 7.8 713 APT32 (Vietnam), APT34 (Iran), APT40 (China), APT-C-35 (India), Cobalt Group (Spain, Ukraine), Silent Group (Russia), Lotus Blossom (China), Cloud Atlas (Unknown), FIN7 (Russia)
2 CVE-2018-8174 Microsoft Windows 7.5 558 Silent Group (Russia), Dark Hotel APT (North Korea)
3 CVE-2017-0199 Microsoft Office, Windows 7.8 960 APT34 (Iran), APT40 (China), APT-C-35 (India), Cobalt Group (Spain, Ukraine), APT37 (North Korea), Silent Group (Russia), Gorgon Group (Pakistan), Gaza Cybergang (Iran)
4 CVE-2018-4878 Adobe Flash Player, Red Hat Enterprise Linux 9.8 637 APT37 (North Korea), Lazarus Group (North Korea)
5 CVE-2017-10271 Oracle WebLogic Server 7.5 578 Rocke Gang (Chinese Cybercrime)
6 CVE-2019-0708 Microsoft Windows 9.8 175 Kelvin SecTeam (Venezuela, Colombia, Peru)
7 CVE-2017-5638 Apache Struts 10 864 Lazarus Group (North Korea)
8 CVE-2017-5715 ARM, Intel 5.6 424 Unknown
9 CVE-2017-8759 Microsoft .net Framework 7.8 671 APT40 (China), Cobalt Group (Spain, Ukraine), APT10 (China)
10 CVE-2018-20250 RARLAB WinRAR 7.8 189 APT32 (Vietnam), APT33 (Iran), APT-C-27 (Iran), Lazarus Group (North Korea), MuddyWater APT (Iran)
11 CVE-2018-7600 Debian, Drupal 9.8 557 Kelvin SecTeam (Venezuela, Colombia, Peru), Sea Turtle (Iran)
12 CVE-2018-10561 DASAN Networks 9.8 385 Kelvin SecTeam (Venezuela, Colombia, Peru)
13 CVE-2017-17215 Huawei 8.8 590 ‘Anarchy’ (Unknown)
14 CVE-2012-0158 Microsoft N/A; 9.3 (according to cvedetails.com) 2690 APT28 (Russia), APT-C-35 (India), Cobalt Group (Spain, Ukraine), Lotus Blossom (China), Cloud Atlas (Unknown), Goblin Panda (China), Gorgon Group (Pakistan), APT40 (China)
15 CVE-2014-8361 D-Link, Realtek N/A; 10 (according to cvedetails.com) 1644 ‘Anarchy’ (Unknown)
16 CVE-2017-8570 Microsoft Office 7.8 552 APT-C-35 (India), Cobalt Group (Spain, Ukraine), APT23 (China)
17 CVE-2018-0802 Microsoft Office 7.8 574 Cobalt Group (Spain, Ukraine), APT37 (North Korea), Silent Group (Russia), Cloud Atlas (Unknown), Goblin Panda (China), APT23 (China), APT27 (China), Rancor Group (China), Temp.Trident (China)
18 CVE-2017-0143 Microsoft SMB 8.1 959 APT3 (China), Calypso (China)
19 CVE-2018-12130 Fedora 5.6 167 Iron Tiger (China), APT3 (China), Calypso (China)
20 CVE-2019-2725 Oracle WebLogic Server 9.8 144 Panda (China)
BONUS CVE-2019-3396 Atlassian Confluence 9.8 204 APT41 (China), Rocke Gang (Chinese Cybercrime)

The Ultimate Threat Actor Landscape – Highlights and Key Findings from The Cyber Threat Actor Handbook

Verint and Thales have recently released The Cyber Threat Actor Handbook – a comprehensive analysis of the most prominent threat actors operating in the world today.

This research is a knowledge-based operational tool for security analysts, to better understand the relevancy and risk posed by different threat actors operating globally. Each threat actor has a score, and all profiles are aligned with the MITRE ATT&CK framework and include:

  • A brief description of the threat actor and its aliases
  • Associated malware campaigns, attack vectors and TTPs
  • Most used exploits and CVEs
  • Motivation and objectives (Nation-State, Cybercrime, Hacktivism, Cyber-Terrorism)
  • Targeted sectors and geographical areas

Based on the handbook, Verint’s Cyber Threat Intelligence group has created The Ultimate Threat Actor Landscape report, which highlights the key findings from the Cyber Threat Actor Handbook.

In this blog post we present some of the key findings of the report, which is based on a thorough analysis of:

  • 490 Attack Campaigns
  • 66 Attack Groups
  • 525 Attack Tools
  • 173 MITRE Techniques
  • 98 CVEs

Who’s Behind The Attacks?

Who's behind the attacks

Inside the report we dive deep into who is behind the attacks and reveal detailed analysis of each threat actor, including the attacker’s origin, motives, attack techniques, campaigns, CVEs, tools used and more.

Where Do Threat Actors Find Us Vulnerable?

find us vulnerable

The Most Exploited CVEs

Organizations tend to procrastinate, when it comes to updating systems, even critical ones. In the report, we reveal the threat actors’ most exploited CVEs. Leveraging threat intelligence for vulnerability prioritization is key for reducing risk.

most exploited

A combination of underestimation of the risks and the required resources, are the main contributors to the slow implementation of patches (also known as the ‘Patching Paradox’).

Threat Intelligence regarding the exploitation of disclosed vulnerabilities (in 2018 alone, 16,514 vulnerabilities were disclosed), helps answer questions such as: What vulnerabilities are currently discussed and perceived as easier to exploit? Which exploits are currently developed and traded on underground sources? and Which zero-day vulnerabilities are circulating in hacking communities? The answers will help prioritize patch installation and vulnerability fixes.
Look out for our upcoming report, where we list the top 20 vulnerabilities to patch before 2020.

Which Countries Are Being Targeted?

The following map indicates the most targeted countries:

targeted countries

Which Industries Are The Most Threatened?

The following statistics indicate the most targeted sectors – based on 66 attack groups

targeted industries

Top Used Techniques (Based On The MITRE ATT&CK Framework)

Mitre attack

To Summarize…

There is a connecting line between threat intelligence about attack groups with cyber resilience, and it goes through vigorous threat actor profiling and clustering, threat hunting and accurate scoping of threats and risks.

This type of strategic and operational intelligence gives the bigger picture, looking at how threats and attack groups are changing over time. With such intelligence, you can find the answers to questions such as, who is attacking my organization, my industry, my region and why? The answers will provide clues to future operations and tactics of potential threat actors.

A single knowledge base with a contextualized analysis of all the major parameters and distinctions that define the threat actors, their motives and objectives, their targets and their modes of operation, and their technical skills, as part of an ongoing profiling process, is an essential tool for any cyber threat intelligence operation. Given the knowledge and the operational value derived from contextual analysis of threat actors’ activities and contextual-based profiling, security teams can substantially improve investigation processes and enhance the overall security resilience, with much more accurate threat hunting and risk scoping.
As security and intelligence professionals we must remember that raw data only becomes valuable once it is analyzed, to deliver targeted, context-based, actionable intelligence, according to the organization’s needs and assets, industry, location and more.

Download the Full Report Here

THE CYBERTHREAT HANDBOOK: THALES AND VERINT RELEASE THEIR “WHO’S WHO” OF CYBERATTACKERS

ThreatActorHandbook

PARIS LA DÉFENSE–(BUSINESS WIRE)–Powered by the cutting-edge technologies and products of Thales and Verint, the two companies are pleased to present The Cyberthreat Handbook, a report of unprecedented scope designed to provide a classification and basis for further investigation of major groups of cyberattackers, including cybercriminals, cyberterrorists, hacktivist groups and state-sponsored hackers. As part of the strategic partnership to create a comprehensive, state-of-the art Cyber Threat Intelligence technologies, threat intelligence analysts from Thales and Verint have worked together to provide this unique 360° view of the cyberthreat landscape, with detailed descriptions of the activities of about sixty particularly significant groups, including their tactics and techniques, their motives and the sectors targeted from analysis of multiple data sources such as web and threat intelligence.

Read the full Press Release here.

Download the report here.

Significant Increase in Cloud-Based Attacks in the Last Year

According to a recently published report for the first quarter of 2017, there has been a significant rise in consumer and enterprise accounts in the Cloud. As more and more organizations migrate to the Cloud, the frequency and sophistication of Cloud-based attacks is growing. Continue reading “Significant Increase in Cloud-Based Attacks in the Last Year”

Shadow Brokers’ Massive Leak Spreads Quickly Across the Dark Web

Since April 14th, when the Shadow Brokers leaked a new batch of files allegedly affiliated with Equation Group – an APT threat actor suspected of being tied to the NSA – Darknet forum members have been sharing the leaked attack tools and zero-day exploits among themselves. Continue reading “Shadow Brokers’ Massive Leak Spreads Quickly Across the Dark Web”

EclecticIQ Partners with SenseCy to Bring Leading Cyber Threat Intelligence Technology to the Israeli Cyber Community

We are very proud to announce our partnership with EclecticIQ, the industry-leading builder of analyst-centric technologies that turn cyber threat intelligence into business value.

In the partnership, SenseCy will deliver its unique cyber intelligence Continue reading “EclecticIQ Partners with SenseCy to Bring Leading Cyber Threat Intelligence Technology to the Israeli Cyber Community”

New Infographic – Tips on Avoiding Ransomware Attacks

Ransomware is emerging as a predominant online security threat to both home users and businesses, with numerous reports appearing every day on ransomware attacks against organizations across the globe. SenseCy analysts have prepared a short list of security measures recommended for any business to help avoid these attacks. Check out the tips and stay safe!

Defending against Ransomware

Terrogence, SenseCy and Sixgill Announce a Strategic Partnership

Terrogence, SenseCy and Sixgill have formed a strategic partnership to deliver next generation integrated big data analytics and cyber threat intelligence for Japanese clients. The new venture allows organizations to create their own personal collection lists and real-time threat alerts enhanced with actionable intelligence. We look forward to working together to produce high quality intelligence for our customers.

The full press release can be viewed here.

SenseCy Investigates The English-Language Underground

In 2015 we saw an active underground trading of exploits, botnets and spam tools. The number of Ransomware sales were much lower than it was expected by cyber security experts. Investigate the key trends in hacking tools commerce observed on the English-language underground in 2015 from our short Infographic.

Please contact us to receive your complimentary 2015 SenseCy Annual Cyber Threat Intelligence Report. https://www.sensecy.com/contact

English-language underground_2015

SenseCy 2015 Annual Cyber Threat Intelligence Report

Written and prepared by SenseCy’s Cyber Intelligence analysts.

SenseCy’s 2015 Annual CTI Report spans the main trends and activities monitored by us in the different cyber arenas including the world of Arab hacktivism, the Russian underground, the English-speaking underground, the Darknet and the Iranian underground. In addition, we have listed the major cyber incidents that occurred in 2015, and the most prominent attacks against Israeli organizations.

The following is an excerpt from the report. To receive a copy, please send a request to: info@sensecy.com

Executive Summary

2015 was a prolific year for cyber threats, so before elaborating on our main insights from the different arenas covered here at SenseCy, we would like to first summarize three of the main trends we observed in 2015.

Firstly, when reviewing 2015, we recommend paying special attention to the evolving world of ransomware and new applications of this type of malware, such as Ransomware-as-a-Service (RaaS), and ransomware targeting cloud services, as opposed to local networks and more.

Secondly, throughout 2015, we witnessed cyber-attacks against high-profile targets attributed to ISIS-affiliated hackers and groups. One such incident was the January 2015 allegedly attack against the YouTube channel and Twitter account of the U.S. Central Command (CENTCOM).

Thirdly, 2015 revealed a continuing interest in the field of critical infrastructure among hackers. Throughout the year, we witnessed multiple incidents of critical infrastructure firms allegedly targeted by hackers, prompting periodic analyses addressing the potential vulnerabilities of critical sectors such as energy, water, and more. Taking into consideration the advanced capabilities and high-level of understanding of such systems required to execute such attacks, many security firms and experts are confident that these attacks are supported by nation-state actors.

Insights

The following are several of our insights regarding activities in different cyber arenas this past year:

Islamic Hacktivism

During 2015, we detected several indications of anti-Israel cybercrime activity on closed platforms frequented by Arabic-speaking hackers. It will be interesting to see if these anti-Israel hacktivists that usually call to deface Israeli websites or carry out DDoS attacks will attempt to incorporate phishing attacks, spamming methods and tools into their arsenals. Notwithstanding, Islamic hacktivism activity continues unabated, but without any significant success.

Trade on Russian Underground Forums

The prominent products currently traded during 2015 on Russian underground forums are ransomware programs and exploits targeting Microsoft Office. With regard to banking Trojans, we did not notice any major developments or the appearance of new Trojans for sale. The PoS malware field has not yielded any new threats either, in contrast to the impression given by its intensive media coverage.

Mobile malware for Android devices is on the rise as well, with the majority of tools offered being Trojans, but we have also detected ransomware and loaders.

Prices on the Russian Underground have remained unchanged during the past two years, due to the vigorous competition between sellers on these platforms.

Different kinds of services, such as digital signing for malicious files, injections development for MitM attacks and crypting malware to avoid detection were also extremely popular on Russian forums.

Exploits and exploit kits on the Russian underground
Exploits and exploit kits on the Russian underground

The English-Language Underground

Our analysis of password-protected forums revealed that exploits were the best-selling products of 2015. This comes as no surprise, since exploits are a vital part of almost every attack.

The Darknet made the headlines on multiple occasions this year, mostly owing to databases that were leaked on it and media reports recounting FBI activities against Darknet users. Furthermore, this year saw increased activity by the hacking community on the Darknet, manifested in dedicated markets for the sale of 0-day exploits and the establishment of several new hacking forums.

Sales of hacking tools in the English-language underground
Sales of hacking tools in the English-language underground

The Iranian Underground

With regard to Iranian threat actors, 2015 was a highly prolific year, with attack groups making headlines around the world. Delving deeper into the Iranian underground, we uncovered several interesting trends, some more clear than others.

One main development in 2015 was the persistent interest in critical infrastructure, with underground forum members sharing and requesting information related to industrial control systems and other related components. With Iranian actors becoming increasingly drawn to this field, we assess that this trend will remain relevant in 2016 as well.

Another growing phenomenon is the stunted life cycles of Iranian cyber groups, many with a life-span of just several months. This trend makes it difficult to monitor the different entities active in the Iranian cyber arena and their activities. To understand the constant changes in this realm, this short life cycle trend must be taken into consideration and the Iranian cyber arena continuously monitored.

That said, we must not overlook one of the most prominent characteristics of Iranian attack groups – confidentiality. With attacks attributed to Iranian actors becoming more sophisticated and high-profile, we believe that the divide between medium-level practices of malicious activity and alleged state-sponsored activity by attack groups will remain pronounced.

Screenshot from the IDC-Team forum showing, among other things, the list of “Hottest Threads” and “Most Viewed Threads” on the forum
Screenshot from the IDC-Team forum showing, among other things, the list of “Hottest Threads” and “Most Viewed Threads” on the forum

ISIS – Cyber-Jihad

On the other side of the Arab-speaking cyber world, we can find ISIS and its evolving cyber activities. There is disagreement between intelligence firms and cyber experts about the cyber offensive capabilities of the Islamic State. In addition, there is a high motivation among hackers that identify with the group’s fundamentalist agenda to carry out cyber-attacks against Western targets, especially against those countries actively involved in the war against the group in Iraq and Syria.