The Top 20 Vulnerabilities to Patch before 2020

Published first in Dark Reading by Kelly Sheridan.

In an ideal world, organizations would patch every new vulnerability once it’s discovered. In real-life, this is impossible. Security analysts responsible for vulnerability management activities face multiple challenges that result in what the industry calls “The Patching Paradox” – common sense tells you to keep every system up to date in order to be protected, but this is not possible due to limited resources, existence of legacy systems and slow implementation of patches.

Verint’s Cyber Threat Intelligence (CTI) Group analyzed the top 20 vulnerabilities that are currently exploited by attack groups worldwide. The goal of this analysis is to provide security professionals with an incentive to improve their patching management activities.

Key Findings:

  • 34% of the attacks exploiting these vulnerabilities, originated in China
  • 45% of the vulnerabilities affect Microsoft products
  • Vulnerabilities from as early as 2012 (!) are still used to carry out successful attacks

According to the National Vulnerability Database (NVD), since 2016 we have seen an increase of ~130% in the number of disclosed vulnerabilities, or in other words there is an average of ~45 new vulnerabilities per day as can be seen in the graph below. Additional statistics reveal that almost 60% of all vulnerabilities are classified as ‘Critical’ or ‘High’.

NVD_data

Recent threat intelligence gathered by Verint and Thales Group about 66 attack groups operating globally, revealed that advanced threat actors leverage old vulnerabilities that are left unpatched. To make things even more complicated, according to a recent study by Ponemon Institute for ServiceNow60% of breaches were linked to a vulnerability where a patch was available, but not applied.

So, How Can We Clean Up The Mess?

Operational Threat Intelligence – Each CVE is given a severity score. However, these scores do not necessarily represent the actual risk for the organization. For example, CVE-2018-20250 (WinRAR vulnerability) has a CVSS (Common Vulnerability Scoring System) base score of 7.8 (‘High’) in NVD and 6.8 (‘Medium’) in ‘CVE Details’. This vulnerability has been exploited by at least five different APT groups, from different locations, against targets in the U.S., South East Asia, Europe, and The Middle East and against a wide range of industries, including Government Agencies, Financial Services, Defense, Energy, Media and more. This information clearly indicates the criticality of the vulnerability and the urgency for immediate patching.

Other contextual data that should influence your patching prioritization process is what vulnerabilities are currently discussed in the Dark Web by threat actors, or which exploits are currently developed? Threat intelligence is key when we try to determine what vulnerabilities are critical to our organization. Maintaining a knowledge base of exploited vulnerabilities according to the attack groups leveraging them, provides a solid starting point for vulnerability prioritization. In addition, having information about the attack groups – for example their capabilities, TTPs and the industries and countries they target – helps to better evaluate the risk and prioritize patching activities.

The Top 20 Vulnerabilities to Patch Now

Verint’s CTI Group constantly monitors different intelligence data sources and create daily CTI feeds, which include the latest daily cyber activities. The analysis below is based on over 5,300 feeds and other intelligence items the group has analyzed in the past 2.5 years, covering over 800 CVEs.

The 20 vulnerabilities were extracted based on the number of times they have been exploited by sophisticated cyber-attack groups operating in the world today (from high to low):

No. CVE Products Affected by CVE CVSS Score (NVD) First-Last Seen (#Days) Examples of Threat Actors
1 CVE-2017-11882 Microsoft Office 7.8 713 APT32 (Vietnam), APT34 (Iran), APT40 (China), APT-C-35 (India), Cobalt Group (Spain, Ukraine), Silent Group (Russia), Lotus Blossom (China), Cloud Atlas (Unknown), FIN7 (Russia)
2 CVE-2018-8174 Microsoft Windows 7.5 558 Silent Group (Russia), Dark Hotel APT (North Korea)
3 CVE-2017-0199 Microsoft Office, Windows 7.8 960 APT34 (Iran), APT40 (China), APT-C-35 (India), Cobalt Group (Spain, Ukraine), APT37 (North Korea), Silent Group (Russia), Gorgon Group (Pakistan), Gaza Cybergang (Iran)
4 CVE-2018-4878 Adobe Flash Player, Red Hat Enterprise Linux 9.8 637 APT37 (North Korea), Lazarus Group (North Korea)
5 CVE-2017-10271 Oracle WebLogic Server 7.5 578 Rocke Gang (Chinese Cybercrime)
6 CVE-2019-0708 Microsoft Windows 9.8 175 Kelvin SecTeam (Venezuela, Colombia, Peru)
7 CVE-2017-5638 Apache Struts 10 864 Lazarus Group (North Korea)
8 CVE-2017-5715 ARM, Intel 5.6 424 Unknown
9 CVE-2017-8759 Microsoft .net Framework 7.8 671 APT40 (China), Cobalt Group (Spain, Ukraine), APT10 (China)
10 CVE-2018-20250 RARLAB WinRAR 7.8 189 APT32 (Vietnam), APT33 (Iran), APT-C-27 (Iran), Lazarus Group (North Korea), MuddyWater APT (Iran)
11 CVE-2018-7600 Debian, Drupal 9.8 557 Kelvin SecTeam (Venezuela, Colombia, Peru), Sea Turtle (Iran)
12 CVE-2018-10561 DASAN Networks 9.8 385 Kelvin SecTeam (Venezuela, Colombia, Peru)
13 CVE-2017-17215 Huawei 8.8 590 ‘Anarchy’ (Unknown)
14 CVE-2012-0158 Microsoft N/A; 9.3 (according to cvedetails.com) 2690 APT28 (Russia), APT-C-35 (India), Cobalt Group (Spain, Ukraine), Lotus Blossom (China), Cloud Atlas (Unknown), Goblin Panda (China), Gorgon Group (Pakistan), APT40 (China)
15 CVE-2014-8361 D-Link, Realtek N/A; 10 (according to cvedetails.com) 1644 ‘Anarchy’ (Unknown)
16 CVE-2017-8570 Microsoft Office 7.8 552 APT-C-35 (India), Cobalt Group (Spain, Ukraine), APT23 (China)
17 CVE-2018-0802 Microsoft Office 7.8 574 Cobalt Group (Spain, Ukraine), APT37 (North Korea), Silent Group (Russia), Cloud Atlas (Unknown), Goblin Panda (China), APT23 (China), APT27 (China), Rancor Group (China), Temp.Trident (China)
18 CVE-2017-0143 Microsoft SMB 8.1 959 APT3 (China), Calypso (China)
19 CVE-2018-12130 Fedora 5.6 167 Iron Tiger (China), APT3 (China), Calypso (China)
20 CVE-2019-2725 Oracle WebLogic Server 9.8 144 Panda (China)
BONUS CVE-2019-3396 Atlassian Confluence 9.8 204 APT41 (China), Rocke Gang (Chinese Cybercrime)

Cybercriminals Integrate Exploit for CVE-2018-8174 into Numerous Attack Tools

The CVE-2018-8174 vulnerability, also dubbed “Double Kill,” was discovered in the beginning of May 2018, when it was exploited as a 0-day in an APT attack leveraging malicious Office files in China. The vulnerability affects users with Internet Explorer installed, either after they browse the web or after they open crafted Office documents – even if the default browser on the victim’s machine is not set to IE. Moreover, it will also affect IE11, even though VBScript is no longer supported by using the compatibility tag for IE10. Microsoft patched the vulnerability on May 8, 2018. Continue reading “Cybercriminals Integrate Exploit for CVE-2018-8174 into Numerous Attack Tools”

Massive Cyber Attack Causing Chaos as World Still Recovers from WannaCry

In the past few hours, multiple reports were published about a mass-scale cyber-attack taking place in Ukraine. The attack hit multiple government resources, as well as corporate, financial and critical infrastructure systems (Kyiv subway and airport, electricity and oil companies, etc). Continue reading “Massive Cyber Attack Causing Chaos as World Still Recovers from WannaCry”

Updates about the Upcoming #OpIsrael Campaign

The number of participants in the event pages of the #OpIsrael campaign, as of the first week of April 2017, is approximately 600 Facebook users – a very low number of supporters compared to the same period in previous campaigns. In general, the response on social networks to the #OpIsrael campaign over the years since 2013 is constantly declining. Continue reading “Updates about the Upcoming #OpIsrael Campaign”

Russian Cyber Criminal Underground – 2015: The Prosperity of Ransomware and Office Exploits

The prominent products traded during 2015 on Russian underground forums were Ransomware programs and exploits targeting Microsoft Office. Prices on the Russian Underground have remained unchanged during the past two years, due to the vigorous competition between sellers on these platforms. Different kinds of services, such as digital signing for malicious files, injections development for MitM attacks and Crypting malware to avoid detection were also extremely popular on Russian forums.

Check out the new Infographic from SenseCy illustrating key trends observed on Russian underground in 2015.

Please contact us to receive your complimentary 2015 SenseCy Annual Cyber Threat Intelligence Report: https://www.sensecy.com/contact

Russian_underground_final

The Latest Trends in the Russian Underground – H1 2015 Summary

It is summer in Russia, and the time of the year when people head to the seaside on vacation for a couple of weeks’ break. The decline in activity can be clearly seen on the Russian-speaking forums and marketplaces dealing with cybercrime. Apparently, cybercriminals also take a rest from their online activities, just as they would from a regular full-time job. For us, it is the best time to perform a deep analysis of the main trends in the Russian underground boards during the first half of 2015. When preparing the insights from this analysis, our goal was to identify the main scope of interest on closed, Russian-speaking forums these days, as well as to pinpoint the shifts that have occurred in the last six months.

In order to draw conclusions, we analyzed the threads from the last six months from the four leading Russian forums. These forums mainly serve as a marketplace for attack tools and platforms, in addition to being a source of information and consultation for the forum members. Hereinafter, we tried to summarize the main topics of conversation on Russian marketplaces dedicated to cybercrime during the past six months:

Exploit Kits: In recent months, we have witnessed numerous attacks involving EK as the intrusion vector, including Angler, Neutrino, Nuclear, Magnitude and RIG. These EKs are constantly updated with new exploits.

While some EKs are offered for sale on trading boards, others are available exclusively to selected buyers via private sales, using the Jabber instant messaging system for example. For one case in point, RIG EK 3.0 is offered for a monthly rental fee of $700 on a closed Russian forum (this is considered an extremely low price). In comparison, Angler EK, AKA XXX is not advertised at all among Russian forum members on any of the closed forums.

RIG EK Statistics – screenshots published by the developer of the EK
RIG EK Statistics – screenshots published by the developer of the EK

Banking Trojans: During the last few months, we did not spot any new banking Trojans for sale on the Russian underground. The majority of recent attacks against the financial industry clients were perpetrated using DYRE or Dridex banking Trojans. Even though there is evidence that both were developed by Russian coders and are distributed among Russian-speaking criminals, we did not witness any commercial trading of these Trojans.

The two Trojans currently selling on Russian forums are Kronos, whose sales started back in the middle of 2014, and the new version of Tinba, which is based on source code leaked in the 2014 version.

Tinba banking Trojan offered for rent
Tinba banking Trojan offered for rent

Ransomware: Despite the fact that new campaigns distributing ransomware are uncovered on a regular basis, culminating in an FBI alert at the beginning of 2015, we did not see an elevated interest in this kind of malware on the Russian forums. The sales of CTB-Locker were ceased, at least publicly, probably because of the extensive media coverage. None of the ransomware tools that are widely used in the wild (TorrentLocker, Tesla Crypt, Cryptowall), are offered for sale on Russian marketplaces. The only two new ransomware tools offered during H1 2015 were GM Cryptolocker for Android-based devices and Azazel locker, for just $200. Both are relatively new and there has been no comprehensive feedback from buyers as yet.

The interface of GM Cryptolocker – ransomware for mobile platforms
The interface of GM Cryptolocker – ransomware for mobile platforms

RAT malware based on legitimate software – a clear new trend on the Russian underground is the development of malicious tools based on the source code of legitimate software for remote access (such as TeamViewer, AmmyAdmin, etc.). These tools are disguised as an update for the software or as a setup file. Additional tools traded on the forums exploit services and programs for remote control, such as RDS (Remote Desktop Services, RMS (Remote Manipulator System) and RDP (Remote Desktop Protocol).

To date, we have identified five different malicious tools of this kind for sale during the last six months. According to the sellers’ description, they are capable of bypassing defense mechanisms installed on the machine and gaining full access to it.

Screenshot from a video uploaded by the seller of TVSpy, a RAT based on TeamViewer software. The video presents the malware in action.
Screenshot from a video uploaded by the seller of TVSpy, a RAT based on TeamViewer software. The video presents the malware in action.

Loaders and Droppers – In recent months, we have identified a rise in this type of malware for sale on Russian underground forums. Generally, they it is spread via spam emails, and once installed on the system, serves as a tunnel for later installations of malicious programs. In this manner, defense mechanisms can be bypassed. One instance involving this malware was the infamous Andromeda, sold since 2011 to date for only $500. Andromeda was employed by the Carbanak group against financial targets. Aside from Andromeda, we also identified six new loaders and droppers offered for sale during the past six months.

Digital Certificates Trade – This phenomenon started as a sporadic sales thread, appearing occasionally on several forums during the last year. As demand expanded, trade in digital certificates evolved into a successful sub-category on Russian underground marketplaces. Recently, a dedicated online shop for trade in digital certificates was launched. The average price for one certificate is about 1.4 BTC.

The vigorous trade in these certificates demonstrates that they are quite useful for the purchasers, who use them to sign the malicious code they distribute and evade detection.

For obvious reasons, the sellers do not disclose the origin of the certificates, but claim they are authentic and were issued by a Certificate Authority (CA).

An online shop for digital certificates trade
An online shop for digital certificates trade

MacroExp – a Combined Social Engineering and Exploit Attack

Combining an executable, usually malicious file with a standard Word or Excel file, unbeknownst to the user, has always been an aspiration for cyber-criminals. With such an asset, they could make the victim unwittingly install the malware, without raising his suspicions or AV vendor alerts when running an executable file. For this reason, requests for such services are frequently posted on underground forums, as cyber criminals search for easy ways to spread their malware files. Occasionally, this demand meets a supply, usually highly priced due to the opportunities it provides.

On this occasion, while monitoring Russian underground forums, we came across an advertisement for an exploit that targets Microsoft Office Word via Visual Basic Scripting for Applications feature. The exploit, referred to as MacroExp v 1.0.5 by the seller, first appeared for sale two days ago (on August 11), for $1,000. The price includes the exploit builder, as well as further updates and technical support.

According to the description on the forum, the exploit binds an executable file with a .doc file, making the .exe invisible to the victim. It is compatible with all Microsoft Office Word versions (2000-2013), as well as Windows OS x86 and x64. Since the presence of the executable file is invisible, it is not detected by AV and IPS systems, or firewalls.

The disadvantage of the method, as described by the seller, is the pop-up of a macro-enabling alert required for the actual running of the executable file. He suggests overcoming this obstacle by using social engineering methods.

A week ago, CISCO reported this attack vector, detected by its researchers, in the wild. It was used in spear-phishing attacks in such industries as banking, oil, television and jewelry. The starting point involved sending a Word file written specifically for the recipient. When clicking on the document, a macro alert popped up. Once enabled, it led to the download of an executable malicious file and launched it on the victim’s computer.

It is difficult to say if the same perpetrators are behind the both attacks, or it is just the same vector that is used in the both cases. On the one hand, one of the CnC domains discovered by CISCO was registered seven years ago, which may indicate that the threat actor has been in operation since at least 2007. On the other hand, the seller connected himself to the CISCO report, claiming that the described attack is his project. Moreover, he mentioned that more than 20 clients were already using the exploit, and that this was not the first version since its release. The matter will become clearer as more cases are identified in the wild, combined with more feedback from buyers on the forum.

Screenshots of the exploit in action uploaded by the sellerScreenshots of the exploit in action uploaded by the sellerScreenshots of the exploit in action uploaded by the seller

Cyber Intelligence Yearly Report

Executive Summary

The SenseCy Cyber Intelligence team, along with our partners ClearSky and Aman Computers, has been providing intelligence monitoring services for leading financial institutes in Israel for over a year. Our unique methodology of using “Virtual Entities” to infiltrate cyber-attack groups and the underground has proven successful in alerting regarding imminent cyber threats, as well as detecting new Malware types and monitoring broader cyber trends.

The following is an extract of an annual report sent to our customers. To receive a copy, please send a request to: info@sensecy.com

Main Findings

This report comprises an analysis of data amassed from major cyber incidents pertaining to financial institutions in Israel over the past year, as reflected in the alerts, weekly and monthly reports produced by our Cyber Intelligence team. The analysis can be summarized as follows:

  • The majority of Hacktivist campaigns were directed against the government and financial sectors.
  • Interestingly, we have found no correlation between the attack dates and any symbolically significant dates.
  • The main threat actors were political activists and political cyber warriors.
  • The more popular attack types were data leakage (exploitation) attacks, resource depletion attacks, injection attacks and social engineering attacks.

Additionally, the report includes an analysis of data collected on the sale of attack tools on underground forums (mostly Russian). The analysis comprises 42 tools and exploits, summarized as follows:

  • The most popular tools for sale on the underground are bots and exploits (some sold as exploit kits), followed by Trojan horses.
  • Their main purpose is stealing financial information.
  • The main functions of the tools sold included running Web injection attacks and grabbers, intercepting and forwarding SMS messages and calls from cell phones, Keyloggers, and DDoS attack tools.
  • Java was the program identified as most vulnerable to attack.
  • The most vulnerable Web browser was Internet Explorer, followed closely by FireFox.
  • The most vulnerable operating system was Windows.

Event Classification

This summary is based on major cyber events pertinent to the financial sector, as published in the various reports we issued throughout the year. The analysis is based on data from over 40 cyber events.

The majority of incidents reported are specifically relevant to the financial sector, but also include a category for general threats to Israeli websites, mainly from political threat elements. This classification is evident in the graph below, with the leading threats being financial, data loss, defacement and DDoS.

Classification

Timeline of Events 2013

Timeline

Classification of the Sale of Attack Tools on the Underground

The summary was based on all malware/exploit sales for the past year that appeared on underground forums, mainly Russian forums, monitored by us – more than 40 in total. The majority of tools for sale are bots, followed by exploits or exploit kits. Trojan horses are also offered for sale, but less frequently.

Underground