May 21, 2020
The Cybersecurity and Infrastructure Security Agency (“CISA”) at the U.S. Department of Homeland Security (“DHS”) says it's simple: update your software with the latest security patches.
In a May 12 Alert, CISA provided details concerning the top 10 vulnerabilities routinely exploited by sophisticated state-sponsored hackers. Most of these vulnerabilities are publicly known (and many are almost a decade old). Despite that, these known vulnerabilities are still being used effectively to effectuate data breaches (for sovereign and criminal purposes).
With the Alert, CISA is encouraging a type of “cyber-herd immunity” against known vulnerabilities. Exploiting known vulnerabilities requires considerably fewer resources from foreign actors seeking to penetrate data systems than do so-called “zero-day exploits”. By highlighting these vulnerabilities (and the simple patches required to mitigate them), CISA hopes to make the hacking attempts of foreign actors more costly, more time intensive, and less productive (and the associated attacks and threats less likely). “The public and private sectors could degrade some foreign cyber threats to U.S. interests through an increased effort to patch their systems and implement programs to keep system patching up to date. A concerted campaign to patch these vulnerabilities would introduce friction into foreign adversaries’ operational tradecraft and force them to develop or acquire exploits that are more costly and less widely effective. A concerted patching campaign would also bolster network security by focusing scarce defensive resources on the observed activities of foreign adversaries.” While the Alert primarily deals with state-sponsored attacks, the vulnerabilities addressed are so well known that less sophisticated criminal and amateur hackers can easily exploit them, and mitigation of these known attacks should really be at the top of every company’s IT “to do list”.
The Alert is in two parts, the first devoted to the top 10 most exploited vulnerabilities from 2016 to 2019 and the second to those vulnerabilities exploited in 2020. Earlier hacks (especially by state-sponsored actors in China, Iran, North Korea, and Russia) exploited vulnerabilities in Microsoft’s Object Linking and Embedding (OLE) technology. However, the failure by US companies to implement the patches provided once the vulnerabilities were detected allowed continued exploitation by Chinese state cyber actors through December 2019 (for a vulnerability that was fully described in 2015). Other Microsoft and Adobe Flash products in wide commercial usage were noted points of penetration (as set out in a 2019 report titled “Criminal Underground Continues to Target Microsoft Products in Top 2019 Exploited Vulnerabilities List”). Disturbingly, in this unprecedented era of “work from home”, new targeted intrusions are focusing on Virtual Private Network vulnerabilities, Office 365 systems deployed in new cloud collaboration service configurations, and increasing social engineering schemes (playing on a bored “stay at home” work force), coupled with a lack of system recovery and contingency planning (making ransomware attacks increasingly prevalent and costly). All of the recent application-level vulnerabilities noted have available patches — they just haven’t been consistently implemented by companies whose IT departments are straining to accommodate the new “safer-at-home”/“stay-at-home” resource requirements.
CISA also references its guide to Cyber Essentials for mitigation guidelines related to the social engineering vulnerabilities, and the two services it offers for internet-facing vulnerability scanning and web application review “to help organizations reduce their exposure to threats by taking a proactive approach to mitigating attack vectors.” For today’s haggard IT professionals trying to explain, and beleaguered C-suite executives trying to understand, the threats and the infrastructure necessary for managing these cybersecurity threats, the Alert provides a simple infographic.
The Alert is important for three reasons. First, it highlights threats that can be quickly and cost-effectively resolved once proper resources are allocated. Second, it demonstrates the methodology used by state-sponsored hackers that can be easily adapted by criminals to gain access to a company's critical digital information. Third, it illustrates the simple ROI approach that both governments and criminals use in cyber-attacks: a “lazy man” exploit of known vulnerabilities that is quick, easy, and cheap because companies haven’t installed available patches (rather than expending significant sophisticated resources to look for new and novel ways to achieve their goal of compromising your company’s systems — resources that are only justified for high-value targets).
These materials have been prepared for informational purposes only and are not legal advice. This information is not intended to create, and receipt of it does not constitute, an attorney-client relationship. Internet subscribers and online readers should not act upon this information without seeking professional counsel.