In July, the U.S. Cybersecurity & Infrastructure Security Agency (CISA), in cooperation with its UK and Australian counterparts and the FBI, released its latest joint advisory on the most routinely exploited vulnerabilities. Of the common vulnerabilities and exposures (CVEs) listed, some are old news and others are more recent discoveries. Every CVE carries a unique identifier of the form CVE-20YY-SEQ#: the year is the year the ID was assigned or the flaw was publicly disclosed (not necessarily the year it was found, and certainly not the year it is exploited), and the sequence number, four or more digits, is the part that makes the ID unique within that year.
Whether brand new or old hat, the listed CVEs should be addressed immediately to limit your company's exposure. Review the CISA advisory and take the recommended action for each affected product you run. In the meantime, here are a few of the more notable and frequently exploited entries, and the steps you should take to protect your company.
Old is a relative term, but here it refers to any CVE published before 2020. Older vulnerabilities are popular in cyberattacks because exploiting them is quicker and easier than finding new weaknesses or building new exploits: working exploit code is already public, and enough systems remain unpatched that it still pays off. Malicious actors treat them as "old reliables."
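As an added illustration (not part of the original article), here is a small Python helper that pulls CVE IDs in the CVE-20YY-SEQ# form out of free text, normalizes and de-duplicates them, sorts them by year and sequence number, and splits them into the "old" (before 2020) and "new" buckets used in this article. The advisory excerpt it runs on is constructed for the example, and the cutoff year is the article's working definition, not any standard.

```python
import re

# CVE identifier syntax: "CVE-" + four-digit year + "-" + a sequence number of four or
# more digits. Word boundaries stop the pattern from matching inside longer tokens.
CVE_PATTERN = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)

# The article's working definition of "old": published before this year (not a standard).
OLD_CUTOFF_YEAR = 2020


def cve_sort_key(cve_id: str):
    """(year, sequence) as integers, so sequence 9999 sorts before 10000 within a year."""
    _, year, seq = cve_id.split("-")
    return int(year), int(seq)


def extract_cve_ids(text: str) -> list:
    """Distinct CVE IDs found in text, upper-cased and sorted by year then sequence."""
    found = {f"CVE-{year}-{seq}" for year, seq in CVE_PATTERN.findall(text)}
    return sorted(found, key=cve_sort_key)


def is_old(cve_id: str, cutoff: int = OLD_CUTOFF_YEAR) -> bool:
    return cve_sort_key(cve_id)[0] < cutoff


def triage(text: str, cutoff: int = OLD_CUTOFF_YEAR) -> dict:
    """Split the CVE IDs in text into the article's 'old' and 'new' buckets."""
    ids = extract_cve_ids(text)
    return {
        "old": [c for c in ids if is_old(c, cutoff)],
        "new": [c for c in ids if not is_old(c, cutoff)],
    }


# Constructed advisory excerpt: mixed case, a duplicate, and one malformed ID to ignore.
SAMPLE_ADVISORY = """\
Patch CVE-2019-19781 (Citrix ADC) and cve-2017-11882 (Office Equation Editor) first;
CVE-2020-15505 (MobileIron) is newer. CVE-19-1234 is not a valid identifier and must
be ignored, and CVE-2017-11882 appears twice.
"""

if __name__ == "__main__":
    for bucket, ids in triage(SAMPLE_ADVISORY).items():
        print(bucket, ids)
```

The same helper is handy for turning a vendor bulletin or the CISA advisory itself into a patch checklist: feed it the text, then look up each ID against the products you actually run.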
One of the oldest and most used CVEs is CVE-2017-11882, the "Microsoft Office Memory Corruption Vulnerability." The ubiquity of Microsoft Office keeps this exploit effective four years after its disclosure. The flaw is a buffer overflow in the legacy Equation Editor component (EQNEDT32.EXE), which runs as a separate process without the exploit mitigations that protect Office itself, so a crafted equation object gives the attacker remote code execution (RCE) as soon as the document is opened. Attackers embed such objects in Word or RTF files and deliver them, usually by email, for victims to unwittingly open. Microsoft released a patch specifically for this vulnerability in November 2017 and later removed Equation Editor from Office altogether; it also published a workaround for disabling the Equation Editor component if the patch cannot be applied.
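One practical check a mail gateway or document triage script can make is whether an inbound file embeds an Equation Editor object at all. The following Python is an added example, not code from Microsoft or from the original article: it looks for the publicly documented identifiers of the Equation Editor 3.0 component (the ProgID Equation.3, its COM CLSID in text and binary form, and the "Equation Native" OLE stream name) inside RTF, legacy OLE2 and OOXML files. The sample documents are constructed and carry no exploit payload, only the object header an exploit document would have.

```python
import io
import zipfile

# Publicly documented identifiers of the Equation Editor 3.0 component (EQNEDT32.EXE).
# (label, byte pattern, match case-insensitively?)
EQUATION_MARKERS = (
    ("progid",       b"Equation.3",                                       True),
    ("clsid-text",   b"0002CE02-0000-0000-C000-000000000046",             True),
    # The same CLSID as stored inside an OLE2 container (Data1-Data3 little-endian).
    ("clsid-binary", bytes.fromhex("02CE02000000000000C000000000000046"), False),
    # Name of the OLE stream that holds the equation (MTEF) data, stored as UTF-16LE.
    ("stream-name",  "Equation Native".encode("utf-16-le"),               False),
)


def _find_markers(blob: bytes) -> list:
    """Return the labels of every Equation Editor marker present in blob."""
    lowered = blob.lower()  # used only for the text markers; binary ones are matched exactly
    hits = []
    for label, pattern, case_insensitive in EQUATION_MARKERS:
        haystack, needle = (lowered, pattern.lower()) if case_insensitive else (blob, pattern)
        if needle in haystack:
            hits.append(label)
    return hits


def scan_document(data: bytes) -> list:
    """Return (location, marker) pairs for every Equation Editor reference in a document.

    OOXML files (.docx) are zip archives, so each member is searched separately and
    reported by name; RTF and legacy OLE2 (.doc) files are searched as one byte string.
    """
    if data.startswith(b"PK\x03\x04"):
        findings = []
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for name in archive.namelist():
                findings += [(name, label) for label in _find_markers(archive.read(name))]
        return findings
    return [("file", label) for label in _find_markers(data)]


def should_quarantine(data: bytes) -> bool:
    """Triage rule: any Equation Editor object in an inbound document is held for review."""
    return bool(scan_document(data))


# Constructed samples: an RTF carrying only the object header (no payload), a benign RTF,
# and a minimal .docx-shaped zip with and without an embedded object.
SUSPICIOUS_RTF = (b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Equation.3}"
                  b"{\\*\\objdata 0105000002000000}}}")
BENIGN_RTF = b"{\\rtf1\\ansi Quarterly report, no embedded objects.}"


def build_docx(embed_equation: bool) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        body = '<o:OLEObject ProgID="Equation.3" r:id="rId5"/>' if embed_equation else "<w:p/>"
        archive.writestr("word/document.xml", f"<w:document>{body}</w:document>")
        if embed_equation:
            # Stand-in for the OLE2 container; only the CLSID bytes matter to the scanner.
            archive.writestr("word/embeddings/oleObject1.bin", EQUATION_MARKERS[2][1])
    return buf.getvalue()


if __name__ == "__main__":
    for name, doc in (("suspicious.rtf", SUSPICIOUS_RTF), ("benign.rtf", BENIGN_RTF),
                      ("suspicious.docx", build_docx(True)), ("benign.docx", build_docx(False))):
        print(name, "QUARANTINE" if should_quarantine(doc) else "ok", scan_document(doc))
```

A hit is a triage signal, not proof of exploitation: legitimate documents written before Equation Editor was removed from Office can contain such objects, and an attacker can obscure the RTF form of the object header with control-word tricks that a plain substring search will miss. Treat a hit on an inbound document as a reason to open it only in an isolated environment, or to hold it until the patch is confirmed on the recipient's machine.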
The most exploited flaw in 2020 was CVE-2019-19781, a path traversal vulnerability in Citrix Application Delivery Controller (ADC) and Gateway. These appliances sit at the network edge, and CVE-2019-19781 can lead to full compromise of the appliance: the traversal lets an unauthenticated attacker reach scripts under the /vpns/ directory that are meant to be available only to authenticated VPN sessions, and from there run arbitrary commands on the underlying operating system (OS). Citrix published a mitigation (a policy that blocks such requests) in December 2019 and released fixed firmware in January 2020. Apply the fix, and also check for signs of earlier compromise, because neither the mitigation nor the patch undoes what an attacker did before they were applied.
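The traversal leaves a recognizable trace in the appliance's HTTP access log, which is where the published Citrix and CISA guidance told administrators to look. The following Python is an added example, not Citrix's or CISA's tooling and not from the original article: it parses Apache-style access log lines, URL-decodes the request path (twice, since probes are often double-encoded), and flags any request that reaches the /vpns/ directory by way of a ".." segment. The log lines are constructed, using documentation address ranges, with request paths in the shape of the publicly documented probes.

```python
import re
from urllib.parse import unquote

# Apache-style access log line, the shape of the appliance's httpaccess.log.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def decode_path(raw_path: str) -> str:
    """Strip the query string and URL-decode twice, since probes are often double-encoded."""
    return unquote(unquote(raw_path.split("?", 1)[0]))


def is_traversal_probe(raw_path: str) -> bool:
    """True when the request reaches the /vpns/ script directory through a '..' segment.

    Plain /vpns/ requests are normal for authenticated VPN sessions; it is the traversal
    that lets an unauthenticated client get there, so both conditions must hold.
    """
    path = decode_path(raw_path)
    return "/vpns/" in path and "/../" in path


def scan_log(lines):
    """Return (client ip, timestamp, decoded path, status) for every traversal probe."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_traversal_probe(m["path"]):
            alerts.append((m["ip"], m["ts"], decode_path(m["path"]), int(m["status"])))
    return alerts


# Constructed log lines (documentation address ranges, no real hosts): two probes from
# one client, then ordinary VPN traffic that must not be flagged.
SAMPLE_LOG = """\
203.0.113.10 - - [11/Jan/2020:03:14:07 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 312 "-" "curl/7.64.1"
203.0.113.10 - - [11/Jan/2020:03:14:09 +0000] "POST /vpn/%2e%2e/vpns/portal/scripts/newbm.pl HTTP/1.1" 200 57 "-" "curl/7.64.1"
198.51.100.7 - - [11/Jan/2020:03:15:00 +0000] "GET /vpn/index.html HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Jan/2020:03:15:02 +0000] "GET /vpns/portal/scripts/rmbm.pl HTTP/1.1" 200 88 "-" "Mozilla/5.0"
""".splitlines()


if __name__ == "__main__":
    for ip, ts, path, status in scan_log(SAMPLE_LOG):
        verdict = "served (unpatched at the time)" if status == 200 else "blocked"
        print(f"{ts} {ip} {path} -> {status} {verdict}")
```

The response status matters when reading the alerts: a 200 on a probe such as /vpn/../vpns/cfg/smb.conf means the appliance served the file, so it was neither patched nor mitigated at that moment and should be treated as potentially compromised, while a 403 means the mitigation blocked it. Requests to /vpns/ without a traversal segment are normal for authenticated sessions and are deliberately not flagged.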
These "old" CVEs have been around for years, a lifetime in any technology field. Why are they still a problem? Because a fix only helps once it has been installed, and that depends on administrators knowing about it and applying it. Once again, your company's data security depends on a proactive approach.
Newer CVEs are not as well known or as widely understood, which can make them more dangerous and more effective. According to CISA, four of the twelve most exploited CVEs of 2020 were themselves published in 2020. For 2021, the advisory identifies Microsoft (Exchange), Pulse Secure, Accellion, VMware and Fortinet products as the most frequent targets, each with at least one listed CVE that requires patching.
One critical CVE from 2020 is CVE-2020-15505, a remote code execution vulnerability in MobileIron Core and Connector, Sentry, and Monitor and Reporting Database (RDB) software. Because these are mobile device management (MDM) servers, an attacker who exploits it gains code execution on the system that manages and pushes configuration to every enrolled device. There is a patch available, but a key issue with CVE-2020-15505 is the absence of an automated detection method; manual investigation is the only way to find out whether a system has been attacked.
What to do
First, know your enemy, or at least your enemy's attack advantage. Stay up to date on CVEs, patch your company's systems as necessary, and follow vendor instructions to remediate vulnerabilities and mitigate potential damage. Follow these steps to fortify your company's cybersecurity defenses:
- Check for patches and apply them as soon as they are available, starting with internet-facing systems.
- Where a patch cannot be applied yet, follow vendor instructions for workarounds and damage mitigation.
- Monitor all your company's systems for suspicious activity, including signs of compromise that predate the patch.
- Install anti-malware software and keep it updated.
- Make sure stakeholders are aware of the risk.
As with any cybersecurity concern, it's crucial to stay informed. Prevention is key to keeping your company's data safe from cybercriminals and to closing CVEs old and new.