FBI, DHS CISA Publish Top Ten Cybersecurity ‘Hit List’ for State-Based and Non-State-Based Threat Actors

Two prominent US cybersecurity agencies recently disclosed the ten software vulnerabilities that, according to their own incident data, were most commonly exploited between 2016 and 2019 inclusive. The same report adds separate guidance on the vulnerabilities being exploited most heavily so far in 2020.

The report, authored by the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (DHS CISA) and the Federal Bureau of Investigation (FBI), urges organizations in the public and private sectors to apply all available software patches and updates to prevent the most common forms of attack encountered today.

This includes, but is not limited to, attacks carried out by state-sponsored, non-state, and unattributed threat actors.

US government officials have argued that applying patches could degrade the cyber arsenal of foreign actors targeting US entities, as they'd have to invest resources into developing new exploits, rather than relying on old and tested bugs.

"Exploitation of these vulnerabilities often requires fewer resources as compared with zero-day exploits for which no patches are available," US officials said.

"A concerted campaign to patch these vulnerabilities would introduce friction into foreign adversaries' operational tradecraft and force them to develop or acquire exploits that are costly and less widely effective."

A summary of the FBI and CISA’s findings on the ‘Top 10 Vulnerabilities from 2016 through 2019’

  1. OLE - According to U.S. Government technical analysis, malicious cyber actors most often exploited vulnerabilities in Microsoft’s Object Linking and Embedding (OLE) technology. OLE allows documents to contain embedded content from other applications such as spreadsheets. Of the top 10, the three vulnerabilities used most frequently across state-sponsored cyber actors from China, Iran, North Korea, and Russia are related to Microsoft’s OLE technology.

  2. Apache Struts - After OLE, the second-most-reported vulnerable technology was Apache Struts, a widely used Java web application framework.

  3. Windows Common Controls - As of December 2019, Chinese state cyber actors were still frequently exploiting the same Windows vulnerability they had relied on for years: a flaw in the Windows Common Controls that allows remote code execution.

  4. Unpatched Devices - The report also addresses why these old flaws remain exploitable. Deploying patches often requires IT security professionals to balance the need to mitigate vulnerabilities against the need to keep systems running and to ensure installed patches are compatible with other software. This can require a significant investment of effort, particularly when mitigating multiple flaws at the same time. The FBI and CISA noted that this leaves many organizations exposed, since IT infrastructure is frequently treated as an area for cost-saving measures.

  5. Microsoft and Adobe Flash products - A U.S. industry study released in early 2019 similarly found that the flaws malicious cyber actors exploited most consistently were in Microsoft products and Adobe Flash Player, probably because of the widespread use of these technologies.

A summary of the FBI and CISA’s top vulnerabilities from 2020

  • Citrix VPN appliances: a directory traversal vulnerability (CVE-2019-19781) in Citrix Application Delivery Controller (ADC) and Gateway versions 10.5, 11.1, 12.0, 12.1, and 13.0.

  • Pulse Secure VPN servers: an arbitrary file read vulnerability (CVE-2019-11510) in Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, in which an unauthenticated remote attacker can send a specially crafted URI to read arbitrary files from the appliance.
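Both 2020 entries are reached through a crafted request path, so a first-line check many defenders want is a scan of web or appliance access logs for traversal sequences. The following Python detector is an added example, not code from the advisory or the article: it parses Common Log Format lines, percent-decodes each request target up to two layers (to catch double encoding), and flags any `..` path segment in the path or in a query-string value. The log lines and paths are constructed for illustration and are not the actual exploit requests for either CVE.

```python
"""Flag HTTP requests carrying directory-traversal sequences, including
percent-encoded and double-encoded forms that a plain grep for '../' misses.
Added example; the sample log lines below are constructed, not real traffic."""
import re
from urllib.parse import unquote

# Common Log Format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)


def decode_layers(value, max_layers=2):
    """Return [raw, decoded-once, decoded-twice...] stopping when decoding is a no-op."""
    layers = [value]
    for _ in range(max_layers):
        nxt = unquote(layers[-1])
        if nxt == layers[-1]:
            break
        layers.append(nxt)
    return layers


def has_dotdot_segment(value):
    """True only for a whole '..' segment; 'v1..v2' inside a segment is not traversal."""
    return any(seg == ".." for seg in value.replace("\\", "/").split("/"))


def analyze_target(target):
    """Return None if the request target is clean, else where/how traversal was hidden."""
    path, _, query = target.partition("?")
    candidates = [("path", path)]
    for pair in filter(None, query.split("&")):      # split manually so nothing is pre-decoded
        key, _, val = pair.partition("=")
        candidates.append(("query:" + key, val))
    for where, value in candidates:
        for depth, layer in enumerate(decode_layers(value)):
            if has_dotdot_segment(layer):
                # depth 0 = visible in the raw request, 1 = single-encoded, 2 = double-encoded
                return {"where": where, "encoding_layers": depth, "decoded": layer}
    return None


def scan_log(lines):
    """Return one finding dict per request that carries a traversal sequence."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a production job should count these as well
        finding = analyze_target(m["target"])
        if finding:
            findings.append({"ip": m["ip"], "method": m["method"],
                             "target": m["target"], **finding})
    return findings


# Constructed sample log (RFC 5737 documentation addresses, illustrative paths only).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2020:10:00:01 +0000] "GET /vpn/index.html HTTP/1.1" 200 1532',
    '198.51.100.7 - - [10/Jan/2020:10:00:02 +0000] "GET /static/../../etc/passwd HTTP/1.1" 403 0',
    '198.51.100.7 - - [10/Jan/2020:10:00:03 +0000] "GET /static/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1024',
    '198.51.100.9 - - [10/Jan/2020:10:00:04 +0000] "GET /download?file=%252e%252e%252f%252e%252e%252fetc%252fshadow HTTP/1.1" 200 512',
    '203.0.113.8 - - [10/Jan/2020:10:00:05 +0000] "GET /docs/v1..v2/diff HTTP/1.1" 200 88',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['method']} {f['target']} -> traversal in {f['where']}, "
              f"hidden behind {f['encoding_layers']} encoding layer(s): {f['decoded']}")
```

Note the two caveats the sample encodes: the 403 response on the plain `../` request does not make it harmless (the encoded variants from the same source succeed), and `..` appearing inside a segment such as `v1..v2` is legitimate and must not be flagged. Run against real logs, a hit on a Citrix or Pulse appliance that was unpatched during the exposure window should be treated as a likely compromise, not just an attempt.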