The Top 20 Vulnerabilities to Patch before 2020

Published first in Dark Reading by Kelly Sheridan

In an ideal world, organizations would patch every new vulnerability as soon as it is discovered. In real life, this is impossible. Security analysts responsible for vulnerability management face multiple challenges that result in what the industry calls “The Patching Paradox” – common sense tells you to keep every system up to date in order to be protected, but this is not possible because of limited resources, legacy systems that cannot be patched, and slow rollout of patches.

Verint’s Cyber Threat Intelligence (CTI) Group analyzed the top 20 vulnerabilities that are currently exploited by attack groups worldwide. The goal of this analysis is to provide security professionals with an incentive to improve their patching management activities.

Key findings:

  • 34% of the attacks exploiting these vulnerabilities originated in China
  • 45% of the vulnerabilities affect Microsoft products
  • Vulnerabilities from as early as 2012 (!) are still used to carry out successful attacks

According to the National Vulnerability Database (NVD), since 2016 we have seen an increase of ~130% in the number of disclosed vulnerabilities; in other words, there is an average of ~45 new vulnerabilities per day, as can be seen in the graph below. Additional statistics reveal that almost 60% of all vulnerabilities are classified as ‘Critical’ or ‘High’.

Recent threat intelligence gathered by Verint and Thales Group about 66 attack groups operating globally revealed that advanced threat actors leverage old vulnerabilities that are left unpatched. To make things even more complicated, according to a recent study by the Ponemon Institute for ServiceNow, 60% of breaches were linked to a vulnerability for which a patch was available but not applied.

So, How Can We Clean Up the Mess?

Operational Threat Intelligence – Each CVE is given a severity score. However, these scores do not necessarily represent the actual risk to the organization. For example, CVE-2018-20250 (WinRAR vulnerability) has a CVSS (Common Vulnerability Scoring System) base score of 7.8 (‘High’) in NVD and 6.8 (‘Medium’) in CVE Details. This vulnerability has been exploited by at least five different APT groups, from different locations, against targets in the U.S., South East Asia, Europe, and the Middle East, and against a wide range of industries, including government agencies, financial services, defense, energy, media and more. This information clearly indicates the criticality of the vulnerability and the urgency of immediate patching.

Other contextual data that should influence your patching prioritization process includes which vulnerabilities threat actors are currently discussing on the Dark Web and which exploits are currently being developed. Threat intelligence is key when we try to determine which vulnerabilities are critical to our organization. Maintaining a knowledge base of exploited vulnerabilities, mapped to the attack groups leveraging them, provides a solid starting point for vulnerability prioritization. In addition, information about the attack groups – for example their capabilities, TTPs, and the industries and countries they target – helps to better evaluate the risk and prioritize patching activities.

The Top 20 Vulnerabilities to Patch NOW

Verint’s CTI Group constantly monitors different intelligence data sources and creates daily CTI feeds covering the latest cyber activities. The analysis below is based on over 5,300 feeds and other intelligence items the group has analyzed in the past 2.5 years, covering over 800 CVEs.

The 20 vulnerabilities were ranked by the number of times they have been exploited by sophisticated cyber-attack groups operating in the world today (from high to low):

| No. | CVE | Products Affected by CVE | CVSS Score (NVD) | First-Last Seen (#Days) | Examples of Threat Actors |
|---|---|---|---|---|---|
| 1 | CVE-2017-11882 | Microsoft Office | 7.8 | 713 | APT32 (Vietnam), APT34 (Iran), APT40 (China), APT-C-35 (India), Cobalt Group (Spain, Ukraine), Silent Group (Russia), Lotus Blossom (China), Cloud Atlas (Unknown), FIN7 (Russia) |
| 2 | CVE-2018-8174 | Microsoft Windows | 7.5 | 558 | Silent Group (Russia), Dark Hotel APT (North Korea) |
| 3 | CVE-2017-0199 | Microsoft Office, Windows | 7.8 | 960 | APT34 (Iran), APT40 (China), APT-C-35 (India), Cobalt Group (Spain, Ukraine), APT37 (North Korea), Silent Group (Russia), Gorgon Group (Pakistan), Gaza Cybergang (Iran) |
| 4 | CVE-2018-4878 | Adobe Flash Player, Red Hat Enterprise Linux | 9.8 | 637 | APT37 (North Korea), Lazarus Group (North Korea) |
| 5 | CVE-2017-10271 | Oracle WebLogic Server | 7.5 | 578 | Rocke Gang (Chinese Cybercrime) |
| 6 | CVE-2019-0708 | Microsoft Windows | 9.8 | 175 | Kelvin SecTeam (Venezuela, Colombia, Peru) |
| 7 | CVE-2017-5638 | Apache Struts | 10 | 864 | Lazarus Group (North Korea) |
| 8 | CVE-2017-5715 | ARM, Intel | 5.6 | 424 | Unknown |
| 9 | CVE-2017-8759 | Microsoft .NET Framework | 7.8 | 671 | APT40 (China), Cobalt Group (Spain, Ukraine), APT10 (China) |
| 10 | CVE-2018-20250 | RARLAB WinRAR | 7.8 | 189 | APT32 (Vietnam), APT33 (Iran), APT-C-27 (Iran), Lazarus Group (North Korea), MuddyWater APT (Iran) |
| 11 | CVE-2018-7600 | Debian, Drupal | 9.8 | 557 | Kelvin SecTeam (Venezuela, Colombia, Peru), Sea Turtle (Iran) |
| 12 | CVE-2018-10561 | DASAN Networks | 9.8 | 385 | Kelvin SecTeam (Venezuela, Colombia, Peru) |
| 13 | CVE-2017-17215 | Huawei | 8.8 | 590 | ‘Anarchy’ (Unknown) |
| 14 | CVE-2012-0158 | Microsoft | N/A; 9.3 (according to cvedetails.com) | 2690 | APT28 (Russia), APT-C-35 (India), Cobalt Group (Spain, Ukraine), Lotus Blossom (China), Cloud Atlas (Unknown), Goblin Panda (China), Gorgon Group (Pakistan), APT40 (China) |
| 15 | CVE-2014-8361 | D-Link, Realtek | N/A; 10 (according to cvedetails.com) | 1644 | ‘Anarchy’ (Unknown) |
| 16 | CVE-2017-8570 | Microsoft Office | 7.8 | 552 | APT-C-35 (India), Cobalt Group (Spain, Ukraine), APT23 (China) |
| 17 | CVE-2018-0802 | Microsoft Office | 7.8 | 574 | Cobalt Group (Spain, Ukraine), APT37 (North Korea), Silent Group (Russia), Cloud Atlas (Unknown), Goblin Panda (China), APT23 (China), APT27 (China), Rancor Group (China), Temp.Trident (China) |
| 18 | CVE-2017-0143 | Microsoft SMB | 8.1 | 959 | APT3 (China), Calypso (China) |
| 19 | CVE-2018-12130 | Fedora | 5.6 | 167 | Iron Tiger (China), APT3 (China), Calypso (China) |
| 20 | CVE-2019-2725 | Oracle WebLogic Server | 9.8 | 144 | Panda (China) |
| BONUS | CVE-2019-3396 | Atlassian Confluence | 9.8 | 204 | APT41 (China), Rocke Gang (Chinese Cybercrime) |
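The prioritization argument made above (CVSS alone understates a CVE such as CVE-2018-20250 that several APT groups are actively exploiting) can be turned into a small ranking model. The following is an added example, not code from the article or from Verint: the rows are a subset of the table above, while the scoring weights and caps are assumptions chosen for illustration.

```python
"""Threat-intelligence-weighted patch prioritization (added example).

Rows are copied from the article's table: CVE, product, NVD CVSS base score,
days between first and last observed exploitation, and named threat actors.
The weights in intel_score() are an ASSUMPTION for illustration only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    cve: str
    product: str
    cvss: float        # NVD base score (0-10)
    days_seen: int     # "First-Last Seen (#Days)" column
    actors: tuple      # distinct threat-actor names from the table


# Five rows taken from the article's table (constructed subset, values as published).
OBSERVED = [
    Vuln("CVE-2017-11882", "Microsoft Office", 7.8, 713,
         ("APT32", "APT34", "APT40", "APT-C-35", "Cobalt Group",
          "Silent Group", "Lotus Blossom", "Cloud Atlas", "FIN7")),
    Vuln("CVE-2018-20250", "RARLAB WinRAR", 7.8, 189,
         ("APT32", "APT33", "APT-C-27", "Lazarus Group", "MuddyWater APT")),
    Vuln("CVE-2017-5638", "Apache Struts", 10.0, 864, ("Lazarus Group",)),
    Vuln("CVE-2017-5715", "ARM, Intel", 5.6, 424, ()),
    Vuln("CVE-2019-0708", "Microsoft Windows", 9.8, 175, ("Kelvin SecTeam",)),
]


def cvss_only_rank(vulns):
    """Baseline ordering: highest CVSS base score first (ties keep input order)."""
    return [v.cve for v in sorted(vulns, key=lambda v: v.cvss, reverse=True)]


def intel_score(v, actor_weight=1.5, days_weight=0.002):
    """Assumed model: CVSS plus a bonus per distinct exploiting actor (capped at 5)
    plus a small bonus for how long the CVE has been exploited in the wild."""
    actor_bonus = min(len(set(v.actors)), 5) * actor_weight
    longevity_bonus = min(v.days_seen, 1000) * days_weight
    return v.cvss + actor_bonus + longevity_bonus


def intel_rank(vulns):
    """Ordering by threat-intel-weighted score, highest first."""
    return [v.cve for v in sorted(vulns, key=intel_score, reverse=True)]


def reprioritized(vulns):
    """Map each CVE to its 1-based position under (CVSS-only, intel-weighted)
    ranking, so analysts can see which patches move up once exploitation is considered."""
    by_cvss, by_intel = cvss_only_rank(vulns), intel_rank(vulns)
    return {v.cve: (by_cvss.index(v.cve) + 1, by_intel.index(v.cve) + 1) for v in vulns}
```

Under this model CVE-2018-20250 climbs from fourth place (CVSS-only) to second, while the CVSS 10 Apache Struts bug, exploited by a single listed group, drops to third.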

Author: Gilad Zahavi

Mr. Zahavi is Director of Cyber Threat Intelligence at Verint Systems, a world leader in Actionable Intelligence Technologies. Mr. Zahavi is a leading expert in threat intelligence, with more than 15 years of experience in intelligence and management positions. In his previous roles, Mr. Zahavi was VP Cyber Threat Intelligence (CTI) of SenseCy Cyber Intelligence Ltd. and a member of the Terrogence Ltd. management team. Before joining SenseCy, Mr. Zahavi was an intelligence analyst and a team leader in the IDF Intelligence Corps (Unit 8200). Mr. Zahavi holds a Master’s degree in Near Middle Eastern Studies (Cum Laude) and a B.A. (Cum Laude) in Islamic Studies and Communications.