- The NSA has gathered enough cyber-attack data on Chinese hackers to compile a list of the flaws they exploit most.
- In many cases, we see vulnerabilities that were fixed with patches one, two, or even three years ago.
- Experts comment that most of these flaws indicate second-stage deployments.
The NSA (National Security Agency) has compiled a list of the top 25 vulnerabilities most exploited by Chinese state-sponsored hackers and released a cybersecurity advisory to help agencies, companies, organizations, and web admins apply the corresponding mitigations.
- CVE-2019-11510: Pulse Secure VPN arbitrary file reading flaw leading to the exposure of keys and passwords.
- CVE-2020-5902: F5 BIG-IP remote code execution vulnerability.
- CVE-2019-19781: Citrix Application Delivery Controller and Gateway flaw, enabling remote code execution without credentials.
- CVE-2020-8193, CVE-2020-8195, CVE-2020-8196: Information disclosure flaws in Citrix ADC, Citrix Gateway, and Citrix SDWAN WAN-OP.
- CVE-2019-0708: RCE vulnerability in Windows XP, 7, and Server 2003 and 2008 Remote Desktop Services.
- CVE-2020-15505: MobileIron flaw allowing remote code execution via unspecified vectors.
- CVE-2020-1350: Windows Domain Name System servers RCE based on improper request handling.
- CVE-2020-1472: Elevation of privilege flaw in Netlogon Remote Protocol.
- CVE-2019-1040: Microsoft Windows NTLM flaw in MIC handling that enables man-in-the-middle attacks.
- CVE-2018-6789: Exim mail flaw resulting in buffer overflow and RCE conditions.
- CVE-2020-0688: Microsoft Exchange validation key remote code execution flaw.
- CVE-2018-4939: Adobe ColdFusion vulnerability leading to arbitrary code execution.
- CVE-2015-4852: Oracle WebLogic Server bug exploited with a specially crafted Java object.
- CVE-2020-2555: Oracle Coherence flaw allowing an unauthenticated attacker to gain network access.
- CVE-2019-3396: Atlassian Confluence RCE through server-side template injection.
- CVE-2019-11580: Atlassian Crowd RCE, which results in arbitrary plugin installation.
- CVE-2020-10189: Zoho ManageEngine RCE flaw.
- CVE-2019-18935: Progress Telerik .NET vulnerability resulting in remote code execution.
- CVE-2020-0601: Spoofing vulnerability in Microsoft Windows 10 and Server 2016 – 2019.
- CVE-2019-0803: Elevation of privilege flaw in Windows 7, 10, and Server 2008 – 2019.
- CVE-2017-6327: Symantec Messaging Gateway remote code execution.
- CVE-2020-3118: Flaw in Cisco IOS XR that allows arbitrary code execution by an unauthenticated attacker.
- CVE-2020-8515: DrayTek Vigor RCE with root privileges without authentication.
Oliver Tavakoli, CTO at Vectra, has shared the following comment with us on the NSA's list:
The breadth of products covered by this list of CVEs would indicate that the NSA has curated this list through the observation of many attacks undertaken by these actors. The exploits themselves also cover a broad range of steps in the cyberattack lifecycle, indicating that many of the attacks in which these exploits were observed were already pretty deep into the attack progression – and many were likely found only after-the-fact through deep forensic efforts rather than having been identified while the attacks were active.
Knowing which products are targeted is always valuable, but the general lesson is that keeping your software up to date, by applying all available patches and updates as soon as they become available, is key.
The software vendors have fixed all of the above vulnerabilities, in some cases more than a year ago. Seeing them in lists like this therefore indicates a lack of proper system maintenance practices and general negligence.
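As an added defender-side example, not code from the article or from the NSA advisory, the Python below parses list lines in the same "- CVE-...: description" form used above (including the one line that carries three Citrix CVE ids), classifies each entry by the impact named in its description, and ranks hosts from a constructed scan export by the most severe advisory CVE they still carry. The host names, impact classes and keyword heuristics are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed excerpt in the advisory-list form used above; one line carries three CVE ids.
ADVISORY_TEXT = """\
- CVE-2019-11510: Pulse Secure VPN arbitrary file reading flaw leading to the exposure of keys and passwords.
- CVE-2020-5902: F5 BIG-IP remote code execution vulnerability.
- CVE-2020-8193, CVE-2020-8195, CVE-2020-8196: Information disclosure flaws in Citrix ADC, Citrix Gateway, and Citrix SDWAN WAN-OP.
- CVE-2020-1472: Elevation of privilege flaw in Netlogon Remote Protocol.
- CVE-2020-0601: Spoofing vulnerability in Microsoft Windows 10 and Server 2016 - 2019.
"""

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Assumed impact classes, matched on the wording of each description; checked in priority order.
IMPACT_PATTERNS = [
    ("RCE", re.compile(r"remote code execution|\brce\b|arbitrary code execution", re.I)),
    ("EoP", re.compile(r"elevation of privilege", re.I)),
    ("InfoDisclosure", re.compile(r"information disclosure|file reading|exposure", re.I)),
    ("Spoofing", re.compile(r"spoofing", re.I)),
]
PRIORITY = {"RCE": 0, "EoP": 1, "InfoDisclosure": 2, "Spoofing": 3, "Other": 4}

def classify(description):
    """Return the first impact class whose pattern appears in the description."""
    for label, pattern in IMPACT_PATTERNS:
        if pattern.search(description):
            return label
    return "Other"

def parse_advisory(text):
    """Return {cve_id: (impact_class, description)}, one record per CVE id even on shared lines."""
    records = {}
    for line in text.splitlines():
        ids_part, _, description = line.strip().lstrip("- ").partition(":")
        ids = CVE_RE.findall(ids_part)
        if not ids:
            continue
        impact = classify(description)
        for cve in ids:
            records[cve] = (impact, description.strip())
    return records

def triage(findings, advisory):
    """findings: iterable of (host, cve_id). Return hosts carrying advisory CVEs, most severe first."""
    per_host = defaultdict(list)
    for host, cve in findings:
        if cve in advisory:  # findings outside the advisory list are ignored here
            per_host[host].append((cve, advisory[cve][0]))
    ranked = sorted(per_host.items(), key=lambda item: min(PRIORITY[i] for _, i in item[1]))
    return [(host, sorted(cves, key=lambda c: PRIORITY[c[1]])) for host, cves in ranked]

SCAN_FINDINGS = [  # constructed scanner export: (host, CVE id)
    ("vpn-gw-01", "CVE-2019-11510"), ("adc-edge-02", "CVE-2020-8193"),
    ("dc-01", "CVE-2020-1472"), ("dc-01", "CVE-2020-0601"), ("web-03", "CVE-2021-99999"),
]
```

Running `triage(SCAN_FINDINGS, parse_advisory(ADVISORY_TEXT))` puts the domain controller with the Netlogon flaw first and drops the host whose only finding is outside the list.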