- The flaws that are being exploited the most concern MS Office and Windows tools.
- All of them have been addressed by security updates or emergency patches.
- For 2020, threat actors have turned their attention to vulnerable corporate VPN tools.
According to a report by the CISA (Cybersecurity and Infrastructure Security Agency) and the Federal Bureau of Investigation (FBI), the ten most exploited vulnerabilities between 2016 and 2019 all concern professional products. The agencies have listed them to help system administrators prioritize patching and mitigation, and it’s important to mention that patches are available for all of the presented flaws.
CVE-2017-11882: A vulnerability affecting Microsoft Office 2007 SP3/2010 SP2/2013 SP1/2016 products. The malware tools that exploit it are Loki, FormBook, and Pony/FAREIT. Fixed in the latest available security patches.
CVE-2017-0199: A flaw affecting Microsoft Office 2007 SP3/2010 SP2/2013 SP1/2016, Vista SP2, Server 2008 SP2, Windows 7 SP1, Windows 8.1. It is targeted by FINSPY, LATENTBOT, and Dridex. Fixed in the latest available security patches.
CVE-2017-5638: Vulnerability affecting Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1. It is exploited by JexBoss and can be addressed by upgrading to Struts 2.3.32 or Struts 2.5.10.1.
CVE-2012-0158: Concerns Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2003 Web Components SP3; SQL Server 2000 SP4, 2005 SP4, and 2008 SP2, SP3, and R2; BizTalk Server 2002 SP1; Commerce Server 2002 SP4, 2007 SP2, and 2009 Gold and R2; Visual FoxPro 8.0 SP1 and 9.0 SP2; and Visual Basic 6.0. It is targeted by the Dridex malware and can be fixed by applying the latest available security patches.
CVE-2019-0604: This is a flaw in Microsoft SharePoint, which is targeted by “China Chopper.” Applying the most recent security patch addresses the flaw.
CVE-2017-0143: A vulnerability that affects Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016. The malware tools that can take advantage of this flaw are those using the EternalSynergy and EternalBlue Exploit Kit. Fixed in the latest available security patches.
CVE-2018-4878: An Adobe Flash Player flaw exploited by the “DOGCALL” malware. Updating the software to version 28.0.0.161 or later addresses the issue.
CVE-2017-8759: Vulnerability in the Microsoft .NET Framework 2.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 and 4.7. It is generally targeted by FINSPY, FinFisher, and WingBird. Fixed in the latest available security patches.
CVE-2015-1641: Flaw affecting Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word 2013 SP1, Word 2013 RT SP1, Word for Mac 2011, Office Compatibility Pack SP3, Word Automation Services on SharePoint Server 2010 SP2 and 2013 SP1, and Office Web Apps Server 2010 SP2 and 2013 SP1. This is targeted by the Toshliph and Uwarrior malware tools, but applying the latest available security patches resolves the problem.
CVE-2018-7600: Flaw in Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1, which is exploited by the “Kitty” malware. Updating to the most recent Drupal 7 or 8 version plugs the flaw.
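The entries above give affected ranges in the form "branch X before version Y", which is what an administrator has to turn into a decision for each host. The following script is an added example, not part of the advisory or of this article: it encodes the Apache Struts (CVE-2017-5638) and Drupal (CVE-2018-7600) ranges exactly as the list states them, compares dotted version strings numerically rather than as text, and filters a constructed inventory (hostnames and versions are made up) down to the hosts still in an affected range. The `AFFECTED` table, the product keys and the inventory format are assumptions of this example.

```python
"""Check installed versions against the affected ranges listed in the advisory.

Added example (not the advisory's or the article's own code). Only the Struts
and Drupal ranges are encoded; both come verbatim from the list above.
"""
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# (branch prefix, first fixed version). A version is affected when it starts
# with the prefix and is numerically below the fixed version.
# "8.x before 8.3.9" is encoded with prefix "8", which also catches 8.0-8.2.
AFFECTED: Dict[str, List[Tuple[str, str]]] = {
    "apache-struts": [("2.3", "2.3.32"), ("2.5", "2.5.10.1")],
    "drupal": [("7", "7.58"), ("8", "8.3.9"), ("8.4", "8.4.6"), ("8.5", "8.5.1")],
}


def parse_version(v: str) -> Version:
    """Turn '2.5.10.1' into (2, 5, 10, 1) so Python tuple comparison orders it
    numerically ('2.5.9' < '2.5.10' as strings would be wrong)."""
    parts = []
    for piece in v.strip().split("."):
        if not piece.isdigit():
            # Pre-release suffixes or vendor builds: refuse rather than guess,
            # so the host is flagged for manual review instead of silently passing.
            raise ValueError(f"unrecognised version string: {v!r}")
        parts.append(int(piece))
    return tuple(parts)


def is_affected(product: str, version: str) -> bool:
    """True when `version` of `product` falls inside a listed affected range."""
    v = parse_version(version)
    for prefix, fixed in AFFECTED[product]:
        p = parse_version(prefix)
        # Compare prefix component-wise, not as a string, so "2.3" does not
        # accidentally match a hypothetical "2.30".
        if v[: len(p)] == p and v < parse_version(fixed):
            return True
    return False


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Filter a (host, product, version) inventory down to hosts still exposed."""
    return [entry for entry in inventory if is_affected(entry[1], entry[2])]


# Constructed sample inventory; hostnames and versions are made up for the example.
SAMPLE_INVENTORY = [
    ("web-01", "apache-struts", "2.3.31"),    # below 2.3.32: affected
    ("web-02", "apache-struts", "2.5.10.1"),  # exactly the fixed release
    ("cms-01", "drupal", "8.4.5"),            # 8.4.x below 8.4.6: affected
    ("cms-02", "drupal", "8.6.2"),            # newer branch, no listed range
    ("cms-03", "drupal", "7.57"),             # below 7.58: affected
]

if __name__ == "__main__":
    for host, product, version in triage(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} is in an affected range; patch first")
```

The equal-to-fixed case matters: a host on exactly 2.3.32 or 8.3.9 is already patched and must not be reported, which the strict `<` comparison guarantees. Real deployments should feed the inventory from a package or configuration-management export rather than a hand-written list, and any version string the parser rejects should be treated as unknown, not as safe.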
As for 2020, the most exploited vulnerabilities are CVE-2019-11510 (Pulse Connect Secure) and CVE-2019-19781 (Citrix products). Both of these have been fixed by patches that were made available quite a few months ago, but we’re still seeing them appear in incident reports from security firms and victims.