This week CISA (The Cybersecurity and Infrastructure Security Agency) released Alert AA20-133A. This alert is more of a summary bulletin covering the most commonly exploited vulnerabilities, both for the current year and trends from 2016 to 2019. It is a well-documented reminder that attackers are not always going to gravitate towards new zero-days or ultra-fancy exploitation. Most of the time, they use what works reliably and well. And unfortunately, attackers can usually rely on targets not being up to date with every possible security patch for every possible vendor.
The top 10 routinely exploited vulnerabilities between 2016 and 2019 were found to be:
- CVE-2017-11882 – Microsoft Office
- CVE-2017-0199 – Microsoft Office
- CVE-2017-5638 – Apache Struts
- CVE-2012-0158 – Microsoft Office
- CVE-2019-0604 – Microsoft SharePoint
- CVE-2017-0143 – Microsoft Windows
- CVE-2018-4878 – Adobe Flash Player
- CVE-2017-8759 – Microsoft .NET Framework
- CVE-2015-1641 – Microsoft Office
- CVE-2018-7600 – Drupal
The top routinely exploited vulnerabilities (so far) in 2020 are:
- CVE-2019-19781 – Citrix Application Delivery Controller, Citrix Gateway, Citrix SDWAN WANOP
- CVE-2019-11510 – Pulse Connect Secure, Pulse Policy Secure
Those noted for 2020 are in addition to various MS Office 365, Teams, Zoom and other flaws that have come to attention as a result of the mass transition to work from home during the COVID-19 pandemic and resulting lockdown.
So, why is this good news? Accurate knowledge of attack trends is always a good thing. Environments that struggle to prioritize their assets and approach to risk management and mitigation can quickly use data like this to identify weaknesses in their environment and take appropriate action. The CISA alert also links to the various mitigation options for each CVE (vulnerability), allowing for quick action where needed.
This week it was reported that the Israeli security cabinet held meetings to discuss a cyberattack against Israel’s water infrastructure. The attacks, according to various media outlets, have been attributed to Iran. While current intelligence suggests that there was no damage or negative outcome from the attack, it does represent a significant escalation of tensions between Iran and Israel.
The attacks themselves were originally reported to the INCD (Israeli National Cyber Directorate) in late April 2020. At that time, multiple operators of civilian water facilities reported “abnormal equipment operation” and “unexpected process behavior”. The attack was specifically pointed at exposed (internet-connected) PLCs (programmable logic controllers) contained in multiple facilities.
It’s fortunate that no damage resulted from this attack (unlike something…Stuxnet). However, the initial entry vector should definitely raise some alarms. The exposed PLCs required no authentication. All that was required to connect was knowledge of the specific controllers management interface and required ports for connecting. Arguably, all of which is a quick Google search away from any potential attacker. It should be noted that the targeted PLCs spanned multiple vendors. The attackers would have needed to take their time and gather essential information via thorough recon prior to the attack. The attackers were able to modify the process logic of the targeted controllers, but as stated prior, the only result was “abnormal behavior”.
Infrastructure attacks often present us with a somewhat scary juxtaposition. Our most critical equipment is often the most exposed and simplest to compromise. That mindset should inform security teams as they work to secure these systems. Following guidelines from CISA and DOE (Department of Energy) are key in staving off these types of attacks. Proper use of VPNs, MFA, user management/control, and true network segmentation will go a long way to preventing more catastrophic scenarios. CISA also provides a number of tools that can be helpful in evaluating and strengthening your security posture.
We are all still dealing, in various ways, with our new pandemic-centric reality. This includes the continued use of collaboration and conferencing tools like Zoom to facilitate our ongoing business and communication needs. By now we are all familiar with “Zoom Bombing” and similar attacks. This week there was another high-profile incident of Zoom Bombing involving the Dallas ISD (Independent School District). During a graduation-based conference, which involved parents, teachers and students, the call was temporarily hijacked. The unwanted participant quickly displayed pornographic images to the audience. The following statement was issued shortly after the incident:
It’s worth remembering that organizations can never be complacent about security. While Zoom and other vendors have been rising to the occasion to remedy various flaws and concerns, there will always be the potential for attacks. We encourage readers to review our guidelines on the safety and security of applications like Zoom and Slack.