The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the broader U.S. Government today released a list of the top 10 vulnerabilities most commonly exploited by foreign cyber actors. Exploiting these vulnerabilities often requires fewer resources than using zero-day exploits, for which no patches are available.
Here’s a comment from Satnam Narang, Staff Research Engineer at Tenable, providing an analysis of a trend seen within these top 10 vulnerabilities.
“CISA’s list of the top 10 routinely exploited vulnerabilities from 2016 through 2019 primarily consists of flaws in Microsoft products, particularly in Microsoft Office. This comes as no surprise as cybercriminals go after low-hanging fruit, which is often ubiquitous software with known but unpatched vulnerabilities. Many of the bad actors leverage flaws in Office when distributing spear-phishing emails to their intended targets. These emails are tailored to their victim, using a lure designed to capture their interest in order to convince them to open the malicious attachment.
This list is indicative of a trend we see time and time again: Cybercriminals prefer to leverage known but unpatched vulnerabilities. Finding or acquiring zero-day vulnerabilities is a costly endeavour, so leveraging unpatched flaws with publicly available exploit code gets them to their end goal in the fastest and cheapest way possible.
Vulnerabilities in Virtual Private Network (VPN) solutions are another area that has seen an increase in activity going back to 2019, when exploit code for several notable VPNs became publicly available. We anticipate that many of these flaws will continue to be leveraged by bad actors of all kinds, because as they say, if it ain’t broke, don’t fix it.
This list is a solid reminder of the importance of basic cyber hygiene and systems maintenance. Knowing which vulnerabilities are being actively exploited by bad actors and prioritizing their remediation is one of the most effective ways to reduce risk.” – Satnam Narang, Staff Research Engineer at Tenable.