AA20-133A: Top 10 Routinely Exploited Vulnerabilities

Original release date: May 12, 2020

Summary

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the broader U.S. Government are providing this technical guidance to advise IT security professionals at public and private sector organizations to place an increased priority on patching the most commonly known vulnerabilities exploited by sophisticated foreign cyber actors.

This alert provides details on vulnerabilities routinely exploited by foreign cyber actors—primarily Common Vulnerabilities and Exposures (CVEs)[1]—to help organizations reduce the risk of these foreign threats.

Foreign cyber actors continue to exploit publicly known—and often dated—software vulnerabilities against broad target sets, including public and private sector organizations. Exploitation of these vulnerabilities often requires fewer resources as compared with zero-day exploits for which no patches are available.

The public and private sectors could degrade some foreign cyber threats to U.S. interests through an increased effort to patch their systems and implement programs to keep system patching up to date. A concerted campaign to patch these vulnerabilities would introduce friction into foreign adversaries’ operational tradecraft and force them to develop or acquire exploits that are more costly and less widely effective. A concerted patching campaign would also bolster network security by focusing scarce defensive resources on the observed activities of foreign adversaries.

For indicators of compromise (IOCs) and additional guidance associated with the CVEs in this Alert, see each entry within the Mitigations section below.

Technical Details

Top 10 Most Exploited Vulnerabilities 2016–2019

U.S. Government reporting has identified the top 10 most exploited vulnerabilities by state, nonstate, and unattributed cyber actors from 2016 to 2019 as follows: CVE-2017-11882, CVE-2017-0199, CVE-2017-5638, CVE-2012-0158, CVE-2019-0604, CVE-2017-0143, CVE-2018-4878, CVE-2017-8759, CVE-2015-1641, and CVE-2018-7600.

  • According to U.S. Government technical analysis, malicious cyber actors most often exploited vulnerabilities in Microsoft’s Object Linking and Embedding (OLE) technology. OLE allows documents to contain embedded content from other applications such as spreadsheets. After OLE the second-most-reported vulnerable technology was a widespread Web framework known as Apache Struts.
  • Of the top 10, the three vulnerabilities used most frequently across state-sponsored cyber actors from China, Iran, North Korea, and Russia are CVE-2017-11882, CVE-2017-0199, and CVE-2012-0158. All three of these vulnerabilities are related to Microsoft’s OLE technology.
  • As of December 2019, Chinese state cyber actors were frequently exploiting the same vulnerability—CVE-2012-0158—that the U.S. Government publicly assessed in 2015 was the most used in their cyber operations.[2] This trend suggests that organizations have not yet widely implemented patches for this vulnerability and that Chinese state cyber actors may continue to incorporate dated flaws into their operational tradecraft as long as they remain effective.
  • Deploying patches often requires IT security professionals to balance the need to mitigate vulnerabilities with the need for keeping systems running and ensuring installed patches are compatible with other software. This can require a significant investment of effort, particularly when mitigating multiple flaws at the same time.
  • A U.S. industry study released in early 2019 similarly discovered that the flaws malicious cyber actors exploited the most consistently were in Microsoft and Adobe Flash products, probably because of the widespread use of these technologies.[3]  Four of the industry study’s top 10 most exploited flaws also appear on this Alert’s list, highlighting how U.S. Government and private-sector data sources may complement each other to enhance security.

Vulnerabilities Exploited in 2020

In addition to the top 10 vulnerabilities from 2016 to 2019 listed above, the U.S. Government has reported that the following vulnerabilities are being routinely exploited by sophisticated foreign cyber actors in 2020:

  • Malicious cyber actors are increasingly targeting unpatched Virtual Private Network vulnerabilities.
    • An arbitrary code execution vulnerability in Citrix VPN appliances, known as CVE-2019-19781, has been detected in exploits in the wild.
    • An arbitrary file reading vulnerability in Pulse Secure VPN servers, known as CVE-2019-11510, continues to be an attractive target for malicious actors.
  • March 2020 brought an abrupt shift to work-from-home that necessitated, for many organizations, rapid deployment of cloud collaboration services, such as Microsoft Office 365 (O365). Malicious cyber actors are targeting organizations whose hasty deployment of Microsoft O365 may have led to oversights in security configurations and left them vulnerable to attack.
  • Cybersecurity weaknesses—such as poor employee education on social engineering attacks and a lack of system recovery and contingency plans—have continued to make organizations susceptible to ransomware attacks in 2020.

Mitigations

This Alert provides mitigations for each of the top vulnerabilities identified above. In addition to the mitigations listed below, CISA, FBI, and the broader U.S. Government recommend that organizations transition away from any end-of-life software.

Mitigations for the Top 10 Most Exploited Vulnerabilities 2016–2019

Note: The lists of associated malware corresponding to each CVE below are not meant to be exhaustive but instead are intended to identify a malware family commonly associated with exploiting the CVE.

CVE-2017-11882

  • Vulnerable Products: Microsoft Office 2007 SP3/2010 SP2/2013 SP1/2016 Products
  • Associated Malware: Loki, FormBook, Pony/FAREIT
  • Mitigation: Update affected Microsoft products with the latest security patches
  • More Detail: https://nvd.nist.gov/vuln/detail/CVE-2017-11882
  • IOCs: https://www.us-cert.gov/ncas/analysis-reports/ar20-133e

CVE-2017-0199

  • Vulnerable Products: Microsoft Office 2007 SP3/2010 SP2/2013 SP1/2016, Vista SP2, Server 2008 SP2, Windows 7 SP1, Windows 8.1
  • Associated Malware: FINSPY, LATENTBOT, Dridex
  • Mitigation: Update affected Microsoft products with the latest security patches
  • More Detail: https://nvd.nist.gov/vuln/detail/CVE-2017-0199
  • IOCs: https://www.us-cert.gov/ncas/analysis-reports/ar20-133g, https://www.us-cert.gov/ncas/analysis-reports/ar20-133h, https://www.us-cert.gov/ncas/analysis-reports/ar20-133p

CVE-2017-5638

  • Vulnerable Products: Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1
  • Associated Malware: JexBoss
  • Mitigation: Upgrade to Struts 2.3.32 or Struts 2.5.10.1
  • More Detail:
    • https://www.us-cert.gov/ncas/analysis-reports/AR18-312A
    • https://nvd.nist.gov/vuln/detail/CVE-2017-5638  

CVE-2012-0158

  • Vulnerable Products: Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2003 Web Components SP3; SQL Server 2000 SP4, 2005 SP4, and 2008 SP2, SP3, and R2; BizTalk Server 2002 SP1; Commerce Server 2002 SP4, 2007 SP2, and 2009 Gold and R2; Visual FoxPro 8.0 SP1 and 9.0 SP2; and Visual Basic 6.0
  • Associated Malware: Dridex
  • Mitigation: Update affected Microsoft products with the latest security patches
  • More Detail:
    • https://www.us-cert.gov/ncas/alerts/aa19-339a
    • https://nvd.nist.gov/vuln/detail/CVE-2012-0158
  • IOCs: https://www.us-cert.gov/ncas/analysis-reports/ar20-133i, https://www.us-cert.gov/ncas/analysis-reports/ar20-133j, https://www.us-cert.gov/ncas/analysis-reports/ar20-133k, https://www.us-cert.gov/ncas/analysis-reports/ar20-133l, https://www.us-cert.gov/ncas/analysis-reports/ar20-133n, https://www.us-cert.gov/ncas/analysis-reports/ar20-133o

CVE-2019-0604

  • Vulnerable Products: Microsoft SharePoint
  • Associated Malware: China Chopper
  • Mitigation: Update affected Microsoft products with the latest security patches
  • More Detail: https://nvd.nist.gov/vuln/detail/CVE-2019-0604

CVE-2017-0143

  • Vulnerable Products: Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016
  • Associated Malware: Multiple using the EternalSynergy and EternalBlue Exploit Kit
  • Mitigation: Update affected Microsoft products with the latest security patches
  • More Detail: https://nvd.nist.gov/vuln/detail/CVE-2017-0143

CVE-2018-4878

  • Vulnerable Products: Adobe Flash Player before 28.0.0.161
  • Associated Malware: DOGCALL
  • Mitigation: Update Adobe Flash Player installation to the latest version
  • More Detail: https://nvd.nist.gov/vuln/detail/CVE-2018-4878
  • IOCs: https://www.us-cert.gov/ncas/analysis-reports/ar20-133d

CVE-2017-8759

  • Vulnerable Products: Microsoft .NET Framework 2.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 and 4.7
  • Associated Malware: FINSPY, FinFisher, WingBird
  • Mitigation: Update affected Microsoft products with the latest security patches
  • More Detail: https://nvd.nist.gov/vuln/detail/CVE-2017-8759  
  • IOCs: https://www.us-cert.gov/ncas/analysis-reports/ar20-133f

CVE-2015-1641

  • Vulnerable Products: Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word 2013 SP1, Word 2013 RT SP1, Word for Mac 2011, Office Compatibility Pack SP3, Word Automation Services on SharePoint Server 2010 SP2 and 2013 SP1, and Office Web Apps Server 2010 SP2 and 2013 SP1
  • Associated Malware: Toshliph, UWarrior
  • Mitigation: Update affected Microsoft products with the latest security patches
  • More Detail: https://nvd.nist.gov/vuln/detail/CVE-2015-1641
  • IOCs: https://www.us-cert.gov/ncas/analysis-reports/ar20-133m

CVE-2018-7600

  • Vulnerable Products: Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1
  • Associated Malware: Kitty
  • Mitigation: Upgrade to the most recent version of Drupal 7 or 8 core.
  • More Detail: https://nvd.nist.gov/vuln/detail/CVE-2018-7600
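The alert gives affected version ranges for three of the ten products (Apache Struts 2, Adobe Flash Player, Drupal) as plain dotted version numbers, which is enough to turn the list into an automated inventory check. The following Python script is an added example, not CISA code: it transcribes those three "Vulnerable Products" ranges, compares each inventory entry against them with branch-aware version comparison (so that Drupal 8.4.5 is caught by the "8.4.x before 8.4.6" range while 8.5.1 is not), and refuses to treat a version it cannot parse as patched. The product names, the `SAMPLE_INVENTORY` hostnames and versions are constructed for the example; the Microsoft entries, whose mitigation is "apply the latest security patches" rather than a version threshold, are deliberately left out.

```python
"""Flag inventory entries that fall inside the affected version ranges that
AA20-133A lists for Apache Struts 2, Adobe Flash Player and Drupal.
Added example (not CISA's code); inventory data below is constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn a dotted version string such as '2.5.10.1' into (2, 5, 10, 1).
    Raises ValueError for anything that is not purely numeric components."""
    return tuple(int(part) for part in text.strip().split("."))


@dataclass(frozen=True)
class AffectedRange:
    """Versions that start with `branch` and sort below `fixed` are affected.
    An empty branch matches every version (a plain 'before X' range)."""
    branch: Version
    fixed: Version

    def contains(self, version: Version) -> bool:
        if version[: len(self.branch)] != self.branch:
            return False
        return version < self.fixed  # tuple comparison is lexicographic


# Ranges transcribed from the alert's "Vulnerable Products" lines.
ADVISORY: Dict[str, Tuple[str, List[AffectedRange]]] = {
    "CVE-2017-5638": ("Apache Struts", [
        AffectedRange((2, 3), (2, 3, 32)),      # 2.3.x before 2.3.32
        AffectedRange((2, 5), (2, 5, 10, 1)),   # 2.5.x before 2.5.10.1
    ]),
    "CVE-2018-4878": ("Adobe Flash Player", [
        AffectedRange((), (28, 0, 0, 161)),     # before 28.0.0.161
    ]),
    "CVE-2018-7600": ("Drupal", [
        AffectedRange((7,), (7, 58)),           # before 7.58
        AffectedRange((8,), (8, 3, 9)),         # 8.x before 8.3.9
        AffectedRange((8, 4), (8, 4, 6)),       # 8.4.x before 8.4.6
        AffectedRange((8, 5), (8, 5, 1)),       # 8.5.x before 8.5.1
    ]),
}


def matching_cves(product: str, version: str) -> List[str]:
    """Return the CVE ids from ADVISORY whose affected ranges cover this
    product/version pair. Unparseable versions raise ValueError so they
    are surfaced rather than silently treated as patched."""
    parsed = parse_version(version)
    return sorted(cve for cve, (name, ranges) in ADVISORY.items()
                  if name == product and any(r.contains(parsed) for r in ranges))


def check_inventory(inventory: List[Dict[str, str]]) -> List[Tuple[str, str, str, str]]:
    """Walk a software inventory and return (host, product, version, cve)
    for every entry inside an affected range, sorted for stable output."""
    findings = []
    for item in inventory:
        try:
            cves = matching_cves(item["product"], item["version"])
        except ValueError:
            cves = ["UNPARSEABLE-VERSION"]  # review by hand; never assume patched
        for cve in cves:
            findings.append((item["host"], item["product"], item["version"], cve))
    return sorted(findings)


# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY = [
    {"host": "web-01", "product": "Apache Struts", "version": "2.3.31"},
    {"host": "web-02", "product": "Apache Struts", "version": "2.5.10"},
    {"host": "web-03", "product": "Apache Struts", "version": "2.5.10.1"},
    {"host": "ws-07", "product": "Adobe Flash Player", "version": "27.0.0.187"},
    {"host": "ws-08", "product": "Adobe Flash Player", "version": "28.0.0.161"},
    {"host": "cms-01", "product": "Drupal", "version": "8.4.5"},
    {"host": "cms-02", "product": "Drupal", "version": "8.5.1"},
    {"host": "cms-03", "product": "Drupal", "version": "7.57"},
    {"host": "cms-04", "product": "Drupal", "version": "8.6.0-rc1"},
]

if __name__ == "__main__":
    for host, product, version, cve in check_inventory(SAMPLE_INVENTORY):
        print(f"{host:8} {product:20} {version:12} {cve}")
```

The design choice worth noting is the explicit `branch` prefix: a naive "version < first fixed version" test would mark Drupal 8.4.5 as safe because 8.4.5 sorts above 8.3.9, when the alert's "8.4.x before 8.4.6" range says it is affected. Pre-release strings such as `8.6.0-rc1` are reported as unparseable rather than dropped, since an entry that falls out of the report is indistinguishable from a patched one.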

Mitigations for Vulnerabilities Exploited in 2020

CVE-2019-11510

  • Vulnerable Products: Pulse Connect Secure 9.0R1 – 9.0R3.3, 8.3R1 – 8.3R7, 8.2R1 – 8.2R12, 8.1R1 – 8.1R15 and Pulse Policy Secure 9.0R1 – 9.0R3.1, 5.4R1 – 5.4R7, 5.3R1 – 5.3R12, 5.2R1 – 5.2R12, 5.1R1 – 5.1R15
  • Mitigation: Update affected Pulse Secure devices with the latest security patches.
  • More Detail:
    • https://www.us-cert.gov/ncas/alerts/aa20-107a
    • https://nvd.nist.gov/vuln/detail/CVE-2019-11510
    • https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/

CVE-2019-19781

  • Vulnerable Products: Citrix Application Delivery Controller, Citrix Gateway, and Citrix SDWAN WANOP
  • Mitigation: Update affected Citrix devices with the latest security patches
  • More Detail:
    • https://www.us-cert.gov/ncas/alerts/aa20-020a
    • https://www.us-cert.gov/ncas/alerts/aa20-031a
    • https://www.fireeye.com/blog/products-and-services/2020/01/fireeye-and-citrix-tool-scans-for-iocs-related-to-vulnerability.html
    • https://nvd.nist.gov/vuln/detail/CVE-2019-19781
    • https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/

Oversights in Microsoft O365 Security Configurations

  • Vulnerable Products: Microsoft O365
  • Mitigation: Follow Microsoft O365 security recommendations
  • More Detail: https://www.us-cert.gov/ncas/alerts/aa20-120a 

Organizational Cybersecurity Weaknesses

  • Vulnerable Products: Systems, networks, and data
  • Mitigation: Follow cybersecurity best practices
  • More Detail: https://www.cisa.gov/cyber-essentials

CISA’s Free Cybersecurity Services

Adversaries use known vulnerabilities and phishing attacks to compromise the security of organizations. CISA offers several free scanning and testing services to help organizations reduce their exposure to threats by taking a proactive approach to mitigating attack vectors.

Cyber Hygiene: Vulnerability Scanning helps secure your internet-facing systems from weak configuration and known vulnerabilities. It also encourages organizations to adopt modern security best practices. CISA performs regular network and vulnerability scans and delivers a weekly report for your action. Once initiated, this service is mostly automated and requires little direct interaction. After CISA receives the required paperwork for Cyber Hygiene, our scans will start within 72 hours and you’ll begin receiving reports within two weeks.

Web Application Service checks your publicly accessible web sites for potential bugs and weak configurations. It provides a “snapshot” of your publicly accessible web applications and also checks functionality and performance in your application.
If your organization would like these services or wants more information about other useful services, please email [email protected].

CISA Online Resources

The Patch Factory: CISA infographic depicting the global infrastructure for managing vulnerabilities.

CISA Alert: (AA20-120A) Microsoft Office 365 Security Recommendations: recommendations for organizations to review and ensure their O365 environment is configured to protect, detect, and respond against would-be attackers.

CISA’s Cyber Essentials: a guide for leaders of small businesses as well as leaders of small and local government agencies to develop an actionable understanding of where to start implementing organizational cybersecurity practices.

Contact Information

If you have any further questions related to this Joint Alert, please contact the FBI at either your local Cyber Task Force or FBI CyWatch.

  • You can find your local field offices at https://www.fbi.gov/contact-us/field
  • CyWatch can be contacted through e-mail at [email protected] or by phone at 1-855-292-3937

To request incident response resources or technical assistance related to these threats, contact CISA at [email protected].


References

  • [1] Cybersecurity Vulnerabilities and Exposures (CVE) list
  • [2] CISA Alert (TA15-119A). Top 30 Targeted High Risk Vulnerabilities. (2016, September 29)
  • [3] Recorded Future. 2019 Vulnerability Report: Cybercriminals Continue to Target Microsoft Products. (2020, February 4)

Revisions

  • May 12, 2020: Initial Version

CISA Alerts

NYT: Chinese and Russian spies routinely eavesdrop on Trump’s iPhone calls

(Image credit: Jaap Arriens/NurPhoto via Getty Images)

Chinese and Russian spies routinely eavesdrop on personal phone calls President Trump makes on his iPhones, one of which is no different from the smartphone millions of other people use. The US president’s casual approach to electronic security has several current and former officials so frustrated they leaked the details to The New York Times, which reported on the phone interceptions Wednesday evening.

Trump, Wednesday’s article reported, has two official iPhones that have been altered by the National Security Agency to limit the types of hacks they’re susceptible to. The president has a third iPhone with no modifications that he uses as a personal device, because unlike the official iPhones, he can store personal contacts on it. What’s more, while Trump is supposed to swap out his two official phones every 30 days for new ones, he rarely does. Trump did agree to give up his Android phone, which most security experts believe is more vulnerable than Apple’s iOS, and Trump has also agreed to the more cumbersome arrangement of having the two official iPhones. One is for Twitter and other apps, while the other handles calls.

Still, when Trump uses the cell phones to call friends, Chinese spies often listen in hopes of gaining insights about how to influence him on the long-simmering issue of trade. Russian spies also routinely eavesdrop on Trump’s calls, although the Russian spies don’t appear to be running as sophisticated an influence campaign as their Chinese counterparts. Aides have repeatedly warned the president that cell phone calls are especially susceptible to monitoring by adversaries. The aides have pressured him to use landlines instead, but he has refused to give up his devices.

Biz & IT – Ars Technica

South Carolina Drug Warriors Routinely Serving Regular Warrants Like No-Knock Warrants

Radley Balko is uncovering more rights violations and more law enforcement falsehoods with his coverage of South Carolina resident Julian Betton’s lawsuit against the Myrtle Beach-area drug task force. Betton’s house was raided by the drug unit after a confidential informant made two pot purchases for a total of $100. The police didn’t have a no-knock warrant, but they acted like they did, going from zero to hail-of-gunfire in mere seconds. (via FourthAmendment.com)

On April 16, 2015, the task force battered Betton’s door open with a ram, then almost immediately opened fire, releasing at least 29 bullets, nine of which hit Betton. One bullet pierced a back wall in the building, sped across a nearby basketball court and landed in the wall of another house. (This was a multi-family building.)

Betton was hit several times. He didn’t die, but he doesn’t have much left in working order. He lost part of his gallbladder, colon, and rectum. His liver, pancreas and small intestine all suffered damage. His left leg was broken along with one of his vertebrae.

The cops immediately set about justifying their extreme tactics. First, they claimed Betton fired at them, but ballistics tests showed Betton’s gun hadn’t been fired. Then they claimed he pointed a gun at them, but did not fire it. This could have easily been proven if any of the task force had bothered to activate their body cameras before breaking Betton’s door down. But the footage shows no cameras were activated until after the task force stopped firing.

The task force used a regular search warrant, meaning the officers were supposed to knock and announce their presence. Nearly all of them said they followed these stipulations. Video from Betton’s home security camera (which can be seen at the Washington Post) caught all these officers in a lie.

These 11 seconds of footage from that camera show that no member of the task force knocked on Betton’s door.

The video lacks audio, but both the Myrtle Beach police chief and a federal magistrate have since concluded that the video also strongly suggests there was no announcement. None of the officers’ lips appear to be moving, and it all happens very quickly. At best, they announced themselves simultaneously or nearly simultaneously, with the battering ram hitting the door.

A neighbor who was on Betton’s sidewalk (and was told to lie on the ground by the task force on their way to Betton’s door) backs up the camera footage. No announcement was made before the door was breached.

This is apparently standard operating procedure in Myrtle Beach. Only in rare cases does the task force seek no-knock warrants. (Task force officials say no-knocks are only “1-2%” of warrants obtained.) But they apparently serve plenty of normal warrants without knocking or announcing their presence.

It seems clear from the testimony in depositions that the 15th Circuit Drug Enforcement Unit doesn’t know any of this. Officer Christopher Dennis, for example, said that the “reasonable” waiting period for someone to answer the door begins the moment police arrive on the scene, not after they knock and announce themselves. This is false. Officer Chad Guess — who, remember, planned the Betton raid — said in a deposition that it’s “not the law to knock and announce. You know, it’s just not. It’s the officer’s discretion, each dictate determines itself.” This, again, is wrong. Officer Belue said under oath that he had no idea how long officers are supposed to wait before forcing entry, and that no one had trained him on the matter.

It’s a convenient misunderstanding of the law. It’s made even more convenient by the task force’s lack of clearly-written policies on serving warrants. Since everyone on the task force remains as ignorant as possible, they’re more likely to be granted immunity when victims of unconstitutional drug raids take them to court.

But these officers may not get off so lightly. Their reports and testimony have been disproven by the 11 seconds of video captured by Betton’s security camera. Officers who swore they knocked and announced their presence now have to explain how those both occurred with zero officers knocking on Betton’s door or even moving their lips.

More lies can be found elsewhere in the report. Officers stated in police reports they heard the sound of Betton’s gun firing. Ballistics testing has shown Betton never fired his handgun, so everyone making that same claim about gunfire is either mistaken about what they heard or, more likely, aligning themselves with the narrative they created in the aftermath of the shooting.

Maybe these officers are hoping their professional ignorance will outweigh their bogus reports. The task force has made it incredibly easy for members to write their own rules when executing warrants. As Balko points out, the single most invasive and dangerous thing the task force participates in (~150 times a year) — warrant service — has zero official policies dictating how task force members serve warrants. Apparently, all that time and effort went into creating a cool skull-and-crossbones logo for members to stitch on their not-very-coplike raid gear.

In any event, the court system is the last stop for justice. If any of these officers are ever going to be held accountable for their actions in the Betton raid, it will be here. Every level of oversight task force members answer to has already offered their official blessings for the knock-and-announce warrant that was carried out without knocks or announcements.

What happened to Julian Betton is an entirely predictable product of the failures, culture and mindset of the 15th Circuit Drug Enforcement Unit. And yet to date, state officials won’t even concede that this was a bad outcome, much less do anything to prevent it from happening again. Citing the SLED investigation, South Carolina solicitor Kevin Bracket cleared the officers of any wrongdoing within just a few months. In the three years since the raid, no officer involved has been disciplined, even internally. Nor has any officer been asked to undergo additional training. No policies have been changed. The DEU never bothered with its own investigation, or even an after-action examination to determine what went wrong.

The police clear themselves of wrongdoing, and a pending civil lawsuit has zero motivating effect on the drug unit. The task force is operating outside Constitutional boundaries with no internal guidance or effective oversight. Myrtle Beach-area drug warriors have no desire to clean up their act, and a large settlement paid by taxpayers is unlikely to result in a change of heart.

Techdirt.