As COVID-19 moves people to the cloud, cyber actors now aim at shooting the sky.
On July 28, 2021, the US Cybersecurity and Infrastructure Security Agency (CISA) released a report detailing the top exploited vulnerabilities in 2020 and 2021. The report shows that the attackers’ favorite new targets are vulnerabilities published after 2019 and relevant to remote work, VPN (Virtual Private Network), and cloud-based technologies.
As remote work became widespread, cyber actors have been taking advantage of the young, unpatched, remote work-related vulnerabilities, while cyber defenders struggled to keep up with routine software patching. Once exploited, target computers would be controlled by attackers by using remote code execution (RCE), arbitrary code execution, path traversal, or other techniques.
Risks Rise as Remote Work Needs Surge
The 12 identified vulnerabilities on CISA’s list (Table 1) demonstrate that attackers often target recently discovered and remote work-related vulnerabilities. The top three flaws on the list are related to remote work, VPN, and cloud-based environments. Nine of the weaknesses were published in or after 2019.
Table 1: Top Exploited Vulnerabilities in 2020
Remote work-related vulnerabilities were attractive to attackers in 2020. The hasty deployment of cloud collaboration services easily led to an oversight in security configurations. The top three most exploited vulnerabilities, CVE-2019-19781, CVE-2019-11510, CVE-2018-13379, all were discovered in VPN services.
As discussed in our 2020 annual security roundup, virtual private networks (VPNs) have become indispensable for enterprises that are aiming to extend and protect their internal network connections from external threats. Many organizations and ordinary users have adopted VPNs in offices and private homes. Usage spiked in early 2020 , and an early 2021 study indicated that 31% of internet users worldwide have used a VPN. However, although a VPN is a security tool, it can also be an entry vector for cyberthreats. In reality, unpatched and outdated VPNs can host critical vulnerabilities, and attackers can exploit these flaws to compromise targets’ systems.
Our data shows the detection numbers of some of the most notable and widespread VPN vulnerabilities in 2020 and the first half of 2021. We found that there was a sudden surge in detections for CVE-2018-13379 in January 2021, and although the numbers dipped in later months, they were markedly higher than the same time last year. CVE-2018-13379 is a vulnerability in the Fortinet VPN product that allows an unauthenticated user to download system files via specially crafted HTTP resource requests.
A comparison of the detection counts of notable VPN vulnerabilities in the first half of 2020 and the first half of 2021
Source: Trend Micro Digital Vaccine filters
Chart 1: The timeline of CVE-2019-19781
CVE-2019-19781 is a perfect example of how attackers leverage the unpatched window to exploit a vulnerability.
The Citrix Netscaler Application Delivery Control (ADC) vulnerability was the most exploited flaw in 2020. ADC is a load balancing application for web, application, and database servers widely used throughout the United States. Unpatched devices are vulnerable to RCE and entire system compromise due to poor access controls, thus allowing directory traversal.
CVE-2019-19781 was published at the end of 2019 and soon was under attack by multiple exploits. The exploits spread across multiple countries, including the United States, Colombia, Argentina, and Switzerland. The attacks ebbed in the first half of 2021, with less than 7,000 exploits detected by Trend Micro Intrusion Prevention System (IPS) solutions.
Chart 2: The timeline of CVE-2019-11510
The runner-up, CVE-2019-11510, shows how an unpatched vulnerability could suffer from cyber-attacks even if an official patch exists.
Frequently targeted by nation-state APTs, the Pulse Secure Connect vulnerability is susceptible to unauthenticated arbitrary file disclosure. An attacker can exploit this vulnerability to gain access to administrative credentials.
Even though Pulse Secure offered software updates when the vulnerability was announced, active exploitation still targeted the unpatched VPN servers, some with the intention to install REvil (Sodinokibi) ransomware. Trend Micro data shows most exploits targeted German organizations. Luckily, like CVE-2019-19781, CVE-2019-11510 exploit activities have appeared to ebb since February 2021.
Chart 3: The timeline of CVE-2018-13379
CVE-2018-13379, a vulnerability affecting Fortinet Secure Sockets Layer (SSL) VPN, is another remote work-related vulnerability targeted by attackers from 2020 through 2021. The weakness is vulnerable to unauthenticated directory traversal, which allows attackers to gain access to the sslvpn_websession file. An attacker is then able to exact clear-text usernames and passwords.
Recent attacks peaked in January 2021, and Trend Micro detected nearly 500 thousand exploits in the first half of 2021. Most of the exploit attempts were made against targets in Germany and United States.
Old Vulnerabilities, Longtime Favorites
Even though fresh faces emerge, some old vulnerabilities are still popular with attackers. CVE-2017-11882, CVE-2018-7600 and CVE-2019-0604, which were on the top 10 list in the “Most Exploited Vulnerabilities 2016-2019”, also made it to the top 10 in 2020.
For example, CVE-2017-11882, a vulnerability related to Microsoft’s Object Linking and Embedding (OLE) technology, is a longtime favorite linked to suspected state-sponsored cyber actors from China, Iran, North Korea, and Russia. It is not only because Microsoft Office is used in every part of the world, but also because many people do not update Office regularly with the latest patches. This enables RCE on vulnerable systems. Though in the first half of 2021, while the number of exploits is much lower than its 2019 peak, it is still a weakness on a high patch priority.
Chart 4: The timeline of CVE-2017-11882
CVE-2018-7600 has been under a lot of ongoing threats from 2019 through 2021. It is a weakness that exists in the open-source content management system Drupal. The flaw exists in multiple Drupal versions. Attackers can exploit it and execute arbitrary code and hijack servers. Though the exploits have gone down from the previous peaks in 2019 and 2020, Trend Micro still detected more than 1.26 million exploits in the first half of 2021, with victims in the United States, Germany, and Canada.
Chart 5: The timeline of CVE-2018-7600
Protect Your Organization with IPS
As organizations shift to the cloud, and work from home becomes more mainstream due to the pandemic, businesses will need to improve their ability to defend their systems from exploited vulnerabilities. In addition, hybrid cloud environments will continue to be the norm, so a cybersecurity platform approach that can manage both on-premises and cloud-based workloads can help. To prevent organizations from being attacked in the new remote work era, Intrusion Prevention System (IPS) plays a significant role. IPS solutions can intercept traffic that is trying to exploit existing, unknown, or undisclosed vulnerabilities when patches are not ready to be installed. It identifies malicious software that is accessing the network, and increases visibility into, or control over, applications that are accessing the network.
The value an IPS brings is apparent. IPS solutions can buy organizations additional time to wait for the release of vendor patches or to get the patching work tested and applied. It reduces or eliminates time and money spent performing emergency patching. Also, it allows organizations to maintain a normal patching cycle.
Vulnerabilities and exploits sometimes used to mean the same thing but they are in reality very different. A vulnerability is a weakness within the software that leaves it open to attack -similar to leaving the back door open to your house or shop. In contrast, an exploit is the code or threat that is written to take advantage of the vulnerability. This is the method in which someone would go through the open door. There can be hundreds or thousands of exploits for a single vulnerability. At Trend Micro, we focus on virtually patching the vulnerability (shutting the door) using our IPS technology and detecting exploits at the anti-malware level, which in turn can block all the exploits.
Trend Micro TippingPoint and Trend Micro Cloud One – Workload Security, and Trend Micro Worry-Free Business Security offer all-around protection for organizations, from network security to hybrid-cloud environments with next-generation IPS.
Trend Micro TippingPoint runs real-time, automated inspection into corporate network traffic without impeding network performance for hybrid infrastructure – including on-premises, private, and public cloud. The complete visibility of all network traffic keeps network security ahead of potential attacks. In 2020, TippingPoint IPS solution was able to protect customers on average 81 days prior to a patch being disclosed for bugs submitted to our Zero-Day-Initiative (ZDI) program, the world’s largest vendor agnostic bug bounty program.
Trend Micro Cloud One – Workload Security, on the other hand, secures the mixed environment of virtual, physical, cloud, and containers. Trend Micro Cloud One - Workload Security proactively defends against network threats with intrusion prevention and firewall. It runs automated detection on every new workload and empowers organizations to control hybrid environments with a centralized portal, with hourly pricing flexibility.
For over 30 years, Trend Micro has defended enterprises against malicious cyber activities and has blocked both zero-day exploits and n-day vulnerabilities as early as possible. With the leading bug bounty program (ZDI) and next-generation IPS, Trend Micro provides network protection with low latency and no false positives.
To learn more about how Trend Micro can protect your business from vulnerabilities, please visit: https://www.trendmicro.com/en_us/business/products/network/intrusion-prevention/threat-intelligence.html