It has been reported that US cybersecurity agencies have outlined the top 10 most exploited software vulnerabilities across the past 4 years. The report, authored by the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (DHS CISA) and the FBI, urges organisations in the public and private sector to apply necessary updates in order to prevent the most common forms of attacks encountered today. This includes attacks carried out by state-sponsored, non-state, and unattributed threat actors. US government officials argue that applying patches could degrade the cyber arsenal of foreign actors targeting US entities, as they’d have to invest resources into developing new exploits, rather than relying on old and tested bugs.
This shows quite clearly that while much attention is focused on the “risks and vulnerabilities of tomorrow”, the ones that most frequently end up hurting us are those of yesteryear that we have still not managed to identify and resolve.
Predictably, most attackers targeting end users rely on macro-based malware, either by tricking the user into allowing execution or by landing on massively outdated installations. The other risk that stands out is the exploitation of VPN services, for the simple reason that a VPN concentrator grants the initial foothold into the customer environment. If an organisation had to pick just one system to give that extra love and attention, its VPN services would be the place to start.
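As an added example (not code from the original post or from Edgescan), here is a small Python triage check of the kind a mail gateway or analyst script could run on attachments before a user is ever asked to “enable content”: it inspects the Office Open XML container for a VBA project regardless of the file extension, so a macro document renamed to .docx is still caught. The sample packages it builds are constructed in-memory stand-ins, not real Word output, and the attachment names are made up; legacy OLE2 .doc/.xls files are not zip containers and would need a separate OLE parse.

```python
"""Flag Office Open XML attachments that carry a VBA project, whatever their extension.

Added example, not part of the original post. Sample documents are constructed
in memory as minimal OOXML zips, not real Word output.
"""
import io
import zipfile

# Content type Office assigns to the VBA project part of a macro-enabled document.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def has_vba_project(data: bytes) -> bool:
    """True if an OOXML container carries a VBA project, regardless of extension.

    Two independent signals are checked: a part named vbaProject.bin anywhere in
    the package (word/, xl/, ppt/), and the VBA content type declared in
    [Content_Types].xml. Input that is not a zip at all (plain text, or a legacy
    OLE2 .doc/.xls that needs an OLE parser instead) returns False, not an error.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return True
            if "[Content_Types].xml" in names:
                ct_xml = z.read("[Content_Types].xml").decode("utf-8", "replace")
                if VBA_CONTENT_TYPE in ct_xml:
                    return True
    except zipfile.BadZipFile:
        return False
    return False


def build_package(with_macro: bool) -> bytes:
    """Construct a minimal OOXML package (sample data only, not produced by Word)."""
    main_ct = (
        "application/vnd.ms-word.document.macroEnabled.main+xml"
        if with_macro
        else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
    )
    overrides = f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
    if with_macro:
        overrides += f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
    content_types = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/>'
        f"{overrides}</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # A real vbaProject.bin is an OLE2 compound file; placeholder bytes suffice here.
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder")
    return buf.getvalue()


def triage(attachments: dict) -> list:
    """Return the names of attachments that carry a VBA project, in input order."""
    return [name for name, blob in attachments.items() if has_vba_project(blob)]


# Constructed sample set (hypothetical attachment names): a clean .docx, a
# genuine .docm, the same .docm renamed to look harmless, and a non-Office file.
SAMPLES = {
    "report.docx": build_package(with_macro=False),
    "invoice.docm": build_package(with_macro=True),
    "invoice_renamed.docx": build_package(with_macro=True),
    "notes.txt": b"plain text, not a zip at all",
}

if __name__ == "__main__":
    for name in triage(SAMPLES):
        print(f"macro-enabled content found: {name}")
```

The point of checking the package contents rather than the extension is the renamed case: the extension is attacker-controlled, the zip part list and content types are not, so the decision to quarantine or strip the attachment should hinge on the latter.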
Struts exploitation should, in a well-segmented network, get an attacker no further than a DMZ or, better still, an isolated system; but given how many networks are still set up today, targeting those web servers is clearly still a viable path to internal network access.
The DHS report appears to align with what we are seeing in the wild, as detailed in the Edgescan Vulnerability Stats Report. Known CVEs are an attack vector that should be mitigated with good patching and/or maintenance procedures. It is also important to note that the vulnerabilities commonly used to exploit systems are years old and not “zero day” issues.
Web application vulnerabilities should also be mentioned, as they open organisations up to code injection and client-side browser attacks. Ultimately, attackers don’t care where the vulnerability is, which is why a full-stack vulnerability management approach is advised in such a fast-changing threat landscape.