The US National Security Agency has published today an in-depth report detailing the top 25 vulnerabilities that are currently being consistently scanned, targeted, and exploited by Chinese state-sponsored hacking groups.
Organisations should have a vulnerability patch management system in place, but when it comes to multiple bugs being leveraged as entry points it becomes harder to prioritise their severity and the urgency to patch. Ideally, all software vulnerabilities would be addressed as soon as the vendor is made aware and releases a patch. This is especially true for high profile targets such as governmental agencies, but also healthcare providers and educational institutions.
However, operational reasons often dictate that the pace of update is sub-optimal when viewed through a cybersecurity lens. In these instances, wherever upgrading isn’t possible, it is advisable to have a network monitoring system in place, which should be equipped to detect the signs of an attempt to exploit known vulnerabilities, and could also provide detailed visibility into lateral movement through an organization’s network. This is also vital as a forensic tool should a security incident occur.
This in-depth report again emphasises the importance of having an enterprise-wide, comprehensive security program incorporating people, process and technical controls. To tackle vulnerabilities requires equal emphasis placed on collaboration between people across the organisation to prioritize and address the vulnerabilities, patch management processes as well as vulnerability assessment tooling that has the ability to highlight the classification of the information asset, where the vulnerability exists. CISOs should be speaking to their leadership teams about the security posture of their technology environment that delivers their key products and services, as well as provide assurance that exploitation risks associated with these identified vulnerabilities are patched.
The details published today by the NSA of the top 25 vulnerabilities being leveraged by state-sponsored hackers is a stark reflection on patching policies of organizations. There are vulnerabilities dating back over 3 years in the list, which should have been addressed by now.
It’s important to have a procedure in place to update vulnerable software as soon as possible from the date the fix has been released. Sometimes it is not always practical or possible to update software straight away as certain elements rely on a specific version or the update requires scheduling downtime, however, a plan and a timeline should be put in place. Organisations should be asking the questions:
1. Why can’t it be patched now?
   Is the software we are using, or the system using the software, so out of date that we need to change it?
2. What can we do to protect ourselves while unpatched?
   Allow access to specific ports only from a predefined list of IPs by using a firewall, or block access to the system using the software from the internet completely.
   Is the current risk associated low enough to not patch – no sensitive information could be stolen, no other systems are connected, no possibility of leveraging the exposed vulnerability into something more nefarious? This risk assessment should be carried out by trained professionals.
3. When will we patch?
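The three questions above turned into a small triage routine, as an added example rather than anything from the comment or from the NSA report. The weighting, the SLA tiers, the host names and the dates are assumptions constructed for the example; CVE-2020-5902 is the one identifier the commentary mentions, the other two CVE strings are placeholders.

```python
"""Triage unpatched findings against three questions: why not now,
what protects us meanwhile, and when we will patch."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Finding:
    cve: str                   # identifier as reported by the scanner
    host: str
    fix_released: date         # date the vendor fix became available
    internet_exposed: bool
    holds_sensitive_data: bool
    connected_systems: int     # other systems reachable from this host
    blocker: str = ""          # answer to "why can't it be patched now?"


@dataclass
class Decision:
    cve: str
    host: str
    score: int
    patch_by: date             # answer to "when will we patch?"
    interim_controls: list     # answer to "what do we do while unpatched?"


def score_finding(f: Finding, today: date) -> int:
    """Assumed weighting: exposure and blast radius dominate, fix age adds urgency."""
    score = 0
    if f.internet_exposed:
        score += 40
    if f.holds_sensitive_data:
        score += 25
    score += min(f.connected_systems, 10) * 2
    months_unpatched = (today - f.fix_released).days // 30
    score += min(months_unpatched, 12)   # one point per month, capped at a year
    return score


def interim_controls(f: Finding) -> list:
    """Compensating controls to apply while the patch is pending."""
    controls = []
    if f.internet_exposed:
        controls.append("firewall: allow the service port only from the predefined "
                        "source-IP list, or take the system off the internet")
    if f.connected_systems > 0:
        controls.append("segment the host and monitor for lateral movement")
    controls.append("monitor the service's log source for exploit attempts against " + f.cve)
    return controls


def patch_deadline(score: int, today: date) -> date:
    """Assumed SLA tiers: 7 days when critical, 30 when elevated, 90 otherwise."""
    if score >= 60:
        return today + timedelta(days=7)
    if score >= 30:
        return today + timedelta(days=30)
    return today + timedelta(days=90)


def triage(findings: list, today: date) -> list:
    """Score every finding and return decisions ordered by urgency."""
    decisions = []
    for f in findings:
        s = score_finding(f, today)
        decisions.append(Decision(f.cve, f.host, s, patch_deadline(s, today), interim_controls(f)))
    return sorted(decisions, key=lambda d: d.score, reverse=True)


# Constructed inventory: hosts, dates and blockers are made up for the example.
SAMPLE_FINDINGS = [
    Finding("CVE-2020-5902", "edge-lb-01", date(2020, 7, 1), True, True, 5,
            blocker="change window for the load balancer not yet approved"),
    Finding("CVE-YYYY-PLACEHOLDER-A", "hr-db-02", date(2017, 9, 1), False, True, 2,
            blocker="vendor application certified only against the old DB version"),
    Finding("CVE-YYYY-PLACEHOLDER-B", "lab-kiosk-07", date(2020, 10, 1), False, False, 0),
]
TODAY = date(2020, 10, 20)   # fixed "today" so the sample run is reproducible


def run_sample() -> list:
    return triage(SAMPLE_FINDINGS, TODAY)


if __name__ == "__main__":
    for d in run_sample():
        print(d.score, d.cve, d.host, "patch by", d.patch_by)
        for c in d.interim_controls:
            print("   -", c)
```

The point of the exercise is that every finding leaves with an owner-visible deadline and a named compensating control, so "we can't patch yet" never becomes "we did nothing"; the numbers themselves should be replaced with whatever the organisation's own risk model says.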
People have the impression that cyber crime is sophisticated and difficult to protect against. But as this news demonstrates, even highly professional criminals are often just exploiting known vulnerabilities that organisations and the public haven’t taken the time to address. Making sure software is up to date (and thus patches for known vulnerabilities are in place) is one of the five fundamental rules of cyber hygiene. The UK government has developed a scheme that covers these fundamentals to help all businesses and their staff understand and maintain basic security.
The excellent work from NSA on the Top 25 software security issues and exploits list operationalised by the state-sponsored actors from NSA is a great starting point, but it likely does not apply to all organisations in the same way. In particular, it is important to understand the types of technologies used by an organisation that are in-scope for the exploits, as well as how exactly the software security issues listed by NSA are leveraged by attackers operationally to better detect and mitigate them in your environments.
For instance, for the CVE-2020-5902, the known exploits targeting the issue typically enable attackers to spawn a reverse bash shell running as tomcat after sending a specially crafted JDBC request over tcp port 443 containing an unsafe serialization payload, which might need to be factored in both in terms of the detection and mitigation mechanisms that can be leveraged to effectively detect and protect against current and future variants of this attack.
Also, for some of the software security exploits mentioned, the corresponding log sources required, such as your Remote Access, VPN, or Web Services, often are not monitored properly by some organisations, so this is a good example of the importance of expanding your visibility in these areas and implementing the ability to effectively monitor the activity associated with these technologies and log sources to be able to detect the latest attacks as part of your defense- and detection-in-depth security strategy.
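One concrete form of the detection the two paragraphs above call for: a rule over process-start telemetry that flags a shell launched under a web-application service account such as tomcat, with a higher severity when that shell also opens an outbound connection. This is an added example, not code from the commentary or from any vendor; the event field names, the service-account and shell lists, and the sample events are all constructed assumptions, to be mapped onto whatever EDR or audit source an organisation actually collects.

```python
"""Flag shells spawned under web-application service accounts in process-start events."""
import json
from typing import Optional

# Accounts that run web/app-server processes and should never launch a shell
# (assumption for this example; adapt to the environment's real service accounts).
WEB_SERVICE_ACCOUNTS = {"tomcat", "www-data", "nginx", "apache"}
SHELL_IMAGES = {"bash", "sh", "dash", "zsh"}

# Constructed process-start events in JSON-lines form. The field names loosely
# follow EDR/auditd-style telemetry and are assumptions, not a product's schema.
SAMPLE_EVENTS = """\
{"ts": "2020-10-20T09:00:01Z", "host": "web01", "user": "tomcat", "parent": "java", "image": "bash", "net": {"dst": "198.51.100.77", "dport": 4444}}
{"ts": "2020-10-20T09:00:05Z", "host": "web01", "user": "tomcat", "parent": "java", "image": "java", "net": null}
{"ts": "2020-10-20T09:01:00Z", "host": "web01", "user": "root", "parent": "sshd", "image": "bash", "net": null}
{"ts": "2020-10-20T09:02:00Z", "host": "web02", "user": "www-data", "parent": "apache2", "image": "sh", "net": null}
"""


def parse_events(text: str) -> list:
    """Parse JSON-lines telemetry, skipping blank or malformed lines instead of aborting."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue   # a broken line should not silence the rest of the feed
    return events


def classify(event: dict) -> Optional[str]:
    """Return a severity for suspicious events, or None for benign ones."""
    if event.get("user") not in WEB_SERVICE_ACCOUNTS:
        return None
    if event.get("image") not in SHELL_IMAGES:
        return None
    # A shell under a web service account that also opens an outbound
    # connection matches the reverse-shell behaviour described above.
    if event.get("net"):
        return "high"
    return "medium"   # shell without network: still unexpected, worth a look


def detect(text: str) -> list:
    """Run the rule over a telemetry feed and return alert records."""
    alerts = []
    for ev in parse_events(text):
        severity = classify(ev)
        if severity:
            alerts.append({
                "severity": severity,
                "ts": ev.get("ts"),
                "host": ev.get("host"),
                "user": ev.get("user"),
                "parent": ev.get("parent"),
                "image": ev.get("image"),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Note that the root shell under sshd is deliberately not flagged: the rule keys on the service account, not on the shell binary, which is what keeps it usable on an administered host. The medium-severity case (a shell under www-data with no network activity) is the kind of event that only shows up if the web tier's process telemetry is collected at all, which is the visibility gap the comment above describes.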