In April 2019, Fidelis Threat Research Team published a set of blog posts on the theme of what’s old is still new. In the series, we emphasized the importance of not only staying on top of new threats, but to ensure vigilance and focus remains on threats that are actually relevant and responding to them in a timely manner, regardless of being old or the new the flavor of the week.
Our latest blog here continues to look at these older, yet very relevant, risks and how they continue to play an important factor in risk management and intelligence collection, monitoring, and response.
Based off internal telemetry, as well as information reported by third-party research and organizations, Fidelis TRT observed the following:
- Exploitation of older, common vulnerabilities remain a constant risk
- Both eCrime and nation-state adversaries continue to leverage vulnerabilities that are two years or older in popular software as part of their campaigns
- Commodity malware like exploit kits and spyware frequently observed in lures and artifacts attempting to exploit well-documented and older vulnerabilities
Vulnerability Exploitation Trends
There was no shortage of vulnerabilities released in 2019. A monthly tally of vulnerabilities from the National Vulnerability Database’s website yields 18,938 vulnerabilities released in 2019. Researchers and analysts have a responsibility to protect their customers (including their own organization), and must be able to determine the relevant threats from the hyped stories of each week, and respond to these threats in a timely manner. Although this effort is based off qualitative and subjective analysis, using empirical data alongside proper risk management and analysis can help support baseline detections to protect organization against recurring threats.
TRT assembled a cursory weighted chart of the most common vulnerabilities exploited by, or leveraged to deliver, popular crimeware and commodity malware (see Figure 1). The data comprised of several sources including Fidelis telemetry, external research and reporting, as well as intelligence-driven assessments to help determine the relevance and level of risk from particular vulnerabilities. A list of the top vulnerabilities exploited by cyber-criminals in 2019, according to research by Recorded Future, was among the sources used to highlight how older, common vulnerabilities from 2018 and earlier continue to be favored by adversaries.
Figure 1: Vulnerabilities Commonly Exploited by Commodity Malware, 2019
Figure 1 takes into account vulnerability exploit attempts observed in Fidelis customer logs as well as information gathered from other reliable sources and vendors based off reports produced on specific malware families and infections. This chart is representative of selected malware families including banking Trojans, malware droppers, exploit kits, and ransomware in order to draw a general assessment of vulnerabilities commonly exploited in order to determine Adversary course of action and potential detection priorities for Fidelis.
The chart illustrates that older vulnerabilities from the past two or three years are still actively exploited by commodity malware, crimeware, and ransomware campaigns. Microsoft Office, Microsoft Internet Explorer, and Adobe Flash are among the top software and services targeted in malware compromises.
In Figure 2, below, the links were reversed to highlight the sample of popular malware associated with each of the vulnerabilities from Figure 1. The graph illustrates vulnerabilities that are exploited by, or leveraged to deliver, commodity malware and other malicious campaign. These links were derived from reported incidents, actual malware samples, and discussions on darkweb forums. Interestingly, the chart shows a significant number of exploit kits and malware families that have been around for several years.
Figure 2: Malware Families Associated with Commonly Exploited Vulnerabilities, 2019
TRT Assessment & Recommendations
In addition to Microsoft Office, Internet Explorer, and Adobe products, TRT assesses that critical vulnerabilities in other ubiquitous software and services will also continue to pose a significant risk, including Oracle WebLogic, various Apache frameworks, content management systems (e.g.: Drupal, Joomla, and WordPress, notably in their plugins and extensions), and VPN services. Going forward Fidelis TRT Intel assesses that common older vulnerabilities, including those mentioned earlier, will continue to be exploited in malicious campaigns. Additionally we assess that some more recently reported critical vulnerabilities in Microsoft services and products, including Sharepoint, Exchange Server, and SQL Reporting Service.
Fidelis’ TRT focuses on relevant threats that are assessed to be of high risk to our customers. These include tools and tactics that continue to be successfully leveraged by adversary groups to compromise their targets. While maintaining vigilance on fringe threats and the most dangerous potential courses of action, the tried and true tactics and likely courses of action that continue to be carried out help ensure that customers can be protected by the most common threats.