CVEs

SpearTip | July 27th, 2021


In its examination of cybercrime forums between January 2020 and March 2021, Cognyte found the following CVEs to be the most widely shared among threat actors.

These are not necessarily the most widely exploited vulnerabilities, but they are the most discussed on the forums, which gives a general picture of what threat actors are talking about with each other.

Popular CVEs Among Threat Actors

CVE-2020-1472 (ZeroLogon) – An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller using the Netlogon Remote Protocol. An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network. The root cause is Netlogon's use of AES-CFB8 with an all-zero initialization vector: an unauthenticated attacker on the network can pass the Netlogon handshake with a forged all-zero client credential, which succeeds for roughly one key in 256, and from there reset the domain controller's machine account password and take over the domain.
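The following added example (not code from the original page, Secura's research or Microsoft) shows why the all-zero IV matters. It implements CFB8 mode with a hash-based stand-in for the AES block function (an assumption made so it runs without a crypto library; the property demonstrated holds for any block cipher): when the IV and the plaintext are both all zeros, the ciphertext is all zeros exactly when the first byte of the block function's output for the zero block is zero, which happens for about 1 in 256 keys. That is the probability a forged all-zero credential is accepted per attempt.

```python
import hashlib
from typing import Optional

BLOCK_SIZE = 16  # block size in bytes, the same as AES


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for one AES block encryption (assumption: a SHA-256 based PRF
    replaces AES so the example runs offline with the standard library only).
    The CFB8 weakness shown below does not depend on the block cipher used."""
    assert len(block) == BLOCK_SIZE
    return hashlib.sha256(key + block).digest()[:BLOCK_SIZE]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CFB8 mode: every plaintext byte is XORed with the first byte of the block
    function applied to a 16-byte shift register, and the ciphertext byte is then
    shifted into the register. With iv == 0 and plaintext == 0, a zero keystream
    byte leaves the register all zeros, so every following byte is zero as well."""
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        keystream_byte = block_encrypt(key, bytes(register))[0]
        c = p ^ keystream_byte
        out.append(c)
        register = register[1:] + bytes([c])
    return bytes(out)


def first_keystream_byte_is_zero(key: bytes) -> bool:
    """The single condition that decides whether the zero-credential forgery works."""
    return block_encrypt(key, bytes(BLOCK_SIZE))[0] == 0


def zero_iv_forgery_accepted(key: bytes, credential_len: int = 8) -> bool:
    """True when an all-zero 8-byte 'client credential' encrypts to all zeros under
    an all-zero IV, i.e. the forged credential a Zerologon attacker sends matches."""
    ciphertext = cfb8_encrypt(key, bytes(BLOCK_SIZE), bytes(credential_len))
    return ciphertext == bytes(credential_len)


def estimate_success_rate(trials: int) -> float:
    """Fraction of deterministically generated keys for which the forgery succeeds;
    converges to about 1/256 (0.0039)."""
    hits = sum(zero_iv_forgery_accepted(i.to_bytes(4, "big")) for i in range(trials))
    return hits / trials


def find_weak_key(max_trials: int) -> Optional[bytes]:
    """Return the first constructed key for which the forgery is accepted."""
    for i in range(max_trials):
        key = i.to_bytes(4, "big")
        if zero_iv_forgery_accepted(key):
            return key
    return None


if __name__ == "__main__":
    weak = find_weak_key(100_000)
    print("success rate over 65536 keys:", estimate_success_rate(65536))
    print("first weak key:", weak.hex() if weak else None)
    if weak:
        # With a non-zero IV the shift register never stays all-zero, so the
        # same key no longer produces an all-zero ciphertext.
        print("all-zero output with non-zero IV:",
              cfb8_encrypt(weak, b"\x01" * BLOCK_SIZE, bytes(8)) == bytes(8))
```

The attacker does not need to know the key: because the session key changes per attempt, they simply repeat the handshake with an all-zero challenge and credential until one of the attempts (256 on average) is accepted. A random IV, as the mode requires, removes the all-zero fixed point entirely.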

CVE-2020-0796 (SMBGhost) – A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server or client. To exploit the vulnerability against a server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server. To exploit the vulnerability against a client, an unauthenticated attacker would need to configure a malicious SMBv3 server and convince a user to connect to it.

CVE-2019-19781 – A directory traversal issue in Citrix Application Delivery Controller (ADC) and Gateway versions 10.5, 11.1, 12.0, 12.1, and 13.0 lets an unauthenticated attacker reach restricted paths on the appliance; it was widely exploited in the wild for remote code execution.
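The bug class behind CVE-2019-19781 is a path check performed on the raw request path before it is normalized, so `..` segments slip past an allow-list and land outside the intended directory. The example below is added here to illustrate that class in general terms; it is not Citrix code and the web root, directory names and request paths in it are constructed for the illustration. The vulnerable resolver checks a string prefix on the un-normalized path; the hardened one decodes, normalizes and then checks that the resulting path is still inside the allowed directory.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Constructed layout for the example: only files under PUBLIC_DIR may be served.
WEB_ROOT = "/srv/www"
PUBLIC_DIR = "/srv/www/public"
PUBLIC_PREFIX = "/public/"


def resolve_vulnerable(request_path: str) -> Optional[str]:
    """Prefix check on the raw request path. '/public/../private/x' passes the
    check and resolves outside the public directory once the OS normalizes it."""
    if not request_path.startswith(PUBLIC_PREFIX):
        return None
    return WEB_ROOT + request_path


def resolve_hardened(request_path: str) -> Optional[str]:
    """Decode, normalize, then verify containment on the resulting path."""
    # Decode twice so a double-encoded '%252e%252e' cannot hide a traversal.
    decoded = unquote(unquote(request_path))
    if "\x00" in decoded:            # embedded NUL truncates paths in C runtimes
        return None
    # normpath collapses '.', '..' and repeated slashes; the path is made
    # relative first so it cannot replace WEB_ROOT with an absolute path.
    full = posixpath.normpath(posixpath.join(WEB_ROOT, decoded.lstrip("/")))
    # Containment check on the normalized path, not a string prefix: this also
    # rejects '/srv/www/publicx' which 'startswith(PUBLIC_DIR)' would accept.
    if posixpath.commonpath([PUBLIC_DIR, full]) != PUBLIC_DIR:
        return None
    return full


def escapes_public_dir(resolved: Optional[str]) -> bool:
    """True when a resolved path, after normalization, is outside PUBLIC_DIR."""
    if resolved is None:
        return False
    return posixpath.commonpath([PUBLIC_DIR, posixpath.normpath(resolved)]) != PUBLIC_DIR


if __name__ == "__main__":
    # Constructed sample requests: benign, traversal, encoded traversal, direct access.
    for req in ["/public/index.html",
                "/public/../private/secrets.txt",
                "/public/%2e%2e/private/secrets.txt",
                "/private/secrets.txt"]:
        v, h = resolve_vulnerable(req), resolve_hardened(req)
        print(f"{req:40} vulnerable={v} escapes={escapes_public_dir(v)} hardened={h}")
```

The decisive difference is the order of operations: the hardened version decides on the path it will actually open, not on the bytes the client sent.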

CVE-2019-0708 (BlueKeep) – A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction, which makes it wormable. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

CVE-2017-11882 – A remote code execution vulnerability exists in Microsoft Office software when the software fails to properly handle objects in memory; the flaw is in the legacy Equation Editor component and is triggered by opening a crafted document. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

CVE-2017-0199 – A remote code execution vulnerability exists in the way that Microsoft Office and WordPad parse specially crafted files. An attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Most of the CVEs above are old, which means routine patching would have prevented most of the attacks that use them. Microsoft patched SMBGhost in March 2020, yet because many organizations do not keep close track of their systems, at least 100,000 Windows systems remain vulnerable.

Zerologon is another example of an old vulnerability that keeps being exploited. Microsoft patched it in August 2020 and, knowing that many environments would not be fully updated, followed with an enforcement phase in February 2021 in which patched domain controllers reject vulnerable Netlogon secure channel connections from non-compliant devices.

If old, well-documented vulnerabilities still give threat actors an easy foothold, consider what a zero-day can do to an organization that is not watching its environment. Installing antivirus tools and calling it a day is not enough. Put an experienced security team in charge of monitoring your networks and managing your patching. It is not an easy task, which is exactly what makes our team valuable to your organization.

SpearTip’s engineers continuously track the latest developments in the threat landscape. This gives our clients the stability they need to keep operating their businesses without worrying about the threats waiting to enter their environment.

Our proprietary endpoint detection and response tool, ShadowSpear, detects threats and stops them before they can spread across your machines. Combined with our 24/7 Security Operations Center, it gives your organization what it needs to remain fully operational and protected from cyber threats.

Frequently Asked Questions

What are some effective ways to mitigate the risk of a cyberattack targeting popular CVEs?

Effective ways to mitigate the risk of a cyberattack targeting popular CVEs include regularly patching and updating software, implementing strong network security measures such as firewalls and intrusion detection systems, conducting regular vulnerability assessments and penetration tests, and educating employees about the importance of cybersecurity and safe online behavior.

Are there any specific industries or organizations that are more vulnerable to these types of attacks?

Industries that handle sensitive data, such as finance, healthcare, and government sectors, are often targeted by threat actors due to the potential for financial gain or access to valuable information.

How do threat actors identify and select which popular CVEs to target?

Threat actors constantly monitor security vulnerabilities and exploit databases, security forums, and dark web platforms to gather information on popular CVEs. They may also conduct reconnaissance activities and analyze publicly available information to identify potential targets.
