From an examination of cybercrime forums between January 2020 and March 2021, Cognyte found these vulnerabilities to be the most shared among threat actors.
Although these may not be the most widely used, they are the most talked about on forums, so the list gives a general idea of what threat actors are communicating about.
Popular CVEs Among Threat Actors
CVE-2020-1472 (ZeroLogon) – An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol. An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network.
CVE-2020-0796 (SMBGhost) – A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server or client. To exploit the vulnerability against a server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server. To exploit the vulnerability against a client, an unauthenticated attacker would need to configure a malicious SMBv3 server and convince a user to connect to it.
CVE-2019-19781 – An issue in the Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0 can allow Directory Traversal.
CVE-2017-0708 (BlueKeep) – A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
CVE-2017-11882 – A remote code execution vulnerability exists in Microsoft Office software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative rights, an attacker could take control of the affected system. An attacker could then install programs; view, change or delete data; or create new accounts with full user rights.
CVE-2017-0199 – A remote code execution vulnerability exists in the way that Microsoft Office and WordPad parse specially crafted files. An attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Many of the CVEs listed above are older vulnerabilities, which means basic patching could have prevented most of the attacks that used them. The SMBGhost vulnerability was patched by Microsoft in March 2020, but because users fail to pay close attention to their systems, at least 100,000 Windows systems remain vulnerable.
Zerologon is another example of an old vulnerability being exploited time and time again. Microsoft was aware that users were not patching over time, so it eventually started to block unpatched systems to prevent any further damage.
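Before Microsoft's blocking (enforcement) phase, the practical way for a domain administrator to find the devices that still depended on the vulnerable Netlogon channel was to read the audit events the CVE-2020-1472 update added to a domain controller's System log. The script below is an added example, not code from the original post, from Cognyte or from SpearTip: it triages such events and produces the patch worklist an administrator would act on. The event IDs (5827 and 5828 for denied connections, 5829 for a vulnerable connection that was allowed, 5830 and 5831 for connections allowed by an explicit group-policy exception) are the ones Microsoft documented for this update; the log line layout, message wording, host names and addresses are constructed for the example and will differ from a real export.

```python
"""Triage Netlogon secure-channel audit events for ZeroLogon (CVE-2020-1472).

Added example. The sample lines are constructed (timestamp, event ID, message),
approximating a flat export of a domain controller's System log; real exports
carry more fields and different wording. The event ID meanings below are the
ones Microsoft documented for the CVE-2020-1472 update.
"""
import re
from collections import defaultdict

# Constructed sample input: one event per line.
SAMPLE_EVENTS = """\
2021-02-01T08:00:12 5829 Netlogon allowed a vulnerable secure channel connection. Machine SamAccountName: PRINTSRV01$ Domain: CORP Client Address: 10.0.5.21
2021-02-01T08:03:44 5827 Netlogon denied a vulnerable secure channel connection from a machine account. Machine SamAccountName: OLDFILE02$ Domain: CORP Client Address: 10.0.5.40
2021-02-01T08:05:01 5829 Netlogon allowed a vulnerable secure channel connection. Machine SamAccountName: PRINTSRV01$ Domain: CORP Client Address: 10.0.5.21
2021-02-01T08:09:37 5830 Netlogon allowed a vulnerable secure channel connection because the account is listed in the allow policy. Machine SamAccountName: LEGACYNAS$ Domain: CORP Client Address: 10.0.7.9
2021-02-01T08:12:20 5828 Netlogon denied a vulnerable secure channel connection using a trust account. Trust Name: partner.example Client Address: 192.0.2.15
2021-02-01T08:15:00 4624 An account was successfully logged on.
"""

# outcome, subject kind  (documented Microsoft event IDs for CVE-2020-1472)
NETLOGON_EVENTS = {
    5827: ("denied", "machine account"),
    5828: ("denied", "trust account"),
    5829: ("allowed-vulnerable", "machine account"),
    5830: ("allowed-by-policy", "machine account"),
    5831: ("allowed-by-policy", "trust account"),
}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<eid>\d{4})\s+(?P<msg>.*)$")
ACCOUNT_RE = re.compile(r"Machine SamAccountName:\s*(\S+)")
TRUST_RE = re.compile(r"Trust Name:\s*(\S+)")
ADDR_RE = re.compile(r"Client Address:\s*(\S+)")


def parse_events(text):
    """Yield (timestamp, event_id, message) for every well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["ts"], int(m["eid"]), m["msg"]


def triage(text):
    """Group Netlogon audit events by outcome and by the account involved.

    Returns (report, ignored) where report[outcome][account] holds the hit
    count and the set of client addresses seen, and ignored counts events
    that are not Netlogon secure-channel audits (e.g. 4624 logons).
    """
    report = {
        outcome: defaultdict(lambda: {"count": 0, "addresses": set()})
        for outcome, _kind in NETLOGON_EVENTS.values()
    }
    ignored = 0
    for _ts, eid, msg in parse_events(text):
        if eid not in NETLOGON_EVENTS:
            ignored += 1
            continue
        outcome, _kind = NETLOGON_EVENTS[eid]
        # Machine accounts and trust accounts name the subject differently.
        m = ACCOUNT_RE.search(msg) or TRUST_RE.search(msg)
        subject = m.group(1) if m else "<unknown>"
        entry = report[outcome][subject]
        entry["count"] += 1
        a = ADDR_RE.search(msg)
        if a:
            entry["addresses"].add(a.group(1))
    return {k: dict(v) for k, v in report.items()}, ignored


def patch_worklist(report):
    """Accounts still making vulnerable connections that were merely allowed.

    These are the devices that need the vendor update (or replacement):
    once enforcement is on, the domain controller will refuse them.
    """
    return sorted(report["allowed-vulnerable"])


if __name__ == "__main__":
    rep, skipped = triage(SAMPLE_EVENTS)
    for outcome, accounts in rep.items():
        for acct, info in sorted(accounts.items()):
            print(f"{outcome:20} {acct:16} hits={info['count']} "
                  f"from={','.join(sorted(info['addresses']))}")
    print("needs patching before enforcement:", patch_worklist(rep))
    print("non-Netlogon events skipped:", skipped)
```

The report separates three situations an administrator treats differently: denied connections (5827/5828) show the control already working, allowed-by-policy connections (5830/5831) are exceptions that deserve periodic review, and allowed-vulnerable connections (5829) are the unpatched devices that will be cut off when enforcement begins, so they form the patch worklist.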
Old vulnerabilities allow threat actors to easily gain a foothold in environments, so imagine what zero-days can do to unaware users. It’s not enough for your organization to install antivirus tools and call it a day. Incorporate an experienced security team to watch over your networks and handle your patch management. It’s not the easiest task in the world, but that’s what makes our team so valuable for your organization.
SpearTip’s engineers continuously stay in tune with the latest developments in the threat landscape. This gives our partners the constant stability they need to continue operating their businesses without worrying about the constant threats waiting to enter their environments.
Our proprietary endpoint detection and response tool, ShadowSpear, will detect threats and stop them in their tracks before they can ever reach your machines. This, in conjunction with our 24/7 Security Operations Center, provides your organization with everything it needs to remain fully operational and safe from cyber threats.