Introduction

The last two weeks have seen the release of two interesting reports that give us some insights into what attackers have been up to. Firstly, Verizon released the 2020 edition of their Data Breach Investigations Report, containing their insights from analysing 3,950 confirmed data breaches. Here are some of what I think are noteworthy points from their data (caveat: it’s a 100-odd page document, so don’t take my eight bullet points as an exhaustive list):

• the vast majority of attacks are financially motivated and come from outside of the target organisation
• the second most likely motivation is positioning: attacking a system purely as a means to then attack other targets
• over 80% of breaches are driven by credential theft
• errors such as misconfiguration and incorrect delivery are more commonly part of a breach than malware
• in comparison to the 2019 report, incidents of malware, phishing and trojans are down; errors and ransomware are up
• phishing is still the most common threat action in breaches
• the most common type of malware are those designed to steal passwords, and malware typically arrives via email
• ransomware accounts for only 20% of malware

There’s an interesting point in the report about vulnerabilities and patching: their experiment showed that if a system is vulnerable to a new vulnerability, it’s because typically that system isn’t patched at all and will be vulnerable to lots of other things:

“You can just as easily exploit those vulnerable servers with that l33t 10-year-old exploit you got from your h4x0r friend on Usenet.” (Verizon Data Breach Investigations Report 2020, Page 22)

So, the release of new vulnerabilities often doesn’t make some people any more vulnerable, as they’re already at risk from a slew of older vulnerabilities. That same message is reinforced by the other interesting report released last week, from the US government, which looks at what vulnerabilities are being exploited by attackers.

Top vulnerabilities

The US report detailed the Top 10 Routinely Exploited Vulnerabilities during 2016–2019. Their research is presumably weighted towards government government departments, but they don’t offer any explanation of their methods. The preface makes clear that it’s an effort to encourage people to patch their systems, as the listed vulnerabilities are all publicly known and typically quite old, as opposed to being never-seen before zero-days.

There was some excellent analysis from Ben Hawkes of Project Zero on Twitter, which focused on what the list tells us about attackers and about offensive security research. He points out that six of the top ten were originally exploited as zero-days, and the rest are all trivially exploitable, which undoubtedly is the reason for their being targeted.

Regardless of the fact that some of the vulnerabilities originally being used as zero-days, the purpose of the report is to show the consequences of a low patching rate for some of these vulnerabilities leads to a continually large amount of exploitation. So, what can we learn from the listed vulnerabilities?

Let’s look at the numbers

Perhaps unsurprisingly, the most exploited technology is the Object Linking and Embedding (OLE) format, which is used by Microsoft Office to embed content into documents. It’s also, the report highlights, the target of the vulnerabilities most exploited by state-sponsored actors from China, Iran, North Korea and Russia. From a defensive perspective there are some easy fixes to help protect against a swathe of common document-based attacks: patch Windows and Office, use email filtering, use the browser versions of Office 365, enable Protected View, and lock down end-points.

Depressingly, the report highlights that they first warned about how the Chinese state was using one of the vulnerabilities (CVE-2012-0158) back in 2015, and it’s still in use now. To be clear: a vulnerability first exploited in the wild in April 2012 is still in the top ten vulnerabilities for the last three years. Patch your stuff, people.

For reference, the full list is:

1. CVE-2017-11882: Microsoft Office Remote Code Execution
2. CVE-2017-0199: Microsoft Office/WordPad Remote Code Execution
3. CVE-2017-5638: Apache Struts Command Execution
4. CVE-2012-0158: Microsoft Office Remote Code Execution
5. CVE-2019-0604: Microsoft SharePoint Remote Code Execution
6. CVE-2017-0143: Windows SMB Remote Code Execution (aka EternalSynergy)
7. CVE-2018-4878: Adobe Flash Player Remote Code Execution
8. CVE-2017-8759: .NET Framework Remote Code Execution
9. CVE-2015-1641: Microsoft Office Remote Code Execution
10. CVE-2018-7600: Drupal CMS Remote Code Execution

A criminal comparison

The US Government report references another vulnerability report covering 2019, Threat Intelligence provider Recorded Future’s 2019 vulnerability list. This report only has four vulnerabilities in common with the US Government list. This is at least partially explained by the Recorded Future list being focussed on criminals, as they state “vulnerabilities related to nation-state exploits (such as the ETERNAL[BLUE] vulnerabilities suite) have been removed”. More precisely, their list is focussed on vulnerabilities targeted by exploit kits and Remote Access Trojans (RATs).

Their list covers a broader set of technology than the previous one, including the Windows VBScript Engine, Internet Explorer and WinRAR on top of Flash Player and Office. Here’s the list:

1. CVE-2018-15982: Adobe Flash Player Remote Code Execution
2. CVE-2018-8174: Windows VBScript Engine Remote Code Execution
3. CVE-2017-11882: Microsoft Office Remote Code Execution (number 1 on the US gov list)
4. CVE-2018-4878: Adobe Flash Player Remote Code Execution (number 7 on the US gov list)
5. CVE-2019-0752: Internet Explorer Scripting Engine Remote Code Execution
6. CVE-2017-0199: Microsoft Office/WordPad Remote Code Execution (number 2 on the US gov list)
7. CVE-2015-2419: Internet Explorer JScript Remote Code Execution
8. CVE-2018-20250: WinRAR Path Traversal
9. CVE-2017-8750: Internet Explorer Remote Code Execution
10. CVE-2012-0158: Microsoft Office/WordPad Remote Code Execution (number 4 on the US gov list)

If we look at the CVE numbers, we’ve got vulnerabilities from 2012 to 2019, with only one numbered during 2019. So it’s the same story as with the government list: the routine exploitation of old vulnerabilities. Whilst being more varied than the government list, it does still lean towards document and file-based attacks, which reinforces what we say above about defensive measures.

Lessons

What are the top lessons from these vulnerability reports? Here is short list of thoughts:

1. There is some overlap between the capabilities of cyber criminals and nation-state actors. This shouldn’t be a surprise, as the line between some criminal groups and nation-state groups is a blurry one.
2. The battle over patching is still very much worth fighting, as vulnerabilities from 2012 are still being exploited. Again: patch your stuff.
3. The patch gap is not necessarily about individual patches, rather certain systems that have barely been patched at all. Stay on top of your attack surface – it shouldn’t be possible to forget about internet-facing systems.
4. The most attacked vulnerabilities don’t change that much, year-on-year (although the Recorded Future report states otherwise for 2019). So your defensive strategy doesn’t have to be constantly changing because of a perceived change in attacks.
5. Document-based attacks are still prevalent – check your email processes, end-point lockdown and phishing protections.
6. Don’t overlook internal mistakes, errors and misconfiguration as the cause of data breaches. For some industries, they may be more of a problem than malware and ransomware.

For our latest research, and for links and comments on other research, follow our Lab on Twitter.

Get in touch if you’d like to chat to us