The last two weeks have seen the release of two interesting reports that give us some insight into what attackers have been up to. Firstly, Verizon released the 2020 edition of their Data Breach Investigations Report, containing their insights from analysing 3,950 confirmed data breaches. Here are the points from their data that I think are noteworthy (caveat: it’s a 100-odd page document, so don’t take my eight bullet points as an exhaustive list):
There’s an interesting point in the report about vulnerabilities and patching: their experiment showed that if a system is exposed to a newly disclosed vulnerability, it’s typically because that system isn’t patched at all, and so it will be vulnerable to lots of other things as well:
“You can just as easily exploit those vulnerable servers with that l33t 10-year-old exploit you got from your h4x0r friend on Usenet.” (Verizon Data Breach Investigations Report 2020, Page 22)
So, the release of new vulnerabilities often doesn’t make some people any more vulnerable, as they’re already at risk from a slew of older vulnerabilities. That same message is reinforced by the other interesting report released last week, from the US government, which looks at what vulnerabilities are being exploited by attackers.
The US report detailed the Top 10 Routinely Exploited Vulnerabilities during 2016–2019. Their research is presumably weighted towards government departments, but they don’t offer any explanation of their methods. The preface makes clear that it’s an effort to encourage people to patch their systems, as the listed vulnerabilities are all publicly known and typically quite old, as opposed to being never-before-seen zero-days.
There was some excellent analysis from Ben Hawkes of Project Zero on Twitter, which focused on what the list tells us about attackers and about offensive security research. He points out that six of the top ten were originally exploited as zero-days, and the rest are all trivially exploitable, which undoubtedly is the reason for their being targeted.
Regardless of the fact that some of the vulnerabilities were originally used as zero-days, the purpose of the report is to show that a low patching rate for these vulnerabilities leads to a continually large amount of exploitation. So, what can we learn from the listed vulnerabilities?
Perhaps unsurprisingly, the most exploited technology is the Object Linking and Embedding (OLE) format, which is used by Microsoft Office to embed content into documents. It’s also, the report highlights, the target of the vulnerabilities most exploited by state-sponsored actors from China, Iran, North Korea and Russia. From a defensive perspective there are some easy fixes that help protect against a swathe of common document-based attacks: patch Windows and Office, use email filtering, use the browser versions of Office 365, enable Protected View, and lock down endpoints.
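One of those fixes, Protected View, is easy to switch off quietly via per-user settings or Group Policy, so it is worth auditing. The following PowerShell check is an added example, not code from the original post or from either report; it assumes an Office 2016/2019/365 install (registry version "16.0") and reads the three standard Protected View registry values, where a value of 1 means that trigger has been disabled.

```powershell
# Added example: audit whether Protected View is still enabled for Word, Excel
# and PowerPoint for the current user. Assumes Office version "16.0" in the
# registry (Office 2016/2019/365); adjust $OfficeVersion for other versions.
$OfficeVersion = '16.0'
$Apps = 'Word', 'Excel', 'PowerPoint'
# Each of these values, when set to 1, turns off one Protected View trigger:
# files from the Internet zone, Outlook attachments, and unsafe locations.
# (DisableAttachementsInPV is the real, misspelled, value name.)
$PvValues = 'DisableInternetFilesInPV', 'DisableAttachementsInPV', 'DisableUnsafeLocationsInPV'

function Get-ProtectedViewStatus {
    param([string]$App)
    # Group Policy location first, then the per-user preference; the first
    # value found wins, which mirrors how policy overrides the user setting.
    $Paths = @(
        "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security\ProtectedView",
        "HKCU:\Software\Microsoft\Office\$OfficeVersion\$App\Security\ProtectedView"
    )
    foreach ($Name in $PvValues) {
        $Value = $null
        foreach ($Path in $Paths) {
            $Item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
            if ($null -ne $Item) { $Value = $Item.$Name; break }
        }
        [pscustomobject]@{
            App     = $App
            Setting = $Name
            # No value present means the default, i.e. Protected View is on.
            Status  = if ($Value -eq 1) { 'DISABLED (weak)' } else { 'enabled' }
        }
    }
}

$Apps | ForEach-Object { Get-ProtectedViewStatus -App $_ } | Format-Table -AutoSize
```

Any row reporting DISABLED means documents from that source open with full editing and macro/OLE handling straight away, which is exactly the exposure the listed Office vulnerabilities rely on.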
Depressingly, the report highlights that they first warned about how the Chinese state was using one of the vulnerabilities (CVE-2012-0158) back in 2015, and it’s still in use now. To be clear: a vulnerability first exploited in the wild in April 2012 is still in the top ten vulnerabilities for the last three years. Patch your stuff, people.
For reference, the full list is:
The US Government report references another vulnerability report covering 2019, Threat Intelligence provider Recorded Future’s 2019 vulnerability list. This report only has four vulnerabilities in common with the US Government list. This is at least partially explained by the Recorded Future list being focussed on criminals, as they state “vulnerabilities related to nation-state exploits (such as the ETERNAL[BLUE] vulnerabilities suite) have been removed”. More precisely, their list is focussed on vulnerabilities targeted by exploit kits and Remote Access Trojans (RATs).
Their list covers a broader set of technology than the previous one, including the Windows VBScript Engine, Internet Explorer and WinRAR on top of Flash Player and Office. Here’s the list:
If we look at the CVE numbers, we’ve got vulnerabilities from 2012 to 2019, with only one numbered during 2019. So it’s the same story as with the government list: the routine exploitation of old vulnerabilities. Whilst more varied than the government list, it still leans towards document and file-based attacks, which reinforces what we said above about defensive measures.
What are the top lessons from these vulnerability reports? Here is a short list of thoughts:
For our latest research, and for links and comments on other research, follow our Lab on Twitter.