Over half of the most common security vulnerabilities exploited by criminals to conduct cyberattacks and distribute malware are more than a year old, and some are over five years old, demonstrating how failure to apply security updates is leaving organisations vulnerable to hacking and malicious compromise.
Researchers at Recorded Future analysed the top vulnerabilities, exploit kits and malware attacks deployed by cyber criminals during the course of 2019. There are patches from vendors to fix all of these bugs, but software patching is often forgotten or ignored by companies and individuals.
Recorded Future found that six of the most commonly exploited vulnerabilities for the year were repeats from 2018. All of these repeats involve Microsoft products, and in total eight of the top ten vulnerabilities relate to Microsoft software such as Internet Explorer and Microsoft Office.
However, the two other most common vulnerabilities in the top ten list both target Adobe Flash Player and one of these Flash flaws – CVE-2018-15982 – was the most commonly exploited during 2019.
This Flash zero-day has helped power GandCrab ransomware, as well as various forms of malware delivered by the Fallout exploit kit, which provides criminals with a selection of exploits to choose from. Such is the danger of the vulnerability that it was assigned a Common Vulnerability Scoring System (CVSS) score of 10 when it emerged – and was patched – in December 2018.
Behind this, the next three most common vulnerabilities exploited by cyber attackers are all repeats from the previous year with last year’s number one – CVE-2018-8174 – sliding to number two.
The vulnerability in Internet Explorer – known as Double Kill – is deployed in a wide variety of cyberattacks and is associated with hacking campaigns that deliver the Trickbot trojan, as well as a number of common exploit kits. The vulnerability was patched in May 2018, but the extent to which it is still exploited shows that large numbers of users haven't applied the patch.
The same goes for CVE-2017-11882, a vulnerability in Microsoft Office that was disclosed in December 2016 and still ranks as the third most commonly exploited vulnerability in the list. It has become associated with a large number of Trojans and keyloggers, as well as Emotet, one of the most prolific botnets in the world today.
Alarmingly, CVE-2012-0158 remains one of the most common vulnerabilities targeted by hackers, despite being almost eight years old. The critical bug in Microsoft Office can be exploited for remote code execution and, despite dropping slightly in popularity, remains in the top ten.
CVE-2015-2419 – a vulnerability that allows attackers to execute arbitrary code via Internet Explorer – also features in the top ten, despite being known about since 2015.
EternalBlue was one of the most potent vulnerabilities in recent years, helping to power the WannaCry ransomware attack, and it's still commonly used today. However, Recorded Future researchers haven't included EternalBlue – or EternalRomance – in the report because they were first adopted by nation-state-backed hacking operations, rather than emerging through the cyber criminal underground.
All of the vulnerabilities in the list have received patches – but there are still enough users and enterprises that aren’t applying the updates and are therefore leaving the door open for cyber attackers.
The problem is that tens of thousands of people are looking to exploit Microsoft products, simply because they present such a large target.
The most effective thing that can be done to protect networks from falling victim to attacks that use these vulnerabilities is to ensure all products – particularly Microsoft ones – are up to date, and to apply any new security patch as soon as it is released.
And because the most commonly exploited vulnerability targets Adobe Flash, the advice from Recorded Future is simple: disable it automatically, especially as Adobe will be ending support on December 31, 2020.
The top ten most commonly exploited vulnerabilities – and the technology they target – according to the Recorded Future Annual Vulnerability report are:
- CVE-2018-15982 – Adobe Flash Player
- CVE-2018-8174 – Microsoft Internet Explorer
- CVE-2017-11882 – Microsoft Office
- CVE-2018-4878 – Adobe Flash Player
- CVE-2019-0752 – Microsoft Internet Explorer
- CVE-2017-0199 – Microsoft Office
- CVE-2015-2419 – Microsoft Internet Explorer
- CVE-2018-20250 – Microsoft WinRAR
- CVE-2017-8750 – Microsoft Internet Explorer
- CVE-2012-0158 – Microsoft Office
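One way a defender can act on a list like this is to overlay it on their own scan results, so that findings matching actively exploited CVEs are surfaced first and ranked by how long the fix has been available. The script below is an added example, not code from the article or from Recorded Future; the scanner export format is a constructed CSV with hypothetical host names, and CVE-2019-00000 is a placeholder rather than a real identifier.

```python
import csv
import io
from collections import Counter

# The ten CVEs named in the article, with the product the report attributes them to.
TOP10_2019 = {
    "CVE-2018-15982": "Adobe Flash Player",
    "CVE-2018-8174": "Microsoft Internet Explorer",
    "CVE-2017-11882": "Microsoft Office",
    "CVE-2018-4878": "Adobe Flash Player",
    "CVE-2019-0752": "Microsoft Internet Explorer",
    "CVE-2017-0199": "Microsoft Office",
    "CVE-2015-2419": "Microsoft Internet Explorer",
    "CVE-2018-20250": "WinRAR",
    "CVE-2017-8750": "Microsoft Internet Explorer",
    "CVE-2012-0158": "Microsoft Office",
}

# Constructed scanner export: hypothetical hosts; CVE-2019-00000 is a placeholder, not a real ID.
SAMPLE_SCAN = """host,cve
ws-01,CVE-2018-15982
ws-01,CVE-2019-00000
srv-02,cve-2012-0158
srv-02,CVE-2017-11882
ws-03,CVE-2019-00000
"""

def cve_year(cve):
    """Year embedded in the CVE ID, used as a rough lower bound on how old the fix is."""
    return int(cve.split("-")[1])

def prioritise(scan_csv, report_year=2019, known_exploited=TOP10_2019):
    """Return (host, cve, product, years_old) for findings on the exploited list, oldest first.

    Age is report_year minus the CVE's year. That is an approximation: IDs are
    assigned when reserved, not when the vendor ships the patch.
    """
    hits = []
    for row in csv.DictReader(io.StringIO(scan_csv)):
        cve = row["cve"].strip().upper()  # scanners differ in casing and whitespace
        if cve in known_exploited:
            hits.append((row["host"], cve, known_exploited[cve], report_year - cve_year(cve)))
    hits.sort(key=lambda h: (-h[3], h[0], h[1]))  # oldest missing patch first, stable order
    return hits

def exposure_by_host(scan_csv, **kw):
    """Number of actively exploited, unpatched CVEs per host (hosts with none are omitted)."""
    return Counter(h[0] for h in prioritise(scan_csv, **kw))

if __name__ == "__main__":
    for host, cve, product, age in prioritise(SAMPLE_SCAN):
        print(f"{host:8} {cve:15} {product:28} fix available ~{age} year(s)")
    print(dict(exposure_by_host(SAMPLE_SCAN)))
```

Swapping TOP10_2019 for a current known-exploited feed keeps the same workflow usable beyond this report.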