Report Identifies Vulnerabilities Popular on Criminal Forums
Cognyte Identifies Top 6 Flaws, Including One That's 17 Years Old
Researchers at security analytics provider Cognyte identified the six common vulnerabilities and exposures - or CVEs - that were most frequently discussed by apparent cyberattackers on dark web forums between Jan. 1, 2020 and March 1, 2021. Five of these CVEs were for Microsoft products.
Cognyte examined discussions on 15 English, Russian, Turkish, Chinese and Spanish deep and dark web forums to determine the CVEs that had the most mentions and the widest distribution - mentions on multiple forums in different languages. It did not take into account replies to the posts.
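As an added illustration of the counting method described above (this is not code from Cognyte's report, and the forum posts, forum names and languages are constructed), the following Python routine ranks CVEs by the number of top-level posts that mention them and by how many forums and languages those mentions span, ignoring replies the way the report does:

```python
import re
from collections import defaultdict

# Constructed sample posts, not real forum data: (forum, language, is_reply, text).
POSTS = [
    ("forum-ru-1", "ru", False, "Anyone have a working PoC for CVE-2019-19781 on ADC?"),
    ("forum-ru-1", "ru", True,  "Yes, CVE-2019-19781 still works on unpatched boxes."),
    ("forum-ru-2", "ru", False, "CVE-2019-19781 and CVE-2017-11882 are both cheap to weaponize."),
    ("forum-zh-1", "zh", False, "CVE-2020-0796 SMBGhost scanner results"),
    ("forum-zh-1", "zh", False, "CVE-2020-0796 crash on Win10 1909, anyone?"),
    ("forum-zh-2", "zh", False, "Comparing CVE-2020-0796 and CVE-2019-0708 exploit reliability"),
    ("forum-zh-2", "zh", False, "Is there a patch bypass for CVE-2020-0796?"),
    ("forum-en-1", "en", False, "CVE-2017-11882 maldoc builder still popular in 2021"),
    ("forum-tr-1", "tr", False, "CVE-2017-11882 + CVE-2017-0199 phishing kit"),
    ("forum-es-1", "es", False, "Zerologon CVE-2020-1472 checklist"),
]

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,7}\b", re.IGNORECASE)


def rank_cves(posts):
    """Return per-CVE stats: top-level post count, forums, languages, posts per language.

    Replies are skipped, and a CVE is counted at most once per post even if
    the post names it several times.
    """
    stats = defaultdict(lambda: {"mentions": 0, "forums": set(), "languages": set(),
                                 "by_language": defaultdict(int)})
    for forum, lang, is_reply, text in posts:
        if is_reply:
            continue
        for cve in {m.upper() for m in CVE_RE.findall(text)}:
            entry = stats[cve]
            entry["mentions"] += 1
            entry["forums"].add(forum)
            entry["languages"].add(lang)
            entry["by_language"][lang] += 1
    return stats


def most_mentioned(stats):
    # Sorted first so ties resolve deterministically (lexically smallest CVE id wins).
    return max(sorted(stats), key=lambda c: stats[c]["mentions"])


def widest_distribution(stats):
    # "Distribution" = number of distinct forums, then number of languages, as a tie-breaker.
    return max(sorted(stats), key=lambda c: (len(stats[c]["forums"]), len(stats[c]["languages"])))


def top_cve_for_language(stats, lang):
    counts = {c: s["by_language"].get(lang, 0) for c, s in stats.items()}
    return max(sorted(counts), key=counts.get) if any(counts.values()) else None
```

On the constructed sample this reproduces the shape of the report's findings: one CVE leads on raw post count while a different one is spread across the most forums.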
The Microsoft flaws were:
- CVE-2020-1472, aka ZeroLogon: This critical elevation-of-privilege vulnerability exists in Netlogon, the protocol responsible for authenticating users against domain controllers, and affects Windows servers. Exploitation could allow attackers to take over servers running as domain controllers in an organization's network by obtaining domain admin privileges.
- CVE-2020-0796, aka SMBGhost: This buffer overflow vulnerability exists due to an error in the way the vulnerable Microsoft Server Message Block protocol handles a maliciously crafted compressed data packet. It could be exploited by a remote, unauthenticated attacker to execute arbitrary code and gain control over vulnerable systems.
- CVE-2019-0708, aka BlueKeep: This use-after-free vulnerability exists in Remote Desktop Services in Windows XP through Windows Server 2008. Exploitation may allow an attacker to run arbitrary code at the kernel level of the system or, at a minimum, cause a denial of service; it could also lead to a complete takeover of the attacked system. During 2019, it was spotted mainly being abused by cryptomining malware, such as Watchbog, or in campaigns distributing such malware families.
- CVE-2017-11882: This 17-year-old memory corruption issue in Microsoft Office resides within Equation Editor, the component that inserts or edits OLE objects in documents. By exploiting this flaw, attackers could execute code remotely on a vulnerable machine once a malicious document is opened, with no further user interaction required.
- CVE-2017-0199: Exploiting this vulnerability in Microsoft Office could allow remote attackers to execute arbitrary code via a crafted document. In 2020, an exploit attributed to North Korea targeted American and European defense and aerospace industries.
According to the FBI and the Department of Homeland Security, CVE-2017-11882 and CVE-2017-0199 are among the top 10 flaws exploited by nation-state actors from China, North Korea, Russia and Iran.
The sixth flaw highlighted in the Cognyte report, CVE-2019-19781, affects the Citrix Application Delivery Controller, formerly known as NetScaler ADC. An exploit could allow an unauthenticated attacker to connect remotely and execute arbitrary code on the affected system.
This was the most popular CVE in Russian-speaking forums, while CVE-2020-0796, which had the highest number of posts across forums at 52, was discussed most in Chinese forums.
Most CVEs on the list apparently were exploited by both nation-state groups and cybercriminals, such as ransomware gangs, during worldwide campaigns in various sectors, the report says.
"Our findings also showed that even a long time after relevant updates were released, CVEs are still popular on dark web platforms, such as CVE-2017-11882, which received the widest distribution with mentions in 12 out of 15 forums examined," the report says.
Cognyte did not immediately respond to Information Security Media Group's requests for further comment.
The list of commonly exploited CVEs shows cybercriminals can leverage a wide variety of attack vectors, says Dirk Schrader, global vice president of security research at telecommunications provider New Net Technologies.
"The attacks include remote code execution attacks on MS Office products (CVE-2017-11882 and CVE-2017-0199), on protocols such as RDP (CVE-2019-0708) and SMB (CVE-2020-0796), on systems that allow for further propagation of malicious code such as application delivery controller (CVE-2019-19781) or to expand their privileges to control a domain (CVE-2020-1472)," he says. They would all enable a relatively faster takeover of an attacked system, he adds.
Tim Mackey, principal security strategist at Synopsys Cybersecurity Research Center, or CyRC, says that if exploiting a CVE grants administrative access to a large number of internet-connected systems, leveraging the CVE will prove popular with attackers. "Similarly, if exploitation of a CVE enables a more sophisticated attack, then it too becomes more valuable. CVE-2017-0199 is a perfect example of what could be used as part of a ransomware attack, while CVE-2020-1472 would be valuable to criminals targeting data centers."
In addition to promptly applying patches, Mackey says the key prevention measures to take as part of a preparedness program include "having a detailed incident response plan, performing ongoing threat assessments for the software powering the business - independent of origin or deployment model - and having a comprehensive inventory of all software assets, not just those used in an office setting."
Organizations also should implement active detection, such as checking for suspicious changes in the file system and registry, and mysterious entries in event logs, Schrader adds.