13 May 2020

US authorities publish list of the most exploited vulnerabilities since 2016

The Department of Homeland Security Cybersecurity and Infrastructure Security Agency (DHS CISA) and the Federal Bureau of Investigation (FBI) have released a joint security alert describing the publicly known vulnerabilities most commonly exploited by sophisticated foreign cyber actors between 2016 and 2019.

“Foreign cyber actors continue to exploit publicly known—and often dated—software vulnerabilities against broad target sets, including public and private sector organizations. Exploitation of these vulnerabilities often requires fewer resources as compared with zero-day exploits for which no patches are available,” the cybersecurity agencies said.

“A concerted campaign to patch these vulnerabilities would introduce friction into foreign adversaries’ operational tradecraft and force them to develop or acquire exploits that are more costly and less widely effective. A concerted patching campaign would also bolster network security by focusing scarce defensive resources on the observed activities of foreign adversaries.”

The list of the top 10 most exploited vulnerabilities described in the report is as follows:

  • CVE-2017-11882 - vulnerable products: Microsoft Office 2007 SP3/2010 SP2/2013 SP1/2016; associated malware: Loki, FormBook, Pony/FAREIT

  • CVE-2017-0199 - vulnerable products: Microsoft Office 2007 SP3/2010 SP2/2013 SP1/2016, Vista SP2, Server 2008 SP2, Windows 7 SP1, Windows 8.1; associated malware: FINSPY, LATENTBOT, Dridex

  • CVE-2017-5638 - vulnerable products: Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1; associated malware: JexBoss

  • CVE-2012-0158 - vulnerable products: Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2003 Web Components SP3; SQL Server 2000 SP4, 2005 SP4, and 2008 SP2, SP3, and R2; BizTalk Server 2002 SP1; Commerce Server 2002 SP4, 2007 SP2, and 2009 Gold and R2; Visual FoxPro 8.0 SP1 and 9.0 SP2; and Visual Basic 6.0; associated malware: Dridex

  • CVE-2019-0604 - vulnerable products: Microsoft SharePoint; associated malware: China Chopper

  • CVE-2017-0143 - vulnerable products: Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016; associated malware: Multiple using the EternalSynergy and EternalBlue Exploit Kit

  • CVE-2018-4878 - vulnerable products: Adobe Flash Player before 28.0.0.161; associated malware: DOGCALL

  • CVE-2017-8759 - vulnerable products: Microsoft .NET Framework 2.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 and 4.7; associated malware: FINSPY, FinFisher, WingBird

  • CVE-2015-1641 - vulnerable products: Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word 2013 SP1, Word 2013 RT SP1, Word for Mac 2011, Office Compatibility Pack SP3, Word Automation Services on SharePoint Server 2010 SP2 and 2013 SP1, and Office Web Apps Server 2010 SP2 and 2013 SP1; associated malware: Toshliph, UWarrior

  • CVE-2018-7600 - vulnerable products: Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1; associated malware: Kitty

According to the US Government's analysis of cyber attacks exploiting security vulnerabilities, threat actors have most often exploited flaws in Microsoft’s Object Linking and Embedding (OLE) technology, with the Apache Struts web framework being the second-most-reported exploited technology.

“Of the top 10, the three vulnerabilities used most frequently across state-sponsored cyber actors from China, Iran, North Korea, and Russia are CVE-2017-11882, CVE-2017-0199, and CVE-2012-0158. All three of these vulnerabilities are related to Microsoft’s OLE technology,” the report said.

The security alert also provides mitigations for each of the top vulnerabilities described above.
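To turn the list into a patch-prioritization check, the following is an added example (not code from the alert or from this article): it encodes the version ranges the alert gives for the three non-Microsoft entries in the top 10 and matches a constructed asset inventory against them. The product keys and the inventory entries are assumptions made for illustration.

```python
from dataclasses import dataclass

def parse_version(v: str) -> tuple:
    """Turn '2.3.32' into (2, 3, 32) so tuples compare numerically."""
    return tuple(int(p) for p in v.split("."))

@dataclass(frozen=True)
class Affected:
    cve: str
    product: str
    # Each range is (inclusive lower bound, exclusive fixed version).
    ranges: tuple

# Ranges transcribed from the alert's "vulnerable products" column;
# the product keys are assumed names, not taken from the alert.
AFFECTED = (
    Affected("CVE-2017-5638", "apache-struts",
             (("2.3.0", "2.3.32"), ("2.5.0", "2.5.10.1"))),
    Affected("CVE-2018-4878", "adobe-flash-player", (("0", "28.0.0.161"),)),
    Affected("CVE-2018-7600", "drupal",
             (("0", "7.58"), ("8.0.0", "8.3.9"),
              ("8.4.0", "8.4.6"), ("8.5.0", "8.5.1"))),
)

def is_vulnerable(product: str, version: str) -> list:
    """Return the CVEs from AFFECTED whose ranges contain this version."""
    v = parse_version(version)
    hits = []
    for a in AFFECTED:
        if a.product != product:
            continue
        for lo, fixed in a.ranges:
            # A version at or above the fixed release is patched.
            if parse_version(lo) <= v < parse_version(fixed):
                hits.append(a.cve)
                break
    return hits

def triage(inventory):
    """Map host -> matching CVEs for (host, product, version) entries."""
    return {host: is_vulnerable(p, ver) for host, p, ver in inventory}

# Constructed inventory for illustration; not real hosts.
INVENTORY = [
    ("web-01", "apache-struts", "2.3.31"),
    ("web-02", "apache-struts", "2.5.10.1"),
    ("cms-01", "drupal", "8.4.5"),
    ("kiosk-07", "adobe-flash-player", "28.0.0.161"),
]
```

Calling `triage(INVENTORY)` flags web-01 and cms-01 and clears the two hosts already on their fixed releases; the same table can be extended with the Microsoft entries once their build numbers are known.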
