10 most exploited Software from 2016 to 2020
US-CERT has published the list of the top 10 vulnerabilities exploited between 2016 and 2020. Based on that list, we have prepared a list of the affected software and the methods by which the vulnerabilities have been exploited. This article is divided into two parts. Part 1 covers the seven software products most exploited between 2016 and 2019, along with their vulnerabilities. Part 2 covers the three software products most exploited in the first quarter of 2020.
Part 1 – Most exploited software between 2016-2019
1. Microsoft Office
CVE-2017-11882 and CVE-2017-0199 are the two exploited vulnerabilities that affected Microsoft Office 2007 products the most. Malware such as Loki, FormBook and Pony/FAREIT has been used in attacks exploiting CVE-2017-11882. Using a specially crafted Office file, attackers executed code remotely and gained the privileges of the user who opened the file, which they then used for malicious activity.
Similarly, malware has been used to exploit the remote code execution vulnerability CVE-2017-0199 in Microsoft Office. Through a malicious Office file, attackers took control of the system, modified system data and installed malicious programs.
CVE-2015-1641 is another vulnerability that allowed a system to be compromised through a crafted Microsoft Office file. It is known as the “Microsoft Office Memory Corruption Vulnerability”, and attackers have used RTF documents to exploit it.
CVE-2017-8759, a code injection vulnerability in the WSDL parser module, has also been exploited to inject arbitrary code while SOAP WSDL definition contents are parsed. Attackers used it to download and execute VB scripts containing PowerShell commands.
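All of the Office vulnerabilities above arrive as crafted documents, most often RTF files carrying an embedded OLE object. The following Python script is an added example (not code from the original article or from Payatu) that performs a first-pass static triage of an RTF file: it looks for the public RTF control words used to embed and auto-update objects (`\objupdate`, `\objautlink`, `\objdata`) and for the Equation Editor ProgID `Equation.3`, the component abused by CVE-2017-11882. The two sample documents are constructed for the example and carry only an OLE header, no payload.

```python
import re

# RTF control words involved in embedding OLE objects. \objupdate forces the
# object to refresh when the document opens, which is how CVE-2017-0199 lures
# fired with no user interaction beyond opening the file.
SUSPICIOUS_CONTROL_WORDS = {
    rb"\\objupdate": "OLE object set to auto-update on open",
    rb"\\objautlink": "auto-linked OLE object",
    rb"\\objdata": "embedded OLE object data present",
}
# ProgID of the Equation Editor component abused by CVE-2017-11882.
EQUATION_PROGID = b"Equation.3"


def decode_objdata(data: bytes) -> bytes:
    """Hex-decode every \\objdata run so strings inside the embedded
    object (class names, ProgIDs) can be matched as plain bytes."""
    chunks = []
    for m in re.finditer(rb"\\objdata\s*([0-9a-fA-F\s]+)", data):
        hexrun = re.sub(rb"\s", b"", m.group(1))
        try:
            chunks.append(bytes.fromhex(hexrun.decode("ascii")))
        except ValueError:  # odd length or stray characters: skip this run
            continue
    return b"".join(chunks)


def triage_rtf(data: bytes) -> dict:
    """Return triage findings for one file. A finding means 'detonate this in
    a sandbox', not 'malicious': legitimate documents embed objects too."""
    findings = []
    # Lures often truncate the \rtf1 header to \rt, which Word still accepts.
    if not data.lstrip().startswith(b"{\\rt"):
        return {"is_rtf": False, "findings": findings}
    for word, why in SUSPICIOUS_CONTROL_WORDS.items():
        if re.search(word, data):
            findings.append(why)
    decoded = decode_objdata(data)
    if EQUATION_PROGID in data or EQUATION_PROGID in decoded:
        findings.append("Equation Editor object (CVE-2017-11882 vector)")
    return {"is_rtf": True, "findings": findings}


# Constructed samples: a plain document and one carrying an auto-updating
# OLE object whose OLE1 header names Equation.3 (header bytes only).
BENIGN_RTF = b"{\\rtf1\\ansi\\deff0 Quarterly report\\par}"
SUSPECT_RTF = (
    b"{\\rtf1\\ansi{\\object\\objautlink\\objupdate{\\*\\objdata "
    b"0105000002000000"            # OLE1 version, format id
    b"0b000000"                    # class name length (11)
    b"4571756174696f6e2e3300"      # "Equation.3\0"
    b"}}}"
)

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_RTF), ("suspect", SUSPECT_RTF)):
        print(name, triage_rtf(doc))
```

The check is deliberately string-based so it can run on a mail gateway before any Office parser touches the file; a hit should route the document to sandbox detonation rather than block it outright, since auto-updating objects also occur in legitimate documents.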
2. Microsoft Office 2003 to 2010 and Internet Explorer
Certain ActiveX controls allowed attackers to execute code through a crafted website or Office document. This vulnerability is tracked as CVE-2012-0158, and the Dridex malware has been used to exploit it. Attackers distributed the malware through spam emails and persuaded users to open the attachments, which ranged from compressed archives to documents such as DOC or PDF files; those files contained links or macros that downloaded the malware.
3. Microsoft Server Message Block 1.0 (SMBv1)
CVE-2017-0143 and CVE-2017-0144 are two remote code execution vulnerabilities that have been exploited in Microsoft Server Message Block 1.0 (SMBv1). Various versions of Windows, from Windows 7 to Windows 10, have been affected by these vulnerabilities, as have devices running Windows Server 2003 to Windows Server 2016. The WannaCry ransomware used this exploit worldwide to attack unpatched computers, targeting the SMBv1 server to execute malicious code on the victim machine.
The remote code execution vulnerability CVE-2017-0144 lies in the way the SMBv1 server handled certain requests. The EternalBlue exploit has been used to send maliciously crafted message packets and execute code on the target server.
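EternalBlue works against the SMBv1 negotiation path, so the first defensive question is where SMBv1 is still being spoken on the network. The following Python is an added example (not from the original article or Payatu) that classifies raw TCP/445 segments by the protocol identifier in the SMB header and flags SMB1 Negotiate requests, which identify clients still offering the SMBv1 dialects. The byte strings are constructed minimal requests, not captured traffic.

```python
import struct

SMB1_MAGIC = b"\xffSMB"           # SMB1 header starts 0xFF 'S' 'M' 'B'
SMB2_MAGIC = b"\xfeSMB"           # SMB2/3 header starts 0xFE 'S' 'M' 'B'
SMB1_COM_NEGOTIATE = 0x72         # SMB_COM_NEGOTIATE command byte
SMB2_NEGOTIATE = 0x0000           # SMB2 NEGOTIATE command code


def classify_smb(segment: bytes) -> dict:
    """segment: one TCP payload as carried on port 445, beginning with the
    4-byte direct-TCP transport header (zero byte + 24-bit length).
    Returns the protocol family and whether the message is a Negotiate."""
    unknown = {"protocol": "unknown", "negotiate": False}
    if len(segment) < 8 or segment[0] != 0x00:
        return unknown
    msg_len = int.from_bytes(segment[1:4], "big")
    if msg_len + 4 > len(segment):
        return unknown                      # truncated, or not SMB framing
    smb = segment[4:4 + msg_len]
    if smb.startswith(SMB1_MAGIC) and len(smb) >= 32:
        # SMB1 header: magic(4) command(1) status(4) flags(1) flags2(2) ...
        return {"protocol": "SMB1", "negotiate": smb[4] == SMB1_COM_NEGOTIATE}
    if smb.startswith(SMB2_MAGIC) and len(smb) >= 64:
        # SMB2 header: Command is a little-endian uint16 at offset 12
        cmd = struct.unpack_from("<H", smb, 12)[0]
        return {"protocol": "SMB2", "negotiate": cmd == SMB2_NEGOTIATE}
    return unknown


def smb1_negotiate_alerts(flows):
    """flows: iterable of (src, dst, segment). One alert per SMB1 Negotiate,
    i.e. per client that still offers the SMBv1 dialects."""
    alerts = []
    for src, dst, seg in flows:
        info = classify_smb(seg)
        if info["protocol"] == "SMB1" and info["negotiate"]:
            alerts.append(f"SMBv1 negotiate from {src} to {dst}")
    return alerts


# Constructed minimal Negotiate requests, enough for header classification.
_SMB1_HEADER = SMB1_MAGIC + bytes([SMB1_COM_NEGOTIATE]) + b"\x00" * 27   # 32-byte header
_SMB1_BODY = b"\x00" + b"\x0c\x00" + b"\x02NT LM 0.12\x00"              # WordCount, ByteCount, one dialect
SMB1_NEGOTIATE = (b"\x00" + len(_SMB1_HEADER + _SMB1_BODY).to_bytes(3, "big")
                  + _SMB1_HEADER + _SMB1_BODY)

_SMB2_HEADER = (SMB2_MAGIC + b"\x40\x00" + b"\x00\x00" + b"\x00" * 4
                + b"\x00\x00" + b"\x00" * 50)                           # 64-byte header, Command=0
_SMB2_BODY = b"\x24\x00" + b"\x02\x00" + b"\x00" * 32 + b"\x02\x02\x10\x02"  # dialects 2.02 and 2.10
SMB2_NEGOTIATE_REQ = (b"\x00" + len(_SMB2_HEADER + _SMB2_BODY).to_bytes(3, "big")
                      + _SMB2_HEADER + _SMB2_BODY)

SAMPLE_FLOWS = [
    ("10.0.0.15", "10.0.0.2", SMB1_NEGOTIATE),
    ("10.0.0.23", "10.0.0.2", SMB2_NEGOTIATE_REQ),
    ("10.0.0.40", "10.0.0.2", b"GET / HTTP/1.1\r\n\r\n"),
]

if __name__ == "__main__":
    for alert in smb1_negotiate_alerts(SAMPLE_FLOWS):
        print(alert)
```

Every host that shows up in these alerts is a candidate for the standard remediation of disabling SMBv1 (on Windows, `Set-SmbServerConfiguration -EnableSMB1Protocol $false` for the server side and removing the `SMB1Protocol` optional feature on clients) in addition to applying the MS17-010 patch.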
4. Adobe Flash Player
Attackers exploited the CVE-2018-4878 vulnerability in Adobe Flash Player to execute arbitrary code on the infected system. In most cases, Microsoft Excel documents with embedded malicious Flash content were distributed in the wild in a large malspam campaign, and the attackers lured users into opening the files or web pages containing the embedded Flash content. A malware family called DOGCALL has been used in attacks exploiting this critical flaw in Adobe Flash Player versions prior to 28.0.0.161.
5. Apache Struts 2
The Jakarta Multipart parser in Apache Struts 2 had a flaw in exception handling, known as the CVE-2017-5638 vulnerability. The incorrect exception handling and error-message system allowed hackers to execute commands during file-upload attempts.
Hackers have used the JexBoss tool to exploit such vulnerabilities. JexBoss automates all the phases of a cyber-attack, and upon successful execution, a hacker can take almost complete control of the affected web server.
The cybercriminals executed commands via crafted Content-Type, Content-Disposition or Content-Length HTTP headers. Apache Struts versions 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 were affected by CVE-2017-5638.
6. Drupal 7.x and 8.x
A remote code execution vulnerability, CVE-2018-7600, in subsystems of Drupal 7.x and 8.x allowed an attacker to run commands on affected Drupal installations.
The Kitty ransomware has been used to exploit this vulnerability. The aim was to take over the affected Drupal website and compromise the internal network and server.
Apart from compromising the web application, Kitty also targeted visitors of the affected website and infected their operating systems and stored files.
7. Microsoft SharePoint 2006 to 2019
The CVE-2019-0604 vulnerability in Microsoft SharePoint stems from a failure to check the source markup of application packages. Many attackers actively exploited this critical flaw by uploading specially crafted application packages to vulnerable SharePoint installations.
Upon successful exploitation, the attackers could run arbitrary code.
Part 2 – Most exploited software in 2020
1. Pulse Connect Secure and Pulse Policy Secure
Due to a critical flaw, CVE-2019-11510, a remote attacker could gain arbitrary file read access on Pulse Connect Secure and Pulse Policy Secure gateways.
REvil ransomware was used to take advantage of this network device vulnerability. It allowed an unauthenticated remote attacker with network access via HTTPS to send a specially crafted URI (Uniform Resource Identifier) and exploit the vulnerability.
CVE-2019-11510 affected a range of Pulse Connect Secure versions, including 9.0R1 – 9.0R3.3, 8.3R1 – 8.3R7, 8.2R1 – 8.2R12 and 8.1R1 – 8.1R15. The affected Pulse Policy Secure versions were 5.1 to 5.4 and 9.0.
2. Citrix Application Delivery Controller and Gateway
A vulnerability CVE-2019-19781 in Citrix Application Delivery Controller (Citrix ADC) allowed cybercriminals to attack a device and execute code remotely.
One technique used by attackers involved creating an XML file that uses directory traversal and having it executed through a Perl script; the cybercriminals exploited the vulnerability by supplying malicious content to such scripts.
The attackers thus gained access to information stored on the compromised devices. Devices running Citrix ADC and Citrix Gateway versions 10.5, 11.1, 12.0, 12.1 and 13.0 were attacked through CVE-2019-19781. Citrix further stated that the vulnerability also affected Citrix SD-WAN: the Citrix SD-WAN WANOP edition uses Citrix ADC as a load balancer, so targeted attacks affected it as well.
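The Apache Struts, Pulse Secure and Citrix entries above share two request shapes that a defender can watch for at the reverse proxy or WAF: expression-language markers inside multipart upload headers (the Struts CVE-2017-5638 vector) and `..` traversal segments aimed at an appliance's management paths (the Pulse Secure and Citrix vectors). The following Python is an added example (not from the original article or Payatu) that screens request records for both, percent-decoding paths repeatedly so double-encoded traversal is not missed. The JSON-lines record format and every sample request are constructed for the example.

```python
import json
import re
from urllib.parse import unquote

# OGNL evaluation markers. Struts evaluated the Content-Type value as an
# expression while formatting the multipart error message (CVE-2017-5638).
OGNL_MARKER = re.compile(r"[%$]\{")
HEADERS_OF_INTEREST = {"content-type", "content-disposition", "content-length"}


def path_segments(path: str) -> list:
    """Percent-decode until stable (bounded, to defeat double encoding) and
    split into segments so '..' is found whatever encoding it arrived in."""
    decoded = path
    for _ in range(3):
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    return [s for s in decoded.split("/") if s]


def screen_request(rec: dict) -> list:
    """Findings for one request record; an empty list means nothing matched."""
    findings = []
    for name, value in rec.get("headers", {}).items():
        if name.lower() in HEADERS_OF_INTEREST and OGNL_MARKER.search(str(value)):
            findings.append(f"expression marker in {name} header")
    if ".." in path_segments(rec.get("path", "")):
        findings.append("path traversal segment in request path")
    return findings


def screen_log(lines) -> list:
    """Return (line number, source address, finding) for each hit across a
    JSON-lines export; malformed lines are skipped rather than aborting."""
    alerts = []
    for n, line in enumerate(lines, start=1):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        for finding in screen_request(rec):
            alerts.append((n, rec.get("src", "?"), finding))
    return alerts


# Constructed reverse-proxy records: a normal upload, an upload whose
# Content-Type carries an expression marker, and a double-encoded traversal.
SAMPLE_LOG = [
    '{"src": "203.0.113.5", "method": "POST", "path": "/upload.action", '
    '"headers": {"Content-Type": "multipart/form-data; boundary=----x1"}}',
    '{"src": "198.51.100.7", "method": "POST", "path": "/upload.action", '
    '"headers": {"Content-Type": "%{#placeholder}multipart/form-data"}}',
    '{"src": "198.51.100.9", "method": "GET", '
    '"path": "/portal/..%252F..%252Fadmin/config", "headers": {}}',
    'not json at all',
]

if __name__ == "__main__":
    for alert in screen_log(SAMPLE_LOG):
        print(alert)
```

Decoding is bounded to three rounds on purpose: an attacker-controlled string that keeps changing under repeated decoding is itself worth a finding in production, and an unbounded loop would be a denial-of-service handle. The header check matches only the expression marker, never the full payload, which keeps the rule stable across the many encodings the actual exploit variants used.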
3. Microsoft Office 365
In the wake of the coronavirus crisis and global lockdown, many organizations started using Microsoft Office 365 and other cloud collaboration services. The Cybersecurity and Infrastructure Security Agency (CISA) saw instances where organizations ignored many security recommendations and preventive measures.
This neglect left the data stored in those cloud services more exposed to unauthorised access by outsiders.
A disabled Unified Audit Log, missing alerts and the absence of multi-factor authentication on administrator accounts were among the security weaknesses observed by CISA. You can read more in CISA's report AR19-133A: Microsoft Office 365 Security Observations.
Software vulnerabilities can wreak havoc on an application, on the OS and on the device itself. They can allow hackers to take control of data and disrupt any business.
That’s why Payatu insists on implementing stringent cybersecurity measures. You must be prepared to defend your business against any hacking attempts.
So make sure you undertake regular, comprehensive security assessments of all your critical business applications.