Preface
In February 2021, IBM's X-Force security team released the X-Force Threat Intelligence Index 2021, which identified vulnerability exploitation as the top threat of 2020.
Finding and exploiting unpatched flaws, or common vulnerabilities and exposures (CVEs), in a network is the most successful approach for an attacker and the most common way to gain initial access to a network.
In fact, the success rate of exploits has surpassed that of phishing emails, largely replacing credential theft as the most reliable way for attackers to penetrate networks.
What we see now: new vulnerabilities abound, but old ones pose the greater threat
X-Force data shows that the Citrix server directory traversal vulnerability (CVE-2019-19871) was the most exploited vulnerability of 2020.
While this relatively new vulnerability tops the list, older flaws dominate the Top 10 most exploited vulnerabilities of 2020: only two of the ten were discovered in 2020.
Because vulnerabilities from previous years continue to threaten unpatched devices and organizations, the cumulative effect leaves them more exposed each year.
Since 1988, the number of new vulnerabilities discovered each year has risen overall. 17,992 new vulnerabilities were discovered in 2020, and by the end of 2020 the cumulative total reached a peak of 180,171.
New vulnerabilities discovered and accumulated each year, 1988-2020 (Source: X-Force Red)
For security practitioners, quickly identifying and remediating vulnerabilities is urgent.
Vulnerabilities that remain open
CVE-2006-1547 and CVE-2012-0391 are two of the most notable vulnerabilities of 2020, and both are Apache Struts vulnerabilities. They rank third and fourth on X-Force's list of the most exploited vulnerabilities of 2020.
Although the two vulnerabilities were discovered 15 and nine years ago respectively and were fixed long ago, they often remain unpatched, and attackers still attempt to exploit them in large numbers. The growing number of new vulnerabilities each year, combined with the backlog of old ones, is a bonanza for attackers.
Top 10 vulnerabilities of 2020
X-Force ranked the top 10 vulnerabilities of 2020 based on how often, and with what intent, attackers exploited them. The ranking draws on 2020 IBM X-Force Incident Response (IR) and IBM Managed Security Services (MSS) data. According to the findings, attackers focused on enterprise applications and open-source frameworks that are common on internal networks.
1. CVE-2019-19871: Citrix Application Delivery Controller (ADC)
2. CVE-2018-20062: NoneCMS ThinkPHP remote code execution
3. CVE-2006-1547: Apache Struts ActionForm
4. CVE-2012-0391: Apache Struts ExceptionDelegator component
5. CVE-2014-6271: GNU Bash
6. CVE-2019-0708: Microsoft Remote Desktop Services (BlueKeep)
7. CVE-2020-8515: DrayTek Vigor command injection
8. CVE-2018-13382 and CVE-2018-13379: Fortinet FortiOS improper authorization and directory traversal
9. CVE-2018-11776: Apache Struts remote code execution
10. CVE-2020-5722: Grandstream UCM6200 SQL injection
Three of these vulnerabilities are discussed in detail below.
1. CVE-2019-19871: Citrix Application Delivery Controller
The vulnerability, disclosed in December 2019, affects Citrix ADC, Citrix Gateway and NetScaler Gateway. It allows attackers to execute arbitrary code or download additional payloads onto Citrix servers, such as trojan backdoors that enable command execution and password brute-forcing.
This vulnerability appeared repeatedly in IBM's incident response engagements, most actively in the first half of 2020. It accounted for 25% of all initial compromises in the first quarter of 2020 alone, and for up to 59% of all attacks remediated by X-Force in January 2020.
In fact, attackers exploited this vulnerability 15 times more often than any other vulnerability seen in X-Force incident response engagements. IBM's managed security service regularly observes alerts indicating that an attacker is trying to exploit it.
2. CVE-2018-20062: NoneCMS ThinkPHP remote code execution
The second most exploited vulnerability of 2020 was CVE-2018-20062, which allows an attacker to execute arbitrary PHP code. X-Force threat intelligence analysts observed that it mainly targets Internet of Things (IoT) devices, in line with IBM's forecast of a sharp rise in attacks on IoT in 2020.
Attackers mostly used CVE-2018-20062 to deploy a variety of malware, such as the SpeakUp backdoor, the Mirai botnet and various cryptocurrency miners.
ThinkPHP is an open-source PHP framework. Although the vulnerability was patched in ThinkPHP 5.0.23 and 5.1.31 on December 8, 2018, a proof of concept (PoC) exploit was released on December 11, 2018, allowing attackers to keep attacking unpatched installations. The delay in applying the fix may be related to the difficulty of identifying and updating IoT devices.
3. CVE-2006-1547: ActionForm vulnerability in Apache Struts
Struts is an open-source framework commonly used to build Java web applications. The flaw, discovered 15 years ago, can crash a Struts web application and expose confidential information. Attackers recognized the opportunity presented by the framework's wide use and exploited several vulnerabilities in Apache Struts.
Old vulnerabilities are being exploited with increasing frequency, a reminder to regularly scan web applications for unpatched flaws.
What about unknown vulnerabilities?
Undisclosed vulnerabilities, including zero-day vulnerabilities, continue to pose a threat to corporate networks. An enterprise may discover unknown vulnerabilities through penetration testing. But X-Force has observed that known vulnerabilities, even where mitigations exist, pose a greater threat to enterprises than zero-days do.
While companies cannot control the exploitation of unknown vulnerabilities, they can take structured action against known ones, and the relative return on focusing on this area is higher. Vulnerability management services help organizations improve the security of their assets by identifying, prioritizing and fixing existing vulnerabilities.
How to prevent vulnerabilities in the network?
Vulnerability management is complicated. Decisions have to consider assets, data classifications, business goals, risks and performance benchmarks, and there is no one-size-fits-all solution.
Machines and infrastructure in some networks are fragile and require rigorous testing to ensure that nothing breaks when updates or patches are applied.
Devices on other networks are best left without a particular patch, even when one exists. Vulnerability management is always a balance of risk, never a single-track mindset.
Some patch management measures:
- Know your network. Make a regular inventory of the devices in your network, including devices, operating systems, applications, versions, IP addresses, cloud assets, and the owners of these systems. Quarterly is recommended.
- Identify risks. Use vulnerability management tools and Crown Jewel Analysis to identify critical assets and analyze which vulnerabilities are most likely to affect those assets.
- Test before applying the patch. Build a test environment that reproduces the problems that may occur when the patch is deployed to the enterprise environment. It is recommended to apply patches first to a representative sample of test equipment and assets.
- Patch deployment. Deploy the tested patch in the enterprise environment. Some vulnerability management tools can automate patch deployment.
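The first two measures above, inventory and risk identification, come together in a ranking step: which exposed asset gets patched first. The script below is an added example written for this page; it is not code from the X-Force report or from any vulnerability management product. It cross-references a constructed asset inventory against a small affected-version catalog and orders the resulting patch queue by the exploitation rank from the Top 10 list above, with a bonus for internet-facing and crown-jewel assets. The ThinkPHP fix versions (5.0.23 and 5.1.31) are the ones stated above; the Apache Struts fix version, the scoring weights and the hostnames are assumptions made for the demo.

```python
"""Rank patch work by matching an asset inventory against the exploited-CVE list.

Added example, not from the X-Force report. ThinkPHP fix versions come from the
text above; the Apache Struts fix version and the scoring weights are assumed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Exploitation rank from the 2020 Top 10 list on this page (1 = most exploited).
EXPLOIT_RANK: Dict[str, int] = {
    "CVE-2019-19871": 1, "CVE-2018-20062": 2, "CVE-2006-1547": 3,
    "CVE-2012-0391": 4, "CVE-2014-6271": 5, "CVE-2019-0708": 6,
    "CVE-2020-8515": 7, "CVE-2018-13382": 8, "CVE-2018-13379": 8,
    "CVE-2018-11776": 9, "CVE-2020-5722": 10,
}

# Catalog: product -> list of (cve, {release branch -> first fixed version}).
# A version on a listed branch that predates the fix is treated as affected.
CATALOG: Dict[str, List[Tuple[str, Dict[str, str]]]] = {
    "ThinkPHP": [("CVE-2018-20062", {"5.0": "5.0.23", "5.1": "5.1.31"})],
    # ASSUMED fix version for the demo; take the real range from the vendor advisory.
    "Apache Struts": [("CVE-2006-1547", {"1.2": "1.2.9"})],
}


@dataclass(frozen=True)
class Asset:
    hostname: str
    product: str
    version: str
    internet_facing: bool
    crown_jewel: bool  # flagged by the Crown Jewel Analysis step


def parse_version(v: str) -> Tuple[int, ...]:
    """'5.0.21' -> (5, 0, 21); non-numeric parts become 0 so comparison still works."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def is_affected(version: str, fixed_by_branch: Dict[str, str]) -> bool:
    """Affected if the version sits on a listed branch and predates that branch's fix."""
    for branch, fixed in fixed_by_branch.items():
        if version.startswith(branch + ".") or version == branch:
            return parse_version(version) < parse_version(fixed)
    return False  # branch not in the catalog: no claim either way


def find_exposures(inventory: List[Asset]) -> List[Tuple[Asset, str]]:
    """Pair each inventoried asset with every catalogued CVE that applies to it."""
    hits = []
    for asset in inventory:
        for cve, fixed_by_branch in CATALOG.get(asset.product, []):
            if is_affected(asset.version, fixed_by_branch):
                hits.append((asset, cve))
    return hits


def priority(asset: Asset, cve: str) -> int:
    """Higher = patch sooner: observed exploitation first, then exposure and asset value."""
    score = 11 - EXPLOIT_RANK.get(cve, 11)  # rank 1 -> 10 points, unlisted CVE -> 0
    score += 5 if asset.internet_facing else 0  # assumed weight
    score += 5 if asset.crown_jewel else 0      # assumed weight
    return score


def patch_queue(inventory: List[Asset]) -> List[Tuple[str, str, int]]:
    """Return (hostname, cve, score), most urgent first; ties broken by hostname."""
    ranked = [(a.hostname, cve, priority(a, cve)) for a, cve in find_exposures(inventory)]
    return sorted(ranked, key=lambda r: (-r[2], r[0]))


# Constructed sample inventory (no real hosts).
SAMPLE_INVENTORY = [
    Asset("web01", "ThinkPHP", "5.0.21", internet_facing=True, crown_jewel=False),
    Asset("web02", "ThinkPHP", "5.0.23", internet_facing=True, crown_jewel=False),
    Asset("cam-gw", "ThinkPHP", "5.1.30", internet_facing=False, crown_jewel=False),
    Asset("erp01", "Apache Struts", "1.2.7", internet_facing=False, crown_jewel=True),
    Asset("erp02", "Apache Struts", "2.3.20", internet_facing=False, crown_jewel=True),
]

if __name__ == "__main__":
    for host, cve, score in patch_queue(SAMPLE_INVENTORY):
        print(f"{score:3d}  {host:8s} {cve}")
```

On the sample inventory the queue is web01 (exposed, rank-2 CVE), then erp01 (crown jewel, rank-3 CVE), then the internal cam-gw; web02 is already at the fixed version and erp02 is on a branch the catalog does not cover, so neither appears. In practice the catalog rows are populated from vendor advisories and the rank column from whatever threat-intelligence feed the organization trusts, and the test-before-deploy step still applies to everything the queue produces.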