Surging Remote Access Technology Vulnerabilities – See how they affect you
Well-sponsored APT groups, typically backed by nation states, strive to gain unauthorized access to computer networks and remain undetected for extended periods of time. Many vulnerabilities have already been found to be actively targeted by these sophisticated APT groups, who have the means to develop an exploit for a given vulnerability even if none existed before. For example, Iranian APT groups (APT 33, 34 and 39) are currently targeting CVE-2019-11510 (Sodinokibi ransomware), and the Chinese group APT 41 is targeting CVE-2019-19781 (Ragnarok and Sodinokibi ransomware). Both CVEs are being actively exploited in the wild and affect Pulse Secure and Citrix, whose popular products pave the way for employees to work remotely.
In order to access tools and programs needed to work remotely, there is growing dependence on various systems, which in turn changes the shape and increases the size of an organization’s attack surface. With organizations hurriedly mobilizing their workforce to stay in operation, what new risks do these remote access applications bring? What weaponized vulnerabilities might be lurking on these critical work-from-home infrastructures? How can organizations identify and remediate these high-priority vulnerabilities?
Of the 4,847 vulnerabilities in the past 10 years covering 150 products, 343 CVEs (roughly 9%) are weaponized. Of those, about half (171 CVEs) allow remote code execution (RCE) or privilege escalation (PE), critical capabilities that attackers use to breach defenses. To better understand the impact on an organization’s attack surface, we narrowed our focus to the following remote-work technologies: VPNs, remote access services, databases, web proxies, web gateways, online meeting tools, customer relationship management (CRM) tools, business intelligence (BI) tools, backup and storage, and teleconferencing applications.
The information in this report is based on data gathered from a variety of sources including proprietary RiskSense and Cyber Security Works data, publicly available vulnerability databases, vulnerability advisories, threat databases, and information shared by RiskSense threat researchers and penetration testers.
To prioritize vulnerabilities intelligently, we need real-world, threat-based information as well as data about the vulnerability itself.
In practice, three high-level metrics are often very powerful for homing in on the most important vulnerabilities. These are:
- Weaponized Vulnerabilities: Vulnerabilities that have associated exploit code or malware capable of taking advantage of the vulnerability.
- Strategic Vulnerabilities: Vulnerabilities that allow RCE or PE are highly valuable to attackers and significantly increase the risk of damage to a victim organization.
- Trending Vulnerabilities: These are vulnerabilities that are actively being used in the wild in attacks and malware based on RiskSense research correlated with third-party sources.
Trending vulnerabilities are particularly important to monitor, especially in technology critical to maintaining business continuity for remote operations. While RCE and PE are still regarded as among the most critical vulnerability types to remediate, other exploit and malware categories are also important to track, especially when they trend. A VPN vulnerable to a denial-of-service (DoS) attack is one attack away from bringing the productivity of an entire organization working from home to a halt. Weak or guessable secrets, whether passwords or virtual meeting URLs, can lead at best to awkward or uncomfortable moments and at worst to remote access to a company’s internal network and infrastructure. And ransomware, of course, often shuts down entire business operations.
To understand which vulnerabilities to prioritize, we homed in on each of the three high-level metrics listed above for CVEs related to remote access tools.
- Only about 9% of the 3,847 total CVEs across 150 products are weaponized, and of those about half (171 CVEs) are considered strategic (either RCE or PE).
- 10 CVEs (less than 1%) have trended within the past year:
  - CVE-2019-11510 (Sodinokibi), CVE-2019-19781 (Ragnarok, Sodinokibi), CVE-2012-0158, CVE-2019-1068, CVE-2020-0618, CVE-2019-2588, CVE-2019-2616, CVE-2019-13449, CVE-2019-13450, CVE-2019-1674
- 5 CVEs were being used in ransomware attacks by Iranian and Chinese APT groups:
  - CVE-2019-19781 (Ragnarok, Sodinokibi), CVE-2019-2390, CVE-2019-6110, CVE-2019-6109, CVE-2018-20685
- Of those trending vulnerabilities, three pertain to teleconferencing solutions that are being heavily relied upon to maintain business continuity during COVID-19.
Another way to visualize this data regarding remote access solutions is to understand the frequency of weaponized vulnerabilities in comparison to the total number of CVEs since 2010.
While the weaponized vulnerability percentages may seem low, don’t let the numbers fool you. All it takes is one weaponized vulnerability to wreak havoc on your network. At the beginning of the decade we see a low number of weaponized vulnerabilities, and the count peaks at 71 CVEs in 2018. Many factors contribute to the lower count in 2019, one of them a latency effect: it takes time and effort to reverse engineer a vulnerability and then find the correct payload to exploit it.
Because of this latency, and because some CVEs have simply been public longer than others, the number of weaponized vulnerabilities is lower for 2019 than we would expect, and there isn’t sufficient data (as of April 6, 2020) to form an accurate picture for 2020. However, CVEs are not restricted to a single year and have no expiration date. Consider CVE-2012-0158: disclosed in April 2012, it is not only trending but also being exploited by Cmstar malware.
Understanding a vulnerability’s context provides more insight into whether it will be weaponized. With this thought in mind, we then focused our research on the technologies frequently used when working remotely.
Reviewing the last ten years of CVEs by these technology categories reveals new trends in the data. One major factor in the discrepancies between categories is the number of products available in each. Another is the cost-benefit analysis of exploiting vulnerabilities in each category. Databases are among the biggest targets for attackers looking to exfiltrate large dumps of a target organization’s sensitive data. On the other hand, exploiting a web proxy service may not yield as much from an attacker’s perspective.
From an organization’s perspective, the task for remediation continues to be vulnerability prioritization. Any given software solution can be affected by tens, hundreds, or even thousands of vulnerabilities. How can an organization be expected to understand and then give a priority to such a huge amount of data?
To help you going forward, the table below lists trending and ransomware CVEs, with available patches, that affect software used by remote workers. Where applicable, we’ve also provided links to the exploit, the threat type, and the APT groups exploiting those CVEs. Organizations should immediately check their infrastructure for the presence of these vulnerabilities. If found, they should be remediated as quickly as possible. In our experience, applying a risk-based approach to prioritizing vulnerabilities that includes trending and patch intelligence is the fastest path to an improved security risk posture.
Trending CVEs & Ransomware with Associated Vendors & Products

| CVE | Type / Ransomware Family / APT Group | Vendor | Product | Internet Exposure (4/13/2020) |
|---|---|---|---|---|
| CVE-2019-11510 | RCE / Sodinokibi / Iran (APT 39, 34, 33) | Pulse Secure | Pulse Connect Secure | 1310 |
| CVE-2019-19781 | RCE / Ragnarok, Sodinokibi / China (APT 41) | Citrix | Netscaler Gateway firmware | 6744 |
| CVE-2012-0158 | RCE / – / Cmstar APT | Microsoft | Microsoft SQL Server | 0 |
| CVE-2019-1068 | – | Microsoft | Microsoft SQL Server | 0 |
| CVE-2020-0618 | Web App | Microsoft | Microsoft SQL Server | 0 |
| CVE-2019-2588 | Web App | Oracle | Oracle BI | 0 |
| CVE-2019-2616 | Web App | Oracle | Oracle BI | 0 |
| | | | Webex Meetings Online, Webex Productivity Tools | |
| CVE-2019-6109 | – | Western Digital | My Cloud | 1510 |
| CVE-2018-20685 | – | Western Digital | My Cloud | 1510 |

Note: Internet Exposure is based on Shodan/Internet Storm analysis of the surge in these CVEs being searched for or exposed.
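The three metrics defined earlier (weaponized, strategic, trending) and the risk-based prioritization described above, as an added example that is not RiskSense tooling or code from the report. The records are constructed to mirror rows of the table above; the flags follow the table's Type column and the trending/ransomware lists in the text, and the last record is a hypothetical placeholder.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CveRecord:
    cve: str
    product: str
    weaponized: bool      # exploit code or malware exists
    strategic: bool       # gives RCE or privilege escalation
    trending: bool        # seen in active attacks in the past year
    exposure: int         # hosts visible on the Internet (0 = none/unknown)
    patch_available: bool

def priority_tier(rec: CveRecord) -> int:
    """Lower tier number means remediate first."""
    if rec.trending and rec.strategic:
        return 1
    if rec.trending:
        return 2
    if rec.weaponized and rec.strategic:
        return 3
    if rec.weaponized:
        return 4
    return 5

def explain(rec: CveRecord) -> str:
    """Reason string for a remediation ticket."""
    tags = [t for t, on in (("trending", rec.trending),
                            ("strategic (RCE/PE)", rec.strategic),
                            ("weaponized", rec.weaponized)) if on]
    fix = "patch available" if rec.patch_available else "no patch: isolate or mitigate"
    return f"tier {priority_tier(rec)}: {' + '.join(tags) or 'no exploit intel'}; {fix}"

def rank(records):
    """Order by tier, then larger Internet exposure, then CVE id."""
    return sorted(records, key=lambda r: (priority_tier(r), -r.exposure, r.cve))

# Constructed records mirroring rows of the table above; flags follow the
# table's Type column and the trending/ransomware lists in the text.
SAMPLE = [
    CveRecord("CVE-2019-11510", "Pulse Connect Secure", True, True, True, 1310, True),
    CveRecord("CVE-2019-19781", "Netscaler Gateway firmware", True, True, True, 6744, True),
    CveRecord("CVE-2012-0158", "Microsoft SQL Server", True, True, True, 0, True),
    CveRecord("CVE-2020-0618", "Microsoft SQL Server", True, False, True, 0, True),
    CveRecord("CVE-2019-6109", "My Cloud", True, False, False, 1510, True),
    CveRecord("CVE-0000-00000", "hypothetical placeholder", False, False, False, 0, False),
]

for r in rank(SAMPLE):
    print(f"{r.cve:16} {r.product:28} {explain(r)}")
```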