Rachel Bishop 09.21.2021

The Top Four CVEs Attackers Exploit

While the move to remote work last year gave many of us comforts such as working in our pajamas and being 10 steps away from the fridge, it’s been a bit of a nightmare for those who work in cybersecurity.

The Institute for Security and Technology reports that in 2020, the victims of ransomware attacks paid $350M in ransom—a more than 300% increase over the previous year. By this year’s end, it’s predicted that cybercrime will cost the world $6 trillion. While cybercrime is a lucrative gig for hackers, it's expensive for the rest of us—and unfortunately, it's only getting worse with remote work.

In many ways, remote work has removed many of the security measures that organizations typically put in place to keep their data and networks secure. For example, corporate networks usually only allow trusted devices to connect, making them safer than typical home networks. Meanwhile, home networks often forgo some security measures to ensure ease of configuration and use—and while this doesn’t always invite a disaster, it does put one more within reach for today’s savvy threat actors. Case in point: four of the most actively exploited vulnerabilities impacted remote work in 2020.

Here are some of the top Common Vulnerabilities and Exposures (CVEs) attackers exploited last year, including what each can potentially do and how you can protect your environments against them.

CVE-2019-19781: Citrix | Arbitrary Code Execution

What it is: This threat impacts Citrix’s Application Delivery Controller (ADC), a load-balancing application that runs on servers widely used throughout the United States. Because of the widespread use of Citrix’s ADC and the ease of exploitation, this vulnerability has been a favorite among threat actors.

According to a technical analysis conducted by the U.S. Federal Government, CVE-2019-19781 was the most exploited flaw in 2020. This vulnerability enables threat actors to gain unauthorized remote code execution (RCE) on a target system.

Why it’s dangerous: In essence, arbitrary code execution (ACE) begins with a flaw that exists in software or hardware. It’s a dangerous attack tactic because the attacker, not the software’s author, decides what runs. Once threat actors discover such a flaw, they can use it to execute commands of their choosing on a target device—for example, commands that escalate their privileges on the machine to gain administrator rights. With this heightened level of privilege, hackers can essentially do what they please.

How to defend against it: Citrix has a series of steps that cybersecurity professionals can take to mitigate the CVE-2019-19781 vulnerability. The steps for remediation include running a series of commands from the command line interface of the ADC.

In general, defending against arbitrary code execution attacks starts with making it difficult for attackers to exploit flaws. Keeping your software and hardware up to date with the latest patches can help you defend against ACE attacks. Also, regularly back up your data on a device that is regularly disconnected from your network and machine—just in case the worst does happen.

CVE-2019-11510: Pulse | Arbitrary File Reading

What it is: This threat affects Pulse Secure Virtual Private Network (VPN) servers. Threat actors who exploit this vulnerability can grab any credentials stored unencrypted on a compromised server—and those stolen credentials remain usable even after the server is patched.

Why it’s dangerous: Arbitrary file reading enables threat actors to access and read any files they want once they’ve gained access to a system. In the case of CVE-2019-11510, the vulnerability gives threat actors access to the Pulse Secure VPN servers. From there, attackers can read files of their choosing and obtain sensitive information—including database configuration files, which in turn threaten the security of a website.

This threat is particularly dangerous because it can continue to wreak havoc even after servers are patched. Because of this, not only must servers be patched, but all credentials that live on a compromised server must be changed. This is one scenario where patching isn’t enough to guarantee remediation.

How to defend against it: There is a patch available to mitigate this attack; however, it’s equally critical that all passwords on a compromised server be changed. Users should complete any required system updates to defend against CVE-2019-11510.

CVE-2018-13379: Fortinet | Path Traversal

What it is: This critical vulnerability affects the Fortinet Secure Sockets Layer (SSL) VPN. It enables attackers to gain access to a sensitive file via path traversal. This effectively gives threat actors the ability to grab clear-text usernames and passwords.

Why it’s dangerous: Attacks that are powered by path traversal are dangerous because they allow threat actors to arbitrarily access files and directories, including those outside of the web root folder. In other words, threat actors can venture outside of the web root folder and read other files stored on a system, such as application source code.

How to defend against it: Much like with CVE-2019-11510, defenders can mitigate this attack by applying a patch and changing passwords.
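As an added Python example, not code from the original post or from Huntress: the naive path join behind this bug class beside a hardened resolver that percent-decodes the request and refuses anything that resolves outside an assumed web root (/srv/www, constructed), plus a detection pass over constructed access-log lines. It covers the file-access pattern shared by the arbitrary file read and path traversal sections above.

```python
import os
import re
from urllib.parse import unquote

WEB_ROOT = "/srv/www"  # assumed web root for this example; need not exist on disk

def resolve_unsafe(root: str, requested: str) -> str:
    # Naive join: '../' segments in the request walk out of root (the bug class).
    return os.path.normpath(os.path.join(root, requested))

def resolve_safe(root: str, requested: str):
    # Percent-decode first so '%2e%2e/' cannot slip past the check, then resolve
    # both sides (symlinks included) and require the result to stay under root.
    root_abs = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_abs, unquote(requested).lstrip("/")))
    if os.path.commonpath([root_abs, candidate]) != root_abs:
        return None  # request escapes the web root
    return candidate

# Constructed access-log lines (not real traffic) in common log format.
LOG_LINES = [
    '10.0.0.5 - - [12/Mar/2020:10:00:00 +0000] "GET /images/logo.png HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/Mar/2020:10:00:01 +0000] "GET /static/../../../../etc/passwd HTTP/1.1" 200 1432',
    '10.0.0.9 - - [12/Mar/2020:10:00:02 +0000] "GET /static/%2e%2e/%2e%2e/%2e%2e/etc/shadow HTTP/1.1" 403 0',
    '10.0.0.7 - - [12/Mar/2020:10:00:03 +0000] "GET /css/../index.html?v=2 HTTP/1.1" 200 2048',
]
REQ_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) HTTP/')

def flag_traversal(lines, root=WEB_ROOT):
    # Detection pass: report (client, path) for every request that would escape root,
    # regardless of the status code the server returned (a 403 is still a probe).
    hits = []
    for line in lines:
        m = REQ_RE.match(line)
        if not m:
            continue
        client, target = m.group(1), m.group(2).split("?", 1)[0]
        if resolve_safe(root, target) is None:
            hits.append((client, target))
    return hits
```

A request that normalizes to a path inside the root (the fourth log line) is not flagged, so the check does not break legitimate relative references.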

CVE-2020-0787: Microsoft | Elevation of Privilege

What it is: This vulnerability arises when the Windows Background Intelligent Transfer Service (BITS) improperly handles symbolic links (files that point to other files, much like a shortcut). Attackers who exploit it can overwrite a targeted file and escalate their privileges.

Why it’s dangerous: Privilege escalation attacks are inherently dangerous because they let threat actors grant themselves the rights to do whatever they want in your environment, whether that is reading sensitive files or running malicious code. Because unauthorized access is involved, it’s critical that these attacks are mitigated as soon as possible to minimize damage.

How to defend against it: There’s a patch available to correct the issue. In general, a best practice for limiting privilege escalation is to grant users the lowest level of privileges possible, so that if this type of attack does happen, attackers must work harder to escalate their privileges.
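The following is an added Python example, not code from the original post or from Huntress: a privileged writer that follows a planted symbolic link (the bug class behind this flaw) beside a hardened writer that refuses links and verifies what it actually opened. It assumes a POSIX system (O_NOFOLLOW) rather than Windows BITS itself, and the temp directory, file names and contents are constructed for the demonstration.

```python
import errno
import os
import stat
import tempfile
from pathlib import Path

def write_naive(path: str, data: bytes) -> None:
    # Follows a symlink at `path`: a privileged caller ends up overwriting
    # whatever target a low-privileged user pointed the link at (the bug class).
    with open(path, "wb") as f:
        f.write(data)

def write_nofollow(path: str, data: bytes) -> bool:
    # Refuse to write through a symbolic or hard link; True on success, False if refused.
    # O_NOFOLLOW makes the kernel fail the open when the final component is a
    # symlink, so there is no check-then-open window for an attacker to race.
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_NOFOLLOW, 0o600)
    except OSError as e:
        if e.errno in (errno.ELOOP, errno.EMLINK):  # symlink refused (Linux / BSD)
            return False
        raise
    try:
        st = os.fstat(fd)
        # Only a regular file we own with a single link gets truncated and written;
        # O_TRUNC is deliberately left off the open so a refused file is untouched.
        if not stat.S_ISREG(st.st_mode) or st.st_uid != os.geteuid() or st.st_nlink != 1:
            return False
        os.ftruncate(fd, 0)
        os.write(fd, data)
        return True
    finally:
        os.close(fd)

def demo() -> dict:
    # Constructed scenario: a protected config file and an attacker-planted link to it.
    d = Path(tempfile.mkdtemp())
    protected, planted = d / "protected.conf", d / "job.tmp"
    protected.write_bytes(b"original\n")
    planted.symlink_to(protected)
    write_naive(str(planted), b"clobbered\n")
    after_naive = protected.read_bytes()
    protected.write_bytes(b"original\n")  # reset before trying the hardened writer
    refused = not write_nofollow(str(planted), b"clobbered\n")
    fresh_ok = write_nofollow(str(d / "fresh.txt"), b"ok\n")  # normal path still works
    return {"after_naive": after_naive, "refused": refused,
            "after_safe": protected.read_bytes(), "fresh_ok": fresh_ok}
```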

• • •

There are many more vulnerabilities that shook up the cybersecurity landscape in 2020; however, these four common CVEs give a good overview of what today’s attackers are capable of—and how you can protect your environments from various types of common attacks.

Want to see if anything—or anyone—is lurking in your environment? Sign up for a free 21-day Huntress trial.



Rachel Bishop

Coffee Consumer. Inquisitive Learner. Content Marketing Manager at Huntress.