Skip to content

探究CISA的15個經常被利用的漏洞

On April 27, the Cybersecurity and Infrastructure Security Agency (CISA), published a joint advisory in collaboration with CSA/NSA/FBI/ACSC and other cybersecurity authorities, providing details on the top 15 vulnerabilities routinely exploited by threat actors in 2021,and other CVEs frequently exploited.

Nine of the top 15 routinely exploited flaws were remote code execution vulnerabilities, followed by two privilege escalation weaknesses, potentially allowing threat actors to remotely take over systems. 

Unpatched devices and systems can serve as an easy network entry point for threat actors, as they provide attackers with a reliable and efficient Initial Access method. A number of these vulnerabilities were seen as a part of ransomware attack vectors, one of today’s top threats to operational technology.

Many of these vulnerabilities share characteristics that make them widely exploitable: They affect widely used systems, where the vulnerability can be present in multiple systems.

In the past year, threat actors targeted internet-facing systems, such as email servers and VPN servers, with exploits of newly disclosed vulnerabilities. For most of the top exploited vulnerabilities, a proof of concept code was released within two weeks of the vulnerability’s disclosure. (Read more about when to patch or not patch, here).  

Malicious threat actors continued exploiting publicly known vulnerabilities, demonstrating the continued risk to organizations that fail to patch software in a timely manner or are using software that is no longer supported by a vendor.

The Top 15 Routinely Exploited Vulnerabilities

The top vulnerabilities detail how threat actors exploited newly disclosed vulnerabilities in popular services, aiming to create a massive and extended impact on organizations.

Nine of the top 15 routinely exploited flaws were remote code execution vulnerabilities, followed by two privilege escalation weaknesses.

Following are the most exploited vulnerabilities:

  • CVE-2021-44228 – this vulnerability, known as Log4Shell, affects the Apache Log4j library, an open-source logging framework. Exploiting this vulnerability allows threat actors to control java-based web servers and launch remote code execution attacks. 
  • CVE-2020-1472 – this vulnerability, known as ZeroLogon, affects Microsoft’s Active Directory Netlogon Remote Protocol. Exploiting this vulnerability allows an attacker to establish a vulnerable Netlogon secure channel connection to a domain controller.
  • CVE-2019-11510 – this vulnerability affects Pulse Connect Secure. Successful exploitation of this vulnerability allows an unauthenticated remote attacker to perform an arbitrary file reading.
  • CVE-2018-13379 – this vulnerability affects Fortinet’s FortiGate SSL VPN. Exploitation of this vulnerability could allow an unauthenticated attacker to read arbitrary files.
  • CVE-2021-26855, CVE-2021-26858, CVE-2021-26857, CVE-2021-27065 – these vulnerabilities, known as ProxyLogon, affect Microsoft Exchange email servers. Successful exploitation of these vulnerabilities allows unauthenticated attackers to execute arbitrary code on vulnerable Exchange Servers and compromise trust and identity in a vulnerable network.
  • CVE-2021-34523, CVE-2021-34473, CVE-2021-31207 – these vulnerabilities, known as ProxyShell, also affect Microsoft Exchange email servers. Successful exploitation of these vulnerabilities in combination enables a remote actor to execute arbitrary code. 

As our customers are well aware, The SCADAfence Platform protects against these vulnerabilities, detects any unexpected connections to and from external devices, and detects unexpected connections to and from the Internet. These connections would trigger alerts indicating a malicious threat actor might be attempting to exploit a vulnerability.

The platform also detects suspicious behavior based on IP reputation, hash reputation, and domain reputation.

The SCADAfence Platform can help identify where the network is exposed to potential risks and match between exposed assets and their relative vulnerabilities.

Additionally, the User Activity Analyzer can be utilized to track any propagation attempts by malicious actors.

Detecting Exploitation Attempts

The SCADAfence Platform detects exploitation attempts of the following vulnerabilities:

  • CVE-2021-44228 (Log4Shell) – this vulnerability was widely exploited, thousands of products use Log4j and were vulnerable to the Log4Shell exploitation.
  • CVE-2020-1472 (ZeroLogon) – this vulnerability has been observed in the attack chain of ransomware actors such as Ryuk.
  • CVE-2019-11510 (Pulse) – while patches for this vulnerability were released April 2019, multiple incidents have occurred where compromised AD credentials were used months after victim organizations patched their VPN appliance.
  • CVE-2018-13379 (Fortinet) – this vulnerability has been exploited routinely for over four years, and has often been used to deploy ransomware.

The SCADAfence research team is constantly monitoring newly disclosed vulnerabilities, as well as routinely exploited ones, and working to continuously improve the platform’s vulnerability detection abilities.

SCADAfence Researchers’ Recommendations for Reducing Risk

Our researchers recommend taking the following measures to minimize the risk of exploitation:

  • Limit Network Exposure – minimize network exposure for all of your control system devices and/or systems, and ensure they are not accessible from the Internet.
  • Monitor Network Traffic – monitor access to the production segments. In your network monitoring tool (and we know a really good one), create logical groups of the affected devices and define traffic rules to alert on suspicious access to them.
  • Monitor User Activity – If you’re a customer, you can use the SCADAfence Platform to monitor access to the affected devices and track all of your user activities using the User Activity View.
  • Connect to the SCADAfence Cloud – Again, If you’re a customer, connect your SCADAfence Platform to the SCADAfence Cloud to get the latest signature and CVE updates.

Additional recommendations include updating your software, operating systems, applications, and firmware on IT network assets in a timely manner, while prioritizing patching known exploited vulnerabilities. 

If you’re not a customer yet and would like to see how this works from up close, you can watch a short demo here.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

物聯網設備的興起帶來的新的網絡威脅和漏洞

Diving into Internet of Things Statistics

An Internet of Things (IoT) device simply means a device which can communicate back and forth with a central hub, mainly via WiFi but also using technologies such as SIM cards and radio frequencies. We are living in the age of digital connectivity, if it can have an IP address then you best believe it’ll have one assigned. From Samsung’s AI-powered Family Hub Smart Fridge which tells you what recipes you can make based on the ingredients inside, to Tesla vehicles with over-the-air updates for not only the software but also actual motor components (a 2018 update on the Model 3 to adjust the anti-lock algorithm which helped with braking distance).  

Consumer technologies aren’t alone when it comes to utilizing the Internet of Everything. Industries such as healthcare have their own use case. Internet of Medical Things (IoMT) such as smart sensors for monitoring patients’ vitals are an essential piece of equipment in modern healthcare facilities.  

The statistics back this growth: there are already more active IoT devices (10 billion) than people on earth. It’s expected that there will be over 30 billion total IoT devices by 2025, with the market value projected to reach $875 billion by that time. Every second over 100 new IoT appliances connect to the public internet. It’s so widely adopted that almost a third of the US population own a smartwatch. This sharp increase in devices has a clear effect on the global volume of data being transported, the graph below shows year to year growth.  

Cyber Threats & Vulnerabilities of IoT

As the Internet of Things rapidly grows, the cyber threats and associated risks continue to evolve and become increasingly complex with hackers coming up with new ways to breach devices and networks. Every organization should be aware of their own network attack surface, which is the totality of all vulnerabilities from connected devices and hardware. Each device poses a possible point of entry for an unauthorized user to gain access. Ideally you keep your attack surface as small as possible, making it easier to protect. But for some organizations, this simply isn’t a possibility, as there might be a need for thousands, if not hundreds of thousands of IoT sensors to report on key analytics.  

As mentioned earlier, the healthcare industry has a sizable use case when it comes to IoT devices. An issue with this is the cost associated with these complex pieces of equipment such as MRI scanners and X-ray machines. It simply isn’t feasible for these items to be upgraded regularly, which in turn leads to outdated and unsupported systems still playing a key role in the infrastructure. As an example, Windows 7 support was discontinued in January of 2020 after 10 years in operation, creating an untold number of vulnerabilities for organizations around the globe. According to a report from Palo Alto Networks cybersecurity division Unit 42, 83% of medical imaging devices are running unsupported operating systems.  

IoT devices suffer from a range of other vulnerabilities, including: 
  • Weak/default passwords and settings: Back in 2016, the largest DDoS attack ever at the time was launched against the service provider Dyn using a botnet powered by IoT devices. Hackers used a piece of malware called Mirai, which after initially infecting a computer would continue searching for vulnerable IoT devices and use default usernames and passwords to login. These credentials can be found online easily, and if the network operator doesn’t change them, anyone can gain access. 
  • Poor device security from the manufacturer: When a device communicates in plain text, all information that is being transferred can easily be intercepted via a Man-in-the-Middle attack. 
  • Outdated IoT firmware: A large percentage of IoT devices use third-party libraries for their firmware, these can easily become outdated and with the lack of ability to update the firmware on some devices, this poses an issue. 
  • Protecting your IoT Devices and Network: Network administrators need to realise that with these new devices they need to ensure they are keeping up with the essential security solutions. Strong passwords, firewalls and anti-virus software simply isn’t sufficient. The first step in protecting your IoT devices is to learn and understand what the most likely cyber threats are. Create a threat model which identifies, evaluates, and prioritizes potential vulnerabilities. Having a documented network is essential, a well-maintained network management system with advanced monitoring will massively help identify weak spots in the network.  
Basic IoT network security measures include:
  • VLANs: Placing the IoT devices in their own VLAN with total segregation from the rest of the network. This doesn’t have to be anything overly complicated, just set some simple rules such as trusted and untrusted depending on how much faith you have in the device. E.g. A Nest smoke alarm can be placed in the trusted VLAN and have access to the internet but a cheap Chinese thermometer would go in the untrusted VLAN and not have access to anything else.  
  • Static IPs: If it is possible to assign a static IP, definitely do so. This helps you to keep track of the device and can make troubleshooting a whole lot easier. Another benefit of this is helping with identifying new devices on the network. 
  • MAC Address whitelisting: An easy way of ensuring only authorized devices can access your company network. But it is important to note that these can be easily spoofed. 
Advanced IoT security measures include:
  • Modern Network Access Control (NAC): Traditional NAC solutions don’t scale well when it comes to IoT. Standard IEEE 802.1x security protocols are mostly incompatible with IoT devices. As mentioned above, MAC authentication can be spoofed. With NAC, network administrators are able to configure and enforce security policies and analyze device risk postures. 
  • Automated configuration: Having an automated onboarding system in place for new devices is a smart idea. If your company has a large number of IoT devices, it can be easy for some to slip through the security configuration if done manually.  
  • Device certificates: Using X.509 device certificates to manage the identity and security of devices adds another layer of security. These certificates play a key role in PKI-based security and serve as proof of device authenticity by authentication, encryption, and data integrity. 
  • Secure API connections: APIs are commonly used to transfer data between applications and devices. This can give way to a whole host of cyber threats. It is essential that only authorized systems can communicate with the API. The use of tokens to establish trusted identities and provide access to the appropriate services is highly recommended. 

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Portnox
Portnox provides simple-to-deploy, operate and maintain network access control, security and visibility solutions. Portnox software can be deployed on-premises, as a cloud-delivered service, or in hybrid mode. It is agentless and vendor-agnostic, allowing organizations to maximize their existing network and cybersecurity investments. Hundreds of enterprises around the world rely on Portnox for network visibility, cybersecurity policy enforcement and regulatory compliance. The company has been recognized for its innovations by Info Security Products Guide, Cyber Security Excellence Awards, IoT Innovator Awards, Computing Security Awards, Best of Interop ITX and Cyber Defense Magazine. Portnox has offices in the U.S., Europe and Asia. For information visit http://www.portnox.com, and follow us on Twitter and LinkedIn.。