Several Microsoft Office vulnerabilities that were patched years ago continue to be among the security flaws most exploited in attacks, the U.S. government warns.
The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) this week published a joint alert detailing the vulnerabilities most routinely exploited in attacks, together with mitigation guidance.
The bugs, the alert underlines, are routinely exploited by foreign cyber actors in attacks targeting both the public and private sectors, and risks associated with them could be mitigated “through an increased effort to patch systems and implement programs to keep system patching up to date.”
Between 2016 and 2019, the vulnerabilities threat actors most often used to compromise systems were in Microsoft Office (CVE-2017-11882, CVE-2017-0199, CVE-2012-0158, CVE-2015-1641), Apache Struts (CVE-2017-5638), Microsoft SharePoint (CVE-2019-0604), Microsoft Windows SMBv1 (CVE-2017-0143), Microsoft .NET Framework (CVE-2017-8759), Adobe Flash Player (CVE-2018-4878), and Drupal (CVE-2018-7600).
Exploitation of these flaws was observed delivering a broad range of malware families, including Loki, FormBook, Pony/FAREIT, FINSPY, LATENTBOT, Dridex, JexBoss, China Chopper, DOGCALL, FinFisher, WingBird, Toshliph, UWarrior, and Kitty, among others.
The three vulnerabilities most frequently abused by state-sponsored threat actors from China, Iran, North Korea, and Russia all affect Microsoft Office and were patched years ago: CVE-2017-11882, CVE-2017-0199, and CVE-2012-0158.
“According to U.S. Government technical analysis, malicious cyber actors most often exploited vulnerabilities in Microsoft’s Object Linking and Embedding (OLE) technology. OLE allows documents to contain embedded content from other applications such as spreadsheets. After OLE, the second-most-reported vulnerable technology was a widespread Web framework known as Apache Struts,” the alert reads.
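The alert names OLE as the mechanism, so the practical check is whether a document carries OLE objects at all. The scanner below is an added example, not code from the alert or from this article: it walks RTF and .docx (OOXML) documents and reports every embedded or linked OLE object. The indicators it escalates are the editor's choices rather than the alert's: an object class of Equation.3 (the Equation Editor component patched for CVE-2017-11882), an auto-updating or externally linked object (the behaviour abused by CVE-2017-0199), and any embedded OLE payload, which a reviewer should at least look at. Both sample documents are constructed inline; the external link target uses the reserved example.invalid domain.

```python
r"""Triage scanner for OLE objects in RTF and .docx documents (added example).

Not code from the CISA/FBI alert. Indicators flagged here are the editor's
choices: Equation.3 objects (Equation Editor, CVE-2017-11882), auto-updating
or externally linked objects (the mechanism abused by CVE-2017-0199), and any
embedded OLE payload. Sample documents are constructed for this example.
"""
import io
import re
import zipfile

RTF_GROUP_START = rb"\{\\object\b"                        # start of an {\object ...} group
OBJCLASS = re.compile(rb"\\objclass\s*([^\\{}\s]+)")      # e.g. {\*\objclass Equation.3}
OBJDATA = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")    # hex-encoded OLE payload
REL = re.compile(rb"<Relationship\b[^>]*>")               # OOXML relationship element
ATTR = re.compile(rb'(\w+)="([^"]*)"')                    # attribute="value" pairs

# Constructed sample RTF: one embedded, auto-updating Equation Editor object.
SAMPLE_RTF = rb"""{\rtf1\ansi
{\object\objemb\objupdate{\*\objclass Equation.3}{\*\objdata 0105000002000000}}
}"""

# Constructed relationships part: one embedded and one externally linked object.
SAMPLE_RELS = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId5" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="embeddings/oleObject1.bin"/>
<Relationship Id="rId6" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="http://example.invalid/o" TargetMode="External"/>
</Relationships>"""


def rtf_object_groups(data: bytes):
    r"""Yield each {\object ...} group, matching braces and skipping \{ \} escapes."""
    for m in re.finditer(RTF_GROUP_START, data):
        depth, i = 0, m.start()
        while i < len(data):
            c = data[i:i + 1]
            if c == b"\\":          # control word or escaped brace: skip the next byte
                i += 2
                continue
            if c == b"{":
                depth += 1
            elif c == b"}":
                depth -= 1
                if depth == 0:
                    yield data[m.start():i + 1]
                    break
            i += 1


def scan_rtf(data: bytes) -> list:
    """Describe every OLE object found in an RTF document."""
    findings = []
    for group in rtf_object_groups(data):
        cls = OBJCLASS.search(group)
        raw = OBJDATA.search(group)
        payload = bytes.fromhex(re.sub(rb"\s", b"", raw.group(1)).decode()) if raw else b""
        findings.append({
            "format": "rtf",
            "objclass": cls.group(1).decode(errors="replace") if cls else None,
            "auto_update": b"\\objupdate" in group,   # object refreshes itself on open
            "external": False,
            "payload_size": len(payload),
        })
    return findings


def scan_docx(data: bytes) -> list:
    """Describe every oleObject relationship in a .docx, embedded or linked."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        rels = "word/_rels/document.xml.rels"
        if rels not in names:
            return findings
        for m in REL.finditer(z.read(rels)):
            attrs = {k.decode(): v.decode() for k, v in ATTR.findall(m.group(0))}
            if not attrs.get("Type", "").endswith("/oleObject"):
                continue
            target = attrs.get("Target", "")
            part = "word/" + target                   # embedded parts live under word/
            findings.append({
                "format": "docx",
                "objclass": None,
                "auto_update": False,
                "external": attrs.get("TargetMode") == "External",
                "target": target,
                "payload_size": z.getinfo(part).file_size if part in names else 0,
            })
    return findings


def triage(findings: list) -> list:
    """Return one human-readable reason per finding that merits analyst review."""
    reasons = []
    for f in findings:
        if f["objclass"] and f["objclass"].lower().startswith("equation"):
            reasons.append(f"Equation Editor object ({f['objclass']})")
        elif f["auto_update"] or f["external"]:
            reasons.append("auto-updating or externally linked OLE object")
        elif f["payload_size"]:
            reasons.append(f"embedded OLE payload of {f['payload_size']} bytes")
    return reasons


def build_sample_docx() -> bytes:
    """Constructed minimal .docx with one embedded and one linked OLE object."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/_rels/document.xml.rels", SAMPLE_RELS)
        z.writestr("word/embeddings/oleObject1.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 12)
    return buf.getvalue()


if __name__ == "__main__":
    for label, found in (("rtf", scan_rtf(SAMPLE_RTF)), ("docx", scan_docx(build_sample_docx()))):
        print(label, found, triage(found))
```

Running the file prints the findings and triage reasons for both constructed documents. On a mail gateway the scan is cheap enough to run on every attachment, but the verdict should route the file to a sandbox or analyst rather than block it outright: legitimate documents embed spreadsheets and equations too, which is exactly why OLE stays a useful lure.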
In 2015, the U.S. government assessed that CVE-2012-0158 was the vulnerability most used by Chinese state actors, and it remains widely used in their operations.
“This trend suggests that organizations have not yet widely implemented patches for this vulnerability and that Chinese state cyber actors may continue to incorporate dated flaws into their operational tradecraft as long as they remain effective,” the U.S. government says.
In 2020, in addition to the vulnerabilities above, threat actors began widely exploiting virtual private network flaws (CVE-2019-19781 in Citrix ADC/Gateway and CVE-2019-11510 in Pulse Secure VPN), Microsoft Office 365 misconfigurations, and organizational weaknesses such as poor employee training on social engineering and the lack of system recovery and contingency plans.
Related: Patching Pulse Secure VPN Not Enough to Keep Attackers Out, CISA Warns
Related: DHS Reiterates Recommendations on Securing Office 365