7 of the Top 10 Vulnerabilities Target Microsoft

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello everyone, and thanks for joining us for episode 52 of the Recorded Future podcast. I’m Dave Bittner from the CyberWire.

Researchers at Recorded Future recently published a report titled, “The Top 10 Vulnerabilities Used by Cybercriminals,” along with a blog post outlining how Microsoft Office tops the exploit charts. Seven out of the top 10 most exploited vulnerabilities in 2017 targeted Microsoft products.

We’ve got a pair of experts from Recorded Future to take us through their findings. Scott Donnelly is vice president of technical solutions, and we’ll hear from him first, with a look at the technical side of the research and what the findings represent in terms of trends. A little later in this podcast, we’ll hear from Adrian Porcescu, EMEA professional services manager, for his take on the practical implications of the report’s findings, and how organizations can use this information for setting priorities and planning their defenses. Stay with us.

Scott Donnelly:

This is the third annual report that Recorded Future has done around vulnerabilities exploited by cybercriminals. The first time we did it, we had just recently gotten access to a lot of dark web forums, code repositories — really, the hard parts of the web — and in order to provide a sample of some of the top vulnerabilities out there, we decided to do some of the analysis for our users and come out with a “top 10 list” and say, “These are the most obviously exploited vulnerabilities on the web, based on our access to deep and dark web forums.”

Dave Bittner:

Let’s dig into some of the details here. Take us through how you approached it.

Scott Donnelly:

We look at exploit kits. This year, we added phishing. We wanted to take a look at some of the most obvious cybercriminal attack vectors. We use our natural language processing to say, “What vulnerabilities are associated with the exploit kits in phishing?” We look at that information and we make the rankings based on the amount of times we see that vulnerability with an exploit kit or a phishing attack. That’s how we prioritize and identify some of the top vulnerabilities tied to these attack vectors.

Dave Bittner:

Let’s go through what you found here. Can you take us through some of the top exploits that you discovered?

Scott Donnelly:

The big judgment this year is that Microsoft products provided seven of the top 10 vulnerability exploits adopted by exploit kits and phishing campaigns. That was a change. In years past, it was Java that topped. That was a favorite of exploit kits. In the last two reports, we highlighted how Adobe Flash exploits were high on the list. With the decline of Adobe, now, Microsoft — this year — provides most of the new vulnerabilities exploited by exploit kits or phishing attacks.

Dave Bittner:

Do you suspect that we’re seeing less and less use of Flash?

Scott Donnelly:

We are. There were two main factors. And the other interesting takeaway this year was not just the change in the target, it’s that the means have changed. When I went to go pull the data together for this report — I had heard, anecdotally, that exploit kit usage was down, but when we actually looked at the data — the hard data — there was a huge drop. I think, in the report, we said a 62 percent drop in new exploit kits in 2017. One of the reasons that Microsoft topped our list this year is not so much that there was anything worse about Microsoft vulnerabilities, it’s just that overall, we’ve seen a significant drop in the usage of Flash, which has provided a lot less opportunities for exploit kits. So we’ve seen Flash usage significantly drop out of the web. It’s going to be sunsetted as a product in 2020. And so, the rise of more secure browsing … Google Chrome is now used in over 60 percent of desktops, and Flash usage is significantly down. With less Flash out on the web and in a sunsetting product, there are a lot less Flash vulnerabilities for exploit kits to take advantage of.

Dave Bittner:

And yet, it still manages to make the top 10.

Scott Donnelly:

It does. Certainly, it’s a major portion of the growth of the web. Flash Player certainly made for very compelling websites and gave designers a lot of opportunities to make compelling websites. Certainly, it’s a big part of the web. While it is sunsetting, there is even just a recent Flash zero day, just a couple of weeks ago, that began to make the rounds with cybercriminals. So it’s still there, it’s still present, but it certainly has peaked and has seen its usage continue to dwindle.

Dave Bittner:

What are the bad guys using instead of exploit kits?

Scott Donnelly:

That’s been the common feedback about the report, saying, “Does this mean that cybercrime is down?” Certainly, the answer is no. It’s like the old adage, “Why did the criminal rob the bank? Because that’s where the money is.” Certainly, cybercriminals are just as prolific, looking for opportunities for profit.

While exploit kit usage is still out there, there still are new exploit kits appearing, just at a lower frequency. We’re seeing things like cryptocurrency mining malware being very popular. There’s a lot of malware out there, causing a lot of difficulty for users and companies — Monero, among other cryptocurrencies.

Ransomware, which is oftentimes deployed via exploit kits, is now being done in more targeted and more lucrative attacks. When cybercriminals were using exploit kits … Exploit kits take advantage of targets of opportunity, where they’re looking for victims that just so happen to fall into their net. Many times, there were ransomware attacks against major organizations — hospitals, universities, police stations — and they were charging the same, relatively small fee as they were if my dad got hit by an exploit kit. So now, criminals are wisening up, and they’re deploying more specific and targeted attacks with much more lucrative price tags, against known organizations. So, again, they’re still looking to make money. They’re just changing the means.

Dave Bittner:

In terms of these things being offered as a service, what are you seeing there?

Scott Donnelly:

Like any good service, exploit kits need to offer fresh and new exploitive vulnerabilities. Along with the other factors leading to the recent decline of exploit kits are the lack of new and effective browser exploits. Chrome, certainly, has a much better security track record. So with a move toward Chrome, with a lack of any recent major Chrome exploits, we’re certainly seeing less of a quality product out there. Exploit kits were very interesting to me. One of the reasons why I used them at the beginning of our research, when we started putting this list together, is that they’re really “crimeware as a service,” in that lower skilled hackers can go onto some of these forums and rent these exploit kits to deploy their payload. Very often, that payload is ransomware. With the lack of new exploits to continue to make a compelling product, we see, certainly, a decline in the usage of exploit kits for attacks.

Dave Bittner:

So, as the browsers themselves are getting more secure, it’s harder for the bad guys to come up with these kits to exploit that.

Scott Donnelly:

That’s correct. The kits are the inroad to the victim machine. So if there are less inroads, then the business dries up a little bit.

Dave Bittner:

I’m looking at the chart in your research here, the “New Exploit Kits Observed by Year,” and you looked at 2013, 2014, and 2015. It looked like we were headed on a nice, steady decline. And then, we saw a peak in 2016 again, and then back down for 2017. Do you think 2016 was an aberration, or is it too soon to confirm any sort of trend yet?

Scott Donnelly:

Anecdotally, we’ve heard that a lot less … One thing we don’t take a look at in the report is network traffic. We’re not actually seeing the attacks in real time. We’re observing the marketplace. That’s the different angle that this research takes a look at. We’ve heard, anecdotally — and I’ve seen plenty of reports — that exploit kit activity is down. Some of the major kits have been taken down. The loss of the Angler exploit kit was a huge blow a couple of years ago. The 2016 spike … There were a lot of Flash zero days leaked in the late 2015 Hacking Team breach, where the Hacking Team, which was a seller of exploits to different governments and different organizations, they themselves were hacked, and Flash zero days were thrown to the wild. That trickled over into 2016, where we saw a lot of exploit kit activity based on those new exploits thrown to the wild, where criminals could adopt them into the kits. With the lack of a recent breach, just like the Hacking Team, that dries up the business a little bit. I do think it’s a trend that will continue, but certainly, if there are more leaks and more breaches, we certainly could see a return. There’s really no reason why exploit kits couldn’t begin to fill up the forums with all sorts of offerings of services.

Dave Bittner:

In terms of recommendations and looking forward, what are you looking at? What are your recommendations for people to protect themselves against these sorts of things?

Scott Donnelly:

In terms of recommendations, I think one of the biggest things that we see from looking at the code repositories and the closed forums and other parts of the dark web, is that there are times where the CVSS score does not correspond to how that vulnerability is being exploited in the wild. One of the vulnerabilities that we highlight, CVE-2017-022 — it’s a Microsoft Windows vulnerability — we only saw it adopted by two exploit kits. But one of those exploit kits was the Neutrino exploit kit. That’s one of the major exploit kits that was around last year. The CVSS score, which is the score provided by the National Vulnerability Database, was 4.3. When you first take a look at this vulnerability, you might not initially think that it should be at the top of your list or that you should immediately look to patch or remediate. But when you take a look at how this vulnerability is being exploited on the web — and that is information that is not always readily available to organizations or to users — when you factor that in, that can really give you a full picture of how dangerous that vulnerability is to you or your organization. There are a lot of different ways that you can use the web for searching, but by overlaying that information from the web, you get the full picture of how dangerous that vulnerability is.

One of the trends we’ve seen is a move to more secure browsing. Google Chrome usage now nears about 60 percent globally. One of the unique things about Google Chrome is that the default is “click to play.” With many browsers, Flash automatically will load. Chrome was one of the first to have “click to play” as the option, and now, the default is “click to play.” By limiting the ability of Flash to automatically load on websites, Google Chrome has really choked off the ability to use Flash as an inroads for attack. That rise of secure browsing has also been seen by a decline in use of Flash on websites. In the middle of last year, 17 percent of sites that Chrome users visited had Flash. That’s a significant decline from 2014, when 80 percent of sites visited by Chrome users had Flash running. So, a significant drop-off in Flash, and a lot of that has to do with Google Chrome, which by changing their defaults, has choked off one of the main inroads of attack for those building exploit kits.

Dave Bittner:

I would suspect, as well, since Flash Player has announced that it’s going to be ending in 2020, if you’re a developer of these exploits, why would you invest in something that you know isn’t going to be around that much longer?

Scott Donnelly:

That’s correct. One of the last holdouts is actually Facebook, and certainly, other social media sites that still use Flash technology for videos. They’re one of the last holdouts, but I’m sure that as the trends go, that will certainly wane as well.

Dave Bittner:

That was Recorded Future’s Scott Donnelly. Next up, we hear from Adrian Porcescu, with his take on threat intelligence and how this report can help organizations looking to better defend themselves.

Adrian Porcescu:

Threat intelligence properly sourced from the open, deep, and dark web enables practitioners to better understand the real level of exploitability of vulnerabilities and assess the associated risk against organizations’ assets. This “in the wild” severity does not map one to one against NVD or CVSS scores. So that means that providing a clear view around the most exploited technologies, or which exploits are most commonly used and leveraged by exploit kits, threat intelligence allows vulnerability management programs to assign better priorities for patching of assets and associated technologies.

So how is this actually happening? As a result of internal threat modeling and incident response efforts, practitioners should know the types of threats, malware, or attack vectors that could be or have been successful against the enterprise. Threat intelligence brings valuable context around vulnerabilities, context that can map against those results. Thus, vulnerability management teams can bring into assessment certain aspects, like ease of use of an exploit due to the low cost of exploit kits that include it, or what attack vectors or malware are associated with the exploit. Also, having capabilities to impact the infrastructure, operations, or valuable business assets.

For example, if a certain exploit has been added recently to an exploit kit, that means that lower-level attackers can now leverage that exploit with lower costs — something that should raise the priority of patching or mitigating the associated vulnerability. Also, if a particular exploit has been reported using specific attack vectors for delivering a piece of malware, practitioners now have the possibility to consider patching this vulnerability, but only if the attack vectors represent a valid opportunity against the business, or if the malware is indeed a threat to the organization.

So, threat intelligence minimizes the visibility, or time gap, between the vulnerability being reported or found and the moment it is exploited. And also, it provides an essential context for efficient prioritization of patching.

Dave Bittner:

It was interesting to me that Microsoft rose to the top of the list here versus Flash, which was in the past, the top thing here. Do you suppose that has more to do with Flash falling out of favor?

Adrian Porcescu:

I think it’s more about, basically, what are the opportunities for different attackers. It all depends on the usability on the enterprise level of those technologies. If the attackers consider that a certain technology gives them more chances of actually imposing some threat against the company, they will start using those vulnerabilities and those technologies and exploit those technologies. So it all comes back to the opportunities that those attackers are actually finding against the enterprise’s environment.

Dave Bittner:

Do the bad guys generally follow the path of least resistance?

Adrian Porcescu:

It depends on their interest, because, as you know, a threat is actually a mix between opportunity, capabilities, and intent. Right? So, depending on the intent of a certain attacker, they might be either taking the path of least effort — which means exploiting the technologies that they find more easily to exploit — or it might be the case in which attackers are targeting specific enterprises, in which they will be just taking the opportunities that they have against that particular enterprise.

Dave Bittner:

In terms of recommendations for folks — how to best use this report, how to look at this list of top 10 vulnerabilities — what would you recommend in terms of how people should approach it?

Adrian Porcescu:

I think that everything, first of all, should be starting from an internal perspective of the opportunities that a company is offering to external threats. So they should, at the beginning, start with a proper asset management inventory of all the assets that are involved in the business process, understand the most critical assets that they hold, and after that, of course, providing, assessing, and performing threat modeling against those assets. Understanding which one of them is most exposed, or which one of them being attacked might be determining a big impact for the company — then, that should be a starting point for assessing the priorities. Afterwards, of course, priorities could be influenced by the level of that particular exploit being used in the wild, or of course, the different other threats that are found in the context of that particular vulnerability or exploit.

For example, if a certain company has previously encountered or had incidents related to a specific malware, that means that particular threat is prevalent against their infrastructure or against their assets. So, a vulnerability that is being actively used for delivering the same malware, or the same category of malware, should be considered as a priority in patching. But as I said, everything should start, initially, with a bit of threat modeling. And of course, afterwards, understanding the threat landscaping which the business is running.

Dave Bittner:

In terms of the human factor here — if I’m trying to dial in how much I am defending myself using technology — how much am I defending myself using training and education? Do you have any insights there?

Adrian Porcescu:

I don’t have exact numbers or percentages on how much that actually can count, but like in every question of threat intelligence, it actually depends. If a company, for example, already has established threat modeling and established asset inventory, of course, that goes back to the training of the people that are defending that company and the operations in which they are involved. But, of course, understanding what kind of assets you are defending — that might start with applying some technologies to defend them, and then, of course, putting some operations around them — which of course, depends on the training of the people that are involved — in order to better structure and make the technologies work better for the purpose of defending those assets.

I think one of the most important aspects that we need to consider is that, if the practitioners — and this is quite a common practice, to rely only on a CVSS score — I think one of the most important ideas to mention here is that a CVSS score is the exploitability of a technology from the technological perspective. It doesn’t reflect exactly how much that vulnerability is being actively exploited in the wild. So, the main point of this is to make sure that the practitioners are not only relying on a CVSS score, but also on understanding their threat landscape and what is the actual behavior in real life around exploiting that vulnerability.

Dave Bittner:

Our thanks to Scott Donnelly and Adrian Porcescu for joining us.

You can find out more about the research we discussed today on the Recorded Future website. Head on over to go.recordedfuture.com/vulnerability. We hope you’ll check it out.

We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast team includes Coordinating Producer Amanda McKeon, Executive Producer Greg Barrette. The show is produced by Pratt Street Media, with Editor John Petrik, Executive Producer Peter Kilpe, and I’m Dave Bittner.

Thanks for listening.