Dashboard Toolbox - VM DASHBOARD: Top 10 Routinely Exploited Vulnerabilities | Alert (AA20-133A)

Document created by Felix Jimenez on May 14, 2020. Last modified by Felix Jimenez on May 15, 2020.
Version 4

This page contains template information for creating a Vulnerabilities Dashboard that leverages data from your Qualys Vulnerability Management / VMDR subscription.


Run the attached dashboard to see your exposure to the top 10 most exploited vulnerabilities by state, non-state, and unattributed cyber actors from 2016 to 2019.

Summary

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the broader U.S. Government issued a technical guidance alert advising IT security professionals at public and private sector organizations to place an increased priority on finding, analyzing their exposure to, and patching the most commonly known vulnerabilities exploited by sophisticated foreign cyber actors.

This alert provides details on vulnerabilities routinely exploited by foreign cyber actors as they continue to exploit publicly known and often dated software vulnerabilities against broadly vulnerable exposed targets, including public and private sector organizations. The exploitation of these vulnerabilities often requires fewer resources as compared with zero-day exploits for which no patches are available.

For indicators of compromise (IOCs) and additional guidance associated with the CVEs in this Alert, see each entry within the Mitigations section of the alert.


Click here for a PDF version of this report.

Technical Details

Top 10 Most Exploited Vulnerabilities 2016–2019

U.S. Government reporting has identified the top 10 most exploited vulnerabilities by state, nonstate, and unattributed cyber actors from 2016 to 2019 as follows: CVE-2017-11882, CVE-2017-0199, CVE-2017-5638, CVE-2012-0158, CVE-2019-0604, CVE-2017-0143, CVE-2018-4878, CVE-2017-8759, CVE-2015-1641, and CVE-2018-7600.

  • According to U.S. Government technical analysis, malicious cyber actors most often exploited vulnerabilities in Microsoft’s Object Linking and Embedding (OLE) technology. OLE allows documents to contain embedded content from other applications, such as spreadsheets. After OLE, the second-most-reported vulnerable technology was a widespread web framework known as Apache Struts.
  • Of the top 10, the three vulnerabilities used most frequently across state-sponsored cyber actors from China, Iran, North Korea, and Russia are CVE-2017-11882, CVE-2017-0199, and CVE-2012-0158. All three of these vulnerabilities are related to Microsoft’s OLE technology.
  • As of December 2019, Chinese state cyber actors were frequently exploiting the same vulnerability—CVE-2012-0158—that the U.S. Government publicly assessed in 2015 was the most used in their cyber operations. This trend suggests that organizations have not yet widely implemented patches for this vulnerability and that Chinese state cyber actors may continue to incorporate dated flaws into their operational tradecraft as long as they remain effective.
  • Deploying patches often requires IT security professionals to balance the need to mitigate vulnerabilities with the need for keeping systems running and ensuring installed patches are compatible with other software. This can require a significant investment of effort, particularly when mitigating multiple flaws at the same time.
  • A U.S. industry study released in early 2019 similarly discovered that the flaws malicious cyber actors exploited the most consistently were in Microsoft and Adobe Flash products, probably because of the widespread use of these technologies. Four of the industry study’s top 10 most exploited flaws also appear on this Alert’s list, highlighting how U.S. Government and private-sector data sources may complement each other to enhance security.
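The dashboard described on this page visualizes exposure to the ten CVEs listed above. The script below is an added example, not part of the original page and not Qualys code: it shows the same aggregation a dashboard widget performs, run over a small constructed detection export (host, CVE, status). It counts hosts with active detections per top-10 CVE, flags hosts carrying any of the three OLE-related CVEs the alert names as most used by state-sponsored actors, and lists top-10 CVEs with no detections at all, which is the check a practitioner wants before reading a zero on a widget as "not exposed" rather than "not scanned". The CSV layout and the placeholder CVE-0000-00000 are constructed for the example; they are not a real export format or a real CVE.

```python
"""Summarize exposure to the CISA AA20-133A top-10 CVEs over a constructed detection export."""
import csv
import io
from collections import defaultdict

# The ten CVEs exactly as listed in Alert AA20-133A.
TOP10_CVES = {
    "CVE-2017-11882", "CVE-2017-0199", "CVE-2017-5638", "CVE-2012-0158",
    "CVE-2019-0604", "CVE-2017-0143", "CVE-2018-4878", "CVE-2017-8759",
    "CVE-2015-1641", "CVE-2018-7600",
}

# The three OLE-related CVEs the alert singles out as most used by
# state-sponsored actors; hosts carrying any of them go to the front of the queue.
STATE_ACTOR_TOP3 = {"CVE-2017-11882", "CVE-2017-0199", "CVE-2012-0158"}

# Constructed sample export (NOT a real Qualys export format): host, cve, status.
# CVE-0000-00000 is a placeholder standing in for any CVE outside the top-10 list.
SAMPLE_EXPORT = """\
host,cve,status
ws-001,CVE-2017-11882,Active
ws-001,CVE-0000-00000,Active
ws-002,CVE-2012-0158,Active
ws-002,CVE-2017-0199,Fixed
srv-db-01,CVE-2018-7600,Active
srv-web-01,CVE-2017-5638,Active
srv-web-01,CVE-2017-5638,Active
ws-003,CVE-2019-0604,Fixed
"""


def parse_export(text):
    """Yield (host, cve, status) tuples from CSV text; CVE ids are normalized to upper case."""
    for row in csv.DictReader(io.StringIO(text)):
        yield row["host"].strip(), row["cve"].strip().upper(), row["status"].strip()


def summarize_exposure(text):
    """Aggregate active detections the way a top-10 exposure widget would.

    Returns a dict with:
      per_cve        - unique hosts with an active detection, per top-10 CVE
      exposed_hosts  - sorted hosts with at least one active top-10 detection
      priority_hosts - sorted hosts carrying any of the three state-actor CVEs
      not_detected   - sorted top-10 CVEs with no active detection in the export
    """
    hosts_by_cve = defaultdict(set)
    for host, cve, status in parse_export(text):
        # Only active findings count as exposure; "Fixed" rows are remediated.
        if status != "Active" or cve not in TOP10_CVES:
            continue
        hosts_by_cve[cve].add(host)  # a set, so duplicate rows count one host once

    exposed_hosts = set().union(*hosts_by_cve.values())
    priority_hosts = set().union(*(hosts_by_cve[c] for c in STATE_ACTOR_TOP3 if c in hosts_by_cve))
    return {
        "per_cve": {cve: len(hosts) for cve, hosts in hosts_by_cve.items()},
        "exposed_hosts": sorted(exposed_hosts),
        "priority_hosts": sorted(priority_hosts),
        "not_detected": sorted(TOP10_CVES - set(hosts_by_cve)),
    }


if __name__ == "__main__":
    summary = summarize_exposure(SAMPLE_EXPORT)
    print("Active hosts per top-10 CVE:")
    for cve, count in sorted(summary["per_cve"].items()):
        print(f"  {cve}: {count}")
    print("Exposed hosts:", ", ".join(summary["exposed_hosts"]))
    print("Priority (state-actor CVE) hosts:", ", ".join(summary["priority_hosts"]))
    print("Top-10 CVEs with no active detection:", ", ".join(summary["not_detected"]))
```

Counting unique hosts rather than raw detection rows matters because one host often carries the same CVE under several QIDs or ports; a row count would overstate exposure. The `not_detected` list is the caveat to carry into the dashboard: a CVE with zero detections should be cross-checked against scan coverage before it is reported as remediated.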


VM Dashboard Example:


IOC Dashboard and Search Example:

As shown in MAR-10238137-1.v2 (a CISA Malware Analysis Report), CVE-2017-8759 also has an IOC associated with it. On the Qualys cloud platform you can search for that IOC as well, so you can not only remediate the vulnerability before it is exploited but also confirm whether the IOC is already present in your environment.


Suggested additional widgets if you have an IOC:


Attached Files:

  • IOC-Malware-Hash-Widget.zip


IMPORTANT: Importing Dashboard and/or Widget JSON files - Enable historical data collection


When you export dashboard(s) and/or widget(s) that have "Enable historical data collection" turned on, and then import them later, you will have to manually turn "Enable historical data collection" back on after the import. This is by design: the action of turning on this feature starts the clock for data retention.


If you have any questions, please post them below, contact your TAM, or contact Support via the Technical Assistance Inquiry Form | Qualys, Inc.
