A recently published list of 25 Common Vulnerabilities and Exposures (CVEs) being actively exploited by state-sponsored advanced persistent threat (APT) actors originating in China has highlighted the importance of applying software updates and patches in a timely fashion.
The list was released by the US National Security Agency (NSA), and details vulnerabilities that can be used to gain initial access to victim networks through products that are directly reachable from the public internet, and then to wreak havoc once inside.
Many of them have been known for some time, reflecting a general preference among malicious actors to pick off low-hanging fruit through old, unpatched bugs.
“We hear loud and clear that it can be hard to prioritise patching and mitigation efforts,” said NSA director of cyber security, Anne Neuberger.
“We hope that by highlighting the vulnerabilities that China is actively using to compromise systems, cyber security professionals will gain actionable information to prioritise efforts and secure their systems.”
The 25 listed vulnerabilities are detailed in the NSA’s advisory, and include bugs in products from Cisco, Citrix, F5 Networks, Microsoft, MobileIron, Oracle, Pulse Secure and Symantec. Some of them have been known about for years, and many of them have already attracted widespread attention.
Chloé Messdaghi, vice-president of strategy at Point3 Security, said she had seen a substantial increase in malicious actors targeting such well-known CVEs in the past 12 months.
“They’re trying to collect intellectual property data. Chinese attackers could be nation state, could be a company or group of companies, or just a group of threat actors or an individual trying to get proprietary information to utilise and build competitive companies, in other words, to steal and use for their own gain,” she said.
“I’m glad that the NSA has issued this. Publishing this report reinforces the work that companies need to do to secure their intellectual property, and pushes them to make the patches and maintenance they need to do,” added Messdaghi.
Jamie Akhtar, CEO and co-founder of CyberSmart, said: “People have the impression that cyber crime is sophisticated and difficult to protect against. But as this news demonstrates, even highly professional criminals are often just exploiting known vulnerabilities that organisations and the public haven’t taken the time to address.
“Making sure software is up to date, and thus patches for known vulnerabilities are in place, is one of the five fundamental rules of cyber hygiene. The UK government has developed a scheme that covers these fundamentals to help all businesses and their staff understand and maintain basic security.”
Ciaran Byrne, head of platform operations at Edgescan, said the disclosure showed it was important to have procedures in place to update vulnerable software as soon as possible after fixes are released.
“Sometimes it is not always practical or possible to update software straight away as certain elements rely on a specific version or the update requires scheduling downtime; however, a plan and a timeline should be put in place,” he added.
During this process, he said, organisations first need to consider why the software can’t be patched right away, and ask whether it is so out of date that it needs to be replaced.
Second, businesses should ask what needs to be done to protect themselves while the software remains unpatched, such as adding firewall rules that allow access to the affected ports only from predefined IP addresses.
Finally, they should ask whether the residual risk is low enough to justify not patching: that is, establish whether sensitive information could be exposed or stolen, and whether the disclosed vulnerability could be leveraged by an attacker into a more serious incident.
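The compensating control described in the second step can be expressed as a firewall ruleset and checked before it goes live. The script below is an added example, not code from the article or from Edgescan: it renders an nftables ruleset that exposes a still-unpatched service’s ports only to predefined management source ranges, and it lets you test sample connections against the same policy first, so a typo in the allowlist does not silently open the port to everyone or lock out the administrators. The port numbers, table and chain names, and CIDR ranges are assumptions chosen for illustration.

```python
"""Compensating control for a service whose patch has to wait (added example;
assumed port numbers, nftables table/chain names and allowlist CIDRs)."""
import ipaddress

# Assumed: ports of an internet-facing management interface that cannot be
# patched immediately.
EXPOSED_PORTS = (443, 8443)
# Assumed allowlist of source ranges that may still reach those ports.
ALLOWED_SOURCES = ("203.0.113.0/24", "198.51.100.7")


def parse_sources(cidrs):
    """Validate allowlist entries as IPv4 networks.

    strict=True rejects entries with host bits set (e.g. 203.0.113.5/24), which
    is almost always a typo that would widen or narrow the exposure by accident.
    """
    nets = []
    for entry in cidrs:
        net = ipaddress.ip_network(entry, strict=True)  # ValueError on bad input
        if net.version != 4:
            raise ValueError(f"IPv4 only in this example: {entry}")
        nets.append(net)
    return nets


def is_allowed(src_ip, dst_port, ports=EXPOSED_PORTS, sources=ALLOWED_SOURCES):
    """Decide a (source IP, destination port) pair under the intended policy.

    Returns True/False for an exposed port, or None when the port is not one
    the ruleset touches (the host's normal firewall policy applies instead).
    """
    if dst_port not in ports:
        return None
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in parse_sources(sources))


def render_nft(ports=EXPOSED_PORTS, sources=ALLOWED_SOURCES,
               table="unpatched", chain="restrict"):
    """Render an nftables ruleset encoding the same policy as is_allowed().

    The chain hooks input at priority -10 so it runs before a typical filter
    chain at priority 0; allowlisted sources are accepted, every other source
    is counted and dropped, and only the listed ports are affected.
    """
    nets = parse_sources(sources)
    port_set = ", ".join(str(p) for p in sorted(ports))
    src_set = ", ".join(str(n) for n in nets)
    lines = [
        f"table inet {table} {{",
        f"  chain {chain} {{",
        "    type filter hook input priority -10; policy accept;",
        f"    tcp dport {{ {port_set} }} ip saddr {{ {src_set} }} accept",
        f"    tcp dport {{ {port_set} }} counter drop",
        "  }",
        "}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample connections: an admin, an outsider, and unrelated SSH.
    for src, port in (("203.0.113.20", 443), ("192.0.2.9", 8443), ("192.0.2.9", 22)):
        print(f"{src} -> {port}: {is_allowed(src, port)}")
    print(render_nft())
```

Run the script, review the decisions it prints for a few known-good and known-bad sources, then write the rendered ruleset to a file and load it with `nft -f`. The ruleset is a stop-gap for the window between disclosure and patching, not a replacement for the update.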