Juha-Matti Laurio
Labs / 05 May 2015

These 30 vulnerabilities are used to attack critical infrastructure

Juha-Matti Laurio
Information security authorities recently published a list of the most common vulnerabilities used in attacks against critical infrastructure organisations.
 
The list was published in the form of a warning by US-CERT, the national computer security incident response team for the United Stated States of America, see Top 30 Targeted High Risk Vulnerabilities. The list is based on an analysis made by Canada's Cyber Incident Response Centre, the CCIRC, and compiled in collaboration with partners in the UK, New Zealand and Canada as well the Australian Cyber Security Centre.
 
The list contains 30 vulnerabilities that involve products from the following software vendors:  Microsoft, Adobe, Oracle, OpenSSL.  Only high risk vulnerabilities are included.
 
The only one on the list that is purely a Windows vulnerability is one that affects OLE objects (Microsoft bulletin MS14-060, CVE-2014-4114). If you like to keep up with what's happening in cyber security, you may remember that it is a zero day vulnerability that was used in Sandworm attacks for months and SCADA systems were also targeted. Internet Explorer and Microsoft Office packages of varying ages are heavily featured on the list and these applications are prime targets for anyone wanting to access the internal network of a critical infrastructure organisation.
 
The list includes Adobe product vulnerabilities prior to the Adobe Reader security update that was released five years ago (Adobe Security Bulletin APSB10-02). A vulnerability (CVE-2010-2883) in Adobe Reader versions 9 and 8 was repaired the same year but had already been exploited before the release of the update.  Although the list includes a Flash vulnerability from October of last year, all other Flash vulnerabilities have been repaired more than four years ago.

Oracle made the list with JRE and Java Development Kit vulnerabilities that were patched with updates in 2012 and 2013 and JRE (Java Runtime Environment) vulnerablities. Of these, vulnerability CVE-2013-2465, involving a version of Java found on most standard work stations, has the highest possible score of 10.0 on the CVSS scale of severity.
 
That the OpenSSL library'sHeartbleed vulnerability is on the list is not surprising because of its widespread distribution. This report proves, however, that Heartbleed has been exploited in attacks targeting critical infrastructure in sample countries.
 
Updating internal networks
 
The fact that Heartbleed (CVE-2014-0160) is on this list, is a stark reminder that even in the world's leading nations the critical infrastructure systems still include targets that haven't been updated since the release of the Heartbleed fix in April of last year. 
 
A sample of the studied attacks leads me to understand that the vulnerabilities have been exploited in bundles. Once an attacker has penetrated the outer perimeter and entered the organisation's internal network, the fact that database servers and end user workstations have not been updated has made it possible to introduce malware into the organisation's network. 
 
Pull up your sleeves and get to work
 
The Alert recommends implementing these four mitigation strategies: 
  1. Use application whitelisting to help prevent malicious software and unapproved programs from running
  2. Patch applications such as Java, Flash, PDF viewers, web browsers and Microsoft Office
  3. Patch operating system vulnerabilities
  4. Restrict administrative privileges to operating systems and applications based on user duties
 
Points 2 and 3 are especially useful as they reduce the number of exploitable entry points available to an attacker. To prevent zero-day vulnerabilities from being exploited, it is a good idea to include a solution like the EMET utility in a Microsoft environment. 
 
The Alert notes the following about patching these 30 vulnerabilities:
 
Executives should ensure their organisation's information security professionals have patched the following software vulnerabilities. 
 
Executives should ensure their organisation's information security professionals have patched the following software vulnerabilities. A vulnerability management service is a great tool for this purpose.