Analyzing the Vulnerabilities Associated with the Top Malware Strains of 2021
International cybersecurity agencies issue a joint alert outlining the top malware strains of 2021. We identified vulnerabilities associated with these strains.
Antecedentes
On August 4, the Cybersecurity and Infrastructure Security Agency (CISA) and the Australian Cyber Security Centre (ACSC) released a joint cybersecurity advisory regarding the top malware strains observed being exploited throughout 2021. According to this advisory, most of these top strains have been seen in use for over five years, through different variations and evolutions.
While malware is used for a variety of purposes, the government agencies point out that ransomware is a primary use case.
Análisis
Malware is most commonly distributed in phishing messages or malicious documents and websites; it often still relies on unpatched vulnerabilities to gain elevated privileges, move throughout target environments and execute code. We have analyzed reports on the malware strains to identify any vulnerabilities associated with them. This doesn’t represent an exhaustive list of vulnerabilities exploited by malware, but it is a helpful starting point for organizations to cut off attack paths for these most prevalent strains.
Based on this list, we have identified a few key themes regarding the vulnerabilities used in malware.
| CVE | Description | CVSSv3 | VPR* |
|---|---|---|---|
| CVE-2015-5122 | Adobe Flash Player user-after-free | v2 10.0 | 9.7 |
| CVE-2016-0189 | Scripting Engine memory corruption | 7.5 | 9.8 |
| CVE-2016-4171 | Adobe Flash Player arbitrary code execution (apsa16-03) | 9.8 | 8.9 |
| CVE-2017-0144 | Windows SMB remote code execution (EternalBlue) | 8.1 | 9.6 |
| CVE-2017-0199 | Microsoft Office/WordPad remote code execution | 7.8 | 9.8 |
| CVE-2017-11882 | Microsoft Office memory corruption | 7.8 | 9.9 |
| CVE-2017-8570 | Microsoft Office remote code execution | 7.8 | 9.8 |
| CVE-2017-8750 | Microsoft Browser memory corruption | 7.5 | 8.9 |
| CVE-2017-8759 | .NET Framework remote code execution | 7.8 | 9.8 |
| CVE-2018-0798 | Microsoft Office memory corruption | 8.8 | 9.8 |
| CVE-2018-0802 | Microsoft Office memory corruption | 7.8 | 9.8 |
| CVE-2018-14847 | MikroTik RouterOS remote code execution | 9.1 | 8.8 |
| CVE-2020-0787 | Windows Background Intelligent Transfer Service elevation of privilege | 7.8 | 9.8 |
| CVE-2021-34527 | Windows Print Spooler remote code execution (PrintNightmare) | 8.8 | 9.8 |
| CVE-2021-40444 | Microsoft MSHTML remote code execution | 7.8 | 9.8 |
| CVE-2021-43890 | Windows AppX installer spoofing vulnerability | 7.1 | 9.2 |
| CVE-2022-30190 | Microsoft Windows Support Diagnostic Tool remote code execution (Follina) | 7.8 | 9.8 |
*Please note: Tenable’s Vulnerability Priority Rating (VPR) scores are calculated nightly. This blog post was published on August 4 and reflects VPR at that time.
Fuente: Tenable Research, August 2022
Notably, 14 of the 17 vulnerabilities identified are in Microsoft products. Nine of the flaws are code execution vulnerabilities and five are memory corruption. It is interesting to see that there is only one elevation of privilege flaw, given that vulnerability type’s utility to other threat actors.
CVE-2017-11882, a memory corruption remote code execution flaw in Microsoft Office, is an interesting case. From what we have seen, it is widely exploited by malware, including six of the 11 strains listed in this advisory and Emotet. In 2019, CVE-2017-11882 was identified as the most common delivery method for spreading malware by Cofense. It was also identified as a routinely exploited vulnerability in both 2020 and 2021 according to several government cybersecurity agencies.
We routinely see CVE-2017-11882 being used by various malware strains, including Trickbot and Qakbot, which are both first-stage malware components that download secondary and tertiary malware, which may include a variety of ransomware. Ultimately, vulnerabilities like CVE-2017-11882, CVE-2017-0199 and CVE-2021-40444 are just vehicles for threat actors to gain initial access into a targeted network.
Vulnerabilities used by ransomware affiliates and IABs
Several vulnerabilities connected to the joint alert have been utilized by key players in the ransomware ecosystem, including Initial Access Brokers (IABs) and ransomware affiliates. The flaws have also been used as part of first stage malware components to deploy ransomware.
The LockBit ransomware group and its affiliates have been seen using CVE-2020-0787, an elevation of privilege vulnerability in the Microsoft Windows Background Intelligent Transfer Service. CVE-2021-34527, an elevation of privilege vulnerability in the Windows Print Spooler service, referred to as PrintNightmare, has been utilized by several ransomware groups including Vice Society, Conti, Magniber and Black Basta. Elevation of privilege vulnerabilities are valuable tools as part of post-compromise activity, once an attacker has gained access to a vulnerable system with limited privileges.
CVE-2021-40444, a remote code execution vulnerability in Microsoft MSHTML, was used by EXOTIC LILY, an IAB that worked directly with the Conti ransomware group. IABs specialize in gaining initial access to an organization and selling access to a variety of threat actors, including ransomware affiliates or in rare instances, partnering directly with ransomware groups like Conti. We dive into the various players in our Ransomware Ecosystem report, which includes a broader list of known vulnerabilities leveraged by IABs, affiliates and ransomware groups.
Adoption of CVE-2022-30190, aka Follina
The majority of the vulnerabilities identified are at least two years old, which tracks with the “if it isn’t broken, don’t fix it” approach most attackers take in their toolsets. If seven-year-old vulnerabilities are still working, why would they adopt new ones?
One vulnerability that busts this trend is CVE-2022-30190, aka “Follina,” a zero day publicly disclosed in May of this year based on attacks in April. Its speedy adoption into malware (Qakbot and Remco specifically) shows the confounding nature of threat actors. They will rely on old faithful vulnerabilities like CVE-2017-11882, but they’ll also bring new flaws into their repertoire, especially when there is publicly available proof-of-concept code.
Top malware use top exploited vulnerabilities of 2021
In April, CISA, the National Security Agency, Federal Bureau of Investigation, ACSC, Canadian Centre for Cyber Security, New Zealand National Cyber Security Centre, and United Kingdom’s National Cyber Security Centre released an advisory listing the top routinely exploited vulnerabilities of 2021. The report highlighted 36 vulnerabilities frequently exploited by threat actors; four of those are also represented in malware associated with this latest advisory — two of them were released after the relevant timeframe.
Two of the vulnerabilities that appear on both lists, CVE-2021-34527 (PrintNightmare) and CVE-2021-40444, were also among the top five vulnerabilities of 2021 in Tenable’s Threat Landscape Retrospective. We have seen sustained exploitation of these flaws by diverse threat actors since their disclosure. The continued exploitation is troubling evidence that organizations are leaving these flaws unremediated, which is particularly concerning considering how many Print Spooler flaws Microsoft has patched in the intervening year since PrintNightmare.
When making prioritization decisions, it’s always valuable to consider multiple data points. While the majority of the vulnerabilities associated with this malware advisory may not have been the top exploited flaws in 2021, remediating them is still an important step to reducing risk. It’s about cutting down known paths of exploitation.
Identificación de los sistemas afectados
A list of Tenable plugins to identify these vulnerabilities can be found here. This link uses a search filter to ensure that all matching plugin coverage will appear for the vulnerabilities referenced in this post.
Obtenga más información
- Joint Cybersecurity Advisory A22-216A
- AA22-117A: 2021 Top Routinely Exploited Vulnerabilities
- Tenable’s Ransomware Ecosystem report
Únase al Equipo de respuesta de seguridad de Tenable en Tenable Community.
Obtenga más información sobre Tenable, la primera plataforma de Cyber Exposure para el control integral de la superficie de ataque moderna.
Obtenga una prueba gratuita de 30 días de Tenable.io Vulnerability Management.
Artículos relacionados
Cybersecurity Snapshot: CISA Says Midnight Blizzard Swiped U.S. Gov’t Emails During Microsoft Hack, Tells Fed Agencies To Take Immediate Action
April 12, 2024Check out CISA’s urgent call for federal agencies to protect themselves from Midnight Blizzard’s breach of Microsoft corporate emails. Plus, a new survey shows cybersecurity pros are guardedly optimistic about AI. Meanwhile, SANS pinpoints the four trends CISOs absolutely must focus on this year. And the NSA is sharing best practices for data security. And much more!
Cybersecurity Snapshot: New Guide Details How To Use AI Securely, as CERT Honcho Tells CISOs To Sharpen AI Security Skills Pronto
January 26, 2024Cyber agencies from multiple countries published a joint guide on using artificial intelligence safely. Meanwhile, CERT’s director says AI is the top skill for CISOs to have in 2024. Plus, the UK’s NCSC forecasts how AI will supercharge cyberattacks. And a global survey shows cyber pros weighing pros and cons of AI. And much more!
Cybersecurity Snapshot: Are SBOMs on Your Supply Chain Security Radar Screen? Check Out New Recommendations from CISA and NSA
November 17, 2023The SBOM concept is still half-baked, but CISA and NSA want to help change that with new best practices for software vendors, developers and buyers. Plus, there’s new guidance about the Royal ransomware gang – as ransomware attacks grow. In addition, Google highlights a new typosquatting trend impacting cloud storage. And much more!
CVE-2024-4040: CrushFTP Virtual File System (VFS) Sandbox Escape Vulnerability Exploited
April 23, 2024A zero-day vulnerability in CrushFTP was exploited in the wild against multiple U.S. entities prior to fixed versions becoming available as the vendor recommends customers upgrade as soon as possible.
Operational Technology in the DoD: Ensuring a Secure and Efficient Power Grid
April 19, 2024In an evolving threat landscape, the DoD must make sure that its mission-critical operations don’t experience power outages.
Cybersecurity Snapshot: Cyber Agencies Offer Secure AI Tips, while Stanford Issues In-Depth AI Trends Analysis, Including of AI Security
April 19, 2024Check out recommendations for securing AI systems from the Five Eyes cybersecurity agencies. Plus, Stanford University offers a comprehensive review of AI trends. Meanwhile, a new open-source tool aims to simplify SBOM usage. And don’t miss the latest CIS Benchmarks updates. And much more!
- Malware
- Vulnerability Management