Olivier Le Moal - stock.adobe.co
High-profile vulnerabilities in Citrix, Pulse Secure and Fortinet software were the most popular targets for attackers in 2020.
According to a report released by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), a remote code execution flaw in Citrix's Application Delivery Controller and Gateway products, CVE-2019-19781, was the top target for exploits in 2020, despite being fully patched more than a year ago. The study included figures gathered by CISA, the FBI, the Australian Cyber Security Centre and the U.K. National Cyber Security Centre.
The Citrix flaw, publicized at the turn of the 2020 year, enables intruders to gain remote code execution on vulnerable servers via a directory traversal flaw. CISA said that according to the figures it gathered, the bug was the single most common target for attackers. The report said known flaws remain the best source of open doors for criminals even as patches are rolled out.
One big factor in the 2020 trend appears to be remote work, as cybercriminals seized on flaws that were exposed by the need to accommodate employees dialing into the company network from home.
"Cyber actor exploitation of more recently disclosed software flaws in 2020 probably stems, in part, from the expansion of remote work options amid the COVID-19 pandemic," the CISA report said.
"The rapid shift and increased use of remote work options, such as virtual private networks (VPNs) and cloud-based environments, likely placed additional burden on cyber defenders struggling to maintain and keep pace with routine software patching," the report noted.
Second to the Citrix bug in terms of attacks was CVE-2019-11510, a file read vulnerability in Pulse Secure products, followed by CVE-2018-13379, a path traversal bug in Fortinet's FortiGate VPN, and CVE-2020-5902, a remote code execution flaw in F5 Network's BIG-IP devices.
All four vulnerabilities were exploited in extensive attacks and were included in several security advisories from vendors and government agencies. For example, a Fortinet bug became a cash cow for criminals in 2020 as the Cring ransomware group preyed on it in order to take servers hostage.
For once, Microsoft did not find itself the prime target for attacks, as it only placed sixth (CVE-2017-11882, remote code execution) on the CISA list of top targets. Microsoft usually finds itself atop these rankings due to the ubiquity of Windows OSes and popularity with vulnerability researchers.
Industry pundits don't expect this trend of Microsoft ranking outside the top three attack targets to last, however. Jon Oltsik, principal analyst at Enterprise Strategy Group, a division of TechTarget, said this was more a case of Citrix and Pulse being in the wrong place at the wrong time, snatching up dubious titles usually claimed in Redmond due to Microsoft's massive enterprise footprint.
"I would characterize this as a one-off situation," Oltsik told SearchSecurity. "Given Microsoft's market presence, it will make all top lists more often than not and I don't believe customers are doing anything better with Microsoft vulnerabilities as opposed to others."
CISA noted that Microsoft flaws are likely to continue to be the favorite targets of attackers, thanks to the sloppy patching habits of companies that neglect to address years-old vulnerabilities.
"Malicious cyber actors will most likely continue to use older known vulnerabilities, such as CVE-2017-11882 affecting Microsoft Office, as long as they remain effective and systems remain unpatched," CISA said.
"Adversaries' use of known vulnerabilities complicates attribution, reduces costs, and minimizes risk because they are not investing in developing a zero-day exploit for their exclusive use, which they risk losing if it becomes known," CISA reported.
CISA's report also listed the most targeted vulnerabilities in 2021 so far, which include the Microsoft Exchange zero-day vulnerabilities revealed earlier this year and a flaw in Accellion's File Transfer Appliance, commonly known as FTA.