Measuring the Global Impact of the NSA’s Top 25 Vulnerabilities Being Exploited In the Wild

Adi Ikan, Network Research & Protection Group Manager

On Tuesday October 20, 2020, the NSA published a detailed report informing the public of the top 25 vulnerabilities currently being leveraged and exploited by Chinese hacking groups. The list is mostly composed of high-profile vulnerabilities, such as SIGRed (CVE-2020-1350), BlueKeep (CVE-2019-0708) and CurveBall (CVE-2020-0601). Furthermore, the list encompasses a number of popular products and vendors, including Microsoft, Adobe, Citrix, and Atlassian. The majority of the vulnerabilities outlined by the report date from 2020, while the rest are from previous years.

Security researchers at Check Point can confirm that there are numerous attack attempts exploiting the vulnerabilities outlined in NSA’s reports, targeting victims from all over the world and across industries. Check Point’s assessment is based on ThreatCloud, a real-time threat intelligence derived from hundreds of millions of sensors worldwide.

The impact of such attacks can be severe, ranging from file disclosure to the execution of arbitrary commands on affected systems. Check Point provides comprehensive coverage to all of the 25 vulnerabilities listed in NSA’s report.

Figure 1: Amounts of attacks per country

A Wide Range of High Profile Vulnerabilities

The top 25 vulnerabilities outlined in NSA’s report are high profile, as they target popular products that would make for severe impact, if exploited. The most exploited vulnerabilities in the list are the following:

  • Draytek Vigor Command Injection (CVE-2020-8515) – A critical vulnerability (CVSS base score of 9.8) in various versions of DrayTek Vigor, a series of VPN routers.
  • Microsoft Windows NTLM Authentication Bypass (CVE20191040) – A vulnerability (CVSS base score of 5.8) in various Microsoft Windows versions.
  • Citrix Multiple Products Directory Traversal (CVE201919781) – A critical vulnerability (CVSS base score of 9.8) in Citrix Application Delivery Controller (ADC) and Citrix Gateway
  • Pulse Connect Secure File Disclosure (CVE-2019-11510) – A critical vulnerability (CVSS base score of 10) in Pulse Connect Secure, the SSL VPN solution of Pulse Secure.
  • F5 BIG-IP Remote Code Execution (CVE20205902) – A critical vulnerability (CVSS base score of 9.8) in various versions of BIG-IP, popular F5 products.

In addition, the majority of the vulnerabilities may have severe impact on the affected systems.

For example, attackers exploiting  SIGRed (CVE-2020-1350) would be able to take control on the affected system and conduct malicious activity, such as manipulate users’ emails and network traffic, disable services, and harvest users’ credentials. In another example, exploiting F5 BIG-IP Remote Code Execution (CVE-2020-5902) may enable attackers to compromise the affected systems and conduct activities such as creating or deleting files, manipulating sensitive data, and disabling services.

Massive Exploitation in the Wild

Check Point has prevented the exploitation of these vulnerabilities, nearly 3M attack attempts in the last year around many of these vulnerabilities. The vast majority are from the last 6 months (2.5M).

In fact, on average, those vulnerabilities were exploited 7 times more than other vulnerabilities in 2020.

There are also vulnerabilities in the list that may be easily exploitable, leveraging publicly available PoC’s (Proof of Concept). For example, Atlassian Confluence and Data Center Remote Code Execution (CVE-2019-3396) and Citrix Multiple Products Directory Traversal (CVE201919781) can be easily exploited by sending  simple requests to relevant systems with specific known structure and parameters, following the info and scripts available online.

Worldwide and Cross Industries Impact

The attacks exploiting those vulnerabilities targeted 161 countries worldwide. The most dominant ones were the US, Germany, UK, Indonesia and The Netherlands.

In addition, those attack targeted many industries. The most common ones were Government\Military, Retail\Wholesale, Manufacturing and Finance\Banking. For example, in the United States, almost 30% of the attacks targeted Government\Military victims, which is 31% more in comparison to the rest of the world.



Figure 2: Global distribution of affected industries

Security Tips to Keep Your Organization Safe

  • We strongly recommend users to patch their servers in order to prevent the exploitation of such vulnerabilities.
  • Intrusion Prevention System (IPS) prevents attempts to exploit weaknesses in vulnerable systems or applications, protecting you in the race to exploit the latest breaking threat. Updated IPS helps your organization stay protected.
  • Endpoint protections: Conventional signature-based Anti-Virus is a highly efficient solution for preventing known attacks and should definitely be implemented in any organization, as it protects against a majority of the malware attacks that an organization faces. In addition,  comprehensive endpoint protection at the highest security level is crucial in order to avoid security breaches and data compromises