Site icon Check Point Blog

Measuring the Global Impact of the NSA’s Top 25 Vulnerabilities Being Exploited In the Wild

Adi Ikan, Network Research & Protection Group Manager

On Tuesday October 20, 2020, the NSA published a detailed report informing the public of the top 25 vulnerabilities currently being leveraged and exploited by Chinese hacking groups. The list is mostly composed of high-profile vulnerabilities, such as SIGRed (CVE-2020-1350), BlueKeep (CVE-2019-0708) and CurveBall (CVE-2020-0601). Furthermore, the list encompasses a number of popular products and vendors, including Microsoft, Adobe, Citrix, and Atlassian. The majority of the vulnerabilities outlined by the report date from 2020, while the rest are from previous years.

Security researchers at Check Point can confirm that there are numerous attack attempts exploiting the vulnerabilities outlined in NSA’s reports, targeting victims from all over the world and across industries. Check Point’s assessment is based on ThreatCloud, a real-time threat intelligence derived from hundreds of millions of sensors worldwide.

The impact of such attacks can be severe, ranging from file disclosure to the execution of arbitrary commands on affected systems. Check Point provides comprehensive coverage to all of the 25 vulnerabilities listed in NSA’s report.

Figure 1: Amounts of attacks per country

A Wide Range of High Profile Vulnerabilities

The top 25 vulnerabilities outlined in NSA’s report are high profile, as they target popular products that would make for severe impact, if exploited. The most exploited vulnerabilities in the list are the following:

In addition, the majority of the vulnerabilities may have severe impact on the affected systems.

For example, attackers exploiting  SIGRed (CVE-2020-1350) would be able to take control on the affected system and conduct malicious activity, such as manipulate users’ emails and network traffic, disable services, and harvest users’ credentials. In another example, exploiting F5 BIG-IP Remote Code Execution (CVE-2020-5902) may enable attackers to compromise the affected systems and conduct activities such as creating or deleting files, manipulating sensitive data, and disabling services.

Massive Exploitation in the Wild

Check Point has prevented the exploitation of these vulnerabilities, nearly 3M attack attempts in the last year around many of these vulnerabilities. The vast majority are from the last 6 months (2.5M).

In fact, on average, those vulnerabilities were exploited 7 times more than other vulnerabilities in 2020.

There are also vulnerabilities in the list that may be easily exploitable, leveraging publicly available PoC’s (Proof of Concept). For example, Atlassian Confluence and Data Center Remote Code Execution (CVE-2019-3396) and Citrix Multiple Products Directory Traversal (CVE201919781) can be easily exploited by sending  simple requests to relevant systems with specific known structure and parameters, following the info and scripts available online.

Worldwide and Cross Industries Impact

The attacks exploiting those vulnerabilities targeted 161 countries worldwide. The most dominant ones were the US, Germany, UK, Indonesia and The Netherlands.

In addition, those attack targeted many industries. The most common ones were Government\Military, Retail\Wholesale, Manufacturing and Finance\Banking. For example, in the United States, almost 30% of the attacks targeted Government\Military victims, which is 31% more in comparison to the rest of the world.

 

 

Figure 2: Global distribution of affected industries

Security Tips to Keep Your Organization Safe

Exit mobile version