Old vulnerabilities are still a big problem
A recently flagged phishing campaign aimed at delivering the Agent Tesla RAT to unsuspecting users takes advantage of old vulnerabilities in Microsoft Office that allow remote code execution.
“Despite fixes for CVE-2017-11882/CVE-2018-0802 being released by Microsoft in November, 2017 and January, 2018, this vulnerability remains popular amongst threat actors, suggesting there are still unpatched devices in the wild, even after over five years,” says Fortinet researcher Xiaopeng Zhang.
“We are observing and mitigating 3000 attacks per day, at the IPS level. The number of observed vulnerable devices is around 1300 per day.”
Patches are available, but…
On Monday, Qualys published its list of top 20 vulnerabilities exploited by malware, threat actors, and ransomware gangs. Some are very old and others newer, but the newest date back to two years ago.
CVE-2017-11882 tops the list, CVE-2018-0802 is number 16.
Other vulnerabilities on the list that affect specific Microsoft Office and Wordpad versions are CVE-2017-0199 and CVE-2017-8570, and listed vulnerabilities in other Microsoft offerings include:
- CVE-2012-0158 (in Windows Common Controls)
- CVE-2020-1472 (aka Zerologon, in Microsoft’s Netlogon Remote Protocol)
- CVE-2017-0144, CVE-2017-0145, CVE-2017-0143 (in Microsoft’s SMBv1 protocol)
- CVE-2021-34473, CVE-2021-34523, CVE-2021-31207 (collectively dubbed ProxyShell, affecting Microsoft Exchange Servers)
- CVE-2018-8174 (in Microsoft Windows’ VBScript Engine)
- CVE-2013-0074 (in Microsoft Silverlight)
- CVE-2021-26855 (a Microsoft Exchange Server authentication bypass flaw that’s part of the ProxyLogon exploit chain)
The rest affect a variety of other solutions:
- CVE-2012-1723 and CVE-2012-0507 (in Oracle’s Java Runtime Environment)
- CVE-2019-11510 (in the Pulse Connect Secure VPN solution)
- CVE-2021-44228 (in the Apache Log4j library)
- CVE-2014-6271 (aka Shellshock, affecting Linux Bash)
- CVE-2019-2725 (in Oracle WebLogic Server)
- CVE-2018-13379 (in Fortinet FortiGate)
- CVE-2021-26084 (in Atlassian Confluence Server)
All of these have patches (or micropatches) and some came be mitigated by switching off certain features/services. But attackers know and count on the fact that many systems remain unpatched for years and years.
It should go without saying that users – whether consumers or enterprises – should work on implementing available patches sooner rather than later.