A brand-new IBM Security «X-Force Threat Intelligence Index» report was published today and reveals some very old Microsoft vulnerabilities are still causing very real problems.
There was some good news to be found within the pages of the latest threat intelligence report from the IBM Security X-Force. Namely that phishing was used as a successful initial infection vector in just 31% of incidents analyzed. That is compared to half in the previous year. While it would be nice to lay this firmly at the feet of cyber-awareness initiatives working as they should, I’m afraid that’s not the case. Indeed, the bitter pill you need to swallow when reading the report is that twice as many initial infections (60%) of victim networks used either stolen credential reuse or known software vulnerabilities. Although deception certainly isn’t dead, cybercriminals aren’t exactly known for their work ethic: the simplest way to nefarious profit will always be route one. Increasingly, IBM’s X-Force report suggests, previously disclosed vulnerabilities are a contributing factor. With more than 150,000 vulnerabilities disclosed to date, the researchers found that vulnerability scanning and exploitation resulted in 8% of incidents during 2018, rising to 30% in 2019. But that’s not the real shocker: older, already well-known, vulnerabilities in Microsoft Office and Windows Server Message Block accounted for «high rates of exploitation» in 2019.
90% of one threat vector driven by just two old Microsoft vulnerabilities
So, just how old is «old» in the context of these Microsoft vulnerabilities? Well, the IBM X-Force analysis of global spam activity, often used as part of the attack chain, found that just two patched vulnerabilities accounted for nearly 90% of those that threat actors attempted to exploit via these campaigns. CVE-2017-0199, a Microsoft Word exploit, dates back to November 2016 as far as exploits are concerned, with a Microsoft patch available from April 2017. That’s pretty old, huh? Not as old as the other vulnerability, CVE-2017-11882, a memory corruption issue in Microsoft Office that apparently has roots that can be traced back nearly twenty years.
«While sophisticated adversaries may develop zero-day exploits,» the report states, «relying on known exploits occurs more frequently as such exploits allow adversaries to gain an initial foothold without having to expend resources to craft new tactics, techniques and procedures (TTPs), saving their best weapons for the most heavily defended networks.» You only have to look to the WannaCry infection, MS17-010, instances of which are still being seen more than two years after the patch became available.
To patch or not to patch? That is the question
This leads to the question of whether it’s a won’t patch or can’t patch situation that is the problem here. I put that precise question, as well as one asking what it will take to burst the unpatched old vulnerabilities bubble, to members of the Beer Farmers https://twitter.com/TheBeerFarmers information security collective.
Sean Wright, OWASP Scotland chapter leader, agrees with the X-Force report conclusion attackers tend to focus on known vulnerabilities. «A saying comes to mind from the attacker’s perspective, namely if it ain’t broke don’t fix it,» Wright says, «if old exploits work, then attackers don’t need to invest additional time and resources to create something new.» Application security specialist, Mike Thompson, tells me that he «knows for a fact,» that many hospitals are still running equipment using Windows XP, for example. «Why use a fresh exploit,» Thompson says, «when there’s still an unhealthy footprint like that kicking around?»
Within the SME space, there are plenty such cases of legacy applications integrating with old versions of Microsoft Office, says Ian Thornton-Trump, CISO at threat intelligence company Cyjax. «You think that an integrated app could support the latest versions of Office?» he says, «not a chance.» Many of the line of business client-server apps found in professional services firms date back to the early 2000s, meaning that «patching them may put at risk a critical billing, ERP, CRM or record system,» according to Thornton-Trump. «The business probably has looked at upgrading that legacy app and balked or rejected the upgrade cost outright,» he says, «that’s the primary reason I believe so much old on-premises SQL, SharePoint, and Exchange is still out there. If it works and makes money for the firm, why upgrade it?»
So how can this problem ever be resolved? «The biggest improvement to technical security an organization can make is to remove technological debt for hardware and software,» Thornton-Trump concludes. I won’t repeat just how easy it is to discover the system admin password for a SQL database using many apps from 15 years ago, with the method that Thornton-Trump showed me, but he’s certainly not the only one to know it works…