US-CERT recently issued an alert regarding the 30 most prevalent vulnerabilities in targeted attacks that took place in 2014. Each of these vulnerabilities, when exploited, equals a compromised endpoint.
From this compromised endpoint the attacker will expand to other endpoints and servers in your network until it reaches its goal, possibly stealing the crown jewels it set out for.
The CERT list is a valuable source, reflecting the actual threat landscape. Security decision makers can derive important knowledge from reading between its lines:
The prevailing attack scenario is still a user browsing or opening an attachment. According to the CERT list, the only exceptions are one OpenSSL and four ColdFusion vulnerabilities. The following discussion does not relate to these vulnerabilities.
Memory corruption, logical and Java Vulnerabilities:
|CVE ID||Targeted Application||Vulnerability Type||Zero Day|
|CVE-2006-3227||Internet Explorer||Charset obfuscation|
|CVE-2008-2244||MS Word||Buffer overflow|
|CVE-2009-3129||MS Excel||Excel featherhead record|
|CVE-2009-3674||Internet Explorer||Uninitialized memory corruption|
|CVE-2009-3953||Adobe Reader\Acrobat||Array overflow|
|CVE-2010-0806||Internet Explorer||Use after free||yes|
|CVE-2010-3333||MS Office||Stack buffer overflow|
|CVE-2010-0188||Adobe Reader\Acrobat||Stack buffer overflow||yes|
|CVE-2010-2883||Adobe Reader\Acrobat||Stack buffer overflow||yes|
|CVE-2011-0101||MS Excel||Excel record parsing WriteAV|
|CVE-2011-0611||Adobe Flash Player||Object type confusion||yes|
|CVE-2012-0158||MSOffice DOC\RTF||Stack buffer overflow||yes|
|CVE-2012-1856||MS Office||Use after free|
|CVE-2012-4792||Internet Explorer||Use after free||yes|
|CVE-2012-1723||Oracle Java||Sandbox escape|
|CVE-2013-0074||MS Silverlight||Double Dereference|
|CVE-2013-1347||Internet Explorer||Use after free||yes|
|CVE-2013-2465||Oracle Java||Sandbox escape|
|CVE-2013-2729||Adobe Reader||Integer overflow|
|CVE-2014-0322||Internet Explorer||Use after free||yes|
|CVE-2014-1761||Word||Object Type confusion||yes|
|CVE-2014-1776||Internet Explorer||Use after free||yes|
The targeted applications are the most common ones. This comes as no surprise. The list is solely comprised of Internet Explorer, Silverlight MS Office, Oracle Java and Adobe Flash, Reader and Acrobat.
Vulnerabilities from 2012 and backwards comprise more than half of the list. This tells us more about victims rather attackers. Apparently non-patching is a common practice. Updating vulnerable software is not prioritized. This enables attackers to successfully leverage old vulnerabilities (dating back as far as 2006!) for their purpose.
Browser and attachment attacks are equally distributed. The distribution of these two main attack vectors is around 50/50 with slightly more browser exploits shown. Browser exploits are common in watering hole attacks and are typically integrated in exploit kits. Attachments on the other hand (Office, Adobe Reader etc.) are utilized in spear phishing attacks, targeting specific users. The nearly equal distribution implies that both vectors remain areas of concern..
Half of these vulnerabilities are zero days. One of the most pressing issues for current cybersecurity strategists is the correlation between sophistication and prevalence. The non -proportional zero day presence in the CERT list implies that today’s zero day is tomorrow’s common attack vector. Of course, there is a natural selection involved which determines which zero-days will spread and which will decline.
Most of the memory corruption vulnerabilities enable exploits to bypass DEP and ASLR. In recent years, Windows integrated exploit mitigations forced attackers to adjust how exploits are written. The CERT list suggests they have succeeded; ROP, for example is common to almost all exploits shown. This illustrates once more the ever changing nature of the cyber threat arena in which whenever a security measure is introduced, attackers reflect, learn, reshape and attack in alternative patterns.
Addressing the Security Gap
Palo Alto Networks Traps directly addresses the security gaps reflected in the CERT list.
Traps prevents exploitation in real time by mitigating the core techniques that are common to all exploits. Exploitations of the vulnerabilities on the CERT list are different from each other but all of them converge into a known pool of techniques. Traps proactively obstructs these techniques, providing protection without relying on signatures or prior knowledge.
Learn more about advanced endpoint protection here.