5 Common Business Cybersecurity Vulnerabilities (for the Techie)
The COVID-19 pandemic is widely known for pushing companies to adopt remote-friendly tools such as MS Teams or Zoom and cloud productivity suites like Office 365, and to lean on VPNs to extend office network resources to home workers. Unfortunately, these often hasty adoptions exposed many companies to cybersecurity vulnerabilities. One widely cited estimate puts the rise in cybercrime during the pandemic at 600%.
Things don't seem to be slowing down in 2022 either, and companies continue to increase their cybersecurity budgets. It has become even more imperative that businesses dedicate resources to identifying and mitigating new vulnerabilities.
The MITRE Corporation created and oversees the Common Vulnerabilities and Exposures (CVE) program, which assigns a unique identifier to each publicly disclosed vulnerability. Simply put, CVE entries are documented vulnerabilities that go into a large public catalogue so that everyone affected can refer to the same issue by the same name. IT vendors coordinate on these CVE identifiers to publish advisories and fixes so that issues are resolved quickly. In this article we cover five of the most commonly exploited CVEs that businesses should watch out for, along with tips on mitigating them.
1. Citrix ADC/Gateway – CVE-2019-19781
Citrix ADC, Citrix Gateway, and the older NetScaler Gateway are all affected by this vulnerability, which was publicly disclosed in December 2019. It is a directory traversal flaw in the appliance's web interface, and an unauthenticated remote attacker can use it to execute arbitrary code on the appliance or install other malware, such as trojan backdoors that allow command execution and password brute-forcing.
IBM's incident response teams encountered this vulnerability many times, most recently in the first part of 2020. In fact, it was exploited 15 times more often than any other vulnerability in X-Force incident response engagements, and IBM's managed security services routinely saw signals indicating that attackers were trying to exploit it. Citrix initially published configuration changes (a responder policy that blocks the traversal requests) to mitigate the issue on Citrix ADC and Citrix Gateway, and in January 2020 released fixed builds. The workaround should be treated as an interim measure: upgrading to a fixed build is the actual remedy.
2. NoneCMS ThinkPHP Remote Code Execution – CVE-2018-20062
CVE-2018-20062, which allows unauthenticated attackers to run arbitrary PHP code through a crafted request (the framework's routing did not properly validate the controller name supplied in the request), was the second most targeted vulnerability in 2020. It has primarily been used to attack Internet of Things (IoT) devices, according to X-Force threat intelligence experts.
IBM network data points to a significant increase in attacks against IoT devices in the coming years. CVE-2018-20062 has been connected to the distribution of a wide range of malware, including the SpeakUp backdoor, the Mirai botnet, and many cryptocurrency miners.
Although this vulnerability was fixed on December 8, 2018, in ThinkPHP versions 5.0.23 and 5.1.31, a proof-of-concept exploit was published on December 11, 2018, and it continues to draw the interest of attackers. The difficulty of inventorying and patching IoT devices is likely the main reason they remain vulnerable.
Upgrading to a fixed release of the framework (5.0.23 or later on the 5.0 branch, 5.1.31 or later on the 5.1 branch) is strongly recommended. Where a device cannot be patched, blocking or alerting on the exploit's request pattern at a proxy or WAF is the fallback.
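Both of the vulnerabilities above announce themselves in web server logs, so a practical first step is to look for them in the access logs you already collect. The following is an added example written for this article (it is not code from Citrix, ThinkPHP, IBM or Outsource IT): a small Go scanner that decodes each request target once and applies two substring rules, the "/vpns/" reached through "/../" condition that Citrix's published responder-policy mitigation keys on for CVE-2019-19781, and the "\think\" class plus "invokefunction" routing abuse of the public ThinkPHP proof of concept for CVE-2018-20062. The five log lines are constructed for the example, not captured traffic, and the rule names, the Finding type and the scanLog/classify functions are this example's own.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Constructed sample access-log lines in Combined Log Format. None of this is
// real traffic; the first three lines imitate the publicly reported request
// shapes, the last two are benign requests to the same paths.
var sampleLog = []string{
	`203.0.113.5 - - [10/Jan/2020:08:12:01 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 1242 "-" "curl/7.64.1"`,
	`203.0.113.5 - - [10/Jan/2020:08:12:03 +0000] "POST /vpn/%2e%2e/vpns/portal/scripts/newbm.pl HTTP/1.1" 200 0 "-" "python-requests/2.22.0"`,
	`198.51.100.7 - - [10/Jan/2020:09:00:14 +0000] "GET /index.php?s=index/%5Cthink%5Capp/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1 HTTP/1.1" 200 38211 "-" "Mozilla/5.0"`,
	`192.0.2.9 - - [10/Jan/2020:09:30:00 +0000] "GET /vpn/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"`,
	`192.0.2.9 - - [10/Jan/2020:09:31:00 +0000] "GET /index.php?s=index/user/login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"`,
}

// requestLine pulls the request target out of the quoted "METHOD target HTTP/x" field.
var requestLine = regexp.MustCompile(`"[A-Z]+ (\S+) HTTP/[0-9.]+"`)

// Finding records one suspicious request: its 1-based line number, the CVE the
// rule maps to, and the raw request target for the analyst to look at.
type Finding struct {
	Line   int
	Rule   string
	Target string
}

// classify percent-decodes the target once (attackers encode "../" and "\")
// and applies the two rules described in the lead-in. It returns the matching
// CVE identifier, or "" for a request that matches neither.
func classify(target string) string {
	decoded, err := url.PathUnescape(target)
	if err != nil {
		decoded = target // malformed escapes: fall back to the raw target
	}
	lower := strings.ToLower(decoded)
	// CVE-2019-19781: "/vpns/" entered through a "/../" traversal.
	if strings.Contains(lower, "/vpns/") && strings.Contains(lower, "/../") {
		return "CVE-2019-19781"
	}
	// CVE-2018-20062: a \think\ class and invokefunction in the routing parameter.
	if strings.Contains(lower, `\think\`) && strings.Contains(lower, "invokefunction") {
		return "CVE-2018-20062"
	}
	return ""
}

// scanLog runs classify over every line it can parse and returns the findings in order.
func scanLog(lines []string) []Finding {
	var findings []Finding
	for i, line := range lines {
		m := requestLine.FindStringSubmatch(line)
		if m == nil {
			continue // not an access-log line in the expected format
		}
		if rule := classify(m[1]); rule != "" {
			findings = append(findings, Finding{Line: i + 1, Rule: rule, Target: m[1]})
		}
	}
	return findings
}

func main() {
	for _, f := range scanLog(sampleLog) {
		fmt.Printf("line %d: %s  %s\n", f.Line, f.Rule, f.Target)
	}
}
```

Two caveats. The scanner decodes only once, so a double-encoded request ("%252e%252e") would slip past it; if the appliance or application decodes twice, decode twice here as well. And a reverse proxy in front of the Citrix appliance may normalize "/../" away before the request is logged, so run this against the logs of the device that actually processes the request.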
3. Apache Struts 1.2.7/1.2.8 Denial Of Service – CVE-2006-1547
Hackers can exploit this vulnerability, first reported in 2006, to cause a denial of service, such as crashing the Struts web application, or potentially to access sensitive information. The flaw is in how Struts' ActionForm handles multipart/form-data requests. Apache Struts is a widely used open-source framework for building Java web applications, and attackers have taken advantage of many Struts vulnerabilities over the years because of the framework's broad adoption.
The continued exploitation of this very old vulnerability makes it more vital than ever to check web applications for unpatched flaws, and to pay special attention to older applications built on obsolete frameworks. The fix for this vulnerability is to upgrade to Struts 1.2.9 or later, but note that the entire Struts 1 line has been end-of-life since 2013 and receives no security fixes, so applications still on it should be migrated rather than merely patched.
4. SMBGhost Vulnerability – CVE-2020-0796
CVE-2020-0796, commonly known as SMBGhost, is a flaw in the SMBv3.1.1 compression handling of Windows 10 versions 1903 and 1909 and the corresponding Windows Server releases, and it can be exploited in several ways. According to SophosLabs researchers, a network-based attack may compromise any Windows device that has file sharing enabled, whether that system is a regular desktop or a full file server.
Attackers can also set up a rogue file server, trick targets into connecting to it, and answer the connection request with a malicious message, turning the vulnerability around to attack the victim's SMB client.
Finally, an attacker who already has code execution on the target device can use the bug to elevate to SYSTEM privileges. SophosLabs researchers created a proof-of-concept for this local scenario but did not publish it. Other researchers wrote PoC code that causes a denial of service, and they said the flaw was easy to find even without the patch to diff against.
Lucas Georges of Synacktiv also published a detailed root-cause analysis. Public exploit code for both local privilege escalation and remote code execution followed within months of the disclosure, and with many unpatched hosts still exposed it remains a serious issue.
Microsoft fixed the issue out of band in March 2020 (KB4551762), and installing that update is the real remedy. Where it cannot be applied immediately, Microsoft's advisory offers a workaround: set the DisableCompression registry value (DWORD 1) under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters, which can be done with a single PowerShell Set-ItemProperty command and takes effect without a reboot. Note that this only protects the SMB server side; it does not protect an SMB client from a malicious server, so blocking TCP port 445 at the perimeter should be added to limit exposure until the update is in place.
5. Netlogon Elevation of Privilege Vulnerability – CVE-2020-1472
CVE-2020-1472 (also known as Zerologon) affects all supported Windows Server versions, and it is particularly dangerous for servers that act as Active Directory (AD) domain controllers. The vulnerability is a flaw in the cryptographic authentication scheme of the Netlogon Remote Protocol (MS-NRPC): the AES-CFB8 mode used to compute authentication credentials is applied with a fixed all-zero initialization vector.
Because of that zero IV, if an attacker sends an all-zero client challenge, the credential the server computes is also all zeros for about one in 256 session keys. An attacker who keeps sending zero-filled Netlogon authentication messages is therefore accepted after a few hundred attempts on average, without knowing the machine account's secret. The same trick then lets the attacker call the password-change operation and set the domain controller's own machine account password (the one stored in AD) to empty. From there the attacker can replicate domain admin credentials out of AD (a DCSync-style operation) and finally restore the original DC password so that nothing visibly breaks.
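The one-in-256 figure is not a statistical accident; it follows directly from how CFB8 works with a zero IV. The following is an added example written for this article (it is not Microsoft's, Secura's or Outsource IT's code) that reimplements AES-CFB8 byte by byte, applies it the way Netlogon's credential computation does, and shows that an all-zero challenge yields an all-zero credential exactly when the first byte of AES(key, zero block) is zero. The session keys are constructed from a counter with SHA-256 purely so the run is deterministic; a real session key is derived from the challenge exchange and the machine account secret, and the function names (computeNetlogonCredential, countZeroCredentials, firstKeystreamByteIsZero) are this example's own. No network traffic is involved.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/sha256"
	"fmt"
)

// cfb8Encrypt is AES-CFB8 with a caller-supplied IV, written out byte by byte:
// the keystream byte is the first byte of AES_k(register); the register then
// shifts left one byte and the new ciphertext byte is appended on the right.
func cfb8Encrypt(key, iv, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	reg := make([]byte, aes.BlockSize)
	copy(reg, iv)
	keystream := make([]byte, aes.BlockSize)
	out := make([]byte, len(plaintext))
	for i, p := range plaintext {
		block.Encrypt(keystream, reg)
		c := p ^ keystream[0]
		out[i] = c
		copy(reg, reg[1:]) // shift the register left by one byte
		reg[aes.BlockSize-1] = c
	}
	return out
}

// computeNetlogonCredential mirrors the AES variant of Netlogon's credential
// computation: an 8-byte challenge encrypted under the 128-bit session key with
// AES-CFB8 and a fixed all-zero IV. The fixed IV is the defect.
func computeNetlogonCredential(sessionKey, challenge []byte) []byte {
	return cfb8Encrypt(sessionKey, make([]byte, aes.BlockSize), challenge)
}

func allZero(b []byte) bool {
	return bytes.Equal(b, make([]byte, len(b)))
}

// firstKeystreamByteIsZero is the single condition the attack hinges on: with a
// zero IV and zero plaintext, the register never changes, so if the first byte
// of AES_k(0^16) is 0x00 then every credential byte is 0x00, and otherwise the
// very first byte is already non-zero.
func firstKeystreamByteIsZero(sessionKey []byte) bool {
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		panic(err)
	}
	ks := make([]byte, aes.BlockSize)
	block.Encrypt(ks, make([]byte, aes.BlockSize))
	return ks[0] == 0
}

// sessionKey derives a constructed 128-bit key for trial i. The attacker never
// knows the real key, which is why every attempt is a fresh 1-in-256 lottery.
func sessionKey(i int) []byte {
	sum := sha256.Sum256([]byte(fmt.Sprintf("constructed-session-key-%d", i)))
	return sum[:16]
}

// countZeroCredentials simulates n authentication attempts that each send an
// all-zero client challenge and an all-zero client credential, and counts how
// many a server would accept because its own computation also yields zeros.
func countZeroCredentials(n int) int {
	challenge := make([]byte, 8)
	hits := 0
	for i := 0; i < n; i++ {
		if allZero(computeNetlogonCredential(sessionKey(i), challenge)) {
			hits++
		}
	}
	return hits
}

func main() {
	const trials = 8192
	hits := countZeroCredentials(trials)
	fmt.Printf("%d of %d zero-challenge attempts give an all-zero credential (about %d expected)\n",
		hits, trials, trials/256)
	// With a non-zero challenge the register changes after the first byte and
	// the shortcut disappears; the credential looks like ordinary ciphertext.
	fmt.Printf("non-zero challenge, key 0: %x\n",
		computeNetlogonCredential(sessionKey(0), []byte{1, 2, 3, 4, 5, 6, 7, 8}))
}
```

The point for defenders is that the server cannot tell a lucky guess from a legitimate client, which is why the fix had to change the protocol (secure RPC enforced on the Netlogon channel) rather than the key length or the cipher.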
This exploit has a significant impact: it enables an attacker on the local network, such as a rogue insider or someone who has just plugged a device into an on-premises network socket, to completely compromise the Windows domain. The attack is totally unauthenticated: the attacker needs no credentials from the victim.
Organizations whose backups are reachable from the domain face a nightmare scenario if a ransomware crew that controls the domain destroys the backups first to boost its chances of payment. Microsoft's fix was released on August 11, 2020, and must be installed on all domain controllers; it protects Windows-based machine accounts, trust accounts, and domain controller accounts. The rollout was in two phases: after the update, domain controllers log events 5827 through 5831 in the System log for devices still using vulnerable Netlogon connections, and the enforcement phase that began on February 9, 2021, rejects such connections outright. Review those events so that legitimate non-Windows devices are fixed or explicitly allowed rather than silently cut off.
Cybersecurity Vulnerability Assessment
Vulnerability assessments aren't the be-all and end-all of an organization's cybersecurity, but they are an important tool for mitigating cyberattacks and exposing IT security flaws before they are exploited. No business IT security plan should exclude them, especially in these times when the risk environment changes so rapidly. Furthermore, new safeguards should be implemented as needed to deal with unanticipated threats or configuration issues that might put the company at risk.
Outsource IT provides reliable business IT security services, including regular vulnerability assessments to identify and fix IT security vulnerabilities. To learn more, contact an Outsource IT account manager today.