What cybersecurity vulnerabilities new and old should organizations look out for this year? Let IBM X-Force be your guide to today’s top cybersecurity threats with this detailed report.

First, scanning for and exploiting vulnerabilities emerged as the top infection vector of 2020, according to the 2021 X-Force Threat Intelligence Index. In other words, attackers are finding that searching networks for unpatched issues or common vulnerabilities and exposures (CVEs) and exploiting those vulnerabilities has become the most common — and successful — method for gaining initial access to a network. In fact, this infection method has surpassed even phishing emails and appears to have largely displaced credential theft as the most reliable method for attackers to infiltrate a network.

The state of today’s cybersecurity vulnerabilities

One CVE, CVE-2019-19871 (a Citrix server path traversal flaw), was far and away the most exploited vulnerability in 2020, according to X-Force data. Despite the dominance of this relatively new vulnerability, the list of the 10 most exploited vulnerabilities of 2020 was dominated by older security issues, with just two out of the top 10 being discovered in 2020.

The number of new vulnerabilities identified each year has followed a general upward trend since 1988, with 17,992 new vulnerabilities identified in 2020, and culminating in a grand total of 180,171 vulnerabilities identified by the end of 2020.

As cybersecurity vulnerabilities from prior years continue to pose a threat for organizations that have not yet patched them, this cumulative effect of vulnerabilities is increasing attack opportunities for threat actors on a yearly basis.

Figure 1: Newly Identified and Cumulative Vulnerabilities Per Year, 1988-2020 (Source: X-Force Red)

For security defenders, the importance of quickly identifying and remediating vulnerabilities has never been greater. These gateways into a network must be closed quickly, methodically and effectively to prevent threat actors from maintaining this upper hand they appear to have gained throughout 2020.

Vulnerabilities that linger unpatched

Two examples of lingering issues that have impacted organizations in 2020 are CVE-2006-1547 and CVE-2012-0391, which are both Apache Struts vulnerabilities. These were third and fourth on our list of most exploited vulnerabilities in 2020.

Although these vulnerabilities have been known for 15 and nine years, respectively, and remedies have long since been available, too often they remain unpatched, and attackers are still attempting to exploit them in large numbers. As the number of new vulnerabilities continues to grow each year, options for attackers to exploit are increasing exponentially as some old vulnerabilities remain viable entry points.

Top 10 CVEs of 2020

IBM Security X-Force ranked the top 10 CVEs of 2020 based on how frequently threat actors exploited or attempted to exploit them. The ranking is based on both IBM X-Force incident response (IR) and IBM managed security services (MSS) data for 2020. According to our findings, attackers focused on common enterprise applications and open source frameworks that many businesses use within their networks.

• CVE-2019-19871: Citrix Application Delivery Controller (ADC)
• CVE-2018-20062: NoneCMS ThinkPHP Remote Code Execution
• CVE-2006-1547: ActionForm in Apache Software Foundation (SAF) Struts
• CVE-2012-0391: ExceptionDelegator component in Apache Struts
• CVE-2014-6271: GNU Bash Command Injection
• CVE-2019-0708: ‘Bluekeep’ Microsoft Remote Desktop Services Remote Code Execution
• CVE-2020-8515: Draytek Vigor Command Injection
• CVE-2018-13382 and CVE-2018-13379: Improper Authorization and Path Traversal in Fortinet FortiOS
• CVE-2018-11776: Apache Struts Remote Code Execution
• CVE-2020-5722: HTTP: Grandstream UCM6200 SQL Injection

Explore the top three CVEs in greater detail below:

1. CVE-2019-19871: Citrix application delivery controller

This CVE, disclosed in December 2019, applies to the Citrix ADC, Citrix Gateway and NetScaler Gateway. The vulnerability allows an attacker to perform arbitrary code execution on a Citrix server or download additional payloads, such as trojan backdoors allowing for command execution and brute-forcing passwords.

This vulnerability appeared multiple times in IBM’s incident response engagements, most notably in the first half of 2020. In fact, it alone accounted for 25% of all initial compromises X-Force saw in Q1 2020 and was part of a staggering 59% of all attacks X-Force remediated in January 2020. In fact, attackers exploited it 15 times more than any other used in X-Force incident response engagements, and IBM’s managed security services frequently observed alerts showing attackers were attempting to exploit this cybersecurity vulnerability.

2. CVE-2018-20062: NoneCMS ThinkPHP remote code execution

The second-most exploited CVE of 2020 was CVE-2018-20062, which allows attackers to execute arbitrary PHP code. X-Force threat intelligence analysts have observed that it has largely been used to target Internet of Things (IoT) devices. This coincides with a major uptick in attacks against IoT in 2020 as revealed in IBM network data. Exploitation of CVE-2018-20062 has been linked to the deployment of a wide variety of malware, including the SpeakUp backdoor, Mirai botnet and various cryptocurrency miners.

ThinkPHP is an open-source PHP framework, and while this cybersecurity vulnerability was patched on Dec. 8, 2018, with ThinkPHP versions 5.0.23 and 5.1.31, a proof-of-concept to exploit it was published on Dec. 11, 2018, and continues to attract attackers trying to leverage it. The difficulty of identifying and patching IoT devices may be contributing to their continued susceptibility to this vulnerability.

3. CVE-2006-1547: ActionForm in Apache Software Foundation (SAF) Struts

This vulnerability, first discovered 15 years ago in 2006, allows an attacker to cause a denial of service — including a crash of the Struts web application — or even gain access to confidential information. Apache Struts is an open source framework commonly used to create Java web applications. Attackers have recognized the opportunities presented by the widespread use of this framework and have capitalized on several Apache Struts vulnerabilities.

Increased use of this dated vulnerability highlights the importance of scanning web applications for unpatched vulnerabilities and paying close attention to older web apps built with outdated frameworks.

What about unknown vulnerabilities?

Vulnerabilities that have not yet been made publicly known — potentially exploitable through zero-day exploits — continue to pose a threat to enterprise networks. Penetration testing has the potential to unearth as-yet-unknown vulnerabilities. Yet, overall, X-Force is observing that known cybersecurity vulnerabilities — with known mitigation options — continue to pose the more significant threat to organizations, when compared to zero-day exploits.

While enterprises may not always be able to control the exploitation of unknown vulnerabilities on their network, they can take structured action against known vulnerabilities. The relative payoff from focusing effort in this area is likely to be high. Vulnerability management services that identify, prioritize and remediate existing vulnerabilities can assist organizations in enhancing the security of their most critical assets.

How do I protect against vulnerabilities in my network?

Vulnerability management can be complex. It requires decision making that accounts for asset and data classification, business objectives, risk, performance benchmarks and more. There is no one perfect solution that can be applied to every organization. Some networks have sensitive machines and infrastructure that require rigorous testing to ensure nothing will fail when an update or patch is applied. Other networks have equipment that, upon final analysis, is better off not receiving a particular patch even once it becomes available. The balance is always about risk, and that’s never a simple answer.

While there are numerous considerations in some cases, prioritizing vulnerabilities is important, and X-Force recommends using our top ten CVEs list to identify the vulnerabilities being most actively exploited by threat actors today, and prioritizing remediation of those vulnerabilities as applicable.

Several additional measures can assist your organization in implementing a robust patch management program:

• Know your network. Periodically take inventory of the equipment on your network, to include devices, operating systems, applications, versions, IP addresses, cloud assets, and who owns these systems. We recommend doing this on a quarterly basis.
• Identify the risk. Use vulnerability management tools and crown jewel analysis to identify which assets are classified as critical to your organization, and which vulnerabilities are most likely to affect those assets.
• Test patches before applying. Develop a test environment that can assist in identifying problems that may arise once a patch is deployed in your enterprise environment. Apply patches to an appropriate sample of test devices and assets.
• Deploy the patch. Roll the new patch out to your enterprise environment. Several vulnerability management tools can assist in automating this process. We recommend rolling out patches in batches, so you can identify and address any issues that the lab environment did not generate.

Learn more about the top attack vectors and attack types of 2020 with the X-Force Threat Intelligence Index.