Top Internationally Exploited Vulnerabilities and OSINT
An International View of Exploited Vulnerabilities
The Five Eyes (FVEY) is an intelligence alliance composed of Australia, Canada, New Zealand, the United Kingdom, and the United States. On November 12, 2024, the US Critical Infrastructure Security Agency (CISA) published an advisory titled “2023 Top Routinely Exploited Vulnerabilities,” co-authored by intelligence organizations in the FVEY countries. This advisory contains significant data and valuable recommendations.
This advisory is an excellent example of a narrative. It was written to be read and consumed by a specific audience: people working to defend networks, information systems, and information. In the upper right-hand corner of the first page are the words “TLP: CLEAR,” which signifies that this document is unclassified and can be distributed freely.
TLP:CLEAR is a Traffic Light Protocol (TLP) designation meaning that the information can be shared without restriction, as long as the co-authors’ copyright rules and public release procedures are followed. FIRST.ORG is an excellent reference that explains CISA’s use of the TLP and provides information and training about TLP in security operations.
Next, I looked at the sources of data presented in the advisory. CISA maintains the Known Exploited Vulnerabilities Catalog, a publicly available repository of disclosed vulnerabilities. The KEV catalog analysis and data come from sources such as:
CISA’s network and Internet scanning tools.
Open-source reporting from vendors, media, and government agencies.
Public sources such as ISAC and other forums.
Industry partners that identify and confirm vulnerabilities and exploits.
This advisory expands that analysis to include data from other English-speaking countries.
Looking at the outliers in the Top 15 data was interesting. The average CVSS for the 15 was 9.3, but two scores skewed that. The first two vulnerabilities provide a threat actor with unauthorized privileged access. The Microsoft Netlogon Elevation of Privilege Vulnerability (CVE-2020-1472), originally published on August 17, 2020, has a CVSS of 5.5 (medium severity). The 2020 initial release date and the current (temporal) CVSS made this an outlier.
Another outlier was Multiple Vulnerabilities in Cisco IOS XE Software Web UI Feature (CVE-2023-20273), published October 24, 2023, whose CVSS is 7.2 (high severity). From the KEV catalog entry for CVE-2023-20273: “When chained with CVE-2023-20198, the attacker can leverage the new local user to elevate privilege to root and write the implant to the file system.” This CVE was interesting both for its lower CVSS score and for its “chained” relationship with CVE-2023-20198, which did not appear in the advisory’s Top 15.
The other outlier is the infamous Apache Log4j2 vulnerability (CVE-2021-44228), published in 2021 with a CVSS of 10.0. Apache Log4j is an industrial-grade Java logging framework found in many Linux distributions. The flaw exists in the Apache Log4j logging library from version 2.0.0 up to, but not including, 2.15.0. A remote attacker who can control log messages or log message parameters can execute arbitrary code on the server using information from those log messages. Log4j became infamous because of reports that many servers remained unpatched long after patches were available, and because of recurrences: cases where a vulnerable copy was discovered to be present again after a later patch had been applied.
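The recurrence problem described above is a reason to re-scan after patching rather than trust a one-time fix. The following is an added example, not code from the post or from CISA or Apache: it checks log4j-core jar file names against the version range the post gives (2.0.0 up to, but not including, 2.15.0) and compares two scan snapshots to surface hosts that were clean and then regressed. The host names, paths and jar versions are constructed sample data.

```python
import re
from typing import Optional

# Affected range as stated in the post: 2.0.0 <= version < 2.15.0.
AFFECTED_MIN = (2, 0, 0)
FIXED_AT = (2, 15, 0)

# Matches names such as log4j-core-2.14.1.jar (an optional qualifier like -beta9 is tolerated).
JAR_RE = re.compile(r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?(?:-[\w.]+)?\.jar$")


def parse_log4j_core_version(jar_path: str) -> Optional[tuple]:
    """Return (major, minor, patch) parsed from a log4j-core jar path, or None if it is not one."""
    m = JAR_RE.search(jar_path)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(version: tuple) -> bool:
    """True when the version falls inside the affected range [AFFECTED_MIN, FIXED_AT)."""
    return AFFECTED_MIN <= version < FIXED_AT


def affected_hosts(scan: dict) -> set:
    """scan maps host -> list of jar paths found on it; returns hosts carrying an affected log4j-core."""
    hits = set()
    for host, jars in scan.items():
        for jar in jars:
            version = parse_log4j_core_version(jar)
            if version is not None and is_affected(version):
                hits.add(host)
    return hits


def regressions(previous_scan: dict, current_scan: dict) -> set:
    """Hosts that were clean in the previous scan but are affected now (the recurrence case)."""
    return affected_hosts(current_scan) - affected_hosts(previous_scan)


# Constructed sample inventories (hypothetical hosts and paths, not real data).
SCAN_WEEK1 = {
    "app-01": ["/opt/app/lib/log4j-core-2.14.1.jar"],           # affected
    "app-02": ["/opt/app/lib/log4j-core-2.16.0.jar"],           # clean
    "app-03": ["/opt/legacy/lib/log4j-1.2.17.jar"],             # Log4j 1.x: not a log4j-core 2.x jar
}
SCAN_WEEK2 = {
    "app-01": ["/opt/app/lib/log4j-core-2.17.1.jar"],           # patched
    "app-02": ["/opt/app/lib/log4j-core-2.16.0.jar",
               "/opt/app/vendor/log4j-core-2.13.3.jar"],        # regressed: a bundled copy reappeared
    "app-03": ["/opt/legacy/lib/log4j-1.2.17.jar"],
}

if __name__ == "__main__":
    print("week 1 affected:", sorted(affected_hosts(SCAN_WEEK1)))
    print("week 2 affected:", sorted(affected_hosts(SCAN_WEEK2)))
    print("regressed since week 1:", sorted(regressions(SCAN_WEEK1, SCAN_WEEK2)))
```

The check only inspects jar file names, so copies shaded into another jar or nested inside a WAR are not seen; treat it as a regression tripwire, not a complete inventory.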
I believe that this type of international reporting on threats is very important. The Internet is a global network. Potential targets for threat actors exist almost anywhere in the world. Are threat actors using targets in other countries to practice and perfect their threat craft?
References:
https://www.cisa.gov/sites/default/files/2024-11/aa24-317a-2023-top-routinely-exploited-vulnerabilities.pdf
https://www.cisa.gov/news-events/news/traffic-light-protocol-tlp-definitions-and-usage
https://www.first.org/tlp/
https://www.cisa.gov/known-exploited-vulnerabilities-catalog
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-1472
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z