Past is prologue, wrote William Shakespeare in his play "The Tempest," meaning that the present can often be understood by what has come before. So it is with cybersecurity, and that idea underpins Trustwave’s "Decade Retrospective: The State of Vulnerabilities," which looks back over the last 10 years.
Threat actors frequently revisit well-known and previously patched vulnerabilities to take advantage of continuing poor cybersecurity hygiene. “If one does not know what has recently taken place, it leaves you vulnerable to another attack,” Trustwave said in its report, which identifies and examines the “watershed moments” that shaped cybersecurity between 2011 and 2021.
Against a backdrop of security incidents and vulnerabilities increasing in both volume and sophistication, here are Trustwave’s top 10 network vulnerabilities, in no particular order, that defined the decade and “won’t be forgotten.”
SolarWinds hack and FireEye breach
Detected: December 8, 2020 (FireEye)
Patched: December 13, 2020
Status: Active. The hackers planted a malicious backdoor update, dubbed SUNBURST, that reached about 18,000 customers, granting the attackers the ability to modify, steal and destroy data. Infected servers still exist, and attacks still take place because companies are unaware of dormant access paths set up before the patch was applied.
EternalBlue Exploit
Detected: April 14, 2017
Patched: March 14, 2017 (patched after the NSA alerted Microsoft)
Status: Active. Shodan, a popular search engine for Internet-connected devices, currently lists more than 7,500 vulnerable systems.
Heartbleed
Detected: March 21, 2014
Patched: April 7, 2014
Status: Active. Six years later, this vulnerability continues to be targeted by attackers due to the volume of unpatched public-facing servers.
Shellshock, Remote Code Execution in BASH
Detected: September 12, 2014
Patched: September 24, 2014
Status: Inactive. Last exploited in the Sea Turtle campaign, the vulnerability was considered even more severe than Heartbleed because it allowed an attacker to take complete control of a system without having a username and password.
Apache Struts Remote Command Injection & Equifax Breach
Detected: March 6, 2017
Patched: September 5, 2017
Status: Inactive. Shortly after it was disclosed, Apache issued emergency security patch S2-045 for the vulnerability. Months later, credit reporting giant Equifax announced that hackers had gained access to company data, potentially compromising sensitive information for 143 million people in the U.S., U.K. and Canada.
Chipocalypse, Speculative Execution Vulnerabilities Meltdown & Spectre
Status: Inactive (No exploit found in the wild). In early 2018, security researchers disclosed significant vulnerabilities in the CPUs that run most of the world’s computers. These flaws were dubbed Meltdown and Spectre and belong to a class of flaws called speculative execution vulnerabilities.
BlueKeep, Remote Desktop as an Access Vector
Detected: January 2018
Patched: April 2018
Status: Active. More than 30,000 vulnerable instances have been found. Since 2016, attackers have increasingly used the Remote Desktop Protocol (RDP) to target computers for compromise, exploiting vulnerable RDP sessions to steal personal data and login credentials and to install ransomware.
Drupalgeddon Series, CMS Vulnerabilities
Detected: January 2018
Status: Active. More than 2,000 vulnerable instances were found on Shodan.
Microsoft Windows OLE Vulnerability, Sandworm Exploit
Detected: September 3, 2014
Patched: October 15, 2014
Status: Inactive. The vulnerability existed in the way the OLE package manager downloaded and executed INF files. It reportedly had been in use since August 2013, distributed primarily through weaponized PowerPoint documents.
Ripple20 Vulnerabilities, Growing IoT landscape
Detected: June 16, 2020
Patched: March 3, 2020
Status: Active. The vulnerabilities were collectively named Ripple20 to illustrate the "ripple effect" these security defects will have on connected devices for years to come. When successfully exploited, they could let an attacker gain total control over an internal network device from outside the network perimeter, via the Internet-facing gateway.
The Relevance of Trustwave's Data
Trustwave’s report asks and answers three questions about why its data is “relevant”:
Q. Why are there so many vulnerable publicly exposed servers?
A. The lack of ability to track and log various services running on a network.
Q. Why aren’t patches being applied?
A. The difficulty of vouching for and applying patches to the organization’s assets without disrupting workflow.
Q. Why aren’t organizations working towards fixing their security flaws?
A. The slow reaction to discovered zero-days.
More zero-day attacks are in our future, Trustwave says, calling the coming period the Age of Zero Days. So far, organizations have lost some $6 trillion in damages from such incidents. As proofs of concept (PoCs) have become publicly available, major threat actors are hunting for and exploiting vulnerable instances.
Yet, all is not lost, Trustwave said:
“The addition of new approaches to security, improved firewall technology, sophisticated endpoint detection and response (EDR) systems and the implementation of AI shows how necessity breeds rapid innovation. Cybersecurity solutions have seen major progress over the years and are in great shape to face what is yet to come.”