Original Release Date: 5/26/2020
On May 12, the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI released Alert AA20-133A: Top 10 Routinely Exploited Vulnerabilities. Within the list of top 10 vulnerabilities exploited from 2016-2019 is CVE-2017-5638, an Apache Struts 2 vulnerability that was exploited in the Equifax breach disclosed in September 2017. Though this vulnerability was patched by Apache over three years ago, it is still often used by threat actors attempting to gain unauthorized access to a network. The above graph depicts unsuccessful attempts to exploit Garden State Network systems, targeting vulnerabilities in CISA's top 10 list. Threat actors’ continued attempts to exploit CVE-2017-5638, and many of the other vulnerabilities included in the list that date as far back as 2012, highlight that systems are being left unpatched against critical vulnerabilities for years. These unpatched systems leave networks at an increased risk of intrusion and compromise.
The NJCCIC recommends establishing a patch management plan that incorporates the timely updating of systems after appropriate testing, and that prioritizes patching of critical vulnerabilities and of vulnerabilities that are actively being exploited or for which proof-of-concept code is available.
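The prioritization the recommendation describes (actively exploited first, then public proof-of-concept, then CVSS severity, oldest exposure first within a tier, with a remediation window per tier) can be expressed as a small script. The following is an added example, not NJCCIC's or CISA's code; the inventory, the CVSS scores, the dates, the host counts and the per-tier windows are all constructed for illustration (only the CVE-2017-5638 identifier comes from the advisory), and a real deployment would feed it from a vulnerability scanner and a known-exploited-vulnerabilities list instead.

```python
"""Patch-prioritisation helper (added example; constructed data)."""
from dataclasses import dataclass
from datetime import date
from typing import Iterable, List

# Reference date for the worked example (the advisory's release date).
AS_OF = date(2020, 5, 26)

# Maximum days a finding in each tier may stay unpatched (assumed values).
SLA_DAYS = {0: 7, 1: 14, 2: 30, 3: 90, 4: 180}


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float            # base score; constructed, not authoritative
    published: date        # public disclosure date; used as exposure start
    exploited_in_wild: bool = False
    poc_public: bool = False
    hosts: int = 1         # affected hosts found by the scanner


def tier(f: Finding) -> int:
    """Map a finding to a priority tier; 0 is the most urgent.

    Order follows the advisory: active exploitation outranks a public
    proof of concept, which outranks raw severity.
    """
    if f.exploited_in_wild:
        return 0
    if f.poc_public:
        return 1
    if f.cvss >= 9.0:
        return 2
    if f.cvss >= 7.0:
        return 3
    return 4


def exposure_days(f: Finding, today: date) -> int:
    """Days the vulnerability has been publicly known (a proxy for time unpatched)."""
    return (today - f.published).days


def prioritize(findings: Iterable[Finding], today: date) -> List[Finding]:
    """Sort by tier, then longest exposure, then most affected hosts."""
    return sorted(
        findings,
        key=lambda f: (tier(f), -exposure_days(f, today), -f.hosts),
    )


def overdue(findings: Iterable[Finding], today: date) -> List[Finding]:
    """Findings whose exposure exceeds the remediation window for their tier."""
    return [
        f for f in prioritize(findings, today)
        if exposure_days(f, today) > SLA_DAYS[tier(f)]
    ]


# Constructed inventory. CVE-2017-5638 is the Struts 2 flaw named in the
# advisory; every other identifier and all numeric values are placeholders.
INVENTORY = [
    Finding("CVE-0000-3333", cvss=4.3, published=date(2020, 1, 1), hosts=12),
    Finding("CVE-0000-2222", cvss=7.5, published=date(2012, 5, 1), hosts=3),
    Finding("CVE-2017-5638", cvss=10.0, published=date(2017, 3, 6),
            exploited_in_wild=True, hosts=2),
    Finding("CVE-0000-1111", cvss=9.8, published=date(2019, 1, 1),
            poc_public=True, hosts=5),
]


if __name__ == "__main__":
    for f in prioritize(INVENTORY, AS_OF):
        flag = "OVERDUE" if f in overdue(INVENTORY, AS_OF) else "ok"
        print(f"tier {tier(f)}  {f.cve:15} exposed {exposure_days(f, AS_OF):5d}d "
              f"hosts={f.hosts:<3} {flag}")
```

Run as a script it prints the queue in patch order; the exploited Struts flaw lands at the top regardless of its position in the scanner output, and the 2012-era medium-severity finding is still flagged overdue because exposure time, not score alone, drives the window.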