
Emerging Threats

The most trending vulnerabilities among Cybercriminals

· frtg · 4 min read

Cyber-criminals exploit software and infrastructure vulnerabilities to obtain initial access, escalate privileges, or move laterally within target environments. Identifying and remediating critical vulnerabilities is therefore a high-priority activity: it directly constrains how far an adversary can move once inside a compromised environment.

Applying security updates reduces exposure to attack, but it is not sufficient on its own. Threat actors frequently abuse logic flaws and misconfigurations to traverse infrastructure without relying on exploits or known vulnerabilities at all. Detecting that kind of lateral movement requires dedicated security monitoring, malware analysis, and threat hunting.

Based on published analysis, the vulnerabilities below are among those most frequently exploited by threat actors.

Many of these CVEs are old; patches addressing them have been available for extended periods, yet unpatched systems remain common enough that the exploits keep paying off. Threat intelligence analysis of underground forums also shows that the most discussed CVEs vary with the language of the forum: Russian-language forums prioritize CVE-2019-19781; Chinese-language forums focus on CVE-2020-0796; English-language forums discuss CVE-2019-19781 and CVE-2020-0688; Turkish-language forums emphasize CVE-2019-6340.

CVE-2020-1472

This is an elevation-of-privilege vulnerability in the Netlogon Remote Protocol (MS-NRPC), triggered when an attacker establishes a vulnerable Netlogon secure channel to a domain controller. The root cause is cryptographic: the AES-CFB8 variant of the Netlogon credential computation uses a fixed all-zero initialization vector, so for roughly one session key in 256 an all-zero client challenge produces an all-zero client credential. An unauthenticated attacker with network access to MS-NRPC on a domain controller can therefore spoof the authentication handshake in a small number of attempts, reset the domain controller's machine account password, and from there take over the domain. Exploitation requires nothing more than network reachability of the domain controller; no credentials and no user interaction are needed.
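The following is an added example, not code from the original post or from Microsoft or Secura, that models the flaw described above: it implements generic CFB8 mode over a stand-in block cipher (a keyed SHA-256 construction used so the example needs no crypto library; real Netlogon uses AES-128), fixes the IV to zeros as MS-NRPC does, and measures how often an all-zero ClientChallenge yields an all-zero ClientCredential. The session keys are derived deterministically for the simulation and are not real Netlogon keys.

```python
import hashlib

ZERO_IV = b"\x00" * 16          # MS-NRPC hard-codes this IV for the AES-CFB8 variant
ZERO_CHALLENGE = b"\x00" * 8    # the all-zero ClientChallenge a Zerologon attacker sends


def stand_in_block_cipher(key: bytes):
    """Return a keyed 16-byte 'block encrypt' function.

    Stand-in built from SHA-256 so the example needs no crypto library;
    Netlogon itself uses AES-128. The CFB8 zero-IV property shown below
    holds for any block cipher, so the stand-in does not change the lesson.
    """
    def encrypt_block(block: bytes) -> bytes:
        assert len(block) == 16
        return hashlib.sha256(key + block).digest()[:16]
    return encrypt_block


def cfb8_encrypt(encrypt_block, iv: bytes, plaintext: bytes) -> bytes:
    """Generic CFB8: encrypt the 16-byte shift register, XOR its first output
    byte with one plaintext byte, then shift the resulting ciphertext byte in."""
    shift_register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        keystream_byte = encrypt_block(bytes(shift_register))[0]
        c = keystream_byte ^ p
        out.append(c)
        shift_register = shift_register[1:] + bytes([c])
    return bytes(out)


def compute_netlogon_credential(session_key: bytes, challenge: bytes) -> bytes:
    """Model of ComputeNetlogonCredential (AES variant) with the fixed zero IV."""
    return cfb8_encrypt(stand_in_block_cipher(session_key), ZERO_IV, challenge)


def first_keystream_byte_is_zero(session_key: bytes) -> bool:
    """True when E_k(0^16)[0] == 0, which happens for about 1 key in 256."""
    return stand_in_block_cipher(session_key)(ZERO_IV)[0] == 0


def zero_challenge_yields_zero_credential(session_key: bytes) -> bool:
    """Zero IV + zero challenge: once the first ciphertext byte is zero the
    shift register never changes, so every following byte is zero as well.
    This is exactly equivalent to first_keystream_byte_is_zero()."""
    return compute_netlogon_credential(session_key, ZERO_CHALLENGE) == b"\x00" * 8


def derive_session_key(seed: int, index: int) -> bytes:
    """Deterministic session keys for the simulation (constructed, not real keys)."""
    material = b"zerologon-demo" + seed.to_bytes(4, "big") + index.to_bytes(4, "big")
    return hashlib.sha256(material).digest()


def estimate_success_rate(trials: int, seed: int = 0) -> float:
    """Fraction of session keys for which the attacker's all-zero credential is
    accepted, i.e. the per-attempt success probability of the spoofed handshake."""
    hits = sum(zero_challenge_yields_zero_credential(derive_session_key(seed, i))
               for i in range(trials))
    return hits / trials


if __name__ == "__main__":
    rate = estimate_success_rate(20000)
    print(f"spoof accepted for {rate:.4%} of keys (expected about 1/256 = 0.39%)")
```

The equivalence between "first keystream byte is zero" and "whole credential is zero" is the whole attack: an attacker who cannot know the session key simply retries until the 1-in-256 event occurs, which takes a few hundred attempts at most.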

CVE-2020-0796

This remote code execution vulnerability stems from improper handling of compressed messages by SMBv3 (Microsoft Server Message Block 3.1.1). The compression transform header carries a 32-bit OriginalCompressedSegmentSize field; the unpatched server derived the size of the decompression buffer from that value plus the data offset without checking the sum for overflow, so a crafted header produces an undersized kernel allocation and a heap overflow during decompression. An attacker who successfully exploits this vulnerability can execute code in the kernel on the target server or client. Only Windows 10 and Windows Server versions 1903 and 1909, which introduced SMB compression, are affected.

To exploit this vulnerability against a server, an unauthenticated attacker sends a specially crafted packet to a target SMBv3 server. To exploit it against a client, the attacker must host a malicious SMBv3 server and convince a user to connect to it.

The security update resolves the vulnerability by correcting how the SMBv3 protocol handles these specially crafted requests. Microsoft's interim workaround for servers was to disable SMBv3 compression (the DisableCompression registry value under the LanmanServer parameters), and blocking TCP port 445 at the perimeter prevents exploitation from the internet.
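To make the overflow concrete, here is an added example (not Microsoft's code, and not from the original post) that parses the SMB2 COMPRESSION_TRANSFORM_HEADER layout from MS-SMB2 and places the unchecked 32-bit size arithmetic next to a hardened version. The packet bytes are constructed in the block; the MAX_DECOMPRESSED_SIZE limit is an assumed value for this model, not the real server's.

```python
import struct

# SMB2 COMPRESSION_TRANSFORM_HEADER (MS-SMB2 section 2.2.42), little-endian:
#   ProtocolId 4 | OriginalCompressedSegmentSize 4 | CompressionAlgorithm 2 | Flags 2 | Offset 4
COMPRESSION_TRANSFORM_HEADER = struct.Struct("<4sIHHI")
COMPRESSION_PROTOCOL_ID = b"\xfcSMB"
LZNT1 = 0x0001
UINT32_MAX = 0xFFFFFFFF
MAX_DECOMPRESSED_SIZE = 1 << 20   # assumed sanity limit for this model, not Microsoft's value


def build_compression_header(original_size: int, offset: int,
                             algorithm: int = LZNT1, flags: int = 0) -> bytes:
    """Construct a transform header (used only to build sample packets here)."""
    return COMPRESSION_TRANSFORM_HEADER.pack(COMPRESSION_PROTOCOL_ID, original_size,
                                             algorithm, flags, offset)


def parse_compression_header(packet: bytes) -> dict:
    if len(packet) < COMPRESSION_TRANSFORM_HEADER.size:
        raise ValueError("packet shorter than a compression transform header")
    proto, original_size, algorithm, flags, offset = COMPRESSION_TRANSFORM_HEADER.unpack_from(packet)
    if proto != COMPRESSION_PROTOCOL_ID:
        raise ValueError("not an SMB2 compression transform header")
    return {"original_size": original_size, "algorithm": algorithm,
            "flags": flags, "offset": offset}


def vulnerable_alloc_size(original_size: int, offset: int) -> int:
    """Models the unpatched arithmetic: a 32-bit add with no overflow check.
    0xFFFFFFFF + 0x10 wraps to 0xF, so the kernel allocates 15 bytes and then
    decompresses far more than that into them."""
    return (original_size + offset) & UINT32_MAX


def hardened_alloc_size(original_size: int, offset: int) -> int:
    """Reject the header instead of trusting the wrapped sum."""
    total = original_size + offset   # Python ints do not wrap, so the overflow is visible
    if total > UINT32_MAX:
        raise ValueError("OriginalCompressedSegmentSize + Offset overflows 32 bits")
    if total > MAX_DECOMPRESSED_SIZE:
        raise ValueError("declared decompressed size exceeds the allowed maximum")
    return total


def is_suspicious_header(header: dict) -> bool:
    """Detection-side version of the same condition on a parsed header."""
    return (header["original_size"] + header["offset"] > UINT32_MAX
            or header["original_size"] > MAX_DECOMPRESSED_SIZE)


if __name__ == "__main__":
    # Constructed sample packets: one benign, one shaped like the overflow trigger.
    benign = parse_compression_header(build_compression_header(512, 0))
    crafted = parse_compression_header(build_compression_header(0xFFFFFFFF, 0x10))
    print("benign   alloc:", hex(vulnerable_alloc_size(benign["original_size"], benign["offset"])))
    print("crafted  alloc:", hex(vulnerable_alloc_size(crafted["original_size"], crafted["offset"])))
    print("suspicious?", is_suspicious_header(benign), is_suspicious_header(crafted))
```

The same `is_suspicious_header` check is what a network sensor would apply to traffic on TCP 445: a compression transform header whose declared original size cannot fit in memory is not something a legitimate client sends.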

CVE-2019-19781

This issue affects Citrix Application Delivery Controller (ADC) and Citrix Gateway versions 10.5, 11.1, 12.0, 12.1, and 13.0. A directory traversal flaw lets an unauthenticated remote attacker reach the Perl scripts under /vpns/ that the appliance's access control was meant to protect, and through them write files to arbitrary disk paths. Because those scripts render files with the Perl Template Toolkit, a written template file leads to remote code execution on the appliance.
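The following is an added example, not code from the original post or from Citrix, showing why the traversal slipped past a prefix-based access check and how to hunt for it in access logs. It compares a naive rule that inspects the raw path prefix with one that URL-decodes and normalizes dot segments first, then runs a scanner over a few constructed log lines (not real data) in the publicly documented `/vpn/../vpns/` shape of CVE-2019-19781 requests. The log format and the IP addresses are assumptions for the demo.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real data). The traversal form
# /vpn/../vpns/ is the publicly documented shape of CVE-2019-19781 requests.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2020:10:01:02 +0000] "GET /vpn/index.html HTTP/1.1" 200 512
203.0.113.9 - - [10/Jan/2020:10:01:07 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 0
203.0.113.9 - - [10/Jan/2020:10:01:09 +0000] "GET /vpn/../vpns/portal/backdoor.xml HTTP/1.1" 200 88
198.51.100.2 - - [10/Jan/2020:10:02:00 +0000] "GET /vpn/%2e%2e/vpns/cfg/smb.conf HTTP/1.1" 200 300
10.0.0.6 - - [10/Jan/2020:10:03:00 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 1024
"""

# Common-log-format request line; assumed layout for the constructed sample.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def prefix_only_allow(path: str) -> bool:
    """Models an access rule that trusts the raw prefix: /vpn/ is public,
    so /vpn/../vpns/... sails through even though it resolves under /vpns/."""
    return path.startswith("/vpn/")


def normalized_allow(path: str) -> bool:
    """Decode, then collapse dot segments, then check the prefix."""
    resolved = posixpath.normpath(unquote(path))
    return resolved.startswith("/vpn/")


def find_traversal(log_text: str) -> list:
    """Return (ip, method, raw_path, resolved_path) for requests that use dot
    segments to escape /vpn/ into /vpns/, including percent-encoded variants."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        decoded = unquote(m["path"])
        resolved = posixpath.normpath(decoded)
        if ".." in decoded.split("/") and resolved.startswith("/vpns/"):
            hits.append((m["ip"], m["method"], m["path"], resolved))
    return hits


if __name__ == "__main__":
    for hit in find_traversal(SAMPLE_LOG):
        print(*hit)
```

Citrix's interim mitigation before patches were available worked on the same principle: a responder policy that decoded the URL and dropped requests containing `/vpns/` together with `/../`. In post-incident review, the `.xml` files written into the portal directories are the artifact to look for, since the writes happen before the code runs.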

CVE-2019-0708

This vulnerability, commonly known as BlueKeep, resides in Remote Desktop Services and permits code execution through specially crafted connection requests. It is reachable before authentication and requires no user interaction, which is why Microsoft described it as wormable. An attacker who successfully exploits it can execute arbitrary code on the target system with SYSTEM privileges. Affected systems are the older Windows releases (Windows XP, Windows 7, Windows Server 2003, 2008 and 2008 R2); Windows 8 and later are not affected.

The update resolves the vulnerability by correcting how Remote Desktop Services handles connection requests. Enabling Network Level Authentication (NLA) is a partial mitigation, since it forces authentication before the vulnerable code path is reached, but it does not remove the bug for anyone who holds valid credentials.

CVE-2017-11882

A remote code execution vulnerability exists in Microsoft Office when the software fails to properly handle objects in memory. The flawed code is the legacy Equation Editor component (EQNEDT32.EXE), which runs as a separate process and was built without modern exploit mitigations such as ASLR, so a stack buffer overflow in its font-name handling is straightforward to turn into code execution. An attacker who successfully exploits this vulnerability can execute arbitrary code in the context of the current user. Users whose accounts operate with reduced privileges face lower risk than those with administrative rights.

Exploitation requires a user to open a specially crafted file with a vulnerable version of Microsoft Office or Microsoft WordPad. Microsoft's November 2017 update patched the component, and a later update removed Equation Editor from Office entirely.

CVE-2017-0199

A remote code execution vulnerability exists in how Microsoft Office and WordPad parse specially crafted files. The flaw lies in the handling of OLE2Link objects: a crafted RTF document references a remote resource through a URL moniker, and Office fetches and executes that resource (typically an HTA file) when the object is loaded or updated, without asking the user. An attacker who successfully exploits this vulnerability can assume control of an affected system, then install programs, view, modify, or delete data, or create new accounts with full user rights.

Exploitation requires a user to open or preview a specially crafted file with a vulnerable version of Microsoft Office or WordPad; because the preview pane is enough, opening the attachment is not even strictly necessary. In email-based attack scenarios, an attacker sends the crafted file to a user and convinces them to open it. Continuous monitoring of exploitation patterns, guided by current cybersecurity advisories, remains critical for detecting such campaigns in real time.
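Both CVE-2017-11882 and CVE-2017-0199 arrive as RTF attachments carrying an embedded or linked OLE object, so one triage script serves both sections. The following is an added example, not code from the original post or from Microsoft: it pulls `\objclass` names and hex-encoded `\objdata` blobs out of an RTF file, decodes the blobs, and flags the Equation Editor class and CLSID, the OLE2Link class, the URL Moniker CLSID, and the `\objupdate` control word that makes a linked object refresh on open. The RTF samples are constructed, simplified fragments for the demo and are not real exploit documents; the OLE1 prefix bytes and the sample URL are assumptions.

```python
import re
import uuid

# CLSIDs: Equation Editor 3.0 (Equation.3) and the URL Moniker that OLE2Link objects use.
EQUATION_EDITOR_CLSID = uuid.UUID("0002CE02-0000-0000-C000-000000000046")
URL_MONIKER_CLSID = uuid.UUID("79EAC9E0-BAF9-11CE-8C82-00AA004BA90B")

OBJCLASS_RE = re.compile(r"\\\*\\objclass\s+([^}\\]+)")
OBJDATA_RE = re.compile(r"\\\*\\objdata\s+([0-9a-fA-F\s]+)")


def decode_objdata(hex_blob: str) -> bytes:
    """\\objdata is hex text, often wrapped across lines; strip whitespace and decode."""
    return bytes.fromhex(re.sub(r"\s+", "", hex_blob))


def triage_rtf(rtf_text: str) -> list:
    """Return indicator tags for embedded or linked objects worth a closer look."""
    tags = []
    if not rtf_text.lstrip().startswith("{\\rtf"):
        return tags
    classes = [c.strip().lower() for c in OBJCLASS_RE.findall(rtf_text)]
    blobs = [decode_objdata(h) for h in OBJDATA_RE.findall(rtf_text)]
    if any(c.startswith("equation") for c in classes):
        tags.append("equation_editor_objclass")          # CVE-2017-11882 territory
    if "ole2link" in classes:
        tags.append("ole2link_objclass")                  # CVE-2017-0199 territory
    # CLSIDs appear in OLE data in little-endian GUID byte order, hence bytes_le.
    if any(EQUATION_EDITOR_CLSID.bytes_le in b for b in blobs):
        tags.append("equation_editor_clsid")
    if any(URL_MONIKER_CLSID.bytes_le in b for b in blobs):
        tags.append("url_moniker_clsid")
    if "\\objupdate" in rtf_text and (classes or blobs):
        tags.append("objupdate")                          # object refreshes on open: no click required
    return tags


def constructed_sample(kind: str) -> str:
    """Constructed RTF fragments for the demo; simplified, not real exploit documents."""
    ole1_prefix = bytes.fromhex("0105000002000000")       # assumed OLE1 header bytes for the demo
    if kind == "equation":
        data = ole1_prefix + b"Equation.3\x00" + EQUATION_EDITOR_CLSID.bytes_le + b"\x00" * 32
        return ("{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Equation.3}"
                "{\\*\\objdata " + data.hex() + "}}}")
    if kind == "ole2link":
        data = (ole1_prefix + b"OLE2Link\x00" + URL_MONIKER_CLSID.bytes_le
                + b"http://example.invalid/payload.hta\x00")
        return ("{\\rtf1\\ansi{\\object\\objautlink\\objupdate{\\*\\objclass OLE2Link}"
                "{\\*\\objdata " + data.hex() + "}}}")
    return "{\\rtf1\\ansi Quarterly figures attached.\\par}"


if __name__ == "__main__":
    for kind in ("benign", "equation", "ole2link"):
        print(f"{kind:9s} -> {triage_rtf(constructed_sample(kind))}")
```

Real samples obfuscate the control words and pad the hex, so treat this as the shape of the check rather than a finished detector; the point is that the class name, the CLSID bytes and the `\objupdate` flag are three independent signals, and an attachment that trips any of them deserves detonation in a sandbox before it reaches a user.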
