Cybercriminals and state actors continue to exploit a collection of older vulnerabilities — in some cases, more than 5 years old — to compromise companies and organizations that have poorly maintained systems, the US government warned in an advisory released on May 12.
In its "Top 10 Routinely Exploited Vulnerabilities," the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and other US government cybersecurity responders warned companies and agencies that publicly known vulnerabilities are far more commonly targeted by nation-state, cybercriminal, and unattributed attackers than zero-day vulnerabilities. All of the vulnerabilities are associated with popular malware frameworks — such as Dridex, FinSpy, China Chopper, and EternalBlue exploit kits — used by attackers in ongoing campaigns.
Failure to patch these vulnerabilities — all of which are more than a year old — puts organizations at significantly higher risk of compromise, the advisory stated.
"The public and private sectors could degrade some foreign cyber threats to US interests through an increased effort to patch their systems and implement programs to keep system patching up to date," the advisory stated. "A concerted campaign to patch these vulnerabilities would introduce friction into foreign adversaries' operational tradecraft and force them to develop or acquire exploits that are more costly and less widely effective."
Patching is the most basic way that companies can improve their cybersecurity posture, but old versions of software still exist in organizations' IT environments. The problems with patching are highlighted by the fact that one vulnerability on the CISA's top 10 list of commonly exploited vulnerabilities was first disclosed in 2012.
"The biggest risk associated w ..
Support the originator by clicking the read the rest link below.
