Government officials in the US, UK, and Australia are urging public and private-sector organizations to secure their networks by ensuring firewalls, VPNs, and other network-perimeter devices are patched against the most widespread exploits.
In a joint advisory published Wednesday, the US FBI and CISA (Cybersecurity and Infrastructure Security Agency), the Australian Cyber Security Center, and the UK’s National Cyber Security Center listed the top 30 or so most exploited vulnerabilities. The vulnerabilities reside in a host of devices or software marketed by the likes of Citrix, Pulse Secure, Microsoft, and Fortinet.
Four of the most targeted vulnerabilities last year resided in VPNs, cloud-based services, and other devices that allow people to remotely access employer networks. Despite the explosion in the number of work-from-home employees driven by the COVID-19 pandemic, many VPN gateway devices remained unpatched during 2020.
Discovery dates of the top four vulnerabilities ranged from 2018 to 2020, an indication of how common it is for organizations using the affected devices to leave security patches unapplied. The security flaws include CVE-2019-19781, a remote code-execution bug in Citrix’s application delivery controller (which customers use to perform load balancing of inbound application traffic); CVE-2019-11510, which allows attackers to remotely read sensitive files stored by the Pulse Secure Pulse Connect Secure VPN; CVE-2018-13379, a path-traversal weakness in VPNs made by Fortinet; and CVE-2020-5902, a code-execution vulnerability in the BIG-IP advanced delivery controller made by F5.
Here is the complete list.
Citrix – CVE-2019-19781 – various products: Several organisations were targeted in early January through a flaw in Application Delivery Controller (ADC), Citrix Gateway and Citrix SD-WAN that allowed hackers to perform arbitrary code execution on a network.
Ivanti – CVE-2019-11510 – Pulse Connect Secure: Hackers exploited the popular SSL VPN platform used by large organisations and governments to gain access to vulnerable networks. The flaw was even used in Sodinokibi ransomware attacks.
Fortinet – CVE-2018-13379 – FortiOS: A path traversal vulnerability in the FortiOS SSL VPN web portal may allow an unauthenticated attacker to download FortiOS system files through specially crafted HTTP resource requests.
F5 – CVE-2020-5902 – BIG-IP: Unauthenticated attackers with network access to the configuration utility of the BIG-IP family of networking hardware and software products could exploit this bug to perform various attacks, including executing arbitrary system commands.
MobileIron – CVE-2020-15505 – various products: MobileIron released patches in June 2020 to address holes in its mobile device management (MDM) systems including this remote code execution (RCE) flaw. It was being exploited by state-backed hackers to compromise the networks of UK organisations.
Microsoft – CVE-2017-11882 – Microsoft Office: Discovered in 2017, this is an RCE bug that exists when the software fails to properly handle objects in memory. If a user is logged in with admin rights, an attacker could take control of the affected system.
Atlassian – CVE-2019-11580 – Atlassian Crowd: Atlassian patched an RCE flaw in its Crowd platform in May 2020. Crowd is a user management application for access control for Active Directory (AD), Lightweight Directory Access Protocol (LDAP), OpenLDAP and Microsoft Azure AD.
Drupal – CVE-2018-7600 – Drupal 7 and 8: Older releases of versions 7 and 8 of the content management system (CMS) contained an RCE flaw that allowed attackers to execute arbitrary code, owing to an issue affecting multiple subsystems.
Telerik – CVE-2019-18935 – Telerik UI for ASP.NET AJAX: Hackers have been exploiting an RCE flaw in this widely used suite of UI components for web applications since December 2019. The vulnerability insecurely deserialises JSON objects in a way that results in RCE on the software’s underlying host.
Microsoft – CVE-2019-0604 – Microsoft SharePoint: An RCE vulnerability exists in SharePoint when the software fails to check the source markup of an application package. An attacker can exploit the flaw to run arbitrary code within the SharePoint application pool and the SharePoint server farm account.
Microsoft – CVE-2020-0787 – Windows Background Intelligent Transfer Service (BITS): The BITS component in Windows improperly handles symbolic links, with an attacker able to overwrite a targeted file leading to elevation of privileges. Hackers have exploited this by logging into a targeted system and running a specially crafted application to exploit the flaw and take control of the targeted system.
Microsoft – CVE-2020-1472 – Netlogon Remote Protocol: This elevation of privilege vulnerability exists when a hacker establishes a vulnerable Netlogon secure channel connection to a domain controller. Attackers who exploit the flaw can run a specially crafted application on a device on the network.
Microsoft – CVE-2020-0688 – Exchange Server: An RCE vulnerability exists in Exchange Server when the server fails to properly create unique cryptographic keys at the time of installation. Specifically, this is found in the Exchange Control Panel (ECP) component.
Atlassian – CVE-2019-3396 – Confluence Widget Connector: This critical server-side template injection vulnerability, found in the Confluence Server and Data Center Widget Connector, can lead to path traversal and RCE.
Microsoft – CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 – Exchange Server: Chinese state-backed hackers exploited four previously unknown zero-days to launch a series of devastating attacks against businesses. They were exploiting these flaws as part of an attack chain, with the initial step requiring the ability to make an untrusted connection to the Exchange server on port 443.
Ivanti – CVE-2021-22893, CVE-2021-22894, CVE-2021-22899, and CVE-2021-22900 – Pulse Secure: At least two major hacking groups deployed a dozen malware families to exploit flaws in Pulse Connect Secure’s suite of VPNs to spy on the US defence sector. The NCSC issued guidance for businesses in May 2021 to update their Pulse Connect Secure systems to version 9.1R.11.4.
Accellion – CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104 – File Transfer Appliance (FTA): In February this year, Accellion patched four flaws in its FTA tool after detecting that fewer than customers were targeted earlier in the year. Cyber security agencies around the world later warned, however, that hackers had continued to exploit the vulnerabilities to target multiple layers of government in the US.
VMware – CVE-2021-21985 – vCenter Server: VMware warned customers in May this year that ransomware gangs were primed to exploit vulnerabilities in the vSphere Client to launch attacks. The flaw involves a lack of input validation in the Virtual SAN Health Check plugin, which is enabled by default in the system.
Fortinet – CVE-2018-13379, CVE-2020-12812 and CVE-2019-5591 – FortiOS: US cyber security agencies warned in April that state-backed hackers were exploiting these flaws to gain access to government systems. The first vulnerability let attackers download system files, and the second led to users successfully logging in without being prompted for a second factor of authentication, while the third let hackers on the same FortiOS subnet intercept sensitive information.
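The list above writes CVE identifiers in three different spellings ("CVE-2019-19781", "CVE 2019-11510", "CVE2021-27065") and names CVE-2018-13379 twice, which is exactly what trips up a naive copy-and-grep against an asset inventory. The following is an added example, not code from the advisory or from the original page: it normalises the identifiers to canonical form, builds a (vendor, product) to CVE map from entries written in the list's own "Vendor – CVEs – Product: text" layout, and reports which hosts in a constructed inventory still lack a fix for an advisory CVE. The sample entries, host names and patch status are constructed for the example.

```python
import re
from collections import defaultdict

# Matches the CVE spellings seen in the advisory summary: "CVE-2019-19781",
# "CVE 2019-11510" (space separator) and "CVE2021-27065" (no separator).
CVE_RE = re.compile(r"\bCVE[-\s]?(\d{4})[-\s]?(\d{4,7})\b", re.IGNORECASE)

# Constructed sample entries in the summary's "Vendor – CVEs – Product: text" layout.
SAMPLE_ENTRIES = [
    "Fortinet – CVE 2018-13379 – FortiOS: path traversal in the SSL VPN web portal.",
    "Fortinet – CVE-2018-13379, CVE-2020-12812 and CVE-2019-5591 – FortiOS: exploited together.",
    "Microsoft – CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE2021-27065 – Exchange Server: chained.",
    "Ivanti – CVE 2019-11510 – Pulse Connect Secure: arbitrary file read.",
]

# Constructed asset inventory: the advisory CVEs each host already has a fix for.
SAMPLE_INVENTORY = [
    {"host": "vpn-edge-01", "vendor": "Fortinet", "product": "FortiOS",
     "patched": {"CVE-2018-13379"}},
    {"host": "mail-01", "vendor": "Microsoft", "product": "Exchange Server",
     "patched": {"CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"}},
    {"host": "vpn-edge-02", "vendor": "Ivanti", "product": "Pulse Connect Secure",
     "patched": set()},
]


def normalize_cves(text):
    """Return canonical, de-duplicated 'CVE-YYYY-NNNN' ids found in text, in order."""
    found = []
    for year, number in CVE_RE.findall(text):
        cve = f"CVE-{year}-{number}"
        if cve not in found:
            found.append(cve)
    return found


def parse_entries(lines):
    """Map (vendor, product) -> set of advisory CVEs from 'Vendor – CVEs – Product: text' lines."""
    affected = defaultdict(set)
    for line in lines:
        head = line.split(":", 1)[0]                   # "Vendor – CVEs – Product"
        parts = [p.strip() for p in head.split("–")]   # split on the en dash used as separator
        if len(parts) < 3:
            continue                                   # not in the expected layout; skip it
        vendor, product = parts[0], parts[-1]
        affected[(vendor, product)].update(normalize_cves(head))
    return affected


def triage(inventory, affected):
    """Return {host: sorted outstanding CVEs} for hosts still missing an advisory fix."""
    outstanding = {}
    for asset in inventory:
        key = (asset["vendor"], asset["product"])
        missing = affected.get(key, set()) - asset["patched"]
        if missing:
            outstanding[asset["host"]] = sorted(missing)
    return outstanding


if __name__ == "__main__":
    for host, cves in triage(SAMPLE_INVENTORY, parse_entries(SAMPLE_ENTRIES)).items():
        print(f"{host}: outstanding {', '.join(cves)}")
```

Matching on (vendor, product) rather than vendor alone keeps an Exchange Server host from being flagged for the Office or SharePoint entries; a real inventory would carry firmware or build versions and compare them against the vendor's published fixed versions, which this constructed sample replaces with an explicit patched set.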
The bottom line is that most software products come with some vulnerabilities. It is the nature of product development over time. Also, the more popular a product, the greater the risk, as more users are exposed. Developers are publishing patches constantly and it is a full-time career to keep IT systems updated. Rather than having to rely completely on installing patches, simply utilize the Helix22 SDK at this point and you are immune from data theft and cyber attacks. Your firm can still do all the patches as they are released, but your data is no longer at risk in the interim, especially with zero-day attacks.
The new era of data security is one that requires new solutions. The era of perimeter defenses is over, as it is proving impossible to keep hackers from breaching the perimeter and accessing data. Further, E2E encryption based on old models of RSA cryptography is obsolete as quantum computing becomes mainstream.
Our Motto
In Math We Trust
Review Helix22 API, examples and documentation on our GIT
Helix22 delivers perfect security assurance due to our genius engineering team that has invented a new model for data security, one that required an innovative look at the problem. The approach we took was to protect the data itself. Almost all other data security products try to build a perimeter or are fixated on user credentials. However, once the product is breached or a password is stolen, even if it is 2FA or encrypted, your firm’s data is in the clear.
You see, the Helix22 cryptography is embedded with the data itself through our inventive and patented process of DNA Binding™. Therefore, even if credentials are stolen the data cannot be exfiltrated. This means that all data is 100% protected regardless of the type of attack.
Another substantial advantage of Helix22 is that it protects all data whether at rest, in use or in transit. All communication apps, for example, only encrypt data while in transit. Therefore, that encryption becomes useless for internal IT security or Artificial Intelligence or Machine Learning experimentation. All data generated during these massive computing exercises is equally protected in real time. Plus, the latency period for the Helix22 is exponentially less than any other security product, so it actually contributes to faster processing times.
In this protocol, we are truly a “zero-knowledge” server so your private communications and transmissions remain completely top secret. Even in the event that BLAKFX were subpoenaed, we can honor the request by just handing over the encrypted content…as that is literally all we have. Helix22 also uses each key only once and then destroys it. This way the data security is future-forward perfect. Therefore, in our unique device-to-device encryption (D2D) world, there is no opportunity ever for any data leak.
The Helix22 data security SDK accomplishes the following:
- Protects all your firm’s data at rest, in use and in transit
- Renders ransomware threats obsolete
- Eliminates human error
- Eliminates all malicious or insider attacks
- Verifies original content i.e. minimizes the threat of impersonation attacks and deep fakes
- Reduces latency
- Installs with 5 lines of code
- Runs on any platform, network, device and in any programming language
- Provides perfect future/forward secrecy
- Delivers “zero-knowledge” encryption
- Compatible with all cloud, 3rd party and vendor services
- Ensures privacy and security for blockchain and all cryptocurrency transactions
- Is quantum ready – so there’s no need to upgrade when the time comes
- Requires no employee training
- Exceeds all gov’t and banking standards
- Meets compliance regulations
D2D encryption
We can make this claim as the tech engineers at BLAKFX invented and patented device2device (D2D) encryption. We manage data security transmission through the truly brilliant and also patented universal Helix22 key service. The Helix22 encryption originates on your network or device, not just when the app is opened. This means that when data arrives at our key server, it is already encrypted, so all the server needs to do is issue another key. Signal and Telegram cannot claim this level of security. This key will then only work with the intended device, which generates a matching key required to open the data. In this protocol, we are truly a “zero-knowledge” server so your communications and transmissions remain completely top secret. Even in the event that BLAKFX were subpoenaed, we can honor the request by just handing over the encrypted content…as that is literally all we have. Helix22 also uses each key only once and then destroys it. This way the data security is future-forward perfect. Therefore, in our unique device-to-device (D2D) world, there is no opportunity at all for any data leak.
The same protocol just described can apply to all your 3rd-party vendors and suppliers. It does not matter in the least what platform they are running, what device they are using or even the type of data; it is all 100% protected. We do, however, strongly advise that all firms involved use Helix22 due to the nature of the data content. Helix22 can ensure that whatever data they are generating is protected as well.
Let’s take it a step further. Even if your organization were a victim of an internal attack or a victim of malicious open source downloads, there is no reason for concern. Any data that has been forwarded, downloaded, copied or saved cannot be exfiltrated. Period. We have the technology industry’s foremost data packets, which are protected with multi-layered, military-grade encryption algorithms that have already proven the ability to withstand penetration testing from MI5 and quantum computing attacks.
One final practical strength of DNA Binding™ is that it is immediately compatible with whichever system or software you are utilizing. Therefore, any organization can forward information to another and then discuss it, and there is immediate privacy.
The BLAKFX Suite of Data Security Products
In addition to the fastest and most secure data protection product available in Helix22, we provide a full range of security products for a holistic approach.
We are on a mission to stop ransomware threats
Ransomware Auditing as a Service (RaaS): ransomware attacks have skyrocketed in the past year and currently represent the biggest threat to the data of government agencies, military, intelligence agencies as well as private enterprises. BLAKFX developed the world’s first Ransomware Auditing as a Service (RaaS) platform, which allows our cyber security engineers to scan your network and simulate real-world ransomware attacks to test the prevention, detection and mitigation strategies of your organization and establish how resilient your network is to real ransomware attacks. After the scan we provide a comprehensive report and our recommendations for remediation.
If you are the victim of an actual ransomware attack, we are able to recover the data that has been hijacked during the attack and, due to Helix22’s DNA Binding™ cryptography, restore it to its original state.
DARKHYDRA3 – Auditing/Penetration Testing: we provide cyber auditing & penetration testing services in order to identify the gaps in your network, cloud, communications, network appliances, wireless networks, laptops, desktops & mobile devices, website, backup and 3rd party applications and services. Once we scan your systems, we provide a comprehensive report and our recommendations for remediation.
MSS & Insider Threat Prevention: BLAKFX has a national security level Secure Operations Center that can monitor your network (via our Managed Security Service) for threats & vulnerabilities as well as your employees via threat behavioral analysis techniques in order to stop threats (including insider threats) before they become a problem for your network, data and organization.
TSCM: many organizations and government agencies are aware of the threats posed by hacking, surveillance and data theft but are not aware that Technical Surveillance Counter Measures and Electronic Security are an essential component of overall risk mitigation. BLAKFX’s access to the most sophisticated equipment and military- and intelligence-community-level RF monitoring expertise is unique in the world.
Physical Security: we offer overall physical security services and designs for your buildings, data centers, cloud providers, airplanes, vehicles and personnel security. We provide full physical security planning, insider threat detection and prevention, physical security audits, certification, and security awareness training.
Global Governments: (restrictions apply) Click here to request information & quotes
*Katim Ultra Secure Smartphone: part of the BLAKFX’s suite of secure products, we are pleased to offer governments, law enforcement, intelligence agencies, military forces globally and enterprises, a fully user2user encrypted phone, with secure messenger, secure email, secure news, secure audio/video calling & secure conference calling.
Blacklight & CyAn – OSINT: the Collection Platform provides a real-time, comprehensive view of collected intelligence from various sources. The system allows for more effective operation management by allowing the operators to control all available intelligence gathering tools from a single, unified dashboard. By allowing centralized control, alongside presentation of key intelligence and insights, the overall operational effectiveness is significantly increased.
The Analytics Platform system fuses all field intelligence meta-data and cyber intelligence content, as well as other data sources, to highlight and identify suspicious activity, important events and analyze suspects’ relationships and communications. The system can provide in-depth operational understanding in near-real-time to the field operations teams.
Pre-Crime, Data Fusion and Big-Data Analysis: a full range of capacity for big data analytics. Analyzing billions of events, merging data from heterogeneous sources, revealing weak signals and understanding the digital behavior of a target are some of the numerous features of the Analytics Center. It is composed of modules such as Analytics, Profile, Relational and Predictive.
LLDDS: the Low Level Defender Drone System consists of three essential elements, the first of which is our Ground Based Sensor Node (GBSN). The GBSN employs a very low power, high sensitivity FMCW radar system, functionally integrated with a complementary video/IR detection and confirmation system. The GBSN is controlled by AI and by either a single on-site operator or via remote operator control over our fully secure Command, Control and Communications (C3) SatComm-based network. The second element in the System is a medium endurance, low-level, missile-armed defender drone. This critical airborne asset will provide persistent or on-demand zone protection including airborne patrol, target identification, target confirmation, and attack. This unmanned, very capable platform is the attack and deterrent end of the LLDD defense chain. It is continuously and closely monitored and controlled by AI and a Controller/Operator – in real-time – via the LLDD C3 SatComm Network. Our highly automated and minimally manned concept employs proven off-the-shelf, ground-based and airborne sensors and platforms combined with proprietary BLAKFX technology.
Note: Items marked with * are available for enterprises as well
BLAKFX is Based on Success
Our founders, Robert Statica PhD and Kara Coppa, also founded Wickr, which is used by the US military and has never been hacked since its inception in 2012. The Helix22 data security SDK is several generations enhanced since then. Dr. Statica also delivered the encryption for the world’s most secure phone, Katim.
- Founder – Robert Statica PhD
- Founder – Kara Coppa
- Founder – Alex Maslov MS, MBA
Co-Founders of Wickr; Katim™ Ultra Secure Smartphone
