Hackers Targeted Work-From-Home Technology and Avoided Adobe Products Last Year
In 2015, eight of the top ten most exploited vulnerabilities involved Adobe products. But in 2020, no Adobe products made the list, according to new data.
Instead, cybercriminals focused their attention on vulnerabilities in remote-work technology, such as Citrix’s Application Delivery Controller, PulseSecure’s Pulse Connect, and Oracle’s WebLogic, as well as widely used Microsoft products. The new data from Recorded Future’s annual vulnerability report was gleaned from code repositories, underground forums, vulnerability databases, dark web sites, and other sources to rate threats based on how actively they are being exploited. Although more than 18,000 vulnerabilities were disclosed in 2020, most are never exploited because they are difficult for hackers to take advantage of.
Adobe Flash Player, which has for years been a favorite target of cybercriminals, was absent from the report for the first time since the report’s inception, after Flash officially reached its end-of-life at the end of 2020. Open standards like HTML5 and WebAssembly have largely replaced Flash’s features, such as support for 3D graphics and complex animation, and browsers have switched to using these alternatives by default.
“Unsurprisingly, Adobe Flash Player was not an issue in 2020 because the overall percentage of users accessing content with Flash Player has been greatly decreasing since 2017,” said Kathleen Kuczma, a co-author of the study. “Cybercriminals have moved on to targeting other technologies, such as Microsoft, that have a much larger user base.”
The top-exploited vulnerability of 2020 was CVE-2019-19781, which impacts Citrix ADC. The vulnerability has been associated with multiple ransomware families, including DoppelPaymer, RagnarLocker, Nefilim, Maze, and REvil. Ransomware attacks and associated demands skyrocketed in 2020, with groups often targeting hospitals, schools, and other organizations that were seen as particularly vulnerable. Nation-state threat actors affiliated with China and Iran have also made use of the exploit in attacks on a variety of industries, including healthcare and manufacturing.
“One reason why CVE-2019-19781, a Citrix ADC vulnerability, has been so popular in 2020 is likely due to its targeting one of the major VPN technology providers,” Kuczma said. “VPN usage greatly increased during the global pandemic. Companies needed a way to allow a now fully remote workforce to access company-specific information.”
Another vulnerability at the top of the list was CVE-2020-1472, a privilege escalation vulnerability also known as Zerologon. Interestingly, the vulnerability was disclosed relatively late in the year. Microsoft released its first patch for Zerologon in August, and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency issued an emergency directive ordering civilian federal agencies to immediately patch or disable all affected Windows servers. In October, Microsoft said it had identified Iranian nation-state threat actors exploiting the vulnerability for at least two weeks against unspecified targets. The resulting media attention may have prompted the vulnerability’s rapid popularity among cybercriminals at the end of the year, according to the report.
Three other vulnerabilities that made the list were also disclosed in 2020; previous reports contained more legacy vulnerabilities, according to the researchers. These include CVE-2020-0796, a remote code execution vulnerability in the Microsoft Server Message Block 3.1 protocol, also known as CoronaBlue or SMBGhost; CVE-2020-14882, a vulnerability in Oracle WebLogic Server that the company disclosed in October; and CVE-2020-0674, a vulnerability in Internet Explorer that allows attackers to execute arbitrary code in the context of the current user.