Despite Microsoft issuing a patch in 2010 to fix the vulnerability abused by the Stuxnet worm, researchers have said that flaw is still the most exploited in the world.
Inspired by the recent release of more Equation Group exploits and cyberweapons, Kaspersky Lab looked at the top exploits targeting all users in 2015 and 2016. Kaspersky found that the flaw in the Windows Shell behind the Stuxnet worm (CVE-2010-2568) still ranked "first in terms of the number of users attacked," and "almost a quarter of all users who encountered any exploit threat in 2016 were attacked with exploits to this vulnerability."
"For several years in a row, exploits for the infamous Stuxnet vulnerability CVE-2010- 2568 have topped the chart of the most widespread malware of this type. In 2015, 27% of users that encountered any exploit attack during the year at least once, faced exploits to this particular vulnerability," researchers wrote in the Kaspersky report. "This may be due to the fact that malware that uses these exploits have a self-replicating feature, constantly recreating themselves in the attacked network where vulnerable computers are installed."
Amol Sarwate, director of vulnerability labs at Qualys Inc., said his company's data couldn't confirm Kaspersky's analysis but did show most companies were patched.
"If attackers are still aggressively targeting the Stuxnet vulnerability, our data shows that organizations have taken effective steps to remediate the issue. We see that by mid-2012, approximately 90% of Qualys customers had applied the patch MS10-046, which addresses the Stuxnet vulnerability," Sarwate told SearchSecurity. "This reinforces the notion that patching all known vulnerabilities should always be the standard baseline of any security practice."
Ralph Langner, the security researcher who first reverse engineered Stuxnet, told SearchSecurity, "That's a powerful general-purpose exploit and one would simply expect that it continues to be in use until the last computer is patched appropriately."
Marc-Antoine Héroux, an IT analyst, said it was believable that so many exploits of the vulnerability would be found, but noted a caveat regarding the Stuxnet worm replication function.
"It is also an extremely well designed/very complex malware, designed by a huge team, which is why it is being repurposed/modded," Héroux told SearchSecurity on Twitter. "If you want to be very thorough: the 'original Stuxnet' was designed to erase itself and only replicate under very specific circumstances. The 'Stuxnet variants'/successors don't have to obey those rules however, that's the key part. "
Héroux noted there may not be much hope for these exploits to get better because the vulnerability used by the Stuxnet worm affects older and unpatched systems.
"[Microsoft] only supports outdated OSes for so long. Once patches stop trickling in for these OSes, that's when things quickly get out of control," Héroux said. "We could hear [two plus months] from now that hackers now have shifted to using retooled leaked [Shadow Brokers] NSA exploits that were 'patched up.'"
Richard Henderson, global security strategist at Absolute, also said he wasn't surprised about the continued exploits related to the Stuxnet worm vulnerability.
"The attack itself has a really interesting self-replication feature that allows it to move throughout a vulnerable network and attack other vulnerable devices, which is exactly what the original designers of the attack wanted to do," Henderson told SearchSecurity. "More importantly is the simple fact that ICS and SCADA networks have always been designed and built for long deployment cycles. This technology is designed to be dropped in, turned on, and left alone quietly humming away for years ... if not a decade or more. Security for a lot of these devices was an afterthought, and it can take a long time to replace these things with newer devices that may be able to accept patches."
NSA and the Stuxnet worm
The Stuxnet worm has been suspected to be the work of the U.S. and Israeli governments, the history of which was laid out recently in the documentary "Zero Days." Kasperky's new research adds more evidence to that history.
And a security researcher based in France with the Twitter handle "x0rz" pointed out this was not the first time Kaspersky had connected the Stuxnet worm with the Equation Group. Kaspersky research from 2015 reported a link between the Equation Group and a group called Fanny.
"It's important to point out that these two exploits were used in Fanny before they were integrated into Stuxnet, indicating the Equation Group had access to these zero-days before the Stuxnet group," Kaspersky wrote. "Actually, the similar type of usage of both exploits together in different computer worms, at around the same time, indicates that the Equation Group and the Stuxnet developers are either the same or working closely together."
Henderson said that although neither the U.S. or Israeli governments have admitted to developing the Stuxnet worm, at this point attribution falls under Occam's Razor.
"Who else would have the ability to create such a specialized piece of ICS/SCADA malware and convince insiders to install it inside an air-gapped network? The motives for the U.S. and Israel to throw a figurative wrench in the uranium processing abilities was crystal clear," Henderson said. "This latest leak, while still not providing a smoking gun linking back to the NSA being the genesis of Stuxnet, just adds to significant amount of circumstantial evidence pointing fingers at them."
Learn what enterprises need to consider with automated patching.
Find out how to best adapt to Microsoft's patching changes.
Get info on why the Stuxnet worm was a wake-up call for nuclear cybersecurity.