The top exploited vulnerability of 2021 was Log4Shell, affecting Apache’s Log4j library, which was disclosed in December and achieved “rapid widespread exploitation,” demonstrating “the ability of malicious actors to quickly weaponize known vulnerabilities and target organizations before they patch,” according to a new multinational assessment.
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), New Zealand National Cyber Security Centre (NZ NCSC), and United Kingdom’s National Cyber Security Centre (NCSC-UK) co-authored an advisory released today detailing the top 15 Common Vulnerabilities and Exposures (CVEs) along with other vulnerabilities routinely exploited by malicious cyber actors.
The cyber agencies assessed that “malicious cyber actors aggressively targeted newly disclosed critical software vulnerabilities against broad target sets, including public and private sector organizations worldwide.”
“Globally, in 2021, malicious cyber actors targeted internet-facing systems, such as email servers and virtual private network (VPN) servers, with exploits of newly disclosed vulnerabilities,” the advisory said. “For most of the top exploited vulnerabilities, researchers or other actors released proof of concept (POC) code within two weeks of the vulnerability’s disclosure, likely facilitating exploitation by a broader range of malicious actors.”
“To a lesser extent, malicious cyber actors continued to exploit publicly known, dated software vulnerabilities—some of which were also routinely exploited in 2020 or earlier,” the agencies continued. “The exploitation of older vulnerabilities demonstrates the continued risk to organizations that fail to patch software in a timely manner or are using software that is no longer supported by a vendor.”
Following the Log4j vulnerability — remote code execution that enables an attacker to take over a system to swipe data or launch ransomware — was the critical vulnerability affecting Zoho ManageEngine ADSelfService Plus reported in September.
Then came three ProxyShell vulnerabilities that affected Microsoft Exchange email servers with elevation of privilege, remote code execution, and security feature bypass attacks. “Successful exploitation of these vulnerabilities in combination enables a remote actor to execute arbitrary code,” the advisory said. “These vulnerabilities reside within the Microsoft Client Access Service (CAS), which typically runs on port 443 in Microsoft Internet Information Services (IIS) (e.g., Microsoft’s web server). CAS is commonly exposed to the internet to enable users to access their email via mobile devices and web browsers.”
Following that came the ProxyLogon targeting Microsoft Exchange Server with remote code execution. “Successful exploitation of these vulnerabilities in combination (i.e., ‘vulnerability chaining’) allows an unauthenticated cyber actor to execute arbitrary code on vulnerable Exchange Servers, which, in turn, enables the actor to gain persistent access to files and mailboxes on the servers, as well as to credentials stored on the servers,” the advisory continued. “Successful exploitation may additionally enable the cyber actor to compromise trust and identity in a vulnerable network.”
Next was the arbitrary code execution vulnerability affecting the Atlassian Confluence Server and Data Center that saw attempted mass exploitation in September. “This vulnerability quickly became one of the most routinely exploited vulnerabilities after a POC was released within a week of its disclosure,” the agencies noted.
Rounding out the list were the remote code execution vulnerability targeting VMware vSphere Client, the ZeroLogon vulnerability affecting Microsoft Netlogon Remote Protocol (MS-NRPC), the Microsoft Exchange Memory Corruption Vulnerability, the arbitrary file reading vulnerability targeting Pulse Secure Pulse Connect Secure, and the path traversal vulnerability targeting Fortinet FortiOS and FortiProxy.
Three of the year’s top vulnerabilities — ZeroLogon, Fortinet FortiOS and FortiProxy, and Pulse Secure Pulse Connect Secure — were also routinely exploited in 2020. “Their continued exploitation indicates that many organizations fail to patch software in a timely manner and remain vulnerable to malicious cyber actors,” agencies reiterated.
The advisory includes an additional list of vulnerabilities routinely exploited by malicious cyber actors in 2021, with multiple vulnerabilities affecting internet-facing systems including Accellion File Transfer Appliance (FTA), Windows Print Spooler, and Pulse Secure Pulse Connect Secure.
Organizations are urged to apply mitigation recommendations in the advisory, including “applying timely patches to systems and implementing a centralized patch management system to reduce the risk of compromise by malicious cyber actors.”
Recommendations include replacing software that is no longer supported by the vendor, enforcing multifactor authentication “for all users, without exception,” properly configuring and securing internet-facing network devices, and implementing vendor-approved workarounds if a patch for a known exploited or critical vulnerability cannot be quickly applied.
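The mitigations above reduce to a prioritization problem: which assets are running software the vendor no longer supports, which are exposed to a known-exploited vulnerability without the fix, and which of those are internet-facing. The script below is an added illustration of that triage, not code from the advisory or from any of the agencies. Product names are ones the advisory lists, but every version number, CVE identifier, host name and support status in it is a constructed placeholder, not a real affected range; a real run would take the inventory from a patch management system and the vulnerability list from the advisory itself.

```python
"""Remediation triage of an asset inventory against a list of known-exploited
vulnerabilities.  Added example, not the advisory's or the article's own code.
All versions, CVE ids, hosts and support flags below are constructed placeholders."""
from dataclasses import dataclass


def parse_version(text):
    """Turn '9.1.10' into (9, 1, 10) so versions compare numerically, not as strings
    (string comparison would wrongly rank '9.1.9' above '9.1.10')."""
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: str
    internet_facing: bool
    vendor_supported: bool


@dataclass(frozen=True)
class ExploitedVuln:
    cve: str          # placeholder id; real ids come from the advisory
    product: str
    fixed_in: str     # first version carrying the fix (constructed value)
    workaround: bool  # vendor-approved workaround exists while the patch waits


# Constructed sample inventory and vulnerability list (placeholders throughout).
ASSETS = [
    Asset("mail-01", "Microsoft Exchange Server", "15.1.2000", True, True),
    Asset("mail-02", "Microsoft Exchange Server", "15.1.2400", True, True),
    Asset("vpn-01", "Pulse Connect Secure", "9.1.10", True, False),
    Asset("wiki-01", "Atlassian Confluence Server", "7.12.0", False, True),
    Asset("app-01", "Apache Log4j", "2.99.1", True, True),
]

EXPLOITED = [
    ExploitedVuln("CVE-PLACEHOLDER-1", "Microsoft Exchange Server", "15.1.2300", True),
    ExploitedVuln("CVE-PLACEHOLDER-2", "Pulse Connect Secure", "9.1.12", False),
    ExploitedVuln("CVE-PLACEHOLDER-3", "Atlassian Confluence Server", "7.13.0", True),
    ExploitedVuln("CVE-PLACEHOLDER-4", "Apache Log4j", "2.99.0", False),
]


def triage(assets, exploited):
    """Return (host, cve, action) findings, riskiest first.

    Ordering follows the advisory's recommendations: unsupported software is a
    'replace' finding regardless of any single CVE; supported software below the
    fixed version is 'patch now', with the vendor workaround named when one
    exists; internet-facing assets rank above internal ones because those were
    the systems targeted in 2021."""
    findings = []
    for asset in assets:
        if not asset.vendor_supported:
            # No vendor patch will ever arrive; replacement is the only fix.
            findings.append(((True, asset.internet_facing), asset.host, "n/a",
                             "replace: software no longer supported by the vendor"))
            continue
        for vuln in exploited:
            if vuln.product != asset.product:
                continue
            if parse_version(asset.version) >= parse_version(vuln.fixed_in):
                continue  # already at or beyond the fixed version
            if vuln.workaround:
                action = "patch now; apply the vendor workaround until the patch is deployed"
            else:
                action = "patch now; no vendor workaround listed"
            findings.append(((False, asset.internet_facing), asset.host, vuln.cve, action))
    # Sort key is (unsupported, internet_facing): True sorts first with reverse=True.
    findings.sort(key=lambda f: f[0], reverse=True)
    return [(host, cve, action) for _, host, cve, action in findings]


if __name__ == "__main__":
    for host, cve, action in triage(ASSETS, EXPLOITED):
        print(f"{host:8} {cve:18} {action}")
```

Run as-is, the sample data yields three findings in this order: the unsupported VPN appliance (replace), the internet-facing mail server below the fixed version (patch with workaround), and the internal wiki (patch with workaround); the two assets already at or beyond the fixed version produce nothing. The version comparison is the part most often done wrong in home-grown inventory scripts, which is why it is a separate function here.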