A joint advisory issued by cyber agencies in Australia, the United States and the United Kingdom has detailed the top cyber security vulnerabilities exploited by malicious cyber actors since 2020.
Not only does the advisory highlight the top Common Vulnerabilities and Exposures (CVEs) routinely exploited by cyber actors in 2020, it also includes those vulnerabilities being widely exploited thus far in 2021.
One of the key findings of the respective cyber agencies was that four of the most targeted vulnerabilities in 2020 involved remote work, VPNs or cloud-based technologies.
Indeed, many VPN gateway devices remained unpatched during 2020, with the growth of remote work options due to the COVID-19 pandemic challenging the ability of organisations to conduct rigorous patch management, the agencies noted.
In 2021, malicious cyber actors continued to target vulnerabilities in perimeter-type devices, according to the agencies, which included the United States’ Cyber Security and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI), the UK’s National Cyber Security Centre (NCSC) and the Australian Cyber Security Centre (ACSC).
Together, the agencies considered the vulnerabilities listed below to be the most regularly exploited CVEs by cyber actors during 2020:
- Citrix: CVE-2019-19781 (arbitrary code execution)
- Pulse: CVE-2019-11510 (arbitrary file reading)
- Fortinet: CVE-2018-13379 (path traversal)
- F5/Big-IP: CVE-2020-5902 (remote code execution, RCE)
- MobileIron: CVE-2020-15505 (RCE)
- Microsoft: CVE-2017-11882 (RCE)
- Atlassian: CVE-2019-11580 (RCE)
- Drupal: CVE-2018-7600 (RCE)
- Telerik: CVE-2019-18935 (RCE)
- Microsoft: CVE-2019-0604 (RCE)
- Microsoft: CVE-2020-0787 (elevation of privilege)
- Netlogon: CVE-2020-1472 (elevation of privilege)
Among these vulnerabilities, CVE-2019-19781 was the most exploited flaw in 2020, according to US government technical analysis.
In 2021, threats have not slowed down, with malicious cyber actors continuing to target vulnerabilities in perimeter-type devices.
Among those highly exploited in 2021 are vulnerabilities in Microsoft, Pulse, Accellion, VMware and Fortinet, the agencies said, urging that organisations should prioritise patching for the following CVEs known to be exploited:
- Microsoft Exchange: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065
- Pulse Secure: CVE-2021-22893, CVE-2021-22894, CVE-2021-22899, and CVE-2021-22900
- Accellion: CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, and CVE-2021-27104
- VMware: CVE-2021-21985
- Fortinet: CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591
“In cyber security, getting the basics right is often most important,” said Eric Goldstein, executive assistant director for cyber security at CISA. “Organisations that apply the best practices of cyber security, such as patching, can reduce their risk to cyber actors exploiting known vulnerabilities in their networks.
“Collaboration is a crucial part of CISA’s work and today we partnered with ACSC, NCSC and FBI to highlight cyber vulnerabilities that public and private organisations should prioritise for patching to minimise risk of being exploited by malicious actors,” he added.
The agencies jointly encouraged organisations that have not yet remediated the vulnerabilities to investigate for the presence of indicators of compromise. If compromised, organisations should initiate incident response and recovery plans, the agencies urged.
One set of exploited vulnerabilities noted by the agencies underpinned the global Microsoft Exchange Server hack earlier this year.
On 2 March 2021, Microsoft detected multiple zero-day exploits being used to attack on-premises versions of Microsoft Exchange Server.
Microsoft subsequently released security updates for Exchange Server to protect users against vulnerabilities in on-premises versions of the software, with the China-based state-sponsored actor Hafnium flagged as the primary group behind exploits targeting the flaws.
The vulnerabilities — CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065 — affect Microsoft Exchange Server 2013, 2016 and 2019, and are part of an attack chain initiated with the ability to make an untrusted connection to Exchange Server port 443.
By 4 March, Microsoft said that its Exchange Server team had released a script for checking Hafnium indicators of compromise (IOCs). The script was published on GitHub.
In a blog post published by the Microsoft Security Response Center on 6 March, the company detailed alternative mitigation techniques for customers that were not able to apply the updates quickly, either because they needed more time to patch their deployments or because they were willing to accept trade-offs between risk and service functionality.