Most vulnerabilities have one thing in common: they’re old


Cybercrooks routinely exploit more than 40 common vulnerabilities and target “if it ain't broke, don't fix it” systems around the globe. A new report reveals that they use older software vulnerabilities more frequently than recently discovered ones, and the main target is unpatched internet-facing systems.

According to a joint cybersecurity advisory prepared by international cybersecurity agencies, including CISA, the proof of concept code for many software vulnerabilities or vulnerability chains is public and utilized by a broader range of malicious cyber actors.

Exploits for critical, widespread, and publicly known vulnerabilities give cyber criminals low-cost, high-impact tools they can use for several years, as organizations are slow in patching their systems.

ADVERTISEMENT

The list of routinely exploited vulnerabilities includes more than 40 entries.

Most of the success in exploiting known flaws can be achieved within two years of public disclosure, because the value of such vulnerabilities gradually decreases as software is updated or upgraded.

“Malicious cyber actors likely prioritize developing exploits for severe and globally prevalent common vulnerabilities and exposures,” the report writes.

Timely patching reduces the effectiveness of such attacks and pushes hackers to work harder, pursuing more costly and time-consuming methods.

Zero-day exploits or conducting supply chain operations are usually carried out by sophisticated threat actors.

The authoring agencies recommend that vendors, developers, and end-user organizations identify the most exploited vulnerabilities, implement appropriate mitigations, follow appropriate secure software design and development practices, and improve their cybersecurity posture accordingly.

The first recommendation begins with “Update software, operating systems, applications, and firmware on IT network assets in a timely manner.”

The complete list for organizations includes all the fundamental practices of cybersecurity hygiene:

ADVERTISEMENT
  • Routinely perform automated asset discovery
  • Implement a robust patch management process
  • Document secure baseline configurations for all IT/OT components
  • Perform regular secure system backups
  • Maintain an updated cybersecurity incident response plan
  • Enforce phishing-resistant multifactor authentication (MFA) for all users
  • Enforce MFA on all VPN connections
  • Regularly review, validate, or remove privileged accounts
  • Configure access control under the principle of least privilege
  • Properly configure and secure internet-facing network devices
  • Implement Zero Trust Network Architecture (ZTNA)
  • Continuously monitor the attack surface
  • Reduce third-party applications and unique system/application builds
  • Ask your software providers to discuss their secure-by-design program

Top 12 vulnerabilities observed:

CVE-2018-13379. The continued exploitation of this vulnerability, affecting Fortinet SSL VPNs, indicates that many organizations failed to patch software promptly and remain vulnerable to malicious cyber actors.

CVE-2021-34473, CVE-2021-31207, CVE-2021-34523. ProxyShell vulnerabilities affect Microsoft Exchange email servers. Exploitation enables a remote actor to execute arbitrary code. These vulnerabilities reside within the Microsoft Client Access Service, which is commonly exposed to the internet to allow users to access their email via mobile devices and web browsers, service runs on port 443 in Microsoft Internet Information Services (IIS) (e.g., Microsoft's web server).

CVE-2021-40539. This vulnerability enables unauthenticated remote code execution (RCE) in Zoho ManageEngine ADSelfService Plus and was linked to the usage of an outdated third-party dependency.

CVE-2021-26084. This vulnerability affects Atlassian Confluence Server and Data Center (a web-based collaboration tool used by governments and private companies). It could enable an unauthenticated cyber actor to execute arbitrary code on vulnerable systems. This vulnerability quickly became one of the most routinely exploited after a proof of concept was released within a week of its disclosure.

CVE-2021-44228. This vulnerability, known as Log4Shell, affects Apache's Log4j library, an open-source logging framework incorporated into thousands of products worldwide. An actor can exploit this vulnerability by submitting a specially crafted request to a vulnerable system, causing the execution of arbitrary code. The request allows a cyber actor to take full control of a system.

CVE-2022-22954, CVE-2022-22960. These vulnerabilities allow RCE, privilege escalation, and authentication bypass in VMware Workspace ONE Access, Identity Manager, and other VMware products. A malicious cyber actor with network access could trigger a server-side template injection that may result in remote code execution.

CVE-2022-1388. This vulnerability allows unauthenticated malicious cyber actors to bypass iControl REST authentication on F5 BIG-IP application delivery and security software.

CVE-2022-30190. This vulnerability impacts the Microsoft Support Diagnostic Tool (MSDT) in Windows. A remote, unauthenticated cyber actor could exploit this vulnerability to take control of an affected system.

ADVERTISEMENT

CVE-2022-26134. This critical RCE vulnerability affects Atlassian Confluence and Data Center. The vulnerability was likely initially exploited as a zero-day before public disclosure in June 2022.