Cybersecurity Agencies Around the World Released a Joint Advisory on Commonly Exploited Vulnerabilities in 2022

The Canadian Centre for Cyber Security, along with cybersecurity agencies from the US, Australia, New Zealand and the UK, has released a joint advisory on the vulnerabilities most commonly exploited by attackers in 2022.

The report finds that attackers exploited older software vulnerabilities more frequently than recently disclosed ones, targeting systems that had remained unpatched for long periods of time. Proof of concept exploit code was publicly available for many of the vulnerabilities, which reduced the effort on the attackers' part to write exploits and sped up the exploitation process.

The most commonly exploited vulnerabilities for 2022 are:

  • CVE-2018-13379: vulnerability affecting Fortinet SSL VPNs, also commonly exploited in 2020 and 2021, which can be exploited to steal files from the device

  • CVE-2021-34473, CVE-2021-31207 and CVE-2021-34523: vulnerabilities affecting Microsoft Exchange Server, collectively known as ProxyShell, which can be exploited to run arbitrary code

  • CVE-2021-40539: vulnerability in Zoho ManageEngine ADSelfService Plus, which can be exploited to run arbitrary code. The vulnerability itself is the result of using an outdated third-party dependency.

  • CVE-2021-26084: vulnerability affecting Atlassian Confluence Server and Data Center, which can be exploited to run arbitrary code. A proof of concept exploit was released a week after disclosure, and mass exploitation followed soon after

  • CVE-2021-44228: vulnerability in Apache’s Log4j library, known as Log4Shell, which can be exploited to run arbitrary code. Mass exploitation followed soon after public disclosure

  • CVE-2022-22954 and CVE-2022-22960: vulnerabilities in VMware Workspace ONE Access, Identity Manager and other VMware products, which can be exploited to run arbitrary code

  • CVE-2022-1388: vulnerability in F5 BIG-IP, which can be exploited to bypass iControl REST authentication and execute arbitrary code

  • CVE-2022-30190: vulnerability in Microsoft Support Diagnostics Tool, which can be exploited to run arbitrary code

  • CVE-2022-26134: vulnerability in Atlassian Confluence and Data Center, which can be exploited to run arbitrary code

There were many other vulnerabilities in Microsoft, Citrix, F5, Oracle, SonicWALL, Ivanti, Apache, Fortinet, Zimbra, SAP, VMware and QNAP beyond the top 12.

Main Observations

  • Software is still not being patched, even after many years

  • Commonly exploited vulnerabilities are in Internet-facing systems, which is expected

  • Commonly exploited vulnerabilities tend to result in remote/arbitrary code execution, which allows an attacker to take full control of the software and the device

  • There is no specific vendor that is more vulnerable/targeted than others

  • Vulnerabilities are getting exploited soon after public disclosure and/or release of proof of concept code, likely reducing the cost to attackers

  • The exploited software tends to be widely used; attackers favour widely deployed software because a single exploit then reaches more targets and has greater impact

Why Should You Care?

  • Common business software is a frequent attack target

  • The vast majority of attacks are opportunistic (made possible by businesses not patching their systems), so attacks will affect you

  • You cannot rely on any vendor to be completely vulnerability-free

  • Attackers are getting better at weaponizing vulnerabilities

  • If your business does not keep up to date with vulnerabilities and patching, you are almost guaranteed to be compromised

What Should You Do?

  • Maintain an accurate inventory of all assets within the organization, including hardware, software, networking devices, phones, data, etc., so you know what can be attacked, and keep it up to date

  • Implement a patch management process to ensure vulnerabilities are patched ASAP

  • Implement a multi-layered approach to security to better protect against a single weakness compromising the entire system

  • Establish a security baseline for all assets, document all deviations and monitor for compliance

  • Implement and maintain a cybersecurity incident response plan, so that in the event of an attack, the attack can be caught quickly, stopped, and its impact reduced
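As an added example (not code from the advisory or this post) of how an asset inventory and patch records can be cross-referenced with the CVE list above: the CVE-to-product map below is taken from the list on this page, while the inventory records, asset names and the `Asset` structure are constructed for illustration.

```python
# Added example: flag inventory assets that are still exposed to the
# advisory's CVEs, internet-facing assets first. Not from the advisory.
from dataclasses import dataclass, field

# CVEs and affected products as summarized on this page.
ADVISORY_CVES = {
    "CVE-2018-13379": "Fortinet SSL VPN",
    "CVE-2021-34473": "Microsoft Exchange Server",
    "CVE-2021-31207": "Microsoft Exchange Server",
    "CVE-2021-34523": "Microsoft Exchange Server",
    "CVE-2021-40539": "Zoho ManageEngine ADSelfService Plus",
    "CVE-2021-26084": "Atlassian Confluence Server and Data Center",
    "CVE-2021-44228": "Apache Log4j",
    "CVE-2022-22954": "VMware Workspace ONE Access",
    "CVE-2022-22960": "VMware Workspace ONE Access",
    "CVE-2022-1388": "F5 BIG-IP",
    "CVE-2022-30190": "Microsoft Support Diagnostics Tool",
    "CVE-2022-26134": "Atlassian Confluence Server and Data Center",
}

@dataclass
class Asset:  # constructed inventory record (hypothetical schema)
    name: str
    product: str
    internet_facing: bool
    patched_cves: set = field(default_factory=set)  # from patch records

def exposed_cves(asset):
    """Advisory CVEs for this asset's product not recorded as patched."""
    return sorted(cve for cve, product in ADVISORY_CVES.items()
                  if product == asset.product and cve not in asset.patched_cves)

def prioritize(inventory):
    """(name, missing CVEs) pairs: internet-facing first, then by count."""
    findings = [(a, exposed_cves(a)) for a in inventory]
    findings = [(a, cves) for a, cves in findings if cves]
    findings.sort(key=lambda f: (not f[0].internet_facing, -len(f[1]), f[0].name))
    return [(a.name, cves) for a, cves in findings]

# Constructed sample inventory.
SAMPLE_INVENTORY = [
    Asset("mail-01", "Microsoft Exchange Server", True, {"CVE-2021-34473"}),
    Asset("vpn-edge", "Fortinet SSL VPN", True),
    Asset("wiki-int", "Atlassian Confluence Server and Data Center", False,
          {"CVE-2021-26084", "CVE-2022-26134"}),
    Asset("build-agent", "Apache Log4j", False),
]

if __name__ == "__main__":
    for name, cves in prioritize(SAMPLE_INVENTORY):
        print(name, ", ".join(cves))
```

Patch records that lag behind the vendor's actual fixes will make assets look safer than they are, so the patched-CVE data should come from verified patch status, not intended rollout.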

References

  • https://www.cyber.gc.ca/en/news-events/joint-advisory-2022-top-routinely-exploited-vulnerabilities

  • https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-215a
