Cybersecurity Agencies Around the World Released a Joint Advisory on Commonly Exploited Vulnerabilities in 2022
The Canadian Centre for Cyber Security, along with cybersecurity agencies from the US, Australia, New Zealand and the UK, has released a joint advisory on the vulnerabilities most commonly exploited by attackers in 2022.
The report finds that attackers exploited older software vulnerabilities more frequently than recently disclosed ones, targeting systems that had remained unpatched for long periods of time. Proof of concept exploit code was publicly available for many of the vulnerabilities, which reduced the effort required on the attackers' part to write exploits and sped up the exploitation process.
The most commonly exploited vulnerabilities for 2022 are:
CVE-2018-13379: vulnerability affecting Fortinet SSL VPNs, also commonly exploited in 2020 and 2021, which can be exploited to steal files from the device
CVE-2021-34473, CVE-2021-31207 and CVE-2021-34523: vulnerabilities affecting Microsoft Exchange Server, collectively known as ProxyShell, which can be exploited to run arbitrary code
CVE-2021-40539: vulnerability in Zoho ManageEngine ADSelfService Plus, which can be exploited to run arbitrary code. The vulnerability itself is the result of using an outdated third-party dependency.
CVE-2021-26084: vulnerability affecting Atlassian Confluence Server and Data Center, which can be exploited to run arbitrary code. A proof of concept exploit was released a week after disclosure, and mass exploitation followed soon after
CVE-2021-44228: vulnerability in Apache’s Log4j library, known as Log4Shell, which can be exploited to run arbitrary code. Mass exploitation followed soon after public disclosure
CVE-2022-22954 and CVE-2022-22960: vulnerabilities in VMware Workspace ONE Access, Identity Manager and other VMware products, which can be exploited to run arbitrary code
CVE-2022-1388: vulnerability in F5 BIG-IP, which can be exploited to bypass iControl REST authentication and execute arbitrary code
CVE-2022-30190: vulnerability in the Microsoft Support Diagnostic Tool, which can be exploited to run arbitrary code
CVE-2022-26134: vulnerability in Atlassian Confluence Server and Data Center, which can be exploited to run arbitrary code
There were many other vulnerabilities in Microsoft, Citrix, F5, Oracle, SonicWALL, Ivanti, Apache, Fortinet, Zimbra, SAP, VMware and QNAP beyond the top 12.
Main Observations
Software is still not being patched, even after many years
Commonly exploited vulnerabilities are in Internet-facing systems, which is expected
Commonly exploited vulnerabilities tend to result in remote/arbitrary code execution, which allows an attacker to take full control over the software and device
There is no specific vendor that is more vulnerable/targeted than others
Vulnerabilities are being exploited soon after public disclosure and/or the release of proof of concept code, which likely reduces the cost to attackers
The software being exploited tends to be widely used; attackers seek wide exploitability in order to have greater impact
Why Should You Care?
Common business software is a frequent attack target
The vast majority of attacks are opportunistic (exploiting systems that businesses have not patched), so they will affect you too
You cannot rely on any vendor to be completely vulnerability-free
Attackers are getting better at weaponizing vulnerabilities
If your business does not keep up to date with vulnerabilities and patching, you are almost guaranteed to be compromised
What Should You Do?
Maintain an accurate, up-to-date inventory of all assets within the organization, including hardware, software, networking devices, phones and data, so that you know what can be attacked
Implement a patch management process to ensure vulnerabilities are patched as soon as possible
Implement a multi-layered approach to security to better protect against a single weakness compromising the entire system
Establish a security baseline for all assets, document all deviations and monitor for compliance
Implement and maintain a cybersecurity incident response plan, so that in the event of an attack it can be detected quickly, stopped, and its impact reduced
References
https://www.cyber.gc.ca/en/news-events/joint-advisory-2022-top-routinely-exploited-vulnerabilities
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-215a