A joint security advisory issued today by several cybersecurity agencies from the US, the UK, and Australia reveals the top 30 most targeted security vulnerabilities of the last two years.
CISA, the Australian Cyber Security Centre (ACSC), the United Kingdom's National Cyber Security Centre (NCSC), and the Federal Bureau of Investigation (FBI) also shared mitigations to help private and public sector organizations counter these vulnerabilities.
"Collaboration is a crucial part of CISA's work and today we partnered with ACSC, NCSC and FBI to highlight cyber vulnerabilities that public and private organizations should prioritize for patching to minimize risk of being exploited by malicious actors," said Eric Goldstein, CISA Executive Assistant Director for Cybersecurity.
Attacks focused on remote work, VPN, cloud technologies
Based on data collected by the US Government, many of the most targeted bugs in 2020 were recently disclosed flaws, a trend the agencies tie to the rapid move to remote work at the start of the pandemic.
"The rapid shift and increased use of remote work options, such as virtual private networks (VPNs) and cloud-based environments, likely placed additional burden on cyber defenders struggling to maintain and keep pace with routine software patching," CISA explains.
With threat actors taking advantage of the move to remote working, four of the most routinely targeted vulnerabilities during 2020 affect work-from-home (WFH), VPN, or cloud-based technologies, as shown in the table below.
"In 2021, malicious cyber actors continued to target vulnerabilities in perimeter-type devices. Among those highly exploited in 2021 are vulnerabilities in Microsoft, Pulse, Accellion, VMware, and Fortinet," CISA added.
As further shown in the advisory, attackers keep exploiting publicly known (and often old) security bugs affecting a broad set of targets across many industry sectors.
Vendor | CVE | Type |
Citrix | CVE-2019-19781 | arbitrary code execution |
Pulse | CVE-2019-11510 | arbitrary file reading |
Fortinet | CVE-2018-13379 | path traversal |
F5 BIG-IP | CVE-2020-5902 | remote code execution (RCE) |
MobileIron | CVE-2020-15505 | RCE |
Microsoft | CVE-2017-11882 | RCE |
Atlassian | CVE-2019-11580 | RCE |
Drupal | CVE-2018-7600 | RCE |
Telerik | CVE-2019-18935 | RCE |
Microsoft | CVE-2019-0604 | RCE |
Microsoft | CVE-2020-0787 | elevation of privilege |
Microsoft (Netlogon) | CVE-2020-1472 | elevation of privilege |
Organizations urged to patch their systems
CISA, ACSC, the NCSC, and the FBI advise public and private organizations worldwide to patch and update their systems as soon as possible to reduce their attack surface.
"Entities worldwide can mitigate the vulnerabilities listed in this report by applying the available patches to their systems and implementing a centralized patch management system," the joint advisory added.
Organizations that cannot patch immediately, or do not plan to patch soon, should check their systems for signs of compromise and, if any are found, immediately initiate their incident response and recovery plans.
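As an added example (not code from the advisory or from this article), the following Python script shows one way to act on the table above: it normalizes CVE identifiers, which appear in inconsistent spellings both in the table and in typical scanner exports, and cross-references a vulnerability scanner export against the advisory's CVEs to produce a prioritized patch list per host. The CSV layout, host names, product names and the two CVE-2099-* placeholder identifiers are constructed assumptions for this example; only the twelve CVEs from the table come from the page.

```python
import csv
import io
import re
from collections import defaultdict

# The twelve CVEs from the 2020 table in the article above. The advisory's
# full list is longer; extend this set from the advisory itself if you use it.
ADVISORY_CVES = {
    "CVE-2019-19781", "CVE-2019-11510", "CVE-2018-13379", "CVE-2020-5902",
    "CVE-2020-15505", "CVE-2017-11882", "CVE-2019-11580", "CVE-2018-7600",
    "CVE-2019-18935", "CVE-2019-0604", "CVE-2020-0787", "CVE-2020-1472",
}

# Accepts "CVE-2019-11510", "cve 2019-11510", "CVE_2019_11510" and similar.
_CVE_RE = re.compile(r"(?i)\bCVE[\s_-]*(\d{4})[\s_-]*(\d{4,})\b")


def normalize_cve(text):
    """Return the canonical 'CVE-YYYY-NNNN' form found in text, or None.

    Tolerates the 'CVE 2019-11510' spelling used in the table above and the
    lowercase/underscore variants that show up in scanner exports.
    """
    m = _CVE_RE.search(text)
    if m is None:
        return None
    return f"CVE-{m.group(1)}-{m.group(2)}"


# Constructed sample scanner export (not real data). The column layout is an
# assumption; CVE-2099-0001/-0002 are placeholders, not real CVE identifiers,
# used only to show findings that are NOT on the advisory list.
SAMPLE_SCAN_CSV = """host,product,cve
vpn-gw-01,Pulse Connect Secure,cve 2019-11510
vpn-gw-01,Pulse Connect Secure,CVE-2099-0001
fw-edge-02,FortiOS SSL VPN,CVE-2018-13379
adc-03,Citrix ADC,CVE-2019-19781
dc-01,Windows Server,CVE-2020-1472
dc-01,Windows Server,CVE-2099-0002
web-07,Drupal,CVE_2018_7600
web-07,Drupal,n/a
"""


def prioritize(scan_csv, advisory=ADVISORY_CVES):
    """Group findings by host and flag the ones on the advisory list.

    Returns {host: {"priority": [...], "other": [...]}} with canonical IDs.
    Rows whose CVE column cannot be parsed are skipped rather than guessed.
    """
    out = defaultdict(lambda: {"priority": [], "other": []})
    for row in csv.DictReader(io.StringIO(scan_csv)):
        cve = normalize_cve(row["cve"])
        if cve is None:
            continue
        bucket = "priority" if cve in advisory else "other"
        out[row["host"]][bucket].append(cve)
    return dict(out)


def hosts_needing_priority_patching(scan_csv, advisory=ADVISORY_CVES):
    """Hosts with at least one advisory-listed CVE, most hits first,
    then by host name so the order is stable."""
    grouped = prioritize(scan_csv, advisory)
    hits = [(h, v["priority"]) for h, v in grouped.items() if v["priority"]]
    return sorted(hits, key=lambda hv: (-len(hv[1]), hv[0]))


if __name__ == "__main__":
    for host, cves in hosts_needing_priority_patching(SAMPLE_SCAN_CSV):
        print(f"{host}: patch now -> {', '.join(cves)}")
```

Feeding a real scanner export through this is a matter of replacing `SAMPLE_SCAN_CSV` and, if needed, the column name; the point is that the match is done on normalized identifiers, so a scanner that prints "cve 2019-11510" and a spreadsheet that prints "CVE_2019_11510" both land on the advisory entry.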
The complete list of Common Vulnerabilities and Exposures (CVEs) routinely exploited in attacks during the last two years is available in the joint advisory published earlier today.
The four agencies have also released indicators of compromise, recommended mitigations, detection methods, and links to patches for each of the vulnerabilities listed in the advisory.
"The advisory published today puts the power in every organisation’s hands to fix the most common vulnerabilities, such as unpatched VPN gateway devices," added Paul Chichester, NCSC's Director for Operations.
"Working with our international partners, we will continue to raise awareness of the threats posed by those that seek to cause harm."
Last week, MITRE also shared this year's list of the top 25 most common and dangerous weaknesses plaguing software throughout the previous two years.
One year ago, CISA and the FBI also published a list of the top 10 most exploited security vulnerabilities between 2016 and 2019.