One-Third of the Top 12 Exploited Vulnerabilities Reside in Microsoft Products

essidsolutions
  • Five Eyes, the cybersecurity alliance, discovered that older but unpatched vulnerabilities are the favorites of threat actors.
  • Organizations are yet to implement timely patch applications and periodic security maintenance practices.
  • According to the report by the NSA, the FBI, and CISA, over half of the top 12 exploited vulnerabilities were discovered in 2021 or earlier.

This week, Five Eyes published the 2022 Top Routinely Exploited Vulnerabilities report. The cybersecurity alliance discovered that older but unpatched vulnerabilities are the favorites of threat actors.

The United States Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) collaborated with respective cybersecurity agencies from the U.K., Australia, Canada, and New Zealand, to unearth the findings, which reveal that organizations are yet to implement timely patch application and periodic security maintenance practices.

The report noted that more than half of the top 12 exploited vulnerabilities were discovered in 2021 or earlier and that patches for the flaws are available. Moreover, the proof of concept (PoC) for most of these security bugs is publicly available.

Rosa Smothers, former CIA cyber threat analyst and current executive at KnowBe4, told Spiceworks, “What’s most interesting from a cybersecurity perspective is that seven out of twelve of these vulnerabilities were discovered between 2018 and 2021.

“One of the basic tenets of cybersecurity is good patch management of security flaws affecting software and equipment. Organizations that remain vulnerable are clearly apathetic to the threat landscape.”

The Fortinet FortiOS and FortiProxy vulnerability featured as the most exploited vulnerability of 2022, followed by the three Microsoft Exchange Server vulnerabilities, the remote code execution bug in Zoho ManageEngine, the code execution vulnerability in Confluence Server and Data Center, and the Log4Shell flaw in Apache’s Log4j framework, all of which also made it onto CISA’s 2021 Top Routinely Exploited Vulnerabilities list.

William Wright, CEO of Closed Door Security, told Spiceworks, “The vulnerabilities on the top 12 list come from a range of vendors, and some are very old, but these are the bugs attackers look for. They know the software is ubiquitous, and they can easily run scans to find vulnerable servers, so exploiting these bugs takes very little effort on their part.”

List of the Top 12 Routinely Exploited Vulnerabilities of 2022

| CVE | CVSS v3.1 Score | Vendor | Product | Type |
|---|---|---|---|---|
| CVE-2018-13379 | 9.8 | Fortinet | FortiOS and FortiProxy SSL VPN | Credential exposure |
| CVE-2021-34473 (ProxyShell) | 9.8 | Microsoft | Exchange Server | RCE |
| CVE-2021-31207 (ProxyShell) | 7.2 | Microsoft | Exchange Server | Security Feature Bypass |
| CVE-2021-34523 (ProxyShell) | 9.8 | Microsoft | Exchange Server | Elevation of Privilege |
| CVE-2021-40539 | 9.8 | Zoho | ManageEngine ADSelfService Plus | RCE / Authentication Bypass |
| CVE-2021-26084 | 9.8 | Atlassian | Confluence Server and Data Center | Arbitrary code execution |
| CVE-2021-44228 (Log4Shell) | 10 | Apache | Log4j2 | RCE |
| CVE-2022-22954 | 9.8 | VMware | Workspace ONE Access and Identity Manager | RCE |
| CVE-2022-22960 | 7.8 | VMware | Workspace ONE Access, Identity Manager, and vRealize Automation | Improper Privilege Management |
| CVE-2022-1388 | 9.8 | F5 Networks | BIG-IP | Missing Authentication Vulnerability |
| CVE-2022-30190 | 7.8 | Microsoft | Multiple Products | RCE |
| CVE-2022-26134 | 9.8 | Atlassian | Confluence Server and Data Center | RCE |

“This target list is already a part of the arsenal used by cybercriminals to gain access to organizations’ networks. It’s like ringing the doorbell to see if anyone is home and turning the door handle. If it’s unlocked, they go inside without any problem,” James McQuiggan, Security Awareness Advocate at KnowBe4, explained to Spiceworks.

“Suppose the cybercriminals scan for these vulnerabilities on an organization’s external network devices like Exchange, Fortinet, or Apache (Log4j). If the result comes back true, then it’s susceptible. In that case, organizations are making it easy for them to walk in the front door before doing any social engineering.”

Still, McQuiggan highlighted the importance of developers in ensuring protection from vulnerabilities. “While it’s essential to keep up with patches, developers must ensure they have patches for the known vulnerabilities available as quickly as possible to reduce the risk of attacks against their customers.”

While this holds true for new vulnerabilities, there is no excuse for downstream organizations to slack off in their role for responsible patching. “My advice to organizations is to test their assets against these vulnerabilities as soon as possible and then to apply the patches where necessary. Now that this list has been issued, attackers will be working hard to utilize these bugs as much as possible while they still can. The clock is ticking, and attackers know it,” Wright said.
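As an added example (not part of the article or the Five Eyes report), a small Python script that cross-checks a vulnerability-scanner export against the top-12 list above and orders the remediation queue by CVSS score, flagging entries whose CVE predates 2022; the CSV layout and the host names are constructed assumptions.

```python
import csv
import io

# The 12 CVEs from the 2022 Five Eyes report as listed above: CVE -> (CVSS v3.1, vendor, product)
TOP_12 = {
    "CVE-2018-13379": (9.8, "Fortinet", "FortiOS and FortiProxy SSL VPN"),
    "CVE-2021-34473": (9.8, "Microsoft", "Exchange Server"),
    "CVE-2021-31207": (7.2, "Microsoft", "Exchange Server"),
    "CVE-2021-34523": (9.8, "Microsoft", "Exchange Server"),
    "CVE-2021-40539": (9.8, "Zoho", "ManageEngine ADSelfService Plus"),
    "CVE-2021-26084": (9.8, "Atlassian", "Confluence Server and Data Center"),
    "CVE-2021-44228": (10.0, "Apache", "Log4j2"),
    "CVE-2022-22954": (9.8, "VMware", "Workspace ONE Access and Identity Manager"),
    "CVE-2022-22960": (7.8, "VMware", "Workspace ONE Access, Identity Manager, vRealize Automation"),
    "CVE-2022-1388": (9.8, "F5 Networks", "BIG-IP"),
    "CVE-2022-30190": (7.8, "Microsoft", "Multiple Products"),
    "CVE-2022-26134": (9.8, "Atlassian", "Confluence Server and Data Center"),
}

# Constructed scanner export with hypothetical host names; real exports differ per tool.
SAMPLE_SCAN = """host,cve,status
mail01.example.test,CVE-2021-34473,open
mail01.example.test,CVE-2021-34523,open
vpn01.example.test,CVE-2018-13379,open
wiki01.example.test,CVE-2022-26134,patched
build01.example.test,CVE-2021-44228,open
build01.example.test,CVE-2023-99999,open
"""

def cve_year(cve):
    """Year component of a CVE id: CVE-2018-13379 -> 2018."""
    return int(cve.split("-")[1])

def prioritize(scan_csv, report_year=2022):
    """Open findings that match the top-12 list, highest CVSS first (ties: oldest CVE first).
    'overdue' marks CVEs older than the report year, i.e. patched upstream for a year or more."""
    queue = []
    for row in csv.DictReader(io.StringIO(scan_csv)):
        if row["status"] != "open" or row["cve"] not in TOP_12:
            continue  # already patched, or not on the report's list
        cvss, vendor, product = TOP_12[row["cve"]]
        queue.append({"host": row["host"], "cve": row["cve"], "cvss": cvss,
                      "vendor": vendor, "product": product,
                      "overdue": cve_year(row["cve"]) < report_year})
    return sorted(queue, key=lambda e: (-e["cvss"], cve_year(e["cve"])))

if __name__ == "__main__":
    for e in prioritize(SAMPLE_SCAN):
        print(f'{e["cvss"]:>4} {e["cve"]} {e["host"]} overdue={e["overdue"]}')
```

Findings that are already patched or not on the list are dropped, so the output is the patch queue the quoted advice asks for, with the oldest, longest-patchable bugs surfacing first among equal scores.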


Microsoft in the Eye of the Storm

Besides the above 12, Five Eyes also shared the list of 30 additional vulnerabilities, 10 of which reside in Microsoft products. Overall, of the 42 vulnerabilities identified by Five Eyes, 14 are from Microsoft products.

The 2022 Top Routinely Exploited Vulnerabilities report comes on the heels of Senator Ron Wyden’s (D-OR) scathing letter to Jen Easterly, director at CISA; Merrick B. Garland, attorney general at the Department of Justice; and Lina Khan, chair of the Federal Trade Commission, about Microsoft’s conduct with regard to vulnerability management.

“I write to request that your agencies take action to hold Microsoft responsible for its negligent cybersecurity practices, which enabled a successful Chinese espionage campaign against the United States government,” Wyden wrote.

Wyden’s letter refers to the cyberespionage campaign originating from China that targeted and compromised hundreds of U.S. individuals, including government officials. Wyden goes on to allege that Microsoft is also to blame for the massive SolarWinds campaign wherein attackers gained access “by stealing encryption keys and forging Microsoft credentials.”

Almost a week after Wyden’s letter, Tenable chair and CEO Amit Yoran also took to LinkedIn to express his disapproval of Microsoft and its “culture of toxic obfuscation.” Yoran pointed out a Google Project Zero report that discovered that Microsoft products account for an aggregated 42.5% of all zero-day vulnerabilities found since 2014.

“Microsoft’s lack of transparency applies to breaches, irresponsible security practices, and vulnerabilities, all of which expose their customers to risks they are deliberately kept in the dark about,” Yoran wrote. The Tenable CEO cited two vulnerabilities the company discovered in March 2023, for which Microsoft took 90 days to roll out a partial fix.

“This is a repeated pattern of behavior. Several security companies have written about their vulnerability notification interactions with Microsoft and Microsoft’s dismissive attitude about the risk that vulnerabilities present to their customers. Orca Security, Wiz, Positive Security, and Fortinet published prime examples, with the latter covering the security disaster known as ‘Follina.’” – Amit Yoran, CEO at Tenable.

According to Yoran, the bugs, one of which Tenable deems critical, still aren’t fully resolved 120 days after Tenable apprised the Redmond-based tech giant.

“Cloud providers have long espoused the shared responsibility model. That model is irretrievably broken if your cloud vendor doesn’t notify you of issues as they arise and apply fixes openly,” Yoran continued. “Microsoft’s track record puts us all at risk. And it’s even worse than we thought.”
