Today, the Cybersecurity and Infrastructure Security Agency (CISA) published a joint advisory with the cybersecurity authorities of the United States, Australia, Canada, New Zealand, and the United Kingdom detailing 2021’s top routinely exploited vulnerabilities.
CISA noted that while some threat actors continued to “play the hits” by exploiting older vulnerabilities from 2020 and earlier, newer vulnerabilities were generally more popular targets.
Two conclusions can be drawn from this data. First, older vulnerabilities are still targeted, and organizations must patch them. There are no excuses here.
Second, patching older vulnerabilities is not enough, because threat actors are finding and exploiting new vulnerabilities faster than ever. Organizations must match or exceed the speed of threat actors to mitigate the risk of breaches or incidents.
CISA also notes that proof-of-concept (POC) code for most of the top exploited vulnerabilities was released within two weeks of the vulnerability disclosure. We strongly recommend that your patching policy reflect this speed – any critical vulnerability should be patched within a 24/72-hour threshold, because exploit code for these vulnerabilities is already in circulation by then.
Top 15 Routinely Exploited Vulnerabilities of 2021
Disclosed in December of 2021, the vulnerability was quickly weaponized by threat actors, and when exploited gave them full control over the system to steal information, deploy ransomware or cryptocurrency miners, or conduct other malicious activity.
CVE-2021-26855, CVE-2021-26858, CVE-2021-26857, CVE-2021-27065: These vulnerabilities, collectively referred to as ProxyLogon, affect Microsoft Exchange email servers. When chained, exploitation of these vulnerabilities allows for an unauthenticated attacker to execute arbitrary code on the affected server and gain access to the files, mailboxes, and credentials stored on the servers.
Advanced persistent threat (APT) groups such as Hafnium weaponized these vulnerabilities quickly to gain access to vulnerable Exchange servers.
CVE-2021-34523, CVE-2021-34473, CVE-2021-31207: Microsoft Exchange email servers were a popular target for threat actors in 2021. These vulnerabilities are collectively referred to as “ProxyShell” and when chained together allow attackers to execute arbitrary code on the server.
CISA included additional recommendations to help mitigate the above vulnerabilities and improve your security posture for the inevitable threats in 2022 and beyond:
Improve your vulnerability and configuration management:
Update software, operating systems, applications, and firmware with a centralized patch management system in a timely manner
Prioritize patching known exploited vulnerabilities first
Replace end-of-life software that is no longer supported by the vendors
If you’re unable to scan and patch internet-facing assets promptly, consider moving the services to a reputable cloud service provider or managed service provider (MSP)
Implement identity and access management:
Enforce multi-factor authentication (MFA) for all users, especially those on VPN connections – no exceptions
Incorporate a regular (at least annual) review, update, and removal of privileged accounts
Adopt and configure access control with a “least privilege” principle
Implement protective controls and secure architecture:
Configure and secure internet-facing network devices, disable unused and nonessential ports and protocols, encrypt network traffic, and disable unused network services and devices
Segment networks to help limit or block lateral movement by threat actors
Use private virtual local area networks (VLANs)
Implement continuous monitoring and investigate abnormal activity
Reduce third-party applications with unique system or application builds, using them only when business-critical
Implement application allowlisting
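The 24/72-hour patch threshold recommended above, combined with CISA's advice to patch known exploited vulnerabilities first, can be turned into a simple triage rule. The following is an added example written for this article, not code from CISA or Automox. It assumes a policy of 24 hours for anything known to be exploited, 72 hours for other critical findings, and a 14-day default for everything else (the 14-day value is an assumption, not from the advisory); the findings, CVE identifiers, and timestamps are constructed sample data.

```python
"""Patch-window triage for vulnerability findings (added example).

Encodes an assumed patch policy:
  - known exploited (CISA KEV-style)  -> 24 hours, regardless of severity
  - critical, not known exploited     -> 72 hours
  - everything else                   -> 14 days (assumed default)
Findings are ordered so that known exploited items come first, then by deadline.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Finding:
    cve: str
    severity: str            # e.g. "critical", "high", "medium"
    known_exploited: bool    # listed as routinely/known exploited
    disclosed: datetime      # public disclosure time (UTC)
    patched: Optional[datetime] = None  # None while still open


def patch_window(f: Finding) -> timedelta:
    """Maximum time allowed between disclosure and patch under the assumed policy."""
    if f.known_exploited:
        return timedelta(hours=24)
    if f.severity == "critical":
        return timedelta(hours=72)
    return timedelta(days=14)  # assumed default, not from the advisory


def deadline(f: Finding) -> datetime:
    return f.disclosed + patch_window(f)


def is_overdue(f: Finding, now: datetime) -> bool:
    """True if the finding was (or still is) unpatched past its deadline."""
    end = f.patched if f.patched is not None else now
    return end > deadline(f)


def triage(findings, now: datetime):
    """Open findings in the order they should be worked: known exploited first, then earliest deadline."""
    open_items = [f for f in findings if f.patched is None]
    return sorted(open_items, key=lambda f: (not f.known_exploited, deadline(f)))


def sla_report(findings, now: datetime) -> dict:
    """Summary counts for an SLA dashboard."""
    report = {"open": 0, "overdue": 0, "patched_in_window": 0, "patched_late": 0}
    for f in findings:
        if f.patched is None:
            report["open"] += 1
            if is_overdue(f, now):
                report["overdue"] += 1
        elif is_overdue(f, now):
            report["patched_late"] += 1
        else:
            report["patched_in_window"] += 1
    return report


# Constructed reference time and sample findings (placeholder CVE ids, not real ones).
NOW = datetime(2022, 5, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", "critical", True, NOW - timedelta(hours=30)),    # KEV: 24h window, overdue
    Finding("CVE-0000-0002", "critical", False, NOW - timedelta(hours=48)),   # 72h window, still inside
    Finding("CVE-0000-0003", "high", True, NOW - timedelta(days=20)),         # KEV but only "high": still 24h
    Finding("CVE-0000-0004", "critical", False, NOW - timedelta(hours=100),
            patched=NOW - timedelta(hours=50)),                               # patched 50h after disclosure
    Finding("CVE-0000-0005", "medium", False, NOW - timedelta(days=3)),       # default 14-day window
]

if __name__ == "__main__":
    for f in triage(SAMPLE_FINDINGS, NOW):
        flag = "OVERDUE" if is_overdue(f, NOW) else "due " + deadline(f).isoformat()
        print(f"{f.cve:16} kev={f.known_exploited!s:5} {f.severity:9} {flag}")
    print(sla_report(SAMPLE_FINDINGS, NOW))
```

Note that the "high" finding flagged as known exploited is worked before the open "critical" one that is not: the ordering follows the advisory's point that exploitation status, not CVSS alone, drives urgency.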
And if you’re not already using Automox for patching, you can start a free trial to patch your Microsoft and Log4j vulnerabilities today.
Automox for Easy IT Operations
Automox is the cloud-native IT operations platform for modern organizations. It makes it easy to keep every endpoint automatically configured, patched, and secured – anywhere in the world. With the push of a button, IT admins can fix critical vulnerabilities faster, slash cost and complexity, and win back hours in their day.
Demo Automox and join thousands of companies transforming IT operations into a strategic business driver.