Among those that topped the list were Microsoft and Atlassian bugs, and the Log4Shell vulnerability – the latter of which is still in circulation today. Microsoft accounts for 9 out of the 15 top exploits listed in the report. The agencies, that were in partnership with the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and the Cybersecurity and Infrastructure Security Agency (CISA), stress that organizations need to do more to identify and manage these malicious actors, some of which have been targeting virtual private network (VPN) servers and emails to deploy their malware.
Cybersecurity Agencies Revealed The 15 Top Routinely Exploited Vulnerabilities
After over 20,000 common online vulnerabilities were disclosed in 2021, a global suite of cybersecurity organizations – alongside the US’s most notable security agencies – have identified the most commonly occurring threats. The Five Eyes intelligence partnership, comprised of authorities from the US, Australia, Canada, New Zealand, and the UK, found that the top bugs were Log4Shell, the Microsoft vulnerabilities ProxyShell, ProxiLogon, and a bug affecting Atlassian products.
— Rob Joyce (@NSA_CSDirector) April 27, 2022 According to an official release from CISA, three of the top 15 vulnerabilities were also being exploited in 2020. These include the Windows CVE-2020-1472 bug, which targets Microsoft servers, the CVE-2018-13379 bug, which was used to leak the credentials of over 87,000 Fortinet VPNs, and the CVE-2019-11510 bug, which was exploited by Russian actors to target US infrastructure sites. The report also warned that exploited proof-of-concept codes were partly responsible for the growing number of attacks. The codes, which are developed by IT researchers to demonstrate security flaws, are commonly released weeks after the vulnerabilities disclosure. Once released, these codes often fall into the hands of malicious actors, where they can be used to target and extort an even wider network of organizations. And these stunts aren’t happening on a small scale. The mass exploitation of a proof-of-concept code was behind the Atlassian bug, which was one of the most widespread vulnerabilities cited on the list. When asked if proof-of-concept codes should be kept private, CISA explained that these codes provide “a net benefit to network defenders, allowing them to validate patches and test mitigations.” This suggests that the threat of proof-of-concept vulnerabilities isn’t set to fade anytime soon.
The Malicious Log4Shell Bug Is Still At Large
CISA’s report also revealed that some bugs – like Log4Shell – are still being exploited to this day. Despite a global campaign to patch the vulnerability, the cybersecurity authorities have found that it is still being used by dangerous actors. For instance, the bug, that was discovered in December, was recently utilized by the North Korean government to hack into an unnamed engineering company with military customers. Yotam Perkal, vulnerability researcher at cybersecurity firm Rezilion, also adds that 68,000 public-facing internet servers and 90,000 machines are still vulnerable to the Log4Shell bug, with David Wolpoff, CTO of security company Randori adding that the vulnerability was one of the worst he’s seen in his career.
What Advice Do These Agencies Have For Businesses?
Knowing about these risks is all well and good. But what practical advice have the security authorities given to businesses? Well, according to this recently released report, the agencies recommend the following mitigations:
Update software, operating systems, and applications regularlyUse a centralized patch management system to patch vulnerabilities as soon as they become knownEnforce multi-factor authentication across all areas of your business – especially on VPN connectionsUse private local area networks when possibleLimit the use of third-party applicationsDisable unused network ports, protocols, services, and devicesUse security tools such as endpoint management software