Remote execution holes in Log4j, Exchange and Confluence lead Five Eyes 2021 exploited CVE list
During 2021, the top 15 vulnerabilities that were exploited — as observed by the US Cybersecurity and Infrastructure Security Agency, US NSA, US FBI, the Australian Cyber Security Centre, the Canadian Centre for Cyber Security, New Zealand National Cyber Security Centre, and the United Kingdom’s National Cyber Security Centre — led to remote code execution (RCE) across a range of products, and left IT administrators with a short window to keep their house in order.
“For most of the top exploited vulnerabilities, researchers or other actors released proof of concept code within two weeks of the vulnerability’s disclosure, likely facilitating exploitation by a broader range of malicious actors,” the agencies said in an alert.
“The rapid widespread exploitation of this vulnerability demonstrates the ability of malicious actors to quickly weaponize known vulnerabilities and target organizations before they patch,” the alert said.
Next on the list was CVE-2021-26084 in Atlassian Confluence, which US Cybercom warned was facing mass exploitation in September. In this instance, the agencies said the exploit code was released a week after it was disclosed.
The final vulnerability from 2021 on the list was CVE-2021-21972, which impacted VMware vSphere.
Completing the list was a quartet of older vulnerabilities that were highlighted in July: CVE-2020-1472 in Microsoft Netlogon, also known as Zerologon; CVE-2020-0688 in Exchange; CVE-2019-11510 in Pulse Connect Secure; and CVE-2018-13379 affecting Fortinet FortiOS and FortiProxy.
To mitigate these vulnerabilities, the agencies repeated their standing advice: patch promptly, run a centralised patch management system, and consider shifting to cloud or managed service providers if rapid vulnerability scanning is not feasible. They added that organisations should enforce multifactor authentication for all users without exception, VPN logins in particular, review privileged accounts regularly and at least yearly, and adopt the principle of least privilege.
Companies should also move to allowlisting, properly segment networks to limit lateral movement, and constantly monitor attack surfaces.