In 2021, threat actors aggressively exploited newly disclosed critical software vulnerabilities to hit a broad set of targets worldwide, says the latest advisory published by the US Cybersecurity and Infrastructure Security Agency.
Most exploited vulnerabilities, new and old
Compiled by cybersecurity authorities from the Five Eyes intelligence alliance, the list of top 15 CVEs routinely exploited by attackers in 2021 looks like this:
- CVE-2021-44228 (aka Log4Shell) – in Apache Log4j
- CVE-2021-40539 – in Zoho ManageEngine AD SelfService Plus
- CVE-2021-34523, CVE-2021-34473 and CVE-2021-31207 (collectively known as ProxyShell) – in Microsoft Exchange Server
- CVE-2021-27065, CVE-2021-26858, CVE-2021-26857, CVE-2021-26855 (collectively known as ProxyLogon) – in Microsoft Exchange Server
- CVE-2021-26084 – in Atlassian Confluence Server and Data Center
- CVE-2021-21972 – in VMware vSphere Client
- CVE-2020-1472 (aka ZeroLogon) – in Microsoft Netlogon Remote Protocol (MS-NRPC)
- CVE-2020-0688 – in Microsoft Exchange Server
- CVE-2019-11510 – in Pulse Secure Pulse Connect Secure
- CVE-2018-13379 – in Fortinet FortiOS and FortiProxy
As you might have noticed due to the last few entries, attackers haven’t stopped exploiting older publicly known software flaws.
Other vulnerable solutions under attack
An additional list of routinely exploited vulnerabilities in 2021 lists many flaws fixed in 2021, but also some that date back to up to 2017 and 2018.
That list contains flaws in:
- Sitecore XP
- ForgeRock OpenAM server
- Accellion FTA
- VMware vCenter Server
- SonicWall Secure Mobile Access (SMA)
- Microsoft MSHTML
- Microsoft Windows Print Spooler
- Checkbox Survey
- Pulse Secure Pulse Connect Secure
- SonicWall SSLVPN SMA100
- QNAP QTS and QuTS hero
- Citrix Application Delivery Controller (ADC) and Gateway
- Progress Telerik UI for ASP.NET AJAX
- Cisco IOS Software and IOS XE Software
- Microsoft Office
“Threat actors often geared their efforts towards targeting internet-facing systems, such as email and virtual private network (VPN) servers,” noted Lindy Cameron, the CEO of UK’s National Cyber Security Centre (NCSC).
Organizations using any of the listed solutions should make sure to implement the patches for these widely exploited flaws – or mitigations is patches can’t be deployed (quickly).
“This advisory places the power in the hands of network defenders to fix the most common cyber weaknesses in the public and private sector ecosystem,” Cameron added.
The CISA also advises organizations to use a centralized patch management system and to replace end-of-life software. If any those actions can’t be performed by internal security teams, organizations should consider switching to reputable cloud-based offerings and start using managed service providers.