New analysis of data on the most attacked vulnerabilities over the past year confirms what many have been saying recently about a growing attacker focus on remote work, virtual private networks (VPNs), and cloud-based technologies.
On Tuesday, the US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA), the FBI, the UK's National Cyber Security Centre, and the Australian Cyber Security Centre released a joint advisory that listed the vulnerabilities most frequently exploited by attackers in 2020 and 2021.
Four of the most exploited flaws last year — CVE-2019-19781, CVE-2019-11510, CVE-2018-13379, and CVE-2020-5902 — involved technologies that organizations have deployed to secure or better manage remote access to their networks and cloud assets. This year's list includes these vulnerabilities as well as several newer ones, such as the set of four heavily exploited zero-day flaws in Microsoft Exchange Server disclosed in March and others in perimeter-type devices from Pulse, Fortinet, and Accellion.
Most of the frequently attacked CVEs were disclosed over the past two years and are therefore considered relatively recent. However, one of them — a remote code execution flaw in Microsoft Office (CVE-2017-11882) — dates back to 2017. Seven of the 12 most attacked CVEs last year enabled remote code execution on vulnerable systems, two gave attackers a way to escalate privileges, two allowed arbitrary code execution or file reading, and one was a path-traversal flaw.
"Cyber actors continue to exploit publicly known — and often dated — software vulnerabilities against broad target sets," the joint advisory noted. Organizations impacted by any of the listed vulnerabilities should consider patching their systems or implementing mitigation measures as quickly as possible to avoid risk of compromise, the advisory said.
Rick Holland, chief information security officer and vice president of strategy at Digital Shadows, says the CVEs highlighted in the alert show once again that attackers prefer going after known vulnerabilities rather than zero-day flaws whenever they have the opportunity.
"Why increase the cost and complexity of an intrusion when you can go after low-hanging fruit?" he says.
Enterprises should reconcile their infrastructure and software against CISA's list and make sure their outbound third-party risk-monitoring accounts for these flaws as well.
"In this era of supply chain attacks, enterprises must validate that their critical suppliers manage their attack surface and patch exploited vulnerabilities," Holland says.
CISA, the FBI, and the other partners that compiled the list identified CVE-2019-19781 — a flaw in Citrix's Application Delivery Controller (ADC) — as the most exploited vulnerability in 2020. The flaw impacted 80,000 organizations worldwide, nearly 40% of them in the US. Though Citrix and numerous others warned organizations to patch immediately because of how easily the flaw could be exploited, thousands dragged their feet, leading to broad concerns about widespread compromises. According to CISA, nation-state actors and cybercriminals likely favored the flaw because it was easy to exploit, because it gave them complete control of vulnerable systems, and because of the sheer number of exploitable systems.
CVE-2019-11510, an arbitrary file-reading flaw in Pulse Secure Connect VPN, was the second most frequently targeted flaw last year. The flaw gives an unauthenticated attacker access to administrative credentials and to the unencrypted credentials of all users on a compromised Pulse VPN server. The vulnerability was considered especially dangerous because attackers could retain access to a system even after it had been patched, until all compromised credentials were changed. Attackers, including nation-state groups, abused the flaw in various ways, including to distribute ransomware. As with the Citrix flaw, many organizations delayed patching the Pulse VPN issue despite numerous warnings, including from the likes of the NSA.
The same Pulse flaw — and several others in Pulse technology, including an authentication bypass flaw (CVE-2021-22893), a buffer-overflow issue (CVE-2021-22894), and a command injection bug (CVE-2021-22899) — have been attackers' favorites this year as well. Pulse is not the only VPN vendor whose products attackers have targeted. Others include Fortinet and Palo Alto.
Meanwhile, the so-called ProxyLogon set of bugs in Exchange Server (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065), for which Microsoft released emergency patches on March 2, have been among the most targeted vulnerabilities so far in 2021. Among those known to have exploited the flaws before a patch became available for them are a Chinese threat actor called Hafnium and several criminal groups.
Four flaws in a near-obsolete file transfer appliance from enterprise firewall company Accellion have been another popular attacker target in 2021. The flaws, which were being actively attacked before patches became available for them, have resulted in data breaches at numerous Accellion customers, including Qualys, Kroger, Jones Day, Singapore Telecommunications, and the Reserve Bank of New Zealand.
The CVE list highlights several attacker trends, says Ilia Kolochenko, founder of ImmuniWeb.
"First, cybercriminals mostly target critical-risk vulnerabilities that [enable] full access to the vulnerable system," he says. "Second, they exploit both newly disclosed vulnerabilities, while unprepared companies remain unpatched, and pretty old ones … that are still exploitable due to persistent shadow IT or poor IT asset inventory."
Finally, most of the targeted software vendors are used by large enterprises, suggesting that cybercriminals are looking for big fish, Kolochenko says.