Most Exploited Vulnerabilities in the Pandemic and Pre-pandemic Era

In July 2021, Cybersecurity and Infrastructure Security Agency (CISA), together  with the Australian Cyber Security Centre (ACSC), the United Kingdom’s National Cyber Security Centre (NCSC), and the U.S. Federal Bureau of Investigation (FBI), published an advisory notifying about the top 30 vulnerabilities that were exploited in the wild to retrieve sensitive data such as intellectual property, economic, political, as well as organizational information.  information.

However, entities worldwide can mitigate the vulnerabilities listed in this report by applying the available patches on their systems and by implementing a centralized patch management system.

The shift in work environment because of the pandemic and the consequent need for remote work options saw an unprecedented surge round the year. This led to the need of virtual private networks (VPNs) and cloud-based environments – which were the primary focus area of cyber actors in 2020.

CISA, ACSC, the NCSC, and FBI consider the vulnerabilities listed below to be the top-most regularly exploited CVEs by threat actors in 2020.

Affected Vendor CVE Attack type QID
Citrix CVE-2019-19781 Arbitrary code execution 372305
Pulse CVE-2019-11510 Arbitrary file reading 38771
Fortinet CVE-2018-13379 Path Traversal 43702
F5-Big IP CVE-2020-5902 Remote Code Execution (RCE) 373106
MobileIron CVE-2020-15505 RCE 13998
Microsoft CVE-2017-11882 RCE 110308
Atlassian CVE-2019-11580 RCE 13525
Drupal CVE-2018-7600 RCE 11942
Telerik CVE-2019-18935 RCE 372327
Microsoft CVE-2019-0604 RCE 110330
Microsoft CVE-2020-0787 Elevation of Privilege 91609
Netlogon CVE-2020-1472 Elevation of Privilege 91680, 91688

Malicious cyber actors will most likely continue to use older known vulnerabilities/CVEs if they remain effective, and if systems remain unpatched. It has been observed multiple times in the pandemic year that an exploitation is either a combination of older CVEs or a new CVE that is imitated from older vulnerabilities.

In 2021, malicious cyber actors continued to target vulnerabilities in perimeter-type devices. Among those highly exploited in 2021 are vulnerabilities in Microsoft, Pulse, Accellion, VMware, and Fortinet. All the CVEs mentioned above were talk of the town round the year and may be used as future references in the wild. Cyber actors have learned new ways of exploitation during the Work from Home (WFH)/Remote working shifts. It is radical to see that even in 2021, vendors have been compromised more than once in the same way or in a slightly different manner than the previous attacks.

CISA, in its alert blog, provides a list of widely exploited CVEs in 2021and mentions that  organizations should prioritize patching for the following CVEs known to be exploited:

  • Microsoft Exchange: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065
  • Pulse Secure: CVE-2021-22893, CVE-2021-22894, CVE-2021-22899, and CVE-2021-22900
  • Accellion: CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104
  • VMware: CVE-2021-21985
  • Fortinet: CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591

Remediation and Mitigation

  • Patch systems and equipment promptly and diligently.
  • Implement rigorous configuration management programs.
  • Disable unnecessary ports, protocols, and services.
  • Enhance monitoring of network and email traffic.
  • Use protection capabilities to stop malicious activity.

CISA Recommendations

Organizations are encouraged to remediate or mitigate vulnerabilities as quickly as possible to reduce the risk of exploitation. Most can be remediated by patching and updating systems. Organizations that have not remediated these vulnerabilities must investigate for the presence of IOCs and, if compromised, initiate incident response and recovery plans.

Note: The list of associated malwares corresponding to each CVE are not meant to be exhaustive but intended to identify a malware family commonly associated with exploiting the CVE.


Leave a Reply

Your email address will not be published. Required fields are marked *