In July 2021, the Cybersecurity and Infrastructure Security Agency (CISA), together with the Australian Cyber Security Centre (ACSC), the United Kingdom's National Cyber Security Centre (NCSC), and the U.S. Federal Bureau of Investigation (FBI), published an advisory on the top 30 vulnerabilities exploited in the wild to retrieve sensitive data such as intellectual property and economic, political, and organizational information.
Entities worldwide can mitigate the vulnerabilities listed in the advisory by applying the available patches to their systems and by implementing a centralized patch management system.
The shift in work environment caused by the pandemic, and the consequent need for remote work options, produced an unprecedented surge throughout the year. This drove demand for virtual private networks (VPNs) and cloud-based environments, which were the primary focus of cyber actors in 2020.
CISA, ACSC, the NCSC, and the FBI consider the vulnerabilities listed below to be the most regularly exploited CVEs by threat actors in 2020.
| Affected Vendor | CVE | Attack type | QID |
|---|---|---|---|
| Citrix | CVE-2019-19781 | Arbitrary code execution | 372305 |
| Pulse | CVE-2019-11510 | Arbitrary file reading | 38771 |
| Fortinet | CVE-2018-13379 | Path traversal | 43702 |
| F5 BIG-IP | CVE-2020-5902 | Remote code execution (RCE) | 373106 |
| MobileIron | CVE-2020-15505 | RCE | 13998 |
| Microsoft | CVE-2017-11882 | RCE | 110308 |
| Atlassian | CVE-2019-11580 | RCE | 13525 |
| Drupal | CVE-2018-7600 | RCE | 11942 |
| Telerik | CVE-2019-18935 | RCE | 372327 |
| Microsoft | CVE-2019-0604 | RCE | 110330 |
| Microsoft | CVE-2020-0787 | Elevation of privilege | 91609 |
| Netlogon | CVE-2020-1472 | Elevation of privilege | 91680, 91688 |
Malicious cyber actors will most likely continue to use older known vulnerabilities/CVEs as long as they remain effective and systems remain unpatched. It was observed repeatedly during the pandemic year that an exploitation either chains several older CVEs or uses a new CVE modeled on older vulnerabilities.
In 2021, malicious cyber actors continued to target vulnerabilities in perimeter-type devices. Among those heavily exploited in 2021 are vulnerabilities in Microsoft, Pulse, Accellion, VMware, and Fortinet products. All the CVEs mentioned above received wide attention throughout the year and may well be reused in the wild. Cyber actors learned new ways of exploitation during the shift to Work from Home (WFH)/remote working. It is striking that even in 2021, vendors were compromised more than once in the same way, or in only a slightly different manner, as in previous attacks.
CISA, in its alert blog, provides a list of widely exploited CVEs in 2021 and states that organizations should prioritize patching for the following CVEs known to be exploited:
- Microsoft Exchange: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065
- Pulse Secure: CVE-2021-22893, CVE-2021-22894, CVE-2021-22899, and CVE-2021-22900
- Accellion: CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104
- VMware: CVE-2021-21985
- Fortinet: CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591
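The advisory's value to a defender is as a prioritization list: scan findings that match any of the CVEs in the 2020 table or the 2021 list above should be patched before everything else. The following script is an added example (not code from the original post or from CISA or any vendor) that cross-references a vulnerability-scan export against exactly those CVEs and ranks the affected hosts, internet-facing systems first. The CSV layout, the host names and the `internet_facing` column are assumptions; the placeholder IDs `CVE-0000-0001` and `CVE-0000-0002` stand in for findings that are not on the advisory list.

```python
import csv
import io
from collections import defaultdict

# Vendor -> CVEs, copied from the 2020 table and the 2021 list in the text above.
# CVE-2020-1472 is listed under "Netlogon" in the table; it is grouped with Microsoft here.
ADVISORY_CVES = {
    "Citrix": {"CVE-2019-19781"},
    "Pulse Secure": {"CVE-2019-11510", "CVE-2021-22893", "CVE-2021-22894",
                     "CVE-2021-22899", "CVE-2021-22900"},
    "Fortinet": {"CVE-2018-13379", "CVE-2020-12812", "CVE-2019-5591"},
    "F5 BIG-IP": {"CVE-2020-5902"},
    "MobileIron": {"CVE-2020-15505"},
    "Microsoft": {"CVE-2017-11882", "CVE-2019-0604", "CVE-2020-0787", "CVE-2020-1472",
                  "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"},
    "Atlassian": {"CVE-2019-11580"},
    "Drupal": {"CVE-2018-7600"},
    "Telerik": {"CVE-2019-18935"},
    "Accellion": {"CVE-2021-27101", "CVE-2021-27102", "CVE-2021-27103", "CVE-2021-27104"},
    "VMware": {"CVE-2021-21985"},
}

# Reverse index so a finding can be matched in O(1).
CVE_TO_VENDOR = {cve: vendor for vendor, cves in ADVISORY_CVES.items() for cve in cves}

# Constructed sample scan export (hypothetical hosts, one finding per row).
# CVE-0000-000x are placeholders for findings outside the advisory list.
SAMPLE_SCAN_CSV = """host,cve,internet_facing
vpn-gw-01,CVE-2019-11510,yes
vpn-gw-01,CVE-2021-22893,yes
mail-01,CVE-2021-26855,yes
mail-01,CVE-2021-27065,yes
dc-01,CVE-2020-1472,no
dc-01,CVE-2020-0787,no
intranet-wiki,CVE-2019-11580,no
intranet-wiki,CVE-0000-0001,no
build-01,CVE-0000-0002,no
"""


def parse_findings(csv_text):
    """Parse a scan export with columns host, cve, internet_facing into dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def prioritize(findings):
    """Return hosts carrying at least one advisory CVE, highest priority first.

    Ordering: internet-facing hosts before internal ones, then more advisory
    CVEs before fewer, then host name for a stable output.
    """
    hits = defaultdict(set)
    exposed = {}
    for row in findings:
        cve = row["cve"].strip().upper()
        if cve not in CVE_TO_VENDOR:
            continue  # not on the advisory list; handled by normal patch cadence
        host = row["host"].strip()
        hits[host].add(cve)
        exposed[host] = row["internet_facing"].strip().lower() == "yes"
    ranked = [
        {
            "host": host,
            "internet_facing": exposed[host],
            "cves": sorted(cves),
            "vendors": sorted({CVE_TO_VENDOR[c] for c in cves}),
        }
        for host, cves in hits.items()
    ]
    ranked.sort(key=lambda r: (not r["internet_facing"], -len(r["cves"]), r["host"]))
    return ranked


def prioritized_hosts(csv_text):
    """Convenience wrapper: host names in patch-priority order for a CSV export."""
    return [entry["host"] for entry in prioritize(parse_findings(csv_text))]


if __name__ == "__main__":
    for entry in prioritize(parse_findings(SAMPLE_SCAN_CSV)):
        exposure = "INTERNET-FACING" if entry["internet_facing"] else "internal"
        print(f"{entry['host']:<15} {exposure:<16} {', '.join(entry['vendors'])}: "
              f"{', '.join(entry['cves'])}")
```

Feeding a real export (Qualys, Nessus or any scanner that emits a CVE column) only requires adapting the column names in `parse_findings`; the ranking deliberately treats exposure as the first key because every 2021 entry in the advisory is a perimeter or edge product.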
Remediation and Mitigation
- Patch systems and equipment promptly and diligently.
- Implement rigorous configuration management programs.
- Disable unnecessary ports, protocols, and services.
- Enhance monitoring of network and email traffic.
- Use protection capabilities to stop malicious activity.
CISA Recommendations
Organizations are encouraged to remediate or mitigate these vulnerabilities as quickly as possible to reduce the risk of exploitation. Most can be remediated by patching and updating systems. Organizations that have not yet remediated these vulnerabilities should investigate for the presence of IOCs and, if compromised, initiate their incident response and recovery plans.
Note: The list of associated malware for each CVE is not meant to be exhaustive; it is intended to identify a malware family commonly associated with exploiting that CVE.