Global cybersecurity authorities release details on routinely exploited software vulnerabilities in 2021

Global cybersecurity authorities assess in a joint cybersecurity advisory that in 2021 malicious cyber hackers aggressively targeted newly disclosed critical software vulnerabilities against broad target sets, including public and private sector organizations worldwide. To a lesser extent, malicious cyber hackers continued to exploit publicly known, dated software vulnerabilities across a broad spectrum of targets. Critical infrastructure owners and operators have been urged to remediate top routinely exploited vulnerabilities identified in 2021, and take appropriate action to mitigate risks. 

Cybersecurity authorities from the U.S., the U.K., Australia, Canada, and New Zealand provided details on the top 15 common vulnerabilities and exposures (CVEs) routinely exploited by malicious cyber actors in 2021, as well as other CVEs frequently exploited. Additionally, the advisory pointed out that three of the top 15 routinely exploited vulnerabilities were also routinely exploited in 2020 – CVE-2020-1472, CVE-2018-13379, and CVE-2019-11510. “Their continued exploitation indicates that many organizations fail to patch software in a timely manner and remain vulnerable to malicious cyber actors,” it added.

“Globally, in 2021, malicious cyber actors targeted internet-facing systems, such as email servers and virtual private network (VPN) servers, with exploits of newly disclosed vulnerabilities,” the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), New Zealand National Cyber Security Centre (NZ NCSC), and United Kingdom’s National Cyber Security Centre (NCSC-UK), wrote in the advisory on Wednesday. 

“For most of the top exploited vulnerabilities, researchers or other actors released proof of concept (POC) code within two weeks of the vulnerability’s disclosure, likely facilitating exploitation by a broader range of malicious actors,” it added.

To a lesser extent, malicious cyber actors continued to exploit publicly known, dated software vulnerabilities—some of which were also routinely exploited in 2020 or earlier, the advisory said. The exploitation of older vulnerabilities demonstrates the continued risk to organizations that fail to patch software promptly or are using software that is no longer supported by a vendor, it added.

The global cybersecurity authorities observed that among the top 15 vulnerabilities that were routinely exploited by malicious hackers last year were the Log4Shell vulnerability, the ProxyLogon vulnerabilities that affected Microsoft Exchange email servers, the ProxyShell vulnerabilities that also affect Microsoft Exchange email servers, and the vulnerability affecting Atlassian Confluence Server and Data Center.

The Log4Shell vulnerability, disclosed last December, affects Apache’s Log4j library, an open-source logging framework incorporated into thousands of products globally. Hackers could exploit the vulnerability by submitting a specially crafted request to a vulnerable system that causes that system to execute arbitrary code. The request allows a cyber actor to take full control over the system. The actor can then steal information, launch ransomware, or conduct other malicious activity. The rapid widespread exploitation of the vulnerability demonstrates the ability of malicious hackers to quickly weaponize known vulnerabilities and target organizations before they patch.

The ProxyLogon vulnerabilities, tracked as CVE-2021-26855, CVE-2021-26858, CVE-2021-26857, and CVE-2021-27065, affect Microsoft Exchange email servers. Successful exploitation of these vulnerabilities in combination, also known as vulnerability chaining, allows an unauthenticated cyber hacker to execute arbitrary code on vulnerable Exchange Servers, which, in turn, enables the hacker to gain persistent access to files and mailboxes on the servers, as well as to credentials stored on the servers. Successful exploitation may additionally enable the cyber actor to compromise trust and identity in a vulnerable network.

The ProxyShell vulnerabilities, tracked as CVE-2021-34523, CVE-2021-34473 and CVE-2021-31207, also affect Microsoft Exchange email servers. Successful exploitation of these vulnerabilities in combination enables a remote actor to execute arbitrary code. These vulnerabilities reside within the Microsoft Client Access Service (CAS), which typically runs on port 443 in Microsoft Internet Information Services (IIS).

The CVE-2021-26084 vulnerability affects Atlassian Confluence Server and Data Center and could enable an unauthenticated actor to execute arbitrary code on vulnerable systems. The vulnerability quickly became one of the most routinely exploited vulnerabilities after a POC was released within a week of its disclosure. Attempted mass exploitation of the vulnerability was observed last September.

In addition to the top 15 vulnerabilities, the global cybersecurity authorities identified further vulnerabilities that were also routinely exploited by malicious cyber actors in 2021. These include multiple vulnerabilities affecting internet-facing systems, including Accellion File Transfer Appliance (FTA), Windows Print Spooler, and Pulse Secure Pulse Connect Secure.

The cybersecurity authorities called upon organizations to apply the recommended mitigations, which include applying timely patches to systems and implementing a centralized patch management system to reduce the risk of compromise by malicious cyber hackers. Enterprises must also adopt appropriate vulnerability and configuration management, improve identity and access management across the organizations, and enforce protective controls and architecture.

“The recent joint cybersecurity advisory (CSA) from key cyber agencies in Australia, Canada, New Zealand, United Kingdom and the United States, underscores a key trend regarding the most routinely exploited vulnerabilities,” Satnam Narang, staff research engineer at Tenable, wrote in an emailed statement. “Newly disclosed and legacy vulnerabilities, which include those flaws formerly identified as zero-days, are extremely valuable to a larger swath of cybercriminals compared to zero-day flaws.”

“What aids the ability of cybercriminals to take advantage of all of these newly disclosed flaws is the easy access to a proof-of-concept exploit code, which is often made public on average within a few weeks of their disclosure,” according to Narang. “To discover or purchase a zero-day is typically a costly endeavour for even the most sophisticated APT groups, so the no-cost effort of procuring exploit code from public source code repositories is a boon for cybercriminals of all types including the APT groups,” he added.

Last week, the global security agencies warned organizations that the Russian invasion of Ukraine could expose organizations both within and beyond the region to increased malicious cyber activity from Russian state-sponsored cyber hackers or Russian-aligned cybercrime groups.
