US, UK and Australia release joint cybersecurity advisory on the 30 most exploited vulnerabilities in 2020 and 2021
US, UK and Australian cybersecurity agencies and the FBI have released a joint cybersecurity advisory on the 30 most exploited vulnerabilities in 2020 and 2021.
The US Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), the UK National Cyber Security Centre (NCSC) and the US Federal Bureau of Investigation (FBI) co-authored the Joint Cybersecurity Advisory AA21-209A.
The agencies noted that independent and government-sponsored malicious cyber actors continued to exploit publicly known software vulnerabilities to compromise governments, public and private organizations around the world.
The main vulnerabilities exploited in 2020 were discovered in the last two years
The joint cybersecurity advisory noted that the vulnerabilities most exploited in 2020 have been discovered in the past two years.
Vulnerabilities in remote working, VPN and cloud-based technologies were among the most exploited, according to the joint cybersecurity advisory.
The agencies noted that VPN gateway devices often went unpatched in 2020 during the shift to remote work, when organizations could not perform rigorous patch management.
The cybersecurity advisory listed some of the most commonly exploited vulnerabilities in 2020.
They included the Citrix NetScaler arbitrary code execution vulnerability CVE-2019-19781, the Pulse Connect Secure arbitrary file read vulnerability CVE-2019-11510, and the Fortinet path traversal vulnerability CVE-2018-13379.
Fortinet’s directory traversal vulnerability, which exposes usernames and passwords, has been used in Cring ransomware attacks (Cring is also known as Crypt3, Ghost, Phantom or Vjszyllo).
Likewise, vulnerabilities in Pulse Secure Connect have been actively exploited by various state-backed cyber espionage groups to steal credentials for further attacks.
The most exploited remote code execution (RCE) vulnerabilities in 2020 included those in F5 BIG-IP (CVE-2020-5902), MobileIron (CVE-2020-15505), Atlassian (CVE-2019-11580), Drupal (CVE-2018-7600), Telerik (CVE-2019-18935), Microsoft Office (CVE-2017-11882) and SharePoint (CVE-2019-0604).
The severe F5 BIG-IP vulnerability, with a CVSS score of 10.0, allowed attackers to execute arbitrary commands without authentication, create and delete files, and run Java applications. The cybersecurity advisory warned that the vulnerability could lead to “complete system compromise.”
Privilege escalation vulnerabilities, such as the Microsoft Windows Background Intelligent Transfer Service (BITS) vulnerability CVE-2020-0787 and the Netlogon vulnerability CVE-2020-1472, were also widely exploited in 2020.
“Opponents’ use of known vulnerabilities complicates attribution, reduces costs and minimizes risk because they do not invest in developing a zero-day exploit for their exclusive use, which they risk losing if known,” the advisory states.
Joint cybersecurity advisory says threat actors have targeted perimeter devices in 2021
The joint cybersecurity advisory noted that threat actors continued to exploit perimeter devices in 2021. Some of the most exploited CVEs in 2021 included:
- Microsoft Exchange Server vulnerabilities CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065
- Pulse Connect Secure vulnerabilities CVE-2021-22893, CVE-2021-22894, CVE-2021-22899 and CVE-2021-22900
- Accellion File Transfer Appliance (FTA) vulnerabilities CVE-2021-27101, CVE-2021-27102, CVE-2021-27103 and CVE-2021-27104
- VMware virtualization software vulnerability CVE-2021-21985
- Fortinet vulnerabilities CVE-2018-13379, CVE-2020-12812 and CVE-2019-5591
Some of the listed vulnerabilities are all too familiar, having already appeared in several earlier advisories issued by the FBI, NSA and CISA, among others.
For example, the National Security Agency issued a similar cybersecurity advisory in October 2020 regarding Chinese hackers exploiting 25 known vulnerabilities.
Some of the flaws highlighted in that report were also among the top 30 most exploited vulnerabilities published by the Five Eyes cybersecurity agencies. They included the Pulse Connect Secure vulnerability CVE-2019-11510, the F5 BIG-IP vulnerability CVE-2020-5902, and the Citrix Application Delivery Controller and Gateway vulnerability CVE-2019-19781.
The advisory warned that threat actors would continue to exploit known vulnerabilities such as Microsoft Office CVE-2017-11882 if they remained effective and unpatched. The agencies recommended applying the available patches and setting up a centralized patch management system.