The Five Eyes security agencies, an alliance of intelligence agencies from Australia, Canada, New Zealand, the United Kingdom, and the United States, have issued a joint advisory about the 15 vulnerabilities in software and operating systems that were most commonly targeted by nation-state hackers and cybercriminal organizations in 2021.
Throughout 2021, malicious cyber actors targeted newly disclosed critical software vulnerabilities in attacks against a wide range of industry sectors, including public and private sector organizations. 11 of the most routinely targeted vulnerabilities were publicly disclosed in 2021, although older vulnerabilities continue to be exploited. The 15 most exploited vulnerabilities include 9 that allow remote code execution, 2 elevation of privilege flaws, and security bypass, path traversal, arbitrary file reading, and arbitrary code execution flaws.
Top of the list was the maximum severity Log4Shell vulnerability in the Apache Log4j open source logging framework. The vulnerability – CVE-2021-44228 – can be remotely exploited by a threat actor allowing the execution of arbitrary code, which would give the attacker full control of a vulnerable system. The vulnerability was only disclosed publicly in December 2021, yet still ranked first as the most commonly exploited vulnerability, demonstrating how hackers can quickly weaponize and exploit vulnerabilities before organizations can patch. The flaw was rated one of the most serious vulnerabilities to be discovered in the past decade.
CVE | Vulnerability Name | Vendor and Product | Type |
CVE-2021-44228 | Log4Shell | Apache Log4j | Remote code execution (RCE) |
CVE-2021-40539 | Zoho ManageEngine AD SelfService Plus | RCE | |
CVE-2021-34523 | ProxyShell | Microsoft Exchange Server | Elevation of privilege |
CVE-2021-34473 | ProxyShell | Microsoft Exchange Server | RCE |
CVE-2021-31207 | ProxyShell | Microsoft Exchange Server | Security feature bypass |
CVE-2021-27065 | ProxyLogon | Microsoft Exchange Server | RCE |
CVE-2021-26858 | ProxyLogon | Microsoft Exchange Server | RCE |
CVE-2021-26857 | ProxyLogon | Microsoft Exchange Server | RCE |
CVE-2021-26855 | ProxyLogon | Microsoft Exchange Server | RCE |
CVE-2021-26084 | Atlassian Confluence Server and Data Center | Arbitrary code execution | |
CVE-2021-21972 | VMware vSphere Client | RCE | |
CVE-2020-1472 | ZeroLogon | Microsoft Netlogon Remote Protocol (MS-NRPC) | Elevation of privilege |
CVE-2020-0688 | Microsoft Exchange Server | RCE | |
CVE-2019-11510 | Pulse Secure Pulse Connect Secure | Arbitrary file reading | |
CVE-2018-13379 | Fortinet FortiOS and FortiProxy | Path traversal |
The remote code execution vulnerability in Zoho ManageEngine AD SelfService Plus – CVE-2021-40539 – has a 9.8 CVSS severity rating and was the second most exploited vulnerability, with attacks exploiting the vulnerability continuing in 2022. The flaw can be exploited remotely and allows web shells to be implanted in a network, allowing the attacker to compromise credentials, move laterally, and exfiltrate sensitive data.
The ProxyLogon flaws in Microsoft Exchange email servers were also extensively exploited. These flaws – CVE-2021-26855, CVE-2021-26858, CVE-2021-26857, CVE-2021-27065 – allow remote attackers to execute arbitrary code on vulnerable exchange servers to gain access to files and mailboxes on the servers, along with any credentials stored on the servers.
Three ProxyShell vulnerabilities made the top 15 list. These vulnerabilities – CVE-2021-34523, CVE-2021-34473, CVE-2021-31207 – can be exploited on Microsoft Exchange email servers that have the Microsoft Client Access Service (CAS) exposed to the Internet. This is a common configuration that allows users to access their emails on their mobile devices and via web browsers. The flaws can be exploited to remotely execute arbitrary code on vulnerable servers.
In many cases, vulnerabilities were exploited within two weeks of the vulnerabilities being publicly disclosed, most commonly as a result of security researchers publishing proof-of-concept exploits, which helped a much broader range of threat actors quickly exploit the vulnerabilities before organizations had the time to patch.
A further 21 vulnerabilities are listed that are also routinely exploited, including many from 2021 and some dating back to 2017. Patching these vulnerabilities promptly will ensure they cannot be exploited. The Five Eyes agencies have also included a list of mitigations that make it harder for threat actors to exploit these and other vulnerabilities.
The post 15 Most Exploited Vulnerabilities in 2021 appeared first on HIPAA Journal.