The ACSC, the UK’s NCSC, and the US’s CISA and FBI have released a joint cybersecurity advisory that highlights the top Common Vulnerabilities and Exposures (CVEs) routinely exploited by cyber criminals in 2020-21.
The ACSC, NCSC, CISA and FBI consider the vulnerabilities listed below to be the most regularly exploited CVEs during 2020:
| Vendor | CVE | Type |
|---|---|---|
| Citrix | CVE-2019-19781 | arbitrary code execution |
| Pulse | CVE-2019-11510 | arbitrary file reading |
| Fortinet | CVE-2018-13379 | path traversal |
| F5 BIG-IP | CVE-2020-5902 | remote code execution (RCE) |
| MobileIron | CVE-2020-15505 | RCE |
| Microsoft | CVE-2017-11882 | RCE |
| Atlassian | CVE-2019-11580 | RCE |
| Drupal | CVE-2018-7600 | RCE |
| Telerik | CVE-2019-18935 | RCE |
| Microsoft | CVE-2019-0604 | RCE |
| Microsoft | CVE-2020-0787 | elevation of privilege |
| Netlogon | CVE-2020-1472 | elevation of privilege |
It was found that four of the most targeted vulnerabilities during this time involved remote work, VPNs, or cloud-based technologies.
The growth of remote work options caused by the COVID-19 pandemic has challenged the ability of organizations to conduct rigorous patch management. This left many VPN gateway devices unpatched in 2020, allowing cyber criminals to exploit their vulnerabilities.
Meanwhile, cyber criminals also continued to target vulnerabilities in perimeter-type devices in 2021. Among those most heavily exploited are vulnerabilities in products from Microsoft, Pulse, Accellion, VMware, and Fortinet.
The advisory lists the vendors, products, and CVEs associated with these vulnerabilities so that organizations can urgently patch them.
“Collaboration is a crucial part of CISA’s work and today we partnered with ACSC, NCSC and FBI to highlight cyber vulnerabilities that public and private organizations should prioritize for patching to minimize the risk of being exploited by malicious actors,” CISA’s Executive Assistant Director for Cybersecurity Eric Goldstein said.
“In cybersecurity, getting the basics right is often most important. Organizations that apply the best practices of cybersecurity, such as patching, can reduce their risk to cyber actors exploiting known vulnerabilities in their networks.”
Head of the Australian Cyber Security Centre Abigail Bradshaw said the advisory is valuable as it allows network defenders and organisations to lift collective defences against cyber threats.
“This advisory complements our advice available through cyber.gov.au and underscores the determination of the ACSC and our partner agencies to collaboratively combat malicious cyber activity,” Bradshaw said.
The UK’s NCSC has expressed its commitment to working with allies to raise awareness of global cyber weaknesses, enabling them to present easily actionable solutions to mitigate cyber risks.
“The advisory published today puts the power in every organisation’s hand to fix the most common vulnerabilities, such as unpatched VPN gateway devices. Working with our international partners, we will continue to raise awareness of the threats posed by those that seek to cause harm,” NCSC’s Director of Operations Paul Chichester said.
FBI’s Cyber Assistant Director Bryan Vorndran said the organisation will be sharing information with public and private organizations to prevent malicious cyber actors from exploiting vulnerabilities.
“We firmly believe that coordination and collaboration with our federal and private sector partners will ensure a safer cyber environment to decrease the opportunity for these actors to succeed,” Assistant Director Vorndran said.
One of the most effective practices for mitigating CVEs is to update software as soon as practicable once patches are available.
The advisory states that focusing cyber defence resources on patching these software vulnerabilities should be ingrained in the culture of every organization, as it bolsters network security and impedes the disruptive, destructive operations of cyber criminals.
The joint advisory encourages organizations to investigate the presence of indicators of compromise in the software listed. If compromised, organizations should immediately initiate incident response and recovery plans.
As cyber actors continue to exploit publicly-known and often dated software vulnerabilities against broad target sets worldwide, it is recommended that organizations apply the available patches for the vulnerabilities and implement a centralized patch management system.
The advisory also lists the support and resources available to agencies, governments and industry partners for the mitigation and remediation of the CVEs.
SOURCE: ACSC & CISA