The year 2022 witnessed a surge in cyberattacks by malicious actors targeting unpatched, internet-facing systems. In a joint Cybersecurity Advisory (CSA), top cybersecurity agencies from the United States, Australia, Canada, New Zealand, and the United Kingdom highlighted the most frequently exploited Common Vulnerabilities and Exposures (CVEs) and Common Weakness Enumeration(s) (CWE) to shed light on the prevailing threats. This article provides an overview of the key findings and recommendations from the CSA to help organizations strengthen their cybersecurity defenses.
The CSA report outlined several key findings that offer insight into the strategies adopted by malicious cyber actors in 2022
Exploitation of Older Software Vulnerabilities: Malicious actors exploited older software vulnerabilities more frequently than recently disclosed ones. Proof of concept (PoC) codes for these vulnerabilities were publicly available, making it easier for a broader range of attackers to carry out cyber-attacks.
Timely Patching Reduces Vulnerabilities: Malicious actors have the most success exploiting known vulnerabilities within the first two years of public disclosure. Timely patching decreases the efficacy of these vulnerabilities, forcing attackers to employ more complex and costly methods.
Prioritizing Severe and Global Vulnerabilities: Cyber attackers targeted severe and globally prevalent CVEs, as well as those more prevalent in specific target networks, allowing them to achieve high-impact results with minimal resources.
Top Routinely Exploited Vulnerabilities
Top Routinely Exploited Vulnerabilities
Table 1 shows the top 12 vulnerabilities the co-authors observed malicious cyber actors routinely exploiting in 2022:
- CVE-2018-13379. This vulnerability, affecting Fortinet SSL VPNs, was also routinely exploited in 2020 and 2021. The continued exploitation indicates that many organizations failed to patch software in a timely manner and remain vulnerable to malicious cyber actors.
- CVE-2021-34473, CVE-2021-31207, CVE-2021-34523. These vulnerabilities, known as ProxyShell, affect Microsoft Exchange email servers. In combination, successful exploitation enables a remote actor to execute arbitrary code. These vulnerabilities reside within the Microsoft Client Access Service (CAS), which typically runs on port 443 in Microsoft Internet Information Services (IIS) (e.g., Microsoft’s web server). CAS is commonly exposed to the internet to enable users to access their email via mobile devices and web browsers.
- CVE-2021-40539. This vulnerability enables unauthenticated remote code execution (RCE) in Zoho ManageEngine ADSelfService Plus and was linked to the usage of an outdated third-party dependency. Initial exploitation of this vulnerability began in late 2021 and continued throughout 2022.
- CVE-2021-26084. This vulnerability, affecting Atlassian Confluence Server and Data Center (a web-based collaboration tool used by governments and private companies) could enable an unauthenticated cyber actor to execute arbitrary code on vulnerable systems. This vulnerability quickly became one of the most routinely exploited vulnerabilities after a PoC was released within a week of its disclosure. Attempted mass exploitation of this vulnerability was observed in September 2021.
- CVE-2021- 44228. This vulnerability, known as Log4Shell, affects Apache’s Log4j library, an open-source logging framework incorporated into thousands of products worldwide. An actor can exploit this vulnerability by submitting a specially crafted request to a vulnerable system, causing the execution of arbitrary code. The request allows a cyber actor to take full control of a system. The actor can then steal information, launch ransomware, or conduct other malicious activity. Malicious cyber actors began exploiting the vulnerability after it was publicly disclosed in December 2021, and continued to show high interest in CVE-2021- 44228 through the first half of 2022.
- CVE-2022-22954, CVE-2022-22960. These vulnerabilities allow RCE, privilege escalation, and authentication bypass in VMware Workspace ONE Access, Identity Manager, and other VMware products. A malicious cyber actor with network access could trigger a server-side template injection that may result in remote code execution. Exploitation of CVE-2022-22954 and CVE-2022-22960 began in early 2022 and attempts continued throughout the remainder of the year.
- CVE-2022-1388. This vulnerability allows unauthenticated malicious cyber actors to bypass iControl REST authentication on F5 BIG-IP application delivery and security software.
- CVE-2022-30190. This vulnerability impacts the Microsoft Support Diagnostic Tool (MSDT) in Windows. A remote, unauthenticated cyber actor could exploit this vulnerability to take control of an affected system.
- CVE-2022-26134. This critical RCE vulnerability affects Atlassian Confluence and Data Center. The vulnerability, which was likely initially exploited as a zero-day before public disclosure in June 2022, is related to an older Confluence vulnerability (CVE-2021-26084), which cyber actors also exploited in 2022.
Additional Routinely Exploited Vulnerabilities
In addition to the 12 vulnerabilities listed in Table 1, the authoring agencies identified vulnerabilities—listed in Table 2—that were also routinely exploited by malicious cyber actors in 2022.
Mitigations: Best Practices for Vendors, Developers, and End-User Organizations
The report emphasized the need for collaboration and proactive measures from both vendors and end-user organizations to counter cyber threats effectively. Here are the recommended mitigations:
For Vendors and Developers
Identify Vulnerability Classes: Perform an analysis of CVEs and known exploited vulnerabilities to identify frequently targeted classes of vulnerabilities. Implement appropriate mitigations to eliminate these classes.
Secure by Design and Default: Follow the Secure Software Development Framework (SSDF) and implement secure design practices throughout the software development life cycle (SDLC). Establish a coordinated vulnerability disclosure program to address discovered vulnerabilities.
Secure-By-Default Configurations: Prioritize secure-by-default configurations such as eliminating default passwords and providing high-quality audit logs with no additional configuration.
For End-User Organizations
Timely Patching: Apply timely patches to systems, prioritizing known exploited and critical vulnerabilities.
Multifactor Authentication (MFA): Enforce phishing-resistant MFA for all users, especially for remote access.
Network Protection: Properly configure and secure internet-facing network devices, disable unused network ports, protocols, and services, and use web application firewalls to monitor and filter web traffic.
Identity and Access Management (IAM): Enforce least privilege, regularly review and validate privileged accounts, and control the use of native scripting applications.
Vulnerability and Configuration Management: Update software and firmware promptly, conduct regular system backups, and maintain an updated incident response plan.
The joint Cybersecurity Advisory (CSA) from leading cybersecurity agencies serves as a crucial resource to understand the threat landscape of 2022. By prioritizing secure-by-design principles, timely patching, and robust identity and access management, both vendors and end-user organizations can significantly reduce the risk of compromise by malicious cyber actors. A collaborative effort between stakeholders and the adoption of best practices can pave the way for a more secure digital environment.
The article is largely based on the CyberSecurity Advisory released by CISA.gov in August 2023. See original advisory at cisa.gov
Check out our new Discord Cyber Awareness Server. Stay informed with CVE Alerts, Cybersecurity News & More!
Remember, CyberSecurity Starts With You!
- Globally, 30,000 websites are hacked daily.
- 64% of companies worldwide have experienced at least one form of a cyber attack.
- There were 20M breached records in March 2021.
- In 2020, ransomware cases grew by 150%.
- Email is responsible for around 94% of all malware.
- Every 39 seconds, there is a new attack somewhere on the web.
- An average of around 24,000 malicious mobile apps are blocked daily on the internet.