Tuesday, October 3, 2023

Top Vulnerabilities Exploited in 2022 as revealed by FBI, CISA, and NSA

The year 2022 witnessed a surge in cyberattacks by malicious actors targeting unpatched, internet-facing systems. In a joint Cybersecurity Advisory (CSA), top cybersecurity agencies from the United States, Australia, Canada, New Zealand, and the United Kingdom highlighted the most frequently exploited Common Vulnerabilities and Exposures (CVEs) and Common Weakness Enumeration(s) (CWE) to shed light on the prevailing threats. This article provides an overview of the key findings and recommendations from the CSA to help organizations strengthen their cybersecurity defenses.

Key Findings

The CSA report outlined several key findings that offer insight into the strategies adopted by malicious cyber actors in 2022:

Exploitation of Older Software Vulnerabilities: Malicious actors exploited older software vulnerabilities more frequently than recently disclosed ones. Proof of concept (PoC) code for these vulnerabilities was publicly available, making it easier for a broader range of attackers to carry out cyber-attacks.

Timely Patching Reduces Vulnerabilities: Malicious actors have the most success exploiting known vulnerabilities within the first two years of public disclosure. Timely patching decreases the efficacy of these vulnerabilities, forcing attackers to employ more complex and costly methods.

Prioritizing Severe and Global Vulnerabilities: Cyber attackers targeted severe and globally prevalent CVEs, as well as those more prevalent in specific target networks, allowing them to achieve high-impact results with minimal resources.

Top Routinely Exploited Vulnerabilities

Table 1 shows the top 12 vulnerabilities the co-authors observed malicious cyber actors routinely exploiting in 2022:

  • CVE-2018-13379. This vulnerability, affecting Fortinet SSL VPNs, was also routinely exploited in 2020 and 2021. The continued exploitation indicates that many organizations failed to patch software in a timely manner and remain vulnerable to malicious cyber actors.
  • CVE-2021-34473, CVE-2021-31207, CVE-2021-34523. These vulnerabilities, known as ProxyShell, affect Microsoft Exchange email servers. In combination, successful exploitation enables a remote actor to execute arbitrary code. These vulnerabilities reside within the Microsoft Client Access Service (CAS), which typically runs on port 443 in Microsoft Internet Information Services (IIS) (e.g., Microsoft’s web server). CAS is commonly exposed to the internet to enable users to access their email via mobile devices and web browsers.
  • CVE-2021-40539. This vulnerability enables unauthenticated remote code execution (RCE) in Zoho ManageEngine ADSelfService Plus and was linked to the usage of an outdated third-party dependency. Initial exploitation of this vulnerability began in late 2021 and continued throughout 2022.
  • CVE-2021-26084. This vulnerability, affecting Atlassian Confluence Server and Data Center (a web-based collaboration tool used by governments and private companies) could enable an unauthenticated cyber actor to execute arbitrary code on vulnerable systems. This vulnerability quickly became one of the most routinely exploited vulnerabilities after a PoC was released within a week of its disclosure. Attempted mass exploitation of this vulnerability was observed in September 2021.
  • CVE-2021-44228. This vulnerability, known as Log4Shell, affects Apache’s Log4j library, an open-source logging framework incorporated into thousands of products worldwide. An actor can exploit this vulnerability by submitting a specially crafted request to a vulnerable system, causing the execution of arbitrary code. The request allows a cyber actor to take full control of a system. The actor can then steal information, launch ransomware, or conduct other malicious activity.[1] Malicious cyber actors began exploiting the vulnerability after it was publicly disclosed in December 2021, and continued to show high interest in CVE-2021-44228 through the first half of 2022.
  • CVE-2022-22954, CVE-2022-22960. These vulnerabilities allow RCE, privilege escalation, and authentication bypass in VMware Workspace ONE Access, Identity Manager, and other VMware products. A malicious cyber actor with network access could trigger a server-side template injection that may result in remote code execution. Exploitation of CVE-2022-22954 and CVE-2022-22960 began in early 2022 and attempts continued throughout the remainder of the year.
  • CVE-2022-1388. This vulnerability allows unauthenticated malicious cyber actors to bypass iControl REST authentication on F5 BIG-IP application delivery and security software.
  • CVE-2022-30190. This vulnerability impacts the Microsoft Support Diagnostic Tool (MSDT) in Windows. A remote, unauthenticated cyber actor could exploit this vulnerability to take control of an affected system.
  • CVE-2022-26134. This critical RCE vulnerability affects Atlassian Confluence and Data Center. The vulnerability, which was likely initially exploited as a zero-day before public disclosure in June 2022, is related to an older Confluence vulnerability (CVE-2021-26084), which cyber actors also exploited in 2022.

| CVE | Vendor | Product | Type | CWE |
| --- | --- | --- | --- | --- |
| CVE-2018-13379 | Fortinet | FortiOS and FortiProxy | SSL VPN credential exposure | CWE-22 Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) |
| CVE-2021-34473 (Proxy Shell) | Microsoft | Exchange Server | RCE | CWE-918 Server-Side Request Forgery (SSRF) |
| CVE-2021-31207 (Proxy Shell) | Microsoft | Exchange Server | Security Feature Bypass | CWE-22 Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) |
| CVE-2021-34523 (Proxy Shell) | Microsoft | Exchange Server | Elevation of Privilege | CWE-287 Improper Authentication |
| CVE-2021-40539 | Zoho ManageEngine | ADSelfService Plus | RCE/Authentication Bypass | CWE-287 Improper Authentication |
| CVE-2021-26084 | Atlassian | Confluence Server and Data Center | Arbitrary code execution | CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’) |
| CVE-2021-44228 (Log4Shell) | Apache | Log4j2 | RCE | CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement (‘Expression Language Injection’); CWE-20 Improper Input Validation; CWE-400 Uncontrolled Resource Consumption; CWE-502 Deserialization of Untrusted Data |
| CVE-2022-22954 | VMware | Workspace ONE Access and Identity Manager | RCE | CWE-94 Improper Control of Generation of Code (‘Code Injection’) |
| CVE-2022-22960 | VMware | Workspace ONE Access, Identity Manager, and vRealize Automation | Improper Privilege Management | CWE-269 Improper Privilege Management |
| CVE-2022-1388 | F5 Networks | BIG-IP | Missing Authentication Vulnerability | CWE-306 Missing Authentication for Critical Function |
| CVE-2022-30190 | Microsoft | Multiple Products | RCE | None Listed |
| CVE-2022-26134 | Atlassian | Confluence Server and Data Center | RCE | CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’) |

Additional Routinely Exploited Vulnerabilities

In addition to the 12 vulnerabilities listed in Table 1, the authoring agencies identified vulnerabilities—listed in Table 2—that were also routinely exploited by malicious cyber actors in 2022.

| CVE | Vendor | Product | Type | CWE |
| --- | --- | --- | --- | --- |
| CVE-2017-0199 | Microsoft | Multiple Products | Arbitrary Code Execution | None Listed |
| CVE-2017-11882 | Microsoft | Exchange Server | Arbitrary Code Execution | CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer |
| CVE-2019-11510 | Ivanti | Pulse Secure Pulse Connect Secure | Arbitrary File Reading | CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) |
| CVE-2019-0708 | Microsoft | Remote Desktop Services | RCE | CWE-416: Use After Free |
| CVE-2019-19781 | Citrix | Application Delivery Controller and Gateway | Arbitrary Code Execution | CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) |
| CVE-2020-5902 | F5 Networks | BIG-IP | RCE | CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) |
| CVE-2020-1472 | Microsoft | Multiple Products | Privilege Escalation | CWE-330: Use of Insufficiently Random Values |
| CVE-2020-14882 | Oracle | WebLogic Server | RCE | None Listed |
| CVE-2020-14883 | Oracle | WebLogic Server | RCE | None Listed |
| CVE-2021-20016 | SonicWALL | SSLVPN SMA100 | SQL Injection | CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) |
| CVE-2021-26855 (ProxyLogon) | Microsoft | Exchange Server | RCE | CWE-918: Server-Side Request Forgery (SSRF) |
| CVE-2021-27065 (ProxyLogon) | Microsoft | Exchange Server | RCE | CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) |
| CVE-2021-26858 (ProxyLogon) | Microsoft | Exchange Server | RCE | None Listed |
| CVE-2021-26857 (ProxyLogon) | Microsoft | Exchange Server | RCE | CWE-502: Deserialization of Untrusted Data |
| CVE-2021-20021 | SonicWALL | Email Security | Privilege Escalation Exploit Chain | CWE-269: Improper Privilege Management |
| CVE-2021-40438 | Apache | HTTP Server | Server-Side Request Forgery | CWE-918: Server-Side Request Forgery (SSRF) |
| CVE-2021-41773 | Apache | HTTP Server | Server Path Traversal | CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) |
| CVE-2021-42013 | Apache | HTTP Server | Server Path Traversal | CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) |
| CVE-2021-20038 | SonicWall | SMA 100 Series Appliances | Stack-based Buffer Overflow | CWE-787: Out-of-bounds Write; CWE-121: Stack-based Buffer Overflow |
| CVE-2021-45046 | Apache | Log4j | RCE | CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement (‘Expression Language Injection’) |
| CVE-2022-42475 | Fortinet | FortiOS | Heap-based Buffer Overflow | CWE-787: Out-of-bounds Write |
| CVE-2022-24682 | Zimbra | Collaboration Suite | ‘Cross-site Scripting’ | CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) |
| CVE-2022-22536 | SAP | Internet Communication Manager (ICM) | HTTP Request Smuggling | CWE-444: Inconsistent Interpretation of HTTP Requests (‘HTTP Request/Response Smuggling’) |
| CVE-2022-22963 | VMware Tanzu | Spring Cloud | RCE | CWE-94: Improper Control of Generation of Code (‘Code Injection’); CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement (‘Expression Language Injection’) |
| CVE-2022-29464 | WSO2 | Multiple Products | RCE | CWE-434: Unrestricted Upload of File with Dangerous Type |
| CVE-2022-27924 | Zimbra | Zimbra Collaboration Suite | Command Injection | CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’) |
| CVE-2022-22047 | Microsoft | Windows CSRSS | Elevation of Privilege | CWE-269: Improper Privilege Management |
| CVE-2022-27593 | QNAP | QNAP NAS | Externally Controlled Reference | CWE-610: Externally Controlled Reference to a Resource in Another Sphere |
| CVE-2022-41082 | Microsoft | Exchange Server | Privilege Escalation | None Listed |
| CVE-2022-40684 | Fortinet | FortiOS, FortiProxy, FortiSwitchManager | Authentication Bypass | CWE-306: Missing Authentication for Critical Function |

Mitigations: Best Practices for Vendors, Developers, and End-User Organizations

The report emphasized the need for collaboration and proactive measures from both vendors and end-user organizations to counter cyber threats effectively. Here are the recommended mitigations:

For Vendors and Developers

Identify Vulnerability Classes: Perform an analysis of CVEs and known exploited vulnerabilities to identify frequently targeted classes of vulnerabilities. Implement appropriate mitigations to eliminate these classes.

Secure by Design and Default: Follow the Secure Software Development Framework (SSDF) and implement secure design practices throughout the software development life cycle (SDLC). Establish a coordinated vulnerability disclosure program to address discovered vulnerabilities.

Secure-By-Default Configurations: Prioritize secure-by-default configurations such as eliminating default passwords and providing high-quality audit logs with no additional configuration.

For End-User Organizations

Timely Patching: Apply timely patches to systems, prioritizing known exploited and critical vulnerabilities.

Multifactor Authentication (MFA): Enforce phishing-resistant MFA for all users, especially for remote access.

Network Protection: Properly configure and secure internet-facing network devices, disable unused network ports, protocols, and services, and use web application firewalls to monitor and filter web traffic.

Identity and Access Management (IAM): Enforce least privilege, regularly review and validate privileged accounts, and control the use of native scripting applications.

Vulnerability and Configuration Management: Update software and firmware promptly, conduct regular system backups, and maintain an updated incident response plan.
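
One way to apply the Timely Patching recommendation is to rank scanner findings so that the Table 1 CVEs on internet-facing hosts come first. The following is an added example, not code from the advisory or from this site: the scanner export, its column names, the host names, the `CVE-2099-*` placeholder ids and the four-tier ordering (including the 9.0 "critical" cut-off) are assumptions made for illustration.

```python
import csv
import io
import re

# The 12 CVEs from Table 1 of this article (top routinely exploited in 2022).
TABLE_1 = {
    "CVE-2018-13379", "CVE-2021-34473", "CVE-2021-31207", "CVE-2021-34523",
    "CVE-2021-40539", "CVE-2021-26084", "CVE-2021-44228", "CVE-2022-22954",
    "CVE-2022-22960", "CVE-2022-1388", "CVE-2022-30190", "CVE-2022-26134",
}

# Tolerates case differences and stray spaces such as "CVE-2021- 44228".
CVE_RE = re.compile(r"CVE\s*-\s*(\d{4})\s*-\s*(\d{4,})", re.IGNORECASE)

# Constructed scanner export: hosts, scores and exposure flags are made up,
# and the CVE-2099-* ids are placeholders, not real identifiers.
SAMPLE_CSV = """host,cve,cvss,internet_facing
wiki01,CVE-2022-26134,9.8,yes
build07,cve-2021- 44228,10.0,no
vpn-edge,CVE-2018-13379,9.8,yes
db03,CVE-2099-0001,9.1,no
print02,CVE-2099-0002,5.3,no
"""

def normalize_cve(raw):
    """Return the canonical CVE-YYYY-NNNN form; fail loudly on anything else."""
    m = CVE_RE.fullmatch(raw.strip())
    if m is None:
        raise ValueError(f"not a CVE identifier: {raw!r}")
    return f"CVE-{m.group(1)}-{m.group(2)}"

def tier(cve, cvss, exposed):
    """Assumed ordering: 0 = Table 1 CVE on an internet-facing host,
    1 = Table 1 CVE elsewhere, 2 = score >= 9.0 but not in Table 1, 3 = rest."""
    if cve in TABLE_1:
        return 0 if exposed else 1
    return 2 if cvss >= 9.0 else 3

def triage(csv_text):
    """Parse a scanner export and return (tier, host, cve) in patching order."""
    rows = []
    for rec in csv.DictReader(io.StringIO(csv_text)):
        cve = normalize_cve(rec["cve"])
        cvss = float(rec["cvss"])
        exposed = rec["internet_facing"].strip().lower() == "yes"
        # Sort key: tier first, then highest score, then host name.
        rows.append((tier(cve, cvss, exposed), -cvss, rec["host"], cve))
    rows.sort()
    return [(t, host, cve) for t, _, host, cve in rows]

if __name__ == "__main__":
    for t, host, cve in triage(SAMPLE_CSV):
        print(f"tier {t}  {host:<9} {cve}")
```

A malformed identifier raises instead of being skipped, so a finding is never silently dropped from the patch queue.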

Final Thoughts

The joint Cybersecurity Advisory (CSA) from leading cybersecurity agencies serves as a crucial resource to understand the threat landscape of 2022. By prioritizing secure-by-design principles, timely patching, and robust identity and access management, both vendors and end-user organizations can significantly reduce the risk of compromise by malicious cyber actors. A collaborative effort between stakeholders and the adoption of best practices can pave the way for a more secure digital environment.

The article is largely based on the Cybersecurity Advisory released by CISA.gov in August 2023. See the original advisory at cisa.gov.

Steven Black (n0tst3)
Hello! I'm Steve, an independent security researcher, and analyst from Scotland, UK. I've had an avid interest in Computers, Technology and Security since my early teens. 20 years on, and, it's a whole lot more complicated... I've assisted Governments, Individuals and Organizations throughout the world. Including; US DOJ, NHS UK, GOV UK. I'll often reblog infosec-related articles that I find interesting. On the RiSec website, You'll also find a variety of write-ups, tutorials and much more!