The UK’s National Cyber Security Centre (NCSC) and its Australian and US counterparts have today published an advisory highlighting the most widely exploited common vulnerabilities and exposures (CVEs) of the year so far, and the 30 most exploited of 2020.
The three agencies said that given the ongoing pandemic and the associated pivot to remote working and use of virtual private networks (VPNs) and cloud services, malicious actors have ramped up their targeting of vulnerabilities in perimeter-type devices, placing an additional burden on defenders who are already struggling to keep pace with their routine patching requirements.
“The advisory published today puts the power in every organisation’s hands to fix the most common vulnerabilities, such as unpatched VPN gateway devices,” said NCSC operations director Paul Chichester.
“Working with our international partners, we will continue to raise awareness of the threats posed by those that seek to cause harm.”
Eric Goldstein, executive assistant director for cyber security at the Cybersecurity and Infrastructure Security Agency (CISA), added: “Organisations that apply the best practices of cyber security, such as patching, can reduce their risk to cyber actors exploiting known vulnerabilities in their networks.
“Collaboration is a crucial part of CISA’s work, and today we partnered with ACSC, NCSC and FBI to highlight cyber vulnerabilities that public and private organisations should prioritise for patching to minimise risk of being exploited by malicious actors.”
The most exploited vulnerabilities of 2020 included multiple remote code execution vulnerabilities in products from the likes of Atlassian, Drupal, F5 BIG-IP, Microsoft, MobileIron and Telerik, alongside the infamous CVE-2019-19781, an arbitrary code execution vulnerability in Citrix, and other bugs in Fortinet and Pulse Secure products and in Microsoft’s Netlogon protocol. Many of them are still being widely exploited today.
The 2021 list includes the vulnerabilities exploited in widespread attacks conducted through Accellion FTA, Microsoft Exchange Server, Fortinet, Pulse Secure and VMware. The full list, which also contains further technical information, is available to download from CISA.
The agencies urged end users to do their utmost to update software as soon as is practical once patches are made available by the supplier concerned; this remains the single most effective practice for mitigating CVEs. Automating software updates where possible is a good start.
Failing this, organisations should prioritise patching for CVEs that are already known to be being exploited or that are accessible to the largest number of potential attackers, such as systems that face the public internet.
If cyber defence resources are scarce, focusing on mitigating the most common vulnerabilities both bolsters network security and impedes the ability of malicious actors to compromise target systems.
As an example, CVE-2019-11580, an RCE vulnerability in Atlassian’s Crowd centralised identity management application, was one of the bugs most relied upon by nation-state-backed groups in 2020. Had Atlassian users focused on patching it at the time, they could have significantly hampered attackers’ ability to compromise their victims by forcing them to spend time finding alternatives.