The Top 15 Most Routinely Exploited Vulnerabilities of 2021Log4Shell, ProxyShell, ProxyLogon, ZeroLogon and Zoho Bugs Are Priorities to Patch
The Five Eyes intelligence alliance - comprising Australia, Canada, New Zealand, the United Kingdom and the United States - has released a joint advisory that contains a set of the 15 most routinely exploited vulnerabilities in the past year. Nine of the 15 vulnerabilities allow remote code execution to malicious actors, and the rest include privilege escalation, security bypass and path traversal, among other flaws.
The list includes CVEs for the Log4Shell, ProxyShell, ProxyLogon, ZeroLogon, Zoho ManageEngine AD SelfService Plus, Atlassian Confluence and VMware vSphere Client vulnerabilities.
Also, eight of the 15 top vulnerabilities that were routinely exploited affected Microsoft Exchange Servers, according to the advisory.
Rob Joyce, director of cybersecurity at the National Security Agency, urges everyone to take note of these vulnerabilities and mitigate and patch them as soon as possible, saying, "These are the unlocked doors!"
We know these CVEs were frequently exploited in 2021, including some disclosed in 2020 or earlier. Mitigate and patch. These are the unlocked doors! https://t.co/LjMkdqaIVo— Rob Joyce (@NSA_CSDirector) April 27, 2022
No prizes for guessing what tops this list - Log4Shell aka Log4j. Tracked as CVE-2021-44228, the Log4Shell vulnerability exists in Apache's Log4j library, which is a popular open-source logging framework used in thousands of products worldwide. It is touted as one of the most severe vulnerabilities detected in recent years and has a CVSS severity score of 10 out of 10. A recent report from security firm Kaspersky says that although Log4Shell exploitations have slowed down, the attack vectors still remain open and vulnerable (see: Log4j Exploitations Have Slowed, But Attack Vectors Remain)
Up to the end of January 2022, Kaspersky alone says it has detected and prevented more than 150,000 attempts to strike networks by leveraging this vulnerability.
Next up in the list are the four ProxyLogon vulnerabilities tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065. These vulnerabilities affect Microsoft Exchange Servers and, subsequently, the systems affected are Exchange Server 2010 RU31 for Service Pack 2, 2013 CU 23, 2016 CU 18 and CU 19; and 2019 CU7 and CU8.
"Successful exploitation [of ProxyLogon vulnerabilities] may additionally enable the cyber actor to compromise trust and identity in a vulnerable network," the joint advisory says.
Security researchers from Eset reported that at least 10 APT groups were known to be exploiting the flaws just before Microsoft deployed its patches (see: Microsoft Exchange: At Least 10 APT Groups Exploiting Flaws).
Another set of vulnerabilities that affects Microsoft Exchange Servers is the ProxyShell vulnerabilities tracked as CVE-2021-34523, CVE-2021-34473 and CVE-2021-31207. Successful exploitation of these vulnerabilities in combination enables a remote actor to execute arbitrary code, according to the advisory.
It adds: "These vulnerabilities reside within the Microsoft Client Access Service (CAS), which typically runs on port 443 in Microsoft Internet Information Services (IIS) (e.g., Microsoft’s web server). CAS is commonly exposed to the internet to enable users to access their email via mobile devices and web browsers."
Zoho ManageEngine Vulnerability
One more critically rated vulnerability, with a CVSS score of 9.8, is listed in the top 15: the flaw in Zoho ManageEngine AD SelfService Plus. Tracked as CVE-2021-40539, the flaw is observed in the self-service password management and single sign-on tool of Zoho. "If successfully exploited, an attacker can use the vulnerability to then plant malicious web shells within a network. From there, the attacker can then compromise credentials, move laterally through a network and exfiltrate data, including from registry hives and Active Directory files," according to a joint alert from CISA, the FBI and the U.S. Coast Guard Cyber Command.
The Zoho ManageEngine vulnerability is clearly still being exploited, and one notable example is the recent successful attack on the International Committee of the Red Cross. In its technical analysis, the ICRC said that unnamed threat actors exploited the unpatched CVE-2021-40539 flaw to target their systems, which indirectly affected more than 515,000 highly vulnerable people (see: Unpatched Zoho Bug Exploited in Red Cross Attack)
The complete list of top routinely exploited vulnerabilities in 2021 is as follows:
The advisory says these vulnerabilities are widely exploited because for "most of the top exploited vulnerabilities, researchers or other actors released proof of concept (PoC) code within two weeks of the vulnerability's disclosure, likely facilitating exploitation by a broader range of malicious actors."
But experts such as Yiftach Keshet, director of product marketing at Silverfort, say that Log4Shell, ProxyShell and ProxyLogon provide attackers with a reliable and efficient Initial Access method, overcoming the uncertainty associated with using weaponized emails for the same purpose.
Keshet tells Information Security Media Group that "in email-based attacks, the attacker doesn't know in advance whether the targeted person will indeed open the email and if so, whether he/she will be lured to open the malicious attachment or click the malicious link. With these vulnerabilities, the attacker is in full control all the way - if the server is vulnerable, it will get compromised." He says this is reason enough for them to rely more on the exploitation of these vulnerabilities.
Bud Broomhead, CEO at Viakoo, a provider of automated IoT cyber hygiene, says all the top 15 vulnerabilities "share characteristics that make them widely exploitable: They attack widely used systems (e.g., MS Exchange Server), where the vulnerability can be present in multiple systems (e.g., Log4Shell) and often are managed outside the IT organization (e.g., QNAP QTS).
Organizations should expect to see these open-source and IoT/OT attack vectors continue to grow in both volume and severity and get prepared now to address them better, Broomhead says.
Dated Vulnerabilities Reappear
Three of the top 15 CVEs in 2021 apparently were also listed in 2020. CVE-2020-1472 -ZeroLogon, CVE-2018-13379 and CVE-2019-11510 have been relisted, which shows that many organizations fail to patch software and thus remain vulnerable to known attack vectors - even after repeated warnings, some security experts say.
Professor John Goodacre, director of the UKRI's Digital Security by Design challenge and a professor of computer architectures at the University of Manchester, tells ISMG, "The Five Eye's alert on top vulnerabilities highlights two things: There is an ever-increasing list of issues, and keeping on top of patching is unsustainable as the sole solution to block vulnerabilities from exploitation."
When we see vulnerabilities such as "pkexec" existing in systems for over 10 years, we must ask: How many other unknown vulnerabilities are still to be patched? The recent Stormous ransomware group's confident question, "Who should we hack next?" would suggest they know of some currently unreported vulnerability that they can use to get into most systems, Goodacre says.
He suggests that programs involving security by design in collaboration with Arm, Microsoft, Google and many others should be used as they can block the exploitation of even unknown vulnerabilities.
All the dated vulnerabilities mentioned above have patches available. But then why are they not patched? Sam Curry, chief security officer at Cybereason, says it is because not all patches are created equal. "There are still, for instance, Heartbleed-affected systems out there. In some cases, the lack of a patch or the lack of patch deployment is related to the impact on running systems and QA. And in some cases, a patch can't be deployed without a lot of other upgrades and changes in physical hardware or firmware, if at all."
Jamie Graves, CEO of application security platform Uleska, says there are a number of other reasons for enterprises and organizations not being able to patch known vulnerabilities. "It could be that the organizations do not even know they are running a vulnerable system."
Graves says a system also may remain unpatched because it is a critical system and therefore hard to patch due to the downtime involved. "If this is the case, then the organization must have deployed compensatory measures to reduce the risk of a breach," he says.