Vulnerability Management

Top exploit list highlights the long tail of some vulnerabilities

Exterior of the Citrix Systems headquarters in Santa Clara, Calif. A flaw in Citrix’s Application Delivery Controller is the top exploited vulnerability in 2020 and 2021, according to the U.S., U.K. and Australian governments. (Citrix Systems Inc. CC BY 3.0)

Much of the security news cycle is centered around the most recent vulnerability, the newest exploits and the latest campaigns. A joint security advisory released by three members of the Five Eyes alliance serves as a reminder that it’s often last month’s (or last year’s) bug that gets you compromised.

The U.S. Cybersecurity and Infrastructure Security Agency and FBI, along with their counterparts in the U.K. and Australia, released a list detailing the 30 vulnerabilities most commonly exploited against organizations in 2020 and 2021. Many are old but not ancient, having been discovered in the past two years, and they usually affect popular products from major companies or vendors.

CISA noted that the pandemic year of 2020 saw an uptick in attackers exploiting more recent vulnerabilities, something the agency says is “probably” related to the expansion of telework.

“The rapid shift and increased use of remote work options, such as virtual private networks (VPNs) and cloud-based environments, likely placed additional burden on cyber defenders struggling to maintain and keep pace with routine software patching,” the agency surmised.

Unsurprisingly, remote code execution bugs affecting major vendor products dominated the list. Eight of the top 12 vulnerabilities allow for remote or arbitrary code execution, including the most popular: a 2019 vulnerability in Citrix Application Delivery Controller and Gateway software that the NSA described as critical and that CISA initially said was “unlikely” to be detected by IT security teams due to its reliance on encrypted SSL traffic.

Other examples of RCE madness include a memory corruption bug in Microsoft Office that dates all the way back to 2017. Ironically, Microsoft’s Security Response Center page still classifies this CVE as “less likely” to be exploited in the wild. Another is a 2019 flaw affecting Atlassian’s Crowd identity management software that allows an unauthenticated user to install plugins that let them take control of vulnerable systems; it scored a 9.8 for severity.

Notable non-RCE vulnerabilities in 2020 included privilege escalation bugs like ZeroLogon and a path traversal flaw in Fortinet’s VPN software.

Many security researchers talk about a dissolving network boundary, but CISA said 2021 was mostly defined by high-profile exploitations of “perimeter-like devices.” That includes the Microsoft Exchange server vulnerabilities, Pulse Connect Secure VPN weaknesses that were used to breach both federal agencies and the private sector, and a chain of bugs used to steal data from Accellion’s File Transfer Application system.

The list largely reinforces a lamentable but undeniable reality: many organizations struggle to keep up with their patching backlog, whether due to neglect, interoperability challenges or lack of time and resources. Security researchers and media reporting often focus on the latest campaign or malware, and eventually some patches get deprioritized, lost in the shuffle or fade into the background over time.

“You can't patch ‘all the things’ and defenders are drowning in vulnerabilities,” said Rick Holland, CISO for cybersecurity firm Digital Shadows.

State and criminal hacking groups have grasped this reality and are happy to feed on the organizations that fall behind the patching cycle. It’s cheaper, and it mucks up attribution by allowing a group’s activity to blend in with other malicious groups that use the same exploits. This week, Intel471 noted how ransomware actors in particular pay close attention to CVE research and excel at exploiting the lag in these patching windows.

“As the government agencies report, the majority of the top vulnerabilities in 2020 have been discovered in the last few years and have patches available,” said Tenable senior research engineer Claire Tills. “This is consistent with what the security industry has warned organizations about for years: bad actors go after the low-hanging fruit in networks.”

If a patch is not feasible, many of the vulnerabilities can be mitigated with workarounds or detected using indicators of compromise. Teams that struggle to keep up their patching cadence should shift to prioritize updates for vulnerabilities like these where there is evidence of active exploitation.

Ilia Kolochenko, founder of penetration testing company ImmuniWeb, said the list highlights how malicious hacking groups are gravitating towards both high-impact flaws and products with wide market reach.

“First, cybercriminals mostly target critical-risk vulnerabilities that give you full access to the vulnerable system. Second, they exploit both newly disclosed vulnerabilities, while unprepared companies remain unpatched, and pretty old ones coming from 2020 or even 2019 that are still exploitable due to persistent shadow IT or poor IT asset inventory,” said Kolochenko in a statement. “Finally, the targeted software vendors are mostly used by large enterprises (Drupal is an exception), indicating that cybercriminals are looking for a big fish.”

“One of the truths of [incident response] is net new is rare, we see a lot of the same stories over and over again,” Matthew Olney, director of threat intelligence at Cisco, said on Twitter in reaction to the list. “If you don’t know where to start, start here to remove whole collections of actors from your problem space.”

Derek B. Johnson

Derek is a senior editor and reporter at SC Media, where he has spent the past three years providing award-winning coverage of cybersecurity news across the public and private sectors. Prior to that, he was a senior reporter covering cybersecurity policy at Federal Computer Week. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.
