The Cybersecurity Advisory (CSA) co-authored, along with multiple international government cybersecurity and law enforcement organizations, published details on the top 15 Common Vulnerabilities and Exposures (CVEs) routinely exploited by malicious cyber actors in 2021.
The most commonly exploited vulnerabilities include Log4Shell, ProxyLogon, ProxyShell, ZeroLogon and others.
The report was jointly published by the CSA, the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), New Zealand National Cyber Security Centre (NZ NCSC), and United Kingdom’s National Cyber Security Centre (NCSC-UK).
Late last year, researchers had previously discovered the Critical Log4Shell vulnerability (CVE-2021-44228) in Apache Log4j logging utility that can result in remote code execution (RCE) by logging a certain string. Multiple other Log4j vulnerabilities were subsequently found in the weeks that followed.
Earlier this year, researchers from FortiLabs had detected a new cyber campaign involving Chinese Advanced Persistent Threat (APT) group Deep Panda that has exploited the Log4Shell (log4j) vulnerability CVE-2021-44228 on vulnerable VMware Horizon servers to install digitally signed Fire Chili rootkits.
Just last month, security researchers found nearly “60% of packages” and millions of Java apps are likely affected by the Log4Shell vulnerability and have not been patched for the same issue.
The ProxyLogon vulnerabilities consist of multiple Microsoft Exchange email server vulnerabilities (CVE-2021-26855, CVE-2021-26858, CVE-2021-26857, and CVE-2021-27065) that could be exploited in combination (i.e., “vulnerability chaining”) of one or more of these to take over unpatched Exchange systems.
In early March 2021, Microsoft released emergency out-of-band security updates to fix multiple Critical vulnerabilities impacting Microsoft Exchange Server 2013, 2016 and 2019, collectively known as “ProxyLogon.”
Shortly after the patches were made available, the FBI and CISA assessed the ProxyLogon threat and warned that it was likely nation-state actors and cyber criminals were exploiting these vulnerabilities in order to gain persistent access of compromised servers and take control of an enterprise network.
Moreover, the Check Point Research (CPR) team had observed thousands of exploit attempts against organizations worldwide – such as a “ten-fold increase” in attempted attacks between March 11 and March 15, 2021.
“Global experts are using massive preventative efforts to combat hackers who are working day-in and day-out to produce an exploit that can successfully leverage the remote code execution vulnerabilities in Microsoft Exchange,” the Check Point team warned.
The ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) were patched by Microsoft as part of May 2021 patch updates. One of those, CVE-2021-34473, could result in remote code execution.
In August, 2021, researchers from Huntress discovered Cyberattackers were scanning and exploiting ProxyShell vulnerabilities on unpatched Microsoft Exchange servers.
As revealed by Threatpost, researchers also discovered threat actors were exploiting ProxyShell vulnerabilities to deliver LockFile ransomware.
CISA also issued an urgent alert on the ProxyShell vulnerability exploits on August 21, 2021.
The Zerologon vulnerability CVE-2020-1472 could allow attackers to hijack Windows domain controllers.
Although Microsoft issued the patch for the vulnerability as part of the August 2020 security updates, research soon followed that suggested exploit code was publicly available.
“An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network,” Microsoft stated in the advisory in August 2020.
In October, 2020, CISA and FBI warned that advanced persistent threat actors (APTs) were discovered exploiting multiple legacy internet-facing vulnerabilities in combination with Zerologon to target government networks, critical infrastructure, and elections organizations.
What is also interesting is CVE-2020-1472 and two older Top 15 vulnerabilities (CVE-2018-13379 and CVE-2019-11510) were also routinely exploited in 2020.
Atlassian released security updates on August 25, 2021 to patch a remote code execution vulnerability (CVE-2021-26084) in Confluence Server and Data Center.
The following month, researchers from Bad Packets sent out a tweet warning “mass scanning and exploit activity” regarding the Confluence vulnerability CVE-2021-26084 in the wild.
The Australian Cyber Security Centre (ACSC) also issued an alert on the issue.
Rounding out the remaining Top 15 most commonly exploited vulnerabilities include two older vulnerabilities (CVE-2018-13379 and CVE-2019-11510) also routinely exploited in 2020 and three other vulnerabilities:
|CVE-2021-40539||Zoho ManageEngine AD SelfService Plus RCE|
|CVE-2021-21972||VMware vSphere Client RCE|
|CVE-2020-0688||Microsoft Exchange Server RCE|
|CVE-2019-11510||Pulse Secure Pulse Connect Secure Arbritrary File Reading|
|CVE-2018-13379||Fortinet FortiOS and FortiProxy Patch Traversal|
- Researchers discover Critical RCE 0-day “Log4Shell” vulnerability (CVE-2021-44228) in Apache Log4j logging utility (update)
- Millions of Java apps still vulnerable to Log4Shell
- Deep Panda APT group launches new attacks against Log4Shell vulnerability to install Fire Chili rootkits
- Threat hunters discover Aquatic Panda Log4Shell exploit attempts
- Cyberattackers exploiting ProxyShell vulnerabilities
- Exploit code available for ‘Zerologon’ vulnerability (CVE-2020-1472) that affects Microsoft Netlogon
- APT actors exploit legacy internet-facing vulnerabilities in combination with Zerologon to target organizations
- Atlassian Confluence Server and Data Center vulnerability (CVE-2021-26084) exploits in the wild