CISA has published a joint advisory co-authored with the NSA, the FBI, and partner agencies from the Five Eyes (FVEY) countries.
The report summarizes the CVEs that threat actors exploited most frequently.
According to the report, threat actors have been relying on older, already-known software vulnerabilities rather than recently disclosed ones. Unpatched systems exposed to the internet were the most common targets.
The following vulnerabilities have been most often exploited in 2022:
- CVE-2018-13379 is a path traversal flaw in the Fortinet SSL VPN web portal
- CVE-2021-34473, CVE-2021-31207, CVE-2021-34523 are ProxyShell vulnerabilities affecting Microsoft Exchange servers that, combined, enable pre-authenticated remote code execution
- CVE-2021-40539 is an authentication bypass vulnerability in Zoho ManageEngine AD SelfService Plus
- CVE-2021-26084 is an object-graph navigation language (OGNL) injection vulnerability that could allow an unauthenticated threat actor to execute arbitrary code on a Confluence Server or Data Center instance
- CVE-2021-44228 (aka Log4Shell) is a remote code execution vulnerability in Apache Log4j, a popular Java logging library, that allows a threat actor to execute arbitrary code by submitting a specially crafted request, giving them full control of the system.
- CVE-2022-22954, CVE-2022-22960 are RCE, privilege escalation, and authentication bypass vulnerabilities in VMware Workspace ONE Access, Identity Manager, and other VMware products.
- CVE-2022-1388 is a vulnerability in F5 BIG-IP that could allow unauthenticated threat actors to execute arbitrary system commands, create or delete files, or disable services.
- CVE-2022-30190 is a remote code execution vulnerability affecting the Microsoft Windows Support Diagnostic Tool (MSDT) that could allow a remote, unauthenticated threat actor to take control of the system.
- CVE-2022-26134 is a remote code execution vulnerability in Atlassian Confluence Data Center and Server.
Other frequently exploited vulnerabilities listed in the report affect products from the following vendors:
- Citrix CVE-2019-19781
- Microsoft CVE-2017-0199, CVE-2017-11882, CVE-2020-1472, CVE-2021-26855, CVE-2021-27065, CVE-2021-26858, CVE-2021-26857, CVE-2022-41082
- Ivanti CVE-2019-11510
- SonicWALL CVE-2021-20021, CVE-2021-20038
- Fortinet CVE-2022-42475, CVE-2022-40684
- QNAP CVE-2022-27593
Vendors and developers are advised to audit their environments to identify the classes of vulnerabilities being exploited and eliminate them, implement secure design practices, prioritize secure-by-default configurations, and follow the Secure Software Development Framework (SSDF).
Organizations are advised to apply available software updates and patches in a timely manner, perform secure system backups, maintain a cybersecurity incident response plan, implement robust identity and access management policies, ensure that internet-facing network devices are secured, implement Zero Trust Network Architecture, and improve their supply-chain security.