Dive Brief:
- Threat actors are trying to exploit some of the worst software vulnerabilities seen in 2021, including Log4j and Microsoft Exchange server, according to an advisory issued by U.S. and allied cyber authorities last week. Authorities urged companies to immediately patch their systems and take other mitigation steps.
- Malicious threat actors are exploiting the vulnerabilities, including Log4Shell (CVE-2021-44228), the ProxyLogon and ProxyShell vulnerabilities in Microsoft Exchange Server, and a vulnerability affecting Atlassian Confluence Server and Data Center (CVE-2021-26084), according to the advisory from the FBI, the Cybersecurity and Infrastructure Security Agency and other allied cyber agencies. The vulnerabilities, to varying degrees, allowed outside actors to execute arbitrary code on targeted systems.
- Affiliates of the Hive, Conti and Avoslocker ransomware operators have recently gained initial access to systems through spear phishing, weak remote desktop protocol (RDP) credentials, and exploitation of vulnerabilities in Log4j, Microsoft Exchange and Fortigate Firewall (CVE-2018-13379 and CVE-2018-13374).
Dive Insight:
The vulnerabilities, though not new, were among the most widely seen during 2021. At least three of them were also routinely exploited during 2020, including CVE-2018-13379, CVE-2019-11510 and CVE-2020-1472.
Organizations should update software, operating systems, firmware and applications in a timely manner, according to the advisory. Any software that has reached its end-of-life term, where the vendor no longer supports the product, requires replacement.
Companies unable to quickly scan and patch should consider a reputable cloud service provider or managed service provider, according to the advisory. Multifactor authentication must be implemented and enforced without any exceptions.
Such warnings about vulnerabilities have escalated in frequency and tone over the past six months and demonstrate a heightened level of concern about threat actors using the same techniques to exploit the same vulnerabilities across various organizations, said Katell Thielemann, research VP at Gartner, via email.
Vulnerabilities are now appearing everywhere, because for most vendors, speed to market is a higher priority than secure to market.
“We are also facing a vicious cycle,” Thielemann said. “More vulnerabilities are being disclosed, which lets bad actors know where they are, while vendors and end users face the daunting task of fielding patches and performing updates on multiple fronts.”
Symantec researchers say it's hard to pinpoint why organizations are not properly patching their systems.
“It could be that they haven’t prioritized it sufficiently or it could be a case where they haven’t audited their systems well and accordingly missed some when patching,” said Dick O’Brien, principal editor at the Symantec Threat Hunter team.
Organizations are still downloading a large number of vulnerable software versions, according to Sonatype. Over the last 24 hours, starting Sunday morning, 37% of developers were still downloading vulnerable versions of Log4j. Meanwhile 81% of developers have downloaded potentially vulnerable versions of Spring4Shell since March 31.
“We are aware of a potential exploit and are actively monitoring the situation,” according to a statement issued last week from NHS Digital in the U.K. “We will support our partners with the system response to this critical vulnerability and will continue to provide guidance to NHS organizations.”