It's an old story with an old twist.
The most-frequently exploited vulnerabilities in 2022 include older bugs and high-profile flaws affecting major products, according to a new joint cybersecurity advisory from Five Eyes governments.
The advisory, signed by multiple agencies from the U.S., UK, Australian, Canadian and New Zealand governments, puts the focus on a persistent problem in cybersecurity. Namely, that the vulnerabilities most often leveraged by ransomware actors, nation states and cybercriminal groups have often already been discovered, disclosed and patched for years.
Like previous years, the list highlights how exploiting years-old vulnerabilities in unpatched systems still dominate the threat landscape. Organizations are more likely to be compromised a bug found in 2021 or 2020 than they are ones discovered over the past year.
Bugs by the numbers
Half of the 12 vulnerabilities listed by the governments allow for remote code execution – unsurprising but a reminder of why such security researchers tend to sound the alarm bells around such vulnerabilities, even when the chances of exploitability may be low or in dispute.
The oldest vulnerability listed in the top 12, an SSL Virtual Private Network bug affecting FortiOS and Fortiguard (CVE-2018-13379) that can expose credentials, dates back to 2018. It was also listed in the 2020 and 2021 advisories and its continued exploitation “indicates that many organizations failed to patch software in a timely manner and remain vulnerable” today, the agencies warn.
“Malicious cyber actors generally have the most success exploiting known vulnerabilities within the first two years of public disclosure—the value of such vulnerabilities gradually decreases as software is patched or upgraded,” the advisory states.
To that end, some of the highest-profile vulnerabilities you read about in the news over the past few years show up on this year’s list. They include three bugs related to Proxy Shell affecting Microsoft Exchange that were discovered in 2021 (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207), the 2021 Atlassian Confluence bug that allows for arbitrary code execution (CVE-2021-26084)
Also on the list is Log4Shell (CVE-2021-44228), the Apache open-source vulnerability that is embedded in thousands of software products and that was the subject of a coordinated global mitigation effort for much of 2022. While officials in government and industry hasve hailed those efforts for significantly reducing the amount of vulnerable applications, the corrupted code is so popular (and laborious to find and patch) that it continues to find traction with attackers.
The bigger the come the bigger the bug count
The exception to that rule is that some new bugs – particularly ones that impact a wide range of products or organizations – do receive a flurry of initial attention from threat actors who race to exploit them before patches or widespread awareness take hold. It’s why the top 12 – and many of the 30 additional vulnerabilities listed – are almost entirely populated by flaws affecting products in major providers like Microsoft, Fortinet, F5 Networks, VMWare and Oracle.
Microsoft – already under fire from the security community and policymakers following its less than forthcoming response to disclosures last month of a stolen encryption key that was used by Chinese hackers to compromise multiple federal agencies (and possibly more) – stands out. Four of the top 12 vulnerabilities affect their products, as do 10 of the 30 additional vulnerabilities on the list. It’s a reflection of both Microsoft’s vast global reach in the software, cloud and hardware markets and a reminder that the company’s products continue to serve as the most direct entry point for cybercriminal groups and nation states.
Proof-of-Concept double edge sword
A key part of legitimate security research often involves the creation and sharing of “proof-of-concept” code that can demonstrate whether and how easily a flaw can be exploited in a victim environment. However, the agencies claim that the availability of such code for many of the vulnerabilities on this year list “likely” contributed to “facilitating exploitation by a broader range of malicious cyber actors.”
The agencies urge vendors and developers to do more than simply patch a bug when it’s brought to their attention. Rather, if they continue to see multiple versions of the same type of bug in their products, it’s a clear sign that further root cause analysis will discover additional pathways to exploitation inherent in the code.
One example of this phenomenon can be found in this year’s biggest hack: Progress Software’s MOVEit file transfer service. After disclosing an initial SQL injection vulnerability in late May, the company has made at least two more updates over the past two months to patch multiple SQL injection vulnerabilities discovered in the same products since. While only one of those vulnerabilities is known to have been exploited in the wild, the Cl0p extortion group has listed more than 500 victims from the MOVEit hack alone on its dark web leak site.
“Business leaders should ensure that proactive steps [are taken] to eliminate entire classes of security vulnerabilities, rather than only making one-off patches when new vulnerabilities are discovered,” the advisory states.
They should also prioritize “secure by default” design principles and configurations in their products, such as eliminating default passwords, implementing trusted single-sign-on solutions and allowing for high-quality audit logging.
To see a full list of 2022 exploited vulnerabilities, click here.
