Cybersecurity authorities publish a joint advisory on most frequently exploited vulnerabilities

May 3, 2022 |

The Cybersecurity and Infrastructure Security Agency (‘CISA’) along with:

  • the Federal Bureau of Investigation (‘FBI’),
  • National Security Agency (‘NSA’),
  • Australian Cyber Security Centre (‘ACSC’),
  • Canadian Centre for Cyber Security (‘CCCS’),
  • New Zealand National Cyber Security Centre (‘NCSC’), and the UK’s National Cyber Security Centre (‘NCSC’),

has published a joint cybersecurity advisory, titled ‘2021 Top Routinely Exploited Vulnerabilities’.

The advisory provides a detailed overview of the 15 most commonly exploited cybersecurity vulnerabilities and exposures of 2021.

The advisory aims to help organisations prioritise their mitigation strategies, and highlights the importance of prioritising several mitigation measures related to:

  • vulnerability and configuration management;
  • identity and access management; and
  • protective controls and architecture.

The  press release relevantly provides:

The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), New Zealand National Cyber Security Centre (NZ NCSC), and the United Kingdom’s National Cyber Security Centre (NCSC-UK) issued a joint Cybersecurity Advisory today on the common vulnerabilities and exposures (CVEs) frequently exploited by malicious cyber actors, including the 15 most commonly exploited of 2021.?? 

Malicious cyber actors continue to aggressively target disclosed critical software vulnerabilities against broad target sets in both the public and private sectors. While the top 15 vulnerabilities have previously been made public, this Advisory is meant to help organizations prioritize their mitigation strategies.

The cybersecurity authorities recommend the following prioritized mitigation measures:??? 

    • Vulnerability and configuration management, including updating software, operating systems, applications, and firmware, with a prioritization on patching known exploited vulnerabilities; implementing a centralized patch management system; and replacing end-of-life software.?? 
    • Identity and access management, including enforcing multi-factor authentication (MFA) for all users; if MFA is unavailable, require employees engaging in remote work to use strong passwords; and regularly reviewing, validating, or removing privileged accounts.??? 
    • Protective controls and architecture, including properly configuring and secure internet-facing network devices, disabling unused or unnecessary network ports and protocols, encrypting network traffic, and disabling unused network services and devices.??? 

“We know that malicious cyber actors go back to what works, which means they target these same critical software vulnerabilities and will continue to do so until companies and organizations address them,” said CISA Director Jen Easterly. “CISA and our partners are releasing this advisory to highlight the risk that the most commonly exploited vulnerabilities pose to both public and private sector networks. We urge all organizations to assess their vulnerability management practices and take action to mitigate risk to the known exploited vulnerabilities.” ? 

“This report should be a reminder to organizations that bad actors don’t need to develop sophisticated tools when they can just exploit publicly known vulnerabilities,” said NSA Cybersecurity Director Rob Joyce. “Get a handle on mitigations or patches as these CVEs are actively exploited.” 

“The FBI, together with our federal and international partners, is providing this information to better arm our private sector partners and the public to defend their systems from adversarial cyber threats,” said FBI’s Cyber Division Assistant Director Bryan Vorndran. “Though the FBI will continue to pursue and disrupt this type of malicious cyber activity, we need your help. We strongly encourage private sector organizations and the public to implement these steps to mitigate threats from known vulnerabilities, and if you believe you are a victim of a cyber incident, contact your local FBI field office.”? 

“Malicious cyber actors continue to exploit known and dated software vulnerabilities to attack private and public networks globally,” said Abigail Bradshaw, Head of the Australian Cyber Security Centre.?“The ACSC is committed to providing cyber security advice and sharing threat information with our partners, to ensure a safer online environment for everyone. Organisations can implement the effective mitigations highlighted in this advisory to protect themselves.”? 

“Cyber security best practices, including patch management, are essential tools for organizations to better protect themselves against malicious threat actors,” said Sami Khoury, Head of the Canadian Centre for Cyber Security. “We encourage all organizations to take action and follow the appropriate mitigations in this report against known and routinely exploited vulnerabilities, and make themselves more secure.”? 

“We are seeing an increase in the speed and scale of malicious actors taking advantage of newly disclosed vulnerabilities,” said Lisa Fong, Director of the New Zealand Government Communications Security Bureau’s National Cyber Security Centre (NCSC). “The NCSC works with international partners to provide timely access to critical cyber threat information. This joint advisory underscores the importance of addressing vulnerabilities as they are disclosed and better equips New Zealand organisations to secure their information and systems.”? 

“The NCSC and our allies are committed to raising awareness of global cyber vulnerabilities and presenting actionable solutions to mitigate them,” said Lindy Cameron, CEO of NCSC. “This advisory places the power in the hands of network defenders to fix the most common cyber weaknesses within the public and private sector ecosystem. Working with our international partners, we will continue to raise awareness of the threats posed by those which seek to harm us.” 

All organizations are encouraged to review and implement the recommended mitigations in this detailed joint CSA.??? 

The advisory is found here

To mitigate the problem the advisory recommends that:

Regarding Vulnerability and Configuration Management organisations and public authorities:

  • Update software, operating systems, applications, and firmware on IT network assets in a timely manner. Prioritize patching known exploited vulnerabilities, especially those CVEs identified in this CSA, and then critical and high vulnerabilities that allow for remote code execution or denial-of-service on internet-facing equipment. For patch information on CVEs identified in this CSA, refer to the appendix. 
    • If a patch for a known exploited or critical vulnerability cannot be quickly applied, implement vendor-approved workarounds.
  • Use a centralized patch management system.
  • Replace end-of-life software, i.e., software that is no longer supported by the vendor. For example, Accellion FTA was retired in April 2021.
  • Organizations that are unable to perform rapid scanning and patching of internet-facing systems should consider moving these services to mature, reputable cloud service providers (CSPs) or other managed service providers (MSPs). Reputable MSPs can patch applications—such as webmail, file storage, file sharing, and chat and other employee collaboration tools—for their customers. However, as MSPs and CSPs expand their client organization’s attack surface and may introduce unanticipated risks, organizations should proactively collaborate with their MSPs and CSPs to jointly reduce that risk. For more information and guidance, see the following resources.

Regarding Identity and Access Management the recommendation is:

  • Enforce multifactor authentication (MFA) for all users, without exception.
  • Enforce MFA on all VPN connections. If MFA is unavailable, require employees engaging in remote work to use strong passwords. 
  • Regularly review, validate, or remove privileged accounts (annually at a minimum).
  • Configure access control under the concept of least privilege principle.
    • Ensure software service accounts only provide necessary permissions (least privilege) to perform intended functions (non-administrative privileges).

Note: see CISA Capacity Enhancement Guide – Implementing Strong Authentication and ACSC guidance on Implementing Multi-Factor Authentication for more information on hardening authentication systems.

Regarding Protective Controls and Architecture the recommendation is:

  • Properly configure and secure internet-facing network devices, disable unused or unnecessary network ports and protocols, encrypt network traffic, and disable unused network services and devices. 
    • Harden commonly exploited enterprise network services, including Link-Local Multicast Name Resolution (LLMNR) protocol, Remote Desktop Protocol (RDP), Common Internet File System (CIFS), Active Directory, and OpenLDAP.
    • Manage Windows Key Distribution Center (KDC) accounts (e.g., KRBTGT) to minimize Golden Ticket attacks and Kerberoasting.
    • Strictly control the use of native scripting applications, such as command-line, PowerShell, WinRM, Windows Management Instrumentation (WMI), and Distributed Component Object Model (DCOM).
  • Segment networks to limit or block lateral movement by controlling access to applications, devices, and databases. Use private virtual local area networks. 
  • Continuously monitor the attack surface and investigate abnormal activity that may indicate lateral movement of a threat actor or malware.
    • Use security tools, such as endpoint detection and response (EDR) and security information and event management (SIEM) tools. Consider using an information technology asset management (ITAM) solution to ensure your EDR, SIEM, vulnerability scanner etc., are reporting the same number of assets.
    • Monitor the environment for potentially unwanted programs.
  • Reduce third-party applications and unique system/application builds; provide exceptions only if required to support business critical functions.
  • Implement application allowlisting. 


Leave a Reply