The U.S. Cybersecurity & Infrastructure Security Agency have published a report outlining the top exploited vulnerabilities of 2021, which was last revised on April 28, 2022.
According to the report, in addition to consistently targeting newly disclosed critical software vulnerabilities, cybercriminals continue to exploit vulnerabilities found in out-dated legacy software, thus highlighting the importance of a robust patch management strategy.
All common software vulnerabilities are publicly listed in the Common Vulnerabilities and Exposures (CVE) database, along with their corresponding ID. Below is a brief summary of the most exploited vulnerabilities of 2021.
Top Exploited Vulnerabilities in 2021
Log4Shell is a security vulnerability found in Apache Log4j 2, which allows an adversary to gain remote access and control of devices running certain versions of Log4j 2. This vulnerability was recorded on November 26th, 2021.
ProxyLogon is a security vulnerability that allows an adversary to bypass the Microsoft Exchange Server authentication process. This means an attacker can essentially login as an administrator, and execute arbitrary commands on Microsoft Exchange Server through port 443. The ProxyLogon vulnerability was first discovered and documented by DEVCORE on December 10, 2020.
As with the ProxyLogon vulnerability, the ProxyShell vulnerability allows attackers to bypass the Microsoft Exchange server authentication process, enabling them to execute code as a privileged user. The vulnerability can be found in the Microsoft Client Access Service (CAS), which also runs on port 443 in IIS. This vulnerability was recorded on June 9, 2021.
The ZeroLogon vulnerability takes advantage of an encryption flaw that makes it possible for hackers to impersonate any user or computer in Active Directory, including the root domain controller. This in turn will allow adversaries to launch attacks on domain controllers. This vulnerability was recorded on May 11, 2019.
OGNL injection (CVE-2021-26084)
Object-Graph Navigation Language (OGNL) is an open-source Expression Language (EL) used in Java. An OGNL injection vulnerability exists which enables attackers to execute arbitrary code on Atlassian Confluence Server or Data Center instances. This vulnerability was recorded on Jan 25, 2021. For more information about these vulnerabilities (and others), either visit the CISA website or look-up the vulnerabilities directly on the official CVE website.
Naturally, in order to protect your systems from the vulnerabilities listed above, you must ensure that all software, including operating systems and firmware, are patched in a timely manner.
It might be good to use a centralized patch management solution to ensure that you don’t get caught out. Suppose it’s not possible to address the vulnerability by installing a patch. In that case, you will need to follow the instructions on the vendor’s website or ask questions on their support forum (assuming they have one).
If the vulnerability is associated with software that is no longer supported by the vendor, you will probably have no choice but to either upgrade or change the software you are using, or perhaps consider switching to a cloud-based alternative instead.
In addition to installing the relevant patches, ensure that you have robust access controls in place in order to minimize the likelihood of an adversary elevating their privileges in the event of a breach. Always adhere to the Principle of Least Privilege (PoLP), to ensure that accounts only have access to the systems and data they need to perform their role.
Use a Data Security Platform to ensure that you have real-time visibility into who is accessing which accounts, and when. Use multi-factor authentication (MFA) for all users, including all VPN connections. Failing that, at least ensure that you have a strong password policy in place.