The 15 most targeted security vulnerabilities of 2021 have just been published in a joint advisory from the NCSC.  These are the main ways hackers are attacking businesses around the world.

Cybersecurity authorities across multiple nations co-authored this publication to provide insight into the exploited vulnerabilities and offer mitigation strategies to deal with the identified risk.

Of the top 15, the majority are, unsurprisingly, found in internet-facing systems, such as Microsoft Exchange Server as well as virtual private network (VPN) servers. There was also continued exploitation of previously documented vulnerabilities, ranging from as early as 2018 to more recently identified exploits in 2020. This emphasises the need to patch software regularly. At a minimum, monthly patches are recommended to maintain continued security – given the speed at which malicious actors start to target new vulnerabilities once they are published.  Older vulnerabilities can also be avoided by not continuing to use software that is no longer supported by the providers. Proof of concept (POC) code was released within a few weeks of most of the identified vulnerabilities on this list, allowing more malicious actors to participate in these exploits.

The Top 15 Exploited Vulnerabilities

2021 was a bad year for Exchange admins, as Microsoft Exchange Server turns up eight times in the list – including six remote code execution (RCE) vulnerabilities, one of which was from 2020, and therefore could have been avoided by organisations implementing software patches more promptly. Four ProxyLogon vulnerabilities were an issue for Exchange, enabling the malicious actors to gain access to credentials, files and mailboxes stored on the servers. Three ProxyShell vulnerabilities were also exploited from the Microsoft Client Access Service (CAS) – another internet-facing, exposed service.

But the bad news for Microsoft isn’t over yet, as Microsoft Netlogon Remote Protocol (MS-NRPC) was the victim of an exploit of a ZeroLogon vulnerability, which utilised elevation of privilege to allow a malicious actor to connect through a vulnerable secure channel connection to a domain controller.

Apache Log4j, VMware vSphere Client and  Zoho ManageEngine AD SelfService Plus all suffered RCE vulnerabilities that were among the top 15 exploited in 2021. Attackers of Apache Log4j were able to control log messages and execute code through message lookup substitution. Malicious actors were allowed to have unrestricted privileges while executing commands on the vCenter Server host operating system for the VMware vSphere Client while ManageEngine AD SelfService Plus fell victim to an exploitation of an authentication bypass vulnerability.

A variety of unauthenticated attacker exploits round up the top 15 of 2021, such as through a path traversal vulnerability on Fortinet FortiOS and FortiProxy, where a restricted directory was not used to limit pathnames, so system files could be downloaded via HTTP resource requests. An exploited Atlassian Confluence Server and Data Center vulnerability allowed for arbitrary code execution by unauthenticated users. Arbitrary file reading by unauthenticated actors was also exploited this year, on the Pulse Secure Pulse Connect Secure products.

Mitigation Strategies

You have the patch – please install it

Approximately a quarter of these exploited vulnerabilities were older, previously identified, and therefore could have been protected against attack through available patches. This should be made a priority for organisations, as well as regular updates of all network assets, including software, operating systems, applications, and firmware. Setting up a centralised system for patch management will ensure patches are applied consistently and in a timely manner. A list of patch information for these top exploited vulnerabilities can be found in the appendix of the CISA report, here. 2021 Top Routinely Exploited Vulnerabilities | CISA As well as updates, end of life software needs to be replaced to maintain higher levels of security.

Watch for intrusions

Endpoint detection programmes search for known patterns of behaviour on a system and provide information on any abnormalities detected. Some systems not only report on these incidents, but also have the ability to not just detect but also prevent an exploit. It is therefore important to use endpoint detection and response (EDR) and security information and event management (SIEM) tools to help you spot the warnings that are always in the logs that an attack is underway.  Logging is important, but pointless if the logs are not being monitored. All abnormal activity should be noted through continuous monitoring of the attack service, which will help in identifying any suspicious activity or lateral movement across your network.

Get help if you need it

If you cannot keep up with all the patching and monitoring that your network needs, get help from someone who can. Either migrate in house servers into a managed cloud (where someone else does the patching for you) or bring in a firm to help run your infrastructure (a Managed Service Provider).  However, any risks associated with the introduction of another possible attack surface need to be carefully considered when using any third-party software, or services such as these.

Make MFA the Norm

Regular implementation across organisations of multi-factor authentication (MFA) for all users regardless of clearance level reduces risk, and this should be particularly focused on all VPN connections and applied across the board with no exceptions. If MFA is unavailable for your VPN connections, seriously consider getting a new VPN solution.  The principle of least privilege needs to be used when assigning access control to users, with the few privileged accounts being regularly reviewed and validated. Any privileged accounts that are not in use should be removed, and a check that this is being consistently followed should occur at least once per quarter.

Use Network Segmentation and Server Hardening as a firebreak

Network segmentation can allow for more control over what users and devices have access to each area of the network. This can be strengthened by disabling unused network services and devices.  Application allowlisting can reinforce this again and add an extra security layer between departments. Hardening of commonly exploited services can also be used as a preventative method of risk mitigation. Unused network ports and protocols, as well as those that are unnecessary for operations should be disabled, and all network devices properly configured.

While the top list of exploited vulnerabilities changes from year to year, the basic mitigations any business can put in place to protect against them does not really change.  If you are not sure where to start, then Cyber Essentials is a great first step for most businesses.

Photo: By Adrian Pingstone, Public Domain, https://commons.wikimedia.org/w/index.php?curid=71918549