Four of the most targeted vulnerabilities in 2020 involved remote work.
The US Cybersecurity and Infrastructure Security Agency (CISA), Australian Cyber Security Centre (ACSC), United Kingdom’s National Cyber Security Centre (NCSC) and Federal Bureau of Investigation (FBI) released a joint cybersecurity advisory highlighting the top Common Vulnerabilities and Exposures (CVEs) routinely exploited by cyber actors in 2020 and those vulnerabilities being widely exploited thus far in 2021.
Cyber actors continue to exploit publicly known—and often dated—software vulnerabilities against broad target sets, including public and private sector organisations worldwide. It is recommended that organisations apply the available patches for the 30 vulnerabilities listed in the joint cybersecurity advisory and implement a centralised patch management system.
One of the key findings is that four of the most targeted vulnerabilities in 2020 involved remote work, VPNs, or cloud-based technologies. Many VPN gateway devices remained unpatched during 2020, as the growth of remote work options during the COVID-19 pandemic strained the ability of organisations to conduct rigorous patch management. In 2021, malicious cyber actors continued to target vulnerabilities in perimeter-type devices. The advisory lists the vendors, products, and CVEs associated with these vulnerabilities, which organisations should urgently patch.
“In cybersecurity, getting the basics right is often most important. Organisations that apply the best practices of cybersecurity, such as patching, can reduce their risk to cyber actors exploiting known vulnerabilities in their networks,” said Eric Goldstein, Executive Assistant Director for Cybersecurity, CISA. “Collaboration is a crucial part of CISA’s work and today we partnered with ACSC, NCSC and FBI to highlight cyber vulnerabilities that public and private organisations should prioritise for patching to minimise risk of being exploited by malicious actors.”
“This guidance will be valuable for enabling network defenders and organisations to lift collective defences against cyber threats,” said Ms Abigail Bradshaw CSC, Head of the Australian Cyber Security Centre. “This advisory complements our advice available through cyber.gov.au and underscores the determination of the ACSC and our partner agencies to collaboratively combat malicious cyber activity.”
“We are committed to working with allies to raise awareness of global cyber weaknesses – and present easily actionable solutions to mitigate them,” said NCSC Director of Operations, Paul Chichester. “The advisory published today puts the power in every organisation’s hand to fix the most common vulnerabilities, such as unpatched VPN gateway devices. Working with our international partners, we will continue to raise awareness of the threats posed by those that seek to cause harm.”
“The FBI remains committed to sharing information with public and private organisations in an effort to prevent malicious cyber actors from exploiting vulnerabilities,” said FBI’s Cyber Assistant Director Bryan Vorndran. “We firmly believe that coordination and collaboration with our federal and private sector partners will ensure a safer cyber environment to decrease the opportunity for these actors to succeed.”
The advisory also directs public and private sector partners to the support and resources available to mitigate and remediate these vulnerabilities from each agency, as well as from other government and industry partners.
One of the most effective best practices to mitigate vulnerabilities is to update software once patches are available, and as soon as is practicable. Focusing cyber defence resources on patching the vulnerabilities that malicious cyber actors most often use should be ingrained in the culture of every organisation.
This approach has the potential not only to bolster network security, but also to impede the disruptive, destructive operations of adversaries.
CISA, ACSC, NCSC, and FBI encourage organisations that have not yet remediated these vulnerabilities to investigate for the presence of indicators of compromise listed in this advisory. If compromised, organisations should initiate incident response and recovery plans.