The last calendar year was a tough one for a lot of people, but for attackers searching for vulnerabilities to exploit in enterprise networks, 2021 provided an embarrassment of riches. Among the top targets for malicious actors last year were the collection of ProxyShell and ProxyLogon bugs, the Apache Log4j vulnerability, and the ZeroLogon flaw in Microsoft’s Netlogon Remote Protocol, according to a new advisory from intelligence and law enforcement agencies in the U.S., UK, Canada, Australia, and New Zealand.
The advisory lists the most commonly exploited vulnerabilities from 2021, and not surprisingly, the brand-name bugs lead the pack. Last year was an unusual one, with more than its share of branded vulnerabilities that actually were serious issues and not just attention grabs. The ProxyShell, ProxyLogon, and Log4Shell bugs all fall into that category, requiring quite a lot of effort from defenders and drawing plenty of attention from attackers. All of the vulnerabilities in the advisory have fixes available at this point, and several of the bugs were disclosed in 2018, 2019, or 2020.
In the advisory, officials warn that attackers are being more and more aggressive in going after vulnerabilities as soon as they’re disclosed.
“We are seeing an increase in the speed and scale of malicious actors taking advantage of newly disclosed vulnerabilities,” said Lisa Fong, director of the New Zealand Government Communications Security Bureau’s National Cyber Security Centre.
Among the 15 most commonly exploited vulnerabilities listed in the advisory, eight were in Microsoft Exchange Server, including seven ProxyLogon/ProxyShell flaws. Collectively, those vulnerabilities, which allowed remote code execution on target servers, caused massive headaches for defenders throughout the summer of 2021. After the initial disclosure of the bug in June, several other related flaws emerged in the following weeks, and attack groups took advantage. A variety of actors exploited the ProxyLogon and ProxyShell bugs, including some ransomware groups and APT teams.
While Microsoft made patches available for those vulnerabilities many months ago, that doesn’t mean that every affected organization has deployed them, a fact that attackers are well aware of and happy to use to their advantage.
“We know that malicious cyber actors go back to what works, which means they target these same critical software vulnerabilities and will continue to do so until companies and organizations address them,” said CISA Director Jen Easterly.
One of the other commonly exploited vulnerabilities in 2021 was a flaw in Atlassian Confluence, which is used widely in enterprises and government agencies in many countries.
“In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance,” the Atlassian advisory for CVE-2021-26084 says.
Attackers tend to follow the path of least resistance and are unlikely to spend time and resources finding a new flaw and developing an exploit for it when there are soft targets freely available.
“This report should be a reminder to organizations that bad actors don't need to develop sophisticated tools when they can just exploit publicly known vulnerabilities,” said NSA Cybersecurity Director Rob Joyce. “Get a handle on mitigations or patches as these CVEs are actively exploited.”