Organizations should have already defended against three of the vulnerabilities, because they had been exploited often in 2020 — a finding that the countries’ joint advisory said underscored the need for timely patching.
Among those was a flaw in Ivanti’s Pulse Secure VPN servers. The company announced the flaw and released several updates in April 2019, per the Cybersecurity and Infrastructure Security Agency (CISA).
Flashing forward two years, April 2021 saw CISA warning that hackers were using this and other Pulse Secure vulnerabilities to gain access to federal agencies, critical infrastructure organizations and private firms’ systems. Nation state-backed actors allegedly conducted these attacks, reported Ars Technica, and Ivanti said “the bulk” of those 2021 exploits involved vulnerabilities for which patches had been available for one to two years.
In many of the other top 2021 exploits, researchers’ eagerness to publish findings about ways that newly disclosed vulnerabilities could be abused may have effectively handed a road map to hackers.
“For most of the top exploited vulnerabilities, researchers or other actors released proof of concept (POC) code within two weeks of the vulnerability’s disclosure, likely facilitating exploitation by a broader range of malicious actors,” the advisory states.
The advisory reflects the work of CISA, the National Security Agency (NSA), FBI and cybersecurity authorities from Australia, Canada, New Zealand and the United Kingdom.
LOG4J AND THE OPEN SOURCE CONUNDRUM
The advisory spotlighted several of the top 15 common vulnerabilities and exploits (CVEs), including Log4Shell.
The vulnerability’s December 2021 unveiling shook the cybersecurity world. Hackers could take advantage of this weakness in the Log4j open source software to seize control of affected systems by sending them a “specially crafted request,” it states. With this control established, hackers could then engage in harmful activities like stealing data or implementing ransomware.
The vulnerability turned attention onto how heavily open software security depends on the efforts of unpaid volunteers like the nonprofit Apache Software Foundation, which maintains Log4j. The vulnerability also has wide-ranging impact because open source offerings often become deeply incorporated into a vast array of public and private software.
MICROSOFT EXCHANGE PROMPTS PROCUREMENT QUESTIONS
Eight of the top 15 exploitable weaknesses involved Microsoft Exchange email servers.
ProxyLogon-related CVEs could let outsiders gain “persistent access” to email inboxes, files and credentials stored on the Exchange servers, said the advisory. Microsoft attributed those attacks to China-backed actors.
The ProxyShell weaknesses, meanwhile, let hackers exploit Microsoft’s client access service to conduct remote code execution attacks.
Andrew Grotto was the White House senior director for cybersecurity policy under Presidents Obama and Trump, and is current director of Stanford University’s Program on Geopolitics, Technology and Governance. He told GovTech that Microsoft’s frequent presence on this list raises concerns about government procurement.
Microsoft provides roughly 85 percent of the office productivity software used by U.S. state, local and federal agencies, according to a September 2021 report from analysis and consulting firm Omdia. The Computer and Communications Industry Association (CCIA) and Google commissioned that report.
Grotto says that customers who come to heavily use a single vendor can start feeling “lock[ed]-in” to the relationship, due to the cost and inconvenience of trying to switch to another provider. That can make it harder for customers to make demands from their vendor — such as for offerings to be designed with greater security.
LEGACY CODE, LEGACY PROBLEMS?
Another concern: software that incorporates previously developed code that may have been written at a time when security was less top-of-mind. Grotto said that Microsoft has been investing heavily in security in recent years, but that its products tend to “layer” newer code atop legacy code, meaning that security isn’t infused into the foundation of the new product.
“Twenty years ago — if you look at Microsoft XP and all the problems that product line had — it was pretty clear security was not part of the business picture of Microsoft at that time,” Grotto said. “Since then, they've obviously put a lot of resources into trying to make the product more secure, but products are still built on this legacy code base ..."
Revelations of the Microsoft Exchange Server vulnerabilities prompted the firm to release patches for both current and no longer supported versions of the product, including its 2010 offering, reported cybersecurity journalist Brian Krebs on his blog, KrebsonSecurity. The need to patch such an old product, “means the vulnerabilities the attackers exploited have been in the Microsoft Exchange Server code base for more than ten years,” Krebs wrote.
A Microsoft spokesperson, meanwhile, told GovTech that the firm works to quickly handle security concerns and urges its customers to promptly install updates and follow certain best practices.
“All of the vulnerabilities listed in this report have been addressed and customers who have applied the latest updates are already protected,” the spokesperson said in emailed comments. “We have a comprehensive response process for responding to and remediating software security events and incidents as quickly as possible,”
Microsoft participates in the Coordinated Vulnerability Disclosure process, the spokesperson noted. That process sees researchers who discover vulnerabilities alert the relevant vendors and allow the latter to prepare updates, workarounds or other mitigations before publicly disclosing the vulnerabilities.
PROOF-OF-CONCEPT CODES
The top 15 CVEs include an issue with Atlassian’s Confluence Server and Data Center that “quickly became one of the most routinely exploited vulnerabilities after a [proof-of-concept code] was released within a week of its disclosure.”
Researchers and others create proof-of-concept (PoC) codes to demonstrate how vulnerabilities could be used to harm an operating system or software. This can help defenders better understand how to patch the issue or mitigate its effects.
But hackers can also use PoC codes as guides for how to exploit newly discovered vulnerabilities, if these codes become public before patches are widely available or widely adopted, a CISA spokesperson told GovTech.
“Proof-of-concept code provides a net benefit to network defenders ... [but] CISA recommends researchers and analysts wait at least two weeks to release [them],” the spokesperson said in an email.
Industry norms typically see individuals who discover software vulnerabilities inform the vendor and give them a “reasonable opportunity to patch” before publicizing a PoC code, Grotto said. And if the vulnerability is difficult to patch, PoC code creators may decide that the safest route is to avoid publishing at all.
“Where things get ethically fraught for researchers [is] where if a researcher has reason to believe that a different researcher has discovered the same vulnerability, there’s always a desire to get credit for the discovery, and [being] first to publish is one way to anchor your credit. That can create incentives to publish sooner than might be considered responsible,” Grotto said.
WHAT TO DO ABOUT IT
Organizations can boost their defenses with more robust approaches to patching, including steps like quickly adopting updates, using centralized patch management systems and replacing software once vendors stop supporting — and thus stops patching — it, the joint advisory said.
If quickly scanning and patching all Internet-facing systems proves too hard, organizations can offload some of that work by using managed service providers (MSPs) or cloud service providers. These third parties can handle patching on clients’ behalf, but don’t eliminate all risk. Every time an organization shares its data with a new player, it’s expanding its attack surface, because each new entity involved is another potential target for hackers. And MSPs themselves can become compromised — as happened to several providers in 2017, per the Australian Cyber Security Centre.
Efforts like continuously monitoring for abnormal activities, segmenting networks — to limit how much damage an attacker can cause after penetrating a system — and implementing multifactor authentication (MFA) for all users all help as well, the advisory said.
Grotto shared similar advice, urging the use of multifactor authentication, system patching and the use of a password manager with unique passwords. "If organizations enforced them, those alone would have a huge impact on security and resilience,” he said.
