Log4Shell, ProxyLogon, ProxyShell among most exploited bugs of 2021

The UK’s National Cyber Security Centre (NCSC) has again teamed with its counterparts in Australia, Canada, New Zealand and the US to highlight some of the most impactful common vulnerabilities and exposures (CVEs) exploited by malicious actors in 2021, and advise organisations that have not yet done so, to patch against them.

During an eventful 12 months, financially motivated cyber criminals and more sinister state-backed threat actors aggressively targeted internet-facing systems at a broad set of victims across both the private and public sectors through a combination of freshly disclosed CVEs and older, dated vulnerabilities.

The authorities said that for most of the top exploited vulnerabilities, researchers or other actors released proof-of-concept code within a fortnight of the initial disclosure, facilitating exploitation by an ever-increasing range of groups.

The list includes vulnerabilities such as CVE-2021-44228, aka Log4Shell, targeting the Apache Log4j open source logging framework, disclosed in December 2021 and rapidly weaponised, as well as the set of four vulnerabilities known collectively as ProxyLogon, and the set of three vulnerabilities known as ProxyShell, all of which affected Microsoft Exchange email servers.

The advisory also warns of continued exploitation of CVE-2021-26084 in Atlassian Confluence Server and Data Center, and of two vulnerabilities first disclosed in 2020 and others dating from 2019 and 2018, an indication that many organisations are failing to patch in a timely manner.

“The NCSC and our allies are committed to raising awareness of vulnerabilities and presenting actionable solutions to mitigate them,” said NCSC CEO Lindy Cameron.

“This advisory places the power in the hands of network defenders to fix the most common cyber weaknesses in the public and private sector ecosystem. Working with our international partners, we will continue to raise awareness of the threats posed by those who seek to harm us.”

Abigail Bradshaw, head of the Australian Cyber Security Centre, added: “Malicious cyber actors continue to exploit known and dated software vulnerabilities to attack private and public networks globally. The ACSC is committed to providing cyber security advice and sharing threat information with our partners, to ensure a safer online environment for everyone. Organisations can implement the effective mitigations highlighted in this advisory to protect themselves.”

CISA’s Jen Easterly said: “CISA and our interagency and international partners are releasing this advisory to highlight the risk that commonly exploited vulnerabilities pose to both public and private sector networks.

“We know that malicious cyber actors target these critical software vulnerabilities across many public and private organisations worldwide. CISA and our partners urge all organisations to assess their vulnerability management practices and take action to mitigate risk to the known exploited vulnerabilities outlined in this advisory.”

The full list is as follows:

• CVE-2021-44228, a remote code execution (RCE) vulnerability in Apache Log4j (Log4Shell).
• CVE-2021-40539, an RCE vulnerability in Zoho ManageEngine AD SelfService Plus.
• CVE-2021-44523, an elevation of privilege (EoP) vulnerability in Microsoft Exchange server (ProxyShell).
• CVE-2021-34473, an RCE vulnerability in Microsoft Exchange Server (ProxyShell).
• CVE-2021-31207, a security feature bypass in Microsoft Exchange Server (ProxyShell).
• CVE-2021-27065, an RCE vulnerability in Microsoft Exchange Server (ProxyLogon).
• CVE-2021-26858, an RCE vulnerability in Microsoft Exchange Server (ProxyLogon).
• CVE-2021-26857, an RCE vulnerability in Microsoft Exchange Server (ProxyLogon).
• CVE-2021-28855, an RCE vulnerability in Microsoft Exchange Server (ProxyLogon).
• CVE-2021-26084, an arbitrary code execution vulnerability in Atlassian Confluence Server and Data Center.
• CVE-2021-21972, an RCE vulnerability in VMware vSphere Client.
• CVE-2020-1472, an EOP vulnerability in Microsoft Netlogon Remote Protocol (ZeroLogon).
• CVE-2020-0688, an RCE vulnerability in Microsoft Exchange Server.
• CVE-2019-11510, an arbitrary file reading vulnerability in Pulse Secure Pulse Connect Secure.
• CVE-2018-13379, a path traversal vulnerability in Fortinet FortiOS and FortiProxy.

The advisory also contains details of a further 21 vulnerabilities often picked on by malicious actors in the past year, some of which date back several years. These include additional bugs found in Acelllion, Cisco, Citrix, Microsoft, Pulse Secure, SonicWall and VMware products.

The relevant authorities are encouraging security teams to apply the mitigations set out in its advisory, taking steps such as applying patches in a timely manner, and implementing centralised patch management tools to ease the process and reduce the risk of compromise.

Last week, new intelligence from Mandiant revealed that threat actors exploited disclosed zero-day CVEs at more than double the previous record volume during 2021, with state-sponsored groups the primary actors using them, followed closely by financially motivated ransomware gangs. Note that while not every CVE is a zero-day, every zero-day either is, or will shortly be, a CVE.

Mandiant said this vast increase in zero-day exploitation and the diversification of those using them expanded the risk portfolio for organisations in every industry sector and geography.

“We suggest that a number of factors contribute to growth in the quantity of zero-days exploited,” wrote Mandiant’s James Sadowski. “For example, the continued move toward cloud hosting, mobile, and internet of things [IoT] technologies increases the volume and complexity of systems and devices connected to the internet – put simply, more software leads to more software flaws.

“The expansion of the exploit broker marketplace also likely contributes to this growth, with more resources being shifted toward research and development of zero-days, both by private companies and researchers, as well as threat groups. Finally, enhanced defences also likely allow defenders to detect more zero-day exploitation now than in previous years, and more organisations have tightened security protocols to reduce compromises through other vectors.”