Hacker working at night showing cybersecurity advisory on exploited vulnerabilities

US, UK, and Australia Issue Joint Cybersecurity Advisory on the Top 30 Most Exploited Vulnerabilities in 2020 and 2021

The US, UK, and Australian cybersecurity agencies and the FBI issued a joint cybersecurity advisory on the top 30 most exploited vulnerabilities in 2020 and 2021.

The United States Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), the UK’s National Cyber Security Centre (NCSC), and the U.S. Federal Bureau of Investigation (FBI) co-authored the joint cybersecurity advisory AA21-209A.

The agencies noted that government-sponsored and independent malicious cyber actors continued to exploit publicly known software vulnerabilities to compromise governments, public and private organizations globally.

Top exploited vulnerabilities in 2020 were discovered within the past two years

The joint cybersecurity advisory noted that the most exploited vulnerabilities in 2020 were discovered within the last two years.

Remote working, VPNs, and cloud-based technologies were among the most exploited vulnerabilities, according to the joint cybersecurity advisory.

The agencies noted that VPN gateway devices remained unpatched in 2020 during the remote working period when organizations could not conduct rigorous patch management.

The cybersecurity advisory listed some of the most commonly exploited vulnerabilities in 2020.

They included Citrix NetScaler arbitrary code execution CVE-2019-19781, Pulse Secure Connect arbitrary file reading CVE-2019-11510, and Fortinet path traversal CVE-2018-13379 vulnerabilities.

Fortinet’s directory traversal vulnerability, which exposes usernames and passwords, was used in Cring (also known as Crypt3, Ghost, phantom, or Vjszyllo) ransomware attacks.

Similarly, Pulse Secure Connect vulnerabilities were actively exploited by various state-backed cyberespionage groups to steal credentials for further attacks.

The most exploited Remote Code Execution (RCE) vulnerabilities in 2020 included the F5 Big-IP (CVE 2020-5902), MobileIron (CVE 2020-15505), Atlassian (CVE-2019-11580), Drupal (CVE-2018-7600), Telerik (CVE 2019-18935), Microsoft Office (CVE-2017-11882), and SharePoint (CVE-2019-0604) flaws.

F5 Big-IP severe vulnerability with a CVSS score of 10.0 allowed attackers to execute arbitrary commands without authentication, create and delete files, and execute Java applications. The cybersecurity advisory warned that the vulnerability could lead to “complete system compromise.”

Privilege escalation vulnerabilities such as Microsoft Windows Background Intelligent Transfer Service (BITS) (CVE-2020-0787) and Netlogon CVE-2020-1472 security flaws were also widely exploited in 2020.

“Adversaries’ use of known vulnerabilities complicates attribution, reduces costs, and minimizes risk because they are not investing in developing a zero-day exploit for their exclusive use, which they risk losing if it becomes known,” the alert stated.

Joint cybersecurity advisory says threat actors targeted perimeter devices in 2021

The joint cybersecurity advisory noted that threat actors continued to exploit perimeter devices in 2021. Some of the most exploited CVEs in 2021 included:

  • Microsoft Exchange server vulnerabilities CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065
  • Pulse Secure Connect vulnerabilities CVE-2021-22893, CVE-2021-22894, CVE-2021-22899, and CVE-2021-22900
  • Accellion File Transfer Appliance (FTA) vulnerabilities CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104
  • VMware virtualization software product vulnerability CVE-2021-21985
  • Fortinet CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591

Some of the listed vulnerabilities are too common because they were included in several advisories issued by the FBI, NSA, CISA, among others in the past.

For example, the National Security Agency issued a similar cybersecurity advisory in October 2020 over Chinese hackers exploiting 25 known vulnerabilities.

Some flaws highlighted in that report also appeared among the top 30 most exploited vulnerabilities published by the Five Eyes cybersecurity agencies. They included Pulse Secure connect vulnerability CVE-2019-11510, F5-Big IP CVE-2020-5902, and the Citrix Application Delivery Controller and gateway vulnerability CVE-2019-19781.

The advisory warned that threat actors would continue exploiting known vulnerabilities such as Microsoft Office CVE-2017-11882 if they remain effective and unpatched. The agencies recommended applying the available patches and implementing a centralized patch management system.