There are 30 vulnerabilities listed in total; organizations would do well to patch their systems if they haven’t done so yet
The leading cybersecurity and law enforcement agencies from the United States, the United Kingdom, and Australia have issued a joint cybersecurity advisory focusing on the top 30 vulnerabilities that were commonly abused by threat actors over the course of 2020 and 2021.
The advisory, coauthored by the United States’ Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA), the United Kingdom’s National Cyber Security Center (NCSC) and the Australian Cyber Security Centre (ACSC) revealed that the four most targeted vulnerabilities in 2020 were related to remote work focused technologies. This could be attributed to the COVID-19 pandemic that forced most companies to quickly transition to a work-from-home environment.
“The rapid shift and increased use of remote work options, such as virtual private networks (VPNs) and cloud-based environments, likely placed additional burden on cyber defenders struggling to maintain and keep pace with routine software patching.” the advisory reads.
According to the U.S. government’s findings, the most exploited vulnerability in 2020 was a flaw in the Citrix Delivery Controller. Tracked as CVE-2019-19781, the arbitrary code execution bug was rated as critical in severity and holds an almost perfect score of 9.8 out of 10 on the common vulnerability scoring system (CVSS) scale. If an attacker is successful in exploiting the security loophole they could take over the affected system. The vulnerability attracted cybercriminals because it is easily exploited and the fact that Citrix servers are used extensively worldwide.
“In 2021, malicious cyber actors continued to target vulnerabilities in perimeter-type devices. Among those highly exploited in 2021 are vulnerabilities in Microsoft, Pulse, Accellion, VMware, and Fortinet. CISA, ACSC, the NCSC, and FBI assess that public and private organizations worldwide remain vulnerable to compromise from the exploitation of these CVEs,” CISA went on to add.
You can find the full list of vulnerabilities with recommended mitigations in CISA’s advisory.
The quartet of agencies urged companies and organizations to patch their vulnerable systems as it’s one of the easiest ways to mitigate the chances of the vulnerabilities being exploited and having their systems compromised. It goes without saying that patches should be deployed as soon as practicable. However, sometimes not everything can be patched, in those cases, the best course of action is to apply workarounds or other mitigations that vendors usually provide.
RELATED READING: Rough patch, or how to shut the window of (unpatched) opportunity
“In cybersecurity, getting the basics right is often most important. Organizations that apply the best practices of cybersecurity, such as patching, can reduce their risk to cyber actors exploiting known vulnerabilities in their networks,” said Executive Assistant Director for Cybersecurity, CISA, Eric Goldstein.