Government agencies in Australia, Canada, New Zealand, the UK, and the US have published a list of the software vulnerabilities that were most frequently exploited in malicious attacks in 2022.
Last year, the Five Eyes agencies say, threat actors mainly targeted internet-facing systems that were not patched against older, known vulnerabilities, including flaws for which proof-of-concept (PoC) exploit code exists publicly.
“Malicious cyber actors generally have the most success exploiting known vulnerabilities within the first two years of public disclosure—the value of such vulnerabilities gradually decreases as software is patched or upgraded. Timely patching reduces the effectiveness of known, exploitable vulnerabilities, possibly decreasing the pace of malicious cyber actor operations,” the agencies note.
Threat actors, the agencies say, likely focus on exploits for severe vulnerabilities that have wider impact, which provides them with “low-cost, high-impact tools” that can be used for years, and prioritize exploits for bugs impacting the networks of their specific targets.
Throughout 2022, the reporting agencies observed the frequent exploitation of 12 vulnerabilities, some of which had also been exploited in previous years' attacks, even though patches have been available for years.
The list includes CVE-2018-13379 (Fortinet SSL VPNs), CVE-2021-34473, CVE-2021-31207, CVE-2021-34523 (Microsoft Exchange, ProxyShell), CVE-2021-40539 (Zoho ManageEngine ADSelfService Plus), CVE-2021-26084, CVE-2022-26134 (Atlassian Confluence), CVE-2021-44228 (Log4Shell), CVE-2022-22954, CVE-2022-22960 (VMware products), CVE-2022-1388 (F5 BIG-IP), and CVE-2022-30190 (Windows, Follina).
Additionally, the Five Eyes agencies call attention to 30 other known vulnerabilities that were routinely exploited in attacks in 2022, in products from Apache, Citrix, F5 Networks, Fortinet, Ivanti, Microsoft, Oracle, QNAP, SAP, SonicWall, VMware, WSO2, and Zimbra.
Vendors and developers are advised to audit their environments to identify the classes of vulnerabilities being exploited and eliminate them, implement secure design practices, prioritize secure-by-default configurations, and follow the Secure Software Development Framework (SSDF).
End-user organizations are advised to apply available software updates and patches in a timely manner, perform secure system backups, maintain a cybersecurity incident response plan, implement robust identity and access management policies, ensure that internet-facing network devices are secured, implement Zero Trust Network Architecture (ZTNA), and improve their supply-chain security.