Western cybersecurity agencies have published a list of the 30 vulnerabilities most routinely exploited by hostile foreign states and other malicious actors in 2020 and so far in 2021, urging infosec bods to ensure their networks and deployments are fully patched against them.
Number one on the US, UK, and Australia's jointly published [PDF] list was the well-known Citrix arbitrary code execution vuln in Application Delivery Controller and Gateway, formerly known as the NetScaler load balancer. Tracked as CVE-2019-19781, the vuln has been the subject of repeated patch-it-now warnings ever since its disclosure in December 2019.
"In 2021, malicious cyber actors continued to target vulnerabilities in perimeter-type devices. Among those highly exploited in 2021 are vulnerabilities in Microsoft, Pulse, Accellion, VMware, and Fortinet," said the US's CISA and FBI, Britain's NCSC, and Australia's ACSC, four agencies from three of the Five Eyes nations.
Second, third, and fourth on the agencies' list were, you guessed it, the Pulse Secure VPN, Fortinet SSL VPN, and F5 BIG-IP vulns. Regular readers of El Reg's security pages can't have failed to notice that these are really quite bad and ought to have been patched months (or even years) ago.
Paul Chichester, NCSC Director for Operations, said: "We are committed to working with allies to raise awareness of global cyber weaknesses – and present easily actionable solutions to mitigate them. The advisory published today puts the power in every organisation’s hands to fix the most common vulnerabilities, such as unpatched VPN gateway devices."
Aside from the well-known VPN vulns, the list covers other common entry methods: the Netlogon elevation-of-privilege flaw (Zerologon, CVE-2020-1472), the RCE hole in the Telerik UI web development framework (CVE-2019-18935) that was abused by the Chinese for attacks on Australia, and more.
And 2021 to date isn't much better
This year the picture is just as rosy. Enemies of the West gleefully bashed the button over the Microsoft Exchange vulns exploited by China's Ministry of State Security.
Second to that were the aforementioned Pulse Secure VPN flaws, and vulns in Accellion file-transfer appliances that became a popular target for ransomware gangs – with their victims even including infosec firm Qualys.
Along with that are critical RCE holes in VMware's vCenter product, as we reported in May.
ACSC chief Abigail Bradshaw said in a canned comment: "This guidance will be valuable for enabling network defenders and organisations to lift collective defences against cyber threats. This advisory complements our advice available through cyber.gov.au and underscores the determination of the ACSC and our partner agencies to collaboratively combat malicious cyber activity."
The four agencies also gave some pragmatic advice for overworked sysadmins unable to immediately patch every single thing, perhaps for fear of KO'ing production networks through unforeseen side effects:
"If an organization is unable to update all software shortly after a patch is released, prioritize implementing patches for CVEs that are already known to be exploited or that would be accessible to the largest number of potential attackers (such as internet-facing systems)."
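That two-criterion rule is easy to turn into a triage script. What follows is an added example, not code from the advisory, the agencies, or The Register: a Python snippet that ranks a constructed inventory of unpatched findings so that CVEs already known to be exploited come first, internet-facing hosts next, and CVSS only breaks ties. The `KNOWN_EXPLOITED` set is a sample drawn from the advisory's 2020 entries, the hostnames and the `Finding` schema are assumptions, and `extract_cves` shows how to build the known-exploited set from the advisory text instead of typing it in.

```python
import re
from dataclasses import dataclass

# Constructed sample of "already known to be exploited" CVEs. These five are
# from the advisory's 2020 list (Citrix ADC, Pulse Secure, Fortinet, F5 BIG-IP,
# Netlogon); a real run would load every CVE from the advisory instead.
KNOWN_EXPLOITED = {
    "CVE-2019-19781",  # Citrix ADC / Gateway
    "CVE-2019-11510",  # Pulse Connect Secure
    "CVE-2018-13379",  # Fortinet FortiOS SSL VPN
    "CVE-2020-5902",   # F5 BIG-IP TMUI
    "CVE-2020-1472",   # Windows Netlogon (Zerologon)
}

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def extract_cves(text: str) -> set[str]:
    """Pull CVE identifiers out of free text (e.g. the advisory itself) so the
    known-exploited set can be built from the document rather than by hand."""
    return set(CVE_RE.findall(text))


@dataclass(frozen=True)
class Finding:
    """One unpatched CVE on one host, as a scanner or asset inventory
    would report it (hypothetical schema)."""
    host: str
    cve: str
    cvss: float            # base score, used only as a tie-breaker
    internet_facing: bool  # reachable by "the largest number of potential attackers"


def priority(f: Finding, known: set[str] = KNOWN_EXPLOITED) -> tuple[bool, bool, float]:
    """Sort key; larger means patch sooner. Tuple order encodes the advisory's
    guidance: exploited-in-the-wild outranks exposure, exposure outranks raw
    CVSS severity."""
    return (f.cve in known, f.internet_facing, f.cvss)


def tier(f: Finding, known: set[str] = KNOWN_EXPLOITED) -> str:
    """Bucket a finding into a patch window."""
    exploited, exposed, _ = priority(f, known)
    if exploited and exposed:
        return "P1"  # exploited in the wild and on the perimeter: patch now
    if exploited or exposed:
        return "P2"  # next maintenance window
    return "P3"      # routine patch cycle


def patch_order(findings, known: set[str] = KNOWN_EXPLOITED) -> list:
    """Return findings sorted so the first item is the one to patch first.
    sorted() is stable, so equal keys keep their inventory order."""
    return sorted(findings, key=lambda f: priority(f, known), reverse=True)


# Constructed sample inventory (hostnames are made up; CVSS scores are the
# published base scores for each CVE).
SAMPLE_FINDINGS = [
    Finding("build-01",  "CVE-2021-3156",  7.8,  False),  # sudo privesc, internal box
    Finding("vpn-gw-01", "CVE-2019-11510", 10.0, True),   # Pulse Secure, on the edge
    Finding("dc-01",     "CVE-2020-1472",  10.0, False),  # Zerologon on an internal DC
    Finding("www-03",    "CVE-2021-3156",  7.8,  True),   # same sudo bug, but exposed host
    Finding("adc-01",    "CVE-2019-19781", 9.8,  True),   # Citrix ADC, on the edge
]

if __name__ == "__main__":
    for f in patch_order(SAMPLE_FINDINGS):
        print(f"{tier(f)}  {f.host:<10} {f.cve:<15} cvss={f.cvss:<4} "
              f"exposed={f.internet_facing}")
```

Note what the ordering does with the two sudo findings: the same CVE lands in P2 on the exposed web host and P3 on the internal build box, while the internal domain controller with Zerologon still outranks both because exploitation in the wild is weighted above exposure. Swap the tuple order in `priority` if your threat model disagrees.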
The full advisory, including detailed notes on each of the highlighted vulns, can be read on the Australian Cyber Security Centre's website. ®