Zero Days Top Cybersecurity Agencies' Most-Exploited List
Cybersecurity Officials Urge to Prioritize Fixing These 15 Most-Exploited Flaws
Which vulnerabilities need fixing first to best block nation-state and other hacking attempts?
One answer to that question arrives in the form of an annual list of the 15 vulnerabilities most routinely exploited by attackers, prepared by cybersecurity officials across the Five Eyes intelligence partnership countries, including the U.S. National Security Agency and Cybersecurity and Infrastructure Security Agency.
In an accompanying security alert, the governments of Australia, Canada, New Zealand, the U.K. and the U.S. urged organizations to prioritize remediating the vulnerabilities most routinely exploited in 2023 by attackers.
"All of these vulnerabilities are publicly known, but many are in the top 15 list for the first time," said Jeffrey Dickerson, cybersecurity technical director at NSA. "Exploitation will likely continue in 2024 and 2025."
Of the 15 flaws, 11 were zero-day vulnerabilities, meaning attackers exploited them before they were publicly known, when no patch was available. That's a massive increase from the previous report in 2022, which found only two zero-days in the list of the top vulnerabilities (see: Patching Conundrum: 5-Year-Old Flaw Again Tops Most-Hit List).
Of the 15 most-exploited vulnerabilities last year, eight or more have publicly available proof-of-concept exploits and 13 have weaponized exploits, meaning they're "explicitly malicious," which helps explain attackers' interest in them, said Patrick Garrity, a security researcher at vulnerability intelligence firm VulnCheck, in a Friday blog post.
Nation-state advanced persistent threat groups are fans of these flaws. Analyzing the most-targeted CVEs, Garrity said 60 different threat actors have collectively been tied to attempts to exploit 13 of them, with a single North Korean advanced persistent threat group tracked as Silent Chollima - a.k.a. Andariel, DarkSeoul and Onyx Sleet - being tied to various attacks that targeted nine of the CVEs.
Most Discovered in 2023
Of the most exploited vulnerabilities in 2023, 12 were first discovered that year, including two separate flaws in Citrix NetScaler ADC and Gateway, and two separate flaws in Cisco IOS XE and IOS XE Web UI. The others pertain to Atlassian's Confluence Data Center and Server, Barracuda Networks' Email Security Gateway Appliance, FortiOS and FortiProxy SSL-VPN, JetBrains' TeamCity servers, Microsoft Office Outlook, ownCloud's GraphAPI, PaperCut MF/NG, and Progress Software's MOVEit Transfer.
Three of the 15 vulnerabilities on the annual list predate 2023: an unauthenticated remote code execution vulnerability in products that use Zoho ManageEngine from 2022, CVE-2022-47966; Log4Shell, CVE-2021-44228, a vulnerability in the open-source logging utility Log4j; and a Microsoft Netlogon privilege escalation vulnerability, CVE-2020-1472, found in 2020. The latter two have featured on the most-exploited list annually since being found.
The prevalence of older, long-patchable vulnerabilities on the list of attackers' favorite flaws to target reflects many organizations' inability to keep their IT systems locked down.
A report published last month by S&P Global Ratings, analyzing how 7,000 companies tackle vulnerabilities, found that 40% of them fix known system flaws "infrequently."
With so many major organizations running infrastructure that contains known flaws, hackers seeking to gain remote access to a victim's network appear to have been doubling down on vulnerability exploitation as their way in. Verizon's latest Data Breach Investigations Report cites a "180% increase in the exploitation of vulnerabilities as the critical path action to initiate a breach." That makes the intrusion tactic second to the use of stolen credentials, tied with phishing (see: Tracking Data Breaches: Targeting of Vulnerabilities Surges).
Cybersecurity Best Practices
To block attempts to exploit these flaws, the joint cybersecurity agency advisory recommends all organizations patch their systems in a timely manner, use a centralized patch management system to facilitate such efforts, and also employ endpoint detection and response tools, web application firewalls and network protocol analyzers. The agencies have also been urging organizations to demand that their vendors employ secure-by-design practices, including shipping with secure-by-default configurations, to build software and hardware that will have fewer flaws for attackers to discover and exploit.
The prevalence of zero-day vulnerabilities on this year's list is a reminder that attackers regularly seek ways of exploiting widely used types of software and hardware before vendors identify the underlying flaw and fix it. The joint security advisory also details guidance prepared by CISA and the National Institute of Standards and Technology designed to improve organizations' cyber resilience to better combat all types of cybersecurity threats.
Specific recommendations also include regularly using automated asset discovery to find all of the hardware, software, systems and services inside an IT organization's estate and locking them down as much as possible; prepping and testing incident response plans; and keeping regular, secure backups of copies which get stored off-network to facilitate rapid repair and restoration of systems.
The guidance also recommends implementing zero trust network architecture, using phishing-resistant multifactor authentication as an identity and access management control, enforcing least-privileged access, and reducing the number of third-party applications and unique types of builds used.