The most exploited cybersecurity vulnerabilities in 2021 have been highlighted by the Five Eyes alliance. The security group, which includes cybersecurity forces from the UK and US as well as Australia, Canada and New Zealand, said “malicious cyber actors aggressively targeted newly disclosed critical software vulnerabilities against broad target sets, including public and private sector organisations worldwide” last year.

The Log4Shell vulnerability was the most exploited of 2021. (Photo Illustration by Pavlo Gonchar/SOPA Images/LightRocket via Getty Images)

Unsurprisingly, the Log4Shell vulnerability, which caused chaos when it was discovered in December, tops the list, while multiple flaws in Microsoft’s Exchange Server systems have also been commonly compromised.

Details on the number of times the vulnerabilities have been exploited have not been revealed, but their significance should not be underestimated, says Sam Curry, chief security officer at security company Cybereason: “That a normally not-very-visible alliance took to the stage publicly to make an announcement points to the importance of this set of vulnerabilities,” he says.

The Five Eyes warning should be heeded by businesses says Darren Williams, CEO of security company BlackFog. “These vulnerabilities are still extremely relevant,” he says. “Organisations have vast amounts of software installed on systems, many of which they often don’t even realise they have.”

Mitigation by applying patches to systems and implementing centralised patching software is key. But what are the exploits and how much are they really used?

The most exploited cybersecurity vulnerabilities in 2021

Log4Shell

This was a widely used and exploited vulnerability in a popular open-source logging tool from the Apache Foundation, which has left millions at the mercy of cybercriminals. The vulnerability was caused by a logging feature that can be exploited as it was designed to make logging in easier and quicker. “It’s a fantastic feature that makes your logging super easy,” explained principal research scientist at Sophos Paul Ducklin to Tech Monitor. “Unfortunately, somebody figured out that it also makes it very easy for almost anybody who wants to exploit this.”

CVE-2021-44228: An exploit for a critical vulnerability affecting Apache Log4j2, known as Log4Shell.

Zoho ManageEngine

A vulnerability in Zoho ManageEngine Desktop Central allows threat actors to elevate privileges and drop malware into machines across sectors like energy, healthcare and technology. This vulnerability triggered an FBI warning, stating that advanced persistent threat groups were able to use the bug to infiltrate systems and dump malware. The exploit has been used for everything from ransomware to espionage. At the time of its discovery the company itself was hacked. Threat actors infiltrated the company’s passport system and 11,000 servers were infected with malware.

CVE-2021-40539 – With this vulnerability an attacker can create a crafted Rest API URL to bypass a security filter due to an error in URL normalisation, explains a report by PaloAlto Networks. This allows bad actors to execute arbitrary code.

Proxyshell

Proxyshell is the name given to a collection of critical vulnerabilities for Microsoft Exchange servers that blew through public and private sectors in 2021. They enable a hacker to bypass authentication and execute code as a privileged user, according to Sophos. The vulnerabilities came to light in April 2021 and, at the time, hundreds of thousands of Microsoft servers were vulnerable to exploitation.

CVE-2021-34473: Pre-auth path confusion vulnerability to bypass access control

CVE-2021-34523: Privilege escalation vulnerability in the Exchange Powershell back end.

CVE-2021-31207: Post-auth remote code execution via arbitrary file write.

ProxyLogon

ProxyLogon is another collection of critical Microsoft Exchange Server vulnerabilities discovered in 2020. By 2021 the vulnerabilities had been released by Microsoft, but ransomware gangs had already started to use them with some success. State-sponsored Chinese hacking group HAFNIUM hacked into at least 30,000 organisations within one week, with the use of these exploits. In a report by security company Radware, the vulnerability is cited as “critical for all industries across the globe, from small to large corporations”. The vulnerabilities are below.

CVE-2021-26855: This is a Server Side Request Forgery (SSRF). An SSRF provides a remote actor with admin access by sending a crafted web request to a vulnerable Exchange server.

CVE-2021-26857: According to the Radware report, this is a post-authentication insecure deserialisation vulnerability in the Unified Messaging service of a vulnerable Exchange server. It allows commands to be run with SYSTEM account privileges.

CVE-2021-26858/CVE-2021-27065: Both of these are post-authentication arbitrary file write vulnerabilities that allow an authenticated user to write files to any path on a vulnerable Exchange server. A malicious actor could leverage the previously mentioned SSRF vulnerability to gain admin access.

ZeroLogon

This vulnerability exploits a cryptographic flaw in Microsoft’s Active Directory Netlogon Remote Protocol (MS-NRPC). It has ten out of ten for severity from the common vulnerability scoring system (CVSS), explains Trend Micro. MS-NRCP is used to transmit account changes such as alterations to passwords, which could fall into the wrong hands.

CVE-2020-1472: The vulnerability is especially severe since the only requirement for a successful exploit is the ability to establish a connection with a domain controller, states a report by CrowdStrike.

Atlassian Confluence Server and Data Center

This impacts Confluence Server and Confluence Data Center software that’s usually installed on Confluence self-hosted project management, wiki, and team collaboration platforms.

When it released patches in 2021, Atlassian, the company that owns the Confluence software family, said the vulnerability could be exploited by threat actors to bypass authentication and inject malicious OGNL commands that allow them to take over unpatched systems, continues the report.

CVE-2021-26084: The vulnerability resides in OGNL (Object-Graph Navigation Language), a simple scripting language for interacting with Java code.

VMware vSphere Client

CVE-2021-21972: This is a proof-of-concept exploit script for a critical remote code execution flaw, along with mass scanning activity. This indicates that organisations should apply vCenter Server patches immediately explains a blog post by Tenable.

Microsoft Exchange Server

CVE-2020-0688: This is a vulnerability in Microsoft Exchange that would allow an attacker to turn any stolen Exchange user account into a complete system compromise. In many cases, this could be used to completely compromise the entire Exchange environment, including all email, and potentially all of Active Directory.

Pulse Connect Secure

CVE-2019-11510: This is a critical arbitrary file disclosure vulnerability in the Pulse Connect Secure VPN, and allowed hackers to place web shells, or malicious scripts, inside a compromised system to allow them further access and bypass security protocols. Exploitation of the vulnerability is simple and it apparently affected multiple public and private sector organisations.

Fortinet FortiOS and FortiProxy

CVE-2018-13379: Another VPN vulnerability which potentially allows unauthenticated, remote attackers to access network devices and their information.

Read more: Five Eyes issue Russia cyberattack warning