Cybercriminals are increasingly targeting historical vulnerabilities, rather than exploiting new flaws, to gain access to systems, according to members of the Five Eyes security alliance, which includes the UK’s National Cyber Security Centre (NCSC) and its US counterpart CISA.
A joint report from security agencies in the Five Eyes countries – the UK, the US, Australia, Canada and New Zealand – has highlighted the most commonly exploited vulnerabilities in the past year. They are urging companies to check they have patched the 12 top vulnerabilities, which have already led to some notable cyberattacks.
Five Eyes release joint warning on 12 most exploited vulnerabilities of 2022
More than half of the top vulnerabilities of 2022 were also highlighted on the previous year’s list, indicating that companies are still not applying the latest patches, even though, in some cases, those patches have been available for years.
Attackers generally see the most success exploiting known vulnerabilities within the first two years of public disclosure, according to the UK’s NCSC. They “likely target their exploits to maximise impact, emphasising the benefit of organisations applying security updates promptly,” an NCSC statement said.
Among the most frequently exploited bugs in the report are the three vulnerabilities known collectively as ProxyShell, affecting Microsoft Exchange, for which patches were released in 2021. Also listed is CVE-2021-26084, a serious Atlassian Confluence vulnerability that affected 31 versions of the company’s products last year.
Another widely listed vulnerability is the Log4j flaw, the infamous bug that was discovered in 2021 and has affected thousands of businesses. The vulnerable Apache open-source library is embedded in thousands of software products, which triggered a global mitigation effort for much of 2022. Because the library is so widely used, and affected instances are so laborious to find and fix, the bug remains profitable to exploit to this day.
The advisory also provides mitigation measures for “vendors, designers and developers” on implementing secure-by-design and secure-by-default principles and tactics to reduce the prevalence of vulnerabilities in their software.
“Organisations should share information about incidents and unusual cyber activity with their respective cybersecurity authorities because when cyber incidents are reported quickly, it can contribute to stopping further attacks,” the report warns.
Jonathan Ellison, NCSC director of resilience and future technology, said that “vulnerabilities are sadly part and parcel of our online world and we see [cybercriminals] continue to take advantage of these weaknesses to compromise systems.”
The advisory report should raise awareness of the most routinely exploited vulnerabilities in 2022 “to help organisations identify where they might be at risk and take action,” Ellison added. “To bolster resilience, we encourage organisations to apply all security updates promptly and call on software vendors to ensure security is at the core of their product design to help shift the burden of responsibility away from consumers,” he said.