The Australian Cyber Security Centre (ACSC) has released the key findings from a joint report with other cybersecurity authorities on the top 15 most routinely exploited cybersecurity vulnerabilities in 2021.
The Cybersecurity Advisory (CSA) shows that cybersecurity authorities have found that malicious actors aggressively targeted newly disclosed critical software vulnerabilities in 2021. These targets range across industries, with little discrimination between public and private sector organisations worldwide.
The vulnerabilities at the top of the list include Log4Shell, ProxyShell, ProxyLogon, and ZeroLogon.
At the same time, malicious cyber actors continued to use older, more publicly known software vulnerabilities across a broad spectrum of targets, although to a lesser extent. Three of the top 15 vulnerabilities recorded in 2021 were also regularly exploited in 2020. The CSA states:
Their continued exploitation indicates that many organisations fail to patch software in a timely manner and remain vulnerable to malicious cyber actors.
This exploitation of older vulnerabilities demonstrates that any organisation that uses software that no longer receives vendor support – or fails to patch software regularly – is putting itself at unnecessary risk.
The CSA identified mitigation actions that can help reduce the risk and potential impact of a cybersecurity attack.
These recommendations focused on three key areas:
Vulnerability and Configuration Management
Identity and Access Management
Protective Controls and Architecture
Organisations that are unable to perform rapid scanning and patching of internet-facing systems should consider moving these services to mature, reputable cloud service providers (CSPs) or other managed service providers (MSPs).
The CSA also encourages organisations to apply the baseline recommendations included in the advisory. These mitigations include applying patches to systems in a timely manner and implementing a centralised patch management system, both of which reduce the risk of compromise by malicious cyber actors.
You can find these actions and more in the ACSC’s Essential Eight and the NIST Cybersecurity Framework.
The CSA was co-authored by leading cybersecurity authorities, including the US Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), New Zealand National Cyber Security Centre (NZ NCSC), and the United Kingdom’s National Cyber Security Centre (NCSC-UK).