The Top Routinely Exploited Vulnerabilities advisory published this month by the Cybersecurity and Infrastructure Security Agency, provides details on the common vulnerabilities and exposures routinely and frequently exploited. In 2022, cyber actors exploited older software vulnerabilities more frequently than recently disclosed vulnerabilities and targeted unpatched, internet-facing systems, it shows.
WHY IT MATTERS
Each year the CISA, the National Security Agency and the FBI work with international cybersecurity agencies to compile their observations of the most exploited vulnerabilities that cyber actors use to infiltrate organizations with malware, ransomware and more in order to disrupt them, extort them or both.
For the 2022 alert, federal cybersecurity agencies worked with the Australian Signals Directorate’s Australian Cyber Security Centre, Canadian Centre for Cyber Security, New Zealand’s National Cyber Security Centre and Computer Emergency Response Team New Zealand and the United Kingdom’s National Cyber Security Centre.
It was relatively easy for the cyber actors to take advantage of these vulnerabilities – present in Microsoft, Atlassian, VMWare and other products – once they found them exposed in the organizations networks they hacked into, officials said.
“Proof of concept code was publicly available for many of the software vulnerabilities or vulnerability chains, likely facilitating exploitation by a broader range of malicious cyber actors,” according to the agencies.
Malicious cyber actors generally have the most success exploiting known vulnerabilities within the first two years of public disclosure.
“While sophisticated actors also develop tools to exploit other vulnerabilities, developing exploits for critical, wide-spread, and publicly known vulnerabilities gives actors low-cost, high-impact tools they can use for several years.”
The top 12 2022 vulnerabilities exploited are:
- CVE-2018-13379 affects Fortinet SSL VPNs, which was also routinely exploited in 2020 and 2021.
- CVE-2021-34473, CVE-2021-31207, CVE-2021-34523 vulnerabilities, known as ProxyShell, affect Microsoft Exchange email servers residing within the Microsoft Client Access Service.
- CVE-2021-40539 enables unauthenticated remote code execution in Zoho ManageEngine ADSelfService Plus and was linked to the usage of an outdated third-party dependency.
- CVE-2021-26084 affects Atlassian Confluence Server and Data Center and quickly became one of the most routinely exploited vulnerabilities after a PoC was released within a week of its disclosure.
- CVE-2021- 44228, known as Log4Shell, affects Apache’s Log4j library. If successful, a cyber actor takes full control of a system and can steal information, launch ransomware or conduct other malicious activity.
- CVE-2022-22954, CVE-2022-22960 vulnerabilities allow RCE, privilege escalation and authentication bypass in VMware Workspace ONE Access, Identity Manager and other VMware products.
- CVE-2022-1388 allows unauthenticated malicious cyber actors to bypass iControl REST authentication on F5 BIG-IP application delivery and security software.
- CVE-2022-30190 impacts the Microsoft Support Diagnostic Tool in Windows.
- CVE-2022-26134 is a critical RCE vulnerability affects Atlassian Confluence and Data Center likely exploited as a zero-day initially before public disclosure in June 2022 and is related to an older Confluence vulnerability (CVE-2021-26084), which cyber actors also exploited in 2022.
The agencies recommend vendors and developers take all recommended mitigation steps to ensure products are secured by design and default.
THE LARGER TREND
“The healthcare sector is integrating with several third-party vendors and gathering more patient data, so relying solely on conventional network security methods like VPN may no longer be effective,” said Apu Pavithran, CEO and founder of Hexnode, a vendor of a unified endpoint management platform housed by Mitsogo.
He spoke with Healthcare IT News in January to advise health systems that they should prioritize unified endpoint management and rethink their virtual private networks.
“With an exponentially increasing system of connected devices, cloud connections and third-party dependencies, healthcare and public health have become the most targeted critical infrastructure sectors,” said Margie Zuk, senior principal cybersecurity engineer at MITRE.
She told Healthcare IT News this week that healthcare organizations need to revamp their cybersecurity strategies now.
Interconnected devices and systems and more sophisticated cyberattacks regularly expose new security vulnerabilities, requiring healthcare organizations to reevaluate their cyber postures now.
ON THE RECORD
“Timely patching reduces the effectiveness of known, exploitable vulnerabilities, possibly decreasing the pace of malicious cyber actor operations and forcing pursuit of more costly and time-consuming methods (such as developing zero-day exploits or conducting software supply chain operations),” the agencies said in the alert.
Next month, the HIMSS 2023 Healthcare Cybersecurity Forum will explore how the industry is fortifying its defenses today and preparing strategies for the future. It’s scheduled for Sept. 7 and 8 in Boston. Learn more and register at HIMSS.org/event-healthcare-cybersecurity-forum.
Andrea Fox is senior editor of Healthcare IT News.
Email: [email protected]
Healthcare IT News is a HIMSS Media publication.
