The Common Vulnerabilities and Exposures (CVEs) most routinely and frequently exploited by malicious cyber actors in 2022 have been released by the US federal Cybersecurity and Infrastructure Security Agency (CISA) and equivalent agencies in four other countries, including the UK.
CISA urges vendors, designers and developers to follow secure-by-design and secure-by-default principles and tactics to reduce the prevalence of vulnerabilities in software, while the agencies ask technology users to apply patches to their IT systems promptly.
According to the agencies, malicious cyber actors exploited older software vulnerabilities more frequently than recently disclosed ones, and targeted unpatched, internet-facing systems. Proof-of-concept (PoC) code was publicly available for many of the vulnerabilities or vulnerability chains. Hence the recommendation for timely patching: it reduces the effectiveness of known, exploitable vulnerabilities, potentially slowing the pace of malicious cyber actor operations and forcing attackers into more costly and time-consuming methods, such as developing zero-day exploits or conducting software supply chain operations.
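The advisory's point is operational: the exposures that matter most are known-exploited, often old, and sitting on unpatched internet-facing hosts. The script below is an added example, not code from the article or from CISA, showing one way a defender can turn that guidance into a ranked patch backlog: it cross-references a host inventory against a vulnerability list shaped like CISA's Known Exploited Vulnerabilities (KEV) catalogue JSON and sorts findings so internet-facing hosts and older entries come first. All CVE ids, vendors, products, versions and hostnames are constructed placeholders, and the `fixedVersion` field is an assumption added for the example (the public KEV schema does not carry it).

```python
"""Added example (not from the article or the CISA advisory): rank a patch
backlog by matching an asset inventory against a KEV-style feed.
Every identifier and value below is a constructed placeholder."""
import json

# Constructed feed. cveID/vendorProject/product/dateAdded mirror the public
# KEV catalogue field names; fixedVersion is an assumed extra field.
KEV_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "GatewayOS",
     "dateAdded": "2019-03-01", "fixedVersion": "4.2.1"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "GatewayOS",
     "dateAdded": "2022-11-15", "fixedVersion": "4.5.0"},
    {"cveID": "CVE-0000-0003", "vendorProject": "OtherCorp", "product": "MailRelay",
     "dateAdded": "2021-06-10", "fixedVersion": "2.0.7"},
]})

# Constructed inventory, e.g. exported from a CMDB or scanner.
INVENTORY = [
    {"host": "vpn-edge-1", "product": "GatewayOS", "version": "4.1.9", "internet_facing": True},
    {"host": "vpn-lab-2", "product": "GatewayOS", "version": "4.1.9", "internet_facing": False},
    {"host": "mail-1",    "product": "MailRelay", "version": "2.0.7", "internet_facing": True},
    {"host": "core-gw",   "product": "GatewayOS", "version": "4.5.0", "internet_facing": True},
]


def parse_version(text):
    """Turn a dotted version string into a comparable tuple of ints."""
    return tuple(int(part) for part in text.split("."))


def load_kev(feed_json):
    """Parse the KEV-style JSON document and return its vulnerability list."""
    return json.loads(feed_json)["vulnerabilities"]


def find_exposures(inventory, kev):
    """Return one finding per (host, CVE) where the installed version is below the fix."""
    findings = []
    for host in inventory:
        for vuln in kev:
            if vuln["product"] != host["product"]:
                continue
            if parse_version(host["version"]) < parse_version(vuln["fixedVersion"]):
                findings.append({
                    "host": host["host"],
                    "cve": vuln["cveID"],
                    "installed": host["version"],
                    "fixed_in": vuln["fixedVersion"],
                    "date_added": vuln["dateAdded"],
                    "internet_facing": host["internet_facing"],
                })
    return findings


def prioritise(findings):
    """Internet-facing hosts first, then oldest catalogue entries first.
    ISO dates sort correctly as strings, so no date parsing is needed."""
    return sorted(findings, key=lambda f: (not f["internet_facing"], f["date_added"]))


if __name__ == "__main__":
    for f in prioritise(find_exposures(INVENTORY, load_kev(KEV_FEED))):
        exposure = "internet-facing" if f["internet_facing"] else "internal"
        print(f"{f['host']:<12} {f['cve']} {f['installed']} -> {f['fixed_in']} "
              f"(added {f['date_added']}, {exposure})")
```

Hosts already at or above the fixed version (`mail-1`, `core-gw`) produce no finding, and the internal lab host sorts below the exposed edge device even though both carry the same two gaps; a real feed would be fetched from the catalogue rather than embedded as a string.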
Comment
William Wright, CEO of Closed Door Security, said: “In the last few months, the whole world has witnessed the dangerous power of one unpatched vulnerability, so it is not surprising this advice is being issued now. With MOVEit, a zero-day resulted in hundreds of casualties, while potentially netting attackers hundreds of millions of dollars, and these are the types of situations that can easily occur when organisations don’t keep up to date with patches and proactive pen testing.
As organisations depend on software and hardware from multiple vendors, it is quite easy for patches to slip through the net, he added. “While Microsoft runs an autopatch service, many other vendors do not, so this means patches can be released, but not applied, very easily.
“The vulnerabilities on the top 12 list come from a range of vendors and some are very old, but these are the bugs attackers look for. They know the software is ubiquitous and they can easily run scans to find vulnerable servers, so exploiting these bugs takes very little effort on their part.
“My advice to organisations is to test their assets against these vulnerabilities as soon as possible, and then to apply the patches where necessary. Now that this list has been issued, attackers will be working hard to utilise these bugs as much as possible, while they still can. The clock is ticking, and attackers know it.”