The U.S. Cybersecurity and Infrastructure Security Agency (CISA) teamed up with the Australian Cyber Security Centre (ACSC), the United Kingdom’s National Cyber Security Centre (NCSC), and the U.S. Federal Bureau of Investigation (FBI) to author a report detailing the current top vulnerabilities exploited by hackers. Each vulnerability is documented in the Common Vulnerabilities and Exposures (CVE) database, a top source of threat intelligence used by infosec professionals.
Report Findings
In 2020, the rapid shift to remote work caused by the pandemic turned into a bonanza for hackers. Systems brought home in haste lost access to the corporate patching infrastructure, which had been configured to block direct Microsoft updates in favor of a controlled rollout of patches to company-owned devices. The problem is that, in some cases, a device needed to talk to a domain controller in the corporate office to receive its patches. Working remotely for six to nine months meant some computers got no patches for six to nine months. Four of the most commonly targeted vulnerabilities in 2020 were in unpatched Microsoft products.
Below is a table outlining the CVEs most frequently exploited by hackers during 2020:
Businesses need to plan their patching infrastructure to accommodate the new reality of remote workers. Either enable direct Microsoft updates, or deploy newer cloud-based patching infrastructure that remote workers can reach. Systems cannot be left unpatched at remote work locations.
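A quick way to find the stranded devices described above is to check, on each endpoint, how old its newest installed update is and whether it is pinned to an internal WSUS server it can no longer reach. The following PowerShell script is an added example, not code from this post or from the CISA advisory; the 60-day threshold is an assumed value, and it reads only the standard Windows Update policy registry values.

```powershell
# Added example, not code from the CyberHoot post or the CISA advisory.
# Reports two things the post warns about on a Windows endpoint:
#   1. whether the newest installed update is older than $MaxAgeDays, and
#   2. whether the device is pinned to an internal WSUS server (UseWUServer=1)
#      that it currently cannot reach, which is how remote devices stall.
# $MaxAgeDays is an assumed threshold; adjust it to your own patch policy.
param([int]$MaxAgeDays = 60)

$findings = @()

# 1. Age of the newest hotfix that has a recorded install date.
$newest = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1
if ($null -eq $newest) {
    $findings += "No dated hotfix records found; verify update history manually."
} else {
    $ageDays = (New-TimeSpan -Start $newest.InstalledOn -End (Get-Date)).Days
    if ($ageDays -gt $MaxAgeDays) {
        $findings += "Newest update $($newest.HotFixID) installed $ageDays days ago (limit $MaxAgeDays)."
    }
}

# 2. Is the device pointed at an internal WSUS server, and can it reach it?
$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$useWsus  = (Get-ItemProperty -Path "$wuPolicy\AU" -Name UseWUServer -ErrorAction SilentlyContinue).UseWUServer
$wuServer = (Get-ItemProperty -Path $wuPolicy -Name WUServer -ErrorAction SilentlyContinue).WUServer
if ($useWsus -eq 1 -and $wuServer) {
    $uri = [uri]$wuServer
    $reachable = Test-NetConnection -ComputerName $uri.Host -Port $uri.Port `
        -InformationLevel Quiet -WarningAction SilentlyContinue
    if (-not $reachable) {
        $findings += "Pinned to WSUS $wuServer but cannot reach $($uri.Host):$($uri.Port); updates will stall off-network."
    }
}

# Summary: a non-zero exit code lets an RMM agent or scheduled task alert on the result.
if ($findings.Count -eq 0) {
    Write-Output "$env:COMPUTERNAME: patch posture OK (newest update $($newest.HotFixID), $ageDays days old)."
    exit 0
}
$findings | ForEach-Object { Write-Output "$env:COMPUTERNAME: $_" }
exit 1
```

Get-HotFix lists only updates recorded in the Win32_QuickFixEngineering class, so treat its result as a staleness indicator, not a complete inventory.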
2021 Vulnerabilities Continue the Trend
Hackers continued to attack unpatched systems in 2021 with a variety of Microsoft vulnerabilities (shown below), as well as the firewall solutions seen in 2020 (Fortinet, with Accellion added in 2021) and remote access solutions (Pulse remained on the list while VMware replaced Citrix).
- Microsoft Exchange: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065
  - See CISA’s Alert: Mitigate Microsoft Exchange Server Vulnerabilities for more information on identifying and reducing malicious activity regarding these vulnerabilities.
- Pulse Secure: CVE-2021-22893, CVE-2021-22894, CVE-2021-22899, and CVE-2021-22900
  - See CISA’s Alert: Exploitation of Pulse Connect Secure Vulnerabilities for more information on how to investigate and mitigate this malicious activity.
- Accellion: CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, and CVE-2021-27104
  - See the Australia-New Zealand-Singapore-UK-U.S. Joint Cybersecurity Advisory: Exploitation of Accellion File Transfer Appliance for technical details and mitigations.
- VMware: CVE-2021-21985
  - See CISA’s Current Activity: Unpatched VMware vCenter Software for more information and guidance.
- Fortinet: CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591
  - See the CISA-FBI Joint Cybersecurity Advisory: APT Actors Exploit Vulnerabilities to Gain Initial Access for Future Attacks for more details and mitigations.
What To Do about Vulnerability and Patch Management?
The most effective way to eliminate many vulnerabilities is to update software as soon as patches are available. Oftentimes, while a patch is being created, the vendor will provide instructions for temporary workarounds to stay secure until the patch is released. To stay up to date in pandemic times, deploy a cloud-based patch management solution that automatically updates software whenever and wherever necessary.
Common small to medium-sized business patch management solutions include ManageEngine and Automox. ManageEngine even includes free patching services for up to 25 devices.
SMB Protections Beyond Patch Management
In addition to adopting a patch management system, CyberHoot recommends the following best practices to protect individuals and businesses against, and limit damages from, online cyber attacks:
- Adopt a password manager for better personal and work password hygiene
- Require two-factor authentication on any SaaS solution or critical account
- Require passwords of 14 or more characters in your governance policies
- Train employees to spot and avoid email-based phishing attacks
- Check that employees can spot and avoid phishing emails by testing them
- Back up data using the 3-2-1 method
- Incorporate the principle of least privilege
- Perform a risk assessment every two to three years