Most exploited cyber vulnerabilities of 2022 revealed
Fortinet, Exchange Server and Atlassian flaws are in the top 12 compiled by Five Eyes intelligence agencies
The vulnerabilities frequently targeted by nation states, ransomware actors, and cybercriminal groups in 2022 encompassed older bugs and high-profile flaws that affected major products, according to a new joint cybersecurity advisory from Five Eyes agencies.
Five Eyes cybersecurity authorities, including the US agencies CISA, NSA and the FBI, have released a list of the 12 vulnerabilities most exploited throughout 2022.
The list underscores the persistent trend of attackers exploiting years-old vulnerabilities in systems that remain unpatched, a pattern that has dominated the threat landscape in previous years as well.
"In 2022, malicious cyber actors exploited older software vulnerabilities more frequently than recently disclosed vulnerabilities and targeted unpatched, internet-facing systems," reads the joint advisory signed by agencies from the US, UK, Australia, Canada and New Zealand.
"Proof of concept (PoC) code was publicly available for many of the software vulnerabilities or vulnerability chains, likely facilitating exploitation by a broader range of malicious cyber actors."
According to the advisory, malicious cyber actors generally have the most success exploiting known vulnerabilities within the first two years of their public disclosure.
As software is patched or upgraded over time, the pool of exploitable systems shrinks and a vulnerability's value to attackers declines, making it a less effective target.
The findings provide insight into the tactics employed by cybercriminals and highlight the apparent lack of urgency among organisations when it comes to patching security flaws in their software and equipment.
Interestingly, the vulnerability most exploited in 2022, a Fortinet flaw, was assigned its CVE identifier in 2018 and patched by the vendor in May 2019.
Despite having three years to act, many organisations failed to address this specific flaw in their appliances.
The vulnerability, tracked as CVE-2018-13379, is a path traversal in the FortiOS SSL VPN web portal that lets an unauthenticated attacker read system files, including the session file that holds VPN user credentials.
It has been the subject of repeated warnings from agencies such as the US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI, indicating the persistent negligence of some entities in securing their systems against known threats.
Western authorities have consistently cautioned about its exploitation by APT29, an advanced persistent threat group linked to Russia's SVR foreign intelligence service, along with other malicious entities.
Following the Fortinet SSL VPN vulnerability, the next entry on the list was ProxyShell, a chain of three vulnerabilities affecting Microsoft Exchange Server.
These are tracked as CVE-2021-34473, CVE-2021-31207 and CVE-2021-34523.
Disclosed and patched in 2021, the three flaws are chained together to achieve unauthenticated remote code execution on vulnerable, internet-facing Exchange servers.
The list of widely exploited vulnerabilities also includes the following:
- CVE-2021-40539: An authentication bypass in the REST API of Zoho ManageEngine ADSelfService Plus that leads to remote code execution. It was first exploited in late 2021, with activity continuing into 2022.
- CVE-2021-26084: An OGNL injection flaw in Atlassian's Confluence Server and Data Center collaboration tools that allows unauthenticated remote code execution. A significant mass-exploitation attempt targeted this flaw in late 2021.
- CVE-2021-44228 (Log4Shell): A remote code execution flaw in Apache's Log4j logging library, triggered when untrusted input containing a JNDI lookup is logged. It was disclosed in December 2021, and cybersecurity agencies observed sustained attacker interest in it throughout the first half of 2022.
- CVE-2022-22954 and CVE-2022-22960: Vulnerabilities in VMware Workspace ONE Access and Identity Manager: a server-side template injection that allows remote code execution (CVE-2022-22954) and improper privilege management that allows escalation to root (CVE-2022-22960). The advisory lists the pair as enabling privilege escalation, remote code execution and authentication bypass.
- CVE-2022-30190 (Follina): A remote code execution vulnerability in the Microsoft Support Diagnostic Tool (MSDT), reachable through the ms-msdt: protocol handler from a crafted Office document, so no macros are required.
- CVE-2022-26134: A critical OGNL injection in Atlassian Confluence Server and Data Center that allows unauthenticated remote code execution.
- CVE-2022-1388: An authentication bypass in the iControl REST interface of F5 BIG-IP application delivery and security software that lets an unauthenticated attacker execute arbitrary system commands.
In the advisory, the agencies urge vendors, designers, developers and end-user organisations to take immediate action and implement the mitigation measures specified.
Failing to apply patches promptly leaves systems open to exploitation. Attackers routinely scan the internet for exposed systems affected by a particular vulnerability, and the size of that exposed population tells them how valuable the vulnerability remains as a target.