This week, the Five Eyes, an intelligence alliance involving cybersecurity authorities from the United Kingdom, the United States, Australia, Canada and New Zealand, released an advisory outlining the fifteen most exploited vulnerabilities in 2021. Within this list is the infamous Log4Shell vulnerability, along with ProxyLogon, ZeroLogon and other flaws impacting Zoho ManageEngine AD SelfService Plus, Atlassian Confluence, and VMware vSphere Client.
According to the alliance, cyber criminals appeared to ramp up their attacks on newly disclosed vulnerabilities in the past year and eased off slightly on older, publicly known vulnerabilities. Organisations should not take this as a reason to grow lax about older vulnerabilities, which continue to pose a significant risk, but newer flaws do seem to be of particular interest. The alliance also observed that malicious actors frequently targeted internet-facing systems such as email servers and virtual private network (VPN) servers.
In other news, Coca-Cola made headlines this week as the victim of a potential data breach by the ransomware gang dubbed Stormous. In a post on the dark web, Stormous claimed to have hacked the beverage conglomerate and stolen 161 gigabytes of its data. In the same post, the group offered to sell the data for 1.6467 bitcoin, or about US$64,400.
In response to both pieces of news, John Goodacre, Director of Digital Security by Design and Professor of Computer Architectures at Manchester University, shares:
“The Five Eyes’ alert on top vulnerabilities highlights two things: there is an ever-increasing list of issues and that keeping on top of patching is unsustainable as the sole solution to block vulnerabilities from exploitation.
When we see vulnerabilities such as “pkexec” existing in systems for over 10 years, it must be questioned just how many other unknown vulnerabilities are still to be patched.
The recent Stormous ransomware group happily asking “who should we hack next” would suggest they know of some currently unreported vulnerability they’re confident they can use to get into most systems.
Until such time that technologies such as those being investigated through the UKRI Digital Security by Design programme in collaboration with Arm, Microsoft, Google and many others can block the exploitation of even unknown vulnerabilities, it is critical that enterprises know exactly what software they use and the processes by which they maintain their patching regime.”