
Security Bits — 5 August 2023

Feedback & Followups

Deep Dive — ‘Five Eyes’ Report on Top Exploited Vulnerabilities in 2022

The relevant intelligence & cybersecurity agencies from the so-called Five Eyes group of nations have jointly released a report outlining the most exploited vulnerabilities of 2022. In case you’re wondering, the Five Eyes are Australia, Canada, New Zealand, the United Kingdom, and the United States.

What makes this report particularly interesting each year is that it doesn’t tell you about the scariest-sounding vulnerabilities, or the most technologically powerful ones, but the ones attackers actually found to be the most useful. In other words, these are the vulnerabilities that really did enable the most damage in 2022.

While the information in the report is fascinating, the actual PDF is dry and boring-looking — walls of text full of big words, big tables, and, other than a few logos in the headers and footers, no graphics at all. Don’t let that put you off though; the report is short, and the two parts I would recommend are the table of the top 12 most exploited vulnerabilities near the start, and the list of recommendations that starts on page 9.

Translating the top 12 into a human-friendly form we get:

  • 1 — Login details leaking from a widely used and very expensive corporate firewall product (FortiOS & FortiProxy from Fortinet)
  • 2, 3 & 4 — Remote code execution and the ability to bypass the login process in self-hosted versions of the most popular corporate groupware product in the world (self-hosted Exchange Server from Microsoft)
  • 5 — Remote code execution and the ability to bypass authentication in a commonly used Multi-Factor Authentication (MFA/2FA) solution for servers and enterprise apps (ADSelfService Plus from Zoho ManageEngine)
  • 6 — Arbitrary code execution in the self-hosted versions of a very popular project management suite (Confluence Server & Confluence Data Center from Atlassian)
  • 7 — Remote code execution in an exceptionally popular open source library used in many enterprise apps (the infamous Log4Shell vulnerability in the Log4j Java library)
  • 8 & 9 — Remote code execution and privilege escalation in a very popular server virtualisation suite (VMware)
  • 10 — The ability to avoid authentication in one of the biggest and beefiest edge firewalls in the world (BIG-IP from F5 Networks)

So, looking at that list, what stands out to me?

  1. Attackers are targeting exactly the things you’d expect — the defences corporations place around their networks (firewalls, MFA, etc.), the day-to-day information that makes companies tick (email, contacts, calendars, project plans, etc.), and the kind of internal apps large organisations build to manage their own operations.
  2. There’s only one open source product on the list — Apache Log4j.
  3. The companies on the list are almost all really, really big names — Microsoft, VMware, Atlassian, F5 & Fortinet (sorry Zoho, you’re not in the big leagues yet IMO).
  4. Five of the vulnerabilities are in the self-hosted versions of apps that are now available as a Software-as-a-Service (SaaS) offering, and the SaaS customers were not affected:
    * Office 365 is Microsoft’s SaaS offering that includes Exchange
    * Confluence Cloud is Atlassian’s SaaS version of Confluence Server & Confluence Data Center

The other interesting part of the report is always the advice it gives to organisations to defend themselves. I’m extremely fond of a slide Microsoft used in their 2021 annual threat report that put it very simply (paraphrasing): “doing the cybersecurity basics well protects you from 98% of threats”. That sure lines up with the advice this report gives. None of it is rocket science, though it is of course all easier to say than to do well.

My key takeaways:

  1. Make sure senior management is explicitly responsible for your organisation’s cybersecurity
  2. Everything you do must be secure by design and secure by default — you can’t just bolt security on later, and you can’t have things fail open
  3. If you’re not on the Zero Trust train yet, get on it ASAP — the old moat-and-castle model is obsolete!
    * MFA everywhere, always
    * Make devices prove their identity before they get network access (AKA Network Access Control, or NAC)
  4. Patch early and patch often (AKA patch management)
  5. Proactively manage your configurations — capture them in an auditable way so you can detect when something gets changed, and fix it (AKA secure baseline configurations)
  6. Proactively audit all privileged access (AKA Identity Governance)
  7. Proactively scan your networks so you notice when something new appears (AKA asset discovery)
  8. Log everything, send it to a central place, and harness the power of AI to alert you when something out of the ordinary happens
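As an added illustration of takeaway 5 (this is not code from the report or from the show notes), the script below captures a directory of configuration files into a JSON baseline and later reports anything added, removed or modified. The directory layout, file names and contents are constructed for the demo.

```python
"""Secure-baseline drift check: record a directory's config files into an
auditable baseline, then report additions, deletions and content changes.
Added example for the 'secure baseline configurations' takeaway; all paths
and file contents below are constructed for the demonstration."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large configs don't load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def capture_baseline(root: Path) -> dict:
    """Map relative path -> sha256 for every regular file under root."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_baseline(baseline: dict, current: dict) -> dict:
    """Classify drift: new files, deleted files, and files whose content changed."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),
    }


def demo() -> dict:
    """Constructed scenario: approve a baseline, then weaken SSH auth and drop in a stray file."""
    tmp = Path(tempfile.mkdtemp())
    cfg = tmp / "etc"
    cfg.mkdir()
    (cfg / "sshd_config").write_text("PasswordAuthentication no\n")
    (cfg / "firewall.rules").write_text("default deny\n")
    (tmp / "baseline.json").write_text(json.dumps(capture_baseline(cfg), indent=2))
    # Unapproved drift happens after the baseline was signed off
    (cfg / "sshd_config").write_text("PasswordAuthentication yes\n")
    (cfg / "unknown.conf").write_text("placeholder\n")
    saved = json.loads((tmp / "baseline.json").read_text())
    return diff_baseline(saved, capture_baseline(cfg))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the baseline file would be stored somewhere the monitored host cannot modify, and the diff output fed into the central logging described in takeaway 8.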

Links

Notable News

  • Because of how dangerous data breaches can be to the financial health of companies, the US Securities & Exchange Commission (SEC) have updated their rules to require publicly traded companies to disclose “any cybersecurity incident they determine to be material” within 4 days of determining that such an incident has occurred — nakedsecurity.sophos.com/… (As Naked Security point out, actually defining what is and is not a material cybersecurity incident is not at all easy!)
  • No, ChatGPT did not find any Mac malware — www.intego.com/… — Joshua Long sums it up perfectly:

“The research group essentially asked ChatGPT, ‘Hey, do you think there’s more Mac malware out there?’ And ChatGPT basically answered, ‘Yeah, probably’. Then the researchers were like, ‘Okay, cool, we’ll go back to doing our jobs now, and try to find some’.”

Palate Cleansers

  • Anyone who worked in IT or studied computer science in the late 90s and/or early 2000s will instantly recognise what these covers are spoofing — phpc.social/… (found by Allison)
  • A Handy Guide to Picking STEM Majors from Math With Bad Drawings — infosec.exchange/… (found by Allison)

Legend

When the textual description of a link is part of the link, it is the title of the page being linked to; when the text describing a link is not part of the link, it is a description written by Bart.

Emoji Meaning
A link to audio content, probably a podcast.
A call to action.
flag The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country.
A link to graphical content, probably a chart, graph, or diagram.
A story that has been over-hyped in the media, or, “no need to light your hair on fire”
A link to an article behind a paywall.
A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future.
A tip of the hat to thank a member of the community for bringing the story to our attention.
