U.S., UK and Australia Issue Joint Cybersecurity Advisory

As vulnerabilities are discovered, advisories are issued, remedies and mitigations are shared and then the onus is on the end user and/or company to do what’s necessary to close the window into their infrastructure. That is what happens in a perfect world, where CISOs and CIOs have fully collaborative relationships with operations and when the mitigations don’t derail the organization’s operational efficiency and capabilities.

Joint Cybersecurity Advisory

On July 28, 2021, four agencies across three countries issued a joint cybersecurity advisory identifying 30 vulnerabilities that companies (be they big or small) should be mitigating. From the U.S., the agencies are the FBI and CISA; from Australia, the ACSC; and from the U.K., the NCSC.

The advisory doesn’t mince words: “Cyber actors continue to exploit publicly known—and often dated—software vulnerabilities against broad target sets, including public and private sector organizations worldwide. It’s recommended that organizations apply the available patches for the 30 vulnerabilities listed in the joint cybersecurity advisory and implement a centralized patch management system.”

CISOs—you’ve received your marching orders. Close the delta of vulnerability.

Collaboration is Crucial for Cybersecurity

“In cybersecurity, getting the basics right is often most important. Organizations that apply the best practices of cybersecurity, such as patching, can reduce their risk of cyber actors exploiting known vulnerabilities in their networks,” said Eric Goldstein, executive assistant director for cybersecurity, CISA. “Collaboration is a crucial part of CISA’s work and today we partnered with ACSC, NCSC and FBI to highlight cyber vulnerabilities that public and private organizations should prioritize for patching to minimize the risk of being exploited by malicious actors.”

“The FBI remains committed to sharing information with public and private organizations in an effort to prevent malicious cyber actors from exploiting vulnerabilities,” said Bryan Vorndran, the FBI’s cyber assistant director. “We firmly believe that coordination and collaboration with our federal and private sector partners will ensure a safer cyber environment to decrease the opportunity for these actors to succeed.”

The advisory says what every cybersecurity awareness program has been saying for years, but it bears repeating: “Cyber actors continue to exploit publicly known—and often dated—software vulnerabilities against broad target sets, including public and private sector organizations worldwide.” Granted, not all vulnerabilities should be automatically closed with the proffered patch, especially if said patch will knock the company offline and leave it unable to continue operations. A mitigation plan for those rare instances, then, would be a mandatory first step toward ultimate mitigation.

The 2020 Vulnerabilities

It should come as no surprise that the number-one avenue to exploitation is via the virtual private network (VPN). The top 12 vulnerabilities exploited in 2020 are identified as:

  1. Citrix CVE-2019-19781 arbitrary code execution
  2. Pulse CVE-2019-11510 arbitrary file reading
  3. Fortinet CVE-2018-13379 path traversal
  4. F5 BIG-IP CVE-2020-5902 remote code execution (RCE)
  5. MobileIron CVE-2020-15505 RCE
  6. Microsoft CVE-2017-11882 RCE
  7. Atlassian CVE-2019-11580 RCE
  8. Drupal CVE-2018-7600 RCE
  9. Telerik CVE-2019-18935 RCE
  10. Microsoft CVE-2019-0604 RCE
  11. Microsoft CVE-2020-0787 elevation of privilege
  12. Netlogon CVE-2020-1472 elevation of privilege

The 2021 Vulnerabilities Breakdown

The advisory details how, in 2021, “cyber actors” can be expected to continue to exploit known, but as yet not fully patched, vulnerabilities. In 2021, the advisory notes how these cyber actors have made hay exploiting vulnerabilities identified in Microsoft, Fortinet, Pulse, Accellion and VMware.

  1. Microsoft Exchange: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065
  2. Pulse Secure: CVE-2021-22893, CVE-2021-22894, CVE-2021-22899, and CVE-2021-22900
  3. Accellion: CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104
  4. Fortinet: CVE-2018-13379, CVE-2020-12812, and CVE-2019-559

CISOs and CIOs should download the PDF and dig into the meat of the document where there’s discussion on how the identified CVEs are being exploited and where remediation steps are identified. Furthermore, CISA offers cyberhygiene assistance to companies to identify indicators of compromise (IoCs) and to implement solution pathways to remedy compromised instances.

Christopher Burgess

Christopher Burgess (@burgessct) is a writer, speaker and commentator on security issues. He is a former Senior Security Advisor to Cisco and served 30+ years within the CIA which awarded him the Distinguished Career Intelligence Medal upon his retirement. Christopher co-authored the book, “Secrets Stolen, Fortunes Lost, Preventing Intellectual Property Theft and Economic Espionage in the 21st Century”. He also founded the non-profit: Senior Online Safety.
