Skip to main content

Joint cybersecurity advisory released on 2021's top routinely exploited vulnerabilities

Malicious cyber actors are aggressively targeting newly-disclosed and dated critical software vulnerabilities against a broad range of targets, including public and private sector organisations worldwide.

Organisations are urged to patch their systems to reduce the risk of compromise by malicious cyber actors.

Australian, Canadian, New Zealand, UK and US cybersecurity agencies have co-authored the joint Cybersecurity Advisory (CSA), outlining the top 15 Common Vulnerabilities and Exposures (or CVEs) routinely exploited by malicious cyber actors in 2021.

Head of the Australian Cyber Security Centre, Abigail Bradshaw CSC, said organisations should immediately protect themselves by implementing mitigations highlighted in the advisory.

“Malicious cyber actors continue to exploit known and dated software vulnerabilities to attack private and public networks globally,” Ms Bradshaw said.

“The ACSC is committed to providing cyber security advice and sharing threat information with our partners, to ensure a safer online environment for everyone.”

Globally, in 2021, malicious cyber actors targeted internet-facing systems, such as email servers and virtual private network (VPN) servers, with exploits of newly disclosed and dated vulnerabilities.

The top routinely exploited vulnerability was Log4Shell, affecting Apache’s Log4j library. By submitting a specially-crafted request to a vulnerable system, an actor can take full system control. The Log4Shell vulnerability could allow malicious actors to steal information and launch ransomware on exploited systems.

Several vulnerabilities affecting Microsoft Exchange email servers also featured in the top 15.

For most of the top exploited vulnerabilities, researchers or other actors released proof-of-concept code within two weeks of the vulnerability’s disclosure. This likely facilitated exploitation of these vulnerabilities by a broader range of malicious actors.

To help stay secure, organisations should:

  • Update software, including operating systems and firmware on IT network assets.
  • Use a centralised patch management system.
  • Replace end-of-life software.
  • Enforce multi-factor authentication for all users, including VPN connections.
  • Regularly review and validate privileged accounts, and enforce the least privilege principle.
  • Properly configure and secure internet-facing network devices, and segment networks.
  • Continuously monitor the attack surface and investigate abnormal activity that may indicate a threat actor or malware.
  • Reduce third-party applications and unique system/application builds, and implement application allow-listing.

Australian organisations should consider joining the ACSC’s free Partnership Program to receive and share the latest advice, insights and cyber threat intelligence with the Australian cyber security community.

Organisations should also share information about incidents and unusual cyber activity with their respective cybersecurity authorities. All Australians are encouraged to report cybercrime and cyber incidents to the ACSC’s 24/7 Australian Cyber Security Hotline 1300 CYBER1 (1300 292 371), or via ReportCyber.

See the joint press release with international partners for more information.