On 27 April 2022 the NCSC published an advisory on the most commonly exploited vulnerabilities in 2021. The advisory is the result of collaborative work with other agencies in the USA, Australia, Canada and New Zealand. It is published in full on the CISA website here: https://www.cisa.gov/uscert/ncas/alerts/aa22-117a
It’s no surprise that Log4j is in the mix, but what is interesting is that four of the Top 15 Routinely Exploited Vulnerabilities in 2021 date from before 2021, including one from 2018 and one from 2019. A further list of ‘Additional Routinely Exploited Vulnerabilities’ includes a couple of Microsoft Office vulnerabilities from 2017!
Rob Joyce, NSA Cybersecurity Director, commented on the advisory: “This report should be a reminder to organisations that bad actors don’t need to develop sophisticated tools when they can just exploit publicly known vulnerabilities. Getting a handle on patch management will go a long way in forcing adversaries to spend a lot more resources to even try and get in to targeted networks.” – well said!
If you would like assistance with any of your cyber security concerns, please contact us.