CISA has released a joint advisory tagged AA22-279A alongside the FBI and NSA which highlights the top CVEs used since 2020 by People’s Republic of China (PRC) state-sponsored cyber actors. These actors continue to target U.S and allied networks, as well as hardware and software vendors, and are using the intellectual property they have gained in doing so to develop access to sensitive networks. The joint advisory urges allied governments, critical infrastructure, and private sector organizations to prioritize applying the recommended mitigations and remediation detailed within the advisory.
The Nucleus research team joined together with GreyNoise Intelligence to put together further analysis to assist in understanding the top risks associated with this Advisory. While some CVEs listed suggest other uses, all vulnerabilities included in the advisory pertain to gaining access and persistence on a network.
| wdt_ID | CVE ID | Vendor | Software | EPSS Probability | EPSS Percentile | cvssV3 | GreyNoise | GreyNoise Search |
|---|---|---|---|---|---|---|---|---|
| 1 | CVE-2021-41773 | Apache | HTTP Server | 0.92452 | 0.99906 | 7.5 | 44 | CVE-2021-41773 |
| 2 | CVE-2021-20090 | Arcadyan | Buffalo WSR-2533DHPL2 and WSR-2533DHP3 firmware | 0.01055 | 0.50603 | 9.8 | 0 | |
| 3 | CVE-2021-26084 | Atlassian | Confluence Server | 0.96199 | 0.99994 | 9.8 | 147 | CVE-2021-26084 |
| 4 | CVE-2021-1497 | Cisco | HyperFlex HX | 0.01055 | 0.50603 | 9.8 | 16 | CVE-2021-1497 |
| 5 | CVE-2019-19781 | Citrix | Application Delivery Controller (ADC) and Gateway | 0.95611 | 0.99975 | 9.8 | 99 | CVE-2019-19781 |
| 6 | CVE-2021-22205 | ExifTool | ExifTool | 0.69867 | 0.99107 | 9.9 | 11 | CVE-2021-22205 |
| 7 | CVE-2020-5902 | F5 | BIG-IP | 0.96817 | 0.99999 | 9.8 | 26 | CVE-2020-5902 |
| 8 | CVE-2021-26855 | Microsoft | Microsoft Exchange Server | 0.9621 | 0.99994 | 9.8 | 714 | CVE-2021-26855 |
| 9 | CVE-2021-26858 | Microsoft | Microsoft Exchange Server | 0.31092 | 0.97458 | 7.8 | 0 | |
| 10 | CVE-2021-27065 | Microsoft | Microsoft Exchange Server | 0.61804 | 0.98897 | 7.8 | 0 | |
| 11 | CVE-2021-26857 | Microsoft | Microsoft Exchange Server | 0.31092 | 0.97458 | 7.8 | 0 | |
| 12 | CVE-2019-11510 | Pulse Secure | Pulse Connect Secure | 0.96507 | 0.99997 | 10 | 34 | CVE-2019-11510 |
| 13 | CVE-2021-22005 | VMware | vCenter Server | 0.92029 | 0.99897 | 9.8 | 38 | CVE-2021-22005 |
| 14 | CVE-2021-40539 | Zoho | ManageEngine ADSelfServicePlus | 0.95954 | 0.99985 | 9.8 | 18 | CVE-2021-40539 |
| 15 | CVE-2021-44228 | Apache | Log4j2 | 0.90484 | 0.99857 | 10 | 302 | CVE-2021-44228 |
| 16 | CVE-2021-36260 | Hikvision | Security cameras web server | 0.87785 | 0.99771 | 9.8 | 15 | CVE-2021-36260 |
| 17 | CVE-2021-42237 | Sitecore | XP | 0.93637 | 0.99935 | 9.8 | 14 | CVE-2021-42237 |
| 18 | CVE-2022-1388 | F5 | BIG-IP | 0.91511 | 0.99878 | 9.8 | 4 | CVE-2022-1388 |
| 19 | CVE-2022-26134 | Atlassian | Confluence Server/Data Center | 0.86384 | 0.99696 | 9.8 | 471 | CVE-2022-26134 |
| 20 | CVE-2022-24112 | Apache | APISIX | 0.69867 | 0.99107 | 9.8 | 9 | CVE-2022-24112 |
| CVE ID | Vendor | Software | EPSS Probability | EPSS Percentile | cvssV3 | GreyNoise | GreyNoise Search |
Microsoft Exchange | CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065
As excited as we can imagine the security community is to hear more about Microsoft Exchange, it remains a consistent target for high-level actors targeting U.S based organizations. With the recent headlines regarding ProxyNotShell, an update fixing the zero-days has been on everyone’s radar. With the addition of this advisory, it gives four more reasons to continue to be vigilant in hardening Exchange whether hybrid or on-prem. Many organizations made the change to Office 365, but this still likely leaves an Outlook Web Access (OWA) server or some other type of hybrid deployment in place. This means the on-premise Exchange infrastructure is still vulnerable to these types of exploitation.
Updating Exchange can be a painful process. While adoption to Office 365 can lift this burden slightly, Exchange servers that are not up-to-date enough to run the update can find themselves in a tight spot when trying to remediate at a quick enough pace. Keep in mind, it’s not only important to ensure that your deployment tool identifies Exchange as most recently updated, but your scanning tools must also concur with this fact. If your scanner indicates missing updates, you will likely need to install an in-support cumulative update before the server can accept recent updates.
Consumer Grade Buffalo Routers | CVE-2021-20090
One vulnerability listed in this advisory stuck out as differentiating from the rest due to the fact that it points to a firmware vulnerability in dozens of Buffalo and Arcadyan manufactured routers. At this time, CISA appears to be understating the amount of consumer routers this vulnerability affects, as the count is closer to 35, rather than the two reported by CISA; Buffalo Wsr-2533Dhpl2-Bk Firmware and Buffalo Wsr-2533Dhp3-Bk Firmware.
Unfortunately, restarting your router is not enough to automatically deploy an update. It needs to be done manually. If you’re not comfortable updating your router on your own, you can contact your ISP if they are the one who issued you your device and they can update it for you, or you can contact the manufacturer to walk you through the updating process.
One temporary fix would be to stay vigilant about restarting your router frequently, as this could kick someone off who has potentially infiltrated your router. However, as mentioned, this is only a temporary fix.
It is important to note that, of the 20 vulnerabilities listed in this advisory, this is the only one affecting consumer technology. The lack of traffic observed by GreyNoise sensors raises the possibility that nation-state-backed groups may have an exclusive exploit on this vulnerability, and may be using compromised routers to make attribution more difficult.
Technologies Easily Forgotten | CVE-2020-5902, CVE-2021-36260, CVE-2021-22205
Three of the vulnerabilities listed in this advisory can be ones that tend to fly under the radar, and ironically two of them find themselves within security devices. CVE-2020-5902 exploits a vulnerability in F5 Big IP Load Balancers. This can be a problem in many large organizations because it may not be clear whose responsibility it is to update load balancers, and the scanning of load balancers can sometimes be considered an afterthought.
A potentially bigger afterthought is scanning and updating your security camera system. CVE-2021-36260 is a remote code execution vulnerability in the firmware for popular security camera system Hikvision PTZ-N5225I-A.
Lastly, while you may be running SAST scans on your code repositories, are you confident that you are conducting network vulnerability scans on your code repositories? If not, you can completely miss CVE-2021-22205, a remote code execution flaw in GitHub’s embedded copy of Exiftool, a utility for reading and editing metadata in images.
Log4j | CVE-2021-44228
Needing little introduction, CVE-2021-44228 received large amounts of publicity when it was discovered in early December, and a tremendous amount of remediation activity followed over the course of the next 30 days or so. Unfortunately, this followed a pattern that many high publicity vulnerabilities go through in which other priorities simply catch the attention of remediators, and some jobs left unfinished remain there until the stone is turned by an outsider. Finishing the job in remediating this particular vulnerability can be easier said than done. Nucleus urges users to find the most effective remediation and, if needed, mitigation to prevent the exploitation of log4j to allow for an attacker to gain further leverage.
How Nucleus Gives You Visibility Into Exploitable Vulnerabilities
There is a problem in relating vulnerability disclosure to the public, in that every new vulnerability wants to be the next Heartbleed. Almost every month there is a new vulnerability grabbing headlines and pulling the attention of your remediators away from the last ‘really big deal.’
Where Nucleus is best leveraged is taking the judgement call out of the equation. This allows your organization to maintain focus where you need it so you can chase down vulnerabilities and complete the remediation, rather than being easily distracted by vulnerabilities that may be important, but not as important as what your remediators are already working on.
Nucleus can import your asset inventory so if you have gaps in coverage and devices, like your security cameras and load balancers aren’t getting scanned, you’ll know about it and can confidently avoid blind spots in your network that advanced threat actors can leverage. Not only that, Nucleus builds a software inventory from information it finds in your vulnerability scans, so that next time a zero-day comes out, you can quickly identify which assets are the best candidates to be vulnerable and you can target your vulnerability scans and remediation efforts to quickly confirm this.
Click here to watch a Demo On Demand to see for yourself how Nucleus unites the existing tools in your security stack make it easy to analyze, prioritize, and act on your data.