Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Blog da Tenable

Inscrever-se

Behind the Scenes: How We Picked 2021’s Top Vulnerabilities – and What We Left Out

The 2021 Threat Landscape Retrospective explored the top five vulnerabilities of the year. Learn about other high-impact vulnerabilities that nearly made our list.

When putting together the Threat Landscape Retrospective (TLR) for 2021, the Security Response Team had a particularly difficult challenge picking the top five vulnerabilities for the year out of the many candidates.

In this blog post, we’re pulling back the curtain on our selection process, both to highlight the high-impact vulnerabilities that almost made the cut and to discuss our methodology for selecting the top five.

Our goal is to complement the TLR, whose mission is to help cybersecurity professionals with ongoing analysis of the threat landscape, including government, vendor and researcher advisories on important vulnerabilities and noteworthy incidents.

How we chose the 2021 Top 5

When we compiled the top five vulnerabilities for the 2020 TLR, it was easier to select distinct, individual CVEs. As a matter of fact, most of 2020’s top five CVEs continue to haunt organizations well into 2021. One of them — CVE-2020-1472, aka Zerologon — even carried over to the 2021 top five).

On the other hand, 2021 was more about clusters of vulnerabilities that illustrated the cybersecurity landscape. Therefore, we selected “representative” CVEs — selecting a single vulnerability out of a cluster that effectively epitomized a class of flaws or a particular product that was highly targeted throughout the year. For example, the full TLR covers eight vulnerabilities in Microsoft Exchange Server, but CVE-2021-26855, aka ProxyLogon, was the first to gain broad exploitation that continues to this day.

That brings us to another key decision criteria for the top five: long term impact. You may notice that CVE-2021-44228, aka Log4Shell, does not appear on the list. That is because the long term effects of the vulnerabilities in Log4j 2.0 remain to be seen. We may see long term exploitation of these flaws but, when we published the 2021 TLR, they were still too new to have that level of impact. In our analysis, we find time and again that the vulnerabilities with a long tail are the biggest risk to organizations.

Tipicamente, as vulnerabilidades de dia zero tornam-se mais problemáticas para a maioria das organizações após terem feito a transição para o status de herdadas.

In short, here are our key criteria for selecting the top five vulnerabilities:

  1. Representative of a product that has been highly targeted by threat actors
  2. Has had sustained and widespread exploitation
  3. Offers high value in attack chains
  4. Affects ubiquitous products or protocols

Now, let us explore how the vulnerabilities that didn’t make the Top 5 measure up against these criteria.

CVE Description CVSSv3 Score Tenable VPR*
CVE-2021-26855 Microsoft Exchange Server remote code execution 9.8 9.9
CVE-2021-34527 Windows Print Spooler remote code execution 8.8 9.8
CVE-2021-21985 VMware Vsphere remote code execution 9.8 9.4
CVE-2021-22893 Pulse Connect Secure authentication bypass 10 10.0
CVE-2020-1472 Windows Netlogon protocol elevation of privilege 10 10.0
CVE-2021-20016 SonicWall SMA SQL injection 9.8 9.7
CVE-2021-40444 Windows MSHTML remote code execution 7.8 9.9
CVE-2021-30116 Kaseya VSA credential exposure 9.8 9.7
CVE-2021-36942 Windows LSA spoofing vulnerability 5.3 5.0
CVE-2021-27101 Accellion FTA SQL injection 9.8 9.0

* Please note Tenable VPR scores are calculated nightly. This blog post was published on March 13, 2022 and reflects VPR at that time.

CVE-2021-20016: SonicWall SMA zero day

In January 2021, SonicWall disclosed that its internal systems were breached by threat actors, and in February it followed up with an advisory for CVE-2021- 20016, a zero-day vulnerability in its Secure Mobile Access (SMA) SSL VPN. Discovered by NCC Group, CVE-2021-20016 is a SQL injection vulnerability that allows a remote, unauthenticated attacker to access login credentials and session information.

The attacks exploiting CVE-2021-20016 were tied to the FiveHands ransomware by Mandiant, though the NCC Group also saw “indication of indiscriminate” exploitation shortly after SonicWall’s initial announcement, before patches were available. NCC Group did not release significant details or a proof-of-concept (PoC) for CVE-2021-20016 because they didn’t want to facilitate future attacks.

Why it didn’t make the cut

While CVE-2021-20016 fits many of the criteria used to select the top five, it just barely missed out on inclusion because it did not quite have the same effect as those that made the cut. Perhaps because no PoC was published, we did not see widespread exploitation on the scale of vulnerabilities like ProxyLogon, PrintNightmare or even other vulnerabilities in SSL VPNs. On that note, we felt that the flaw in Pulse Connect Secure was much more illustrative of the risks to VPN products. Because CVE-2021-22893 was already in the top five, we felt the remaining slots were best used for other illustrative vulnerabilities in order to give a full view of the threat landscape.

CVE-2021-40444: Microsoft MSHTML zero day

CVE-2021-40444 is a remote code execution vulnerability in Microsoft’s MSHTML (Trident) platform. Microsoft announced the vulnerability on September 7, 2021, in response to active exploitation but did not release patches until that month’s dedicated Patch Tuesday a week later. By then, nearly two dozen PoC repositories had been published on GitHub. To exploit this vulnerability, an attacker would use social engineering like phishing to convince targets to open a malicious Microsoft Office document.

CVE-2021-40444 was exploited as a zero day in limited, targeted attacks and continues to be exploited, notably in targeted cyberespionage attacks by an advanced persistent threat group. After the full advisory was published, Microsoft confirmed that “multiple threat actors, including ransomware-as-a-service affiliates” had adopted CVE-2021-40444.

While RiskIQ did find that initial attacks exploiting CVE-2021-40444 shared common infrastructure with the Ryuk ransomware family, the researchers were careful to note that this overlap is inconclusive.

Why it didn’t make the cut

Despite being adopted by ransomware groups, the primary attacks exploiting CVE-2021-40444 were targeted and leveraged specially tailored phishing lures that require user interaction. This specificity limits the scope of this vulnerability and, while we expect to see it used in ongoing phishing attacks, it did not meet the level of concern we felt for the Microsoft Exchange vulnerabilities.

CVE-2021-30116, CVE-2021-30119, CVE-2021-30120: Kaseya VSA

There is an unfortunate precedent of cybersecurity incidents ruining a holiday weekend. Chief among them in 2021, Kaseya Limited announced on July 5 that three zero-day vulnerabilities in its Virtual System Administrator (VSA) remote monitoring and management software were exploited in a large-scale ransomware attack later tied to the REvil ransomware group.

CVE Descrição CVSSv3 Tenable VPR*
CVE-2021-30116 Insufficiently protected credentials 9.8 9.7
CVE-2021-30119 Cross-site scripting 5.4 5.7
CVE-2021-30120 Incorrect authorization vulnerability 7.5 5.1

The disclosure and investigation of this incident was a whirlwind, developing quickly over the Fourth of July holiday weekend in the United States. The attack was first reported on July 2 and patches were released on July 11.

Since the incident in July, more vulnerabilities have been disclosed in Kaseya products, but none have been exploited in the wild, and one (CVE-2021-40386) remains unpatched at the time this blog post was published.

Why it didn’t make the cut

This set of vulnerabilities falls into the subcategory of zero days that made a big splash, but it didn’t have the long tails we have seen on other vulnerabilities in the top five. According to Kaseya, “only a very small percentage of our customers were affected — currently estimated at fewer than 40 worldwide.” Interestingly, only CVE-2021-30116 has been added to the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities Catalog. While that doesn’t necessarily mean there hasn’t been known exploitation of the other vulnerabilities, it does offer additional context for evaluating these vulnerabilities against the rest of the top five.

PetitPotam (CVE-2021-36942)

Somewhat unique on this list is PetitPotam, which is a new technology LAN manager (NTLM) relay attack rather than a distinct vulnerability. Originally disclosed by Gilles Lionel, PetitPotam can force domain controllers to authenticate to an attacker-controlled destination. Shortly after disclosure, the PoC was adopted by ransomware groups like LockFile. At first, Microsoft labeled this issue as “won’t fix,” and continues to primarily rely on its general mitigation guidance for defending against NTLM Relay Attacks.

There is a vulnerability associated with this attack, CVE-2021-36942, which is a Windows LSA Spoofing Vulnerability that received a CVSSv3 score of 7.8 and was patched in August’s Patch Tuesday release. However, later reports indicate that this patch was incomplete. It is important to note that, in this case, the vulnerability itself does not represent the true risks of this attack vector.

Why it didn’t make the cut

PetitPotam has seen similar use to Zerologon by threat actors but with a smaller attack surface and more limited adoption. The CVE associated with PetitPotam does have the lowest CVSSv3 score on the list but that wasn’t a factor in our decision. It is perhaps more notable that a vulnerability with a score of 5.3 made it into the top 10 at all.

CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104: Accellion File Transfer Appliance

At the end of 2020 and into the beginning of 2021, a large number of organizations — we have tracked more than 40 — were breached using four zero day vulnerabilities in Accellion’s File Transfer Appliance (FTA).

CVE Descrição CVSSv3 Tenable VPR*
CVE-2021-27101 SQL injection 9.8 9.0
CVE-2021-27102 Operating system command injection 7.8 8.4
CVE-2021-27103 Solicitação forjada do servidor 9.8 8.4
CVE-2021-27104 Operating system command injection 9.8 8.4

Almost immediately upon the announcement of these attacks, some were traced back to the Clop/CL0P ransomware group. Disclosures of breaches linked to Accellion FTA continued to occur throughout the beginning of 2021, making these zero days some of the most exploited vulnerabilities in the first half of the year.

Why it didn’t make the cut

While these vulnerabilities had considerable impact on the organizations breached using them, the effects were relatively short-lived. Attacks exploiting Accellion peaked in January 2021 and these vulnerabilities don’t appear to have the long tail that characterize those in the top five.

Common themes among the outliers

One thing that stands out for several of these entries is that they are not a distinct CVE but rather groups or chains of vulnerabilities. While this wasn’t a conscious decision factor when we selected the top five, it shows an important component of our decision criteria. We sought out vulnerabilities that not only represented considerable, long-term risks to organizations but also those that were uniquely illustrative. We could have compiled the top five just out of flaws in Microsoft Exchange Server and Print Spooler but decided to instead highlight a diverse set of products that many organizations might deploy.

Also interesting is that the vulnerabilities that did not make the cut were all zero days, while only two of the final top five were. While we did see more threat actors exploiting zero days in attacks this year, 83% of the zero days we tracked for the 2021 TLR were exploited in the wild, unpatched known vulnerabilities continue to be a fertile ground for attackers.

While the effects of these vulnerabilities were acutely felt by those organizations breached using them, the wide-scale impact was lacking. Attackers have a plethora of vulnerabilities from which to choose, and the vulnerabilities that did make it into the top five represent those that a large number of attackers chose to exploit in a greater number of attacks than those that just missed the cut. That being said, organizations with any of the vulnerabilities discussed here should immediately set a plan to identify and remediate any affected assets.

Identificação de sistemas afetados

Tenable has released scan templates for Tenable.io, Tenable.sc and Nessus Professional which are pre-configured to allow quick scanning for the vulnerabilities discussed in this report. In addition, Tenable.io customers have a new dashboard and widgets in the widgets library and Tenable.sc users also have a new dashboard covering the 2021 Threat Landscape Retrospective.

Junte-se à equipe de resposta de segurança da Tenable na Tenable.

Saiba mais sobre a Tenable, a primeira plataforma de Cyber Exposure para o gerenciamento holístico da sua superfície de ataque moderna.

Obtenha uma avaliação gratuita por 30 dias do Vulnerability Management da Tenable.io.

Artigos relacionados

As notícias de segurança cibernética mais relevantes

Informe seu e-mail e nunca mais perca os alertas oportunos e orientações de segurança dos especialistas da Tenable.

Tenable Vulnerability Management

Tenha acesso completo a uma plataforma moderna de gerenciamento de vulnerabilidades baseada na nuvem, que permite que você veja e rastreie todos os seus ativos com uma precisão sem precedentes.

Sua avaliação do Tenable Vulnerability Management também inclui o Tenable Lumin e o Tenable Web App Scanning.

Tenable Vulnerability Management

Tenha acesso completo a uma plataforma moderna de gerenciamento de vulnerabilidades baseada na nuvem, que permite que você veja e rastreie todos os seus ativos com uma precisão sem precedentes. Compre hoje a sua assinatura anual.

100 ativos

Escolha sua opção de assinatura:

Compre já

Tenable Vulnerability Management

Tenha acesso completo a uma plataforma moderna de gerenciamento de vulnerabilidades baseada na nuvem, que permite que você veja e rastreie todos os seus ativos com uma precisão sem precedentes.

Sua avaliação do Tenable Vulnerability Management também inclui o Tenable Lumin e o Tenable Web App Scanning.

Tenable Vulnerability Management

Tenha acesso completo a uma plataforma moderna de gerenciamento de vulnerabilidades baseada na nuvem, que permite que você veja e rastreie todos os seus ativos com uma precisão sem precedentes. Compre hoje a sua assinatura anual.

100 ativos

Escolha sua opção de assinatura:

Compre já

Tenable Vulnerability Management

Tenha acesso completo a uma plataforma moderna de gerenciamento de vulnerabilidades baseada na nuvem, que permite que você veja e rastreie todos os seus ativos com uma precisão sem precedentes.

Sua avaliação do Tenable Vulnerability Management também inclui o Tenable Lumin e o Tenable Web App Scanning.

Tenable Vulnerability Management

Tenha acesso completo a uma plataforma moderna de gerenciamento de vulnerabilidades baseada na nuvem, que permite que você veja e rastreie todos os seus ativos com uma precisão sem precedentes. Compre hoje a sua assinatura anual.

100 ativos

Escolha sua opção de assinatura:

Compre já

Experimente o Tenable Web App Scanning

Aproveite o acesso total à nossa mais recente oferta de verificação de aplicações Web, projetada para aplicações modernas, como parte da Plataforma de gerenciamento de exposição Tenable One. Verifique com segurança em busca de vulnerabilidades em todo o seu portfólio on-line com um alto grau de precisão sem grandes esforços manuais ou interrupção de aplicações Web críticas. Inscreva-se agora mesmo.

Sua avaliação do Tenable Web App Scanning também inclui o Tenable Vulnerability Management e o Tenable Lumin.

Comprar o Tenable Web App Scanning

Tenha acesso completo a uma plataforma moderna de gerenciamento de vulnerabilidades baseada na nuvem, que permite que você veja e rastreie todos os seus ativos com uma precisão sem precedentes. Compre hoje a sua assinatura anual.

5 FQDNs

US$ 3.578,00

Compre já

Avalie o Tenable Lumin

Visualize e explore o gerenciamento de exposição, acompanhe a redução de riscos ao longo do tempo e faça comparações com seus pares por meio do Tenable Lumin.

Sua avaliação do Tenable Lumin também inclui o Tenable Vulnerability Management e o Tenable Web App Scanning.

Compre o Tenable Lumin

Entre em contato com um representante de vendas para ver como o Tenable Lumin pode ajudar você a obter insights em toda a sua organização e gerenciar o risco cibernético.

Experimente o Tenable Nessus Professional gratuitamente

GRATUITO POR POR 7 DIAS

O Tenable Nessus é o verificador de vulnerabilidade mais abrangente do mercado atualmente.

NOVIDADE: Tenable Nessus Expert
Já disponível

O Nessus Expert adiciona ainda mais recursos, incluindo verificação de superfície de ataque externa e a capacidade de adicionar domínios e verificações de infraestrutura em nuvem. Clique aqui para testar o Nessus Expert.

Preencha o formulário abaixo para continuar com uma avaliação do Nessus Pro.

Comprar o Tenable Nessus Professional

O Tenable Nessus é o verificador de vulnerabilidade mais abrangente do mercado atualmente. O Tenable Nessus Professional ajudará a automatizar o processo de verificação de vulnerabilidades, economizar tempo nos ciclos de conformidade e permitir que você envolva sua equipe de TI.

Compre uma licença para vários anos e economize. Inclua o Suporte avançado para ter acesso ao suporte por telefone, pela comunidade e por bate-papo 24 horas por dia, 365 dias por ano.

Selecione sua licença

Compre uma licença para vários anos e economize.

Adicionar suporte e treinamento

Experimente o Tenable Nessus Expert gratuitamente

GRÁTIS POR 7 DIAS

Desenvolvido para a superfície de ataque moderna, o Nessus Expert permite ver mais e proteger sua organização de vulnerabilidades, da TI à nuvem.

Já adquiriu o Tenable Nessus Professional?
Atualize para o Nessus Expert gratuitamente por 7 dias.

Comprar o Tenable Nessus Expert

Desenvolvido para a superfície de ataque moderna, o Nessus Expert permite ver mais e proteger sua organização de vulnerabilidades, da TI à nuvem.

Selecione sua licença

Compre uma licença para vários anos e economize mais.

Adicionar suporte e treinamento