
Security Agencies Urge Organizations to Address Commonly Exploited Cyber Flaws


U.S. and international security authorities have issued a joint cybersecurity advisory about commonly exploited software flaws.

The authorities, including the Cybersecurity and Infrastructure Security Agency, said that malicious actors continue to target private and public-sector entities despite public knowledge about the vulnerabilities that they exploit. The new advisory is focused on helping organizations implement mitigation steps, CISA said Wednesday.

Jen Easterly, director of CISA and a 2022 Wash100 winner, said that malicious actors “go back to what works” and will continue to do so until the vulnerabilities are addressed.

She urged organizations to evaluate their vulnerability management practices and take steps to protect themselves.

Rob Joyce, cybersecurity director at the National Security Agency and a 2018 Wash100 winner, added that the continued targeting of common vulnerabilities and exposures should serve as a reminder that hackers do not need to rely on sophisticated tools.

“Get a handle on mitigations or patches as these CVEs are actively exploited,” Joyce said.

The agencies’ warning covers the 15 most exploited vulnerabilities in 2021, including the Log4Shell flaw that enables arbitrary code execution, the ProxyLogon and ProxyShell flaws affecting Microsoft Exchange email servers, and the CVE-2021-26084 vulnerability that was massively exploited in September 2021.

CISA and its partners recommended that organizations regularly update their software, implement a centralized patch management system, enforce multi-factor authentication without exception and properly configure internet-facing devices.

The advisory was a collaboration among CISA, NSA, the FBI and security agencies from Australia, Canada, New Zealand and the United Kingdom.
