    Insight into the 2022 Top Routinely Exploited Vulnerabilities VulnCheck | Blog

    By admin, May 8, 2026



    CISA, along with a cohort of cybersecurity agencies, published the 2022 Top Routinely Exploited Vulnerabilities on August 3, 2023. The advisory contains two lists of vulnerabilities. The first, what we’ll focus on, is the twelve most exploited vulnerabilities in 2022. Additionally, they added thirty more vulnerabilities that were “routinely” exploited.

    Unfortunately, these lists lack a lot of context, which can be useful for remediation, prioritization, and detection. Details like: are there public exploits? Are the issues being used by ransomware? Threat actors? DDoS botnets? In this blog, we’ll dig deeper into the top twelve CVEs and provide some much-needed context.

    Perhaps unsurprisingly, the twelve most exploited vulnerabilities are very well-known. Most were well-known before we even got to the year 2022, with the earliest dating back to 2018. Seven of the vulnerabilities were included in CISA’s 2021 Top Routinely Exploited Vulnerabilities.

    Given all the effort poured into awareness, detection, and remediation, how is it that the same vulnerabilities are repeated year to year? CISA does not discuss their methodology, nor do they clarify what they mean by exploited: exploit attempt or successful exploitation? If it’s the former, this is a “good to know” list that isn’t too concerning. If it’s the latter, the security industry has failed to protect its customers from obvious and widely known threats for two years in a row.

    Nothing about these vulnerabilities is a secret. The issues are particularly well-known to the exploit development community.

    Where to Find Exploits for the Top 12 Exploited CVE

    All twelve have available exploits. All twelve have weaponized exploits in Metasploit, as well as various one-off implementations across GitHub, GitLab, Gitee, etc.

    Eight of the twelve have Nuclei templates. Nuclei has made scanning the internet for known vulnerabilities easy, so it’s useful to know which vulnerabilities the Nuclei community has created templates for.

    To our knowledge, nine of the vulnerabilities have commercially available exploits. Commercial exploits are typically more customized, highly weaponized, and developed for valuable targets in real-world situations. The fact that exploits were added to commercial exploit products like Core, CANVAS, and VulnCheck’s Initial Access indicates these targets weren’t just prevalent in the wild, but also provided valuable access.

    The top twelve vulnerabilities are associated with a slew of attackers. All twelve have been exploited by threat actors, ten are associated with ransomware, and nine are associated with botnets.

    Our data shows the vulnerabilities are used by more than 30 different ransomware groups, including AvosLocker, Lockbit, and Clop. The most popular CVEs were the ProxyShell chain (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207), which was widely used against Exchange servers when it popped onto the scene in 2021. The next most popular was CVE-2021-26084, an easy-to-exploit issue in Confluence that was initially exploited in the wild as a zero-day.

    Top 12 Exploited CVE Most Used by Ransomware Groups (Groups per CVE)

    The vulnerabilities have been exploited by more than 60 different groups. The most popular “group” in our ranking is “Unattributed” (twelve vulnerabilities out of twelve), followed by the generic “Chinese-nexus” (six out of twelve), before getting into more well-known groups like SparklingGoblin (five out of twelve), Charming Kitten (five out of twelve), and Nemesis Kitten (four out of twelve).

    Threat actors have a reputation for using advanced techniques and zero-day vulnerabilities, but many are opportunistic attackers as well. 22 threat actors are known to have exploited CVE-2021-44228 (Log4Shell), and 18 reportedly used the ProxyShell chain.

    Top 12 Exploited CVE Most Used by Threat Actors (Actors per CVE)

    Surprisingly, we see much less botnet activity compared to the other two categories. Botnets, of course, are well known for throwing exploits all around the internet. Their volume of exploitation should be higher than, for example, a more targeted threat actor group. Nonetheless, our data indicates that nine of the twelve vulnerabilities are associated with botnets. The most popular, of course, is Mirai (four out of twelve), followed by ProxyShellMiner (three out of twelve), Kinsing, Muhstik, BillGates, and Enemybot (all two out of twelve).

    Once again, Log4Shell is the most commonly used vulnerability by the botnets we track.

    Top 12 Exploited CVE Most Used by Botnets (Botnets per CVE)

    These vulnerabilities didn’t drop off the map just because we flipped the calendar to 2023. GreyNoise provides tags for 10 of these vulnerabilities, and all but one showed active exploitation attempts in the last three days (the one “dead” tag was CVE-2022-1388 – an F5 Auth bypass).

    Given that these issues are still actively exploited, it’s not too late to start adding exploit and vulnerability detection to your network. Detections for these issues are widely available through a litany of products. We don’t play favorites, but we will share three “free” solutions:

    • A combination of the Proofpoint Emerging Threats Rules and the Snort Community Ruleset will give you network signature coverage for ten out of twelve of these issues.
    • Nessus Free covers all twelve via their plugin system, although the free version is limited to a very small number of IP addresses, so it’s likely not a long-term solution.

    The 2022 Top Routinely Exploited Vulnerabilities contains no surprises. All of the top twelve are well known to exploit developers, attackers, and detection engineers. However, it’s good to remember that these vulnerabilities are not yet behind us. Attackers continue to pursue vulnerable targets, particularly older vulnerabilities, that organizations have yet to patch despite available security updates to remediate the flaws. The weaponization of these exploits will carry on until it is no longer worth the effort, underscoring the need for defensive teams to prioritize and remediate the vulnerabilities that matter most. Defenders must continue to minimize their attack surface, monitor their assets, and watch for attacks on the wire.

    Did you find our exploit and attacker information interesting? If so, register for a VulnCheck account today by clicking “Sign in / Join Community” and schedule a demo.


