The Most Targeted Vulnerability of the Year Was First Identified in 2017

In a joint advisory, international cybersecurity officials say failure to patch years-old vulnerabilities makes attributing cyberattacks more difficult.

The top 30 vulnerabilities routinely exploited since 2020 include one in Microsoft software that has had a patch available for a few years but continues to be targeted by adversaries, top cybersecurity officials from multiple governments said.

“Cyber actors continued to exploit this four-year-old vulnerability in Microsoft Office that the U.S. Government publicly assessed last year was the most frequently targeted,” reads an advisory jointly released Wednesday by the Cybersecurity and Infrastructure Security Agency, the FBI and cybersecurity agencies from the United Kingdom and Australia. 

“Cyber actors most likely continue to exploit this vulnerability because Microsoft Office use is ubiquitous worldwide, the vulnerability is ideal for phishing campaigns, and it enables [Remote Code Execution] on vulnerable systems,” the advisory reads.

In general, officials said adversaries are having the most success with vulnerabilities in the technologies organizations adopted to enable remote work during the pandemic.

“One of the key findings is that four of the most targeted vulnerabilities in 2020 involved remote work, [virtual private networks], or cloud-based technologies,” the agencies said in a press release of the advisory. “Many VPN gateway devices remained unpatched during 2020, with the growth of remote work options due to the COVID-19 pandemic challenging the ability of organizations to conduct rigorous patch management. In 2021, malicious cyber actors continued to target vulnerabilities in perimeter-type devices.”

Officials said organizations should consider prioritizing the vulnerabilities identified in the advisory as part of a robust patch management process, one that applies fixes as soon as they are available, uses automatic updates where possible, and implements any temporary workarounds vendors release until a patch can be applied. They also noted that poor patch management has consequences and knock-on effects for organizations and the government beyond hackers gaining unauthorized access to systems.

“Adversaries’ use of known vulnerabilities complicates attribution, reduces costs, and minimizes risk because they are not investing in developing a zero-day exploit for their exclusive use, which they risk losing if it becomes known,” the advisory reads. “Focusing scarce cyber defense resources on patching those vulnerabilities that cyber actors most often use offers the potential of bolstering network security while impeding our adversaries’ operations.”