Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable 블로그

구독

Behind the Scenes: How We Picked 2021’s Top Vulnerabilities – and What We Left Out

The 2021 Threat Landscape Retrospective explored the top five vulnerabilities of the year. Learn about other high-impact vulnerabilities that nearly made our list.

When putting together the Threat Landscape Retrospective (TLR) for 2021, the Security Response Team had a particularly difficult challenge picking the top five vulnerabilities for the year out of the many candidates.

In this blog post, we’re pulling back the curtain on our selection process, both to highlight the high-impact vulnerabilities that almost made the cut and to discuss our methodology for selecting the top five.

Our goal is to complement the TLR, whose mission is to help cybersecurity professionals with ongoing analysis of the threat landscape, including government, vendor and researcher advisories on important vulnerabilities and noteworthy incidents.

How we chose the 2021 Top 5

When we compiled the top five vulnerabilities for the 2020 TLR, it was easier to select distinct, individual CVEs. As a matter of fact, most of 2020’s top five CVEs continue to haunt organizations well into 2021. One of them — CVE-2020-1472, aka Zerologon — even carried over to the 2021 top five).

On the other hand, 2021 was more about clusters of vulnerabilities that illustrated the cybersecurity landscape. Therefore, we selected “representative” CVEs — selecting a single vulnerability out of a cluster that effectively epitomized a class of flaws or a particular product that was highly targeted throughout the year. For example, the full TLR covers eight vulnerabilities in Microsoft Exchange Server, but CVE-2021-26855, aka ProxyLogon, was the first to gain broad exploitation that continues to this day.

That brings us to another key decision criteria for the top five: long term impact. You may notice that CVE-2021-44228, aka Log4Shell, does not appear on the list. That is because the long term effects of the vulnerabilities in Log4j 2.0 remain to be seen. We may see long term exploitation of these flaws but, when we published the 2021 TLR, they were still too new to have that level of impact. In our analysis, we find time and again that the vulnerabilities with a long tail are the biggest risk to organizations.

Zero-day vulnerabilities typically become more problematic for most organizations after they’ve made the transition to legacy status.

In short, here are our key criteria for selecting the top five vulnerabilities:

  1. Representative of a product that has been highly targeted by threat actors
  2. Has had sustained and widespread exploitation
  3. Offers high value in attack chains
  4. Affects ubiquitous products or protocols

Now, let us explore how the vulnerabilities that didn’t make the Top 5 measure up against these criteria.

CVE Description CVSSv3 Score Tenable VPR*
CVE-2021-26855 Microsoft Exchange Server remote code execution 9.8 9.9
CVE-2021-34527 Windows Print Spooler remote code execution 8.8 9.8
CVE-2021-21985 VMware Vsphere remote code execution 9.8 9.4
CVE-2021-22893 Pulse Connect Secure authentication bypass 10 10.0
CVE-2020-1472 Windows Netlogon protocol elevation of privilege 10 10.0
CVE-2021-20016 SonicWall SMA SQL injection 9.8 9.7
CVE-2021-40444 Windows MSHTML remote code execution 7.8 9.9
CVE-2021-30116 Kaseya VSA credential exposure 9.8 9.7
CVE-2021-36942 Windows LSA spoofing vulnerability 5.3 5.0
CVE-2021-27101 Accellion FTA SQL injection 9.8 9.0

* Please note Tenable VPR scores are calculated nightly. This blog post was published on March 13, 2022 and reflects VPR at that time.

CVE-2021-20016: SonicWall SMA zero day

In January 2021, SonicWall disclosed that its internal systems were breached by threat actors, and in February it followed up with an advisory for CVE-2021- 20016, a zero-day vulnerability in its Secure Mobile Access (SMA) SSL VPN. Discovered by NCC Group, CVE-2021-20016 is a SQL injection vulnerability that allows a remote, unauthenticated attacker to access login credentials and session information.

The attacks exploiting CVE-2021-20016 were tied to the FiveHands ransomware by Mandiant, though the NCC Group also saw “indication of indiscriminate” exploitation shortly after SonicWall’s initial announcement, before patches were available. NCC Group did not release significant details or a proof-of-concept (PoC) for CVE-2021-20016 because they didn’t want to facilitate future attacks.

Why it didn’t make the cut

While CVE-2021-20016 fits many of the criteria used to select the top five, it just barely missed out on inclusion because it did not quite have the same effect as those that made the cut. Perhaps because no PoC was published, we did not see widespread exploitation on the scale of vulnerabilities like ProxyLogon, PrintNightmare or even other vulnerabilities in SSL VPNs. On that note, we felt that the flaw in Pulse Connect Secure was much more illustrative of the risks to VPN products. Because CVE-2021-22893 was already in the top five, we felt the remaining slots were best used for other illustrative vulnerabilities in order to give a full view of the threat landscape.

CVE-2021-40444: Microsoft MSHTML zero day

CVE-2021-40444 is a remote code execution vulnerability in Microsoft’s MSHTML (Trident) platform. Microsoft announced the vulnerability on September 7, 2021, in response to active exploitation but did not release patches until that month’s dedicated Patch Tuesday a week later. By then, nearly two dozen PoC repositories had been published on GitHub. To exploit this vulnerability, an attacker would use social engineering like phishing to convince targets to open a malicious Microsoft Office document.

CVE-2021-40444 was exploited as a zero day in limited, targeted attacks and continues to be exploited, notably in targeted cyberespionage attacks by an advanced persistent threat group. After the full advisory was published, Microsoft confirmed that “multiple threat actors, including ransomware-as-a-service affiliates” had adopted CVE-2021-40444.

While RiskIQ did find that initial attacks exploiting CVE-2021-40444 shared common infrastructure with the Ryuk ransomware family, the researchers were careful to note that this overlap is inconclusive.

Why it didn’t make the cut

Despite being adopted by ransomware groups, the primary attacks exploiting CVE-2021-40444 were targeted and leveraged specially tailored phishing lures that require user interaction. This specificity limits the scope of this vulnerability and, while we expect to see it used in ongoing phishing attacks, it did not meet the level of concern we felt for the Microsoft Exchange vulnerabilities.

CVE-2021-30116, CVE-2021-30119, CVE-2021-30120: Kaseya VSA

There is an unfortunate precedent of cybersecurity incidents ruining a holiday weekend. Chief among them in 2021, Kaseya Limited announced on July 5 that three zero-day vulnerabilities in its Virtual System Administrator (VSA) remote monitoring and management software were exploited in a large-scale ransomware attack later tied to the REvil ransomware group.

CVE 설명 CVSSv3 Tenable VPR*
CVE-2021-30116 Insufficiently protected credentials 9.8 9.7
CVE-2021-30119 Cross-site scripting 5.4 5.7
CVE-2021-30120 Incorrect authorization vulnerability 7.5 5.1

The disclosure and investigation of this incident was a whirlwind, developing quickly over the Fourth of July holiday weekend in the United States. The attack was first reported on July 2 and patches were released on July 11.

Since the incident in July, more vulnerabilities have been disclosed in Kaseya products, but none have been exploited in the wild, and one (CVE-2021-40386) remains unpatched at the time this blog post was published.

Why it didn’t make the cut

This set of vulnerabilities falls into the subcategory of zero days that made a big splash, but it didn’t have the long tails we have seen on other vulnerabilities in the top five. According to Kaseya, “only a very small percentage of our customers were affected — currently estimated at fewer than 40 worldwide.” Interestingly, only CVE-2021-30116 has been added to the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities Catalog. While that doesn’t necessarily mean there hasn’t been known exploitation of the other vulnerabilities, it does offer additional context for evaluating these vulnerabilities against the rest of the top five.

PetitPotam (CVE-2021-36942)

Somewhat unique on this list is PetitPotam, which is a new technology LAN manager (NTLM) relay attack rather than a distinct vulnerability. Originally disclosed by Gilles Lionel, PetitPotam can force domain controllers to authenticate to an attacker-controlled destination. Shortly after disclosure, the PoC was adopted by ransomware groups like LockFile. At first, Microsoft labeled this issue as “won’t fix,” and continues to primarily rely on its general mitigation guidance for defending against NTLM Relay Attacks.

There is a vulnerability associated with this attack, CVE-2021-36942, which is a Windows LSA Spoofing Vulnerability that received a CVSSv3 score of 7.8 and was patched in August’s Patch Tuesday release. However, later reports indicate that this patch was incomplete. It is important to note that, in this case, the vulnerability itself does not represent the true risks of this attack vector.

Why it didn’t make the cut

PetitPotam has seen similar use to Zerologon by threat actors but with a smaller attack surface and more limited adoption. The CVE associated with PetitPotam does have the lowest CVSSv3 score on the list but that wasn’t a factor in our decision. It is perhaps more notable that a vulnerability with a score of 5.3 made it into the top 10 at all.

CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104: Accellion File Transfer Appliance

At the end of 2020 and into the beginning of 2021, a large number of organizations — we have tracked more than 40 — were breached using four zero day vulnerabilities in Accellion’s File Transfer Appliance (FTA).

CVE 설명 CVSSv3 Tenable VPR*
CVE-2021-27101 SQL injection 9.8 9.0
CVE-2021-27102 Operating system command injection 7.8 8.4
CVE-2021-27103 Server-side request forgery 9.8 8.4
CVE-2021-27104 Operating system command injection 9.8 8.4

Almost immediately upon the announcement of these attacks, some were traced back to the Clop/CL0P ransomware group. Disclosures of breaches linked to Accellion FTA continued to occur throughout the beginning of 2021, making these zero days some of the most exploited vulnerabilities in the first half of the year.

Why it didn’t make the cut

While these vulnerabilities had considerable impact on the organizations breached using them, the effects were relatively short-lived. Attacks exploiting Accellion peaked in January 2021 and these vulnerabilities don’t appear to have the long tail that characterize those in the top five.

Common themes among the outliers

One thing that stands out for several of these entries is that they are not a distinct CVE but rather groups or chains of vulnerabilities. While this wasn’t a conscious decision factor when we selected the top five, it shows an important component of our decision criteria. We sought out vulnerabilities that not only represented considerable, long-term risks to organizations but also those that were uniquely illustrative. We could have compiled the top five just out of flaws in Microsoft Exchange Server and Print Spooler but decided to instead highlight a diverse set of products that many organizations might deploy.

Also interesting is that the vulnerabilities that did not make the cut were all zero days, while only two of the final top five were. While we did see more threat actors exploiting zero days in attacks this year, 83% of the zero days we tracked for the 2021 TLR were exploited in the wild, unpatched known vulnerabilities continue to be a fertile ground for attackers.

While the effects of these vulnerabilities were acutely felt by those organizations breached using them, the wide-scale impact was lacking. Attackers have a plethora of vulnerabilities from which to choose, and the vulnerabilities that did make it into the top five represent those that a large number of attackers chose to exploit in a greater number of attacks than those that just missed the cut. That being said, organizations with any of the vulnerabilities discussed here should immediately set a plan to identify and remediate any affected assets.

Identifying affected systems

Tenable has released scan templates for Tenable.io, Tenable.sc and Nessus Professional which are pre-configured to allow quick scanning for the vulnerabilities discussed in this report. In addition, Tenable.io customers have a new dashboard and widgets in the widgets library and Tenable.sc users also have a new dashboard covering the 2021 Threat Landscape Retrospective.

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

관련 기사

최신 익스플로잇에 대해 취약합니까?

이메일을 입력하여 최신 사이버 노출 알림을 받으십시오.

tenable.io

비교할 수 없는 정확도로 모든 자산을 확인하고 추적할 수 있는 최신 클라우드 기반 취약성 관리 플랫폼 전체에 액세스하십시오.

Tenable.io Vulnerability Management 평가판에는 Tenable Lumin, Tenable.io Web Application Scanning 및 Tenable.cs Cloud Security도 포함되어 있습니다.

tenable.io 구매

비교할 수 없는 정확도로 모든 자산을 확인하고 추적할 수 있는 최신 클라우드 기반 취약성 관리 플랫폼 전체에 액세스하십시오. 지금 연간 구독을 구매하십시오.

65 자산

구독 옵션 선택:

지금 구매

Nessus Professional 무료로 사용해 보기

7일간 무료

Nessus®는 오늘날 시장에서 가장 포괄적인 취약성 스캐너입니다. Nessus Professional은 취약성 스캔 프로세스를 자동화하고 컴플라이언스 주기에서 시간을 절약하고 IT 팀이 참여할 수 있도록 합니다.

Nessus Professional 구매

Nessus®는 오늘날 시장에서 가장 포괄적인 취약성 스캐너입니다. Nessus Professional은 취약성 스캔 프로세스를 자동화하고 컴플라이언스 주기에서 시간을 절약하고 IT 팀이 참여할 수 있도록 합니다.

여러 해 라이선스를 구매하여 절감하십시오. 연중무휴 전화, 커뮤니티 및 채팅 지원에 액세스하려면 Advanced 지원을 추가하십시오.

라이선스 선택

여러 해 라이선스를 구매하여 절감하십시오.

지원 및 교육 추가

Tenable.io

비교할 수 없는 정확도로 모든 자산을 확인하고 추적할 수 있는 최신 클라우드 기반 취약성 관리 플랫폼 전체에 액세스하십시오.

Tenable.io Vulnerability Management 평가판에는 Tenable Lumin, Tenable.io Web Application Scanning 및 Tenable.cs Cloud Security도 포함되어 있습니다.

Tenable.io 구매

비교할 수 없는 정확도로 모든 자산을 확인하고 추적할 수 있는 최신 클라우드 기반 취약성 관리 플랫폼 전체에 액세스하십시오. 지금 연간 구독을 구매하십시오.

65 자산

구독 옵션 선택:

지금 구매

Tenable.io Web Application Scanning 사용해 보기

Tenable.io 플랫폼의 일부로 최신 애플리케이션을 위해 설계된 최신 웹 애플리케이션 스캐닝 서비스에 대한 전체 액세스 권한을 누리십시오. 많은 수작업이나 중요한 웹 애플리케이션 중단 없이, 높은 정확도로 전체 온라인 포트폴리오의 취약성을 안전하게 스캔합니다. 지금 등록하십시오.

Tenable Web Application Scanning 평가판에는 Tenable.io Vulnerability Management, Tenable Lumin 및 Tenable.cs Cloud Security도 포함되어 있습니다.

Tenable.io Web Application Scanning 구매

비교할 수 없는 정확도로 모든 자산을 확인하고 추적할 수 있는 최신 클라우드 기반 취약성 관리 플랫폼 전체에 액세스하십시오. 지금 연간 구독을 구매하십시오.

5 FQDN

$3,578

지금 구매

Tenable.io Container Security 사용해 보기

취약성 관리 플랫폼에 통합된 유일한 컨테이너 보안 서비스에 대한 전체 액세스 권한을 누리십시오. 컨테이너 이미지에서 취약성, 맬웨어 및 정책 위반을 모니터링합니다. 지속적 통합 및 지속적 배포(CI/CD) 시스템과 통합하여 DevOps 실무를 지원하고 보안을 강화하고 기업 정책 컴플라이언스를 지원합니다.

Tenable.io Container Security 구매

Tenable.io Container Security는 빌드 프로세스와의 통합을 통해 취약성, 맬웨어, 정책 위반 등 컨테이너 이미지의 보안에 대한 가시성을 제공하여 DevOps 프로세스를 원활하고 안전하게 지원합니다.

Tenable Lumin 사용해 보기

Tenable Lumin을 사용하여 Cyber Exposure를 시각화 및 탐색하고 시간 경과에 따른 위험 감소를 추적하고 유사한 조직을 벤치마크하십시오.

Tenable Lumin 평가판에는 Tenable.io Vulnerability Management, Tenable.io Web Application Scanning 및 Tenable.cs Cloud Security도 포함되어 있습니다.

Tenable Lumin 구매

조직 전체에서 인사이트를 얻고 사이버 위험을 관리하는 데 Lumin이 어떻게 도움이 되는지 알아보려면 영업 담당자에게 문의하십시오.

Tenable.cs 사용해 보기

클라우드 인프라 구성 오류를 감지 및 수정하고 런타임 취약성을 볼 수 있는 전체 액세스 권한을 누리십시오. 지금 무료 평가판에 등록하십시오.

Tenable.cs Cloud Security 평가판에는 Tenable.io Vulnerability Management, Tenable Lumin 및 Tenable.io Web Application Scanning도 포함되어 있습니다.

영업 담당자에게 연락하여 Tenable.cs 구매

영업 담당자에게 연락하여 Tenable.cs 클라우드 보안에 대해 자세히 알아보고, 클라우드 계정을 온보딩하는 것이 얼마나 쉬운지 확인하고, 몇 분 내에 클라우드 구성 오류와 취약성에 대한 가시성을 얻으십시오.

Nessus Expert 무료로 사용해 보기

7일간 무료

최신 공격 표면을 방어하기 위해 구축된 Nessus Expert를 사용하면 IT부터 클라우드까지, 더 많은 것을 모니터링하고 조직을 취약성으로부터 보호할 수 있습니다.

Nessus Professional이 이미 있습니까?
7일간 Nessus Expert로 무료 업그레이드하십시오.

Nessus Expert 구매

최신 공격 표면을 방어하기 위해 구축된 Nessus Expert를 사용하면 IT부터 클라우드까지, 더 많은 것을 모니터링하고 조직을 취약성으로부터 보호할 수 있습니다.

라이선스 선택

프로모션 가격은 12월 31일까지 연장되었습니다.
여러 해 라이선스를 구매하여 비용을 더 절감하십시오.

지원 및 교육 추가