CISA, Five Eyes cyber advisory lists common vulnerabilities among 2022’s top exploits 

A new cybersecurity advisory released by the Cybersecurity and Infrastructure Security Agency, the Federal Bureau of Investigation and the National Security Agency — in coordination with the Five Eyes international security coalition — Thursday, detailed the top-exploited vulnerabilities in 2022 and implored all technology providers to fortify their digital security posture amid increased malware incidents. 

The novel feature in CISA’s latest advisory is the inclusion of Common Weakness Enumerations — a catalog of weaknesses in software and hardware — associated with individual vulnerabilities and exposures. 

For example: the bug CVE-2021-34473 is associated with the Microsoft web server CWE-918. By listing the corresponding CWE, CISA aims to help organizations pinpoint where common malware attacks within company networks. 

Eric Goldstein, the executive assistant director for cybersecurity at CISA, underscored the need for companies to incorporate the federally-backed Secure by Design principles into their technology development.

“Today, adversaries commonly exploit categories of vulnerabilities that can and must be addressed by technology providers as part of their commitment to Secure by Design,” Goldstein said in a statement. “Until that day, malicious actors will continue to find it far too easy to exploit organizations around the world. With our partners, we urge all organizations to review our joint advisory, for every enterprise to prioritize mitigation of these vulnerabilities and for every technology provider to take accountability for the security outcomes of their customers by reducing the prevalence of these vulnerabilities by design.”

According to the advisory, 2022 saw a greater number of older network vulnerabilities being exploited by malicious cyber actors than recently disclosed vulnerabilities.

Some of the technology vendors listed as having exposed system vulnerabilities in the advisory include Microsoft, SAP, VMware, Apache and Oracle, among others. The report authors recommend these vendors employ several steps, such as ensuring business leaders have a hand in security efforts and implementing specific secure design practices and configurations into existing systems. 

The advisory suggests that organizations take steps to ensure asset and identity access management for end-user organizations and routinely scan networks for possible patches in each company’s defense posture.

“Timely patching reduces the effectiveness of known, exploitable vulnerabilities, possibly decreasing the pace of malicious cyber actor operations and forcing pursuit of more costly and time-consuming methods (such as developing zero-day exploits or conducting software supply chain operations),” the advisory reads.

This guidance is the latest released by the Five Eyes organization, which consists of government cybersecurity organizations from the U.S., New Zealand, the U.K., Australia and Canada. Prior work launched by the Five Eyes has touted the need for Secure-by-Design adherence for private sector tech products. 

“When we work as a community we can strengthen our collective resilience,” Sami Khoury, the head of the Canadian Centre for Cyber Security said. “Every organization with internet-facing networks that implements recommended mitigation measures will greatly reduce their risk of compromise by malicious cyber actors. We also know that vendors and developers also have a strong role to play by responsibly designing products that are secure by design and default.”

The Biden administration has worked increasingly hard to bring major private sector tech conglomerates into regulatory compliance. Officials like CISA Director Jen Easterly have been vocal about ensuring private sector companies maintain strong cybersecurity defenses, and executive orders from President Joe Biden have mandated more public-private sector collaboration on best practices and incident reporting.

A recent example of this collaboration comes with the new partnership between CISA and Microsoft that will focus on expanding cloud logging capabilities for federal Microsoft customers to advance cybersecurity without additional costs. 

Vasu Jakkal, the corporate vice president for security, compliance, identity and management at Microsoft, then stated that the collaboration “reflects our commitment to engaging with customers, partners and regulators to address the evolving security needs of the modern world.”

Following this announcement, however, Microsoft came under scrutiny for its unresolved security vulnerabilities. Sen. Ron Wyden, D-Ore.R., sent a letter in late July to Easterly, Attorney General Merrick Garland and Federal Trade Commission Chair Lina Khan seeking probes into Microsoft's handling of encryption keys and the role purloined keys allegedly played in multiple hacking incidents, most notably SolarWinds.

Some public sector tech counterparts have echoed these concerns. Tenable CEO Amit Yoran highlighted the gaps found in Microsoft’s networks that expose personal information and Microsoft’s subsequent inaction. 

"This just further illustrates the scale of the problem. Microsoft's products and services are by far the most often exploited, and make up one-third of the total,” Yoran told Nextgov/FCW, referring to the advisory’s list of vendors with known vulnerabilities in their CWEs. “If they're not responsibly disclosing those vulnerabilities, their customers are unable to make risk-mitigating and informed decisions. Hearing 'just trust us' lacks credibility at this point.”

In response, a Microsoft spokesperson told Nextgov/FCW that they follow a thorough process to investigate potentially compromised systems. 

“We appreciate the collaboration with the security community to responsibly disclose product issues,” a Microsoft spokesperson said. “We follow an extensive process involving a thorough investigation, update development for all versions of affected products and compatibility testing among other operating systems and applications. Ultimately, developing a security update is a delicate balance between timeliness and quality, while ensuring maximized customer protection with minimized customer disruption.”