
CISA’s 2021 Top-15 routinely exploited Vulnerabilities – Check Point customers remain fully protected

03/05/2022

Background

In a joint advisory published on April 27, the Cybersecurity & Infrastructure Security Agency (CISA), in collaboration with CSA, NSA, FBI, ACSC and other cybersecurity authorities, provided details on the top 15 Common Vulnerabilities and Exposures (CVEs) routinely exploited by malicious cyber actors in 2021, as well as other CVEs that were frequently exploited.
Security researchers at Check Point constantly monitor such vulnerabilities and have been reporting exploitation attempts throughout the past year, as in the cases of Spring4Shell and the Log4j vulnerability.
The following graph shows the highest monthly volume of organizations worldwide impacted during 2021 by attacks attempting to exploit these published vulnerabilities.

Check Point’s assessment is based on ThreatCloud, our real-time threat intelligence derived from hundreds of millions of sensors worldwide.

Threat actors targeting internet-facing systems such as email servers and virtual private networks (VPNs)

The CISA alert details how threat actors exploited newly disclosed vulnerabilities in popular services, aiming for as massive and extended an impact on organizations as possible.

Nine of the top 15 routinely exploited flaws were remote code execution (RCE) vulnerabilities, followed by two privilege escalation weaknesses.

Top vulnerabilities include:

Check Point Customers are fully protected against all published exploited vulnerabilities

Check Point’s Quantum Intrusion Prevention System (IPS) prevented attempts to exploit weaknesses in vulnerable systems and applications, protecting customers in the race against attackers to exploit these vulnerabilities.
Check Point IPS protections in our Next Generation Firewall are updated automatically and do not require any action from users.

Check Point’s Harmony Endpoint prevented log4j related attacks and accelerated detection and investigation of related breaches. Check Point’s teams created several detection and prevention signatures to protect endpoints from the log4j vulnerability. These signatures apply to both Windows and Linux endpoints. The signatures have been added to the Harmony Endpoint behavioral guard engine.
The engine adds a protection layer against advanced attacks by detecting suspicious operations in the behavior of processes.
Check Point’s Infinity Platform is the only security platform that offered pre-emptive protection for customers against recent Log4j exploits (Log4Shell). Leveraging contextual AI, the platform provides precise prevention of even the most sophisticated attacks, without generating false positives. Customer web applications remain safe because the security updates automatically, without the need for human intervention, and CloudGuard AppSec provides zero-day protection against exploitation of the Log4j vulnerability when the Check Point Web Application Best Practice is used in Prevent mode.
As soon as the Log4j vulnerability was reported on December 9, all relevant protections were propagated through all Check Point products (sk176884).

Below is a detailed list of our IPS protections against all the vulnerabilities published by CISA:

CVE | Vulnerability Name | Vendor and Product | Type | IPS Protection
CVE-2021-44228 | Log4Shell | Apache Log4j | Remote code execution (RCE) | Apache Log4j Remote Code Execution (CVE-2021-44228; CVE-2021-45046)
CVE-2021-40539 | - | Zoho ManageEngine AD SelfService Plus | RCE | Zoho ManageEngine ADSelfService Plus Authentication Bypass (CVE-2021-40539)
CVE-2021-34523 | ProxyShell | Microsoft Exchange Server | Elevation of privilege | Microsoft Exchange Server Remote Code Execution (CVE-2021-34473; CVE-2021-34523)
CVE-2021-34473 | ProxyShell | Microsoft Exchange Server | RCE | Microsoft Exchange Server Remote Code Execution (CVE-2021-34473; CVE-2021-34523)
CVE-2021-31207 | ProxyShell | Microsoft Exchange Server | Security feature bypass | Microsoft Exchange Server Security Feature Authentication Bypass (CVE-2021-31207)
CVE-2021-27065 | ProxyLogon | Microsoft Exchange Server | RCE | Microsoft Exchange Server Remote Code Execution (CVE-2021-26855; CVE-2021-27065)
CVE-2021-26858 | ProxyLogon | Microsoft Exchange Server | RCE | Microsoft Exchange Server Remote Code Execution (CVE-2021-26857; CVE-2021-26858)
CVE-2021-26857 | ProxyLogon | Microsoft Exchange Server | RCE | Microsoft Exchange Server Remote Code Execution (CVE-2021-26857; CVE-2021-26858)
CVE-2021-26855 | ProxyLogon | Microsoft Exchange Server | RCE | Microsoft Exchange Server Remote Code Execution (CVE-2021-26855; CVE-2021-27065)
CVE-2021-26084 | - | Atlassian Confluence Server and Data Center | Arbitrary code execution | Atlassian Confluence Remote Code Execution (CVE-2021-26084)
CVE-2021-21972 | - | VMware vSphere Client | RCE | VMware vSphere Client Remote Code Execution (CVE-2021-21972; CVE-2021-21973)
CVE-2020-1472 | ZeroLogon | Microsoft Netlogon Remote Protocol (MS-NRPC) | Elevation of privilege | Microsoft Netlogon Elevation of Privilege (CVE-2020-1472)
CVE-2020-0688 | - | Microsoft Exchange Server | RCE | Microsoft Exchange Server Remote Code Execution (CVE-2020-0688)
CVE-2019-11510 | - | Pulse Secure Pulse Connect Secure | Arbitrary file reading | Pulse Connect Secure File Disclosure (CVE-2019-11510)
CVE-2018-13379 | - | Fortinet FortiOS and FortiProxy | Path traversal | Fortinet FortiOS SSL VPN Directory Traversal (CVE-2018-13379)
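A practical use of a table like the one above is to check, from the names of the IPS protections actually enabled on a gateway, which of the advisory CVEs are claimed by at least one protection and which are not. The following Python script is an added example written for this post; it is not Check Point code and not part of the CISA advisory. It transcribes the table as pipe-separated text, parses it, tallies the vulnerability types the post counts (nine RCE, two privilege escalation), and extracts the CVE ids from each protection name so that a protection covering two CVEs (for example the Log4j entry) is credited for both. The function names `parse_table`, `count_by_type` and `coverage`, and the list of enabled protections used under `__main__`, are constructed here for illustration.

```python
import re
from collections import Counter

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,7}")

# The IPS protection table from this post, transcribed as pipe-separated rows.
# Columns: CVE | Vulnerability Name | Vendor and Product | Type | IPS Protection
# A "-" in the name column means the table gives no nickname for that CVE.
TABLE = """\
CVE-2021-44228 | Log4Shell | Apache Log4j | Remote code execution (RCE) | Apache Log4j Remote Code Execution (CVE-2021-44228; CVE-2021-45046)
CVE-2021-40539 | - | Zoho ManageEngine AD SelfService Plus | RCE | Zoho ManageEngine ADSelfService Plus Authentication Bypass (CVE-2021-40539)
CVE-2021-34523 | ProxyShell | Microsoft Exchange Server | Elevation of privilege | Microsoft Exchange Server Remote Code Execution (CVE-2021-34473; CVE-2021-34523)
CVE-2021-34473 | ProxyShell | Microsoft Exchange Server | RCE | Microsoft Exchange Server Remote Code Execution (CVE-2021-34473; CVE-2021-34523)
CVE-2021-31207 | ProxyShell | Microsoft Exchange Server | Security feature bypass | Microsoft Exchange Server Security Feature Authentication Bypass (CVE-2021-31207)
CVE-2021-27065 | ProxyLogon | Microsoft Exchange Server | RCE | Microsoft Exchange Server Remote Code Execution (CVE-2021-26855; CVE-2021-27065)
CVE-2021-26858 | ProxyLogon | Microsoft Exchange Server | RCE | Microsoft Exchange Server Remote Code Execution (CVE-2021-26857; CVE-2021-26858)
CVE-2021-26857 | ProxyLogon | Microsoft Exchange Server | RCE | Microsoft Exchange Server Remote Code Execution (CVE-2021-26857; CVE-2021-26858)
CVE-2021-26855 | ProxyLogon | Microsoft Exchange Server | RCE | Microsoft Exchange Server Remote Code Execution (CVE-2021-26855; CVE-2021-27065)
CVE-2021-26084 | - | Atlassian Confluence Server and Data Center | Arbitrary code execution | Atlassian Confluence Remote Code Execution (CVE-2021-26084)
CVE-2021-21972 | - | VMware vSphere Client | RCE | VMware vSphere Client Remote Code Execution (CVE-2021-21972; CVE-2021-21973)
CVE-2020-1472 | ZeroLogon | Microsoft Netlogon Remote Protocol (MS-NRPC) | Elevation of privilege | Microsoft Netlogon Elevation of Privilege (CVE-2020-1472)
CVE-2020-0688 | - | Microsoft Exchange Server | RCE | Microsoft Exchange Server Remote Code Execution (CVE-2020-0688)
CVE-2019-11510 | - | Pulse Secure Pulse Connect Secure | Arbitrary file reading | Pulse Connect Secure File Disclosure (CVE-2019-11510)
CVE-2018-13379 | - | Fortinet FortiOS and FortiProxy | Path traversal | Fortinet FortiOS SSL VPN Directory Traversal (CVE-2018-13379)
"""


def parse_table(text):
    """Parse the pipe-separated table into one dict per row.

    'protection_cves' holds every CVE id named in the IPS protection column,
    so a single protection that lists two CVEs is recorded as covering both.
    """
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        cve, name, product, vtype, protection = [c.strip() for c in line.split("|")]
        rows.append({
            "cve": cve,
            "name": None if name == "-" else name,
            "product": product,
            "type": vtype,
            "protection": protection,
            "protection_cves": frozenset(CVE_RE.findall(protection)),
        })
    return rows


def normalise_type(vtype):
    """Collapse the table's varied wording into the categories the post counts."""
    t = vtype.lower()
    if "remote code execution" in t or t == "rce":
        return "RCE"
    if "privilege" in t:
        return "privilege escalation"
    return t  # e.g. "arbitrary code execution", "path traversal"


def count_by_type(rows):
    """Tally advisory CVEs per normalised vulnerability type."""
    return Counter(normalise_type(r["type"]) for r in rows)


def coverage(rows, enabled_protections):
    """Check a list of enabled protection names against the advisory CVEs.

    Returns (covered, uncovered): covered maps each advisory CVE to the sorted
    names of enabled protections whose name lists that CVE; uncovered is the
    sorted list of advisory CVEs no enabled protection claims.
    """
    enabled = {p: frozenset(CVE_RE.findall(p)) for p in enabled_protections}
    covered, uncovered = {}, []
    for r in rows:
        hits = sorted(p for p, cves in enabled.items() if r["cve"] in cves)
        if hits:
            covered[r["cve"]] = hits
        else:
            uncovered.append(r["cve"])
    return covered, sorted(uncovered)


if __name__ == "__main__":
    rows = parse_table(TABLE)
    print("advisory CVEs by type:", dict(count_by_type(rows)))
    # Constructed example: a gateway with only the Exchange ProxyShell and
    # Log4j protections enabled (hypothetical, for illustration only).
    enabled = [
        "Microsoft Exchange Server Remote Code Execution (CVE-2021-34473; CVE-2021-34523)",
        "Apache Log4j Remote Code Execution (CVE-2021-44228; CVE-2021-45046)",
    ]
    covered, uncovered = coverage(rows, enabled)
    print("covered:", sorted(covered))
    print("still uncovered:", uncovered)
```

Because CVE ids are pulled out of the protection names with a regular expression rather than matched on the whole string, the check keeps working when a protection is renamed but still lists the same CVEs; the inverse caveat is that a protection whose name omits a CVE it actually covers will show up as a gap and needs a manual look.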


From SolarWinds to Log4j: The global impact of today’s cybersecurity vulnerabilities

If the past year has taught businesses anything, it’s that the impact of targeted cyberattacks and security vulnerabilities is now, without doubt, universal. From the fallout of the SolarWinds software supply-chain attack to the exposed Apache Log4j vulnerability, the case for organizations of all shapes and sizes to have a comprehensive and robust security infrastructure in place has never been stronger, even if they themselves aren’t necessarily in the cross-hairs. These zero-day vulnerabilities earn their name from their ability to completely blindside businesses, giving them virtually no time to react before they become potential victims. It then becomes a race between threat actors and their ability to exploit the vulnerability, and how quickly businesses can close the gap in their defenses.

Keeping Your Organization Safe
