The cybersecurity agencies of the Five Eyes Alliance – the intelligence-sharing arrangement between the English-speaking democracies of the United States, the United Kingdom, Australia, Canada, and New Zealand – issued a joint cybersecurity advisory listing the top 15 vulnerabilities routinely exploited in 2023.
The report was co-authored by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and National Security Agency (NSA) of the United States; the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC); the Canadian Centre for Cyber Security (CCCS); the New Zealand National Cyber Security Centre (NCSC-NZ) and Computer Emergency Response Team New Zealand (CERT NZ); and the UK’s National Cyber Security Centre (NCSC-UK).
It warned that in 2023, “malicious cyber actors exploited more zero-day vulnerabilities to compromise enterprise networks compared to 2022, allowing them to conduct cyber operations against higher-priority targets,” and that a dozen of the top 15 vulnerabilities actively abused in the wild were addressed last year. That aligns with the agencies’ warning that threat actors focused their attacks on zero days.
“Network defenders should pay careful attention to trends and take immediate action to ensure vulnerabilities are patched and mitigated. Exploitation will likely continue in 2024 and 2025,” the agencies say.
Core Recommendations
The Five Eyes cyber agencies recommended that all vendors, designers, and developers immediately implement “secure by design and default principles and tactics” to reduce the prevalence of vulnerabilities in their software.
This included following the NIST SP 800-218 Secure Software Development Framework (SSDF) and “implementing secure by design practices into each stage of the software development life cycle (SDLC).” In addition, a coordinated vulnerability disclosure program should be established that includes processes to determine the root causes of discovered vulnerabilities.
Efforts should also be made to prioritize secure by default configurations, which could include eliminating default passwords and shipping products secure out of the box so that customers need not make additional configuration changes to be protected. Published Common Vulnerabilities and Exposures (CVEs) should also include the proper Common Weakness Enumeration (CWE) field, which aids in identifying the root cause of the vulnerability.
For end-user organizations, the agencies called for timely application of patches to systems. “If CVEs identified in this advisory have not been patched, check for signs of compromise before patching,” the agencies stated.
In addition, organizations should implement a centralized patch management system and make use of security tools such as endpoint detection and response (EDR), web application firewalls, and network protocol analyzers.
“Ask your software providers to discuss their secure by design program, provide links to information about how they are working to remove classes of vulnerabilities, and to set secure default settings,” the warning added.
Proactive Reaction
The report warned of the most exploited vulnerabilities from last year and offered recommendations, but further due diligence is needed at all levels.
“While the recommendation to patch is sage advice, it won’t have a material impact against sophisticated attackers who are increasingly reliant on zero days to gain initial access, per the joint advisory,” said Evan Dornbush, former NSA cybersecurity expert, in an email to ClearanceJobs.
“Instead of waiting for attackers to come at them with zero days, finding novel ways to raise the cost of conducting criminal operations would, however, produce a desirable effect,” Dornbush explained. “Sophos did this in its Pacific Rim project, which burned several months of effort—exploits, implants, and infrastructure—quite brilliantly. It’s time for businesses in all industries to pursue new options that disrupt the lucrative nature of criminal operations.”
Prioritize the Threats
The other takeaway from the Five Eyes joint cybersecurity advisory is that it may be impossible to prepare for every unforeseen threat.
“With all the noise of vulnerability alerts it’s important to prioritize those that have proven to be exploited,” said Mali Gorantla, chief scientist at cybersecurity provider AppSoc.
“It’s impossible, and not a good use of resources to chase every possible vulnerability, so smart security professionals need to prioritize the small number that hit all of these criteria,” Gorantla told ClearanceJobs.
“One, is the vulnerability critical – typically found by CVSS (Common Vulnerability Scoring System) scores; two, is it exploitable – as demonstrated with this list; three, is the application critical to your business; and four, does it potentially contain sensitive or regulated information? Lists like this are an important factor, if combined with the context you need to prioritize response.”
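The four criteria above, together with the advisory’s instruction to check for compromise before patching anything that has gone unpatched, can be turned into a simple triage routine. The following is an added example written for this article, not code from the advisory, from AppSoc, or from ClearanceJobs. The CVE identifiers, asset names, and the “known exploited” set are constructed placeholders; in practice the set would be loaded from a feed of confirmed-exploited vulnerabilities such as CISA’s Known Exploited Vulnerabilities catalog, and the 9.0 threshold is the lower bound of the CVSS v3.x “Critical” band.

```python
"""Risk-based vulnerability triage using the four criteria quoted above.

Added example, not from the original article or the joint advisory.
All findings and the KNOWN_EXPLOITED set are constructed placeholders
(CVE-0000-* are not real CVE identifiers).
"""
from dataclasses import dataclass

CVSS_CRITICAL = 9.0  # CVSS v3.x "Critical" severity starts at 9.0


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float
    asset: str
    business_critical: bool   # criterion three: application critical to the business
    sensitive_data: bool      # criterion four: holds sensitive or regulated data


def criteria(finding, known_exploited):
    """Evaluate the four prioritization criteria for one finding."""
    return {
        "critical_cvss": finding.cvss >= CVSS_CRITICAL,          # criterion one
        "known_exploited": finding.cve in known_exploited,        # criterion two
        "critical_asset": finding.business_critical,              # criterion three
        "sensitive_data": finding.sensitive_data,                 # criterion four
    }


def prioritize(findings, known_exploited):
    """Order findings for response.

    Sort key, most important first: number of criteria met, then proven
    exploitation (a proven-exploited finding outranks an unexploited one
    that meets the same number of criteria), then raw CVSS score as a
    final tie-breaker. This keeps the "noise" of unexploited findings on
    non-critical assets at the bottom regardless of their CVSS score.
    """
    def key(f):
        c = criteria(f, known_exploited)
        return (-sum(c.values()), -int(c["known_exploited"]), -f.cvss)
    return sorted(findings, key=key)


def must_fix_now(findings, known_exploited):
    """The small set that hits all four criteria."""
    return [f for f in findings if all(criteria(f, known_exploited).values())]


def response_plan(findings, known_exploited):
    """Pair each finding, in priority order, with the action to take.

    Per the advisory: an unpatched, known-exploited vulnerability should be
    checked for signs of compromise before it is patched ("hunt-then-patch");
    everything else is a plain "patch".
    """
    plan = []
    for f in prioritize(findings, known_exploited):
        action = "hunt-then-patch" if f.cve in known_exploited else "patch"
        plan.append((f.cve, action))
    return plan


# Constructed sample data (placeholder identifiers, not real CVEs).
KNOWN_EXPLOITED = {"CVE-0000-0001", "CVE-0000-0003"}
FINDINGS = [
    Finding("CVE-0000-0001", 9.8, "customer-portal", True, True),   # all four criteria
    Finding("CVE-0000-0002", 10.0, "build-server", False, False),   # critical CVSS only
    Finding("CVE-0000-0003", 7.5, "hr-payroll", True, True),        # exploited, below Critical band
    Finding("CVE-0000-0004", 9.1, "hr-payroll", True, True),        # Critical, not yet exploited
    Finding("CVE-0000-0005", 5.3, "wiki", False, False),            # noise
]

if __name__ == "__main__":
    for cve, action in response_plan(FINDINGS, KNOWN_EXPLOITED):
        print(f"{cve}: {action}")
    print("must fix now:", [f.cve for f in must_fix_now(FINDINGS, KNOWN_EXPLOITED)])
```

Note that the exploited 7.5 on the payroll system ranks above the unexploited 9.1 on the same system, and the 10.0 on the non-critical build server drops below both: proven exploitation and business context, not the CVSS number alone, drive the order.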