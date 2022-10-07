CISA to infosec: here’s China’s hit-list, why haven’t you patched?


Top-20 exploited vulnerabilities include 12 RCEs.

America’s Cybersecurity and Infrastructure Security Agency (CISA) has assembled a list of 20 vulnerabilities actively exploited by state-sponsored actors from China since 2020.

Given its supply-chain impact on other software packages, it’s little surprise the Apache Log4J vulnerability (CVE-2021-44228) leads the list.

Apache has two other CVEs on the list: CVE-2022-24112 (an authentication bypass), and CVE-2021-41773 (a path traversal bug in the HTTP server).

Microsoft made the list four times, with remote code execution (RCE) bugs in Exchange (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065).

Atlassian appears twice, via RCE bugs in its Confluence product (CVE-2022-26134 and CVE-2021-26084).

In all, there are 12 RCE bugs in the top 20 list.

Patches and mitigations are available for all the vulnerabilities on the list, so if they’re actively exploited, it’s because users haven’t applied the patches yet.

CISA said the attackers use VPNs to obfuscate their activities, and “target web-facing applications to establish initial access.

“Many of the CVEs indicated in Table 1 allow the actors to surreptitiously gain unauthorized access into sensitive networks, after which they seek to establish persistence and move laterally to other internally connected networks.”

The list was put together by CISA, the NSA and the FBI.

Copyright © iTnews.com.au. All rights reserved.