Many widely exploited hacks known to public for two years, cyber agencies warn

Cybersecurity agencies have revealed the top 30 vulnerabilities exploited by hackers last year in a fresh warning to organisations.

The UK and allies in the US and Australia said most exposures were already publicly known during the past two years and are often due to dated software.

Experts believe increased homeworking could be partly to blame for some more recently disclosed software flaws, making it harder for firms to roll out routine patches.

The most targeted vulnerabilities affected remote work, virtual private networks (VPNs), or cloud-based technologies, they said.

The group warned that in 2021 malicious cyber actors have continued to target vulnerabilities in common software by Microsoft, Pulse, Accellion, VMware, and Fortinet.

This includes the high-profile Microsoft Exchange mail server vulnerability, which affected at least 30,000 organisations around the world.

It comes after Lindy Cameron, head of the National Cyber Security Centre (NCSC), which is part of GCHQ, recently stressed that ransomware attacks are the key cyber threat facing the UK, and urged the public and businesses to take it seriously.

Paul Chichester, director for operations at the NCSC, said: “We are committed to working with allies to raise awareness of global cyber weaknesses – and present easily actionable solutions to mitigate them.

“The advisory published today puts the power in every organisation’s hands to fix the most common vulnerabilities, such as unpatched VPN gateway devices.

“Working with our international partners, we will continue to raise awareness of the threats posed by those that seek to cause harm.”

Bryan Vorndran, cyber assistant director at the FBI, said: “The FBI remains committed to sharing information with public and private organisations in an effort to prevent malicious cyber actors from exploiting vulnerabilities.

“We firmly believe that co-ordination and collaboration with our federal and private sector partners will ensure a safer cyber environment to decrease the opportunity for these actors to succeed.”