Top Routinely Exploited Vulnerabilities

Gov. Programs

November 12, 2024

The Cybersecurity and Infrastructure Security Agency (CISA), in partnership with the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and the cybersecurity authorities of Australia, Canada, New Zealand, and the United Kingdom, released a Joint Cybersecurity Advisory covering 47 Common Vulnerabilities and Exposures (CVEs) that were routinely or frequently exploited by malicious actors in 2023. Each CVE is listed with its associated Common Weakness Enumeration (CWE).

A secure by design approach from software manufacturers could have reduced or even eliminated the vulnerabilities listed in this advisory. By prioritizing security during the design and development phases of the product development lifecycle, manufacturers could implement aggressive adversarial product testing, identifying and eliminating software flaws before release. This proactive approach would help close common entry points, harden systems against attacks, and minimize the potential for zero-day exploitation by malicious actors, ultimately protecting enterprise networks and high-value targets from preventable vulnerabilities.

Compared to the 2022 report, malicious cyber actors exploited more zero-day vulnerabilities to compromise enterprise networks, which allowed them to conduct cyber operations against higher-priority targets. These actors continue to have the most success exploiting vulnerabilities within two years of their public disclosure. Log4Shell (CVE-2021-44228) remains one of the top routinely exploited vulnerabilities.

A key finding is that coordinated international cybersecurity efforts focused on a zero-day reduce the utility and lifespan of that vulnerability for malicious cyber actors. Those efforts include:

  • Implementing security-centered product development lifecycles that include robust testing environments and threat modeling applied throughout product development.
  • Increasing incentives for responsible vulnerability disclosure, such as bug bounty programs that offer compensation and recognition to researchers for their contributions.
  • Using sophisticated endpoint detection and response (EDR) tools, which may improve the detection rate of zero-day exploits.

End-user organizations are encouraged to implement the mitigations recommended in this advisory, including applying timely patches to systems. At the same time, CISA continues its work to shift the responsibility for secure software from the customer to software manufacturers and to make products Secure by Design.

Although this report covers 2023 activity, its assessment and vulnerability data remain relevant and useful because malicious cyber actors continue to exploit older vulnerabilities. Until properly mitigated, these CVEs will continue to pose significant risks to organizations.

Reporting
The NJCCIC encourages recipients who discover signs of malicious cyber activity to contact the NJCCIC via the cyber incident report form at www.cyber.nj.gov/report.

Please do not hesitate to contact the NJCCIC at njccic@cyber.nj.gov with any questions. Also, for more background on our recent cybersecurity efforts, please visit cyber.nj.gov.