April 27, 2022
CSE’s Canadian Centre for Cyber Security (Cyber Centre) joined cyber security partners from the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), Australian Cyber Security Centre (ACSC), the Computer Emergency Response Team New Zealand (CERT NZ), and the United Kingdom’s National Cyber Security Centre (NCSC-UK) in issuing a joint Cybersecurity Advisory (CSA) to provide information on the top 15 Common Vulnerabilities and Exposures (CVEs) exploited by malicious cyber threat actors in 2021, as well as a secondary list of routinely exploited vulnerabilities that were targeted in that timeframe.
All of these CVEs have previously been reported on by the Cyber Centre or its partners, along with mitigations for these vulnerabilities. We continue to encourage all organizations to take the necessary steps to protect their systems, which include but are not limited to:
- Apply necessary fixes, such as operating system, application, and firmware updates as soon as possible or implement vendor-approved workarounds.
- Enforce multifactor authentication (MFA) for all users.
- Enforce MFA on all VPN connections or, where MFA is unavailable, require strong passwords.
- Review, validate, or remove privileged accounts at least once a year, if not more frequently.
- Utilize the least privilege principle when configuring access controls.
- Disable unused or unnecessary network ports and protocols, encrypt network traffic, and disable unused network services and devices.
- Segment networks to limit or block lateral movement.
- Implement application allowlisting.