Wed | May 25, 2022 | 11:00 AM PDT

Cybersecurity authorities from the United States, Canada, New Zealand, the Netherlands, and the United Kingdom have released a joint Cybersecurity Advisory detailing the top 10 commonly exploited controls and practices.

The advisory notes that malicious threat actors often exploit poor security configurations, weak controls, and other faulty cyber hygiene practices in order to gain initial access to a victim's system.

These are the 10 most commonly exploited initial attack vectors, according to the advisory:

1. Multifactor authentication (MFA) is not enforced

MFA, particularly for remote desktop access, can help prevent account takeovers. With Remote Desktop Protocol (RDP) as one of the most common infection vector for ransomware, MFA is a critical tool in mitigating malicious cyber activity. Do not exclude any user, particularly administrators, from an MFA requirement.

2. Incorrectly applied privileges or permissions and errors within access control lists

These mistakes can prevent the enforcement of access control rules and could allow unauthorized users or system processes to be granted access to objects.

3. Software is not up to date

Unpatched software may allow an attacker to exploit publicly known vulnerabilities to gain access to sensitive information, launch a denial-of-service attack, or take control of a system. This is one of the most commonly found poor security practices.

4. Use of vendor-supplied default configurations or default login usernames and passwords

Many software and hardware products come "out of the box" with overly permissive factory default configurations intended to make the products user-friendly and reduce the troubleshooting time for customer service. However, leaving these factory default configurations enabled after installation may provide avenues for an attacker to exploit. Network devices are also often preconfigured with default administrator usernames and passwords to simplify setup. These default credentials are not secure—they may be physically labeled on the device or even readily available on the internet. Leaving these credentials unchanged creates opportunities for malicious activity, including gaining unauthorized access to information and installing malicious software. Network defenders should also be aware that the same considerations apply for extra software options, which may come with preconfigured default settings.

5. Remote services, such as a virtual private network (VPN), lack sufficient controls to prevent unauthorized access

During recent years, malicious threat actors have been observed targeting remote services. Network defenders can reduce the risk of remote service compromise by adding access control mechanisms, such as enforcing MFA, implementing a boundary firewall in front of a VPN, and leveraging intrusion detection system/intrusion prevention system sensors to detect anomalous network activity.

6. Strong password policies are not implemented

Malicious cyber actors can use a myriad of methods to exploit weak, leaked, or compromised passwords and gain unauthorized access to a
victim system. Malicious cyber actors have used this technique in various nefarious acts and prominently in attacks targeting RDP.

7. Cloud services are unprotected

Misconfigured cloud services are common targets for cyber actors. Poor configurations can allow for sensitive data theft and even cryptojacking.

8. Open ports and misconfigured services are exposed to the internet

This is one of the most common vulnerability findings. Cyber actors use scanning tools to detect open ports and often use them as an initial attack vector. Successful compromise of a service on a host could enable malicious cyber actors to gain initial access and use other tactics and procedures to compromise exposed and vulnerable entities. RDP, Server Message Block (SMB), Telnet, and NetBIOS are high-risk services.

9. Failure to detect or block phishing attempts

Cyber actors send emails with malicious macros—primarily in Microsoft Word documents or Excel files—to infect computer systems. Initial
infection can occur in a variety of ways, such as when a user opens or clicks a malicious download link, PDF, or macro-enabled Microsoft Word document included in phishing emails.

10. Poor endpoint detection and response

Cyber actors use obfuscated malicious scripts and PowerShell attacks to bypass endpoint security controls and launch attacks on target devices. These techniques can be difficult to detect and protect against.


The Cybersecurity Advisory also shares a wide variety of mitigations that can help your organization defend against these commonly exploited attack vectors. For more information, read the joint advisory, Weak Security Controls and Practices Routinely Exploited for Initial Access.