Cyber attacks list shows who’s at risk

The most targeted vulnerabilities involved remote work, VPNs, or cloud-based technologies.

A list of the top 30 cyber vulnerabilities ruthlessly exploited by state-based actors and criminal gangs during the Covid-19 pandemic has been revealed in a historic joint statement from the leading Australian, British and US cyber security agencies.

The threat list provides advice for businesses and individuals to protect themselves and identify system vulnerabilities, following an international onslaught of attacks in the West linked to Russian and Chinese cyber actors.

The Joint Cyber Security Advisory statement – released on Wednesday night by the Australian Cyber Security Centre, US Cybersecurity and Infrastructure Security Agency, the FBI and Britain’s National Cyber Security Centre – warns malicious actors continue to exploit “software vulnerabilities against broad targets including public and private sector organisations worldwide”.

The first joint statement from the four agencies urges organisations to apply security patches for all 30 vulnerabilities and “implement a centralised patch management system”.

Amid a push in Australia to provide real-time advice on cyber threats and clearer guidance for businesses, FBI cyber assistant director Bryan Vorndran said his approach was based on sharing information with both public and private organisations.

“We firmly believe co-ordination and collaboration with our federal and private sector partners will ensure a safer cyber environment to decrease the opportunity for these actors to succeed,” Mr Vorndran said.

With more people working from home during the pandemic, the joint statement states: “Four of the most targeted vulnerabilities involved remote work, VPNs, or cloud-based technologies”.

“Many VPN (virtual private network) gateway devices remained unpatched during 2020, with the growth of remote work options due to the Covid-19 pandemic challenging the ability of organisations to conduct rigorous patch management. In 2021, malicious cyber actors continued to target vulnerabilities in perimeter-type devices,” the security agencies’ statement reads.

“This advisory lists the vendors, products and Common Vulnerabilities and Exposures associated with these vulnerabilities, which organisations should urgently patch.”

The cyber security agencies revealed vulnerabilities targeted by cyber actors in the past 18 months included CVEs associated with commonly used software from Microsoft, Atlassian, Drupal, Fortinet, Accellion, VMware, MobileIron, Netlogon, Citrix and Telerik.

In a bid to raise domestic and international awareness about cyber risks, the joint statement calls on compromised organisations to immediately report any security breaches.

“CISA, ACSC, the NCSC, and FBI assess that public and private organisations worldwide remain vulnerable to compromise from the exploitation of these CVEs. Malicious cyber actors will most likely continue to use older known vulnerabilities … as long as they remain effective and systems remain unpatched,” it states.

“Adversaries’ use of known vulnerabilities complicates attribution, reduces costs, and minimises risk because they are not investing in developing a zero-day exploit for their exclusive use, which they risk losing if it becomes known.”

ACSC head Abigail Bradshaw said unless both corporate and government computer system weaknesses were urgently addressed, “malicious cyber actors will continue to use older known vulnerabilities affecting software used by many organisations, including Microsoft Office, as long as they remain effective and systems remain unpatched”.

Original URL: https://www.theaustralian.com.au/nation/politics/cyber-attacks-list-shows-whos-at-risk/news-story/45f57c8230cc4b1d6004967b131ca4f3