Global cybersecurity alert reveals surge in zero-day exploits targeting high-priority networks in 2023


U.S. and international partners issued a joint cybersecurity advisory detailing the Common Vulnerabilities and Exposures (CVEs) most commonly exploited by malicious cyber actors and their related Common Weakness Enumerations (CWEs). In 2023, malicious cyber adversaries exploited more zero-day vulnerabilities to compromise enterprise networks than in 2022, allowing them to conduct cyber operations against higher-priority targets. The majority of the most frequently exploited vulnerabilities in 2023 were initially exploited as zero-days, an increase from 2022, when fewer than half of the top exploited vulnerabilities were exploited as zero-days.

“Malicious cyber actors continue to have the most success exploiting vulnerabilities within two years after public disclosure of the vulnerability,” highlighted the ‘2023 Top Routinely Exploited Vulnerabilities’ document, authored by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA); the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC); the Canadian Centre for Cyber Security (CCCS); the New Zealand National Cyber Security Centre (NCSC-NZ) and Computer Emergency Response Team New Zealand (CERT NZ); and the U.K.’s National Cyber Security Centre (NCSC-UK). “The utility of these vulnerabilities declines over time as more systems are patched or replaced. Malicious cyber actors find less utility from zero-day exploits when international cybersecurity efforts reduce the lifespan of zero-day vulnerabilities.”

“More routine initial exploitation of zero-day vulnerabilities represents the new normal which should concern end-user organizations and vendors alike as malicious actors seek to infiltrate networks,” Ollie Whitehouse, NCSC chief technology officer, said in a separate statement. “To reduce the risk of compromise, it is vital all organizations stay on the front foot by applying patches promptly and insisting upon secure-by-design products in the technology marketplace.” 

Whitehouse added, “We urge network defenders to be vigilant with vulnerability management, have situational awareness in operations, and call on product developers to make security a core component of product design and life-cycle to help stamp out this insidious game of whack-a-mole at source.”

Among the measures the agencies prescribed are implementing security-centered product development lifecycles, increasing incentives for responsible vulnerability disclosure, and using sophisticated endpoint detection and response (EDR) tools. For software developers, deploying patches to fix software vulnerabilities is often a lengthy and expensive process, particularly for zero-days. Using more robust testing environments and implementing threat modeling throughout the product development lifecycle will likely reduce overall product vulnerabilities.

All vulnerabilities listed have had patches and fixes made available by the vendors to help mitigate the risk of compromise. In the case of zero-day vulnerabilities, where exploitation is rife, it is vital that organizations have a process in place to install vendor updates at pace after they become available, to minimize the window of opportunity for attackers.

Global efforts to reduce barriers to responsible vulnerability disclosure could restrict the utility of zero-day exploits used by malicious cyber adversaries. End users leveraging EDR solutions may improve the detection rate of zero-day exploits. Most zero-day exploits, including at least three of the top 15 vulnerabilities from last year, have been discovered when an end user or EDR system reports suspicious activity or unusual device malfunctions.

In 2023, one of the primary vulnerabilities identified by the authoring agencies that malicious cyber hackers frequently exploited was the CVE-2023-3519 vulnerability. This flaw impacts Citrix NetScaler ADC and NetScaler Gateway, enabling an unauthenticated user to trigger a stack buffer overflow in the NSPPE process through an HTTP GET request. Also, the CVE-2023-4966 vulnerability affects Citrix NetScaler ADC and NetScaler Gateway. It allows session token leakage and a proof-of-concept for this exploit was revealed last October.

The 2023 Top Routinely Exploited Vulnerabilities document also listed the CVE-2023-20198 vulnerability that affects Cisco IOS XE Web UI. It allows unauthorized users to gain initial access and issue a command to create a local user and password combination, resulting in the ability to log in with normal user access. The CVE-2023-20273 vulnerability affects Cisco IOS XE, following activity from CVE-2023-20198. It allows privilege escalation, once a local user has been created, to root privileges. 

The advisory also covered the CVE-2023-27997 vulnerability that affects Fortinet FortiOS and FortiProxy SSL-VPN. It allows a remote user to craft specific requests to execute arbitrary code or commands. The CVE-2023-34362 vulnerability affects Progress MOVEit Transfer. It allows the abuse of an SQL injection vulnerability to obtain a sysadmin API access token and allows a malicious cyber hacker to obtain remote code execution via this access by abusing a deserialization call.

The 2023 Top Routinely Exploited Vulnerabilities document also covered the CVE-2023-22515 vulnerability that affects Atlassian Confluence Data Center and Server. It allows exploitation of an improper input validation issue: arbitrary HTTP parameters can be translated into getter/setter sequences via the XWorks2 middleware and, in turn, allow Java objects to be modified at runtime. The exploit creates a new administrator user and uploads a malicious plugin to get arbitrary code execution.

The document also included the CVE-2021-44228 vulnerability, known as Log4Shell, which affects Apache’s Log4j library, an open source logging framework incorporated into thousands of products worldwide. It allows the execution of arbitrary code: a hacker exploits the vulnerability by submitting a specially crafted request to a vulnerable system, which then executes the attacker’s code. The request allows a cyber actor to take full control of a system. Subsequently, the hacker can steal information, launch ransomware, or conduct other malicious activity. Malicious cyber actors began exploiting the vulnerability after it was publicly disclosed in December 2021.

The 2023 Top Routinely Exploited Vulnerabilities document also listed the CVE-2023-2868 remote command injection vulnerability that affects the Barracuda Networks Email Security Gateway (ESG) Appliance. It allows an individual to obtain unauthorized access and remotely execute system commands via the ESG appliance. The CVE-2022-47966 is an unauthenticated remote code execution vulnerability that affects multiple products using Zoho ManageEngine. It allows an unauthenticated user to execute arbitrary code by providing a crafted samlResponseXML to the ServiceDesk Plus SAML endpoint. 

It also mentioned the CVE-2023-27350 vulnerability that affects PaperCut MF/NG. It allows a malicious cyber actor to chain an authentication bypass vulnerability with the abuse of built-in scripting functionality to execute code. 

The joint cybersecurity advisory also included the CVE-2020-1472 vulnerability that affects Microsoft Netlogon. It allows privilege escalation, where an unauthorized user may use non-default configurations to establish a vulnerable Netlogon secure channel connection to a domain controller by using the Netlogon Remote Protocol. The CVE-2023-42793 vulnerability affects JetBrains TeamCity servers. It is an authentication bypass that leads to remote code execution against vulnerable JetBrains TeamCity servers.

The document also listed the CVE-2023-23397 vulnerability that affects Microsoft Office Outlook. It allows elevation of privilege when a threat actor sends a specially crafted email that the Outlook client triggers automatically as it processes the message. The exploit occurs without any user interaction. The CVE-2023-49103 vulnerability affects ownCloud ‘graphapi.’ It allows unauthenticated information disclosure, where an unauthenticated user can access sensitive data such as admin passwords, mail server credentials, and license keys.

Providing further insight, including into the correlation between internet-facing systems and the likelihood of exploitation, Satnam Narang, senior staff research engineer at Tenable, wrote in an emailed statement that “One of the common threads amongst many of the flaws highlighted in the 2023 Top Routinely Exploited Vulnerabilities list published jointly by the ACSC and other authoring agencies is that they are in services or systems that are exposed to the internet – from virtual private networking (VPN) solutions to remote management interfaces. There’s a strong correlation between internet-facing systems that utilize software containing known vulnerabilities and the likelihood of exploitation.

“The oldest vulnerability on the list is seven years old (CVE-2017-6742) and we know that the advanced persistent threat (APT) group known as APT28 (or Fancy Bear) has been historically linked to the exploitation of this flaw as recently as 2021,” Narang highlighted. “Yet in 2023, we still see this same flaw being utilized in the wild by other attackers. According to some intelligence, there are still around 24,000 Cisco IOS and IOS XE systems online that may be vulnerable to this flaw.”

Narang added, “Each year that the Top Routinely Exploited list is published serves as a constant reminder of the threat posed by known vulnerabilities for most organizations and why it is not just important, it is imperative, for organizations to address these known vulnerabilities in a timely manner to protect against unauthorized access to critical business systems.”

The information in the joint cybersecurity advisory aims to help organizations comprehend the impact of these exploits and encourages organizations to review and implement the recommended mitigations. It serves as a guide for vendors, designers, and developers to adopt secure-by-design and default principles, thereby reducing software vulnerabilities and enhancing end-user security. Adhering to this guidance will significantly lower the risk of cyber compromise.

Additionally, vendors and developers are called upon to take appropriate steps to provide products that protect their customers’ sensitive data. They must implement secure-by-design and default principles and tactics to reduce the prevalence of software vulnerabilities; follow the SP 800-218 Secure Software Development Framework (SSDF) and implement secure-by-design practices into each stage of the software development life cycle (SDLC); and establish a coordinated vulnerability disclosure program that includes processes to determine root causes of discovered vulnerabilities. 

They must also prioritize secure by default configurations, such as eliminating default passwords and not requiring additional configuration changes to enhance product security; and ensure that published CVEs include the proper CWE field, identifying the root cause of the vulnerability.

Addressing supply chain security, the 2023 Top Routinely Exploited Vulnerabilities document suggests reducing third-party applications and unique system/application builds—providing exceptions only if required to support business-critical functions. It also recommends ensuring that contracts require vendors and/or third-party service providers to provide notification of security incidents and vulnerabilities within a risk-informed time frame and supply a Software Bill of Materials (SBOM) with products to enhance vulnerability monitoring and to help reduce time to respond to identified vulnerabilities. 
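The two recommendations above, installing vendor fixes at pace and demanding an SBOM from suppliers so affected components can be found quickly, come together in a small checker. The following is an added example and not code from the advisory or the authoring agencies: it cross-references a constructed CycloneDX-style SBOM fragment against a watchlist derived from the advisory (here only Log4Shell, CVE-2021-44228), reports components below the fixed version, and measures how long a fix has been available so overdue items can be flagged against a patching window. The fixed version, the fix-availability date, the SBOM contents and the SLA are constructed for the example; in practice they come from the vendor advisory and your own policy.

```python
"""Match an SBOM against a vulnerability watchlist and flag overdue fixes.

Added example. The SBOM fragment, the watchlist thresholds and dates are
constructed for illustration, not taken from the advisory.
"""
from dataclasses import dataclass
from datetime import date
import re

# Constructed SBOM fragment in the shape of a CycloneDX JSON document.
# The third component deliberately lacks a version, to show why an SBOM
# without versions cannot be matched against a watchlist.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.14.1"},
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.17.1"},
        {"type": "library", "group": "com.example", "name": "widget-utils"},
    ],
}


@dataclass(frozen=True)
class WatchEntry:
    cve: str
    group: str
    name: str
    fixed_in: str    # first version that is not affected (assumed here)
    fix_date: date   # date the vendor fix became available (constructed)


# Watchlist built from the advisory's list; only the Log4j entry is modelled.
WATCHLIST = [
    WatchEntry("CVE-2021-44228", "org.apache.logging.log4j", "log4j-core",
               fixed_in="2.15.0", fix_date=date(2021, 12, 10)),
]


@dataclass(frozen=True)
class Finding:
    cve: str
    component: str
    version: str
    fixed_in: str
    days_fix_available: int


def parse_version(version: str) -> tuple:
    """Turn '2.14.1' into (2, 14, 1); non-numeric suffixes are dropped.
    Adequate for dotted numeric versions; not a full semver comparator."""
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def is_affected(component_version: str, fixed_in: str) -> bool:
    """True when component_version sorts before fixed_in.
    Shorter tuples are zero-padded so '2.15' is not treated as older than '2.15.0'."""
    a, b = parse_version(component_version), parse_version(fixed_in)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def unversioned_components(sbom: dict) -> list:
    """Components that cannot be matched because the SBOM omits their version."""
    return [f"{c.get('group', '')}:{c.get('name', '')}"
            for c in sbom.get("components", []) if not c.get("version")]


def check_sbom(sbom: dict, watchlist: list, today: date) -> list:
    """Return one Finding per (component, watchlist entry) pair that is affected."""
    findings = []
    for comp in sbom.get("components", []):
        version = comp.get("version")
        if not version:
            continue  # reported separately by unversioned_components()
        for entry in watchlist:
            if (comp.get("group") == entry.group and comp.get("name") == entry.name
                    and is_affected(version, entry.fixed_in)):
                findings.append(Finding(
                    cve=entry.cve,
                    component=f"{entry.group}:{entry.name}",
                    version=version,
                    fixed_in=entry.fixed_in,
                    days_fix_available=(today - entry.fix_date).days,
                ))
    return findings


def overdue(findings: list, sla_days: int) -> list:
    """Findings whose fix has been available longer than the patching window."""
    return [f for f in findings if f.days_fix_available > sla_days]


if __name__ == "__main__":
    today = date(2024, 1, 1)  # fixed date so the output is reproducible
    results = check_sbom(SAMPLE_SBOM, WATCHLIST, today)
    for f in results:
        print(f"{f.cve}: {f.component} {f.version} < {f.fixed_in}, "
              f"fix available for {f.days_fix_available} days")
    print("overdue (30-day window):", [f.component for f in overdue(results, 30)])
    print("no version recorded:", unversioned_components(SAMPLE_SBOM))
```

The unversioned-component report is the practical reason the advisory ties SBOMs to contracts: an SBOM that names components without versions cannot be matched against a vulnerability list, so it does not shorten response time. The version comparison is deliberately simple; for real inventories use the ecosystem's own version semantics (Maven, npm, PEP 440) rather than a generic numeric split.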

Last year, the cybersecurity agencies revealed in their cybersecurity advisory that in 2022, malicious cyber hackers exploited older software vulnerabilities more frequently than recently disclosed vulnerabilities and targeted unpatched, internet-facing systems. It also detailed CVEs routinely and frequently exploited by malicious cyber hackers in 2022, with associated CWEs.
