2023 was a busy year for vulnerability researchers and analysts, with over 28,000 new CVEs published to NVD, a 14% increase (and a new record) over the 25,000+ published in 2022.
Throughout the year, we added over 440 unique CVEs to the Cytidel Spotlight, where we highlight the most prominent vulnerabilities each week. In this article we take a look at the top trending vulnerabilities of 2023, highlighting the 10 that hit our weekly Spotlight the most often.
First, some quick context before we dive in.
How does a CVE get added to the Spotlight?
We maintain a two-tier approach to monitoring Common Vulnerabilities and Exposures (CVEs). Firstly, we have automated the collection of threat activity to help identify zero-days, trending vulnerabilities, and hacker activity (think exploits, POCs, active campaigns etc.). Secondly, our Cyber Threat Intelligence (CTI) team triages the flagged CVEs before writing their analysis and adding the selected vulnerabilities to our Weekly Spotlight.
Why do we do this?
We can issue early warnings to our customers outside of their normal scan cadence and patch cycles. Any CVE that has a noteworthy change in threat activity can get addressed without having to wait for the next scan to alert them.
The threat activity and spotlight data feeds into the risk-based vulnerability management process, allowing customers to rank CVEs based on their threat activity.
The top 10 trending vulnerabilities from Cytidel's 2023 Spotlight
1. CVE-2023-38831: RarLAB WinRAR (RCE)
Why it was on our Spotlight
CVE-2023-38831, a significant zero-day vulnerability in WinRAR, was prominently on our radar due to its ability to mask harmful scripts as benign files in compressed archives, leading to widespread malware installation and system compromise. Exploited actively since April 2023, this vulnerability posed a multifaceted threat, ranging from financial risks to espionage, affecting individual users and businesses alike.
The distribution of malicious ZIP files on trading forums, disguised as harmless documents, exemplified the deceptive methods used by attackers. This vulnerability's exploitation by Pro-Russian hacking groups, particularly APT29 targeting diplomatic entities, highlighted its significance in the context of international cyber-espionage. The complex multi-step exploitation process, involving booby-trapped PDFs to establish remote access and data theft, indicated the sophistication of the attacks.
The steady increase in the Exploit Prediction Scoring System (EPSS) score and the widespread use of WinRAR globally underscored the urgency for network defenders to patch and mitigate potential spillover effects from these attacks. This vulnerability represented not only a technical challenge but also a significant threat to security operations across various sectors.
How to fix it
Update to the latest version of WinRAR.
In addition, it is recommended to advise all users, especially those in finance or using trading platforms, about this threat. Remind them not to download or open files from untrusted sources, and implement 2FA, especially on financial accounts. This provides an additional layer of security, making it harder for attackers to access your accounts.
2. CVE-2023-4966: Citrix NetScaler (Session Hijacking)
Why was it on our Spotlight?
CVE-2023-4966 and CVE-2023-4967 in Citrix's NetScaler ADC and Gateway products captured our attention due to their critical nature, enabling sensitive information disclosure and service disruption. These unauthenticated buffer-related vulnerabilities presented a high risk, with potential for attackers to access and leak sensitive data, and to disrupt services without requiring user credentials.
The existing exploitation of another Citrix vulnerability, CVE-2023-3519, heightened concerns, as threat actors could chain these vulnerabilities for more sophisticated attacks. Mandiant's observations of these vulnerabilities being exploited in the wild across professional services, technology, and government sectors further emphasised their severity. The exploitation allowed unauthorised access to organizational resources via hijacked sessions, facilitating lateral movement and data access.
The release of a Proof of Concept exploit, known as "Citrix Bleed," and the rapid increase in the Exploit Prediction Scoring System (EPSS) score to 92.27% signaled a growing threat. The U.S. Cybersecurity and Infrastructure Security Agency's (CISA) inclusion of CVE-2023-4966 in the Known Exploited Vulnerabilities catalog and the urgent updates recommended by Cloud Software Group underscored the critical need for immediate action against these vulnerabilities.
How to fix it
Apply the updates as per the Citrix Advisory:
Additionally, the following mitigation actions are recommended by Mandiant:
Isolate vulnerable NetScaler ADC and Gateway appliances for testing and patch deployment. If patching is not immediately possible, restrict ingress IP address access to limit exposure.
Upgrade the affected appliances to the latest firmware versions provided by Citrix, which include fixes for the vulnerability.
After upgrading, terminate all active and persistent sessions on the affected appliances.
Consider rotating credentials for identities provisioned for accessing resources via vulnerable appliances. This step is essential due to the lack of available log records to track exploitation.
If web shells or backdoors are found on appliances, it's recommended to rebuild them using clean-source images with the latest firmware.
Reduce the external attack surface by allowing ingress access only from trusted or predefined source IP address ranges.
Investigation and Detection: organisations should conduct investigations to identify signs of compromise and monitor for suspicious activities, including:
Check for evidence of backdoors or web shells on NetScaler appliances.
Identify suspicious logons and lateral movement originating from systems or resources accessible through the NetScaler appliances.
Correlate authentication and logon events, especially those from unusual geographic locations or those lacking successful MFA challenge/response logs.
If deployed, review logs from web application firewalls for abnormal web requests originating from suspicious IP addresses.
Further details can be found in the associated blog from Mandiant: https://services.google.com/fh/files/misc/citrix-netscaler-adc-gateway-cve-2023-4966-remediation.pdf
3. CVE-2023-2868: Barracuda Email Security Gateway (RCE)
Why was it on our Spotlight?
CVE-2023-2868, a zero-day vulnerability in Barracuda Networks' Email Security Gateway (ESG) appliances, was a focal point due to its exploitation for unauthorised system command execution since October 2022. Stemming from improper sanitisation of .tar file processing in an email attachment screening module, it enabled third parties to install the SALTWATER and SEASPY malware, leading to persistent backdoor access and potential control over compromised appliances.
The vulnerability's significance escalated when UNC4841, a group possibly linked to China, was found utilising it for espionage since October 2022, targeting various sectors with malicious emails. Their adaptability in modifying malware and persistence in maintaining access, despite Barracuda's patches, highlighted the threat's complexity. The involvement of government agencies as targets and the inclusion of this vulnerability in CISA's Known Exploited Vulnerabilities catalog further underscored its criticality. The detailed CISA report on the related malware, especially the "WHIRLPOOL" backdoor, provided crucial insights for detection and mitigation, solidifying CVE-2023-2868 as a major threat in our threat intelligence monitoring.
How to fix it
Barracuda recommend immediate replacement of compromised ESG appliances, regardless of patch level. Customers should discontinue use of the compromised ESG appliance and contact Barracuda support (support@barracuda.com) to obtain a new ESG virtual or hardware appliance.
4. CVE-2023-3519: Citrix NetScaler (RCE)
Why was it on our Spotlight?
CVE-2023-3519, an unauthenticated remote code execution vulnerability in Citrix products, was a major focus due to its high severity rating (9.8/10) and active exploitation in the wild. This unauthorised remote code execution vulnerability posed significant risks, including data breaches and disruptions of business operations, especially for organizations using Citrix as a Gateway or AAA server.
Its impact was amplified by the widespread exploitation by threat actors, notably a group linked to China, who targeted nearly 2,000 Citrix NetScaler servers globally. The exploitation led to substantial backdoor installations and was part of sophisticated campaigns, including new ransomware attacks attributed to the threat group STAC4663, who are potentially linked to the FIN8 hacker gang known to deploy the BlackCat/ALPHV ransomware.
The rise in the EPSS from 4.6% to 91.2% in just a few months and the involvement of major infrastructures in the U.S. and Europe underscored its criticality. Mandiant's collaboration with Citrix to introduce a utility for detecting post-exploitation activities related to CVE-2023-3519 was a significant step in addressing these concerns. The ability of attackers to harvest login credentials and gain unauthorised access to systems and networks highlighted the vulnerability's potential for widespread impact, making it a high-priority threat in our vulnerability intelligence monitoring.
How to fix it
To remediate these vulnerabilities, apply the updates as listed in the Citrix Advisory:
Note: NetScaler ADC and NetScaler Gateway version 12.1 is now End Of Life (EOL). Customers are recommended to upgrade their appliances to one of the supported versions that address the vulnerabilities.
Mandiant’s tool can be downloaded from the GitHub repository, and comprehensive instructions can be found in the README for guidance on running it against a device or forensic image: https://github.com/mandiant/citrix-ioc-scanner-cve-2023-3519
5. CVE-2023-29357: Microsoft SharePoint (EoP)
Why was it on our Spotlight?
CVE-2023-29357, an Elevation of Privilege vulnerability in Microsoft SharePoint Server 2019, was a major focus due to its high impact and exploitability. Rated 9.8 on the CVSSv3 scale, it allows remote attackers to bypass authentication by sending spoofed JWT tokens, granting them user-level privileges without any user interaction. This vulnerability's significant threat was highlighted by its demonstration in the Pwn2Own Vancouver contest, attracting immediate attention from both cybersecurity experts and potential attackers.
The combination with CVE-2023-24955, enabling a two-step attack for full control of the SharePoint Server, further elevated its criticality. The public release of an exploit script on GitHub, although intended for educational purposes, increased its exploitability in the real world. This was reflected in the surge of its EPSS score from 0.27% to 76.12%. Active exploitation attempts and its inclusion in CISA's Known Exploited Vulnerabilities Catalog underscored the urgency of addressing this vulnerability and earned it a place on our Spotlight.
How to fix it
Apply the updates as per the Microsoft advisory:
Remediation for CVE-2023-24955 can be found here:
Workaround: Per Microsoft, this vulnerability can only be exploited by communicating via Port 1723. As a temporary workaround prior to installing the updates that address this vulnerability, block traffic through that port, thus rendering the vulnerability unexploitable. However, testing is recommended beforehand, as disabling Port 1723 could affect communications over the network.
In addition:
Applying patches from Microsoft's June 2023 Patch Tuesday update will address both vulnerabilities.
For CVE-2023-29357, using Microsoft Defender and enabling AMSI on SharePoint Server farms is recommended.
It is also recommended to review and limit high-level SharePoint permissions.
6. CVE-2023-23397: Microsoft Outlook (EoP)
Why was it on our Spotlight?
CVE-2023-23397, a critical elevation of privilege flaw in Microsoft Outlook, drew our attention due to its unique zero-touch exploit mechanism and high impact. Exploitable without user interaction, it allows attackers to execute arbitrary code by sending a specially crafted email. This vulnerability can be exploited simply by the email being retrieved and processed by Outlook for display in the Preview Pane, bypassing the need for the victim to open or read it. CVE-2023-23397 not only affects all versions of Microsoft Outlook for Windows but also allows attackers to hijack Exchange accounts and conduct targeted email theft. Its severity is further underscored by its exploitation by APT28, a Russian state-sponsored group, in sophisticated cyber attacks. Despite patches, the risk remained elevated due to the discovery of a bypass and continued exploitation by APT28, targeting international organisations. The ability of this vulnerability to silently compromise systems, coupled with the involvement of a prominent threat actor, made it a top priority for our threat intelligence monitoring.
How to fix it
Recommendations include:
Apply the latest Microsoft patch.
Block outbound SMB port 445 traffic, which prevents NTLM authentication messages from being sent to remote file shares.
Add users to the Protected Users security group, which restricts NTLM from being used as an authentication method. Note that this could impact applications that rely on NTLM in your environment.
To prevent a relay attack, it is recommended to enforce SMB signing on both clients and servers.
Other observations include disabling the "Show reminders" setting in Outlook, which can prevent the leak of NTLM credentials.
MS PowerShell Script:
Microsoft has also updated their blog with guidance on investigating attacks using CVE-2023-23397: https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/
7. CVE-2023-36884: Microsoft / Windows Search (RCE)
Why was it on our Spotlight?
CVE-2023-36884 was a significant concern due to its remote code execution capability in Microsoft Office and Windows, paired with active exploitation in the wild. This vulnerability enabled attackers to execute malicious code remotely by crafting .docx or .rtf documents to exploit MSDT vulnerabilities, bypassing the need for user interaction. Its high-risk profile was further accentuated by targeted attacks on organisations attending the NATO Summit, where it was used to deliver malware payloads like the MagicSpell loader and the RomCom backdoor.
The vulnerability's exploitation by the RomCom group, targeting government organisations, and the dramatic increase in its EPSS from 0.05% to 49.92% highlighted its widespread potential for harm. Microsoft’s Defence in Depth Update in response to this threat, although not a direct patch, demonstrated the seriousness of the situation. The availability of a PoC, coupled with the vulnerability forming part of an exploit chain with CVE-2023-36584, underscored the complexity and severity of this threat. Its addition to CISA’s Known Exploited Vulnerabilities Catalog further validated our focus, making it a critical point of monitoring and analysis in our threat intelligence efforts.
How to fix it
Per the initial Microsoft advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884
Customers using Defender for Office and those who have enabled the "Block all Office applications from creating child processes" Attack Surface Reduction Rule are already safeguarded against these attacks.
For users without these protections, an additional measure can be implemented by adding specific application names to the registry key mentioned in the Advisory, however, it's important to consider that enabling this registry key to block exploitation attempts may impact certain Microsoft Office functionality associated with the listed applications. Therefore, careful testing and evaluation of the potential impact on Office functionality is recommended before implementing this measure.
In August Microsoft provided another update with patching guidance to aid in its mitigation.
8. CVE-2023-46604: Apache ActiveMQ (RCE)
Why was it on our Spotlight?
The Apache ActiveMQ vulnerability, CVE-2023-46604, emerged as a critical concern due to its widespread impact and the ease of exploitation. This flaw, actively exploited by attackers, notably in deploying HelloKitty ransomware, posed a significant risk to thousands of internet-exposed servers. What made this vulnerability particularly alarming was the public availability of its exploitation details, increasing its attractiveness to cyber adversaries. The potential for attackers to not only control affected systems but also to move laterally within networks amplified the threat, endangering additional systems and sensitive data. The exploitation method, involving unbounded deserialization, allowed attackers to execute arbitrary shell commands, leading to severe security breaches. Its inclusion in CISA's Known Exploited Vulnerabilities Catalog and the dramatic surge in its EPSS score from 0.5% to 96.78% underscored its criticality and the urgent need for attention in our threat intelligence reporting.
How to fix it
Upgrade to the latest versions as advised by Apache.
In addition, Rapid7 have provided a list of IOCs for threat hunting. Organisations are advised to review logs and system information for signs of exploitation or unauthorised activity. Specifically, look for activemq.log entries similar to the below:
2023-10-31 05:04:58,736 | WARN | Transport Connection to: tcp://192.168.86.35:15871 failed: java.net.SocketException: An established connection was aborted by the software in your host machine
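To show how that indicator can be hunted for at scale, here is an added example (not code from the original post or from Rapid7) that scans activemq.log lines for the transport-failure pattern above and tallies matches per remote address. The log lines other than the one quoted above are constructed for the example.

```python
import re

# Constructed activemq.log sample (not real data): a benign startup line, the
# indicator line quoted above, a second matching line from another source, and an
# unrelated WARN that must not match. Real broker logs carry extra fields after
# the message; the regex below only anchors on the prefix it needs.
SAMPLE_LOG = """\
2023-10-31 05:03:12,001 | INFO | Apache ActiveMQ 5.x (localhost, ID:example-1) started
2023-10-31 05:04:58,736 | WARN | Transport Connection to: tcp://192.168.86.35:15871 failed: java.net.SocketException: An established connection was aborted by the software in your host machine
2023-10-31 05:05:01,100 | WARN | Some other warning unrelated to transport
2023-10-31 05:06:40,512 | WARN | Transport Connection to: tcp://192.168.86.35:15902 failed: java.net.SocketException: An established connection was aborted by the software in your host machine
"""

# The connection-aborted transport failure that accompanies the malformed OpenWire
# frame being rejected; captures timestamp and the remote endpoint that sent it.
SUSPECT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) \| WARN\s*\| "
    r"Transport Connection to: tcp://(?P<ip>[\d.]+):(?P<port>\d+) failed: "
    r"java\.net\.SocketException: An established connection was aborted"
)


def find_suspect_connections(lines):
    """Return (timestamp, ip, port) for every line matching the indicator."""
    hits = []
    for line in lines:
        m = SUSPECT_RE.match(line)
        if m:
            hits.append((m.group("ts"), m.group("ip"), int(m.group("port"))))
    return hits


def summarise_by_source(hits):
    """Count matches per remote IP so repeated attempts from one host stand out."""
    counts = {}
    for _, ip, _ in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    found = find_suspect_connections(SAMPLE_LOG.splitlines())
    for ts, ip, port in found:
        print(f"{ts} suspect OpenWire transport failure from {ip}:{port}")
    print("per-source counts:", summarise_by_source(found))
```

A single aborted connection is not proof of exploitation on its own; treat a burst from one source as a lead to correlate with the rest of the Rapid7 IOCs and with process activity on the broker host.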
9. CVE-2023-34362: Progress MOVEit (SQL Injection, RCE)
Why was it on our Spotlight?
CVE-2023-34362, the critical vulnerability in MOVEit Transfer, was on our radar just days before news hit about its wide-reaching impact on numerous organisations utilising this popular file transfer solution.
Likely the most severe and damaging data breach of 2023, over 62 million individuals had their personal data compromised by the threat group known as Clop, who exploited this vulnerability in MOVEit. This extensive and coordinated attack led to significant data theft from a variety of global entities across government, public, and corporate sectors. High-profile victims included Sony, a major UK-based HR and payroll company with clients such as British Airways and the BBC, as well as other notable organisations like EY, Ireland's Health Service Executive (HSE), and the Dublin Airport Authority (DAA).
The potential for unauthenticated attackers to execute a SQL injection and gain unauthorised access to sensitive data posed a severe security threat. The ability of the exploit to facilitate remote code execution and data theft, as observed by Mandiant since late May 2023, highlighted the urgent need for awareness and remediation. The fact that both cloud-based and on-premises servers were vulnerable, and the scale and impact of this breach, underscored the necessity for its inclusion in our spotlight numerous times.
How to fix it
Below are high-level steps for remediation.
Disable all HTTP and HTTPS traffic to your MOVEit Transfer environment.
Delete unauthorised files and user accounts. Reset service account credentials.
Apply the patch.
Enable HTTP and HTTPS traffic to your MOVEit Transfer environment.
Verify that all unauthorised files are deleted and no unauthorised accounts remain.
For the full list of IOCs and YARA rules, see the related CISA, FBI Joint Advisory:
10. CVE-2023-20198: Cisco IOS XE (Privilege Escalation)
Why was it on our Spotlight?
The Cisco IOS XE Software Web UI Privilege Escalation Vulnerability, CVE-2023-20198, was a significant focus for us due to its widespread impact and the severity of its exploitation. Attackers exploited this vulnerability to create high-privilege user accounts on over 30,000 Cisco devices, encompassing a broad range of critical network infrastructure. This access allowed attackers to manipulate device configurations, steal data, and potentially disrupt services. The complexity of the attack, involving the creation of unauthorised accounts and installing backdoor implants, highlighted the sophistication and potential for extensive damage.
How to fix it
Per their advisory, Cisco will provide updates on the status of this investigation and when a software patch is available: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z#REC
Disable the HTTP Server Feature: To mitigate this vulnerability, it is strongly recommended to disable the HTTP Server feature on all systems that have it enabled.
Use the following commands in global configuration mode to disable the HTTP Server feature:
To disable the HTTP Server: no ip http server
To disable the HTTPS Server: no ip http secure-server
Ensure that you apply these commands to all systems exposed to the internet or untrusted networks.
Restrict Access to Trusted Networks: If your organisation requires HTTP/HTTPS communication for specific services, restrict access to these services to trusted networks only. Implement access controls to limit who can access the web UI feature.
Review and Test Access Controls: When implementing access controls, thoroughly review them to ensure they do not disrupt critical production services. Test the access controls to verify that they effectively limit access to authorised users and networks while still allowing necessary functionality.
Backup Configuration: After implementing these changes, use the following command to save the running configuration, ensuring that the changes are retained even after a system reload: copy running-configuration startup-configuration
Additionally:
Organisational devices should be rebooted to clear any non-persistent implants.
Review and monitor system logs to detect any unauthorized activities.
Examine devices to verify if only a reboot occurred or if changes were made.
Investigate to ensure no malicious user accounts remain and that device configurations are intact.
Regularly update and patch Cisco IOS XE software to prevent further exploitation.
As a precaution, even if the WebUI is disabled, a thorough investigation of the device is recommended.
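The two checks above (is the web UI still enabled, and do any unexpected privilege-15 accounts remain) can be run offline against a saved `show running-config`. The following is an added example, not code from Cisco or from the original post; the configuration text and the allowlist of known administrators are constructed for illustration.

```python
import re

# Constructed IOS XE running-config excerpt (not from a real device). It still has
# the web UI enabled and carries a privilege-15 account that is not on the allowlist,
# which is the post-exploitation pattern the advisory section above describes.
SAMPLE_CONFIG = """\
hostname edge-router
!
username netadmin privilege 15 secret 9 $9$PLACEHOLDER
username unexpected_admin privilege 15 secret 9 $9$PLACEHOLDER
!
ip http server
ip http secure-server
ip http authentication local
!
end
"""

# Assumed allowlist: accounts the organisation knows it provisioned.
KNOWN_ADMINS = {"netadmin"}

# Enabled forms of the two commands the page tells you to negate. A line beginning
# "no ip http server" does not match because of the start-of-line anchor.
HTTP_ENABLED = re.compile(r"^ip http server\s*$", re.M)
HTTPS_ENABLED = re.compile(r"^ip http secure-server\s*$", re.M)
PRIV15_USER = re.compile(r"^username (\S+) privilege 15\b", re.M)


def audit_config(config, known_admins=KNOWN_ADMINS):
    """Report web UI exposure and privilege-15 accounts not on the allowlist."""
    return {
        "http_server_enabled": bool(HTTP_ENABLED.search(config)),
        "https_server_enabled": bool(HTTPS_ENABLED.search(config)),
        "unexpected_priv15_users": sorted(
            u for u in PRIV15_USER.findall(config) if u not in known_admins
        ),
    }


def remediation_commands(findings):
    """Global-configuration commands from the advisory that close the exposure found."""
    cmds = []
    if findings["http_server_enabled"]:
        cmds.append("no ip http server")
    if findings["https_server_enabled"]:
        cmds.append("no ip http secure-server")
    return cmds


if __name__ == "__main__":
    result = audit_config(SAMPLE_CONFIG)
    print("findings:", result)
    print("apply in global configuration mode:", remediation_commands(result))
    if result["unexpected_priv15_users"]:
        print("investigate before removing:", result["unexpected_priv15_users"])
```

Unexpected accounts are reported rather than removed, because the page's guidance is to investigate the device first; the generated commands only cover the HTTP and HTTPS server lines, and the configuration still has to be saved afterwards as described above.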
Want trending vulnerability alerts in 2024?
With ISO27001:2022 introducing a new control for Threat Intelligence (A.5.7), we find ourselves talking to more and more business leaders looking for assistance with threat intelligence.
If your organisation wants to solve this ISO recommendation with Cytidel, or simply wants to keep ahead of rising threats, reach out to info@cytidel.com.