An analysis of the vulnerability trends observed by Cytidel in this first quarter, highlighting key vulnerabilities, observable patterns and associated threat actors. A detailed report providing essential insights for strategic security planning and risk management.
Executive Summary
Cytidel's intelligence software identified over 150 unique CVEs with prominent trending activity in Q1.
From this list, 31 CVEs were added to the Cytidel Spotlight by our CTI analysts, due to their severity, impact, or novel nature.
Microsoft is the Vendor appearing the most on our Spotlight, with 8 of the 31 CVEs (26%). Fortinet (3 CVEs/10%) and Ivanti (2 CVEs/6%) round out the top 3.
Other notable CVE’s we have been tracking in this quarter include vulnerabilities disclosed from Atlassian, ConnectWise, Fortra, F5, Minio, GitLab, Zoom, Apple, Adobe, JetBrains TeamCity and OpenEdge, among others.
The most recurring vulnerability type is Remote Code Execution, comprising 8 (26%) of the 31. Authentication bypass and Elevation of Privilege were joint second with 5 (16%) each.
KEY OBSERVATIONS
Two Windows SmartScreen vulnerabilities, CVE-2023-36025 and CVE-2024-21351, stand out for their exploitation in bypassing security measures, highlighting a recurring tactic among cybercriminals to circumvent Windows Defender SmartScreen.
CVE-2023-36025 was notably exploited by TA544 in deploying the Remcos remote access Trojan, marking it as a zero-day vulnerability used in sophisticated attacks targeting Europe and Japan.
CVE-2024-21351 has seen active exploitation by multiple hacking groups, including Water Hydra, to deploy malware such as DarkGate and Phemedrone Stealer, demonstrating a pattern of threat actors leveraging zero-day vulnerabilities in financial cyber espionage.
Another concerning observation is the exploitation of seemingly benign system features, as evidenced by CVE-2023-38146 in Windows Themes, which attackers exploited through crafted .theme files shared over SMB shares, bypassing traditional security warnings.
Beyond Microsoft, vulnerabilities in Fortinet, Ivanti, and VMware have been exploited for ransomware attacks and cyber espionage, with CVE-2024-21762 and CVE-2024-23113 being targeted by the Chinese state-sponsored group Volt Typhoon.
VMware's CVE-2023-34048 has also been a focal point for ransomware groups and network access brokers, indicating a growing interest in virtualisation platforms as entry points for broader network compromise.
Microsoft
Cytidel observed eight notable vulnerabilities affecting various Microsoft products, highlighting the critical role its software plays in global IT infrastructure and, consequently, the focus it receives from threat actors. These included security feature bypasses, remote code execution, and elevation of privilege across Windows SmartScreen, Windows Themes, Microsoft Streaming Service, Microsoft Exchange Server, Internet Shortcut Files, Microsoft Outlook, and the Windows Kernel.
OBSERVATIONS
4 of these vulnerabilities were disclosed on Microsoft’s February 2024 Patch Tuesday.
2 relate to Windows SmartScreen vulnerabilities, which are under active exploitation.
All 8 have publicly available Proof of Concepts.
5 confirmed as Exploitation Detected by Microsoft.
CVE PROFILE
CVE-2023-36025, a Windows SmartScreen Security Feature Bypass is a zero-day vulnerability identified in Microsoft's November 2023 Patch Tuesday release actively being exploited, as confirmed by Microsoft.
This security flaw requires user interaction, specifically clicking on a malicious link or Internet Shortcut, to bypass Windows Defender SmartScreen checks, leading to potential malicious outcomes like malware installation or unauthorised access to sensitive information. Due to its severity and active exploitation, it has been added to CISA's Known Exploited Vulnerabilities catalog, with a Proof of Concept (PoC) available publicly. Financially motivated cyber threat group TA544 has been exploiting this vulnerability, notably in deploying the Remcos remote access Trojan. Additionally, the Phemedrone Stealer malware has also been exploiting this vulnerability for defense evasion. Given its critical impact, CVE-2023-36025 has been flagged by Cytidel for immediate fixing.
CVE-2023-38146, a Windows Themes Remote Code Execution vulnerability, nicknamed "Themebleed," is a vulnerability in Windows Themes that poses an unexpected risk due to the feature's benign appearance.
Attackers exploit this by crafting a malicious .theme file, with the risk intensifying if the file is accessed from an external SMB share, bypassing the need for user download and execution. Despite being exploited in the wild, specific details on threat groups or malware remain undisclosed. Notably, Windows' usual security warning, the 'mark-of-the-web' (MOTW), can be circumvented by disguising the malicious theme within a .THEMEPACK file, facilitating automatic application without triggering warnings. Cytidel has marked CVE-2023-38146 as "high activity" due to its exploitation potential, publicly available PoC’s, and the sophisticated bypass techniques employed by attackers.
CVE-2024-21351, a Windows SmartScreen Security Feature Bypass vulnerability disclosed in Microsoft's February 2024 Patch Tuesday, is being actively exploited by various hacking groups, including the notable Water Hydra, to deploy malware like DarkGate, Phemedrone Stealer, and Mispadu.
This vulnerability, especially when used alongside CVE-2024-21412, targets financial market traders through advanced attack chains. With a Proof of Concept (PoC) available and its inclusion in CISA's Known Exploited Vulnerabilities (KEV) catalog, the risk is significant. Exploitation requires user interaction, typically through social engineering tactics to open a malicious file. Given its active exploitation and potential impact, CVE-2024-21351 has been urgently rated by Cytidel as a "Significant" risk emphasiSing the critical need for immediate mitigation.
CVE-2023-29360, Microsoft's Streaming Service Elevation of Privilege vulnerability, specifically targets the "mskssrv driver" and allows for privilege escalation by enabling local attackers to gain System privileges.
This is achieved through the crafting of malicious Memory Descriptor Lists (MDLs) that exploit sensitive kernel memory locations. Highlighted during Pwn2Own 2023, this vulnerability has garnered attention, increasing the likelihood of wider exploitation. Microsoft categoriSes this issue as "Exploitation More Likely," and there is a Proof of Concept (PoC) available, indicating both its feasibility and the presence of active exploitation in the wild. Despite the lack of detailed information on the attacks from CISA, the vulnerability's inclusion in CISA's Known Exploited Vulnerabilities (KEV) catalog emphasiSes the critical need for immediate remediation efforts.
CVE-2024-21410, a critical Privilege Elevation vulnerability in Microsoft Exchange Server, enables attackers to obtain elevated privileges without any user interaction or initial privileges by exploiting relayed NTLM credentials to authenticate as the victim on the Exchange server.
This grants attackers unauthorised access to perform actions on the server, including accessing email communications, with potentially broader implications for server compromise. The vulnerability can be exploited remotely and may go undetected at first due to the subtlety of the initial exploitation steps.
Disclosed during the February 2024 Patch Tuesday, Microsoft has confirmed its active exploitation. While specific details about the exploitation techniques and attackers remain undisclosed, vulnerabilities like CVE-2024-21410 have historically attracted attention from various malicious actors. Microsoft's advisory initially did not mention active exploitation but was later updated to reflect that the vulnerability is being exploited in the wild. There are several Proof of Concepts (PoC) available and CISA's have included this in its Known Exploited Vulnerabilities (KEV) catalog. Cytidel rate the associated threat activity as Significant.
CVE-2024-21412 an Internet Shortcut Files Security Feature Bypass vulnerability is notable due to its low complexity and no prerequisites for attacker privileges, making it particularly accessible for exploitation.
It primarily exploits victims through social engineering, tricking them into opening a malicious file which then allows attackers to bypass security features and execute unauthorised actions on the victim's system. This vulnerability has been actively exploited as a zero-day by the advanced persistent threat (APT) group DarkCasino, also known as Water Hydra, which deploys malicious Microsoft Installer Files (.msi) to install remote access trojans (RATs) on compromised systems. This grants attackers extensive control and facilitates the bypassing of Microsoft Defender SmartScreen by manipulating Windows Explorer layouts and employing internet shortcuts to execute malicious payloads like the DarkMe malware undetected. Recognizing the threat, CISA has added CVE-2024-21412 to their Known Exploited Vulnerabilities Catalog, with a Proof of Concept (PoC) available, highlighting the urgency for mitigative actions.
CVE-2024-21413 is a critical Remote Code Execution vulnerability in Outlook that allows attackers to execute arbitrary code on a victim's system with minimal user interaction, specifically through the mere previewing of an email.
This critical vulnerability was revealed in the February 2024 Patch Tuesday updates and is known as MonikerLinkBug. The vulnerability exploits a flaw in how Outlook processes hyperlinks, circumventing security checks and enabling silent code execution upon email preview. This flaw grants attackers extensive control, allowing them to perform actions such as reading, writing, deleting files, installing malware, and potentially accessing sensitive information or escalating network privileges. The exploit's notable effectiveness lies in its ability to bypass Protected View and other Outlook security mechanisms by leveraging the application's handling of hyperlinks. The existence of a Proof of Concept (POC) highlights the immediate need for mitigation to prevent exploitation.
CVE-2024-21338, an Elevation of Privilege in the Windows Kernel, was identified in the February 2024 Patch Tuesday updates.
This is a significant vulnerability notably exploited as a zero-day by the Lazarus group, a North Korean threat actor. To exploit this vulnerability, attackers need initial access to the target system, followed by the execution of a specially crafted application targeting the appid.sys driver to escalate privileges to SYSTEM level. This exploitation facilitated the deployment and execution of an updated FudModule rootkit by Lazarus, notable for its "fileless" operation method, which evades certain security detections.
Initially underestimated in its exploitability, Microsoft later adjusted the advisory status for CVE-2024-21338 to "Exploitation Detected," indicating active exploitation. This delay might have offered attackers a critical window for exploitation before the vulnerability gained widespread recognition and countermeasures were fully deployed. The availability of a Proof of Concept (PoC) and its inclusion in CISA's Known Exploited Vulnerabilities (KEV) catalog have also contributed to Cytidel rating this vulnerability as having "Significant" threat activity.
Fortinet
Fortinet vulnerabilities made up 10% of our list of 31 notables this quarter, coming in second to Microsoft. The three vulnerabilities of concern are outlined as follows:
CVE-2024-21762, is an out-of-bounds write vulnerability enabling remote code execution (RCE).
CVE-2024-23113, allows for arbitrary code execution.
These have emerged as significant security concerns due to their exploitation by threat actors for malicious purposes, including ransomware attacks and cyber espionage. A notable exploit has been attributed to the Chinese state-sponsored threat group, Volt Typhoon. This group has actively exploited these vulnerabilities, deploying a custom remote access trojan (RAT) named COATHANGER. This malware specifically targets FortiOS vulnerabilities to breach network security appliances. A prominent example of its impact includes cyber attacks against the Dutch Ministry of Defence.
Additionally, Fortinet also acknowledged that CVE-2023-48788 has also been under active exploitation.
The availability of Proof of Concept (PoC) exploit code to the public heightens this risk, signalling potential for broader exploitation. Despite FortiClientEMS not being a previous target, the historical targeting of various Fortinet products through CVE-2024-21762 and CVE-2024-23113 in February 2024 indicates a consistent pattern of vulnerability exploitation within Fortinet's suite of products. CISA has also added this to their Known Exploited Vulnerabilities catalog.
Ivanti
CVE-2024-21887, Ivanti Policy Secure Authentication Bypass Vulnerability (CVSS 9.1),
was being tracked by Cytidel in December 2023 and added to the National Vulnerability Database in mid-January. CISA has highlighted it in its Known Exploited Vulnerabilities catalog due to its exploitation by threat actors, notably UNC5221.
These actors have deployed a range of malicious tools, including LIGHTWIRE, WIREFIRE, WARPWIRE, and ZIPWIRE, with reports of Chinese-affiliated actors using it to deliver KrustyLoader malware for Sliver tool deployment. In response, CISA issued directives and advisories in collaboration with international partners, including the Five Eyes alliance, which also warned against the exploitation of related vulnerabilities CVE-2023-46805 and CVE-2024-21893. Additionally, NVISO researchers discovered sophisticated TLS-based backdoors, SparkCockpit and SparkTar, targeting critical sectors via Ivanti Pulse Secure appliances, indicating a high level of threat actor sophistication and the global scale of cybersecurity challenges. Cytidel has rated this as having significant activity.
CVE-2023-46805 Ivanti ICS and Ivanti Policy Secure Authentication Bypass Vulnerability (CVSS 8.2). This zero-day flaw is actively being exploited and allows attackers to circumvent the authentication mechanisms on Ivanti's VPN devices.
Attackers exploit this by sending specially crafted requests to the VPN appliance, manipulating the authentication process to gain unauthorised access without the need for valid user credentials.
When combined with CVE-2024-21887, which permits authenticated shell command injection, attackers can leverage both vulnerabilities to achieve unauthenticated remote code execution. This dangerous combination poses a significant security risk, enabling attackers to gain control over the affected systems remotely. In response to the severity of these vulnerabilities, CISA has issued a directive to address and mitigate the risks associated with these security flaws.
VMware
CVE-2023-34048, vCenter Server Out-of-Bounds Write Leading to Remote Code Execution (CVSS 9.8). CVE-2023-34048 has been officially recognized by VMware as a vulnerability that has been exploited in actual attacks.
This particular security flaw permits attackers to execute remote attacks with low complexity, without the need for authentication or any user interaction, making it a significant threat. Cybercriminals, especially those known as network access brokers, exploit this vulnerability to take control of VMware servers. They then offer these compromised servers for sale on cybercrime forums, providing ransomware groups with straightforward access to corporate networks. Notably, ransomware groups such as Royal, Black Basta, LockBit, RTM Locker, Qilin, ESXiArgs, Monti, and Akira have been exploiting VMware ESXi servers by leveraging this vulnerability to encrypt files and demand substantial ransoms.
The vulnerability has been linked to the China-associated threat group UNC3886, with Mandiant reporting that UNC3886 has been exploiting this vCenter Server zero-day since at least late 2021. It has been revealed that two backdoors, named VIRTUALPITA and VIRTUALPIE, were previously associated with this threat actor on ESXi hypervisors. These backdoors are part of VIBs (vSphere Installation Bundles), which are collections of files designed to manage virtual systems. They can create startup tasks, custom firewall rules, or deploy custom binaries upon the restart of an ESXi machine. It is believed that the threat actor exploited this zero-day vulnerability to deploy and repurpose their already developed toolkits within these virtual environments, highlighting the sophistication and strategic depth of their cyber operations. CISA has also added CVE-2023-34048 to its Known Exploited Vulnerabilities (KEV) list. Cytidel has rated this as having Significant activity.
CVE-2024-22252, VMware ESXi, Workstation, and Fusion Use-After-Free vulnerability (CVSS 9.3). CVE-2024-22252 is marked by a low attack complexity and requires no special privileges, making it a notable security concern.
It allows a malicious actor with local administrative access to a virtual machine (VM) to execute code on the host system. This capability opens the door to unauthorised access to the host system, putting all hosted VMs at risk of compromise and enabling the execution of malicious operations with elevated privileges. The vulnerability stems from use-after-free issues in the XHCI and UHCI USB controllers, which serve as the technical groundwork for this risk.
For environments running ESXi, the impact of this vulnerability is somewhat mitigated by the VMX sandbox, which offers a layer of isolation that helps contain the threat to some extent. However, in the case of VMware Workstation and Fusion, the vulnerability presents a more significant risk. Here, the flaw has the potential to affect the underlying host machine directly, significantly amplifying the possible damage. This distinction highlights the varying degrees of risk associated with different VMware products in the face of CVE-2024-22252. Cytidel is currently rating this as having 'moderate' activity, having seen its activity drop earlier this week.
Other Notable Vulnerabilities
CVE | Vendor | Type |
ConnectWise ScreenConnect | Authentication Bypass | |
Minio | Information Disclosure | |
F5 BIG-IP | Remote Code Execution | |
GitLab | Compromise user account security | |
Confluence Data Center and Server | Remote Code Execution | |
Fortra's GoAnywhere MFT | Authentication Bypass | |
Zoom Desktop Client | Elevation of Privilege | |
PostgreSQL JDBC Driver | SQL Injection | |
OpenEdge Authentication Gateway and AdminServer | Authentication Bypass | |
JetBrains TeamCity | Authentication Bypass | |
Adobe ColdFusion | Remote Code Execution | |
Apple | Remote Code Execution | |
Jenkins | Arbitrary File Read | |
Roundcube | XSS | |
Node.js | Elevation of Privilege | |
JetBrains TeamCity | Path Traversal |
Conclusion
The first quarter of 2024 has revealed the dynamic and increasingly sophisticated nature of cyber threats. Microsoft’s significant share of vulnerabilities underscores the critical need for vigilance in patch management and security configurations. The diversity of affected vendors and products further highlights the comprehensive approach required in cybersecurity defense strategies. As threat actors refine their tactics, continuous monitoring, rapid response, and a proactive security posture are indispensable in mitigating the evolving cyber risks.
Cytidel remains committed to providing actionable intelligence, early warning alerts, and recommendations to address these vulnerabilities, reinforcing our clients' cybersecurity frameworks against the advancing threat landscape.