Category: Security Feeds

2023 Top Routinely Exploited Vulnerabilities

Posted on by

 ​Summary
The following cybersecurity agencies coauthored this joint Cybersecurity Advisory (hereafter collectively referred to as the authoring agencies):

United States: The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and National Security Agency (NSA)
Australia: Australian Signals Directorate’s Australian Cyber Security Centre (ACSC)
Canada: Canadian Centre for Cyber Security (CCCS)
New Zealand: New Zealand National Cyber Security Centre (NCSC-NZ) and Computer Emergency Response Team New Zealand (CERT NZ)
United Kingdom: National Cyber Security Centre (NCSC-UK)

This advisory provides details, collected and compiled by the authoring agencies, on the Common Vulnerabilities and Exposures (CVEs) routinely and frequently exploited by malicious cyber actors in 2023 and their associated Common Weakness Enumerations (CWEs). Malicious cyber actors exploited more zero-day vulnerabilities to compromise enterprise networks in 2023 compared to 2022, allowing them to conduct operations against high priority targets.
The authoring agencies strongly encourage vendors, designers, developers, and end-user organizations to implement the following recommendations, and those found within the Mitigations section of this advisory, to reduce the risk of compromise by malicious cyber actors.

Vendors, designers, and developers. Implement secure by design and default principles and tactics to reduce the prevalence of vulnerabilities in your software.

Follow the SP 800-218 Secure Software Development Framework (SSDF) and implement secure by design practices into each stage of the software development life cycle (SDLC). Establish a coordinated vulnerability disclosure program that includes processes to determine root causes of discovered vulnerabilities.
Prioritize secure by default configurations, such as eliminating default passwords and not requiring additional configuration changes to enhance product security.
Ensure that published CVEs include the proper CWE field, identifying the root cause of the vulnerability.

End-user organizations:

Apply timely patches to systems.Note: If CVEs identified in this advisory have not been patched, check for signs of compromise before patching.
Implement a centralized patch management system.
Use security tools such as endpoint detection and response (EDR), web application firewalls, and network protocol analyzers.
Ask your software providers to discuss their secure by design program, provide links to information about how they are working to remove classes of vulnerabilities, and to set secure default settings.

Purpose
The authoring agencies developed this document in furtherance of their respective cybersecurity missions, including their responsibilities to develop and issue cybersecurity specifications and mitigations.
Download the PDF version of this report:

AA24-317A 2023 Top Routinely Exploited Vulnerabilities
(PDF, 907.24 KB
)

Technical Details
Key Findings
In 2023, malicious cyber actors exploited more zero-day vulnerabilities to compromise enterprise networks compared to 2022, allowing them to conduct cyber operations against higher-priority targets. In 2023, the majority of the most frequently exploited vulnerabilities were initially exploited as a zero-day, which is an increase from 2022, when less than half of the top exploited vulnerabilities were exploited as a zero-day. 
Malicious cyber actors continue to have the most success exploiting vulnerabilities within two years after public disclosure of the vulnerability. The utility of these vulnerabilities declines over time as more systems are patched or replaced. Malicious cyber actors find less utility from zero-day exploits when international cybersecurity efforts reduce the lifespan of zero-day vulnerabilities.
Cybersecurity Efforts to Include
Implementing security-centered product development lifecycles. Software developers deploying patches to fix software vulnerabilities is often a lengthy and expensive process, particularly for zero-days. The use of more robust testing environments and implementing threat modeling throughout the product development lifecycle will likely reduce overall product vulnerabilities.
Increasing incentives for responsible vulnerability disclosure. Global efforts to reduce barriers to responsible vulnerability disclosure could restrict the utility of zero-day exploits used by malicious cyber actors. For example, instituting vulnerability reporting bug bounty programs that allow researchers to receive compensation and recognition for their contributions to vulnerability research may boost disclosures.
Using sophisticated endpoint detection and response (EDR) tools. End users leveraging EDR solutions may improve the detection rate of zero-day exploits. Most zero-day exploits, including at least three of the top 15 vulnerabilities from last year, have been discovered when an end user or EDR system reports suspicious activity or unusual device malfunctions.
Top Routinely Exploited Vulnerabilities
Listed in Table 1 are the top 15 vulnerabilities the authoring agencies observed malicious cyber actors routinely exploiting in 2023 with details also discussed below.

CVE-2023-3519: This vulnerability affects Citrix NetScaler ADC and NetScaler Gateway.

Allows an unauthenticated user to cause a stack buffer overflow in the NSPPE process by using a HTTP GET request.

CVE-2023-4966: This vulnerability affects Citrix NetScaler ADC and NetScaler Gateway.

Allows session token leakage; a proof-of-concept for this exploit was revealed in October 2023.

CVE-2023-20198: This vulnerability affects Cisco IOS XE Web UI.

Allows unauthorized users to gain initial access and issue a command to create a local user and password combination, resulting in the ability to log in with normal user access.

CVE-2023-20273: This vulnerability affects Cisco IOS XE, following activity from CVE-2023-20198.

Allows privilege escalation, once a local user has been created, to root privileges.

CVE-2023-27997: This vulnerability affects Fortinet FortiOS and FortiProxy SSL-VPN.

Allows a remote user to craft specific requests to execute arbitrary code or commands.

CVE-2023-34362: This vulnerability affects Progress MOVEit Transfer.

Allows abuse of an SQL injection vulnerability to obtain a sysadmin API access token.
Allows a malicious cyber actor to obtain remote code execution via this access by abusing a deserialization call.

CVE-2023-22515: This vulnerability affects Atlassian Confluence Data Center and Server.

Allows exploit of an improper input validation issue.

Arbitrary HTTP parameters can be translated into getter/setter sequences via the XWorks2 middleware and, in turn, allow Java objects to be modified at run time.
The exploit creates a new administrator user and uploads a malicious plugin to get arbitrary code execution.

CVE-2021-44228: This vulnerability, known as Log4Shell, affects Apache’s Log4j library, an open source logging framework incorporated into thousands of products worldwide.

 Allows the execution of arbitrary code.

An actor can exploit this vulnerability by submitting a specially crafted request to a vulnerable system, causing the execution of arbitrary code.
The request allows a cyber actor to take full control of a system.
The actor can then steal information, launch ransomware, or conduct other malicious activity.
Malicious cyber actors began exploiting the vulnerability after it was publicly disclosed in December 2021.

CVE-2023-2868: This is a remote command injection vulnerability that affects the Barracuda Networks Email Security Gateway (ESG) Appliance.

Allows an individual to obtain unauthorized access and remotely execute system commands via the ESG appliance.

CVE-2022-47966: This is an unauthenticated remote code execution vulnerability that affects multiple products using Zoho ManageEngine.

Allows an unauthenticated user to execute arbitrary code by providing a crafted samlResponse XML to the ServiceDesk Plus SAML endpoint.

CVE-2023-27350: This vulnerability affects PaperCut MF/NG.

Allows a malicious cyber actor to chain an authentication bypass vulnerability with the abuse of built-in scripting functionality to execute code.

CVE-2020-1472: This vulnerability affects Microsoft Netlogon.

Allows privilege escalation.

An unauthorized user may use non-default configurations to establish a vulnerable Netlogon secure channel connection to a domain controller by using the Netlogon Remote Protocol.Note: This CVE has been included in top routinely exploited vulnerabilities lists since 2021.

CVE-2023-42793: This vulnerability can affect JetBrains TeamCity servers.

Allows authentication bypass that allows remote code execution against vulnerable JetBrains TeamCity servers.

CVE-2023-23397: This vulnerability affects Microsoft Office Outlook.

Allows elevation of privilege.

A threat actor can send a specially crafted email that the Outlook client will automatically trigger when Outlook processes it.
This exploit occurs even without user interaction.

CVE-2023-49103: This vulnerability affects ownCloud graphapi.

Allows unauthenticated information disclosure.

An unauthenticated user can access sensitive data such as admin passwords, mail server credentials, and license keys.

Table 1: Top 15 Routinely Exploited Vulnerabilities in 2023

CVE
Vendor
Product(s)
Vulnerability Type
CWE

CVE-2023-3519
Citrix

NetScaler ADC 
NetScaler Gateway

Code Injection
CWE-94: Improper Control of Generation of Code (‘Code Injection’)

CVE-2023-4966
Citrix

NetScaler ADC 
NetScaler Gateway

Buffer Overflow
CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

CVE-2023-20198
Cisco
IOS XE Web UI
Privilege Escalation
CWE-420: Unprotected Alternate Channel

CVE-2023-20273
Cisco
IOS XE
Web UI Command Injection
CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

CVE-2023-27997
Fortinet

FortiOS 
FortiProxy SSL-VPN

Heap-Based Buffer Overflow

CWE-787: Out-of-bounds Write
CWE-122: Heap-based Buffer Overflow

CVE-2023-34362
Progress
MOVEit Transfer
SQL Injection
CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)

CVE-2023-22515
Atlassian
Confluence Data Center and Server
Broken Access Control
CWE-20 Improper Input Validation

CVE-2021- 44228
(Log4Shell)

Apache
Log4j2
Remote Code Execution (RCE)

CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement (‘Expression Language Injection’)
CWE-502: Deserialization of Untrusted Data
CWE-20 Improper Input Validation
CWE-400 Uncontrolled Resource Consumption

CVE-2023-2868
Barracuda Networks
ESG Appliance
Improper Input Validation

CWE-77: Improper Neutralization of Special Elements used in a Command (‘Command Injection’)
CWE-20: Improper Input Validation

CVE-2022-47966
Zoho
ManageEngine Multiple Products
Remote Code Execution
CWE-20 Improper Input Validation

CVE-2023-27350
PaperCut
MF/NG
Improper Access Control
CWE-284: Improper Access Control

CVE-2020-1472
Microsoft
Netlogon
Privilege Escalation
CWE-330: Use of Insufficiently Random Values

CVE-2023-42793
JetBrains
TeamCity
Authentication Bypass
CWE-288: Authentication Bypass Using an Alternate Path or Channel

CVE-2023-23397
Microsoft
Office Outlook
Privilege Escalation

CWE-294: Authentication Bypass by Capture-replay
CWE-20: Improper Input Validation

CVE-2023-49103
ownCloud
graphapi
Information Disclosure
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

Additional Routinely Exploited Vulnerabilities
The authoring agencies identified other vulnerabilities, listed in Table 2, that malicious cyber actors also routinely exploited in 2023—in addition to the 15 vulnerabilities listed in Table 1.

Table 2: Additional Routinely Exploited Vulnerabilities in 2023

CVE
Vendor
Product
Vulnerability Type
CWE

CVE-2023-22518
Atlassian 
Confluence Data Center and Server 
Improper Authorization
CWE-863: Incorrect Authorization

CVE-2023- 29492
Novi
Novi Survey
Insecure Deserialization
CWE-94 Improper Control of Generation of Code (‘Code Injection’)

CVE-2021-27860 
FatPipe 
WARP, IPVPN, and MPVPN 
Configuration Upload Exploit
CWE-434: Unrestricted Upload of File with Dangerous Type

CVE-2021-40539 
Zoho 
ManageEngine ADSelfService Plus 
Authentication Bypass
CWE-706: Use of Incorrectly-Resolved Name or Reference

CVE-2023-0669
Fortra 
GoAnywhere MFT 
RCE
CWE-502: Deserialization of Untrusted Data

CVE-2021-22986
F5 
BIG-IP and BIG-IQ Centralized Management iControl REST 
RCE
CWE-918: Server-Side Request Forgery (SSRF)

CVE-2019-0708
Microsoft 
Remote Desktop Services
RCE
CWE-416: Use After Free

CVE-2018-13379
Fortinet 
FortiOS SSL VPN 
Path Traversal
CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)

CVE-2022-31199 
Netwrix 
Auditor 
Insecure Object Deserialization
CWE-502: Deserialization of Untrusted Data

CVE-2023-35078 
Ivanti 
Endpoint Manager Mobile 
Authentication Bypass
CWE-287: Improper Authentication

CVE-2023-35081 
Ivanti 
Endpoint Manager Mobile (EPMM) 
Path Traversal
CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)

CVE-2023-44487 
N/A
HTTP/2 
Rapid Reset Attack
CWE-400: Uncontrolled Resource Consumption

CVE-2023-36844
Juniper
Junos OS EX Series PHP 
External Variable Modification
CWE-473: PHP External Variable Modification

CVE-2023-36845
Juniper 
Junos OS EX Series and SRX Series PHP 
External Variable Modification
CWE-473: PHP External Variable Modification

CVE-2023-36846
Juniper 
Junos OS SRX Series
Missing Authentication for Critical Function
CWE-306: Missing Authentication for Critical Function

CVE-2023-36847
Juniper 
Junos OS EX Series 
Missing Authentication for Critical Function
CWE-306: Missing Authentication for Critical Function

CVE-2023-41064 
Apple
iOS, iPadOS, and macOS ImageIO
Buffer Overflow
CWE-120: Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)

CVE-2023-41061
Apple
Apple iOS, iPadOS, and watchOS Wallet 
Code Execution
CWE-20 Improper Input Validation

CVE-2021-22205
GitLab 
Community and Enterprise Editions 
RCE
CWE-94: Improper Control of Generation of Code (‘Code Injection’)

CVE-2019-11510
Ivanti
Pulse Connect Secure 
Arbitrary File Read
CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)

CVE-2023-6448 
Unitronics 
Vision PLC and HMI
Insecure Default Password

CWE-798: Use of Hard-coded Credentials
CWE-1188: Initialization of a Resource with an Insecure Default

CVE-2017-6742
Cisco 
IOS and IOS XE Software SNMP 
RCE
CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

CVE-2021-4034
Red Hat 
Polkit
Out-of-Bounds Read and Write

CWE-125: Out-of-bounds Read
CWE-787: Out-of-bounds Write

CVE-2021-26084
Atlassian 
Confluence Server and Data Center 
Object-Graph Navigation Language (OGNL) Injection
CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement (‘Expression Language Injection’)

CVE-2021-33044
Dahua
Various products
Authentication Bypass
CWE-287: Improper Authentication

CVE-2021-33045
Dahua
Various products
Authentication Bypass
CWE-287: Improper Authentication

CVE-2022-3236
Sophos 
Firewall
Code Injection
CWE-94: Improper Control of Generation of Code (‘Code Injection’)

CVE-2022-26134
Atlassian
Confluence Server and Data Center 
RCE
CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement (‘Expression Language Injection’)

CVE-2022-41040
Microsoft
Exchange Server
Server-Side Request Forgery
CWE-918: Server-Side Request Forgery (SSRF)

CVE-2023-38831
RARLAB
WinRAR
Code Execution

CWE-345: Insufficient Verification of Data Authenticity
CWE-351: Insufficient Type Distinction

CVE-2019-18935
Progress Telerik
Progress Telerik UI for ASP.NET AJAX
Deserialization of Untrusted Data
CWE-502: Deserialization of Untrusted Data

CVE-2021-34473
Microsoft
Microsoft Exchange Server
RCE
CWE-918: Server-Side Request Forgery (SSRF)

Mitigations

Vendors and Developers
The authoring agencies recommend vendors and developers take the following steps to help ensure their products are secure by design and default:

Identify repeatedly exploited classes of vulnerability.

Perform an analysis of both CVEs and known exploited vulnerabilities (KEVs) to understand which classes of vulnerability are identified more than others.
Implement appropriate mitigations to eliminate those classes of vulnerability.
If a product has several instances of SQL injection vulnerabilities, ensure all database queries in the product use parameterized queries and prohibit other forms of queries.

Ensure business leaders are responsible for security.

Business leaders should ensure their teams take proactive steps to eliminate entire classes of security vulnerabilities, rather than only making one-off patches when new vulnerabilities are discovered.

Follow SP 800-218 SSDF and implement secure by design practices into each stage of the SDLC; in particular, aim to perform the following SSDF recommendations:

Prioritize the use of memory safe languages wherever possible [SSDF PW 6.1].
Exercise due diligence when selecting software components (e.g., software libraries, modules, middleware, frameworks) to ensure robust security in consumer software products [SSDF PW 4.1].
Set up secure software development team practices—this includes conducting peer code reviews, working to a common organization secure coding standard, and maintaining awareness of language-specific security concerns [SSDF PW.5.1, PW.7.1, PW.7.2].
Establish a vulnerability disclosure program to verify and resolve security vulnerabilities disclosed by people who may be internal or external to the organization [SSDF RV.1.3] and establish processes to determine root causes of discovered vulnerabilities.
Use static and dynamic application security testing (SAST/DAST) tools to analyze product source code and application behavior to detect error-prone practices [SSDF PW.7.2, PW.8.2].

Configure production-ready products to have the most secure settings by default and provide guidance on the risks of changing each setting [SSDF PW.9.1, PW9.2].

Prioritize secure by default configurations such as eliminating default passwords, implementing single sign on (SSO) technology via modern open standards, and providing high-quality audit logs to customers with no additional configuration necessary and at no extra charge.

Ensure published CVEs include the proper CWE field identifying the root cause of the vulnerability to enable industry-wide analysis of software security and design flaws.

For more information on designing secure by design and default products, including additional recommended secure by default configurations, see CISA’s joint guide Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security by Design and Default.
End-User Organizations
The authoring agencies recommend end-user organizations implement the mitigations below to improve their cybersecurity posture based on threat actors’ activity. These mitigations align with the cross-sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s CPGs webpage for more information on CPGs, including additional recommended baseline protections.
Vulnerability and Configuration Management

Update software, operating systems, applications, and firmware on IT network assets in a timely manner [CPG 1.E].

Prioritize patching KEVs, especially those CVEs identified in this advisory, then critical and high vulnerabilities that allow for remote code execution or denial-of-service on internet-facing equipment.
For patch information on CVEs identified in this advisory, refer to the Appendix: Patch Information and Additional Resources for Top Exploited Vulnerabilities.

If a patch for a KEV or critical vulnerability cannot be quickly applied, implement vendor-approved workarounds.
Replace end-of-life software (i.e., software no longer supported by the vendor).

Routinely perform automated asset discovery across the entire estate to identify and catalogue all the systems, services, hardware, and software.
Implement a robust patch management process and centralized patch management system that establishes prioritization of patch applications [CPG 1.A].

Organizations that are unable to perform rapid scanning and patching of internet-facing systems should consider moving these services to mature, reputable cloud service providers (CSPs) or other managed service providers (MSPs).
Reputable MSPs can patch applications (such as webmail, file storage, file sharing, chat, and other employee collaboration tools) for their customers.Note: MSPs and CSPs can expand their customer’s attack surface and may introduce unanticipated risks, so organizations should proactively collaborate with their MSPs and CSPs to jointly reduce risk [CPG 1.F]. For more information and guidance, see the following resources:

CISA Insights’ Risk Considerations for MSP Customers.
CISA Insights’ Mitigations and Hardening Guidance for MSPs and Small- and Mid-sized Businesses.
ACSC’s How to Manage Your Security When Engaging a MSP.

Document secure baseline configurations for all IT/OT components, including cloud infrastructure.

Monitor, examine, and document any deviations from the initial secure baseline [CPG 2.O].

Perform regular secure system backups and create known good copies of all device configurations for repairs and/or restoration.

Store copies off-network in physically secure locations and test regularly [CPG 2.R].

Maintain an updated cybersecurity incident response plan that is tested at least annually and updated within a risk informed time frame to ensure its effectiveness [CPG 2.S].

Identity and Access Management

Enforce phishing-resistant multifactor authentication (MFA) for all users without exception [CPG 2.H].
Enforce MFA on all VPN connections.

If MFA is unavailable, require employees engaging in remote work to use strong passwords [CPG 2.A, 2.B, 2.C, 2.D, 2.G].

Regularly review, validate, or remove unprivileged accounts (annually at a minimum) [CPG 2.D, 2.E].
Configure access control under the principle of least privilege [CPG 2.O].

Ensure software service accounts only provide necessary permissions (least privilege) to perform intended functions (using non-administrative privileges where feasible).Note: See CISA’s Capacity Enhancement Guide – Implementing Strong Authentication and ACSC’s guidance on Implementing MFA for more information on authentication system hardening.

Protective Controls and Architecture

Properly configure and secure internet-facing network devices, disable unused or unnecessary network ports and protocols, encrypt network traffic, and disable unused network services and devices [CPG 2.V, 2.W, 2.X].
Harden commonly exploited enterprise network services, including Link-Local Multicast Name Resolution (LLMNR) protocol, Remote Desktop Protocol (RDP), Common Internet File System (CIFS), Active Directory, and OpenLDAP.
Manage Windows Key Distribution Center (KDC) accounts (e.g., KRBTGT) to minimize Golden Ticket attacks and Kerberoasting.
Strictly control the use of native scripting applications, such as command-line, PowerShell, WinRM, Windows Management Instrumentation (WMI), and Distributed Component Object Model (DCOM).
Implement Zero Trust Network Architecture (ZTNA) to limit or block lateral movement by controlling access to applications, devices, and databases. Use private virtual local area networks [CPG 2.F, 2.X].Note: See CISA’s Zero Trust Maturity Model and the Department of Defense’s Zero Trust Reference Architecture for additional information on Zero Trust.
Continuously monitor the attack surface and investigate abnormal activity that may indicate cyber actor or malware lateral movement [CPG 2.T].
Use security tools, such as endpoint detection and response (EDR) and security information and event management (SIEM) tools.
Consider using an information technology asset management (ITAM) solution to ensure EDR, SIEM, vulnerability scanners, and other similar tools are reporting the same number of assets [CPG 2.T, 2.V].
Use web application firewalls to monitor and filter web traffic.
These tools are commercially available via hardware, software, and cloud-based solutions, and may detect and mitigate exploitation attempts where a cyber actor sends a malicious web request to an unpatched device [CPG 2.B, 2.F].
Implement an administrative policy and/or automated process configured to monitor unwanted hardware, software, or programs against an allowlist with specified, approved versions [CPG 2.Q].

Supply Chain Security

Reduce third-party applications and unique system/application builds—provide exceptions only if required to support business critical functions [CPG 2.Q].
Ensure contracts require vendors and/or third-party service providers to:
Provide notification of security incidents and vulnerabilities within a risk informed time frame [CPG 1.G, 1.H, 1.I].
Supply a Software Bill of Materials (SBOM) with all products to enhance vulnerability monitoring and to help reduce time to respond to identified vulnerabilities [CPG 4.B].
Ask your software providers to discuss their secure by design program, provide links to information about how they are working to remove classes of vulnerabilities, and to set secure default settings.

Resources

For information on the top vulnerabilities routinely exploited in 2016–2019, 2020, 2021, and 2022:

Joint CSA Top 10 Routinely Exploited Vulnerabilities.
Joint CSA Top Routinely Exploited Vulnerabilities.
Joint CSA 2021 Top Routinely Exploited Vulnerabilities.
Joint CSA 2022 Top Routinely Exploited Vulnerabilities.

See the Appendix for additional partner resources on the vulnerabilities mentioned in this advisory.
See ACSC’s Essential Eight Maturity Model for additional mitigations.
See ACSC’s Cyber Supply Chain Risk Management for additional considerations and advice.

References

Apache Log4j Vulnerability Guidance

Reporting
U.S. organizations: All organizations should report incidents and anomalous activity to CISA 24/7 Operations Center at report@cisa.gov or (888) 282-0870 and/or to the FBI via your local FBI field office or the FBI’s CyWatch at (855) 292-3937 or CyWatch@fbi.gov. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. For NSA client requirements or general cybersecurity inquiries, contact Cybersecurity_Requests@nsa.gov.
Australian organizations: Visit cyber.gov.au or call 1300 292 371 (1300 CYBER 1) to report cybersecurity incidents and access alerts and advisories.
Canadian organizations: Report incidents by emailing CCCS at contact@cyber.gc.ca. 
New Zealand organizations: Report cyber security incidents to incidents@ncsc.govt.nz or call 04 498 7654.
United Kingdom organizations: Report a significant cyber security incident at  gov.uk/report-cyber (monitored 24 hours).
Disclaimer
The information in this report is being provided “as is” for informational purposes only. CISA, FBI, NSA, ACSC, CCCS, NCSC-NZ, CERT NZ, and NCSC-UK do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring.
Version History
November 12, 2024: Initial version.

Appendix: Patch Information and Additional Resources for Top Exploited Vulnerabilities

CVE
Vendor
Affected Products and Versions
Patch Information
Resources

CVE-2023-3519
Citrix

NetScaler ADC and NetScaler Gateway:
13.1 before 13.1-49.13 
13.0 before 13.0-91.13 
NetScaler ADC:
13.1-FIPS before 13.1-37.159
12.1-FIPS before 12.1-55.297
12.1-NDcPP before 12.1-55.297

Citrix ADC and Citrix Gateway Security Bulletin for CVE-2023-3519, CVE-2023-3466, CVE-2023-3467

Threat Actors Exploiting Citrix CVE-2023-3519 to Implant Webshells
Critical Security Update for NetScaler ADC and NetScaler Gateway

CVE-2023-4966
Citrix

NetScaler ADC and NetScaler Gateway:
14.1 before 14.1-8.50
13.1 before 13.1-49.15
13.0 before 13.0-92.19
NetScaler ADC:
13.1-FIPS before 13.1-37.164
12.1-FIPS before 12.1-55.300
12.1-NDcPP before 12.1-55.300

NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2023-4966 and CVE-2023-4967

#StopRansomware: LockBit 3.0 Ransomware Affiliates Exploit CVE 2023-4966 Citrix Bleed Vulnerability
Critical Security Update for NetScaler ADC and NetScaler Gateway

CVE-2023-20198
Cisco
Any Cisco IOS XE Software with web UI feature enabled
Multiple Vulnerabilities in Cisco IOS XE Software Web UI Feature
Guidance for Addressing Cisco IOS XE Web UI Vulnerabilities

CVE-2023-27997
Fortinet

FortiOS-6K7K versions:
7.0.10, 7.0.5, 6.4.12
6.4.10, 6.4.8, 6.4.6, 6.4.2
6.2.9 through 6.2.13
6.2.6 through 6.2.7
6.2.4
6.0.12 through 6.0.16
6.0.10

Heap buffer overflow in sslvpn pre-authentication
 

CVE-2023-34362
Progress

MOVEit Transfer:
2023.0.0 (15.0)
2022.1.x (14.1)
2022.0.x (14.0)
2021.1.x (13.1)
2021.0.x (13.0)
2020.1.x (12.1)
2020.0.x (12.0) or older MOVEit Cloud

MOVEit Transfer Critical Vulnerability
#StopRansomware: CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability

CVE-2023-22515
Atlassian

8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4
8.1.0, 8.1.1, 8.1.3, 8.1.4
8.2.0, 8.2.1, 8.2.2, 8.2.38.3.0, 8.3.1, 8.3.2
8.4.0, 8.4.1, 8.4.28.5.0, 8.5.1

Broken Access Control Vulnerability in Confluence Data Center and Server
Threat Actors Exploit Atlassian Confluence CVE-2023-22515 for Initial Access to Networks

CVE-2021- 44228
(Log4Shell)

Apache

Log4j, all versions from 2.0-beta9 to 2.14.1
For other affected vendors and products, see CISA’s GitHub repository.

Apache Log4j Security Vulnerabilities
For additional information, see joint advisory: Mitigating Log4Shell and Other Log4j-Related Vulnerabilities

Malicious Cyber Actors Continue to Exploit Log4Shell in VMware Horizon Systems

CVE-2023-2868
Barracuda Networks
5.1.3.001 through 9.2.0.006
Barracuda Email Security Gateway Appliance (ESG) Vulnerability
 

CVE-2022-47966
Zoho
Multiple products, multiple versions. (For more details, see Security advisory for remote code execution vulnerability in multiple ManageEngine products)
Security advisory for remote code execution vulnerability in multiple ManageEngine products
 

CVE-2023-27350
PaperCut

PaperCut MF or NG version 8.0 or later (excluding patched versions) on all OS platforms. This includes:
version 8.0.0 to 19.2.7 (inclusive)
version 20.0.0 to 20.1.6 (inclusive)
version 21.0.0 to 21.2.10 (inclusive)
version 22.0.0 to 22.0.8 (inclusive)

URGENT MF/NG vulnerability bulletin (March 2023)
Malicious Actors Exploit CVE-2023-27350 in PaperCut MF and NG

CVE-2020-1472
Microsoft
Netlogon
Netlogon Elevation of Privilege Vulnerability
Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure

CVE-2023-23397
Microsoft
Outlook
Microsoft Outlook Elevation of Privilege Vulnerability
Russian Cyber Actors Use Compromised Routers to Facilitate Cyber Operations

CVE-2023-49103
ownCloud
graphapi
Disclosure of Sensitive Credentials and Configuration in Containerized Deployments
 

CVE-2023-20273
Cisco
Cisco IOS XE Software with web UI feature enabled
Multiple Vulnerabilities in Cisco IOS XE Software Web UI Feature
Guidance for Addressing Cisco IOS XE Web UI Vulnerabilities

CVE-2023-42793
JetBrains
In JetBrains TeamCity before 2023.05.4
CVE-2023-42793 Vulnerability in TeamCity: Post-Mortem
Russian Foreign Intelligence Service (SVR) Exploiting JetBrains TeamCity CVE Globally

CVE-2023-22518
Atlassian
All versions of Confluence Data Cetner and Confluence Server
Improper Authorization in Confluence Data Center and Server
 

CVE-2023-29492



 

CVE-2021-27860 
FatPipe

WARP, MPVPN, IPVPN
10.1.2 and 10.2.2

FatPipe CVE List
 

CVE-2021-40539 
Zoho
ManageEngine ADSelfService Plus builds up to 6113
Security advisory – ADSelfService Plus authentication bypass vulnerability

ACSC Alert:
Critical vulnerability in ManageEngine ADSelfService Plus exploited by cyber actors

CVE-2023-0669
Fortra
GoAnywhere versions 2.3 through 7.1.2
Fortra deserialization RCE
#StopRansomware: CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability

CVE-2021-22986
F5

BIG-IP versions:
16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3 and BIG-IQ 7.1.0.x before 7.1.0.3 and 7.0.0.x before 7.0.0.2

K03009991: iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986
 

CVE-2019-0708
Microsoft
Remote Desktop Services
Remote Desktop Services Remote Code Execution Vulnerability
 

CVE-2018-13379
Fortinet
FortiOS and FortiProxy 2.0.2, 2.0.1, 2.0.0, 1.2.8, 1.2.7, 1.2.6, 1.2.5, 1.2.4, 1.2.3, 1.2.2, 1.2.1, 1.2.0, 1.1.6
FortiProxy – system file leak through SSL VPN special crafted HTTP resource requests
 

CVE-2023-35078 
Ivanti

All supported versions of Endpoint Manager Mobile (EPMM), including:
Version 11.4 releases 11.10, 11.9 and 11.8

CVE-2023-35078 – New Ivanti EPMM Vulnerability
Threat Actors Exploiting Ivanti EPMM Vulnerabilities

CVE-2023-35081 
Ivanti
All supported versions of Endpoint Manager Mobile (EPMM), including 11.10, 11.9 and 11.8
CVE-2023-35081 – Remote Arbitrary File Write
Threat Actors Exploiting Ivanti EPMM Vulnerabilities

CVE-2023-36844
Juniper

Juniper Networks Junos OS on SRX Series and EX Series:
All versions prior to 20.4R3-S9;
21.1 version 21.1R1 and later versions;
21.2 versions prior to 21.2R3-S7;
21.3 versions prior to 21.3R3-S5;
21.4 versions prior to 21.4R3-S5;
22.1 versions prior to 22.1R3-S4;
22.2 versions prior to 22.2R3-S2;
22.3 versions prior to 22.3R2-S2, 22.3R3-S1;
22.4 versions prior to 22.4R2-S1, 22.4R3;
23.2 versions prior to 23.2R1-S1, 23.2R2.

2023-08 Out-of-Cycle Security Bulletin: Junos OS: SRX Series and EX Series: Multiple vulnerabilities in J-Web can be combined to allow a preAuth Remote Code Execution
 

CVE-2023-36845
Juniper

Juniper Networks Junos OS on SRX Series and EX Series:
All versions prior to 20.4R3-S9;
21.1 version 21.1R1 and later versions;
21.2 versions prior to 21.2R3-S7;
21.3 versions prior to 21.3R3-S5;
21.4 versions prior to 21.4R3-S5;
22.1 versions prior to 22.1R3-S4;
22.2 versions prior to 22.2R3-S2;
22.3 versions prior to 22.3R2-S2, 22.3R3-S1;
22.4 versions prior to 22.4R2-S1, 22.4R3;
23.2 versions prior to 23.2R1-S1, 23.2R2.

2023-08 Out-of-Cycle Security Bulletin: Junos OS: SRX Series and EX Series: Multiple vulnerabilities in J-Web can be combined to allow a preAuth Remote Code Execution
 

CVE-2023-36846
Juniper

Juniper Networks Junos OS on SRX Series and EX Series:
All versions prior to 20.4R3-S9;
21.1 version 21.1R1 and later versions;
21.2 versions prior to 21.2R3-S7;
21.3 versions prior to 21.3R3-S5;
21.4 versions prior to 21.4R3-S5;
22.1 versions prior to 22.1R3-S4;
22.2 versions prior to 22.2R3-S2;
22.3 versions prior to 22.3R2-S2, 22.3R3-S1;
22.4 versions prior to 22.4R2-S1, 22.4R3;
23.2 versions prior to 23.2R1-S1, 23.2R2.

2023-08 Out-of-Cycle Security Bulletin: Junos OS: SRX Series and EX Series: Multiple vulnerabilities in J-Web can be combined to allow a preAuth Remote Code Execution
 

CVE-2023-36847
Juniper

Juniper Networks Junos OS on SRX Series and EX Series:
All versions prior to 20.4R3-S9;
21.1 version 21.1R1 and later versions;
21.2 versions prior to 21.2R3-S7;
21.3 versions prior to 21.3R3-S5;
21.4 versions prior to 21.4R3-S5;
22.1 versions prior to 22.1R3-S4;
22.2 versions prior to 22.2R3-S2;
22.3 versions prior to 22.3R2-S2, 22.3R3-S1;
22.4 versions prior to 22.4R2-S1, 22.4R3;
23.2 versions prior to 23.2R1-S1, 23.2R2.

2023-08 Out-of-Cycle Security Bulletin: Junos OS: SRX Series and EX Series: Multiple vulnerabilities in J-Web can be combined to allow a preAuth Remote Code Execution
 

CVE-2023-41064 
Apple

Versions prior to:
iOS 16.6.1 and iPadOS 16.6.1, macOS Monterey 12.6.9, macOS Ventura 13.5.2, iOS 15.7.9 and iPadOS 15.7.9, macOS Big Sur 11.7.10

About the security content of iOS 16.6.1 and iPadOS 16.6.1
About the security content of macOS Ventura 13.5.2
About the security content of iOS 15.7.9 and iPadOS 15.7.9
About the security content of macOS Monterey 12.6.9
About the security content of macOS Big Sur 11.7.10

 

CVE-2023-41061
Apple
Versions prior to:watchOS 9.6.2, iOS 16.6.1 and iPadOS 16.6.1

About the security content of watchOS 9.6.2
About the security content of iOS 16.6.1 and iPadOS 16.6.1

 

CVE-2021-22205
GitLab
All versions starting from 11.9
RCE when removing metadata with ExifTool
 

CVE-2019-11510
Ivanti
Pulse Secure Pulse Connect Secure versions, 9.0R1 to 9.0R3.3, 8.3R1 to 8.3R7, and 8.2R1 to 8.2R12
SA44101 – 2019-04: Out-of-Cycle Advisory: Multiple vulnerabilities resolved in Pulse Connect Secure / Pulse Policy Secure 9.0RX
 

CVE-2023-6448 
Unitronics

VisiLogic versions before
9.9.00

Unitronics Cybersecurity Advisory 2023-001: Default administrative password
 

CVE-2017-6742
Cisco
Simple Network Management Protocol subsystem of Cisco IOS 12.0 through 12.4 and 15.0 through 15.6 and IOS XE 2.2 through 3.17
SNMP Remote Code Execution Vulnerabilities in Cisco IOS and IOS XE Software
 

CVE-2021-4034
Red Hat

Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 7
Red Hat Enterprise Linux 8
Red Hat Virtualization 4
Any Red Hat product supported on Red Hat Enterprise Linux (including RHEL CoreOS) is also potentially impacted.

RHSB-2022-001 Polkit Privilege Escalation – (CVE-2021-4034)
Joint CSA: Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure

CVE-2021-26084
Atlassian
Confluence Server and Data Center, versions 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.
Jira Atlassian: Confluence Server Webwork OGNL injection – CVE-2021-26084
Joint CSA: Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure

CVE-2021-33044
Dahua
Various products

Joint CSA: Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure

CVE-2021-33045
Dahua
Various products

Joint CSA: Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure

CVE-2022-3236
Sophos
Sophos Firewall v19.0 MR1 (19.0.1) and older
Resolved RCE in Sophos Firewall (CVE-2022-3236)
Joint CSA: Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure

CVE-2022-26134
Atlassian
Confluence Server and Data Center, versions: 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, 7.18.1
Confluence Security Advisory 2022-06-02
Joint CSA: Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure

CVE-2022-41040
Microsoft
Microsoft Exchange servers
Microsoft Exchange Server Elevation of Privilege Vulnerability
 

CVE-2023-38831
RARLAB
WinRAR Versions prior to 6.23 Beta 1
WinRAR 6.23 Beta 1 Released
 

CVE-2019-18935
Progress Telerik
Telerik.Web.UI.dll versions: 
Allows JavaScriptSerializer Deserialization
Threat Actors Exploit Progress Telerik Vulnerabilities in Multiple U.S. Government IIS Servers

CVE-2021-34473
Microsoft

Exchange Server, Multiple Versions:
Q1 2011 (2011.1.315) to R2 2017 SP1 (2017.2.621)
R2 2017 SP2 (2017.2.711) to R3 2019 (2019.3.917)
R3 2019 SP1 (2019.3.1023)
R1 2020 (2020.1.114) and later

Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-34473
Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities

  

Summary

The following cybersecurity agencies coauthored this joint Cybersecurity Advisory (hereafter collectively referred to as the authoring agencies):

  • United States: The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and National Security Agency (NSA)
  • Australia: Australian Signals Directorate’s Australian Cyber Security Centre (ACSC)
  • Canada: Canadian Centre for Cyber Security (CCCS)
  • New Zealand: New Zealand National Cyber Security Centre (NCSC-NZ) and Computer Emergency Response Team New Zealand (CERT NZ)
  • United Kingdom: National Cyber Security Centre (NCSC-UK)

This advisory provides details, collected and compiled by the authoring agencies, on the Common Vulnerabilities and Exposures (CVEs) routinely and frequently exploited by malicious cyber actors in 2023 and their associated Common Weakness Enumerations (CWEs). Malicious cyber actors exploited more zero-day vulnerabilities to compromise enterprise networks in 2023 compared to 2022, allowing them to conduct operations against high priority targets.

The authoring agencies strongly encourage vendors, designers, developers, and end-user organizations to implement the following recommendations, and those found within the Mitigations section of this advisory, to reduce the risk of compromise by malicious cyber actors.

  • Vendors, designers, and developers. Implement secure by design and default principles and tactics to reduce the prevalence of vulnerabilities in your software.
    • Follow the SP 800-218 Secure Software Development Framework (SSDF) and implement secure by design practices into each stage of the software development life cycle (SDLC). Establish a coordinated vulnerability disclosure program that includes processes to determine root causes of discovered vulnerabilities.
    • Prioritize secure by default configurations, such as eliminating default passwords and not requiring additional configuration changes to enhance product security.
    • Ensure that published CVEs include the proper CWE field, identifying the root cause of the vulnerability.
  • End-user organizations:
    • Apply timely patches to systems.
      Note: If CVEs identified in this advisory have not been patched, check for signs of compromise before patching.
    • Implement a centralized patch management system.
    • Use security tools such as endpoint detection and response (EDR), web application firewalls, and network protocol analyzers.
    • Ask your software providers to discuss their secure by design program, provide links to information about how they are working to remove classes of vulnerabilities, and to set secure default settings.

Purpose

The authoring agencies developed this document in furtherance of their respective cybersecurity missions, including their responsibilities to develop and issue cybersecurity specifications and mitigations.

Download the PDF version of this report:

AA24-317A 2023 Top Routinely Exploited Vulnerabilities
(PDF, 907.24 KB
)

Technical Details

Key Findings

In 2023, malicious cyber actors exploited more zero-day vulnerabilities to compromise enterprise networks compared to 2022, allowing them to conduct cyber operations against higher-priority targets. In 2023, the majority of the most frequently exploited vulnerabilities were initially exploited as a zero-day, which is an increase from 2022, when less than half of the top exploited vulnerabilities were exploited as a zero-day. 

Malicious cyber actors continue to have the most success exploiting vulnerabilities within two years after public disclosure of the vulnerability. The utility of these vulnerabilities declines over time as more systems are patched or replaced. Malicious cyber actors find less utility from zero-day exploits when international cybersecurity efforts reduce the lifespan of zero-day vulnerabilities.

Cybersecurity Efforts to Include

Implementing security-centered product development lifecycles. Software developers deploying patches to fix software vulnerabilities is often a lengthy and expensive process, particularly for zero-days. The use of more robust testing environments and implementing threat modeling throughout the product development lifecycle will likely reduce overall product vulnerabilities.

Increasing incentives for responsible vulnerability disclosure. Global efforts to reduce barriers to responsible vulnerability disclosure could restrict the utility of zero-day exploits used by malicious cyber actors. For example, instituting vulnerability reporting bug bounty programs that allow researchers to receive compensation and recognition for their contributions to vulnerability research may boost disclosures.

Using sophisticated endpoint detection and response (EDR) tools. End users leveraging EDR solutions may improve the detection rate of zero-day exploits. Most zero-day exploits, including at least three of the top 15 vulnerabilities from last year, have been discovered when an end user or EDR system reports suspicious activity or unusual device malfunctions.

Top Routinely Exploited Vulnerabilities

Listed in Table 1 are the top 15 vulnerabilities the authoring agencies observed malicious cyber actors routinely exploiting in 2023 with details also discussed below.

  • CVE-2023-3519: This vulnerability affects Citrix NetScaler ADC and NetScaler Gateway.
    • Allows an unauthenticated user to cause a stack buffer overflow in the NSPPE process by using a HTTP GET request.
  • CVE-2023-4966: This vulnerability affects Citrix NetScaler ADC and NetScaler Gateway.
    • Allows session token leakage; a proof-of-concept for this exploit was revealed in October 2023.
  • CVE-2023-20198: This vulnerability affects Cisco IOS XE Web UI.
    • Allows unauthorized users to gain initial access and issue a command to create a local user and password combination, resulting in the ability to log in with normal user access.
  • CVE-2023-20273This vulnerability affects Cisco IOS XE, following activity from CVE-2023-20198.
    • Allows privilege escalation, once a local user has been created, to root privileges.
  • CVE-2023-27997: This vulnerability affects Fortinet FortiOS and FortiProxy SSL-VPN.
    • Allows a remote user to craft specific requests to execute arbitrary code or commands.
  • CVE-2023-34362: This vulnerability affects Progress MOVEit Transfer.
    • Allows abuse of an SQL injection vulnerability to obtain a sysadmin API access token.
    • Allows a malicious cyber actor to obtain remote code execution via this access by abusing a deserialization call.
  • CVE-2023-22515: This vulnerability affects Atlassian Confluence Data Center and Server.
    • Allows exploit of an improper input validation issue.
      • Arbitrary HTTP parameters can be translated into getter/setter sequences via the XWorks2 middleware and, in turn, allow Java objects to be modified at run time.
      • The exploit creates a new administrator user and uploads a malicious plugin to get arbitrary code execution.
  • CVE-2021-44228: This vulnerability, known as Log4Shell, affects Apache’s Log4j library, an open source logging framework incorporated into thousands of products worldwide.
    •  Allows the execution of arbitrary code.
      • An actor can exploit this vulnerability by submitting a specially crafted request to a vulnerable system, causing the execution of arbitrary code.
      • The request allows a cyber actor to take full control of a system.
      • The actor can then steal information, launch ransomware, or conduct other malicious activity.
      • Malicious cyber actors began exploiting the vulnerability after it was publicly disclosed in December 2021.
  • CVE-2023-2868This is a remote command injection vulnerability that affects the Barracuda Networks Email Security Gateway (ESG) Appliance.
    • Allows an individual to obtain unauthorized access and remotely execute system commands via the ESG appliance.
  • CVE-2022-47966: This is an unauthenticated remote code execution vulnerability that affects multiple products using Zoho ManageEngine.
    • Allows an unauthenticated user to execute arbitrary code by providing a crafted samlResponse XML to the ServiceDesk Plus SAML endpoint.
  • CVE-2023-27350: This vulnerability affects PaperCut MF/NG.
    • Allows a malicious cyber actor to chain an authentication bypass vulnerability with the abuse of built-in scripting functionality to execute code.
  • CVE-2020-1472: This vulnerability affects Microsoft Netlogon.
    • Allows privilege escalation.
      • An unauthorized user may use non-default configurations to establish a vulnerable Netlogon secure channel connection to a domain controller by using the Netlogon Remote Protocol.
        Note: This CVE has been included in top routinely exploited vulnerabilities lists since 2021.
  • CVE-2023-42793: This vulnerability can affect JetBrains TeamCity servers.
    • Allows authentication bypass that allows remote code execution against vulnerable JetBrains TeamCity servers.
  • CVE-2023-23397: This vulnerability affects Microsoft Office Outlook.
    • Allows elevation of privilege.
      • A threat actor can send a specially crafted email that the Outlook client will automatically trigger when Outlook processes it.
      • This exploit occurs even without user interaction.
  • CVE-2023-49103: This vulnerability affects ownCloud graphapi.
    • Allows unauthenticated information disclosure.
      • An unauthenticated user can access sensitive data such as admin passwords, mail server credentials, and license keys.
Table 1: Top 15 Routinely Exploited Vulnerabilities in 2023
CVE Vendor Product(s) Vulnerability Type CWE
CVE-2023-3519 Citrix

NetScaler ADC 

NetScaler Gateway

 Code Injection CWE-94: Improper Control of Generation of Code (‘Code Injection’)
CVE-2023-4966 Citrix

NetScaler ADC 

NetScaler Gateway

 Buffer Overflow CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
CVE-2023-20198 Cisco IOS XE Web UI Privilege Escalation CWE-420: Unprotected Alternate Channel
CVE-2023-20273 Cisco IOS XE Web UI Command Injection CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
CVE-2023-27997 Fortinet

FortiOS 

FortiProxy SSL-VPN

 Heap-Based Buffer Overflow

CWE-787: Out-of-bounds Write

CWE-122: Heap-based Buffer Overflow
CVE-2023-34362 Progress MOVEit Transfer SQL Injection CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
CVE-2023-22515 Atlassian Confluence Data Center and Server Broken Access Control CWE-20 Improper Input Validation

CVE-2021- 44228

(Log4Shell)

 Apache Log4j2 Remote Code Execution (RCE)

CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement (‘Expression Language Injection’)

CWE-502: Deserialization of Untrusted Data

CWE-20 Improper Input Validation

CWE-400 Uncontrolled Resource Consumption
CVE-2023-2868 Barracuda Networks ESG Appliance Improper Input Validation

CWE-77: Improper Neutralization of Special Elements used in a Command (‘Command Injection’)

CWE-20: Improper Input Validation
CVE-2022-47966 Zoho ManageEngine Multiple Products Remote Code Execution CWE-20 Improper Input Validation
CVE-2023-27350 PaperCut MF/NG Improper Access Control CWE-284: Improper Access Control
CVE-2020-1472 Microsoft Netlogon Privilege Escalation CWE-330: Use of Insufficiently Random Values
CVE-2023-42793 JetBrains TeamCity Authentication Bypass CWE-288: Authentication Bypass Using an Alternate Path or Channel
CVE-2023-23397 Microsoft Office Outlook Privilege Escalation

CWE-294: Authentication Bypass by Capture-replay

CWE-20: Improper Input Validation
CVE-2023-49103 ownCloud graphapi Information Disclosure CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

Additional Routinely Exploited Vulnerabilities

The authoring agencies identified other vulnerabilities, listed in Table 2, that malicious cyber actors also routinely exploited in 2023—in addition to the 15 vulnerabilities listed in Table 1.

Table 2: Additional Routinely Exploited Vulnerabilities in 2023
CVE Vendor Product Vulnerability Type CWE
CVE-2023-22518 Atlassian  Confluence Data Center and Server  Improper Authorization CWE-863: Incorrect Authorization
CVE-2023- 29492 Novi Novi Survey Insecure Deserialization CWE-94 Improper Control of Generation of Code (‘Code Injection’)
CVE-2021-27860  FatPipe  WARP, IPVPN, and MPVPN  Configuration Upload Exploit CWE-434: Unrestricted Upload of File with Dangerous Type
CVE-2021-40539  Zoho  ManageEngine ADSelfService Plus  Authentication Bypass CWE-706: Use of Incorrectly-Resolved Name or Reference
CVE-2023-0669 Fortra  GoAnywhere MFT  RCE CWE-502: Deserialization of Untrusted Data
CVE-2021-22986 F5  BIG-IP and BIG-IQ Centralized Management iControl REST  RCE CWE-918: Server-Side Request Forgery (SSRF)
CVE-2019-0708 Microsoft  Remote Desktop Services RCE CWE-416: Use After Free
CVE-2018-13379 Fortinet  FortiOS SSL VPN  Path Traversal CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
CVE-2022-31199  Netwrix  Auditor  Insecure Object Deserialization CWE-502: Deserialization of Untrusted Data
CVE-2023-35078  Ivanti  Endpoint Manager Mobile  Authentication Bypass CWE-287: Improper Authentication
CVE-2023-35081  Ivanti  Endpoint Manager Mobile (EPMM)  Path Traversal CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
CVE-2023-44487  N/A HTTP/2  Rapid Reset Attack CWE-400: Uncontrolled Resource Consumption
CVE-2023-36844 Juniper Junos OS EX Series PHP  External Variable Modification CWE-473: PHP External Variable Modification
CVE-2023-36845 Juniper  Junos OS EX Series and SRX Series PHP  External Variable Modification CWE-473: PHP External Variable Modification
CVE-2023-36846 Juniper  Junos OS SRX Series Missing Authentication for Critical Function CWE-306: Missing Authentication for Critical Function
CVE-2023-36847 Juniper  Junos OS EX Series  Missing Authentication for Critical Function CWE-306: Missing Authentication for Critical Function
CVE-2023-41064  Apple iOS, iPadOS, and macOS ImageIO Buffer Overflow CWE-120: Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)
CVE-2023-41061 Apple Apple iOS, iPadOS, and watchOS Wallet  Code Execution CWE-20 Improper Input Validation
CVE-2021-22205 GitLab  Community and Enterprise Editions  RCE CWE-94: Improper Control of Generation of Code (‘Code Injection’)
CVE-2019-11510 Ivanti Pulse Connect Secure  Arbitrary File Read CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
CVE-2023-6448  Unitronics  Vision PLC and HMI Insecure Default Password

CWE-798: Use of Hard-coded Credentials

CWE-1188: Initialization of a Resource with an Insecure Default
CVE-2017-6742 Cisco  IOS and IOS XE Software SNMP  RCE CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
CVE-2021-4034 Red Hat  Polkit Out-of-Bounds Read and Write

CWE-125: Out-of-bounds Read

CWE-787: Out-of-bounds Write
CVE-2021-26084 Atlassian  Confluence Server and Data Center  Object-Graph Navigation Language (OGNL) Injection CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement (‘Expression Language Injection’)
CVE-2021-33044 Dahua Various products Authentication Bypass CWE-287: Improper Authentication
CVE-2021-33045 Dahua Various products Authentication Bypass CWE-287: Improper Authentication
CVE-2022-3236 Sophos  Firewall Code Injection CWE-94: Improper Control of Generation of Code (‘Code Injection’)
CVE-2022-26134 Atlassian Confluence Server and Data Center  RCE CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement (‘Expression Language Injection’)
CVE-2022-41040 Microsoft Exchange Server Server-Side Request Forgery CWE-918: Server-Side Request Forgery (SSRF)
CVE-2023-38831 RARLAB WinRAR Code Execution

CWE-345: Insufficient Verification of Data Authenticity

CWE-351: Insufficient Type Distinction
CVE-2019-18935 Progress Telerik Progress Telerik UI for ASP.NET AJAX Deserialization of Untrusted Data CWE-502: Deserialization of Untrusted Data
CVE-2021-34473 Microsoft Microsoft Exchange Server RCE CWE-918: Server-Side Request Forgery (SSRF)

Mitigations

Vendors and Developers

The authoring agencies recommend vendors and developers take the following steps to help ensure their products are secure by design and default:

  • Identify repeatedly exploited classes of vulnerability.
    • Perform an analysis of both CVEs and known exploited vulnerabilities (KEVs) to understand which classes of vulnerability are identified more than others.
    • Implement appropriate mitigations to eliminate those classes of vulnerability.
    • If a product has several instances of SQL injection vulnerabilities, ensure all database queries in the product use parameterized queries and prohibit other forms of queries.
  • Ensure business leaders are responsible for security.
    • Business leaders should ensure their teams take proactive steps to eliminate entire classes of security vulnerabilities, rather than only making one-off patches when new vulnerabilities are discovered.
  • Follow SP 800-218 SSDF and implement secure by design practices into each stage of the SDLC; in particular, aim to perform the following SSDF recommendations:
    • Prioritize the use of memory safe languages wherever possible [SSDF PW 6.1].
    • Exercise due diligence when selecting software components (e.g., software libraries, modules, middleware, frameworks) to ensure robust security in consumer software products [SSDF PW 4.1].
    • Set up secure software development team practices—this includes conducting peer code reviews, working to a common organization secure coding standard, and maintaining awareness of language-specific security concerns [SSDF PW.5.1, PW.7.1, PW.7.2].
    • Establish a vulnerability disclosure program to verify and resolve security vulnerabilities disclosed by people who may be internal or external to the organization [SSDF RV.1.3] and establish processes to determine root causes of discovered vulnerabilities.
    • Use static and dynamic application security testing (SAST/DAST) tools to analyze product source code and application behavior to detect error-prone practices [SSDF PW.7.2, PW.8.2].
  • Configure production-ready products to have the most secure settings by default and provide guidance on the risks of changing each setting [SSDF PW.9.1, PW9.2].
    • Prioritize secure by default configurations such as eliminating default passwords, implementing single sign on (SSO) technology via modern open standards, and providing high-quality audit logs to customers with no additional configuration necessary and at no extra charge.
  • Ensure published CVEs include the proper CWE field identifying the root cause of the vulnerability to enable industry-wide analysis of software security and design flaws.

For more information on designing secure by design and default products, including additional recommended secure by default configurations, see CISA’s joint guide Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security by Design and Default.

End-User Organizations

The authoring agencies recommend end-user organizations implement the mitigations below to improve their cybersecurity posture based on threat actors’ activity. These mitigations align with the cross-sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s CPGs webpage for more information on CPGs, including additional recommended baseline protections.

Vulnerability and Configuration Management

  • Update software, operating systems, applications, and firmware on IT network assets in a timely manner [CPG 1.E].
    • Prioritize patching KEVs, especially those CVEs identified in this advisory, then critical and high vulnerabilities that allow for remote code execution or denial-of-service on internet-facing equipment.
    • For patch information on CVEs identified in this advisory, refer to the Appendix: Patch Information and Additional Resources for Top Exploited Vulnerabilities.
      • If a patch for a KEV or critical vulnerability cannot be quickly applied, implement vendor-approved workarounds.
      • Replace end-of-life software (i.e., software no longer supported by the vendor).
  • Routinely perform automated asset discovery across the entire estate to identify and catalogue all the systems, services, hardware, and software.
  • Implement a robust patch management process and centralized patch management system that establishes prioritization of patch applications [CPG 1.A].
    • Organizations that are unable to perform rapid scanning and patching of internet-facing systems should consider moving these services to mature, reputable cloud service providers (CSPs) or other managed service providers (MSPs).
    • Reputable MSPs can patch applications (such as webmail, file storage, file sharing, chat, and other employee collaboration tools) for their customers.
      Note: MSPs and CSPs can expand their customer’s attack surface and may introduce unanticipated risks, so organizations should proactively collaborate with their MSPs and CSPs to jointly reduce risk [CPG 1.F]. For more information and guidance, see the following resources:
  • Document secure baseline configurations for all IT/OT components, including cloud infrastructure.
    • Monitor, examine, and document any deviations from the initial secure baseline [CPG 2.O].
  • Perform regular secure system backups and create known good copies of all device configurations for repairs and/or restoration.
    • Store copies off-network in physically secure locations and test regularly [CPG 2.R].
  • Maintain an updated cybersecurity incident response plan that is tested at least annually and updated within a risk informed time frame to ensure its effectiveness [CPG 2.S].

Identity and Access Management

  • Enforce phishing-resistant multifactor authentication (MFA) for all users without exception [CPG 2.H].
  • Enforce MFA on all VPN connections.
    • If MFA is unavailable, require employees engaging in remote work to use strong passwords [CPG 2.A, 2.B, 2.C, 2.D, 2.G].
  • Regularly review, validate, or remove unprivileged accounts (annually at a minimum) [CPG 2.D, 2.E].
  • Configure access control under the principle of least privilege [CPG 2.O].

Protective Controls and Architecture

  • Properly configure and secure internet-facing network devices, disable unused or unnecessary network ports and protocols, encrypt network traffic, and disable unused network services and devices [CPG 2.V, 2.W, 2.X].
  • Harden commonly exploited enterprise network services, including Link-Local Multicast Name Resolution (LLMNR) protocol, Remote Desktop Protocol (RDP), Common Internet File System (CIFS), Active Directory, and OpenLDAP.
  • Manage Windows Key Distribution Center (KDC) accounts (e.g., KRBTGT) to minimize Golden Ticket attacks and Kerberoasting.
  • Strictly control the use of native scripting applications, such as command-line, PowerShell, WinRM, Windows Management Instrumentation (WMI), and Distributed Component Object Model (DCOM).
  • Implement Zero Trust Network Architecture (ZTNA) to limit or block lateral movement by controlling access to applications, devices, and databases. Use private virtual local area networks [CPG 2.F, 2.X].
    Note: See CISA’s Zero Trust Maturity Model and the Department of Defense’s Zero Trust Reference Architecture for additional information on Zero Trust.
  • Continuously monitor the attack surface and investigate abnormal activity that may indicate cyber actor or malware lateral movement [CPG 2.T].
  • Use security tools, such as endpoint detection and response (EDR) and security information and event management (SIEM) tools.
  • Consider using an information technology asset management (ITAM) solution to ensure EDR, SIEM, vulnerability scanners, and other similar tools are reporting the same number of assets [CPG 2.T, 2.V].
  • Use web application firewalls to monitor and filter web traffic.
  • These tools are commercially available via hardware, software, and cloud-based solutions, and may detect and mitigate exploitation attempts where a cyber actor sends a malicious web request to an unpatched device [CPG 2.B, 2.F].
  • Implement an administrative policy and/or automated process configured to monitor unwanted hardware, software, or programs against an allowlist with specified, approved versions [CPG 2.Q].

Supply Chain Security

  • Reduce third-party applications and unique system/application builds—provide exceptions only if required to support business critical functions [CPG 2.Q].
  • Ensure contracts require vendors and/or third-party service providers to:
  • Provide notification of security incidents and vulnerabilities within a risk informed time frame [CPG 1.G, 1.H, 1.I].
  • Supply a Software Bill of Materials (SBOM) with all products to enhance vulnerability monitoring and to help reduce time to respond to identified vulnerabilities [CPG 4.B].
  • Ask your software providers to discuss their secure by design program, provide links to information about how they are working to remove classes of vulnerabilities, and to set secure default settings.

Resources

References

Reporting

U.S. organizations: All organizations should report incidents and anomalous activity to CISA 24/7 Operations Center at report@cisa.gov or (888) 282-0870 and/or to the FBI via your local FBI field office or the FBI’s CyWatch at (855) 292-3937 or CyWatch@fbi.gov. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. For NSA client requirements or general cybersecurity inquiries, contact Cybersecurity_Requests@nsa.gov.

Australian organizations: Visit cyber.gov.au or call 1300 292 371 (1300 CYBER 1) to report cybersecurity incidents and access alerts and advisories.

Canadian organizations: Report incidents by emailing CCCS at contact@cyber.gc.ca

New Zealand organizations: Report cyber security incidents to incidents@ncsc.govt.nz or call 04 498 7654.

United Kingdom organizations: Report a significant cyber security incident at  gov.uk/report-cyber (monitored 24 hours).

Disclaimer

The information in this report is being provided “as is” for informational purposes only. CISA, FBI, NSA, ACSC, CCCS, NCSC-NZ, CERT NZ, and NCSC-UK do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring.

Version History

November 12, 2024: Initial version.

Appendix: Patch Information and Additional Resources for Top Exploited Vulnerabilities

CVE Vendor Affected Products and Versions Patch Information Resources
CVE-2023-3519 Citrix

NetScaler ADC and NetScaler Gateway:

13.1 before 13.1-49.13 

13.0 before 13.0-91.13 

NetScaler ADC:

13.1-FIPS before 13.1-37.159

12.1-FIPS before 12.1-55.297

12.1-NDcPP before 12.1-55.297

 Citrix ADC and Citrix Gateway Security Bulletin for CVE-2023-3519, CVE-2023-3466, CVE-2023-3467

Threat Actors Exploiting Citrix CVE-2023-3519 to Implant Webshells

Critical Security Update for NetScaler ADC and NetScaler Gateway
CVE-2023-4966 Citrix

NetScaler ADC and NetScaler Gateway:

14.1 before 14.1-8.50

13.1 before 13.1-49.15

13.0 before 13.0-92.19

NetScaler ADC:

13.1-FIPS before 13.1-37.164

12.1-FIPS before 12.1-55.300

12.1-NDcPP before 12.1-55.300

 NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2023-4966 and CVE-2023-4967

#StopRansomware: LockBit 3.0 Ransomware Affiliates Exploit CVE 2023-4966 Citrix Bleed Vulnerability

Critical Security Update for NetScaler ADC and NetScaler Gateway
CVE-2023-20198 Cisco Any Cisco IOS XE Software with web UI feature enabled Multiple Vulnerabilities in Cisco IOS XE Software Web UI Feature Guidance for Addressing Cisco IOS XE Web UI Vulnerabilities
CVE-2023-27997 Fortinet

FortiOS-6K7K versions:

7.0.10, 7.0.5, 6.4.12

6.4.10, 6.4.8, 6.4.6, 6.4.2

6.2.9 through 6.2.13

6.2.6 through 6.2.7

6.2.4

6.0.12 through 6.0.16

6.0.10

 Heap buffer overflow in sslvpn pre-authentication  
CVE-2023-34362 Progress

MOVEit Transfer:

2023.0.0 (15.0)

2022.1.x (14.1)

2022.0.x (14.0)

2021.1.x (13.1)

2021.0.x (13.0)

2020.1.x (12.1)

2020.0.x (12.0) or older MOVEit Cloud

 MOVEit Transfer Critical Vulnerability #StopRansomware: CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability
CVE-2023-22515 Atlassian

8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4

8.1.0, 8.1.1, 8.1.3, 8.1.4

8.2.0, 8.2.1, 8.2.2, 8.2.38.3.0, 8.3.1, 8.3.2

8.4.0, 8.4.1, 8.4.28.5.0, 8.5.1

 Broken Access Control Vulnerability in Confluence Data Center and Server Threat Actors Exploit Atlassian Confluence CVE-2023-22515 for Initial Access to Networks

CVE-2021- 44228

(Log4Shell)

 Apache

Log4j, all versions from 2.0-beta9 to 2.14.1

For other affected vendors and products, see CISA’s GitHub repository.

Apache Log4j Security Vulnerabilities

For additional information, see joint advisory: Mitigating Log4Shell and Other Log4j-Related Vulnerabilities

 Malicious Cyber Actors Continue to Exploit Log4Shell in VMware Horizon Systems
CVE-2023-2868 Barracuda Networks 5.1.3.001 through 9.2.0.006 Barracuda Email Security Gateway Appliance (ESG) Vulnerability  
CVE-2022-47966 Zoho Multiple products, multiple versions. (For more details, see Security advisory for remote code execution vulnerability in multiple ManageEngine products) Security advisory for remote code execution vulnerability in multiple ManageEngine products  
CVE-2023-27350 PaperCut

PaperCut MF or NG version 8.0 or later (excluding patched versions) on all OS platforms. This includes:

version 8.0.0 to 19.2.7 (inclusive)

version 20.0.0 to 20.1.6 (inclusive)

version 21.0.0 to 21.2.10 (inclusive)

version 22.0.0 to 22.0.8 (inclusive)

 URGENT MF/NG vulnerability bulletin (March 2023) Malicious Actors Exploit CVE-2023-27350 in PaperCut MF and NG
CVE-2020-1472 Microsoft Netlogon Netlogon Elevation of Privilege Vulnerability Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure
CVE-2023-23397 Microsoft Outlook Microsoft Outlook Elevation of Privilege Vulnerability Russian Cyber Actors Use Compromised Routers to Facilitate Cyber Operations
CVE-2023-49103 ownCloud graphapi Disclosure of Sensitive Credentials and Configuration in Containerized Deployments  
CVE-2023-20273 Cisco Cisco IOS XE Software with web UI feature enabled Multiple Vulnerabilities in Cisco IOS XE Software Web UI Feature Guidance for Addressing Cisco IOS XE Web UI Vulnerabilities
CVE-2023-42793 JetBrains In JetBrains TeamCity before 2023.05.4 CVE-2023-42793 Vulnerability in TeamCity: Post-Mortem Russian Foreign Intelligence Service (SVR) Exploiting JetBrains TeamCity CVE Globally
CVE-2023-22518 Atlassian All versions of Confluence Data Cetner and Confluence Server Improper Authorization in Confluence Data Center and Server  
CVE-2023-29492  
CVE-2021-27860  FatPipe

WARP, MPVPN, IPVPN

10.1.2 and 10.2.2

 FatPipe CVE List  
CVE-2021-40539  Zoho ManageEngine ADSelfService Plus builds up to 6113 Security advisory – ADSelfService Plus authentication bypass vulnerability

ACSC Alert:

Critical vulnerability in ManageEngine ADSelfService Plus exploited by cyber actors
CVE-2023-0669 Fortra GoAnywhere versions 2.3 through 7.1.2 Fortra deserialization RCE #StopRansomware: CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability
CVE-2021-22986 F5

BIG-IP versions:

16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3 and BIG-IQ 7.1.0.x before 7.1.0.3 and 7.0.0.x before 7.0.0.2

 K03009991: iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986  
CVE-2019-0708 Microsoft Remote Desktop Services Remote Desktop Services Remote Code Execution Vulnerability  
CVE-2018-13379 Fortinet FortiOS and FortiProxy 2.0.2, 2.0.1, 2.0.0, 1.2.8, 1.2.7, 1.2.6, 1.2.5, 1.2.4, 1.2.3, 1.2.2, 1.2.1, 1.2.0, 1.1.6 FortiProxy – system file leak through SSL VPN special crafted HTTP resource requests  
CVE-2023-35078  Ivanti

All supported versions of Endpoint Manager Mobile (EPMM), including:

Version 11.4 releases 11.10, 11.9 and 11.8

 CVE-2023-35078 – New Ivanti EPMM Vulnerability Threat Actors Exploiting Ivanti EPMM Vulnerabilities
CVE-2023-35081  Ivanti All supported versions of Endpoint Manager Mobile (EPMM), including 11.10, 11.9 and 11.8 CVE-2023-35081 – Remote Arbitrary File Write Threat Actors Exploiting Ivanti EPMM Vulnerabilities
CVE-2023-36844 Juniper

Juniper Networks Junos OS on SRX Series and EX Series:

All versions prior to 20.4R3-S9;

21.1 version 21.1R1 and later versions;

21.2 versions prior to 21.2R3-S7;

21.3 versions prior to 21.3R3-S5;

21.4 versions prior to 21.4R3-S5;

22.1 versions prior to 22.1R3-S4;

22.2 versions prior to 22.2R3-S2;

22.3 versions prior to 22.3R2-S2, 22.3R3-S1;

22.4 versions prior to 22.4R2-S1, 22.4R3;

23.2 versions prior to 23.2R1-S1, 23.2R2.

 2023-08 Out-of-Cycle Security Bulletin: Junos OS: SRX Series and EX Series: Multiple vulnerabilities in J-Web can be combined to allow a preAuth Remote Code Execution  
CVE-2023-36845 Juniper

Juniper Networks Junos OS on SRX Series and EX Series:

All versions prior to 20.4R3-S9;

21.1 version 21.1R1 and later versions;

21.2 versions prior to 21.2R3-S7;

21.3 versions prior to 21.3R3-S5;

21.4 versions prior to 21.4R3-S5;

22.1 versions prior to 22.1R3-S4;

22.2 versions prior to 22.2R3-S2;

22.3 versions prior to 22.3R2-S2, 22.3R3-S1;

22.4 versions prior to 22.4R2-S1, 22.4R3;

23.2 versions prior to 23.2R1-S1, 23.2R2.

 2023-08 Out-of-Cycle Security Bulletin: Junos OS: SRX Series and EX Series: Multiple vulnerabilities in J-Web can be combined to allow a preAuth Remote Code Execution  
CVE-2023-36846 Juniper

Juniper Networks Junos OS on SRX Series and EX Series:

All versions prior to 20.4R3-S9;

21.1 version 21.1R1 and later versions;

21.2 versions prior to 21.2R3-S7;

21.3 versions prior to 21.3R3-S5;

21.4 versions prior to 21.4R3-S5;

22.1 versions prior to 22.1R3-S4;

22.2 versions prior to 22.2R3-S2;

22.3 versions prior to 22.3R2-S2, 22.3R3-S1;

22.4 versions prior to 22.4R2-S1, 22.4R3;

23.2 versions prior to 23.2R1-S1, 23.2R2.

 2023-08 Out-of-Cycle Security Bulletin: Junos OS: SRX Series and EX Series: Multiple vulnerabilities in J-Web can be combined to allow a preAuth Remote Code Execution  
CVE-2023-36847 Juniper

Juniper Networks Junos OS on SRX Series and EX Series:

All versions prior to 20.4R3-S9;

21.1 version 21.1R1 and later versions;

21.2 versions prior to 21.2R3-S7;

21.3 versions prior to 21.3R3-S5;

21.4 versions prior to 21.4R3-S5;

22.1 versions prior to 22.1R3-S4;

22.2 versions prior to 22.2R3-S2;

22.3 versions prior to 22.3R2-S2, 22.3R3-S1;

22.4 versions prior to 22.4R2-S1, 22.4R3;

23.2 versions prior to 23.2R1-S1, 23.2R2.

 2023-08 Out-of-Cycle Security Bulletin: Junos OS: SRX Series and EX Series: Multiple vulnerabilities in J-Web can be combined to allow a preAuth Remote Code Execution  
CVE-2023-41064  Apple

Versions prior to:

iOS 16.6.1 and iPadOS 16.6.1, macOS Monterey 12.6.9, macOS Ventura 13.5.2, iOS 15.7.9 and iPadOS 15.7.9, macOS Big Sur 11.7.10

About the security content of iOS 16.6.1 and iPadOS 16.6.1

About the security content of macOS Ventura 13.5.2

About the security content of iOS 15.7.9 and iPadOS 15.7.9

About the security content of macOS Monterey 12.6.9

About the security content of macOS Big Sur 11.7.10

  
CVE-2023-41061 Apple Versions prior to:
watchOS 9.6.2, iOS 16.6.1 and iPadOS 16.6.1

About the security content of watchOS 9.6.2

About the security content of iOS 16.6.1 and iPadOS 16.6.1

  
CVE-2021-22205 GitLab All versions starting from 11.9 RCE when removing metadata with ExifTool  
CVE-2019-11510 Ivanti Pulse Secure Pulse Connect Secure versions, 9.0R1 to 9.0R3.3, 8.3R1 to 8.3R7, and 8.2R1 to 8.2R12 SA44101 – 2019-04: Out-of-Cycle Advisory: Multiple vulnerabilities resolved in Pulse Connect Secure / Pulse Policy Secure 9.0RX  
CVE-2023-6448  Unitronics

VisiLogic versions before

9.9.00

 Unitronics Cybersecurity Advisory 2023-001: Default administrative password  
CVE-2017-6742 Cisco Simple Network Management Protocol subsystem of Cisco IOS 12.0 through 12.4 and 15.0 through 15.6 and IOS XE 2.2 through 3.17 SNMP Remote Code Execution Vulnerabilities in Cisco IOS and IOS XE Software  
CVE-2021-4034 Red Hat

Red Hat Enterprise Linux 6

Red Hat Enterprise Linux 7

Red Hat Enterprise Linux 8

Red Hat Virtualization 4

Any Red Hat product supported on Red Hat Enterprise Linux (including RHEL CoreOS) is also potentially impacted.

 RHSB-2022-001 Polkit Privilege Escalation – (CVE-2021-4034) Joint CSA: Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure
CVE-2021-26084 Atlassian Confluence Server and Data Center, versions 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5. Jira Atlassian: Confluence Server Webwork OGNL injection – CVE-2021-26084 Joint CSA: Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure
CVE-2021-33044 Dahua Various products Joint CSA: Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure
CVE-2021-33045 Dahua Various products Joint CSA: Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure
CVE-2022-3236 Sophos Sophos Firewall v19.0 MR1 (19.0.1) and older Resolved RCE in Sophos Firewall (CVE-2022-3236) Joint CSA: Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure
CVE-2022-26134 Atlassian Confluence Server and Data Center, versions: 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, 7.18.1 Confluence Security Advisory 2022-06-02 Joint CSA: Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure
CVE-2022-41040 Microsoft Microsoft Exchange servers Microsoft Exchange Server Elevation of Privilege Vulnerability  
CVE-2023-38831 RARLAB WinRAR Versions prior to 6.23 Beta 1 WinRAR 6.23 Beta 1 Released  
CVE-2019-18935 Progress Telerik Telerik.Web.UI.dll versions:

 

 Allows JavaScriptSerializer Deserialization Threat Actors Exploit Progress Telerik Vulnerabilities in Multiple U.S. Government IIS Servers
CVE-2021-34473 Microsoft

Exchange Server, Multiple Versions:

Q1 2011 (2011.1.315) to R2 2017 SP1 (2017.2.621)

R2 2017 SP2 (2017.2.711) to R3 2019 (2019.3.917)

R3 2019 SP1 (2019.3.1023)

R1 2020 (2020.1.114) and later

 Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-34473 Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities

 

 Read More

FBI: Spike in Hacked Police Emails, Fake Subpoenas

Posted on by

​The Federal Bureau of Investigation (FBI) is urging police departments and governments worldwide to beef up security around their email systems, citing a recent increase in cybercriminal services that use hacked police email accounts to send unauthorized subpoenas and customer data requests to U.S.-based technology companies. 

The Federal Bureau of Investigation (FBI) is urging police departments and governments worldwide to beef up security around their email systems, citing a recent increase in cybercriminal services that use hacked police email accounts to send unauthorized subpoenas and customer data requests to U.S.-based technology companies.

In an alert (PDF) published this week, the FBI said it has seen un uptick in postings on criminal forums regarding the process of emergency data requests (EDRs) and the sale of email credentials stolen from police departments and government agencies.

“Cybercriminals are likely gaining access to compromised US and foreign government email addresses and using them to conduct fraudulent emergency data requests to US based companies, exposing the personal information of customers to further use for criminal purposes,” the FBI warned.

In the United States, when federal, state or local law enforcement agencies wish to obtain information about an account at a technology provider — such as the account’s email address, or what Internet addresses a specific cell phone account has used in the past — they must submit an official court-ordered warrant or subpoena.

Virtually all major technology companies serving large numbers of users online have departments that routinely review and process such requests, which are typically granted (eventually, and at least in part) as long as the proper documents are provided and the request appears to come from an email address connected to an actual police department domain name.

In some cases, a cybercriminal will offer to forge a court-approved subpoena and send that through a hacked police or government email account. But increasingly, thieves are relying on fake EDRs, which allow investigators to attest that people will be bodily harmed or killed unless a request for account data is granted expeditiously.

The trouble is, these EDRs largely bypass any official review and do not require the requester to supply any court-approved documents. Also, it is difficult for a company that receives one of these EDRs to immediately determine whether it is legitimate.

In this scenario, the receiving company finds itself caught between two unsavory outcomes: Failing to immediately comply with an EDR — and potentially having someone’s blood on their hands — or possibly leaking a customer record to the wrong person.

Perhaps unsurprisingly, compliance with such requests tends to be extremely high. For example, in its most recent transparency report (PDF) Verizon said it received more than 127,000 law enforcement demands for customer data in the second half of 2023 — including more than 36,000 EDRs — and that the company provided records in response to approximately 90 percent of requests.

One English-speaking cybercriminal who goes by the nicknames “Pwnstar” and “Pwnipotent” has been selling fake EDR services on both Russian-language and English cybercrime forums. Their prices range from $1,000 to $3,000 per successful request, and they claim to control “gov emails from over 25 countries,” including Argentina, Bangladesh, Brazil, Bolivia, Dominican Republic, Hungary, India, Kenya, Jordan, Lebanon, Laos, Malaysia, Mexico, Morocco, Nigeria, Oman, Pakistan, Panama, Paraguay, Peru, Philippines, Tunisia, Turkey, United Arab Emirates (UAE), and Vietnam.

“I cannot 100% guarantee every order will go through,” Pwnstar explained. “This is social engineering at the highest level and there will be failed attempts at times. Don’t be discouraged. You can use escrow and I give full refund back if EDR doesn’t go through and you don’t receive your information.”

An ad from Pwnstar for fake EDR services.

A review of EDR vendors across many cybercrime forums shows that some fake EDR vendors sell the ability to send phony police requests to specific social media platforms, including forged court-approved documents. Others simply sell access to hacked government or police email accounts, and leave it up to the buyer to forge any needed documents.

“When you get account, it’s yours, your account, your liability,” reads an ad in October on BreachForums. “Unlimited Emergency Data Requests. Once Paid, the Logins are completely Yours. Reset as you please. You would need to Forge Documents to Successfully Emergency Data Request.”

Still other fake EDR service vendors claim to sell hacked or fraudulently created accounts on Kodex, a startup that aims to help tech companies do a better job screening out phony law enforcement data requests. Kodex is trying to tackle the problem of fake EDRs by working directly with the data providers to pool information about police or government officials submitting these requests, with an eye toward making it easier for everyone to spot an unauthorized EDR.

If police or government officials wish to request records regarding Coinbase customers, for example, they must first register an account on Kodexglobal.com. Kodex’s systems then assign that requestor a score or credit rating, wherein officials who have a long history of sending valid legal requests will have a higher rating than someone sending an EDR for the first time.

It is not uncommon to see fake EDR vendors claim the ability to send data requests through Kodex, with some even sharing redacted screenshots of police accounts at Kodex.

Matt Donahue is the former FBI agent who founded Kodex in 2021. Donahue said just because someone can use a legitimate police department or government email to create a Kodex account doesn’t mean that user will be able to send anything. Donahue said even if one customer gets a fake request, Kodex is able to prevent the same thing from happening to another.

Kodex told KrebsOnSecurity that over the past 12 months it has processed a total of 1,597 EDRs, and that 485 of those requests (~30 percent) failed a second-level verification. Kodex reports it has suspended nearly 4,000 law enforcement users in the past year, including:

-1,521 from the Asia-Pacific region;
-1,290 requests from Europe, the Middle East and Asia;
-460 from police departments and agencies in the United States;
-385 from entities in Latin America, and;
-285 from Brazil.

Donahue said 60 technology companies are now routing all law enforcement data requests through Kodex, including an increasing number of financial institutions and cryptocurrency platforms. He said one concern shared by recent prospective customers is that crooks are seeking to use phony law enforcement requests to freeze and in some cases seize funds in specific accounts.

“What’s being conflated [with EDRs] is anything that doesn’t involve a formal judge’s signature or legal process,” Donahue said. “That can include control over data, like an account freeze or preservation request.”

In a hypothetical example, a scammer uses a hacked government email account to request that a service provider place a hold on a specific bank or crypto account that is allegedly subject to a garnishment order, or party to crime that is globally sanctioned, such as terrorist financing or child exploitation.

A few days or weeks later, the same impersonator returns with a request to seize funds in the account, or to divert the funds to a custodial wallet supposedly controlled by government investigators.

“In terms of overall social engineering attacks, the more you have a relationship with someone the more they’re going to trust you,” Donahue said. “If you send them a freeze order, that’s a way to establish trust, because [the first time] they’re not asking for information. They’re just saying, ‘Hey can you do me a favor?’ And that makes the [recipient] feel valued.”

Echoing the FBI’s warning, Donahue said far too many police departments in the United States and other countries have poor account security hygiene, and often do not enforce basic account security precautions — such as requiring phishing-resistant multifactor authentication.

How are cybercriminals typically gaining access to police and government email accounts? Donahue said it’s still mostly email-based phishing, and credentials that are stolen by opportunistic malware infections and sold on the dark web. But as bad as things are internationally, he said, many law enforcement entities in the United States still have much room for improvement in account security.

“Unfortunately, a lot of this is phishing or malware campaigns,” Donahue said. “A lot of global police agencies don’t have stringent cybersecurity hygiene, but even U.S. dot-gov emails get hacked. Over the last nine months, I’ve reached out to CISA (the Cybersecurity and Infrastructure Security Agency) over a dozen times about .gov email addresses that were compromised and that CISA was unaware of.”

 

Read More

CISA Adds Four Known Exploited Vulnerabilities to Catalog

Posted on by

 ​CISA has added four new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

CVE-2024-43093 Android Framework Privilege Escalation Vulnerability
CVE-2024-51567 CyberPanel Incorrect Default Permissions Vulnerability
CVE-2019-16278 Nostromo nhttpd Directory Traversal Vulnerability
CVE-2024-5910 Palo Alto Expedition Missing Authentication Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.
Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.
Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria. 

CISA has added four new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

  • CVE-2024-43093 Android Framework Privilege Escalation Vulnerability
  • CVE-2024-51567 CyberPanel Incorrect Default Permissions Vulnerability
  • CVE-2019-16278 Nostromo nhttpd Directory Traversal Vulnerability
  • CVE-2024-5910 Palo Alto Expedition Missing Authentication Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

 Read More

Bosch Rexroth IndraDrive

Posted on by

 ​View CSAF
1. EXECUTIVE SUMMARY

CVSS v4 8.7
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Bosch Rexroth
Equipment: IndraDrive
Vulnerability: Uncontrolled Resource Consumption

2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to cause a denial-of-service, rendering the device unresponsive by sending arbitrary UDP messages.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Bosch Rexroth reports that the following versions of IndraDrive, servo drive system, are affected:

Bosch Rexroth AG IndraDrive FWA-INDRV*-MP*: 17VRS < 20V36

3.2 Vulnerability Overview
3.2.1 Uncontrolled Resource Consumption CWE-400
A vulnerability in the PROFINET stack implementation of the IndraDrive of Bosch Rexroth allows an attacker to cause a denial-of-service, rendering the device unresponsive by sending arbitrary UDP messages.
CVE-2024-48989 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
A CVSS v4 score has also been calculated for CVE-2024-48989. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER
Roni Gavrilov from OTORIO reported this vulnerability to CISA.
4. MITIGATIONS
Bosch Rexroth has fixed this vulnerability starting with FWA-INDRV-MP-20V36. Bosch Rexroth recommends updating as soon as possible.
In use cases in which a device update is not possible or not feasible, Bosch Rexroth recommends compensatory measures which prevent or at least complicate taking advantage of the vulnerability. Always define such compensatory measures individually, in the context of the operational environment.
Some possible measures are described in “Security Manual Electric Drives and Controls”, like network segmentation. In general, it is highly recommended to implement the measures described in “Security Manual Drives and Controls”.
For more information, refer to the Bosch PSIRT Security Advisory BOSCH-SA-2584444
Please contact the Bosch PSIRT if you have feedback, comments, or additional information about this vulnerability at: psirt@bosch.com .
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.
5. UPDATE HISTORY

November 7, 2024: Initial Publication 

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 8.7
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Bosch Rexroth
  • Equipment: IndraDrive
  • Vulnerability: Uncontrolled Resource Consumption

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to cause a denial-of-service, rendering the device unresponsive by sending arbitrary UDP messages.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Bosch Rexroth reports that the following versions of IndraDrive, servo drive system, are affected:

  • Bosch Rexroth AG IndraDrive FWA-INDRV*MP*: 17VRS < 20V36

3.2 Vulnerability Overview

3.2.1 Uncontrolled Resource Consumption CWE-400

A vulnerability in the PROFINET stack implementation of the IndraDrive of Bosch Rexroth allows an attacker to cause a denial-of-service, rendering the device unresponsive by sending arbitrary UDP messages.

CVE-2024-48989 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2024-48989. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Roni Gavrilov from OTORIO reported this vulnerability to CISA.

4. MITIGATIONS

Bosch Rexroth has fixed this vulnerability starting with FWA-INDRV-MP-20V36. Bosch Rexroth recommends updating as soon as possible.

In use cases in which a device update is not possible or not feasible, Bosch Rexroth recommends compensatory measures which prevent or at least complicate taking advantage of the vulnerability. Always define such compensatory measures individually, in the context of the operational environment.

Some possible measures are described in “Security Manual Electric Drives and Controls”, like network segmentation. In general, it is highly recommended to implement the measures described in “Security Manual Drives and Controls”.

For more information, refer to the Bosch PSIRT Security Advisory BOSCH-SA-2584444

Please contact the Bosch PSIRT if you have feedback, comments, or additional information about this vulnerability at: psirt@bosch.com .

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

  • November 7, 2024: Initial Publication

 Read More

CISA Releases Three Industrial Control Systems Advisories

Posted on by

 ​CISA released three Industrial Control Systems (ICS) advisories on November 7, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

ICSA-24-312-01 Beckhoff Automation TwinCAT Package Manager
ICSA-24-312-02 Delta Electronics DIAScreen
ICSA-24-312-03 Bosch Rexroth IndraDrive

CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.

This product is provided subject to this Notification and this Privacy & Use policy. 

CISA released three Industrial Control Systems (ICS) advisories on November 7, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.

This product is provided subject to this Notification and this Privacy & Use policy.

 Read More

Beckhoff Automation TwinCAT Package Manager

Posted on by

 ​View CSAF
1. EXECUTIVE SUMMARY

CVSS v4 7.0
ATTENTION: Low Attack Complexity
Vendor: Beckhoff Automation
Equipment: TwinCAT Package Manager
Vulnerability: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

2. RISK EVALUATION
Successful exploitation this vulnerability could allow a local attacker with administrative access rights to execute arbitrary OS commands on the affected system.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following Beckhoff Automation products are affected:

TwinCAT Package Manager: Versions prior to 1.0.603.0

3.2 Vulnerability Overview
3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND (‘OS COMMAND INJECTION’) CWE-78
A local user with administrative access rights can enter specially crafted values for settings at the user interface (UI) of the TwinCAT Package Manager which then causes arbitrary OS commands to be executed.
CVE-2024-8934 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2024-8934. A base score of 7.0 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER
elcazator of Elex Feigong Research Institute of Elex CyberSecurity, Inc. reported this vulnerability to CISA.
4. MITIGATIONS
Beckhoff Automation recommends users update to at least version 1.0.613.0.
Additionally, Beckhoff Automation has identified the following specific workarounds and mitigations users can apply to reduce risk:

Administrative users should always act thoroughly and inspect the values which they enter.
Please update to a recent version of the affected product.

For more information CERT@VDE has released security advisory VDE-2024-064
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.
5. UPDATE HISTORY

November 7, 2024: Initial Publication 

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 7.0
  • ATTENTION: Low Attack Complexity
  • Vendor: Beckhoff Automation
  • Equipment: TwinCAT Package Manager
  • Vulnerability: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

2. RISK EVALUATION

Successful exploitation this vulnerability could allow a local attacker with administrative access rights to execute arbitrary OS commands on the affected system.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Beckhoff Automation products are affected:

  • TwinCAT Package Manager: Versions prior to 1.0.603.0

3.2 Vulnerability Overview

3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND (‘OS COMMAND INJECTION’) CWE-78

A local user with administrative access rights can enter specially crafted values for settings at the user interface (UI) of the TwinCAT Package Manager which then causes arbitrary OS commands to be executed.

CVE-2024-8934 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-8934. A base score of 7.0 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

elcazator of Elex Feigong Research Institute of Elex CyberSecurity, Inc. reported this vulnerability to CISA.

4. MITIGATIONS

Beckhoff Automation recommends users update to at least version 1.0.613.0.

Additionally, Beckhoff Automation has identified the following specific workarounds and mitigations users can apply to reduce risk:

  • Administrative users should always act thoroughly and inspect the values which they enter.
  • Please update to a recent version of the affected product.

For more information CERT@VDE has released security advisory VDE-2024-064

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

  • November 7, 2024: Initial Publication

 Read More

Delta Electronics DIAScreen

Posted on by

 ​View CSAF
1. EXECUTIVE SUMMARY

CVSS v4 8.4
ATTENTION: Low attack complexity
Vendor: Delta Electronics
Equipment: DIAScreen
Vulnerabilities: Stack-based Buffer Overflow

2. RISK EVALUATION
Successful exploitation of this these vulnerabilities could crash the device being accessed; a buffer overflow condition may allow remote code execution.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of DIAScreen, which is a component of Delta’s DIAStudio Smart Machine Suite integrated engineering software package, are affected:

DIAScreen: versions prior to v1.5.0

3.2 Vulnerability Overview
3.2.1 Stack-based Buffer Overflow CWE-121
If an attacker tricks a valid user into running Delta Electronics DIAScreen with a file containing malicious code, a stack-based buffer overflow in BACnetObjectInfo can be exploited, allowing the attacker to remotely execute arbitrary code.
CVE-2024-47131 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2024-47131. A base score of 8.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.2 Stack-based Buffer Overflow CWE-121
If an attacker tricks a valid user into running Delta Electronics DIAScreen with a file containing malicious code, a stack-based buffer overflow in BACnetParameter can be exploited, allowing the attacker to remotely execute arbitrary code.
CVE-2024-39605 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2024-39605. A base score of 8.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.3 Stack-based Buffer Overflow CWE-121
If an attacker tricks a valid user into running Delta Electronics DIAScreen with a file containing malicious code, a stack-based buffer overflow in CEtherIPTagItem can be exploited, allowing the attacker to remotely execute arbitrary code.
CVE-2024-39354 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2024-39354. A base score of 8.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Taiwan

3.4 RESEARCHER
Natnael Samson working with Trend Micro Zero Day Initiative reported these vulnerabilities to CISA.
4. MITIGATIONS
Delta Electronics has released v1.5.0 of DIAScreen (login required) and recommends users install this update on all affected systems.
For more information, please see the Delta product cybersecurity advisory for these issues.
CISA recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.
5. UPDATE HISTORY

November 7, 2024: Initial Publication 

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 8.4
  • ATTENTION: Low attack complexity
  • Vendor: Delta Electronics
  • Equipment: DIAScreen
  • Vulnerabilities: Stack-based Buffer Overflow

2. RISK EVALUATION

Successful exploitation of this these vulnerabilities could crash the device being accessed; a buffer overflow condition may allow remote code execution.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of DIAScreen, which is a component of Delta’s DIAStudio Smart Machine Suite integrated engineering software package, are affected:

  • DIAScreen: versions prior to v1.5.0

3.2 Vulnerability Overview

3.2.1 Stack-based Buffer Overflow CWE-121

If an attacker tricks a valid user into running Delta Electronics DIAScreen with a file containing malicious code, a stack-based buffer overflow in BACnetObjectInfo can be exploited, allowing the attacker to remotely execute arbitrary code.

CVE-2024-47131 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-47131. A base score of 8.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 Stack-based Buffer Overflow CWE-121

If an attacker tricks a valid user into running Delta Electronics DIAScreen with a file containing malicious code, a stack-based buffer overflow in BACnetParameter can be exploited, allowing the attacker to remotely execute arbitrary code.

CVE-2024-39605 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-39605. A base score of 8.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.3 Stack-based Buffer Overflow CWE-121

If an attacker tricks a valid user into running Delta Electronics DIAScreen with a file containing malicious code, a stack-based buffer overflow in CEtherIPTagItem can be exploited, allowing the attacker to remotely execute arbitrary code.

CVE-2024-39354 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-39354. A base score of 8.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Energy
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Taiwan

3.4 RESEARCHER

Natnael Samson working with Trend Micro Zero Day Initiative reported these vulnerabilities to CISA.

4. MITIGATIONS

Delta Electronics has released v1.5.0 of DIAScreen (login required) and recommends users install this update on all affected systems.

For more information, please see the Delta product cybersecurity advisory for these issues.

CISA recommends users take the following measures to protect themselves from social engineering attacks:

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

5. UPDATE HISTORY

  • November 7, 2024: Initial Publication

 Read More

Canadian Man Arrested in Snowflake Data Extortions

Posted on by

​A 26-year-old man in Ontario, Canada has been arrested for allegedly stealing data from and extorting more than 160 companies that used the cloud data service Snowflake. On October 30, Canadian authorities arrested Alexander Moucka, a.k.a. Connor Riley Moucka of Kitchener, Ontario, on a provisional arrest warrant from the United States. Bloomberg first reported Moucka’s alleged ties to the Snowflake hacks on Monday. At the end of 2023, malicious hackers learned that many large companies had uploaded huge volumes of sensitive customer data to Snowflake accounts that were protected with little more than a username and password (no multi-factor authentication required). After scouring darknet markets for stolen Snowflake account credentials, the hackers began raiding the data storage repositories used by some of the world’s largest corporations. 

A 26-year-old man in Ontario, Canada has been arrested for allegedly stealing data from and extorting more than 160 companies that used the cloud data service Snowflake.

Image: https://www.pomerium.com/blog/the-real-lessons-from-the-snowflake-breach

On October 30, Canadian authorities arrested Alexander Moucka, a.k.a. Connor Riley Moucka of Kitchener, Ontario, on a provisional arrest warrant from the United States. Bloomberg first reported Moucka’s alleged ties to the Snowflake hacks on Monday.

At the end of 2023, malicious hackers learned that many large companies had uploaded huge volumes of sensitive customer data to Snowflake accounts that were protected with little more than a username and password (no multi-factor authentication required). After scouring darknet markets for stolen Snowflake account credentials, the hackers began raiding the data storage repositories used by some of the world’s largest corporations.

Among those was AT&T, which disclosed in July that cybercriminals had stolen personal information and phone and text message records for roughly 110 million people — nearly all of its customers. Wired.com reported in July that AT&T paid a hacker $370,000 to delete stolen phone records.

A report on the extortion attacks from the incident response firm Mandiant notes that Snowflake victim companies were privately approached by the hackers, who demanded a ransom in exchange for a promise not to sell or leak the stolen data. All told, more than 160 Snowflake customers were relieved of data, including TicketMasterLending TreeAdvance Auto Parts and Neiman Marcus.

Moucka is alleged to have used the hacker handles Judische and Waifu, among many others. These monikers correspond to a prolific cybercriminal whose exploits were the subject of a recent story published here about the overlap between Western, English-speaking cybercriminals and extremist groups that harass and extort minors into harming themselves or others.

On May 2, 2024, Judische claimed on the fraud-focused Telegram channel Star Chat that they had hacked Santander Bank, one of the first known Snowflake victims. Judische would repeat that claim in Star Chat on May 13 — the day before Santander publicly disclosed a data breach — and would periodically blurt out the names of other Snowflake victims before their data even went up for sale on the cybercrime forums.

404 Media reports that at a court hearing in Ontario this morning, Moucka called in from a prison phone and said he was seeking legal aid to hire an attorney.

KrebsOnSecurity has learned that Moucka is currently named in multiple indictments issued by U.S. prosecutors and federal law enforcement agencies. However, it is unclear which specific charges the indictments contain, as all of those cases remain under seal.

TELECOM DOMINOES

Mandiant has attributed the Snowflake compromises to a group it calls “UNC5537,” with members based in North America and Turkey. Sources close to the investigation tell KrebsOnSecurity the UNC5537 member in Turkey is John Erin Binns, an elusive American man indicted by the U.S. Department of Justice (DOJ) for a 2021 breach at T-Mobile that exposed the personal information of at least 76.6 million customers.

In a statement on Moucka’s arrest, Mandiant said UNC5537 aka Alexander ‘Connor’ Moucka has proven to be one of the most consequential threat actors of 2024.

“In April 2024, UNC5537 launched a campaign, systematically compromising misconfigured SaaS instances across over a hundred organizations,” wrote Austin Larsen, Mandiant’s senior threat analyst. “The operation, which left organizations reeling from significant data loss and extortion attempts, highlighted the alarming scale of harm an individual can cause using off-the-shelf tools.”

Sources involved in the investigation said UNC5537 has focused on hacking into telecommunications companies around the world. Those sources told KrebsOnSecurity that Binns and Judische are suspected of stealing data from India’s largest state-run telecommunications firm Bharat Sanchar Nigam Ltd (BNSL), and that the duo even bragged about being able to intercept or divert phone calls and text messages for a large portion of the population of India.

Judische appears to have outsourced the sale of databases from victim companies who refuse to pay, delegating some of that work to a cybercriminal who uses the nickname Kiberphant0m on multiple forums. In late May 2024, Kiberphant0m began advertising the sale of hundreds of gigabytes of data stolen from BSNL.

“Information is worth several million dollars but I’m selling for pretty cheap,” Kiberphant0m wrote of the BSNL data in a post on the English-language cybercrime community Breach Forums. “Negotiate a deal in Telegram.”

Also in May 2024, Kiberphant0m took to the Russian-language hacking forum XSS to sell more than 250 gigabytes of data stolen from an unnamed mobile telecom provider in Asia, including a database of all active customers and software allowing the sending of text messages to all customers.

On September 3, 2024, Kiberphant0m posted a sales thread on XSS titled “Selling American Telecom Access (100B+ Revenue).” Kiberphant0m’s asking price of $200,000 was apparently too high because they reposted the sales thread on Breach Forums a month later, with a headline that more clearly explained the data was stolen from Verizon‘s “push-to-talk” (PTT) customers — primarily U.S. government agencies and first responders.

404Media reported recently that the breach does not appear to impact the main consumer Verizon network. Rather, the hackers broke into a third party provider and stole data on Verizon’s PTT systems, which are a separate product marketed towards public sector agencies, enterprises, and small businesses to communicate internally.

INTERVIEW WITH JUDISCHE

Investigators say Moucka shared a home in Kitchener with other tenants, but not his family. His mother was born in Chechnya, and he speaks Russian in addition to French and English. Moucka’s father died of a drug overdose at age 26, when the defendant was roughly five years old.

A person claiming to be Judische began communicating with this author more than three months ago on Signal after KrebsOnSecurity started asking around about hacker nicknames previously used by Judische over the years (Waifu, Ned, Nedral Onfroy, Noctuliuss, and November).

Judische admitted to stealing and ransoming data from Snowflake customers, but he said he’s not interested in selling the information, and that others have done this with some of the data sets he stole.

“I’m not really someone that sells data unless it’s crypto [databases] or credit cards because they’re the only thing I can find buyers for that actually have money for the data,” Judische told KrebsOnSecurity. “The rest is just ransom.”

Judische has sent this reporter dozens of unsolicited and often profane messages from several different Signal accounts, all of which claimed to be an anonymous tipster sharing different identifying details for Judische. This appears to have been an elaborate effort by Judische to “detrace” his movements online and muddy the waters about his identity.

Judische frequently claimed he had unparalleled “opsec” or operational security, a term that refers to the ability to compartmentalize and obfuscate one’s tracks online. On several occasions, he shared screenshots and other information indicating someone with access to intelligence gathered by Mandiant had given him the company’s assessment of who and where they thought he was.

But in a conversation with KrebsOnSecurity on October 26, Judische acknowledged it was likely that the authorities were closing in on him, and said he would seriously answer certain questions about his personal life.

“They’re coming after me for sure,” he said.

In several previous conversations, Judische referenced suffering from an unspecified personality disorder, and when pressed said he has a condition called “schizotypal personality disorder” (STPD).

According to the Cleveland Clinic, schizotypal personality disorder is marked by a consistent pattern of intense discomfort with relationships and social interactions: “People with STPD have unusual thoughts, speech and behaviors, which usually hinder their ability to form and maintain relationships.”

Judische said he was prescribed medication for his psychological issues, but that he doesn’t take his meds. Which might explain why he never leaves his home.

“I never go outside,” Judische allowed. “I’ve never had a friend or true relationship not online nor in person. I see people as vehicles to achieve my ends no matter how friendly I may seem on the surface, which you can see by how fast I discard people who are loyal or [that] I’ve known a long time.”

Judische later admitted he doesn’t have an official STPD diagnosis from a physician, but said he knows that he exhibits all the signs of someone with this condition.

“I can’t actually get diagnosed with that either,” Judische shared. “Most countries put you on lists and restrict you from certain things if you have it.”

Asked whether he has always lived at his current residence, Judische replied that he had to leave his hometown for his own safety.

“I can’t live safely where I’m from without getting robbed or arrested,” he said, without offering more details.

A source familiar with the investigation said Moucka previously lived in Quebec, which he allegedly fled after being charged with harassing others on the social network Discord.

Judische claims to have made at least $4 million in his Snowflake extortions. Judische said he and others frequently targeted business process outsourcing (BPO) companies, staffing firms that handle customer service for a wide range of organizations. They also went after managed service providers (MSPs) that oversee IT support and security for multiple companies, he claimed.

“Snowflake isn’t even the biggest BPO/MSP multi-company dataset on our networks, but what’s been exfiltrated from them is well over 100TB,” Judische bragged. “Only ones that don’t pay get disclosed (unless they disclose it themselves). A lot of them don’t even do their SEC filing and just pay us to fuck off.”

INTEL SECRETS

The other half of UNC5537 — 24-year-old John Erin Binns — was arrested in Turkey in late May 2024, and currently resides in a Turkish prison. However, it is unclear if Binns faces any immediate threat of extradition to the United States, where he is currently wanted on criminal hacking charges tied to the 2021 breach at T-Mobile.

A person familiar with the investigation said Binns’s application for Turkish citizenship was inexplicably approved after his incarceration, leading to speculation that Binns may have bought his way out of a sticky legal situation.

Under the Turkish constitution, a Turkish citizen cannot be extradited to a foreign state. Turkey has been criticized for its “golden passport” program, which provides citizenship and sanctuary for anyone willing to pay several hundred thousand dollars.

This is an image of a passport that Binns shared in one of many unsolicited emails to KrebsOnSecurity since 2021. Binns never explained why he sent this in Feb. 2023.

Binns’s alleged hacker alter egos — “IRDev” and “IntelSecrets” — were at once feared and revered on several cybercrime-focused Telegram communities, because he was known to possess a powerful weapon: A massive botnet. From reviewing the Telegram channels Binns frequented, we can see that others in those communities — including Judische — heavily relied on Binns and his botnet for a variety of cybercriminal purposes.

The IntelSecrets nickname corresponds to an individual who has claimed responsibility for modifying the source code for the Mirai “Internet of Things” botnet to create a variant known as “Satori,” and supplying it to others who used it for criminal gain and were later caught and prosecuted.

Since 2020, Binns has filed a flood of lawsuits naming various federal law enforcement officers and agencies — including the FBI, the CIA, and the U.S. Special Operations Command (PDF), demanding that the government turn over information collected about him and seeking restitution for his alleged kidnapping at the hands of the CIA.

Binns claims he was kidnapped in Turkey and subjected to various forms of psychological and physical torture. According to Binns, the U.S. Central Intelligence Agency (CIA) falsely told their counterparts in Turkey that he was a supporter or member of the Islamic State (ISIS), a claim he says led to his detention and torture by the Turkish authorities.

However, in a 2020 lawsuit he filed against the CIA, Binns himself acknowledged having visited a previously ISIS-controlled area of Syria prior to moving to Turkey in 2017.

A segment of a lawsuit Binns filed in 2020 against the CIA, in which he alleges U.S. put him on a terror watch list after he traveled to Syria in 2017.

Sources familiar with the investigation told KrebsOnSecurity that Binns was so paranoid about possible surveillance on him by American and Turkish intelligence agencies that his erratic behavior and online communications actually brought about the very government snooping that he feared.

In several online chats in late 2023 on Discord, IRDev lamented being lured into a law enforcement sting operation after trying to buy a rocket launcher online. A person close to the investigation confirmed that at the beginning of 2023, IRDev began making earnest inquiries about how to purchase a Stinger, an American-made portable weapon that operates as an infrared surface-to-air missile.

Sources told KrebsOnSecurity Binns’ repeated efforts to purchase the projectile earned him multiple visits from the Turkish authorities, who were justifiably curious why he kept seeking to acquire such a powerful weapon.

WAIFU

A careful study of Judische’s postings on Telegram and Discord since 2019 shows this user is more widely known under the nickname “Waifu,” a moniker that corresponds to one of the more accomplished “SIM swappers” in the English-language cybercrime community over the years.

SIM swapping involves phishing, tricking or bribing mobile phone company employees for credentials needed to redirect a target’s mobile phone number to a device the attackers control — allowing thieves to intercept incoming text messages and phone calls.

Several SIM-swapping channels on Telegram maintain a frequently updated leaderboard of the 100 richest SIM-swappers, as well as the hacker handles associated with specific cybercrime groups (Waifu is ranked #24). That list has long included Waifu on a roster of hackers for a group that called itself “Beige.”

The term “Beige Group” came up in reporting on two stories published here in 2020. The first was in an August 2020 piece called Voice Phishers Targeting Corporate VPNs, which warned that the COVID-19 epidemic had brought a wave of targeted voice phishing attacks that tried to trick work-at-home employees into providing access to their employers’ networks. Frequent targets of the Beige group included employees at numerous top U.S. banks, ISPs, and mobile phone providers.

The second time Beige Group was mentioned by sources was in reporting on a breach at the domain registrar GoDaddy. In November 2020, intruders thought to be associated with the Beige Group tricked a GoDaddy employee into installing malicious software, and with that access they were able to redirect the web and email traffic for multiple cryptocurrency trading platforms. Other frequent targets of the Beige group included employees at numerous top U.S. banks, ISPs, and mobile phone providers.

Judische’s various Telegram identities have long claimed involvement in the 2020 GoDaddy breach, and he didn’t deny his alleged role when asked directly. Judische said he prefers voice phishing or “vishing” attacks that result in the target installing data-stealing malware, as opposed to tricking the user into entering their username, password and one-time code.

“Most of my ops involve malware [because] credential access burns too fast,” Judische explained.

CRACKDOWN ON HARM GROUPS?

The Telegram channels that the Judische/Waifu accounts frequented over the years show this user divided their time between posting in channels dedicated to financial cybercrime, and harassing and stalking others in harm communities like Leak Society and Court.

Both of these Telegram communities are known for victimizing children through coordinated online campaigns of extortion, doxing, swatting and harassment. People affiliated with harm groups like Court and Leak Society will often recruit new members by lurking on gaming platforms, social media sites and mobile applications that are popular with young people, including DiscordMinecraftRobloxSteamTelegram, and Twitch.

“This type of offence usually starts with a direct message through gaming platforms and can move to more private chatrooms on other virtual platforms, typically one with video enabled features, where the conversation quickly becomes sexualized or violent,” warns a recent alert from the Royal Canadian Mounted Police (RCMP) about the rise of sextortion groups on social media channels.

“One of the tactics being used by these actors is sextortion, however, they are not using it to extract money or for sexual gratification,” the RCMP continued. “Instead they use it to further manipulate and control victims to produce more harmful and violent content as part of their ideological objectives and radicalization pathway.”

Some of the largest such known groups include those that go by the names 764, CVLT, Kaskar, 7997888429926996555Slit Town545404NMK303, and H3ll.

On the various cybercrime-oriented channels Judische frequented, he often lied about his or others’ involvement in various breaches. But Judische also at times shared nuggets of truth about his past, particularly when discussing the early history and membership of specific Telegram- and Discord-based cybercrime and harm groups.

Judische claimed in multiple chats, including on Leak Society and Court, that they were an early member of the Atomwaffen Division (AWD), a white supremacy group whose members are suspected of having committed multiple murders in the U.S. since 2017.

In 2019, KrebsOnSecurity exposed how a loose-knit group of neo-Nazis, some of whom were affiliated with AWD, had doxed and/or swatted nearly three dozen journalists at a range of media publications. Swatting involves communicating a false police report of a bomb threat or hostage situation and tricking authorities into sending a heavily armed police response to a targeted address.

Judsiche also told a fellow denizen of Court that years ago he was active in an older harm community called “RapeLash,” a truly vile Discord server known for attracting Atomwaffen members. A 2018 retrospective on RapeLash posted to the now defunct neo-Nazi forum Fascist Forge explains that RapeLash was awash in gory, violent images and child pornography.

A Fascist Forge member named “Huddy” recalled that RapeLash was the third incarnation of an extremist community also known as “FashWave,” short for Fascist Wave.

“I have no real knowledge of what happened with the intermediary phase known as ‘FashWave 2.0,’ but FashWave 3.0 houses multiple known Satanists and other degenerates connected with AWD, one of which got arrested on possession of child pornography charges, last I heard,” Huddy shared.

In June 2024, a Mandiant employee told Bloomberg that UNC5537 members have made death threats against cybersecurity experts investigating the hackers, and that in one case the group used artificial intelligence to create fake nude photos of a researcher to harass them.

Allison Nixon is chief research officer with the New York-based cybersecurity firm Unit 221B. Nixon is among several researchers who have faced harassment and specific threats of physical violence from Judische.

Nixon said Judische is likely to argue in court that his self-described psychological disorder(s) should somehow excuse his long career in cybercrime and in harming others.

“They ran a misinformation campaign in a sloppy attempt to cover up the hacking campaign,” Nixon said of Judische. “Coverups are an acknowledgment of guilt, which will undermine a mental illness defense in court. We expect that violent hackers from the [cybercrime community] will experience increasingly harsh sentences as the crackdown continues.”

 

Read More

CISA Adds Two Known Exploited Vulnerabilities to Catalog

Posted on by

 ​CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

CVE-2024-8957 PTZOptics PT30X-SDI/NDI Cameras OS Command Injection Vulnerability
CVE-2024-8956 PTZOptics PT30X-SDI/NDI Cameras Authentication Bypass Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.
Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.
Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria. 

CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

  • CVE-2024-8957 PTZOptics PT30X-SDI/NDI Cameras OS Command Injection Vulnerability
  • CVE-2024-8956 PTZOptics PT30X-SDI/NDI Cameras Authentication Bypass Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

 Read More

Booking.com Phishers May Leave You With Reservations

Posted on by

​A number of cybercriminal innovations are making it easier for scammers to cash in on your upcoming travel plans. This story examines a recent spear-phishing campaign that ensued when a California hotel had its booking.com credentials stolen. We’ll also explore an array of cybercrime services aimed at phishers who target hotels that rely on the world’s most visited travel website. 

A number of cybercriminal innovations are making it easier for scammers to cash in on your upcoming travel plans. This story examines a recent spear-phishing campaign that ensued when a California hotel had its booking.com credentials stolen. We’ll also explore an array of cybercrime services aimed at phishers who target hotels that rely on the world’s most visited travel website.

According to the market share website statista.com, booking.com is by far the Internet’s busiest travel service, with nearly 550 million visits in September. KrebsOnSecurity last week heard from a reader whose close friend received a targeted phishing message within the Booking mobile app just minutes after making a reservation at a California.

The missive bore the name of the hotel and referenced details from their reservation, claiming that booking.com’s anti-fraud system required additional information about the customer before the reservation could be finalized.

The phishing message our reader’s friend received after making a reservation at booking.com in late October.

In an email to KrebsOnSecurity, booking.com confirmed one of its partners had suffered a security incident that allowed unauthorized access to customer booking information.

“Our security teams are currently investigating the incident you mentioned and can confirm that it was indeed a phishing attack targeting one of our accommodation partners, which unfortunately is not a new situation and quite common across industries,” booking.com replied. “Importantly, we want to clarify that there has been no compromise of Booking.com’s internal systems.”

The phony booking.com website generated by visiting the link in the text message.

Booking.com said it now requires 2FA, which forces partners to provide a one-time passcode from a mobile authentication app (Pulse) in addition to a username and password.

“2FA is required and enforced, including for partners to access payment details from customers securely,” a booking.com spokesperson wrote. “That’s why the cybercriminals follow-up with messages to try and get customers to make payments outside of our platform.”

“That said, the phishing attacks stem from partners’ machines being compromised with malware, which has enabled them to also gain access to the partners’ accounts and to send the messages that your reader has flagged,” they continued.

It’s unclear, however, if the company’s 2FA requirement is enforced for all or just newer partners. Booking.com did not respond to questions about that, and its current account security advice urges customers to enable 2FA.

A scan of social media networks showed this is not an uncommon scam.

In November 2023, the security firm SecureWorks detailed how scammers targeted booking.com hospitality partners with data-stealing malware. SecureWorks said these attacks had been going on since at least March 2023.

“The hotel did not enable multi-factor authentication (MFA) on its Booking.com access, so logging into the account with the stolen credentials was easy,” SecureWorks said of the booking.com partner it investigated.

In June 2024, booking.com told the BBC that phishing attacks targeting travelers had increased 900 percent, and that thieves taking advantage of new artificial intelligence (AI) tools were the primary driver of this trend.

Booking.com told the BCC the company had started using AI to fight AI-based phishing attacks. Booking.com’s statement said their investments in that arena “blocked 85 million fraudulent reservations over more than 1.5 million phishing attempts in 2023.”

The domain name in the phony booking.com website sent to our reader’s friend — guestssecureverification[.]com — was registered to the email address ilotirabec207@gmail.com. According to DomainTools.com, this email address was used to register more than 700 other phishing domains in the past month alone.

Many of the 700+ domains appear to target hospitality companies, including platforms like booking.com and Airbnb. Others seem crafted to phish users of Shopify, Steam, and a variety of financial platforms. A full, defanged list of domains is available here.

A cursory review of recent posts across dozens of cybercrime forums monitored by the security firm Intel 471 shows there is a great demand for compromised booking.com accounts belonging to hotels and other partners.

One post last month on the Russian-language hacking forum BHF offered up to $5,000 for each hotel account. This seller claims to help people monetize hacked booking.com partners, apparently by using the stolen credentials to set up fraudulent listings.

A service advertised on the English-language crime community BreachForums in October courts phishers who may need help with certain aspects of their phishing campaigns targeting booking.com partners. Those include more than two million hotel email addresses, and services designed to help phishers organize large volumes of phished records. Customers can interact with the service via an automated Telegram bot.

Some cybercriminals appear to have used compromised booking.com accounts to power their own travel agencies catering to fellow scammers, with up to 50 percent discounts on hotel reservations through booking.com. Others are selling ready-to-use “config” files designed to make it simple to conduct automated login attempts against booking.com administrator accounts.

SecureWorks found the phishers targeting booking.com partner hotels used malware to steal credentials. But today’s thieves can just as easily just visit crime bazaars online and purchase stolen credentials to cloud services that do not enforce 2FA for all accounts.

That is exactly what transpired over the past year with many customers of the cloud data storage giant Snowflake. In late 2023, cybercriminals figured out that while tons of companies had stashed enormous amounts of customer data at Snowflake, many of those customer accounts were not protected by 2FA.

Snowflake responded by making 2FA mandatory for all new customers. But that change came only after thieves used stolen credentials to siphon data from 160 companies — including AT&T, Lending Tree and TicketMaster.

 

Read More

Scroll to Top