Features 14.09.2023
The Five Worst Cybersecurity Holes of 2023
Patching security holes is an exhausting but essential part of risk management. Assured Intelligence looks at some of 2023’s biggest security flaws
Features 14.09.2023
Patching security holes is an exhausting but essential part of risk management. Assured Intelligence looks at some of 2023’s biggest security flaws
Security holes are a matter of fact, but keeping up with them and patching on time can be exhausting. Never has this felt more apparent than in 2023. Nine months into the year, it feels like a decade’s worth of security vulnerabilities have been discovered since the clock struck midnight on New Year’s Day.
On the surface, this might seem like bad news. On the contrary, it’s actually a good thing because it shows security researchers are finding holes, and companies are (hopefully) keeping up with patching them.
With so many bugs being discovered, what does a bad security hole look like in 2023? We asked experts to share what they believe to be the five worst security flaws of the year so far, and they’ve kindly thrown in some advice on how to manage patching within your organisation.
Read on, take note, and make sure you’ve already applied the patches to fix these potentially catastrophic flaws.
As close to a household name as you get in the cyber world, experts cited the MOVEit flaw as the worst security bug of 2023. First exposed in May, the vulnerability in Progress Software’s MOVEit Transfer product was dangerous because it could ultimately allow an attacker to access precious information. “The vulnerability was a SQL injection flaw (click to learn what that means) that allowed the attackers to access customer data,” says independent security researcher Sean Wright.
Making things worse, the issue was already being used in attacks by the Cl0p ransomware group, who threatened to leak their victims’ data if they didn’t respond.
The beleaguered MOVEit product didn’t get away with just one issue – researchers later found additional flaws, creating the need for another patch release. In mid-June, a third and final patch was issued for yet more bugs, tracked as CVE-2023-35708.
Needless to say, the impact was wide-reaching, making MOVEit fully deserving of a place on this list. Numerous warnings were issued, including advisories from the US Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the UK’s National Cyber Security Centre.
Experts say Progress Software handled the process well, but the flaw is still having an impact two months after first being revealed. As of July 2023, it was believed that the criminal group behind the attack had managed to affect over 500 organisations. “It has also been estimated that the group could have made anywhere from $75 million to $100 million from the attack,” Wright says.
In addition, many businesses were slow to react, says Wright, and some have still not applied the patch.
Microsoft is a good patcher, issuing monthly fixes as part of its Patch Tuesday updates. But some of the flaws it fixes are more dangerous than others, and experts have picked March’s Outlook vulnerability as the worst of this year.
Tracked as CVE-2023-23397, the critical Microsoft Outlook issue was given a CVSS rating of 9.8. In case you’re wondering, that’s bad. This flaw was already being used in attacks by Russia-linked adversaries targeting critical infrastructure. The security hole was pretty easy to exploit: Cyber criminals could launch their attack by sending a specially crafted email which triggers automatically when it is retrieved and processed by the Outlook client, Microsoft warned.
“The thing that made this vulnerability so dangerous is that it didn’t require any user interaction to exploit,” says Wright. He points out how widely Outlook and Exchange are used for work emails. “The vulnerability [enabled] the attacker to obtain a user’s NTLMv2 hashes, which is almost as good as obtaining login credentials. Many Microsoft services use this for authentication, so the attacker could potentially perform actions as the victim.”
The flaw was serious, but Wright praises Microsoft for its approach to the fix, which was urgently treated and detailed in an advisory.
First revealed in May, a severe vulnerability cited by experts as one of the worst of the year is CVE-2023-2868, a remote command injection vulnerability in Barracuda’s Email Security Gateway (ESG) Appliance. To clarify, this type of security flaw allows an attacker to execute commands or code on a remote system or device.
When a patch was issued, the flaw had already been used in attacks dating back to October 2022, with security outfit Mandiant explaining how adversaries exploited the vulnerability to gain initial access to victims’ systems and create backdoors.
With a CVSS score of 9.8 (again, ouch), the critical vulnerability could allow attackers to exploit the device and drop malware into it, says Ian Thornton-Trump, CISO at security firm Cyjax.“Mandiant assessed with high confidence that the threat actor, identified as UNC4841, conducted targeted information gathering activity from a subset of organisations supporting the People’s Republic of China,” he explains.
Barracuda later told customers to replace ESG appliances impacted by the vulnerability. While Thornton-Trump questions this advice, he says Barracuda and Mandiant were “both very transparent and fully disclosed the compromise”. However, given the seriousness of the bug and the evidence it was used in attacks, Thornton-Trump calls the CISA warning to “verify that threat actors have not compromised” customer enterprise networks “very ominous”.
“Customers who used enterprise privileged credentials for management of their Barracuda appliance (such as Active Directory Domain Admin or similar) should take immediate incident investigation steps to validate the use and behaviour of all credentials used on the appliance,” CISA said.
“That sounds like an absolute nightmare to deal with,” Thornton-Trump retorts.
A recently discovered flaw is the Invanti Endpoint Manager Mobile (EPMM) vulnerability, which has the official tracking ID of CVE-2023-35078.
Detailed in a security advisory on Invanti’s website in July 2023, the flaw could allow a remote attacker to access a user’s personal information and allow adversaries to make changes on an associated server.
Wright explains why the issue is worrying: “This software is responsible for managing a user’s device, and the vulnerability has already been actively exploited by attackers, with victims including Norwegian government agencies.”
Another recent vulnerability is CVE-2023-3519, a code execution issue in Citrix products already being used in attacks. The fix for the flaw – which again has a near maximum CVSS score of 9.8 – came alongside patches for multiple other vulnerabilities in its NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) tools.
CISA has also warned organisations about the Citrix bug, which it said was used in attacks in June against a critical infrastructure organisation. “In June 2023, threat actors exploited this vulnerability as a zero-day to drop a webshell on a critical infrastructure organisation’s non-production environment NetScaler ADC appliance,” CISA said in an advisory.
So there you have it. Five ‘top-tier’ security holes in 2013. It’s time to dig out the Polyfilla…
As these alarming issues show, timely patching is integral to risk management and cybersecurity. First things first, it’s essential to understand what is vulnerable on your network, says Daniel Dos Santos, head of security research at Forescout. “In many cases, vulnerabilities affect multiple types of assets on a network and different versions at the same time, which makes it challenging to identify them.”
He cites the example of Log4Shell, the cyber issue that many cybersecurity experts call ‘the worst of 2022.’
It’s also important to be proactive. Security researcher Sean Wright advises paying attention to the CISA Known Exploited Vulnerabilities list and looking for vendor website updates. “If you find a vulnerability for software you run, you should update as a matter of urgency,” Wright says.
It’s also a good idea to ensure everyone is on board. Make all employees aware of the importance of your patching regime and ensure it is enforced across the organisation, ideally with tools such as Group Policy in Windows estates, says Duncan Wright, threat intelligence consultant at cybersecurity agency e2e Assure.
Be aware that patching can come with its own issues, says e2e Assure’s Wright. “A few times over the years, Microsoft has released a patch in good faith, and while it has had the desired effect, it’s also had an unintentional and negative impact. Aim to initially patch secondary or disaster-recovery environments and monitor for impact before moving on to live environments,” he advises.
The worst security issues of the year to date should be an incentive to ensure patching is done correctly in your organisation. Stay on top of it, read the news and ensure everyone is on board with your approach.