Top 5 Security Vulnerabilities of 2023
Why 2023 is a year of ‘digital forest fires’: New Attack Surface Intelligence Research from SecurityScorecard
2023 is a year of “digital forest fires.” The MOVEit and Barracuda Networks Email Security Gateway supply chain attacks underscore the massive butterfly effect a single software flaw can have on the threat landscape.
Supply chain attacks spread like a forest fire. Once cybercriminals compromise widely used software, attackers gain access to potentially all organizations that use that software.
MOVEit is a powerful reminder of the persistent threat cyberattacks pose to society. SecurityScorecard’s Threat Research, Intelligence, Knowledge, and Engagement (STRIKE) Team researchers were the first to report detecting 1,800 to 2,500 vulnerable MOVEit servers across approximately 7,000 organizations, including 200 government agencies. It underscores the imminent threat posed by third-party cyber risk, yet many organizations still struggle to gain full visibility into the security posture of their third and fourth parties.
Forrester’s State of Third-Party Risk Management report shows that “among security decision-makers who experienced a breach in the past 12 months, 55% reported the incident or breach involved a supply chain or third-party provider.”
As we enter the second half of the year, the STRIKE team analyzed the top 5 most critical vulnerabilities thus far in 2023 based on proprietary attack surface intelligence. Despite recent developments with the MOVEit vulnerability, it surprisingly did not make the top 5 list.
Evolving tactics
Our analysis found that cybercriminal groups are evolving their tactics faster than organizations can pivot their cybersecurity measures. For example, cybercriminal groups such as Cl0P are increasingly targeting new software products, discovering zero-day vulnerabilities early, and waiting to exploit these until the product gains a significant user base.
Despite not making the top 5, the MOVEit vulnerability is noteworthy because of how the Cl0p group exploited it. Cl0p is reported to have sat on the flaw for roughly two years before deploying it, a prime example of this shift: waiting broadens the potential ‘blast radius’ of an attack, so the damage is greater when the group finally chooses to strike.
Research methodology
STRIKE operates one of the largest SIGINT collection networks, which enables the identification of threat actors before they attack. STRIKE also works to unmask and attribute them (human tracking), putting faces to the cybercriminals behind the keyboard.
STRIKE used access to exclusive Internet Traffic Flow (NetFlow) data from partners and combined it with SecurityScorecard’s Attack Surface Intelligence data to determine the top five vulnerabilities by several metrics, including counts of unique domains, unique observations, and the total issue count.
The team identified and carefully vetted the vulnerabilities that topped any of these categories in order to better understand and analyze their impact across industries. The vulnerabilities that ended up in the rankings are not necessarily the ones that heavily affected all
Top 5 vulnerabilities of 2023…so far
1. CVE-2021-41617 (OpenSSH 6.2 through 8.7)
- Unique domain count: 628,357
- Unique measurement count: 9,749,419
- Most impacted industries: Food, Hospitality, Information Services
CVE-2021-41617 was discovered in OpenSSH, the most widely used implementation of the SSH protocol, and affects sshd in versions 6.2 through 8.7. The helper programs configured with AuthorizedKeysCommand and AuthorizedPrincipalsCommand are executed without their supplemental groups being initialized as expected, so when sshd_config directs sshd to run such a helper as a different user (AuthorizedKeysCommandUser or AuthorizedPrincipalsCommandUser), the helper may run with the group memberships of the sshd process. The result is a potential privilege escalation through the helper. The flaw is only reachable on servers that use those directives; the exposure counts above reflect advertised versions, not whether the directives are configured.
Exposure Management: The fix shipped in OpenSSH 8.8. Update to 8.8 or later, or to a distribution build that backports the fix, and review sshd_config for AuthorizedKeysCommand and AuthorizedPrincipalsCommand entries, since those are the only configurations in which the flaw can be triggered.
2. CVE-2020-14145 (OpenSSH 5.7 through 8.4)
- Unique domain count: 558,803
- Unique measurement count: 9,516,581
- Most impacted industries: Entertainment, Technology, Healthcare
CVE-2020-14145 was also discovered in OpenSSH, in the client side of versions 5.7 through 8.4. It is characterized as an Observable Discrepancy (CWE-203) that leaks information during algorithm negotiation: the client orders the host-key algorithms it offers according to the key type it already has in known_hosts, so the offer itself reveals whether the server’s key is known.
This allows a man-in-the-middle attacker to target initial connection attempts, where no host key for the server has been cached and a forged key would not trigger a mismatch warning. Because the flaw is in the client, a server banner in this version range shows that the installed OpenSSH package is affected, not that the server itself is attackable.
Exposure Management: The OpenSSH team has not planned to change the behavior of OpenSSH regarding this issue, though a partial mitigation has been provided. Users should only connect to SSH servers whose host keys they have verified, and should treat a first-connection host key prompt as a real decision rather than a formality.
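As an added example (not part of the original article or of SecurityScorecard’s tooling), the Python below shows the kind of measurement behind the domain counts above, a version-range check over SSH identification banners mapped onto these two OpenSSH CVEs, and adds the check a practitioner actually needs for CVE-2021-41617: whether sshd_config runs an AuthorizedKeysCommand or AuthorizedPrincipalsCommand helper as a non-root user. The banners, the sshd_config fragment, the helper path and the user name are constructed samples, not real scan data.

```python
"""Banner and configuration checks for CVE-2021-41617 and CVE-2020-14145 (added example)."""
import re

# Affected upstream version ranges, inclusive, as stated in the CVE records.
OPENSSH_CVES = [
    ("CVE-2021-41617", (6, 2), (8, 7)),  # sshd helper keeps sshd's supplemental groups; fixed in 8.8
    ("CVE-2020-14145", (5, 7), (8, 4)),  # client host-key algorithm ordering leaks known_hosts state
]

_BANNER_RE = re.compile(r"^SSH-2\.0-OpenSSH_(\d+)\.(\d+)")


def openssh_version(banner: str):
    """(major, minor) from an SSH identification string, or None if it is not OpenSSH."""
    m = _BANNER_RE.match(banner.strip())
    return (int(m.group(1)), int(m.group(2))) if m else None


def banner_cves(banner: str):
    """CVE IDs whose upstream affected range contains the banner's version."""
    ver = openssh_version(banner)
    if ver is None:
        return []
    return [cve for cve, lo, hi in OPENSSH_CVES if lo <= ver <= hi]


def reachable_41617(sshd_config: str):
    """Return (command, user) pairs from the global scope of an sshd_config in which
    CVE-2021-41617 is reachable: an AuthorizedKeysCommand or AuthorizedPrincipalsCommand
    that sshd runs as a non-root user. Parsing stops at the first Match block, which
    would need its own review; this is a simplification of sshd's real config handling."""
    directives = {}
    for raw in sshd_config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == "match":
            break
        if len(parts) == 2:
            directives.setdefault(parts[0].lower(), parts[1].strip())  # sshd: first value wins
    hits = []
    for cmd_key, user_key in (("authorizedkeyscommand", "authorizedkeyscommanduser"),
                              ("authorizedprincipalscommand", "authorizedprincipalscommanduser")):
        cmd = directives.get(cmd_key, "none")
        user = directives.get(user_key)
        if cmd.lower() != "none" and user and user != "root":
            hits.append((cmd, user))
    return hits


# Constructed sample data for illustration; not real scan results or a real host's config.
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_7.4",
    "SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u1",
    "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6",
    "SSH-2.0-dropbear_2020.81",
]
SAMPLE_SSHD_CONFIG = """
# constructed sshd_config fragment; helper path and user are invented
Port 22
AuthorizedKeysCommand /usr/local/bin/fetch-keys %u
AuthorizedKeysCommandUser keyfetch
"""

if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        print(f"{b:45} -> {banner_cves(b) or 'no match'}")
    print("CVE-2021-41617 reachable via:", reachable_41617(SAMPLE_SSHD_CONFIG))
```

Two caveats apply to any banner-based count, including the figures in this article: distributions that backport security fixes while keeping the upstream version string (a common practice on long-term-support releases) will be flagged as affected by this check, and CVE-2020-14145 is a client-side issue, so a matching server banner says the installed package is affected, not that the server is exploitable. The sshd_config check narrows CVE-2021-41617 to the hosts where it can actually be triggered.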
3. CVE-2022-22719 (Apache HTTP Server 2.4.52 and earlier)
- Unique domain count: 484,699
- Unique measurement count: 6,668,652
- Most impacted industries: Insurance, Pharmaceutical, Construction
Apache HTTP Server, the world’s most widely used web server software, has had its share of notorious vulnerabilities. CVE-2022-22719, first reported in 2022, is rated moderate by the httpd project, while NVD scores it as high severity.
According to the Apache HTTP Server Project, the flaw is in mod_lua: a carefully crafted request body passed to r:parsebody() causes a read from uninitialized memory, which can crash the worker process and so cause a Denial of Service (DoS). It is reachable only on servers that load mod_lua and run a Lua handler that calls r:parsebody().
Exposure Management: The vulnerability affects Apache HTTP Server versions 2.4.52 and earlier. The Apache Software Foundation released the fix in version 2.4.53. Users are strongly advised to update to 2.4.53 or later, or to a distribution build that backports the fix.
4. CVE-2022-22721 (Apache HTTP Server 2.4.52 and earlier)
- Unique domain count: 628,357
- Unique measurement count: 9,749,419
- Most impacted industries: Insurance, Pharmaceutical, Construction
CVE-2022-22721 is a possible buffer overflow in the httpd core when LimitXMLRequestBody is set very large or unlimited. If the directive allows XML request bodies larger than 350 MB (the default is 1,000,000 bytes) on a 32-bit system, an integer overflow occurs that later causes out-of-bounds writes. An attacker could use this to crash the server or possibly execute arbitrary code. It affects Apache HTTP Server 2.4.52 and earlier and is fixed in 2.4.53.
Exposure Management: Upgrade to 2.4.53 or later. Where an upgrade must wait, keep LimitXMLRequestBody below 350 MB; do not set it to 0, because 0 means unlimited and leaves the overflow reachable. The advisory scopes the overflow to 32-bit builds, but the limit is worth enforcing regardless, since an unlimited XML body is also a plain memory-exhaustion risk.
5. CVE-2022-22720 (Apache HTTP Server 2.4.52 and earlier)
- Unique domain count: 628,357
- Unique measurement count: 9,749,419
- Most impacted industries: Insurance, Pharmaceutical, Construction
CVE-2022-22720 is an HTTP request smuggling vulnerability affecting Apache HTTP Server 2.4.52 and earlier, rated important by the httpd project. When the server encounters an error while discarding an inbound request body, it fails to close the connection, so the unread body stays on the connection and is parsed as the start of the next request. This is the classic request smuggling condition: leftover bytes on a reused connection are interpreted as a new request that the attacker controls.
Exposure Management: The Apache Software Foundation fixed this in version 2.4.53. All users of affected versions should upgrade to 2.4.53 or later, or apply their distribution’s backported fix. The risk is highest where httpd sits behind a load balancer or reverse proxy that reuses backend connections across clients, since a smuggled request can then be attributed to, or poison the response for, another user.
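As an added example (not part of the original article or of SecurityScorecard’s tooling), the Python below does two things a practitioner would want for these three httpd CVEs: it maps an advertised Server header onto the 2.4.53 fix version, treating a hidden version as unknown rather than safe, and it scans an httpd.conf for LimitXMLRequestBody settings that leave the CVE-2022-22721 overflow reachable. The Server headers and the configuration fragment are constructed samples.

```python
"""Version and configuration checks for CVE-2022-22719/22720/22721 (added example)."""
import re

# All three CVEs were fixed upstream in the same httpd release.
HTTPD_CVES = ["CVE-2022-22719", "CVE-2022-22720", "CVE-2022-22721"]
FIXED_IN = (2, 4, 53)

# From the CVE-2022-22721 advisory: XML bodies above 350 MB overflow on 32-bit builds.
LIMIT_XML_THRESHOLD = 350 * 1024 * 1024
LIMIT_XML_DEFAULT = 1000000  # httpd default for LimitXMLRequestBody, in bytes

_SERVER_RE = re.compile(r"^Apache/(\d+)\.(\d+)\.(\d+)")


def httpd_version(server_header: str):
    """(major, minor, patch) from a Server header, or None when the version is hidden
    (ServerTokens Prod yields just 'Apache') or the server is not httpd at all."""
    m = _SERVER_RE.match(server_header.strip())
    return tuple(int(g) for g in m.groups()) if m else None


def header_cves(server_header: str):
    """CVE IDs implied by the advertised version. None means 'unknown', which a
    scanner must report as such rather than as 'fixed'."""
    ver = httpd_version(server_header)
    if ver is None:
        return None
    return list(HTTPD_CVES) if ver < FIXED_IN else []


def limit_xml_findings(httpd_conf: str):
    """Every LimitXMLRequestBody directive in the config as (line_no, value, risky).
    risky is True when the value is 0 (unlimited) or above the 350 MB threshold,
    i.e. when CVE-2022-22721 is reachable on a 32-bit build. If the config has no
    such directive, the default LIMIT_XML_DEFAULT applies and is not risky."""
    findings = []
    for line_no, raw in enumerate(httpd_conf.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()
        if len(parts) == 2 and parts[0].lower() == "limitxmlrequestbody":
            value = int(parts[1])  # the directive takes a plain byte count, no size suffix
            findings.append((line_no, value, value == 0 or value > LIMIT_XML_THRESHOLD))
    return findings


# Constructed sample data for illustration; not real scan results or a real host's config.
SAMPLE_SERVER_HEADERS = ["Apache/2.4.52 (Ubuntu)", "Apache/2.4.57 (Debian)", "Apache", "nginx/1.24.0"]
SAMPLE_HTTPD_CONF = """# constructed httpd.conf fragment
LimitRequestBody 10485760
<VirtualHost *:443>
    LimitXMLRequestBody 0
</VirtualHost>
<VirtualHost *:8080>
    LimitXMLRequestBody 1000000
</VirtualHost>
"""

if __name__ == "__main__":
    for h in SAMPLE_SERVER_HEADERS:
        cves = header_cves(h)
        print(f"{h:28} -> {'version unknown' if cves is None else (cves or 'fixed')}")
    findings = limit_xml_findings(SAMPLE_HTTPD_CONF)
    if not findings:
        print(f"no LimitXMLRequestBody directive; default {LIMIT_XML_DEFAULT} bytes applies")
    for line_no, value, risky in findings:
        print(f"line {line_no}: LimitXMLRequestBody {value} -> {'RISKY' if risky else 'ok'}")
```

The same backport caveat as for SSH banners applies here: distributions such as RHEL ship an older 2.4.x version string with later security fixes applied, so a Server header alone overstates exposure, and ServerTokens Prod hides the version entirely, which is why header_cves returns None rather than an empty list in that case. CVE-2022-22720 has no configuration knob to inspect; request smuggling is purely a version problem, and short of upgrading the only confirmation is a smuggling probe against a test system.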
What lies ahead for 2023?
As we move into the second half of 2023, we anticipate a continuation of this trend of threat actors targeting newly released software products. Cybercriminal groups will continue to identify and exploit zero-day vulnerabilities, increasing the scope and severity of potential attacks. We foresee ransomware groups, in particular, employing this strategy to maximize their impact.
Other groups will seek to adopt the tactics Cl0p used against MOVEit, which points to a future trend of similar strategies. Cl0p discovered the MOVEit flaw and was initially the only group exploiting it, which made the exploit unique at the time. Other groups may follow suit, identifying unique vulnerabilities and holding onto them until the time is right to strike.
As the landscape of cyber threats continues to evolve, so must our strategies to combat them. Stay safe, stay updated, and stay one step ahead of the cybercriminals.
About Jared Smith
Dr. Jared Smith is a Distinguished Engineer and leads Research & Development Strategy at SecurityScorecard. He supports the company’s mission of helping make the world a safer place, focusing on attack surface intelligence research for SecurityScorecard customers including Bank of America, Liberty Mutual, the Federal Bureau of Investigation, Department of Justice (DOJ), PricewaterhouseCoopers, Pepsi, and Google. Jared is also an Adjunct Professor at the University of Tennessee, Knoxville and New York University (NYU).
Prior to SecurityScorecard, Jared was the Lead Scientist for artificial intelligence in cybersecurity at Oak Ridge National Lab (ORNL), the nation’s largest open science Department of Energy (DOE) Research and Development (R&D) lab, where he led R&D projects for the Department of Defense, Department of Homeland Security, DOE, and United States Intelligence agencies. While at ORNL, he helped lead the design and execution of the U.S. Navy’s cyber grand challenges focused on evaluating commercial endpoint detection and response and network intrusion detection system tools. Prior to ORNL, Jared was a security researcher at Cisco and acting chief technology officer or consultant for several startups.
Jared has a Ph.D. in Computer Science from the University of Tennessee, where he founded and led the annual UT hackathon, VolHacks, and the Cyber Security student organization, HackUTK. Jared is a co-founder of the Knoxville City Hackathon, KNXHX, a Mayor-endorsed, public and privately sponsored hackathon with a focus on solving city and county challenges with open data.