Chapter 8: Unveiling the Unknown: Notable Developments on Zero-Day Vulnerabilities

 

Sophisticated assailants typically choose tactics that evade easy detection, circumventing standard protections by leveraging undiscovered flaws in systems and software, commonly known as zero-day vulnerabilities.

These vulnerabilities are attractive to attackers as they enable stealthy infiltrations, often without the victim’s interaction or awareness, marking them as a widespread and alarming tactic in the cyber threat environment.

 

Notes on top exploited zero-day vulnerabilities

  • A new variant of the P2Pinfect malware, targeting MIPS devices, was discovered exploiting the CVE-2022-0543 vulnerability, primarily affecting Redis servers. This evolved version of P2Pinfect is more stealthy and scans for SSH servers using weak credentials, attempting to upload its MIPS binary via SFTP and SCP. The enhanced evasion capabilities of this malware variant mark a significant development in its sophistication and targeting methodology.
  • Over three thousand Apache ActiveMQ servers, widely used in enterprise environments, were found exposed online and vulnerable to a critical remote code execution (RCE) vulnerability, identified as CVE-2023-46604. This vulnerability allows attackers to execute arbitrary shell commands by exploiting serialized class types in the OpenWire protocol.
  • A set of vulnerabilities collectively named LogoFAIL has been discovered, affecting image-parsing components in UEFI firmware across various vendors. These vulnerabilities can be exploited to hijack the booting process and install UEFI bootkits through manipulated bootup logos. LogoFAIL poses a significant security risk as it allows the execution of malicious payloads by injecting image files into the EFI System Partition (ESP). This vulnerability impacts a broad range of devices across x86 and ARM architectures and is not silicon-specific, affecting products from major device manufacturers and custom UEFI firmware providers.
  • A Mirai-based botnet named ‘InfectedSlurs’ is actively exploiting two zero-day vulnerabilities in QNAP VioStor NVR (Network Video Recorder) devices. The first vulnerability, tracked as CVE-2023-49897, affects FXC AE1021 and AE1021PE WiFi routers, while the second, CVE-2023-47565, is a high-severity OS command injection impacting certain QNAP VioStor NVR models. This botnet’s exploitation of these vulnerabilities enables it to hijack devices and integrate them into a DDoS swarm.
  • Comcast’s Xfinity disclosed a significant data breach affecting over 35 million people. The breach, identified in October 2023, occurred due to a critical vulnerability in Citrix servers, known as Citrix Bleed and tracked as CVE-2023-4966. The compromised data included usernames and hashed passwords, and for some customers, names, contact information, last four digits of social security numbers, dates of birth, and secret questions and answers.
  • The report from Securelist details Operation Triangulation, a sophisticated cyber espionage campaign targeting iPhones and iPads. This operation utilized a complex infection chain including a JavaScript validator and two exploits, one for WebKit and another for the iOS kernel. The campaign was remarkably stealthy, employing novel techniques like manipulating iMessage attachments to deliver malware. The ultimate goal was to install a binary validator stage on the target devices, indicating a high level of technical skill and resource investment by the attackers.
  • Internet-exposed WS_FTP servers unpatched against a critical vulnerability, tracked as CVE-2023-40044, are being targeted in ransomware attacks. This vulnerability, stemming from a .NET deserialization issue in the Ad Hoc Transfer Module, enables unauthenticated attackers to remotely execute commands via HTTP requests. The Reichsadler Cybercrime Group attempted to exploit this vulnerability to deploy ransomware payloads using a stolen LockBit 3.0 builder.
  • A Mirai-based DDoS malware variant, IZ1H9, has expanded its arsenal to target Linux-based routers with thirteen new exploits. These include vulnerabilities in D-Link, Zyxel, TP-Link, TOTOLINK routers, and other devices, with CVEs dating from 2015 to 2023. IZ1H9 compromises devices to create a powerful botnet for launching DDoS attacks. The botnet uses a range of exploits, such as CVE-2015-1187, CVE-2016-20017, CVE-2020-25506, and CVE-2021-45382, among others.
  • Ransomware gangs have started exploiting a critical vulnerability in JetBrains’ TeamCity servers. This vulnerability, identified as CVE-2023-42793, allows unauthenticated attackers to achieve remote code execution (RCE) by exploiting an authentication bypass weakness.
  • Cisco disclosed a new zero-day vulnerability, CVE-2023-20273, in IOS XE software, actively exploited for deploying malicious implants on compromised devices. This flaw, used in conjunction with another zero-day, CVE-2023-20198, allows attackers to gain root access and complete control over Cisco IOS XE devices. Over 40,000 devices running the vulnerable IOS XE software have been compromised.

 

The Need to Implement Robust Security Tools to Combat Zero-Day Threats

These scenarios emphasize the advanced and evolving nature of cyber-attacks leveraging zero-day vulnerabilities, underscoring the importance of implementing strong and current security protocols to counter the threats posed by unknown and unrectified flaws in routinely used systems and software—often operating unnoticed in the background.

LIST OF SOME CVEs THAT HAVE BEEN OBSERVED IN ATTACKS:

2023

  • CVE-2023-38831,
  • CVE-2023-26369,
  • CVE-2023-46604,
  • CVE-2023-49897,
  • CVE-2023-47565,
  • CVE-2023-4966,
  • CVE-2023-40044,
  • CVE-2023-42793,
  • CVE-2023-20273,
  • CVE-2023-20198,
  • CVE-2023-1389,
  • CVE-2023-23295

2022

  • CVE-2022-0543,
  • CVE-2022-25080,
  • CVE-2022-40475,
  • CVE-2022-25079,
  • CVE-2022-25081,
  • CVE-2022-25082,
  • CVE-2022-25078,
  • CVE-2022-25084,
  • CVE-2022-25077,
  • CVE-2022-25076,
  • CVE-2022-38511,
  • CVE-2022-25075,
  • CVE-2022-25083

2021

  • CVE-2021-45382,
  • CVE-2021-36380,
  • CVE-2021-33544,
  • CVE-2021-33548,
  • CVE-2021-33549,
  • CVE-2021-33550,
  • CVE-2021-33551,
  • CVE-2021-33552,
  • CVE-2021-33553,
  • CVE-2021-33554,
  • CVE-2021-27561,
  • CVE-2021-27562

CVE-2020-25506

CVE-2019-19356

CVE-2016-20017

CVE-2015-1187

 

Remarkable Observations & High-profile targets

In Q4 of 2023, the cyber threat landscape saw significant law enforcement actions and high-profile targets. Multiple international law enforcement operations led to arrests, including Interpol’s seizure of $300 million from a gang involved in voice phishing, romance scams, and gambling. The FBI notably hacked into ALPHV ransomware servers to extract decryption keys and a man pled guilty to operating a crypto exchange used by ransomware gangs. Additionally, 40 nations pledged not to pay ransoms to cybercriminals.

Healthcare was a prime target, with several hospitals in Germany, the US, and Canada facing attacks. ESO Solutions, a software provider to hospitals, was compromised, along with other software vendors. Other high-profile targets included a US nuclear research lab, major corporations like Comcast, Xerox, Nissan Australia, Toyota, Boeing, courts, and defense contractors. This quarter’s activities underscore the global scope of cyber threats and the increasing efforts of law enforcement to combat these challenges.

 

Days
Hours
Minutes
Seconds

Ready to stress-test your malware sandbox? Join us for a no-fluff, all-demo webinar that shows you real techniques to evaluate and optimize your sandboxing solution!