Risky Business News: Detailed Summary
Episode Title: Risky Biz News: Most of 2023's Top Exploited Vulnerabilities Were Initially Zero-Days
Host: Claire Aird
Release Date: November 12, 2024
1. Introduction
In this episode of Risky Business News, host Claire Aird delves into the cybersecurity landscape of 2023, highlighting significant vulnerabilities, geopolitical cyber developments, and notable cyber incidents affecting both corporations and governments. The episode provides a comprehensive analysis of the trends and threats that dominated the year, offering insights valuable to cybersecurity professionals and enthusiasts alike.
2. Top Exploited Vulnerabilities of 2023
Claire Aird opens the discussion by emphasizing that most of the most frequently exploited vulnerabilities in 2023 were initially zero-days. This revelation underscores the evolving threat landscape where unknown vulnerabilities are rapidly weaponized by malicious actors.
Notable Exploits:
- Barracuda ESG Appliances: A critical zero-day bug compelled Barracuda to advise customers to replace their ESG appliances.
- MOVEit Hacking Spree: The MOVEit vulnerabilities were exploited using a zero-day, leading to widespread security breaches.
- Citrix Bleed Vulnerability: This zero-day was among the top exploited flaws, affecting numerous organizations relying on Citrix solutions.
Trend Observation:
"2023 is also the first year on record when the most popular vulnerabilities were disclosed in the same older CVEs that dominated previous lists of popular exploits," Aird notes [00:04]. This indicates a shift towards the exploitation of long-standing vulnerabilities in enterprise environments.
Enterprise Software Focus:
All of the top 15 vulnerabilities identified were within enterprise software, highlighting a targeted focus on critical business infrastructure. Additionally, there was a noticeable trend towards exploiting enterprise and network perimeter devices.
3. Shutdown of the US State Department's Disinformation Centre
The episode covers the US Congress's decision to terminate the State Department's Global Engagement Centre (GEC), an office dedicated to combating foreign disinformation campaigns.
Details of the Shutdown:
- End of Mandate: The GEC will cease operations once its current seven-year mandate expires in December.
- Budget and Workforce: The centre operates with a yearly budget of $61 million and employs around 130 personnel.
Controversies and Criticisms:
- Elon Musk's Critique: Elon Musk was one of the prominent critics, accusing the GEC of attempting to shape social media content. This criticism came after the centre exposed Russian and Chinese information operations on Twitter.
4. US Support for a Controversial UN Cybercrime Treaty
A significant portion of the episode discusses the US government's backing of a contentious United Nations cybercrime treaty.
Origin and Criticism:
- Proposed by Russia: The treaty has been heavily criticized for potentially promoting surveillance under the guise of combating cybercrime.
- Digital Rights Concerns: Advocacy groups warn that the treaty could grant authoritarian regimes the authority to harass critics abroad.
US Perspective:
- Positive Aspects: US officials highlight benefits such as establishing new legal frameworks to pursue cybercriminals and offenders involved in Child Sexual Abuse Material (CSAM).
- Approval Process: A vote is scheduled for the week, with the treaty requiring approval from two-thirds of UN member states to be ratified.
5. Rebuilding of Chinese APT Volt Typhoon's Botnet
Claire Aird reports that the Chinese Advanced Persistent Threat (APT) group Volt Typhoon has successfully rebuilt its KV botnet, following its takedown by US authorities ten months prior.
Reconstruction Efforts:
- Targeted Devices: The group targeted older Cisco RV and NETGEAR ProSafe routers, which were integral to the botnet's initial build.
- Persistence: After an initial failed attempt to rebuild the botnet immediately following the US takedown, Volt Typhoon managed to re-establish it, showcasing the group's resilience.
Operational Tactics:
- The botnet is primarily used to disguise the origin of attacks, with a focus on targeting US critical infrastructure.
6. Hamas-affiliated APT Group Expanding Operations
The episode highlights the expansion of a Hamas-affiliated APT group's activities beyond cyber espionage into data wiping attacks against Israeli organizations.
Details of the Attacks:
- Associated Malware: Check Point has linked the WIRTE group's older malware to SameCoin, a data wiper deployed in February and October of the current year.
- Conflict Continuity: This group remains one of the few Hamas cyber entities actively operating amidst the ongoing Israeli-Palestinian conflict.
7. Ahold Delhaize Cybersecurity Incident
Ahold Delhaize, a global retail giant, experienced a significant cybersecurity incident affecting its US operations.
Impact:
- Disruption: Online stores for US brands such as Food Lion, Stop & Shop, and Hannaford were offline over the weekend.
- Investigation: The company is currently investigating the incident, with EU operations remaining unaffected.
Company Profile:
Ahold Delhaize is one of the world's largest retailers, with approximately $87 billion in annual revenue.
8. Crypto Brokerage Delta Prime's Hack
The podcast details a cyberattack on Delta Prime, a cryptocurrency brokerage platform, resulting in the theft of $4.8 million worth of assets.
Attack Mechanism:
- Flash Loan Attacks: The breach involved two vulnerabilities that facilitated flash loan attacks, enabling the theft of Arbitrum and Avalanche tokens from the platform's wallets.
Industry Impact:
- Trend Decline: According to blockchain security firm CertiK, flash loan attacks have declined, totaling $104 million in losses this year compared to $313 million last year.
Delta Prime's Response:
The platform has confirmed the hack and stated that it has contained the incident.
9. Microsoft's Account Guard Expansion in Africa
Microsoft has expanded its Account Guard service to select African countries, enhancing security measures for sensitive user accounts.
Service Details:
- Protection Scope: The service offers additional protection for accounts associated with political campaigns, think tanks, NGOs, and journalists.
Initial Rollout and Future Plans:
- Current Availability: The program is now available in Nigeria, Kenya, and South Africa.
- Future Expansion: Microsoft plans to extend the service to Ghana and other African nations in the future.
10. Google Cloud's New CVE Assignment Policy
Google Cloud has announced a policy change regarding the assignment of Common Vulnerabilities and Exposures (CVE) identifiers.
Key Points:
- Automatic CVEs: Google Cloud will assign CVE identifiers to vulnerabilities reported within its services, including critical bugs that do not require customer action.
- Patch Management: Even if patching is handled automatically by Google, CVEs will still be issued to maintain transparency and standardized reporting.
Industry Position:
Google Cloud joins AWS and Microsoft as the third major cloud vendor to adopt this CVE issuance practice, enhancing the overall security framework across major cloud platforms.
11. Signal's New Call Links Feature
The messaging app Signal is enhancing its call functionalities by introducing call links, simplifying the process of initiating group video calls.
Feature Overview:
- Ease of Use: Users can now join secure group video calls by simply clicking a link, akin to Google Meet's Meeting Link generator.
- Improvement: Previously, users had to join the same Signal group before a group call could be initiated, making the process more cumbersome.
User Experience Enhancement:
This new feature streamlines the process, making it more intuitive and user-friendly for initiating secure communications.
12. UK Police Warn Against Heating Subsidy Scams
UK police have issued warnings about an uptick in scam SMS messages purporting to offer heating subsidies.
Scam Details:
- Origin: The surge in these scams correlates with the UK Government's decision to cut winter heating subsidies for pensioners in September.
- Tactics: Scammers send SMS messages containing links that prompt recipients to enter personal or banking information.
Public Advisory:
Officials urge residents to avoid clicking on links received via SMS and to refrain from sharing sensitive information, emphasizing the fraudulent nature of these offers.
13. Citrix Virtual Apps and Desktop Client Vulnerability
The episode concludes with a discussion on a remote code execution (RCE) attack targeting the Citrix Virtual Apps and Desktop client.
Vulnerability Details:
- Exploitation Method: The attack leverages a deserialization bug in a feature that allows Citrix admins to record virtual desktop sessions.
- Patch Deployment: Citrix has released patches to address the vulnerability without notifying the researchers who discovered it.
Dispute Over Attack Vectors:
- Citrix's Claim: The company asserts that attackers must be authenticated to execute the attack.
- watchTowr Labs' Assertion: Contrarily, watchTowr Labs argues that unauthenticated attacks are possible, raising concerns over the vulnerability's severity.
Proof of Concept:
Proof-of-concept (PoC) code has been made available on GitHub, and Citrix released the November patch to mitigate the issue.
14. Security Update Reminder
In a final advisory, Claire Aird reminds listeners to install their Windows security updates, which this month include fixes for two actively exploited zero-days. Staying updated is crucial in defending against the latest threats and vulnerabilities.
Conclusion
This episode of Risky Business News offers a comprehensive overview of the dynamic and often perilous cybersecurity environment of 2023. From the prevalence of zero-day exploits in enterprise software to geopolitical cyber maneuvers and significant cyberattacks on major organizations, the discussions underscore the critical importance of robust cybersecurity measures. Listeners are encouraged to stay informed and proactive in securing their digital infrastructures against evolving threats.
For more detailed insights and updates, subscribe to Risky Business News and stay ahead in the cybersecurity landscape.
