
PLUS: State Dept disinfo center faces shutdown; US to back controversial UN cybercrime treaty; Google Cloud to issue cloud CVEs.
Claire Aird
Most of 2023's top exploited vulnerabilities were initially zero-days, a State Department disinfo centre faces shutdown, the US will back a controversial UN cybercrime treaty, and Google Cloud to issue cloud CVEs. This is Risky Business News, prepared by Catalin Cimpanu and read by me, Claire Aird. Today is the 13th of November, and this podcast episode is brought to you by Kroll. Find them at kroll.com/cyber.

The majority of the most frequently exploited vulnerabilities last year were zero-days when they were first used in the wild, according to CISA. This includes the bug that forced Barracuda to tell customers to replace their ESG appliances, the zero-day used in the MOVEit hacking spree, and the Citrix Bleed vulnerability. 2023 is also the first year on record when the most popular vulnerabilities were disclosed in the same year. Older CVEs dominated previous lists of popular exploits. The 2023 data also showed a trend toward the exploitation of enterprise and network perimeter devices. All the top 15 vulnerabilities were in enterprise software.

In other news, the US Congress has killed off a State Department office that hunts down foreign disinformation campaigns. The Global Engagement Centre will cease operations when its current seven-year mandate ends in December. One of the office's biggest critics has been Elon Musk, who accused it of trying to shape social media content after it exposed Russian and Chinese information operations on Twitter. The centre has a yearly budget of $61 million and around 130 employees.

In other news, the US government will support a controversial UN cybercrime treaty, according to a report from Politico. The treaty has been put forward by the Russian government and has been heavily criticised for promoting surveillance under the guise of policing cybercrime. Digital rights groups have warned the treaty gives authoritarian regimes the power to harass critics located abroad. US officials believe the treaty has positives, such as new legal frameworks to pursue cybercriminals and CSAM offenders. A vote is scheduled for this week, and the treaty needs approval from two thirds of UN members to be ratified.

Chinese APT Volt Typhoon has rebuilt its KV botnet 10 months after US authorities took it down. SecurityScorecard says the group has rebuilt the botnet by targeting old Cisco RV and Netgear ProSAFE routers. Both device types were a core part of the botnet's earlier iteration. Volt Typhoon first attempted to rebuild its botnet days after the US takedown, but that initial attempt failed. The Chinese group has used the botnet to disguise the origin of its attacks, many of which target US critical infrastructure.

A Hamas-affiliated APT group has expanded operations beyond cyber espionage and is now conducting data-wiping attacks against Israeli organizations. Check Point says it's connected the WIRTE group's older malware to SameCoin, a data wiper deployed across Israel in February and October this year. The company says it's one of the few Hamas cyber groups that has remained active through the current Israeli-Palestinian conflict.

Retail store giant Ahold Delhaize says a cybersecurity incident has disrupted its US network operations. Online stores for the company's US brands were offline over the weekend. The company says it's still investigating the incident. EU operations are not affected. Ahold Delhaize is one of the world's largest retailers, with around $87 billion in annual revenue. Its US brands include Food Lion, Stop & Shop and Hannaford.

A threat actor has stolen $4.8 million worth of assets from the DeltaPrime crypto brokerage platform, according to blockchain security firm CertiK. The attack combined two vulnerabilities to execute flash loan attacks and steal Arbitrum and Avalanche tokens from the platform's wallets. DeltaPrime has confirmed the hack and says it has contained the incident. CertiK researchers say flash loan attacks have declined, accounting for only $104 million in losses this year compared to $313 million last year.

Microsoft has expanded the Account Guard service to African countries. The service provides extra protection for sensitive user accounts belonging to political campaigns, think tanks, NGOs and journalists. The program will initially be available in Nigeria, Kenya and South Africa. Microsoft plans to expand it to Ghana and other countries in the future.

Google says it will begin assigning CVE identifiers to vulnerabilities reported in its Google Cloud service. The company says it will issue CVEs for critical bugs even if no customer action is required and patching is managed automatically. Google Cloud is the third major cloud vendor to issue CVEs for cloud vulnerabilities, alongside AWS and Microsoft.

Signal is rolling out call links, a new feature that allows users to easily join a secure group video call by just clicking a link, similar to Google Meet's meeting link generator. This is an improvement over the old system, where users had to join the same Signal group before initiating a group call.

UK Police say that scammers are sending SMS messages offering heating subsidies. The scams exploded after the UK Government cut winter heating subsidies for pensioners in September. Officials have warned residents not to enter any personal or banking information into links they receive via SMS.

watchTowr Labs has identified a remote code execution attack against the Citrix Virtual Apps and Desktops client. The vulnerability exploits a deserialization bug in a feature that allows Citrix admins to record virtual desktop sessions. Citrix appears to have released patches without notifying the researchers. The company claims attackers must be authenticated to execute an attack, while watchTowr says unauthenticated attacks are possible. Proof-of-concept code has been released on GitHub this week.

And finally, yesterday was the November Patch Tuesday. Don't forget to install your Windows security updates, which this month include fixes for two actively exploited zero-days. And that is all for this podcast edition. Today's show was brought to you by our sponsor, Kroll. Find them at kroll.com/cyber. Thanks for your company.
Risky Business News: Detailed Summary
Episode Title: Risky Biz News: Most of 2023's Top Exploited Vulnerabilities Were Initially Zero-Days
Host: Claire Aird
Release Date: November 12, 2024
In this episode of Risky Business News, host Claire Aird covers CISA's data on the most exploited vulnerabilities of 2023, geopolitical cyber developments, and notable cyber incidents affecting both corporations and governments. The episode provides an overview of the week's trends and threats, offering insights valuable to cybersecurity professionals and enthusiasts alike.
Claire Aird opens the discussion by emphasizing that the majority of the most frequently exploited vulnerabilities in 2023 were zero-days when they were first used in the wild. This underscores an evolving threat landscape in which unknown vulnerabilities are rapidly weaponized by malicious actors.
Notable Exploits: These include the bug that forced Barracuda to tell customers to replace their ESG appliances, the zero-day used in the MOVEit hacking spree, and the Citrix Bleed vulnerability.
Trend Observation: "2023 is also the first year on record when the most popular vulnerabilities were disclosed in the same year. Older CVEs dominated previous lists of popular exploits," Aird notes [00:04]. This marks a shift away from the long-standing older CVEs that led previous years' lists, toward vulnerabilities that are exploited within the same year they are disclosed.
Enterprise Software Focus:
All of the top 15 vulnerabilities identified were within enterprise software, highlighting a targeted focus on critical business infrastructure. Additionally, there was a noticeable trend towards exploiting enterprise and network perimeter devices.
The episode covers the US Congress's decision to terminate the State Department's Global Engagement Centre (GEC), an office dedicated to combating foreign disinformation campaigns.
Details of the Shutdown: The GEC will cease operations when its current seven-year mandate ends in December. The centre has a yearly budget of $61 million and around 130 employees.
Controversies and Criticisms: One of the office's biggest critics has been Elon Musk, who accused it of trying to shape social media content after it exposed Russian and Chinese information operations on Twitter.
A significant portion of the episode discusses the US government's backing of a contentious United Nations cybercrime treaty, as reported by Politico.
Origin and Criticism: The treaty was put forward by the Russian government and has been heavily criticised for promoting surveillance under the guise of policing cybercrime. Digital rights groups have warned that it gives authoritarian regimes the power to harass critics located abroad.
US Perspective: US officials believe the treaty has positives, such as new legal frameworks to pursue cybercriminals and CSAM offenders. A vote is scheduled for this week, and the treaty needs approval from two thirds of UN members to be ratified.
Claire Aird reports that the Chinese Advanced Persistent Threat (APT) group Volt Typhoon has successfully rebuilt its KV botnet, following its takedown by US authorities ten months prior.
Reconstruction Efforts: SecurityScorecard says the group rebuilt the botnet by targeting old Cisco RV and Netgear ProSAFE routers, both of which were a core part of the botnet's earlier iteration. A first attempt to rebuild, made days after the US takedown, failed.
Operational Tactics: The group has used the botnet to disguise the origin of its attacks, many of which target US critical infrastructure.
The episode highlights the expansion of a Hamas-affiliated APT group's activities beyond cyber espionage into data-wiping attacks against Israeli organizations. Check Point has connected the WIRTE group's older malware to SameCoin, a data wiper deployed across Israel in February and October this year, and describes it as one of the few Hamas cyber groups to remain active through the current conflict.
Ahold Delhaize, a global retail giant, experienced a significant cybersecurity incident affecting its US operations.
Impact: Online stores for the company's US brands, which include Food Lion, Stop & Shop and Hannaford, were offline over the weekend. The company says it is still investigating the incident; EU operations are not affected.
Company Profile:
Ahold Delhaize is one of the world's largest retailers, with approximately $87 billion in annual revenue.
The podcast details a cyberattack on DeltaPrime, a cryptocurrency brokerage platform, resulting in the theft of $4.8 million worth of assets.
Attack Mechanism: According to blockchain security firm CertiK, the attack combined two vulnerabilities to execute flash loan attacks and steal Arbitrum and Avalanche tokens from the platform's wallets.
Industry Impact: CertiK researchers say flash loan attacks have declined overall, accounting for $104 million in losses this year compared with $313 million last year.
DeltaPrime's Response: The platform has confirmed the hack and stated that it has contained the incident.
Microsoft has expanded its Account Guard service to select African countries, enhancing security measures for sensitive user accounts.
Service Details: Account Guard provides extra protection for sensitive user accounts belonging to political campaigns, think tanks, NGOs and journalists.
Initial Rollout and Future Plans: The program will initially be available in Nigeria, Kenya and South Africa, with Microsoft planning to expand it to Ghana and other countries in the future.
Google Cloud has announced a policy change regarding the assignment of Common Vulnerabilities and Exposures (CVE) identifiers.
Key Points: Google will begin assigning CVE identifiers to vulnerabilities reported in Google Cloud, and will issue CVEs for critical bugs even when no customer action is required and patching is managed automatically.
Industry Position:
Google Cloud joins AWS and Microsoft as the third major cloud vendor to adopt this CVE issuance practice, enhancing the overall security framework across major cloud platforms.
The messaging app Signal is enhancing its call functionalities by introducing call links, simplifying the process of initiating group video calls.
Feature Overview: Call links allow users to join a secure group video call by simply clicking a link, similar to Google Meet's meeting link generator.
User Experience Enhancement: Under the old system, users had to join the same Signal group before initiating a group call. The new feature streamlines the process, making it more intuitive and user-friendly for initiating secure communications.
UK Police have issued warnings about an uptick in scam SMS messages purporting to offer heating subsidies.
Scam Details: The scams surged after the UK Government cut winter heating subsidies for pensioners in September.
Public Advisory:
Officials urge residents to avoid clicking on links received via SMS and to refrain from sharing sensitive information, emphasizing the fraudulent nature of these offers.
The episode concludes with a discussion of a remote code execution (RCE) attack targeting the Citrix Virtual Apps and Desktops client, identified by watchTowr Labs.
Vulnerability Details: The attack exploits a deserialization bug in a feature that allows Citrix admins to record virtual desktop sessions. Citrix appears to have released patches without notifying the researchers.
Dispute Over Attack Vectors: Citrix claims attackers must be authenticated to execute an attack, while watchTowr says unauthenticated attacks are possible.
Proof of Concept: Proof-of-concept (PoC) code has been released on GitHub this week.
In a final advisory, Claire Aird reminds listeners to install their Windows security updates, which this month include fixes for two actively exploited zero-days. Staying updated is crucial in defending against the latest threats and vulnerabilities.
This episode of Risky Business News offers an overview of a dynamic and often perilous cybersecurity environment. From the prevalence of zero-day exploits in enterprise software during 2023 to geopolitical cyber maneuvers and significant cyberattacks on major organizations, the discussions underscore the critical importance of robust cybersecurity measures. Listeners are encouraged to stay informed and proactive in securing their digital infrastructures against evolving threats.
For more detailed insights and updates, subscribe to Risky Business News and stay ahead in the cybersecurity landscape.