In 2023, the cyber security realm was severely impacted (again) by the aggressive maneuvers of threat actors, who exploited critical vulnerabilities with devastating precision. The exploitation of these vulnerabilities not only underscored the adeptness of threat actors in leveraging security weaknesses but also highlighted the extensive damages inflicted across various sectors. The top ten vulnerabilities that were most exploited offer a glimpse into the methods employed by these adversaries, revealing a pattern of abuse that led to significant incidents, both in terms of frequency and impact.
1. CVE-2023-27350 (PaperCut NG/MF Multiple Security Vulnerabilities) - Discovered as a critical threat affecting popular print management software, PaperCut, CVE-2023-27350 allowed attackers to bypass authentication procedures and execute arbitrary codes with heightened privileges. This vulnerability was leveraged to deploy ransomware across various organisations, highlighting a severe threat to network security. It was identified and addressed with a patch rate of approximately 59%, indicating an urgent need for faster patching actions to mitigate exploits. The vulnerability had an average age of 97 days and an MTTR (Mean Time to Respond/Remediate) of about 23 days, emphasising the swift action taken by some but not all affected entities.
2. CVE-2023-34362 (MOVEit Transfer Injection Vulnerability) - CVE-2023-34362 is an SQL injection vulnerability in Progress Software's MOVEit Transfer software, which was exploited by attackers to gain access to databases and steal sensitive information. This flaw saw a wide range of exploitation, including by the Clop ransomware gang, leading to data theft and extortion campaigns affecting over 2,095 organisations and more than 62 million individuals. The significant impact of this vulnerability underscores the importance of securing applications against SQL injection attacks.
3. CVE-2023-0669 (Fortra GoAnywhere Managed File Transfer (MFT) RCE Vulnerability) - A pre-authentication command injection vulnerability in Fortra's GoAnywhere MFT product, CVE-2023-0669, was exploited in a series of data extortion attacks by the Clop ransomware gang. The vulnerability was patched swiftly after its discovery; however, it led to breaches in several organisations, including Procter & Gamble and Community Health Systems. This incident points to the critical need for secure file transfer solutions and the rapid patching of known vulnerabilities.
4. CVE-2023-22952 (SugarCRM Remote Code Execution (RCE) Vulnerability) - Exploited by a threat actor to inject malicious PHP code through a CRM platform module, CVE-2023-22952 in SugarCRM posed a significant threat by allowing attackers to escalate intrusions to AWS environments. Despite a relatively swift mean time to respond and remediate, a patch rate of only 36% indicated that many systems remained vulnerable, highlighting the challenge of securing complex CRM platforms against RCE attacks.
5. CVE-2023-20887 (VMware Aria Operations for Networks Command Injection Vulnerability) - Identified in VMware Aria Operations for Networks, CVE-2023-20887 was a command injection vulnerability that saw limited but targeted exploitation in the wild. The threat landscape around this vulnerability underscores the importance of securing network operations platforms against command injection attacks, a common vector for cyber attackers.
6. CVE-2023-28252 (Windows Common Log File System Driver Privilege Escalation) - This vulnerability allowed attackers with access to systems to run code with SYSTEM privileges, highlighting a significant security flaw within Windows operating systems. It was exploited by the Nokoyawa ransomware group, emphasising the necessity for regular system updates and patches to prevent privilege escalation attacks.
7. CVE-2023-22515 (Atlassian Confluence Elevation of Privilege) - Tracked as CVE-2023-22515, this vulnerability in Atlassian Confluence Data Center and Server products was exploited by a nation-state threat actor linked to the Chinese government. The flaw related to broken access control, and its exploitation in the wild since September 14 points to the critical need for securing enterprise collaboration tools against unauthorised access.
8. CVE-2023-4966 (Citrix NetScaler ADC and NetScaler Gateway Sensitive Information Disclosure) - Known as Citrix Bleed, this critical vulnerability allowed threat actors to hijack authenticated sessions, bypassing MFA and other identity verification checks. The widespread exploitation of this flaw by groups including the LockBit ransomware gang underscores the importance of comprehensive security measures beyond patching to protect against session hijacking.
9. CVE-2023-20198 (Cisco IOS XE Remote Code Execution Vulnerability) - Affecting Cisco IOS XE software, CVE-2023-20198 enabled remote attackers to gain the highest level of privileged access to devices. The mass exploitation of this flaw, including the deployment of the BadCandy implant, illustrates the critical need for securing networking devices against remote code execution threats.
10. CVE-2023-2868 (Barracuda Email Security Gateway Vulnerability) - CVE-2023-2868 in the Barracuda Email Security Gateway was another noteworthy vulnerability that highlighted the ongoing challenges in securing email gateways against sophisticated cyber threats. The specifics of its exploitation underscore the importance of robust email security practices and the prompt patching of known vulnerabilities.
These vulnerabilities and their exploitation in 2023 serve as a reminder of the ever-evolving threat landscape and the critical need for vigilant cyber security practices, including the rapid detection, response, and remediation of security flaws.
The Web3 space also experienced several significant hacks, collectively resulting in substantial financial losses. Here are details on the top ten Web3 hacks of the year, including how they were exploited, when they were discovered, and the reported losses.
1. Mixin Network Hack - In one of the largest incidents, the Mixin Network's cloud provider was compromised on September 23rd, leading to a loss of around $200 million. The attackers primarily targeted BTC assets, with minimal losses in BOX and XIN tokens. This incident underscores the importance of securing cloud infrastructure in Web3 platforms.
2. Euler Finance Exploit - Euler Finance fell victim to a hack on March 13th, resulting in approximately $197 million in losses. The attackers exploited a failure in the protocol to properly verify users' token balances and ledger health after donations. Remarkably, all stolen funds were eventually returned by the attacker, highlighting a rare outcome in the realm of Web3 security breaches.
3. Poloniex Exchange Hack - On November 10th, the Poloniex exchange, associated with Justin Sun, was hacked, leading to the theft of about $126 million. This incident was quickly confirmed by Sun and Poloniex via social media, illustrating the ongoing vulnerabilities faced by centralised exchanges in the Web3 ecosystem.
4. HTX & Heco Bridge Hack - The HTX exchange and Heco Bridge, also linked to Justin Sun, experienced a combined hack on November 22nd, resulting in a total loss of $110 million. This attack highlighted the vulnerabilities inherent in cross-chain bridges and exchanges, with significant financial repercussions.
5. Curve/Vyper Bug Exploit - On July 31st, a reentrancy bug in Vyper versions 0.2.15, 0.2.16, and 0.3.0 was exploited, affecting linked ETH/stablecoin pools and resulting in around $73 million in losses. This incident underscored the critical importance of secure contract programming and the potential for significant financial damage from contract vulnerabilities.
6. CoinEx Withdrawal Anomaly - CoinEx detected suspicious large withdrawals from its temporary hot wallets on September 12th, leading to a loss of approximately $70 million. The stolen assets included ETH, TRON, and Polygon tokens, demonstrating the risks associated with hot wallet storage and the need for robust risk control systems.
7. Atomic Wallet Security Breach - In early June, the Atomic Wallet was hacked, with estimated losses of at least $67 million. This event was identified through on-chain victim data, highlighting the challenges of securing wallet platforms against unauthorised access and theft.
8. Alphapo Hot Wallet Hack - On July 23rd, Alphapo's hot wallet was compromised by the North Korean hacker group Lazarus, resulting in a $60 million loss. This attack not only demonstrated the financial impact of such breaches but also the geopolitical dimensions of Web3 security threats.
9. KyberSwap Exploit - KyberSwap suffered a $54.7 million exploit on November 22nd, described as one of DeFi's most complex attacks. This incident required precise on-chain execution by the hacker, showcasing the sophisticated nature of threats in the decentralised finance space.
10. Stake.com Casino Hack - On September 4th, the crypto casino site Stake.com was hacked, leading to unauthorised transactions from its ETH and BSC hot wallets. Attributed to the North Korean APT group Lazarus, this breach highlighted the vulnerabilities of online gambling platforms in the Web3 ecosystem.
These incidents collectively highlight the diverse and sophisticated nature of security threats in the Web3 space, spanning from cloud infrastructure and contract vulnerabilities to wallet and exchange breaches.
Cobalt Strike is a highly sophisticated tool designed for red team operations and adversary simulations, but its robust features have also made it a favourite among cyber criminals, particularly those involved in Ransomware-as-a-Service (RaaS) activities. Below are detailed descriptions of Cobalt Strike's features that contribute to its popularity in both legitimate cyber security testing and illicit activities, backed by references from various sources.
As reported by Google Cloud, there have been 34 different hacked release versions identified in the wild, showcasing the tool's significant illicit proliferation. These cracked versions have been weaponised by threat actors to advance their post-exploitation activities, contributing to its popularity in the cybercriminal ecosystem. Moreover, the ease of access to these unauthorised versions exacerbates the problem, making effective cyber security measures and the ability to differentiate between legitimate and malicious use of Cobalt Strike crucial for organisations.
Microsoft and its partners, recognising the threat posed by the misuse of cracked Cobalt Strike copies, have taken legal actions to disrupt the operations of cybercriminals leveraging these illegal copies for ransomware attacks. This initiative aims to significantly hinder the monetisation of these illegal copies and slow their use in cyberattacks, forcing criminals to re-evaluate and change their tactics. The court order obtained allows for the seizure of infrastructure used by these groups, demonstrating a proactive approach to combating the abuse of security tools like Cobalt Strike.
Author: G. Botha