Attackers who want to stay undetected exploit flaws that the vendor does not yet know about, or has not yet fixed, known as zero-day vulnerabilities. Because no patch or signature exists for them, and because many need no user interaction at all, they allow stealthy compromise and remain a prevalent and alarming tactic.
This chapter walks through recent cases, from Gafgyt malware abusing a five-year-old, still-unpatched router defect to zero-days deployed against prominent software. The real-world scenarios make clear why awareness of, and proactive measures against, these elusive vulnerabilities are essential.
Notes on top exploited zero-day vulnerabilities
Sophisticated attackers prefer tactics that evade easy detection. One of the most effective is to sidestep standard protections by exploiting flaws that the vendor has not yet discovered or patched, commonly known as zero-day vulnerabilities.
Such vulnerabilities are attractive because, with no fix or detection signature available, they enable stealthy intrusions, frequently without the victim's interaction or awareness, which makes them a widespread and alarming tactic in the cyber threat environment.
- A notable example is Gafgyt malware exploiting a five-year-old command injection flaw (CVE-2017-18368) in an end-of-life Zyxel router. Strictly speaking this is an n-day rather than a zero-day: the flaw was disclosed and patched years ago, but the device no longer receives updates, so exposed units stay vulnerable indefinitely. Gafgyt, best known for launching DDoS attacks from infected IoT devices, uses the flaw to take over the router, which can give attackers a foothold on the network and on the devices behind it.
- The FBI, CISA, and NSA have also released a list of the most exploited vulnerabilities of 2022, highlighting the critical need for awareness and preventive actions in these domains.
- Mozilla had to ship emergency fixes for Firefox and Thunderbird for an actively exploited zero-day (CVE-2023-4863, a heap buffer overflow in the libwebp image library that also affected Chrome and other software embedding it), and Cisco warned that a zero-day in the remote access VPN of its ASA and FTD appliances (CVE-2023-20269) was being exploited by ransomware groups. The flaw let attackers brute-force VPN credentials and establish unauthorized sessions, a route into the internal network from which ransomware could be deployed to encrypt critical data and extort payment.
- Apple users were hit by BLASTPASS, a zero-click iMessage exploit chain that Citizen Lab found being used to infect iPhones with spyware attributed to the controversial NSO Group. The chain (CVE-2023-41064 and CVE-2023-41061) delivered a malicious image inside a PassKit attachment and required no interaction from the victim; the spyware it installed can extract sensitive data, monitor the user's activity and take control of the device.
- A zero-day in WinRAR, CVE-2023-38831, was used to install malware when victims opened seemingly harmless files inside an archive, leading to the compromise of online cryptocurrency trading accounts. Attackers built .RAR and .ZIP archives containing a decoy file (for example a PDF or image) together with a folder of the same name, which held a script named after the decoy with a trailing space and a script extension. Because of the bug, double-clicking the decoy made WinRAR extract and execute that script instead, dropping malware families such as DarkMe, GuLoader and Remcos.
- Attackers exploited a critical vulnerability in Adobe Acrobat and Reader on both Windows and macOS, CVE-2023-26369, an out-of-bounds write that allows arbitrary code execution once triggered.
- In a different scenario, attackers used a zero-day to target security researchers themselves. Google's Threat Analysis Group reported that North Korean state-backed actors approached researchers on social media, built rapport, and then sent them files that exploited at least one undisclosed zero-day in a popular software package. The likely goal was to steal the researchers' own unpublished vulnerability research and exploits.
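The archive layout behind the WinRAR case above (a decoy file next to a folder of the same name holding a script named "decoy" plus a space and an extension) can be checked for without extracting anything. The following Python detector is an added example, not code from this report or from VMRay: it flags archive members matching that pattern. The SCRIPT_EXTS list and the constructed sample archive are assumptions made for illustration; ZIP parsing uses the standard library's zipfile, and a RAR member list would have to come from another tool and be passed to find_38831_layout() directly.

```python
"""Detect the CVE-2023-38831 exploitation layout in archives (added example)."""
import io
import posixpath
import zipfile
from typing import Dict, Iterable, List

# Extensions that WinRAR hands to the shell as runnable content when the victim
# "opens" the decoy. Assumed starting list; extend it for your environment.
SCRIPT_EXTS = {".cmd", ".bat", ".exe", ".vbs", ".js", ".lnk", ".ps1", ".scr", ".hta", ".wsf"}


def _directories(names: List[str]) -> set:
    """Every directory implied by the member list, whether listed as "dir/" or not."""
    dirs = set()
    for n in names:
        if n.endswith("/"):
            dirs.add(n)
        head = n.rstrip("/")
        while "/" in head:
            head = head.rsplit("/", 1)[0]
            dirs.add(head + "/")
    return dirs


def find_38831_layout(entries: Iterable[str]) -> List[Dict[str, object]]:
    """Return one finding per file that also exists as a folder in the archive.

    A finding is 'confirmed' when that folder holds a script named after the
    decoy with a trailing space, which is the CVE-2023-38831 trigger. A bare
    file/folder name collision is reported unconfirmed: it cannot be extracted
    cleanly to disk and has no legitimate use, so it is worth a look on its own.
    """
    names = [e.replace("\\", "/") for e in entries]          # normalise RAR-style paths
    files = {n for n in names if not n.endswith("/")}
    dirs = _directories(names)
    findings = []
    for decoy in sorted(files):
        if decoy + "/" not in dirs:
            continue                                           # no same-named folder
        base = posixpath.basename(decoy)
        payloads = sorted(
            n for n in files
            if posixpath.dirname(n) == decoy                   # lives inside the folder
            and posixpath.basename(n).startswith(base + " ")   # "<decoy> " with the space
            and posixpath.splitext(n)[1].lower() in SCRIPT_EXTS
        )
        findings.append({"decoy": decoy, "payloads": payloads, "confirmed": bool(payloads)})
    return findings


def scan_zip(data: bytes) -> List[Dict[str, object]]:
    """Scan a ZIP held in memory; only the central directory is read, nothing is extracted."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return find_38831_layout(zf.namelist())


def build_constructed_sample() -> bytes:
    """Constructed, harmless archive with the malicious layout (not a real sample).

    'Invoice.pdf' is the decoy; 'Invoice.pdf/Invoice.pdf .cmd' is where a payload
    would sit. The .cmd only echoes a line, so creating the file is safe.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Invoice.pdf", b"%PDF-1.4\n% decoy placeholder, not a real document\n")
        zf.writestr("Invoice.pdf/Invoice.pdf .cmd", b"@echo off\r\necho placeholder\r\n")
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    blobs = [open(p, "rb").read() for p in sys.argv[1:]] or [build_constructed_sample()]
    for blob in blobs:
        for f in scan_zip(blob):
            tag = "CONFIRMED" if f["confirmed"] else "suspicious"
            print(f"{tag}: decoy={f['decoy']!r} payloads={f['payloads']}")
```

Run it with one or more ZIP paths, or with no arguments to scan the built-in constructed sample. Matching on the trailing space is deliberate: that space is what makes WinRAR resolve the decoy's name to the folder contents, so a folder merely sharing the decoy's name is reported at lower confidence.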
The Need to Implement Robust Security Tools to Combat Zero-Day Threats
These scenarios show how advanced and fast-moving attacks built on zero-day vulnerabilities have become, and why strong, up-to-date security controls are needed against unknown and unpatched flaws in routinely used systems and software, much of which runs unnoticed in the background. They also show that long-known, long-patched flaws keep being exploited wherever patches are not applied, so timely patching remains as important as zero-day defence.
LIST OF SOME CVEs THAT HAVE BEEN OBSERVED IN ATTACKS:
- CVE-2017-18368: Command injection in Zyxel P660HN-T1A router
- CVE-2023-4863: Heap buffer overflow in libwebp (affects Chrome, Firefox, Thunderbird and other software embedding the library)
- CVE-2023-20269: Unauthorized access and brute-force vulnerability in Cisco ASA and FTD remote access VPN
- CVE-2023-41064: Buffer overflow in ImageIO on iOS and macOS (BLASTPASS)
- CVE-2023-41061: Validation issue in Wallet on iOS that can lead to code execution (BLASTPASS)
- CVE-2023-28432: Information disclosure in MinIO
- CVE-2023-28434: Privilege escalation in MinIO (bypass of bucket-name checks allows writing objects to arbitrary buckets)
- CVE-2023-33246: Remote code execution in Apache RocketMQ
- CVE-2023-38831: Code execution in WinRAR (decoy file and same-named folder)
- CVE-2023-40477: Buffer overflow in WinRAR recovery volume processing
- CVE-2020-1472: Privilege escalation in Windows Server Netlogon (Zerologon)
- CVE-2023-26369: Out-of-bounds write in Adobe Acrobat and Reader
- CVE-2023-35078: Authentication bypass in Ivanti Endpoint Manager Mobile (EPMM)
- CVE-2023-35081: Path traversal in Ivanti EPMM
- CVE-2023-27532: Credential leakage in Veeam Backup & Replication
- Top exploited vulnerabilities in 2022 (compiled by FBI, CISA, NSA):
  - CVE-2018-13379: Path traversal in FortiOS SSL VPN
  - CVE-2021-34473: Remote code execution in Microsoft Exchange (ProxyShell)
  - CVE-2021-31207: Security feature bypass in Microsoft Exchange (ProxyShell)
  - CVE-2021-34523: Privilege escalation in Microsoft Exchange (ProxyShell)
  - CVE-2021-40539: Authentication bypass in Zoho ManageEngine ADSelfService Plus
  - CVE-2021-26084: OGNL injection in Atlassian Confluence
  - CVE-2021-44228: Remote code execution via JNDI lookup in Apache Log4j (Log4Shell)
  - CVE-2022-22954: Remote code execution in VMware Workspace ONE Access
  - CVE-2022-22960: Privilege escalation in VMware Workspace ONE Access
  - CVE-2022-1388: Authentication bypass in F5 BIG-IP
  - CVE-2022-30190: Remote code execution in Microsoft Support Diagnostic Tool (MSDT, "Follina")
  - CVE-2022-26134: Remote code execution in Atlassian Confluence
VMRay Malware & Phishing Threat Landscape – Q3/2023