Australian Cyber Security Center Highlights Key Vulnerabilities Exploited in 2023

Key Takeaways  

• Common vulnerabilities in 2023 include Citrix NetScaler, Fortinet FortiOS, and Atlassian Confluence, with attacks involving remote code execution, buffer overflows, and session token leakage. 

• The advisory was coauthored by international agencies, including ACSC, CISA, the FBI, and cybersecurity bodies from Canada, New Zealand, and the UK, highlighting global collaboration in combating cyber threats. 

•  Exploited vulnerabilities often stem from code injection, buffer overflows, and improper input validation, emphasizing the need for secure coding practices. 

• Organizations should implement security by design, adopt secure software development frameworks, and prioritize patch management to protect against known vulnerabilities. 

• The advisory recommends deploying tools like EDR systems and employing Zero Trust Network Architecture (ZTNA) to detect zero-day exploits and limit lateral movement within networks. 

Overview 

The Australian Cyber Security Center (ACSC) has issued an important cybersecurity advisory detailing a range of vulnerabilities in 2023. The report, which was coauthored by cybersecurity agencies from the United States, Australia, Canada, New Zealand, and the United Kingdom, provides a comprehensive overview of the vulnerabilities most targeted by cybercriminals, including the risks posed by zero-day exploits.  

These advisory aims to inform organizations worldwide about the growing cyber threat landscape and offers guidance to minimize the risks posed by these vulnerabilities. The ACSC’s advisory identifies the most frequently exploited Common Vulnerabilities and Exposures (CVEs) of 2023 and their associated Common Weakness Enumerations (CWEs). 

This security advisory is a collaborative effort from cybersecurity agencies around the world, including the Australian Cyber Security Center (ACSC), the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and cybersecurity agencies from Canada, New Zealand, and the United Kingdom.  

In particular, CISA has worked closely with international partners to monitor, identify, and mitigate common vulnerabilities, reinforcing their shared commitment to securing digital infrastructure. The FBI has also been actively involved in identifying cyber threat actors exploiting these vulnerabilities, especially those targeting critical infrastructure in both the public and private sectors.  

Key Findings: Zero-Day Exploits on the Rise 

One of the most concerning trends identified in the advisory is the increasing exploitation of zero-day vulnerabilities. These vulnerabilities, which are unknown to the software vendor or the public at the time of exploitation, allow attackers to bypass security defenses and gain unauthorized access to systems.  

In 2023, cybercriminals used zero-day vulnerabilities to exploit systems rapidly after their disclosure. Notably, these exploits were used to compromise high-value targets, including organizations in critical sectors such as healthcare, finance, and government. 

The ACSC’s advisory highlights that reducing the lifespan of zero-day exploits can be achieved by improving security lifecycles and ensuring responsible vulnerability disclosure. Both vendors and developers are urged to adopt secure-by-design principles and frameworks like the SP 800-218 Secure Software Development Framework (SSDF) to enhance the security of software from the ground up. 

Top Vulnerabilities Exploited in 2023 

The advisory identifies several CVEs that were routinely exploited in 2023. Among the most frequently targeted vulnerabilities are: 

• CVE-2023-3519: Citrix NetScaler buffer overflow vulnerability. 
• CVE-2023-4966: Citrix NetScaler session token leakage. 
• CVE-2023-27997: Fortinet FortiOS remote code execution. 
• CVE-2023-34362: Progress MOVEit Transfer SQL injection vulnerability. 
• CVE-2023-22515: Atlassian Confluence arbitrary code execution. 

These vulnerabilities were exploited by a variety of cyber threat actors, including advanced persistent threat (APT) groups and ransomware operators. For instance, CVE-2023-34362, which affects the MOVEit Transfer product, was actively targeted by the CL0P ransomware gang. Similarly, CVE-2023-22515 in Atlassian Confluence was exploited by threat actors to gain unauthorized access to corporate networks, compromising sensitive data. 

In many cases, these exploits were used to execute remote code, bypass authentication, or escalate privileges within affected systems. These vulnerabilities often result in significant disruption, financial loss, and reputational damage to affected organizations. 

Common Weakness Enumerations (CWEs) 

The advisory also sheds light on the associated Common Weakness Enumerations (CWEs) that underlie many of the vulnerabilities exploited in 2023. For example: 

• CWE-94: Code injection, which was present in vulnerabilities like CVE-2023-3519 (Citrix NetScaler buffer overflow). 
• CWE-119: Buffer overflow, as seen in CVE-2023-4966 (Citrix NetScaler session token leakage). 
• CWE-20: Improper input validation, which was implicated in CVE-2023-22515 (Atlassian Confluence arbitrary code execution). 

By understanding the CWEs associated with these CVEs, organizations can implement more targeted defenses to mitigate the risk of exploitation. Developers are encouraged to adopt practices that prevent these weaknesses from being introduced in the first place, such as using memory-safe languages and conducting regular security testing. 

Recommendations for Vendors, Developers, and End-Users 

In response to these findings, the advisory provides several key recommendations for organizations and developers to enhance their cybersecurity posture and reduce the risk of exploitation: 

• Vendors are encouraged to integrate security into the development process from the start, using frameworks like SP 800-218 SSDF to guide their efforts. 

• Developers should ensure that vulnerabilities are disclosed responsibly, including the root causes and associated CWEs, to help the broader community implement effective mitigation measures. 

• Regularly applying patches is critical to mitigating known vulnerabilities. End-users should also implement centralized patch management systems to streamline the process and ensure that vulnerabilities are addressed promptly. 

• Security tools like EDR systems are essential for detecting zero-day exploits. Organizations should prioritize their deployment to help identify suspicious activities and mitigate risks before they escalate. 

• Employing a Zero Trust Network Architecture (ZTNA) can help reduce lateral movement within networks and limit the damage from compromised systems. Organizations should also enforce multi-factor authentication (MFA) to prevent unauthorized access. 

• Organizations are urged to have up-to-date incident response plans in place and ensure that system backups are securely stored and regularly tested to recover from potential attacks. 

Conclusion 

The Australian Cyber Security Center (ACSC), in partnership with CISA, the FBI, and other international cybersecurity agencies, is calling on vendors, developers, and end-users to take immediate action to address these vulnerabilities and enhance their overall cybersecurity posture.  

By following the advisory’s recommendations, organizations can reduce their exposure to cyber threats and strengthen their defenses against cyberattacks. The collaboration between global cybersecurity agencies emphasizes the importance of shared intelligence and international cooperation in the fight against cybercrime.