
Unmasking the Critical Risk of Internet-Exposed Assets to Public and Private Organizations

Cyble investigates the Current vulnerability Threat landscape and observes the distribution of Proof Of Concepts over the Darkweb.

MOVEit, VMware, and Fortinet Global Internet Exposure Enticing Cybercriminals

Organizations face a significant threat when their internet-exposed assets are misconfigured or outdated, as this greatly expands the attack surface available to Threat Actors (TAs). In previous research articles ("Active exploitation of multiple CVEs" and "Exposed Network Monitor Tool increases the risk of intrusion"), Cyble Research & Intelligence Labs (CRIL) researchers discussed in detail the impact of, and attacks via, internet-exposed assets.

Recently, several companies worldwide, including the oil and gas giant Shell and several US state agencies, were targeted by the CL0P ransomware group (Figure 1 shows a note published by CL0P indicating exploitation of MOVEit). TAs' keen focus on public-facing, internet-exposed assets is evident in their systematic exploitation of vulnerabilities to target numerous organizations simultaneously, with the intent of extorting ransom payments.

Figure 1 – CL0P ransomware group indicating exploitation of MOVEit Vulnerability

Within a month, multiple vendors and state agencies have released alerts for the active exploitation of vulnerabilities impacting a wide range of audiences. It has become critical to understand the scope of exposure of affected products.

Vulnerability Details

Command Injection Vulnerabilities in Aria Operations for Networks (Formerly vRealize Network Insight)


The affected versions of VMware Aria Operations for Networks are vulnerable to command injection when accepting user input through the Apache Thrift RPC interface. The vulnerability allows a remote, unauthenticated attacker to execute arbitrary commands on the underlying operating system as the root user, and it falls under the critical severity category. One online scanner shows over 27 public-facing, internet-exposed assets that might be vulnerable to CVE-2023-20877.

Given below is the graphical representation of internet-exposed vRealize Network Insight.

Figure 2 – Internet exposure of vRealize Network Insight

It is important to note that the POC for CVE-2023-20877 is available in the public domain and is being discussed in cybercrime forums, as shown in the figure below.

Figure 3 – CVE-2023-20877 POC discussion in cybercrime forum

Multiple vulnerabilities in MOVEit

Multiple critical-severity vulnerabilities in MOVEit Transfer have been disclosed since early June 2023. Listed below are the recent SQL injection vulnerabilities that allow unauthenticated attackers to gain unauthorized access to MOVEit Transfer's database:

  • CVE-2023-34362
  • CVE-2023-35063
  • CVE-2023-35708

Earlier this month, the CRIL team released a detailed blog on the MOVEit vulnerability.

Shown below is a geographical representation of internet-exposed MOVEit instances.

Figure 4 – Internet exposure of MOVEit

Among the exposed MOVEit instances, Cyble researchers noticed that multiple state and private entities have public-facing MOVEit deployments, as shown below. It should be noted that a Proof of Concept (PoC) for CVE-2023-34362 is available in the public domain.

Figure 5 – Screenshot indicating State Entities using MOVEit

Heap buffer overflow in SSL-VPN pre-authentication

The critical severity vulnerability CVE-2023-27997 affects multiple Fortinet products. It does not require prior authentication, which allows a remote attacker to execute code on the device by exploiting a heap-based buffer overflow. One of the online scanners indicates that there are over 900,000 internet-exposed instances.

 The chart given below shows exposure from the top 5 countries.

Figure 6 – Top 5 countries with the highest FORTINET-SSL/VPN Exposure

During routine dark web monitoring, it was observed that a member of a Russian-language cybercrime forum released an alleged POC for CVE-2023-27997, as shown in the figure below.

Figure 7 – Distribution POC of CVE-2023-27997

Conclusion

Recently, there has been a surge in critical vulnerabilities being actively exploited by TAs. Cyble researchers have noticed that TAs exploit recent vulnerabilities within a short span of their public announcement. Ransomware groups such as CL0P demonstrate that public-facing assets running outdated software can easily be used to launch ransomware operations against Critical Infrastructure Sectors and other state entities. Proof of Concept distribution over the dark web further intensifies the situation for vulnerability management teams.

Recommendations

  • Conduct Regular Vulnerability Assessments: Perform routine vulnerability assessments to identify and prioritize vulnerabilities within your systems and applications. Utilize automated tools and manual testing to ensure comprehensive coverage.
  • Patch Management: Establish a robust patch management process to promptly apply security patches and updates across all systems and applications. Regularly monitor vendor releases and security advisories to stay informed about potential vulnerabilities and their patches.
  • Secure Code Development: Implement secure coding practices from the early stages of application development. Train developers on secure coding techniques, perform code reviews, and utilize static and dynamic analysis tools to identify and fix vulnerabilities in the codebase.
  • Vulnerability Remediation: Establish a clear process for addressing identified vulnerabilities. Define roles and responsibilities, set timelines for remediation, and track progress to ensure vulnerabilities are addressed promptly and effectively.
  • Regular Security Training: Provide ongoing security awareness and training programs for employees, contractors, and stakeholders. Educate them about common attack vectors, phishing scams, and safe computing practices to reduce the risk of human error leading to vulnerabilities.
  • Incident Response Planning: Develop a comprehensive incident response plan that outlines the steps to be taken during a security incident. Define roles, establish communication channels, and conduct regular drills to test and improve the plan’s effectiveness.
  • Vulnerability Monitoring and Threat Intelligence: Implement a system for continuous vulnerability monitoring and threat intelligence gathering. Monitor the dark web for discussions or mentions related to your organization and proactively respond to potential threats or breaches.
  • Zero Trust Policy: Adopt a zero trust approach to network security, where every user, device, and application is treated as potentially untrusted. Implement strict access controls, multi-factor authentication, and continuous monitoring to verify and authenticate all network activity.
  • Proper Network Segmentation: Implement proper network segmentation to compartmentalize sensitive systems and data. This limits the potential impact of a security breach and reduces lateral movement within the network.
  • Security Testing and Penetration Testing: Conduct regular security testing, including penetration testing, to identify vulnerabilities and validate the effectiveness of security controls. Engage external security experts to perform independent assessments for unbiased results.
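The recommendations on vulnerability assessment, patch management and threat-intelligence monitoring come together in exposure triage: deciding which unpatched, internet-facing assets to fix first. The script below is an added example, not Cyble's tooling or code from this post. It ranks a constructed asset inventory against a small intel table built only from what the page states (affected products, whether a PoC was observed in the public domain, and whether active exploitation is reported), and gives extra weight to assets that are internet-exposed. The hostnames, the scoring weights and the priority thresholds are assumptions; affected-version checks are deliberately left to the vendor advisories, since this page does not list them.

```python
"""Exposure triage helper (added example, not Cyble's tooling).

Ranks an asset inventory by combining three facts about each CVE taken from
the post (product affected, public PoC observed, active exploitation reported)
with two facts about each asset from the organization's own records
(internet-exposed, vendor patch applied). Hostnames, weights and thresholds
below are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Intel:
    cve: str
    aliases: tuple        # product names matched case-insensitively as substrings
    poc_public: bool      # PoC seen in the public domain / cybercrime forums (per the post)
    exploited: bool       # active exploitation reported (per the post)


@dataclass(frozen=True)
class Asset:
    host: str
    product: str          # product string as recorded in the asset inventory
    internet_exposed: bool
    patched: bool         # vendor fix applied, per the patch-management process


# Intel table limited to what the post states. Fortinet and Aria "exploited"
# flags are left False because the post does not report exploitation of them;
# update from vendor advisories (assumption: this table is maintained manually).
INTEL = (
    Intel("CVE-2023-20877", ("aria operations for networks", "vrealize network insight"), True, False),
    Intel("CVE-2023-34362", ("moveit transfer",), True, True),
    Intel("CVE-2023-35063", ("moveit transfer",), False, False),
    Intel("CVE-2023-35708", ("moveit transfer",), False, False),
    Intel("CVE-2023-27997", ("fortios", "fortigate", "fortinet"), True, False),
)


def matching_intel(asset, intel=INTEL):
    """Return the intel entries whose product aliases appear in the asset's product string."""
    name = asset.product.lower()
    return [item for item in intel if any(alias in name for alias in item.aliases)]


def score(asset, item):
    """Assumed weights: every CVE on the page is critical (+1); active exploitation
    outweighs a public PoC, and internet exposure doubles the urgency of either."""
    s = 1
    if item.exploited:
        s += 3
    if item.poc_public:
        s += 2
    if asset.internet_exposed:
        s += 2
    return s


def priority(s):
    """Assumed thresholds mapping a score to a remediation priority bucket."""
    if s >= 7:
        return "P1"
    if s >= 5:
        return "P2"
    return "P3"


def triage(assets, intel=INTEL):
    """Return (host, cve, score, priority) for every unpatched asset/CVE pair,
    highest score first; patched assets are dropped from the work queue."""
    findings = []
    for asset in assets:
        if asset.patched:
            continue
        for item in matching_intel(asset, intel):
            s = score(asset, item)
            findings.append((asset.host, item.cve, s, priority(s)))
    findings.sort(key=lambda f: (-f[2], f[0], f[1]))
    return findings


# Constructed sample inventory (hostnames and states are made up for the example).
SAMPLE_ASSETS = (
    Asset("mft-01.example.internal", "MOVEit Transfer", internet_exposed=True, patched=False),
    Asset("mft-02.example.internal", "MOVEit Transfer", internet_exposed=False, patched=False),
    Asset("mft-03.example.internal", "MOVEit Transfer", internet_exposed=True, patched=True),
    Asset("nvi-01.example.internal", "vRealize Network Insight", internet_exposed=True, patched=False),
    Asset("fw-edge.example.internal", "FortiGate SSL-VPN", internet_exposed=True, patched=False),
    Asset("crm-01.example.internal", "Internal CRM", internet_exposed=True, patched=False),
)

if __name__ == "__main__":
    for host, cve, s, p in triage(SAMPLE_ASSETS):
        print(f"{p}  score={s}  {host:28}  {cve}")
```

Running it puts the internet-exposed MOVEit host with the actively exploited, public-PoC CVE at the top (P1), the internal MOVEit host and the exposed Fortinet and Aria hosts next (P2), and the remaining MOVEit CVEs without a known PoC at the bottom; the patched host and the unrelated CRM produce no findings. The product-alias matching is intentionally loose so that inventory strings such as "vRealize Network Insight" and the product's current name both hit the same CVE; in a real deployment the intel table would be fed from vendor advisories rather than edited by hand.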
