HIGH PROFILE GLOBAL VULNERABILITIES

The following list of top vulnerabilities is based on data collected by the Check Point Intrusion Prevention System (IPS) sensor net and details some of the most popular and interesting attack techniques and exploits observed by CP in 2023.

MOVEit (CVE-2023-34362)

This critical SQL injection vulnerability in MOVEit MFT (Managed File Transfer) software was exploited in 2023’s most prolific ransomware campaign, impacting more than 2,700 organizations globally. The vulnerability was exploited by the CL0P ransomware group prior to its public disclosure and used to deploy a web shell named LEMURLOOT, which was then used to steal data from MOVEit Transfer databases. The large number of victims and the volume of stolen data led CL0P to change its extortion techniques, relying on data extortion instead of encrypting, and publishing stolen data on Torrents. Check Point data shows that 7% of organizations were impacted by this vulnerability in 2023.

GoAnywhere (CVE-2023-0669)

This is a critical RCE vulnerability in the GoAnywhere MFT (Managed File Transfer) software, disclosed in February 2023. Prior to its disclosure, the flaw was actively exploited by the CL0P ransomware gang, leading to significant data breaches in more than 130 organizations. This incident highlights the growing trend of ransomware operators using zero-day vulnerabilities to conduct their attacks. Check Point data shows that 2.5% of organizations were impacted by this vulnerability in 2023.

Barracuda (CVE-2023-2868)

This is a critical remote command injection vulnerability identified in the Barracuda Email Security Gateway (ESG) appliance, which is exploited using malicious file attachments. The vulnerability was actively exploited as early as October 2022 by a Chinese APT actor in an aggressive campaign that impacted organizations on a global scale, with a significant focus on government agencies. Following the release of patches and containment efforts, the attackers adapted their techniques by altering their malware and employing additional persistence mechanisms to maintain access. As a result, both Barracuda and the FBI recommended that customers immediately replace compromised ESG devices.

Microsoft Outlook (CVE-2023-23397)

This is a critical privilege escalation vulnerability in Microsoft Outlook, discovered in March 2023 with a CVSS rating of 9.8. The flaw enables attackers to hijack users’ authentication hashes via specially crafted emails. The vulnerability was actively exploited by groups including the Russian-affiliated APT28.

CitrixBleed (CVE-2023-4966)

This critical vulnerability in Citrix NetScaler platforms allows remote unauthenticated attackers to extract system memory data which includes session tokens. These are then used to hijack legitimate sessions, bypassing password and MFA procedures. Due to its ease of use and the availability of proof-of-concept exploits, CitrixBleed was extensively exploited by several ransomware groups including LockBit, Medusa and Akira.

PaperCut (CVE-2023-27350)

This is a critical RCE (Remote Code Execution) vulnerability with a CVSS score of 9.8 in PaperCut, print management software with a user base of more than 100 million users. Disclosed with a patch released in March 2023, this flaw can lead to the exposure of sensitive information and the breach of entire networks. Following its disclosure, it was quickly leveraged by various malicious actors, including for the delivery of LockBit and CL0P ransomware. It was also exploited by state-sponsored APT groups. Check Point data shows that 9% of organizations were impacted by this vulnerability in 2023.

[Chart: Percentage of attacks leveraging vulnerabilities by disclosure year in 2023. Categories: 2023, 2022, 2021, 2020, 2019, 2018, 2017, 2016, 2015, 2014, 2013, Earlier. The bar values are not recoverable from the extracted text.]

In 2023, there was a noticeable shift in the cyber threat landscape, with newly disclosed vulnerabilities being rapidly exploited by attackers. Data indicates that vulnerabilities reported in 2023 and 2022 were responsible for 6% and 14% of all exploitation attempts, respectively. This demonstrates that recent vulnerabilities are more severe and easier to exploit, and that threat actors adopt and weaponize them much faster than older ones. Overall, relatively new vulnerabilities disclosed between 2021 and 2023 accounted for over 30% of exploitation attempts, a marked increase from the 17% observed in 2021 for vulnerabilities disclosed between 2019 and 2021. This trend is a departure from previous years, when attackers relied on organizations’ delayed patching and exploited older, unpatched vulnerabilities, as evidenced by the “long-tail” distribution pattern seen in previous years.
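As an added example (not from the report), the following Python script reproduces the metric behind this discussion over constructed, IPS-style alert lines: it buckets exploitation attempts by the year in each CVE id (used as a proxy for the disclosure year) and computes the share attributable to vulnerabilities from the last three years. The 2023 CVE ids are the ones named above; the older "CVE-YYYY-00001" ids, the log format and the signature names are constructed placeholders.

```python
import re
from collections import Counter

# Constructed, IPS-style alert lines (not real Check Point data): the 2023 ids are the
# CVEs named above; "CVE-YYYY-00001" ids are placeholders for older, long-patched flaws.
SAMPLE_ALERTS = """\
2023-06-02T10:14:03Z action=prevent sig="MOVEit SQLi" cve=CVE-2023-34362
2023-06-02T10:14:09Z action=prevent sig="MOVEit SQLi" cve=CVE-2023-34362
2023-06-02T11:02:41Z action=prevent sig="GoAnywhere RCE" cve=CVE-2023-0669
2023-06-02T11:30:00Z action=detect sig="Outlook NTLM leak" cve=CVE-2023-23397
2023-06-03T08:00:12Z action=prevent sig="placeholder-2022" cve=CVE-2022-00001
2023-06-03T08:00:13Z action=prevent sig="placeholder-2021" cve=CVE-2021-00001
2023-06-03T09:15:27Z action=prevent sig="placeholder-2021" cve=CVE-2021-00001
2023-06-03T12:45:00Z action=prevent sig="placeholder-2017" cve=CVE-2017-00001
2023-06-04T01:20:18Z action=prevent sig="placeholder-2014" cve=CVE-2014-00001
2023-06-04T02:00:00Z action=prevent sig="placeholder-2012" cve=CVE-2012-00001
"""

CVE_RE = re.compile(r"\bCVE-(\d{4})-\d{4,}\b")

def share_by_cve_year(alerts: str) -> dict:
    """Percentage of CVE-tagged attempts per CVE-id year (newest first).
    The id year is when the CVE was assigned; it serves here as a proxy for the
    disclosure year and can differ from it. Lines without a CVE are ignored."""
    counts = Counter()
    for line in alerts.splitlines():
        m = CVE_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    total = sum(counts.values()) or 1  # avoid division by zero on empty input
    return {y: round(100 * n / total, 1)
            for y, n in sorted(counts.items(), reverse=True)}

def bucket_earlier(shares: dict, earliest: int = 2013) -> dict:
    """Fold years before `earliest` into an 'Earlier' bucket, as the chart above does."""
    out = {}
    for year, pct in shares.items():
        key = year if int(year) >= earliest else "Earlier"
        out[key] = round(out.get(key, 0.0) + pct, 1)
    return out

def recent_share(shares: dict, report_year: int = 2023, window: int = 3) -> float:
    """Share of attempts against CVEs from the last `window` years (2021-2023 here)."""
    return round(sum(p for y, p in shares.items()
                     if report_year - int(y) < window), 1)

if __name__ == "__main__":
    shares = share_by_cve_year(SAMPLE_ALERTS)
    print(bucket_earlier(shares), "recent share:", recent_share(shares))
```

Pointing the script at real IPS exports gives the same two figures the report compares year over year: the per-year distribution and the combined share of the most recent three disclosure years.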

Malicious Infrastructure by TLD (Top Level Domain)

This section highlights the most frequently used malicious Top-Level Domains (TLDs) as observed through Check Point’s ThreatCloud AI in 2023. Domains, whether used to disguise phishing sites or to serve as command and control (C&C) centers for major botnets, are critical components of a threat actor’s infrastructure. Understanding trends associated with various TLDs equips defenders with another tool for assessing potential risks. Several factors may influence threat actors’ preference for a specific TLD, including the targeted organization they aim to impersonate, the availability of the TLD with their preferred domain registrar, or the cost associated with acquiring the TLD.

[Chart: Percentage of new malicious domains by TLD per month, 2022-2023. Series: 2022, 2023. The per-TLD values are not recoverable from the extracted text.]