CISA Reveals the Top 15 Most Exploited Vulnerabilities of 2023

Welcome to Picus Security's monthly cyber threat intelligence roundup! 

Each month, our goal is to provide insights into the most recent and key malware attacks and vulnerability exploitation campaigns that could potentially affect your industry and region. Recognizing that a blog might not fully cater to your specific threat intelligence requirements, we're excited to introduce a new platform. This platform is crafted to deliver the most customized cyber threat intelligence, directly addressing your unique needs.

Our Picus CTI platform will enable you to identify threats targeting your region, understand your security posture in comparison to similar organizations, and receive easy-to-implement mitigation signatures from a variety of vendors. Additionally, it will offer a report that you can use to communicate with your peers or within your organization, ensuring that you are well-informed and prepared to address cyber threats effectively..

KNOW WHO IS TARGETING YOU: GET YOUR FREE THREAT INTELLIGENCE REPORT

The Top 15 Most Exploited Vulnerabilities of 2023

In November 2024, the CISA, in collaboration with the FBI, the National Security Agency (NSA), and international cybersecurity partners, released a joint advisory identifying the top 15 vulnerabilities most frequently exploited by malicious actors in 2023. Notably, the majority of these vulnerabilities were initially exploited as zero-days, underscoring the critical importance of timely patch management.

Organizations are strongly advised to prioritize the remediation of these vulnerabilities to mitigate potential threats. Implementing robust patch management practices is essential to safeguard systems against exploitation. For a comprehensive list of known exploited vulnerabilities, refer to CISA's Known Exploited Vulnerabilities Catalog.

CVE ID	Vendor	Affected Product	Type of the Vulnerability
CVE-2023-3519	Citrix	NetScaler ADC/Gateway	Code Injection
CVE-2023-4966	Citrix	NetScaler ADC/Gateway	Buffer Overflow
CVE-2023-20198	Cisco	IOS XE Web UI	Privilege Escalation
CVE-2023-20273	Cisco	IOS XE	Web UI Command Injection
CVE-2023-27997	Fortinet	FortiOS/FortiProxy SSL-VPN	Heap-Based Buffer Overflow
CVE-2023-34362	Progress	MOVEit Transfer	SQL Injection
CVE-2023-22515	Atlassian	Confluence Data Center/Server	Broken Access Control
CVE-2021- 44228 (Log4Shell)	Apache	Log4j2	Remote Code Execution
CVE-2023-2868	Barracuda Networks	ESG Appliance	Improper Input Validation
CVE-2022-47966	Zoho	ManageEngine Multiple Products	Remote Code Execution
CVE-2023-27350	PaperCut	MF/NG	Improper Access Control
CVE-2020-1472	Microsoft	Netlogon	Privilege Escalation
CVE-2023-42793	JetBrains	TeamCity	Authentication Bypass
CVE-2023-23397	Microsoft	Office Outlook	Privilege Escalation
CVE-2023-49103	ownCloud	graphapi	Information Disclosure

Staying informed about such vulnerabilities and promptly applying security updates are crucial steps in safeguarding systems against potential cyber threats.

Latest Vulnerabilities and Exploits in November 2024

In this section, we will provide information on the latest vulnerabilities and exploits being targeted by adversaries in the wild, the affected products, and the available patches.

Palo Alto Networks Vulnerabilities CVE-2024-9463 and CVE-2024-9465 Are Being Actively Exploited  

• Affected Vendor: Palo Alto Networks
• Affected Product: Expedition Migration Tool
• CVEs: CVE-2024-9463, CVE-2024-9465
• Available Fixes: Update to Expedition version 1.2.96 or later.

In November 2024, CISA warned that critical vulnerabilities in Palo Alto Networks' Expedition migration tool, CVE-2024-9463, and CVE-2024-9465, are being actively exploited. These flaws allow attackers to execute OS commands as root and access sensitive data, including usernames, passwords, device configurations, and API keys. Palo Alto Networks has released fixes in version 1.2.96 and urged administrators to update or restrict network access if updating is not possible. 

CISA has mandated federal agencies to patch these systems by December 5 and 9, respectively, and added the vulnerabilities to its Known Exploited Vulnerabilities Catalog.

Figure 1. CISA Added CVE-2024-9463 & CVE-2024-9463 to Its KEV

Organizations must also rotate credentials associated with Expedition and affected firewalls. These advisories underscore the urgency of addressing vulnerabilities to prevent further exploitation.

CISA Warns of Active Exploitation of Palo Alto Networks' CVE-2024-5910 Vulnerability 

• Affected Vendor: Palo Alto Networks
• Affected Product: Expedition Migration Tool
• CVEs: CVE-2024-5910
• Available Fixes: Update to Expedition version 1.2.96 or later.

CISA alerted federal agencies to active exploitation of another critical vulnerability in Palo Alto Networks' Expedition tool, identified as CVE-2024-5910. This missing authentication flaw allows attackers with network access to take over administrative accounts, compromising configuration secrets and credentials. 

Despite a patch released in July 2024, exploitation has been observed, prompting CISA to add CVE-2024-5910 to its Known Exploited Vulnerabilities Catalog, mandating federal agencies to secure vulnerable systems by November 28. Organizations are urged to update Expedition to version 1.2.92 or later and restrict network access to authorized users to mitigate this threat.

CVE-2024-10924: Critical Vulnerability in Popular WordPress Plugin Exposes Sites to Admin Takeover

A critical authentication bypass vulnerability, designated CVE-2024-10924, was identified in the WordPress plugin 'Really Simple Security' (formerly 'Really Simple SSL') [1]. This flaw affects both free and Pro versions, potentially allowing remote attackers to gain full administrative access to affected sites. The vulnerability arises from improper handling of user authentication in the plugin's two-factor REST API actions, enabling unauthorized access to any user account, including administrators. 

Given the plugin's extensive use—over four million installations—this issue poses a significant security risk. Users are strongly advised to update to version 9.1.2 or later to mitigate potential exploitation.

In November 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a critical vulnerability in Array Networks' AG and vxAG secure access gateways, identified as CVE-2023-28461, to its Known Exploited Vulnerabilities catalog. This vulnerability, which allows unauthenticated remote code execution, has been actively exploited in the wild. Array Networks released patches addressing this issue in March 2023 with version 9.4.0.484. CISA has mandated that Federal Civilian Executive Branch agencies apply these patches by December 16, 2024, to secure their networks. Organizations are urged to update their systems promptly to mitigate potential risks.

Apple Urgently Patches Two Actively Exploited Zero-Day Vulnerabilities: CVE-2024-44308 and CVE-2024-44309

• Affected Vendor: Apple
• Affected Product: macOS (Intel-based), iOS, iPadOS, visionOS, Safari
• CVEs: CVE-2024-44308, CVE-2024-44309
• Available Fixes: Update to iOS 18.1.1, iPadOS 18.1.1, macOS Sequoia 15.1.1, visionOS 2.1.1, or Safari 18.1.1

Apple released urgent security updates to address two zero-day vulnerabilities—CVE-2024-44308 and CVE-2024-44309—actively exploited on Intel-based Mac systems [2]. Discovered by Google's Threat Analysis Group, these flaws affect JavaScriptCore and WebKit, potentially allowing arbitrary code execution and cross-site scripting attacks through malicious web content. 

Apple has provided patches across multiple platforms, including iOS 18.1.1, iPadOS 18.1.1, macOS Sequoia 15.1.1, visionOS 2.1.1, and Safari 18.1.1. Users are strongly advised to update their devices promptly to mitigate potential threats.

CISA Urges Agencies to Patch Critical CVE-2023-28461 Vulnerability in Array Networks Gateways

• Affected Vendor: Array Networks
• Affected Product: AG and vxAG Secure Access Gateways
• CVEs: CVE-2023-28461
• Available Fixes: Update to version 9.4.0.484 or later (released in March 2023).

In November 2024, CISA added a critical vulnerability in Array Networks' AG and vxAG secure access gateways, identified as CVE-2023-28461, to its Known Exploited Vulnerabilities catalog following reports of active exploitation. 

This vulnerability, which allows unauthenticated remote code execution, was patched by Array Networks in March 2023 with the release of version 9.4.0.484. CISA has mandated that Federal Civilian Executive Branch agencies apply these patches by December 16, 2024, to secure their networks. Notably, Trend Micro reported that the China-linked cyber espionage group Earth Kasha (also known as MirrorFace) has been exploiting this vulnerability, among others, to target organizations in Japan, Taiwan, and India. Organizations are urged to update their systems promptly to mitigate potential risks.

Figure 2. CISA Added CVE-2024-28461 to Its KEV

Top Threat Actors Observed in the Wild: November 2024

Here are the most active threat actors that were observed in the wild in November.

Salt Typhoon Hackers Target Telcos with New GhostSpider Malware

• Victim Location: Global (Telecommunications service providers) [3]
• Sectors: Telecommunications, Critical Infrastructure
• Threat Actor: Salt Typhoon (Earth Estries)
• Actor Motivation: Cyber espionage, likely state-sponsored by China
• Malware: GhostSpider, Masol RAT, Demodex rootkit, SnappyBee

In November 2024, security researchers reported that Salt Typhoon, a Chinese state-sponsored hacking group also known as Earth Estries, has been deploying a new backdoor malware named GhostSpider in attacks targeting telecommunications service providers [4]. This sophisticated, multi-modular backdoor facilitates unauthorized access and long-term espionage. 

Alongside GhostSpider, Salt Typhoon utilizes other malicious tools, including the Masol RAT, a Linux backdoor; the Demodex rootkit; and SnappyBee, a modular backdoor shared among Chinese APT groups. These tools enable the group to breach critical infrastructure and government organizations worldwide, underscoring the persistent threat posed by state-sponsored cyber espionage activities.

Helldown Ransomware Exploits CVE-2024-42057 to Breach Networks and Target SMEs

• Victim Location: United States and Europe
• Sectors: Small and Medium-Sized Enterprises (SMEs)
• Threat Actor: Helldown Ransomware Group
• Actor Motivations: Financial gain through data exfiltration and ransomware encryption
• Malware: Helldown ransomware (derived from LockBit 3 builder)
• CVE: CVE-2024-42057
  

In November 2024, researchers reported that the 'Helldown' ransomware group is exploiting vulnerabilities in Zyxel firewalls, notably CVE-2024-42057, to infiltrate corporate networks. This command injection flaw in the IPSec VPN feature allows unauthenticated attackers to execute OS commands on affected devices. Helldown, active since August 2024, has compromised at least 31 organizations, primarily small and medium-sized enterprises in the U.S. and Europe. 

The group employs tactics such as data exfiltration and system encryption, utilizing malware variants derived from the leaked LockBit 3 builder [5]. Zyxel released firmware version 5.39 in September 2024 to address this vulnerability. Organizations are urged to update their systems promptly and implement robust security measures to mitigate this threat.

RomCom Exploits CVE-2024-9680 and CVE-2024-49039 to Deploy Advanced Backdoor

• Victim Location: Europe and North America
• Sectors: Likely government, critical infrastructure, and private sectors (based on typical APT targeting)
• Threat Actor: RomCom (Russia-aligned threat group)
• Actor Motivations: Espionage and disruption
• Malware: RomCom Backdoor
• CVE: CVE-2024-9680, CVE-2024-49039

In late November 2024, the Russia-aligned threat group RomCom was found exploiting two newly discovered vulnerabilities—CVE-2024-9680 and CVE-2024-49039—to distribute their advanced backdoor malware [6]. 

CVE-2024-9680, a use-after-free flaw in Firefox's animation timeline, allowed attackers to execute code within the browser's sandbox.CVE-2024-49039, a privilege escalation vulnerability in Windows Task Scheduler, enabled code execution beyond the sandbox environment. When chained, these zero-days facilitated a seamless zero-click exploit, requiring no user interaction. Simply visiting a compromised site triggered the attack, allowing RomCom to deploy their backdoor malware with full control over affected systems. This campaign primarily targeted users in Europe and North America. Mozilla and Microsoft have since patched these vulnerabilities.

Recent Malware Attacks in November

In November 2024, a variety of malware attacks were recorded, highlighting the persistent threat landscape. Below is a detailed list of the active malware incidents for the month.

SteelFox Malware Exploits Vulnerable Drivers to Hijack Windows PCs Globally 

• Victim Location: Global
• Sectors: Individual users, small businesses, and professionals relying on pirated software
• Threat Actor: Unknown (likely cybercriminal group)
• Actor Motivations: Financial gain through cryptocurrency mining and credit card data theft
• Malware: SteelFox (info-stealer and cryptocurrency miner)

Cybersecurity researchers identified a malicious campaign distributing 'SteelFox,' a malware package that mines cryptocurrency and steals credit card data. SteelFox is disseminated through forums and torrent trackers, masquerading as software cracks for applications like Foxit PDF Editor, JetBrains, and AutoCAD. 

Upon execution, it employs the "bring your own vulnerable driver" (BYOVD) technique, installing a vulnerable driver to escalate privileges to SYSTEM level on Windows machines [7]. This method, previously associated with state-sponsored actors and ransomware groups, is now utilized by info-stealing malware. SteelFox establishes a secure connection with its command-and-control server using SSL pinning and TLS v1.3, facilitating the exfiltration of sensitive data. Researchers have detected and blocked over 11,000 SteelFox attacks, underscoring the importance of caution when downloading software from unverified sources.

Botnet Exploits CVE-2024-11120 in GeoVision Devices to Deploy Mirai Malware

• Victim Location: Primarily United States, globally exposed devices
• Sectors: Critical infrastructure, surveillance systems, small businesses
• Threat Actor: Unidentified botnet operators
• Actor Motivations: DDoS attacks, cryptomining, and botnet expansion
• Malware: Mirai malware variant

In November 2024, a critical zero-day vulnerability, CVE-2024-11120, was discovered in discontinued GeoVision devices, allowing attackers to deploy Mirai malware [8]. This OS command injection flaw enables unauthenticated remote access, leading to device compromise. The affected models, including GV-VS12, GV-VS11, GV-DSP LPR V3, and GV-LX4C V2/V3, are no longer supported, leaving approximately 17,000 devices exposed online, primarily in the United States. 

The attackers utilize a Mirai variant to hijack these devices, often repurposing them for Distributed Denial-of-Service (DDoS) attacks or cryptomining operations. To mitigate this threat, users are strongly encouraged to replace outdated devices or ensure they are removed from internet exposure.

References

[1] B. Toulas, “Security plugin flaw in millions of WordPress sites gives admin access,” BleepingComputer, Nov. 17, 2024. Available: https://www.bleepingcomputer.com/news/security/security-plugin-flaw-in-millions-of-wordpress-sites-gives-admin-access/. [Accessed: Dec. 02, 2024]

[2] The Hacker News, “Apple Releases Urgent Updates to Patch Actively Exploited Zero-Day Vulnerabilities,” The Hacker News, Nov. 20, 2024. Available: https://thehackernews.com/2024/11/apple-releases-urgent-updates-to-patch.html. [Accessed: Dec. 02, 2024]

[3] D. Ahmed, “Chinese Salt Typhoon Hacked T-Mobile in US Telecom Breach Spree,” Hackread - Latest Cybersecurity, Tech, Crypto & Hacking News, Nov. 18, 2024. Available: https://hackread.com/chinese-salt-typhoon-hacked-t-mobile-telecom-breach/. [Accessed: Dec. 02, 2024]

[4] B. Toulas, “Salt Typhoon hackers backdoor telcos with new GhostSpider malware,” BleepingComputer, Nov. 25, 2024. Available: https://www.bleepingcomputer.com/news/security/salt-typhoon-hackers-backdoor-telcos-with-new-ghostspider-malware/. [Accessed: Dec. 02, 2024]

[5] J. Scion, T. D. R. Sekoia, and J. S. A. Tdr, “Helldown Ransomware: an overview of this emerging threat,” Sekoia.io Blog, Nov. 19, 2024. Available: https://blog.sekoia.io/helldown-ransomware-an-overview-of-this-emerging-threat/. [Accessed: Dec. 02, 2024]

[6] Z. Zorz, “RomCom hackers chained Firefox and Windows zero-days to deliver backdoor,” Help Net Security, Nov. 26, 2024. Available: https://www.helpnetsecurity.com/2024/11/26/romcom-backdoor-cve-2024-9680-cve-2024-49039/. [Accessed: Dec. 02, 2024]

[7] K. Korchemny, “New SteelFox Trojan mimics software activators, stealing sensitive data and mining cryptocurrency,” Kaspersky, Nov. 06, 2024. Available: https://securelist.com/steelfox-trojan-drops-stealer-and-miner/114414/. [Accessed: Dec. 02, 2024]

[8] B. Toulas, “Botnet exploits GeoVision zero-day to install Mirai malware,” BleepingComputer, Nov. 15, 2024. Available: https://www.bleepingcomputer.com/news/security/botnet-exploits-geovision-zero-day-to-install-mirai-malware/. [Accessed: Dec. 02, 2024]