Trend 2023: 10 vulnerabilities to watch closely


Once again, the number of security vulnerabilities exploded in 2022. According to the database maintained by MITRE, their number rose to 25,059, an increase of 20% compared to 2021. These have been widely exploited by cyberattacker groups, and the first trends of 2023 do not suggest any change in this regard. Here are the 10 vulnerabilities to watch out for in 2023.

ESXiArgs campaign

This ransomware campaign, which raged around the world in February 2023, targets VMware's virtualization technology, ESXi. Its overall impact is still hard to assess, but many ESXi servers, exposed on the internet and not up to date, have been affected and encrypted.

The vulnerability used by this campaign (CVE-2021-21974) affects OpenSLP (Open Service Location Protocol), which is enabled by default on ESXi, and allows remote code execution. The affected servers were therefore mostly those exposed on the internet and not up to date. The versions affected by this flaw are: ESXi 7.x prior to ESXi70U1c-17325551, ESXi 6.7.x prior to ESXi670-202102401-SG and ESXi 6.5.x prior to ESXi650-202102101-SG.

What is singular about this campaign is that the OpenSLP vulnerability was two years old, and exploits had been publicly available since mid-2021. To this day, no one knows why the campaign was not launched earlier. The attackers, for their part, were reactive: they adapted their method of encrypting the servers just a few days after CISA (Cybersecurity & Infrastructure Security Agency) published a decryption assistance script for the victims.

Aikido wiper

Wipers are a category of malware whose role is to delete data from the file system, usually to render the system unusable.

Aikido, for its part, is a martial art one of whose core principles is to use the opponent's own force against him. This is exactly the idea the eponymous wiper uses: it forces an antivirus/EDR agent present on the system to remove vital components from it. In practice, Aikido uses symbolic links/junctions so that the agent, which is supposed to protect the system, deletes critical files or drivers after mistaking them for threats.

Several antivirus and EDR products have been affected by this flaw, and the vendors have all released patches to correct it. It is obviously recommended to apply them as soon as possible.
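The defensive pattern behind those patches is to resolve a path before acting on it and refuse the deletion if the real target lies outside the directory being cleaned. The following is an added example written for this article (not code from any antivirus or EDR vendor, nor from the wiper): a `safe_unlink` routine that follows symlinks with `os.path.realpath` and checks the result against an allowed root and a list of protected roots. The `demo` function builds a constructed scenario in a temporary directory, with a stand-in "critical.sys" and a planted link pointing at it; all names and paths in it are invented for the example.

```python
import os
import tempfile
from pathlib import Path


class RefusedDeletion(Exception):
    """Raised when a deletion would escape the directory the agent was cleaning."""


def _is_within(path: Path, root: Path) -> bool:
    return path == root or root in path.parents


def safe_unlink(target: Path, allowed_root: Path, protected_roots=()) -> Path:
    """Remove `target` only if the location it really points to is under
    `allowed_root` and not under any of `protected_roots`.

    os.path.realpath follows every symlink/junction in the path, so a link an
    attacker planted inside the cleanup directory is unmasked before any
    delete happens. Returns the resolved path that was checked.
    """
    root = allowed_root.resolve(strict=True)
    real = Path(os.path.realpath(target))
    if not _is_within(real, root):
        raise RefusedDeletion(f"{target} resolves to {real}, outside {root}")
    for protected in protected_roots:
        if _is_within(real, Path(protected).resolve()):
            raise RefusedDeletion(f"{target} resolves into protected {protected}")
    # Safe: the referent is inside our own directory. Path.unlink removes a
    # symlink itself, never what it points to.
    target.unlink()
    return real


def demo() -> dict:
    """Constructed scenario: a 'quarantine' directory the agent may clean, a
    'system' directory holding a critical file (stand-in for a driver), and a
    link planted inside quarantine that points at that file."""
    base = Path(tempfile.mkdtemp())
    quarantine = base / "quarantine"
    system = base / "system" / "drivers"
    quarantine.mkdir()
    system.mkdir(parents=True)
    critical = system / "critical.sys"
    critical.write_text("constructed driver stand-in")
    detected = quarantine / "dropper.exe"
    detected.write_text("constructed detection stand-in")
    planted = quarantine / "dropper2.exe"
    planted.symlink_to(critical)

    result = {}
    safe_unlink(detected, quarantine, [system])
    result["regular_file_removed"] = not detected.exists()
    try:
        safe_unlink(planted, quarantine, [system])
        result["planted_link_refused"] = False
    except RefusedDeletion:
        result["planted_link_refused"] = True
    result["critical_file_intact"] = critical.exists()
    return result


if __name__ == "__main__":
    print(demo())
```

The check is done on the resolved path rather than the path the scanner recorded, because the link can be swapped in between detection and remediation; a production agent would additionally open the file and delete by handle to close that window.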

OpenSSL

OpenSSL is a cross-platform library that implements many cryptographic functions. It is very commonly embedded in solutions that handle certificates, or more broadly cryptographic objects.

CVE-2023-0286 affects OpenSSL versions 3.0.0, 1.1.1 and 1.0.2 and allows an attacker to remotely read the memory of the server running OpenSSL (as well as cause a denial of service). Theoretically, it could be used with several replays to determine the keys used in a cryptographic exchange (such as a TLS communication, for example).

OpenSSL has already released patches (3.0.8, 1.1.1t and 1.0.2zg) fixing this vulnerability, but every application that embeds its own copy of OpenSSL should also be checked and patched if necessary.
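Checking an embedded copy means comparing its reported version with the fixed release of its branch, and the letter suffix of pre-3.0 releases ("1.1.1t", "1.0.2zg") does not sort as a plain string. The following added example (written for this article, not OpenSSL project code) parses an `OpenSSL x.y.z[letters]` banner such as the one Python exposes as `ssl.OPENSSL_VERSION`, and compares it against the three fixed versions named above. The banner strings in the test are constructed; the mapping from branch to fixed version is taken from the paragraph.

```python
import re
import ssl

# Fixed releases named in the article, keyed by branch.
FIXED_VERSIONS = {"3.0": "3.0.8", "1.1.1": "1.1.1t", "1.0.2": "1.0.2zg"}

_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(banner: str) -> tuple:
    """Turn 'OpenSSL 1.1.1t  7 Feb 2023' into a comparable tuple.

    Pre-3.0 releases carry a letter patch level; OpenSSL orders them
    a < b < ... < z < za < zb ..., so compare by length first, then lexically.
    """
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"unrecognised OpenSSL banner: {banner!r}")
    major, minor, fix = (int(x) for x in m.group(1, 2, 3))
    letters = m.group(4)
    return (major, minor, fix, len(letters), letters)


def branch_of(version: tuple) -> str:
    """3.x releases are branched on major.minor; older ones on major.minor.fix."""
    major, minor, fix = version[:3]
    return f"{major}.{minor}" if major >= 3 else f"{major}.{minor}.{fix}"


def is_vulnerable(banner: str):
    """Return (vulnerable, reason). `vulnerable` is None for branches the
    article does not list, so the caller can treat them separately."""
    version = parse_version(banner)
    branch = branch_of(version)
    fixed = FIXED_VERSIONS.get(branch)
    if fixed is None:
        return (None, f"branch {branch} is not in the list of affected branches")
    return (version < parse_version("OpenSSL " + fixed), f"{branch}: fixed in {fixed}")


def check_local():
    """Check the OpenSSL this Python interpreter is linked against."""
    return is_vulnerable(ssl.OPENSSL_VERSION)


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION, check_local())
```

A LibreSSL or BoringSSL banner raises `ValueError` rather than being silently marked safe; when inventorying applications, each statically linked copy needs the same comparison against its own banner, not the system library's.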

Active Directory Setup

Active Directory (AD) is the heart of most modern information systems (IS): it groups Windows workstations and servers (sometimes even Linux ones) and serves as an identity provider for many on-premise systems (and also for the cloud, with systems like Azure AD Connect). It is therefore a prime target for attackers, since the compromise of an AD administrator generally leads to that of the entire system.

Vulnerabilities in AD are numerous; among the most recent are PrintNightmare (manipulation of the print spooler service), the presence of obsolete protocols (NTLMv1, SMBv1, LMHash, LLMNR) and poor management of service accounts. Many tools exist to help detect, prioritize and remediate these vulnerabilities.

Focus on vulnerabilities related to AD CS

Active Directory Certificate Services (AD CS) is a popular Microsoft PKI (Public Key Infrastructure) service, particularly because it is free and easy to use. For the same reasons as with AD, it is very common to encounter vulnerabilities on this service. A good example of this criticality is the exploitation of the PetitPotam flaw: it exploits a vulnerability in the Encrypting File System Remote protocol in order to carry out an NTLM relay attack against the PKI server and impersonate the targeted server (for example, a domain controller). Microsoft has recommended several hardening configurations to prevent PetitPotam from being exploited.

Outlook thick client flaw

On March 14, 2023, Microsoft communicated about a flaw (CVE-2023-23397) affecting a large share of Microsoft Outlook (mail client) versions. With a score of 9.8, this critical vulnerability is exploited when an attacker sends an email containing a link to an SMB (file sharing protocol) resource that he controls. The attacker can then retrieve the NTLMv2 hash of the user's password and replay it against other resources in order to impersonate the user.

No correction of the flaw seems to have been communicated for the moment.
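For hunting, the useful signal is a mail item whose properties carry a UNC path or `file://` URL pointing at a host outside the organisation, because that is what makes the client reach out over SMB. The following is an added example (written for this article, not Microsoft's script or any product code) that scans messages represented as plain dicts. It assumes the relevant value sits in a property named `PidLidReminderFileParameter` (the Outlook reminder sound property; treat the name as this example's assumption, since the article does not name it) and that a real scanner would feed it MAPI properties read from the mailbox. The messages, hosts and addresses in the sample are constructed.

```python
import re

# Property assumed to carry the custom reminder sound path of an Outlook item.
REMINDER_FILE_PROPERTY = "PidLidReminderFileParameter"

# \\host\share\...  and  file://host/share/...  both name a remote host.
_UNC_RE = re.compile(r"^\\\\([^\\/:]+)\\", re.IGNORECASE)
_FILE_URL_RE = re.compile(r"^file://(?:/{0,2})([^/\\:]+)[/\\]", re.IGNORECASE)


def outbound_host(value: str):
    """Return the host a UNC path or file:// URL would make the client contact,
    or None for local paths (C:\\...) and other values."""
    value = value.strip()
    for pattern in (_UNC_RE, _FILE_URL_RE):
        m = pattern.match(value)
        if m:
            return m.group(1).lower()
    return None


def scan_messages(messages, trusted_hosts):
    """Flag messages whose reminder file property points at an untrusted host."""
    trusted = {h.lower() for h in trusted_hosts}
    findings = []
    for msg in messages:
        value = msg.get("properties", {}).get(REMINDER_FILE_PROPERTY)
        if not value:
            continue
        host = outbound_host(value)
        if host and host not in trusted:
            findings.append({"subject": msg["subject"], "from": msg["from"],
                             "host": host, "value": value})
    return findings


# Constructed sample mailbox (addresses from documentation ranges).
SAMPLE_MESSAGES = [
    {"subject": "Weekly report", "from": "colleague@corp.example", "properties": {}},
    {"subject": "Standup", "from": "pm@corp.example",
     "properties": {REMINDER_FILE_PROPERTY: r"\\fileserver.corp.example\sounds\ding.wav"}},
    {"subject": "Invoice overdue", "from": "billing@example.net",
     "properties": {REMINDER_FILE_PROPERTY: r"\\203.0.113.10\share\reminder.wav"}},
    {"subject": "Re: meeting", "from": "someone@example.org",
     "properties": {REMINDER_FILE_PROPERTY: "file://198.51.100.7/share/alert.wav"}},
    {"subject": "Local sound", "from": "me@corp.example",
     "properties": {REMINDER_FILE_PROPERTY: r"C:\Windows\Media\chimes.wav"}},
]

TRUSTED_HOSTS = ["fileserver.corp.example"]

if __name__ == "__main__":
    for f in scan_messages(SAMPLE_MESSAGES, TRUSTED_HOSTS):
        print(f"{f['from']!r} -> {f['host']} ({f['subject']})")
```

Any hit against an external host is worth an incident ticket; the complementary control, independent of patching, is to block outbound SMB (TCP 445) at the perimeter so that the NTLM exchange never reaches the attacker's server.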

Bypassing Strong Authentication Methods

Faced with increasingly frequent identity theft attempts, the use of multi-factor authentication (MFA) is an ever stronger recommendation. This can involve sending a code by SMS or e-mail, using cryptographic hardware such as smart cards or security keys, or using a code obtained via an application on the phone.

But with the appearance of services such as EvilProxy, even MFA is no longer sufficient. How does it work? A phishing link is sent to the target, directing them to a site that is a copy of the "real" one (such as the Microsoft 365 authentication page). The user then enters their login details (including an MFA token), which the malicious site replays to authenticate the user to the real site. The operation is thus transparent on the user's side, while the attacker can use the session cookie recovered this way to connect as well.

Configuring CI/CD development pipelines

It is increasingly common to use CI/CD (Continuous Integration / Continuous Deployment) pipelines to automate virtual machine deployment tasks in cloud environments. But security recommendations are still too rarely integrated into these processes, which leaves them very vulnerable to attack.

It is not uncommon to find authentication secrets in the clear in these pipelines, without proper protection. Pipeline poisoning attacks also exist, allowing attackers to modify deployment procedures to embed flaws or malicious code. Given the growth of CI/CD, this type of attack is expected to increase in the future.
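The "secrets in the clear" problem is the one a pipeline review can catch mechanically: a credential-looking key whose value is a literal, as opposed to a reference into the platform's secret store. The following added example (written for this article; it is not any CI vendor's scanner) walks a pipeline definition line by line and reports such assignments, accepting `${{ secrets.NAME }}`, `$NAME`/`${NAME}` and `$(NAME)` forms as indirect references. The `SAMPLE_PIPELINE` text and every key and value in it are constructed for the example.

```python
import re

# Key names that usually hold credentials.
_SENSITIVE_KEY = re.compile(
    r"(password|passwd|secret|token|api[_-]?key|access[_-]?key|private[_-]?key)", re.I)
# "KEY: value", "KEY=value", optionally as a YAML list item ("- KEY=value").
_ASSIGNMENT = re.compile(r"^\s*(?:-\s*)?([A-Za-z_][\w.-]*)\s*[:=]\s*(.+?)\s*$")
# Values that are references, not literals: ${{ secrets.X }}, $X, ${X}, $(X).
_INDIRECT = re.compile(r"^\$\{\{\s*secrets\.|^\$\{?[A-Za-z_][A-Za-z0-9_]*\}?$|^\$\(")


def find_cleartext_credentials(pipeline_text: str):
    """Return (line_number, key, masked_value) for every credential-like key
    assigned a literal value in the pipeline definition."""
    findings = []
    for lineno, line in enumerate(pipeline_text.splitlines(), 1):
        code = line.split("#", 1)[0]          # drop trailing comment
        m = _ASSIGNMENT.match(code)
        if not m:
            continue
        key, value = m.groups()
        if not _SENSITIVE_KEY.search(key):
            continue
        value = value.strip().strip("'\"")
        if not value or _INDIRECT.match(value):
            continue
        findings.append((lineno, key, value[:3] + "..."))
    return findings


# Constructed pipeline definition; the literal values are placeholders.
SAMPLE_PIPELINE = """\
name: deploy
env:
  DB_USER: app
  DB_PASSWORD: "Summer2023!"   # constructed literal credential
  API_TOKEN: ${{ secrets.API_TOKEN }}
steps:
  - run: ./deploy.sh --token $DEPLOY_TOKEN
  - name: push image
    env:
      AWS_ACCESS_KEY_ID: AKIAEXAMPLENOTREAL
      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
      REGISTRY_PASSWORD: $(REGISTRY_PASSWORD)
"""

if __name__ == "__main__":
    for lineno, key, masked in find_cleartext_credentials(SAMPLE_PIPELINE):
        print(f"line {lineno}: {key} = {masked}")
```

Run it as a pre-merge check on pipeline files; the remediation for each hit is to move the value into the platform's secret store and reference it, and to rotate the credential, since it is already in the repository history.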

Attacks on industrial equipment

With the advent of Industry 4.0, industrial machines are increasingly connected, within corporate networks and sometimes even to the Internet. However, their security is often neglected, in particular because of the plurality of technologies involved.

As the Colonial Pipeline attack in May 2021 showed, cyberattacks on industrial equipment can have enormous impacts. It is therefore essential to closely monitor the security of factory-floor equipment, to detect the vulnerabilities that affect it and to remediate them as quickly as possible.

Attacks related to machine learning and artificial intelligence

The race for artificial intelligence tools keeps accelerating, as seen at the start of the year with the various announcements from players such as Microsoft and Google. Two angles should be considered regarding the security of these innovations. First, such tools could be used by attackers to adapt their attack methods on a large scale, and make them more effective. Second, these tools are based on statistical models that require a training phase, which can be corrupted: if an individual managed to gain access to it, he could modify the models to degrade the effectiveness of the tool. We are thinking in particular of EDR-type solutions, which today often include machine learning for behavioral detection.
