Zero-day exploits increasingly sought out by attackers

Threat actors – both state-backed and financially-motivated – are increasingly taking advantage of previously unknown vulnerabilities, or zero-days, to compromise their victims before fixes or patches are made available by the tech industry, according to a new advisory published by the Five Eyes cyber agencies, including the UK’s National Cyber Security Centre (NCSC) and the United States’ Cybersecurity and Infrastructure Security Agency (CISA).

The agencies have collectively drawn up a list of the 15 most exploited vulnerabilities of 2023 and found that the majority of exploited vulnerabilities were zero-days compared to less than half in 2022. The trend has continued through 2024, said the NCSC.

The NCSC said that defenders needed to up their game when it comes to vulnerability management, paying particular attention to applying updates as quickly as possible when they do arrive, and to making sure they have identified all the potentially affected IT assets in their estates.

The organisation also urged suppliers and developers to do more to implement secure-by-design principles into their products, something that the Five Eyes governments – Australia, Canada, New Zealand, the UK and the United States – have become particularly vocal about in the past 18 months. Doing so helps reduce the risk of vulnerabilities being accidentally introduced during development, only to be taken advantage off further down the line.

“More routine initial exploitation of zero-day vulnerabilities represents the new normal which should concern end-user organisations and vendors alike as malicious actors seek to infiltrate networks,” said NCSC chief technology officer (CTO) Ollie Whitehouse.

“To reduce the risk of compromise, it is vital all organisations stay on the front foot by applying patches promptly and insisting upon secure-by-design products in the technology marketplace,” said Whitehouse.

“We urge network defenders to be vigilant with vulnerability management, have situational awareness in operations and call on product developers to make security a core component of product design and life-cycle to help stamp out this insidious game of whack-a-mole at source,” he added.

The full list of the vulnerabilities most frequently exploited during 2023 is as follows:

• CVE-2023-3519, a code injection flaw in Citrix NetScaler ADC and NetScaler Gateway;
• CVE-2023-4966, a buffer overflow vulnerability in Citrix NetScaler ADC and NetScaler Gateway, aka Citrix Bleed;
• CVE-2023-20198, an elevation of privilege (EoP) issue in Cisco IOS XE Web UI;
• CVE-2023-20273, a web UI command injection bug in Cisco IOS XE;
• CVE-2023-27997, a heap-based buffer overflow flaw in Fortinet FortiOS and FortiProxy SSL-VPN;
• CVE-2023-34362, a SQL injection vulnerability in Progress MOVEit Transfer, infamously exploited by the Cl0p ransomware gang, the fall-out from which is still being felt;
• CVE-2023-22515, a broken access control vuln it Atlassian Confluence Data Center and Server;
• CVE-2021-44228, a remote code execution (RCE) issue in Apache Log4j2, aka Log4Shell, the source of a major incident at the end of 2021 and still being widely-abused years later;
• CVE-2023-2868, an improper input validation flaw in Barracuda Networks ESG Appliance;
• CVE-2022-47966, an RCE issue in Zoho ManageEngine;
• CVE-2023-27350, an improper access control vulnerability in PaperCut MF/NG;
• CVE-2020-1472, an EoP vuln in Microsoft Netlogon, the source of another high-profile historic incident that there is now no excuse for not having addressed;
• CVE-2023-427983, an authentication bypass flaw in JetBrains TeamCity;
• CVE-2023-23397, an EoP issue in Microsoft Office Outlook, widely-used by Russian spooks;
• And last but not least, CVE-2023-49103, an information disclosure vuln in ownCloud graphapi.

The full list, which can be downloaded from CISA, also contains details of a number of other issues that were observed being routinely exploited during 2023, prominent among them two vulnerabilities in Ivanti products disclosed in August 2023, and the infamous Fortra GoAnywhere flaw exploited, yet again, by the Cl0p gang.