Critical Vulnerabilities Affecting Prioritized Software and Services in August 2023

Key Findings

  • In August 2023, Optiv’s Global Threat Intelligence Center (gTIC) covered four vulnerabilities rated as critical severity affecting software and services on the gTIC’s Prioritized Software and Services List. The gTIC also covered 21 other high-to-critical severity vulnerabilities affecting commonly used software and services that shape the cyber threat landscape.
  • Multiple reported vulnerabilities have been actively exploited in the wild, including those identified in Adobe ColdFusion, Citrix ShareFile and NetScaler, and Zoho’s ManageEngine ServiceDesk.
  • Optiv’s gTIC assesses that threat actors will continue to leverage known and unknown vulnerabilities in prioritized software and services over the next 12 months.

About the Vulnerabilities

Content Management Systems

Adobe ColdFusion
The U.S. CISA warned organizations that an Adobe ColdFusion vulnerability, CVE-2023-26359 (CVSS 9.8), was being exploited in attacks. Disclosed and patched in March 2023, this critical deserialization vulnerability can lead to arbitrary code execution. CISA instructed government organizations to address the vulnerability by September 11, 2023. No details of the attacks were released. However, CISA has stated previously that vulnerabilities are only added to the Known Exploited Vulnerabilities (KEV) Catalog when there is credible evidence that the vulnerability has been exploited. This vulnerability was patched alongside CVE-2023-26360 (CVSS 8.6), which was exploited in the wild and added to the KEV Catalog in March 2023. Adobe ColdFusion vulnerabilities have previously been exploited to execute PowerShell commands and create a web shell that gives threat actors access to the targeted endpoint. CISA’s KEV Catalog lists 12 ColdFusion vulnerabilities, 4 of them reported in 2023.

Citrix
In June 2023, Citrix released an update for CVE-2023-24489 (CVSS 9.8) affecting Citrix ShareFile, a cloud-based file-sharing and collaboration application. The vulnerability impacts the customer-managed ShareFile storage zones controller. Security researchers found that “an unauthenticated, remote attacker can trigger the vulnerability to compromise the controller by uploading arbitrary files or executing arbitrary code.” The vulnerability was patched in June 2023 with the release of version 5.11.24. In July 2023, security researchers with GreyNoise reported that threat actors had begun exploiting the vulnerability against victim organizations. In August 2023, CISA added CVE-2023-24489 to its KEV Catalog. PoC exploits have been made publicly available for this vulnerability, and searches have shown between 1,000 and 6,000 internet-accessible instances. GreyNoise reported a massive spike in exploitation attempts from 72 unique IPs.

VPN and Proxy Clients

Citrix NetScaler ADC & Gateway
In July 2023, Citrix alerted customers to three vulnerabilities affecting NetScaler ADC and NetScaler Gateway for which exploits already existed in the wild. The most severe, CVE-2023-3519 (CVSS 9.8), could be exploited to remotely execute code without authentication. The vulnerability was patched on July 18, 2023, and it had previously been exploited as a zero-day to breach the network of a U.S. critical infrastructure organization. In early August, security researchers at the Shadowserver Foundation reported that over 640 Citrix NetScaler ADC and Gateway servers had been breached in attacks targeting CVE-2023-3519. Many of the compromised servers are in Europe. However, Canada, Russia, and the U.S. also have thousands of vulnerable NetScaler devices.

Security researchers with Sophos reported that a threat group called STAC4663 has targeted unpatched Citrix NetScaler systems in apparent ransomware attacks. The attackers exploited CVE-2023-3519 to gain persistent access. Researchers reported that in one August 2023 attack, STAC4663 exploited CVE-2023-3519 “to conduct a domain-wide attack, including injecting payloads into legitimate executables such as the Windows Update Agent (wuauclt.exe) and the Windows Management Instrumentation Provider Service (wmiprvse.exe)…Sophos said the modus operandi aligns ‘closely’ with that of an attack campaign that NCC Group Fox-IT disclosed…in which nearly 2,000 Citrix NetScaler systems were breached.”

Remote Access and IT Management

Zoho ManageEngine Service Desk
Security researchers with Cisco Talos reported that Lazarus Group, an adversary supported by the North Korean government, had been exploiting an older remote code execution (RCE) vulnerability, CVE-2022-47966 (CVSS 9.8), in Zoho’s ManageEngine ServiceDesk to compromise an “internet backbone infrastructure company in Europe” and “healthcare entities in Europe and the United States.” The campaign deployed the QuiteRAT and CollectionRAT malware.

Honorable Mentions

Ivanti Sentry
Ivanti warned that a Sentry API authentication bypass vulnerability, CVE-2023-38035 (CVSS 9.8), was being exploited in the wild. Although Ivanti Pulse Connect Secure is on the Optiv gTIC’s Prioritized Software and Services List, the Sentry products are not. Researchers found that the vulnerability “enables unauthenticated attackers to gain access to sensitive admin portal configuration APIs exposed over port 8443, used by MobileIron Configuration Service (MICS). Successful exploitation allows [threat actors] to change configuration, run system commands, or write files onto systems running Ivanti Sentry versions 9.18 and prior.”

Milesight Industrial Router
Security researchers at Cisco Talos reported that threat actors could potentially exploit numerous vulnerabilities impacting the Milesight UR32L industrial router to achieve arbitrary code or command execution. The most critical of these vulnerabilities, CVE-2023-23902 (CVSS 9.8), is a pre-authentication buffer overflow vulnerability that SecurityWeek states “could lead to RCE via network requests.”

PaperCut Software
Security researchers with Horizon3.ai reported a path traversal and file upload vulnerability in the Windows PaperCut print management software, which could lead to RCE. Horizon3.ai argues that the vulnerability, CVE-2023-39143 (CVSS 8.4), “enables unauthenticated attackers to potentially read, delete, and upload arbitrary files to the PaperCut MF/NG application server, resulting in remote code execution in certain configurations.” The patches for this vulnerability include a fix for CVE-2023-3486 (CVSS 7.4), a DoS vulnerability that researchers claim “could allow an unauthenticated attacker with direct server IP access to upload arbitrary files into a target directory.”

In April 2023, ransomware groups, including Cl0p, and Iran-linked APT groups actively exploited CVE-2023-23750 (CVSS 6.3), another PaperCut software vulnerability. Company printers are an attractive target for threat actors, as they can offer an entryway into an organization’s networks. As previously observed with the “PrintNightmare” flaws (CVE-2021-34527 and CVE-2021-1675), threat actors can exploit these vulnerabilities to access internal networks. Once there, they can steal sensitive data and deploy malware, including ransomware, wipers, and backdoors.

Barracuda ESG
On August 9, 2023, the U.S. CISA released an alert warning of a malware variant, Whirlpool, that was employed in attacks targeting Barracuda ESG devices by exploiting CVE-2023-2868 (CVSS 9.8), a vulnerability disclosed in May 2023. According to Security Affairs, the vulnerability “resides in the module for email attachment screening [that was exploited] to obtain unauthorized access to a subset of ESG appliances.” Mandiant researchers attributed the attacks to a threat group named UNC4841. The U.S. FBI warned that patches for CVE-2023-2868 are “ineffective,” and patched appliances are still being targeted. The FBI echoed Barracuda’s advice to replace compromised appliances.

CODESYS SDK
Security researchers with Microsoft reported 16 high-severity vulnerabilities affecting the CODESYS V3 software development kit (SDK), which could result in RCE and DoS attacks. The vulnerabilities, which have been labeled "CoDe16," include CVE-2022-47378 through CVE-2022-47393. Fifteen of the vulnerabilities have a CVSS score of 8.8, while CVE-2022-47391 has a CVSS score of 7.5. The vulnerabilities were patched in April 2023.

Analysis and Potential Impacts of These Vulnerabilities

Optiv’s gTIC assesses with High Confidence that threat actors will continue to target, or begin targeting, these vulnerabilities over the next 12 months to steal sensitive information and credentials, or to deploy malware, including backdoors, cryptocurrency miners, ransomware, and information stealers. It is likely that these vulnerabilities will be targeted by both cybercriminal and APT groups.

Based on the knowledge that threat actors often mimic each other's behavior and tools, the Optiv gTIC maintains its Prioritized Software and Services list of the most commonly targeted and exploited software and services, which organizations should prioritize in terms of patch management, hardening, asset inventory, and visibility. These products and services are known to be targeted by all types of cyber adversaries, including hacktivists, cybercriminals, and state-sponsored entities. They are currently targeted and exploited by adversaries and are forecasted with high confidence to remain so. Many of the vulnerabilities discussed above impact software and services included on the gTIC’s prioritized list.

Advanced cyber threat actors are observed to employ what Optiv’s gTIC refers to as a “weakest-link” approach to reconnaissance and initial access in most campaigns. This includes opportunistic phishing campaigns with malicious Microsoft Office attachments or links distributed to multiple organizations and potential victims, or the exploitation of older and/or publicly reported vulnerabilities in popular public-facing software and services such as VPN clients, RDP, Microsoft Exchange, and Oracle WebLogic. Cyber adversaries are also observed to be creatures of habit and will likely attempt to exploit vulnerabilities in software that has proved fruitful in previous campaigns. For example, it is Highly Likely that APT groups from China will attempt to leverage old and new vulnerabilities in Zoho ManageEngine and Citrix NetScaler ADC/Gateway, including the vulnerabilities mentioned in this report, in future campaigns.

Optiv’s gTIC estimates that over the next 12 months, initial access will Very Likely remain the predominant and most important ATT&CK tactic associated with adversary campaigns and attempts, as it is the first step in a successful attack before the execution of any other tactic or technique. Organizations and enterprises are advised to take inventory of whether any of the products in our prioritized list are present in their environment, in addition to other risk-based variables (i.e., industry vertical, geography, etc.), and assess the potential risk of a compromise of any accounts and systems associated with these products. From there, one can prioritize defensive measures and counteraction efforts, as well as propose supplements to existing security and risk management policies.
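The inventory-and-prioritize step recommended above, as an added example that is not part of the original report: it cross-references the CVEs discussed in this report against a CISA KEV feed and an asset inventory, and ranks them by presence in the environment and KEV due date. The KEV excerpt embedded here is constructed in the layout of CISA's JSON feed; only the CVE ids, products and the September 11, 2023 due date for CVE-2023-26359 come from the report, and the other dates and ransomware flags are placeholders.

```python
import json
from datetime import date

# Constructed excerpt in the layout of CISA's KEV JSON feed ("vulnerabilities"
# array of records). CVE ids and products are those named in this report; the
# 2023-09-11 due date for CVE-2023-26359 is from the report, every other date
# and the ransomware flags are constructed placeholders, not real KEV data.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2023-26359", "vendorProject": "Adobe", "product": "ColdFusion",
     "dueDate": "2023-09-11", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2023-26360", "vendorProject": "Adobe", "product": "ColdFusion",
     "dueDate": "2023-04-05", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2023-24489", "vendorProject": "Citrix", "product": "ShareFile",
     "dueDate": "2023-09-06", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2023-3519", "vendorProject": "Citrix", "product": "NetScaler",
     "dueDate": "2023-08-09", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2022-47966", "vendorProject": "Zoho", "product": "ManageEngine",
     "dueDate": "2023-02-13", "knownRansomwareCampaignUse": "Known"},
]})

# CVEs discussed in this report. CVE-2023-39143 (PaperCut) exercises the
# "not in KEV" path: the report does not say it was added to the catalog.
REPORT_CVES = {"CVE-2023-26359", "CVE-2023-26360", "CVE-2023-24489",
               "CVE-2023-3519", "CVE-2022-47966", "CVE-2023-39143"}


def prioritize(kev_json, report_cves, inventory, today_iso):
    """Rank the report's CVEs for remediation.

    inventory is a set of (vendorProject, product) pairs present in the
    environment, matched against the KEV fields of the same name. Returns
    (ranked, not_in_kev): ranked puts in-inventory products first, then sorts
    by days left until the KEV due date (negative = overdue); not_in_kev lists
    report CVEs the feed lacks, which still need the vendor patch.
    """
    today = date.fromisoformat(today_iso)
    records = {r["cveID"]: r for r in json.loads(kev_json)["vulnerabilities"]}
    ranked, not_in_kev = [], sorted(report_cves - set(records))
    for cve in report_cves & set(records):
        r = records[cve]
        ranked.append({
            "cve": cve,
            "product": f'{r["vendorProject"]} {r["product"]}',
            "in_inventory": (r["vendorProject"], r["product"]) in inventory,
            "ransomware_use": r.get("knownRansomwareCampaignUse") == "Known",
            "days_left": (date.fromisoformat(r["dueDate"]) - today).days,
        })
    ranked.sort(key=lambda e: (not e["in_inventory"], e["days_left"]))
    return ranked, not_in_kev
```

With an inventory of {("Adobe", "ColdFusion"), ("Citrix", "NetScaler")} and a date of 2023-08-31, the two overdue in-inventory CVEs (CVE-2023-26360 and CVE-2023-3519) rank first, CVE-2023-26359 follows with 11 days left, and CVE-2023-39143 is returned separately as absent from the feed.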

Consultant I | Optiv
Emily Lee has served as a Consultant and Cyber Threat Intelligence Analyst on Optiv’s Global Threat Intelligence Center (gTIC) since 2021. She supports the Incident Response team and Optiv’s clients by leveraging Open Source Intelligence (OSINT) collection and research and client threat data to provide situational awareness, manage risk and expectations, and support incident response and counteraction decisions.
