Critical Vulnerabilities Affecting Prioritized Software and Services in June 2023

Key Findings


  • In May 2023, Progress released a security advisory related to a SQL injection vulnerability affecting the MOVEit Transfer software that could allow privilege escalation and unauthorized access to the environment.
  • Clop ransomware targeted the MOVEit Transfer vulnerability, CVE-2023-34362, and has named dozens of victims on its data leak site starting on June 14, 2023. The victims were given seven days to make payments before their data would be released. Since June 21, several victims’ data has been posted on the Clop data leak site.
  • Many other critical vulnerabilities have been reported during June 2023, several of which impact software and services on the gTIC’s Prioritized Software and Services List that organizations should prioritize in terms of patch management, hardening, asset inventory, and visibility.
  • The Optiv gTIC assesses that threat actors will leverage the widespread attention and focus on the MOVEit vulnerabilities to exploit other vulnerabilities while unnoticed.


About the Vulnerabilities

MOVEit
Over the last month, the Optiv Global Threat Intelligence Center (gTIC) has released several updates regarding the MOVEit Transfer vulnerabilities. On May 31, 2023, Progress issued a security notice to users of MOVEit Transfer regarding a vulnerability that allows for privilege escalation and potential unauthorized access to the environment. On June 09, 2023, Progress released an update to the security notice related to the MOVEit Transfer vulnerability, CVE-2023-34362, stating that the company partnered with third-party cybersecurity experts who identified an additional vulnerability, CVE-2023-35036, that threat actors could potentially leverage to stage an exploit. Progress also disclosed CVE-2023-35708, a vulnerability that adversaries can exploit to elevate privileges and achieve potential unauthorized access to the environment.


Attacks exploiting CVE-2023-34362 have been attributed to the Clop ransomware group. The group posted on their data leak site that victims of the exploited vulnerability had until June 14, 2023, to contact the group before their data was leaked. Clop operators announced that data would be leaked seven days after the company was named, starting on June 21, 2023.


On June 14, 2023, the Clop group began listing victims that were purportedly compromised using the MOVEit vulnerability on their data leak site, CL0P^_- LEAKS. At the time of writing, dozens of victims have been listed, and several have been removed, indicating that those victims have paid the ransom or started negotiations. Additionally, on June 21, Clop began posting links to some victims’ stolen data on their data leak site. It is likely that the Clop group will continue to list victims on their data leak site over the next 30 days. Additionally, it is likely that additional threat actors will attempt to exploit the MOVEit vulnerabilities over the next 12 months.


The Optiv gTIC has released numerous notifications regarding this vulnerability, including indicators of compromise (IoCs) and MITRE ATT&CK mappings. Please see the most recent notification, dated June 16, 2023, for more information regarding the MOVEit vulnerabilities.


Figure 1: Cl0p ransomware group’s extortion message posted to CL0P^_- LEAKS


Given the high-profile nature of the MOVEit vulnerabilities and their widespread impact, the Optiv gTIC is also providing a high-level overview of several other recent critical vulnerabilities. While security teams focus on MOVEit, threat actors are likely to use this as an opportunity to exploit other vulnerabilities. Several critical vulnerabilities reported this month impact software and services on the gTIC’s prioritized list of the most targeted and exploited software and services that organizations should prioritize regarding patch management, hardening, asset inventory, and visibility. These products and services are known to be targeted by all types of cyber adversaries, including hacktivists, cybercriminals, and state-sponsored entities.


Critical Enterprise Software

VMware
Two critical vulnerabilities affecting VMware products were reported in June. The first vulnerability, CVE-2023-20887 (CVSS 9.8), could allow a threat actor with network access to perform a command injection attack resulting in RCE. The second vulnerability, CVE-2023-20888 (CVSS 9.1), could allow a threat actor with network access and valid "member" role credentials to launch a deserialization attack resulting in RCE. VMware confirmed the exploitation of CVE-2023-20887 in the wild. The attacks exploiting this vulnerability started on June 13 and originated from two IP addresses. Proof-of-concept (PoC) exploit code for the vulnerability is publicly available online.


Content Management System Sites

WordPress
In June, CVE-2023-2986 (CVSS 9.8) was disclosed, which affects the WordPress "Abandoned Cart Lite for WooCommerce" plugin, installed on more than 30,000 sites. According to Defiant’s Wordfence, “The vulnerability makes it possible for an attacker to gain access to the accounts of users who have abandoned their carts, who are typically customers but can extend to other high-level users when the right conditions are met.” It impacts all plugin versions up to and including 5.14.2. Researchers found that “An authentication bypass issue arises because of insufficient encryption protections that are applied when customers are notified when they have abandoned their shopping carts on e-commerce sites without completing the purchase. Specifically, the encryption key is hard coded in the plugin, thereby allowing malicious actors to login as a user with an abandoned cart.”


CVE-2023-2834 (CVSS 9.8) is another authentication bypass vulnerability disclosed in June. It impacts StylemixThemes’ "Booking Calendar | Appointment Booking | BookIt" plugin, which has more than 10,000 installations, and results from insufficient verification of the user-supplied identity when an appointment is booked through the plugin.


A critical security flaw was disclosed in miniOrange’s Social Login and Register plugin for WordPress that could allow a threat actor to log in as any user whose email address they know. The vulnerability, CVE-2023-2982 (CVSS 9.8), is an authentication bypass flaw that impacts all plugin versions up to and including 7.6.4. An attacker can leverage this vulnerability by supplying any associated email address to gain access to the matching account on a site, including administrator accounts. The issue occurs because the encryption key used to protect the information exchanged during a login via social media accounts is hard-coded, allowing a threat actor to craft a valid request containing a properly encrypted email address that identifies the user. With more than 30,000 sites running the plugin, any site on which the targeted account belongs to a WordPress administrator could be fully compromised. The vulnerability was patched with the release of version 7.6.5 on June 14, 2023.


Also in June, WPScan issued an alert warning of a vulnerability, CVE-2023-3460 (CVSS 9.8), affecting all versions of the Ultimate Member plugin, including the version released on June 29, 2023; the vulnerability is being actively exploited. Ultimate Member lets site owners create and manage WordPress user profiles and communities. Researchers found that the vulnerability “stems from an inadequate blocklist logic put in place to alter the wp_capabilities user meta value of a new user to that of an administrator and gain full access to the site.” Partial fixes for the vulnerability were released in earlier versions, but WPScan’s advisory warned that attackers can still circumvent the patches using numerous methods, and the vulnerability remains exploitable. In the observed attacks, threat actors are leveraging the vulnerability to register new accounts under the names apadmins, se_brutal, segs_brutal, wpadmins, wpengine_backup, and wpenginer and to upload malicious plugins and themes through the site’s administration panel. Addressing the vulnerability, the Ultimate Member authors released version 2.6.7 on July 1, 2023, and reported that they will release a feature enabling site admins to reset all user passwords.
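As an added defensive example, not code from the report, WPScan, or the Ultimate Member project: a Python check that decodes the PHP-serialized wp_capabilities user meta value and flags administrator accounts that are missing from a known-admin list, were registered recently, or use the account names reported above. The export row layout, the known-admin list, the review time, and the sample rows are assumptions.

```python
"""Flag suspicious WordPress administrator accounts in a user export.
WordPress keeps each user's roles in wp_usermeta under the meta_key
"wp_capabilities" as a PHP-serialized array, e.g. a:1:{s:13:"administrator";b:1;}.
The check decodes that value and flags admin accounts that are not on the
site's known-admin list, were registered recently, or use reported names."""
import re
from datetime import datetime, timedelta

# Account names reported in the Ultimate Member attacks (from the report).
SUSPICIOUS_LOGINS = {"apadmins", "se_brutal", "segs_brutal", "wpadmins",
                     "wpengine_backup", "wpenginer"}
# Entries of the simple "string key => bool" map WordPress serializes.
_ENTRY = re.compile(r's:(\d+):"([^"]*)";b:([01]);')
REPORT_TIME = datetime(2023, 7, 1)  # assumed time of the review


def roles_from_capabilities(serialized: str) -> set:
    """Return the roles whose flag is true in a wp_capabilities value."""
    return {name for _, name, flag in _ENTRY.findall(serialized) if flag == "1"}


def find_suspicious_admins(users, known_admins, now, max_age_days=30):
    """users: dicts with user_login, user_registered (ISO text) and
    wp_capabilities (serialized). Returns a list of (login, reasons)."""
    findings = []
    for u in users:
        reasons = []
        is_admin = "administrator" in roles_from_capabilities(u["wp_capabilities"])
        if is_admin and u["user_login"] not in known_admins:
            reasons.append("administrator role not in known-admin list")
        if is_admin and now - datetime.fromisoformat(u["user_registered"]) < timedelta(days=max_age_days):
            reasons.append(f"administrator registered within {max_age_days} days")
        if u["user_login"] in SUSPICIOUS_LOGINS:
            reasons.append("login matches a name reported in the attacks")
        if reasons:
            findings.append((u["user_login"], reasons))
    return findings


# Constructed sample rows in the shape a wp_users/wp_usermeta export would give.
SAMPLE_USERS = [
    {"user_login": "siteowner", "user_registered": "2021-03-02 10:00:00",
     "wp_capabilities": 'a:1:{s:13:"administrator";b:1;}'},
    {"user_login": "editor1", "user_registered": "2022-07-14 09:30:00",
     "wp_capabilities": 'a:1:{s:6:"editor";b:1;}'},
    {"user_login": "wpengine_backup", "user_registered": "2023-06-30 03:12:44",
     "wp_capabilities": 'a:1:{s:13:"administrator";b:1;}'},
]

if __name__ == "__main__":
    for login, why in find_suspicious_admins(SAMPLE_USERS, {"siteowner"}, REPORT_TIME):
        print(login, "->", "; ".join(why))
```

Any hit should be verified against the site's own records before the account is removed, and a hit on a recently registered administrator is worth checking even if the login is not one of the reported names.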


VPN and Proxy Clients

Fortinet
In June, CVE-2023-27997 (CVSS 9.7), which impacts FortiOS and FortiProxy, may have been exploited in a limited number of cases to target government, manufacturing, and critical infrastructure organizations. Fortinet released new FortiGate firmware updates that fixed this critical pre-authentication RCE vulnerability in SSL VPN devices. Researchers found that the vulnerability is “a heap-based buffer overflow vulnerability in FortiOS and FortiProxy SSL-VPN that could allow a remote attacker to execute arbitrary code or commands via specifically crafted requests.” Moreover, security researchers at Bishop Fox “developed an exploit for the vulnerability and found 490,000 affected SSL VPN interfaces exposed on the internet, and 69% of them are currently unpatched.” Additionally, the same Bishop Fox researchers identified 8-year-old FortiOS versions exposed to the internet that remain unpatched against multiple vulnerabilities in the software, as well as many instances of FortiOS version 5, which has passed its end of life and no longer receives fixes for vulnerabilities.


In June, Fortinet released updates to address a critical vulnerability affecting its FortiNAC network access control solution, CVE-2023-33299 (CVSS 9.6), which could lead to arbitrary code execution. Fortinet described this vulnerability as a case of Java untrusted object deserialization.


Remote Access and IT Management

Zoho ManageEngine
In June 2023, CVE-2021-40539 (CVSS 9.8) was targeted by a recently discovered Chinese state-sponsored threat actor, Volt Typhoon (aka Vanguard Panda). This two-year-old critical vulnerability in Zoho’s ManageEngine ADSelfService Plus was patched in September 2021. Volt Typhoon exploited this vulnerability to gain initial access, masked its webshell as a legitimate process, and erased logs, which allowed the group to maintain access to the environment for an extended time. The group was then observed stealing administrator credentials and moving laterally through the network.


Honorable Mentions

The vulnerabilities below do not affect software and services on the Optiv gTIC’s prioritized list, but they are critical-severity flaws in commonly used or highly prevalent software and services that present a large attack surface to threat actors.


Zyxel
CVE-2023-27992 (CVSS 9.8) is an OS command injection vulnerability in some of Zyxel’s consumer network-attached storage (NAS) devices. An attacker could remotely trigger the vulnerability using a specially crafted HTTP request.


ASUS
Two critical vulnerabilities in multiple ASUS router models, CVE-2022-26376 (CVSS 9.8) and CVE-2018-1160 (CVSS 9.8), were addressed with new firmware. Researchers found that CVE-2022-26376 is “a memory corruption weakness in the Asuswrt firmware for Asus routers that could let attackers trigger denial-of-services states or gain code execution.” These same researchers identified CVE-2018-1160 as a vulnerability “caused by an out-of-bounds write Netatalk weakness that can also be exploited to gain arbitrary code execution on unpatched devices.”


Barracuda ESG
CVE-2023-2868 (CVSS 9.8) is a remote command injection vulnerability affecting a module designed for the initial screening of email attachments. It has been exploited since at least October 2022, and most recently, it was exploited in attacks targeting Barracuda Networks ESG appliances in May 2023. Research shows that the vulnerability results from “a failure to comprehensively sanitize the processing of .tar files [and] stems from incomplete input validation of a user-supplied .tar file as it pertains to the names of the files contained within the archive.” Barracuda released a patch, but as of June 6, 2023, the company updated its announcement to report that impacted ESG appliances must be immediately replaced regardless of patch version level.


Windows
Six reported critical Windows vulnerabilities could expose users to RCE attacks, three of which occur in Windows Pragmatic General Multicast (PGM), the protocol used to deliver packets reliably between multiple network members. The three vulnerabilities, tracked as CVE-2023-29363, CVE-2023-32014, and CVE-2023-32015, all have a 9.8 CVSS score. This is the third consecutive month in which PGM has had a vulnerability scoring 9.8. PGM is commonly deployed but is not enabled by default. Another critical vulnerability highlighted in Microsoft’s Patch Tuesday is CVE-2023-32021 (CVSS 8.8), an RCE bug in Microsoft Exchange Server that allows attackers to bypass the fixes for issues that were previously exploited in the wild.


Cisco
CVE-2023-20151 (CVSS 9.6) is a vulnerability in Cisco’s Expressway Series and TelePresence Video Communication Server enterprise collaboration products. It results from the improper handling of password change requests: a threat actor could send a specially crafted request to change the password for any user account on the system, including that of the read-write administrator.


Analysis and Potential Impacts of Those Vulnerabilities
Optiv’s gTIC assesses with High Confidence that threat actors will continue to exploit the MOVEit Transfer vulnerability in an attempt to steal sensitive information and credentials, as well as deploy malware, over the next 30 days. It is Likely that additional threat actors, including APT groups and cybercriminals, will begin targeting the vulnerability over the next 30 days.


Based on the knowledge that threat actors often mimic each other's behavior and tools, the Optiv gTIC provides its Prioritized Software and Services list of the most commonly targeted and exploited software and services that organizations should prioritize in terms of patch management, hardening, asset inventory, and visibility. These products and services are known to be targeted by all types of cyber adversaries, including hacktivists, cybercriminals, and state-sponsored entities. These are products and services that are currently, and forecasted with High Confidence to be, targeted and exploited by adversaries. Many of the vulnerabilities discussed above impact software and services included on the gTIC’s prioritized list.


Advanced cyber threat actors are observed to employ what Optiv’s gTIC refers to as a “weakest-link” approach to reconnaissance and initial access in most campaigns. This includes opportunistic phishing campaigns with malicious Microsoft Office attachments or links distributed to multiple organizations and potential victims, or the exploitation of older and/or publicly reported vulnerabilities in popular public-facing software and services like VPN clients, RDP, Microsoft Exchange, and Oracle WebLogic. Threat actors often share tools and techniques, which frequently overlap not only with other state-sponsored APT campaigns but also with techniques observed in common cyber-criminal activity. Optiv’s gTIC acknowledges that there are exceptions among notable groups who modify or create bespoke post-exploitation malware, but in most instances they achieve Initial Access, Persistence, and Lateral Movement via commonly observed tools and techniques.


Additionally, Optiv’s gTIC estimates that over the next 12 months, Initial Access will Very Likely remain the predominant and most important ATT&CK tactic associated with adversary campaigns and attempts, as it is the first step in a successful attack before the execution of any other tactic or technique. Organizations and enterprises are advised to take inventory of whether any of the products in our prioritized list are present in their environment, consider other risk-based variables (i.e., industry vertical, geography, etc.), and assess the potential risk of a compromise of any accounts and systems that are associated with these products. From there, one can prioritize defensive measures and counteraction efforts, as well as propose supplements to existing security and risk management policies.


References
Marton, Istvan (2023, June 19) Tyche Softwares Addresses Authentication Bypass Vulnerability in Abandoned Cart Lite for WooCommerce WordPress Plugin.
(2023, June 20) VMSA-2023-0012.2.
(2023, June 7) Cisco Expressway Series and Cisco TelePresence Video Communication Server Privilege Escalation Vulnerabilities.
(2023, June 13) Security Update Guide.
Toulas, Bill (2023, June 15) Barracuda ESG Zero-Day Attacks Linked to Suspected Chinese Hackers.
(2023, May 19) ASUS Product Security Advisory.
(2023, June 20) Zyxel Security Advisory For Pre-Authentication Command Injection Vulnerability in NAS Products.

Consultant I | Optiv
Emily Lee has served as a Consultant and Cyber Threat Intelligence Analyst on Optiv’s Global Threat Intelligence Center (gTIC) since 2021. She supports the Incident Response team and Optiv’s clients by leveraging Open Source Intelligence (OSINT) collection and research and client threat data to provide situational awareness, manage risk and expectations, and support incident response and counteraction decisions.
