Critical Vulnerabilities Affecting Prioritized Software and Services in September 2023

Key Findings

  • In September 2023, Optiv’s Global Threat Intelligence Center (gTIC) covered twelve vulnerabilities rated as high to critical severity affecting software and services on gTIC’s Prioritized Software and Services List.
  • Multiple vulnerabilities reported have been actively exploited in the wild, including those identified in Adobe Acrobat and Reader, Fortinet firewall and proxy products, and Zoho’s ManageEngine.
  • Optiv’s gTIC assesses that threat actors will continue to leverage known and unknown vulnerabilities in prioritized software and services over the next 12 months.




Critical Enterprise Software

Microsoft patched two zero-day vulnerabilities in its September Patch Tuesday updates. The first is CVE-2023-36761 (CVSS 6.2), an information disclosure vulnerability in Microsoft Word that Rapid7 argues could result in NTLM hash disclosure and the ability to subsequently “Pass the Hash” and authenticate remotely as the victim. The second is CVE-2023-36802 (CVSS 7.8), an elevation of privilege vulnerability in the Microsoft Streaming Service Proxy, which could give an attacker SYSTEM privileges via exploitation of a kernel driver. No user interaction is required to exploit it; however, the attacker must already have low-privileged code execution on the machine before they can elevate.
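The Word NTLM-disclosure case above is a reminder that a leaked credential has to travel somewhere: bugs of this class coax the client into authenticating to a host the attacker controls. As an added example (not from the original report and not Optiv tooling), the script below triages constructed flow records for the egress path such a leak needs, TCP 445 or 139 from a workstation to a globally routable address. The flow format, the addresses and the assumption that the leak is delivered over SMB are illustrative.

```python
"""Flag outbound SMB connections to Internet hosts in flow records.

Added example, not part of the original report and not Optiv tooling.
NTLM-leak bugs of the kind described above work by coaxing the client into
authenticating to a host the attacker controls; if a workstation can reach
arbitrary Internet hosts on TCP 445, the Net-NTLMv2 response leaves the
network. This script triages constructed flow records for that egress
pattern. The flow format and sample data are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Ports on which a Windows client sends NTLM authentication when it fetches
# a remote resource over SMB. (WebDAV over HTTP/HTTPS is another path, but
# generic web egress cannot be flagged on port alone and is left out.)
SMB_PORTS = {445, 139}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one constructed 'src dst dport proto' record; skip blanks/comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    src, dst, dport, proto = line.split()
    return Flow(src, dst, int(dport), proto.lower())


def is_smb_egress(flow: Flow) -> bool:
    """True for a TCP flow to an SMB port whose destination is globally routable."""
    if flow.proto != "tcp" or flow.dport not in SMB_PORTS:
        return False
    try:
        dst = ipaddress.ip_address(flow.dst)
    except ValueError:          # hostname or garbage rather than an IP literal
        return False
    # is_global excludes RFC 1918, loopback, link-local and the other
    # special-purpose ranges, so internal file servers do not trip the check.
    return dst.is_global


def find_smb_egress(lines: List[str]) -> List[Flow]:
    """Return every record that indicates an NTLM-leak-capable egress path."""
    return [f for f in map(parse_flow, lines) if f is not None and is_smb_egress(f)]


# Constructed sample: one internal share access, one suspicious egress,
# and several flows that should not be flagged.
SAMPLE_FLOWS = [
    "# src            dst             dport proto",
    "10.20.30.40      10.20.30.5      445   tcp",   # internal file server: fine
    "10.20.30.41      93.184.216.34   445   tcp",   # SMB to an Internet host: flag
    "10.20.30.41      93.184.216.34   443   tcp",   # ordinary HTTPS: ignore
    "10.20.30.42      93.184.216.34   445   udp",   # not TCP: ignore
    "10.20.30.43      2001:db8::10    139   tcp",   # IPv6 documentation range: ignore
    "10.20.30.44      fileserver.corp 445   tcp",   # not an IP literal: ignore
]

if __name__ == "__main__":
    for hit in find_smb_egress(SAMPLE_FLOWS):
        print(f"ALERT {hit.src} -> {hit.dst}:{hit.dport} outbound SMB to public host")
```

The same check, inverted, is the preventive control: an egress firewall rule that denies TCP 445/139 to anything outside the organization's own ranges removes the delivery path regardless of which client bug is used to trigger the authentication.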


Microsoft products are included on the Optiv gTIC’s Prioritized List of Software and Services due to the frequent targeting of these products. Threat actors are consistently identifying new ways to conduct attacks, and they can exploit such vulnerabilities to gain access to AD environments and elevate privileges. From there, adversaries can steal sensitive data and deploy malware, such as backdoors, web shells, and ransomware. It is Likely that threat actors will continue targeting critical business software, such as Microsoft’s, over the next 12 months.


Content Management Systems

During Adobe’s Patch Tuesday updates for September 2023, a patch was released for an actively exploited vulnerability, CVE-2023-26369 (CVSS 7.8). This out-of-bounds write flaw in the Windows and macOS versions of Acrobat and Reader could allow attackers to execute malicious code on a vulnerable system when a user opens a specially crafted PDF document. Details about the observed attacks have not been released at this time. A full list of the affected and updated versions can be found in the advisory.


Threat actors target Adobe products and other critical enterprise software for various actions, including accessing and exfiltrating data, gaining initial entry through phishing and malware disguised as legitimate files, installing backdoors and web shells, enumerating user credentials and privileges, and mapping out other parts of the network. It is Very Likely that threat actors will continue targeting this vulnerability over the next 12 months.


VPN and Proxy Clients

The U.S. Cyber Command reported that state-sponsored threat actors breached a U.S. aeronautical organization. Although the article did not name a specific threat group, it did state that Iranian APT groups were Likely responsible for the activity. To gain initial access, the unnamed APT group exploited CVE-2022-47966 (CVSS 9.8), an RCE vulnerability in Zoho ManageEngine. The threat actors then exploited CVE-2022-42475 (CVSS 9.8), a heap-based buffer overflow vulnerability in FortiOS SSL-VPN, to establish persistence on the organization’s Fortinet firewall device. The Cyber National Mission Force (CNMF) urged organizations to review and implement the recommended mitigation strategies.


In 2022, Iranian APT groups exploited the Log4Shell vulnerability to breach a U.S. Federal Civilian Executive Branch organization’s systems and deploy malware. U.S. organizations are a frequent target of Iranian and other state-sponsored APT groups. However, many APT groups operate using the same TTPs, which can make post-incident attribution difficult. Both Zoho ManageEngine and Fortinet firewall devices are included on Optiv’s gTIC’s Prioritized List of Software and Services due to the frequency of attacks targeting them. Threat actors will Likely continue targeting vulnerabilities in ubiquitous software to gain initial access, persistence, and lateral movement over the next 12 months.


Also this month, Fortinet released security updates to address critical vulnerabilities. As noted in the advisories, CVE-2023-29183 (CVSS 7.3) is an XSS vulnerability in the FortiOS and FortiProxy GUI that adversaries could exploit to execute malicious JavaScript code in an administrator’s browser session. CVE-2023-34984 (CVSS 7.1) is a protection mechanism failure vulnerability in FortiWeb that threat actors could leverage “to bypass XSS and XSRF protections”. Neither is a direct remote code execution flaw; their impact comes from acting within a logged-in administrator’s session, which can give an attacker that administrator’s control over the affected system.


Fortinet products are included on Optiv’s gTIC’s Prioritized Software and Services list due to the frequency of attacks targeting these products. These vulnerabilities will Likely be attractive targets for threat actors, including both cybercriminal and APT groups, due to the impact an attack can have, the type of information that can be accessed, and the ability to deploy malware. It is Likely that attackers will begin exploiting these vulnerabilities over the next 30 days.


Remote Access and IT Management

Zoho ManageEngine
As discussed in the VPN and Proxy Clients section above, the U.S. Cyber Command released an article reporting that state-sponsored threat actors exploited vulnerabilities in Zoho ManageEngine and Fortinet firewalls to breach a U.S. organization.


Software Development, Documentation, Code/Project Repositories

Atlassian and the Internet Systems Consortium (ISC) have disclosed several security flaws impacting their products that could be exploited to achieve denial of service and remote code execution. CVE-2022-25647 (CVSS 7.5) is a deserialization vulnerability in the Google Gson package, affecting the patch management functionality of Jira Service Management Data Center and Server. CVE-2023-22512 (CVSS 7.5) is a DoS vulnerability in Confluence Data Center and Server, CVE-2023-22513 (CVSS 8.5) is an RCE vulnerability in Bitbucket Data Center and Server, and CVE-2023-28709 (CVSS 7.5) is a DoS vulnerability in the Apache Tomcat server bundled with Bamboo Data Center and Server. ISC patched two vulnerabilities affecting the BIND 9 DNS software suite that could lead to denial-of-service conditions, CVE-2023-3341 (CVSS 7.5) and CVE-2023-4236 (CVSS 7.5).


The successful compromise of Atlassian products, including Confluence and Jira, can allow attackers to access sensitive data; discover user credentials and other sensitive directories; or manipulate, destroy, or compromise existing code and projects, which can be distributed as a supply-chain attack. It is Likely that threat actors will target these vulnerabilities over the next 12 months.


Honorable Mentions

Progress Software, an enterprise technology vendor, released updates for critical vulnerabilities in its WS_FTP file transfer software. The security bulletin documented at least eight security defects that could be exploited remotely and urged customers to upgrade to WS_FTP Server 2020.0.4 (8.7.4) or WS_FTP Server 2022.0.2 (8.8.2). Two of these vulnerabilities are rated critical: CVE-2023-40044 (CVSS 10.0), a .NET deserialization flaw in the Ad Hoc Transfer module that allows pre-authentication RCE, and CVE-2023-42657 (CVSS 9.9), a directory traversal flaw that allows file operations outside the authorized WS_FTP folder path.


Earlier this year, Progress responded to multiple critical vulnerabilities in the MOVEit managed file transfer product that led to a series of serious ransomware attacks. It is Likely that threat actors will begin attempting to exploit these vulnerabilities over the next 30-90 days. Previous vulnerabilities in file transfer software have been leveraged for lateral movement, the installation of web shells for persistence, and the deployment of ransomware for impact. Such is the case for critical GoAnywhere MFT (2023) and Accellion FTA (2020-2021) vulnerabilities.


Bleeping Computer reports that Google “assigned a new CVE ID (CVE-2023-5129) to a libwebp security vulnerability exploited as a zero-day.” The vulnerability had already been patched at the time of disclosure. Bleeping Computer writes that Google initially disclosed the vulnerability “as a Chrome weakness, tracked as CVE-2023-4863, rather than assigning it to the open-source libwebp library used to encode and decode images in WebP format.” The vulnerability has now been assigned a new CVE, given a maximum CVSS score of 10.0, and recognized as a heap buffer overflow in libwebp’s WebP decoding. Bleeping Computer notes that the vulnerability “enables attackers to execute out-of-bounds memory writes using maliciously crafted HTML pages,” which could result in anything from “crashes to arbitrary code execution and unauthorized access to sensitive information.” Bleeping Computer writes that the libwebp library is used in projects including “1Password, Signal, Safari, Mozilla Firefox, Microsoft Edge, Opera, and the native Android web browsers,” and the reclassification makes clear that every application bundling the library, not only Chrome, is exposed.


The number of platforms that utilize the libwebp library, the high level of access that the vulnerability can provide, and the in-the-wild exploitation indicate that it is Highly Likely that more threat actors will begin exploiting this vulnerability over the next 90 days.


Analysis and Potential Impacts of These Vulnerabilities


Optiv’s gTIC assesses with High Confidence that threat actors will continue or begin to target these vulnerabilities over the next 12 months to steal sensitive information and credentials, or to deploy malware, including backdoors, cryptominers, ransomware, and information stealers. It is Likely that both cybercriminal and APT groups will target these vulnerabilities.


Based on the knowledge that threat actors often mimic each other's behavior and tools, Optiv’s gTIC provides its Prioritized Software and Services list of the most commonly targeted and exploited software and services that organizations should prioritize in terms of patch management, hardening, asset inventory, and visibility. These products and services are known to be targeted by all types of cyber adversaries, including hacktivists, cybercriminals, and state-sponsored entities. These are products and services that are currently, and forecasted with High Confidence to be, targeted and exploited by adversaries. Many of the vulnerabilities discussed above impact software and services included on the gTIC’s prioritized list.


Advanced cyber threat actors are observed to employ what Optiv’s gTIC refers to as a “weakest-link” approach to reconnaissance and initial access in most campaigns. These include using opportunistic phishing campaigns with malicious Microsoft Office attachments or links distributed to multiple organizations and potential victims, or the exploitation of older and/or publicly reported vulnerabilities in popular public-facing software and services like VPN clients, RDP, Microsoft Exchange, and Oracle WebLogic. Threat actors often share tools and techniques, which frequently overlap with not only other state-sponsored APT campaigns, but also with techniques observed in common cyber-criminal activity. Optiv’s gTIC acknowledges there are exceptions among notable groups who modify or create bespoke post-exploitation malware. But it is important to note that in most instances, they achieve initial access, persistence, and lateral movement via commonly observed tools and procedures.


Optiv’s gTIC estimates that over the next 12 months, initial access will Very Likely remain the predominant and most important MITRE ATT&CK tactic associated with adversary campaigns and attempts, as it is the first step in a successful attack before the execution of any other tactic or technique. Organizations and enterprises are advised to take inventory of whether any of the products in our prioritized list are present in their environment, in addition to other risk-based variables (i.e., industry vertical, geography, etc.), and assess the potential risk of a compromise of any accounts and systems that are associated with these products. From there, one can prioritize defensive measures and counteraction efforts, as well as propose supplements to existing security and risk management policies.
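The inventory advice above only pays off if version comparison is done correctly: “8.7.3” is vulnerable and “8.8.2” is not, but a naive string comparison sorts them the wrong way round. As an added example (not from the original report and not Optiv tooling), the script below checks a constructed inventory against the fixed versions this report names for WS_FTP Server (8.7.4 on the 8.7 branch, 8.8.2 on the 8.8 branch) and buckets other prioritized products for review. The libwebp fixed version (1.3.2) is taken from the libwebp project’s release, not from this report, and is an assumption; the host names, product list and inventory format are constructed.

```python
"""Triage a software inventory against the vulnerabilities in this report.

Added example, not part of the original report and not Optiv tooling. It
applies the inventory advice above: parse each asset's version, compare it
branch-by-branch against the first fixed release, and bucket the result.
Fixed versions for WS_FTP Server (8.7.4 on the 8.7 branch, 8.8.2 on the
8.8 branch) come from the report. The libwebp fixed version (1.3.2) is
taken from the libwebp project's release, not from the report, and is an
assumption here. Products the report names without a fixed version are
bucketed as "review". The inventory format and hosts are constructed.
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'8.7.3' -> (8, 7, 3). Build suffixes such as '-rc1' or '+deb' are dropped."""
    core = re.split(r"[-+]", text.strip(), maxsplit=1)[0]
    nums = re.findall(r"\d+", core)
    if not nums:
        raise ValueError(f"no version digits in {text!r}")
    return tuple(int(n) for n in nums)


# product -> list of (branch prefix, first fixed version on that branch).
# An empty prefix matches every branch.
FIXED: Dict[str, List[Tuple[Version, Version]]] = {
    "ws_ftp server": [((8, 7), (8, 7, 4)), ((8, 8), (8, 8, 2))],
    "libwebp": [((), (1, 3, 2))],  # assumption: first fixed libwebp release
}

# Named in the report, but with no fixed version given there.
REVIEW_ONLY = {
    "adobe acrobat", "adobe reader", "fortios", "fortiproxy", "fortiweb",
    "manageengine", "confluence", "jira service management", "bitbucket",
    "bamboo", "bind",
}


def status(product: str, version_text: str) -> str:
    """Classify one asset: vulnerable, patched, unknown-branch, review or not-prioritized."""
    key = product.strip().lower()
    if key in FIXED:
        v = parse_version(version_text)
        branches = FIXED[key]
        for prefix, fixed in branches:
            if v[:len(prefix)] == prefix:
                return "patched" if v >= fixed else "vulnerable"
        # No listed branch matched: older than every fix means no fixed
        # build exists on that branch; newer than every fix needs a human.
        if v < min(fixed for _, fixed in branches):
            return "vulnerable"
        return "unknown-branch"
    if key in REVIEW_ONLY:
        return "review"
    return "not-prioritized"


def triage(inventory: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Group hosts by status so patching can be ordered by exposure."""
    buckets: Dict[str, List[str]] = {}
    for host, product, version in inventory:
        buckets.setdefault(status(product, version), []).append(host)
    return buckets


# Constructed inventory rows: (host, product, version).
SAMPLE_INVENTORY = [
    ("ftp01", "WS_FTP Server", "8.7.3"),     # below 8.7.4: vulnerable
    ("ftp02", "WS_FTP Server", "8.8.2"),     # at the fix: patched
    ("ftp03", "WS_FTP Server", "8.6.1"),     # older branch, no fix listed: vulnerable
    ("img01", "libwebp", "1.3.1"),           # below 1.3.2: vulnerable
    ("img02", "libwebp", "1.3.2-1"),         # packaging suffix stripped: patched
    ("fw01", "FortiOS", "7.2.5"),            # named above, no fixed version here: review
    ("db01", "PostgreSQL", "15.4"),          # not on the list discussed here
]

if __name__ == "__main__":
    for bucket, hosts in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{bucket:15} {', '.join(hosts)}")
```

The branch-aware table matters for products like WS_FTP that ship fixes on several maintained lines at once: a host on 8.7.4 is patched even though 8.8.2 is numerically higher, and a host on an older unmaintained branch is treated as vulnerable because no fixed build exists for it.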

Consultant I | Optiv
Emily Lee has served as a Consultant and Cyber Threat Intelligence Analyst on Optiv’s Global Threat Intelligence Center (gTIC) since 2021. She supports the Incident Response team and Optiv’s clients by leveraging Open Source Intelligence (OSINT) collection and research and client threat data to provide situational awareness, manage risk and expectations, and support incident response and counteraction decisions.
