Five Eyes nations detail dirty dozen most exploited vulnerabilities
PLUS: FBI admits buying NSO spyware; "IT" company busted for drugs 'n guns biz; this week's critical vulns
Infosec in brief If you're wondering what patches to prioritize, ponder no longer: An international group of cybersecurity agencies has published a list of the 12 most commonly exploited vulnerabilities of 2022 – a list many will recognize.
The coalition of officials from the US, Australia, Canada, New Zealand and United Kingdom's various intelligence and cyber security bodies – known as the Five Eyes – is urging organizations to get serious about dealing with old vulnerabilities that are being overlooked.
"In 2022, malicious cyber actors exploited older software vulnerabilities more frequently than recently disclosed vulnerabilities and targeted unpatched, internet-facing systems," The US Cybersecurity and Infrastructure Security Agency warned in its release of the list.
Leading the dastardly dozen is a vulnerability in Fortinet SSL VPNs. Yes, we know this is an ongoing problem, but this particular vulnerability has been around since 2018 and involves a path traversal bug that can be used to hijack system files. "The continued exploitation indicates that many organizations failed to patch software in a timely manner," CISA said.
Remember in late 2021 when Chinese hackers were spotted leveraging an RCE vulnerability in Zoho ManageEngine ADSelfService Plus? Despite a patch being issued in September of that year, it's still a popular one for attackers.
You may also recall that Atlassian's Confluence Server and Data Center was hit with a nasty RCE bug in 2021, and the weakness is apparently still common. A related vulnerability identified in June last year is still being exploited, too.
And who can forget Log4Shell, the 2021 Apache Log4j exploit that caused havoc around the world? Despite the high profile it remains a leading way for crims to pry their way into otherwise secure systems.
Additionally:
- ProxyShell vulnerabilities in Microsoft Exchange continue to be a popular target for hackers and APTs;
- Two exploits in VMware products that could allow an attacker to gain RCE capabilities are still hot ingress routes;
- An exploit in iControl REST authentication on F5 BIG-IP products that F5 and Cisco identified last year is still being used to bypass authentication;
- Microsoft's Windows Support Diagnostic Tool can be tricked into running code for an attacker, which we learned last year and is still a problem.
Time to double-check your patch status.
Critical vulnerabilities of the week: Check your Ether balance!
It was a relatively quiet week in terms of critical vulnerabilities we didn't cover elsewhere, but one does stand out: An exploit in a popular Web3 programming language that has allowed attackers to drain millions of dollars in cryptocurrency.
Developers for Vyper, a programming language commonly used to create smart contracts on the Ethereum blockchain, warned over the weekend that versions 0.2.15, 0.2.16 and 0.3.0 are "vulnerable to malfunctioning reentrancy locks," and urged any project relying on those versions of Vyper to reach out to them asap.
Too little too late for many users of the DeFi platform Curve Finance, which revealed on Monday that more than $61 million in crypto was stolen from wallets on its site thanks to the vulnerability. The attacker has returned some of the funds, but not all.
We'd say patch, but maybe just stay away from Web3 and crypto altogether to be on the safe side.
Elsewhere:
- Mozilla released security updates for Firefox, Firefox ESR and Thunderbird this week that address several vulnerabilities attackers could exploit to take control of affected systems;
- CISA warned that, despite the fact it only rates a 7.2 CVSS score, a path traversal vulnerability in some versions of Ivanti EPMM is under active exploitation, so be sure to patch asap;
- CVSS 9.8 – CVE-2023-28343: APSystems Altenergy Power Control Software contains an OS command injection vulnerability that could allow RCE.
The spyware is coming from inside the house, FBI discovers
After the Biden administration was caught earlier this year buying snooping software from notorious Israeli spyware maker NSO Group, the FBI was tasked with figuring out who in the federal government was using it.
According to the FBI, it was the FBI.
Despite the fact that the Biden administration blacklisted NSO Group in late 2021, government contractor Riva Networks purchased Landmark, one of NSO's mobile spyware products, for use to track people in Mexico without their knowledge.
According to the FBI, the purchase was Riva's fault – it misled the Bureau, and once use of Landmark was discovered the contract was terminated.
NSO's more well-known spyware product is Pegasus, which has been used in various nations to target journalists and dissidents. NSO itself has claimed that "more than five" EU nations were using Pegasus as of a year ago. Pegasus has also been found on devices belonging to US diplomats, and US House officials believe it's been deployed far more widely against US officials than is currently known.
Talk about a line of business
EncroChat, an encrypted communications service infiltrated by European police forces in 2020, is still paying dividends – like a case this week that saw a group of criminals who started a fake computer company used to import "industrial supplies of cocaine" jailed.
According to the UK National Crime Agency, Clarke Computers and Software Limited – despite having its own merch like fleece jackets with company logos on them – was really just a front for cocaine and gun runners based in Widnes, Cheshire.
Along with using the fake tech company to import "at least 100kg (220lbs) of cocaine" worth about £8 million ($10.2m), the NCA said the group also imported guns like AR-15 assault rifles, AK47s, and several pistols – including machine and self-loading models.
"These men formed a very dangerous and damaging criminal organization," said Mike Beigan, NCA operations manager. "They brought in industrial volumes of cocaine that have no doubt contributed to further waves of crime and misery in our communities."
Craig Gallagher, the ringleader, was jailed this week for 24 years, per the NCA. ®
Biting the hand that feeds IT
