
2024 New year resolution for security - One less concession

Take action: In 2024, accept one less compromise when pushing for security discipline, penetration tests and patching.


Looking back at this year, we saw a surge in the exploitation of vulnerabilities by cybercriminals - mostly for profit or political interests.

Some of the vulnerabilities were known to the hackers long before the fix was published, but most had a fix that was not applied in time - whether due to optimism, lack of focus and resources, or fear of breaking something with the fix.

Review the vulnerabilities that caused most issues in 2023, and join us in a pledge for 2024:

Accept one less compromise when pushing for security discipline, penetration tests and patching.

The top exploited vulnerabilities

  1. MOVEit Vulnerability (CVE-2023-34362): This SQL injection affected several versions of Progress MOVEit Transfer and enabled unauthenticated threat actors to access and ransom hundreds of the largest organizations in the world. This one is down to insufficient internal testing, since it came to light that the hackers had known about the vulnerability long before the official patch.
  2. Microsoft Outlook Privilege Escalation (CVE-2023-23397): This zero-click vulnerability affected all versions of Outlook clients. It allowed attackers to trigger exploitation automatically by sending a specially crafted email, leading to the leakage of Net-NTLMv2 hashes. A threat actor targeted sectors like government, transportation, energy, and military in Europe using this vulnerability. This one is mostly down to delays in patching by organizations.
  3. Fortinet FortiOS (CVE-2022-41328): A path traversal vulnerability in various versions of FortiOS allowed privileged threat actors to manipulate files via crafted CLI commands. The Fortinet vulnerability and patch were promptly announced, yet the fixes were applied very slowly.
  4. Barracuda Email Security Gateway Vulnerability (CVE-2023-2868): This vulnerability, resulting from improper .tar file processing, allowed system command execution with product privileges. The vulnerability was known to hackers before the patch and was exploited by Chinese state-sponsored hackers. It also didn't help that a lot of users hadn't patched their Barracuda ESG on time.
  5. Adobe ColdFusion (CVE-2023-26360): Affecting older versions of Adobe ColdFusion, this vulnerability allowed arbitrary code execution due to improper access control. Several major organizations were hacked because they didn't patch on time, although the vulnerability and patch were properly released and publicized.
  6. Citrix Bleed Vulnerability (CVE-2023-4966): Present in Citrix NetScaler ADC and Gateway appliances, this vulnerability allowed sensitive data retrieval. The LockBit 3.0 ransomware group exploited this in November 2023. Much like the ColdFusion issue, several major organizations were hacked because they didn't patch on time, although the vulnerability and patch were properly released and publicized.

We hope to deliver more value and awareness to you in 2024.
