Report Name: Check Point 2024 Cyber Security Report
Generated: 2024-02-22 14:43:45
Product Name | Prevalence | U | C | H | M | L | A | Comment |
---|---|---|---|---|---|---|---|---|
Microsoft Message Queuing | 0.9 | | 1 | | 2 | | 3 | Microsoft Message Queuing or MSMQ is a message queue implementation developed by Microsoft and deployed in its Windows Server operating systems since Windows NT 4 and Windows 95 |
Windows Win32k | 0.9 | 2 | | | | | 2 | The Win32k.sys driver is the kernel side of some core parts of the Windows subsystem. Its main functionality is the GUI of Windows; it's responsible for window management. |
Cisco ASA | 0.8 | | 1 | | | | 1 | A family of network security devices from Cisco that provide firewall, intrusion prevention (IPS) and virtual private network (VPN) capabilities |
Cisco IOS | 0.8 | | 1 | | | | 1 | The Internetworking Operating System is a family of proprietary network operating systems used on several router and network switch models manufactured by Cisco Systems |
WinRAR | 0.8 | 1 | | | | | 1 | WinRAR is a trialware file archiver utility for Windows, developed by Eugene Roshal of win.rar GmbH |
Windows Common Log File System Driver | 0.8 | 1 | | | | | 1 | Common Log File System is a general-purpose logging subsystem that is accessible to both kernel-mode as well as user-mode applications for building high-performance transaction logs |
Apache Tomcat | 0.7 | 1 | | | | | 1 | Apache Tomcat is a free and open-source implementation of the Jakarta Servlet, Jakarta Expression Language, and WebSocket technologies |
ESXi | 0.7 | 2 | | | | | 2 | VMware ESXi (formerly ESX) is an enterprise-class, type-1 hypervisor developed by VMware for deploying and serving virtual computers |
GoAnywhere Managed File Transfer | 0.6 | 1 | | | | | 1 | GoAnywhere MFT is a secure managed file transfer software solution that streamlines the exchange of data between systems, employees, customers, and trading partners |
MOVEit Transfer | 0.6 | 1 | | | | | 1 | Progress MOVEit is a secure Managed File Transfer (MFT) software. MOVEit enables organizations to meet compliance standards, easily ensure the reliability of core business processes, and secure the transfer of sensitive data between partners, customers, users and systems. |
Microsoft Outlook | 0.6 | 1 | | | | | 1 | Microsoft Outlook is a personal information manager software system from Microsoft, available as a part of the Microsoft 365 software suites |
PaperCut NG | 0.6 | 1 | | | | | 1 | PaperCut NG is a comprehensive print management system designed to seamlessly monitor and control your resources with easy to use administrative and user tools that can be securely accessed from anywhere on the network through a web browser |
3CX DesktopApp | 0.5 | | 1 | | | | 1 | The 3CX Phone System is the software-based private branch exchange (PBX) phone system developed and marketed by the company, 3CX |
Barracuda Email Security Gateway | 0.5 | 1 | | | | | 1 | The Barracuda Email Security Gateway is an email security gateway that manages and filters all inbound and outbound email traffic to protect organizations from email-borne threats and data leaks |
NetScaler Application Delivery Controller | 0.5 | 2 | | | | | 2 | Product detected by a:citrix:netscaler_application_delivery_controller (exists in CPE dict) |

Vulnerability Type | Criticality | U | C | H | M | L | A |
---|---|---|---|---|---|---|---|
Remote Code Execution | 1.0 | 5 | 3 | | | | 8 |
Authentication Bypass | 0.98 | 1 | 1 | | | | 2 |
Code Injection | 0.97 | 1 | | | | | 1 |
Command Injection | 0.97 | 2 | | | | | 2 |
Elevation of Privilege | 0.85 | 3 | | | | | 3 |
Information Disclosure | 0.83 | 1 | | | | | 1 |
Denial of Service | 0.7 | | | | 2 | | 2 |
Memory Corruption | 0.5 | 1 | | | | | 1 |

Source | U | C | H | M | L | A |
---|---|---|---|---|---|---|
Check Point | 14 | 4 | | 2 | | 20 |
1. Remote Code Execution - Apache Tomcat (CVE-2023-47246) - Urgent [950]
Description: In SysAid On-Premise before 23.3.36, a path traversal vulnerability leads to
Component | Value | Weight | Comment |
---|---|---|---|
| | 1.0 | 18 | Exploitation in the wild is mentioned on Vulners (AttackerKB object, cisa_kev object), AttackerKB, NVD:CISAKEV websites |
| | 1.0 | 17 | The existence of a publicly available exploit is mentioned on NVD:Exploit:www.sysaid.com website |
| | 1.0 | 15 | Remote Code Execution |
| | 0.7 | 14 | Apache Tomcat is a free and open-source implementation of the Jakarta Servlet, Jakarta Expression Language, and WebSocket technologies |
| | 1.0 | 10 | CVSS Base Score is 9.8. According to NVD data source |
| | 1.0 | 10 | EPSS Probability is 0.94354, EPSS Percentile is 0.99127 |
Check Point: After the MOVEit attack, exploitation of zero-day vulnerabilities for ransomware attacks continued. Threat actors associated with CLOP were observed exploiting a zero-day vulnerability within the SysAid IT support software, potentially impacting over 5,000 customers. The company disclosed in an advisory that it became aware of this new vulnerability (CVE-2023-47246) on November 2, but the earliest reports of the exploitation date back to October. Beyond CLOP, Akira and Lockbit, two of the most prolific ransomware actors, have been exploiting a zero-day vulnerability (CVE-2023-20269) in Cisco appliances, enabling attackers to conduct brute force attacks against existing accounts.
2. Remote Code Execution - WinRAR (CVE-2023-38831) - Urgent [942]
Description: RARLAB
Component | Value | Weight | Comment |
---|---|---|---|
| | 1.0 | 18 | Exploitation in the wild is mentioned on Vulners (AttackerKB object, cisa_kev object), AttackerKB, NVD:CISAKEV websites |
| | 1.0 | 17 | The existence of a publicly available exploit is mentioned on NVD:Exploit:www.group-ib.com website |
| | 1.0 | 15 | Remote Code Execution |
| | 0.8 | 14 | WinRAR is a trialware file archiver utility for Windows, developed by Eugene Roshal of win.rar GmbH |
| | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
| | 1.0 | 10 | EPSS Probability is 0.33602, EPSS Percentile is 0.96921 |
Check Point: vulnerability (CVE-2023-38831) to steal from
3. Remote Code Execution - ESXi (CVE-2021-21974) - Urgent [938]
Description: OpenSLP as used in
Component | Value | Weight | Comment |
---|---|---|---|
| | 1.0 | 18 | Exploitation in the wild is mentioned on Vulners (AttackerKB object), AttackerKB websites |
| | 1.0 | 17 | The existence of a publicly available exploit is mentioned on NVD:Exploit:packetstormsecurity.com website |
| | 1.0 | 15 | Remote Code Execution |
| | 0.7 | 14 | VMware ESXi (formerly ESX) is an enterprise-class, type-1 hypervisor developed by VMware for deploying and serving virtual computers |
| | 0.9 | 10 | CVSS Base Score is 8.8. According to NVD data source |
| | 1.0 | 10 | EPSS Probability is 0.87964, EPSS Percentile is 0.98558 |
Check Point: Check Point IPS provides protection against this threat (VMWare OpenSLP Heap Buffer Overflow (CVE-2019-5544; CVE-2021-21974)). Social media platform Reddit suffered a security breach after an employee fell victim to a phishing attack. According to the company’s statement, while internal documents and source code were stolen, user information and credentials have not been impacted.
4. Remote Code Execution - PaperCut NG (CVE-2023-27350) - Urgent [933]
Description: This vulnerability allows remote attackers to bypass authentication on affected installations of
Component | Value | Weight | Comment |
---|---|---|---|
| | 1.0 | 18 | Exploitation in the wild is mentioned on Vulners (AttackerKB object, cisa_kev object), AttackerKB, NVD:CISAKEV websites |
| | 1.0 | 17 | The existence of a publicly available exploit is mentioned on NVD:Exploit:packetstormsecurity.com website |
| | 1.0 | 15 | Remote Code Execution |
| | 0.6 | 14 | PaperCut NG is a comprehensive print management system designed to seamlessly monitor and control your resources with easy to use administrative and user tools that can be securely accessed from anywhere on the network through a web browser |
| | 1.0 | 10 | CVSS Base Score is 9.8. According to NVD data source |
| | 1.0 | 10 | EPSS Probability is 0.97227, EPSS Percentile is 0.99817 |
Check Point: PAPERCUT (CVE-2023-27350) This is a critical RCE (Remote Code Execution) vulnerability with a CVSS score of 9.8 in PaperCut, a print management software with a user base of more than 100 million users. Disclosed with a patch released in March of 2023, this flaw can lead to the exposure of sensitive information and breach of entire networks. Following its disclosure, it was quickly leveraged by various malicious actors, including the delivery of Lockbit and CL0P ransomware. It was also exploited by state-sponsored APT groups. Check Point data shows that 9% of organizations have been impacted by this vulnerability in 2023.
5. Authentication Bypass - Microsoft Outlook (CVE-2023-23397) - Urgent [929]
Description:
Check Point: MICROSOFT OUTLOOK (CVE-2023-23397) This is a critical privilege escalation vulnerability in Microsoft Outlook, discovered in March 2023 with a CVSS rating of 9.8. The flaw enables attackers to hijack users’ authentication hashes via specially crafted emails. The vulnerability was actively exploited by groups including the XXXXn-affiliated APT28.
6. Code Injection - MOVEit Transfer (CVE-2023-34362) - Urgent [927]
Description: In
Component | Value | Weight | Comment |
---|---|---|---|
| | 1.0 | 18 | Exploitation in the wild is mentioned on Vulners (AttackerKB object, cisa_kev object), AttackerKB, NVD:CISAKEV websites |
| | 1.0 | 17 | The existence of a publicly available exploit is mentioned on Vulners website ([githubexploit] Exploit for SQL Injection in Progress Moveit Cloud, [githubexploit] Exploit for SQL Injection in Progress Moveit Cloud, [githubexploit] Exploit for SQL Injection in Progress Moveit Cloud, [githubexploit] Exploit for SQL Injection in Progress Moveit Cloud, [githubexploit] Exploit for SQL Injection in Progress Moveit Cloud, [packetstorm] MOVEit SQL Injection, [metasploit] MOVEit SQL Injection vulnerability, [zdt] MOVEit SQL Injection Exploit) |
| | 0.97 | 15 | Code Injection |
| | 0.6 | 14 | Progress MOVEit is a secure Managed File Transfer (MFT) software. MOVEit enables organizations to meet compliance standards, easily ensure the reliability of core business processes, and secure the transfer of sensitive data between partners, customers, users and systems. |
| | 1.0 | 10 | CVSS Base Score is 9.8. According to NVD data source |
| | 1.0 | 10 | EPSS Probability is 0.95904, EPSS Percentile is 0.99395 |
Check Point: JUNE Progress disclosed a vulnerability in MOVEit Transfer and MOVEit Cloud (CVE-2023-34362) that could lead to escalated privileges and potential unauthorized access to the environment. Upon discovery, Progress launched an investigation, provided mitigation steps and released a security patch, all within 48 hours. Unfortunately, during that time, cybercriminals associated with XXXXn-affiliated ransomware group Clop exploited the vulnerability and launched a supply chain attack against MOVEit users. Among them was payroll services provider Zellis, who was the first to disclose a security breach, although many others have been impacted.
Check Point: Check Point IPS blade provides protection against this threat (MOVEit Transfer SQL Injection (CVE-2023-34362)). Check Point Research has published an analysis of a backdoor tool used by the Chinese APT group Camaro Dragon. The backdoor tool, dubbed TinyNote, is written in Go and includes a feature bypassing Indonesian antivirus software SmadAV, which is popular in Southeast Asian countries. The APT group’s victims likely include embassies in Southeast Asian countries.
Check Point: MOVEIT (CVE-2023-34362) This critical SQL injection vulnerability in MOVEit MFT (Managed File Transfer Software) was exploited in 2023’s most prolific ransomware campaign, impacting more than 2,700 organizations globally. The vulnerability was exploited by the CL0P ransomware group prior to its public disclosure and utilized to deploy a web shell named LEMURLOOT, which was then used to steal data from MOVEit Transfer databases. The large number of victims and the amount of data led CL0P to change its extortion techniques, relying on data extortion instead of encrypting and publishing stolen data on Torrents. Check Point data shows that 7% of organizations have been impacted by this vulnerability in 2023.
Check Point: LEMURLOOT LEMURLOOT is a web shell malware associated with the CL0P ransomware group, designed to exploit a critical SQL injection vulnerability (CVE-2023-34362) in the MOVEit Transfer managed file transfer (MFT) application. LEMURLOOT is written in C# and requires a hard-coded password for authentication. This malware was instrumental in significant data theft and extortion attempts by the CL0P group.
7. Remote Code Execution - NetScaler Application Delivery Controller (CVE-2023-3519) - Urgent [916]
Description: Unauthenticated
Check Point: These vulnerabilities, particularly ProxyShell and Citrix RCE (CVE-2023-3519), can enable threat actors to install webshells on internet-facing vulnerable devices. The devices targeted in those vulnerabilities, such as Exchange servers and NetScaler Gateways, are often internet-facing, constituting prime targets. Once compromised, these devices continue to function as dormant footholds for the threat actor, even after patching.
Check Point: While diving deeper into the incident and trying to locate the initial infection vector, we identified CVE-2023-3519, a remote code execution vulnerability in Citrix NetScaler systems as the initial point of compromise. This vulnerability had been exploited to deploy a webshell on the device, which remained undetected even after the system was patched. This oversight allowed the threat actor to maintain network access. Three months post-exploitation, this webshell was activated by another threat actor who intended to deploy ransomware. Fortunately, due to the customer's alertness and CPIRT's prompt response, the ransomware attack was successfully thwarted before it could inflict damage.
8. Elevation of Privilege - Windows Common Log File System Driver (CVE-2023-28252) - Urgent [904]
Description:
Component | Value | Weight | Comment |
---|---|---|---|
| | 1.0 | 18 | Exploitation in the wild is mentioned on Vulners (AttackerKB object, cisa_kev object), AttackerKB, NVD:CISAKEV websites |
| | 1.0 | 17 | The existence of a publicly available exploit is mentioned on Vulners website ([metasploit] Windows Common Log File System Driver (clfs.sys) Elevation of Privilege Vulnerability, [githubexploit] Exploit for Vulnerability in Microsoft, [zdt] Windows Common Log File System Driver (clfs.sys) Privilege Escalation Exploit, [packetstorm] Windows Common Log File System Driver (clfs.sys) Privilege Escalation) |
| | 0.85 | 15 | Elevation of Privilege |
| | 0.8 | 14 | Common Log File System is a general-purpose logging subsystem that is accessible to both kernel-mode as well as user-mode applications for building high-performance transaction logs |
| | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
| | 0.9 | 10 | EPSS Probability is 0.01815, EPSS Percentile is 0.87784 |
Check Point: Nokoyawa Nokoyawa is a Windows-based ransomware family first identified in February 2022 and is known for double extortion attacks. This ransomware, initially written in C and later rewritten in Rust, demonstrates coding similarities with the Nemty and Karma ransomware families. The ransomware is known to exploit vulnerabilities like CVE-2023-28252 in attacks.
9. Elevation of Privilege - Windows Win32k (CVE-2021-1732) - Urgent [897]
Description:
Component | Value | Weight | Comment |
---|---|---|---|
| | 1.0 | 18 | Exploitation in the wild is mentioned on Vulners (AttackerKB object, cisa_kev object), AttackerKB, NVD:CISAKEV websites |
| | 1.0 | 17 | The existence of a publicly available exploit is mentioned on NVD:Exploit:packetstormsecurity.com website |
| | 0.85 | 15 | Elevation of Privilege |
| | 0.9 | 14 | The Win32k.sys driver is the kernel side of some core parts of the Windows subsystem. Its main functionality is the GUI of Windows; it's responsible for window management. |
| | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
| | 0.7 | 10 | EPSS Probability is 0.00436, EPSS Percentile is 0.74044 |
Check Point: The Check Point research team has uncovered new techniques used by the Raspberry Robin malware. These methods include several anti-evasion techniques, obfuscation, and anti-VM measures. The malware also exploits two vulnerabilities in Win32k (CVE-2020-1054 and CVE-2021-1732) in order to elevate its privileges.
Check Point: Check Point Threat Emulation and IPS provide protection against this threat (Trojan.Wins.RaspberryRobin; Microsoft Win32k Elevation of Privilege (CVE-2021-1732), Microsoft Win32k Elevation of Privilege (CVE-2020-1054))
10. Command Injection - GoAnywhere Managed File Transfer (CVE-2023-0669) - Urgent [892]
Description: Fortra (formerly, HelpSystems)
Component | Value | Weight | Comment |
---|---|---|---|
| | 1.0 | 18 | Exploitation in the wild is mentioned on Vulners (AttackerKB object, cisa_kev object), AttackerKB, NVD:CISAKEV websites |
| | 1.0 | 17 | The existence of a publicly available exploit is mentioned on NVD:Exploit:frycos.github.io website |
| | 0.97 | 15 | Command Injection |
| | 0.6 | 14 | GoAnywhere MFT is a secure managed file transfer software solution that streamlines the exchange of data between systems, employees, customers, and trading partners |
| | 0.7 | 10 | CVSS Base Score is 7.2. According to NVD data source |
| | 1.0 | 10 | EPSS Probability is 0.96802, EPSS Percentile is 0.99656 |
Check Point: GOANYWHERE (CVE-2023-0669) This is a critical RCE vulnerability in the GoAnywhere MFT software (Managed File Transfer) disclosed in February 2023. Prior to its disclosure, the flaw was actively exploited by the CL0P ransomware gang, leading to significant data breaches in more than 130 organizations. This incident highlights the growing trend of ransomware operators using zero-day vulnerabilities to conduct their attacks. Check Point data shows that 2.5% of organizations have been impacted by this vulnerability in 2023.
11. Command Injection - Barracuda Email Security Gateway (CVE-2023-2868) - Urgent [887]
Description: A remote command injection vulnerability exists in the
Component | Value | Weight | Comment |
---|---|---|---|
| | 1.0 | 18 | Exploitation in the wild is mentioned on Vulners (AttackerKB object, cisa_kev object), AttackerKB, NVD:CISAKEV websites |
| | 1.0 | 17 | The existence of a publicly available exploit is mentioned on Vulners website ([githubexploit] Exploit for Command Injection in Barracuda Email Security Gateway 300 Firmware) |
| | 0.97 | 15 | Command Injection |
| | 0.5 | 14 | The Barracuda Email Security Gateway is an email security gateway that manages and filters all inbound and outbound email traffic to protect organizations from email-borne threats and data leaks |
| | 0.9 | 10 | CVSS Base Score is 9.4. According to NVD data source |
| | 0.9 | 10 | EPSS Probability is 0.05351, EPSS Percentile is 0.92836 |
Check Point: BARRACUDA (CVE-2023-2868) This is a critical remote command injection vulnerability identified in the Barracuda Email Security Gateway (ESG) appliance, which is exploited using malicious file attachments. The vulnerability was actively exploited as early as October 2022 by a Chinese APT actor in an aggressive campaign that impacted organizations on a global scale, with a significant focus on government agencies. Following the release of patches and containment efforts, the attackers adapted their techniques by altering their malware and employing additional persistence mechanisms to maintain access. As a result, both Barracuda and the FBI recommended that customers immediately replace compromised ESG devices.
12. Elevation of Privilege - Windows Win32k (CVE-2020-1054) - Urgent [885]
Description: An
Component | Value | Weight | Comment |
---|---|---|---|
| | 1.0 | 18 | Exploitation in the wild is mentioned on Vulners (AttackerKB object, cisa_kev object), AttackerKB, NVD:CISAKEV websites |
| | 1.0 | 17 | The existence of a publicly available exploit is mentioned on NVD:Exploit:packetstormsecurity.com website |
| | 0.85 | 15 | Elevation of Privilege |
| | 0.9 | 14 | The Win32k.sys driver is the kernel side of some core parts of the Windows subsystem. Its main functionality is the GUI of Windows; it's responsible for window management. |
| | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
| | 0.6 | 10 | EPSS Probability is 0.00228, EPSS Percentile is 0.60109 |
Check Point: The Check Point research team has uncovered new techniques used by the Raspberry Robin malware. These methods include several anti-evasion techniques, obfuscation, and anti-VM measures. The malware also exploits two vulnerabilities in Win32k (CVE-2020-1054 and CVE-2021-1732) in order to elevate its privileges.
Check Point: Check Point Threat Emulation and IPS provide protection against this threat (Trojan.Wins.RaspberryRobin; Microsoft Win32k Elevation of Privilege (CVE-2021-1732), Microsoft Win32k Elevation of Privilege (CVE-2020-1054))
13. Information Disclosure - NetScaler Application Delivery Controller (CVE-2023-4966) - Urgent [874]
Description: Sensitive
Check Point: CITRIXBLEED (CVE-2023-4966) This critical vulnerability in Citrix NetScaler platforms allows remote unauthenticated attackers to extract system memory data which includes session tokens. These are then used to hijack legitimate sessions, bypassing password and MFA procedures. Due to its ease of use and the availability of proof-of-concept exploits, CitrixBleed was extensively exploited by several ransomware groups including LockBit, Medusa and Akira.
14. Memory Corruption - ESXi (CVE-2019-5544) - Urgent [848]
Description: OpenSLP as used in
Component | Value | Weight | Comment |
---|---|---|---|
| | 1.0 | 18 | Exploitation in the wild is mentioned on Vulners (AttackerKB object, cisa_kev object), AttackerKB, NVD:CISAKEV websites |
| | 1.0 | 17 | The existence of a publicly available exploit is mentioned on Vulners website ([githubexploit] Exploit for Out-of-bounds Write in Vmware Horizon Daas, [githubexploit] Exploit for Out-of-bounds Write in Vmware Horizon Daas) |
| | 0.5 | 15 | Memory Corruption |
| | 0.7 | 14 | VMware ESXi (formerly ESX) is an enterprise-class, type-1 hypervisor developed by VMware for deploying and serving virtual computers |
| | 1.0 | 10 | CVSS Base Score is 9.8. According to NVD data source |
| | 0.9 | 10 | EPSS Probability is 0.04189, EPSS Percentile is 0.9193 |
Check Point: Check Point IPS provides protection against this threat (VMWare OpenSLP Heap Buffer Overflow (CVE-2019-5544; CVE-2021-21974)). Social media platform Reddit suffered a security breach after an employee fell victim to a phishing attack. According to the company’s statement, while internal documents and source code were stolen, user information and credentials have not been impacted.
15. Remote Code Execution - 3CX DesktopApp (CVE-2023-29059) - Critical [797]
Description:
Component | Value | Weight | Comment |
---|---|---|---|
| | 1.0 | 18 | Exploitation in the wild is mentioned on Vulners (AttackerKB object), AttackerKB websites |
| | 1.0 | 17 | The existence of a publicly available exploit is mentioned on NVD:Exploit:www.huntress.com website |
| | 1.0 | 15 | Remote Code Execution |
| | 0.5 | 14 | The 3CX Phone System is the software-based private branch exchange (PBX) phone system developed and marketed by the company, 3CX |
| | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
| | 0.2 | 10 | EPSS Probability is 0.00056, EPSS Percentile is 0.20741 |
Check Point: APRIL Both Windows and macOS versions of 3CXDesktopApp, a VoIP application of 3CX Communications Company, were compromised and used to distribute Trojanized versions in a large-scale supply chain attack. In this widespread campaign, dubbed SmoothOperator, threat actors have misused 3CX’s application with a malicious file that is loaded using 3CXDesktopApp and beacons to the attacker’s infrastructure. More than 600,000 companies worldwide which use 3CX may be affected by this attack. The attack is linked to the North Korean Lazarus group, and is tracked as CVE-2023-29059.
16. Remote Code Execution - Microsoft Message Queuing (CVE-2023-21554) - Critical [769]
Description:
Component | Value | Weight | Comment |
---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 1.0 | 17 | The existence of a publicly available exploit is mentioned on Vulners website ([githubexploit] Exploit for Vulnerability in Microsoft, [githubexploit] Exploit for Vulnerability in Microsoft, [metasploit] CVE-2023-21554 - QueueJumper - MSMQ RCE Check) |
| | 1.0 | 15 | Remote Code Execution |
| | 0.9 | 14 | Microsoft Message Queuing or MSMQ is a message queue implementation developed by Microsoft and deployed in its Windows Server operating systems since Windows NT 4 and Windows 95 |
| | 1.0 | 10 | CVSS Base Score is 9.8. According to NVD data source |
| | 1.0 | 10 | EPSS Probability is 0.96122, EPSS Percentile is 0.99445 |
Check Point: Check Point Research has discovered three vulnerabilities (CVE-2023-28302, CVE-2023-21769 and CVE-2023-21554) in the “Microsoft Message Queuing” service, commonly known as MSMQ. The most severe of these, dubbed QueueJumper by CPR (CVE-2023-21554), is a critical vulnerability that could allow unauthenticated attackers to remotely execute arbitrary code in the context of the Windows service process mqsvc.exe.
Check Point: Check Point IPS provides protection against this threat (Microsoft Message Queuing Remote Code Execution (CVE-2023-21554)). Check Point Research flags a sharp increase in cyberattacks targeting IoT Devices, with a 41% increase in the average number of weekly attacks per organization during the first two months of 2023, compared to 2022. On average, every week, 54% of organizations suffer from attempted cyber-attacks targeting IoT devices, mostly in Europe followed by APAC and Latin America.
17. Remote Code Execution - Cisco IOS (CVE-2017-6742) - Critical [728]
Description: The Simple Network Management Protocol (SNMP) subsystem of
Component | Value | Weight | Comment |
---|---|---|---|
| | 1.0 | 18 | Exploitation in the wild is mentioned on Vulners (AttackerKB object, cisa_kev object), AttackerKB, NVD:CISAKEV websites |
| | 0 | 17 | The exploit's existence is NOT mentioned in available Data Sources |
| | 1.0 | 15 | Remote Code Execution |
| | 0.8 | 14 | The Internetworking Operating System is a family of proprietary network operating systems used on several router and network switch models manufactured by Cisco Systems |
| | 0.9 | 10 | CVSS Base Score is 8.8. According to NVD data source |
| | 0.8 | 10 | EPSS Probability is 0.00613, EPSS Percentile is 0.78089 |
Check Point: JaguarTooth JaguarTooth is a Cisco IOS malware that targets and modifies routers' authentication mechanisms to allow unauthenticated backdoor access. It collects and exfiltrates device and network information, including firmware versions and network configurations, via the Trivial File Transfer Protocol (TFTP). JaguarTooth was deployed through the exploitation of a known Simple Network Management Protocol (SNMP) vulnerability, CVE-2017-6742.
18. Authentication Bypass - Cisco ASA (CVE-2023-20269) - Critical [689]
Description: A vulnerability in the remote access VPN feature of
Component | Value | Weight | Comment |
---|---|---|---|
| | 1.0 | 18 | Exploitation in the wild is mentioned on Vulners (AttackerKB object, cisa_kev object), AttackerKB, NVD:CISAKEV websites |
| | 0 | 17 | The exploit's existence is NOT mentioned in available Data Sources |
| | 0.98 | 15 | Authentication Bypass |
| | 0.8 | 14 | A family of network security devices from Cisco that provide firewall, intrusion prevention (IPS) and virtual private network (VPN) capabilities |
| | 0.5 | 10 | CVSS Base Score is 5.0. According to NVD data source |
| | 0.9 | 10 | EPSS Probability is 0.02588, EPSS Percentile is 0.89937 |
Check Point: After the MOVEit attack, exploitation of zero-day vulnerabilities for ransomware attacks continued. Threat actors associated with CLOP were observed exploiting a zero-day vulnerability within the SysAid IT support software, potentially impacting over 5,000 customers. The company disclosed in an advisory that it became aware of this new vulnerability (CVE-2023-47246) on November 2, but the earliest reports of the exploitation date back to October. Beyond CLOP, Akira and Lockbit, two of the most prolific ransomware actors, have been exploiting a zero-day vulnerability (CVE-2023-20269) in Cisco appliances, enabling attackers to conduct brute force attacks against existing accounts.
19. Denial of Service - Microsoft Message Queuing (CVE-2023-21769) - Medium [394]
Description:
Component | Value | Weight | Comment |
---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The exploit's existence is NOT mentioned in available Data Sources |
| | 0.7 | 15 | Denial of Service |
| | 0.9 | 14 | Microsoft Message Queuing or MSMQ is a message queue implementation developed by Microsoft and deployed in its Windows Server operating systems since Windows NT 4 and Windows 95 |
| | 0.8 | 10 | CVSS Base Score is 7.5. According to NVD data source |
| | 0.2 | 10 | EPSS Probability is 0.00063, EPSS Percentile is 0.24648 |
Check Point: Check Point Research has discovered three vulnerabilities (CVE-2023-28302, CVE-2023-21769 and CVE-2023-21554) in the “Microsoft Message Queuing” service, commonly known as MSMQ. The most severe of these, dubbed QueueJumper by CPR (CVE-2023-21554), is a critical vulnerability that could allow unauthenticated attackers to remotely execute arbitrary code in the context of the Windows service process mqsvc.exe.
20. Denial of Service - Microsoft Message Queuing (CVE-2023-28302) - Medium [394]
Description:
Component | Value | Weight | Comment |
---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The exploit's existence is NOT mentioned in available Data Sources |
| | 0.7 | 15 | Denial of Service |
| | 0.9 | 14 | Microsoft Message Queuing or MSMQ is a message queue implementation developed by Microsoft and deployed in its Windows Server operating systems since Windows NT 4 and Windows 95 |
| | 0.8 | 10 | CVSS Base Score is 7.5. According to NVD data source |
| | 0.2 | 10 | EPSS Probability is 0.00063, EPSS Percentile is 0.24648 |
Check Point: Check Point Research has discovered three vulnerabilities (CVE-2023-28302, CVE-2023-21769 and CVE-2023-21554) in the “Microsoft Message Queuing” service, commonly known as MSMQ. The most severe of these, dubbed QueueJumper by CPR (CVE-2023-21554), is a critical vulnerability that could allow unauthenticated attackers to remotely execute arbitrary code in the context of the Windows service process mqsvc.exe.
Check Point: After the MOVEit attack, exploitation of zero-day vulnerabilities for ransomware attacks continued. Threat actors associated with CLOP were observed exploiting a zero-day vulnerability within the SysAid IT support software, potentially impacting over 5,000 customers. The company disclosed in an advisory that it became aware of this new vulnerability (CVE-2023-47246] on November 2, but the earliest reports of the exploitation date back to October. Beyond CLOp, Akira and Lockbit, two of the most prolific ransomware actors, have been exploiting a zero-day vulnerability (CVE-2023-20269) in Cisco appliances, enabling attackers to conduct brute force attacks against existing accounts.
Check Point: vulnerability (CVE-2023-38831) to steal from
Check Point: Check Point IPS provides protection against this threat (VMWare OpenSLP Heap Buffer Overflow (CVE-2019-5544; CVE-2021-21974)) Social media platform Reddit suffered a security breach, after an employee fell victim to a phishing attack. According to the company’s statement, while internal documents and source code were stolen, user information and credentials have not been impacted.
Check Point: PAPERCUT (CVE-2023-27350) This is a critical RCE (Remote Code Execution) vulnerability with a CVSS score of 9.8 in PaperCut, a print management software with a user base of more than 100 million users. Disclosed with a patch released in March of 2023, this flaw can lead to the exposure of sensitive information and breach of entire networks. Following its disclosure, it was quickly leveraged by various malicious actors, including the delivery of Lockbit and CL0P ransomware. It was also exploited by state-sponsored APT groups. Check Point data shows that 9% of organizations have been impacted by this vulnerability in 2023.
Check Point: These vulnerabilities, particularly ProxyShell and Citrix RCE (CVE-2023-3519), can enable threat actors to install webshells on internet-facing vulnerable devices. The devices targeted in those vulnerabilities, such as Exchange servers and NetScaler Gateways, are often internet-facing, constituting prime targets. Once compromised, these devices continue to function as dormant footholds for the threat actor, even after patching.
Check Point: While diving deeper into the incident and trying to locate the initial infection vector, we identified CVE-2023-3519, a remote code execution vulnerability in Citrix NetScaler systems as the initial point of compromise. This vulnerability had been exploited to deploy a webshell on the device, which remained undetected even after the system was patched. This oversight allowed the threat actor to maintain network access. Three months post-exploitation, this webshell was activated by another threat actor who intended to deploy ransomware. Fortunately, due to the customer's alertness and CPIRT's prompt response, the ransomware attack was successfully thwarted before it could inflict damage.
Check Point: APRIL Both Windows and macOS versions of 3CXDesktopApp, a VoIP application of 3CX Communications Company, were compromised and used to distribute Trojanized versions in a large-scale supply chain attack. In this widespread campaign, dubbed SmoothOperator, threat actors have misused 3CX’s application with a malicious file that is loaded using 3CXDesktopApp and beacons to the attacker’s infrastructure. More than 600,000 companies worldwide which use 3CX may be affected by this attack. The attack is linked to the North Korean Lazarus group, and is tracked as CVE-2023-29059.
Check Point: JaguarTooth JaguarTooth is a Cisco IOS malware that targets and modifies routers' authentication mechanisms to allow unauthenticated backdoor access. It collects and exfiltrates device and network information, including firmware versions and network configurations, via the Trivial File Transfer Protocol (TFTP). JaguarTooth was deployed through the exploitation of a known Simple Network Management Protocol (SNMP) vulnerability, CVE-2017-6742.
Check Point: MICROSOFT OUTLOOK (CVE-2023-23397) This is a critical privilege escalation vulnerability in Microsoft Outlook, discovered in March 2023 with a CVSS rating of 9.8. The flaw enables attackers to hijack users’ authentication hashes via specially crafted emails. The vulnerability was actively exploited by groups including the XXXXn-affiliated APT28.
Check Point: JUNE Progress disclosed a vulnerability in MOVEit Transfer and MOVEit Cloud (CVE-2023-34362) that could lead to escalated privileges and potential unauthorized access to the environment. Upon discovery, Progress launched an investigation, provided mitigation steps and released a security patch, all within 48 hours. Unfortunately, during that time, cybercriminals associated with XXXXn-affiliated ransomware group Clop exploited the vulnerability and launched a supply chain attack against MOVEit users. Among them was payroll services provider Zellis, who was the first to disclose a security breach, although many others have been impacted.
Check Point: Check Point IPS blade provides protection against this threat (MOVEit Transfer SQL Injection (CVE-2023-34362)) Check Point Research has published an analysis of a backdoor tool used by the Chinese APT group Camaro Dragon. The backdoor tool, dubbed TinyNote, is written in Go and includes a feature bypassing Indonesian antivirus software SmadAV, which is popular in Southeast Asian countries. The APT group’s victims likely include embassies in Southeast Asian countries.
Check Point: MOVEIT (CVE-2023-34362) This critical SQL injection vulnerability in MOVEit MFT (Managed File Transfer Software) was exploited in 2023’s most prolific ransomware campaign, impacting more than 2,700 organizations globally. The vulnerability was exploited by the CL0P ransomware group prior to its public disclosure and utilized to deploy a web shell named LEMURLOOT, which was then used to steal data from MOVEit Transfer databases. The large number of victims and the amount of data led CL0P to change its extortion techniques, relying on data extortion instead of encrypting and publishing stolen data on Torrents. Check Point data shows that 7% of organizations have been impacted by this vulnerability in 2023.
Check Point: LEMURLOOT LEMURLOOT is a web shell malware associated with the CL0P ransomware group, designed to exploit a critical SQL injection vulnerability (CVE-2023-34362) in the MOVEit Transfer managed file transfer (MFT) application. LEMURLOOT is written in C# and requires a hard-coded password for authentication. This malware was instrumental in significant data theft and extortion attempts by the CL0P group.
Check Point: Nokoyawa Nokoyawa is a Windows-based ransomware family first identified in February 2022 and is known for double extortion attacks. This ransomware, initially written in C and later rewritten in Rust, demonstrates coding similarities with the Nemty and Karma ransomware families. The ransomware is known to exploit vulnerabilities like CVE-2023-28252 in attacks.
Check Point: The Check Point research team has uncovered new techniques used by the Raspberry Robin malware. These methods include several anti-evasion techniques, obfuscation, and anti-VM measures. The malware also exploits two vulnerabilities in Win32k (CVE-2020-1054 and CVE-2021-1732) in order to elevate its privileges.
Check Point: Check Point Threat Emulation and IPS provide protection against this threat (Trojan.Wins.RaspberryRobin; Microsoft Win32k Elevation of Privilege (CVE-2021-1732), Microsoft Win32k Elevation of Privilege (CVE-2020-1054))
Check Point: GOANYWHERE (CVE-2023-0669) This is a critical RCE vulnerability in the GoAnywhere MFT software (Managed File Transfer) disclosed in February 2023. Prior to its disclosure, the flaw was actively exploited by the CL0P ransomware gang, leading to significant data breaches in more than 130 organizations. This incident highlights the growing trend of ransomware operators using zero-day vulnerabilities to conduct their attacks. Check Point data shows that 2.5% of organizations have been impacted by this vulnerability in 2023.
Check Point: BARRACUDA (CVE-2023-2868) This is a critical remote command injection vulnerability identified in the Barracuda Email Security Gateway (ESG) appliance, which is exploited using malicious file attachments. The vulnerability was actively exploited as early as October 2022 by a Chinese APT actor in an aggressive campaign that impacted organizations on a global scale, with a significant focus on government agencies. Following the release of patches and containment efforts, the attackers adapted their techniques by altering their malware and employing additional persistence mechanisms to maintain access. As a result, both Barracuda and the FBI recommended that customers immediately replace compromised ESG devices.
Check Point: CITRIXBLEED (CVE-2023-4966) This critical vulnerability in Citrix NetScaler platforms allows remote unauthenticated attackers to extract system memory data which includes session tokens. These are then used to hijack legitimate sessions, bypassing password and MFA procedures. Due to its ease of use and the availability of proof-of-concept exploits, CitrixBleed was extensively exploited by several ransomware groups including LockBit, Medusa and Akira.
Check Point: Check Point IPS provides protection against this threat (Microsoft Message Queuing Remote Code Execution (CVE-2023-21554)) Check Point Research flags a sharp increase in cyberattacks targeting IoT Devices, with a 41% increase in the average number of weekly attacks per organization during the first two months of 2023, compared to 2022. On average, every week, 54% of organizations suffer from attempted cyber-attacks targeting IoT devices, mostly in Europe followed by APAC and Latin America.