Report Name: Check Point 2024 Cyber Security Report
Generated: 2024-02-22 14:43:45

Product Name	Prevalence	U	C	H	M	L	A	Comment
Microsoft Message Queuing	0.9		1		2		3	Microsoft Message Queuing or MSMQ is a message queue implementation developed by Microsoft and deployed in its Windows Server operating systems since Windows NT 4 and Windows 95
Windows Win32k	0.9	2					2	The Win32k.sys driver is the kernel side of some core parts of the Windows subsystem. Its main functionality is the GUI of Windows; it's responsible for window management.
Cisco ASA	0.8		1				1	A family of network security devices from Cisco that provide firewall, intrusion prevention (IPS) and virtual private network (VPN) capabilities
Cisco IOS	0.8		1				1	The Internetworking Operating System is a family of proprietary network operating systems used on several router and network switch models manufactured by Cisco Systems
WinRAR	0.8	1					1	WinRAR is a trialware file archiver utility for Windows, developed by Eugene Roshal of win.rar GmbH
Windows Common Log File System Driver	0.8	1					1	Common Log File System is a general-purpose logging subsystem that is accessible to both kernel-mode as well as user-mode applications for building high-performance transaction logs
Apache Tomcat	0.7	1					1	Apache Tomcat is a free and open-source implementation of the Jakarta Servlet, Jakarta Expression Language, and WebSocket technologies
ESXi	0.7	2					2	VMware ESXi (formerly ESX) is an enterprise-class, type-1 hypervisor developed by VMware for deploying and serving virtual computers
GoAnywhere Managed File Transfery	0.6	1					1	GoAnywhere MFT is a secure managed file transfer software solution that streamlines the exchange of data between systems, employees, customers, and trading partners
MOVEit Transfer	0.6	1					1	Progress MOVEit is a secure Managed File Transfer (MFT) software. MOVEit enables organizations to meet compliance standards, easily ensure the reliability of core business processes, and secure the transfer of sensitive data between partners, customers, users and systems.
Microsoft Outlook	0.6	1					1	Microsoft Outlook is a personal information manager software system from Microsoft, available as a part of the Microsoft 365 software suites
PaperCut NG	0.6	1					1	PaperCut NG is a comprehensive print management system designed to seamlessly monitor and control your resources with easy to use administrative and user tools that can be securely accessed from anywhere on the network though a web browser
3CX DesktopApp	0.5		1				1	The 3CX Phone System is the software-based private branch exchange (PBX) phone system developed and marketed by the company, 3CX
Barracuda Email Security Gateway	0.5	1					1	The Barracuda Email Security Gateway is an email security gateway that manages and filters all inbound and outbound email traffic to protect organizations from email-borne threats and data leaks
NetScaler Application Delivery Controller	0.5	2					2	Product detected by a:citrix:netscaler_application_delivery_controller (exists in CPE dict)

Vulnerability Type	Criticality	U	C	H	M	L	A
Remote Code Execution	1.0	5	3				8
Authentication Bypass	0.98	1	1				2
Code Injection	0.97	1					1
Command Injection	0.97	2					2
Elevation of Privilege	0.85	3					3
Information Disclosure	0.83	1					1
Denial of Service	0.7				2		2
Memory Corruption	0.5	1					1

Source	U	C	H	M	L	A
Check Point	14	4		2		20

Urgent (14)

1. Remote Code Execution - Apache Tomcat (CVE-2023-47246) - Urgent [950]

Description: In SysAid On-Premise before 23.3.36, a path traversal vulnerability leads to code execution after an attacker writes a file to the Tomcat webroot, as exploited in the wild in November 2023.

Check Point: After the MOVEit attack, exploitation of zero-day vulnerabilities for ransomware attacks continued. Threat actors associated with CLOP were observed exploiting a zero-day vulnerability within the SysAid IT support software, potentially impacting over 5,000 customers. The company disclosed in an advisory that it became aware of this new vulnerability (CVE-2023-47246] on November 2, but the earliest reports of the exploitation date back to October. Beyond CLOp, Akira and Lockbit, two of the most prolific ransomware actors, have been exploiting a zero-day vulnerability (CVE-2023-20269) in Cisco appliances, enabling attackers to conduct brute force attacks against existing accounts.

2. Remote Code Execution - WinRAR (CVE-2023-38831) - Urgent [942]

Description: RARLAB WinRAR before 6.23 allows attackers to execute arbitrary code when a user attempts to view a benign file within a ZIP archive. The issue occurs because a ZIP archive may include a benign file (such as an ordinary .JPG file) and also a folder that has the same name as the benign file, and the contents of the folder (which may include executable content) are processed during an attempt to access only the benign file. This was exploited in the wild in April through October 2023.

Check Point: vulnerability (CVE-2023-38831) to steal from

3. Remote Code Execution - ESXi (CVE-2021-21974) - Urgent [938]

Description: OpenSLP as used in ESXi (7.0 before ESXi70U1c-17325551, 6.7 before ESXi670-202102401-SG, 6.5 before ESXi650-202102101-SG) has a heap-overflow vulnerability. A malicious actor residing within the same network segment as ESXi who has access to port 427 may be able to trigger the heap-overflow issue in OpenSLP service resulting in remote code execution.

Check Point: Check Point IPS provides protection against this threat (VMWare OpenSLP Heap Buffer Overflow (CVE-2019-5544; CVE-2021-21974)) Social media platform Reddit suffered a security breach, after an employee fell victim to a phishing attack. According to the company’s statement, while internal documents and source code were stolen, user information and credentials have not been impacted.

4. Remote Code Execution - PaperCut NG (CVE-2023-27350) - Urgent [933]

Description: This vulnerability allows remote attackers to bypass authentication on affected installations of PaperCut NG 22.0.5 (Build 63914). Authentication is not required to exploit this vulnerability. The specific flaw exists within the SetupCompleted class. The issue results from improper access control. An attacker can leverage this vulnerability to bypass authentication and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-18987.

Check Point: PAPERCUT (CVE-2023-27350) This is a critical RCE (Remote Code Execution) vulnerability with a CVSS score of 9.8 in PaperCut, a print management software with a user base of more than 100 million users. Disclosed with a patch-released in March of 2023, this flaw can lead to the exposure of sensitive information and breach of entire networks. Following its disclosure, it was quickly leveraged by various malicious actors, including the delivery of Lockbit and CL0P ransomware. It was also exploitated by state-sponsored APT groups. Check Point data shows that 9% of organizations have been impacted by this vulnerability in 2023.

5. Authentication Bypass - Microsoft Outlook (CVE-2023-23397) - Urgent [929]

Description: Microsoft Outlook Elevation of Privilege Vulnerability

Check Point: MICROSOFT OUTLOOK (CVE-2023-23397) This is a critical privilege escalation vulnerably in Microsoft Outlook, discovered in March 2023 with a CVSS rating of 9.8. The flaw enables attackers to hijack users’ authentication hashes via specially crafted emails. The vulnerability was actively exploited by groups including the XXXXn-affiliated APT28.

6. Code Injection - MOVEit Transfer (CVE-2023-34362) - Urgent [927]

Description: In Progress MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1), a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database, and execute SQL statements that alter or delete database elements. NOTE: this is exploited in the wild in May and June 2023; exploitation of unpatched systems can occur via HTTP or HTTPS. All versions (e.g., 2020.0 and 2019x) before the five explicitly mentioned versions are affected, including older unsupported versions.

Check Point: JUNE Progress disclosed a vulnerability in MOVEit Transfer and MOVEit Cloud (CVE-2023-34362) that could lead to escalated privileges and potential unauthorized access to the environment. Upon discovery, Progress launched an investigation, provided mitigation steps and released a security patch, all within 48 hours. Unfortunately, during that time, cybercriminals associated with XXXXn-affiliated ransomware group Clop exploited the vulnerability and launched a supply chain attack against MOVEit users. Among them was payroll services provider Zellis, who was the first to disclose a security breach, although many others have been impacted.

Check Point: Check Point IPS blade provides protection against this threat (MOVEit Transfer SQL Injection (CVE-2023-34362)) Check Point Research has published an analysis of a backdoor tool used by the Chinese APT group Camaro Dragon. The backdoor tool, dubbed TinyNote, is written in Go and includes a feature bypassing Indonesian antivirus software SmadAV, which is popular in Southeast Asian countries. The APT group’s victims likely include embassies in Southeast Asian countries.

Check Point: MOVEIT (CVE-2023-34362) This critical SQL injection vulnerability in MOVEit MFT (Managed File Transfer Software) was exploited in 2023’smost prolific ransomware campaign, impacting more than 2,700 organizations globally. The vulnerability was exploited by the CL0P ransomware group prior to its public disclosure and utilized to deploy a web shell named LEMURLOOT, which was then used to steal data from MOVEit Transfer databases. The large number of victims and the amount of data led CL0P to change its extortion techniques, relying on data extortion instead of encrypting and publishing stolen data on Torrents. Check Point data shows that 7% of organizations have been impacted by this vulnerability in 2023.

Check Point: LEMURLOOT LEMURLOOT is a web shell malware associated with the CL0P ransomware group, designed to exploit a critical SQL injection vulnerability (CVE-2023-34362) in the MOVEit Transfer managed file transfer (MFT) application. LEMURLOOT is written in C# and requires a hard-coded password for authentication. This malware was instrumental in significant data theft and extortion attempts by the CL0P group.

7. Remote Code Execution - NetScaler Application Delivery Controller (CVE-2023-3519) - Urgent [916]

Description: Unauthenticated remote code execution

Check Point: These vulnerabilities, particularly ProxyShell and Citrix RCE (CVE-2023-3519), can enable threat actors to install webshells on internet-facing vulnerable devices. The devices targeted in those vulnerabilities, such as Exchange servers and NetScaler Gateways, are often internet-facing, constituting prime targets. Once compromised, these devices continue to function as dormant footholds for the threat actor, even after patching.

Check Point: While diving deeper into the incident and trying to locate the initial infection vector, we identified CVE-2023-3519, a remote code execution vulnerability in Citrix NetScaler systems as the initial point of compromise. This vulnerability had been exploited to deploy a webshell on the device, which remained undetected even after the system was patched. This oversight allowed the threat actor to maintain network access. Three months post-exploitation, this webshell was activated by another threat actor who intended to deploy ransomware. Fortunately, due to the customer's alertness and CPIRT's prompt response, the ransomware attack was successfully thwarted before it could inflict damage.

8. Elevation of Privilege - Windows Common Log File System Driver (CVE-2023-28252) - Urgent [904]

Description: Windows Common Log File System Driver Elevation of Privilege Vulnerability

Check Point: Nokoyawa Nokoyawa is a Windows-based ransomware family first identified in February 2022 and is known for double extortion attacks. This ransomware, initially written in C and later rewritten in Rust, demonstrates coding similarities with the Nemty and Karma ransomware families. The ransomware is known to exploit vulnerabilities like CVE-2023-28252 in attacks.

9. Elevation of Privilege - Windows Win32k (CVE-2021-1732) - Urgent [897]

Description: Windows Win32k Elevation of Privilege Vulnerability

Check Point: The Check Point research team has uncovered new techniques used by the Raspberry Robin malware. These methods include several anti-evasion techniques, obfuscation, and anti-VM measures. The malware also exploits two vulnerabilities in Win32k (CVE-2020-1054 and CVE-2021-1732) in order to elevate its privileges.

Check Point: Check Point Threat Emulation and IPS provide protection against this threat (Trojan.Wins.RaspberryRobin; Microsoft Win32k Elevation of Privilege (CVE-2021-1732), Microsoft Win32k Elevation of Privilege (CVE-2020-1054))

10. Command Injection - GoAnywhere Managed File Transfery (CVE-2023-0669) - Urgent [892]

Description: Fortra (formerly, HelpSystems) GoAnywhere MFT suffers from a pre-authentication command injection vulnerability in the License Response Servlet due to deserializing an arbitrary attacker-controlled object. This issue was patched in version 7.1.2.

Check Point: GOANY WHERE (CVE-2023-0669) This is a critical RCE vulnerability in the GoAnywhere MFT software (Managed File Transfer) disclosed in February 2023. Prior to its disclosure, the flaw was actively exploited by the CL0P ransomware gang, leading to significant data breaches in more than 130 organizations. This incident highlights the growing trend of ransomware operators using zero-day vulnerabilities to conduct their attacks. Check Point data shows that 2.5% of organizations have been impacted by this vulnerability in 2023.

11. Command Injection - Barracuda Email Security Gateway (CVE-2023-2868) - Urgent [887]

Description: A remote command injection vulnerability exists in the Barracuda Email Security Gateway (appliance form factor only) product effecting versions 5.1.3.001-9.2.0.006. The vulnerability arises out of a failure to comprehensively sanitize the processing of .tar file (tape archives). The vulnerability stems from incomplete input validation of a user-supplied .tar file as it pertains to the names of the files contained within the archive. As a consequence, a remote attacker can specifically format these file names in a particular manner that will result in remotely executing a system command through Perl's qx operator with the privileges of the Email Security Gateway product. This issue was fixed as part of BNSF-36456 patch. This patch was automatically applied to all customer appliances.

Check Point: BARRACUDA (CVE-2023-2868) This is a critical remote command injection vulnerability identified in the Barracuda Email Security Gateway (ESG) appliance, which is exploited using malicious file attachments. The vulnerability was actively exploited as early as October 2022 by a Chinese APT actor in an aggressive campaign that impacted organizations on a global scale, with a significant focus on government agencies. Following the release of patches and containment efforts, the attackers adapted their techniques by altering their malware and employing additional persistence mechanisms to maintain access. As a result, both Barracuda and the FBI recommended that customers immediately replace compromised ESG devices.

12. Elevation of Privilege - Windows Win32k (CVE-2020-1054) - Urgent [885]

Description: An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-1143.

Check Point: The Check Point research team has uncovered new techniques used by the Raspberry Robin malware. These methods include several anti-evasion techniques, obfuscation, and anti-VM measures. The malware also exploits two vulnerabilities in Win32k (CVE-2020-1054 and CVE-2021-1732) in order to elevate its privileges.

Check Point: Check Point Threat Emulation and IPS provide protection against this threat (Trojan.Wins.RaspberryRobin; Microsoft Win32k Elevation of Privilege (CVE-2021-1732), Microsoft Win32k Elevation of Privilege (CVE-2020-1054))

13. Information Disclosure - NetScaler Application Delivery Controller (CVE-2023-4966) - Urgent [874]

Description: Sensitive information disclosure in NetScaler ADC and NetScaler Gateway when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA ?virtual?server. 

Check Point: CITRIXBLEED (CVE-2023-4966) This critical vulnerability in Citrix NetScaler platforms allows remote unauthenticated attackers to extract system memory data which includes session tokens. These are then used to hijack legitimate sessions, bypassing password and MFA procedures. Due to its ease of use and the availability of proof-of-concept exploits, CitrixBleed was extensively exploited by several ransomware groups including LockBit, Medusa and Akira.

14. Memory Corruption - ESXi (CVE-2019-5544) - Urgent [848]

Description: OpenSLP as used in ESXi and the Horizon DaaS appliances has a heap overwrite issue. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.

Check Point: Check Point IPS provides protection against this threat (VMWare OpenSLP Heap Buffer Overflow (CVE-2019-5544; CVE-2021-21974)) Social media platform Reddit suffered a security breach, after an employee fell victim to a phishing attack. According to the company’s statement, while internal documents and source code were stolen, user information and credentials have not been impacted.

Critical (4)

15. Remote Code Execution - 3CX DesktopApp (CVE-2023-29059) - Critical [797]

Description: 3CX DesktopApp through 18.12.416 has embedded malicious code, as exploited in the wild in March 2023. This affects versions 18.12.407 and 18.12.416 of the 3CX DesktopApp Electron Windows application shipped in Update 7, and versions 18.11.1213, 18.12.402, 18.12.407, and 18.12.416 of the 3CX DesktopApp Electron macOS application.

Check Point: APRIL Both Windows and macOS versions of 3CXDesktopApp, a VoIP application of 3CX Communications Company, were compromised and used to distribute Trojanized versions in a large-scale supply chain attack. In this widespread campaign, dubbed SmoothOperator, threat actors have misused 3CX’s application with a malicious file that is loaded using 3CXDesktopApp and beacons to the attacker’s infrastructure. More than 600,000 companies worldwide which use 3CX may be affected by this attack. The attack is linked to the North Korean Lazarus group, and is tracked as CVE-2023-29059.

16. Remote Code Execution - Microsoft Message Queuing (CVE-2023-21554) - Critical [769]

Description: Microsoft Message Queuing Remote Code Execution Vulnerability

Check Point: Check Point Research has discovered three vulnerabilities (CVE-2023-28302, CVE-2023-21769 and CVE-2023-21554) in the “Microsoft Message Queuing” service, commonly known as MSMQ. The most severe of these, dubbed QueueJumper by CPR (CVE-2023-21554), is a critical vulnerability that could allow unauthenticated attackers to remotely execute arbitrary code in the context of the Windows service process mqsvc.exe.

Check Point: Check Point IPS provides protection against this threat (Microsoft Message Queuing Remote Code Execution (CVE-2023-21554)) Check Point Research flags a sharp increase in cyberattacks targeting IoT Devices, with 41% increase in the average number of weekly attacks per organization during the first two months of 2023, compared to 2022. On average, every week, 54% of organizations suffer from attempted cyber-attacks targeting IoT devices, mostly in Europe followed by APAC and Latin America.

17. Remote Code Execution - Cisco IOS (CVE-2017-6742) - Critical [728]

Description: The Simple Network Management Protocol (SNMP) subsystem of Cisco IOS 12.0 through 12.4 and 15.0 through 15.6 and IOS XE 2.2 through 3.17 contains multiple vulnerabilities that could allow an authenticated, remote attacker to remotely execute code on an affected system or cause an affected system to reload. An attacker could exploit these vulnerabilities by sending a crafted SNMP packet to an affected system via IPv4 or IPv6. Only traffic directed to an affected system can be used to exploit these vulnerabilities. The vulnerabilities are due to a buffer overflow condition in the SNMP subsystem of the affected software. The vulnerabilities affect all versions of SNMP: Versions 1, 2c, and 3. To exploit these vulnerabilities via SNMP Version 2c or earlier, the attacker must know the SNMP read-only community string for the affected system. To exploit these vulnerabilities via SNMP Version 3, the attacker must have user credentials for the affected system. All devices that have enabled SNMP and have not explicitly excluded the affected MIBs or OIDs should be considered vulnerable. Cisco Bug IDs: CSCve54313.

Check Point: JaguarTooth JaguarTooth is a Cisco IOS malware that targets and modifies routers' authentication mechanisms to allow unauthenticated backdoor access. It collects and exfiltrates device and network information, including firmware versions and network configurations, via the Trivial File Transfer Protocol (TFTP). JaguarTooth was deployed through the exploitation of a known Simple Network Management Protocol (SNMP) vulnerability, CVE-2017-6742.

18. Authentication Bypass - Cisco ASA (CVE-2023-20269) - Critical [689]

Description: A vulnerability in the remote access VPN feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct a brute force attack in an attempt to identify valid username and password combinations or an authenticated, remote attacker to establish a clientless SSL VPN session with an unauthorized user. This vulnerability is due to improper separation of authentication, authorization, and accounting (AAA) between the remote access VPN feature and the HTTPS management and site-to-site VPN features. An attacker could exploit this vulnerability by specifying a default connection profile/tunnel group while conducting a brute force attack or while establishing a clientless SSL VPN session using valid credentials. A successful exploit could allow the attacker to achieve one or both of the following: Identify valid credentials that could then be used to establish an unauthorized remote access VPN session. Establish a clientless SSL VPN session (only when running Cisco ASA Software Release 9.16 or earlier). Notes: Establishing a client-based remote access VPN tunnel is not possible as these default connection profiles/tunnel groups do not and cannot have an IP address pool configured. This vulnerability does not allow an attacker to bypass authentication. To successfully establish a remote access VPN session, valid credentials are required, including a valid second factor if multi-factor authentication (MFA) is configured. Cisco will release software updates that address this vulnerability. There are workarounds that address this vulnerability.

Check Point: After the MOVEit attack, exploitation of zero-day vulnerabilities for ransomware attacks continued. Threat actors associated with CLOP were observed exploiting a zero-day vulnerability within the SysAid IT support software, potentially impacting over 5,000 customers. The company disclosed in an advisory that it became aware of this new vulnerability (CVE-2023-47246] on November 2, but the earliest reports of the exploitation date back to October. Beyond CLOp, Akira and Lockbit, two of the most prolific ransomware actors, have been exploiting a zero-day vulnerability (CVE-2023-20269) in Cisco appliances, enabling attackers to conduct brute force attacks against existing accounts.

High (0)

Medium (2)

19. Denial of Service - Microsoft Message Queuing (CVE-2023-21769) - Medium [394]

Description: Microsoft Message Queuing Denial of Service Vulnerability

Check Point: Check Point Research has discovered three vulnerabilities (CVE-2023-28302, CVE-2023-21769 and CVE-2023-21554) in the “Microsoft Message Queuing” service, commonly known as MSMQ. The most severe of these, dubbed QueueJumper by CPR (CVE-2023-21554), is a critical vulnerability that could allow unauthenticated attackers to remotely execute arbitrary code in the context of the Windows service process mqsvc.exe.

20. Denial of Service - Microsoft Message Queuing (CVE-2023-28302) - Medium [394]

Description: Microsoft Message Queuing Denial of Service Vulnerability

Check Point: Check Point Research has discovered three vulnerabilities (CVE-2023-28302, CVE-2023-21769 and CVE-2023-21554) in the “Microsoft Message Queuing” service, commonly known as MSMQ. The most severe of these, dubbed QueueJumper by CPR (CVE-2023-21554), is a critical vulnerability that could allow unauthenticated attackers to remotely execute arbitrary code in the context of the Windows service process mqsvc.exe.

Low (0)

Exploitation in the wild detected (17)

Remote Code Execution (7)

• Apache Tomcat (CVE-2023-47246)

Check Point: After the MOVEit attack, exploitation of zero-day vulnerabilities for ransomware attacks continued. Threat actors associated with CLOP were observed exploiting a zero-day vulnerability within the SysAid IT support software, potentially impacting over 5,000 customers. The company disclosed in an advisory that it became aware of this new vulnerability (CVE-2023-47246] on November 2, but the earliest reports of the exploitation date back to October. Beyond CLOp, Akira and Lockbit, two of the most prolific ransomware actors, have been exploiting a zero-day vulnerability (CVE-2023-20269) in Cisco appliances, enabling attackers to conduct brute force attacks against existing accounts.

• WinRAR (CVE-2023-38831)

Check Point: vulnerability (CVE-2023-38831) to steal from

• ESXi (CVE-2021-21974)

Check Point: Check Point IPS provides protection against this threat (VMWare OpenSLP Heap Buffer Overflow (CVE-2019-5544; CVE-2021-21974)) Social media platform Reddit suffered a security breach, after an employee fell victim to a phishing attack. According to the company’s statement, while internal documents and source code were stolen, user information and credentials have not been impacted.

• PaperCut NG (CVE-2023-27350)

Check Point: PAPERCUT (CVE-2023-27350) This is a critical RCE (Remote Code Execution) vulnerability with a CVSS score of 9.8 in PaperCut, a print management software with a user base of more than 100 million users. Disclosed with a patch-released in March of 2023, this flaw can lead to the exposure of sensitive information and breach of entire networks. Following its disclosure, it was quickly leveraged by various malicious actors, including the delivery of Lockbit and CL0P ransomware. It was also exploitated by state-sponsored APT groups. Check Point data shows that 9% of organizations have been impacted by this vulnerability in 2023.

• NetScaler Application Delivery Controller (CVE-2023-3519)

Check Point: These vulnerabilities, particularly ProxyShell and Citrix RCE (CVE-2023-3519), can enable threat actors to install webshells on internet-facing vulnerable devices. The devices targeted in those vulnerabilities, such as Exchange servers and NetScaler Gateways, are often internet-facing, constituting prime targets. Once compromised, these devices continue to function as dormant footholds for the threat actor, even after patching.

Check Point: While diving deeper into the incident and trying to locate the initial infection vector, we identified CVE-2023-3519, a remote code execution vulnerability in Citrix NetScaler systems as the initial point of compromise. This vulnerability had been exploited to deploy a webshell on the device, which remained undetected even after the system was patched. This oversight allowed the threat actor to maintain network access. Three months post-exploitation, this webshell was activated by another threat actor who intended to deploy ransomware. Fortunately, due to the customer's alertness and CPIRT's prompt response, the ransomware attack was successfully thwarted before it could inflict damage.

• 3CX DesktopApp (CVE-2023-29059)

Check Point: APRIL Both Windows and macOS versions of 3CXDesktopApp, a VoIP application of 3CX Communications Company, were compromised and used to distribute Trojanized versions in a large-scale supply chain attack. In this widespread campaign, dubbed SmoothOperator, threat actors have misused 3CX’s application with a malicious file that is loaded using 3CXDesktopApp and beacons to the attacker’s infrastructure. More than 600,000 companies worldwide which use 3CX may be affected by this attack. The attack is linked to the North Korean Lazarus group, and is tracked as CVE-2023-29059.

• Cisco IOS (CVE-2017-6742)

Check Point: JaguarTooth JaguarTooth is a Cisco IOS malware that targets and modifies routers' authentication mechanisms to allow unauthenticated backdoor access. It collects and exfiltrates device and network information, including firmware versions and network configurations, via the Trivial File Transfer Protocol (TFTP). JaguarTooth was deployed through the exploitation of a known Simple Network Management Protocol (SNMP) vulnerability, CVE-2017-6742.

Authentication Bypass (2)

• Microsoft Outlook (CVE-2023-23397)

Check Point: MICROSOFT OUTLOOK (CVE-2023-23397) This is a critical privilege escalation vulnerably in Microsoft Outlook, discovered in March 2023 with a CVSS rating of 9.8. The flaw enables attackers to hijack users’ authentication hashes via specially crafted emails. The vulnerability was actively exploited by groups including the XXXXn-affiliated APT28.

• Cisco ASA (CVE-2023-20269)

Check Point: After the MOVEit attack, exploitation of zero-day vulnerabilities for ransomware attacks continued. Threat actors associated with CLOP were observed exploiting a zero-day vulnerability within the SysAid IT support software, potentially impacting over 5,000 customers. The company disclosed in an advisory that it became aware of this new vulnerability (CVE-2023-47246] on November 2, but the earliest reports of the exploitation date back to October. Beyond CLOp, Akira and Lockbit, two of the most prolific ransomware actors, have been exploiting a zero-day vulnerability (CVE-2023-20269) in Cisco appliances, enabling attackers to conduct brute force attacks against existing accounts.

Code Injection (1)

• MOVEit Transfer (CVE-2023-34362)

Check Point: JUNE Progress disclosed a vulnerability in MOVEit Transfer and MOVEit Cloud (CVE-2023-34362) that could lead to escalated privileges and potential unauthorized access to the environment. Upon discovery, Progress launched an investigation, provided mitigation steps and released a security patch, all within 48 hours. Unfortunately, during that time, cybercriminals associated with XXXXn-affiliated ransomware group Clop exploited the vulnerability and launched a supply chain attack against MOVEit users. Among them was payroll services provider Zellis, who was the first to disclose a security breach, although many others have been impacted.

Check Point: Check Point IPS blade provides protection against this threat (MOVEit Transfer SQL Injection (CVE-2023-34362)) Check Point Research has published an analysis of a backdoor tool used by the Chinese APT group Camaro Dragon. The backdoor tool, dubbed TinyNote, is written in Go and includes a feature bypassing Indonesian antivirus software SmadAV, which is popular in Southeast Asian countries. The APT group’s victims likely include embassies in Southeast Asian countries.

Check Point: MOVEIT (CVE-2023-34362) This critical SQL injection vulnerability in MOVEit MFT (Managed File Transfer Software) was exploited in 2023’smost prolific ransomware campaign, impacting more than 2,700 organizations globally. The vulnerability was exploited by the CL0P ransomware group prior to its public disclosure and utilized to deploy a web shell named LEMURLOOT, which was then used to steal data from MOVEit Transfer databases. The large number of victims and the amount of data led CL0P to change its extortion techniques, relying on data extortion instead of encrypting and publishing stolen data on Torrents. Check Point data shows that 7% of organizations have been impacted by this vulnerability in 2023.

Check Point: LEMURLOOT LEMURLOOT is a web shell malware associated with the CL0P ransomware group, designed to exploit a critical SQL injection vulnerability (CVE-2023-34362) in the MOVEit Transfer managed file transfer (MFT) application. LEMURLOOT is written in C# and requires a hard-coded password for authentication. This malware was instrumental in significant data theft and extortion attempts by the CL0P group.

Elevation of Privilege (3)

• Windows Common Log File System Driver (CVE-2023-28252)

Check Point: Nokoyawa Nokoyawa is a Windows-based ransomware family first identified in February 2022 and is known for double extortion attacks. This ransomware, initially written in C and later rewritten in Rust, demonstrates coding similarities with the Nemty and Karma ransomware families. The ransomware is known to exploit vulnerabilities like CVE-2023-28252 in attacks.

• Windows Win32k (CVE-2020-1054, CVE-2021-1732)

Check Point: The Check Point research team has uncovered new techniques used by the Raspberry Robin malware. These methods include several anti-evasion techniques, obfuscation, and anti-VM measures. The malware also exploits two vulnerabilities in Win32k (CVE-2020-1054 and CVE-2021-1732) in order to elevate its privileges.

Check Point: Check Point Threat Emulation and IPS provide protection against this threat (Trojan.Wins.RaspberryRobin; Microsoft Win32k Elevation of Privilege (CVE-2021-1732), Microsoft Win32k Elevation of Privilege (CVE-2020-1054))

Command Injection (2)

• GoAnywhere Managed File Transfery (CVE-2023-0669)

Check Point: GOANY WHERE (CVE-2023-0669) This is a critical RCE vulnerability in the GoAnywhere MFT software (Managed File Transfer) disclosed in February 2023. Prior to its disclosure, the flaw was actively exploited by the CL0P ransomware gang, leading to significant data breaches in more than 130 organizations. This incident highlights the growing trend of ransomware operators using zero-day vulnerabilities to conduct their attacks. Check Point data shows that 2.5% of organizations have been impacted by this vulnerability in 2023.

• Barracuda Email Security Gateway (CVE-2023-2868)

Check Point: BARRACUDA (CVE-2023-2868) This is a critical remote command injection vulnerability identified in the Barracuda Email Security Gateway (ESG) appliance, which is exploited using malicious file attachments. The vulnerability was actively exploited as early as October 2022 by a Chinese APT actor in an aggressive campaign that impacted organizations on a global scale, with a significant focus on government agencies. Following the release of patches and containment efforts, the attackers adapted their techniques by altering their malware and employing additional persistence mechanisms to maintain access. As a result, both Barracuda and the FBI recommended that customers immediately replace compromised ESG devices.

Information Disclosure (1)

• NetScaler Application Delivery Controller (CVE-2023-4966)

Check Point: CITRIXBLEED (CVE-2023-4966) This critical vulnerability in Citrix NetScaler platforms allows remote unauthenticated attackers to extract system memory data which includes session tokens. These are then used to hijack legitimate sessions, bypassing password and MFA procedures. Due to its ease of use and the availability of proof-of-concept exploits, CitrixBleed was extensively exploited by several ransomware groups including LockBit, Medusa and Akira.

Memory Corruption (1)

• ESXi (CVE-2019-5544)

Check Point: Check Point IPS provides protection against this threat (VMWare OpenSLP Heap Buffer Overflow (CVE-2019-5544; CVE-2021-21974)) Social media platform Reddit suffered a security breach, after an employee fell victim to a phishing attack. According to the company’s statement, while internal documents and source code were stolen, user information and credentials have not been impacted.

Public exploit exists, but exploitation in the wild is NOT detected (1)

Remote Code Execution (1)

• Microsoft Message Queuing (CVE-2023-21554)

Check Point: Check Point Research has discovered three vulnerabilities (CVE-2023-28302, CVE-2023-21769 and CVE-2023-21554) in the “Microsoft Message Queuing” service, commonly known as MSMQ. The most severe of these, dubbed QueueJumper by CPR (CVE-2023-21554), is a critical vulnerability that could allow unauthenticated attackers to remotely execute arbitrary code in the context of the Windows service process mqsvc.exe.

Check Point: Check Point IPS provides protection against this threat (Microsoft Message Queuing Remote Code Execution (CVE-2023-21554)) Check Point Research flags a sharp increase in cyberattacks targeting IoT Devices, with 41% increase in the average number of weekly attacks per organization during the first two months of 2023, compared to 2022. On average, every week, 54% of organizations suffer from attempted cyber-attacks targeting IoT devices, mostly in Europe followed by APAC and Latin America.

Other Vulnerabilities (2)

Denial of Service (2)

• Microsoft Message Queuing (CVE-2023-21769, CVE-2023-28302)

Check Point: Check Point Research has discovered three vulnerabilities (CVE-2023-28302, CVE-2023-21769 and CVE-2023-21554) in the “Microsoft Message Queuing” service, commonly known as MSMQ. The most severe of these, dubbed QueueJumper by CPR (CVE-2023-21554), is a critical vulnerability that could allow unauthenticated attackers to remotely execute arbitrary code in the context of the Windows service process mqsvc.exe.