Report Name: Check Point 2024 Cyber Security Report WITHOUT Qualys
Generated: 2024-02-22 14:44:01

Columns U, C, H, M and L count the vulnerabilities rated Urgent, Critical, High, Medium and Low for each row; A is the total.

Product Name | Prevalence | U | C | H | M | L | A | Comment |
---|---|---|---|---|---|---|---|---|
Microsoft Message Queuing | 0.9 | | 1 | | 2 | | 3 | Microsoft Message Queuing or MSMQ is a message queue implementation developed by Microsoft and deployed in its Windows Server operating systems since Windows NT 4 and Windows 95 |
Windows Win32k | 0.9 | 2 | | | | | 2 | The Win32k.sys driver is the kernel side of some core parts of the Windows subsystem. Its main functionality is the GUI of Windows; it's responsible for window management. |
Cisco ASA | 0.8 | | 1 | | | | 1 | A family of network security devices from Cisco that provide firewall, intrusion prevention (IPS) and virtual private network (VPN) capabilities |
Cisco IOS | 0.8 | | 1 | | | | 1 | The Internetworking Operating System is a family of proprietary network operating systems used on several router and network switch models manufactured by Cisco Systems |
WinRAR | 0.8 | 1 | | | | | 1 | WinRAR is a trialware file archiver utility for Windows, developed by Eugene Roshal of win.rar GmbH |
Apache Tomcat | 0.7 | 1 | | | | | 1 | Apache Tomcat is a free and open-source implementation of the Jakarta Servlet, Jakarta Expression Language, and WebSocket technologies |
ESXi | 0.7 | 2 | | | | | 2 | VMware ESXi (formerly ESX) is an enterprise-class, type-1 hypervisor developed by VMware for deploying and serving virtual computers |
NetScaler Application Delivery Controller | 0.5 | 2 | | | | | 2 | Product detected by a:citrix:netscaler_application_delivery_controller (exists in CPE dict) |

Vulnerability Type | Criticality | U | C | H | M | L | A |
---|---|---|---|---|---|---|---|
Remote Code Execution | 1.0 | 4 | 2 | | | | 6 |
Authentication Bypass | 0.98 | | 1 | | | | 1 |
Elevation of Privilege | 0.85 | 2 | | | | | 2 |
Information Disclosure | 0.83 | 1 | | | | | 1 |
Denial of Service | 0.7 | | | | 2 | | 2 |
Memory Corruption | 0.5 | 1 | | | | | 1 |

Source | U | C | H | M | L | A |
---|---|---|---|---|---|---|
Check Point | 8 | 3 | | 2 | | 13 |


1. Remote Code Execution - Apache Tomcat (CVE-2023-47246) - Urgent [950]
Description: In SysAid On-Premise before 23.3.36, a path traversal vulnerability leads to

Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the wild | 1.0 | 18 | Exploitation in the wild is mentioned on Vulners (AttackerKB object, cisa_kev object), AttackerKB, NVD:CISAKEV websites |
Public exploit | 1.0 | 17 | The existence of a publicly available exploit is mentioned on NVD:Exploit:www.sysaid.com website |
Vulnerability type criticality | 1.0 | 15 | Remote Code Execution |
Product prevalence | 0.7 | 14 | Apache Tomcat is a free and open-source implementation of the Jakarta Servlet, Jakarta Expression Language, and WebSocket technologies |
CVSS Base Score | 1.0 | 10 | CVSS Base Score is 9.8 (according to NVD data source) |
EPSS | 1.0 | 10 | EPSS Probability is 0.94354, EPSS Percentile is 0.99127 |

Check Point: After the MOVEit attack, exploitation of zero-day vulnerabilities for ransomware attacks continued. Threat actors associated with CLOP were observed exploiting a zero-day vulnerability within the SysAid IT support software, potentially impacting over 5,000 customers. The company disclosed in an advisory that it became aware of this new vulnerability (CVE-2023-47246) on November 2, but the earliest reports of the exploitation date back to October. Beyond CLOP, Akira and Lockbit, two of the most prolific ransomware actors, have been exploiting a zero-day vulnerability (CVE-2023-20269) in Cisco appliances, enabling attackers to conduct brute force attacks against existing accounts.

2. Remote Code Execution - WinRAR (CVE-2023-38831) - Urgent [942]
Description: RARLAB

Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the wild | 1.0 | 18 | Exploitation in the wild is mentioned on Vulners (AttackerKB object, cisa_kev object), AttackerKB, NVD:CISAKEV websites |
Public exploit | 1.0 | 17 | The existence of a publicly available exploit is mentioned on NVD:Exploit:www.group-ib.com website |
Vulnerability type criticality | 1.0 | 15 | Remote Code Execution |
Product prevalence | 0.8 | 14 | WinRAR is a trialware file archiver utility for Windows, developed by Eugene Roshal of win.rar GmbH |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8 (according to NVD data source) |
EPSS | 1.0 | 10 | EPSS Probability is 0.33602, EPSS Percentile is 0.96921 |

Check Point: vulnerability (CVE-2023-38831) to steal from

3. Remote Code Execution - ESXi (CVE-2021-21974) - Urgent [938]
Description: OpenSLP as used in

Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the wild | 1.0 | 18 | Exploitation in the wild is mentioned on Vulners (AttackerKB object), AttackerKB websites |
Public exploit | 1.0 | 17 | The existence of a publicly available exploit is mentioned on NVD:Exploit:packetstormsecurity.com website |
Vulnerability type criticality | 1.0 | 15 | Remote Code Execution |
Product prevalence | 0.7 | 14 | VMware ESXi (formerly ESX) is an enterprise-class, type-1 hypervisor developed by VMware for deploying and serving virtual computers |
CVSS Base Score | 0.9 | 10 | CVSS Base Score is 8.8 (according to NVD data source) |
EPSS | 1.0 | 10 | EPSS Probability is 0.87964, EPSS Percentile is 0.98558 |

Check Point: Check Point IPS provides protection against this threat (VMWare OpenSLP Heap Buffer Overflow (CVE-2019-5544; CVE-2021-21974)). Social media platform Reddit suffered a security breach, after an employee fell victim to a phishing attack. According to the company's statement, while internal documents and source code were stolen, user information and credentials have not been impacted.

4. Remote Code Execution - NetScaler Application Delivery Controller (CVE-2023-3519) - Urgent [916]
Description: Unauthenticated remote
Check Point: These vulnerabilities, particularly ProxyShell and Citrix RCE (CVE-2023-3519), can enable threat actors to install webshells on internet-facing vulnerable devices. The devices targeted in those vulnerabilities, such as Exchange servers and NetScaler Gateways, are often internet-facing, constituting prime targets. Once compromised, these devices continue to function as dormant footholds for the threat actor, even after patching.
Check Point: While diving deeper into the incident and trying to locate the initial infection vector, we identified CVE-2023-3519, a remote code execution vulnerability in Citrix NetScaler systems, as the initial point of compromise. This vulnerability had been exploited to deploy a webshell on the device, which remained undetected even after the system was patched. This oversight allowed the threat actor to maintain network access. Three months post-exploitation, this webshell was activated by another threat actor who intended to deploy ransomware. Fortunately, due to the customer's alertness and CPIRT's prompt response, the ransomware attack was successfully thwarted before it could inflict damage.

5. Elevation of Privilege - Windows Win32k (CVE-2021-1732) - Urgent [897]
Description:

Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the wild | 1.0 | 18 | Exploitation in the wild is mentioned on Vulners (AttackerKB object, cisa_kev object), AttackerKB, NVD:CISAKEV websites |
Public exploit | 1.0 | 17 | The existence of a publicly available exploit is mentioned on NVD:Exploit:packetstormsecurity.com website |
Vulnerability type criticality | 0.85 | 15 | Elevation of Privilege |
Product prevalence | 0.9 | 14 | The Win32k.sys driver is the kernel side of some core parts of the Windows subsystem. Its main functionality is the GUI of Windows; it's responsible for window management. |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8 (according to NVD data source) |
EPSS | 0.7 | 10 | EPSS Probability is 0.00436, EPSS Percentile is 0.74044 |

Check Point: The Check Point research team has uncovered new techniques used by the Raspberry Robin malware. These methods include several anti-evasion techniques, obfuscation, and anti-VM measures. The malware also exploits two vulnerabilities in Win32k (CVE-2020-1054 and CVE-2021-1732) in order to elevate its privileges.
Check Point: Check Point Threat Emulation and IPS provide protection against this threat (Trojan.Wins.RaspberryRobin; Microsoft Win32k Elevation of Privilege (CVE-2021-1732), Microsoft Win32k Elevation of Privilege (CVE-2020-1054))

6. Elevation of Privilege - Windows Win32k (CVE-2020-1054) - Urgent [885]
Description: An

Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the wild | 1.0 | 18 | Exploitation in the wild is mentioned on Vulners (AttackerKB object, cisa_kev object), AttackerKB, NVD:CISAKEV websites |
Public exploit | 1.0 | 17 | The existence of a publicly available exploit is mentioned on NVD:Exploit:packetstormsecurity.com website |
Vulnerability type criticality | 0.85 | 15 | Elevation of Privilege |
Product prevalence | 0.9 | 14 | The Win32k.sys driver is the kernel side of some core parts of the Windows subsystem. Its main functionality is the GUI of Windows; it's responsible for window management. |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8 (according to NVD data source) |
EPSS | 0.6 | 10 | EPSS Probability is 0.00228, EPSS Percentile is 0.60109 |

Check Point: The Check Point research team has uncovered new techniques used by the Raspberry Robin malware. These methods include several anti-evasion techniques, obfuscation, and anti-VM measures. The malware also exploits two vulnerabilities in Win32k (CVE-2020-1054 and CVE-2021-1732) in order to elevate its privileges.
Check Point: Check Point Threat Emulation and IPS provide protection against this threat (Trojan.Wins.RaspberryRobin; Microsoft Win32k Elevation of Privilege (CVE-2021-1732), Microsoft Win32k Elevation of Privilege (CVE-2020-1054))

7. Information Disclosure - NetScaler Application Delivery Controller (CVE-2023-4966) - Urgent [874]
Description: Sensitive
Check Point: CITRIXBLEED (CVE-2023-4966): This critical vulnerability in Citrix NetScaler platforms allows remote unauthenticated attackers to extract system memory data which includes session tokens. These are then used to hijack legitimate sessions, bypassing password and MFA procedures. Due to its ease of use and the availability of proof-of-concept exploits, CitrixBleed was extensively exploited by several ransomware groups including LockBit, Medusa and Akira.

8. Memory Corruption - ESXi (CVE-2019-5544) - Urgent [848]
Description: OpenSLP as used in

Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the wild | 1.0 | 18 | Exploitation in the wild is mentioned on Vulners (AttackerKB object, cisa_kev object), AttackerKB, NVD:CISAKEV websites |
Public exploit | 1.0 | 17 | The existence of a publicly available exploit is mentioned on Vulners website ([githubexploit] Exploit for Out-of-bounds Write in Vmware Horizon Daas, [githubexploit] Exploit for Out-of-bounds Write in Vmware Horizon Daas) |
Vulnerability type criticality | 0.5 | 15 | Memory Corruption |
Product prevalence | 0.7 | 14 | VMware ESXi (formerly ESX) is an enterprise-class, type-1 hypervisor developed by VMware for deploying and serving virtual computers |
CVSS Base Score | 1.0 | 10 | CVSS Base Score is 9.8 (according to NVD data source) |
EPSS | 0.9 | 10 | EPSS Probability is 0.04189, EPSS Percentile is 0.9193 |

Check Point: Check Point IPS provides protection against this threat (VMWare OpenSLP Heap Buffer Overflow (CVE-2019-5544; CVE-2021-21974)). Social media platform Reddit suffered a security breach, after an employee fell victim to a phishing attack. According to the company's statement, while internal documents and source code were stolen, user information and credentials have not been impacted.

9. Remote Code Execution - Microsoft Message Queuing (CVE-2023-21554) - Critical [769]
Description:

Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Public exploit | 1.0 | 17 | The existence of a publicly available exploit is mentioned on Vulners website ([githubexploit] Exploit for Vulnerability in Microsoft, [githubexploit] Exploit for Vulnerability in Microsoft, [metasploit] CVE-2023-21554 - QueueJumper - MSMQ RCE Check) |
Vulnerability type criticality | 1.0 | 15 | Remote Code Execution |
Product prevalence | 0.9 | 14 | Microsoft Message Queuing or MSMQ is a message queue implementation developed by Microsoft and deployed in its Windows Server operating systems since Windows NT 4 and Windows 95 |
CVSS Base Score | 1.0 | 10 | CVSS Base Score is 9.8 (according to NVD data source) |
EPSS | 1.0 | 10 | EPSS Probability is 0.96122, EPSS Percentile is 0.99445 |

Check Point: Check Point Research has discovered three vulnerabilities (CVE-2023-28302, CVE-2023-21769 and CVE-2023-21554) in the “Microsoft Message Queuing” service, commonly known as MSMQ. The most severe of these, dubbed QueueJumper by CPR (CVE-2023-21554), is a critical vulnerability that could allow unauthenticated attackers to remotely execute arbitrary code in the context of the Windows service process mqsvc.exe.
Check Point: Check Point IPS provides protection against this threat (Microsoft Message Queuing Remote Code Execution (CVE-2023-21554)). Check Point Research flags a sharp increase in cyberattacks targeting IoT devices, with a 41% increase in the average number of weekly attacks per organization during the first two months of 2023, compared to 2022. On average, every week, 54% of organizations suffer from attempted cyber-attacks targeting IoT devices, mostly in Europe followed by APAC and Latin America.

10. Remote Code Execution - Cisco IOS (CVE-2017-6742) - Critical [728]
Description: The Simple Network Management Protocol (SNMP) subsystem of

Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the wild | 1.0 | 18 | Exploitation in the wild is mentioned on Vulners (AttackerKB object, cisa_kev object), AttackerKB, NVD:CISAKEV websites |
Public exploit | 0 | 17 | The exploit's existence is NOT mentioned in available Data Sources |
Vulnerability type criticality | 1.0 | 15 | Remote Code Execution |
Product prevalence | 0.8 | 14 | The Internetworking Operating System is a family of proprietary network operating systems used on several router and network switch models manufactured by Cisco Systems |
CVSS Base Score | 0.9 | 10 | CVSS Base Score is 8.8 (according to NVD data source) |
EPSS | 0.8 | 10 | EPSS Probability is 0.00613, EPSS Percentile is 0.78089 |

Check Point: JaguarTooth: JaguarTooth is a Cisco IOS malware that targets and modifies routers' authentication mechanisms to allow unauthenticated backdoor access. It collects and exfiltrates device and network information, including firmware versions and network configurations, via the Trivial File Transfer Protocol (TFTP). JaguarTooth was deployed through the exploitation of a known Simple Network Management Protocol (SNMP) vulnerability, CVE-2017-6742.

11. Authentication Bypass - Cisco ASA (CVE-2023-20269) - Critical [689]
Description: A vulnerability in the remote access VPN feature of

Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the wild | 1.0 | 18 | Exploitation in the wild is mentioned on Vulners (AttackerKB object, cisa_kev object), AttackerKB, NVD:CISAKEV websites |
Public exploit | 0 | 17 | The exploit's existence is NOT mentioned in available Data Sources |
Vulnerability type criticality | 0.98 | 15 | Authentication Bypass |
Product prevalence | 0.8 | 14 | A family of network security devices from Cisco that provide firewall, intrusion prevention (IPS) and virtual private network (VPN) capabilities |
CVSS Base Score | 0.5 | 10 | CVSS Base Score is 5.0 (according to NVD data source) |
EPSS | 0.9 | 10 | EPSS Probability is 0.02588, EPSS Percentile is 0.89937 |

Check Point: After the MOVEit attack, exploitation of zero-day vulnerabilities for ransomware attacks continued. Threat actors associated with CLOP were observed exploiting a zero-day vulnerability within the SysAid IT support software, potentially impacting over 5,000 customers. The company disclosed in an advisory that it became aware of this new vulnerability (CVE-2023-47246) on November 2, but the earliest reports of the exploitation date back to October. Beyond CLOP, Akira and Lockbit, two of the most prolific ransomware actors, have been exploiting a zero-day vulnerability (CVE-2023-20269) in Cisco appliances, enabling attackers to conduct brute force attacks against existing accounts.

12. Denial of Service - Microsoft Message Queuing (CVE-2023-21769) - Medium [394]
Description:

Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Public exploit | 0 | 17 | The exploit's existence is NOT mentioned in available Data Sources |
Vulnerability type criticality | 0.7 | 15 | Denial of Service |
Product prevalence | 0.9 | 14 | Microsoft Message Queuing or MSMQ is a message queue implementation developed by Microsoft and deployed in its Windows Server operating systems since Windows NT 4 and Windows 95 |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.5 (according to NVD data source) |
EPSS | 0.2 | 10 | EPSS Probability is 0.00063, EPSS Percentile is 0.24648 |

Check Point: Check Point Research has discovered three vulnerabilities (CVE-2023-28302, CVE-2023-21769 and CVE-2023-21554) in the “Microsoft Message Queuing” service, commonly known as MSMQ. The most severe of these, dubbed QueueJumper by CPR (CVE-2023-21554), is a critical vulnerability that could allow unauthenticated attackers to remotely execute arbitrary code in the context of the Windows service process mqsvc.exe.

13. Denial of Service - Microsoft Message Queuing (CVE-2023-28302) - Medium [394]
Description:

Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Public exploit | 0 | 17 | The exploit's existence is NOT mentioned in available Data Sources |
Vulnerability type criticality | 0.7 | 15 | Denial of Service |
Product prevalence | 0.9 | 14 | Microsoft Message Queuing or MSMQ is a message queue implementation developed by Microsoft and deployed in its Windows Server operating systems since Windows NT 4 and Windows 95 |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.5 (according to NVD data source) |
EPSS | 0.2 | 10 | EPSS Probability is 0.00063, EPSS Percentile is 0.24648 |

Check Point: Check Point Research has discovered three vulnerabilities (CVE-2023-28302, CVE-2023-21769 and CVE-2023-21554) in the “Microsoft Message Queuing” service, commonly known as MSMQ. The most severe of these, dubbed QueueJumper by CPR (CVE-2023-21554), is a critical vulnerability that could allow unauthenticated attackers to remotely execute arbitrary code in the context of the Windows service process mqsvc.exe.