From Widespread Damage to Failure to Launch: The Celebrity CVEs of 2023
The number of common vulnerabilities and exposures (CVEs) discovered grows yearly, and for many security professionals, managing a constant flow of vulnerabilities has become their new normal. The influx of emerging risks can make it challenging for organizations to prioritize vulnerability management, as few teams have the means to patch thousands of new CVEs every month.
Adding fuel to the fire, some CVEs ascend to impressive levels of notoriety, which can quickly create an "all hands on deck" situation for security teams. Some vulnerabilities deserve their celebrity status for the risk they pose to businesses. However, other times, the hype seems less warranted.
Let's revisit some of the celebrity CVEs from 2023 — from the riskiest and most impactful to those that failed to live up to their hype.
Most widespread damage — MOVEit Transfer
On May 31, 2023, Progress Software disclosed a critical vulnerability in its managed file transfer product, MOVEit Transfer. Over the following months, it emerged as the CVE with the most significant impact of 2023.
MOVEit Transfer installs had become an aggregation point for all sorts of information never intended to become public, both from the companies that had purchased the software and from partner organizations that used it to exchange files with them.
The Cl0p ransomware gang capitalized on the vulnerability, compromising thousands of organizations globally. Notably, the campaign relied on data exfiltration and extortion rather than data encryption.
Security defenders will likely be grappling with the impacts of MOVEit for years. Cl0p was highly successful in compromising a diverse list of over 2,000 organizations, which will likely impact the behavior patterns of other attackers. Additionally, the MOVEit vulnerability left minimal evidence of attack, making cleanup challenging for victims and making it difficult to rule out possible reinfections.
Coalition proactively notified impacted policyholders on June 1, 2023, and sent follow-up communications after subsequent vulnerabilities were disclosed. The majority of reported incidents among Coalition policyholders were due to third-party compromise, in which the vendors or suppliers of policyholders were directly compromised. This number reached a high point in June 2023.
As of October 11, 2023, individuals claiming to have been affected by the breach had filed 58 lawsuits against Progress Software, all of which were still pending.
Most over-hyped vulnerability — Exim Mail Transfer Agent
Coalition ESS Score — N/A, this vulnerability only has a reserved CVE
Zero Day Initiative (ZDI) published an advisory on September 27, 2023, about a remote code execution vulnerability in the Exim Mail Transfer Agent. The announcement drew substantial media attention, and for good reason: with more than 330,000 Exim installs reachable on the internet, an easily exploited vulnerability in a common configuration would have been catastrophic.
A serious vulnerability in an email software like Exim could potentially result in numerous account takeovers or start a spam storm for the ages. If the vulnerability allowed for spam, hundreds of thousands of domains could have their reputation of trustworthiness disappear in automated systems, and the overall reliability of email delivery would plummet.
The vulnerability turned out to require an exceedingly rare configuration. Because of the low likelihood of exploitation, Coalition did not manually notify policyholders and instead notified the impacted policyholder base via Coalition Control™.
The numerical impact of this vulnerability is extremely low. The reputations of those involved in the disclosure may take the larger hit. ZDI's advisory lists the initial discovery as June 2022. Exim developers complained that ZDI failed to clarify its findings between June 2022 and May 2023, when ZDI informed Exim that a public disclosure would occur. Exim was still working on patches as of October 2, 2023.
The opaque timeline and finger-pointing call into question how each party will handle future events and what obligations, if any, free and open-source software projects have to their user bases.
Most avoidable vulnerability — Cisco IOS XE
On October 16, 2023, Cisco Talos, Cisco's threat intelligence group, announced a vulnerability in the web UI feature of Cisco IOS XE Software. The vulnerability allowed threat actors to gain access to affected systems and elevate their privilege level, effectively taking full control of the device and, with it, of the network segment it serves.
The Cisco IOS XE vulnerability was a departure from some of the more traditional vulnerabilities seen in Cisco products. Cisco IOS XE runs on many different classes of network devices, from basic wireless access points to core infrastructure routers, which vary widely in capabilities and function. It is therefore difficult to say in general what a given vulnerable device exposes. That unifying management layer also gives attackers an economy of scale: one piece of software, the web-based management interface, is the same target on every class of device.
Talos provided indicators-of-compromise (IOCs) that could be remotely checked, and tens of thousands of compromised hosts responded. Over the next several days after the vulnerability's release, a small turf war took place. Attackers appeared to be deploying updated tactics, and the initial attackers were displaced by an unknown group of more sophisticated threat actors.
The initial pool of compromised hosts shrank rapidly, only for Talos to discover that the initial implant had been replaced by a mildly more sophisticated implant. From that point forward, several iterations of the new "BadCandy" Lua-based web shell implant were observed in compromised hosts. This shows the evolution of an attack from initial access to more persistent access, which will make compromised systems more valuable to access brokers on the dark web.
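The remotely checkable IOC mentioned above, reworked as an added Python example (this is not Coalition's or Talos's code). It follows the check Talos published at the time: a POST to /webui/logoutconfirm.html?logon_hash=1 on the device's web UI that is answered with an 18-character hexadecimal string when the implant is active. The HTTP transport is pluggable, so the classification logic is exercised here against constructed sample responses rather than live devices; the host addresses and response bodies below are made up for the demonstration.

```python
"""
Checker for the Cisco IOS XE web UI implant, modeled on the remotely checkable
IOC Talos published: POST /webui/logoutconfirm.html?logon_hash=1 and look for an
18-character hex string in the reply.

Added example for this article, not Coalition's or Talos's code. The sample
hosts and responses are constructed so the logic can be run offline.
"""
import re
import ssl
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, Optional, Tuple

IOC_PATH = "/webui/logoutconfirm.html?logon_hash=1"

# The implant answered the IOC request with an 18-character lowercase hex
# string such as "0123456789abcdef01"; a normal web UI returns an HTML page.
IMPLANT_RESPONSE = re.compile(r"^\s*[0-9a-f]{18}\s*$")

# A fetcher returns (HTTP status or None when unreachable, response body).
Fetcher = Callable[[str], Tuple[Optional[int], str]]


def classify(status: Optional[int], body: str) -> str:
    """Map one response to a verdict: 'implant', 'clean' or 'unreachable'.

    'clean' only means this particular check did not fire; later implant
    versions were reported to require an Authorization header, so absence
    of the hex token is not proof that a device is uncompromised.
    """
    if status is None:
        return "unreachable"
    if status == 200 and IMPLANT_RESPONSE.match(body):
        return "implant"
    return "clean"


def https_fetch(host: str, timeout: float = 5.0) -> Tuple[Optional[int], str]:
    """Send the IOC request to a real device over HTTPS.

    Certificate verification is disabled because device web UIs almost always
    present self-signed certificates; the timeout keeps a scan bounded.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(
        "https://%s%s" % (host, IOC_PATH), data=b"", method="POST"
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.status, resp.read(512).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""
    except (OSError, ValueError):
        return None, ""


def scan(hosts: Iterable[str], fetch: Fetcher = https_fetch) -> Dict[str, str]:
    """Run the IOC check against every host and collect verdicts."""
    return {host: classify(*fetch(host)) for host in hosts}


# Constructed sample responses standing in for four devices (offline demo).
SAMPLE_RESPONSES: Dict[str, Tuple[Optional[int], str]] = {
    "10.0.0.1": (200, "0123456789abcdef01\n"),              # implant token
    "10.0.0.2": (200, "<html><body>Logged out</body></html>"),  # normal UI
    "10.0.0.3": (404, ""),                                   # web UI disabled
    "10.0.0.4": (None, ""),                                  # no answer
}


def sample_fetch(host: str) -> Tuple[Optional[int], str]:
    """Offline stand-in for https_fetch backed by SAMPLE_RESPONSES."""
    return SAMPLE_RESPONSES.get(host, (None, ""))


if __name__ == "__main__":
    for host, verdict in scan(SAMPLE_RESPONSES, sample_fetch).items():
        print("%-10s %s" % (host, verdict))
```

To run it against real devices, pass the inventory of management addresses to `scan()` with the default `https_fetch`. Treat "implant" as confirmed compromise, but read "clean" only as "this check did not fire": as the article notes, the implant was replaced by more sophisticated iterations within days, and a check written for one version does not prove the absence of the next.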
Few Coalition policyholders were impacted by this vulnerability. However, Coalition Incident Response (CIR), an affiliate of Coalition, Inc., proactively contacted policyholders running the impacted version of Cisco IOS XE, due to the ability it afforded threat actors to quickly and easily elevate their privilege level.
The Cisco IOS XE vulnerability highlights the risk of leaving administrative web panels accessible over the public internet. Coalition data has shown the dangers of leaving software with any administrative function accessible to the public internet — threat actors routinely seek out exposed admin panels because they make it easy for attackers to elevate their access level and then spread their attacks laterally within the network.
How organizations can stay on top of CVEs
Managing cybersecurity resources is already hard — it becomes even harder in the face of a new critical vulnerability. Here's how organizations of all sizes and all resource levels can approach vulnerability management to avoid the whiplash that comes from a continuously increasing number of CVEs:
Understand your organization's attack surface using tools such as Coalition Control™.
Implement a regular patch program, especially for critical resources, which may include subscribing to vendor notifications for critical vulnerabilities.
Limit how many services/devices are exposed to the public internet.
Use security controls like multi-factor authentication (MFA) and endpoint detection and response (EDR) to protect your business.
Train employees to be aware of cybersecurity risks and to report suspicious activity.
Coalition Exploit Scoring System (Coalition ESS) is our early source of truth for security risk managers. With Coalition ESS, IT and security teams have a prioritization list outlining which vulnerabilities pose the greatest threat. ESS scores are dynamic, updated as more information becomes available, and with accompanying histories of scores and changes over time.
Coalition ESS is available for public use at ess.coalitioninc.com.