Media Coverage

Rockwell Automation has released patches for a critical remote code execution vulnerability that affects many versions of its communications modules, and is warning customers that an exploit for the bug exists, although no exploitation has been observed yet. Rockwell discovered the vulnerability internally, and reported it to the Cybersecurity and Infrastructure Security Agency, which published an advisory on Wednesday. There is a separate bug (CVE-2023-3596) identifier for the vulnerability in the 1756-EN4* series of products, since exploitation results in a denial of service rather than RCE. Rockwell said that it had discovered and analyzed an exploit for the bug, which it attributed to an unnamed APT actor. The affected modules are used in critical manufacturing settings, and Rockwell has released firmware updates for all of the modules. The Shadowserver Foundation, which tracks exploit activity and vulnerabilities, identified about 107 vulnerable modules exposed to the Internet on Thursday. One of the interesting aspects of this vulnerability is that researchers were able to identify the exploit and discover that an APT actor had also discovered the bug, before the actor actually used the exploit. Organizations running affected Rockwell ControlLogix modules should install the updated firmware as soon as possible.

The third iteration of the Exploit Prediction Scoring System helps security teams prioritize vulnerabilities through prediction. In late 2022, we compared the Exploit Prediction Scoring System (EPSS) and the widely used Common Vulnerability Scoring System (CVSS). Now EPSS 3.0 brings a more comprehensive, efficient, and effective model to the industry looking to prioritize vulnerabilities that pose the greatest threat and offers a robust API and resource open for anyone to access and consume as part of their vulnerability management program. The introduction of the EPSS, which attempts to aid vulnerability prioritization efforts by providing a numerical score of how likely a vulnerability is to be exploited over the next 30-day window, has been a boon to security practitioners and organizations looking to improve their vulnerability management activities. EPSS utilizes a variety of sources when it comes to exploits, such as Fortiguard, Alienvault OTX, the Shadow Server Foundation, and GreyNoise, all of which utilize various techniques to identify exploitation attempts in digital environments around the globe.

On June 23, Fortinet published an advisory (FG-IR-23-074) that addresses a critical remote code execution vulnerability in FortiNAC, its Network Access Control solution. In addition to CVE-2023-33299, Fortinet published an additional advisory (FG-IR-23-096) for a separate vulnerability in FortiNAC. Both flaws were disclosed to Fortinet by security researcher Florian Hauser. Hauser’s research was inspired by the disclosure of a previous FortiNAC vulnerability in February 2023. Identified as CVE-2022-39952, the flaw was patched on February 16. However, on February 21, researchers at Shadowserver confirmed observed exploitation attempts against its honeypots.

Shadowserver has recently been funded by the UK Foreign, Commonwealth and Development Office (FCDO) to provide more detailed and tailored cyber threat insight support to economies in the Association of Southeast Asia Nations (ASEAN), specifically Indonesia, Malaysia, the Philippines, and Thailand. These activities included obtaining a better understanding of the device makeup of the attack surface exposed in these economies, vulnerability exposure (especially related to emerging threats), and observed attacks/infected devices — both originating from and directed at the region. The intention is to enrich Shadowserver’s free daily threat feeds and public benefit services to the region, providing National CSIRTs and other system defender entities (organizations that are network owners) with a better awareness of their threat and vulnerability landscape, thus helping them to improve their cybersecurity posture.

We kick off this week’s list of critical vulnerabilities and active exploits with the ongoing exploitation of CVE-2023-28771 – a flaw in Zyxel firewall, VPN and ATP firmware that could let an unauthenticated attacker remotely execute OS commands. First identified in April, the flaw has been exploited on tens of thousands of affected devices, according to security firm Rapid7. According to Shadowserver, “at this stage if you have a vulnerable device exposed, assume compromise.” That’s a safe bet, since a patch has been out since April – install it now.

Firewalls made by Zyxel are being wrangled into a destructive botnet, which is taking control of them by exploiting a recently patched vulnerability with a severity rating of 9.8 out of a possible 10. “At this stage if you have a vulnerable device exposed, assume compromise,” officials from Shadowserver, an organization that monitors Internet threats in real time, warned four days ago. The officials said the exploits are coming from a botnet that’s similar to Mirai, which harnesses the collective bandwidth of thousands of compromised Internet devices to knock sites offline with distributed denial-of-service attacks. According to data from Shadowserver collected over the past 10 days, 25 of the top 62 Internet-connected devices waging “downstream attacks”—meaning attempting to hack other Internet-connected devices—were made by Zyxel as measured by IP addresses. The software bug used to compromise the Zyxel devices is tracked as CVE-2023-28771, an unauthenticated command-injection vulnerability with a severity rating of 9.8. The flaw, which Zyxel patched on April 25, can be exploited to execute malicious code with a specially crafted IKEv2 packet to UDP port 500 on the device. The critical vulnerability exists in default configurations of the manufacturer’s firewall and VPN devices.  On Wednesday, the Cybersecurity and Infrastructure Security Agency placed CVE-2023-28771 on its list of known exploited vulnerabilities. The agency has given federal agencies until June 21 to fix any vulnerable devices in their networks. With infections from CVE-2023-28771 still occurring five weeks after Zyxel fixed it, it’s clear many device owners aren’t installing security updates in a timely manner. If the poor patching hygiene carries over to the more recently fixed vulnerabilities, there likely will be more Zyxel compromises occurring soon.

Hackers are performing widespread exploitation of a critical-severity command injection flaw in Zyxel networking devices, tracked as CVE-2023-28771, to install malware. The flaw, which is present in the default configuration of impacted firewall and VPN devices, can be exploited to perform unauthenticated remote code execution using a specially crafted IKEv2 packet to UDP port 500 on the device. Zyxel released patches for the vulnerability on April 25, 2023, warning users of the following product versions to apply to resolve the vulnerability. Today, CISA published an alert warning that CVE-2023-28771 is being actively exploited by attackers, urging federal agencies to apply the available update by June 21, 2023. This alert coincides with additional verification from Rapid7 today that confirms the active exploitation of the flaw. One of the activity clusters confirmed to exploit CVE-2023-28771 is a Mirai-based botnet malware that, according to Shadowserver, started launching attacks on May 26, 2023. Similar activity was spotted by cybersecurity researcher Kevin Beaumont a day earlier, who highlighted the use of a publicly available PoC (proof of concept) exploit. While the Mirai threat is typically limited to DDoS (distributed denial of service), other threat groups might engage in lower-scale and less-noticeable exploitation to launch more potent attacks against organizations. It is also important to note that Zyxel has recently fixed two other critical severity flaws, CVE-2023-33009 and CVE-2023-33010, which impact the same firewall and VPN products. The two flaws could allow unauthenticated attackers to impose denial of service on vulnerable devices or execute arbitrary code.

After the device vulnerability (CVE-2023-28771) patched by Zyxel on April 25 was released in May, security experts warned that the Mirai botnet began to threaten unpatched Zyxel devices to launch attacks. The ShadowServer Foundation, a security nonprofit, has detected that multiple Zhaoqin devices have been used to launch attacks. Since the abused PoC program has been made public, the foundation also expects the attacks to increase further. Zyxel patched the major vulnerability CVE-2023-28771 in firewall and VPN equipment products in April , and urged users to install the new firmware as soon as possible. This vulnerability originates from the IKE packet decryption component in the firmware, which may allow unauthorized attackers to send malicious packets to remotely execute OS commands. It is a major vulnerability with a risk value of 9.8. Last week, the information security company Rapid7 also warned that at least 40,000 firewall devices have been exposed because they have not been updated, and they believe that there will be exploit attacks. Since May 26, more than 700 decoy systems set up by the security nonprofit The ShadowServer Foundation have detected about 3,773 attacks. According to the statistics of the Foundation , the users of Zhaoqin’s firewall and VPN products are the most in France (13,800 units), Italy (13,100 units), the United States (9,300 units), and Switzerland (7,800 units). In addition, they also detect Multiple Zhaoqin devices have been used to launch attacks . Since the abused PoC program has been made public, the foundation also expects the attacks to increase further .

State Technical Service JSC reports that during the monitoring of the Kazakhstani segment of the Internet, 17 IP addresses were found that are presumably subject to critical vulnerabilities with identifiers CVE-2022-24816 and CVE-2023-25157. The detected IP addresses belong to large companies in the quasi-public sector of Kazakhstan. GeoServer is used in various industries such as geology, ecology, geodesy, agriculture, urban management, etc., where spatial data is an important component for making strategic decisions. The National Computer Incident Response Service (KZ-CERT) sent notifications to owners of IP addresses and telecom operators recommending the need to immediately apply updates to avoid possible risks and threats to information security. Failure to address vulnerabilities in a timely manner can lead to the compromise of sensitive data and further attacks on the network, including the introduction of malicious software into other systems, which will compromise the security of the entire network infrastructure. The Shadowserver Foundation (an information security organization that sends daily online reports to subscribers and cooperates with law enforcement agencies around the world in investigating cybercrime) published information about vulnerabilities in the GeoServer software. We recommend that all companies pay attention to updates of systems and software used in the infrastructure,” KZ-Cert noted.

Have you seen the Shadowserver Dashboard? Did you know it provides critical information on what people outside your network can see into your network? Did you know that the Dashboard and free reports can save your network …. all you need to do is track down the exposure and fix it (before the criminals use it to break into your network? Shadowserer provides one of the most critical tools to protect your network. Organizations that do not leverage this free “Cyber-Civil Defense” resource are missing out on critical security information about your network that is provided as a free public benefit. Shadowserver’s Dashboard is one of those free-public benefit tools. The Dashboard provides a map of vulnerabilities, risks, and unpatched systems with a global view. Shadowserver is expanding the language options of their Dashboard. Indonesian, Malay, Filipino, Thai, and Arabic will be offered. While the translations are done with professional translators, the Shadowserver team asks for help. The team seeks network/security professionals to help provide validation and context. If you are interested, please email contact@shadowserver.org. New vulnerabilities, attacks, and other risks are announced every day. Shadowserver’s suite of services is combined to provide each organization with their Daily Network Reporting and the update to Shadowserver’s Dashboard. With the dashboard, you can explore active risk and attack vectors.