Media Coverage

Thousands of Citrix Netscaler ADC and Gateway servers exposed online are vulnerable to attacks exploiting a critical remote code execution (RCE) bug that was previously abused in the wild as a zero-day. Security researchers from the Shadowserver Foundation, a non-profit organization dedicated to enhancing internet security, revealed this week that at least 15,000 appliances were identified as exposed to attacks leveraging the flaw (CVE-2023-3519) based on their version information. “We tag all IPs where we see a version hash in a Citrix instance. This is due fact that Citrix has removed version hash information in recent revisions,” Shadowserver said. “Thus safe to assume in our view all instances that still provide version hashes have not been updated and may be vulnerable.” They also noted that they’re also undercounting since some revisions known to be vulnerable but with no version hashes have not been tagged and added to the total number of exposed Citrix servers. Citrix released security updates to address this RCE vulnerability on July 18th, saying that “exploits of CVE-2023-3519 on unmitigated appliances have been observed” and urging customers to install the patches as soon as possible. The company added that unpatched Netscaler appliances must be configured as a gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or an authentication virtual server (the so-called AAA server) to be vulnerable to attacks. The CVE-2023-3519 RCE zero-day was likely available online since the first week of July when a threat actor began advertising Citrix ADC zero-day flaw on a hacker forum.

Organizations that have yet to patch a 9.8-severity vulnerability in network devices made by Zyxel have emerged as public nuisance No. 1 as a sizable number of them continue to be exploited and wrangled into botnets that wage DDoS attacks. Zyxel patched the flaw on April 25. Five weeks later, Shadowserver, an organization that monitors Internet threats in real time, warned that many Zyxel firewalls and VPN servers had been compromised in attacks that showed no signs of stopping. The Shadowserver assessment at the time was: “If you have a vulnerable device exposed, assume compromise.” On Wednesday—12 weeks since Zyxel delivered a patch and seven weeks since Shadowserver sounded the alarm—security firm Fortinet published research reporting a surge in exploit activity being carried out by multiple threat actors in recent weeks. As was the case with the active compromises Shadowserver reported, the attacks came overwhelmingly from variants based on Mirai, an open source application hackers use to identify and exploit common vulnerabilities in routers and other Internet of Things devices.

In today’s interconnected world, cybersecurity has become a critical concern for nations. Asean countries, for example, with their rapidly growing digital economies and expanding online presence, face increasing cyberthreats. To effectively address these challenges and build a robust cybersecurity environment, partnerships and collaborations are essential. According to the United Kingdom’s Foreign, Commonwealth and Development Office (FCDO) cyberpolicy lead for the Indo-Pacific, Henry Carver, cybersecurity has become a global challenge. “The whole world has been more reliant on digitalisation since the Covid-19 pandemic. More and more technology and the way we live are moving online. Just as it’s true for every citizen, it’s also true for government services, and its critical infrastructure. As a result, we have a larger footprint, which means we have a greater surface area where cybercriminals and people with malicious intentions can come in and pursue their objectives,” he said. “We’ve been working with an organisation called Shadowserver, which has done a lot of Internet scanning for business and government on some of the cyber insights that they have.” The FCDO also shares a lot of good practice on how we protect our own system with our Malaysian counterparts, like our public services cybersecurity strategy, skills and education. “Although it may not be 100 per cent relevant here, it’s about sharing what works for us and for countries to take the good practices and make them their own, and we are really excited to continue our collaboration,” he added.

Rockwell Automation has released patches for a critical remote code execution vulnerability that affects many versions of its communications modules, and is warning customers that an exploit for the bug exists, although no exploitation has been observed yet. Rockwell discovered the vulnerability internally, and reported it to the Cybersecurity and Infrastructure Security Agency, which published an advisory on Wednesday. There is a separate bug (CVE-2023-3596) identifier for the vulnerability in the 1756-EN4* series of products, since exploitation results in a denial of service rather than RCE. Rockwell said that it had discovered and analyzed an exploit for the bug, which it attributed to an unnamed APT actor. The affected modules are used in critical manufacturing settings, and Rockwell has released firmware updates for all of the modules. The Shadowserver Foundation, which tracks exploit activity and vulnerabilities, identified about 107 vulnerable modules exposed to the Internet on Thursday. One of the interesting aspects of this vulnerability is that researchers were able to identify the exploit and discover that an APT actor had also discovered the bug, before the actor actually used the exploit. Organizations running affected Rockwell ControlLogix modules should install the updated firmware as soon as possible.

The third iteration of the Exploit Prediction Scoring System helps security teams prioritize vulnerabilities through prediction. In late 2022, we compared the Exploit Prediction Scoring System (EPSS) and the widely used Common Vulnerability Scoring System (CVSS). Now EPSS 3.0 brings a more comprehensive, efficient, and effective model to the industry looking to prioritize vulnerabilities that pose the greatest threat and offers a robust API and resource open for anyone to access and consume as part of their vulnerability management program. The introduction of the EPSS, which attempts to aid vulnerability prioritization efforts by providing a numerical score of how likely a vulnerability is to be exploited over the next 30-day window, has been a boon to security practitioners and organizations looking to improve their vulnerability management activities. EPSS utilizes a variety of sources when it comes to exploits, such as Fortiguard, Alienvault OTX, the Shadow Server Foundation, and GreyNoise, all of which utilize various techniques to identify exploitation attempts in digital environments around the globe.

On June 23, Fortinet published an advisory (FG-IR-23-074) that addresses a critical remote code execution vulnerability in FortiNAC, its Network Access Control solution. In addition to CVE-2023-33299, Fortinet published an additional advisory (FG-IR-23-096) for a separate vulnerability in FortiNAC. Both flaws were disclosed to Fortinet by security researcher Florian Hauser. Hauser’s research was inspired by the disclosure of a previous FortiNAC vulnerability in February 2023. Identified as CVE-2022-39952, the flaw was patched on February 16. However, on February 21, researchers at Shadowserver confirmed observed exploitation attempts against its honeypots.

Shadowserver has recently been funded by the UK Foreign, Commonwealth and Development Office (FCDO) to provide more detailed and tailored cyber threat insight support to economies in the Association of Southeast Asia Nations (ASEAN), specifically Indonesia, Malaysia, the Philippines, and Thailand. These activities included obtaining a better understanding of the device makeup of the attack surface exposed in these economies, vulnerability exposure (especially related to emerging threats), and observed attacks/infected devices — both originating from and directed at the region. The intention is to enrich Shadowserver’s free daily threat feeds and public benefit services to the region, providing National CSIRTs and other system defender entities (organizations that are network owners) with a better awareness of their threat and vulnerability landscape, thus helping them to improve their cybersecurity posture.

We kick off this week’s list of critical vulnerabilities and active exploits with the ongoing exploitation of CVE-2023-28771 – a flaw in Zyxel firewall, VPN and ATP firmware that could let an unauthenticated attacker remotely execute OS commands. First identified in April, the flaw has been exploited on tens of thousands of affected devices, according to security firm Rapid7. According to Shadowserver, “at this stage if you have a vulnerable device exposed, assume compromise.” That’s a safe bet, since a patch has been out since April – install it now.

Firewalls made by Zyxel are being wrangled into a destructive botnet, which is taking control of them by exploiting a recently patched vulnerability with a severity rating of 9.8 out of a possible 10. “At this stage if you have a vulnerable device exposed, assume compromise,” officials from Shadowserver, an organization that monitors Internet threats in real time, warned four days ago. The officials said the exploits are coming from a botnet that’s similar to Mirai, which harnesses the collective bandwidth of thousands of compromised Internet devices to knock sites offline with distributed denial-of-service attacks. According to data from Shadowserver collected over the past 10 days, 25 of the top 62 Internet-connected devices waging “downstream attacks”—meaning attempting to hack other Internet-connected devices—were made by Zyxel as measured by IP addresses. The software bug used to compromise the Zyxel devices is tracked as CVE-2023-28771, an unauthenticated command-injection vulnerability with a severity rating of 9.8. The flaw, which Zyxel patched on April 25, can be exploited to execute malicious code with a specially crafted IKEv2 packet to UDP port 500 on the device. The critical vulnerability exists in default configurations of the manufacturer’s firewall and VPN devices.  On Wednesday, the Cybersecurity and Infrastructure Security Agency placed CVE-2023-28771 on its list of known exploited vulnerabilities. The agency has given federal agencies until June 21 to fix any vulnerable devices in their networks. With infections from CVE-2023-28771 still occurring five weeks after Zyxel fixed it, it’s clear many device owners aren’t installing security updates in a timely manner. If the poor patching hygiene carries over to the more recently fixed vulnerabilities, there likely will be more Zyxel compromises occurring soon.

Hackers are performing widespread exploitation of a critical-severity command injection flaw in Zyxel networking devices, tracked as CVE-2023-28771, to install malware. The flaw, which is present in the default configuration of impacted firewall and VPN devices, can be exploited to perform unauthenticated remote code execution using a specially crafted IKEv2 packet to UDP port 500 on the device. Zyxel released patches for the vulnerability on April 25, 2023, warning users of the following product versions to apply to resolve the vulnerability. Today, CISA published an alert warning that CVE-2023-28771 is being actively exploited by attackers, urging federal agencies to apply the available update by June 21, 2023. This alert coincides with additional verification from Rapid7 today that confirms the active exploitation of the flaw. One of the activity clusters confirmed to exploit CVE-2023-28771 is a Mirai-based botnet malware that, according to Shadowserver, started launching attacks on May 26, 2023. Similar activity was spotted by cybersecurity researcher Kevin Beaumont a day earlier, who highlighted the use of a publicly available PoC (proof of concept) exploit. While the Mirai threat is typically limited to DDoS (distributed denial of service), other threat groups might engage in lower-scale and less-noticeable exploitation to launch more potent attacks against organizations. It is also important to note that Zyxel has recently fixed two other critical severity flaws, CVE-2023-33009 and CVE-2023-33010, which impact the same firewall and VPN products. The two flaws could allow unauthenticated attackers to impose denial of service on vulnerable devices or execute arbitrary code.