CISA and the “Five Eyes” national intelligence agencies have issued their annual advisory on the top exploited vulnerabilities for the prior year, and its findings bolster some other recent reports that a successful attack is becoming increasingly likely to be the result of a zero-day.
MOVEit unsurprisingly appears on the list, but the Log4Shell vulnerability is not far behind it despite having seen its final remediation patch issued at the end of 2021. The results suggest that once a zero-day makes the news, organized hacking groups will continue to actively hunt for unpatched instances and can expect to continue finding success with it years after the fact.
2023’s top exploited vulnerabilities once again stress the importance of timely patching
Zero-days accounted for over 50% of 2023’s most frequently exploited vulnerabilities, a significant increase from 2022. The vulnerability window is not limited to the days immediately before a patch is released, however. Slow patching is allowing attackers to feast on zero-days at a sustained rate for about two years after public disclosure.
Log4Shell, which remains on the list of most commonly exploited vulnerabilities in the #8 position, is one of the clearest illustrations. It was disclosed to the public in November 2021 and considered fully remediated by December 28 of that year, but it continues to haunt organizations (https://www.securityweek.com/two-years-on-log4shell-vulnerability-still-being-exploited-to-deploy-malware/) as everyone from nation-state hacking teams to illicit crypto miners continues to hunt for unpatched instances and exploit them.
But both the #1 and #2 exploited vulnerabilities for 2023 belong to Citrix NetScaler ADC and NetScaler Gateway. This is in spite of the CVEs not being published until August and October of that year, respectively. Cisco IOS XE holds the #3 and #4 spots, with both of those similarly made public late in the year.
The Fortinet FortiOS and FortiProxy SSL-VPN vulnerability discovered in June 2023 is next up, followed by MOVEit. Major fallout is still appearing from the latter of those exploited vulnerabilities, as Amazon just revealed that employee data was stolen in connection with that incident. Other major companies, such as McDonalds and HP, may also have been similarly compromised as a hacker has appeared on an underground forum offering more employee information for sale.
Of the 15 exploited vulnerabilities that topped the 2023 list, 12 had been addressed with patches at some point that year.
“Timely patching” headlines advice on exploited vulnerabilities
CISA’s first and most prominent piece of advice for organizations is thus an expected one: timely patching. That continues to be an “easier said than done” proposition for many, however, because vulnerabilities are often buried deep inside software dependencies and because organizations simply lack the manpower to keep pace.
If organizations are slow to get patches in place, for whatever reason, CISA also stresses that it is imperative to check for exploited vulnerabilities before patching. The third and fourth pieces of advice, use of a centralized patch management system and implementation of security tools such as web application firewalls and network protocol analyzers, can assist with that.
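As an added example (not part of the advisory or this article), the following script ranks unpatched assets by how long their vulnerability has sat in a CISA KEV-style catalog, so that the oldest exposures, the Log4Shell pattern described above, surface first and overdue remediation deadlines are flagged. The feed field names follow the public KEV JSON; the CVE ids, products, hosts and dates are constructed placeholders.

```python
"""Triage an asset inventory against a CISA KEV-style feed (added example).

Assumptions (not from the article): the feed uses the public KEV JSON field
names (cveID, vendorProject, product, dateAdded, dueDate); the feed entries
and the inventory below are constructed sample data, not real catalog records.
"""
import json
from datetime import date, datetime

# Constructed sample in the shape of the KEV JSON feed; CVE ids are placeholders.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "Gateway",
     "dateAdded": "2023-08-01", "dueDate": "2023-08-22"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "Logger",
     "dateAdded": "2021-12-10", "dueDate": "2021-12-24"},
    {"cveID": "CVE-0000-0003", "vendorProject": "OtherVendor", "product": "Router",
     "dateAdded": "2023-10-16", "dueDate": "2023-10-20"},
]})

# Constructed inventory: which catalogued products run on which hosts, and their patch state.
INVENTORY = [
    {"host": "vpn-01", "vendorProject": "ExampleVendor", "product": "Gateway", "patched": False},
    {"host": "app-07", "vendorProject": "ExampleVendor", "product": "Logger", "patched": False},
    {"host": "app-08", "vendorProject": "ExampleVendor", "product": "Logger", "patched": True},
    {"host": "edge-02", "vendorProject": "OtherVendor", "product": "Router", "patched": False},
]


def _as_date(value):
    """Accept either a date or an ISO 'YYYY-MM-DD' string."""
    return value if isinstance(value, date) else datetime.strptime(value, "%Y-%m-%d").date()


def triage(kev_json, inventory, today):
    """Return unpatched exposures as dicts (host, cveID, days_exposed, overdue), oldest first."""
    today = _as_date(today)
    kev = json.loads(kev_json)["vulnerabilities"]
    rows = []
    for asset in inventory:
        if asset["patched"]:
            continue  # already remediated; nothing to track
        for v in kev:
            if (v["vendorProject"], v["product"]) == (asset["vendorProject"], asset["product"]):
                days = (today - _as_date(v["dateAdded"])).days
                rows.append({"host": asset["host"], "cveID": v["cveID"],
                             "days_exposed": days, "overdue": today > _as_date(v["dueDate"])})
    # Longest-standing exposures first: these are the ones attackers keep hunting for.
    return sorted(rows, key=lambda r: -r["days_exposed"])


if __name__ == "__main__":
    for row in triage(KEV_SAMPLE, INVENTORY, "2023-10-18"):
        print(row)
```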
CISA also advises that organizations open dialogue with their software providers about what they are doing on the “secure by design” front and how they are addressing known exploited vulnerabilities. The agency also reminds developers to follow the SP 800-218 Secure Software Development Framework (SSDF) and implement secure by design practices into each stage of the software development life cycle. CISA notes that there is good financial incentive for developers here: the cost of improving testing environments and threat modeling during development is very likely to pale in comparison to the cost of an eventual patch deployment and remediation campaign when a vulnerability emerges.
CISA also urges organizations to adopt modern endpoint detection and response (EDR) tools. The report finds that at least three of the zero-day exploited vulnerabilities from 2023 were discovered due to reports of anomalous behavior or device malfunction from an EDR system.
Vulnerability disclosure is usually seen as a matter for regulators to take up, putting tighter time limits and conditions of expected material damage in place. But CISA urges that the issue be looked at from the opposite end: removing barriers to responsible vulnerability disclosure and better incentivising bug bounty programs, so that many exploited vulnerabilities instead make “first contact” with ethical researchers.
Jared Smith, Distinguished Engineer, R&D Strategy at SecurityScorecard, adds that both developers and organizations that use their products have roles to play in the security process. Developers should consider more secure programming languages, while organizations must carefully review how supply chain partners potentially impact their security posture: “Some of these products are written in languages that cannot be made bulletproof against zero-days. Two of the top exploited vulnerabilities were due to insecure memory access issues (buffer overflows). While CISA pushes for the software community to stop writing code in languages like C, which are extremely error-prone to memory issues, developers working on more secure versions of software to replace those written in C using languages like Rust are retiring due to burnout and near-religious debates about the (in)security of C and why it should or should not be used, despite the amount of issues it has led to in the products named in the list.”
“Furthermore, it serves as an important reminder of the importance of limiting third-party applications and establishing clean notification processes for security incidents from third-party service providers. With 75% of third-party breaches targeting software and technology supply chains, embedding security from the outset can significantly enhance resilience across the supply chain. With the rise in vulnerabilities in 2023, this upward trend demands a proactive, trust-centered approach to limit the impact of exploited weaknesses and strengthen defenses across the board,” added Smith.