During 2023, our Threat Intelligence team at Reliance Cyber have reported on a number of significant cybersecurity events.
Looking back on them, we see many common themes, and we can learn from them as we head into 2024.
Significant Events during 2023
1. PaperCut vulnerabilities (CVE-2023-27350 / CVE-2023-27351)
On 8 March, two vulnerabilities were disclosed in the PaperCut MF and NG print management software. The more serious, CVE-2023-27350, allowed an unauthenticated attacker to bypass authentication and then execute arbitrary code on the server; CVE-2023-27351 was a related unauthenticated information disclosure.
By mid-April, exploitation in the wild was observed against PaperCut servers that had not been patched or mitigated. Groups such as Lace Tempest and the Bl00dy ransomware gang exploited the vulnerability in their campaigns, and compromised hosts were also seen running Truebot malware and various cryptomining software.
2. 3CX supply chain attack
At the end of March, CrowdStrike's Falcon OverWatch team reported unusual behaviour originating from legitimate, signed installations of 3CXDesktopApp, a popular VoIP application. This included beaconing to actor-controlled infrastructure, deployment of second-stage payloads and, in a small number of cases, hands-on-keyboard activity.
In the weeks that followed, it emerged that 3CX had itself fallen victim to a supply chain compromise: an employee had installed a trojanised version of the X_TRADER trading software, which gave the threat actor a foothold from which to pivot to a software build server in the 3CX environment and trojanise 3CX's own installer. This was the world's first publicly known double supply chain attack, one compromised software package being used to compromise another.
3. MOVEit Mass Data Theft (CVE-2023-35708, CVE-2023-35036, CVE-2023-34362)
At the end of May, Progress Software published an advisory for its MOVEit Transfer managed file transfer product, describing a SQL injection vulnerability in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to the MOVEit Transfer database. Huntress reported shortly afterwards that the flaw could be chained to achieve full remote code execution.
The vulnerability quickly led to widespread data theft from organisations around the globe, primarily at the hands of the Cl0p ransomware group, who posted household names such as Shell, PwC, Deutsche Bank and Siemens Energy on their leak site. In the UK, payroll provider Zellis was compromised, which in turn affected its customers, including the BBC, British Airways and Boots.
4. Phishing delivery via Microsoft Teams
Starting in May and increasing in the months that followed, threat actors made growing use of Microsoft Teams to deliver malicious messages. These campaigns exploited the fact that, by default, Microsoft Teams allows users to receive chats from external organisations, and that many end users are neither aware of nor trained on the risks of Teams messages, which they tend to trust more than traditional vectors such as email.
Threat actors such as Midnight Blizzard targeted users with credential theft lures from as early as May, using Teams chats from attacker-controlled tenants to harvest MFA codes from users whose credentials had already been stolen, or who had passwordless authentication enabled.
Other major campaigns included Storm-0324 distributing the JSSLoader malware with the open-source TeamsPhisher tool and handing off access to the ransomware actor Sangria Tempest. DarkGate, a remote access trojan, was also heavily delivered by the same method.
5. Citrix ADC and Citrix Gateway vulnerabilities and mass exploitation (CVE-2023-3519)
In July, an unauthenticated remote code execution vulnerability in Citrix ADC and Citrix Gateway (NetScaler ADC and NetScaler Gateway) was announced and patched. It was discovered during an intrusion in which threat actors exploited it as a zero-day to drop a webshell on the non-production NetScaler ADC appliance of a critical infrastructure organisation. The webshell enabled the actors to perform discovery against the victim's Active Directory (AD) and to collect and exfiltrate AD data. The actors attempted to move laterally to a domain controller, but the network segmentation controls around the appliance blocked the movement.
The following month, NCC Group reported that around 2,000 devices had been compromised, with webshells placed on unpatched hosts for persistence; because the webshell lives on the appliance's filesystem, it continued to give arbitrary code execution even after the device was rebooted and/or patched, so patching alone did not evict an attacker who was already present.
6. Compromised Microsoft consumer signing key
In July, Microsoft published a blog detailing that the threat actor Storm-0558 had, from May, been forging authentication tokens using a stolen Microsoft consumer (MSA) signing key. At least 25 organisations had Outlook Web Access in Exchange Online and Outlook.com mailboxes breached, with the threat actor logging in to email accounts using tokens forged with the stolen key.
Microsoft later advised that the key had leaked through its accidental presence in a crash dump, which had been moved from the isolated production network into the corporate debugging environment. The corporate account of a Microsoft engineer with access to that crash dump was compromised at some point between April 2021, when the dump was created, and May 2023, giving the actor the dump and with it the signing key. Microsoft also confirmed that its mail system had accepted enterprise requests signed with the consumer key because key scope validation was not being performed.
Wiz also commented on the incident, advising that Storm-0558 could in theory have used the acquired private key to forge tokens to authenticate as any user to any affected application that trusted the Microsoft OpenID v2.0 mixed-audience and personal-account certificates. Wiz provided indicators of attack (IOAs) to help Microsoft customers identify any further breaches that may have occurred.
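The application-side defence implied by the Wiz analysis, checking that a token's signing key and issuer are the ones expected for your own tenant rather than any key Microsoft has ever published, reduces to a few claim checks. The following is an added example, not Microsoft's, Wiz's or Reliance Cyber's code; it assumes a hypothetical tenant id and key id allow-list, runs the checks on constructed tokens, and deliberately leaves signature verification to the application's JWT library, which must still run before anything in the token is trusted.

```python
"""
Added example (not Microsoft's, Wiz's or Reliance Cyber's code): extra claim
checks for Microsoft identity platform v2.0 tokens, performed in addition to
signature verification. Tenant id, key ids and tokens below are constructed.
"""
import base64
import json

# Hypothetical: the tenant this application belongs to, and the key ids the
# application last fetched from that tenant's own JWKS endpoint.
EXPECTED_TENANT_ID = "11111111-2222-3333-4444-555555555555"
ALLOWED_KIDS = {"enterprise-key-2023-07", "enterprise-key-2023-08"}


def _b64url_decode(segment):
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt_unverified(token):
    """Split a compact JWS into (header, payload) WITHOUT checking the signature.
    For claim inspection only: the JWT library's signature check must still pass
    before the token is trusted."""
    header_b64, payload_b64, _signature = token.split(".")
    return (json.loads(_b64url_decode(header_b64)),
            json.loads(_b64url_decode(payload_b64)))


def check_token(token, allowed_kids=ALLOWED_KIDS, expected_tenant_id=EXPECTED_TENANT_ID):
    """Return a list of findings; an empty list means the token passed these checks."""
    header, payload = decode_jwt_unverified(token)
    findings = []
    # 1. Never accept an unsigned token.
    if header.get("alg", "none").lower() == "none":
        findings.append("alg=none is never acceptable")
    # 2. The key id must come from the tenant-specific JWKS document, not from
    #    the wider set of keys Microsoft publishes (consumer keys included).
    kid = header.get("kid")
    if kid not in allowed_kids:
        findings.append(f"unexpected kid {kid!r}")
    # 3. Pin the issuer. Apps registered on the 'common' (mixed-audience)
    #    endpoint receive tokens whose issuer varies per tenant and must check it.
    expected_iss = f"https://login.microsoftonline.com/{expected_tenant_id}/v2.0"
    if payload.get("iss") != expected_iss:
        findings.append(f"issuer {payload.get('iss')!r} != {expected_iss!r}")
    # 4. The tid claim must agree with the issuer.
    if payload.get("tid") != expected_tenant_id:
        findings.append(f"tid {payload.get('tid')!r} does not match expected tenant")
    return findings


def make_sample_token(header, payload):
    """Build a compact JWS with a placeholder signature (constructed test data)."""
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(payload).encode()),
                     _b64url_encode(b"placeholder-signature")])


# Constructed samples. The second mimics the shape of an enterprise user token
# signed with a key the tenant never published and issued by another tenant.
LEGIT_TOKEN = make_sample_token(
    {"typ": "JWT", "alg": "RS256", "kid": "enterprise-key-2023-08"},
    {"iss": f"https://login.microsoftonline.com/{EXPECTED_TENANT_ID}/v2.0",
     "tid": EXPECTED_TENANT_ID, "aud": "api://example-app", "sub": "alice"})
SUSPECT_TOKEN = make_sample_token(
    {"typ": "JWT", "alg": "RS256", "kid": "consumer-key-unknown"},
    {"iss": "https://login.microsoftonline.com/99999999-aaaa-bbbb-cccc-dddddddddddd/v2.0",
     "tid": EXPECTED_TENANT_ID, "aud": "api://example-app", "sub": "alice"})

if __name__ == "__main__":
    for name, tok in (("legit", LEGIT_TOKEN), ("suspect", SUSPECT_TOKEN)):
        print(name, check_token(tok) or "OK")
```

In production the allow-list would be refreshed from the tenant-specific JWKS URL rather than hard-coded, and the same findings can be raised as detections over authentication logs that record the token's kid and issuer.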
7. CitrixBleed (CVE-2023-4966)
In October we were dealing with a Citrix vulnerability again, this time CVE-2023-4966, dubbed "CitrixBleed", a sensitive information disclosure vulnerability in Citrix ADC and Citrix Gateway appliances. It allowed an unauthenticated attacker to read session tokens out of the appliance's memory and replay them to hijack authenticated sessions, bypassing MFA in the process.
The vulnerability was exploited heavily, including by LockBit affiliates, as reported by Kevin Beaumont and CISA.
Disclosed victims include Boeing, the Industrial and Commercial Bank of China (ICBC), DP World and Allen & Overy. Many of these organisations reportedly had not patched their Citrix appliances before the breaches occurred, and over 5,000 organisations were still running vulnerable, unpatched installations more than a month after the vulnerability was first reported. Patching alone was not enough either: tokens stolen before the upgrade remained valid afterwards, so Citrix advised terminating all active and persistent sessions on the appliance once the fix was applied.
8. Okta support breach
Also in October, Okta suffered a breach of its customer support system. Okta initially reported that support case data for around 134 customers had been accessed, including HAR files that contained live session tokens belonging to customers such as Cloudflare, BeyondTrust and 1Password. The threat actor used these tokens to pivot into those customers' environments, although no further serious breach occurred there thanks to those customers' stringent security practices.
Okta was heavily criticised at the time, with Cloudflare questioning the two-week gap between the initial report and Okta's response, and the poor communication from Okta to its customer base.
Reporting in December then revealed that the same threat actor had run a report against the whole customer support system, so the full names and email addresses of all of its users, and in some cases further personally identifiable information (PII) such as phone numbers and usernames, had also been exposed.
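The practical lesson from the HAR files is that a browser capture shared with a support desk carries the same session cookies and bearer tokens the browser does. The following is an added example, not Okta's, Cloudflare's or Reliance Cyber's code, of redacting that material before a HAR file leaves your organisation; the HAR entry is constructed, and the header and parameter lists and the JWT pattern are assumptions to be extended for your own applications.

```python
"""
Added example (not Okta's, Cloudflare's or Reliance Cyber's code): strip session
material from a HAR file before it is attached to a support case.
The HAR entry at the bottom is constructed sample data.
"""
import copy
import json
import re
import sys

REDACTED = "[REDACTED]"
# Assumed list: extend with any custom headers your applications use for auth.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie", "x-api-key"}
# Assumed list of query-string / form parameters that carry tokens or codes.
SENSITIVE_PARAMS = {"code", "token", "id_token", "access_token", "refresh_token", "session", "sessiontoken"}
# Three base64url segments, the first starting with 'eyJ' ('{"' encoded): a JWT.
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}")


def _redact_pairs(pairs, names=None):
    """Blank the value of each {name, value} pair whose name is in `names`
    (every pair when names is None). Returns the number of values changed."""
    changed = 0
    for pair in pairs:
        if names is not None and pair.get("name", "").lower() not in names:
            continue
        if pair.get("value"):
            pair["value"] = REDACTED
            changed += 1
    return changed


def _redact_text(container, key):
    """Replace anything JWT-shaped inside a text body (request postData or
    response content). Returns the number of replacements."""
    text = container.get(key)
    if not isinstance(text, str):
        return 0
    container[key], count = JWT_RE.subn(REDACTED, text)
    return count


def redact_har(har):
    """Return (sanitised deep copy, number of redactions). The input is not modified."""
    har = copy.deepcopy(har)
    count = 0
    for entry in har.get("log", {}).get("entries", []):
        request = entry.get("request", {})
        response = entry.get("response", {})
        for message in (request, response):
            count += _redact_pairs(message.get("headers", []), SENSITIVE_HEADERS)
            count += _redact_pairs(message.get("cookies", []))  # every cookie value
        count += _redact_pairs(request.get("queryString", []), SENSITIVE_PARAMS)
        count += _redact_pairs(request.get("postData", {}).get("params", []), SENSITIVE_PARAMS)
        count += _redact_text(request.get("postData", {}), "text")
        count += _redact_text(response.get("content", {}), "text")
    return har, count


def leaks_jwt(har):
    """Final check before sharing: does anything JWT-shaped remain anywhere?"""
    return JWT_RE.search(json.dumps(har)) is not None


SAMPLE_JWT = "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJlLXBsYWNlaG9sZGVy"
# Constructed HAR with one entry; all values are placeholders, not real tokens.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "method": "GET", "url": "https://tenant.idp.example/api/v1/users/me?code=abc123",
        "headers": [{"name": "Host", "value": "tenant.idp.example"},
                    {"name": "Cookie", "value": "sid=SESSION-COOKIE-VALUE"},
                    {"name": "Authorization", "value": "Bearer " + SAMPLE_JWT}],
        "cookies": [{"name": "sid", "value": "SESSION-COOKIE-VALUE"}],
        "queryString": [{"name": "code", "value": "abc123"}],
    },
    "response": {
        "status": 200,
        "headers": [{"name": "Content-Type", "value": "application/json"},
                    {"name": "Set-Cookie", "value": "sid=NEW-SESSION-COOKIE; Secure; HttpOnly"}],
        "cookies": [{"name": "sid", "value": "NEW-SESSION-COOKIE"}],
        "content": {"mimeType": "application/json",
                    "text": json.dumps({"id": "00u1", "token": SAMPLE_JWT})},
    },
}]}}

if __name__ == "__main__":
    # Usage: python har_redact.py capture.har > capture.redacted.har
    har = json.load(open(sys.argv[1], encoding="utf-8")) if len(sys.argv) > 1 else SAMPLE_HAR
    clean, n = redact_har(har)
    print(json.dumps(clean, indent=2))
    print(f"redacted {n} values; JWT still present: {leaks_jwt(clean)}", file=sys.stderr)
```

The redaction is deliberately broad (every cookie value, every JWT-shaped string) because a support engineer rarely needs the token itself to reproduce a problem; the safer alternative, where your vendor supports it, is to revoke the captured session as soon as the capture is uploaded.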
Lessons we can learn for 2024
As we go into 2024, there are a number of measures businesses can take to improve their cybersecurity and limit the likelihood of being impacted by the events we observed during 2023.
Regardless of how much you read about Artificial Intelligence, Machine Learning or Large Language Models this year, most cyber-attacks will continue to target businesses that have not implemented basic best practices, so it is best to focus on those first.
1. Attack surface monitoring and asset management
Before a business can secure itself, it must understand what assets it has, both internal and externally facing. Reliance Cyber recommends internal asset scanning combined with an external attack surface monitoring platform to map your estate fully. This is not a one-off exercise: it must be repeated continuously so that the inventory stays up to date.
This takes effort, but it tells you what security monitoring you require and which devices you must account for when patching is needed.
During the process you are also likely to find devices that were never meant to be publicly accessible, or that are misconfigured in other ways. Devices should be exposed to the internet only where there is an explicit need, and even then access should be restricted, for example by IP allowlisting or by limiting it to specific authenticated users.
2. Threat intelligence, vulnerability management and a patching process
Once a company understands and has documented its assets, the next step is to monitor those systems regularly for updates and required patches.
Reliance Cyber recommends regularly reviewing threat intelligence, in particular vulnerability disclosures from the vendors you use, so that you know when a vulnerability affecting your business is announced.
You can then follow a vulnerability management process to identify the vulnerable assets and, where appropriate, perform emergency patching under a pre-agreed process, so that the decision to patch out of cycle does not have to be debated while exploitation is under way.
Even for lower-priority issues, scheduled vulnerability scanning alongside a regular patching schedule is extremely important. Keeping an environment up to date and patched limits your business's exposure to a wide range of threats.
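One concrete way to run the "which of our assets has a known exploited vulnerability" step is to match your inventory against CISA's Known Exploited Vulnerabilities (KEV) catalogue, which lists the PaperCut, MOVEit Transfer and Citrix CVEs discussed above. The following is an added example rather than Reliance Cyber's tooling; the inventory is constructed, and the KEV entries are an illustrative subset that reuses the real feed's field names (cveID, vendorProject, product, dueDate, knownRansomwareCampaignUse), so dates and flags should be taken from the live feed, not from here.

```python
"""
Added example (not Reliance Cyber's tooling): match an asset inventory against
CISA KEV entries and rank the results for emergency patching.
Everything below KEV_URL is constructed sample data.
"""
import json
import sys
import urllib.request
from datetime import date

KEV_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed subset of KEV entries using the real feed's field names; take
# dates and flags from the live feed rather than from here.
KEV_SAMPLE = {"vulnerabilities": [
    {"cveID": "CVE-2023-27350", "vendorProject": "PaperCut", "product": "MF/NG",
     "dueDate": "2023-05-12", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2023-34362", "vendorProject": "Progress", "product": "MOVEit Transfer",
     "dueDate": "2023-06-23", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2023-3519", "vendorProject": "Citrix",
     "product": "NetScaler ADC and NetScaler Gateway",
     "dueDate": "2023-08-09", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2023-4966", "vendorProject": "Citrix",
     "product": "NetScaler ADC and NetScaler Gateway",
     "dueDate": "2023-11-08", "knownRansomwareCampaignUse": "Known"},
]}

# Constructed inventory, as the asset discovery step would produce it: one
# record per installed product, with whether it is reachable from the internet.
INVENTORY = [
    {"host": "ns-gw01.example.net", "vendor": "Citrix", "product": "NetScaler Gateway", "internet_facing": True},
    {"host": "mft01.example.net", "vendor": "Progress", "product": "MOVEit Transfer", "internet_facing": True},
    {"host": "print01.corp.example", "vendor": "PaperCut", "product": "MF/NG", "internet_facing": False},
    {"host": "fw01.example.net", "vendor": "Fortinet", "product": "FortiGate", "internet_facing": True},
]


def match_kev(kev, inventory, today=None):
    """Return one finding per (asset, KEV entry) pair, most urgent first.

    Matching is by vendor (exact, case-insensitive) and product (the inventory
    product name must appear in the KEV product string, so 'NetScaler Gateway'
    matches 'NetScaler ADC and NetScaler Gateway'). Ranking puts internet-facing
    assets first, then entries with known ransomware use, then the longest-overdue
    CISA due date, a rough proxy for how long exploitation has been public.
    """
    today = today or date.today()
    findings = []
    for asset in inventory:
        for vuln in kev["vulnerabilities"]:
            if asset["vendor"].lower() != vuln["vendorProject"].lower():
                continue
            if asset["product"].lower() not in vuln["product"].lower():
                continue
            overdue = (today - date.fromisoformat(vuln["dueDate"])).days
            findings.append({
                "host": asset["host"],
                "cve": vuln["cveID"],
                "internet_facing": asset["internet_facing"],
                "ransomware": vuln.get("knownRansomwareCampaignUse") == "Known",
                "overdue_days": overdue,
            })
    findings.sort(key=lambda f: (not f["internet_facing"], not f["ransomware"], -f["overdue_days"]))
    return findings


def load_kev(path=None):
    """Load KEV from a local JSON file if a path is given, otherwise fetch the live feed."""
    if path:
        with open(path, encoding="utf-8") as fh:
            return json.load(fh)
    with urllib.request.urlopen(KEV_URL, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Usage: python kev_match.py [downloaded_kev.json]. With no argument the
    # constructed sample is used so the script runs offline; call load_kev()
    # with no path to pull the live catalogue instead.
    kev = load_kev(sys.argv[1]) if len(sys.argv) > 1 else KEV_SAMPLE
    for f in match_kev(kev, INVENTORY):
        print(f"{f['host']:<24} {f['cve']:<16} internet={f['internet_facing']!s:<5} "
              f"ransomware={f['ransomware']!s:<5} overdue={f['overdue_days']}d")
```

KEV does not carry version information, so a match means "this product has a known exploited CVE", not "this host is vulnerable"; the next step is to compare the installed version against the vendor's fixed version and, for anything internet-facing, to assume compromise until the host has been checked for the persistence mechanisms seen in the Citrix and PaperCut cases above.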
3. Security monitoring
Once you know what assets you have and that they are being patched regularly, the next step is to ensure that your environment is continuously monitored, using technologies such as SIEM (Security Information and Event Management) and EDR (Endpoint Detection and Response) to detect and block threat actor behaviour.
Networks can be breached in days, and sometimes hours, and ransomware can be deployed within days of initial access, so it is critical that your SOC team has the tools and processes to respond on a 24/7/365 basis. Pre-authorised actions, for example isolating devices, locking user accounts and blocking indicators, should be agreed in advance so that they can be taken at a moment's notice.
4. Multi-factor authentication (MFA)
An additional layer that stops many common threats is enrolling your users in multi-factor authentication (MFA).
If MFA is not in place at all, it is trivial for threat actors to buy credentials, brute force environments or phish user credentials, and a high proportion of the breaches we see begin with credential access.
Where possible, phishing-resistant MFA such as FIDO2 security keys (for example, YubiKey) should be used: as the Teams campaigns above show, one-time codes and push approvals can still be coaxed out of users, whereas a FIDO2 credential is bound to the legitimate site and cannot be relayed to a phishing page. That said, any form of MFA is better than none.
5. User education
Although security tools and personnel are ultimately responsible for securing a network, educated users are a good first line of defence. Every business should have a security awareness training programme that is regularly updated to make end users aware of the threats they are likely to face, how to spot them and how to report them.
6. Supply Chain Security
Businesses should be aware of the risks associated with their supply chain: the level of access suppliers have to their environment, what software is installed from suppliers and, importantly, the security practices of those suppliers. The 3CX and Okta incidents above show that a supplier's own compromise can become yours through trusted software updates and support workflows.
Reliance Cyber recommend reviewing the advice from the NCSC to ensure that your supply chain is considered as part of your cyber security strategy.
7. Incident Response
Despite following best practices, there may come a time when you suffer a cyber security breach. We recommend that you have a tested Cyber Incident Response Plan (CIRP) in place for these scenarios, and an Incident Response Team ready to act if that scenario ever occurs.
Want to understand your business's exposure to threats?
If you would like to understand the threats that your business may be exposed to, click here to access your free bespoke threat intelligence report.
Reliance Cyber are here to help
If you require any support or assistance in implementing the above best practices, Reliance Cyber are here to help. Get in touch or speak to us on +44 (0)20 3872 9000 and we will be happy to assist you.