Boo! Eek! Yikes!
Scares don’t just happen on October 31st; they happen all year long. In our most recent installment of the For [ FIX ] Sake series, the Automox team met with three expert panelists to discuss the year’s most Spine-Chilling CVEs so far.
Before they got into the nitty-gritty, our panelists defined the following terms so attendees were all on the same page.
CVE definitions and basics
The acronym CVE stands for Common Vulnerabilities and Exposures and refers to the glossary built to classify, organize, and assign a threat level to vulnerabilities.
CVSS stands for Common Vulnerability Scoring System. The system works on a scale of zero to ten, with ten representing the most critical threats.
NIST stands for the National Institute of Standards and Technology. According to NIST.gov, “NIST develops cybersecurity standards, guidelines, best practices, and other resources to meet the needs of U.S. industry, federal agencies, and the broader public.”
Patch Tuesday falls on the second Tuesday of every month, when Microsoft releases software patches so its users can improve their security resilience.
Now that we've covered the basics, here’s what our panelists had to say about the top vulnerability exploitation tactics to be on the lookout for in the coming year.
Top vulnerability exploitation techniques to be aware of in 2023
Dustin: We’re seeing a lot of replay attacks. The truth is, vendors just aren’t learning their lessons. If we're seeing the same vulnerabilities over and over, then vendors didn’t really fix the code in the first place. If bad actors are still figuring out how to get through, it means the code was only ever slightly adjusted.
My advice: focus on isolating your systems as best you can. Be on the lookout for things that look similar to what you've already seen.
Laura: I agree with Dustin about seeing several replays. We always see the same threats occur, time and time again. If you're a bad actor who was able to do it once, chances are you'll only get smarter, hone in on weaknesses, and learn to exploit the same people.
I also see a lot of cloud trends, supply chain trends, and worry how current events and the global situation might affect things.
Mark: In my experience, where the rubber meets the road in terms of exploitation of vulnerability happens in remote code execution. With Log4j and Exchange it was the same. You need good visibility into the communication between the entities in your environment. You’ve really got to be able to drill into that.
Remember, you don’t have remote code execution without remote. Remote code execution feels like a biggie threat for the long-haul. It’s always a core component of the worst attacks.
Automox: We’ve also noticed remote code execution and privilege escalation in the same threat. Sometimes, you’re dealing with a single patch missing, but without that, the attacker not only gains access to the system but also a chance to escalate their privileges.
What are the scariest CVEs you've seen this year?
Mark: The scariest CVE this year has to be the Apple iOS vulnerability. With Apple, we often take for granted there’s not malware out there or it’s not ubiquitous, but that’s not true. IT admins have suffered six zero days by Apple across all their devices, some of which have been truly nefarious.
And Apple doesn’t do a ton to work with known systems like CVSS. In the end, I think we all need to remember software is written by human beings which means it's fallible. We can't let down our guard.
Laura: To me, Log4Shell, which became Log4j, was the scariest. Though it actually dropped on Dec. 29 of 2021, it was worrisome because it was so prevalent.
Log4j was a vulnerability in the Apache library. It was a zero-day situation, but also everyone uses that library. Also, everyone’s third-party apps and people in their supply chain could also be using that library. It was clearly a huge deal as there were a ton of online threads, people were talking about it. But it took a really long time before anyone discussed actually patching it.
Log4j interrupted the supply chain. Plus, it was ubiquitous across the industry. We’ll likely see more vulnerabilities like Log4j because it was really prevalent in the cloud and in apps. That makes it all the more troubling.
Dustin: One of the scariest CVEs for me was Microsoft Exchange on-prem. It still hasn’t stopped. Even in the last 30 days there was a new one. And we still don’t have a patch. Will they release the patch next Tuesday or will they release out of band?
Sometimes it seems like all we can do is hold down the fort as best we can and hope that whoever’s exploiting these attacks doesn’t shine their light on us. But you can’t just patch the device. Even with the mitigations Microsoft put out, you still have to go in and change configurations beyond their mitigations, otherwise you’re still vulnerable.
Automox: We think the scariest CVEs tend to drop at 4:28 pm on a Friday and leave something deep in the kernel. Suddenly, there are IT admins who’ve lost their entire weekend to these vulnerabilities. And sometimes it happens weekend after weekend.
But patches are being released off-band. And we do see weaponization happening in a matter of hours now, not days or months or longer. The speed with which these attacks occur is maybe what scares us the most.
See something? Say something.
At the end of the day, we need to follow our own good standards. If you’re affected, you need to share that with the cybersecurity community. And you have to follow the responsible process.
We don't want vendors to hide. We know they don’t want to advertise they’ve been hit, but that communication can lead to rapid response from the security community. We need to communicate and hold each other accountable because we really are stronger together.
We've also got to amp up our discovery to meet the increasing velocity of vulnerabilities. We can’t just wait for Patch Tuesdays. We need to continuously patch and remediate, as quickly as possible.
There’s a culture of safety where you can't penalize a vendor for announcing an error was made. If you announce a vulnerability, it’s an imperfection. But again, software isn't perfect. Vulnerabilities exist and vendors need to do right by their customers and report them. It’s called responsible disclosure and it can really help protect us all.
Here's another way to look at it: it's basic parenting to celebrate the failures. We can’t slap the hands of vendors who disclose. We need to encourage them to disclose. It's the most sure-fire way we've got to stay safe.
From Otto’s patch to yours... Happy Halloween!