Vulnerabilities across an entire system can be chained together during exploitation to increase the blast radius of an attack.
Analyses of the top vulnerabilities disclosed by eight major software vendors — Microsoft, Adobe, Oracle, Google, Apple, Apache, Linux and Cisco — indicate that 18 of the approximately 2,400 vulnerabilities disclosed in August 2023 received “high-risk” scores, two of which have been confirmed as zero-day vulnerabilities affecting Microsoft and Ivanti products.
Additionally, threat researchers from Recorded Future have highlighted the increasing use of exploit chains — also known as vulnerability chains — by cybercriminals to raise the success rate or impact of attacks on systems and devices. Exploit chaining was identified in recently patched vulnerabilities in Juniper Networks’ J-Web interface, where threat actors exploited four vulnerabilities to target Juniper EX switches and SRX firewalls and achieve remote code execution.
Other key findings for August 2023 vulnerabilities in the eight major software vendors include:
- The software vendor most consistently affected by actively exploited zero-day vulnerabilities, month to month, was Microsoft. Microsoft patched one new zero-day vulnerability and released a Defence in Depth Update to fix a patch-bypass flaw affecting a vulnerability that was patched in July 2023 and had previously been exploited by RomCom to target guests of the July 2023 NATO Summit.
- Ivanti has warned customers about a new, critical authentication-bypass zero-day vulnerability, tracked as CVE-2023-38035, affecting its Sentry (formerly MobileIron Sentry) security product. This CVE was chained with two previously disclosed vulnerabilities affecting the firm’s Endpoint Manager Mobile (EPMM): CVE-2023-35078 (an authentication-bypass flaw) and CVE-2023-35081 (an arbitrary file-write vulnerability). Both CVE-2023-35078 and CVE-2023-35081 were patched in July 2023.
According to Maggie Coleman, Intelligence Analyst at Recorded Future’s Insikt Group, which disclosed the above analyses:
“Combining multiple vulnerabilities into a chain of attack is not a new tactic used by cybercriminals, but is an evolving tactic that organisations need to be aware of.”

“Rather than focusing on basic cybersecurity hygiene and best practices, organizations should instead identify and implement the right cybersecurity playbooks, processes, and tools to proactively protect their businesses, customers, and people. This proactiveness can be done through the quick identification and remediation of high-impact vulnerabilities before they can be exploited by threat actors.”