Vulnerabilities Year-in-Review: 2023 | Intel 471

Vulnerabilities Year-in-Review: 2023

Mar 27, 2024

In 2023, threat actors continued to exploit a variety of vulnerabilities — both newly discovered weaknesses and unresolved issues — to carry out sophisticated attacks on global organizations. The number of documented software vulnerabilities continued to rise, and threat actors were quick to capitalize on new vulnerabilities and leverage recent releases of publicly available vulnerability research and exploit code to target entities. However, while there was a high number of vulnerabilities released in the reporting period, only a handful actually were weaponized in attacks. The ones of most interest are those that threat actors use for exploitation. In this report, we’ll analyze the numbers and types of vulnerabilities in 2023 with a view to understanding attack trends and how organizations can better defend themselves.

Overview

The National Vulnerability Database (NVD), which is part of the National Institute of Standards and Technology, tracks disclosed vulnerabilities. The NVD recorded 28,831 vulnerabilities in 2023, up from 25,081 in 2022. This is an enormous number of vulnerabilities and underscores the challenges organizations — particularly those enterprises with large estates that use thousands of applications — have in tracking, prioritizing and patching them.

Not all vulnerabilities necessarily pose risks that must be mitigated immediately. To help organizations prioritize patching efforts, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) created the Known Exploited Vulnerabilities catalog, known as the KEV. Flaws that are added to this list are known to have been actively exploited. Federal agencies are bound to remediate the flaws listed on the KEV within certain time frames and use the KEV as a guiding document for their vulnerability management programs.

In 2022, CISA added 555 vulnerabilities to the KEV catalog. However, only 91 of the vulnerabilities were assigned CVE numbers in that year. In 2023, CISA added just 187 vulnerabilities to the KEV, with 121 of those vulnerabilities assigned CVE numbers in 2023. This shows that threat actors appeared to prefer newer vulnerabilities versus older ones. This could be due to organizations catching up with patching as well as a desire by threat actors to maximize their impacts.

CVEs and Ransomware

According to CISA data, vulnerabilities played a significant role in ransomware campaigns in 2022. Out of a total of 110 vulnerabilities used in ransomware attacks, 16 were linked to vulnerabilities cataloged in 2022. The remaining 94 vulnerabilities were from previous years. This trend continued in 2023, although the overall number of vulnerabilities used in ransomware campaigns decreased to 34. However, 18 of those 34 vulnerabilities were cataloged in 2023. This suggests ransomware attackers favored using exploits for more recent vulnerabilities.

Fig1
The image depicts the total vulnerabilities used by ransomware actors versus those vulnerabilities cataloged in 2022 or 2023 versus vulnerabilities prior to those years.
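The two KEV comparisons above (vulnerabilities added in a year versus those whose CVE number was assigned that year, and entries flagged for ransomware use) can be reproduced from the CISA KEV JSON feed. This is an added example, not Intel 471's code; the field names (cveID, dateAdded, dueDate, knownRansomwareCampaignUse) follow the public KEV feed schema, and the records below are constructed for illustration, not real catalog entries.

```python
"""Year-over-year KEV analysis over KEV-style records (added example)."""
from datetime import date

# Constructed sample shaped like the KEV feed's "vulnerabilities" array.
# These are not real catalog entries.
SAMPLE_KEV = [
    {"cveID": "CVE-2023-0001", "dateAdded": "2023-02-10", "dueDate": "2023-03-03",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2021-0002", "dateAdded": "2023-05-15", "dueDate": "2023-06-05",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2023-0003", "dateAdded": "2023-06-07", "dueDate": "2023-06-28",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2019-0004", "dateAdded": "2022-11-01", "dueDate": "2022-11-22",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2022-0005", "dateAdded": "2022-12-20", "dueDate": "2023-01-10",
     "knownRansomwareCampaignUse": "Unknown"},
]


def cve_year(cve_id: str) -> int:
    """Year component of a CVE identifier, e.g. CVE-2023-34362 -> 2023."""
    return int(cve_id.split("-")[1])


def kev_year_summary(entries, year: int) -> dict:
    """For entries added to the KEV in `year`: how many were added, how many
    carry a CVE number assigned in that same year (the new-vs-old split the
    text discusses) and how many are flagged as used in ransomware campaigns."""
    added = [e for e in entries if e["dateAdded"].startswith(f"{year}-")]
    return {
        "added": len(added),
        "same_year_cve": sum(1 for e in added if cve_year(e["cveID"]) == year),
        "ransomware": sum(1 for e in added
                          if e["knownRansomwareCampaignUse"] == "Known"),
    }


def overdue(entries, as_of: date) -> list[str]:
    """CVE ids whose KEV remediation due date had already passed on `as_of`;
    the same check a vulnerability-management program would run against its
    asset inventory to find KEV items it is late on."""
    return sorted(e["cveID"] for e in entries
                  if date.fromisoformat(e["dueDate"]) < as_of)


if __name__ == "__main__":
    for y in (2022, 2023):
        print(y, kev_year_summary(SAMPLE_KEV, y))
    print("overdue as of 2023-06-10:", overdue(SAMPLE_KEV, date(2023, 6, 10)))
```

To run the same analysis on the real catalog, load the feed with `json.load(...)["vulnerabilities"]` in place of `SAMPLE_KEV`; the published totals (555 added in 2022, 187 in 2023) come from the full feed, not this sample.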

Vulnerabilities by Vendor and Type

The top five software vendors with the most disclosed vulnerabilities should be no surprise. The deep reach of these vendors and the widespread use of their products mean they’re most scrutinized by developers, bug hunters, threat actors and penetration testers. This list isn’t intended to imply that these companies produce software of any less quality than any other vendor, but rather gives organizations a greater perspective on their concentration of risk. Google retained its position as the most impacted vendor, with the number of reported vulnerabilities in its products numbering 1,681 in 2023. It was followed by Microsoft at 1,017, Adobe at 671, Apple at 461 and IBM at 414 vulnerabilities.

Fig2
The image depicts the top five vendors impacted by vulnerabilities in 2022 and 2023.

An analysis of the types of vulnerabilities reported in 2022 and 2023 reveals several trends. In 2023, the top five most common vulnerability types were cross-site scripting (XSS) at 5,297 occurrences, followed by structured query language (SQL) injection (SQLi) at 2,261, out-of-bounds write at 2,066, cross-site request forgery (CSRF) at 1,324 and out-of-bounds read at 1,068. Comparatively, in 2022 XSS still topped the list with 3,927 occurrences, followed by out-of-bounds write at 2,423, then SQLi at 1,950, out-of-bounds read at 1,028 and improper input validation flaws at 953. Consequently, CSRF was a new entrant to the top five list in 2023, while improper input validation did not make the top five. The appearance of CSRF highlights how the ever-evolving nature of vulnerabilities calls for enhanced security measures to combat new attack vectors. Conversely, the absence of improper input validation from the 2023 list suggests a decline in its occurrence or a shift in attacker tactics.

Fig3
The image depicts the top five most common vulnerability types in 2022 and 2023.

Severity Breakdown and Exploitation Status

Our approach to vulnerability monitoring focuses on those vulnerabilities that are likely to be exploited by threat actors. We draw on our extensive knowledge of the cyber underground and known threat actors, monitoring their conversations and deriving intelligence. The results of these analyses are available in our Vulnerability Intelligence Dashboard, which is a quick reference tool designed to assist patch prioritization and vulnerability management decision-making. This regularly updated dashboard tracks the life cycle of significant vulnerabilities observed in the underground.

We assess whether a vulnerability has been researched or disclosed publicly and where those discussions have taken place (underground forums vs. open source). We also assess if a proof-of-concept (PoC) exploit is available, if it has been “weaponized” — such as inserted into exploit kits — and the final stage, whether an exploit has been “productized.” Productized means that an exploit is available for use by lesser-skilled threat actors, such as via a Metasploit module or Armitage.

In 2023, we reported 510 vulnerabilities, marking a significant increase from 424 the previous year. In 2023, 28% of vulnerabilities were classified as high risk — up 1% from 2022, 47% as medium risk — up 4% and 25% as low risk — down 5%. Additionally, of the 510 vulnerabilities, 10% were productized, 60% were weaponized and 16% had PoC code available, whereas the statistics from 2022 consisted of 18% productized, 47% weaponized and 19% PoC code available.

Fig4
The image depicts the percentage of vulnerabilities we assigned a high, medium or low risk in 2022 and 2023 and the percentage of vulnerabilities we assigned a productized, weaponized, code available or PoC unavailable status in 2022 and 2023.

Notable Threat Actors

Monitoring threat actors can give clues as to which vulnerabilities, and subsequently which exploits, may be of most interest to threat actors. This information is bought and sold, and the markets and forums are populated by known vendors with reputations. Based on past behavior, past sales and reputation in the underground, this helps us judge whether a threat actor is likely telling the truth about, say, the development of PoC code. To illustrate how this underground insight can help guide our decision on whether to include a vulnerability on our dashboard, below are profiles of threat actors that we have observed in the last year in connection with vulnerabilities that surfaced. The nicknames of the threat actors have been changed for this public-facing blog post, but the summaries of the threat actors and their tactics, techniques and procedures (TTPs) are accurate.

Actor Profile: XPLT

The actor XPLT has an extensive history as an exploit and vulnerability broker and holds a positive reputation on well-known underground forums. The actor’s TTPs include offering to sell exploits for alleged zero-day vulnerabilities impacting hardware products and operating systems. The actor continued this activity throughout 2023 by advertising alleged zero-day vulnerabilities impacting Windows, the Webuzo web server management platform, Cisco routers and Juniper SRX firewalls.

TTPs:

  • Offering to sell exploits for alleged zero-day vulnerabilities that impact hardware, web applications and operating systems.

Actor Profile: Impax

The threat actor Impax is an exploit developer and seller of compromised databases as well as cracked penetration-testing and security-auditing software. The actor continued this activity throughout 2023. The actor allegedly integrated several prominent vulnerabilities into Impax’s toolkit, which included more than 20 exploits.

On June 7, 2023, the operator or operators behind the CLOP ransomware blog claimed to have gained access to information of "hundreds" of companies that use Progress MOVEit Transfer managed file transfer (MFT) software. One of the vulnerabilities exploited by CLOP was CVE-2023-34362. CLOP’s attacks eventually affected more than 2,700 organizations, marking one of the most widespread data extortion events of all time. Impax was one of several threat actors who also acted on the MOVEit flaws. We observed the actor announce that Impax’s version of the Core Impact 21.3 penetration-testing tool was weaponized with a new exploit based on CVE-2023-34362. Another actor also posted a link on a cybercrime forum to a blog sharing a walk-through demonstration of an exploit of CVE-2023-34362. Due to the highly publicized nature of this vulnerability and the release of a full remote code execution (RCE) exploit PoC in open sources, CVE-2023-34362 was likely used in additional attacks by a variety of threat actors.

TTPs:

  • Offering to sell exploits for publicly disclosed and alleged zero-day vulnerabilities.

  • Publishing and trading compromised database dumps, email addresses and personally identifiable information (PII) records.

  • Selling cracked versions of numerous penetration-testing utilities, which included the Brute Ratel and Cobalt Strike tools.

Actor Profile: Anmiguel

The actor Anmiguel is a prolific exploit vendor who maintained a positive reputation on underground forums. The actor developed exploits for numerous vulnerabilities, and Anmiguel’s reputation has been confirmed by reputable forum members. Throughout 2023, the actor offered to sell exploits for CVE-2023-21822 and CVE-2022-26925. Additionally, the actor offered an alleged zero-day local privilege escalation (LPE) vulnerability impacting Windows 10 and 11 and Windows Server 2019 and 2022 operating system versions. We later observed the actor advertise an additional exploit impacting the same operating systems Dec. 16, 2023.

TTPs:

  • Developing and selling an exploit for the CVE-2022-26925 RCE Local Security Authority (LSA) spoofing vulnerability.

  • Selling exploit PoC code for an alleged zero-day memory corruption LPE vulnerability.

  • Selling multi-feature Linux back-connect malware.

Assessment and Outlook

In 2023, threat actors persisted in prioritizing new vulnerabilities that enabled them to obtain an initial foothold within their target infrastructure. They appeared to prefer recent vulnerabilities in public-facing applications to target instances that were not yet patched. As a result, ransomware operators likely were provided with increased opportunities to carry out illicit activity for financial gain.

We also witnessed increasing interest in zero-day vulnerabilities throughout 2023 as attackers are investing more effort and time in discovering and exploiting them. Organizations therefore should prioritize monitoring of network traffic, particularly focusing on public-facing applications as potential points of entry for malicious actors. Additionally, it is important for organizations to maintain awareness regarding the advertisement and trading of specific zero-day vulnerabilities on underground forums since this activity likely corresponds to increased risk and could serve as a warning to future exploitation attempts.

Other trends should be taken into consideration as we move through 2024. First, the increasing reliance on application programming interfaces (APIs) makes them a prime target for attackers. Vulnerabilities in these interfaces can expose sensitive data and grant unauthorized access to critical systems. Therefore, organizations could benefit from bolstering API security measures including authentication, authorization and regular vulnerability assessments. Second, exposed sensitive data such as API keys and leaked credentials continue to be a major concern. This highlights the crucial need for robust data management practices, emphasizing encryption, access control and regular rotation of sensitive information.

Overall, 2023 served as a reminder that even the most fundamental and trusted software is not immune to flaws, underscoring the ongoing need for more fortified vulnerability management strategies. Organizations should maintain asset inventories, prioritize patching and put proper countermeasures in place when new information is obtained from open source and underground vulnerability intelligence data to minimize possible compromises. Moreover, we continue to recommend tailoring prioritization based on threat intelligence provided by our Vulnerability Intelligence team and corresponding Dashboard in our TITAN platform.