Threat Landscape Report 2024

Ivanti Connect Secure VPN appliances were exploited by multiple actors using recently discovered zero-day vulnerabilities, allowing remote code execution. Over 1,500 devices were compromised. Microsoft and HP Enterprise were also compromised by Russian state actors. There was a spike in Akira ransomware targeting organizations in Nordic countries.


Threat Landscape

Update Report
January 2024
Contents

1 Monthly highlights
2 Ransomware: Trends and notable reports
3 Hacktivism
4 Other notable highlights in brief
5 Threat data

Foreword

This month saw a complex, rapidly evolving situation involving multiple zero-days in Ivanti Connect Secure VPN appliances which are under active exploitation by multiple actors, the compromise of Microsoft and HP Enterprise by Russian state actors, and a spike in Akira ransomware activity targeting the Nordics, which impacted multiple significant Swedish entities.

The exploitation of appliances and network infrastructure was a hot topic this month. There were also multiple vulnerabilities in GitLab and GitHub, which are concerning due to the recent prevalence of CI/CD pipeline supply chain attacks.

We also report on several attacks by hacktivist groups that had significant impacts not normally achieved by such groups, as well as a series of security failures which led to outages for Orange Spain.

- Stephen Robinson, Senior Threat Intelligence Analyst, WithSecure
1 Monthly highlights

1.1 Ivanti – ICS VPN and MobileIron exploitation

A significant and evolving story this month has concerned the zero-day vulnerabilities in Ivanti ICS VPN appliances. Researchers at Volexity identified two zero-days which could be chained together to allow full, unauthenticated remote code execution on all versions of the appliances. When this was first publicly reported on the 10th of January there were reported to be 10-20 known victims, indicating a very targeted campaign. This activity was a single actor who had deployed custom webshells to the appliances, followed by a Rust based downloader which downloaded and executed a Sliver based payload. It may seem unusual that this could be done on an appliance type device, but remember, most appliances are simply locked down Linux servers. After this, the actor could then move laterally within the victim networks. In the days after it was made public the number of devices that were compromised and had the actor's custom webshell deployed rose to over 1,500, and 20-30 more IP addresses were detected scanning for the vulnerability using information which was not in the public domain. These scanning IPs used different methods and varying levels of OpSec, which strongly suggested that multiple actors had begun targeting these vulnerabilities.

Ivanti did release a mitigation tool, but they stated that no patch would be available until the 22nd of January at the earliest, with patches for different versions to be released from the 22nd of January onwards. In more bad news for Ivanti and their customers, on January 20th Ivanti announced that while the mitigation tool reconfigures the device to disable the vulnerable functionality, once the mitigation has been applied, if any kind of configuration is pushed to the device from a central management tool as an XML file (as is commonly done in enterprise environments) the mitigation will be de-activated, leaving the device vulnerable again.

On January 26th Ivanti updated their advisory to state that they would not be able to release patches on time, and on January 31st they at last released their first patch, alongside a notification that two further zero-days had been identified, CVE-2024-21888 (privilege escalation) and CVE-2024-21893 (auth bypass), stating that of these CVE-2024-21893 was known to have been exploited by attackers. At the same time Ivanti announced this, CISA put out the following statement about the Ivanti ICS exploitation activity:

"Some threat actors have recently developed workarounds to current mitigations and detection methods and have been able to exploit weaknesses, move laterally, and escalate privileges without detection. CISA is aware of instances in which sophisticated threat actors have subverted the external ICT, further minimizing traces of their intrusion."

The external ICT is an Integrity Checker Tool which runs on another device and essentially audits the ICS appliance to verify that it has not been compromised or modified.

Finally, Ivanti have also been in the news regarding another appliance product, as a previously patched vulnerability in the Ivanti Endpoint Management Mobile and MobileIron Core appliances, CVE-2023-35082, has been added to CISA's Known Exploited Vulnerabilities catalogue. This vulnerability is from August 2023, and is a patch bypass for CVE-2023-35078, which was used as a zero-day against the Norwegian government in a campaign from April 2023. These vulnerabilities can be chained with CVE-2023-35081 to write malicious webshells to these appliances.
WithSecure Insight

Ivanti ICS VPNs, formerly known as PulseSecure, are a major player in the enterprise VPN market. Because of this, many large organizations suddenly became vulnerable to a 0-day vulnerability in an externally facing service. The issue whereby pushing configuration to a "mitigated" device removes the mitigation is even more concerning, as the mitigation itself has been distributed as an XML configuration file, so it is likely that simply applying the mitigation a second time would leave the device vulnerable again, which is not ideal.

The attack pattern against the Ivanti ICS and EPMM appliances is very similar: exploit a vulnerability chain to get access to the appliance, then drop a webshell to enable further activity. As explored later in this report, this has been found to be an extremely effective methodology for attackers when targeting Linux based appliances such as these, so we will likely see this behavior in future campaigns.

What can you do?

Ivanti have provided a mitigation tool, but applying the mitigation means that appliance configuration can no longer be centrally managed and pushed. This tool is not an update, and while it was intended to protect appliances against future compromise and detect indicators of previous compromise, the latest update from CISA indicates that there are methods to subvert/bypass this functionality, which calls into question how useful it really is. There is also the concern that if an attacker has already moved laterally into the network, then it is very possible that they have set up other C2 channels and webshells with which to maintain access. As such, standard security best practices of logging, monitoring, and investigating unusual activity all come into play as vital parts of a successful defense in depth.
1.2 APT28 compromises Microsoft, a software and services company that also sells security

This month Microsoft announced that they have been compromised by the Russian state linked hackers known as Cozy Bear/APT28, and data was exfiltrated from multiple business functions, including cybersecurity. Microsoft were compromised at least as far back as November 2023.

Of course, it gets worse. The attack began with a password spray attack which compromised what is described as a legacy, non-production test tenant OAuth application, which was not protected with MFA. That was used to create a new user and grant that user the permission to access Microsoft corporate email accounts. This new privileged user account was then used to access the email accounts of senior leadership and other employees in cybersecurity, legal, and other functions, exfiltrating emails and attached documents. Microsoft's investigation indicates that the attackers began by looking for information relating to Microsoft's investigation into the APT28/Cozy Bear group itself. This is a pretty astounding configuration failure by Microsoft of their own Microsoft products, and raises the distinct question: if Microsoft's Azure AD/Entra ID solution is too complex for Microsoft themselves to configure securely, what chance do their customers have?

In addition, since this method was successful in compromising Microsoft, it is very likely that the attackers were able to deploy it successfully against Microsoft customers, and Microsoft have stated that through investigating their own compromise, they have identified multiple Microsoft customers who have also been victims of this campaign. Additional reporting (paywalled) suggests that at present there are at least ten further known victims of this activity.

Unfortunately for Microsoft's customers, their recommended steps for detection, investigation, and remediation of such activity are to purchase additional security products and services from Microsoft. As pointed out by other commentators, that is a very interesting and hard to justify stance to take, particularly when this appears to be a campaign enabled by the Azure AD hybrid operating model, which (to paraphrase the previously linked article) combines the flaws of on premise identity models with the flaws of cloud identity models.

A news item unrelated to that incident, but which still feeds into "the Microsoft problem", is that researchers at Varonis discovered another way to harvest NTLM hashes via Outlook, via CVE-2023-35636. The vulnerability can be triggered by sending a calendar sharing email. When the recipient clicks on the "Open this iCal" button in the email, their machine will automatically try to connect to the sharing URL specified by the attacker, and if the destination specifies NTLM authentication, the victim's device will send their NTLM hash. What makes this story particularly interesting is that this is one of three new methods that the researchers identified which can be used to trigger NTLM hashes being sent to untrusted destinations; the other similar methods leveraged Windows Performance Analyzer in one case, and Windows File Explorer in the other. However, Microsoft's response to the researchers was that only the Outlook method was important enough to get a CVE. The other two, very similar methods that could be used for NTLM harvesting were deemed to only be of "moderate" severity, and so no CVEs were issued. This seems like a rather unusual approach, which once again highlights that Microsoft is a software and services company that happens to also sell a security service.
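The password spray that opened the Microsoft intrusion is exactly the pattern that per-account lockout thresholds miss by design: a few guesses against many accounts. The following Python is an added example, not code from this report or from Microsoft. It groups sign-in failures by source IP, flags "many distinct accounts, each tried only a few times" inside a time window, and then lists any later success from the same IP so a responder can see where the attacker landed. The event layout, thresholds and the sample events are constructed assumptions; real Entra ID sign-in logs would need a small adapter to this tuple format.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sign-in events, not real telemetry: (timestamp, source_ip, user, app, outcome)
SAMPLE_EVENTS = [
    ("2024-01-12T02:00:05Z", "203.0.113.9", "alice",    "legacy-test-app", "failure"),
    ("2024-01-12T02:02:11Z", "203.0.113.9", "bob",      "legacy-test-app", "failure"),
    ("2024-01-12T02:04:40Z", "203.0.113.9", "carol",    "legacy-test-app", "failure"),
    ("2024-01-12T02:06:02Z", "203.0.113.9", "dave",     "legacy-test-app", "failure"),
    ("2024-01-12T02:08:57Z", "203.0.113.9", "erin",     "legacy-test-app", "failure"),
    ("2024-01-12T02:11:13Z", "203.0.113.9", "svc-test", "legacy-test-app", "failure"),
    ("2024-01-12T02:31:00Z", "203.0.113.9", "svc-test", "legacy-test-app", "success"),
    # One user mistyping a password: many attempts against a single account is
    # brute force, not a spray, and per-account lockout already covers it.
    ("2024-01-12T09:00:00Z", "198.51.100.4", "bob", "mail", "failure"),
    ("2024-01-12T09:00:30Z", "198.51.100.4", "bob", "mail", "failure"),
    ("2024-01-12T09:01:00Z", "198.51.100.4", "bob", "mail", "failure"),
    ("2024-01-12T09:01:20Z", "198.51.100.4", "bob", "mail", "success"),
]

WINDOW = timedelta(minutes=60)   # how long one spray pass is allowed to take (assumed)
MIN_DISTINCT_USERS = 5           # many accounts ...
MAX_ATTEMPTS_PER_USER = 3        # ... each tried only a few times, staying under lockout


def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_password_spray(events, window=WINDOW, min_users=MIN_DISTINCT_USERS,
                          max_per_user=MAX_ATTEMPTS_PER_USER):
    """Return one alert per source IP whose failures look like a spray.

    The grouping key is the source IP, not the account: inside a sliding
    window, count distinct accounts that failed and require that no single
    account was hammered. Any success from the same IP after the spray started
    is reported so the responder sees which account the attacker landed on
    (in the Microsoft case, an app in a test tenant without MFA).
    """
    by_ip = defaultdict(list)
    for ts, ip, user, app, outcome in events:
        by_ip[ip].append((_parse_ts(ts), user, app, outcome))

    alerts = []
    for ip, evs in by_ip.items():
        evs.sort()
        failures = [e for e in evs if e[3] == "failure"]
        best, start = None, 0
        for end in range(len(failures)):
            # shrink the window from the left until it spans at most `window`
            while failures[end][0] - failures[start][0] > window:
                start += 1
            current = failures[start:end + 1]
            per_user = defaultdict(int)
            for _, user, _, _ in current:
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                if best is None or len(per_user) > best["distinct_users"]:
                    best = {
                        "source_ip": ip,
                        "window_start": failures[start][0].strftime("%Y-%m-%dT%H:%M:%SZ"),
                        "distinct_users": len(per_user),
                        "apps": sorted({a for _, _, a, _ in current}),
                        "_start": failures[start][0],
                    }
        if best is not None:
            start_dt = best.pop("_start")
            best["successes_after"] = sorted(
                {user for ts, user, _, outcome in evs
                 if outcome == "success" and ts >= start_dt})
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_password_spray(SAMPLE_EVENTS):
        print(alert)
```

Run as-is, the spraying IP produces one alert covering six accounts and naming the account that later signed in successfully, while the single fumbling user produces nothing. The thresholds are deliberately conservative; in production they are tuned against a baseline of normal failure rates, and the same grouping can be keyed on ASN or user agent where attackers rotate IPs.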
1.3 The infrastructure issue

The situation Ivanti and their customers find themselves in is itself part of a wider trend that has really made itself known this month, and that is infrastructure and appliance compromise. In January alone there have been vulnerabilities and campaigns affecting appliance and infrastructure devices from Citrix, Cisco (allegedly including a zero-day), Juniper twice, SonicWall, QNAP, and of course Ivanti (see above), to name a few. And there are multiple reasons why these types of devices make such good targets for attackers.

An appliance is typically just a specific piece of server hardware running an OS/application, provided together as a bundle by a vendor. Infrastructure tends to refer to more custom, networking specific pieces of hardware and software, such as switches, routers, and firewalls; however, even in these cases the actual processing/computing function of the device is almost always provided by a standard, off the shelf CPU architecture. If your device is running a standard type of CPU architecture, it can probably run a standard operating system. Often, a lightweight Linux variant is chosen as the operating system, upon which custom software components can then be run to provide the specific desired functionality. Even Cisco, (in)famous for their custom operating system named IOS, have moved to IOS XE, a Linux based operating system which has the appearance of IOS to a casual observer. And the key thing here is that if you are running a standard operating system, then there are standard avenues of compromise and persistence for attackers. These devices are often "out of sight, out of mind", meaning that they may not be patched regularly, and as network administrators may interact with them only rarely, they may not understand how to configure them correctly and securely. In addition, devices such as these are often not included in detection and monitoring solutions, so when they are compromised it may only be detected based upon their interactions with the rest of the network. Could EDR or other monitoring solutions be installed upon these devices? Technically, if the device runs Linux and has the correct dependencies, yes, but altering the software installed on these devices in any way could have an impact on their performance and would almost certainly void any kind of warranty or support contract from the vendor.
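Since an appliance that cannot run EDR is, as the section above says, often only visible through its interactions with the rest of the network, a practical control is to learn what each appliance normally talks to and alert on anything new. The Python below is an added example and is not code from this report; the appliance inventory, internal address ranges, "lateral movement" port list and flow records are all constructed assumptions standing in for a real inventory and real NetFlow/firewall logs.

```python
import ipaddress
from collections import defaultdict

# Assumed inventory of appliance management IPs (hypothetical values).
APPLIANCES = {"10.0.0.5": "vpn-concentrator-1"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Ports an appliance has no business opening towards internal hosts (assumed list).
LATERAL_PORTS = {22, 135, 139, 445, 3389, 5985, 5986}

# Constructed flow records, not real telemetry: (day, src_ip, dst_ip, dst_port, proto)
BASELINE_FLOWS = [
    ("2024-01-01", "10.0.0.5", "10.0.1.10", 389, "tcp"),    # LDAP to the directory
    ("2024-01-01", "10.0.0.5", "10.0.1.11", 1812, "udp"),   # RADIUS
    ("2024-01-02", "10.0.0.5", "10.0.1.20", 514, "udp"),    # syslog forwarding
    ("2024-01-02", "10.0.0.5", "10.0.1.10", 389, "tcp"),
    ("2024-01-03", "10.0.0.5", "10.0.1.11", 1812, "udp"),
    ("2024-01-03", "10.0.3.7", "10.0.0.5", 443, "tcp"),     # admin -> appliance, not appliance-initiated
]
NEW_FLOWS = [
    ("2024-01-15", "10.0.0.5", "10.0.1.10", 389, "tcp"),         # normal
    ("2024-01-15", "10.0.0.5", "10.0.2.30", 445, "tcp"),         # appliance opening SMB to a file server
    ("2024-01-15", "10.0.0.5", "198.51.100.77", 443, "tcp"),     # appliance talking to the internet
    ("2024-01-15", "10.0.0.5", "198.51.100.77", 443, "tcp"),     # repeat of the above, reported once
    ("2024-01-15", "10.0.0.5", "10.0.1.20", 514, "udp"),         # normal
]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def build_baseline(flows, appliances=APPLIANCES):
    """Map each appliance IP to the set of (dst, port, proto) it initiated in the baseline period."""
    baseline = defaultdict(set)
    for _, src, dst, port, proto in flows:
        if src in appliances:
            baseline[src].add((dst, port, proto))
    return baseline


def find_deviations(flows, baseline, appliances=APPLIANCES):
    """Return appliance-initiated flows absent from the baseline, each with a severity hint.

    Anything leaving the internal ranges, or aimed at a lateral-movement port,
    is 'high'; a new internal peer on another port is 'medium' and worth a look.
    Only flows the appliance itself opened are considered, so admin sessions
    towards the appliance do not pollute the baseline.
    """
    findings, seen = [], set()
    for day, src, dst, port, proto in flows:
        if src not in appliances:
            continue
        key = (src, dst, port, proto)
        if (dst, port, proto) in baseline.get(src, set()) or key in seen:
            continue
        seen.add(key)
        findings.append({
            "day": day,
            "appliance": appliances[src],
            "dst": dst, "port": port, "proto": proto,
            "severity": "high" if (not is_internal(dst) or port in LATERAL_PORTS) else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in find_deviations(NEW_FLOWS, build_baseline(BASELINE_FLOWS)):
        print(finding)
```

The baseline period must itself be clean for this to be trustworthy, and a vendor update or a new authentication backend will legitimately add peers, so findings are a prompt for a human to confirm rather than an automatic block. The same approach extends to DNS queries made by the appliance, which are an equally cheap signal for devices that cannot host an agent.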
1.4 Akira ransomware spikes

The Akira multipoint of extortion ransomware brand has been particularly active in the Nordic region this month.

NCSC-FI issued an alert regarding increased Akira ransomware activity observed in December, with six out of seven ransomware incidents in Finland that month being attributed to Akira. NCSC-FI also stated that in these incidents Akira gained access by exploiting CVE-2023-20269 in Cisco ASA and FTD firewalls, which enables brute force attacks against these devices. This closely aligns with previous reporting from Sophos about similar activity from Akira in 2023. In all of the Finnish incidents the threat actor made specific efforts to destroy backups, both Network Attached Storage (NAS) and tape backups. Other open-source reporting stated that there was elevated Akira activity in January, characterized by short dwell times, Cisco ASA compromise for access, abuse of the tools WinSCP and WinRAR for exfiltration, and AnyDesk RMM for remote access and persistence.

The most significant known activity attributed to Akira in January was the compromise of TietoEvry, a large Finnish MSP which provides IT services and enterprise cloud hosting. Based on current reporting, a single Swedish data center which provides enterprise managed cloud hosting services was compromised in an attack which occurred on the night of the 19th/morning of the 20th of January. Customers of TietoEvry who were affected by this appear to be entirely Swedish, and include the Riksbank (Swedish central bank), the retail chain Granngården and cinema chain Filmstaden, who had to close branches and halt e-commerce, and the retail chains Systembolaget, Stadium, and Rusta, whose websites were taken down by the attack. As well as these hosting customers, TietoEvry's managed payroll and HR service system, Primula, was also affected. Primula is used by multiple Swedish government entities, universities, and colleges. There was also significant impact to the Uppsala regional government, where the healthcare record system was affected.

Some reporting suggests that the company's virtualization and management servers, which are used to host websites and applications for their customers, have been encrypted. This aligns with the service they provide and the result of the attack, but also with other Akira activity that WithSecure has observed this month.

This is the second publicly reported successful ransomware attack that TietoEvry have suffered in the last 3 years.

WithSecure Insight

In our internal WithSecure telemetry, multiple Akira incidents were detected, and in one case three different ransomware locker binaries were dropped by the attacker: one for Windows servers, one for VMware ESXi 6.5 hypervisors, and one for ESXi 7 hypervisors, which indicates that they are perfectly capable and equipped to target and encrypt virtual hosting environments.

In another case an Akira Megazord locker variant was used. In these incidents Akira was seen to use typical ransomware TTPs which are known to be effective, including using legitimate RMM for remote control, encrypting and exfiltrating data for double extortion, and the use of renamed Rclone binaries to exfiltrate data from the victims to either an FTP server or to a legitimate cloud storage service.

The full impact of this compromise may not yet be known, but TietoEvry has not been listed on the Akira ransomware group's leak site yet. Considering that TietoEvry have confirmed that they are a victim of Akira, this highlights just how difficult it is to get an accurate assessment of the ransomware landscape when our best source of information is the ransomware groups themselves, via their leak sites.

What can you do?

This incident impacts both the initial victim, TietoEvry, and the downstream supply chain victims, their customers. It is well documented that defending against supply chain attacks is challenging and requires a Zero Trust or Defence in Depth approach, with multiple different security controls to verify any trust relationship. While the cause of the compromise of TietoEvry is not yet known, the information from NCSC-FI is that unpatched firewalls were to blame for other Akira incidents in Finland in this timeframe. As such, being aware of and managing your attack surface is key.

If you are concerned about your organization's security, you need to know where you could be attacked from, and you need to verify that you are as secure as you can be in those areas.
2 Ransomware: Trends and notable reports

The following data is limited to ransomware and data leak groups who operate a leak site which is parseable. The following data was captured between 1st January and 31st January 2024.

Ransomware               Jan '24   Change
0mega                    1         +1
3AM                      2         -2
8BASE                    44        +21
Abyss                    3         +2
Akira                    28        +11
Alphv (BlackCat)         31        +7
BianLian                 17        +5
BlackBasta               19        +2
Blacksuit                4         -1
Cactus                   7         -10
CiphBit                  1         +1
Cloak                    1         -
Cloak Ransomware         4         +4
CL0P                     1         -1
CUBA                     1         +1
Daixin                   0         -1
Data Leak                1         +1
Defray777                0         -1
DragonForce              2         -19
Dunghill Leak (News)     1         +1
Everest                  3         +3
Hunters International    15        +10
INC Ransom               10        +3
Insane                   1         +1
Knight                   11        +7
LockBit                  92        +11
Lorenz                   0         -1
MalekTeam                1         -3
Medusa                   12        +2
Meow                     1         -5
MetaEncryptor            0         -2
Money Message            1         +1
Monti                    2         -
MyData                   7         +7
NoEscape                 0         -2
Play                     4         -29
Qilin                    11        +6
RA Group                 0         -5
Ransomed                 1         +1
RansomExx                2         +2
Ransomhouse              5         +3
Rhysida                  0         -10
SiegedSec                0         -16
slug                     1         +1
Snatch                   6         +4
Stormous                 2         -6
Trigona                  10        +10
Unsafe                   3         +3
2.1 Observations

Ransomware numbers in January 2024 are roughly akin to, but slightly higher than, those of the previous month (December 2023). This is unfortunately much higher than January 2023, which itself was the 'quietest' month of the year by some margin. Significant declines in PLAY victims have been balanced out by increases in 8base, Lockbit and Akira – three topical ransomware families explored in more detail across this report and last month's.

A new ransomware leak site has been initialized by a ransomware variant which refers to itself as 'Alpha ransomware'. Its leak site is simply titled 'Blog', but as with many other ransomware flavors, it is also referred to by the opening strings of its leak site, 'MyData'. It has posted a relatively small number of victims (eight at the time of writing) in January and samples do not appear to be widely available.

Other new ransomware sites have emerged in January: 'Cloak Ransomware' (appearing not to be associated with the previously tracked brand 'Cloak'), 'Slug', and 'Insane'. These combined represent a small number of breaches – with only six combined postings. How successful these brands will be is yet to be seen, however one of Cloak Ransomware's victims was a food and business service organization with a reported revenue of over $21 Billion.

Akira were of course a theme this month and were highly active in high-profile cases, and this has been mentioned already. In terms of other high-profile organizations impacted, Akira also posted LUSH, a UK cosmetics retailer.

Lockbit, as is usual, posted the most victims throughout January and there are two items worth exploring further. These are documented below.

2.2 Lockbit go to APAC

Lockbit have claimed a hack and theft of five terabytes of 'Fox Semicon' data, one of Taiwan's largest semiconductor companies. Lockbit have also posted Cheng Mei Materials, a Taiwanese electronics manufacturing company, in January. Taiwan and the semiconductor industry are often thought of as a pair, and it is difficult not to also consider the geopolitical turmoil surrounding China and Taiwan. Analysis by Cloudflare registered a 3,370% growth of DDoS attacks targeting Taiwan throughout Q4 2023, for example. Despite this, there is no evidence to suggest that Lockbit are operating with a pro-China political motive. In fact, Lockbit also posted one Chinese victim this month, which comes after a few high-profile hacks of Chinese organizations – most notably the fifth largest bank in the world, state-owned Industrial and Commercial Bank of China (ICBC), in November 2023.

2.3 Ransomware gangs hack healthcare, sell patient data

'Hospitals and Healthcare' is the most common sector amongst victim posts this month across all ransomware families. Three victims in this sector were posted by Lockbit, with one, Capital Health, releasing a statement that surgeries, outpatient radiology appointments, neurophysiology, and non-invasive cardiology testing were all delayed. Lockbit have historically attacked a range of healthcare services, including pediatric hospitals, despite previously claiming affiliate 'rules' forbidding the targeting of such institutions.

A major part of the extortion activity of ransomware gangs is to demand payment, otherwise data will be leaked or sold. This happens with healthcare also, where the data can contain confidential patient data. Indeed, in the case of the Seattle Fred Hutch cancer center and Integris Health, ransomware actors used stolen data to extort patients individually, echoing the activities of the hackers who compromised the Finnish psychotherapy firm Vastaamo in 2018.
3 Hacktivism

3.1 Chad move from Anonymous Sudan

Anonymous Sudan, a Russian aligned hacktivist/DDoS group more commonly seen targeting Europe, this month launched a DDoS attack against the telecommunications company Sudachad, the sole provider of wholesale Internet access in the African state of Chad. This appears to have led to a total collapse in Internet connectivity to Sudachad, and by extension Chad. Taking a country offline may be seen as quite a feat, however Chad has a population of only 18 million and is one of the poorest countries in the world, so it is likely that, relatively speaking, they have very little infrastructure or resilience. This is unusual targeting for Anonymous Sudan, however it appears to be because Chad have supported a paramilitary group operating in Sudan named the Rapid Support Forces (RSF). This may seem an unusual thing for a Russian aligned group to take offence over, but it appears RSF previously worked with Wagner group, and are currently operating in opposition to the government of Sudan, with whom the Putin regime is aligned.

3.2 Cyber Toufan are not fans of Israeli hosting services

While the hacktivist groups operating on the sidelines of the current Middle East conflict have been generally rather ineffective, there are a few exceptions to that rule. One such exception is the Iranian linked group Cyber Toufan. Since November 2023, this group have compromised over 100 Israeli, or Israeli hosted, organizations, deleting or leaking data and performing follow on supply chain attacks. This successful campaign is itself a series of supply chain attacks, as Cyber Toufan compromised the Israeli hosting provider Signature-IT. Signature-IT host websites and web applications for many Israeli government organizations and large companies, as well as the Israeli subsidiaries of international companies. It appears that the group exfiltrated and wiped data from the compromised servers and has regularly leaked stolen data over the last few months. Indeed, they appear to be fully utilizing the data that they have stolen, as they are performing follow on attacks which include sending mass emails to stolen customer lists asking the recipients to stop doing business with Israeli organizations.

3.3 Iranian aligned group wipes out Albania

Researchers at ClearSky security have published an interesting write up of a recent campaign by the hacktivist group HomeLand Justice, targeting Albania.

HomeLand Justice are a hacktivist group which the US FBI and CISA have attributed as an Iranian state threat actor. Since 2022 they have launched multiple attacks against Albania, most likely due to Albania's support of the Iranian opposition group MEK. Their most recent attack was in December 2023, when they launched wiper attacks against the Albanian telecom company One, Air Albania, and the Albanian Parliament. Interestingly, the group's logo specifically references the logo of the Israeli aligned group Predatory Sparrow, who we covered in last month's report.
3.4 Bangladesh election DDoS: A sign of things to come?

Data from Cloudflare has shown that the last quarter of 2023
saw a 33% quarter over quarter jump in HTTP DDoS traffic
targeting Bangladesh, with a particular focus on the telecoms,
news/media, and financial sectors. This seems to coincide
with the lead up to the national elections, which occurred
on January 7th, and the Bangladeshi Election Commission
reported that it had been targeted by DDoS attacks. In
addition, it was announced that a government supplied
mobile app which provided election related information to
voters was targeted by a DDoS attack which seemed to
cause performance issues, although the app remained live.
Considering the upcoming national elections in the US, EU,
and UK in 2024, it is very likely that we will see further similar
attacks targeting democratic processes.
4 Other notable highlights in brief

4.1 Orange Spain were RIPE for the picking

Orange Spain experienced a telecoms outage earlier this month when for 3 hours their traffic throughput dropped by 50% due to a BGP hack. It turned out that the incident began when an Orange Spain employee was compromised by Raccoon infostealer. Among the credentials stolen was their RIPE administration account. Using this account, the attacker was able to change the AS number associated with Orange's IP addresses, and then enabled Resource Public Key Infrastructure on those addresses. This was a particularly cunning attack, as by changing the AS number and enabling RPKI those IP addresses were essentially removed from the Internet.

As a result of this incident, two concerning things came to light. The Orange Spain "ripeadmin" account password was "ripeadmin", and while RIPE advised users to enable MFA, it does not enforce it, which does seem like an oversight when these accounts control the routing of Internet traffic.

4.2 HPE, another software and services company that sells security

HPE announced that they have been compromised by APT28/Cozy Bear, and have been since at least May 2023. This is the same actor who compromised Microsoft, and that, combined with both organizations announcing their compromises at the same time, does raise questions as to whether these incidents are linked.

Much like Microsoft, HPE revealed that the attackers had breached the email inboxes of individuals in cybersecurity and other functions and had been exfiltrating data since at least May 2023.

A further, eye-opening part of HPE's statement was that they believe this attack was related to the compromise of HPE's SharePoint instance by this same attacker, which they were notified of in June 2023. They hired external experts to investigate that compromise at the time, but they did not publicize the incident, and they believed it did not "materially impact" their operations.

4.3 PixieFail – Multiple vulnerabilities in IPv6 PXE protocol software supply chain announced

Many enterprise desktop networks, data centers and cloud environments have been quietly relying upon the PXE network boot protocol without incident for the last 25 years or so, but this month researchers from Quarkslab have announced 9 CVEs, including 2 RCE, in the TianoCore EDK II UEFI reference IPv6 PXE implementation. You may not have heard of TianoCore, but they make the PXE reference implementation and set of libraries that are used in UEFI implementations by the likes of Microsoft, Intel, ARM, Phoenix Technologies, and AMI (American Megatrends), to name a few.

If an attacker can get network access to a network where PXE and IPv6 are in use (for example, by remotely compromising a device) they can send malicious responses to PXE boot requests and execute code pre-boot. Patched software is starting to be pushed out to address these vulnerabilities, with TianoCore themselves having patched the RCE vulnerabilities and most of the lower severity CVEs as well, however it is unknown when all downstream vendors will have patches available.
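The mechanism behind the Orange Spain outage in 4.1 is easiest to see through route origin validation: a ROA published through the registry account binds a prefix to an origin AS number, and RPKI-validating routers drop any announcement of that prefix from a different origin. Bind the victim's own prefixes to the wrong ASN and the victim's genuine announcements become "invalid". The Python below is an added example, not code from this report, from RIPE or from Orange; the prefix and AS numbers are placeholders from the documentation and private ranges, and the ROA records are constructed.

```python
import ipaddress

# Constructed ROA sets (placeholder values). AS64500 stands in for the legitimate
# operator of 192.0.2.0/24; AS64666 stands in for the ASN an attacker chose.
NO_ROAS = []                                                            # RPKI never enabled
CORRECT_ROAS = [{"prefix": "192.0.2.0/24", "max_length": 24, "asn": 64500}]
TAMPERED_ROAS = [{"prefix": "192.0.2.0/24", "max_length": 24, "asn": 64666}]


def validate_route(prefix, origin_asn, roas):
    """Classify a BGP announcement against a ROA set (RFC 6811 route origin validation).

    'not-found': no ROA covers the prefix; most networks still accept the route.
    'valid':     a covering ROA names this origin ASN and the prefix is no more
                 specific than that ROA's max length.
    'invalid':   ROAs cover the prefix but none authorise this announcement;
                 RPKI-validating routers drop it.
    """
    route = ipaddress.ip_network(prefix, strict=False)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa["prefix"], strict=False)
        # A ROA covers the route when the route lies inside the ROA prefix (same family).
        if roa_net.version == route.version and route.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "not-found"
    for roa in covering:
        if roa["asn"] == origin_asn and route.prefixlen <= roa["max_length"]:
            return "valid"
    return "invalid"


def simulate_roa_tampering(victim_prefix="192.0.2.0/24", victim_asn=64500):
    """How the victim's own announcement is treated under three ROA states:
    no ROA at all, a ROA rewritten by an attacker holding the registry account,
    and a correct ROA published by the operator."""
    return {
        "no_roa": validate_route(victim_prefix, victim_asn, NO_ROAS),
        "tampered_roa": validate_route(victim_prefix, victim_asn, TAMPERED_ROAS),
        "correct_roa": validate_route(victim_prefix, victim_asn, CORRECT_ROAS),
    }


if __name__ == "__main__":
    print(simulate_roa_tampering())
```

The "tampered_roa" case is the outage: nothing had to be announced by the attacker, because the victim's own routes now fail validation at every network that drops RPKI-invalid routes. The defensive lessons follow directly: the registry account that can publish ROAs is as sensitive as the routers themselves (hence the MFA point above), and monitoring your own prefixes' validation state from an external vantage point turns a sudden flip to "invalid" into an alert rather than a 50% traffic drop.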
Threat Landscape Update Report January 2024 13

4.4 Researchers poison LLMs to create sleeper agents

Researchers at Anthropic published research showing that LLMs can be trained to appear normal, while actually being sleeper agents. Upon being triggered by certain conditions being met, such an LLM will begin exhibiting malicious behavior, such as intentionally supplying vulnerable code or subtly incorrect responses. The triggering conditions could be a phrase in the prompt, or just the current date. What was quite concerning was that it was not possible to remove a trigger through standard LLM safety training or by challenging the behavior. Instead, the LLM simply hid the malicious behavior even better.

4.5 Cryptojacking given a face and a price

A 29-year-old was arrested in Ukraine under suspicion of running a cryptojacking operation which mined $2 million of cryptocurrency using compromised devices. It is believed that the operation began in 2021 when ~1,500 accounts at a major e-commerce entity were brute-forced. These accounts were then used to gain elevated privileges and create more than a million virtual machines which were used for cryptomining. While $2 million of ill-gotten gains were generated by this activity, research from Sysdig in 2022 estimates that every $1 of cryptojacking profit costs victims $53. Using this we can estimate the cost of this activity to the victims at over $105 million.

4.6 ActiveMQ taken advantage of by strange looking Godzilla

While ActiveMQ CVE-2023-46604 is now several months old, it is a 10.0 CVSS that is still being targeted by attackers. Researchers at Trustwave have published details of an unusual campaign they have observed which is deploying a binary file with an unknown format to vulnerable ActiveMQ servers. While that file format was unknown, and so was not detected as malicious by security scanners, it was interpreted as valid JSP by ActiveMQ’s JSP engine, and was in fact the extremely common, widely used Godzilla webshell. Details on the file format from Trustwave show a binary file with Magic Bytes of FLR, containing the malicious JSP within the file.

4.7 VMware zero day was exploited for 2 years before discovery

Back in October 2023 VMware issued a patch for CVE-2023-34048, a CVSS 9.8 RCE in vCenter Server. Earlier this month VMware’s advisory for this vulnerability was updated to state that this vulnerability is known to have been exploited in the wild. As the headline here gives away, that is a bit of an understatement.

Researchers from Mandiant have stated that they believe the vulnerability was first exploited by a China-associated attacker in late 2021, a whole 2 years before the vulnerability was patched. In fact, it appears that this zero day was used by this attacker as a first step to then exploit CVE-2023-20867, behavior that Mandiant reported in June 2023, then again in September 2023.

4.8 GitHub has a bad month

Things have not gone well for GitHub this month, as they have turned up in the security news for the wrong reason a number of times. Critical GitLab CVEs CVE-2023-7028 (authenticated arbitrary file write), CVE-2023-5356 (execute Mattermost/Slack integration slash commands as another user) and CVE-2024-0402 (zero-click account takeover), and critical GitHub Enterprise CVE-2024-0200 were announced and patched; research was published by Recorded Future detailing the use/abuse of GitHub as malicious infrastructure by cyber attackers; and Praetorian published details of an attack using self-hosted GitHub Actions runners to compromise CI/CD pipelines. The researchers were able to use this attack against GitHub’s own repository, gaining access for a number of days without detection before they reported the issue to GitHub. While GitHub mitigated the issue in their own repository, Praetorian then went on to find thousands of other vulnerable repositories operated by companies who were entirely unaware of this type of attack. Unfortunately, while all that is needed to protect against this attack is choosing a more secure/restrictive self-hosted runner configuration for a GitHub repository, the default setting is still the permissive, vulnerable setting.
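The point of the ActiveMQ campaign in 4.6 is that a scanner keyed on file type misses a webshell when the file carries an unrecognised binary header but the servlet container still compiles the JSP inside it. The following is an added detection example, not code from the report or from Trustwave: it walks a webapp directory and flags files that begin with a suspect magic (here the FLR bytes named in the report) and also contain JSP markup. It assumes the magic sits at offset 0 and that the JSP is stored as plain text within the file; the sample file contents are constructed.

```python
"""Flag files under a servlet container's webapp tree that look like a
binary wrapper around JSP source.  Added example; the FLR magic comes
from the report, everything else here is an assumption or constructed."""
import os
import re
import tempfile

# Magic bytes to treat as suspect at offset 0.  Only FLR is sourced from
# the report; extend this tuple with other unknown prefixes as they turn up.
SUSPECT_MAGIC = (b"FLR",)

# JSP constructs that have no business inside a non-JSP binary blob.
JSP_MARKERS = re.compile(rb"<%|<jsp:")

# Constructed samples: a binary-looking header followed by a JSP
# scriptlet, and a plain, legitimate .jsp file for comparison.
SAMPLE_WRAPPED = (b"FLR\x00\x01\x02" + b"\x00" * 16
                  + b'<%@ page import="java.util.*" %><% out.print("x"); %>')
SAMPLE_PLAIN_JSP = b'<%@ page language="java" %><html><body>ok</body></html>'


def looks_like_wrapped_jsp(data: bytes) -> bool:
    """True if the file starts with a suspect magic AND carries JSP markup.

    Requiring both conditions keeps ordinary .jsp files (which start with
    '<%', not a binary magic) and ordinary binaries (which carry no JSP
    tags) out of the hit list."""
    if not data.startswith(SUSPECT_MAGIC):
        return False
    return JSP_MARKERS.search(data) is not None


def scan_tree(root: str) -> list:
    """Walk a webapp directory and return the paths of suspect files."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(1 << 20)  # 1 MiB is plenty for a webshell
            except OSError:
                continue  # unreadable file: skip, do not abort the scan
            if looks_like_wrapped_jsp(head):
                hits.append(path)
    return hits


def demo() -> list:
    """Write the constructed samples to a scratch directory and scan it.
    Returns the basenames flagged; only the wrapped sample should appear."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "wrapped.bin"), "wb") as fh:
            fh.write(SAMPLE_WRAPPED)
        with open(os.path.join(root, "index.jsp"), "wb") as fh:
            fh.write(SAMPLE_PLAIN_JSP)
        return sorted(os.path.basename(p) for p in scan_tree(root))


if __name__ == "__main__":
    print("flagged:", demo())
```

The magic tuple is the only tunable; a hit means "a file the container may compile as JSP but that a type-based scanner would not inspect", which is worth a manual look rather than automatic deletion.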
5 Threat data

5.1 Exploits

In WithSecure’s exploit detection data this month (Figure 1) there has been a significant drop in CVE-2023-23397, the Outlook custom notification sound NTLM hash harvesting exploit discussed in last month’s report, which has dropped to less than 20% of last month’s volumes. There was also a ~50% drop in volumes of CVE-2023-21716, the RTF font table buffer overflow vulnerability. Interestingly, no significant change in these vulnerabilities was observed in VirusTotal detections. There are many different possible reasons why this might be the case, one of which is that WithSecure data is more heavily Europe focused, and as such a European based trend which shows up in WithSecure data might not be reflected in higher volume, more international data.

[Figure 1: WithSecure 2023-24 CVE detections; bars per CVE for Current, Previous and Difference; y-axis 0–100 %]

WithSecure data on older CVEs (Figure 2) shows some quite large changes in volume of exploit detections for old versions of Microsoft Office and Windows, as well as old VBA vulnerabilities.

[Figure 2: WithSecure exploit detections - All; bars per CVE for Current, Previous and Difference; y-axis 0–100 %]
In VirusTotal data (Figures 3, 4, and 5), there was a significant increase in CVE-2023-32046, a Windows ML Platform Elevation of Privilege Vulnerability, and smaller increases in CVE-2023-38831 (WinRAR), CVE-2023-4863 (LibWebP buffer overflow), and CVE-2023-36025 (Windows SmartScreen bypass).

There were also some significant changes in older CVE detection volumes, including a large increase in CVE-2015-2387 detections, an Adobe Type Manager Font Driver privilege escalation vulnerability that applies to old versions of Windows, and large decreases in CVE-2018-0802, a Microsoft Office Equation Editor remote code execution vulnerability, and the truly ancient Squid 2.0 denial of service vulnerability CVE-2005-0446. The appearance of such an old CVE does rather indicate that VirusTotal detection data does need to be sanity checked, although it is not the only old Squid CVE to appear in the data. CVE-2016-2569, another Squid denial of service vulnerability, also appeared. This vulnerability showed an increase of ~21,000 from last month to this month, which by raw numbers is much larger, yet represents a smaller percentage change compared to last month.

[Figure 3: VirusTotal 2023-24 CVEs submitted in 2023-24 - Increasing; bars per CVE for Current, Previous and Difference; y-axis 0–100 %]

[Figure 4: VirusTotal 2023-24 CVEs submitted in 2023-24 - Decreasing; bars per CVE for Current, Previous and Difference; y-axis 0–100 %]

[Figure 5: VirusTotal CVEs, submitted in 2023-24 - All; bars per CVE for Current, Previous and Difference; y-axis 0–100 %]
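Two things in the exploit-data discussion above are easy to get wrong when reading a "Current / Previous / Difference" chart: a CVE with the largest raw movement is often not the one with the largest percentage movement, and a spike in a very old CVE (the Squid 2.0 example) is a prompt to sanity-check the feed before calling it a trend. The block below is an added example of that comparison, not the report's own tooling, and the counts in it are constructed for illustration rather than WithSecure or VirusTotal figures; the ten-year staleness threshold is likewise an assumption.

```python
"""Month-over-month comparison of per-CVE exploit detection counts.
Added example; SAMPLE_COUNTS are constructed, not real telemetry."""
import re
from typing import Optional

# Constructed sample: CVE -> (previous month count, current month count).
SAMPLE_COUNTS = {
    "CVE-2023-23397": (1000, 180),    # drops to <20% of last month
    "CVE-2023-21716": (400, 200),     # ~50% drop
    "CVE-2016-2569": (30000, 51000),  # big raw jump (+21,000), modest %
    "CVE-2015-2387": (100, 900),      # small raw jump, huge %
    "CVE-2005-0446": (5000, 2000),    # old enough to deserve a sanity check
    "CVE-2024-0001": (0, 25),         # constructed id: no baseline last month
}


def pct_change(previous: int, current: int) -> Optional[float]:
    """Percentage change from previous to current; None when there is no
    baseline, because a jump from zero is not a percentage."""
    if previous == 0:
        return None
    return (current - previous) * 100.0 / previous


def cve_year(cve_id: str) -> int:
    """Year component of a CVE id (CVE-YYYY-NNNN...)."""
    m = re.fullmatch(r"CVE-(\d{4})-\d{4,}", cve_id)
    if not m:
        raise ValueError("not a CVE id: %r" % cve_id)
    return int(m.group(1))


def summarize(counts, current_year=2024, max_age_years=10) -> list:
    """One row per CVE with raw and percentage deltas, plus a sanity_check
    flag for CVEs old enough that a spike deserves a second look."""
    rows = []
    for cve, (prev, cur) in counts.items():
        rows.append({
            "cve": cve,
            "previous": prev,
            "current": cur,
            "raw_diff": cur - prev,
            "pct_change": pct_change(prev, cur),
            "sanity_check": current_year - cve_year(cve) > max_age_years,
        })
    # Largest raw movement first: the ordering in which the raw and
    # percentage views disagree most visibly.
    rows.sort(key=lambda r: abs(r["raw_diff"]), reverse=True)
    return rows


def biggest_raw_and_pct(rows) -> tuple:
    """Ids of the CVE with the largest raw change and the one with the
    largest percentage change; they are frequently different CVEs."""
    by_raw = max(rows, key=lambda r: abs(r["raw_diff"]))["cve"]
    with_pct = [r for r in rows if r["pct_change"] is not None]
    by_pct = max(with_pct, key=lambda r: abs(r["pct_change"]))["cve"]
    return by_raw, by_pct


if __name__ == "__main__":
    for r in summarize(SAMPLE_COUNTS):
        pct = "n/a" if r["pct_change"] is None else "%+.0f%%" % r["pct_change"]
        flag = "  <- sanity check" if r["sanity_check"] else ""
        print("%-16s %6d -> %6d  %+7d  %6s%s" % (
            r["cve"], r["previous"], r["current"], r["raw_diff"], pct, flag))
    print("largest raw / largest pct:", biggest_raw_and_pct(summarize(SAMPLE_COUNTS)))
```

Sorting by raw difference and reporting the percentage alongside it is the whole trick: either view alone tells a different story, as the Squid CVE-2016-2569 case in the text shows.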
5.2 Newly Exploited Vulnerabilities

The following vulnerabilities have been added to CISA’s Known Exploited Vulnerabilities catalogue in January:

CVE ID | Vendor | Product | Name | Date Added | Description
CVE-2022-48618 | Apple | Multiple Products | Apple Multiple Products Improper Authentication Vulnerability | 31/01/2024 | Apple iOS, iPadOS, macOS, tvOS, and watchOS contain an improper authentication vulnerability that allows an attacker with read and write capabilities to bypass Pointer Authentication.
CVE-2023-22527 | Atlassian | Confluence Data Center and Server | Atlassian Confluence Data Center and Server Template Injection Vulnerability | 24/01/2024 | Atlassian Confluence Data Center and Server contain an unauthenticated OGNL template injection vulnerability that can lead to remote code execution.
CVE-2024-23222 | Apple | Multiple Products | Apple Multiple Products Type Confusion Vulnerability | 23/01/2024 | Apple iOS, iPadOS, macOS, tvOS, and Safari WebKit contain a type confusion vulnerability that leads to code execution when processing maliciously crafted web content.
CVE-2023-34048 | VMware | vCenter Server | VMware vCenter Server Out-of-Bounds Write Vulnerability | 22/01/2024 | VMware vCenter Server contains an out-of-bounds write vulnerability in the implementation of the DCERPC protocol that allows an attacker to conduct remote code execution.
CVE-2023-35082 | Ivanti | Endpoint Manager Mobile (EPMM) and MobileIron Core | Ivanti Endpoint Manager Mobile (EPMM) and MobileIron Core Authentication Bypass Vulnerability | 18/01/2024 | Ivanti Endpoint Manager Mobile (EPMM) and MobileIron Core contain an authentication bypass vulnerability that allows unauthorized users to access restricted functionality or resources of the application.
CVE-2024-0519 | Google | Chromium V8 | Google Chromium V8 Out-of-Bounds Memory Access Vulnerability | 17/01/2024 | Google Chromium V8 contains an out-of-bounds memory access vulnerability. Specific impacts from exploitation are not available at this time.
CVE-2023-6549 | Citrix | NetScaler ADC and NetScaler Gateway | Citrix NetScaler ADC and NetScaler Gateway Buffer Overflow Vulnerability | 17/01/2024 | Citrix NetScaler ADC and NetScaler Gateway contain a buffer overflow vulnerability that allows for a denial-of-service when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server.
CVE-2023-6548 | Citrix | NetScaler ADC and NetScaler Gateway | Citrix NetScaler ADC and NetScaler Gateway Code Injection Vulnerability | 17/01/2024 | Citrix NetScaler ADC and NetScaler Gateway contain a code injection vulnerability that allows for authenticated remote code execution on the management interface with access to NSIP, CLIP, or SNIP.
CVE-2018-15133 | Laravel | Laravel Framework | Laravel Deserialization of Untrusted Data Vulnerability | 16/01/2024 | Laravel Framework contains a deserialization of untrusted data vulnerability, allowing for remote command execution. This vulnerability may only be exploited if a malicious user has accessed the application encryption key (APP_KEY environment variable).
CVE-2023-29357 | Microsoft | SharePoint Server | Microsoft SharePoint Server Privilege Escalation Vulnerability | 10/01/2024 | Microsoft SharePoint Server contains an unspecified vulnerability that allows an unauthenticated attacker, who has gained access to spoofed JWT authentication tokens, to use them for executing a network attack. This attack bypasses authentication, enabling the attacker to gain administrator privileges.
CVE-2023-46805 | Ivanti | Connect Secure and Policy Secure | Ivanti Connect Secure and Policy Secure Authentication Bypass Vulnerability | 10/01/2024 | Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure gateways contain an authentication bypass vulnerability in the web component that allows an attacker to access restricted resources by bypassing control checks. This vulnerability can be leveraged in conjunction with CVE-2024-21887, a command injection vulnerability.
CVE-2024-21887 | Ivanti | Connect Secure and Policy Secure | Ivanti Connect Secure and Policy Secure Command Injection Vulnerability | 10/01/2024 | Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure contain a command injection vulnerability in the web components of these products, which can allow an authenticated administrator to send crafted requests to execute code on affected appliances. This vulnerability can be leveraged in conjunction with CVE-2023-46805, an authenticated bypass issue.
CVE-2023-23752 | Joomla! | Joomla! | Joomla! Improper Access Control Vulnerability | 08/01/2024 | Joomla! contains an improper access control vulnerability that allows unauthorized access to webservice endpoints.
CVE-2016-20017 | D-Link | DSL-2750B Devices | D-Link DSL-2750B Devices Command Injection Vulnerability | 08/01/2024 | D-Link DSL-2750B devices contain a command injection vulnerability that allows remote, unauthenticated command injection via the login.cgi cli parameter.
CVE-2023-41990 | Apple | Multiple Products | Apple Multiple Products Code Execution Vulnerability | 08/01/2024 | Apple iOS, iPadOS, macOS, tvOS, and watchOS contain an unspecified vulnerability that allows for code execution when processing a font file.
CVE-2023-27524 | Apache | Superset | Apache Superset Insecure Default Initialization of Resource Vulnerability | 08/01/2024 | Apache Superset contains an insecure default initialization of a resource vulnerability that allows an attacker to authenticate and access unauthorized resources on installations that have not altered the default configured SECRET_KEY according to installation instructions.
CVE-2023-29300 | Adobe | ColdFusion | Adobe ColdFusion Deserialization of Untrusted Data Vulnerability | 08/01/2024 | Adobe ColdFusion contains a deserialization of untrusted data vulnerability that allows for code execution.
CVE-2023-38203 | Adobe | ColdFusion | Adobe ColdFusion Deserialization of Untrusted Data Vulnerability | 08/01/2024 | Adobe ColdFusion contains a deserialization of untrusted data vulnerability that allows for code execution.
CVE-2023-7101 | PERL | Spreadsheet::ParseExcel | Spreadsheet::ParseExcel Remote Code Execution Vulnerability | 02/01/2024 | Spreadsheet::ParseExcel contains a remote code execution vulnerability due to passing unvalidated input from a file into a string-type “eval”. Specifically, the issue stems from the evaluation of Number format strings within the Excel parsing logic.
CVE-2023-7024 | Google | Chromium WebRTC | Google Chromium WebRTC Heap Buffer Overflow Vulnerability | 02/01/2024 | Google Chromium WebRTC, an open-source project providing web browsers with real-time communication, contains a heap buffer overflow vulnerability that allows an attacker to cause crashes or code execution. This vulnerability could impact web browsers using WebRTC, including but not limited to Google Chrome.
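A monthly KEV table like the one above is most useful when it is cross-referenced against what an organisation actually runs. The block below is an added example of that check, not part of the report: it parses a feed in the shape of CISA's published KEV JSON (a top-level "vulnerabilities" list whose entries carry cveID, vendorProject, product, vulnerabilityName, dateAdded and shortDescription), keeps the entries added in a given month, and matches them against a software inventory. The feed excerpt is constructed from the table above (the March 2023 entry for CVE-2023-23397 is included only to show the month filter excluding it), and the inventory is constructed too.

```python
"""Cross-reference CISA KEV additions for a month against an inventory.
Added example; KEV_SAMPLE and INVENTORY are constructed, and the live
feed lives at
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"""
import json
from datetime import date

# Constructed excerpt in the shape of the real KEV feed.
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2023-22527", "vendorProject": "Atlassian",
         "product": "Confluence Data Center and Server",
         "vulnerabilityName": "Atlassian Confluence Data Center and Server Template Injection Vulnerability",
         "dateAdded": "2024-01-24",
         "shortDescription": "Unauthenticated OGNL template injection that can lead to remote code execution."},
        {"cveID": "CVE-2023-34048", "vendorProject": "VMware",
         "product": "vCenter Server",
         "vulnerabilityName": "VMware vCenter Server Out-of-Bounds Write Vulnerability",
         "dateAdded": "2024-01-22",
         "shortDescription": "Out-of-bounds write in the DCERPC implementation allowing remote code execution."},
        {"cveID": "CVE-2023-6549", "vendorProject": "Citrix",
         "product": "NetScaler ADC and NetScaler Gateway",
         "vulnerabilityName": "Citrix NetScaler ADC and NetScaler Gateway Buffer Overflow Vulnerability",
         "dateAdded": "2024-01-17",
         "shortDescription": "Buffer overflow allowing denial-of-service when configured as a Gateway or AAA virtual server."},
        {"cveID": "CVE-2023-46805", "vendorProject": "Ivanti",
         "product": "Connect Secure and Policy Secure",
         "vulnerabilityName": "Ivanti Connect Secure and Policy Secure Authentication Bypass Vulnerability",
         "dateAdded": "2024-01-10",
         "shortDescription": "Authentication bypass in the web component; chained with CVE-2024-21887."},
        {"cveID": "CVE-2024-21887", "vendorProject": "Ivanti",
         "product": "Connect Secure and Policy Secure",
         "vulnerabilityName": "Ivanti Connect Secure and Policy Secure Command Injection Vulnerability",
         "dateAdded": "2024-01-10",
         "shortDescription": "Command injection in the web components; chained with CVE-2023-46805."},
        # Earlier entry, constructed date, present only to exercise the month filter.
        {"cveID": "CVE-2023-23397", "vendorProject": "Microsoft",
         "product": "Office Outlook",
         "vulnerabilityName": "Microsoft Office Outlook Privilege Escalation Vulnerability",
         "dateAdded": "2023-03-14",
         "shortDescription": "NTLM hash harvesting via a custom notification sound path."},
    ],
})

# Constructed inventory: (vendor, product) as the organisation records them.
INVENTORY = [
    ("Ivanti", "Connect Secure"),
    ("Citrix", "NetScaler Gateway"),
    ("Atlassian", "Jira"),          # present on purpose: no KEV match
]


def load_kev(text: str) -> list:
    """Parse the feed and return its list of vulnerability entries."""
    return json.loads(text)["vulnerabilities"]


def added_in_month(entries, year: int, month: int) -> list:
    """Entries whose dateAdded falls in the given month, newest first."""
    keep = []
    for e in entries:
        d = date.fromisoformat(e["dateAdded"])
        if d.year == year and d.month == month:
            keep.append(e)
    return sorted(keep, key=lambda e: e["dateAdded"], reverse=True)


def match_inventory(entries, inventory) -> dict:
    """Map cveID -> inventory items it affects.  Matching is deliberately
    loose (case-insensitive substring on vendor and product) because KEV
    product naming rarely matches an asset register exactly; treat hits as
    a review list, and misses as 'not proven absent'."""
    hits = {}
    for vendor, product in inventory:
        for e in entries:
            if (vendor.lower() in e["vendorProject"].lower()
                    and product.lower() in e["product"].lower()):
                hits.setdefault(e["cveID"], []).append((vendor, product))
    return hits


if __name__ == "__main__":
    january = added_in_month(load_kev(KEV_SAMPLE), 2024, 1)
    for cve, assets in sorted(match_inventory(january, INVENTORY).items()):
        print(cve, "->", assets)
```

To run this against the live catalogue, replace KEV_SAMPLE with the downloaded feed text; the field names are the same. The loose matching is a design choice: a false hit costs a minute of review, while an exact-string miss on a product name such as "NetScaler ADC and NetScaler Gateway" could hide an actively exploited VPN bug.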
Who We Are

WithSecure™, formerly F-Secure Business, is cyber security's reliable partner. IT service providers, MSSPs and businesses – along with the largest financial institutions, manufacturers, and thousands of the world's most advanced communications and technology providers – trust us for outcome-based cyber security that protects and enables their operations. Our AI-driven protection secures endpoints and cloud collaboration, and our intelligent detection and response are powered by experts who identify business risks by proactively hunting for threats and confronting live attacks. Our consultants partner with enterprises and tech challengers to build resilience through evidence-based security advice. With more than 30 years of experience in building technology that meets business objectives, we've built our portfolio to grow with our partners through flexible commercial models.

WithSecure™ Corporation was founded in 1988, and is listed on NASDAQ OMX Helsinki Ltd.

Our latest reports: Threat-Research