Media Coverage

Previous U.S. approaches to cyber strategy have treated technology security largely as fixed in nature—working under the assumption that the relative vulnerability of software products, hardware devices, and systems is predetermined, something for policymakers to maneuver around rather than to shape. This comes from a recognition of the difficulties inherent in cybersecurity: Patching vulnerabilities is reliably slow and incomplete, companies face incentives to prioritize time to market over security, and vulnerabilities are uniformly inevitable, no matter the precautions taken. But approaching cybersecurity as competition over a static terrain is a mistake—and strategies that merely accept the given circumstances of cyberspace compound that error.  The new 2023 National Cybersecurity Strategy (NCS) departs from the previous 2018 National Cyber Strategy in two important ways. First, the new strategy calls to “rebalance the responsibility” of defending cyberspace, moving away from end users and toward the “most capable and best-positioned actors,” including owners and operators of key technologies and infrastructures. Second, it seeks to “realign incentives” through various regulatory, grantmaking, and budgetary measures.  One of the most important aspects of the terrain of cyberspace is the layout and security of the internet, as determined by the overlapping national and global networks that comprise it. As this layout continues to evolve, the role of private technology firms—especially cloud service providers in running it—has grown considerably. The strategy correctly connects greater cybersecurity with the openness of online networks, but it stops short of making that connection meaningful. Tangible progress toward a more open, secure, interoperable internet would combat the structural influence of prolific cyber threats and better enable the open market of Western security researchers to identify and combat these harms. Operational goals about the cybersecurity of internet technologies can and should flow from normative debates about the future of the internet. Openness and integrity aren’t just values: Purely through a security lens, they create space for independent researchers, small companies, and civil society groups to play outsized roles in rapidly detecting and mitigating threats to networks and users. Preserving openness and placing power in the hands of users rather than institutions has enabled community-led security efforts like the Shadowserver Foundation and the monitoring and open-source intelligence work of the Digital Forensic Research Lab and Bellingcat. Protecting the open internet is in America’s national interest and advances its core cybersecurity goals as much as, if not more than, prioritizing operational superiority over its adversaries.

In less than a month, Microsoft will stop supporting Exchange Server 2013. There will be no more security updates for found vulnerabilities, Microsoft has announced again . The mail server software appeared on January 9, 2013 and introduced a completely new “servicing model”, which no longer used Service Packs and Update Rollups, but worked with Cumulative Updates. Over the past year, Microsoft has repeatedly warned that after April 11, it will no longer release patches and bug fixes for Exchange Server 2013, technical support, or time zone updates. Some estimates state that there are three hundred thousand Exchange servers on the Internet. According to the Shadowserver Foundation, more than 71,000 of its servers contain a known vulnerability. Organizations that are still working with Exchange Server 2013 are urged by Microsoft to switch to Exchange Server 2019 or Exchange Server Online as soon as possible. Last month, the French government announced that many of the attacks it investigated exploited vulnerabilities in mail server software.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added three security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.The list of vulnerabilities is below –

• CVE-2022-35914 (CVSS score: 9.8) – Teclib GLPI Remote Code Execution Vulnerability
• CVE-2022-33891 (CVSS score: 8.8) – Apache Spark Command Injection Vulnerability
• CVE-2022-28810 (CVSS score: 6.8) – Zoho ManageEngine ADSelfService Plus Remote Code Execution Vulnerability

The most critical of the three is CVE-2022-35914, which concerns a remote code execution vulnerability in the third-party library htmlawed present in Teclib GLPI, an open source asset and IT management software package. The exact specifics surrounding the nature of attacks are unknown, but the Shadowserver Foundation in October 2022 noted that it has seen exploitation attempts against its honeypots. Since then, a cURL-based one-line proof of concept (PoC) has been made available on GitHub and a “mass” scanner has been advertised for sale, VulnCheck security researcher Jacob Baines said in December 2022.

An information base on the vulnerabilities of Internet of Things devices was created as part of the VARIoT project, which was coordinated by the NASK National Research Institute. Thanks to the work of scientists, everyone can easily check whether the equipment they use is vulnerable to cybercriminal attacks. The Internet of Things (IoT) is a concept based on creating a network of devices that exchange data with each other. The developing IoT market means not only convenience for the end user, but also brings many benefits for the economy, creating new areas of device application, and what is more – it has the potential for development in virtually all its sectors, from energy, through telecommunications, to health care. An increasing number of devices connected to the Internet of Things – e.g. electronics and household appliances, medical devices, cars – and a significant increase in network traffic, however, will not be without impact on cybersecurity. The VARIoT project (“Vulnerability and Attack Repository for IoT”) was implemented by a consortium of five institutions: NASK – PIB (coordinator), Stichting The Shadowserver Foundation Europe (Shadowserver, Netherlands), Security Made In Letzebuerg GIE (SMILE, Luxembourg), Institut Mines -Télécom (IMT, France), Mondragon Goi Eskola Politeknikoa Jose Maria Arizmendiarrieta S COOP (MGEP, Spain). The main task of NASK specialists in the project was to create a universal database of information on vulnerabilities and exploits of IoT devices.  The effects of the work of experts involved in the project will be useful to network owners, specialists who deal with cybersecurity research or CSIRT teams.

Microsoft says admins should remove some previously recommended antivirus exclusions for Exchange servers to boost the servers’ security. As the company explained, exclusions targeting the Temporary ASP.NET Files and Inetsrv folders and the PowerShell and w3wp processes are not required since they’re no longer affecting stability or performance. However, admins should make a point out of scanning these locations and processes because they’re often abused in attacks to deploy malware. “Keeping these exclusions may prevent detections of IIS webshells and backdoor modules, which represent the most common security issues,” the Exchange Team said. This comes after threat actors have been using malicious Internet Information Services (IIS) web server extensions and modules to backdoor unpatched Microsoft Exchange servers worldwide. Redmond also recently urged customers to keep on-premises Exchange servers up-to-date by applying the latest Cumulative Update (CU) to have them ready to deploy emergency security updates. It is also recommended to always run the Exchange Server Health Checker script after deploying updates to detect common configuration issues or other issues that can be fixed with a simple environment configuration change. As security researchers at the Shadowserver Foundation found in January, tens of thousands of Internet-exposed Microsoft Exchange servers (over 60,000 at the time) are still vulnerable to attacks leveraging ProxyNotShell exploits.

In-the-wild exploitation of a Fortinet FortiNAC vulnerability tracked as CVE-2022-39952 was seen just days after a patch was announced, and on the same day a proof-of-concept (PoC) exploit was made public. Fortinet published 40 security advisories on February 16, including one describing a critical vulnerability in the company’s FortiNAC network access control (NAC) solution. The security hole was discovered internally by Fortinet. The flaw, an external file name and path control issue, can be exploited by an unauthenticated attacker to write data on a system, which can result in arbitrary code execution.  On February 21, autonomous pentesting company Horizon3 released a blog post detailing how CVE-2022-39952 can be exploited and also released a PoC exploit. On the same day, the nonprofit cybersecurity organization Shadowserver warned that its honeypots had started seeing exploitation attempts coming from multiple IP addresses. Several Fortinet product vulnerabilities have been exploited in attacks in the past years. The US Cybersecurity and Infrastructure Security Agency (CISA) lists nine such flaws in its known exploited vulnerabilities catalog. The most recent is CVE-2022-42475, which has been leveraged by a China-linked threat actor in attacks aimed at government organizations in Europe.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added three security flaws to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The list of shortcomings is as follows –

• CVE-2022-47986 (CVSS score: 9.8) – IBM Aspera Faspex Code Execution Vulnerability
• CVE-2022-41223 (CVSS score: 6.8) – Mitel MiVoice Connect Code Injection Vulnerability
• CVE-2022-40765 (CVSS score: 6.8) – Mitel MiVoice Connect Command Injection Vulnerability

CVE-2022-47986 is described as a YAML deserialization flaw in the file transfer solution that could allow a remote attacker to execute code on the system.Details of the flaw and a proof-of-concept (PoC) were shared by Assetnote on February 2, a day after which the Shadowserver Foundation said it “picked up exploitation attempts” in the wild. CISA also added two flaws impacting Mitel MiVoice Connect (CVE-2022-41223 and CVE-2022-40765) that could permit an authenticated attacker with internal network access to execute arbitrary code.

Attackers are actively exploiting critical vulnerabilities in IBM Aspera Faspex and Mitel MiVoice Connect to attack organizations, the Cybersecurity and Infrastructure Security Agency (CISA) of the US Department of Homeland Security warns. This would include ransomware attacks. IBM Aspera Faspex is a web-based file exchange application running on an Aspera server. On January 26, IBM released a security update for a critical vulnerability in Aspera Faspex, identified as CVE-2022-47986 . By sending a specially crafted API call, an attacker can execute arbitrary code on the system. The impact of the vulnerability was rated on a scale of 1 to 10 with a 9.8. On February 13, the Shadowserver Foundation , a non-profit foundation registered in the Netherlands and the United States that fights botnets and cybercrime, reported that attackers are exploiting the vulnerability. The first detected attack attempts appeared to date from February 3, a week after the release of the security update. The CISA is now also reporting abuse of the Aspera leak. The US government agency also states that attackers are also exploiting two vulnerabilities in Mitel MiVoice Connect. These are CVE-2022-41223 and CVE-2022-40765 . Mitel MiVoice Connect is a voip platform for organizations that offers communication and collaboration tools through a single interface. The two Mitel vulnerabilities that the CISA is now warning of have also been found by CrowdStrike. 

ESXiArgs has turned into one of the highest-profile threat campaigns in recent memory, despite only having a moderate scale. ESXiArgs is the name of the ransomware campaign involving a series of attacks against servers with vulnerable instances of VMware ESXi. Initial attack reports came in early February, and an updated advisory from French cyber agency CERT-FR listed vulnerabilities CVE-2020-3992 and CVE-2021-21974 as possible attack vectors. Thousands of servers have apparently been infected by the ransomware so far.  The Shadowserver Foundation CEO Piotr Kijewski told TechTarget Editorial last week that ESXiArgs lacks the scale of Log4Shell and ProxyShell threats, but it has perhaps proven notable because it’s an enterprise-focused campaign that spread quickly. There are also looming questions about ESXiArgs’ attack vector and which threat actor — or actors — is behind the campaign.

Exploitation attempts targeting a critical-severity Oracle E-Business Suite vulnerability have been observed shortly after proof-of-concept (PoC) code was published. One of the major Oracle product lines, the E-Business Suite is a set of enterprise applications that help organizations automate processes such as supply chain management (SCM), enterprise resource planning (ERP), and customer relationship management (CRM). Tracked as CVE-2022-21587 (CVSS score of 9.8), the exploited flaw was identified in the Web Applications Desktop Integrator of Oracle’s enterprise product and was addressed as part of Oracle’s October 2022 Critical Patch Update. According to a NIST advisory, unauthenticated attackers with network access via HTTP can easily exploit the security defect to compromise the Web Applications Desktop Integrator and take it over. This week, CISA added CVE-2022-21587 to its Known Exploited Vulnerabilities (KEV) catalog, urging Oracle customers to apply the available patches as soon as possible. The first exploitation attempts, however, were observed on January 21, Shadowserver warned last week. “Since Jan 21st we are seeing exploitation attempts in our honeypot sensors for Oracle E-Business Suite CVE-2022-21587 (CVSS 9.8 RCE) shortly after a PoC was published, (by Viettel Cyber Security)” Shadowserver said. According to Shadowserver data, the number of observed exploitation attempts is currently low. However, threat actors are known to target unpatched Oracle products, and the number of attacks may increase shortly. This week, CISA also warned of observed exploitation of CVE-2023-22952, a high-severity remote code execution flaw in SugarCRM.