News Bytes: zero-day hay day, the top vulnerabilities, and Log4Shell in retrospect 

Written By: Austin Miller

More 0-day attacks are being logged than ever

If you’ve been responsible for audits over the last year and a half, you may have noticed something that cybersecurity firms such as Mandiant and Project Zero are now officially stating in public – 0-day attacks are on the rise, jumping up well over 100% between 2020 and 2021. 

Mandiant observed 30 zero-day attacks in 2020, but this increased to 80 overall in 2021. Project Zero, on the other hand, discovered 25 in 2020 and 58 in 2021. What is leading to this drastic increase? Has the adversary gotten that much better at identifying novel weaknesses in software that they are now several steps ahead of the security researchers? 

The answer is, probably, no. Although the adversary is becoming more sophisticated and new threats seemingly emerge every day, security researcher Maddie Stone says that the rise in observed 0-days is actually a good thing. Much like a disease that goes undiagnosed is still a problem for a person, 0-day vulnerabilities would have gone undiagnosed in the past. Now, the defensive team is finding them before the adversary can weaponize them. 

Although it would be too much to say that security researchers are now 100% ahead of threat actors or no longer in cahoots with government agencies such as in the Russia-Ukraine crisis or the Eternal Blue leak, it does mean that we can expect to hear more about 0-days and patch issues before they become issues. 

The Mandiant report is not publicly available at this present time, but the Project Zero report can be accessed here. 

The Top Vulnerabilities of 2021 

In a joint declaration by the CSA of the US, Australia, Canada, New Zealand, and the UK (along with multiple declarations from international intelligence committees), the top 15 vulnerabilities from last year have been released to the public with methods for mitigating the issues and securing your systems. 

Altogether, the most serious issues that cybersecurity professionals have been dealing with are: 

• CVE-2021-44228, or Log4Shell 
• CVE-2021-40539, an RCE on Zoho ManageEngine AD SelfService Plus 
• CVE-2021-34523, or ProxyShell – elevation of privilege 
• CVE-2021-34473, or ProxyShell – RCE 
• CVE-2021-31207, or ProxyShell – security feature bypass 
• CVE-2021-27065, or ProxyLogon – RCE 
• CVE-2021-26858, or ProxyLogon – RCE 
• CVE-2021-26857, or ProxyLogon – RCE 
• CVE-2021-26855, or ProxyLogon – RCE 
• CVE-2021-26084, an abitrary code execution 
• CVE-2021-21972, or VMware vSphere Client vulnerability – RCE 
• CVE-2020-1472, or ZeroLogon 
• CVE-2020-0688, a Microsoft Exchange Server RCE 
• CVE-2019-11510, a Pulse Secure Pulse Connect Secure arbitrary file reading 
• CVE-2018-13379, a Fortinet FortiOS and FortiProxy path traversal vulnerability 

In retrospect, the number of issues from the previous years is somewhat startling to see first-hand, but unsurprising in the world we live in. For many organizations, it simply shows that cybersecurity is overlooked until it is too late and simply adhering to existing advice would be enough to stop the adversary in their tracks. 

If anyone is surprised that Log4Shell is top, I assume you’ve been living in a cave for the past year. The fallout that followed that particular leak was truly spectacular and I predict that exploits of Log4Shell and its derivatives will be felt by disorganized or underfunded IT teams in the years to come as well. 

If you would like to see more vulnerabilities that the international coalition has identified as exploitable over the course of 2020, check out the full CISA document here. 

Python module hijacking is here – what do we look out for?

In a warning on GitHub, security researcher echo-devim has shown that their pyjacktrick proof of concept (POC) has real legs in hijacking Python modules and starting code execution illegitimately. The researcher showed that the problem is realted to the search path used in the current working directory, meaning that this issue could potentially affect anyone that is using python3. 

Although this might not be news to some people – the issue has been noted in the past – the POC best serves as a warning for people who are reguarly using python3 and may occassionally access modules that they don’t know they can trust 100%. Just like the expansive libraries of JavaScript are starting to show vulnerabilities intentionally built in by the adversary, caution is always necessary when using previously unknown code. 

If you would like to run through the POC and compare it to your own usage of python3, check out this GitHub write up here.

Threat actors have stopped using BazaLoader and IcedID, causing havoc for security professionals 

Although not everyone has been affected by this change in adversarial policy so far, it seems that threat actors have switched from using the tried and tested BazaLoader to a new piece of software named Bumblebee. Although this has been spotted by security researchers quickly – having first been identified in March 2022 – and announced fairly shortly after discoverly, it has put cyber teams on high alert to see what is to come. 

The SecPro will investigate this change in adversarial technique as more details become available.