Threat Trends | 4 mins

Breakdown of exploits in Q1 2024

The first quarter of 2024 has seen an exceptional volume of malicious cyber activity. Less than a month into the year the Mother of All Breaches (MOAB) was discovered by Bob Diachenko and investigators from Cybernews, a compilation of more than 26 billion compromised data records. Alarmingly, the number of Common Vulnerabilities and Exposures (CVEs) published is predicted to rise by 25% in 2024.

For cybersecurity professionals, keeping track of the roughly 2,900 new CVEs predicted to be published every month is an impossible task. The number of Known Exploited Vulnerabilities (KEV) tracked by CISA has grown by a fraction of that amount: only 39 were added over the last three months.

Overview of the new exploits

The 39 new exploits added to the KEV Catalog in the first quarter of 2024 are in line with last year's quarterly average of 46.25. Of these, 33.3% were for CVEs published this year, substantially below the 64.8% of last year's additions whose CVE was also published in 2023. This is to be expected in the first quarter of a year: a large share of the additions (48.7%) had their CVE published in 2023.

The rapid development of exploits is a trend that Melvin Lammerts, Hacking Manager at Hadrian, predicted earlier this year. One factor behind the growth in zero-day exploitation over the last three years is increased activity by the top state-sponsored threat actors.


"Observing the trend of zero-days, especially the exploitation of known vulnerabilities in Fortinet firewalls, indicates a methodical approach by attackers. They are not just finding new vulnerabilities; they're adept at recognizing and leveraging regression in security patches."

by Melvin Lammerts, Hacking Manager at Hadrian


The oldest vulnerability added to the catalog this quarter is CVE-2016-20017, a command injection vulnerability in D-Link DSL-2750B devices that was first identified in 2016. It has been observed being exploited in the wild several times since, demonstrating threat actors' ability to develop workarounds to vendor fixes.

Key exploits identified in Q1 2024

Jenkins Automation Server

Two notable vulnerabilities, CVE-2024-23897 and CVE-2024-23898, were disclosed in January, presenting a considerable threat to Jenkins installations globally. CVE-2024-23897, rated critical, stems from the Jenkins CLI's command parser expanding an argument prefixed with '@' into the contents of a file on the controller. Attackers with 'Overall/Read' permission can use this to read arbitrary files on the Jenkins server; even attackers without that permission can read the first few lines of a file, depending on which CLI commands are available to them. CVE-2024-23898 is a cross-site WebSocket hijacking issue in the same CLI.

Ivanti Connect Secure and Policy Secure Gateways

In January 2024, four vulnerabilities affecting Ivanti Connect Secure and Policy Secure gateways were uncovered. On January 10, Ivanti reported CVE-2023-46805 (an authentication bypass) and CVE-2024-21887 (a command injection), as detailed in the table provided; chained together they allow unauthenticated remote code execution. Subsequently, while investigating these, Ivanti identified CVE-2024-21888 (a privilege escalation) and CVE-2024-21893 (a server-side request forgery in the SAML component). Ivanti has disclosed that CVE-2024-21893, with a CVSS score of 8.2, has been exploited against several of its customers, leading to its inclusion in CISA's KEV catalog.

TeamCity CI/CD Server

In March 2024, two vulnerabilities were disclosed in JetBrains TeamCity, a widely used CI/CD server, presenting a substantial threat to software development and deployment pipelines. Designated CVE-2024-27198 and CVE-2024-27199, both allow authentication bypass. The more severe of the two, CVE-2024-27198, gives an unauthenticated attacker administrative control of the server and, from there, remote code execution on affected hosts; CVE-2024-27199 exposes a more limited set of administrative endpoints.
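Both the Jenkins and the TeamCity issues above are remediated by upgrading, so the first practical question for a defender is which hosts in the estate still run a pre-fix build. The script below is an added example (not code from the article, Jenkins or JetBrains) that checks an inventory of reported versions against the fixed versions published in the vendors' advisories: Jenkins weekly 2.442 and LTS 2.426.3 for CVE-2024-23897/23898, and TeamCity 2023.11.4 for CVE-2024-27198/27199. The inventory is constructed sample data. The edge case worth seeing is Jenkins' two release lines: LTS 2.426.3 is fixed even though it sorts below the vulnerable weekly 2.441, so a single numeric threshold produces false positives.

```python
"""Version-based exposure check for the Jenkins and TeamCity issues above.

Added example, not code from the original article or from either vendor.
Fixed versions are the ones published in the vendors' advisories:
  Jenkins (CVE-2024-23897/23898): weekly 2.442, LTS 2.426.3
  TeamCity (CVE-2024-27198/27199): 2023.11.4
The inventory below is constructed sample data, not real hosts.
"""
from __future__ import annotations

from dataclasses import dataclass

JENKINS_FIXED_WEEKLY = (2, 442)
JENKINS_FIXED_LTS = (2, 426, 3)
TEAMCITY_FIXED = (2023, 11, 4)


def parse_version(version: str) -> tuple[int, ...]:
    """'2.426.3' -> (2, 426, 3). Trailing non-numeric suffixes are dropped."""
    parts: list[int] = []
    for piece in version.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def jenkins_vulnerable(version: str) -> bool:
    """Jenkins has two release lines with separate fixed versions.

    Weekly releases have two components (2.441); LTS releases have three
    (2.426.2). A single numeric threshold gets LTS wrong: 2.426.3 is fixed
    even though it sorts below the vulnerable weekly 2.441, so the line is
    chosen from the version shape before comparing.
    """
    v = parse_version(version)
    if len(v) >= 3:
        return v < JENKINS_FIXED_LTS
    return v < JENKINS_FIXED_WEEKLY


def teamcity_vulnerable(version: str) -> bool:
    return parse_version(version) < TEAMCITY_FIXED


CHECKS = {"jenkins": jenkins_vulnerable, "teamcity": teamcity_vulnerable}


@dataclass(frozen=True)
class Host:
    name: str
    product: str  # key into CHECKS
    version: str  # e.g. the X-Jenkins response header value, or TeamCity's reported server version


SAMPLE_INVENTORY = [  # constructed sample data
    Host("ci-01", "jenkins", "2.441"),       # weekly, one below the fix
    Host("ci-02", "jenkins", "2.426.3"),     # LTS, fixed despite sorting below 2.441
    Host("ci-03", "jenkins", "2.426.2"),     # LTS, one below the fix
    Host("build-01", "teamcity", "2023.11.3"),
    Host("build-02", "teamcity", "2023.11.4"),
]


def exposed_hosts(inventory: list[Host]) -> list[str]:
    """Names of hosts whose reported version predates the fix for their product."""
    return [h.name for h in inventory if CHECKS[h.product](h.version)]


if __name__ == "__main__":
    print(exposed_hosts(SAMPLE_INVENTORY))  # ['ci-01', 'ci-03', 'build-01']
```

A version string is only a proxy: a host that reports a fixed version may still have been compromised before the upgrade, so for Internet-facing CI servers the version check should be followed by a review of credentials and build secrets stored on the controller.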

Time to exploitation

In 2023, the mean time to exploitation of a vulnerability was just 44 days, far shorter than the average 215 days it takes organizations to patch. This explains why organizations were still being breached through the MOVEit Transfer vulnerability (CVE-2023-34362) nearly a year after it was announced. The total number of known victim organizations is just under 2,800, a staggering figure considering that a CVSS score of 9.8 should have prompted immediate patching.

The major factor in the speed and volume of attacks is the degree of automation attackers can achieve. Web applications, which can be attacked from anywhere, are a prime target. OWASP's Automated Threats to Web Applications project catalogues the techniques attackers automate, and by employing the same techniques security teams can identify the exploitable targets a malicious party could reach first.

Exploit prioritization

Threat intelligence, such as the KEV Catalog, can cut through the noise of the thousands of CVEs published monthly. An additional layer can be applied by validating which of the remaining exploits can actually be leveraged in an attack against your environment. Organizations should use automated penetration testing to find such weaknesses at scale. To learn how to implement continuous and autonomous exposure management, get in touch with one of our experts.
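The two uses of the KEV Catalog in this post, the quarterly breakdown by CVE year in the overview above and the prioritization of scanner findings described here, both come down to a few operations on the catalog's JSON feed. The script below is an added example, not code from the article or from CISA. It uses only the catalog's real field names (cveID, vendorProject, dateAdded, dueDate); the six entries embedded in it are a constructed sample whose dates are illustrative rather than copied from the live feed, and the scanner output it triages is likewise constructed. Findings that are in the catalog are ordered by CISA's remediation due date; everything else is handed back for the next triage layer.

```python
"""Triage scanner findings against the CISA KEV catalog.

Added example, not code from the original article. The real catalog is
published as JSON at
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Only the fields used here (cveID, vendorProject, dateAdded, dueDate) are taken
from that schema; the entries below are a constructed sample and their dates
are illustrative, not copied from the catalog.
"""
from __future__ import annotations

import json
from collections import Counter
from datetime import date

SAMPLE_KEV_JSON = """{
  "catalogVersion": "sample",
  "vulnerabilities": [
    {"cveID": "CVE-2023-34362", "vendorProject": "Progress", "dateAdded": "2023-06-02", "dueDate": "2023-06-23"},
    {"cveID": "CVE-2016-20017", "vendorProject": "D-Link", "dateAdded": "2024-01-08", "dueDate": "2024-01-29"},
    {"cveID": "CVE-2023-46805", "vendorProject": "Ivanti", "dateAdded": "2024-01-10", "dueDate": "2024-01-22"},
    {"cveID": "CVE-2024-21887", "vendorProject": "Ivanti", "dateAdded": "2024-01-10", "dueDate": "2024-01-22"},
    {"cveID": "CVE-2024-21893", "vendorProject": "Ivanti", "dateAdded": "2024-01-31", "dueDate": "2024-02-02"},
    {"cveID": "CVE-2024-27198", "vendorProject": "JetBrains", "dateAdded": "2024-03-07", "dueDate": "2024-03-28"}
  ]
}"""


def load_kev(text: str) -> list[dict]:
    return json.loads(text)["vulnerabilities"]


def added_between(entries: list[dict], start: str, end: str) -> list[dict]:
    """Entries whose dateAdded falls within [start, end], both ISO dates, inclusive."""
    lo, hi = date.fromisoformat(start), date.fromisoformat(end)
    return [e for e in entries if lo <= date.fromisoformat(e["dateAdded"]) <= hi]


def cve_year(cve_id: str) -> int:
    """Year component of CVE-<year>-<sequence>. This approximates the publication
    year; an ID can carry an earlier year than its publication, as CVE-2016-20017 shows."""
    return int(cve_id.split("-")[1])


def breakdown_by_cve_year(entries: list[dict]) -> dict[int, float]:
    """Percentage of entries per CVE year, the split reported in the overview."""
    counts = Counter(cve_year(e["cveID"]) for e in entries)
    total = sum(counts.values())
    return {year: round(100 * n / total, 1) for year, n in sorted(counts.items())}


def prioritize(findings: set[str], entries: list[dict]) -> tuple[list[tuple[str, str, str]], list[str]]:
    """Split scanner findings into KEV hits, sorted by CISA due date (earliest
    first), and the remainder, which still needs CVSS/EPSS/validation triage."""
    by_id = {e["cveID"]: e for e in entries}
    hits = sorted(
        ((c, by_id[c]["vendorProject"], by_id[c]["dueDate"]) for c in findings if c in by_id),
        key=lambda t: t[2],
    )
    rest = sorted(c for c in findings if c not in by_id)
    return hits, rest


if __name__ == "__main__":
    kev = load_kev(SAMPLE_KEV_JSON)
    q1 = added_between(kev, "2024-01-01", "2024-03-31")
    print(len(q1), "additions in Q1, by CVE year:", breakdown_by_cve_year(q1))
    # Constructed scanner output; CVE-2024-23898 is real but absent from the sample catalog.
    findings = {"CVE-2024-21887", "CVE-2024-27198", "CVE-2024-23898", "CVE-2016-20017"}
    hits, rest = prioritize(findings, kev)
    for cve, vendor, due in hits:
        print(f"KEV  {cve:16} {vendor:10} due {due}")
    for cve in rest:
        print(f"     {cve:16} not in KEV")
```

Run against the real feed, the same two functions reproduce the quarter's statistics and turn a scanner export into a due-date-ordered work list; the "not in KEV" remainder is where exploit validation, rather than the catalog, has to decide what is actually reachable.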
