Full Report
Written by: Maddie Stone, Jared Semrau, James Sadowski

Combined data from Google's Threat Analysis Group (TAG) and Mandiant shows 97 zero-day vulnerabilities were exploited in 2023, a big increase over the 62 zero-day vulnerabilities identified in 2022 but still fewer than 2021's peak of 106 zero-days. This finding comes from the first-ever joint zero-day report by TAG and Mandiant.

The report highlights 2023 zero-day trends, with a focus on two main categories of vulnerabilities. The first is end-user platforms and products such as mobile devices, operating systems, browsers, and other applications. The second is enterprise-focused technologies such as security software and appliances.

Key zero-day findings from the report include:

- Vendors' security investments are working, making certain attacks harder.
- Attacks increasingly target third-party components, affecting multiple products.
- Enterprise targeting is rising, with more focus on security software and appliances.
- Commercial surveillance vendors lead browser and mobile device exploits.
- The People's Republic of China (PRC) remains the top state-backed exploiter of zero-days.
- Financially motivated attacks proportionally decreased.

Threat actors are increasingly leveraging zero-days, often for the purposes of evasion and persistence, and we don't expect this activity to decrease anytime soon. Progress is being made on all fronts, but zero-day vulnerabilities remain a major threat.

## A Look Back — 2023 Zero-Day Activity at a Glance

### Barracuda ESG: CVE-2023-2868

Barracuda disclosed in May 2023 that a zero-day vulnerability (CVE-2023-2868) in their Email Security Gateway (ESG) had been actively exploited since as early as October 2022. Mandiant investigated and determined that UNC4841, a suspected Chinese cyber espionage actor, was conducting attacks across multiple regions and sectors as part of an espionage campaign in support of the PRC.

Mandiant released a blog post with findings from the initial investigation, a follow-up post with more details as the investigation continued, and a hardening guide. Barracuda also released a detailed advisory with recommendations.

### VMware ESXi: CVE-2023-20867

Mandiant discovered that UNC3886, a Chinese cyber espionage group, had been exploiting a VMware zero-day vulnerability (CVE-2023-20867) in a continued effort to evade security solutions and remain undiscovered. The investigation shone a bright light on UNC3886's deep understanding and technical knowledge of ESXi, vCenter and VMware's virtualization platform.

Mandiant released a blog post detailing UNC3886 activity involving exploitation of this zero-day vulnerability, along with detection, containment and hardening opportunities to better defend against the threat. VMware also released an advisory with recommendations.

### MOVEit Transfer: CVE-2023-34362

Mandiant observed a critical zero-day vulnerability in Progress Software's MOVEit Transfer file transfer software (CVE-2023-34362) being actively exploited for data theft since as early as May 27, 2023. Mandiant initially attributed the activity to UNC4857, which was later merged into FIN11 based on targeting, infrastructure, certificate and data leak site overlaps.

Mandiant released a blog post with details on the activity, as well as a containment and hardening guide to help protect against the threat. Progress released an advisory with details and recommendations.

## Takeaways

Zero-day exploitation has the potential to be high impact and widespread, as evidenced by the three examples shared in this post. Vendors must continue investing in security to reduce risk for their users and customers, and organizations across all industry verticals must remain vigilant. Zero-day attacks that get through defenses can result in significant financial losses, reputational damage, data theft, and more.

While zero-day threats are difficult to defend against, a defense-in-depth approach to security can help reduce potential impact. Organizations should focus on sound security principles such as vulnerability management, network segmentation, least privilege, and attack surface reduction. Additionally, defenders should conduct proactive threat hunting and follow guidance and recommendations provided by security organizations.

Read the report now to learn more about the zero-day landscape in 2023.
Analysis Summary
# Vulnerability: Remote Command Injection in Barracuda ESG
## CVE Details
- CVE ID: CVE-2023-2868
- CVSS Score: 9.8 (Critical)
- CWE: CWE-78 (Improper Neutralization of Special Elements used in an OS Command)
## Affected Systems
- Products: Barracuda Email Security Gateway (ESG) (Appliance)
- Versions: 5.1.3.001 through 9.2.2.000
- Configurations: Vulnerability resides in the m_pre-processor module which screens email attachments.
## Vulnerability Description
The flaw is a remote command injection vulnerability in the way the Barracuda ESG appliance parses incoming email attachments. Specifically, the issue stems from insufficient sanitization of `.tar` file metadata (such as filenames) which are passed to internal system commands. An attacker can craft a malicious archive file to execute arbitrary system commands with the privileges of the ESG application.
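The pattern described above, archive entry names flowing into an OS command, shown as an added illustration in Python; this is not Barracuda's code, and the scanner command, the filename rules and the sample archive entries are constructed for the example. The unsafe function builds a shell string from the entry name; the hardened path validates the name against a conservative allowlist and builds an argv list (never a shell string) with `--` to stop option parsing.

```python
"""Added illustration of CWE-78 via archive metadata (not Barracuda's code).
The scanner command, name policy and sample archive are constructed."""
import io
import re
import tarfile

# Hypothetical scanner argv; a placeholder for whatever an appliance would run.
SCANNER = ["file", "--brief"]

# Conservative entry-name policy: alphanumeric start (so no leading '-'),
# then letters, digits, '.', '_', '-'; no slashes, spaces or shell metacharacters.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$")


def build_command_unsafe(entry_name):
    # VULNERABLE pattern: the untrusted archive entry name is spliced into a
    # shell command string, so any shell metacharacter in it changes the command.
    return f"file --brief {entry_name}"


def validate_entry_name(entry_name):
    # Hardened: accept only names matching the allowlist policy above.
    return bool(SAFE_NAME.fullmatch(entry_name))


def build_command_safe(entry_name):
    # Hardened: reject policy violations, and return an argv list for
    # subprocess.run(argv, shell=False); '--' ends option parsing so a
    # name can never be read as a flag.
    if not validate_entry_name(entry_name):
        raise ValueError(f"rejected archive entry name: {entry_name!r}")
    return SCANNER + ["--", entry_name]


def screen_archive(tar_bytes):
    """Return {entry_name: accepted} for every member of an in-memory tar."""
    results = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tf:
        for member in tf.getmembers():
            results[member.name] = validate_entry_name(member.name)
    return results


def make_tar(names):
    """Build a small uncompressed tar in memory (constructed test input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tf:
        for name in names:
            data = b"x"
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    sample = make_tar(["report.pdf", "a; id", "-rf"])
    for name, ok in screen_archive(sample).items():
        print(f"{name!r}: {'accepted' if ok else 'rejected'}")
```

The point of the hardened version is that neither validation nor quoting alone is the fix: the entry name must never reach a shell parser at all, and the allowlist limits what a filename can even contain before it is handed to any command.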
## Exploitation
- Status: Exploited in the wild (since October 2022)
- Complexity: Low
- Attack Vector: Network
## Impact
- Confidentiality: High (Full access to email data and system files)
- Integrity: High (Ability to modify system configurations and files)
- Availability: High (Potential for system disruption/takeover)
## Remediation
### Patches
- Barracuda released a series of security patches (BNS-24964, BNS-24966) to address the vulnerability and clean up indicators of compromise.
### Workarounds
- No manual workaround is recommended; Barracuda advised immediate replacement of compromised physical appliances in high-risk environments.
## Detection
- Indicators of compromise: Look for unauthorized persistence via reverse shells (SEASPY backdoor) and the presence of the SALTWATER malware.
- Detection methods: Review Barracuda ESG logs for unusual outgoing connections to unknown IP addresses.
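One way to operationalize the "unusual outgoing connections" check above, as an added example that is not part of the original report or Barracuda's tooling: parse outbound-connection records, compare each destination against an allowlist of expected networks, and flag unexpected ports. The log line format, the allowlist networks and the sample IPs are all constructed for this example; a real deployment would substitute its own export format and vendor/update destinations.

```python
"""Added example: flag appliance outbound connections to unexpected
destinations or ports. Log format, allowlist and IPs are constructed."""
import ipaddress
import re
from collections import Counter

# Constructed allowlist: internal ranges plus a documentation range standing in
# for the vendor update/lookup services a real deployment would enumerate.
ALLOWED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "198.51.100.0/24",
)]
# Ports an email gateway is expected to talk to outbound (mail, DNS, HTTP(S)).
EXPECTED_PORTS = {25, 53, 80, 443}

# Constructed line shape: "<ts> outbound src=<ip> dst=<ip> dport=<n> proto=<p>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) outbound src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None            # skip anything that is not a connection record
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def is_allowed_destination(ip_str):
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in ALLOWED_NETS)


def find_suspicious(lines):
    """Return (timestamp, dst, dport, reason) tuples for records worth triage."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = []
        if not is_allowed_destination(rec["dst"]):
            reasons.append("destination not on allowlist")
        if rec["dport"] not in EXPECTED_PORTS:
            reasons.append(f"unexpected port {rec['dport']}")
        if reasons:
            hits.append((rec["ts"], rec["dst"], rec["dport"], "; ".join(reasons)))
    return hits


def summarize(hits):
    """Count flagged records per destination so repeat callbacks stand out."""
    return Counter(dst for _, dst, _, _ in hits)


# Constructed sample log (documentation IP ranges, not real infrastructure).
SAMPLE_LOG = """\
2023-05-20T03:14:07Z outbound src=10.0.0.5 dst=198.51.100.10 dport=443 proto=tcp
2023-05-20T03:14:09Z outbound src=10.0.0.5 dst=10.0.0.2 dport=53 proto=udp
2023-05-20T03:15:41Z outbound src=10.0.0.5 dst=203.0.113.77 dport=443 proto=tcp
2023-05-20T03:15:45Z outbound src=10.0.0.5 dst=203.0.113.77 dport=8443 proto=tcp
malformed line that should be skipped
""".splitlines()

if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_LOG)
    for hit in hits:
        print(hit)
    print(summarize(hits))
```

A destination that is flagged repeatedly, as 203.0.113.77 is here, is the kind of record worth correlating with process-level evidence on the appliance rather than treating in isolation.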
## References
- hxxps://www.barracuda[.]com/company/legal/esg-vulnerability
- hxxps://cloud.google[.]com/blog/topics/threat-intelligence/barracuda-esg-exploited-globally
***
# Vulnerability: Authentication Bypass in VMware Tools
## CVE Details
- CVE ID: CVE-2023-20867
- CVSS Score: 3.9 (Low - but high strategic value for persistence)
- CWE: CWE-287 (Improper Authentication)
## Affected Systems
- Products: VMware ESXi, VMware Tools
- Versions: Prior to ESXi 7.0 U3m and 8.0 U1a; VMware Tools versions 12.x.x
- Configurations: Requires the attacker to already have compromised a guest VM.
## Vulnerability Description
An attacker with root privileges on a guest Virtual Machine (VM) can leverage this flaw to execute commands on the underlying ESXi host via the Virtual Machine Communication Interface (VMCI). This allows for a bypass of the authentication mechanism intended to separate the guest from the host, facilitating lateral movement.
## Exploitation
- Status: Exploited in the wild (by UNC3886)
- Complexity: Medium (Requires existing guest root access)
- Attack Vector: Adjacent (Guest-to-Host communication)
## Impact
- Confidentiality: High
- Integrity: High
- Availability: Low
## Remediation
### Patches
- VMware ESXi 7.0 U3m or later
- VMware ESXi 8.0 U1a or later
### Workarounds
- Disable "VMware Tools" guest-to-host operations if not strictly required for environmental management.
## Detection
- Indicators of compromise: Look for unusual `vmsvc` process activity or unauthorized file transfers across the VMCI interface.
## References
- hxxps://www.vmware[.]com/security/advisories/VMSA-2023-0013.html
- hxxps://cloud.google[.]com/blog/topics/threat-intelligence/vmware-esxi-zero-day-bypass
***
# Vulnerability: SQL Injection in MOVEit Transfer
## CVE Details
- CVE ID: CVE-2023-34362
- CVSS Score: 9.8 (Critical)
- CWE: CWE-89 (Improper Neutralization of Special Elements used in an SQL Command)
## Affected Systems
- Products: Progress MOVEit Transfer (Enterprise file transfer software)
- Versions: All versions prior to May 2023 updates
- Configurations: Internet-facing web applications using MOVEit Transfer.
## Vulnerability Description
A SQL injection vulnerability in the MOVEit Transfer web application allows an unauthenticated attacker to gain unauthorized access to the MOVEit database. Depending on the database engine used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker could infer information about the structure and contents of the database and execute SQL statements that alter or delete database elements.
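The vulnerability class described above, shown as an added example rather than MOVEit code: the same user lookup written once with string concatenation (the CWE-89 pattern) and once with a parameterized query. The schema and rows are constructed, and SQLite stands in for the MySQL, Microsoft SQL Server or Azure SQL back ends named in the description; the placeholder binding is what changes between engines, not the principle.

```python
"""Added CWE-89 illustration (not MOVEit code): concatenated vs parameterized
query against a constructed in-memory SQLite schema."""
import sqlite3


def make_db():
    """Constructed schema and rows standing in for an application user table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, is_admin INTEGER);
        INSERT INTO users (username, is_admin) VALUES ('alice', 0), ('svc_admin', 1);
    """)
    return conn


def lookup_unsafe(conn, username):
    # VULNERABLE: untrusted input is spliced into the SQL text, so a quote in
    # the input ends the literal and the rest is parsed as SQL.
    sql = f"SELECT username, is_admin FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    # FIXED: the driver binds the value to a placeholder; the input is only
    # ever compared as data and is never parsed as part of the statement.
    sql = "SELECT username, is_admin FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    probe = "x' OR '1'='1"          # classic tautology used to show the difference
    print("unsafe:", lookup_unsafe(conn, probe))   # returns every row
    print("safe:  ", lookup_safe(conn, probe))     # returns no rows
```

The same defect lets an attacker go beyond reading rows, as the description notes; whatever the engine permits after the injected quote runs with the application's database privileges, which is why least-privilege database accounts are the second line of defense behind parameterization.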
## Exploitation
- Status: Exploited in the wild (Mass exploitation by FIN11/Cl0p)
- Complexity: Low
- Attack Vector: Network (HTTPS)
## Impact
- Confidentiality: High (Mass data exfiltration)
- Integrity: High
- Availability: High
## Remediation
### Patches
- MOVEit Transfer 2023.0.1 (15.0.1), 2022.1.8 (14.1.8), 2022.0.4 (14.0.4), 2021.1.4 (13.1.4), 2021.0.6 (13.0.6)
### Workarounds
- Disable all HTTP and HTTPS traffic to MOVEit Transfer environment (ports 80 and 443).
- Delete unauthorized user accounts and active sessions.
## Detection
- Indicators of compromise: Presence of `human2.aspx` webshells, unauthorized large file transfers, and the creation of new administrative users.
- Detection methods: Scan for specific SQL query pattern spikes in web server logs.
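The two detection items above, a known webshell path and a burst of requests against one endpoint, as an added example that is not part of the original page: a scanner over web server access records that raises one alert when the `human2.aspx` path appears and one when a single source hits the same path more than a threshold number of times inside a sliding window. The line format, the `/api/login` endpoint, the threshold and the sample IPs are constructed for the example; only the webshell filename comes from the page.

```python
"""Added example: webshell-path indicator plus sliding-window burst detection
over constructed access-log lines (not MOVEit or Progress tooling)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WEBSHELL_PATHS = {"/human2.aspx"}      # indicator named on the page
BURST_THRESHOLD = 5                    # requests to one path from one source ...
WINDOW = timedelta(seconds=60)         # ... within this window raise an alert


def parse(line):
    """Constructed line shape: '<iso-ts> <client-ip> <method> <path> <status>'."""
    ts, ip, method, path, status = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), ip, method, path, int(status)


def scan(lines):
    """Return alert tuples (kind, client_ip, path, iso_timestamp)."""
    alerts = []
    windows = defaultdict(deque)       # (ip, path) -> request timestamps in window
    burst_seen = set()                 # alert once per (ip, path)
    for line in lines:
        try:
            ts, ip, method, path, status = parse(line)
        except ValueError:
            continue                   # malformed line: skip, do not abort the scan
        if path.lower() in WEBSHELL_PATHS:
            alerts.append(("webshell_path", ip, path, ts.isoformat()))
        q = windows[(ip, path)]
        q.append(ts)
        while q and ts - q[0] > WINDOW:
            q.popleft()                # evict requests that fell out of the window
        if len(q) >= BURST_THRESHOLD and (ip, path) not in burst_seen:
            burst_seen.add((ip, path))
            alerts.append(("burst", ip, path, ts.isoformat()))
    return alerts


# Constructed sample: two benign requests, one webshell hit, then a burst of
# five login attempts inside a minute and one stray attempt later.
SAMPLE_LOG = """\
2023-05-28T01:00:00Z 198.51.100.20 GET /api/v1/folders 200
2023-05-28T01:00:05Z 198.51.100.20 GET /api/v1/folders 200
2023-05-28T01:00:10Z 203.0.113.9 GET /human2.aspx 200
2023-05-28T01:00:11Z 203.0.113.9 POST /api/login 401
2023-05-28T01:00:12Z 203.0.113.9 POST /api/login 401
2023-05-28T01:00:13Z 203.0.113.9 POST /api/login 401
2023-05-28T01:00:14Z 203.0.113.9 POST /api/login 401
2023-05-28T01:00:15Z 203.0.113.9 POST /api/login 401
2023-05-28T01:05:00Z 203.0.113.9 POST /api/login 401
not a log line
""".splitlines()

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The burst rule is deliberately per (source, path) so that normal aggregate traffic to a busy endpoint does not trip it; the threshold and window are the knobs to tune against a baseline of the environment's own logs.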
## References
- hxxps://community.progress[.]com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023
- hxxps://cloud.google[.]com/blog/topics/threat-intelligence/zero-day-moveit-data-theft