As we head into 2024, we're looking back at the interesting vulnerability research that VulnCheck published throughout 2023. Over the last year, we’ve shared a range of impactful research, but our favorite research falls into one of two camps:
- Novel or new exploitation
- Exploitation in the wild
With our last blog of 2023, we highlight the top 10 VulnCheck research blogs that fall into those categories and describe why we believe they were, and still are, impactful.
Novel or New Exploitation
The security community often relies on researchers to develop proof of concept exploits. Defenders use these exploits to help implement appropriate countermeasures. In this group of blogs, VulnCheck developed new exploits and exploitation methods that changed how defenders protected their networks.
1. Executing from Memory Using ActiveMQ CVE-2023-46604
In Executing from Memory Using ActiveMQ CVE-2023-46604, VulnCheck introduced a new method of exploiting CVE-2023-46604 that allowed attackers to execute arbitrary code without touching the filesystem or executing external programs, thereby avoiding detections.
2. Fileless Remote Code Execution on Juniper Firewalls
In Fileless Remote Code Execution on Juniper Firewalls, VulnCheck introduced a new method of exploiting CVE-2023-36845 that, again, allowed attackers to execute arbitrary code without touching the filesystem or executing external programs. We also published a version scanner and found that, at the time, 80% of Juniper routers remained unpatched.
3. Exploitation of Openfire CVE-2023-32315
In Exploitation of Openfire CVE-2023-32315, VulnCheck introduced a new method of exploiting CVE-2023-32315 that avoided creating a new user, another technique to avoid detection. We also shared that around half of internet-facing Openfire instances remained vulnerable. Finally, we shared Suricata rules that would detect our novel exploitation techniques.
4. Exploiting MikroTik RouterOS Hardware with CVE-2023-30799
In Exploiting MikroTik RouterOS Hardware with CVE-2023-30799, VulnCheck shares details on the development of an exploit for CVE-2023-30799 affecting MikroTik routers. At the time of publication, more than 900,000 routers were vulnerable.
5. PaperCut Exploitation - A Different Path to Code Execution
In PaperCut Exploitation - A Different Path to Code Execution, VulnCheck shared a different exploitation for CVE-2023-27350. VulnCheck found a new HTTP endpoint to trigger code execution, and instead of using java.exe like others, we used python3 (Linux) and ftp.exe (Windows) to establish a reverse shell. We also shared proof of concept code and Suricata rules to detect the new attack.
6. A Different Payload for CVE-2022-47966
In A Different Payload for CVE-2022-47966, VulnCheck once again demonstrated a new memory-resident attack, this time for CVE-2022-47966 affecting a wide range of ManageEngine products. VulnCheck also examined some good (and bad!) public detections for CVE-2022-47966.
Intel on Exploitation in the Wild
Exploitation in the wild is probably the most important topic for the security community. In the following blogs, VulnCheck discovered exploitation in the wild or assessed the likelihood of exploitation in the wild.
7. Exposing RocketMQ CVE-2023-33246 Payloads
In Exposing RocketMQ CVE-2023-33246 Payloads, VulnCheck was able to extract exploit payloads from exploited hosts on the internet. The result was the ability to identify multiple attackers and their unique approaches to exploitation. This blog pre-dated CVE-2023-33246’s inclusion on the CISA KEV list.
8. Widespread Cisco IOS XE Implants in the Wild
In Widespread Cisco IOS XE Implants in the Wild, VulnCheck broke the news that there were thousands of implanted Cisco IOS XE devices on the internet. We also shared the scanner we used to scan the internet.
9. Assessing Potential Exploitation of Sophos Firewall and CVE-2022-3236
In Assessing Potential Exploitation of Sophos Firewall and CVE-2022-3236, VulnCheck is the first to publish exploit details for CVE-2022-3236, and, after a scan of the internet, explain why the firewall is highly unlikely to be a mass-exploitation target.
10. Looking for CVE-2023-43261 in the Real World
In Looking for CVE-2023-43261 in the Real World, VulnCheck found evidence that cellular routers, often used in ICS networks, affected by CVE-2023-43261 had been widely exploited in the wild. We also discovered that the CVE description did not accurately describe all the affected models and versions.
Conclusion
2023 was a wild year for vulnerabilities and exploitation. Hopefully, our research and insights had a positive impact on the community. Happy holidays! You’ll see many new payloads from us next year.
About VulnCheck
Are you interested in the vulnerabilities that actually matter? Do you want to track the vulnerabilities attackers are exploiting in the wild? If so, VulnCheck's Exploit & Vulnerability Intelligence is for you. Register and demo our data today.