Exploits and vulnerabilities in the second quarter of 2024

Andrey Plat
14 min read · May 25, 2024

Statistics on registered vulnerabilities.

Vendors can register vulnerabilities and assign CVE identifiers to them for easy vulnerability management. All identifiers and public information on them are published on https://cve.mitre.org (at the time of writing this report it is in the process of moving to a new domain https://www.cve.org/). Although vendors do not always register vulnerabilities and the list of CVEs cannot be considered exhaustive, we can trace certain trends on its basis. We analyzed the data on registered software vulnerabilities and compared their number over the last five years.

Number of newly registered CVEs, 2019–2023. The drop in 2024 is due to the fact that the data is only presented for the first quarter.

As you can see in the graph, the number of new vulnerabilities has been steadily increasing every year recently. There are several reasons for this.

First, the popularization of Bug Bounty programs and vulnerability search competitions has seriously stimulated research in this area. As a result, more and more vulnerabilities are being found. For the same reason, more and more vendors are registering the found vulnerabilities, which means that the number of CVEs is growing.

Secondly, companies developing popular software, operating systems and programming languages are introducing more and more security solutions and new procedures that increase the efficiency of software vulnerability monitoring. This leads to the fact that, on the one hand, vulnerabilities are detected more frequently, and on the other hand, entire classes of old vulnerabilities become obsolete. Therefore, both attackers and security researchers who want to get ahead of them are actively looking for new types of vulnerabilities and creating automated services to detect them even more efficiently.

Finally, as new programs emerge over time and existing programs are updated and become more complex, new vulnerabilities may be introduced. As technology continues to evolve rapidly, the number of vulnerabilities discovered is likely to increase year after year.

It should be noted that different vulnerabilities pose different levels of threat to security. In particular, we can single out critical vulnerabilities. We calculated the share of critical vulnerabilities based on the data from the list of registered CVEs and the results of internal testing of vulnerability reproducibility.

Number of newly reported CVEs, and the proportion of critical ones among them, 2019–2023. The drop in 2024 is due to the fact that data are presented for the first quarter only.

As you can see in the graph, the number of critical vulnerabilities is growing by leaps and bounds. Thus, in 2021 and 2022, the share of critical vulnerabilities among the total number of vulnerabilities was comparable, while from 2019 to 2021 and from 2022 to 2023 it increased. Notably, 2023 was a record year for the number of critical vulnerabilities discovered in various software. At the same time, in the first quarter of 2024, the share of critical vulnerabilities among all registered vulnerabilities remains high. This once again emphasizes the importance of competent patch management, as well as the need to use protective solutions that can prevent exploitation of vulnerabilities.

Vulnerability exploitation statistics

This section contains statistics on exploits obtained both from public sources, such as the list of registered CVEs, and from our telemetry.

An exploit is a program containing data or executable code that allows one or more vulnerabilities in software on a local or remote computer to be exploited for a deliberately malicious purpose. Exploit developers are most interested in software vulnerabilities that, when exploited, allow them to gain control of a user’s system.

Exploits can be created by attackers who sell their creations on shady forums or use them for their own purposes. Exploits can also be created by enthusiasts, including participants in various Bug Bounty programs, so that they can develop countermeasures before the vulnerability is discovered by attackers.

Exploitation of vulnerabilities in Windows and Linux

Dynamics of the number of Windows users experiencing exploits, Q1 2023 — Q2 2024. The number of users experiencing exploits in Q1 2023 is taken as 100%.

Dynamics of the number of Linux users encountering exploits, Q1 2023 — Q1 2024. The number of users encountering exploits in the first quarter of 2023 is taken as 100%.

As you can see in the graph, the number of Windows users experiencing exploitation remained relatively stable through 2023, while the number of affected Linux users increased throughout the year. That said, both cases are not necessarily about the same vulnerabilities. Some of them lose relevance rather quickly, and attackers switch to newer ones.

Let’s illustrate the dynamics of popularity of specific vulnerabilities using the example of CVE-2023-38831 in WinRAR.

Dynamics of CVE-2023-38831 vulnerability popularity in WinRAR, September 2023 — March 2024.

The graph shows that the vulnerability was very popular almost immediately after its registration in September 2023, but gradually lost relevance as users installed patches. This once again emphasizes that vulnerabilities are interesting to attackers while few people have installed patches.

Statistics on public exploits

The availability of an exploit, especially if it is available on public sites such as GitHub, is one of the most important criteria for assessing the criticality of a vulnerability. We analyzed data on published exploits to registered vulnerabilities.

Number of vulnerabilities and proportion of vulnerabilities for which exploits exist, 2019–2024.

Statistics show an increase in the total number of exploits, including both ready-to-use and “raw” PoCs. The latter may be unstable, but they illustrate the possibility of exploiting the vulnerability and can be further developed in the future. It is worth noting that there is a demand among attackers for both new exploits and improvements to already published ones, such as optimizing them to work with multiple operating systems, adding new data processing methods, improving stability, and so on.

Most common exploits

We continuously monitor published exploits for various vulnerabilities, with a special focus on critical vulnerabilities. Based on our analysis of these exploits, we have divided software of particular interest to attackers into several classes:

  • Browsers;
  • Operating systems (Windows, Linux, macOS);
  • MS Exchange servers and their components;
  • MS SharePoint servers and their components;
  • MS Office suite of tools;
  • All other applications that do not fall into the first five classes.

Let’s take a look at which classes of software in 2023 and the first quarter of 2024 had the most critical vulnerabilities for which working exploits exist:

Distribution of exploits to critical vulnerabilities by platform, 2023.

Distribution of exploits to critical vulnerabilities by platform, Q2 2024.

The obtained data shows that the following software categories are leading in terms of vulnerability criticality and the number of working exploits:

  • Operating Systems;
  • Browsers.

That said, we also saw quite a few exploits to Exchange servers in the first quarter of 2024. In addition, a significant number of exploits fall into the Other Software category. This is due to the variety of software that can be installed on users’ systems to perform business tasks.

Exploiting vulnerabilities in APT attacks

Exploiting vulnerabilities in software is an integral part of almost any APT attack targeting organizations’ infrastructures. We analyzed available APT attack data for 2023 and the first quarter of 2024 and found out which software attackers exploit most often. Below are the vulnerabilities that APT groups exploited the most in 2023 and early 2024.

TOP 10 vulnerabilities exploited in APT attacks, 2023.

The above statistics allow us to conclude that attacks with the following entry points are currently popular among attackers:

  • Vulnerable remote access services (Ivanti, ScreenConnect);
  • Vulnerable access control mechanisms (Windows SmartScreen);
  • Vulnerable office applications. It is noteworthy that exploits for the MS Office package, which for a long time topped the list of the most common in attacks, ceded first place in 2023 to vulnerabilities in WinRAR.

Thus, we can conclude that APT groups mainly exploit vulnerabilities when gaining initial access to infrastructure. Most cases involve either perimeter breaching (e.g., exploitation of vulnerable services accessible from the Internet, such as VPNs and web applications) or exploitation of office software bundled with social engineering (e.g., mailing an infected document or archive to company employees).

Interesting vulnerabilities for the first quarter of 2024

In this section, we will look at the most interesting vulnerabilities reported in the first quarter of 2024.

CVE-2024-3094 (XZ)

In late March, a backdoor was discovered in the XZ data compression utility package. Attackers added code to the source code of a library for working with archived data, which, as a result of a modified build procedure, was inserted into the compiled library. When loading such a library, the malicious code started modifying functions in memory that are exported by some SSH server distributions so that attackers could send commands to the infected server.

The backdoor’s functionality is notable because the attackers were able to add malicious algorithms to a popular library, something that has only been done a handful of times in the history of open source applications. Moreover, this attack stands out from the majority of similar attacks because of its complexity and multi-stage infection. No one but the author of the malicious code would have been able to use the backdoor.

CVE-2024-20656 (Visual Studio)

A vulnerability in Visual Studio allows attackers to escalate privileges on the system. An attacker could use it to perform a “DACL reset” attack on Windows. A DACL (Discretionary Access Control List) is an access control list that describes the level of user access to perform certain operations on an object. If this list is reset, all restrictions on access to system files or directories are removed and any users can do anything they want with them. This vulnerability is interesting due to its exploitation algorithm.

In the source code of the exploit we have studied, the Visual Studio application debugging service is redirected from one directory to another via SymLink: DummyDir => Global\GLOBALROOT\RPC Control => TargetDir, where DummyDir is a public directory specially created by the attacker and TargetDir is the directory he wants to access. When the application debugging service redirects from DummyDir to TargetDir, the latter receives access settings similar to DummyDir.

This method of using links to perform point-and-click actions on protected files is quite difficult to stop, since not all files on the system can be write-protected. This means that it could potentially be used to exploit other vulnerabilities as well. If you find a file or dependency that is used by the target OS service and remove modification restrictions from it, then after the exploit runs, the user can simply overwrite that file or dependency. On the next run, the code added by the attackers will start in the attacked service and will have the same access level as the service itself.

At the moment we are not aware of this vulnerability being used in real attacks, but it has the same exploitation primitives as the CVE-2023-36874 vulnerability, which attackers started exploiting before it was discovered.

CVE-2024-21626 (runc)

OS feature-based virtualization, or containerization, is used quite often today to scale applications and build fault-tolerant systems. Therefore, vulnerabilities are critical in systems that allow containerization.

This vulnerability is a consequence of the peculiarities of the fork system call in the Linux kernel, namely the way of starting a child process that is copied from its parent.

This makes it possible to launch applications quite quickly, but it carries a danger that developers are not always aware of. Full process copying implies that some of the data of the parent process can be accessed from the child process. If such data is not monitored in the application code, a data disclosure vulnerability can occur: CWE-403, Exposure of File Descriptor to Unintended Control Sphere, according to the CWE classification.

The CVE-2024-21626 vulnerability is a good example of the problem described above. In the Docker toolkit, the runc tool is used to create and run containers, so the running container is a child of runc. If you try to access the /proc/self directory from this container, you can get descriptors of all files that were opened by the runc process. Navigating through available resources and descriptors in Linux follows the rules of working with the file system, so almost immediately exploits for the vulnerability began to use relative paths to interpreters available to the parent process in order to escape from the container.
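The descriptor inheritance described above can be reproduced on any Linux host. The following is an added example, not code from runc or from the original report: it opens a directory handle in a parent process, starts a child, and shows that the handle survives unless close-on-exec is set; `child_can_reach` and `fds_without_cloexec` are hypothetical helper names.

```python
import fcntl
import os
import subprocess
import sys

# Child program: report whether the inherited descriptor number still refers
# to the directory the parent opened (compared by device and inode).
_CHILD = (
    "import os, sys\n"
    "fd, path = int(sys.argv[1]), sys.argv[2]\n"
    "try:\n"
    "    same = os.path.samestat(os.fstat(fd), os.stat(path))\n"
    "except OSError:\n"
    "    same = False\n"
    "print('leaked' if same else 'closed')\n"
)


def child_can_reach(path, close_on_exec):
    """Open `path` as a directory handle, exec a child process and return
    True if the child still holds the parent's descriptor."""
    fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY)
    try:
        # Python sets close-on-exec by default (PEP 446). Clearing it
        # reproduces a plain open() without O_CLOEXEC in a C program.
        os.set_inheritable(fd, not close_on_exec)
        result = subprocess.run(
            [sys.executable, "-c", _CHILD, str(fd), path],
            close_fds=False,  # do not let subprocess hide the leak
            capture_output=True, text=True, check=True,
        )
        return result.stdout.strip() == "leaked"
    finally:
        os.close(fd)


def fds_without_cloexec(max_fd=1024):
    """Audit helper: descriptors above stderr that would survive an exec."""
    leaky = []
    for fd in range(3, max_fd):
        try:
            if not fcntl.fcntl(fd, fcntl.F_GETFD) & fcntl.FD_CLOEXEC:
                leaky.append(fd)
        except OSError:
            continue  # descriptor number not in use
    return leaky


if __name__ == "__main__":
    print("without close-on-exec:", child_can_reach("/", close_on_exec=False))
    print("with close-on-exec:   ", child_can_reach("/", close_on_exec=True))
    print("descriptors that would leak now:", fds_without_cloexec())
```

Running `fds_without_cloexec()` just before a service spawns an untrusted child lists the handles that child would receive.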

Vulnerability exploitation can be detected through activity in an already running container. The main pattern that the exploitation exhibits can be seen as attempts to access the container’s file system via the path:

/proc/self/cwd/../.

CVE-2024-1708 (ScreenConnect)

ConnectWise ScreenConnect is remote desktop access software. The application includes applications that run directly on the client systems and a server that can be used to manage the clients. The server runs a web application that contains the vulnerability in question.

It is believed that the most critical mechanism that web applications have is the access control mechanism. It works only if every function and parameter available to the user in the web application is monitored and checked before being used in the application algorithm. In ScreenConnect, monitoring and controlling requests was not sufficient. An attacker could force the system to perform a reset simply by adding a / sign in the URL to the original request (e.g., http://vuln.server/SetupWizard.aspx). As a result, an attacker could log in as an administrator and use the server in malicious scenarios.

This vulnerability is actively exploited by attackers, so we recommend that ScreenConnect users apply the patch released by the developers and configure firewall rules to restrict access to the server’s web interface.

CVE-2024-21412 (Windows Defender)

The goal of most attacks on users’ systems is to execute malicious commands. There are various ways to accomplish this task, but the most popular and stable way is to launch a malicious file. To minimize the risk of unauthorized applications launching, Windows has a mechanism called SmartScreen Filter. It is used to check the sites the user visits and files downloaded from the Internet. When the scan starts, the user sees a lock screen.

Such a notification can make a user wonder if he really wants to launch an application. Therefore, attackers today try to find ways to trick the filter. One of such ways is the exploitation of CVE-2024-21412.

Deception of the protection mechanism is based on a simple principle — if the filter checks files from the Internet, it should be made to think that the file was already in the system when it was launched.

This can be done by working with a file in a network storage. In the vulnerability in question, this storage is located on a WebDAV server. The functionality of the protocol of the same name allows multiple users to simultaneously edit a file stored on the server, and Windows has the ability to automatically access such storage. All that remains for attackers to do is to properly present the server to the system. For this purpose, a file URL with the following contents is used:

URL=file://ip_address@port/webdav/TEST.URL
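A mail gateway or triage script can flag shortcut files of this shape before a user opens them. The following is an added example, not taken from the original report: it reads the `URL=` key of a shortcut's contents and reports the remote `file://` target and the `host@port` form shown above. The finding names, the `SHORTCUT_EXTS` list and the sample contents in the test are constructed assumptions.

```python
from urllib.parse import urlsplit

# Assumption: a target with one of these extensions chains to another shortcut.
SHORTCUT_EXTS = (".url", ".lnk")


def shortcut_url(text):
    """Return the value of the URL= key in shortcut contents, or None."""
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "url":
            return value.strip()
    return None


def inspect_shortcut(text):
    """Classify the target of a shortcut file's contents (heuristic)."""
    result = {"url": shortcut_url(text), "host": None, "port": None,
              "findings": []}
    if not result["url"]:
        return result
    try:
        parts = urlsplit(result["url"])
    except ValueError:
        result["findings"].append("malformed-url")
        return result
    if parts.scheme.lower() != "file" or not parts.netloc:
        return result  # web link or local file: outside this check
    result["findings"].append("remote-file-target")
    # Generic URL parsers read "a@b" as userinfo@host. For a file:// URL
    # Windows reads the same text as host@port (or host@SSL@port) and
    # reaches the host over WebDAV, so split the authority by hand.
    host, at, rest = parts.netloc.partition("@")
    result["host"] = host
    if at:
        result["port"] = next((t for t in rest.split("@") if t.isdigit()), None)
        result["findings"].append("webdav-host-at-port")
    if parts.path.lower().endswith(SHORTCUT_EXTS):
        result["findings"].append("target-is-shortcut")
    return result
```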

CVE-2024-27198 (TeamCity)

A vulnerability in the web interface of the TeamCity continuous integration application allows access to functions that should be available only to authenticated users of this application. The exploitation of the vulnerability can be detected by analyzing the standard logs that TeamCity creates in the working directory. The malicious pattern looks as follows:

Incorrect processing of files with an empty name, as in the screenshot above, results in an unauthorized attacker gaining access to the server API.

This vulnerability is used by attackers to initially penetrate target systems. To better monitor its exploitation, we recommend auditing accounts that access the web interface.

CVE-2023-38831 (WinRAR)

This vulnerability was discovered in 2023, but we believe it is necessary to pay attention to it due to its popularity among attackers both at the end of 2023 and in the first quarter of 2024.

The vulnerability is as follows: when trying to open a file in an archive in the WinRAR GUI, the program also opens the contents of the folder with the same name, if it is present in the archive.

During the time the vulnerability has been actively exploited by attackers, several variants of exploits have appeared, which can have one of two formats:

  • ZIP archives;
  • RAR archives.

Differences in malware and existing archives do not allow us to unambiguously determine whether a particular archive is an exploit. However, it is possible to identify the main signs of an exploit:

  • The archive contains files whose names match the subdirectories.
  • The name of at least one file contains a space character before the extension.
  • An archive necessarily contains an executable file, which is located in a subdirectory.

Here are examples of such files in the hex editor. For a ZIP archive, the data looks like this:

For RAR files, it’s like this:

Attackers have learned to hide exploit artifacts by setting a password on the archive: in this case, file paths can be encrypted, which means that the exploit can only be detected by behavioral analysis.
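The three signs listed above can be checked over the entry names of an archive whose file paths are readable. The following is an added example, not the detection logic of any product: `archive_signs` is a hypothetical helper, and the executable extension list and the comparison that ignores case and trailing spaces are assumptions.

```python
import posixpath
import re
import zipfile

# Assumption: extensions treated as executable for the third sign.
EXEC_EXTS = {".exe", ".com", ".scr", ".cmd", ".bat", ".vbs", ".js", ".ps1", ".lnk"}
# A space directly before the final extension of a file name.
SPACE_BEFORE_EXT = re.compile(r" \.[^./ ]+ *$")


def zip_entry_names(source):
    """Entry paths of a ZIP file or file object (RAR needs another reader)."""
    with zipfile.ZipFile(source) as zf:
        return zf.namelist()


def _key(path):
    # Assumption: compare names ignoring case and trailing spaces.
    return path.rstrip(" ").lower()


def archive_signs(names):
    """Evaluate the three signs over a list of archive entry paths."""
    paths = [n.replace("\\", "/") for n in names]
    files = [p for p in paths if not p.endswith("/")]
    # Collect every directory that appears in any entry path.
    dirs = set()
    for p in paths:
        parts = p.rstrip("/").split("/")
        depth = len(parts) if p.endswith("/") else len(parts) - 1
        dirs.update("/".join(parts[:i]) for i in range(1, depth + 1))
    dir_keys = {_key(d) for d in dirs}
    signs = {
        # Sign 1: a file whose name matches a subdirectory.
        "file_matches_subdir": [f for f in files if _key(f) in dir_keys],
        # Sign 2: a file name with a space before the extension.
        "space_before_ext": [
            f for f in files if SPACE_BEFORE_EXT.search(posixpath.basename(f))
        ],
        # Sign 3: an executable file located in a subdirectory.
        "exec_in_subdir": [
            f for f in files
            if "/" in f
            and posixpath.splitext(f)[1].strip().lower() in EXEC_EXTS
        ],
    }
    signs["suspicious"] = all(signs.values())
    return signs
```

Each sign on its own also occurs in ordinary archives, so the helper marks an archive as suspicious only when all three are present.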

Conclusions and recommendations

Recently, more and more vulnerabilities have been reported every year. The number of public exploits is also growing. Vulnerability exploitation is one of the key components of targeted attacks, and as a rule, attackers actively exploit vulnerabilities in the first weeks after they are registered and the exploit is published. To stay safe, you need to be responsive to the changing threat landscape, as well as:

  • Know your infrastructure, keep a close eye on its assets and pay special attention to the perimeter. Knowing your infrastructure is a key factor in building any security processes.
  • Develop patch management to detect vulnerable software in your infrastructure and install security patches on time.
  • Use a robust anti-malware solution.
  • Use comprehensive security solutions that help you build a flexible and effective security system that includes providing reliable workplace protection, detecting and stopping attacks of any complexity at an early stage, collecting up-to-date data on cyberattacks around the world, and training employees in basic digital literacy skills. As such a solution, customizable to the needs and capabilities of a company of any size, we can offer a line of products for business protection.