Unpatched vulnerabilities are always a critical means of compromising enterprise systems, but attacker activity around certain zero-day flaws indicates key trends cyber teams should be aware of.
Zero-day vulnerabilities saw big growth once again in 2024. With no patch available, zero-day flaws give attackers a significant jump on cybersecurity defense teams, making them a critical weapon for attacking enterprise systems.
But while all zero-days are essential for CISOs and their teams to be aware of, and for vendors to remedy in a timely manner, some stand out as indicative of trends in the types of products that attackers are targeting to gain access to corporate networks and data.
Here are some of the most noteworthy trends that CISOs and their enterprise security teams should be aware of based on rising exploitations of zero-day vulnerabilities this year. Each is significant either because of its criticality, innovative approach, or real-world impact against business assets.
1. Zero-day attacks against network security devices increase
The targeting of network-edge devices, including VPN gateways, firewalls, email security gateways, and load-balancing systems, accelerated sharply this year. These devices serve as ideal entry points into corporate networks due to their powerful features, privileged network positions, and the limited visibility their owners have into their underlying code and operating systems.
The year started with two zero-day vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure, an SSL VPN and a network access control solution. One vulnerability, tracked as CVE-2023-46805, allowed for an authentication bypass. The second, CVE-2024-21887, allowed for a command injection in the underlying OS. The two vulnerabilities were combined in an exploit chain by a Chinese nation-state actor.
The year continued with zero-day exploits against:
- Citrix NetScaler ADC and NetScaler Gateway (CVE-2023-6548, code injection; CVE-2023-6549, buffer overflow)
- Ivanti Connect Secure (CVE-2024-21893, server-side request forgery)
- Fortinet FortiOS SSL VPN (CVE-2024-21762, arbitrary code execution)
- Palo Alto Networks PAN-OS (CVE-2024-3400, command injection)
- Cisco Adaptive Security Appliance (CVE-2024-20359, arbitrary code execution; CVE-2024-20353, denial of service)
- Check Point Quantum Security Gateways and CloudGuard Network Security (CVE-2024-24919, path traversal leading to information disclosure)
- Cisco NX-OS switches (CVE-2024-20399, CLI command injection)
- Versa Networks Director (CVE-2024-39717, arbitrary file upload and execution)
- Ivanti Cloud Services Appliance (CVE-2024-8963, path traversal leading to remote code execution)
- Ivanti Cloud Services Appliance (CVE-2024-9381, path traversal chained with CVE-2024-8963)
- Ivanti Cloud Services Appliance (CVE-2024-9379, SQL injection leading to application takeover chained with CVE-2024-8963)
- Ivanti Cloud Services Appliance (CVE-2024-9380, OS command injection chained with CVE-2024-8963)
- Fortinet FortiManager (CVE-2024-47575, missing authentication leading to full system compromise)
- Cisco Adaptive Security Appliance (CVE-2024-20481, Remote Access VPN denial of service)
- Palo Alto PAN-OS (CVE-2024-0012, improper authentication chained with CVE-2024-9474, command injection)
Other known vulnerabilities that already had fixes (N-days) also continued to be exploited in unpatched network-edge devices and appliances, making these systems one of the top targets for attackers in 2024, especially for state-sponsored cyberespionage groups.
2. Remote monitoring and management remains a ripe target
Attackers, especially initial access brokers working for ransomware groups, habitually abuse remote monitoring and management (RMM) products not only to maintain persistence on corporate networks but also to break into them.
Back in 2021, the REvil ransomware group exploited a vulnerability in Kaseya VSA servers, a remote management platform used by many managed service providers (MSPs). In February 2024, attackers exploited two zero-day vulnerabilities in ConnectWise ScreenConnect, another widely used RMM tool.
The flaws, tracked as CVE-2024-1708 and CVE-2024-1709, are a path traversal issue and an authentication bypass. The vulnerabilities allow attackers to access the initial setup wizard and reset the administrative password as part of the process. Normally the setup wizard should only be run once and should be protected once the application is set up.
3. Managed file transfer under fire
Ransomware gangs are also known for targeting enterprise managed file transfer (MFT) software for initial access into corporate networks. In December, attackers started exploiting an arbitrary file write vulnerability in Cleo LexiCom, VLTrader, and Harmony, three enterprise file transfer products.
The vulnerability, now tracked as CVE-2024-55956, is similar to another vulnerability patched in the same Cleo products back in October (CVE-2024-50623) that enables both arbitrary file writing and file reading. However, according to Rapid7 researchers, even if they are located in the same part of the code base and are reachable through the same endpoint, the vulnerabilities are different and don’t need to be chained together.
Attackers can exploit CVE-2024-55956 to write a malicious file into the Autorun directory of the application and then leverage the built-in functionality to have their file executed and download additional malware payloads.
In 2023, a zero-day SQL injection vulnerability (CVE-2023-34362) in MOVEit Transfer, an MFT product used by thousands of businesses, was exploited by the Cl0p ransomware gang to steal data from many organizations. This year, two critical authentication bypass flaws were found in the same product (CVE-2024-5806 and CVE-2024-5805), sparking fears that a new wave of exploitation is coming, especially because ransomware groups have targeted MFT products before.
In January 2023, the Cl0p gang exploited a zero-day remote-code execution vulnerability (CVE-2023-0669) in GoAnywhere MFT and claimed to have stolen data from 130 organizations, while in 2020, members of the same group exploited a zero-day flaw in the Accellion File Transfer Appliance (CVE-2021-27101).
4. CI/CD flaws prove attractive to attackers
Attackers are also seeking vulnerabilities in CI/CD tools because, if left exposed to the internet, they not only provide entry points into corporate networks but also raise the potential to compromise software development pipelines, leading to software supply chain attacks. One such high-profile attack led to the 2020 backdooring of SolarWinds’ Orion software used by tens of thousands of private organizations and government agencies.
In January 2024, researchers found a path traversal flaw in Jenkins (CVE-2024-23897) that could lead to code execution. The vulnerability was rated critical and stemmed from the way the software parsed command-line interface (CLI) commands.
Although a patch was available when it was publicly disclosed, and it was thus not a zero-day, attackers were quick to adopt it, with signs of exploits for the flaw being sold as early as March. In August, the US Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its catalogue of known exploited vulnerabilities after ransomware groups began exploiting it to break into enterprise networks and steal sensitive data.
Another N-day CI/CD vulnerability that attackers exploited this year was CVE-2024-27198, an authentication bypass issue in JetBrains TeamCity, a build management and continuous integration server. The flaw can lead to a complete server takeover and remote code execution.
This wasn’t the first time attackers targeted TeamCity, as another authentication bypass vulnerability, discovered in September 2023 (CVE-2023-42793), was quickly exploited by North Korean state-sponsored hackers to compromise Windows environments and then continued to be targeted throughout 2024 by other groups as well.
5. Supply-chain compromises abound
CI/CD flaws are not the only way to break into development or build environments to compromise source code or introduce backdoors. This year saw the uncovering of a years-long infiltration campaign in which a malicious developer using a fake identity slowly gained the trust of an open-source project and got added as a maintainer to the XZ Utils library, a widely used open-source data compression library.
The rogue developer, known as Jia Tan, slowly added a backdoor to the XZ Utils code that interacted with SSH with the goal of opening unauthorized remote access on systems. The backdoor was discovered accidentally — and luckily before the trojanized versions made it into stable Linux distributions.
The vulnerability, tracked as CVE-2024-3094, highlighted the risks of supply chain attacks in the open-source ecosystem where many projects that produce critical and widely used software libraries are understaffed and underfunded and are likely to accept help from new developers without much scrutiny.
In December, attackers exploited a script injection vulnerability via GitHub Actions to compromise and backdoor the PyPI releases of Ultralytics YOLO, an open-source AI library. This class of script injection vulnerabilities that takes advantage of insecure uses of the GitHub Actions CI/CD service was documented earlier this year and can impact many projects hosted on GitHub.
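The insecure GitHub Actions pattern behind this class of script injection is a workflow that interpolates an attacker-controllable event field (a pull request title, an issue body, a branch name) directly into a `run:` shell step through a `${{ ... }}` expression. The following scanner is an added example written for this article, not code from Ultralytics, GitHub, or the researchers cited; it extracts `run:` scripts from workflow text with a minimal line-based reader (so no YAML library is needed), flags untrusted expressions, and is exercised against two constructed workflows: the vulnerable shape and the hardened one that passes the value through an environment variable. The list of untrusted contexts is a subset of those GitHub documents and is an assumption to extend for your own workflows.

```python
"""Flag GitHub Actions workflows that interpolate untrusted event data into run: steps.

Added example (not code from the article or any project it names).
"""
import re

# GitHub Actions expression syntax: ${{ <expression> }}
EXPR_RE = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")

# Contexts an outside contributor controls. Subset of GitHub's script-injection
# guidance (assumption: extend for the triggers your workflows use).
UNTRUSTED_PREFIXES = (
    "github.event.issue.title",
    "github.event.issue.body",
    "github.event.pull_request.title",
    "github.event.pull_request.body",
    "github.event.pull_request.head.ref",
    "github.event.pull_request.head.label",
    "github.event.comment.body",
    "github.event.review.body",
    "github.event.head_commit.message",
    "github.event.commits",
    "github.head_ref",
)

# Matches "run: <value>" or "- run: <value>" and captures the key's indentation.
RUN_RE = re.compile(r"^(\s*)(?:-\s+)?run:\s*(.*)$")


def run_blocks(workflow_text):
    """Yield (line_number_of_run_key, script_text) for every run: step.

    Handles single-line `run: cmd` and block scalars `run: |` / `run: >` by
    collecting subsequent lines indented deeper than the run: key.
    """
    lines = workflow_text.splitlines()
    i = 0
    while i < len(lines):
        m = RUN_RE.match(lines[i])
        if not m:
            i += 1
            continue
        indent = len(m.group(1))
        line_no = i + 1  # 1-indexed, as editors report it
        value = m.group(2).strip()
        if value and value[0] not in "|>":
            yield line_no, value
            i += 1
            continue
        body = []
        i += 1
        while i < len(lines):
            line = lines[i]
            if line.strip() and len(line) - len(line.lstrip(" ")) <= indent:
                break  # back at the step's own level: block scalar ended
            body.append(line.strip())
            i += 1
        yield line_no, "\n".join(body)


def find_injections(workflow_text):
    """Return [(line_no, expression)] for untrusted expressions inside run: scripts."""
    findings = []
    for line_no, script in run_blocks(workflow_text):
        for expr in EXPR_RE.findall(script):
            if expr.startswith(UNTRUSTED_PREFIXES):
                findings.append((line_no, expr))
    return findings


# Constructed sample: the title is pasted into the shell script before bash sees it.
VULNERABLE_WORKFLOW = """\
name: pr-check
on: pull_request_target
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - name: Echo title (UNSAFE: title is interpolated into the script)
        run: |
          echo "PR title: ${{ github.event.pull_request.title }}"
      - run: echo "branch ${{ github.head_ref }}"
"""

# Constructed sample: the same value arrives as an env var and is only ever quoted data.
HARDENED_WORKFLOW = """\
name: pr-check
on: pull_request_target
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - name: Echo title (value passed via env, never parsed as shell)
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          echo "PR title: $PR_TITLE"
"""

if __name__ == "__main__":
    for label, wf in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(label, find_injections(wf))
```

The hardened form is the mitigation GitHub recommends: an expression evaluated into `env:` becomes an ordinary environment variable, so a title containing backticks or `$(...)` is printed verbatim instead of being executed. Run the scanner over `.github/workflows/*.yml` in CI to catch the pattern before it is merged.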
6. AI gold rush opens new attack possibilities
In a rush to test and integrate AI chatbots and machine learning models into business workflows, organizations are deploying a variety of AI-related frameworks, libraries, and platforms on their cloud infrastructures with insecure configurations. In addition to being misconfigured, these platforms can also have vulnerabilities that enable attackers to access sensitive intellectual property such as custom AI models and training data, or that at least provide them with a foothold on the underlying servers.
Instances of Jupyter Notebooks, a web-based interactive computing platform used for data visualization, machine learning, and more, have been regularly targeted by botnets that infect servers with cryptomining programs. Cloud providers such as Google and AWS offer Jupyter Notebooks as managed services.
This year, a Jupyter Notebooks vulnerability (CVE-2024-35178) in its Windows version let unauthenticated attackers leak the NTLMv2 password hash of the Windows user account under which the server ran. If cracked, the password can be used for lateral movement to other machines on the same network that accept that credential.
In November, researchers from JFrog announced the results of their effort to analyze the machine learning tool ecosystem, which resulted in the discovery of 22 vulnerabilities in 15 different ML projects, both in the server-side and client-side components. Earlier in October, Protect AI reported 34 vulnerabilities in the open-source AI/ML supply chain that were disclosed through its bug bounty program.
Research efforts such as these highlight that, being newer projects, many AI/ML frameworks might not be sufficiently mature from a security perspective or have not received the same level of scrutiny from the security research community as other types of software. While this is changing, with researchers increasingly examining these tools, malicious attackers are looking into them as well, and there seem to be enough flaws left for them to discover.
7. Security feature bypasses make attacks more potent
While organizations should always prioritize critical remote code execution vulnerabilities in their patching efforts, it’s worth remembering that in practice attackers also leverage less severe flaws that are nevertheless useful for their attack chains, such as privilege escalation or security feature bypasses.
This year, attackers have exploited five different zero-day vulnerabilities in Windows that allowed them to bypass the SmartScreen prompts when executing files downloaded from the internet: CVE-2024-38217, CVE-2024-38213, CVE-2024-29988, CVE-2024-21351, and CVE-2024-21412.
Windows Defender SmartScreen is a file reputation feature built into Windows that treats files carrying a flag called the Mark-of-the-Web (MOTW) as suspicious and therefore displays more aggressive alerts to users.
Any technique that could bypass this feature is very useful for attackers who distribute malware via email attachments or drive-by downloads. Ransomware groups in particular have been known to find and exploit SmartScreen bypasses in recent years.
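On NTFS the Mark-of-the-Web is a small INI-style text stored in the file's `Zone.Identifier` alternate data stream, and what the bypasses above have in common is a downloaded file that ends up without a usable mark. The following check is an added example written for this article, not Microsoft code or the article's own; it parses the stream format, classifies the file from a defender's standpoint (a missing or malformed mark is treated as untrusted, since that is what a bypass leaves behind), and includes a Windows-only reader for the stream. The zone numbering follows the documented URL security zones; treating zones 3 and 4 as "from the internet" is the policy assumed here, and the sample streams are constructed.

```python
"""Validate the Mark-of-the-Web (Zone.Identifier stream) of a downloaded file.

Added example, not code from the article or from Microsoft.
"""
import configparser
import sys

# URL security zone ids as written into Zone.Identifier.
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}
# Assumption for this example: these zones are what "came from the web" means.
INTERNET_ZONES = {3, 4}


def parse_zone_identifier(stream_text):
    """Parse Zone.Identifier text into a dict, or None if it is malformed.

    The stream is INI-like: a [ZoneTransfer] section with ZoneId and, for
    browser downloads, ReferrerUrl/HostUrl.
    """
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read_string(stream_text)
    except configparser.Error:
        return None
    if "ZoneTransfer" not in parser:
        return None
    section = parser["ZoneTransfer"]
    if "ZoneId" not in section:
        return None
    try:
        zone_id = int(section["ZoneId"])
    except ValueError:
        return None
    return {
        "zone_id": zone_id,
        "zone_name": ZONE_NAMES.get(zone_id, "Unknown"),
        "referrer_url": section.get("ReferrerUrl", ""),
        "host_url": section.get("HostUrl", ""),
    }


def classify(stream_text):
    """Decide how to treat a file given its Zone.Identifier text (None = no stream).

    Returns one of: "no-motw", "malformed-motw", "internet", "trusted-zone".
    Anything other than "trusted-zone" should get the full reputation check.
    """
    if stream_text is None:
        return "no-motw"  # absent mark: bypass, archive extraction, or non-browser copy
    info = parse_zone_identifier(stream_text)
    if info is None:
        return "malformed-motw"
    if info["zone_id"] in INTERNET_ZONES:
        return "internet"
    if info["zone_id"] in ZONE_NAMES:
        return "trusted-zone"
    return "malformed-motw"  # unknown zone number


def read_motw(path):
    """Read a file's Zone.Identifier stream on Windows/NTFS; None when absent."""
    if not sys.platform.startswith("win"):
        raise OSError("alternate data streams are only readable on Windows/NTFS")
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as f:
            return f.read()
    except FileNotFoundError:
        return None


# Constructed sample streams.
SAMPLE_INTERNET = (
    "[ZoneTransfer]\n"
    "ZoneId=3\n"
    "ReferrerUrl=https://downloads.example.test/\n"
    "HostUrl=https://downloads.example.test/tool.exe\n"
)
SAMPLE_INTRANET = "[ZoneTransfer]\nZoneId=1\n"

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    stream = read_motw(target) if target else SAMPLE_INTERNET
    print(classify(stream), parse_zone_identifier(stream) if stream else None)
```

Run it as `python motw_check.py C:\Users\me\Downloads\tool.exe` on Windows to see the verdict for a real download; elsewhere it classifies the constructed sample. The useful signal for detection is not the "internet" case, which SmartScreen already handles, but files in download locations that classify as `no-motw` or `malformed-motw`.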
Privilege escalation vulnerabilities that allow malicious code executed by the current user to gain administrative-level privileges on the system are also very useful for attackers who intend to gain a full system compromise. There were 11 such vulnerabilities in Windows and Windows Server reported as zero-days this year compared to only 5 zero-day remote code execution flaws in Windows components.