Most Exploited Vulnerabilities of 2023 (Insights to Define Cybersecurity in 2025)

admin
Advisory, APT, Cyber Crime, Ransomware
December 3, 2024

APT28 (Fancy Bear)

Category	Details
Campaign Overview	Targeted European government, transportation, energy, and military sectors.
Target Regions/Victims	European industries including critical infrastructure sectors.
Methodology	Exploitation of CVE-2023-23397 (Microsoft Outlook).
Product Targeted	Microsoft Outlook for Windows.
Malware Reference	Utilized NTLMv2 hash-stealing techniques for credential theft.
Tools Used	Customized payloads to exploit NTLMv2 vulnerabilities through crafted emails.
Vulnerabilities Exploited	CVE-2023-23397
TTPs	Credential theft, exploitation of UNC path properties in emails.
Attribution	Russian state-sponsored group, Fancy Bear (APT28).
Recommendations	Apply Microsoft patches, implement SMB signing, and monitor NTLM traffic for anomalies.
Source	Joint cybersecurity advisory and SOCRadar insights.

UNC4841 (Linked to China)

Category	Details
Campaign Overview	Targeted email security solutions and exploited zero-day vulnerabilities.
Target Regions/Victims	Organizations using Barracuda ESG appliances, globally.
Methodology	Used custom backdoors and reverse shells for persistent access.
Product Targeted	Barracuda ESG appliances.
Malware Reference	Reverse shell backdoors.
Tools Used	Email-based TAR file injection exploit payloads.
Vulnerabilities Exploited	CVE-2023-2868
TTPs	Cyber espionage, privilege escalation, deployment of backdoors.
Attribution	Assessed to be linked to the People’s Republic of China.
Recommendations	Regularly update email security appliances, disable vulnerable features, and monitor for anomalous email activity.
Source	SOCRadar and advisory insights.

LockBit 3.0 Ransomware Operators

Category	Details
Campaign Overview	Targeted organizations using Citrix products and high-profile supply chain vulnerabilities.
Target Regions/Victims	Technology firms, government organizations, and supply chain-related targets globally.
Methodology	Exploited authentication bypass flaws, deployed ransomware payloads, and exfiltrated sensitive data.
Product Targeted	Citrix NetScaler ADC & Gateway.
Malware Reference	LockBit 3.0 ransomware payloads.
Tools Used	MFA bypass exploits, hijacked authenticated sessions.
Vulnerabilities Exploited	CVE-2023-4966 (Citrix Bleed)
TTPs	Ransomware deployment, session hijacking, unauthorized access.
Attribution	LockBit 3.0 ransomware group.
Recommendations	Strengthen MFA configurations, apply Citrix patches promptly, and monitor session anomalies.
Source	Joint advisory and incident disclosures.

Storm-0062

Category	Details
Campaign Overview	Exploited Atlassian Confluence vulnerabilities to infiltrate collaboration environments.
Target Regions/Victims	Organizations using Atlassian Confluence Data Center and Server globally.
Methodology	Leveraged unauthorized administrator account creation for lateral movement.
Product Targeted	Atlassian Confluence Data Center and Server.
Malware Reference	Customized scripts to exploit access controls.
Tools Used	Access control bypass techniques.
Vulnerabilities Exploited	CVE-2023-22515
TTPs	Broken access control exploitation, privilege escalation, APT-style infiltration.
Attribution	Likely an Advanced Persistent Threat group tracked by Microsoft as Storm-0062.
Recommendations	Apply Atlassian patches, disable unnecessary admin account creation features, and monitor administrative activities.
Source	Joint advisory and Microsoft threat intelligence.

Disclaimer: The above summary has been generated by an AI language model.

Source: SOCRadar

Published on: December 3, 2024

Leave a Reply Cancel reply