Major security exploits expected to rise before New Year
Supply chain attacks are also expected to increase, along with affiliate programmes becoming more popular


Cyber security researchers are expecting major exploits to proliferate in the last few months of the year, repeating the pattern of previous years.
Just as the Log4Shell vulnerability was discovered late in 2021, researchers at Deep Instinct said they expect exploitation of the major vulnerabilities discovered this year to ramp up before the year closes out.
The security community hasn't observed any vulnerability this year as severe as Log4Shell, but there have been a number of other high-profile vulnerabilities affecting popular services such as Microsoft Exchange which could see a rise in exploitation.
Deep Instinct said there are still many systems left unpatched against older vulnerabilities that attackers can take advantage of, such as 'Follina' and 'DogWalk', tracked as CVE-2022-30190 and CVE-2022-34713 respectively.
These two vulnerabilities, discovered this year, affect the Microsoft Support Diagnostic Tool (MSDT) and are among the most-discussed flaws of the year, the security company said. Follina is a zero-day exploit that uses Office documents as its primary delivery method to achieve remote code execution (RCE), and DogWalk works in a similar way.
In September, a separate Microsoft Exchange Server exploit dubbed 'ProxyNotShell' was also discovered and the company failed to adequately patch the flaw three times.
The issue remains without an official fix and was left unaddressed in Microsoft's latest Patch Tuesday updates.
Other high-profile vulnerabilities for this year include SpoolFool and Dirty Pipe, tracked as CVE-2022-22718 and CVE-2022-0847 respectively.
SpoolFool is a Windows vulnerability in which threat actors who already have limited, non-administrative access to a computer abuse the Windows Print Spooler to gain higher privileges. Attackers are then able to move laterally across an organisation's systems.
Dirty Pipe is a Local Privilege Escalation (LPE) for Linux that allows attackers to escape a website's home directory and access all the websites and resources of the server, Deep Instinct said.
VMware Workspace ONE, Confluence Server, and WSO2 were also criticised for the serious flaws found in their respective products this year.
In addition to predicting a rise in exploits towards the end of the year, Deep Instinct said it expects insiders and affiliate programmes to become more popular. As cyber security firms improve their defences, threat actors will have to try harder to infiltrate companies. Sometimes they resort to paying someone on the inside to give them initial access.
“A case in point is the BlackCat (ALPHV) group, who provide up to 90% of the ransom payment to affiliates,” explained the company. “This is appealing to threat actors even if they pay a large sum of money to the insider, as they are guaranteed to gain access to an organisation.”
Deep Instinct underlined that for insiders, the reward can be very high. Most attacks of this nature are carried out in third-world countries, where a global company has an office, it said.
The company also predicted that supply chain attacks will increase. Attackers have started infecting the software that developers use, mostly packages: bundles of code that let developers add features to their own projects. These packages are hosted in repositories such as PyPI for Python or npm for JavaScript.
The repositories are generally considered to be reliable resources, meaning that developers trust the packages they install. Attackers are now beginning to exploit this trust, which prompted npm to enforce two-factor authentication (2FA) for maintainers of its most popular packages. PyPI mirrored this in July 2022, requiring the top 1% of projects to use the more secure authentication method.
However, Deep Instinct underlined that 2FA won’t combat protestware, a different attack method. This is when a developer sabotages their own software, giving it malware capabilities to harm users.
The Russia-Ukraine war caused an increase in protestware, said the company, with one of the most famous examples being the node-ipc wiper, a popular NPM package. In March 2022, its developer allegedly changed the package’s code to cause it to wipe computers belonging to potential Russian and Belarusian software developers.
Zach Marzouk is a former ITPro, CloudPro, and ChannelPro staff writer, covering topics like security, privacy, worker rights, and startups, primarily in the Asia Pacific and the US regions. Zach joined ITPro in 2017 where he was introduced to the world of B2B technology as a junior staff writer, before he returned to Argentina in 2018, working in communications and as a copywriter. In 2021, he made his way back to ITPro as a staff writer during the pandemic, before joining the world of freelance in 2022.