The arbitrary Top of the past year 2022
This year it smells like dried security manager (CISO) tears vaporized by the heat of vulnerability detonations: this is your traditional arbitrary top of the past year's cybersecurity events 🎊. For all the details, I refer you to the emails on this list as well as the OSSIR 2022 news reviews in PDF and video form: https://www.ossir.org/support-des-presentations/?date=2022 and https://www.youtube.com/@OSSIR/videos
Let's go over this again:
- 2020 was pretty catastrophic.
- 2021 was worse with even more massively exploited critical vulnerabilities in the wild, hacks, data leaks...
- 2022... we'll see.
The main question to ask is, "What was 2022? What characterized it?"
2022, again a year of major vulnerabilities?
Unfortunately yes, still and again major vulnerabilities, massively exploited in the wild and allowing an almost total compromise of a company 😥.
In 2022, we saw the aftermath of Log4J, with new ways of exploiting the vulnerability (see reviews of 2022-01-11 and 2022-02-08) and variants of it.
In 2022, a few days after the release of a patch for a Java code injection with the "Spring Expression Language", Spring4Shell was released (CVE-2022-22963): a kind of Log4J, but fortunately one requiring a configuration that is not very common (see review of 2022-04-12).
In 2022, we understood that yes, there are major vulnerabilities in cloud providers and yes, they can be exploited in the wild with gigantic impacts, like:
- Those affecting AWS CloudFormation (see review of 2022-02-08)
- Those affecting Azure Automation Account, allowing the retrieval of other customers' tokens (see review of 2022-03-08)
In 2022, we also saw many vulnerabilities affecting Microsoft Exchange, such as ProxyNotShell, allowing a complete compromise and which Microsoft took 3 months to fix (see review of 2022-10-11)
In 2022, we finally saw that Zimbra (the email suite) was targeted with exploits of vulnerabilities unknown to the vendor (0-days) at the time of the attacks (cf. reviews of 2022-02-08, 2022-07-12, 2022-09-13, 2022-10-11)
2022, still a year of vulnerabilities affecting microprocessors / CPU?
Again and again vulnerabilities affecting microprocessors, which generally allow reading protected memory and sometimes even elevating privileges.
These vulnerabilities are particularly troublesome in the case of shared infrastructure like the cloud:
- SQUIP / Side Channel Vulnerability, affecting AMD Zen 1, 2 and 3 CPUs (see 2022-09-13)
- AEPIC Leak / Architecturally Leaking Uninitialized Data from the Microarchitecture, affecting 10th, 11th and 12th generation Intel CPUs (see 2022-09-13)
- RetBleed, affecting Intel and AMD CPUs (cf. 2022-09-13)
- Phantom JMPS, affecting Intel and AMD CPUs (see 2022-09-13)
- PACMAN, affecting Apple M1 CPUs (see 2022-09-13)
2022, the year of the end of workstation compromises due to Office macros?
It is perhaps one of the major cybersecurity events of 2022, but not a very visible one: since July 2022, Office macros are disabled by default if the document comes from the Internet (from an untrusted zone) by mail, download, network share... Announced in February (see review of 2022-02-08), applied in July after a series of rocky rollouts and backtracking: Microsoft has finally blocked the number 1 factor of compromises.
Unfortunately there are still workarounds with:
- DDE of Office files (Dynamic Data Exchange);
- URI schemes, like the one of the Office diagnostic tool (ms-msdt://), which could be embedded in an Office file, giving the Follina vulnerability (CVE-2022-30190) (cf. review of 2022-06-14)
- XLL add-ins ;
- OneNote files;
- Improbable exploitation chains multiplying the file formats (cf. 2022-09-13):
  - .html > .zip > .lnk > .dll
  - url > .zip > .iso > .lnk > .bat > .dll
  - .zip > .iso > .lnk > .bat > wscript > .dll
  - GoogleDrive > password protected .zip > .lnk > .ps1 > .exe
  - .zip > .js > .ps1 > .vbs > .bat > .vbs > .bat > .ps1 > malware
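The nested containers in those chains are there to shed the Mark-of-the-Web that triggers the macro block, so a mail gateway or triage script that looks inside the archive is the natural defensive check. The following is an added example, not code from this post or from the OSSIR reviews: it walks a ZIP attachment, descends into nested ZIPs, and reports the chain of file types (outer container first), flagging chains that end in a script or shortcut or pass through a second container. The sample archives are constructed inline; the extension sets are my own assumptions about what is worth flagging; ISO/IMG members are flagged by extension only, since reading them would need a non-standard library.

```python
"""Added example: report the chain of file types inside a ZIP attachment so
that the nested-container lure chains listed above can be flagged."""
import io
import zipfile
from typing import List, Tuple

# Assumed lists. Containers shed the Mark-of-the-Web from what they hold;
# stages are types that run without any Office macro.
CONTAINER_EXTS = {"zip", "iso", "img", "vhd", "vhdx"}
STAGE_EXTS = {"lnk", "bat", "cmd", "js", "vbs", "ps1", "dll", "exe", "hta", "xll", "one"}


def extension(name: str) -> str:
    """Lower-cased final extension of a file name ('' if it has none)."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def walk_zip(data: bytes, chain: Tuple[str, ...] = ("zip",), prefix: str = "") -> List[Tuple[Tuple[str, ...], str]]:
    """Return (chain_of_extensions, member_path) for every file in the archive,
    descending into nested ZIPs. Encrypted nested ZIPs cannot be opened, so
    they are reported but not descended into (the "password protected .zip"
    case above still shows up as a zip inside a zip)."""
    found: List[Tuple[Tuple[str, ...], str]] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return found  # not a ZIP at all: nothing to report
    for info in zf.infolist():
        if info.is_dir():
            continue
        ext = extension(info.filename)
        path = prefix + info.filename
        found.append((chain + (ext,), path))
        encrypted = bool(info.flag_bits & 0x1)  # bit 0 of the general purpose flag
        if ext == "zip" and not encrypted:
            found.extend(walk_zip(zf.read(info), chain + ("zip",), path + "/"))
    return found


def lure_chain(data: bytes) -> List[str]:
    """Return the longest suspicious chain of extensions, outer container
    first, or an empty list when nothing matches. A chain is suspicious when
    it ends in a stage type or passes through a second container."""
    worst: Tuple[str, ...] = ()
    for chain, _path in walk_zip(data):
        leaf = chain[-1]
        inner_container = any(e in CONTAINER_EXTS for e in chain[1:])
        if (leaf in STAGE_EXTS or inner_container) and len(chain) > len(worst):
            worst = chain
    return list(worst)


def build_sample() -> bytes:
    """Constructed sample: a ZIP holding a harmless PDF and a nested ZIP that
    contains a .lnk and a .bat, mimicking the '.zip > .lnk > .bat' pattern.
    The member bodies are placeholders, not real shortcuts or scripts."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("Invoice.pdf.lnk", b"placeholder, not a real shortcut")
        z.writestr("run.bat", b"rem placeholder")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("invoice.pdf", b"%PDF-1.4 placeholder")
        z.writestr("attachments.zip", inner.getvalue())
    return outer.getvalue()


def build_clean_sample() -> bytes:
    """Constructed sample of an ordinary attachment with nothing to flag."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("report.docx", b"placeholder")
        z.writestr("notes.txt", b"hello")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("lure", build_sample()), ("clean", build_clean_sample())):
        chain = lure_chain(blob)
        print(f"{label}: {' > '.join(chain) if chain else 'nothing suspicious'}")
```

The output for the constructed lure is `zip > zip > lnk`, which is the shape of the second and third chains in the list above once the .iso is replaced by a .zip; on a gateway the same function would run over the raw attachment bytes instead of the constructed sample.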
2022, a year of continuity with large-scale compromises?
In 2022, we discovered the LastPass hack and the questionable communication of the vendor:
- LastPass hack (from a developer) (cf. 2022-09-13)
- Hacked again (see review of 2022-11-08)
- Finally all password vaults were stolen (see review of 2023-01-10)
And many other hacks with potential consequences on thousands of companies or individuals:
- Slack with the theft of the source code (see review of 2023-01-10)
- InterSport, here in France, with many stores blocked (see review of 2022-12-08)
- Chinese police with the leak of data (including criminal records) of 1 billion Chinese (see review of 2022-07-12)
- Stratacache, one of the leaders of digital signage (management of billboards, screens in stores...) (see review of 2023-01-10)
- Lots of cryptocurrency marketplace hacks with even a top of the worst: https://web3isgoinggreat.com/charts/top (see 2023-01-10 review)
2022, still a year of supply chain compromises?
What could be easier than hacking a supplier, a dependency (in the sense of a software library), a third-party access... to hack the target at the end of the chain.
In 2022, we discovered:
- The Russian espionage operations of the StellarParticle and CozyBear groups, linked to SolarWinds, mixing hacking of services/applications exposed on the Internet, access to the Azure tenant, cookie stealing to bypass MFAs... (cf. review of 2022-02-08)
- Operation Serpent, targeting French companies and ministries, starting with a phishing attack and installing the Chocolatey package manager (see review of 2022-04-12)
- The hacking of CircleCI, provider of outsourced development chains (CI/CD), with the theft of ALL the secrets of ALL the customers (see review of 2023-01-10)
- GSM networks were spied on by a Chinese group using the old "Poison Ivy" tool (see review of 2022-04-12)
- Employees of Twilio (SMS cloud platform) were hacked, allowing attackers to compromise Signal, Okta, Telegram accounts... (see 2022-09-13 review)
- The hacking of Hubspot, one of the leaders in CRM, to target their customers, which were crypto companies (see review of 2022-04-12)
In 2022, even bug bounty programs were no longer secure, with HackerOne employees forging reports to steal and resell these vulnerabilities (see 2022-07-12 review)
2022, the continuity of hacking of administration interfaces exposed on the Internet, usually on security solutions?
You know it, we have been repeating it for years: you should NEVER expose an administration interface on the Internet, especially if it is a security product giving access to your internal resources. The vendors of these security software and appliances remain vendors, subject to the same pressures as everyone else, and suffer, like everyone else, from critical vulnerabilities. The problem is that these are not software or hardware like any other and should not have critical vulnerabilities, at least not as trivial as some of those listed below.
In 2022, we again saw security solutions being compromised (and companies afterwards) due to administration interfaces exposed on the Internet, like:
- The WatchGuard firewall and VPN hack by the Cyclops Blink group (the same people as Sandworm) (see 2022-03-08 review)
- Mass hacking of Fortinet firewalls due to authentication bypass (see 2022-11-08 review)
- Authentication bypass on the Palo Alto firewall and VPN gateway administration portal (CVE-2022-0030)
- Taking control of SonicWall SSL VPNs through a trivial web request (see 2022-02-08 review)
- Remote code injection without authentication on F5 BigIP devices (see 2022-06-14 review)
- Remote command injection without authentication on Zyxel firewalls by a simple POST request with a JSON (CVE-2022-30525) (see the review of 2022-06-14)
- Remote code execution without authentication on Sophos firewalls via a simple POST request with a unicode character (CVE-2022-1040) (see review of 2022-06-14)
In 2022, we had many critical vulnerabilities on Palo Alto solutions such as the XDR Cortex (see 2022-02-08 review)
In 2022, as in previous years, Zoho's products suffered from numerous vulnerabilities, ManageEngine in the lead, some of which were trivial, such as the takeover by a simple web request (CVE-2021-44515) (see review of 2022-02-08)
2022, a year of critical vulnerabilities similar to those of the 2000s?
Fashions are cyclical. Would it be the same for vulnerabilities with the return of trivial vulnerabilities worthy of the 90s?
In 2022, we had a crazy amount of trivial vulnerabilities worthy of the 90s-2000s:
- Atlassian Confluence, remote command injection without authentication from a simple GET request (CVE-2022-26134) (see 2022-06-14 review)
- Atlassian Confluence, another hidden account with a hard-coded password (see review of 2022-10-11)
- Atlassian Jira, trivial web request injection (SSRF) (CVE-2022-26135) (see review of 2022-07-12)
- GitLab, hard-coded password "123qweQWE!@#00" for external authentication (see 2022-02-08 review)
- Grafana 8.4.3, arbitrary file reading with trivial path traversal (CVE-2022-32275) (see review of 2022-06-14)
- Apache, arbitrary reading and writing of... 20 year old memory (see review of 2022-09-13)
- pfSense, trivial command execution without authentication (see review of 2022-10-11)
- GLPI, trivial command injection (see review of 2022-11-08)
2022, confirmation that cybercriminals have no soul?
It has become our daily lot: companies, hospitals, local authorities that are ransomed, with the publication of stolen data on the cybercriminals' sites and sometimes dramatic effects. Not a week goes by without an announcement of this type; it has unfortunately become a daily occurrence. These cybercriminals clearly have no soul.
These soulless individuals attacked in 2022:
- The Corbeil-Essonnes hospital, blocking the entire information system (see review of 2022-09-13)
- The Indre et Loire Department, creating problems with the payment of benefits (see review of 2022-09-13)
- Castelluccio Hospital in Ajaccio, which blocked critical services (see review of 2022-06-14)
- Groupement hospitalier de la région Grand Est (GHT Cœur Grand Est) with the theft of patient data (see review of 2022-06-14)
- Public Interest Groups (see review of 2022-06-14)
Don't worry, the LockBit group has apologized for the compromise of a children's hospital in Canada 🤦♂️ (see review of 2023-01-10)
Fortunately, sometimes, these cybercriminals get hacked themselves, as with the publication of all the internal exchanges of the Conti group, which is pro-Russian, but with pro-Ukraine members (see review of 2022-03-08)
2022, a year when cybercriminals take over the codes of the "startup nation"?
Shortage and weariness of employees, the need to secure their applications, the need for more visibility... No, we are not talking about classic companies but about cybercriminal groups. They too have embraced the "startup nation" trend.
LockBit has announced a bug bounty program, a vulnerability buyout program, partnerships, recruitment... (see 2022-07-12 review)
2022, a surprising year with 16 year old attackers using basic techniques!!?
Lapsus$: who hasn't heard of this group, which hacked:
- Nvidia and released 1TB of data, AD accounts with NTLM hashes... (see 2022-02-08 review)
- Samsung and released 200GB of data including sensitive source codes (see 2022-02-08 review)
- Microsoft, with the release of a lot of source code including Bing, quickly cut short because the group announced the leak in real time (see review of 2022-04-12)
- But also Ubisoft, Okta, Uber, Rockstar...
No ransom demands, no threats to release data... just publications of what they had stolen and a Telegram group to brag about their exploits. Companies were not ready for this type of threat, not ready to deal with attackers who were... teenagers! 7 people were arrested, including the potential 16-year-old leader (see review of 2022-04-12)
2022, a year confirming that yes, an antivirus and an EDR can be bypassed?
And yes, an antivirus and an EDR are good, but they are not enough, especially since there are lots of bypass methods.
I'm not going to list them all, but in almost every monthly OSSIR news review I've featured one or two... well, come on, yes, I'll put some of them here 😉:
- Very discreet loader https://github.com/xforcered/BokuLoader
- Call to EnumSystemGeoID() and its callback https://github.com/HuskyHacks/RustyProcessInjectors/blob/master/EnumSystemGeoID/src/main.rs
- Reflective loading of NTDLL https://twitter.com/d1rkmtr/status/1611710773532807168
- More reflective https://twitter.com/vysecurity/status/1602593669588164608
- Unhooking https://twitter.com/0xtriboulet/status/1607815073917009924
- Simple evasion techniques https://blog.xpnsec.com/undersanding-and-evading-get-injectedthread/
- More techniques https://shubakki.github.io/posts/2022/12/detecting-and-evading-sandboxing-through-time-based-evasion/
2022, another year of data theft, data leakage publications...?
Every year leaks, every week even...
Here are some of them:
- Emma (bedding) and the theft of 97,000 customers' information (see review of 2022-04-12)
- Database of 1 Billion Chinese people from their police with personal data and records (see review of 2022-07-12)
- Database of La Poste Mobile customers, published by LockBit (see review of 2022-07-12)
- Database of TikTok users (see review of 2022-09-13)
- List of all the customers of the Orange CyberDefense micro-SOC (cf. review of 2022-09-13)
- Altice data that allowed journalists to investigate the Drahi family (see review of 2022-09-13)
- Database of 5.4 million Twitter users with phone numbers (see review of 2022-09-13)
- Database of 233 million Twitter users (see review of 2023-01-10)
- Database of 257 million Deezer users (see review of 2023-01-10)
If you are interested in the subject, here is a visual site showing data leaks by year: https://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
2022, a new year of collecting your personal data, without limit?
Your personal data is a currency but above all, the solutions you use continue the collection even when you think it is not.
In 2022 (but also before), Cisco WebEx was listening to you even when the mic was off, but rest assured, it's only for telemetry 🤪 (see review of 2022-06-14)
In 2022, the world discovered that iPhones never really turn off and still listen on NFC as well as GPS: "Evil never sleeps" (see review of 2022-04-12)
In 2022, intimate photos taken by robot vacuum cleaners were released on Facebook (see review of 2023-01-10)
2022, a reassuring year with many seizures, arrests and penalties?
It seems to be commonly accepted that cybercriminals are safe and, on a smaller scale, that there are no consequences for companies that don't play by the rules. The facts in 2022 have fortunately shown otherwise.
On the fines side, there were quite a few things in 2022, like:
- The announcement that Google Analytics was not compliant with the GDPR (see review of 2022-04-12)
- Dedalus Biologie was fined €15m for storing the personal and medical data of 500,000 French citizens in an unsecured manner (see review of 2022-06-14)
- The multiple fines against ClearView AI (£7.5m in England; €20m in Italy; formal notice in France) (see 2022-06-14 review)
- Criteo, potential €60m fine from the CNIL (see review of 2022-09-13)
- 60m fine against Microsoft by the CNIL (see review of 2023-01-10)
- 390m fine against Meta by the Irish CNIL (see 2023-01-10 review)
- 8m fine against Apple for advertising tracking (see 2023-01-10 review)
2022, a flourishing year for cybersecurity mergers, buyouts and fundraising?
Cyber is not experiencing a crisis, with many buyouts, mergers and fundraisings.
On the buyout side:
- NeoSoft acquired CONIX (see review of 2022-03-08)
- Google acquired Mandiant for $5Bn (see review of 2022-03-08)
- Schwarz Group acquired XM Cyber for $700 million
- Framatome acquired Cyberwatch (see review of 2022-06-14)
- IBM acquired Randori (!=RandoriSec) which specializes in EASM ("External Attack Surface Management"), a low value-added mapping solution (see review of 2022-06-14)
- UnaBiz (Singapore) acquired the French company Sigfox and kept 110 employees out of 174 (see review of 2022-06-14)
- Broadcom acquired VMware (see review of 2022-06-14)
- Thales acquired S21sec and Excellium (Luxembourg) (see review of 2022-06-14)
- Orange Cyber Defense acquired the Swiss companies SCRT and Telsys (see review of 2022-12-08)
On the fundraising side:
- Patrowl raised €2m in seed 🎉🎊
- Thetris raised €44m (see 2022-11-08 review)
- Citalid raised €12m (see 2022-11-08 review)
2022, the year private companies become aware of threats?
Who hasn't heard of NSO Group and its malware (spyware?) Pegasus.
In 2022, we discovered that Pegasus was used:
- By the Israeli police, outside of any official investigation, against Israeli politicians, their relatives, industrialists... (see review of 2022-02-08)
- From 2019, by Poland against political opponents and their lawyers (see review of 2022-06-14)
- In 2019, by the FBI which had acquired licenses (cf. review of 2022-02-08)
- In 2021, against Finnish diplomats (see review of 2022-02-08)
- In 2021, against a senior official of Human Rights Watch who was investigating Syria, Burma, Israel... (cf. review of 2022-02-08)
- Against French politicians such as Montebourg, Blanquer... (see review of 2022-02-08)
- Against the British Prime Minister and many other elected officials, senior civil servants... by, "a priori", the United Arab Emirates, India, Cyprus and Jordan (cf. review of 2022-04-12)
- Against the Catalan government (see review of 2022-06-14)
- By the Thai government
In 2022, we saw a very good presentation by Etienne Maynier (from Amnesty International's Security Lab), at the SSTIC 2022 conference, on their analysis tools to detect Pegasus (https://www.sstic.org/2022/presentation/smartphone_et_forensic__comment_attraper_pgasus_for_fun_and_non-profit/)
As a result of all this, several actions have been taken:
- In 2022, an investigation commission was launched in Europe (see review of 2022-02-08)
- In 2022, we saw that Apple reacted strongly and warned customers potentially targeted by Pegasus
- In 2022, NSO was added to the blacklist of US suppliers
- Following this, an American fund offered to buy Pegasus for $300 million but withdrew (see review of 2022-02-08)
Detecting and alerting on Pegasus is good, but there are still many companies offering this kind of service, like:
- Predator/Alien spyware from Cytrox, spotted by Google and used by Egypt, Armenia, Greece, Madagascar, Ivory Coast, Serbia, Spain and Indonesia against political opponents, journalists... (cf. review of 2022-06-14)
- The spyware Candiru Ltd (see review of 2022-06-14)
- Innefu
- Mollitiam
- Belltrox
- Nexa/Intellexa (a French-Israeli company), whose commercial proposal was published following the hacking of one of their customers (see the review of 2022-09-13)
- ...
2022, the year of the awareness of the threats coming from the private companies of influence and diffusion of lies?
The Team Jorge affair (although the story mostly broke in 2023 in France):
- Unmasked in 2022 by a group of journalists from the Forbidden Stories consortium
- Caught red-handed after spreading disinformation on BFM TV
The company, which wanted to remain secret, was infiltrated by journalists, who were able to demonstrate their tool for creating fake accounts on social networks and spreading lies.
2022, the year of France's success in cyber?
In France, we have the best engineers... and this year, they shone!
In 2022, Synacktiv continued to show its muscles, with success, during international competitions such as Pwn2Own and Pwn2Own Vancouver (see reviews of 2022-02-08, 2022-04-12)
In 2022, many French tools were recognized worldwide as references:
- ADeleg, to audit your Active Directory delegations (see review of 2022-06-14)
- CrackMapExec, to audit your internal information systems, with crazy updates almost every month
- PingCastle, always present, always the reference to analyze the security of your Active Directory
2022, the year of the great debate about cyber insurance?
Insurance is the principle of many paying for few: a risk that is costly but rare, which lets everyone pay a little to help the few exposed to a disaster (this is "dispersion"). Except that in cybersecurity, more than half of the insureds suffer a loss, making the risk difficult to insure.
In 2022, we experienced an emotional elevator of announcements (or emotional roller coaster to fit the illustration above) with:
- AMRAE, which announced that cyber insurance could disappear (see 2022-02-08 review)
- Generali, which announced that it would not reimburse ransom payments (see review of 2022-02-08)
- Lloyd's, no reimbursement for victims of state attacks (see review of 2022-09-13)
- But... Bercy wants to authorize the compensation of ransoms, under condition (cf. review of 2022-09-13)
2022, confirmation that no, the cloud is not free of major failures?
The cloud is magic, it works on its own... except that no, it's just a commercial reformulation of outsourced hosting (with many of the products in service mode / SaaS, ok 😉). The cloud is just someone else's computer, and that computer is not failure-free, nor is it free of major failures impacting hundreds, thousands or even hundreds of thousands of businesses!
In 2022, we saw a lot of outages from the big cloud players:
- AWS, impacting Twitch, Zoom, PlayStation Network, Xbox Live, Hulu, League of Legends... (see 2022-01-11 review)
- Atlassian deleted the data of 400 customers following a bad manipulation (see review of 2022-06-14)
- CloudFlare, hitting 19 datacenters for 1h20 because of a BGP error, not DNS (see review of 2022-07-12)
- Microsoft Teams, with an inability to run the service (see review of 2022-09-13)
- Google UK, because of the summer heat (see review of 2022-09-13)
- Azure, because of DNS (see review of 2022-09-13)
And for you, what characterized this year? Despite my delay in publishing this article, I wish you a great 2023 and... happy Easter 🤣.
Happy New Year 2023, the year of text and image responses generated by "deep learning" at the top of kalitéy and accuracy, when asked to wish them a Happy New Year 2023 🤦♂️: