Exploits and vulnerabilities in Q1 2024

We at Kaspersky continuously monitor the evolving cyberthreat landscape to ensure we respond promptly to emerging threats, equipping our products with detection logic and technology. Software vulnerabilities that threat actors can exploit or are already actively exploiting are a critical component of that landscape. In this report, we present a series of insightful statistical and analytical snapshots relating to the trends in the emergence of new vulnerabilities and exploits, as well as the most prevalent vulnerabilities being used by attackers. Additionally, we take a close look at several noteworthy vulnerabilities discovered in Q1 2024.

Statistics on registered vulnerabilities

To facilitate the management of vulnerabilities, vendors can register these and assign CVE identifiers. All identifiers and related public information are published on https://cve.mitre.org (at the time of writing, the site is in the process of migrating to a new domain, https://www.cve.org/). Although vendors often fail to register vulnerabilities, and the CVE list cannot be considered exhaustive, it does allow us to track certain trends. We analyzed data on registered software vulnerabilities and compared their quantities over the past five years.

The number of newly registered CVEs, 2019 — 2024. The decline in 2024 is due to data being available for Q1 only (download)

As the chart illustrates, the number of new vulnerabilities has been steadily increasing year over year. This can be attributed to several factors.

Firstly, the growing popularity of bug bounty platforms and vulnerability discovery competitions have provided a major impetus to research in the field. As a result, vulnerability discoveries have been on the rise. This also leads to more vendors registering the discovered vulnerabilities, resulting in a growing number of CVEs.

Secondly, companies developing popular software, operating systems, and programming languages are implementing more security solutions and new procedures that improve the performance of vulnerability monitoring in software. On the one hand, this leads to vulnerabilities being discovered more frequently; on the other, entire categories of vulnerabilities become obsolete. As a result, both threat actors and security researchers striving to stay ahead are actively searching for new types of vulnerabilities and creating automated services that allow for even more efficient detection.

Finally, new applications appear with time as existing ones get updates and become more complex, spawning new vulnerabilities. With the rapid pace of technological evolution, the number of discovered vulnerabilities is likely to continue to grow year after year.

It is important to note that different vulnerabilities pose different levels of security threats. In particular, some of them may be categorized as critical. We used the data in the list of registered CVEs and the results of internal reproducibility tests to calculate the share of critical vulnerabilities.

The number of newly registered CVEs and the percentage of critical CVEs in these, 2019 — 2024. The decline in 2024 is due to data being available for Q1 only (download)

As the chart shows, the growth in the number of critical vulnerabilities has been intermittent. In 2021 and 2022, the share of critical vulnerabilities among the total number was comparable, but it increased during the periods from 2019 through 2021 and from 2022 through 2023. The year 2023 was notable for a record number of critical vulnerabilities discovered in software. The percentage of critical vulnerabilities in the total number of registered ones remained high in Q1 2024. This once again emphasizes the importance of proper patch management and the need for security solutions capable of preventing vulnerability exploitation.

Exploitation statistics

This section presents exploit statistics gathered from both public sources, such as registered CVEs, and our in-house telemetry.

An exploit is a program containing data or executable code that takes advantage of one or more software vulnerabilities on a local or remote computer for malicious purposes. Software vulnerabilities that allow attackers to gain control over the target user’s system are of the highest value to exploit developers.

Exploits can be created by malicious actors who sell their creations on underground forums or use them to their own ends. Additionally, enthusiasts, including participants of various bug bounty programs, develop exploits to stay ahead of adversaries and devise countermeasures.

Windows and Linux vulnerability exploitation

The charts below show the trends in the number of Linux and Windows users protected by Kaspersky products who encountered vulnerability exploits in 2023 and Q1 2024. The statistics are based on data from the Kaspersky Security Network, provided by our users voluntarily.

Changes in the number of Windows users who encountered exploits, Q1 2023 — Q1 2024. The number of users who encountered exploits in Q1 2023 is taken as 100% (download)

Changes in the number of Linux users who encountered exploits, Q1 2023 — Q1 2024. The number of users who encountered exploits in Q1 2023 is taken as 100% (download)

As the charts demonstrate, the number of Windows users who experienced vulnerability exploitation remained roughly unchanged throughout 2023, whereas the number of affected Linux users increased steadily. It’s important to note that this doesn’t necessarily involve the same vulnerabilities in both cases. Some vulnerabilities quickly become obsolete, prompting threat actors to shift their focus to newer ones.

Let’s illustrate the changes in the popularity of certain vulnerabilities using the example of the CVE-2023-28831 vulnerability in WinRAR.

The popularity dynamics of the CVE-2023-28831 vulnerability in WinRAR, September 2023 — March 2024 (download)

The chart reveals that the vulnerability was quite popular almost immediately after it was registered in September 2023 but then gradually declined in relevance as users installed patches. This is just further evidence that malicious actors tend to take an interest in vulnerabilities as long as the number of users who have installed a fix is relatively small.

Public exploit statistics

The availability of an exploit, especially when accessible on public platforms like GitHub, is a key criterion in assessing the criticality of a vulnerability. We analyzed data on publicly available exploits for registered vulnerabilities.

The number of vulnerabilities and the percentage of those that have an exploit, 2019 — 2024 (download)

The statistics reveal an increase in the total number of exploits, encompassing both ready for use and raw PoCs. The latter may be unstable but they demonstrate the possibility of exploiting the vulnerability and hold potential for future refinement. It’s worth noting that malicious actors seek both new exploits and modifications to existing ones, such as optimization for compatibility with multiple operating systems, integration of new data processing methods, and stability enhancements.

Most prevalent exploits

We continuously monitor exploits published for various vulnerabilities, with a particular focus on critical ones. Our analysis of these exploits has allowed us to single out several categories of software that are of particular interest to malicious actors:

• Browsers;
• Operating systems (Windows, Linux, macOS);
• Microsoft Exchange servers and server components;
• Microsoft SharePoint servers and server components;
• The Microsoft Office suite;
• All other applications that fall outside the five categories above.

Let’s see which software categories had the most critical vulnerabilities with working exploits in 2023 and Q1 2024.

The distribution of exploits for critical vulnerabilities by platform, 2023 (download)

The distribution of exploits for critical vulnerabilities by platform, Q1 2024 (download)

The data indicates that the software categories most affected by critical vulnerabilities with working exploits are:

• Operating systems;
• Browsers.

However, in Q1 2024, we also observed a significant number of exploits targeting Exchange servers. Additionally, a substantial portion of exploits falls into the “other software” category. This is due to the variety of applications that users may have installed on their systems to handle business tasks.

Vulnerability exploitation in APT attacks

Exploiting software vulnerabilities is an integral component of nearly every APT attack targeting enterprise infrastructures. We analyzed available data on exploits used in APT attacks for 2023 and Q1 2024 to determine which software is most frequently exploited by attackers. Below are the vulnerabilities that APT groups leveraged the most in 2023 and Q1 2024.

The top 10 vulnerabilities exploited in APT attacks, 2023 (download)

The top 10 vulnerabilities exploited in APT attacks, Q1 2024 (download)

The statistics presented above indicate that popular entry points for malicious actors currently are:

• Vulnerable remote access services like Ivanti or ScreenConnect.
• Vulnerable access control features like Windows SmartScreen.
• Vulnerable office applications. Notably, exploits for the Microsoft Office suite, which long held the top of the most-exploited list, were superseded by a WinRAR vulnerability in 2023.

Therefore, we can conclude that APT groups mostly exploit vulnerabilities while gaining initial access to an infrastructure. In most cases, this involves either breaching the perimeter (for example, by exploiting vulnerable internet-facing services like VPNs and web applications) or exploiting office applications combined with social engineering (for example, by emailing infected documents or archives to company employees).

Notable Q1 2024 vulnerabilities

This section deals with the most interesting vulnerabilities registered in Q1 2024.

CVE-2024-3094 (XZ)

A backdoor was discovered within the XZ data compression utility package in late March. Attackers inserted malicious code into the source code of the library responsible for handling archived data. This code, through a modified build procedure, ended up in the compiled library. Upon loading such a library, the malicious code would begin modifying functions in memory that are exported by certain distributions for SSH server operation, enabling the attackers to send commands to the infected server.

The backdoor’s functionality is notable because the attackers managed to inject malicious algorithms into a popular library, a feat rarely accomplished in the history of open-source software. The attack also stands out for its complexity and the multi-stage infection process. No one but the author of the malicious code could have exploited the backdoor.

CVE-2024-20656 (Visual Studio)

This vulnerability in Visual Studio lets a malicious actor elevate their privileges in the system. An attacker can leverage it to execute a DACL reset attack on Windows. A DACL (Discretionary Access Control List) is an access control list that defines the level of access users have to perform specific operations on an object. Resetting a DACL removes all restrictions on accessing system files or directories, so any users can do whatever they wish to these. The vulnerability is intriguing due to its exploitation algorithm.

The exploit source code, which we analyzed, utilizes a method of redirecting the Visual Studio application debugging service from one directory to another through a symlink chain: DummyDir => Global\\GLOBALROOT\\RPC Control => TargetDir. Here, DummyDir is a publicly accessible directory created by the attacker, and TargetDir is the directory they want to gain access to. When the application debugging service is redirected from DummyDir to TargetDir, the latter inherits access settings identical to those of DummyDir.

This method of employing symlinks to perform selective actions on protected files is quite challenging to prevent, as not all files within a system can be write-protected. This implies that it could potentially be used to exploit other vulnerabilities in the future. If a file or dependency used by the targeted OS service is identified and its modification restrictions are removed, the user can simply overwrite this file or dependency after the exploit runs. Upon the next launch, the attacker-injected code will execute within the compromised service, inheriting the same access level as the service itself.

We are not currently aware of any cases of this vulnerability being leveraged in real-life attacks. However, it shares the same exploitation primitives with the CVE-2023-36874, which malicious actors began exploiting even before it was discovered.

CVE-2024-21626 (runc)

OS-level virtualization, or containerization, is widely employed today for application scaling and building fault-tolerant systems. Therefore, vulnerabilities within systems that manage containers are of critical importance.

The vulnerability in question owes its existence to certain behavior of the fork system call in the Linux kernel. This system call’s characteristic feature is the method by which it launches a child process, which is copied from the parent process.

This functionality allows for rapid application startup but also presents a risk that developers may not always consider. Process cloning implies that some data from the parent process may be accessible from the child process. If the application code fails to monitor such data, this can lead to a data disclosure vulnerability CWE-403 – Exposure of File Descriptor to Unintended Control Sphere, according to the CWE category system.

CVE-2024-21626 is a case in point. The Docker toolkit uses the runc tool to create and run containers; therefore, a running container acts as a child process relative to runc. If you try accessing /proc/self directory from that container, you can obtain descriptors for all files opened by the runc process. Navigation of accessible resources and descriptors in Linux follows file system rules. Hence, attackers quickly started using the relative path to interpreters accessible to the parent process to escape the container.

You can detect exploitation of this vulnerability by monitoring activity within a running container. The primary pattern observed during exploitation involves the container attempting to access the file system using the path:

/proc/self/cwd/../

CVE-2024-1708 (ScreenConnect)

ConnectWise ScreenConnect is a remote desktop access tool. It comprises client-side applications running on user systems and a server used for client management. The server hosts a web application that contains the vulnerability in question.

Access control is considered to be the most critical mechanism within web applications. It works only as long as every user-accessible function and parameter in the web application is monitored and validated before being used in the application’s algorithms. The request monitoring and control in ScreenConnect proved to be inadequate. An attacker could force the system to reset its settings by simply appending a “/” character to the original request URL like this: http://vuln.server/SetupWizard.aspx. As a result, the adversary could gain access to the system with administrator privileges and exploit the server for malicious purposes.

The vulnerability is being actively used by malicious actors. Therefore, we recommend that ScreenConnect users apply the patch released by the developers and configure firewall rules to restrict access to the server’s web interface.

CVE-2024-21412 (Windows Defender)

The primary objective of most attacks targeting user systems is the execution of malicious commands. Attackers aim to accomplish this task through various methods, but the most popular and reliable approach involves launching a malicious file. To minimize the risk of unauthorized application launches, Windows employs a mechanism known as the SmartScreen Filter. SmartScreen checks websites that the user visits and files downloaded from the internet. When the check starts, the user sees a lock screen.

Such a notification can prompt the user to reconsider whether they truly want to launch the application. Consequently, malicious actors are actively seeking ways to bypass this filter. CVE-2024-21412 represents one such method.

Deceiving the security mechanism relies on a simple principle: if SmartScreen checks files downloaded from the internet, just trick the filter into believing that the file was already in the system at the time of launch.

This can be achieved by interacting with a file stored in a network storage. In the vulnerability in question, the storage resides on a WebDAV server. The WebDAV protocol allows multiple users to simultaneously edit a file stored on the server, and Windows provides capabilities for automatic access to such storage. All that remains for attackers is to present the server to the system in the appropriate manner. For this purpose, they use the following file URL:

CVE-2024-27198 (TeamCity)

This vulnerability in the web interface of the TeamCity continuous integration tool allows access to features that should be restricted to authenticated users. You can detect exploitation by analyzing the standard logs that TeamCity generates in its working directory. The malicious pattern appears as follows:

The improper handling of files with a blank name, as shown above, grants unauthorized attackers access to the server API.

Malicious actors leverage this vulnerability as a way of gaining initial access to targeted systems. For more efficient exploitation monitoring, we recommend auditing accounts with access to the web interface.

CVE-2023-38831 (WinRAR)

Although this vulnerability was discovered in 2023, we believe it warrants attention due to its popularity among malicious actors in both late 2023 and Q1 2024.

This is how it works: when attempting to open a file inside an archive using the WinRAR GUI, the application also opens the contents of a folder with the same name if such a folder exists in the archive.

Since attackers began exploiting the vulnerability, they have come up with several types of exploits that can have one of two formats:

• ZIP archives;
• RAR archives.

The variations in malware and existing archives make it impossible to determine definitively whether an archive is an exploit. However, we can identify key characteristics of an exploit:

• The archive contains files whose names match those of subdirectories.
• At least one file name contains a space before the extension.
• The archive must contain an executable located inside the subdirectory.

Here are examples of such files viewed in a hex editor. For a ZIP archive, the data looks like this:

For RAR files, like this:

Attackers have learned to conceal exploit artifacts by protecting the archive with a password. In such cases, file paths may be encrypted, so the only way to detect an exploit would be through behavior analysis.

Conclusions and advice

In recent times, we have observed a continuous year-over-year increase in the number of registered vulnerabilities, accompanied by a rise in the availability of public exploits. Vulnerability exploitation is a crucial component of targeted attacks, with malicious actors typically focused on leveraging vulnerabilities extensively within the first few weeks following their registration and exploit publication. To stay safe, it is essential to respond promptly to the evolving threat landscape. Also, make sure that you:

• Maintain a comprehensive understanding of your infrastructure and its assets, paying particular attention to the perimeter. Knowledge of your own infrastructure is a fundamental factor in establishing any security processes.
• Implement a robust patch management system to promptly identify vulnerable software within your infrastructure and deploy security patches. Our Vulnerability Assessment and Patch Management and Kaspersky Vulnerability Data Feed solutions can assist you in this endeavor.
• Use comprehensive security solutions that enable you to build a flexible and efficient security system. This system should encompass robust endpoint protection, early detection and suppression of attacks regardless of their complexity, access to up-to-date data on global cyberattacks, and basic digital literacy training for your We recommend our Kaspersky NEXT suite of products for business protection as a solution that can be tailored to the needs and capabilities of any company size.