
6 of the Spookiest Vulnerabilities from 2023

October might be the spookiest time of the year, but for cybersecurity practitioners in the trenches, vulnerabilities can cause quite a scare year-round.

What’s most frightening is that many data breaches today happen because of well-known attack paths using simple tactics, as opposed to highly-skilled threat actors using advanced methods to gain entry to systems. A prime example of this is the recent vishing attack that caused massive disruption at casino chain MGM Resorts, as well as the City of Fort Lauderdale falling victim to a $1.2 million scam during a phishing attack. These simple, yet successful, breach attempts happen every day, and if organizations aren’t adequately prepared, they can face scary repercussions.

It’s time to go back to the basics, and revisit the most common vulnerabilities across attack surfaces according to NetSPI’s 2023 Offensive Security Vision Report. When bolstering your organization’s security strategy, it can be helpful to review resources like our annual report as well as the OWASP API Security Top 10 to ensure the fundamentals are covered.

Here are the six spookiest vulnerabilities of 2023 and tips for remediating them. For a more comprehensive look at the most common vulnerabilities, access NetSPI’s 2023 Offensive Security Vision Report.

First Things First: Understanding the Most Common Attack Surfaces

In our report, NetSPI analyzed over 300,000 anonymized findings from thousands of pentest engagements spanning more than 240,000 hours of testing. Initially, we pulled the top 30 most prevalent vulnerabilities from our six core focus areas, or attack surfaces, from Resolve™, NetSPI’s penetration testing as a service (PTaaS) platform. The attack surfaces we analyzed are as follows:

Next Up: Cover Your Bases Against 2023’s Top Vulnerabilities

1. Web Applications: Authorization Bypass – Missing Function Level Access Controls (MFLAC)

If an MFLAC vulnerability exists, the application does not perform adequate access control checks, and unauthorized users can perform actions outside their intended scope of permissions. This can result in the access, modification, or deletion of data within the system, and in the most severe instances it may be used for privilege escalation. MFLAC is extremely prevalent in web applications, and it can be difficult to identify every instance of it. Given how severe it can be, it will be one of the likeliest attack paths to theft of data from a system.

Remediation Tip

“Fine-grained access controls should be implemented to properly attribute authorization of records/objects as well as functions to the individually authenticated and authorized user.”

Paul Ryan, Director, Application Pentesting

2. Mobile Applications: Authorization Bypasses – Insecure Direct Object References (IDOR) and Missing Function Level Access Controls (MFLAC)

Mobile applications can be susceptible to IDOR and MFLAC vulnerabilities in the same way as web applications. An IDOR vulnerability is a privilege escalation flaw that allows one user to access another user’s data. Many mobile applications receive less scrutiny on their server-side APIs because reviewing them involves greater technical complexity.
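The two authorization bypasses named in sections 1 and 2 are easy to confuse, so the following added example (not code from NetSPI or the report) shows both side by side in a hypothetical invoice API of the kind a mobile app would call: an object-level check that stops IDOR and a function-level check that stops MFLAC, each beside the handler that omits it. The `User`, `sample_store`, `get_invoice` and `delete_invoice` names and the invoice records are constructed for the example.

```python
from dataclasses import dataclass


class Forbidden(Exception):
    """Authenticated caller, but not authorized for this record or this function."""


@dataclass(frozen=True)
class User:
    user_id: str
    role: str            # "user" or "admin" in this example


def sample_store() -> dict:
    """Constructed records: invoice id -> owner and amount in cents."""
    return {
        "inv-1001": {"owner": "alice", "amount": 12000},
        "inv-1002": {"owner": "bob", "amount": 7500},
    }


# --- Vulnerable handlers: the caller was authenticated upstream, but nothing is authorized. ---

def get_invoice_vulnerable(store: dict, current: User, invoice_id: str) -> dict:
    # IDOR: the id comes straight from the request, so any signed-in user reads any invoice.
    return store[invoice_id]


def delete_invoice_vulnerable(store: dict, current: User, invoice_id: str) -> bool:
    # MFLAC: the client hides the delete button from non-admins; the server never checks the role.
    del store[invoice_id]
    return True


# --- Hardened handlers: both checks run on the server, on every call. ---

def require_owner_or_admin(current: User, record: dict) -> None:
    """Object-level check (IDOR): the record must belong to the caller unless they are admin."""
    if current.role != "admin" and record["owner"] != current.user_id:
        raise Forbidden(f"{current.user_id} may not access a record owned by {record['owner']}")


def require_role(current: User, role: str) -> None:
    """Function-level check (MFLAC): the operation itself is gated by role."""
    if current.role != role:
        raise Forbidden(f"{current.user_id} lacks role {role!r}")


def get_invoice(store: dict, current: User, invoice_id: str) -> dict:
    record = store.get(invoice_id)
    if record is None:
        raise KeyError(invoice_id)
    require_owner_or_admin(current, record)   # attribute the record to the caller
    return record


def delete_invoice(store: dict, current: User, invoice_id: str) -> bool:
    require_role(current, "admin")            # gate the function before touching any data
    if invoice_id not in store:
        raise KeyError(invoice_id)
    del store[invoice_id]
    return True


def is_forbidden(fn, *args) -> bool:
    """Helper for checks: True when the call is refused by an authorization check."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    store = sample_store()
    bob = User("bob", "user")
    print(get_invoice_vulnerable(store, bob, "inv-1001"))        # bob reads alice's invoice
    print(is_forbidden(get_invoice, store, bob, "inv-1001"))     # hardened handler refuses
```

Note that `get_invoice` raises `KeyError` before the ownership check, so a caller can tell "does not exist" from "not yours"; many APIs deliberately return the same not-found response for both to avoid record enumeration. The important property is that every record access and every privileged function is attributed to the authenticated user on the server, regardless of what the web or mobile client shows.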

3. Thick Applications: Client Side Controls

The server-side component of the application does not examine the data it receives from the client to validate that it is safe and correct. This vulnerability allows the client to perform unauthorized actions.

Thick, mobile, and embedded applications are more susceptible to this vulnerability than other kinds of applications because developers often do not treat the client as untrusted.

Remediation Tip

“Ensure all client → server calls are checked for proper authorization on the server. Additionally, perform server-side input validation on the client → server call to ensure a malicious client cannot access functionality they aren’t intended to access.”

Andre Joseph, Director, Thick Client Pentesting
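As an added illustration of the remediation tip above (not code from NetSPI or the report), the following server-side handler for an order submitted by a thick client applies both parts of the advice: it checks that the caller is authorized for the account named in the request, and it validates the request against server-side data instead of trusting values the client computed. The `Caller`, `CATALOG`, `place_order` names, the SKUs and prices are constructed for the example.

```python
from dataclasses import dataclass

# Constructed sample catalog: the server's authoritative prices, in cents.
CATALOG = {"sku-100": 4999, "sku-200": 1299}
MAX_QUANTITY = 100


@dataclass(frozen=True)
class Caller:
    user_id: str
    accounts: frozenset     # account ids this caller may place orders against


class RejectedRequest(ValueError):
    """Raised when a client -> server call fails authorization or validation."""


def place_order_vulnerable(current: Caller, request: dict) -> dict:
    """Trusts everything the thick client sends: the account, the price and the total."""
    return {
        "account": request["account"],
        "sku": request["sku"],
        "quantity": request["quantity"],
        "total_cents": request["total_cents"],   # computed by the client, never recomputed
    }


def place_order(current: Caller, request: dict) -> dict:
    # 1. Authorization: the account in the request must belong to the caller.
    account = request.get("account")
    if account not in current.accounts:
        raise RejectedRequest("caller is not authorized for this account")

    # 2. Input validation against server-side truth, not client claims.
    sku = request.get("sku")
    if sku not in CATALOG:
        raise RejectedRequest("unknown sku")
    quantity = request.get("quantity")
    # 'type(...) is int' also rejects bool and float, which 'isinstance' would let through.
    if type(quantity) is not int or not 1 <= quantity <= MAX_QUANTITY:
        raise RejectedRequest(f"quantity must be an integer between 1 and {MAX_QUANTITY}")

    # 3. Derived values are recomputed on the server; a client-supplied price or total is ignored.
    total = quantity * CATALOG[sku]
    return {"account": account, "sku": sku, "quantity": quantity, "total_cents": total}


def is_rejected(fn, *args) -> bool:
    """Helper for checks: True when the server refuses the request."""
    try:
        fn(*args)
    except RejectedRequest:
        return True
    return False


if __name__ == "__main__":
    alice = Caller("alice", frozenset({"acct-1"}))
    tampered = {"account": "acct-7", "sku": "sku-100", "quantity": 2, "total_cents": 1}
    print(place_order_vulnerable(alice, tampered))   # accepts a 1-cent order on someone else's account
    print(is_rejected(place_order, alice, tampered)) # hardened handler refuses
```

The same pattern applies to any value a client can compute locally (discounts, roles, feature flags, record ids): the server recomputes or looks it up, and the client-supplied copy is at most logged for anomaly detection.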

4. Cloud: Publicly Available Resources Hosting Sensitive Data

A publicly available cloud resource allows public, anonymous access. This can apply to cloud services such as storage or to IP addresses assigned to virtual machines. Inadvertent public or anonymous access can lead to the exposure of sensitive data, and it could also provide privilege escalation vectors into the cloud environment.

Remediation Tip

“Ensure that all cloud services are restricted to internal, authenticated access if public access is not required. Employ a layered security approach that uses both individual service configuration settings and organization-wide policies as an additional guardrail.”

Thomas Elling, Director, Cloud Pentesting
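To make the "individual service configuration settings" part of the tip concrete, here is an added example (not from NetSPI or the report) of a storage bucket policy that grants anonymous read access, the corrected policy that limits the same access to one role, and a small checker that flags Allow statements with a wildcard principal. The bucket name, the role name and the account id `123456789012` are placeholders; the policy grammar is the S3 bucket-policy format, and `find_public_statements` is this example's own function.

```python
import json

# Constructed sample: a bucket policy that grants anonymous read and list access.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-reports-bucket",
                     "arn:aws:s3:::example-reports-bucket/*"],
    }],
})

# Corrected form: the same access limited to one role in the organization's own account.
FIXED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ReportsReaderOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/reports-reader"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-reports-bucket",
                     "arn:aws:s3:::example-reports-bucket/*"],
    }],
})


def _is_public_principal(principal) -> bool:
    """True for the wildcard forms that mean 'anyone, including anonymous callers'."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def find_public_statements(policy_json: str) -> list:
    """Return one finding per Allow statement whose principal is the wildcard."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):          # a single statement may be written without the list
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or not _is_public_principal(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        findings.append({
            "sid": stmt.get("Sid"),
            "actions": actions,
            # A Condition may narrow a wildcard principal (for example to one VPC endpoint or
            # one organization); it still deserves review, so it is reported at lower severity.
            "severity": "needs-review" if stmt.get("Condition") else "public",
        })
    return findings


if __name__ == "__main__":
    print("weak:", find_public_statements(WEAK_POLICY))
    print("fixed:", find_public_statements(FIXED_POLICY))
```

This checks only the resource's own policy. The "organization-wide policies as an additional guardrail" part of the tip corresponds to controls enforced outside the resource (account-level public access blocks, organization policies), which a resource-policy scan does not see; the checker also does not model `Deny` statements or `NotPrincipal`, so treat its output as a starting point for review rather than a verdict.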

5. External Network: Publicly Available Resources Hosting Sensitive Data

Sensitive information such as credentials, API keys, and internal domain information can inadvertently be exposed in publicly accessible places such as online source code repositories, cloud storage platforms, and public paste sites. Attackers may discover publicly accessible information and use it against the organization’s employees and infrastructure. For example, credentials or API keys may allow an attacker to gain unauthorized access to an organization’s systems or cloud services, while internal organizational details might be used to build effective pretext scenarios for targeted social engineering attacks.

Remediation Tip

“Ensure that effective policies, procedures, and monitoring solutions are established to safeguard the flow of organizational information to external locations. Review commonly targeted sources of information such as GitHub and Pastebin on a regular basis to identify and remove any sensitive information that may have been inadvertently disclosed.”

Ryan Krause, Principal Consultant, External Network Pentesting
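The regular review the tip calls for is usually automated with a secret scanner. The following added example (not NetSPI's tooling) scans constructed file lines for the three kinds of exposure the section names (credentials, API keys, internal domain information) and rates each hit by confidence, using Shannon entropy to separate generated secrets from dictionary-word assignments. The AWS access key id shape (`AKIA` plus 16 uppercase alphanumerics) is documented by AWS; the other patterns, the `3.5`-bit threshold and the sample lines are this example's own assumptions.

```python
import re
from collections import Counter
from math import log2

# Patterns for things that should never sit in a public repository or paste.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "credential_assignment": re.compile(
        r"(?i)(?:api[_-]?key|secret|password|passwd|token)\s*[:=]\s*['\"]?([^\s'\"]{8,})"),
    "internal_domain": re.compile(r"(?i)\b[\w-]+\.(?:corp|internal|local)\b"),
}
HIGH_ENTROPY_BITS = 3.5   # assumed threshold: generated secrets score above it, words below


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character, estimated from the character frequencies."""
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * log2(c / n) for c in counts.values())


def scan_lines(lines) -> list:
    """Return one finding per (line, pattern) with a confidence label."""
    findings = []
    for number, line in enumerate(lines, start=1):
        for kind, pattern in PATTERNS.items():
            match = pattern.search(line)
            if not match:
                continue
            if kind == "credential_assignment":
                # Only the assigned value is scored, not the variable name around it.
                entropy = shannon_entropy(match.group(1))
                confidence = "high" if entropy >= HIGH_ENTROPY_BITS else "low"
            elif kind == "internal_domain":
                confidence = "info"     # not a secret, but useful to a pretexter
            else:
                confidence = "high"     # structured formats rarely occur by accident
            findings.append({"line": number, "kind": kind, "confidence": confidence})
    return findings


# Constructed sample: a settings file that was pushed to a public repository.
SAMPLE_LINES = [
    "# application settings",
    "AWS_ACCESS_KEY_ID = 'AKIAEXAMPLE000000000'",
    "DB_PASSWORD = 'Tr0ub4dor&3xample!'",
    "api_key = 'x'",
    "LDAP_SERVER = 'ldap://dc01.corp.example.internal'",
    "-----BEGIN RSA PRIVATE KEY-----",
    "token = 'abcdefgh'",
    "print('nothing sensitive on this line')",
]

if __name__ == "__main__":
    for finding in scan_lines(SAMPLE_LINES):
        print(finding)
```

Run against a repository checkout, this scans the current tree only; secrets that were committed and later removed remain in history, so a review process also needs to scan past commits and rotate anything found rather than just delete it.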

6. Internal Network: Network Protocol Attacks

This vulnerability category includes most of the top network protocols that we frequently target to gain an initial foothold on an internal network. Most of these protocols are enabled by default and may be unknown to or unused by the client organization. Exploitation of these common protocols could allow an attacker to gain a man-in-the-middle position against unsuspecting users, which could lead to credential or sensitive data exposure, a foothold on the domain, and privilege escalation.

Remediation Tip

“Remove support for commonly exploited protocols if they are not being utilized for a business purpose internally. For example, we frequently identify unutilized LLMNR and NBNS protocols unknowingly exposed on internal Windows networks, and disabling them through Group Policy could completely remove these attack vectors.”

Josh Weber, Director, Internal Network Pentesting
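Disabling LLMNR and NBNS through Group Policy is the fix; until that is rolled out everywhere, a defender also wants to see the abuse on the wire. The following added example (not NetSPI's code) parses LLMNR messages, whose layout follows the DNS message format per RFC 4795, from constructed sample traffic and flags responses that answer for a name no inventoried host owns, or that point to an address other than the inventoried one, which is what a poisoned name lookup looks like to the victim. The host names, addresses, the `KNOWN_HOSTS` inventory and the packet-building helpers used to construct the samples are this example's own assumptions.

```python
import struct
from dataclasses import dataclass

# LLMNR (RFC 4795) reuses the DNS message layout: a 12-byte header followed by question
# and resource-record sections. Only A records (type 1) are examined in this example.
LLMNR_PORT = 5355
TYPE_A = 1


@dataclass
class LLMNRMessage:
    tx_id: int
    is_response: bool
    questions: list   # (name, qtype, qclass)
    answers: list     # (name, rtype, rclass, ttl, rdata)


def _read_name(buf: bytes, off: int):
    """Decode a label sequence; compression pointers (0xC0xx, as in DNS) are followed."""
    labels, end, jumped = [], None, False
    while True:
        length = buf[off]
        if (length & 0xC0) == 0xC0:
            if not jumped:
                end = off + 2                 # the caller resumes right after the pointer
            off = struct.unpack_from("!H", buf, off)[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_llmnr(buf: bytes) -> LLMNRMessage:
    tx_id, flags, qdcount, ancount, _ns, _ar = struct.unpack_from("!HHHHHH", buf, 0)
    off = 12
    questions, answers = [], []
    for _ in range(qdcount):
        name, off = _read_name(buf, off)
        qtype, qclass = struct.unpack_from("!HH", buf, off)
        off += 4
        questions.append((name, qtype, qclass))
    for _ in range(ancount):
        name, off = _read_name(buf, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
        off += 10
        answers.append((name, rtype, rclass, ttl, buf[off:off + rdlen]))
        off += rdlen
    return LLMNRMessage(tx_id, bool(flags & 0x8000), questions, answers)   # QR is the top flag bit


def find_suspicious_responses(packets, known_hosts: dict) -> list:
    """packets: iterable of (source_ip, llmnr_payload); known_hosts: lowercase name -> address.
    A response is flagged when nobody in the inventory owns the name, or when the answer
    points somewhere other than the inventoried address."""
    asked = {}        # tx_id -> (asker_ip, name)
    findings = []
    for src_ip, payload in packets:
        msg = parse_llmnr(payload)
        if not msg.is_response:
            for name, _, _ in msg.questions:
                asked[msg.tx_id] = (src_ip, name.lower())
            continue
        for name, rtype, _, _, rdata in msg.answers:
            if rtype != TYPE_A or len(rdata) != 4:
                continue
            answered = ".".join(str(b) for b in rdata)
            expected = known_hosts.get(name.lower())
            if expected != answered:
                asker = asked.get(msg.tx_id, ("unknown", name))[0]
                findings.append({"responder": src_ip, "asker": asker, "name": name.lower(),
                                 "answered": answered, "expected": expected})
    return findings


# --- constructed sample traffic (not a real capture) ---
def _encode_name(name: str) -> bytes:
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split(".")) + b"\x00"


def build_query(tx_id: int, name: str) -> bytes:
    return struct.pack("!HHHHHH", tx_id, 0, 1, 0, 0, 0) + _encode_name(name) + struct.pack("!HH", TYPE_A, 1)


def build_response(tx_id: int, name: str, ip: str) -> bytes:
    rdata = bytes(int(octet) for octet in ip.split("."))
    return (struct.pack("!HHHHHH", tx_id, 0x8000, 1, 1, 0, 0)
            + _encode_name(name) + struct.pack("!HH", TYPE_A, 1)
            + b"\xC0\x0C"                                   # pointer back to the question name at offset 12
            + struct.pack("!HHIH", TYPE_A, 1, 30, 4) + rdata)


KNOWN_HOSTS = {"fileshare01": "10.0.0.20"}
SAMPLE_PACKETS = [
    ("10.0.0.5",  build_query(0x1A2B, "fileshare01")),
    ("10.0.0.20", build_response(0x1A2B, "fileshare01", "10.0.0.20")),   # legitimate owner answers
    ("10.0.0.5",  build_query(0x1A2C, "fileshare01")),
    ("10.0.0.99", build_response(0x1A2C, "fileshare01", "10.0.0.99")),   # answer points at the responder itself
    ("10.0.0.5",  build_query(0x1A2D, "prnt-server")),                   # mistyped name nobody owns
    ("10.0.0.99", build_response(0x1A2D, "prnt-server", "10.0.0.99")),
]

if __name__ == "__main__":
    for finding in find_suspicious_responses(SAMPLE_PACKETS, KNOWN_HOSTS):
        print(finding)
```

In a network where LLMNR has been disabled by policy, any response on UDP 5355 is already an anomaly; the name-inventory comparison is what makes the check useful during the transition, when legitimate hosts still answer for their own names. The same header layout and query/response logic apply to NBNS name queries on UDP 137, apart from the NetBIOS name encoding.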

As cybersecurity programs continue to mature, going back to the basics will always be an essential first step to successful security planning – helping to avoid frightening scares down the line. Download NetSPI’s 2023 Offensive Security Vision Report today for more on these common vulnerabilities, our top remediation tips, and how to bolster your security posture with offensive security measures.

Discover how the NetSPI BAS solution helps organizations validate the efficacy of existing security controls and understand their Security Posture and Readiness.
