Vulnerabilities are a major risk for organizations, and a major attack vector for threat actors. There were over 29,000 vulnerabilities published in 2023, amounting to over 3,800 more common vulnerabilities and exposure (CVEs) identifiers being issued last year than in 2022. But that doesn’t mean these most recent vulnerabilities are the only ones in a threat actor’s toolbox.

On March 21, 2024, security researchers published a technical analysis along with a proof of concept (PoC) regarding the critical Remote Code Execution (RCE) vulnerability, CVE-2023-48788, in Fortinet’s FortiClientEMS. This vulnerability enables an unauthenticated threat actor to achieve RCE through the manipulation of SQL commands. Fortinet has stated that this vulnerability is under active exploitation. PoC exploit code is also now publicly available.

It’s no secret that the manufacturing industry has found themselves in the crosshairs of threat actors in recent years. With a low tolerance for downtime, international operational footprints, and servers full of valuable information, these organizations represent riches for ransomware gangs and individual hackers alike.

The 2023 ransomware attack at the University of Manchester didn’t stop once the threat actors had successfully exfiltrated the personal identifiable information (PII) for faculty and staff, plus 250 GB of other data. When the university showed hesitation toward paying the ransom, they turned to a tactic that is becoming increasingly popular among cybercriminals — triple extortion.

Arctic Wolf has recently observed an uptick in detected password spraying for multiple Firewall and VPN appliances. This activity began on February 28, 2024. A variety of products are affected by this activity, including but not limited to devices from vendors such as Cisco, Palo Alto Networks, and WatchGuard. Further investigation revealed that authentication against web-based applications in general was being targeted as opposed to a selection of firewall vendors.

Active Directory (AD) is a mainstay for most organizations, especially as identity management grows for even small-to-medium businesses (SMBs) and once on-premises organizations digitize. But this widely adopted tool comes with major security risks.

On March 3, 2024, JetBrains published a blog post describing two authentication bypass vulnerabilities affecting the On-Premises Servers of TeamCity. An unauthenticated threat actor with HTTP(S) access to a TeamCity Server can exploit these vulnerabilities to bypass authentication and gain administrative control of a TeamCity Server. CVE-2024-27198 (CVSS 9.8): Alternative path issue in the web component of TeamCity that can lead to remote code execution (RCE). CVE-2024-27199 (CVSS 7.3)

On March 1, 2024, SolarWinds published a security advisory reporting that SolarWinds Security Event Manager (SEM) is vulnerable to a high severity vulnerability that allows an unauthenticated threat actor to achieve remote code execution (RCE), CVE-2024-0692. The vulnerability lies in the configuration of the AMF deserialization endpoints. Exploitation can occur due to insufficient validation of user-provided data, allowing untrusted data to be deserialized.

Arctic Wolf and SC Media surveyed an audience of more than 500 North American IT security professionals in the fall of 2023 and discovered that, among those who currently have cyber insurance policies, 47% of them have had coverage for 12 months or less. A significant increase among the insured reflects the kind of growth one might expect from an industry that has seen monumental change in just a few short years.

The past few years have been hard on cybersecurity professionals. An onslaught of new attack innovations and evolutions have raised the risk — and the costs — of an attack. More organizations than ever before are attempting to transfer a portion of that risk through cyber insurance. However, cyber insurance policies, once easy to get and robust in coverage, have become challenging to obtain, difficult to maintain, and costly to keep.

As the goals of securing as much ransom money and sowing as much discord as possible continues to grow, one of the most preferred methods threat actors have to accomplish these goals is to target the supply chain.