A week full of security happenings, with unauthenticated endpoint access to Twilio Authy API leading to phone number disclosure to an exfiltration of data from ServiceNow instances by chaining three vulnerabilities, making remote code execution (RCE) possible. Apache HugeGraph’s instances and end-of-life D-Link NAS devices, also faced attempts of remote code execution flow, from attackers in the wild.
Old CVEs seem to be still being a major nuisance, as multiple CVEs from last year are still being exploited actively in the wild and with CISA adding an Internet Explorer RCE from 2012 to their KEV.
Reaper, Zerobot and Sysrv botnets, among others were seen exploiting IOT devices, routers and some Apache HTTP server in order to compromise them. Not forgetting malware campaigns, evidence of Russian-based ACR Stealer, Hatvibe and Cherryspy were seen exploiting fresh MS Windows Smartscreen and Repetto FS vulnerabilities. And lastly, vulnerabilities in Nvidia, Github, Telegram and other big names that we might see being exploited in the coming days.
Twilio, a popular communications API provider, faced a fairly interesting bug that allowed attackers to verify if a phone number was registered on Authy multi factor-authentication or not. An unauthenticated API endpoint, a frequent sight in recent times, in the Twilio Authy API that was being accessed by Authy Android before 25.1.0 and Authy iOS before 26.1.0, allowed the threat actor ShinyHunters to retrieve a list of a whopping 33 million phone numbers associated with the users of Authy app. With a CVSS score of 5.3 and exploit prediction score (EPSS) of 0.11792, this vulnerability was added to CISA’s Known Exploited Vulnerabilities catalog[1] , in the recent update.
Part of a chain of three vulnerabilities in ServiceNow, a popular suite of business management solutions, CVE-2024-4879[2] is a Jelly template injection vulnerability, exploiting a double evaluation bug in order to execute commands. Combined with CVE-2024-5178 and CVE-2024-5217, it is possible to go for a full compromise and extract a lot of sensitive data: usernames, hashed passwords, and the whole shebang. Due to its severity, a high CVSS score of 9.3 was given to this bug and ServiceNow has made patches and fixes available as of now. Although the EPSS is a low 0.00896. With a recent flood of publicly available exploits, threats actors are leveraging them to actively exploit this in the wild[3].
A blast from the past, the remote code execution flaw with a CVSS score of 9.3 in Microsoft Internet Explorer (6 through 8) was recently added to the CISA’s Known Exploited Vulnerabilities catalog[4]. A user-after-free class vulnerability, allowed attackers to craft malicious websites that could possibly execute arbitrary code by attempting to access a deleted or improperly allocated object. With an EPSS score of 0.92145, known to be currently being actively exploited as part of malware/ransomware campaigns, it’s recommended to upgrade to the latest versions of Microsoft IE.
Affecting end-of-life range of D-Link NAS devices, a remote code execution vulnerability was found that is being exploited in the wild by attackers, in an attempt to gain control over 90,000 devices, as of April this year. A simple exploit by nature, RCE is possible through command injection in the parameters of a HTTP GET request towards the vulnerable path “/cgi-bin/nas_sharing.cgi”. Since the affected products are end of life, vendors will not be patching them and it is recommended to decommission the devices if still in use[5].
Apache’s graph database offering, HugeGraph, is under active exploitation by threat actors due to a remote code execution flaw[6]. Abusing the insufficient restrictions on executing system commands through the Gremlin endpoint (aptly named “/gremlin”) by manipulating the Java code, attackers were able to execute system commands. HugeGraph from version 1.0.0 to 1.2.1 is suffering from this issue and as exploits are available publicly since June, there has been an increase in exploitation attempts.Data received from Cytellite sensors, below is a list of older CVEs that we are seeing being exploited and scanned in the wild actively. For related IOCs, source IPs and further details, please reach out to us.
Popular router brand TP Link’s Archer AX21 (AX1800) routers have firmware versions before 1.1.4 Build 20230219 which are flawed with a command injection vulnerability. A simple POST request can be used to exploit the bug, where a specific request parameter is not properly sanitized before being passed to code functionality that performs system command execution. With public exploits available, botnets are relentlessly exploiting these devices to create zombie devices that could possibly be used to carry out DDoS attacks. Namely, AGoent, Gafgyt, Moobot, Miori, Mirai and Condi are the main campaigns behind the exploitation of CVE-2023-1389[7][8][9].
Zerobot, a Go-based botnet, was seen exploiting CVE-2021-41773. A path traversal bug in Apache HTTP server, in the scenario of loose directory restrictions, can allow attackers to read arbitrary files like /etc/passwd. In case the mod-cgi module is also loaded, attackers can access cgi files and can possibly execute remote code. Zerobot was also seen exploiting the sister-vulnerability CVE-2021-42013, another path traversal bug in Apache HTTP server[10].
A 6 year old vulnerability in Huawei HG532 routers has persisted as botnet operators are actively exploiting it. Few customized firmware versions allow an authenticated attacker to send packets to port 37215, which upon successful exploitation can allow remote code execution. Botnet based on Sysrv malware, a worm and cryptominer targeting Linux environments, have been seen using this exploit to gain access to unpatched Huawei routers[11].
Another old vulnerability that is re-emerging in recent times. A webshell, conveniently located at “/shell” endpoint, is accessible in MVPower CCTV DVR models, including TV-7104HE 1.8.4 115215B9 and TV7108HE. This can allow unauthenticated actors to execute system commands. IoT_Reaper, also known as Iotroop, is known to exploit this CVE. Also known simply as Reaper, this botnet seems to share some of its code with the infamous Mirai botnet[12].
A Microsoft Windows SmartScreen bypass, this security bug has allowed threat actors running malware campaigns to successfully run fake and malicious Microsoft installers as they are able to circumvent the security warning screen shown by SmartScreen. Possible due to a flaw in error handling of specially crafted installers, this bug is being exploited by multiple malwares, mainly ACR Strealer, a Russian infostealer, which interestingly uses Steam community profiles to hide the C2 server addresses[13].
Recently, a template injection vulnerability was uncovered in Rejetto, a popular and lightweight HTTP file server. Leading to possible unauthenticated remote code execution, a simple injection in the HTTP GET request parameters can allow attackers to run system commands. With public exploits available, Russian-based HATVIBE and CHERRYSPY malware, which are exploiting CVE-2024-23692 as part of the initial access step[14].
The LOVI platform monitors multiple open sources feed and social media, tracking over 100 alerts to aggregate and distribute details related to vulnerabilities that have a high chances of being exploited by threat actors before these vulnerabilities are added to the National Vulnerability Database,