Known Actively Exploited Vulnerabilities Round-up (20.09.24-26.09.24)

This article covers recent vulnerabilities found to be actively exploited. They are categorised based not only on the category of exploitation, but their impact, and versions affected. This article also informs on any official fix and remediation guidance for the listed vulnerabilities.

AppCheck presents our weekly roundup of critical vulnerabilities being actively exploited ‘in the wild’ by organised threat actors, during the week ending 27th September 2024. Organisations in both the public and private sectors can use the list each week as an input to their vulnerability management prioritisation framework: ‘Known Exploited Vulnerabilities’ are vulnerabilities that are confirmed as being actively used to target and exploit organisations around the globe within the last seven days. As such, they represent perhaps the greatest ongoing cybersecurity risk to businesses, and a very real and present threat. The vulnerabilities are often being exploited by highly organised criminal groups for direct financial gain, via techniques such as malware and ransomware installation. AppCheck summarises the details of each known ongoing exploitation below, but for full details – including impact, versions affected, and any remediation or mitigation guidance – check out AppCheck’s free ‘Detections Service’ at https://detections.appcheck-ng.com/ – you can click on the title of any of the exploitations below to see more information from this service.


Commentary and Roundup

This week: The headline news this week has to be the extraordinary joint announcement from multiple national cybersecurity agencies including the FBI, CNMF, NSA, and NCSC regarding the compromise of up to 260,000 Internet-connected devices in a campaign attributed to Chinese (PRC)-linked cyber actors. The threat actors used a network of compromised nodes (a “botnet”) running a customized variant of the ‘Mirai’ family of malware to hijack devices including routers, firewalls and NAS devices via a selection of over 60 known and catalogued vulnerabilities. Full details are available via the published NSA report. Seemingly unrelated to the NSA announcement, separate reports in the Wall Street Journal and other sources claim that Chinese state actors dubbed ‘Salt Typhoon’ are also implicated in the ongoing exploitation of known flaws in server software including Adobe ColdFusion and Microsoft’s Exchange Server.


CISA ‘Known Exploited Vulnerabilities’

CISA (America’s Cyber Defense Agency) maintains a catalogue of ‘KEVs’ (Known Exploited Vulnerabilities), publishing alerts of known exploitations on an often-daily basis. Although intended primarily as advisories for US governmental and federal agencies, the list is openly published for the benefit of the wider cybersecurity community and network defenders, and to help every organisation better manage vulnerabilities and keep pace with a volatile and shifting threat landscape.
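As an added illustration of how the catalogue can feed a prioritisation process as described above (this is example code written for this page, not AppCheck’s tooling or a CISA-provided script), the following filters a KEV-style feed to the entries added in a given seven-day window and separates out older entries whose remediation due date has already passed. The JSON field names (`cveID`, `vendorProject`, `product`, `vulnerabilityName`, `dateAdded`, `dueDate`, `knownRansomwareCampaignUse`) and the feed URL follow the public CISA feed as the editor understands it and should be treated as assumptions to be checked against the live feed; the sample entries are constructed for the example, reusing CVE identifiers from this roundup with made-up dates.

```python
"""Weekly triage of a CISA KEV-style catalogue (added example, not AppCheck's code).

Schema and feed URL are assumptions based on the public CISA KEV JSON feed;
verify them against the live feed before relying on this.
"""
import json
from datetime import date, timedelta

# Assumed location of the public feed; the example itself runs offline on SAMPLE_FEED.
KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed sample in the feed's shape. CVE ids come from this roundup;
# the dates and ransomware flags are made up for the example.
SAMPLE_FEED = json.dumps({
    "title": "Constructed KEV-style sample",
    "vulnerabilities": [
        {"cveID": "CVE-2019-0604", "vendorProject": "Microsoft", "product": "SharePoint",
         "vulnerabilityName": "Microsoft SharePoint Remote Code Execution Vulnerability",
         "dateAdded": "2021-11-03", "dueDate": "2022-05-03", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2021-22005", "vendorProject": "VMware", "product": "vCenter Server",
         "vulnerabilityName": "VMware vCenter Server File Upload Vulnerability",
         "dateAdded": "2021-11-03", "dueDate": "2022-05-03", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2023-26360", "vendorProject": "Adobe", "product": "ColdFusion",
         "vulnerabilityName": "Adobe ColdFusion Deserialization of Untrusted Data Vulnerability",
         "dateAdded": "2023-03-15", "dueDate": "2023-04-05", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2024-45229", "vendorProject": "Versa", "product": "Director",
         "vulnerabilityName": "Versa Director Improper Input Validation Vulnerability",
         "dateAdded": "2024-09-23", "dueDate": "2024-10-14", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2024-7593", "vendorProject": "Ivanti", "product": "Virtual Traffic Manager",
         "vulnerabilityName": "Ivanti Virtual Traffic Manager Authentication Bypass Vulnerability",
         "dateAdded": "2024-09-24", "dueDate": "2024-10-15", "knownRansomwareCampaignUse": "Known"},
    ],
})


def load_catalogue(text: str) -> list[dict]:
    """Parse the feed JSON and return its list of vulnerability entries."""
    return json.loads(text)["vulnerabilities"]


def _day(value: str) -> date:
    """Feed dates are ISO YYYY-MM-DD strings."""
    return date.fromisoformat(value)


def added_in_window(entries: list[dict], start: date, end: date) -> list[dict]:
    """Entries whose dateAdded falls within [start, end] inclusive."""
    return [e for e in entries if start <= _day(e["dateAdded"]) <= end]


def overdue(entries: list[dict], as_of: date) -> list[dict]:
    """Entries whose remediation dueDate has already passed as of the given day.

    Old catalogue entries that resurface (see the SharePoint and vCenter items
    in this roundup) are exactly the ones that should already be closed.
    """
    return [e for e in entries if _day(e["dueDate"]) < as_of]


def prioritise(entries: list[dict]) -> list[dict]:
    """Order for triage: known ransomware use first, then earliest due date."""
    def key(e: dict):
        ransomware_rank = 0 if e.get("knownRansomwareCampaignUse") == "Known" else 1
        return (ransomware_rank, e["dueDate"], e["cveID"])
    return sorted(entries, key=key)


def weekly_report(text: str, week_end: date) -> dict[str, list[str]]:
    """Return the CVE ids added in the seven days ending week_end, plus the overdue backlog."""
    entries = load_catalogue(text)
    week_start = week_end - timedelta(days=6)
    new = prioritise(added_in_window(entries, week_start, week_end))
    backlog = prioritise(overdue(entries, week_end))
    return {
        "new": [e["cveID"] for e in new],
        "overdue": [e["cveID"] for e in backlog],
    }


if __name__ == "__main__":
    # Against the live feed you would replace SAMPLE_FEED with the body fetched
    # from KEV_FEED_URL; here the constructed sample keeps the run offline.
    report = weekly_report(SAMPLE_FEED, date(2024, 9, 26))
    for bucket, cves in report.items():
        print(f"{bucket}: {', '.join(cves)}")
```

The two lists map onto the two kinds of item in a roundup like this one: entries that were catalogued this week, and older catalogue entries that are being exploited again and should already be patched under their original due date.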


Microsoft SharePoint – RCE Exploit (CVE-2019-0604)

Previously flagged by CISA as one of their ‘Top 10 Routinely Exploited Vulnerabilities’ for 2020, at which time it was exploited as part of targeted ransomware campaigns, telemetry data from IDS solutions and honeypot operators this week suggested a resurgence in active exploitation of the vulnerability. Security researchers have tied the latest round of exploitation activity to an Iranian advanced persistent threat (APT) actor that they claim is likely affiliated with the Ministry of Intelligence and Security (MOIS), acting as an initial access facilitator that provides remote access to target networks.


Versa Director – Critical Alert of Potential Leak of Authentication Tokens (CVE-2024-45229)

CISA issued a special advisory over the weekend warning customers of Versa Networks’ virtualization and service creation platform to check for potential compromise, hunt for any malicious activity and to report any positive findings to them. This unusual step indicates that they believe that there is a very high risk of exploit of the vulnerability in the coming days and weeks. CISA have previously published warnings of active exploitation of earlier critical vulnerabilities in the Versa Director solution, including most recently just last month (August 2024) under CVE-2024-39717. That previous activity was at the time attributed to Chinese state-sponsored threat actors including ‘Volt Typhoon’.


VMware vCenter – Exploitation of Multiple Critical Vulnerabilities (CVE-2021-21972 and CVE-2021-22005)

These vulnerabilities were previously reported by CISA (America’s Cyber Defense Agency) under its ‘KEV’ (Known Exploited Vulnerabilities) catalogue process as undergoing active exploitation as of November 2021. However, third-party researchers have this week (September 2024) advised that the vulnerabilities are again being weaponised for exploitation, this time by a hacktivist group known as ‘Twelve’.


Ivanti Virtual Traffic Manager (vTM) Authentication Bypass Exploitation (CVE-2024-7593)

This week, CISA have re-issued an earlier advisory (originally posted in August) warning of the ongoing exploitation of a critical authentication bypass flaw in the web admin UI of Ivanti’s ‘vTM’ application delivery controller solution. It is unknown if this re-issued advisory relates to a second wave of attacks by the same threat actor, or an unrelated attack campaign by a new party. Oddly, Ivanti’s support article still states that the company is unaware of any ongoing exploitation, putting the company’s position at odds both with the now-two CISA advisories as well as exploitation attempts reported by multiple third-party operators of honeypot and IDS solutions.


Adobe ColdFusion targeted in ‘SaltTyphoon’ Attacks (CVE-2023-26360)

A second exploitation also previously announced under a CISA KEV advisory back in 2023, a deserialization flaw in Adobe’s ColdFusion server has recently seen a substantial uptick in targeted exploitation attempts. Reports in the Wall Street Journal and other sources seem to indicate that the activity may be linked to the threat actor known as ‘Salt Typhoon’, which has been linked to previous exploits of both ColdFusion and other technologies such as Microsoft’s Exchange Server.

Elsewhere on the Web

Although CISA provides a generally broad coverage of the highest profile exploitations, it can sometimes lag behind the curve in time to initial report for emerging exploitations. It can also sometimes deliberately not publish some exploitations if it feels that there is limited threat to US government and federal agencies, due to its operational remit. AppCheck therefore uses numerous alternate threat intelligence sources to enrich its coverage of high profile exploitations and 0-days reported elsewhere. AppCheck processes and aims to prioritise the addition of detection for known-exploited vulnerabilities highlighted in non-CISA sources, in exactly the same way as for CISA-published ones.


Raisecom MSG Gateways – Remote Code Execution (RCE) 0-Day (CVE-2024-7120)

An OS command injection vulnerability in Raisecom’s MSG series of data-access and converged gateways is confirmed to be undergoing exploitation since early September, with attackers being observed leveraging the vulnerability to download malware onto target devices, most likely as a precursor to recruitment of vulnerable devices into ever-growing ‘botnet’ control groups. Since the vendor has not yet provided a patch some weeks after the vulnerability was first published, this remains a critical ‘0-day’ vulnerability at present, with device operators left reliant on whatever manual mitigation efforts they can use to screen vulnerable devices from takeover.


Acme Mini-HTTPd Daemon – Malware Installation via Remote Arbitrary File Read Exploit (CVE-2018-18778)

Little information is available at the time of writing about which threat actor is exploiting this vulnerability in the wild. However, the HTTPD daemon is known to be used in a plethora of IoT (Internet of Things) devices, including routers from a number of manufacturers, so the attacks seem highly likely to be linked to recently reported upticks in botnet activity across the globe.


SolarWinds Web Help Desk (WHD) Hard-Coded Credential Exploitation (CVE-2024-28987)

This threat was previously reported as part of AppCheck’s Known Actively Exploited Vulnerabilities Round-up for 16.08.24-22.08.24, but since then, exploit code for this vulnerability has been publicly released which potentially increases the likelihood of active exploitation.

To keep up to date with future high-profile patches for critical exploits from vendors including Microsoft and Google, tune in next Friday for next week’s KEV roundup – and don’t forget to add the next ‘Patch Tuesday’ to your calendar now too – 8th October 2024.


About AppCheck

AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations’ websites, applications, network, and cloud infrastructure. AppCheck are authorized by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA).
