AppCheck presents our weekly roundup of critical vulnerabilities being actively exploited ‘in the wild’ by organised threat actors, during the week ending 1st November 2024. Organisations in both the public and private sectors can use the list each week as an input to their vulnerability management prioritisation framework: ‘Known Exploited Vulnerabilities’ are vulnerabilities that are confirmed as being actively used to target and exploit organisations around the globe within the last seven days. As such, they represent perhaps the greatest ongoing cybersecurity risk to businesses, and a very real and present threat. The vulnerabilities are often being exploited by highly organised criminal groups for direct financial gain, via techniques such as malware and ransomware installation. AppCheck summarises the details of each known ongoing exploitation below, but for full details – including impact, versions affected, and any remediation or mitigation guidance – check out AppCheck’s free ‘Detections Service’ at https://detections.appcheck-ng.com/ – you can click on the title of any of the exploitations below to see more information from this service.
This week: Only one pumpkin found in the patch from CISA this week, but it’s another case of the gift that keeps on giving with a resurgence in ‘Ripple20’ attacks targeting embedded devices that are notorious for not getting any firmware updates to bandage them up, typically being deployed and then somewhat forgotten about. Then there’s the ghostly threat group known as ‘IntelBroker’ who have been merrily stealing sensitive data using flaws in both Ivanti and Atlassian (and then telling scary bedtime stories on their very own cybercriminal forum). We also have a case of a security researcher getting a little too excited with all the chocolate treats and publicly releasing exploit code for a vulnerability only days after the original advisory was published, which has enabled a mass ransomware attack against nearly 22,000 servers running the CyberPanel web hosting administration software.
CISA (America’s Cyber Defense Agency) maintains a catalogue of ‘KEV’s (Known Exploited Vulnerabilities), publishing alerts of known exploitations on an often-daily basis. Although intended primarily as advisories for US governmental and federal agencies, the list is openly published for the benefit of the wider cybersecurity community and network defenders, and to help every organisation better manage vulnerabilities to keep pace with a volatile and shifting threat landscape.
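As an added illustration of using the weekly KEV list as an input to prioritisation (this is example code written here, not AppCheck's or CISA's own tooling), the script below filters a KEV-feed JSON document to entries added within the last seven days and ranks them against an asset inventory. The field names follow the shape of CISA's public KEV JSON feed; the catalogue entries, dates and inventory are constructed placeholders, not real records.

```python
import json
from datetime import date, timedelta

# Constructed sample in the shape of the CISA KEV JSON feed. The field names match the
# real feed; the CVE ids, products and dates are placeholders made up for this example.
SAMPLE_KEV_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-1900-0001", "vendorProject": "ExampleVendor", "product": "Embedded TCP/IP Stack",
         "dateAdded": "2024-10-30", "knownRansomwareCampaignUse": "Unknown", "dueDate": "2024-11-20"},
        {"cveID": "CVE-1900-0002", "vendorProject": "ExampleVendor", "product": "Hosting Panel",
         "dateAdded": "2024-10-29", "knownRansomwareCampaignUse": "Known", "dueDate": "2024-11-19"},
        {"cveID": "CVE-1900-0003", "vendorProject": "OtherVendor", "product": "Mail Gateway",
         "dateAdded": "2024-09-12", "knownRansomwareCampaignUse": "Unknown", "dueDate": "2024-10-03"},
    ],
})

# Constructed asset inventory: (vendor, product) pairs known to be present in the estate.
INVENTORY = {("ExampleVendor", "Embedded TCP/IP Stack"), ("ExampleVendor", "Hosting Panel")}


def kev_added_since(feed_json, as_of, days=7):
    """Return KEV entries whose dateAdded falls within the last `days` days up to `as_of`."""
    cutoff = as_of - timedelta(days=days)
    entries = json.loads(feed_json)["vulnerabilities"]
    return [e for e in entries if cutoff < date.fromisoformat(e["dateAdded"]) <= as_of]


def prioritise(entries, inventory, as_of):
    """Rank entries as (score, cveID), highest first: in-inventory products weigh most,
    then known ransomware use, then how close the CISA due date is."""
    ranked = []
    for e in entries:
        score = 0
        if (e["vendorProject"], e["product"]) in inventory:
            score += 100
        if e.get("knownRansomwareCampaignUse") == "Known":
            score += 10
        days_to_due = (date.fromisoformat(e["dueDate"]) - as_of).days
        score += max(0, 30 - days_to_due)  # closer due date, higher urgency
        ranked.append((score, e["cveID"]))
    return sorted(ranked, reverse=True)


def weekly_priorities(feed_json, inventory, as_of_iso, days=7):
    """Convenience wrapper: filter to the trailing window ending on as_of_iso, then rank."""
    as_of = date.fromisoformat(as_of_iso)
    return prioritise(kev_added_since(feed_json, as_of, days), inventory, as_of)


if __name__ == "__main__":
    for score, cve in weekly_priorities(SAMPLE_KEV_FEED, INVENTORY, "2024-11-01"):
        print(f"{cve}: priority score {score}")
```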
Four years on from the initial discovery, and two years on from the last big wave of attacks warned about by CISA, the ‘Ripple20’ vulnerabilities in Treck’s TCP/IP library continue to cause a splash. In particular, CVE-2020-11899, a relatively modest medium-criticality out-of-bounds read has seen a spike in targeted exploitation. With a huge presence in embedded systems and IoT devices – estimates of up to one hundred million devices – and the common problem that many embedded devices never have their firmware updated after leaving the factory, the total attack surface is still enormous. Researchers claim to have observed 400,000 exploit attempts – not all of them successful – in a single week.
Although CISA provides a generally broad coverage of the highest profile exploitations, it can sometimes lag behind the curve in time to initial report for emerging exploitations. It can also sometimes deliberately not publish some exploitations if it feels that there is limited threat to US government and federal agencies, due to its operational remit. AppCheck therefore uses numerous alternate threat intelligence sources to enrich its coverage of high profile exploitations and 0-days reported elsewhere. AppCheck processes and aims to prioritise the addition of detection for known-exploited vulnerabilities highlighted in non-CISA sources, in exactly the same way as for CISA-published ones.
An unexpected resurgence for another somewhat older vulnerability this week, as threat intelligence sources reported the ongoing exploitation of an LDAP injection vulnerability in the Jenkins continuous integration platform. Although of critical concern when originally announced, and the trigger of an emergency out-of-band patch release by the vendor, this is one dish that was thought to have long grown cold. But as the recent spate of attacks confirms, and as with the resurgent targeting of ‘Ripple20’ (CISA KEV update above), it’s not only the latest critical vulnerabilities that can be exploited by well-organised threat groups with a flexible and adaptive arsenal at their disposal.
What could possibly go wrong following the public release of proof-of-concept exploit code only a few days after the vendor releases a patch for the issues? Mass ransomware exploitation, it transpires… The three vulnerabilities in question can be combined for the holy grail of unauthenticated remote code execution, which is exactly what threat actors have done in a massed PSAUX ransomware attack. Threat intelligence sources claim that nearly 22,000 vulnerable servers were exposed online, with only about 400 instances remaining online following the attack, and forums flooded with reports of compromised instances. It would be hard to argue against promoting responsible disclosure following cases such as this.
The threat group known as IntelBroker has exfiltrated data from several US government organisations by exploiting a flaw in several of Ivanti’s products. The same group was responsible for breaching Cisco in October 2024, said to have impacted over 1,000 organizations. After stealing data, this group is best known for either selling the data or even posting it online for free. They have also been linked to ransomware deployments and are not shy of blowing their own trumpet via posting on their very own cybercriminal forum.
The same threat group (IntelBroker) has also exploited a vulnerability in the PostgreSQL driver bundled with Atlassian’s Confluence Server product in the same series of attacks. Patched in Atlassian’s May 2024 Security Bulletin, the flaw is exploited to allow the execution of arbitrary commands via SQL injection. IntelBroker claimed responsibility for attacks against numerous organisations, including Autotrader, Volvo, AT&T, and Verizon, in addition to several other organisations across the government, telecommunications, automotive, and technology sectors.
A memory corruption bug in Apple iOS has been the target of active exploitation by threat actors following its inclusion in the ‘LightSpy2’ malware toolkit, a highly flexible collection of exploits that is able to target vulnerabilities in a range of vendor hardware and software, linking back to a centralised C&C (command and control) network. CISA has previously reported on the active exploitation of a number of other vulnerabilities in Apple’s operating systems – including most recently that of CVE-2024-23296, a separate but highly similar memory corruption vulnerability in Apple iOS, iPadOS, macOS, tvOS, and watchOS RTKit.
To keep up to date with future high-profile advisories for critical ongoing exploitations that may threaten your technical estate, tune in next Friday for next week’s KEV roundup.
We now offer additional coverage of critical security updates from several key vendors too, including:
AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations’ websites, applications, network, and cloud infrastructure. AppCheck is authorised by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA).