AppCheck presents our weekly roundup of critical vulnerabilities being actively exploited ‘in the wild’ by organised threat actors, during the week ending 29th November 2024. Organisations in both the public and private sectors can use the list each week as an input to their vulnerability management prioritisation framework: ‘Known Exploited Vulnerabilities’ are vulnerabilities that are confirmed as being actively used to target and exploit organisations around the globe within the last seven days. As such, they represent perhaps the greatest ongoing cybersecurity risk to businesses, and a very real and present threat. The vulnerabilities are often being exploited by highly organised criminal groups for direct financial gain, via techniques such as malware and ransomware installation. AppCheck summarises the details of each known ongoing exploitation below, but for full details – including impact, versions affected, and any remediation or mitigation guidance – check out AppCheck’s free ‘Detections Service’ at https://detections.appcheck-ng.com/ – you can click on the title of any of the exploitations below to see more information from this service.
This week: A quartet of show tunes from CISA, with reports of active exploitations targeting products from VMware, Microsoft, F5 and Array Networks. A clear theme running through this week’s reported attacks is that they all feature repeat reruns of vulnerabilities originally reported – and originally exploited – between 2020 and 2023. Chart toppers will always be popular favourites, it seems. Elsewhere, researchers from Team Nautilus have also discovered renewed exploitation of a flaw (first seen in 2021) in routers from multiple brands that run Arcadyan firmware. The repeated exploitation of older vulnerabilities in public-facing software and hardware underlines the importance of diligence in remediating any flaws in the security of internet-facing devices, and in rooting out legacy systems that may be EOL and no longer receiving security updates.
CISA (America’s Cyber Defense Agency) maintains a catalogue of ‘KEVs’ (Known Exploited Vulnerabilities), publishing alerts of known exploitations on an often-daily basis. Although intended primarily as advisories for US governmental and federal agencies, the list is openly published for the benefit of the wider cybersecurity community and network defenders, and to help every organisation better manage vulnerabilities to keep pace with a volatile and shifting threat landscape.
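The two paragraphs above describe using the KEV catalogue as an input to vulnerability-management prioritisation: a listing is a confirmed-exploited flaw, internet-facing and EOL assets carry the most risk, and entries added within the last seven days are the most urgent. The script below is an added example (not AppCheck’s or CISA’s code) of that join between a KEV-shaped feed and an asset inventory. The feed text and the inventory are constructed sample data with placeholder CVE identifiers; the JSON field names (cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse) follow the public CISA KEV feed’s schema, and the scoring weights are an arbitrary assumption to be tuned per organisation.

```python
"""Prioritise an asset inventory against a KEV-shaped catalogue.

Added example, not code from AppCheck or CISA. SAMPLE_KEV_JSON and ASSETS are
constructed sample data; the CVE identifiers are placeholders, not real CVEs.
"""
import json
from datetime import date, timedelta

# Constructed KEV-shaped feed. Field names mirror the public CISA KEV JSON schema.
SAMPLE_KEV_JSON = """
{
  "vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "EdgeGateway",
     "vulnerabilityName": "EdgeGateway OS command injection (placeholder)",
     "dateAdded": "2024-11-27", "dueDate": "2024-12-18", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "FileShare",
     "vulnerabilityName": "FileShare authentication bypass (placeholder)",
     "dateAdded": "2023-05-01", "dueDate": "2023-05-22", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0003", "vendorProject": "OtherCorp", "product": "RouterFW",
     "vulnerabilityName": "RouterFW path traversal (placeholder)",
     "dateAdded": "2021-08-01", "dueDate": "2021-08-22", "knownRansomwareCampaignUse": "Unknown"}
  ]
}
"""

# Constructed asset inventory: what the organisation runs, where, and whether it is still supported.
ASSETS = [
    {"host": "fw-edge-01", "vendor": "ExampleVendor", "product": "EdgeGateway", "internet_facing": True, "eol": False},
    {"host": "share-01", "vendor": "ExampleVendor", "product": "FileShare", "internet_facing": True, "eol": False},
    {"host": "rtr-branch-7", "vendor": "OtherCorp", "product": "RouterFW", "internet_facing": True, "eol": True},
    {"host": "db-01", "vendor": "ExampleVendor", "product": "Database", "internet_facing": False, "eol": False},
]

# Assumed reporting date, matching the week this roundup covers.
REPORT_DATE = date(2024, 11, 29)


def load_kev(feed_text):
    """Index a KEV-shaped feed by (vendor, product), case-insensitively."""
    index = {}
    for entry in json.loads(feed_text)["vulnerabilities"]:
        key = (entry["vendorProject"].lower(), entry["product"].lower())
        index.setdefault(key, []).append(entry)
    return index


def score_match(asset, entry, today, window_days=7):
    """Assumed scoring: every KEV hit is urgent; exposure and EOL status push it higher."""
    score, reasons = 100, ["listed in KEV catalogue"]
    if asset["internet_facing"]:
        score += 50
        reasons.append("internet-facing")
    if entry.get("knownRansomwareCampaignUse", "").lower() == "known":
        score += 30
        reasons.append("used in ransomware campaigns")
    if today - date.fromisoformat(entry["dateAdded"]) <= timedelta(days=window_days):
        score += 20
        reasons.append("added to KEV within the last %d days" % window_days)
    if asset["eol"]:
        # No vendor fix is coming: the only remediations are isolation or replacement.
        score += 20
        reasons.append("EOL: no vendor fix expected, isolate or replace")
    if date.fromisoformat(entry["dueDate"]) < today:
        score += 10
        reasons.append("past remediation due date")
    return score, reasons


def prioritise(assets, kev_index, today, window_days=7):
    """Join inventory against the KEV index; return findings, highest score first."""
    findings = []
    for asset in assets:
        key = (asset["vendor"].lower(), asset["product"].lower())
        for entry in kev_index.get(key, []):
            score, reasons = score_match(asset, entry, today, window_days)
            findings.append({"host": asset["host"], "cve": entry["cveID"],
                             "score": score, "reasons": reasons})
    findings.sort(key=lambda f: (-f["score"], f["host"]))
    return findings


if __name__ == "__main__":
    for f in prioritise(ASSETS, load_kev(SAMPLE_KEV_JSON), REPORT_DATE):
        print("%-14s %-14s %4d  %s" % (f["host"], f["cve"], f["score"], "; ".join(f["reasons"])))
```

With the sample data the internet-facing gateway with a fresh, ransomware-linked listing ranks first, the EOL branch router second (it can only be isolated or replaced, which is the point of the paragraph above about rooting out legacy systems), and the long-overdue file-sharing server third; the database does not appear because nothing in the feed matches it. Swapping the constructed feed for the real CISA JSON and the inventory for a CMDB export is all that is needed to run this weekly.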
An expression-language injection vulnerability in Spring Cloud Function is one of a trifecta of nasties that have been reported to be exploited in the wild by CISA previously, but that are now seeing renewed exploitation activity. A report published this week by Cato Networks states that this vulnerability is one of the “TOP 10” most exploited that they have seen in their data analysis.
A server-side request forgery (SSRF) vulnerability in Microsoft’s Exchange Server from 2021 was one of a set of four vulnerabilities used in an exploit chain dubbed ‘ProxyLogon’. Another flaw previously reported by CISA as being exploited in the wild, this vulnerability is also listed as one of the “TOP 10” most exploited in the report published this week by Cato Networks.
A ‘difference of opinion’ in how to resolve paths between the HTTPD and Tomcat services in F5’s BIG-IP line of application delivery controllers is undergoing a resurgence in exploitation, according to data released last week. Originally patched – and highlighted by CISA – back in 2020, a year after its initial discovery, unpatched instances apparently remain ripe for exploitation. Since all public-facing instances must surely have been compromised in the initial wave of attacks, it is likely that the latest wave of attacks is occurring as part of a more sophisticated multi-step exploitation by advanced (APT) threat actors who have gained an initial foothold in corporate networks via unrelated vulnerabilities.
Array Networks put a fair degree of emphasis in their marketing materials on the fact that their ‘Array OS’ network operating system – used across their range of security and application delivery controllers – is a hardened and security-first platform with a minimal attack surface. That hasn’t stopped attackers from finding – and exploiting – a series of injection vulnerabilities in the web interfaces of deployed appliances from the company. That’s according to researchers at Trend Micro and the Japanese security lab LAC, who report that they have been tracking a threat group known as ‘Earth Kasha’ since 2019. In an advisory this week, the team noted that the threat group has recently expanded its arsenal to scale up attacks against a range of organisations, including those in the advanced technology and governmental sectors.
Although CISA provides a generally broad coverage of the highest profile exploitations, it can sometimes lag behind the curve in time to initial report for emerging exploitations. It can also sometimes deliberately not publish some exploitations if it feels that there is limited threat to US government and federal agencies, due to its operational remit. AppCheck therefore uses numerous alternate threat intelligence sources to enrich its coverage of high profile exploitations and 0-days reported elsewhere. AppCheck processes and aims to prioritise the addition of detection for known-exploited vulnerabilities highlighted in non-CISA sources, in exactly the same way as for CISA-published ones.
Zyxel Networks have published information confirming that an OS command injection flaw in the firmware for its ATP/USG series firewalls has been used as the initial attack vector for the delivery of ransomware by a group known as ‘Helldown’, originally reported by Sekoia back in October. It’s no surprise that the compromise of firewalls or VPN gateways remains a favourite tactic for ransomware groups looking to gain an initial foothold from which to burrow deeper into corporate networks.
With a reported 44% of public-facing instances of the product remaining unpatched almost 18 months after the release of a fix, it’s no surprise that threat actors have been reaping the rewards. Researchers report that exploitation is ‘widespread’ due to the ‘abysmal’ patching rates. ProjectSend is used to securely transfer files between organisations and clients, meaning that – as with earlier exploitations of similar products, including the MFT line from Progress – this has led to the disclosure of highly sensitive data. If you run ProjectSend, upgrading is advised ASAP.
A flaw in the firmware of routers from multiple vendors including Arcadyan was first disclosed back in 2021, attributed at that time to Chinese threat actors leveraging it to deploy a Mirai botnet variant. In September 2024, CISA reported that this flaw was again being targeted, along with 60 others, by nation-state threat actors. However, this latest wave of exploitation appears to be somewhat lower-tech. Researchers at Aqua Nautilus have observed renewed exploitation by a group dubbed ‘Matrix’. They estimate the group are probable ‘script kiddies’: lower-skilled threat actors piggybacking on the work of others and often re-deploying simple, publicly available exploit scripts. With so many internet-facing devices running vulnerable firmware, even these low-skilled attackers are finding targets aplenty.
‘Power Apps’ isn’t yet a household name in Microsoft’s portfolio – the product is Microsoft’s entry into the ‘low-code’ space, designed to compete against a wide range of offerings from Appian, Appsmith, Salesforce, Zoho and others. Details are extremely sparse – as is typical from the traditionally tight-lipped Microsoft – but the company has simply reported (and since confirmed to reporters) that the platform has “been exploited”.
To keep up to date with future high-profile advisories for critical ongoing exploitations that may threaten your technical estate, tune in next Friday for next week’s KEV roundup.
We now offer additional coverage of critical security updates from several key vendors too, including:
AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations’ websites, applications, network, and cloud infrastructure. AppCheck are authorized by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA).