AppCheck presents our weekly roundup of critical vulnerabilities being actively exploited ‘in the wild’ by organised threat actors, during the week ending Friday 8th November 2024. Organisations in both the public and private sectors can use the list each week as an input to their vulnerability management prioritisation framework: ‘Known Exploited Vulnerabilities’ are vulnerabilities that are confirmed as being actively used to target and exploit organisations around the globe within the last seven days. As such, they represent perhaps the greatest ongoing cybersecurity risk to businesses, and a very real and present threat. The vulnerabilities are often being exploited by highly organised criminal groups for direct financial gain, via techniques such as malware and ransomware installation. AppCheck summarises the details of each known ongoing exploitation below, but for full details – including impact, versions affected, and any remediation or mitigation guidance – check out AppCheck’s free ‘Detections Service’ at https://detections.appcheck-ng.com – you can click on the title of any of the exploitations below to see more information from this service.
This week: It's not clear whether CISA is facing resource shortages, is distracted by US electoral matters, or simply doesn't believe that US federal agencies specifically are threatened by the majority of the known exploitations revealed recently – but most of this week's alerts have come from third-party researchers stepping up to the plate. Threat Intelligence sources including corporate giant Microsoft and the not-for-profit organisation Shadowserver have between them issued critical alerts over the ongoing exploitation of varied platforms including Splunk's data query solution, Microsoft SQL Server, Sophos Firewall appliances, and both the OSX and Android operating systems.
CISA (America’s Cyber Defense Agency) maintains a catalogue of ‘KEV’s (Known Exploited Vulnerabilities), publishing alerts of known exploitations on an often-daily basis. Although intended primarily as advisories for US governmental and federal agencies, the list is openly published for the benefit of the wider cybersecurity community and network defenders, and to help every organisation better manage vulnerabilities to keep pace with a volatile and shifting threat landscape.
CISA reported this week that several models of network-enabled high-fidelity video cameras from PTZOptics – and potentially other vendors – had been compromised by attackers due to a pair of critical vulnerabilities. With reported attacks now thought to stretch back as early as June, anyone with impacted devices is strongly advised to check for signs of compromise in addition to patching alone – attackers have been observed installing web shells and seeking to spread further into corporate networks in so-called ‘pivot’ attacks.
Although CISA provides a generally broad coverage of the highest profile exploitations, it can sometimes lag behind the curve in time to initial report for emerging exploitations. It can also sometimes deliberately not publish some exploitations if it feels that there is limited threat to US government and federal agencies, due to its operational remit. AppCheck therefore uses numerous alternate threat intelligence sources to enrich its coverage of high profile exploitations and 0-days reported elsewhere. AppCheck processes and aims to prioritise the addition of detection for known-exploited vulnerabilities highlighted in non-CISA sources, in exactly the same way as for CISA-published ones.
Following the original active exploitation of this bundle of RCE joy back in September 2023, the vendor has now discovered that the original patch for this issue wasn't as comprehensive as they might have hoped. Finding a way to bypass the fix only further demonstrates the tenacity of threat actors. Let's hope that the fix which fixes the fix won't be bypassed again. The real message here, though, is the risk of continuing to use legacy devices that are staring into the abyss that is 'end-of-life' (EOL).
The warning systems at FortiGuard have detected a renewed effort to deploy the Mallox ransomware, using this little gem of a remote code execution flaw lurking within Microsoft SQL Server. Whilst this ransomware first appeared in June 2021, the continued presence of vulnerable SQL Servers (specifically those of a 2014, 2016 or 2017 vintage) is a stark reminder of the ever-present danger posed by continuing to deploy, and expose, out-of-support or unpatched database instances holding data that can be held for ransom.
Next up, the ever-vigilant warning systems of ShadowServer report the active exploitation of a critical path traversal flaw in the popular data-analysis platform Splunk. The flaw allows the unauthorised remote retrieval of critical system files, including old favourites such as the 'passwd' and 'shadow' user databases, which contain sensitive information such as authentication credentials. With exploit code publicly available from multiple sources, it is likely that multiple threat actors will attempt further exploitation against any exposed instances.
In somewhat unsporting reporting, researchers at decades-long rivals Microsoft published details this week of a flaw in Apple’s macOS (formerly OSX) operating system – and then followed it up with a further advisory that exploitation has now been seen in the wild. The flaw in question lies in Apple’s ‘TCC’ protection mechanism, which is meant to prevent apps from gaining unauthorised access to restricted and sensitive data. Exploitation delivers elevated privileges and data exfiltration possibilities. Patches are available now for vulnerable MDM-managed corporate devices.
Threat actors have seemingly been exploiting a '0-day' vulnerability in the Android OS that allows them to bypass the developer's intended restrictions (introduced in Android 11) that prevent one application from accessing another's data. With news of the exploitation dropping at the same time as the patch, it seems likely that Google is slamming the stable doors closed only after various attackers have made off with all the stallions. If you have MDM-managed corporate mobile devices running Android OS, this one looks like it needs patching as a matter of urgency.
A vulnerability in a legacy Windows hardware library is being exploited at claimed ‘massive’ scale as part of the ‘SteelFox’ crimeware-crimewave. Even where the vulnerable library isn’t already present, attackers are retrieving and installing it on vulnerable systems, specifically to then exploit a known ‘write-what-where’ vulnerability in the signed package that bypasses Windows’ memory protection mechanisms.
To keep up to date with future high-profile advisories for critical ongoing exploitations that may threaten your technical estate, tune in next Friday for next week’s KEV roundup.
We now offer additional coverage of critical security updates from several key vendors too, including:
AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations' websites, applications, network, and cloud infrastructure. AppCheck is authorized by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA).