AppCheck presents our weekly roundup of critical vulnerabilities being actively exploited ‘in the wild’ by organised threat actors, during the week ending 11th October, 2024. Organisations in both the public and private sectors can use the list each week as an input to their vulnerability management prioritisation framework: ‘Known Exploited Vulnerabilities’ are vulnerabilities that are confirmed as being actively used to target and exploit organisations around the globe within the last seven days. As such, they represent perhaps the greatest ongoing cybersecurity risk to businesses, and a very real and present threat. The vulnerabilities are often being exploited by highly organised criminal groups for direct financial gain, via techniques such as malware and ransomware installation. AppCheck summarises the details of each known ongoing exploitation below, but for full details – including impact, versions affected, and any remediation or mitigation guidance – check out AppCheck’s free ‘Detections Service’ at https://detections.appcheck-ng.com/ – you can click on the title of any of the exploitations below to see more information from this service.
A busy start courtesy of the folks at Microsoft with the release of its key security updates for critical security vulnerabilities as part of ‘Patch Tuesday’. One of the busiest rounds of updates we’ve seen from Microsoft since July; this month’s bundle included two “actively exploited” vulnerabilities – the most critical threat to many organisations. Key vulnerabilities announced this month by the Redmond, Washington-based tech giant included a remote code execution (RCE) vulnerability in the Microsoft Management Console (CVE-2024-43572) and the latest in a series of exploits targeting weaknesses in the company’s legacy MSHTML Platform – something that is surely due for retirement soon given its legacy status and the repeated discovery of critical flaws in it over the last year.
CISA (America’s Cyber Defense Agency) maintains a catalogue of ‘KEV’s (Known Exploited Vulnerabilities) and publishes alerts of known exploitations, on an often-daily basis. Although intended primarily as advisories for US governmental and federal agencies, the list is openly published for the benefit of the wider cybersecurity community and network defenders, and to help every organisation better manage vulnerabilities to keep pace with a volatile and shifting threat landscape.
A critical remote code execution (RCE) vulnerability in Microsoft Management Console has been confirmed by Microsoft as undergoing active exploitation in the wild by attackers, who are using it to execute arbitrary code on targeted devices in customer environments. Microsoft has released a security patch which prevents untrusted Microsoft Saved Console (MSC) files from being opened, to protect users against adversaries trying to exploit this vulnerability.
A platform spoofing vulnerability in the Windows MSHTML Platform has also been confirmed as exploited in the wild. Although the underlying flaw is classed as cross-site scripting (XSS), Microsoft’s classification of this as a ‘spoofing’ vulnerability suggests that adversaries have been gaining unauthorized access to customer environments by tricking users into accepting links or data from them as coming from a trusted source.
A vulnerability in Fortinet’s FortiOS software, first reported back in February 2024, is undergoing active exploitation according to CISA this week. The vendor, at the time of writing, has not issued any notice of exploitation or updated their guidance to customers. This attack is the latest of over a dozen vulnerabilities in Fortinet software for which CISA has issued notices warning of active exploitation, the most recent previous advisory being in April earlier this year.
Would calling this a ‘hat-trick’ be too flippant, we wonder? Three separate vulnerabilities in Ivanti’s Cloud Service Appliance (CSA) have been found to be undergoing exploitation in the wild, chained with a fourth vulnerability in the same platform (CVE-2024-8963) that was itself reported to be undergoing exploitation just last month. It has been a bruising few months for Ivanti, with critical – and exploited – flaws in their products having been covered now in almost every one of our KEV roundups for the last quarter.
Although CISA provides a generally broad coverage of the highest profile exploitations, it can sometimes lag behind the curve in time to initial report for emerging exploitations. It can also sometimes deliberately not publish some exploitations if it feels that there is limited threat to US government and federal agencies, due to its operational remit. AppCheck therefore uses numerous alternate threat intelligence sources to enrich its coverage of high-profile exploitations and 0-days reported elsewhere. AppCheck processes and aims to prioritise the addition of detection for known-exploited vulnerabilities highlighted in non-CISA sources, in exactly the same way as for CISA-published exploitations.
The recent surge in directed-botnet DDoS attacks continued apace this week, with an announcement from Cloudflare that it had seen the largest denial of service attack in history. An authentication flaw in multiple models of router from Taiwanese multinational ASUS had been co-opted into a massive, coordinated strike targeting companies in several sectors across the globe, with a combined rate of two billion packets per second and 3.8 Tbps total bandwidth. The threat from botnets does not look like letting up anytime soon.
The cybersecurity Twittersphere has been abuzz since late September about an upcoming announcement around multiple vulnerabilities in the CUPS printing service from Apple/OpenPrinting (as used in operating systems including macOS, Linux and FreeBSD). The publication of the details for the vulnerabilities ended up being an acrimonious tussle between the reporter of the vulnerabilities and the software maintainers as to the severity of the bugs. However, several weeks later, and with proof of concept code released, several sources have confirmed – despite the vulnerabilities being highly technical and difficult to pull off – that exploitations are being observed in the wild.
The Shadowserver Foundation, a non-profit security organization that gathers and analyses data on malicious Internet activity, reported at the start of this week that it had observed limited exploitation of a flaw in the NS-ASG application security gateway from Chinese network security vendor Netcom (NetEntSec). In 2013, SQL injection was rated the number one attack on the OWASP Top Ten, but it has not been as prominent in recent years and is considered something of a ‘solved problem’, since it is easily protected against by developers via measures such as parameterized statements. This latest exploitation shows that there is still some mileage left for attackers in this exploit technique.
On Monday, Okta warned customers of their ‘Okta Classic’ SSO solution of the potential compromise of customer instances stretching from mid-July to October 4th, when the issue was patched. The company has provided full details on how customers can check if their instance was compromised and have urged customers to contact them if they need assistance. Because the solution can be integrated to provide authentication to a wide number of platforms, the impact of a compromise could be extensive for any given organisation.
Limited exploitation in the wild has been reported for this unusual attack vector, which allows an attacker to submit a ‘dump’ file to an organisation for debugging, but which can trigger the execution of arbitrary malicious code on the victim developer’s machine. The exploit is possible due to a weakness in Visual Studio that allows existing validation of dump files to be bypassed, side-stepping malware protection measures.
Tuesday saw the delivery of an advisory from Qualcomm relating to a vulnerability found in the firmware of several dozen of their chipsets. A similar vulnerability had previously been reported back in December 2023, but this time around the vendor has made the first move, issuing a warning that this vulnerability may be under limited, targeted exploitation. This information has also been confirmed by several independent security researchers, so it is definitely a threat to be considered as ‘in the wild’.
Although Oracle are remaining tight-lipped for the moment, third parties report that a critical authentication bypass in the company’s WebLogic Server is the latest of a dozen vulnerabilities in the company’s products to be undergoing active exploitation. In the latest attacks, reported to be targeting large and lucrative targets, organised ransomware threat groups have extorted businesses for payouts of up to $75 million.
Wednesday saw an alert issued by Mozilla that they had observed a ‘use after free’ vulnerability in their popular web browser Firefox being actively exploited in the wild by attackers to execute malicious code. Whilst there are next to no details on how the vulnerability is being exploited or the identity of the threat actors behind it, a report such as this, coming directly from the vendor, should not be ignored.
To keep up to date with future high-profile patches for critical exploits from several key vendors, tune in next Friday for next week’s KEV roundup.
Don’t forget to add the next ‘Patch Tuesday’ from Microsoft to your calendar now too – 12th November 2024.
AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations’ websites, applications, network, and cloud infrastructure. AppCheck are authorized by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA).