AppCheck presents our weekly roundup of critical vulnerabilities being actively exploited ‘in the wild’ by organised threat actors, during the week ending 15th November 2024. Organisations in both the public and private sectors can use the list each week as an input to their vulnerability management prioritisation framework: ‘Known Exploited Vulnerabilities’ are vulnerabilities that are confirmed as being actively used to target and exploit organisations around the globe within the last seven days. As such, they represent perhaps the greatest ongoing cybersecurity risk to businesses, and a very real and present threat. The vulnerabilities are often being exploited by highly organised criminal groups for direct financial gain, via techniques such as malware and ransomware installation. AppCheck summarises the details of each known ongoing exploitation below, but for full details – including impact, versions affected, and any remediation or mitigation guidance – check out AppCheck’s free ‘Detections Service’ at https://detections.appcheck-ng.com/ – you can click on the title of any of the exploitations below to see more information from this service.
This week: CISA is back on it with a vengeance this week, reporting a grand total of eight alerts about the exploitation of products from several top-tier vendors including Microsoft, Cisco, Palo Alto and Atlassian. That’s not to say that the many fine folks working independently in the threat intelligence sector have been slacking either, with a trio of exploits targeting Microsoft, D-Link and Citrix being reported by Fortinet and the not-for-profit Shadowserver Foundation. Extra attention for Microsoft is common following the publication of its now-infamous ‘Patch Tuesday’, and this week is no exception, giving them the top spot for the title of ‘most exploited vendor in the wild’ this week.
CISA (America’s Cyber Defense Agency) maintains a catalogue of ‘KEV’s (Known Exploited Vulnerabilities), publishing alerts of known exploitations on an often-daily basis. Although intended primarily as advisories for US governmental and federal agencies, the list is openly published for the benefit of the wider cybersecurity community and network defenders, and to help every organisation better manage vulnerabilities to keep pace with a volatile and shifting threat landscape.
My inner 14-year-old is incredibly excited that there is a webserver called “Nazgul Nostromo”. It sounds, frankly, AWESOME. Unfortunately, the niche webserver – used within embedded systems and appliances due to its minimal codebase and small executable resource footprint – is also subject to a more-serious-than-typical path traversal exploit, which can lead to Remote Code Execution. The vulnerability appears to have been widely known about for some time, with public exploit code existing for a while, but CISA has warned of widespread exploitation being observed only at the start of this week. With no definitive list of vendors utilising the open-source webserver, it could be some time until the full attack surface is known.
The first exploitation this week is one of a pair of ‘0-day’ vulnerabilities that were exploited prior to the release of a fix and likely prior to the vendor even being aware that there was a vulnerability at all. These are some of the most problematic vulnerabilities for organisations to address: since there is no fix available at time of discovery, and often no known threat pattern or indicators of compromise that can be watched for, attackers can effectively operate undetected. There are few technical details at this time but since the report is attributed to Google’s Threat Analysis Group (TAG) it is safe to assume that the exploitation is being performed by a highly sophisticated advanced persistent threat (APT) or nation-state group – patching this one is critical now that MS has released a fix.
Thought that Internet Explorer was a relic of the past, long since condemned to the scrap heap? Think again. Despite being formally retired, the legacy browser is still intrinsically interwoven throughout various components of both the Desktop and Server variants of Microsoft’s flagship operating system. And it’s those threads that attackers have found a way to unpick and exploit in this second ‘0-Day’ of the week from Microsoft. The payload this time is access to arbitrary user NTLM hashes, allowing attackers to pose as legitimate users in order to then access further services and systems.
Only a few short weeks ago we reported on a command injection vulnerability in Palo Alto’s legacy configuration-migration utility, and this week the same tool is back in the headlines again. In a somewhat topsy-turvy reversal, it’s an earlier vulnerability rather than a newer one that CISA are warning is undergoing exploitation in the wild this time: the service fails to require any authentication at all before happily agreeing to reset the administrative password for any attacker polite enough to request it.
Cisco aren’t the only vendor called out by CISA this month, with a report that the operators of the ‘AndroxGh0st’ malware/botnet have dusted off this decade-old Cisco vulnerability to exploit it as part of what is being called a ‘strategic expansion’ by the group. The heightened organisational and technical skills of modern threat actors present a formidable threat to organisations.
Data from the FortiGuard Recon Threat Intelligence team that showed over 30,000 exploitation attempts against a file inclusion vulnerability in data analysis platform Metabase led to CISA announcing it under their ‘KEV’ process as part of a flurry of advisories published on the monthly ‘Patch Tuesday’ for November. Further investigation now suggests that the vulnerability may have been targeted by a hacktivist group called ‘GhostSec’ since at least as early as May 2024.
If it looks like an iceberg, smells like an iceberg and moves like an iceberg, it’s probably an iceberg. Well, that’s the case here with another blast from the past for Oracle’s WebLogic server. This exploit was reported by CISA back in 2021, but now we can see that the active exploitation engine is bouncing off the rev limiter once again, with multiple sources giving indications that this access control flaw, which allows complete takeover of the vulnerable server, is undergoing a new wave of exploitation at scale.
The latest reported exploitation of a critical vulnerability in an Atlassian product follows hot on the heels of an advisory in September issued by the Federal Bureau of Investigation (FBI) – in partnership with CISA, the National Security Agency (NSA), and other U.S. and international partners – warning that Russian Military Cyber Actors were actively exploiting two earlier Atlassian vulnerabilities (CVE-2022-26134, CVE-2022-26138) to target U.S. and Global Critical Infrastructure. No word yet on the threat actors this time round, although it is possible it is the same parties involved in this latest exploitation.
Although CISA provides a generally broad coverage of the highest profile exploitations, it can sometimes lag behind the curve in time to initial report for emerging exploitations. It can also sometimes deliberately not publish some exploitations if it feels that there is limited threat to US government and federal agencies, due to its operational remit. AppCheck therefore uses numerous alternate threat intelligence sources to enrich its coverage of high profile exploitations and 0-days reported elsewhere. AppCheck processes and aims to prioritise the addition of detection for known-exploited vulnerabilities highlighted in non-CISA sources, in exactly the same way as for CISA-published ones.
To quote Ian Fleming, “Once is happenstance. Twice is coincidence. Three times is enemy action”. Whilst this vulnerability isn’t quite as old as the film from the book from which that line is stolen (Goldfinger, and a scarcely believable 1959), it’s certainly been around the block a few times. The latest exploitation, reported this time by researchers at Fortinet’s FortiGuard Labs, is at least the third major wave of exploitation of this 2017 flaw – this time being used to spread a Remote Access Trojan (RAT) via infected systems.
A tale almost as old as the internet, with an active exploitation targeting End-of-Life (EOL) network storage devices, this time from D-Link. Exploit code for the affected devices exists in the wild, and with attackers knowing that it will never be patched, sure enough the Shadowserver Foundation now reports the active exploitation of thousands of internet-facing vulnerable devices. No word on who’s responsible so far, but easy targets are sure to attract all manner of ne’er-do-wells to the party.
Information is limited at the time of writing but the non-profit Shadowserver organisation report the exploitation of a Citrix vulnerability against a number of organisations in the US. The impact is described as allowing “limited” remote code execution, which is a little ambiguous and seems somewhat akin to describing your hair as being only “slightly on fire” but – as we have seen before – vendors do seem to like to downplay these issues where possible, even when real-world attacks are in progress.
To keep up to date with future high-profile advisories for critical ongoing exploitations that may threaten your technical estate, tune in next Friday for next week’s KEV roundup.
AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations websites, applications, network, and cloud infrastructure. AppCheck are authorized by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA).