AppCheck presents our weekly roundup of critical vulnerabilities being actively exploited ‘in the wild’ by organised threat actors, during the week ending 18th October 2024. Organisations in both the public and private sectors can use the list each week as an input to their vulnerability management prioritisation framework: ‘Known Exploited Vulnerabilities’ are vulnerabilities that are confirmed as being actively used to target and exploit organisations around the globe within the last seven days. As such, they represent perhaps the greatest ongoing cybersecurity risk to businesses, and a very real and present threat. The vulnerabilities are often being exploited by highly organised criminal groups for direct financial gain, via techniques such as malware and ransomware installation. AppCheck summarises the details of each known ongoing exploitation below, but for full details – including impact, versions affected, and any remediation or mitigation guidance – check out AppCheck’s free ‘Detections Service’ at https://detections.appcheck-ng.com – you can click on the title of any of the exploitations below to see more information from this service.
This week: As we covered just last month, multiple national cybersecurity agencies including the FBI, CNMF, NSA, and NCS issued a security alert warning of the compromise of up to 260,000 Internet-connected devices in a campaign attributed to Chinese (PRC)-linked cyber actors (https://appcheck-ng.com/known-actively-exploited-vulnerabilities-round-up-20-09-24-26-09-24/). At the time, the agencies reported that Chinese state actors dubbed ‘Salt Typhoon’ were also implicated in the ongoing exploitation of known flaws in server software including Adobe ColdFusion and Microsoft Exchange Server. In an update published this week, however, the NSA warned of the exploitation of several further vulnerabilities in common server software and network appliances: Apache HTTP Server (CVE-2021-42013), Apache Tapestry (CVE-2021-27850), Fortinet FortiOS (CVE-2018-13379) and Microsoft Exchange Server (CVE-2023-36745). All four are covered in turn below.
CISA (America’s Cyber Defense Agency) maintains a catalogue of KEVs (Known Exploited Vulnerabilities), publishing alerts of known exploitations on an often-daily basis. Although intended primarily as advisories for US governmental and federal agencies, the list is openly published for the benefit of the wider cybersecurity community and network defenders, and to help every organisation better manage vulnerabilities and keep pace with a volatile and shifting threat landscape.
Following the recent NSA announcement warning of a new set of vulnerabilities being exploited in the wild, our first pick of the bunch is the exploitation of CVE-2018-13379, a path traversal flaw in the SSL VPN web portal of vulnerable Fortinet FortiOS devices. The flaw allows an unauthenticated remote attacker to download sensitive system files from the device, and in practice it has been used to harvest VPN credentials.
Our second pick from the NSA’s list of vulnerabilities currently being exploited in the wild is CVE-2023-36745, a flaw in Microsoft Exchange Server. Here attackers take advantage of the server’s unsafe deserialisation of untrusted data to achieve remote code execution and fully compromise the target system.
Our third pick from the list of tools in the arsenal of the nation-state actors warned about by the NSA is CVE-2021-27850, a flaw in Apache Tapestry, the Apache Foundation’s Java-based web application framework. An unauthenticated attacker can retrieve files from the application’s classpath, and this has been chained into arbitrary code execution (RCE) on vulnerable servers. The vulnerability itself is a bypass of the incomplete fix for the earlier vulnerability CVE-2019-0195.
Our fourth and final pick from the NSA list is CVE-2021-42013, a path traversal flaw in Apache HTTP Server. By requesting URLs that resolve to files outside the configured document root, attackers have been able to read arbitrary files from, and in some configurations execute code on, a number of vulnerable Apache HTTP Server instances.
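The FortiOS SSL VPN file download and the Apache HTTP Server document-root escape above share one detection problem: the offending path only reads as `../` after URL decoding, and in the Apache case only after decoding twice, because CVE-2021-42013 was a bypass of the 2.4.50 fix for CVE-2021-41773 that caught single but not double percent-encoding (`.%2e/` versus `.%%32%65/`). The following Python is an added example written for this roundup, not AppCheck’s detection logic and not code from either vendor; it decodes request paths until they stop changing, tracks directory depth segment by segment, and flags any request that climbs above the document root. The access-log lines are constructed samples, not captured traffic.

```python
"""Flag request paths that escape the document root once fully URL-decoded.

Added example for the AppCheck KEV roundup (not vendor or AppCheck code).
Constructed Common Log Format lines stand in for a real access log.
"""
import re
from urllib.parse import unquote

# Constructed sample log lines, not real traffic. Lines 2 and 3 carry the
# single- and double-encoded ".." forms seen in the Apache 2.4.49/2.4.50 CVEs.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Oct/2024:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.7 - - [15/Oct/2024:10:01:03 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 200 1024
203.0.113.7 - - [15/Oct/2024:10:01:04 +0000] "GET /cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/passwd HTTP/1.1" 200 1024
198.51.100.9 - - [15/Oct/2024:10:02:00 +0000] "GET /docs/../images/logo.png?v=2 HTTP/1.1" 200 2048
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def fully_decode(path: str, max_rounds: int = 5) -> str:
    """Percent-decode repeatedly until the string stops changing.

    unquote() leaves malformed sequences such as '%%' untouched, which is
    exactly why '.%%32%65' becomes '.%2e' on the first pass and '..' on the
    second. The round limit keeps a pathological input from looping.
    """
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def escapes_docroot(target: str) -> bool:
    """True if the decoded request path climbs above the document root.

    A '..' segment at depth 0 means the request has left the root, however
    the dots were encoded. The query string is ignored.
    """
    path = fully_decode(target.split("?", 1)[0])
    depth = 0
    for segment in path.split("/"):
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        elif segment not in ("", "."):
            depth += 1
    return False


def flag_traversals(log_text: str) -> list[tuple[str, str]]:
    """Return (raw target, decoded path) for each request that escapes the root."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if match and escapes_docroot(match.group("target")):
            target = match.group("target")
            hits.append((target, fully_decode(target.split("?", 1)[0])))
    return hits


if __name__ == "__main__":
    for raw, decoded in flag_traversals(SAMPLE_LOG):
        print(f"traversal attempt: {raw} -> {decoded}")
```

Run against the samples, the checker reports the single- and double-encoded `/etc/passwd` requests and leaves the legitimate `/docs/../images/logo.png` alone, since that path never leaves the root. A log rule or WAF signature that only matches the literal `../` or a single `%2e` misses the second form, which is the whole lesson of CVE-2021-42013; the FortiOS SSL VPN portal flaw is the same class of bug, so the same decode-then-normalise check applies to its request paths.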
In a case of “let’s see what tasty network devices you have to exploit”, CISA has published an alert urging users of the F5 BIG-IP Local Traffic Manager (LTM) module to ensure that HTTP persistence cookies are encrypted. This follows evidence that attackers are harvesting these deliciously tempting unencrypted cookies, which encode the IP address and port of the back-end pool member that served the request, and using them to enumerate non-internet-facing devices inside the target network.
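What an attacker actually reads out of such a cookie, as an added example written for this roundup (not CISA’s, F5’s or AppCheck’s code). With the default, unencrypted cookie persistence profile, BIG-IP LTM sets a cookie named `BIGipServer<pool name>` whose value has the form `<ip>.<port>.0000`, where the pool member’s IPv4 address and TCP port are each written as a little-endian decimal integer. The decoder below turns that value back into the internal address and port. The Set-Cookie headers it runs over are constructed samples, and the “encrypted” value is an invented placeholder string rather than real ciphertext.

```python
"""Decode the back-end address leaked by unencrypted BIG-IP LTM persistence cookies.

Added example for the AppCheck KEV roundup; not F5, CISA or AppCheck code.
Handles the default IPv4 cookie form "<ip>.<port>.0000" only; the route-domain
and IPv6 variants use a different encoding and are simply reported as undecodable.
"""
import re
import struct
from typing import Optional

COOKIE_PREFIX = "BIGipServer"
VALUE_RE = re.compile(r"^(?P<ip>\d{1,10})\.(?P<port>\d{1,5})\.(?P<reserved>\d{4})$")

# Constructed Set-Cookie headers, not captured traffic. The third value stands
# in for an encrypted cookie and is a made-up string, not real ciphertext.
SAMPLE_SET_COOKIES = [
    "BIGipServerweb_pool=1677787402.36895.0000; path=/",
    "BIGipServerapi_pool=167815360.47873.0000; path=/; HttpOnly",
    "BIGipServerapp_pool=!dlK7yL2pQ9RHfOGxwz5uJvT8aYcBm1NsE3qW0kXe6iZrAoP4tVbFhUgMjSnCd; path=/; Secure",
    "JSESSIONID=0A1B2C3D4E5F; path=/; HttpOnly",
]


def decode_bigip_value(value: str) -> Optional[tuple[str, int]]:
    """Turn '1677787402.36895.0000' into ('10.1.1.100', 8080).

    Returns None for anything that is not the plain IPv4 form, which is what
    an encrypted cookie (an opaque base64-like blob) looks like to this parser.
    """
    match = VALUE_RE.match(value)
    if not match:
        return None
    ip_int = int(match.group("ip"))
    port_int = int(match.group("port"))
    if ip_int > 0xFFFFFFFF or port_int > 0xFFFF:
        return None
    # The address is stored little-endian: the lowest byte of the integer is
    # the first octet, so packing as '<I' yields the octets in display order.
    ip = ".".join(str(octet) for octet in struct.pack("<I", ip_int))
    # The port is byte-swapped the same way: 8080 (0x1F90) is stored as 0x901F.
    port = struct.unpack(">H", struct.pack("<H", port_int))[0]
    return ip, port


def leaked_members(set_cookie_headers: list[str]) -> dict[str, tuple[str, int]]:
    """Map pool name -> (internal IP, port) for every decodable BIGipServer cookie."""
    found: dict[str, tuple[str, int]] = {}
    for header in set_cookie_headers:
        # Only the leading name=value pair matters; attributes follow the ';'.
        name, _, value = header.split(";", 1)[0].strip().partition("=")
        if not name.startswith(COOKIE_PREFIX):
            continue
        decoded = decode_bigip_value(value)
        if decoded is not None:
            found[name[len(COOKIE_PREFIX):]] = decoded
    return found


if __name__ == "__main__":
    for pool, (ip, port) in leaked_members(SAMPLE_SET_COOKIES).items():
        print(f"pool {pool}: member {ip}:{port} exposed by unencrypted cookie")
```

The two plaintext cookies give away 10.1.1.100:8080 and 192.168.0.10:443, neither of which a client should ever learn; the placeholder “encrypted” value decodes to nothing, which is the state CISA’s alert asks operators to reach by setting cookie encryption to Required (with a passphrase) on the cookie persistence profile. Run against your own public-facing hosts, the same check tells you whether a BIG-IP in front of them is still leaking pool member addresses.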
The ‘Zerologon’ flaw in Microsoft’s Active Directory domain controller authentication caused quite a stir back in 2020/2021 when details were first revealed, and attackers were quick to take advantage of it, with CISA issuing a warning on ongoing exploitation at the time. This week CISA issued a second advisory, this time in partnership with multiple agencies including the NSA and FBI, warning of continued exploitation of the vulnerability by Iranian threat actors in targeted attacks against the energy, engineering, government, healthcare and public health (HPH), and information technology sectors.
Although CISA provides generally broad coverage of the highest-profile exploitations, it can sometimes lag behind the curve in time to initial report for emerging exploitations. It can also deliberately omit some exploitations if it judges that there is limited threat to US government and federal agencies, given its operational remit. AppCheck therefore uses numerous alternative threat intelligence sources to enrich its coverage of high-profile exploitations and 0-days reported elsewhere. AppCheck processes, and aims to prioritise, the addition of detection for known-exploited vulnerabilities highlighted in non-CISA sources in exactly the same way as for CISA-published ones.
The results of a long-running investigation by Trend Micro into Advanced Persistent Threat (APT) activity against governmental organisations were published this week. The report states that the ‘Earth Simnavaz’ APT group is leveraging vulnerabilities including CVE-2024-30088, a Windows kernel privilege-escalation flaw, in recent attacks, in combination with an exploit binary loaded into memory via the open-source tool ‘RunPE-In-Memory’.
Following an earlier round of attacks targeting one Zimbra Collaboration vulnerability just last week, the company’s troubles mounted at the start of this week with reports that the Russia-linked group APT29 is now exploiting a different, older vulnerability in Zimbra servers, as well as an unrelated vulnerability in JetBrains TeamCity, on a large scale.
Researchers at FortiGuard Labs reported that a vulnerability in Microsoft’s legacy MSHTML (Trident) rendering engine is being exploited via ActiveX controls embedded in Office documents. In the observed intrusions, APT groups used the vulnerability to install the ‘MerkSpy’ malware and establish a persistent presence in victim organisations’ networks.
To keep up to date with future high-profile patches for critical exploits from several key vendors, tune in next Friday for next week’s KEV roundup.
Don’t forget to add the next ‘Patch Tuesday’ from Microsoft to your calendar now too – 12th November 2024.
AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations websites, applications, network, and cloud infrastructure. AppCheck are authorized by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA).