AppCheck presents our weekly round up of critical vulnerabilities being actively exploited ‘in the wild’ by organised threat actors, during the week ending 20th September 2024. Organisations in both the public and private sectors can use the list each week as an input to their vulnerability management prioritisation framework: ‘known exploited vulnerabilities’ are vulnerabilities that are confirmed as being actively used to target and exploit organisations around the globe in the last seven days. As such, they present perhaps the greatest ongoing cybersecurity risk to businesses, and a very real threat. The vulnerabilities are often being exploited by attackers in order to achieve direct financial gain via techniques such as malware and ransomware installation. We summarise each known ongoing exploitation below, but full details – including their impact, versions affected, and any official fix and remediation guidance – for each of the listed vulnerabilities are all available, for free, via the AppCheck Detections Service at https://detections.appcheck-ng.com/ – simply click on the title of any of the exploitations below to see more information from this service.
This week: it has been a week of unusually heightened threat activity across the board, with a raft of critical advisories dropping both from CISA and individual vendors regarding active exploitation of weaknesses in software and hardware spanning both the enterprise and SOHO spaces. So-called ‘0-day’ exploits (exploitations of the latest, sometimes unpatched, vulnerabilities only recently uncovered) have been matched by threat groups showing equal willingness to exploit legacy, decade-old vulnerabilities. Technologies such as Adobe Flash, discontinued a number of years ago, are reportedly being actively exploited once more. In the SOHO space, the ongoing willingness of manufacturers to continue to ship poorly-secured edge routing devices has allowed attackers to recruit botnet ‘armies’ of compromised devices to weaponize against corporations and enterprises, with ‘Raptor Train’ the latest Mirai-based threat to be reported. Elsewhere, Ivanti, Oracle and Apache have had a particularly rough week, with multiple critical vulnerabilities in their software and appliances being successfully exploited by attackers.
CISA (America’s Cyber Defense Agency) maintains a catalogue of ‘KEV’s (Known Exploited Vulnerabilities) and publishes alerts of known exploitations on an often daily basis. Although intended primarily as advisories for US governmental and federal agencies, the list is openly published for the benefit of the wider cybersecurity community and network defenders—and to help every organisation better manage vulnerabilities and keep pace with threat activity.
Attackers have weaponised two vulnerabilities within Ivanti’s Cloud Services Appliances (CSA), within days or perhaps hours of their publication. Cyber threat actors are exploiting these vulnerabilities to take full control of unpatched appliances, likely through the use of an exploit chain which allows attackers to gain the admin privileges necessary for complete compromise. Only last month, CISA also warned of the active exploitation of another vulnerability in Ivanti products (CVE-2024-7593), caused by an authentication flaw in the admin UI of Ivanti’s vTM series of appliances.
Microsoft have updated their security advisory for CVE-2024-43461 to warn that the vulnerability is now confirmed as having been actively exploited in attacks dating back at least as far as July 2024, as part of an attack chain relating to CVE-2024-38112, another MSHTML spoofing flaw. According to a report from Trend Micro, CVE-2024-38112 was exploited by an advanced persistent threat (APT) actor tracked under the assigned moniker ‘Void Banshee’. For this latest round of exploitations, attackers are employing phishing tactics to gain access to sensitive information and install malware.
In an unexpected and unusual blast from the past, attackers are confirmed by CISA to be actively targeting four legacy vulnerabilities within Adobe Flash Player – a platform that was discontinued back in 2020. Although these vulnerabilities are a decade old, all four are critical vulnerabilities. This wave of exploitations, whilst its source remains a mystery, has led to total compromise and hostile takeover of systems. Originally, these vulnerabilities were exploited as part of “Operation GreedyWonk” back in 2014. That series of exploits specifically targeted non-profit institutions in the West relating to international policy or national security and public policy. Due to the frankly mysterious resurrection of these vulnerabilities and the critical impact of these exploits, remediation of any environments still remaining unpatched a decade on should be prioritised.
AppCheck first alerted customers to prioritise patching of this vulnerability back in July of this year, and now CISA have published this as a ‘known exploited vulnerability’ with attackers developing exploits based on PoC exploit code available for several months now via sites such as GitHub. In this latest wave of exploitations, remote attackers are performing the unauthorised execution of arbitrary (malicious) commands on the targeted platforms. Ultimately, the attackers are taking control over servers and stealing confidential data, leveraging the foothold to further pivot into onward attacks within victim organisations’ internal networks, deploying malware or ransomware and performing a number of other exploits.
Originally having patches made available by the vendor in 2022, following the vulnerability’s initial reporting back in 2021, this is now undergoing active exploitation two years later according to CISA. Attackers are exploiting this resurfacing vulnerability as part of an exploit chain involving CVE-2022-21497 in order to remotely compromise Oracle JDeveloper instances. Given that exploit code is confirmed to be available ‘in the wild’ to attackers via sites such as GitHub, vulnerable instances should be prioritised for remediation.
Another critical older vulnerability resurfaces under active exploitation, affecting Microsoft SQL Server instances. Attackers are achieving the unauthorised execution of arbitrary (malicious) code in the context of the Report Server service account via the submission of specially crafted page requests to vulnerable Reporting Services instances.
Following the pattern this week of vulnerabilities that have long had patches available still remaining unpatched and hence being exploited, this 2020 vulnerability is being exploited in combination with another Oracle vulnerability in the ADF Faces component (CVE-2022-21445) as part of a sophisticated exploit chain. Remote, unauthenticated attackers are achieving complete hostile takeover and sequestration of vulnerable Oracle WebLogic Server instances. With both the probability of exploitation and impact of said exploitation marked as critical, remediation of impacted environments should be prioritised.
Although CISA provides a generally broad coverage of the highest profile exploitations, it can sometimes lag behind the curve in first report of emerging exploitations. It can also sometimes deliberately not publish some exploitations if it feels that there is limited threat to US government and federal agencies, due to its operational remit. AppCheck therefore uses numerous alternate threat intelligence sources to enrich its coverage of high profile exploitations and 0-days reported elsewhere. AppCheck processes and aims to prioritise the addition of detection for known-exploited vulnerabilities highlighted in non-CISA sources, in exactly the same way as for CISA-published ones.
Attackers strike again, in a second wave of exploitation leveraging a vulnerability reported initially back in April of this year that was being exploited at the time as a critical zero-day. Originally, Palo Alto Networks warned that the vulnerability in the PAN-OS software used on its firewall and application security devices was being actively exploited in the wild as a foothold to deploy Pantegana, Spark RAT, and Cobalt Strike Beacon malware onto compromised and screened hosts.
Japan’s NICTER (Network Incident analysis Center for Tactical Emergency Response) has reported ongoing attack activity and the recruitment of affected Buffalo edge routers into an ‘Internet of Things’ (IoT) botnet. NICTER reported initial exploitation as early as May 21st 2024, but exploitation continues as remote attackers keep compromising devices for recruitment into botnet ‘armies’ that are used to launch onward attacks coordinated by central C&C servers.
Back again with another entry, but this time with a far more recent vulnerability, Adobe faces down the ongoing exploitation of a ‘zero-day’ within their Acrobat Reader product. Attackers are exploiting this zero-day to execute arbitrary (malicious) code on susceptible systems. This remote code execution vulnerability was initially discovered ‘in the wild’ via a file uploaded to the EXPMON system – a sandbox-based platform for detecting advanced file-based exploits – in June 2024. With exploit code now available to attackers in the wild, and the widespread install footprint of Acrobat Reader, this vulnerability has proven to be an attractive threat vector to various attack groups.
A vulnerability within CloudStack – an Infrastructure-as-a-Service (IaaS) cloud computing solution – is currently undergoing active exploitation. Proof-of-concept (‘PoC’) exploit code has been published to sites – including GitHub – by parties claiming alignment with certain politically-motivated hacktivist groups. With reports of active exploitation and an EPSS (Exploit Prediction Scoring System) score that has rocketed to a predicted 83.89% probability of exploitation of vulnerable instances within the next 30 days, this is one to patch urgently.
Five discrete critical vulnerabilities that were disclosed by network equipment manufacturer D-Link in certain models of their wireless routers, with the IDs CVE-2024-45694 to CVE-2024-45698, have proven too tempting a target for attackers to ignore. As evidenced by their frequent appearance in AppCheck’s KEV round-ups, D-Link devices are commonly targeted by malware botnets, and millions of D-Link routers are at risk from this latest round of exploitation. Given how trivial these vulnerabilities are to exploit, it is unsurprising that threat actors have been quick to take advantage of them. Taking the impact and triviality of exploitation into account, prioritisation should be given to immediate remediation in any impacted environment.
Over a decade since its discovery and initial report, a buffer overflow vulnerability within Novell ZENworks (a suite of software products for computer systems management) is currently being exploited by attackers to achieve remote code execution, leading to total system compromise and takeover. As of this morning, the resurfaced vulnerability has been assigned an Exploit Prediction Scoring System (EPSS) score of 93.91%, indicating an extremely high (critical or near-certain) risk of exploitation of any vulnerable instances within the next 30 days.
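The opening paragraphs describe feeding the KEV list into a vulnerability management prioritisation framework, and the CloudStack and ZENworks entries above lean on EPSS scores to justify urgency. The following is an added example, not code from this roundup or from AppCheck, of how a defender might combine those two signals with their own asset inventory. The KEV rows mimic the field names of CISA's published JSON catalogue (an assumption about that feed's layout); the dates, ransomware flags, EPSS probabilities, CVSS values, the two `CVE-0000-*` placeholder IDs and the asset names are all constructed sample data.

```python
import json
from dataclasses import dataclass
from datetime import date

TODAY = date(2024, 9, 20)  # the week this roundup covers

# Constructed KEV feed sample. Field names follow the layout assumed for CISA's
# JSON catalogue; the dates and flag values are placeholders, not real rows.
KEV_FEED_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2024-7593", "vendorProject": "Ivanti",
     "product": "Virtual Traffic Manager", "dateAdded": "2024-08-20",
     "dueDate": "2024-09-10", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2024-43461", "vendorProject": "Microsoft",
     "product": "Windows MSHTML", "dateAdded": "2024-09-16",
     "dueDate": "2024-10-07", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2022-21445", "vendorProject": "Oracle",
     "product": "JDeveloper ADF Faces", "dateAdded": "2024-09-18",
     "dueDate": "2024-10-09", "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed EPSS probabilities (chance of exploitation in the next 30 days).
EPSS_SCORES = {
    "CVE-2024-7593": 0.92, "CVE-2024-43461": 0.12, "CVE-2022-21445": 0.30,
    "CVE-0000-0001": 0.02, "CVE-0000-0002": 0.01,
}


@dataclass
class Finding:
    asset: str
    cve_id: str
    cvss: float
    internet_facing: bool


@dataclass
class Prioritised:
    finding: Finding
    tier: str
    epss: float
    overdue: bool      # KEV due date already passed
    reasons: list


# Constructed scanner findings for a fictional estate.
SAMPLE_FINDINGS = [
    Finding("vtm-edge-01", "CVE-2024-7593", 9.8, internet_facing=True),
    Finding("ws-finance-07", "CVE-2024-43461", 8.8, internet_facing=False),
    Finding("jdev-build-02", "CVE-2022-21445", 9.8, internet_facing=False),
    Finding("intranet-cms", "CVE-0000-0001", 9.1, internet_facing=False),
    Finding("kiosk-03", "CVE-0000-0002", 5.3, internet_facing=True),
]


def load_kev(feed_json: str) -> dict:
    """Index the KEV feed by CVE id so each finding is a single lookup."""
    return {row["cveID"]: row for row in json.loads(feed_json)["vulnerabilities"]}


def triage(finding: Finding, kev: dict, epss: dict, today: date = TODAY) -> Prioritised:
    """Assign a remediation tier from KEV membership, EPSS, CVSS and exposure."""
    entry = kev.get(finding.cve_id)
    p = epss.get(finding.cve_id, 0.0)
    in_kev = entry is not None
    ransomware = in_kev and entry.get("knownRansomwareCampaignUse") == "Known"
    overdue = in_kev and date.fromisoformat(entry["dueDate"]) <= today

    reasons = []
    if in_kev:
        reasons.append("listed in KEV")
    if overdue:
        reasons.append("KEV due date passed")
    if ransomware:
        reasons.append("used in ransomware campaigns")
    if p >= 0.5:
        reasons.append(f"EPSS {p:.0%}")

    # Known exploitation on an exposed, high-EPSS or ransomware-linked flaw first;
    # then any KEV entry, any high-EPSS flaw, or critical CVSS on the edge;
    # then the rest by CVSS severity.
    if in_kev and (finding.internet_facing or p >= 0.5 or ransomware):
        tier = "P1"
    elif in_kev or p >= 0.5 or (finding.cvss >= 9.0 and finding.internet_facing):
        tier = "P2"
    elif finding.cvss >= 7.0:
        tier = "P3"
    else:
        tier = "P4"
    return Prioritised(finding, tier, p, overdue, reasons)


def prioritise(findings, kev: dict, epss: dict, today: date = TODAY) -> list:
    """Return findings ordered by tier, then EPSS, then CVSS (highest first)."""
    ranked = [triage(f, kev, epss, today) for f in findings]
    ranked.sort(key=lambda r: (r.tier, -r.epss, -r.finding.cvss))
    return ranked


if __name__ == "__main__":
    for r in prioritise(SAMPLE_FINDINGS, load_kev(KEV_FEED_JSON), EPSS_SCORES):
        print(f"{r.tier} {r.finding.asset:<14} {r.finding.cve_id:<15} "
              f"EPSS {r.epss:.0%}  {'; '.join(r.reasons) or 'no exploitation signal'}")
```

The tier rules are deliberately simple and the thresholds are choices, not standards: the point is that KEV membership and EPSS are exploitation evidence and should outrank raw CVSS, and that an internal host with a KEV-listed, ransomware-linked flaw still lands in the top tier even when its EPSS is modest. In practice the feed and scores would be fetched from their published sources rather than embedded.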
A new wave of attacks against VMware’s vCenter sees attackers exploiting a heap-based buffer overflow vulnerability to achieve arbitrary code execution, ultimately leading to total system compromise and takeover of vulnerable instances. CISA has previously warned of active exploitation of flaws in the vCenter Server on no fewer than 8 prior occasions. Most recently, a strikingly similar vulnerability in the same DCERPC protocol as leveraged in this latest vulnerability (CVE-2023-3404) allowed attackers to achieve RCE via triggering a buffer overflow. Exploitation of that earlier flaw started around late 2021 by a China-nexus espionage group tagged as ‘UNC3886’.
One of the most infamous vulnerabilities of the last few years, ‘Spectre’ makes a (kind-of) return in a similar new variant of a so-called ‘speculative execution’ vulnerability in Microsoft Windows on ARM-based processors. Although much narrower in scope than the original Spectre/Meltdown vulnerabilities, this is nevertheless a critical vulnerability that may potentially see active exploitation attempts in the coming days and weeks.
Attackers are targeting Microsoft yet again, this time via a critical file permission vulnerability in Task Scheduler, a set of Microsoft Windows components that allows for the execution of scheduled tasks. Attackers gain SYSTEM (superuser) privileges on an affected system, allowing for complete compromise and takeover of a target system. This is the latest in a series of critical Microsoft Windows vulnerabilities in recent months that are being actively targeted by threat actors, including most recently CVE-2024-43491 just a couple of weeks ago.
A buffer overflow vulnerability within TOTOLINK AC1200 T8 routers is being actively exploited by attackers to execute arbitrary code. A PoC exploit has been published to sites such as GitHub, and third-party security researchers have also highlighted the rise of a Mirai-variant botnet dubbed ‘Raptor Train’, which has built a botnet of an estimated 200,000 compromised IoT devices such as small office/home office (SOHO) routers from TOTOLINK as well as other manufacturers including ASUS, DrayTek, Tenda, TP-LINK, and Zyxel. The botnet is reported to be likely operated by a Chinese nation-state threat actor called ‘Flax Typhoon’ (aka Ethereal Panda or RedJuliett).
Collaborative content management system (CMS) SPIP features a command injection vulnerability that is currently under active exploitation, with remote and unauthenticated attackers executing arbitrary (malicious) operating system commands on vulnerable unpatched systems. These unauthenticated remote attackers are able to completely compromise and take over the target system. With an EPSS score of 66%, prioritisation should be given to any impacted environments.
To keep up to date with future high-profile patches for critical exploits from vendors including Microsoft and Google, tune in next Friday for next week’s ‘KEV’ (known exploitation) roundup – and don’t forget to add the next ‘Patch Tuesday’ to your calendar now too – 8th October 2024.
AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations websites, applications, network, and cloud infrastructure. AppCheck are authorized by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA).