Known Actively Exploited Vulnerabilities Round-up (13.12.24-19.12.24)

This article covers recent vulnerabilities found to be actively exploited. Each is categorised not only by the type of exploitation, but also by its impact and the versions affected. The article also points to any official fix and remediation guidance for the listed vulnerabilities.

AppCheck presents our weekly roundup of critical vulnerabilities being actively exploited ‘in the wild’ by organised threat actors, during the week ending 20th December 2024. Organisations in both the public and private sectors can use the list each week as an input to their vulnerability management prioritisation framework: ‘Known Exploited Vulnerabilities’ are vulnerabilities that are confirmed as being actively used to target and exploit organisations around the globe within the last seven days. As such, they represent perhaps the greatest ongoing cybersecurity risk to businesses, and a very real and present threat. The vulnerabilities are often being exploited by highly organised criminal groups for direct financial gain, via techniques such as malware and ransomware installation. AppCheck summarises the details of each known ongoing exploitation below, but for full details – including impact, versions affected, and any remediation or mitigation guidance – check out AppCheck’s free ‘Detections Service’ at https://detections.appcheck-ng.com/ – you can click on the title of any of the exploitations below to see more information from this service.

 

Commentary and Roundup

This week: It’s been another busy week for many vulnerability management and cybersecurity teams, with no let-up in the pace of ongoing exploitations in the run-up to the Christmas period. Exploitations reported in the last seven days include targeted attacks against ‘big name’ and well-known products such as Adobe ColdFusion, Microsoft Windows, Apache Struts and WordPress. Elsewhere, however, the world is changing, with the first major exploitation of an AI platform reported (Anyscale Ray) as well as the continued co-opting of IoT devices (this time Draytek routers) into botnets. Meanwhile, the sophisticated stratification of threat actors into niche specialisations within a dark economy is exemplified by several exploitations that research has shown were the result of coordinated actions by different threat actors: in several cases an exploit was developed by one party and sold on to a second party, who exploited it; that access was then in turn sold on to a third party for monetised exploitation. Threat actors are now seemingly as well organised (and funded) as the organisations they are targeting, making the jobs of ‘blue’ security teams increasingly challenging. Read on below (and apologies for the puns!).

CISA ‘Known Exploited Vulnerabilities’

CISA (America’s Cyber Defense Agency) maintains a catalogue of ‘KEV’s (Known Exploited Vulnerabilities), publishing alerts of known exploitations on an often-daily basis. Although intended primarily as advisories for US governmental and federal agencies, the list is openly published for the benefit of the wider cybersecurity community and network defenders, and to help every organisation better manage vulnerabilities to keep pace with a volatile and shifting threat landscape.

 

Going Critical – Twin Flaws in Adobe’s ‘ColdFusion’ Weaponised Several Months After Discovery (CVE-2024-20767)

Following their original discovery, patching, and publication of proof of concept (PoC) exploit code in March this year, CISA warned this week of the active exploitation in the wild of two linked access control flaws in Adobe’s ColdFusion. The twin vulnerabilities in the Performance Monitoring component allow attackers to self-issue a ‘UUID’ that can then be used to gain access to critical administrative operations.

 

‘Pwn2Own’ Competition Entry Vulnerability in MS Windows Exploited In The Wild (CVE-2024-35250)

Back in March 2024 the DEVCORE research team showcased a privilege escalation flaw in MS Windows at the ‘Pwn2Own’ Vancouver 2024 hacking competition, with the PoC exploit code being published a few months later. Several months on, CISA has now added the vulnerability to its list of those known to be undergoing active exploitation in the wild. The good news is that a fix for this flaw was made available as part of the June 2024 Patch Tuesday release, so anyone keeping their systems up to date can sleep a little easier.

Trouble At The Copacabana – ReoLink Cameras Coopted Into Botnet Swarms (CVE-2019-11001, CVE-2021-40407)

Multiple IoT devices from ReoLink, including network-enabled security cameras, are reported by CISA to be undergoing active exploitation. CISA has not released further details of the specific exploitations that led to this advisory. However, the FBI, CNMF, NSA, NCSC and other national cybersecurity agencies earlier (September 2024) issued a joint cybersecurity alert regarding the compromise of up to 260,000 Internet-connected devices. The co-option of devices, including IoT devices such as video cameras, warned of under that earlier ‘umbrella’ advisory related to a campaign attributed to Chinese (PRC)-linked cyber actors. The threat actors used a network of compromised nodes (a “botnet”) as a proxy to conceal their identities while deploying distributed denial of service (DDoS) attacks or compromising targeted networks in the West.

Elsewhere on the Web

Although CISA provides generally broad coverage of the highest-profile exploitations, it can sometimes lag behind the curve in time to initial report for emerging exploitations. It may also deliberately not publish some exploitations if it judges that there is limited threat to US government and federal agencies, given its operational remit. AppCheck therefore uses numerous alternate threat intelligence sources to enrich its coverage of high-profile exploitations and 0-days reported elsewhere. AppCheck processes known-exploited vulnerabilities highlighted in non-CISA sources, and aims to prioritise adding detection for them, in exactly the same way as for CISA-published ones.

“Snow Laughing Matter” – Attackers in Data Grabs via XXE Flaw in Ivanti’s ‘Avalanche’ MDM Solution (CVE-2024-38653)

‘XXE’ may not have the same immediate, broad recognisability as more common cybersec acronyms such as ‘XSS’ and ‘SQLi’, but the consequences of exploitation can be pretty disastrous. That’s the case here, where attackers have reportedly weaponised an earlier Proof of Concept (PoC) exploit in Ivanti’s MDM solution, inherited through its acquisition of WaveLink. The threat actors involved are reported to be exploiting the XXE flaw to target enterprises across the globe. Exploitation allows attackers to perform arbitrary file reads, gaining access to all manner of sensitive data.

“Your Data is Now MiData” – Mitel’s MiCollab Solution Targeted in Data Exfiltration Attacks (CVE-2024-41713)

A path traversal vulnerability in Mitel’s multi-platform ‘MiCollab’ collaboration suite for enterprises is under active exploitation. That’s according to sources at GreyNoise, who reported seeing exploitation kick off within 24 hours of the release of Proof of Concept (PoC) exploit code. With a fix having been released back in October for the flaw, enterprises had had a decent window to apply patches before the exploit was released, but those slow on the uptake may now find themselves in a vulnerable position.

 

“You’re Treading Muck All Over The Carpet” – Attackers in Sandbox Breakout on Draytek Routers (CVE-2024-41585)

In the latest of a long string of IoT and network edge device compromises, attackers are reported to have compromised over 300 organisations, many of them in the UK, via a critical vulnerability in Draytek routers. The flaw allows attackers to escape an emulation “sandbox” and execute commands against the native underlying host. The attackers are highly organised and stratified within a threat group economy in which one threat actor gains initial access to devices before selling that compromised device access to secondary threat groups for exploitation and monetisation.

All In The Hips – File Upload Flaw in Apache ‘Struts’ Under Exploitation by Attackers With a Swing in Their Step (CVE-2024-53677)

Take a dash of logic-breaking path traversal, sprinkle in an unhealthy dollop of file-type validation failure, and we have the recipe for yet another remote code execution exploitation. The critical flaw in the Apache Struts web application framework is seeing active exploitation in the wild according to the SANS Institute. With Proof of Concept (PoC) exploit code available in the wild, it’s possible that multiple threat actors are involved. Whilst patching to the required version will help to remediate this issue, the upload mechanism in question has also been deprecated in newer releases.

8K For 7Z – Attackers Trading 7-Zip Functional RCE Exploits for $8K On Dark Web (CVE-2024-11477)

A slightly atypical warning from Cyble this week about a critical RCE vulnerability in 7-Zip. Typically reports of exploitation and attempted exploitation come from sources such as vendors (following customer reports and requests for assistance) or from operators of honeypot and security monitoring services. In a change of pace, Cyble’s warning comes in the form of a not-quite-KEV: the company reports that an earlier “proof of concept” (PoC) exploit has now been weaponised into functional exploit code and is being actively traded on the dark web for $8000 a pop. A fix is available thankfully, so this is no 0-day and customers are advised to patch immediately if they have not already done so.

 

Documenso’s Open-Source Dreams Hit a ‘Sign Here’ Snag (CVE-2024-52271)

A content spoofing flaw is reportedly being actively exploited in Documenso, the open-source e-signature alternative to DocuSign. The vulnerability certainly isn’t typical of the ones we normally cover, but it has potentially highly damaging implications. The exploitation leverages a discrepancy between on-screen and printed document versions, caused by a lack of ‘layer-flattening’ in PDF documents, to trick a user into signing and printing documents whose content differs from what they thought they were signing. The ramifications for legal documents produced using the platform could obviously be significant.

Cleo’s Object Lesson in Verifying Patch Effectiveness Rumbles On Amid Further Exploitation of Patched Instances (CVE-2024-55956)

We reported last week on the active exploitation of multiple file transfer products from Cleo. That saga continues this week with confirmation from the vendor that the first fix was incomplete, exposing fully patched systems to further attack. The vendor is confident that it has finally got this one patched up now. Publication of this second KEV is accompanied by news that the ransomware group known as ‘Clop’ has officially claimed to be behind the exploitation seen. The bad news for anyone already hit by this one is that the data stolen and held to ransom in exploitations to date is now being permanently wiped by the group, putting it beyond recovery.

Hunk Companion Plugin for WordPress Helps Attackers Flex Their Exploits (CVE-2024-11972)

Whilst examining a WordPress site infection, WPScan unearthed the active exploitation of this critical missing authorisation flaw in the Hunk Companion plugin. Attackers have been observed to exploit the flaw to install and activate other vulnerable plugins in order to take advantage of their exploit potential. Need a Cross‑Site Scripting (XSS) attack? We have a plugin for that! Need a Remote Code Execution (RCE) exploit? We have a plugin for that too! A good reminder for anyone with a WordPress site to ensure that they are only running the latest and greatest plugins, with nothing on their plugin install list that’s been marked as deprecated by WordPress, and potentially remains vulnerable to all sorts of nasty surprises.

 

Stung By Ray – Companies Hit By Data Theft Heist via ‘Anyscale Ray’ AI Platform (CVE-2023-48022)

A veritable cornucopia of vulnerabilities in Anyscale’s ‘Ray’ platform has allowed attackers to target hundreds of organisations in attacks that exfiltrate company and customer data. Perhaps most alarmingly for customers, the company was advised of the flaw some months back, but dismissed the vulnerability report and elected not to remediate the flaw, a decision that has now come back to ‘sting’ the company along with many of their customers.


Next Update

To keep up to date with future high-profile advisories for critical ongoing exploitations that may threaten your technical estate, tune in next Friday for next week’s KEV roundup.

We now offer additional coverage of critical security updates from several key vendors too, including:

  • Our End-of-Month Roundups of critical patch updates for all CISCO Products – next due on 26th December 2024
  • Our Monthly Security Advisory Roundups for PALO ALTO NETWORKS – next due on 9th January 2025
  • Our monthly coverage of the ‘Patch Tuesday’ updates from MICROSOFT and several other major vendors – next due on 14th January 2025
  • Our quarterly coverage of the ‘Critical Patch Updates’ from ORACLE – next due on 21st January 2025
  • Our quarterly Roundups of Security Updates from IVANTI – next due on 3rd March 2025

About AppCheck

AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations’ websites, applications, network, and cloud infrastructure. AppCheck is authorised by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA).