AppCheck presents our weekly roundup of critical vulnerabilities being actively exploited ‘in the wild’ by organised threat actors, during the week ending 22nd November 2024. Organisations in both the public and private sectors can use the list each week as an input to their vulnerability management prioritisation framework: ‘Known Exploited Vulnerabilities’ are vulnerabilities that are confirmed as being actively used to target and exploit organisations around the globe within the last seven days. As such, they represent perhaps the greatest ongoing cybersecurity risk to businesses, and a very real and present threat. The vulnerabilities are often being exploited by highly organised criminal groups for direct financial gain, via techniques such as malware and ransomware installation. AppCheck summarises the details of each known ongoing exploitation below, but for full details – including impact, versions affected, and any remediation or mitigation guidance – check out AppCheck’s free ‘Detections Service’ at https://detections.appcheck-ng.com/ – you can click on the title of any of the exploitations below to see more information from this service.
The week kicked off with a bang with an announcement from Shadowserver that network surveillance systems from GeoVision were being exploited in the wild. Further advisories from CISA throughout the week disclosed a series of critical ‘0-Day’ vulnerabilities in enterprise network products from vendors including Palo Alto, who have been battered recently by a series of high-profile exploitations. The final firework display has been provided by FortiGuard, who have reported a resurgence in active exploitation activity thought to be linked to Russian military intelligence.
CISA (America’s Cyber Defense Agency) maintains a catalogue of ‘KEV’s (Known Exploited Vulnerabilities), publishing alerts of known exploitations on an often-daily basis. Although intended primarily as advisories for US governmental and federal agencies, the list is openly published for the benefit of the wider cybersecurity community and network defenders, and to help every organisation better manage vulnerabilities to keep pace with a volatile and shifting threat landscape.
CISA have already issued repeated warnings since September 2024 about the activity of suspected Russian nation-state actors in a series of exploitations globally. However, security researchers at FortiGuard Labs this week reported renewed attacks exploiting the vulnerabilities from the original CISA advisory – as well as several new vulnerabilities. The attacks are claimed to be tied to activities originating from Russian military intelligence (GRU) Unit 29155, sometimes referred to as ‘Ember Bear’. The attacks are targeting the government services, financial services, transportation systems, energy, and healthcare sectors of countries including NATO members and the EU. Their goal is believed to be to conduct espionage, steal data, and compromise or destroy sensitive information.
Over the weekend, sparse details began to emerge of a possible ‘0-Day’ RCE vulnerability being exploited in the wild against Palo Alto’s PAN series of firewalls and VPN concentrators. The company themselves seemed unclear of the source or nature of the vulnerability initially, and had no fix prepared, only advising customers to isolate the management interfaces of the devices as best possible to trusted network segments and restrict access to trusted source IPs only. Presumably using a firewall. Just not this one.
Sometimes you learn from your mistakes. Other times, not so much. Progress Kemp’s ‘LoadMaster’ application delivery controller was already in the headlines earlier this year for the active exploitation of an OS command injection vulnerability in its LMOS operating system (CVE-2024-7591). Just two months later, the company is in the spotlight again for a second, almost identical vulnerability that is again being exploited at scale, according to CISA. A fix has been released by the vendor.
CVE-2024-38812 has been something of a thorn in the side of VMware ever since its initial discovery at a Chinese hacking contest some months ago. The vendor has released a string of patches, each one claiming to fix the flaw, only for variants and bypasses to be found each time by attackers. The confusion and uncertainty over fix status has played into hackers’ hands, for sure. We warned of “highly probable exploitation” back in September, which was confirmed this week by CISA. Let’s hope this latest fix is the one.
The folks at Palo Alto must be feeling pretty battered and bruised at this point, with yet another flaw in PAN-OS being highlighted by CISA. Something of a partner in crime for the RCE ‘0-Day’ patched at the same time (CVE-2024-9474), this authentication flaw is being used to drop all sorts of nasty payloads including malware and webshells. We’re not entirely sure of the significance of giving this exploitation investigation an official moniker, but it’s no worse than some of the others we’ve seen over the years. Plus, we get to do puns.
Although CISA provides generally broad coverage of the highest-profile exploitations, it can sometimes lag behind the curve in time to initial report for emerging exploitations. It can also sometimes deliberately not publish some exploitations if it feels that there is limited threat to US government and federal agencies, due to its operational remit. AppCheck therefore uses numerous alternative threat intelligence sources to enrich its coverage of high-profile exploitations and 0-days reported elsewhere. AppCheck processes known-exploited vulnerabilities highlighted in non-CISA sources, and aims to prioritise adding detection for them, in exactly the same way as for CISA-published ones.
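As an added illustration of how a defender can actually use the KEV list as a prioritisation input (this is not AppCheck’s tooling, and all the feed excerpts, inventory hosts and dates below are constructed sample data): the script parses a feed in the shape of CISA’s KEV JSON, merges in entries from a second, non-CISA source, cross-references both against a scanner’s per-host CVE findings, and ranks the matches with ransomware-linked and overdue items first. The field names mirror the public CISA feed; the due dates and the ransomware flag are constructed to exercise the ranking and are not the catalogue’s real values, and the non-CISA entry uses a placeholder CVE ID because the page gives none.

```python
"""Cross-reference a scanner's asset inventory with a CISA-style KEV catalogue and a
second (non-CISA) exploitation feed, then rank what to patch first.
Added illustration (not AppCheck's tooling); all sample data is constructed."""
import json
from datetime import date

# Constructed excerpt shaped like CISA's KEV JSON feed. Field names follow the
# public feed; the dates and the ransomware flag are constructed for the demo
# and are NOT the catalogue's real values.
KEV_FEED_JSON = """{
  "title": "constructed KEV excerpt",
  "vulnerabilities": [
    {"cveID": "CVE-2024-7591", "vendorProject": "Progress", "product": "Kemp LoadMaster",
     "dateAdded": "2024-09-01", "dueDate": "2024-09-22", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2024-38812", "vendorProject": "VMware", "product": "vCenter Server",
     "dateAdded": "2024-11-18", "dueDate": "2024-12-09", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2024-9474", "vendorProject": "Palo Alto Networks", "product": "PAN-OS",
     "dateAdded": "2024-11-18", "dueDate": "2024-12-09", "knownRansomwareCampaignUse": "Known"}
  ]
}"""

# Constructed entries from a non-CISA source (vendor research that CISA had not
# yet listed). The CVE ID is a placeholder, not a real identifier.
OTHER_SOURCE = [
    {"cveID": "CVE-0000-PLACEHOLDER", "vendorProject": "example-plugin-vendor",
     "product": "WordPress chart plugin (placeholder)", "dateAdded": "2024-11-20",
     "dueDate": None, "knownRansomwareCampaignUse": "Unknown"},
]

# Constructed scanner output: CVEs detected per host (hostnames are invented).
INVENTORY = [
    {"host": "fw-edge-01",  "cves": {"CVE-2024-9474", "CVE-2024-1111"}},
    {"host": "vcenter-01",  "cves": {"CVE-2024-38812"}},
    {"host": "www-blog-02", "cves": {"CVE-0000-PLACEHOLDER", "CVE-2024-2222"}},
    {"host": "lb-dmz-01",   "cves": {"CVE-2024-7591"}},
    {"host": "build-03",    "cves": {"CVE-2024-3333"}},  # nothing known-exploited here
]


def load_catalogue(feed_json, extra_entries=()):
    """Index entries by CVE ID. CISA entries win if a CVE appears in both sources,
    so the official due date is never overwritten by a third-party report."""
    catalogue = {}
    for entry in extra_entries:
        catalogue[entry["cveID"]] = dict(entry, source="other")
    for entry in json.loads(feed_json)["vulnerabilities"]:
        catalogue[entry["cveID"]] = dict(entry, source="CISA KEV")
    return catalogue


def _rank_key(finding, today):
    """Ransomware-linked first, then already-overdue due dates, then earliest due date."""
    due = finding["dueDate"]
    ransomware = 0 if finding["knownRansomwareCampaignUse"] == "Known" else 1
    overdue = 0 if (due is not None and due < today) else 1
    return (ransomware, overdue, due or date.max, finding["host"])


def prioritise(inventory, catalogue, today):
    """Return one finding per (host, CVE) pair present in the catalogue, best-first.
    `today` may be a date or an ISO string."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    findings = []
    for asset in inventory:
        for cve in asset["cves"]:
            entry = catalogue.get(cve)
            if entry is None:
                continue  # not known-exploited: leave to the normal patch cycle
            due = date.fromisoformat(entry["dueDate"]) if entry["dueDate"] else None
            findings.append({
                "host": asset["host"], "cveID": cve,
                "product": f'{entry["vendorProject"]} {entry["product"]}',
                "source": entry["source"], "dueDate": due,
                "knownRansomwareCampaignUse": entry["knownRansomwareCampaignUse"],
                "overdue": due is not None and due < today,
            })
    return sorted(findings, key=lambda f: _rank_key(f, today))


if __name__ == "__main__":
    catalogue = load_catalogue(KEV_FEED_JSON, OTHER_SOURCE)
    for f in prioritise(INVENTORY, catalogue, "2024-11-22"):
        flag = "RANSOMWARE " if f["knownRansomwareCampaignUse"] == "Known" else ""
        status = "OVERDUE" if f["overdue"] else f'due {f["dueDate"]}'
        print(f'{f["host"]:12} {f["cveID"]:22} {f["product"]:38} {flag}{status} [{f["source"]}]')
```

To run it against the live catalogue you would replace the constructed string with the JSON fetched from CISA’s feed and the inventory with your scanner’s export; the ranking logic stays the same. Note that the non-CISA entry has no due date, so it sorts after everything CISA has given a deadline, which is the deliberate choice here: it is still surfaced, but the official catalogue’s deadlines drive the order.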
Multiple product lines from GeoVision are affected here, and with the devices all End Of Life (EOL) we’re unlikely to see any fixes. Network isolation of any vulnerable devices is probably slightly preferable to panicked cable-yanking, but longer term customers are advised to look at replacing devices with in-support alternatives.
The latest in a slew of MSHTML Platform weaknesses in Microsoft Windows was recently discovered undergoing exploitation in the wild again, reports cyber security firm ClearSky. A suspected Russian threat actor identified as ‘UAC-0194’ has been observed distributing a ZIP archive containing files designed to exploit this flaw as part of a targeted malware distribution campaign.
Not one that’s hit CISA’s radar yet – perhaps due to low uptake of WordPress in US federal agencies – but WordFence have reported the ongoing exploitation of a ‘file inclusion’ vulnerability in this popular chart-building plugin for WordPress. Quite how many hosts have been compromised isn’t yet clear, but the company reports that – in addition to any successful compromises – they have blocked a further two million discrete exploit attempts to date.
As if one high-profile ‘0-Day’ in a week wasn’t enough, Fortinet found themselves in a very similar situation to Palo Alto (above). The situation with this one is a little murkier, however, since the company that broke the news claims that they reported the issue to the vendor way back in June this year, but that a patch still hasn’t been released – and that the vulnerability is now being exploited by highly proficient China-linked threat actors. Not a good look for Fortinet if so, but the vendor has yet to officially respond.
Google’s Threat Analysis Group (TAG) took two bites out of Apple this week following their report of two juicy flaws affecting multiple Apple operating systems. Apple has since confirmed receiving reports of active exploitation of the two flaws in the wild. Everyone involved is keeping tight-lipped on the details, with no word on the who, the how or the why, but given the popularity of Apple products, it’s a target-rich environment out there with vulnerable systems ripe for exploitation.
Oracle’s product ecosystem continues to pose a lucrative target for attackers, with the company reporting the confirmed exploitation this week of a critical access control bypass vulnerability in its Agile Product Lifecycle Management (PLM) Framework – part of the company’s Supply Chain suite – that led to the exfiltration of highly sensitive commercial data. No technical details have been published yet, but a patch is available.
To keep up to date with future high-profile advisories for critical ongoing exploitations that may threaten your technical estate, tune in next Friday for next week’s KEV roundup.
We now offer additional coverage of critical security updates from several key vendors too, including:
AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations websites, applications, network, and cloud infrastructure. AppCheck are authorized by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA).