AppCheck presents our weekly roundup of critical vulnerabilities being actively exploited ‘in the wild’ by organised threat actors, during the week ending 25th October 2024. Organisations in both the public and private sectors can use the list each week as an input to their vulnerability management prioritisation framework: ‘Known Exploited Vulnerabilities’ are vulnerabilities that are confirmed as being actively used to target and exploit organisations around the globe within the last seven days. As such, they represent perhaps the greatest ongoing cybersecurity risk to businesses, and a very real and present threat. The vulnerabilities are often being exploited by highly organised criminal groups for direct financial gain, via techniques such as malware and ransomware installation. AppCheck summarises the details of each known ongoing exploitation below, but for full details – including impact, versions affected, and any remediation or mitigation guidance – check out AppCheck’s free ‘Detections Service’ at https://detections.appcheck-ng.com/ – you can click on the title of any of the exploitations below to see more information from this service.
This week: The top story this week is undoubtedly the news that tens of thousands of Fortinet’s FortiManager devices across the internet are vulnerable to an unpatched ‘0-day’ authentication bypass flaw. Fortinet are working away to get patches released for all vulnerable systems, but with an almost two-month window of opportunity for attackers to date, Fortinet is urging potentially affected organisations to conduct forensic investigations as a matter of urgency to check for existing compromise. We’ve also seen a wide range of exploits reported against other vendors, with miscreants and ne’er-do-wells targeting systems including Microsoft SharePoint (CVE-2024-38094), Roundcube Webmail (CVE-2024-37383) and the Spring Framework for Java (CVE-2024-38816). Exploits targeting Samsung and Google smartphones are being waved in the general direction of ‘commercial spyware’ operators (CVE-2024-44068). And Rackspace has revealed that a recent outage was the result of entities unknown exploiting a vulnerability in a service used in their platform but deployed across other organisations too, potentially paving the way for more of the same in the near future (CVE-2024-9537), a valuable reminder of how some gifts will just keep on giving.
CISA (America’s Cyber Defense Agency) maintains a catalogue of ‘KEV’s (Known Exploited Vulnerabilities), publishing alerts of known exploitations on an often-daily basis. Although intended primarily as advisories for US governmental and federal agencies, the list is openly published for the benefit of the wider cybersecurity community and network defenders, and to help every organisation better manage vulnerabilities to keep pace with a volatile and shifting threat landscape.
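The introduction suggests using the weekly KEV list as an input to vulnerability management prioritisation, and the CISA catalogue described above is published as a machine-readable JSON feed. The following is an added example of that triage step, written for this page and not code from AppCheck or CISA. The record field names (cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse) are those of the public CISA KEV feed; the feed excerpt, its dates, and the asset inventory are constructed for the example, and the feed URL in the comment is an assumption rather than something the page states.

```python
"""Weekly KEV triage: which of this week's known-exploited CVEs touch our estate?

Added example, not AppCheck's or CISA's own code. Field names follow the
public CISA KEV JSON feed; the excerpt, dates and inventory are constructed.
"""
import json
from datetime import date, timedelta

# Constructed excerpt in the shape of the CISA KEV feed. The CVE IDs are the
# ones discussed in this roundup; dateAdded/dueDate values are illustrative.
# Assumption: the live feed is fetched from
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2024.10.25",
    "count": 5,
    "vulnerabilities": [
        {"cveID": "CVE-2024-38094", "vendorProject": "Microsoft", "product": "SharePoint",
         "dateAdded": "2024-10-22", "dueDate": "2024-11-12", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2024-37383", "vendorProject": "RoundCube", "product": "Webmail",
         "dateAdded": "2024-10-24", "dueDate": "2024-11-14", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2024-44068", "vendorProject": "Samsung", "product": "Mobile Processor",
         "dateAdded": "2024-10-21", "dueDate": "2024-11-11", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2024-9537", "vendorProject": "ScienceLogic", "product": "SL1",
         "dateAdded": "2024-10-21", "dueDate": "2024-11-11", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2019-0604", "vendorProject": "Microsoft", "product": "SharePoint",
         "dateAdded": "2021-11-03", "dueDate": "2022-05-03", "knownRansomwareCampaignUse": "Known"},
    ],
})

# Constructed asset inventory, in the shape a CMDB export might take.
INVENTORY = [
    {"host": "sp-01.corp.example", "vendor": "Microsoft", "product": "SharePoint Server 2019", "internet_facing": True},
    {"host": "mail.example", "vendor": "Roundcube", "product": "Webmail", "internet_facing": True},
    {"host": "mon-01.corp.example", "vendor": "ScienceLogic", "product": "SL1", "internet_facing": False},
    {"host": "fw-01.corp.example", "vendor": "Fortinet", "product": "FortiGate", "internet_facing": True},
]


def load_kev(feed_text):
    """Parse the KEV feed JSON and return its vulnerability records."""
    return json.loads(feed_text)["vulnerabilities"]


def added_within(entries, today_iso, days=7):
    """Keep only entries CISA added in the last `days` days (the weekly slice)."""
    cutoff = date.fromisoformat(today_iso) - timedelta(days=days)
    return [e for e in entries if date.fromisoformat(e["dateAdded"]) >= cutoff]


def match_inventory(entries, inventory):
    """Join KEV records to assets on vendor (exact, case-insensitive) and product
    (substring either way, so 'SharePoint' hits 'SharePoint Server 2019')."""
    hits = []
    for e in entries:
        vendor, product = e["vendorProject"].lower(), e["product"].lower()
        for asset in inventory:
            if asset["vendor"].lower() != vendor:
                continue
            asset_product = asset["product"].lower()
            if product in asset_product or asset_product in product:
                hits.append({**e, "host": asset["host"], "internet_facing": asset["internet_facing"]})
    return hits


def prioritise(hits, today_iso):
    """Order work: internet-facing first, known ransomware use first, then the
    soonest CISA due date; CVE ID last as a stable tiebreak."""
    today = date.fromisoformat(today_iso)

    def key(h):
        days_left = (date.fromisoformat(h["dueDate"]) - today).days
        return (not h["internet_facing"], h["knownRansomwareCampaignUse"] != "Known", days_left, h["cveID"])

    return sorted(hits, key=key)


def weekly_triage(feed_text, inventory, today_iso, days=7):
    """End to end: this week's KEV additions that match our inventory, ranked."""
    return prioritise(match_inventory(added_within(load_kev(feed_text), today_iso, days), inventory), today_iso)


if __name__ == "__main__":
    for h in weekly_triage(KEV_SAMPLE, INVENTORY, "2024-10-25"):
        print(f"{h['cveID']:15} {h['host']:22} internet_facing={h['internet_facing']} due={h['dueDate']}")
```

Run against the constructed data with a ‘today’ of 2024-10-25, the script drops the 2021 SharePoint entry (outside the seven-day window), finds no asset for the Samsung entry, and lists the internet-facing SharePoint and Roundcube hosts ahead of the internal SL1 monitor. Product matching by substring is deliberately loose; in a real CMDB you would normalise to CPE or vendor SKU before joining.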
Veteran hosting goliath Rackspace revealed this week that a widespread service outage at the company in late September was down to a threat actor exploiting a then-0-day vulnerability (since assigned the ID CVE-2024-9537) in the ScienceLogic application used for monitoring services on the platform. The RCE vulnerability in ScienceLogic’s SL1 service is not unique to Rackspace and exists in any SL1/EM7 deployment, potentially exposing many more installations to attack. A similar exploitation at Rackspace in 2022 resulted in a data breach that, according to a 2023 regulatory filing, led to direct costs of over ten million dollars for the company, as well as multiple class action lawsuits.
We reported just under a month ago on attackers exploiting an earlier SharePoint deserialization flaw (CVE-2019-0604), and this week lightning strikes again, with a second, newer deserialization flaw (CVE-2024-38094) now also under active exploitation. The last round of attacks was pinned by multiple sources on Iranian threat actors, but no attribution has yet been claimed for this latest activity. Microsoft released patches for the underlying vulnerability in July, but given the repeated focus on SharePoint vulnerabilities by highly organised APT groups in recent weeks, restricting network access to instances and applying additional mitigations where possible seems wise at this point too.
A ‘Use After Free’ vulnerability in the ‘Exynos’ series of processors from Samsung’s ‘LSI’ chipset fabrication division sounds relatively obscure. But as researchers at Google’s Threat Analysis Group (TAG) have uncovered, the vulnerability (CVE-2024-44068) is being leveraged by commercial spyware vendors against the Samsung Galaxy and Google Pixel handsets in which the affected chips are used, a population numbering in the millions. There is no word yet on the threat actors involved or the extent of the impact. Enterprise customers with corporate mobile phone programmes are advised to ensure that a mobile device management (MDM) solution is in place and up to date, and is delivering the latest patches to all managed devices.
Fortinet really are having a rough time of it recently for a security solution vendor, with a string of high-profile attacks on the company’s FortiOS, FortiPAM, FortiProxy and FortiWeb products reported by CISA. The latest vulnerability to be targeted at scale is an authentication bypass in a management API on the company’s FortiManager devices, which speaks a proprietary protocol used for device management within the Fortinet ecosystem. With over 50,000 vulnerable instances exposed to the internet and 0-day attacks under way before Fortinet could prepare and issue a patch, this one requires swift action.
A bypass of the XSS protection mechanism in Roundcube’s webmail platform (CVE-2024-37383) has reportedly been exploited in phishing attacks by organised attackers focusing on governmental agencies and organisations within Europe. The attacks are the latest in a series of recent exploitations of several vulnerabilities in the platform, which is reported to be widely used in government agencies. No claim has yet been made as to the identity of the attackers, but the most recent prior exploitations, including the latest in June 2024, were attributed to Russian-linked APT threat actors, for whom the software seems to remain a favoured target.
Hot on the heels of an April 2024 blog post from Cisco’s Talos group warning of the dangers of brute force attacks against Virtual Private Network (VPN) services, a recent security advisory released by Cisco warns of exactly that: a flaw in the Remote Access VPN (RAVPN) service of its ASA and FTD software that fails to rate-limit remote login attempts. Cisco have handily provided a software checker so that vulnerable installations can identify themselves and get patched up before an attacker knocks the service over or brute-forces a way in.
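When the VPN service itself will not rate-limit logins, the compensating control is to detect the brute force from the authentication logs and block at the edge. The following is an added example written for this page, not code from Cisco, Talos or AppCheck: it counts rejected logins per source IP over a sliding window and flags both bursts against one account and ‘spray’ attempts across several accounts. The log lines are constructed in an ASA-style syslog shape (message 113005, ‘AAA user authentication Rejected’); the exact field layout is an assumption, so the regular expression will need adjusting to your own log source.

```python
"""Brute-force detection over VPN authentication logs (sliding window per source IP).

Added example, not Cisco's or AppCheck's code. SAMPLE_LOG is constructed in an
ASA-like shape; RFC 5737 test addresses are used for the sources.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed layout of a rejected-login line; adjust to your real syslog format.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}) \S+ %ASA-6-113005: "
    r"AAA user authentication Rejected.*?user = (?P<user>\S+) : user IP = (?P<ip>\S+)"
)

# Constructed sample: a legitimate user who mistypes twice then succeeds, one
# source hammering 'admin' six times in 25 seconds, and one source trying three
# different accounts in quick succession.
SAMPLE_LOG = """\
Oct 23 2024 10:15:01 fw-01 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = alice : user IP = 203.0.113.7
Oct 23 2024 10:15:09 fw-01 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = alice : user IP = 203.0.113.7
Oct 23 2024 10:15:20 fw-01 %ASA-6-113004: AAA user authentication Successful : server = 10.0.0.5 : user = alice
Oct 23 2024 10:16:00 fw-01 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = admin : user IP = 198.51.100.23
Oct 23 2024 10:16:05 fw-01 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = admin : user IP = 198.51.100.23
Oct 23 2024 10:16:10 fw-01 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = admin : user IP = 198.51.100.23
Oct 23 2024 10:16:15 fw-01 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = admin : user IP = 198.51.100.23
Oct 23 2024 10:16:20 fw-01 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = admin : user IP = 198.51.100.23
Oct 23 2024 10:16:25 fw-01 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = admin : user IP = 198.51.100.23
Oct 23 2024 10:20:00 fw-01 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = bob : user IP = 198.51.100.40
Oct 23 2024 10:20:03 fw-01 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = carol : user IP = 198.51.100.40
Oct 23 2024 10:20:06 fw-01 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = dave : user IP = 198.51.100.40
"""


def parse_failures(lines):
    """Yield (timestamp, source_ip, username) for every rejected login; other lines are ignored."""
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            yield datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"), m["ip"], m["user"]


def detect_bruteforce(lines, window_seconds=60, threshold=5, spray_users=3):
    """Raise one alert per source IP the first time it either logs `threshold`
    failures ("burst") or fails against `spray_users` distinct accounts ("spray")
    inside a sliding window of `window_seconds`."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> deque of (ts, user) still inside the window
    alerted, alerts = set(), []
    for ts, ip, user in sorted(parse_failures(lines)):
        q = recent[ip]
        q.append((ts, user))
        while ts - q[0][0] > window:  # evict entries older than the window
            q.popleft()
        users = sorted({u for _, u in q})
        if ip in alerted:
            continue
        if len(q) >= threshold or len(users) >= spray_users:
            alerted.add(ip)
            alerts.append({
                "ip": ip,
                "reason": "burst" if len(q) >= threshold else "spray",
                "failures": len(q),
                "users": users,
                "first": q[0][0].isoformat(),
                "last": ts.isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"{a['ip']:15} {a['reason']:5} failures={a['failures']} users={','.join(a['users'])} {a['first']}..{a['last']}")
```

On the constructed log this yields two alerts: 198.51.100.23 as a burst on its fifth failure, and 198.51.100.40 as a spray once it has touched three accounts; the genuine user at 203.0.113.7 never trips either rule. Thresholds are a starting point only, and the alert should feed an automated block on the firewall or a SIEM correlation rule rather than a human inbox.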
Although CISA provides generally broad coverage of the highest-profile exploitations, it can sometimes lag behind the curve in time to initial report for emerging exploitations. It can also sometimes deliberately omit exploitations if it judges the threat to US government and federal agencies to be limited, given its operational remit. AppCheck therefore uses numerous alternative threat intelligence sources to enrich its coverage of high-profile exploitations and 0-days reported elsewhere. AppCheck processes these and aims to prioritise adding detections for known-exploited vulnerabilities highlighted in non-CISA sources in exactly the same way as for CISA-published ones.
Cisco’s veteran commercial threat intelligence team, the ‘Talos’ Intelligence Group, reports that the prolific ‘Akira’ ransomware operators have been exploiting a vulnerability in the company’s HyperFlex HX platform web UI as part of a sophisticated exploit chain involving other products within the Cisco ecosystem, including ASA and FTD software. Talos reports that the threat group is specifically targeting organisations in the manufacturing, professional, scientific and technical services sectors.
Palo Alto Networks’ ‘Expedition’ tool is offered by the networking company to assist in migrating from other vendors’ equipment to the Palo Alto platform. Consequently the tool is often stuffed full of credentials used to authenticate to that equipment, and if compromised hands over the proverbial ‘keys to the kingdom’ for a technical estate. The saving grace here is that the tool would typically be run on administrative workstations and rarely exposed directly to the internet… hopefully.
Unknown scoundrels were reported on Wednesday this week to be exploiting a path traversal vulnerability in the Spring Framework for Java (CVE-2024-38816). According to security researchers at Cyble, the attack allows remote access to arbitrary sensitive and critical files on host systems. A patch is available, but the vulnerability is reportedly present in a considerable number of previous releases. With the framework often embedded in third-party solutions, where older versions frequently remain pinned in place, unpicking the true extent of the attack surface for this one could pose a challenge for many organisations.
To keep up to date with future high-profile advisories for critical ongoing exploitations that may threaten your technical estate, tune in next Friday for next week’s KEV roundup.
We now offer additional coverage of critical security updates from several key vendors too, including:
AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations’ websites, applications, network and cloud infrastructure. AppCheck are authorized by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA).