AppCheck presents our weekly round-up of critical vulnerabilities being actively exploited ‘in the wild’ by organised threat actors, during the week ending 30th August 2024. Organisations in both the public and private sectors can use the list each week as an input to their vulnerability management prioritisation framework: known exploitations are vulnerabilities that are confirmed as being actively used to target and exploit organisations around the globe. As such, they present perhaps the greatest ongoing cybersecurity risk to businesses, and a very real threat. The vulnerabilities are often being exploited by attackers in order to achieve direct financial gain via techniques such as malware and ransomware installation. We summarise each known ongoing exploitation below, but full details – including their impact, versions affected, and any official fix and remediation guidance – for each of the listed vulnerabilities are available, for free, via the AppCheck Detections Service at https://detections.appcheck-ng.com/ – simply click on the title of any of the exploitations below to see more information from this service.
This week: Once again, numerous exploits feature in the roundup this week, including attacks by state-sponsored threat actors, the appearance of critical exploit chains and many older vulnerabilities resurfacing in new attacks. Notably, the ransomware service ‘RansomHub’ unleashes havoc across a spread of industries and platforms with a sophisticated exploit chaining of several critical exploits. Also, a new wave of attacks on a VMware ESXi vulnerability (first reported on back in June of this year) by the ‘BlackByte’ ransomware group targets government entities and private companies. Multiple vulnerabilities, including ones first reported on in 2019, 2022 and 2023, are also now being exploited by suspected Iranian state-backed actors ‘PioneerKitten’.
CISA (America’s Cyber Defense Agency) maintains a catalogue of ‘KEV’s (Known Exploited Vulnerabilities) and publishes alerts of known exploitations, often daily. Although intended primarily as advisories for US governmental and federal agencies, the list is openly published for the benefit of the wider cybersecurity community and network defenders—and to help every organisation better manage vulnerabilities and keep pace with threat activity.
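The CISA catalogue is published as a machine-readable JSON feed, which is what makes it usable as a direct input to a prioritisation process rather than a list to read by hand. The script below is an added example written for this round-up; it is not AppCheck's code and not part of the Detections Service. It assumes only the public KEV feed's field names (`vulnerabilities`, `cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`, `knownRansomwareCampaignUse`); the entries, dates and asset inventory embedded in it are a constructed sample so that it runs offline, and the CVE identifiers used are the ones mentioned in this round-up rather than a copy of the live catalogue. It filters the catalogue to entries added this week, matches them against an asset inventory by vendor and product name, and orders the hits so that overdue items and entries flagged for ransomware use come first.

```python
"""Triage a CISA KEV feed extract against an asset inventory.

Added example for this round-up, not AppCheck's code. Assumes the KEV feed's
JSON field names; everything else (entries, dates, inventory) is constructed.
"""
import json
import re
from datetime import date

# Constructed sample mirroring the KEV feed schema. The CVE IDs are the ones
# named in the round-up; dateAdded/dueDate values are illustrative, NOT the
# catalogue's real dates.
SAMPLE_KEV_JSON = json.dumps({
    "title": "constructed KEV sample",
    "vulnerabilities": [
        {"cveID": "CVE-2023-3519", "vendorProject": "Citrix",
         "product": "NetScaler ADC and NetScaler Gateway",
         "dateAdded": "2024-08-27", "dueDate": "2024-09-17",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2022-1388", "vendorProject": "F5",
         "product": "BIG-IP", "dateAdded": "2024-08-27",
         "dueDate": "2024-09-17", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2019-19781", "vendorProject": "Citrix",
         "product": "Application Delivery Controller (ADC) and Gateway",
         "dateAdded": "2024-08-01", "dueDate": "2024-08-22",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2024-7971", "vendorProject": "Google",
         "product": "Chromium V8", "dateAdded": "2024-08-26",
         "dueDate": "2024-09-16", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed asset inventory (hypothetical hostnames).
INVENTORY = [
    {"asset": "gw-01", "vendor": "Citrix", "product": "NetScaler Gateway"},
    {"asset": "lb-02", "vendor": "F5", "product": "BIG-IP"},
    {"asset": "ws-kiosk", "vendor": "Google", "product": "Chrome"},
]


def load_kev(feed_text):
    """Return the list of catalogue entries from the feed's JSON text."""
    return json.loads(feed_text)["vulnerabilities"]


def added_since(entries, since_iso):
    """Keep entries whose dateAdded is on or after the given ISO date."""
    since = date.fromisoformat(since_iso)
    return [e for e in entries if date.fromisoformat(e["dateAdded"]) >= since]


def _tokens(name):
    """Coarse product-name tokens: lower-case, drop short words and 'and'."""
    return {t for t in re.split(r"[^a-z0-9-]+", name.lower())
            if len(t) >= 3 and t != "and"}


def match_inventory(entries, inventory):
    """Pair each asset with catalogue entries for the same vendor whose
    product name shares at least one token with the asset's product name.
    Deliberately loose: a false positive costs a minute to dismiss, a miss
    costs an unpatched exploited device."""
    hits = []
    for asset in inventory:
        want = _tokens(asset["product"])
        for e in entries:
            if e["vendorProject"].lower() != asset["vendor"].lower():
                continue
            if want & _tokens(e["product"]):
                hits.append((asset["asset"], e))
    return hits


def prioritise(hits, today_iso):
    """Order hits: past CISA due date first, then known ransomware use,
    then earliest due date, then CVE ID for a stable order."""
    today = date.fromisoformat(today_iso)

    def key(hit):
        _, e = hit
        overdue = date.fromisoformat(e["dueDate"]) < today
        ransomware = e.get("knownRansomwareCampaignUse") == "Known"
        return (not overdue, not ransomware, e["dueDate"], e["cveID"])

    return sorted(hits, key=key)


def weekly_triage(feed_text, inventory, week_start_iso, today_iso):
    """Full pipeline: new-this-week entries -> inventory matches -> ordered
    (asset, cveID) pairs for the vulnerability management queue."""
    entries = added_since(load_kev(feed_text), week_start_iso)
    ordered = prioritise(match_inventory(entries, inventory), today_iso)
    return [(asset, e["cveID"]) for asset, e in ordered]


if __name__ == "__main__":
    for asset, cve in weekly_triage(SAMPLE_KEV_JSON, INVENTORY,
                                    "2024-08-24", "2024-08-30"):
        print(f"{asset}: {cve}")
```

Note the `ws-kiosk` asset in the sample: its inventory product is recorded as “Chrome” while the catalogue entry names “Chromium V8”, so token matching misses it. That is the usual failure mode of name-based matching against KEV, and the reason a real pipeline should key on CPE identifiers or the vendor's own advisory IDs wherever the inventory carries them, falling back to name tokens only for devices that have neither.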
A larger-than-usual advisory from CISA details multiple CVEs affecting a range of network devices exploited in a recent campaign coordinated by the ransomware service ‘RansomHub’. This sophisticated exploit chain has been used to target vulnerabilities in platforms including FortiOS, Windows, Citrix and the Atlassian product catalog, across a wide variety of industries and sectors including governments, emergency services, critical infrastructure and much more. Given the nature of this series of exploits and the extensive use of the affected services, the impact of exploitation for these vulnerabilities is highly significant.
Iranian threat actors have resurfaced and are exploiting vulnerabilities including CVE-2023-3519, CVE-2022-1388 and CVE-2019-19781 in an ongoing campaign. U.S. cybersecurity and intelligence agencies have attributed this wave of attacks to Iranian state-sponsored actors, linking the activity to a threat actor dubbed ‘Pioneer Kitten’, which sources claim is connected to the government of Iran. Targets appear to include the education, finance, healthcare and defense sectors, as well as local government entities.
A critical flaw in the V8 JavaScript engine, which can lead to heap memory corruption and can be triggered by a user simply visiting a maliciously crafted webpage, is being actively exploited. Google have acknowledged the ongoing exploitation and emphasise the urgency of users updating their browsers to mitigate attacks. Only last week, Google rushed to address a different high-severity zero-day vulnerability, CVE-2024-7971, resulting from a type confusion weakness in V8.
In a second wave of attacks, VMware ESXi is once again targeted via an authentication mechanism bypass vulnerability that was first discovered back in June of this year. Responsible for this new wave of attacks is the ‘BlackByte’ ransomware group, a different group from the one behind the original wave of exploitation. Impacted sectors include critical infrastructure, private companies and government entities.
Although CISA provides generally broad coverage of the highest-profile exploitations, it can sometimes lag behind the curve in first reporting emerging exploitations. Because of its operational remit, it may also deliberately not publish some exploitations if it judges that there is limited threat to US government and federal agencies. AppCheck therefore uses numerous alternate threat intelligence sources to enrich its coverage of high-profile exploitations and 0-days reported elsewhere. AppCheck processes known-exploited vulnerabilities highlighted in non-CISA sources, and prioritises the addition of detection for them, in exactly the same way as for CISA-published ones.
An improper access control vulnerability has been identified in the SonicWall SonicOS used on the firm’s web application firewalls, allowing attackers to gain privileges, access sensitive information, execute commands and evade detection. The vendor reports that successful exploitation leads to unauthorised administrative access, which has the capacity to crash the firewalls. Whilst active exploitation in the wild has not yet been reported by CISA, the agency has previously reported active exploitation of flaws affecting SonicWall appliances since 2022. Since these appliances are widely used in corporate environments and are often the target of threat actors, prioritisation should be given to remediating any impacted environments.
A command injection vulnerability found in the Sangfor Web Application Firewall (WAF) from Hillstone Networks allows an unauthorised, remote attacker – upon successful exploit – to take complete control of the WAF appliance and compromise the security of any screened web applications or APIs that it has been deployed to protect. Whilst not yet reported by CISA, the vendor urges remediation given the critical nature of the exploit and its active exploitation.
An open source GPS tracking system, Traccar, is under threat from an exploit chain featuring two related vulnerabilities that allow attackers remote code execution on vulnerable Traccar instances via multiple exploit paths. With researchers suggesting that over 1,400 Traccar 5 servers are exposed on the internet running the default settings that allow unauthenticated attackers to exploit this chain of vulnerabilities, the impact of successful exploitation is critical.
A multilingual plugin designed for WordPress by OnTheGoSystems named ‘WPML’, created to assist in building and running multilingual sites, is now being actively exploited via a Server-Side Template Injection (SSTI) weakness. Successful exploitation allows a remote attacker to execute arbitrary (malicious) code on the WordPress server, and with over one million installations of this plugin – many within WooCommerce installations – the impact of exploitation is critical.
A critical exploit exists in Fortra’s FileCatalyst Workflow due to two separate vulnerabilities: a broken access control flaw and an SQL injection flaw. Successfully exploiting these vulnerabilities can lead to the execution of malicious system commands. CISA previously warned of active exploitation of a different RCE vulnerability in Fortra’s ‘GoAnywhere’ MFT solution (CVE-2023-0669) by ransomware group ‘CL0P’, where victimised companies were ransomed through the threat of severe data leaks.
WPS Office, an office suite available on multiple operating systems including Windows and macOS, is being actively exploited by attackers via improper path validation using two linked vulnerabilities. Security researchers at ESET have published information showing that a group aligned with South Korea known as ‘APT-C-60’ leveraged these two linked vulnerabilities to execute malicious code and deploy malware via a custom backdoor, ‘SpyGlace’. By 2022, WPS Office had exceeded 494 million monthly active users and a total of 1.2 billion installations. Suffice it to say, the impact of exploitation is critical.
A critical integer underflow vulnerability exists in the IPv6 implementation within Microsoft Windows, allowing an unauthenticated attacker to exploit this flaw and achieve remote code execution (RCE). At the time of the initial report, Microsoft said there was no evidence of this flaw being exploited in the wild but ranked it ‘More Likely’ regarding the likelihood of exploitation. Since then, exploit code has indeed been published ‘in the wild’, and is now available to attackers via sites such as GitHub. Given the availability of the exploit code and the near-universal deployment of Windows systems, remediation of impacted environments should be prioritised.
A leading manufacturer and provider of environmental solutions, AVTECH Software, Inc. faces a critical vulnerability in its line of discontinued AVTECH IP cameras. Successful exploitation of this command injection vulnerability allows an attacker to execute commands and inject arbitrary code, resulting in unauthorised access, data exfiltration and other malicious actions. CISA report that exploitations so far have targeted critical infrastructure sectors such as financial services and healthcare. The ongoing attack campaign has been underway since March 2024, although the vulnerability has had a public proof-of-concept (PoC) exploit as far back as February 2019. This flaw has been targeted alongside other known vulnerabilities to spread a Mirai botnet variant on target systems.
Note: Although technically reported by CISA via an ICS Advisory, it is not yet part of the Known Exploited Vulnerabilities catalogue, hence its position in our ‘Elsewhere on the Web’ section.
To keep up to date with future high-profile patches for critical exploits from vendors including Microsoft and Google, tune in next Friday for next week’s ‘KEV’ (known exploitation) roundup – and don’t forget to add the next ‘Patch Tuesday’ to your calendar now too – 10th September 2024.
AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations’ websites, applications, network, and cloud infrastructure. AppCheck are authorized by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA).