AppCheck presents our weekly summary of critical vulnerabilities being actively exploited ‘in the wild’ by organised threat actors, during the week ending October 4th, 2024. Organisations in both the public and private sectors can use the list each week as an input to their vulnerability management prioritisation framework: ‘Known Exploited Vulnerabilities’ are vulnerabilities that are confirmed as being actively used to target and exploit organisations around the globe within the last seven days. As such, they are perhaps the greatest ongoing cybersecurity risk to businesses, and a very real and present threat. The vulnerabilities are often being exploited by attackers to achieve direct financial gain via techniques such as malware and ransomware installation. AppCheck summarises the details of each known ongoing exploitation below, but for full details – including impact, versions affected, and any remediation or mitigation guidance – you can access our free AppCheck Detections Service at https://detections.appcheck-ng.com/ – simply click on the title of any of the exploitations below to see more information from this service.
In the news this week: A mixed bag of miscreant behaviour to delve into. To kick us off: it’s been another busy time for nation state hacking groups flexing their exploits with an all too familiar story of botnets recruiting vulnerable routers, gateways and IoT devices from vendors including D-Link and Draytek. Looking elsewhere we have seen everything from enterprise firewall appliances (WatchGuard) to cloud commerce solutions (SAP) and several core Linux OS libraries (glibc, polkit) getting themselves into trouble. Most notably perhaps, Ivanti’s EPM solution has been compromised yet again. Endpoint management solutions such as Ivanti’s offer a lucrative target to attackers, since they often store credentials for, or have client execution capabilities on, a multitude of managed devices (that are otherwise screened on private networks from direct external attack). Sophisticated threat actors will often use these flaws to gain APT (advanced persistent threat) presence in compromised devices long after the original vulnerability is remediated. Inevitably, this leads to the deployment of reverse web shells and other techniques to persist access, and it can be tough to root them out once they have gained that first foothold.
CISA (America’s Cyber Defense Agency) maintains a catalogue of ‘KEV’s (Known Exploited Vulnerabilities) and publishes alerts of known exploitations, on an often-daily basis. Although intended primarily as advisories for US governmental and federal agencies, the list is openly published for the benefit of the wider cybersecurity community and network defenders, and to help every organisation better manage vulnerabilities to keep pace with a volatile and shifting threat landscape.
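The opening paragraph suggests using the weekly KEV list as an input to a vulnerability-prioritisation process, and the CISA catalogue is published as a machine-readable JSON feed. The following is an added example, not AppCheck's own code or tooling: it joins a feed excerpt against a small asset inventory and ranks each finding by whether the CVE is a KEV, whether it was added within the last seven days, and whether CISA's remediation due date has passed. The feed excerpt, the inventory hosts, the `dateAdded` and `dueDate` values and the vendor/product fields are constructed placeholders shaped like the real feed; only the CVE identifiers come from this roundup, and their catalogue dates here are not the real ones.

```python
"""Rank an asset inventory against a CISA-KEV-style feed (added example, not AppCheck code).

The feed excerpt follows the field names of the public CISA KEV JSON
(https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
All dates, hosts and vendor/product strings below are constructed placeholders.
"""
import json
from datetime import date, timedelta

# Constructed feed excerpt: CVE IDs are the ones named in this roundup,
# every other field is a placeholder (real catalogue dates may differ).
KEV_FEED_JSON = """{
  "catalogVersion": "sample",
  "vulnerabilities": [
    {"cveID": "CVE-2024-8190", "vendorProject": "Ivanti", "product": "EPM",
     "vulnerabilityName": "placeholder", "dateAdded": "2024-10-02",
     "dueDate": "2024-10-23", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2023-35082", "vendorProject": "Ivanti", "product": "EPM",
     "vulnerabilityName": "placeholder", "dateAdded": "2024-09-10",
     "dueDate": "2024-10-01", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2024-34102", "vendorProject": "placeholder", "product": "placeholder",
     "vulnerabilityName": "CosmicSting", "dateAdded": "2024-09-20",
     "dueDate": "2024-10-11", "knownRansomwareCampaignUse": "Unknown"}
  ]
}"""

# Constructed inventory: (hostname, CVE the scanner reported on that host).
INVENTORY = [
    ("epm-01.corp.example", "CVE-2024-8190"),
    ("epm-01.corp.example", "CVE-2023-35082"),
    ("shop-web.corp.example", "CVE-2024-34102"),
    ("build-03.corp.example", "CVE-2021-44529"),  # not in the sample feed excerpt
]

# Date the roundup was written; the "last seven days" window is measured from here.
REPORT_DATE = date(2024, 10, 4)


def load_kev(feed_json):
    """Parse a KEV-format feed into a dict keyed by CVE ID."""
    feed = json.loads(feed_json)
    return {entry["cveID"]: entry for entry in feed["vulnerabilities"]}


def triage(inventory, kev_index, today, window_days=7):
    """Return findings sorted by priority tier.

    Tier 0: in KEV and added within window_days (this week's active exploitation).
    Tier 1: in KEV and CISA's remediation due date has already passed.
    Tier 2: in KEV, due date still in the future.
    Tier 3: not in the KEV catalogue (prioritise by other criteria).
    """
    findings = []
    for host, cve in inventory:
        entry = kev_index.get(cve)
        if entry is None:
            findings.append({"host": host, "cve": cve, "tier": 3,
                             "reason": "not in KEV catalogue"})
            continue
        added = date.fromisoformat(entry["dateAdded"])
        due = date.fromisoformat(entry["dueDate"])
        if today - added <= timedelta(days=window_days):
            tier, reason = 0, f"added to KEV {added} (within last {window_days} days)"
        elif today > due:
            tier, reason = 1, f"KEV remediation overdue since {due}"
        else:
            tier, reason = 2, f"in KEV, remediation due {due}"
        findings.append({"host": host, "cve": cve, "tier": tier, "reason": reason,
                         "ransomware_use": entry.get("knownRansomwareCampaignUse", "Unknown")})
    # Stable ordering: most urgent tier first, then by host and CVE for readability.
    findings.sort(key=lambda f: (f["tier"], f["host"], f["cve"]))
    return findings


if __name__ == "__main__":
    for finding in triage(INVENTORY, load_kev(KEV_FEED_JSON), REPORT_DATE):
        print(f"tier {finding['tier']}  {finding['host']:<24} {finding['cve']:<16} {finding['reason']}")
```

In practice the feed would be fetched from the CISA URL above and the inventory would come from scanner output; the tiering is deliberately simple so that it can be slotted in as one input alongside asset criticality and exposure.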
The Microsoft security team released a detailed writeup to kick the week off with a bang, outlining a sophisticated exploit chain targeting initial weaknesses in exposed web services including ZohoCorp’s ManageEngine suite, previously warned about in a CISA KEV advisory. ManageEngine was among several systems targeted to gain an initial foothold in customer technical estates, in a complex exploit chain that delivered ransomware throughout hybrid cloud environments. The ongoing exploitation involves a complex combination of techniques and vulnerabilities in a blended attack by sophisticated threat actors.
In a by-now all too familiar pattern, CISA warned at the start of the week that a command injection vulnerability in a legacy D-Link router model is being exploited in the wild. CISA hasn’t provided specifics on the threat actors involved – but based on the pattern typically seen, it is reasonable to assume that vulnerable devices are being co-opted into the ranks of a botnet to be used as a pawn in further attacks. Just last week we covered how IoT device botnets are being used by actors affiliated with nation states and amassing hundreds of thousands of compromised devices.
A second command injection vulnerability, in a second vendor’s routing equipment – this time Draytek’s ‘Vigor’ series of VPN Gateways – is also reported by CISA to be undergoing active exploitation. Whereas the details of the attacks against D-Link Routers (above) are sparse, the exploitation of the Draytek devices was one of over sixty vulnerabilities highlighted by the NSA, FBI and other national security agencies as covered in last week’s KEV roundup, the devices being the target of Chinese nation-state actors seeking to compromise infrastructure in the West.
SAP’s ‘Commerce Cloud’ product – the company’s answer to Salesforce in the cloud-based CRM space – has reportedly been coming under attack this week from attackers exploiting a deserialization vulnerability in the bundled VJDBC HTTP servlet in order to gain code execution privileges. The vulnerability itself is now five years old and has been patched across all current release streams, so it is not immediately clear how many instances are still vulnerable and have been targeted.
Ivanti’s EPM solution has been battered in recent months by a string of high-profile exploitations of a number of vulnerabilities, including CVE-2024-8963, CVE-2021-44529, CVE-2024-8190 and CVE-2023-35082. That list gains another member this week, with CISA issuing an alert that a ‘Blind’ SQL injection vulnerability in the product, first reported back in May 2024, is now also under active exploitation in the wild. The platform continues to attract the attention of high-profile attackers because, as an ‘endpoint management’ solution, it offers a useful first foothold into a customer network from which numerous downstream servers and other devices managed by EPM can be compromised.
Reports appeared this week from multiple sources of attackers exploiting a critical vulnerability in Zimbra’s Collaboration Server and Collaboration Suite within days of the publication of Proof of Concept (PoC) exploit code. The vulnerability itself is an unusual one, since it can be exploited remotely simply by sending an email to vulnerable SMTP mail servers. This provides the potential for massive exploitation at scale across multiple organisations at once, with minimal effort. Zimbra have urged companies to patch vulnerable instances immediately.
Although CISA provides a generally broad coverage of the highest profile exploitations, it can sometimes lag behind the curve in first report of emerging exploitations. It can also sometimes deliberately refrain from publishing certain known exploitations if it feels that there is limited threat to US government and federal agencies, due to its operational remit. AppCheck therefore uses numerous alternate threat intelligence sources to enrich its coverage of high-profile exploitations and 0-days reported elsewhere. AppCheck processes and aims to prioritise the addition of detection for known-exploited vulnerabilities highlighted in non-CISA sources, in the same way as for CISA-published ones.
Originally exploited widely back in 2022, a critical vulnerability in the Linux ‘polkit’ utility acts as a catch-all privilege elevation vulnerability that can be chained with a number of other exploits to achieve remote code execution. In the latest round of attacks reported, the vulnerability is being chained with weaknesses in both Selenium Grid and Apache’s RocketMQ to hijack hosts for crypto-mining operations. Although no precise claims have been made as to the attackers’ identity yet, the exploit is a sophisticated one, with the malware that is delivered taking multiple steps to mask its activities once installed – including process name obfuscation, multiple redundant copies, and quiescence if it detects that it is in danger of being spotted by legitimate system administrators.
WatchGuard’s Firebox series of firewalls, commonly deployed in enterprises, has been found to contain a pair of critical vulnerabilities in the Single Sign-On (SSO) implementation: a lack of encryption or authentication in the protocols used for communication leaves them open to request forgery that can be exploited in a number of ways, including bypass of firewall rules by assigning policies to one device that were intended for another. With exploit code available in the wild, researchers are warning that exploitation attempts are highly likely.
A pair of unrelated vulnerabilities in Oracle’s WebLogic application server have been reported by multiple sources to be under exploitation in recent weeks. The attackers have exploited the twin vulnerabilities to install both a trojan for access persistence and crypto-mining or ‘cryptojacking’ software. The latter is a form of malware that co-opts the computing resources of compromised hosts to mine cryptocurrencies such as bitcoin for financial gain at the expense of the host’s owner.
The ‘CosmicSting’ vulnerability (CVE-2024-34102), previously reported in our August 2024 (week 1) KEV roundup, is being paired with a ‘0-day’ exploit of the GNU C Library (glibc) in an exploit chain that leads to Remote Code Execution. Big-name companies including Ray-Ban, National Geographic and Cisco are reportedly already falling victim to attack, according to some sources.
To keep up to date with future high-profile patches for critical exploits from vendors including Microsoft and Google, tune in next Friday for next week’s KEV roundup – and don’t forget to add the next ‘Patch Tuesday’ to your calendar now too – it lands in just a few days now, on 8th October 2024.
AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations’ websites, applications, network, and cloud infrastructure. AppCheck are authorized by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA).