Known Actively Exploited Vulnerabilities Round-up (30.08.24-05.09.24)

This article covers recent vulnerabilities found to be actively exploited. They are categorised not only by the nature of the exploitation but also by their impact and the versions affected. The article also notes any official fix and remediation guidance for the listed vulnerabilities.

AppCheck presents our weekly round up of critical vulnerabilities being actively exploited ‘in the wild’ by organised threat actors, during the week ending 6th September 2024. Organisations in both the public and private sectors can use the list each week as an input to their vulnerability management prioritisation framework: known exploitations are vulnerabilities that are confirmed as being actively used to target and exploit organisations around the globe. As such, they present perhaps the greatest ongoing cybersecurity risk to businesses, and a very real threat. The vulnerabilities are often being exploited by attackers in order to achieve direct financial gain via techniques such as malware and ransomware installation. We summarise each known ongoing exploitation below, but full details – including their impact, versions affected, and any official fix and remediation guidance – for each of the listed vulnerabilities are all available, for free, via the AppCheck Detections Service at https://detections.appcheck-ng.com/ – simply click on the title of any of the exploitations below to see more information from this service.

This week: An abundance of exploits feature in this week’s known exploited vulnerabilities round-up. Apache OFBiz faces yet another round of exploits in a month-long saga of attacks and partial fixes. Russian state actors put U.S. intelligence agencies on high alert as vulnerabilities in platforms such as Atlassian are targeted via complex exploit chains. A second wave of attacks by the hacktivist group ‘Head Mare’ abuses a WinRAR flaw to execute arbitrary code. Plus, a special update on a previously exploited vulnerability and its costly impact on a Californian software company.

 

CISA ‘Known Exploitations’

CISA (America’s Cyber Defense Agency) maintains a catalogue of ‘KEVs’ (Known Exploited Vulnerabilities) and publishes alerts of known exploitations, often daily. Although intended primarily as advisories for US governmental and federal agencies, the list is openly published for the benefit of the wider cybersecurity community and network defenders, to help every organisation better manage vulnerabilities and keep pace with threat activity.
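One concrete way to use the KEV catalogue as a prioritisation input, as the round-up suggests, is to join it against your own scanner output and rank the overlap. The script below is an added example written for this page; it is not AppCheck's tooling, nor CISA's. It assumes the feed uses the public KEV JSON layout (a top-level `vulnerabilities` list whose entries carry `cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate` and `knownRansomwareCampaignUse`) and that the inventory is a mapping of hostname to the CVE IDs a scanner reported. The feed and inventory embedded in it are constructed samples: they reuse CVE IDs from this round-up, but the dates and ransomware flags are placeholders, not the catalogue's real values.

```python
"""Added example (not from the AppCheck article or the CISA catalogue).

Triage a CISA KEV-style feed against a local asset inventory, entirely
offline, ranking hosts by how urgently their KEV-listed CVEs need fixing.

Assumptions not stated in the article:
  - The feed uses the public KEV JSON layout (a top-level "vulnerabilities"
    list whose entries carry cveID, vendorProject, product, dateAdded,
    dueDate and knownRansomwareCampaignUse).
  - The inventory is a mapping of hostname -> CVE IDs reported by a scanner.
The feed below is a constructed sample: it reuses CVE IDs from this round-up
but the dates and ransomware flags are placeholders, not catalogue values.
"""
import json
from dataclasses import dataclass
from datetime import date

SAMPLE_KEV_JSON = json.dumps({
    "title": "constructed sample, not the live CISA feed",
    "vulnerabilities": [
        {"cveID": "CVE-2023-22527", "vendorProject": "Atlassian",
         "product": "Confluence Data Center and Server",
         "dateAdded": "2024-01-24", "dueDate": "2024-02-14",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2023-38831", "vendorProject": "RARLAB",
         "product": "WinRAR",
         "dateAdded": "2023-08-24", "dueDate": "2023-09-14",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2021-20123", "vendorProject": "DrayTek",
         "product": "VigorConnect",
         "dateAdded": "2024-09-03", "dueDate": "2024-09-24",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed inventory: hostname -> CVE IDs a scanner reported on it.
SAMPLE_INVENTORY = {
    "wiki01": ["CVE-2023-22527", "CVE-2024-99999"],   # second ID is not in the feed
    "ws-finance-07": ["CVE-2023-38831"],
    "mgmt-gw": ["CVE-2021-20123", "CVE-2021-20124"],  # only the first is in the feed
}


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str
    product: str
    due: date
    ransomware: bool


def parse_kev(feed_json: str) -> dict:
    """Index a KEV-style feed by CVE ID."""
    feed = json.loads(feed_json)
    return {entry["cveID"]: entry for entry in feed.get("vulnerabilities", [])}


def triage(feed_json: str, inventory: dict, today_iso: str) -> list:
    """Return inventory findings that appear in the KEV feed, most urgent first.

    Ordering: CVEs with known ransomware use, then anything already past its
    KEV due date, then by due date, then by hostname. CVEs absent from the
    feed are skipped here; they still go through the normal scoring process.
    """
    today = date.fromisoformat(today_iso)
    kev = parse_kev(feed_json)
    findings = []
    for host, cves in inventory.items():
        for cve in cves:
            entry = kev.get(cve)
            if entry is None:
                continue
            findings.append(Finding(
                host=host,
                cve=cve,
                product=f"{entry.get('vendorProject', '?')} {entry.get('product', '?')}",
                due=date.fromisoformat(entry["dueDate"]),
                ransomware=entry.get("knownRansomwareCampaignUse", "").lower() == "known",
            ))
    # False sorts before True, so ransomware-linked and overdue items come first.
    findings.sort(key=lambda f: (not f.ransomware, f.due >= today, f.due, f.host))
    return findings


def overdue(findings: list, today_iso: str) -> list:
    """Findings whose KEV due date has already passed."""
    today = date.fromisoformat(today_iso)
    return [f for f in findings if f.due < today]


if __name__ == "__main__":
    report_date = "2024-09-06"   # end of the week this round-up covers
    ranked = triage(SAMPLE_KEV_JSON, SAMPLE_INVENTORY, report_date)
    late = {f.cve for f in overdue(ranked, report_date)}
    for f in ranked:
        flags = ("RANSOMWARE " if f.ransomware else "") + ("OVERDUE" if f.cve in late else "")
        print(f"{f.host:14} {f.cve:16} due {f.due}  {f.product}  {flags}")
    print(f"{len(late)} of {len(ranked)} KEV findings are past their due date")
```

The due dates in the real feed are the deadlines CISA sets for federal agencies, but they are a useful proxy for urgency in any organisation; the ordering above deliberately puts ransomware-linked CVEs ahead of merely overdue ones, which is a policy choice you may want to invert.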

 

Atlassian Confluence ‘Godzilla’ Exploitation (CVE-2023-22527)

A vulnerability in Atlassian Confluence Data Center and Server is being actively exploited: successful attacks lead to remote execution of arbitrary (malicious) code on the affected Confluence instance. Despite an earlier warning and the availability of patches, many organisations remain vulnerable as of September 2024. In the most recent wave of attacks, the ‘Godzilla’ backdoor (a web shell) is the tool cybercriminals are deploying on compromised instances. CISA first reported in-the-wild exploitation attempts on 24th January 2024.

 

WinRAR RCE ‘Head Mare’ Exploitation (CVE-2023-38831)

Despite the availability of a patch and widespread warnings of the risk, an arbitrary code execution vulnerability from August 2023 has resurfaced and is being actively exploited in a second wave of attacks by the ‘Head Mare’ hacktivist group, as reported by Kaspersky. The vulnerability affects the WinRAR file archiver utility from RARLAB and, on successful exploitation, allows attackers to execute arbitrary code when a user attempts to view a file within a crafted ZIP archive.

 

DrayTek VigorConnect Multiple Vulnerabilities (CVE-2021-20123 & CVE-2021-20124)

Network equipment manufacturer DrayTek faces two linked path traversal vulnerabilities in its VigorConnect central management system. On successful exploitation, attackers can use them to download arbitrary files from the underlying operating system with root privileges. Although no information on the identity of the threat actors or the targets of this wave of attacks has been released, CISA reported these vulnerabilities as known to be actively exploited in the wild on 3rd September 2024.

 

MS Windows RCE 0-DAY Ransomware Exploitation (CVE-2023-36884)

In an ongoing campaign by the Russian ‘RomCom’ group, ransomware is being distributed to targeted computers by exploiting this Windows HTML remote code execution zero-day in the Search component of Microsoft Windows. The attacker can then encrypt the victim’s files and demand a ransom to unlock them. There are currently 16 victims listed on the group’s data leak website, across a number of critical sectors.

 

Atlassian Confluence Multiple Vulnerabilities (CVE-2022-26134 & CVE-2022-26138)

In September 2024, the Federal Bureau of Investigation (FBI), the National Security Agency (NSA) and other U.S. and international partners released a joint Cybersecurity Advisory warning that Russian state actors are actively exploiting these two Atlassian vulnerabilities, both first reported by CISA in the summer of 2022. The advisory states that the attacks specifically target U.S. and global critical infrastructure. The full exploitation chain also involves the compromise of numerous other systems, including Microsoft Windows and Sophos Firewall.

 

 

Elsewhere on the Web

Although CISA provides broad coverage of the highest-profile exploitations, it can sometimes lag behind in first reporting emerging ones. Given its operational remit, it may also deliberately not publish some exploitations if it judges the threat to US government and federal agencies to be limited. AppCheck therefore uses numerous alternative threat intelligence sources to enrich its coverage of high-profile exploitations and 0-days reported elsewhere, and processes, and aims to prioritise, the addition of detections for known-exploited vulnerabilities highlighted in non-CISA sources in exactly the same way as for CISA-published ones.

 

VMware Fusion RCE Vulnerability (CVE-2024-38811)

A vulnerability in VMware Fusion, the VMware hypervisor for macOS, allows attackers to execute arbitrary code within the context of the Fusion application, which can lead to full compromise of the host system. VMware products are a frequent target for threat actors, and CISA has previously published bulletins on other VMware vulnerabilities. Given the critical nature of this flaw and its high probability of exploitation, remediation should be prioritised in any impacted environment.

 

D-Link Multiple Vulnerabilities (CVE-2024-41622, CVE-2024-44340, CVE-2024-44341 & CVE-2024-44342)

Four linked vulnerabilities in one D-Link wireless networking device model are under active exploitation. Each is rated critical and can be exploited for command injection; on successful exploitation, attackers are able to execute arbitrary (malicious) code on the target device. Since the vendor is not patching these vulnerabilities, they effectively remain permanent ‘0-days’. D-Link vulnerabilities have been exploited in the past by malware botnets, and in a recent attack threat actors stole passwords and breached devices via a flaw (CVE-2024-0769) in a D-Link router.

 

Zyxel Router RCE Command Injection (CVE-2024-7261)

Taiwanese networking equipment manufacturer Zyxel is exposed by a command injection vulnerability present in multiple models of its routers. On successful exploitation, unauthenticated attackers can execute arbitrary (malicious) commands on the host operating system by sending a crafted cookie to a vulnerable device. Vulnerabilities like these in network devices are commonly exploited to recruit devices into botnets such as Mirai for DDoS attacks. The probability of targeted exploitation by known threat actors is considered extremely high, so remediation should be prioritised in any impacted environments.

 

Moodle – RCE Exploitation via Eval Injection (CVE-2024-43425)

Moodle, the free and open-source learning management system (LMS) widely used in educational institutions and workplaces, has reportedly been under attack via a code injection vulnerability, according to the SANS Internet Storm Center, which operates a honeypot to capture and analyse threat activity. According to its report, a substantial number of the attackers probing for the Moodle vulnerability are already attempting exploitation against vulnerable instances. Successful exploitation could allow attackers to delete courses or reveal sensitive information.

 

Cisco Meraki SM Agent RCE (CVE-2024-20430)

A critical security advisory released by Cisco Systems details a vulnerability in the Cisco Meraki Systems Manager (SM) Agent for Windows. When successfully exploited, attackers can execute their own programs, access unauthorised data files and more. Given that the vendor released this advisory outside its standard patch cycle, the potential for active exploitation should be considered very high, especially given the risk of onward (pivot) attacks against further managed systems once one system is compromised.

 

Apache OFBiz Multiple Vulnerabilities (CVE-2024-45507 & CVE-2024-45195)

In what appears to be a back-and-forth between fixes and bypasses, Apache OFBiz faces yet more vulnerabilities, as the third and fourth critical RCE vulnerabilities in the sequence come under active exploitation. It is highly likely that the latest of these (CVE-2024-45195) is being exploited by the same threat actors. Since the first week of August, sensors have detected a significant increase in exploitation attempts against OFBiz vulnerabilities, several thousand per day, believed to be linked to the ‘Mirai’ botnet.

 

Veeam Backup & Replication Unauthenticated RCE (CVE-2024-40711)

An unauthenticated remote code execution vulnerability exists in the proprietary backup application from Veeam Software, a privately held, US-based IT company. Successful exploitation allows a remote attacker, without authentication, to execute arbitrary (malicious) code, enabling a complete hostile takeover of the system. As Veeam is considered a high-value target for ransomware operators such as the Cuba ransomware gang and FIN7, immediate remediation is advised for any impacted environments.

 


 

Exploitation Update: Ivanti vTM Vulnerability exploited within Verkada

As a special add-on to this week’s round-up, we thought it worth sharing some recent and significant news about a previously covered vulnerability that we had warned was being actively exploited. Verkada, a company that develops cloud-based building security and operating systems, suffered a breach via exploitation of this vulnerability. In the aftermath, Verkada agreed to a $2.95 million settlement with the U.S. Federal Trade Commission (FTC), which had accused the company of failing to adequately protect user data, underlining the importance of due diligence and timely patching for these high-risk vulnerabilities.

 


 

To keep up to date with future high-profile patches for critical exploits from vendors including Microsoft and Google, tune in next Friday for next week’s ‘KEV’ (known exploitation) roundup – and don’t forget to add the next ‘Patch Tuesday’ to your calendar now too – 10th September 2024.

 

About AppCheck

AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations websites, applications, network, and cloud infrastructure. AppCheck are authorized by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA).
