A Week of Malware Exploitations and Sustained Botnet Activity

October 18, 2024
Executive Summary
Trending / Critical Vulnerabilities
Exploit Activity and Mass Scanning Observed on Cytellite Sensors
Vulnerabilities abused by Botnet
Vulnerabilities Abused by Malware
PRE-NVD observed for this week
External References
Subscribe to our Reports

Executive Summary

This week, the CISA Known Exploited Vulnerabilities (KEV) catalog experienced a modest expansion with the addition of four new vulnerabilities affecting Microsoft, Mozilla, Veeam, and SolarWinds products.

Notably, threat actors such as Earth Simnavaz and ScarCruft have been detected exploiting Microsoft zero-day vulnerabilities as part of their cyber espionage campaigns, while Akira and Fog ransomware were observed leveraging a vulnerability in Veeam Backup and Replication.

 In other developments, the Mirai botnet intensified its attacks on TP-Link Archer AX21 routers, highlighting its ongoing focus on consumer devices. Additionally, the Sysrv and Enemy botnets were seen actively exploiting vulnerabilities in Spring Cloud Gateway, further broadening their attack vectors. The IoT_Reaper botnet continued to target a long-standing vulnerability in MVPower CCTV DVR models, and Zerobot was found exploiting a three-year-old vulnerability in the Apache HTTP server.

Trending / Critical Vulnerabilities

Current trending vulnerabilities offer insights into the latest emerging and widely discussed threats, helping to make informed decisions. 

CVE-2024-9680

A use-after-free vulnerability in the Animation timeline component of Mozilla Firefox, which has a high CVSS score of 9.8, enables attackers to execute code within the content process.  This prompted the Tor Project to issue an emergency update for Tor Browser version 13.5.7 to resolve the issue. Additionally, this vulnerability has been added to the CISA KEV catalog. 

CVE-2024-28987

A critical hardcoded credential vulnerability in SolarWinds Web Help Desk (WHD) version 12.8.3 HF1 and earlier allows remote, unauthenticated attackers to infiltrate internal systems and modify sensitive data. With a high-severity CVSS score of 9.1, this flaw has been flagged in the CISA Known Exploited Vulnerabilities (KEV) catalog. SolarWinds swiftly responded by releasing WHD version 12.8.3 Hotfix 2 to mitigate the threat.

Exploit Activity and Mass Scanning Observed on Cytellite Sensors

Telemetry collected from Loginsoft sensors were analyzed and processed to derive insights on what is actively being exploited and actively being scanned. As source of truth, source IPv4 addresses & payloads can be provided on need-to-know basis.

Vulnerabilities Product Severity Title Exploited – in the-wild CISA KEV
CVE-2024-4577 PHP-CGI on Windows High Critical argument injection vulnerability in PHP on Windows servers True True
CVE-2023-4966 D-Link NAS devices Critical Command Injection Vulnerability in D-Link NAS devices True True
CVE-2023-31192 SoftEther VPN Critical Information Disclosure vulnerability in the ClientConnect() functionality of SoftEther VPN 5.01.9674 True False
CVE-2023-38646 Metabase open source and Metabase Enterprise Critical Remote code execution vulnerability in Metabase open source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1 True True
CVE-2023-1389 TP-Link Archer AX-21 High Command Injection Vulnerability in TP-Link Archer AX-21 True True
CVE-2022-41040 Microsoft Exchange Server High Server-Side Request Forgery Vulnerability in Microsoft Exchange Server True True
CVE-2022-30489 Wavlink Devices Medium Cross-site scripting vulnerability in Wavlink Devices False False
CVE-2022-25168 Apache Hadoop Critical Command injection vulnerability in org.apache.hadoop.fs.FileUtil.unTarUsingTar in Apache Hadoop False False
CVE-2022-24847 GeoServer High Improper input validation vulnerability in GeoServer leads to arbitrary code execution False False
CVE-2022-22947 Spring Cloud Gateway Critical Remote code execution vulnerability in Spring Cloud Gateway prior to 3.1.1+ and 3.0.7+ True True

Vulnerabilities abused by Botnet

Identified vulnerabilities exploited by botnets, including recent CVEs logged in Misp. Presenting the top 5 CVEs with payloads suggestive of botnet activities, like utilizing wget with IP addresses.

Vulnerability Product Title Exploit Abused by Botnet
CVE-2023-1389 TP-Link Archer AX21 An unauthenticated command injection vulnerability found in the TP-Link Archer AX21 WiFi router True AGoent, Gafgyt, Moobot, Miori, Mirai, Condi
CVE-2022-22947 Spring Cloud Gateway Remote code execution vulnerability in Spring Cloud Gateway prior to 3.1.1+ and 3.0.7+ True Enemybot, GuardMiner, Sysrv-botnet
CVE-2021-41773 Apache HTTP Server Path traversal vulnerability in Apache HTTP Server True Zerobot
CVE-2016-20016 MVPower CCTV DVR models Remote code execution vulnerability in MVPower CCTV DVR models True IoT-Repear

Vulnerabilities Abused by Malware

We proactively monitor the vulnerabilities which are targeted by adversaries. Each vulnerability is humanly studied and mapped with Mitre ATT&CK tactics and techniques. Source of information is derived from our vulnerability intelligence platform collected and curated information from various sources such as Twitter, Telegram, OSINT groups, Blogs, Data leak Sites and more.  

CVE-2024-30088 

This privilege escalation vulnerability in the Windows Kernel poses a serious risk as it enables threat actors to elevate their privileges to SYSTEM level, thereby gaining extensive control over affected devices. Recent investigations from Trend Micro revealed that the Iranian threat actor Earth Simnavaz, also known as APT34 and OilRig, has been leveraging this vulnerability in a cyber espionage campaign aimed at government organizations in the UAE and the larger Gulf region. This vulnerability has now been included in the CISA KEV catalog. 

CVE-2024-40711

A deserialization vulnerability in Veeam Backup & Replication affecting versions 12.1.2.172 and earlier, allows unauthenticated remote code execution, carrying a high-severity CVSS score of 9.8. Exploited by threat actors to deploy both Akira and Fog ransomware, this flaw posed a serious risk to systems. Veeam addressed the issue with the release of version 12.2 in September 2024. The vulnerability has since been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog. 

CVE-2024-38178 

This memory corruption vulnerability in the scripting engine can lead to remote code execution when using the Edge browser in Internet Explorer mode. Investigations by AhnLab uncovered that the North Korean threat actor ScarCruft (also known as RedEyes, TA-RedAnt, Group123, APT37, and others) has been actively exploiting this flaw to deliver RokRAT malware to compromised devices. CISA added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog in August 2024.

Vulnerability Severity Title Patch Targeted By Malware OSS
CVE-2024-30088 High Privilege escalation vulnerability in the Windows kernel True Earth Simnavaz False
CVE-2024-40711 Critical A deserialization of untrusted data vulnerability in Veeam Backup & Replication True Akira ransomware, Fog ransomware False
CVE-2024-38178 High Memory Corruption vulnerability in Windows Scripting Engine leads to remote code execution True ScarCruft, RokRAT False

PRE-NVD observed for this week

It refers to vulnerabilities discovered and potentially exploited before their official inclusion in the National Vulnerability Database. The LOVI Platform aggregates and distributes data from open sources and social media, currently tracking over 100 security alerts and planning to expand.

CVE-ID Type of Vulnerability Product Reference
CVE-2024-6404 Improper Input Validation Telenium Online Web Application Resource
CVE-2024-47966 Remote Code Execution Delta Electronics CNCSoft-G2 Resource
CVE-2024-6992 Out of bounds Read Chromium Resource
CVE-2024-9710 Server-Side Request Forgery PostHog database_schema Resource
CVE-2024-6519 Use-After-Free QEMU SCSI Resource

External References

Get notified

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Latest Reports

Latest Reports