New Critical Vulnerabilities Surface as Threat Actors Evolve

November 1, 2024
Executive Summary
Trending / Critical Vulnerabilities
Exploit Activity and Mass Scanning Observed on Cytellite Sensors
Vulnerabilities abused by Botnet
Vulnerabilities Abused by Malware
PRE-NVD observed for this week
External References
Subscribe to our Reports

Executive Summary

In an unexpected turn, the CISA KEV list saw no new additions this week, leaving cybersecurity experts surprised. However, critical vulnerabilities were identified in Grafana OSS, VMware vCenter Server, and DrayTek Vigor routers, indicating that threats are still very much present.  In proactive measures, Google has patched a critical vulnerability reported by Apple, and the Progress community has released a fix for a significant flaw in WhatsUp Gold. Organizations must remain vigilant and ready to address these evolving security challenges.  

With the PSAUX ransomware and LightSpy macOS implants ramping up their activity this week, the urgency for organizations to fortify their cybersecurity strategies has never been more critical.

The IoT_Reaper botnet remains active, persistently exploiting a vulnerability in MVPower CCTV DVR models, while Zerobot has been discovered targeting a three-year-old flaw in the Apache HTTP server. Additionally, notable botnets such as Enemybot, LiquorBot, and the infamous Mirai are leveraging a nine-year-old vulnerability in D-Link DIR 645 routers.

Trending / Critical Vulnerabilities

Current trending vulnerabilities offer insights into the latest emerging and widely discussed threats, helping to make informed decisions.  

CVE-2024-9264

A severe SQL injection vulnerability in Grafana’s experimental SQL Expressions feature permits authenticated users to execute arbitrary DuckDB SQL queries by adjusting dashboard expressions.  With a CVSS score of 9.9, this vulnerability impacts both Grafana OSS and Enterprise, and a PoC is currently available.

CVE-2024-38812

VMware vCenter Server contains a critical heap overflow vulnerability, allowing an attacker with network access to exploit it through specially crafted packets, possibly resulting in remote code execution. This vulnerability, affecting versions 8.0U3a and earlier, has a CVSS score of 9.8, and a proof-of-concept is available.

CVE-2024-48074

DrayTek Vigor2960 routers running firmware version 1.4.4 are impacted by a remote code execution vulnerability with a high CVSS score of 8.0. This flaw, if exploited successfully, could lead to data breaches, network disruption, malware spread, and botnet recruitment. The availability of proof-of-concept elevates the risk level, posing a critical threat to organizations.  

CVE-2024-10487

Google has addressed a high severity out-of-bounds write vulnerability in its Chrome browser, which has been assigned a CVSS score of 8.8. This flaw, reported by Apple, impacts versions prior to 130.0.6723.92 and is associated with the Dawn implementation.

CVE-2024-7763

A critical authentication bypass vulnerability in Progress Software's WhatsUp Gold, impacting versions prior to 2024.0.0 and assigned a CVSS score of 9.8, allows attackers to exploit the flaw to access encrypted user credentials, potentially resulting in further unauthorized access.

Exploit Activity and Mass Scanning Observed on Cytellite Sensors

Telemetry collected from Loginsoft sensors were analyzed and processed to derive insights on what is actively being exploited and actively being scanned.  As source of truth, source IPv4 addresses & payloads can be provided on need-to-know basis.

Vulnerability Product Severity Title Exploited – in the Wild CISA KEV
CVE-2024-4577 PHP-CGI on Windows High Critical argument injection vulnerability in PHP on Windows servers True True
CVE-2023-38646 Metabase open source and Metabase Enterprise Critical Remote code execution vulnerability in Metabase open source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1 True True
CVE-2023-1389 TP-Link Archer AX-21 High Command Injection Vulnerability in TP-Link Archer AX-21. True True
CVE-2022-41040 Microsoft Exchange Server High Server-Side Request Forgery Vulnerability in Microsoft Exchange Server True True
CVE-2022-30489 Wavlink Devices Medium Cross-site scripting vulnerability in Wavlink Devices False False
CVE-2022-25168 Apache Hadoop Critical Command injection vulnerability in org.apache.hadoop.fs.FileUtil.unTarUsingTar in Apache Hadoop False False
CVE-2022-22947 Spring Cloud Gateway Critical Remote code execution vulnerability in Spring Cloud Gateway prior to 3.1.1+ and 3.0.7+ True True
CVE-2022-30023 Tenda Devices High Command injection vulnerability via the Ping function in Tenda Products False False
CVE-2022-34045 Wavlink Devices Critical Hardcoded encryption/decryption key vulnerability in Wavlink False False
CVE-2022-24847 GeoServer High Improper input validation vulnerability in GeoServer leads to arbitrary code execution False False

Vulnerabilities abused by Botnet

Identified vulnerabilities exploited by botnets, including recent CVEs logged in Misp. Presenting the top 5 CVEs with payloads suggestive of botnet activities, like utilizing wget with IP addresses.

Vulnerability Product Title Exploit Abused by Botnet
CVE-2021-41773 Apache HTTP Server Path traversal vulnerability in Apache HTTP Server True Zerobot
CVE-2016-20016 MVPower CCTV DVR models Remote code execution vulnerability in MVPower CCTVDVR models True IoT-Repear
CVE-2015-2051 D-Link DIR-645 Arbitrary command execution vulnerability in D-Link DIR-645 Wired/Wireless Router False Hakai Yowai
Mirai
LiquorBot
BotenaGo
Enemybot

Vulnerabilities Abused by Malware

We proactively monitor the vulnerabilities which are targeted by adversaries. Each vulnerability is humanly studied and mapped with Mitre ATT&CK tactics and techniques. Source of information is derived from our vulnerability intelligence platform collected and curated information from various sources such as Twitter, Telegram, OSINT groups, Blogs, Data leak Sites and more.    

CVE-2024-51567, CVE-2024-51568 and CVE-2024-51378  

Threat actors are actively exploiting three critical remote code execution vulnerabilities in CyberPanel, a widely used web hosting control panel to compromise servers and deploy PSAUX ransomware. These vulnerabilities affecting versions 2.3.6 and 2.3.7 allow unauthenticated attackers to gain root access for full control over the impacted systems.  

CVE-2020-9802 and CVE-2020-3837

The LightSpy threat actor has broadened its focus to the iOS platform, targeting devices running up to version 13.3 by exploiting the publicly available Safari vulnerabilities CVE-2020-9802 for initial access and CVE-2020-3837 for privilege escalation, demonstrating its capacity for destruction through actions like wiping contact lists and disabling devices by removing critical system components.

Vulnerability Severity Title Patch Targeted By Malware OSS
CVE-2024-51567 Critical The vulnerability resides in the upgrademysqlstatus function located in CyberPanel’s databases/views.py. Attackers can achieve remote command execution by circumventing security middleware and exploiting shell metacharacters in the statusfile property. True PSAUX ransomware False
CVE-2024-51568 Critical This issue pertains to command injection through the completePath parameter in the ProcessUtilities.outputExecutioner() function. Attackers can execute arbitrary commands via file uploads in File Manager, enabling remote code execution without requiring authentication. True PSAUX ransomware False
CVE-2024-51378 Critical This vulnerability impacts the getresetstatus function in both dns/views.py and ftp/views.py. Like other vulnerabilities, it permits remote command execution by circumventing the middleware, classifying it as a high-risk flaw. True PSAUX ransomware False
CVE-2020-9802 High A use-after-free vulnerability in Apple Safari that could enable arbitrary code execution if a user interacts with maliciously crafted web content. Apple has addressed this vulnerability across several products, including iOS, iPadOS, tvOS, watchOS, Safari, iTunes, and iCloud for Windows. True LightSpy True
CVE-2020-3837 High A memory corruption vulnerability in iOS, iPadOS, and macOS could allow an application to execute arbitrary code with kernel-level privileges. True LightSpy False

PRE-NVD observed for this week

It refers to vulnerabilities discovered and potentially exploited before their official inclusion in the National Vulnerability Database. The LOVI Platform aggregates and distributes data from open sources and social media, currently tracking over 100 security alerts and planning to expand.

CVE-ID Type of Vulnerability Product Reference
CVE-2024-8025 Heap-based Buffer Overflow Nikon NEF Codec Resource
CVE-2024-9369 Insufficient Data Validation Google Chrome Resource
CVE-2024-9370 Inappropriate Implementation Google Chrome Resource
CVE-2024-7025 Integer Overflow Google Chrome Resource
CVE-2024-31145 Memory Corruption Xen Package Resource

External References

  1. https://www.securityweek.com/google-patches-critical-chrome-vulnerability-reported-by-apple/  
  2. https://securityonline.info/cve-2024-48074-rce-flaw-discovered-in-draytek-vigor2960-routers-poc-published/  
  3. https://www.threatfabric.com/blogs/lightspy-implant-for-ios  
  4. https://securityonline.info/psaux-ransomware-is-exploiting-two-max-severity-flaws-cve-2024-51567-cve-2024-51568-in-cyberpanel/  
  5. https://securityonline.info/grafana-vulnerability-cve-2024-9264-poc-released-for-9-9-rated-critical-flaw/

Get notified

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Latest Reports

Latest Reports