Executive Summary
This week, CISA added three vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. Two of these vulnerabilities, CVE-2021-20123 and CVE-2021-20124, are path traversal flaws affecting DrayTek Vigor Connect devices. The third vulnerability, CVE-2024-7262, is a remote code execution flaw in WPS Office that has been exploited by the APT-C-60 threat actor group.
Meanwhile, the hacktivist group "Head Mare" has been exploiting CVE-2023-38831, a vulnerability in WinRAR, to gain initial access to target systems.
The notorious Mirai botnet persists in its aggressive exploitation campaign, this week targeting LB-Link BL devices and TP-Link Archer AX21 routers. Furthermore, attacks on Huawei routers and Spring Cloud vulnerabilities remain a frequent choice for botnet operators such as Sysrv and EnemyBot.
Trending / Critical Vulnerabilities
CVE-2024-7262
CVE-2024-7262 is a high-severity remote code execution vulnerability in WPS Office that enables attackers to execute arbitrary code on the victim's machine, potentially resulting in data theft, ransomware attacks, or further system compromise. Recent investigations revealed that the APT-C-60 threat actor group exploited this vulnerability to target organizations in East Asian countries. This one-click vulnerability was assigned a CVSS score of 7.8 and an EPSS score of 0.04703, and it has been added to the CISA KEV catalog.
CVE-2023-38831
CVE-2023-38831 is a severe remote code execution vulnerability in WinRAR affecting versions prior to 6.23. This flaw allows attackers to execute arbitrary code on a vulnerable system by tricking users into opening a specially crafted ZIP archive. With a CVSS score of 7.8 and an EPSS score of 0.31236, this vulnerability has been exploited by the hacktivist group "Head Mare" to achieve initial access and deploy malicious payloads.
CVE-2021-20123 and CVE-2021-20124
DrayTek Vigor Connect 1.6.0-B3 contained two path traversal vulnerabilities, CVE-2021-20123 and CVE-2021-20124, which allowed unauthenticated attackers to download arbitrary files with root privileges. Both vulnerabilities were assigned a CVSS score of 7.5 (EPSS scores of 0.49447 for CVE-2021-20123 and 0.49184 for CVE-2021-20124) and have been added to the CISA KEV catalog due to the significant risk they pose.
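The following is an added illustration of the vulnerability class behind these two CVEs, not DrayTek's code and not a reproduction of the Vigor Connect flaws: a file download resolver written the vulnerable way (user input glued onto a base directory), a hardened resolver that decodes, normalizes and rejects anything that leaves the base directory, and a small check that flags traversal attempts in web server logs of the kind the sensor section below describes. The root directory, the `file=` parameter, and the log lines are all constructed assumptions.

```python
"""Path traversal in a file download endpoint: the vulnerable pattern,
a hardened resolver, and a log check for traversal attempts.
Added illustration; not DrayTek's code and not a reproduction of the
Vigor Connect vulnerabilities."""
import posixpath
import urllib.parse
from typing import List, Optional, Tuple

# Assumed directory the download endpoint is meant to serve from.
SERVE_ROOT = "/var/www/downloads"


def vulnerable_resolve(requested: str) -> str:
    """The bug pattern: user input is glued onto the root directory,
    so '../' segments walk out of SERVE_ROOT once the path is normalised."""
    decoded = urllib.parse.unquote(requested)
    return posixpath.normpath(SERVE_ROOT + "/" + decoded)


def safe_resolve(requested: str) -> Optional[str]:
    """Hardened resolver: decode twice (to catch double encoding such as
    %252e%252e%252f), normalise lexically, and reject anything that leaves
    SERVE_ROOT. Returns None for rejected requests."""
    decoded = requested
    for _ in range(2):
        decoded = urllib.parse.unquote(decoded)
    decoded = decoded.replace("\\", "/")        # treat backslash as a separator too
    if "\x00" in decoded or decoded.startswith("/"):
        return None                             # NUL truncation / absolute paths
    normalized = posixpath.normpath(decoded)
    if normalized in (".", "..") or normalized.startswith("../"):
        return None                             # empty request or climbs above the root
    candidate = posixpath.join(SERVE_ROOT, normalized)
    if not candidate.startswith(SERVE_ROOT + "/"):
        return None                             # belt and braces
    # This check is purely lexical; a real service should additionally resolve
    # symlinks (os.path.realpath) and run under an unprivileged account rather
    # than root, which is what made the DrayTek flaws so damaging.
    return candidate


# Constructed sample lines in Common Log Format (not real sensor data).
SAMPLE_LOG = [
    '203.0.113.5 - - [03/Sep/2024:10:00:01 +0000] "GET /download?file=report.pdf HTTP/1.1" 200 512',
    '203.0.113.7 - - [03/Sep/2024:10:00:02 +0000] "GET /download?file=../../../../etc/passwd HTTP/1.1" 200 1024',
    '203.0.113.9 - - [03/Sep/2024:10:00:03 +0000] "GET /download?file=%2e%2e%2f%2e%2e%2fetc%2fshadow HTTP/1.1" 403 0',
    '198.51.100.2 - - [03/Sep/2024:10:00:04 +0000] "GET /download?file=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 2048',
]


def flag_traversal_requests(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client_ip, raw_path) for requests whose decoded request path
    contains a parent-directory segment, after peeling URL encoding twice."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 7:
            continue                            # not a CLF line we understand
        client_ip, raw_path = parts[0], parts[6]
        decoded = raw_path
        for _ in range(2):
            decoded = urllib.parse.unquote(decoded)
        if "../" in decoded.replace("\\", "/"):
            hits.append((client_ip, raw_path))
    return hits


if __name__ == "__main__":
    print(vulnerable_resolve("../../../../etc/passwd"))   # /etc/passwd (escaped the root)
    print(safe_resolve("../../../../etc/passwd"))          # None (rejected)
    print(safe_resolve("docs/../report.pdf"))              # /var/www/downloads/report.pdf
    for ip, path in flag_traversal_requests(SAMPLE_LOG):
        print("traversal attempt from", ip, path)
```

The detection half is deliberately simple: decode twice, fold backslashes, and look for a parent-directory segment. A 200 response on a flagged request, as in two of the constructed lines, is the case worth escalating, since it suggests the traversal was served rather than blocked.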
Exploit Activity and Mass Scanning Observed on Cytellite Sensors
Cytellite sensors experienced significant exploit activity and mass scanning toward router devices, including Wavelink, Tenda, LB-Link, and TP-Link. Microsoft Exchange Server (CVE-2022-41040) and Apache Hadoop RCE (CVE-2022-25168) are still being exploited in the wild. For further details, please refer to our previous reports.
Vulnerabilities abused by Botnet
Mirai botnet's exploitation of LB-Link and TP-Link devices continues this week. Spring Cloud and Huawei router RCE flaws are also frequent favorites of botnet operators.
Vulnerabilities Abused by Malware
CVE-2024-5274
Google has revealed that the state-sponsored APT29 hacking group has been actively exploiting CVE-2024-5274. Renowned for its advanced cyber-espionage tactics, APT29 utilized this vulnerability in July 2024 to target Android users who visited the compromised website ‘mga.gov[.]mn’.
CVE-2024-38106
Microsoft has identified Citrine Sleet, a North Korean state-sponsored threat actor group, as actively exploiting the CVE-2024-38106 privilege escalation vulnerability in the Microsoft Windows kernel. By leveraging this vulnerability, Citrine Sleet has been successfully deploying the FudModule rootkit malware, granting them elevated system privileges and enabling them to conduct a range of malicious activities.
CVE-2023-22527
A critical template injection vulnerability in older versions of Confluence has been exploited by threat actors to conduct cryptojacking attacks. This flaw, which allows attackers to inject malicious code into Confluence pages, has been used to install XMRig miners and other shell scripts on unpatched Confluence instances.
CVE-2024-7971
Microsoft has identified Citrine Sleet, a North Korean state-sponsored threat actor group, actively exploiting a zero-day vulnerability in Google Chrome. By leveraging this flaw, Citrine Sleet has effectively deployed the FudModule rootkit malware, which grants them elevated system privileges and facilitates a range of malicious activities.
CVE-2023-38831
Recent investigations by Kaspersky have uncovered that the hacktivist group "Head Mare" has been exploiting this vulnerability in WinRAR to gain initial access to targeted systems. Active since 2023, Head Mare is known for targeting organizations for financial gain and employs a range of tactics, including phishing campaigns, ransomware attacks, and data exfiltration. The group uses tools such as PhantomDL, a Go-based backdoor, and PhantomCore, a malware framework, to facilitate its attacks and gain initial access.
CVE-2021-26855
Recent investigations by Kaspersky have uncovered a new threat actor group that, like established Advanced Persistent Threat (APT) groups, leverages the remote code execution vulnerability in Microsoft Exchange Server to deploy an ICMP backdoor. This group, codenamed "ToddyCat," has been actively exploiting this vulnerability to gain unauthorized access to targeted systems.
PRE-NVD
The LOVI platform monitors multiple open-source feeds and social media, tracking over 100 alerts to aggregate and distribute details of vulnerabilities that have a high chance of being exploited by threat actors before they are added to the National Vulnerability Database.
External References
- https://www.cisa.gov/news-events/alerts/2024/09/03/cisa-adds-three-known-exploited-vulnerabilities-catalog
- https://securityonline.info/cve-2024-5274-chrome-zero-day-exploited-by-apt29-poc-exploit-published/
- https://www.microsoft.com/en-us/security/blog/2024/08/30/north-korean-threat-actor-citrine-sleet-exploiting-chromium-zero-day/
- https://securelist.com/head-mare-hacktivists/113555/
- https://securelist.com/incident-response-interesting-cases-2023/113611/
- https://unit42.paloaltonetworks.com/mirai-variant-iz1h9/
- https://www.trendmicro.com/en_us/research/24/h/cve-2023-22527-cryptomining.html
- https://cujo.com/blog/the-sysrv-botnet-and-how-it-evolved/