Severe CVEs, Severe Outcomes

August 30, 2024
Executive Summary
Trending / Critical Vulnerabilities
Vulnerabilities Abused by Malware
Exploit Activity and Mass Scanning Observed on Cytellite Sensors
Vulnerabilities abused by Botnet
Pre NVD
External References
Subscribe to our Reports

Executive Summary

This week, three zero-day vulnerabilities were actively exploited in the wild. Among them, two critical vulnerabilities in Google Chrome, CVE-2024-7965 and CVE-2024-7971, highlight ongoing browser security challenges, marking the tenth such flaw addressed by Google in 2024. The third vulnerability, CVE-2024-38856, is a critical remote code execution flaw in Apache OFBiz. All three have been added to the CISA Known Exploited Vulnerabilities (KEV) list.

The notorious Mirai botnet continues its aggressive campaign, now targeting LB-Link BL devices, TP-Link Archer AX21 routers, and Avtech Security cameras. Other botnets, including Sysrv and Enemy bot, have been observed exploiting vulnerabilities in Spring Cloud Gateway and Huawei HG532 devices. Additionally, a new IoT botnet, IoT_Reaper, has emerged, targeting an eight-year-old vulnerability in MVPower CCTV DVR models.

This week, threat actors have been particularly active. Volt Typhoon exploited an unrestricted file upload vulnerability in Versa Director GUI, while APT-C-60, a South Korean threat group, exploited a critical flaw in Kingsoft WPS Office. The VMware ESXi vulnerability has resurfaced, with BlackByte ransomware utilizing it for malicious purposes. Additionally, a new crypto jacking technique involving XMRig has been discovered, targeting Atlassian Confluence servers.

Trending / Critical Vulnerabilities

CVE-2024-7965

A security flaw discovered in Chrome a few days ago, CVE-2024-7965 is an out-of-bounds read bug allowing attackers to perform heap corruption due to improper implementation in the V8 javascript engine. The exploit can be triggered through a crafted HTML page.

With a CVSS score of 8.8 and an EPSS score of 0.00061, the bug was reported to Google through their bug bounty program but Google has reported that it has seen exploitation in the wild of CVE-2024-7965 and an exploit also exists. This has led CISA to add the CVE to their Known Exploited Vulnerability catalog[1].

CVE-2024-38856

Yet another critical vulnerability was disclosed in Apache OFBiz, this time an incorrect authorization flaw that can result in remote code execution. Attackers do not need to be authenticated to exploit this bug, which exposes sensitive endpoints to unauthenticated users. Sending crafted requests towards these endpoints can result in code execution.

Due to its severity, a CVSS score of 9.8 was assigned while a relatively low EPSS score of 0.01877 was given. There have been reports of exploitation in the wild and CISA has also added the CVE to their KEV catalog[2].

CVE-2024-7971

Another vulnerability affecting Google Chrome, this time a type confusion bug allowing to perform heap corruption. This CVE also affects the V8 javascript engine and similar to CVE-2024-7965, can be exploited through a crafted HTML page.

Part of multiple V8-related bugs fixed by Google recently, CVE-2024-7971 has a CVS score of 8.6 and an EPSS score of 0.00159. This bug was also added to CISA’s KEV catalog[3].

CVE-2024-39717

Versa Director, a virtualization and service creation platform for SASE services, suffered from a critical flaw that is being heavily exploited by APTs in the wild. An option to change icon files for the GUI can be exploited to upload malicious files masqueraded as PNG images, leading to the uploading of web shells and potential compromise. Already there are reports of US-based managed service providers being compromised through this flaw.

With a CVSS score of 7.2 and an EPSS score of 0.0026, the bug is being exploited in the wild, and consequently, CISA added the CVE to their KEV catalog[4].

Vulnerabilities Abused by Malware

CVE-2024-7029 

A botnet campaign attributed to a Mirai variant has been seen using the previously exploited flaw in AVTECH IP Cameras. Assigned CVE-2024-7029, the flaw allows unauthenticated attackers to inject commands and perform code execution. 

The new campaign uses malware that contains references to the COVID-19 virus, leading the researchers to dub it “Corona Mirai”[8]. Although the CVE was assigned in August 2024, a public exploit has been available since 2019 and evidence of Corona Mirai has been present since as early as December 2023.

CVE-2024-7262

Heavily exploited path traversal vulnerability in the WPS Office by Kingsoft is being exploited by APT-C-60, a cybercriminal group based in South Korea[5]. Mainly targeting East Asian countries, APT-C-60 is using a weaponized payload in the form of a malicious spreadsheet document as a downloader for further malicious deliverables. 

Even though the patch is available in the form of the latest version of the WPS office, unpatched instances among the 200 million user base are still susceptible to attacks.

CVE-2024-39717

The unrestricted upload of file with dangerous type vulnerability in Versa Director is being exploited in the wild and most of the exploit activity is being attributed to an APT known as Volt Typhoon[6].

A Chinese state-sponsored threat attacker, Volt Typhoon exploited the upload flaw to install a webshell, dubbed “VersaMem” by the researchers. It is recommended that you upgrade to the latest versions of Versa Director, as patched updates are available.

CVE-2024-37085 

Black Byte has joined the growing list of ransomware operators targeting vulnerable VMWare ESXi instances through CVE-2024-37085[9]. A simple but critical flaw that could allow attackers to completely compromise unpatched ESXi instances was seen being exploited by Black Byte and then remotely accessing other systems from the victim instance. 

Reportedly, this methodology is atypical of Black Byte and doesn’t align with their usual TTPs. The ransomware is also stronger, dropping one extra vulnerable driver file than before and self-propagating through the AD environment using valid credentials.

CVE-2023-22527

A template injection bug discovered in older versions of Confluence is being used by threat actors to perform cryptojacking. Allowing potential remote code execution, XMRig miners and other shell scripts are seen being installed by threat actors through this flaw in unpatched instances[7]

Discovered last year, the bug has a CVSS score of 10.0, indicating its extreme criticality.

For further details, please refer to our reports.

Vulnerability Severity Title Patch Targeted By Malware OSS
CVE-2024-7029 High Command Injection vulnerability in AVTECH SECURITY Corporation IP camera AVM1203 firmware through FullImg-1023-1007-1011-1009 False Mirai False
CVE-2024-7262 Critical Path Traversal vulnerability in promecefpluginhost.exe in Kingsoft WPS Office version True APT-C-60 True
CVE-2024-39717 High Unrestricted Upload of File with Dangerous Type vulnerability in Versa Director GUI 21.2.3, 22.1.2 and 22.1.3 leads to privilege escalation True VersaMem, Volt Typhoon False
CVE-2024-37085 High Authentication Bypass vulnerability in VMware ESXi True Black Byte False
CVE-2023-22527 Critical Template injection vulnerability in Out-of-Date Versions of Confluence Data Center and Server leads to remote code execution True XMRig False

Exploit Activity and Mass Scanning Observed on Cytellite Sensors

Cytellite sensors experienced significant exploit activity and mass scanning toward multiple router devices, including Wavelink, Tenda, LB-Link, and TP-Link. Microsoft Exchange Server ( SSRF (CVE-2022-41040) and Apache Hadoop RCE (CVE-2022-25168) are still being exploited in the wild. Recently disclosed PHP-CGI injection (CVE-2024-4577) is being heavily targeted. For further details, please refer to our previous reports.

Vulnerabilities Product Severity Title Exploited – in the-wild CISA KEV
CVE-2024-4577 PHP-CGI on Windows High Critical argument injection vulnerability in PHP on Windows servers True True
CVE-2023-38646 Metabase open source/Enterprise Critical Remote code execution vulnerability in Metabase open source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1. True False
CVE-2023-26801 LB-LINK Critical Command injection vulnerability in LB-LINK devices. True False
CVE-2023-1389 TP-Link Archer AX-21 High Command Injection Vulnerability in TP-Link Archer AX-21. True True
CVE-2022-34045 Wavlink Devices Critical Hardcoded encryption/decryption key vulnerability in Wavlink False False
CVE-2022-30489 Wavlink Devices Medium cross-site scripting vulnerability in Wavlink Devices False False
CVE-2022-30023 Tenda Devices High Command injection vulnerability via the Ping function in Tenda Products False False
CVE-2022-25168 Apache Hadoop Critical Command injection vulnerability in org.apache.hadoop.fs.FileUtil.unTarUsingTar in Apache Hadoop False False
CVE-2022-24847 GeoServer High Improper input validation vulnerability in GeoServer leads to arbitrary code execution False False
CVE-2022-41040 Microsoft Exchange Server High Server-Side Request Forgery Vulnerability in Microsoft Exchange Server True True
CVE-2022-22947 Spring Cloud Gateway Critical Remote code execution vulnerability in Spring Cloud Gateway prior to 3.1.1+ and 3.0.7+ True True

Vulnerabilities abused by Botnet

Mirai botnet’s exploitation of LB-LINK BL Devices through common injection flaws continues this week. So do the botnet attacks towards the RCE in Realtek SDK, which includes botnets like Bashlite, Gitpaste-12, and Mirai among others. Spring Cloud and Huawei router RCE are also a frequent favorite of botnet operators. For further details, please refer to our previous reports.

Pre NVD

The LOVI platform monitors multiple feeds and social media, tracking over 100 alerts to aggregate and distribute details related to vulnerabilities that have a high chance of being exploited by threat actors before these vulnerabilities are added to the National Vulnerability Database. To learn more, get in touch with our security researchers.

CVE-ID Type of vulnerability Product Reference
CVE-2024-6993 Inappropriate implementation Chromium Resource
CVE-2024-6992 Out of bounds Chromium Resource
CVE-2024-5579 Remote Code Execution Allegra Resource
CVE-2024-5581 Directory Traversal Allegra Resource
CVE-2024-7508 Heap-based Buffer Overflow Trimble SketchUp Viewer Resource

External References

  1. CISA adds Google Chromium V8 Inappropriate Implementation Vulnerability to catalog 
  2. CISA adds Apache OFBiz Incorrect Authorization Vulnerability to catalog 
  3. CISA adds Google Chromium V8 Type Confusion Vulnerability to catalog 
  4. CISA adds Versa Director Dangerous File Type Upload Vulnerability to catalog
  5. Analysis of two arbitrary code execution vulnerabilities affecting WPS Office
  6. Taking the Crossroads: The Versa Director Zero-Day Exploitation
  7. Cryptojacking via CVE-2023-22527: Dissecting a Full-Scale Cryptomining Ecosystem 
  8. Beware the Unpatchable: Corona Mirai Botnet Spreads via Zero-Day
  9. BlackByte blends tried-and-true tradecraft with newly disclosed vulnerabilities to support ongoing attacks

Get notified

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Latest Reports

Latest Reports