Surge in Cyber Threats: UNC5820 and Lazarus Group Exploited Critical Vulnerabilities

October 25, 2024
Executive Summary
Trending / Critical Vulnerabilities
Exploit Activity and Mass Scanning Observed on Cytellite Sensors
Vulnerabilities abused by Botnet
Vulnerabilities Abused by Malware
PRE-NVD observed for this week
External References
Subscribe to our Reports

Executive Summary

This week, the CISA Known Exploited Vulnerabilities (KEV) catalog saw an expansion with the addition of five newly identified vulnerabilities impacting products from Cisco, Roundcube WebMail, ScienceLogic SL1 platform, Microsoft, and Fortinet.

The UNC5820 threat group is exploiting a cross-site scripting vulnerability in Fortinet's FortiManager, drawing attention to significant security risks. Simultaneously, Google has alerted users about vulnerabilities in Samsung mobile processors that are actively being exploited. Furthermore, the notorious Lazarus Group from North Korea has been attributed in exploiting a recently patched zero-day vulnerability in Google software. 

Additionally, there has been a marked increase in the activity of the Mirai botnet, which has intensified its attacks on TP-Link Archer AX21 routers, highlighting its ongoing targeting of consumer devices. The Sysrv and Enemy botnets have also been exploiting vulnerabilities in Spring Cloud Gateway, broadening their attack vectors. Meanwhile, the IoT_Reaper botnet continues to target a persistent vulnerability in MVPower CCTV DVR models, and Zerobot has been found exploiting a three-year-old vulnerability in the Apache HTTP server.

Trending / Critical Vulnerabilities

Current trending vulnerabilities offer insights into the latest emerging and widely discussed threats, helping to make informed decisions. 

CVE-2024-20481 

A vulnerability in the Remote Access VPN (RAVPN) service of Cisco ASA and Firepower Threat Defense (FTD) Software could let unauthenticated attackers launch a denial-of-service (DoS) attack. Added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, this zero-day flaw was exploited in a brute force password spraying attack in April before Cisco released a patch. 

CVE-2024-37383

A stored cross-site scripting (XSS) vulnerability in Roundcube Webmail, tracked as CVE-2024-37383, was exploited in a phishing campaign targeting government organizations in June 2024. Threat actors used seemingly empty emails containing hidden JavaScript payloads to steal credentials from Roundcube users. This vulnerability has also been added to the CISA Known Exploited Vulnerabilities (KEV) catalog recently.

CVE-2024-9537

A critical remote code execution (RCE) vulnerability with a CVSS score of 9.8 has been identified in the ScienceLogic SL1 platform, potentially allowing unauthorized access to its internal performance reporting systems. Rackspace confirmed to Bleeping Computer that this flaw was actively exploited as a zero-day by unknown threat actors. In response to the heightened risk, this vulnerability has also been added to the CISA Known Exploited Vulnerabilities (KEV) catalog.

CVE-2024-38094 

A new vulnerability, CVE-2024-38094, with a CVSS score of 7.2, has been identified in Microsoft SharePoint Server and was recently added to the CISA Known Exploited Vulnerabilities (KEV) catalog. According to Microsoft, an authenticated attacker with Site Owner permissions can exploit this deserialization vulnerability to inject and execute arbitrary code within the SharePoint environment.

CVE-2024-44068

Google's Threat Analysis Group (TAG) has flagged a critical zero-day vulnerability, CVE-2024-44068, affecting Samsung's mobile processors—specifically Exynos 9820, 9825, 980, 990, 850, and W920. The flaw, which has a CVSS score of 8.1, is being exploited in the wild as part of an attack chain enabling arbitrary code execution. Samsung addressed the issue with security patches released in their October 2024 updates.

Exploit Activity and Mass Scanning Observed on Cytellite Sensors

Telemetry collected from Loginsoft sensors were analyzed and processed to derive insights on what is actively being exploited and actively being scanned. As source of truth, source IPv4 addresses & payloads can be provided on need-to-know basis.

Vulnerabilities Product Severity Title Exploited – in the-wild CISA KEV
CVE-2024-4577 PHP-CGI on Windows High Critical argument injection vulnerability in PHP on Windows servers True True
CVE-2023-26801 LB-LINK Critical Command injection vulnerability in LB-LINK devices. True False
CVE-2023-38646 Metabase open source and Metabase Enterprise Critical Remote code execution vulnerability in Metabase open source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1 True True
CVE-2023-1389 TP-Link Archer AX-21 High Command Injection Vulnerability in TP-Link Archer AX-21. True True
CVE-2022-41040 Microsoft Exchange Server High Server-Side Request Forgery Vulnerability in Microsoft Exchange Server True True
CVE-2022-30489 Wavlink Devices Medium Cross-site scripting vulnerability in Wavlink Devices False False
CVE-2022-25168 Apache Hadoop Critical Command injection vulnerability in org.apache.hadoop.fs.FileUtil.unTarUsingTar in Apache Hadoop False False
CVE-2022-22947 Spring Cloud Gateway Critical Remote code execution vulnerability in Spring Cloud Gateway prior to 3.1.1+ and 3.0.7+ True True
CVE-2022-30023 Tenda Devices High Command injection vulnerability via the Ping function in Tenda Products False False
CVE-2022-34045 Wavlink Devices Critical Hardcoded encryption/decryption key vulnerability in Wavlink False False

Vulnerabilities abused by Botnet

Identified vulnerabilities exploited by botnets, including recent CVEs logged in Misp. Presenting the top 5 CVEs with payloads suggestive of botnet activities, like utilizing wget with IP addresses.

Vulnerability Product Title Exploit Abused by Botnet
CVE-2023-26801 LB-LINK BL Devices Command injection vulnerability in LB-LINK BL-AC1900_2.0 1.0.1, BL-WR9000 2.4.9, BL-X26 1.2.5, and BL-LTE300 1.0.8 True Mirai
CVE-2021-41773 Apache HTTP Server Path traversal vulnerability in Apache HTTP Server True Zerobot
CVE-2016-20016 MVPower CCTV DVR models Remote code execution vulnerability in MVPower CCTV DVR models True IoT-Repear

Vulnerabilities Abused by Malware

We proactively monitor the vulnerabilities which are targeted by adversaries. Each vulnerability is humanly studied and mapped with Mitre ATT&CK tactics and techniques. Source of information is derived from our vulnerability intelligence platform collected and curated information from various sources such as Twitter, Telegram, OSINT groups, Blogs, Data leak Sites and more.   

CVE-2024-47575

A critical missing authentication vulnerability has been discovered in the Fortinet FortiManager fgfmd daemon, which enables remote unauthenticated attackers to execute arbitrary code or commands via specially crafted requests. Investigations by Mandiant revealed the existence of a new threat cluster, designated UNC5820, that has been actively exploiting this vulnerability since June 27, 2024. Additionally, this flaw has recently been included in CISA's Known Exploited Vulnerabilities (KEV) catalog. 

CVE-2024-4947

A Type Confusion vulnerability in the V8 JavaScript engine has been discovered, potentially enabling remote code execution attacks. Kaspersky has identified the Lazarus Group, a North Korean cyber threat actor, as responsible for exploiting this zero-day vulnerability. The vulnerability, which has now been patched, allowed attackers to gain unauthorized access and control over compromised systems.

Vulnerability Severity Title Patch Targeted By Malware OSS
CVE-2024-47575 Critical Critical missing authentication vulnerability in Fortinet FortiManager True UNC5820 False
CVE-2024-4947 High Type confusion vulnerability in the V8 JavaScript engine True Lazarus Group True

PRE-NVD observed for this week

It refers to vulnerabilities discovered and potentially exploited before their official inclusion in the National Vulnerability Database. The LOVI Platform aggregates and distributes data from open sources and social media, currently tracking over 100 security alerts and planning to expand.

CVE-ID Type of Vulnerability Product Reference
CVE-2024-7952 Sensitive Information Disclosure DataEdgePlatform DataMosaix Private Cloud 7.07 and earlier Resource
CVE-2024-9252 Use-After-Free Foxit PDF Reader Resource
CVE-2024-0119 Out of Bounds Read NVIDIA D3D10 Driver Resource
CVE-2024-0120 Out of Bounds Read NVIDIA D3D10 Driver Resource
CVE-2024-0121 Out of Bounds Read NVIDIA D3D10 Driver Resource

External References

Get notified

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Latest Reports

Latest Reports