This Week's Cyber Threats: Active CVE Exploits and SteelFox’s Use of Old Flaws

November 8, 2024
Executive Summary
Trending / Critical Vulnerabilities
Exploit Activity and Mass Scanning Observed on Cytellite Sensors
Vulnerabilities abused by Botnet
Vulnerabilities Abused by Malware
PRE-NVD observed for this week
External References
Subscribe to our Reports

Executive Summary

The first week of November brought significant cybersecurity concerns as six actively exploited vulnerabilities were added to CISA’s KEV catalog. Two zero-day exploits were uncovered in PTZOptics PT30X-SDI/NDI cameras, while Google responded to a high-risk Android Framework vulnerability in its November update. New additions include a vulnerability in CyberPanel, affecting web hosting environments, and a critical vulnerability in Palo Alto Networks' Expedition tool, potentially exposing networks to unauthorized access. Notably, an old vulnerability in Nostromo has resurfaced, underscoring the importance of monitoring for emerging threats in both new and legacy software.    

Kaspersky warns of widespread attacks by the SteelFox trojan, which is targeting Windows systems with fake cracks for popular software, exploiting devices to mine cryptocurrency and steal sensitive data.

The IoT_Reaper botnet continues to exploit vulnerabilities in MVPower CCTV DVRs, maintaining its presence in the threat landscape. Meanwhile, the Zerobot botnet has turned its attention to an older vulnerability in the Apache HTTP server, dating back three years. Other well-known botnets, including Enemybot, LiquorBot, and the notorious Mirai, are also targeting a nine-year-old flaw in D-Link DIR 645 routers, demonstrating how aging vulnerabilities remain prime targets for attackers.

Trending / Critical Vulnerabilities

Current trending vulnerabilities offer insights into the latest emerging and widely discussed threats, helping to make informed decisions.  

CVE-2024-8956 and CVE-2024-8957

Two critical zero-day vulnerabilities in PTZOptics PT30X-SDI/NDI cameras have been actively exploited by threat actors, granting them the ability to take full control of the affected devices, alter video streams and access sensitive data. These vulnerabilities impact devices running VHD PTZ camera firmware versions below 6.3.40, commonly found in cameras from PTZOptics, Multicam Systems SAS, and SMTAV Corporation, which use Hisilicon Hi3516A V600 SoC V60, V61, and V63.  Recognizing the severity, CISA has added these vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog.  

CVE-2024-43093

Google has patched a critical zero-day vulnerability in the Android Framework component as part of its November security update. This elevation-of-privilege vulnerability affects the Documents UI within Google Play system updates and Android Framework components. Google's advisory noted "indications that this vulnerability may be under limited, targeted exploitation," suggesting it is actively being used in specific, targeted attacks. Additionally, this vulnerability has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog, underscoring the need for immediate action.

CVE-2024-51567

A critical remote code execution vulnerability has been identified in CyberPanel, specifically within the upgrademysqlstatus function in databases/views.py. This flaw, found in versions 2.3.6 and 2.3.7, allows unauthenticated attackers to bypass security middleware and exploit shell metacharacters in the statusfile property, leading to potential remote command execution.   Due to its severity and widespread impact, this vulnerability has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog.  

CVE-2024-5910

A critical missing authentication vulnerability in Palo Alto Networks’ Expedition tool, a vital asset for migrating firewall configurations to PAN-OS, poses a serious risk to organizations. Recently added to the CISA KEV catalog, this flaw highlights the elevated potential for exploitation, making it a priority for security teams. The issue is resolved in Expedition version 1.2.92 and all subsequent updates.

CVE-2019-16278

A critical directory traversal vulnerability in Nostromo nhttpd (version 1.9.6 and earlier) allows attackers to bypass security restrictions and execute malicious commands through crafted HTTP requests. With a CVSS score of 9.8, this vulnerability can lead to remote code execution and remains a significant security threat, despite being an older issue. Its addition to the CISA KEV catalog signals the urgency for organizations to address this flaw and secure affected systems.

Exploit Activity and Mass Scanning Observed on Cytellite Sensors

Telemetry collected from Loginsoft sensors were analyzed and processed to derive insights on what is actively being exploited and actively being scanned.  As source of truth, source IPv4 addresses & payloads can be provided on need-to-know basis.

Vulnerability Product Severity Title Exploited – in the Wild CISA KEV
CVE-2024-8963 Ivanti Cloud Services Appliance Critical Path Traversal vulnerability in Ivanti Cloud Services Appliance True True
CVE-2023-38646 Metabase open source and Metabase Enterprise Critical Remote code execution vulnerability in Metabase open source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1 True True
CVE-2023-1389 TP-Link Archer AX-21 High Command Injection Vulnerability in TP-Link Archer AX-21 True True
CVE-2022-41040 Microsoft Exchange Server High Server-Side Request Forgery Vulnerability in Microsoft Exchange Server True True
CVE-2022-30489 Wavlink Devices Medium Cross-site scripting vulnerability in Wavlink Devices False False
CVE-2022-25168 Apache Hadoop Critical Command injection vulnerability in org.apache.hadoop.fs.FileUtil.unTarUsingTar in Apache Hadoop False False
CVE-2022-22947 Spring Cloud Gateway Critical Remote code execution vulnerability in Spring Cloud Gateway prior to 3.1.1+ and 3.0.7+ True True
CVE-2022-30023 Tenda Devices High Command injection vulnerability via the Ping function in Tenda Products False False
CVE-2022-34045 Wavlink Devices Critical Hardcoded encryption/decryption key vulnerability in Wavlink False False
CVE-2022-24847 GeoServer High Improper input validation vulnerability in GeoServer leads to arbitrary code execution False False

Vulnerabilities abused by Botnet

Identified vulnerabilities exploited by botnets, including recent CVEs logged in Misp. Presenting the top 5 CVEs with payloads suggestive of botnet activities, like utilizing wget with IP addresses.

Vulnerability Product Title Exploit Abused by Botnet
CVE-2021-41773 Apache HTTP Server Path traversal vulnerability in Apache HTTP Server True Zerobot
CVE-2016-20016 MVPower CCTV DVR models Remote code execution vulnerability in MVPower CCTVDVR models True IoT-Repear
CVE-2015-2051 D-Link DIR-645 Arbitrary command execution vulnerability in D-Link DIR-645 Wired/Wireless Router False Hakai
Yowai
Mirai
LiquorBot
BotenaGo
Enemybot

Vulnerabilities Abused by Malware

We proactively monitor the vulnerabilities which are targeted by adversaries. Each vulnerability is humanly studied and mapped with Mitre ATT&CK tactics and techniques. Source of information is derived from our vulnerability intelligence platform collected and curated information from various sources such as Twitter, Telegram, OSINT groups, Blogs, Data leak Sites and more.    

CVE-2021-41285

The Ballistix MOD Utility contains a critical local privilege escalation vulnerability in its MODAPI.sys driver (version 2.0.2.5 and earlier), which allows low-privileged users to gain unauthorized access to physical memory via the MmMapIoSpace function. Kaspersky reports that the SteelFox Trojan has actively exploited this vulnerability, using it to steal confidential information and conduct illicit cryptocurrency mining. Additionally, XMRig miner incorporates the vulnerable WinRing0.sys driver, leveraging it to facilitate unauthorized mining activities on compromised devices.

CVE-2020-14979

Security researchers have identified a critical vulnerability in the WinRing0_1_2_0 driver, integrated within EVGA’s Precision X1 software, which permits attackers with low privileges to escalate to SYSTEM-level access, executing commands without restriction. Kaspersky reports that this weakness has been targeted by the SteelFox Trojan, using the driver to gather sensitive information and conduct illicit cryptocurrency mining. Additionally, the same driver is embedded in the XMRig miner, making it a prime target for exploitation in mining operations.

Vulnerability Severity Title Patch Targeted By Malware OSS
CVE-2021-41285 High A local privilege escalation vulnerability in the Ballistix MOD Utility False SteelFox Trojan
XMRig miner
False
CVE-2020-14979 High A local privilege escalation vulnerability in the WinRing0_1_2_0 driver service of EVGA’s Precision X1 performance software True None False

PRE-NVD observed for this week

It refers to vulnerabilities discovered and potentially exploited before their official inclusion in the National Vulnerability Database. The LOVI Platform aggregates and distributes data from open sources and social media, currently tracking over 100 security alerts and planning to expand.

CVE-ID Type of Vulnerability Product Reference
CVE-2024-43093 Privilege Escalation Google Android 12, 13, 14 and 15 Resource
CVE-2024-7025 Integer Overflow Google Chrome Resource
CVE-2024-31329 Privilege Escalation Google Android 13 Resource
CVE-2024-9716 Use-After-Free Trimble SketchUp Viewer Resource
CVE-2024-6992 Out of Bounds Read Microsoft Edge Resource

External References

  1. https://www.cisa.gov/news-events/alerts/2024/11/04/cisa-adds-two-known-exploited-vulnerabilities-catalog  
  2. https://www.cisa.gov/news-events/alerts/2024/11/07/cisa-adds-four-known-exploited-vulnerabilities-catalog  
  3. https://www.bleepingcomputer.com/news/security/hackers-target-critical-zero-day-vulnerability-in-ptz-cameras/
  4. https://www.labs.greynoise.io/grimoire/2024-10-31-sift-0-day-rce/  
  5. https://www.bleepingcomputer.com/news/security/google-fixes-two-android-zero-days-used-in-targeted-attacks/
  6. https://www.greynoise.io/blog/greynoise-intelligence-discovers-zero-day-vulnerabilities-in-live-streaming-cameras-with-the-help-of-ai  
  7. https://thehackernews.com/2024/11/google-warns-of-actively-exploited-cve.html
  8. https://securelist.com/steelfox-trojan-drops-stealer-and-miner/114414/  
  9. https://security.paloaltonetworks.com/CVE-2024-5910  

Get notified

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Latest Reports

Latest Reports