Executive Summary
This week, the CISA Known Exploited Vulnerabilities (KEV) catalog experienced a modest expansion with the addition of four new vulnerabilities affecting Microsoft, Mozilla, Veeam, and SolarWinds products.
Notably, threat actors such as Earth Simnavaz and ScarCruft have been detected exploiting Microsoft zero-day vulnerabilities as part of their cyber espionage campaigns, while Akira and Fog ransomware were observed leveraging a vulnerability in Veeam Backup and Replication.
In other developments, the Mirai botnet intensified its attacks on TP-Link Archer AX21 routers, highlighting its ongoing focus on consumer devices. Additionally, the Sysrv and Enemy botnets were seen actively exploiting vulnerabilities in Spring Cloud Gateway, further broadening their attack vectors. The IoT_Reaper botnet continued to target a long-standing vulnerability in MVPower CCTV DVR models, and Zerobot was found exploiting a three-year-old vulnerability in the Apache HTTP server.
Trending / Critical Vulnerabilities
Current trending vulnerabilities offer insights into the latest emerging and widely discussed threats, helping to make informed decisions.
A use-after-free vulnerability in the Animation timeline component of Mozilla Firefox, which has a high CVSS score of 9.8, enables attackers to execute code within the content process. This prompted the Tor Project to issue an emergency update for Tor Browser version 13.5.7 to resolve the issue. Additionally, this vulnerability has been added to the CISA KEV catalog.
A critical hardcoded credential vulnerability in SolarWinds Web Help Desk (WHD) version 12.8.3 HF1 and earlier allows remote, unauthenticated attackers to infiltrate internal systems and modify sensitive data. With a high-severity CVSS score of 9.1, this flaw has been flagged in the CISA Known Exploited Vulnerabilities (KEV) catalog. SolarWinds swiftly responded by releasing WHD version 12.8.3 Hotfix 2 to mitigate the threat.
Exploit Activity and Mass Scanning Observed on Cytellite Sensors
Telemetry collected from Loginsoft sensors were analyzed and processed to derive insights on what is actively being exploited and actively being scanned. As source of truth, source IPv4 addresses & payloads can be provided on need-to-know basis.
Vulnerabilities abused by Botnet
Identified vulnerabilities exploited by botnets, including recent CVEs logged in Misp. Presenting the top 5 CVEs with payloads suggestive of botnet activities, like utilizing wget with IP addresses.
Vulnerabilities Abused by Malware
We proactively monitor the vulnerabilities which are targeted by adversaries. Each vulnerability is humanly studied and mapped with Mitre ATT&CK tactics and techniques. Source of information is derived from our vulnerability intelligence platform collected and curated information from various sources such as Twitter, Telegram, OSINT groups, Blogs, Data leak Sites and more.
This privilege escalation vulnerability in the Windows Kernel poses a serious risk as it enables threat actors to elevate their privileges to SYSTEM level, thereby gaining extensive control over affected devices. Recent investigations from Trend Micro revealed that the Iranian threat actor Earth Simnavaz, also known as APT34 and OilRig, has been leveraging this vulnerability in a cyber espionage campaign aimed at government organizations in the UAE and the larger Gulf region. This vulnerability has now been included in the CISA KEV catalog.
A deserialization vulnerability in Veeam Backup & Replication affecting versions 12.1.2.172 and earlier, allows unauthenticated remote code execution, carrying a high-severity CVSS score of 9.8. Exploited by threat actors to deploy both Akira and Fog ransomware, this flaw posed a serious risk to systems. Veeam addressed the issue with the release of version 12.2 in September 2024. The vulnerability has since been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog.
This memory corruption vulnerability in the scripting engine can lead to remote code execution when using the Edge browser in Internet Explorer mode. Investigations by AhnLab uncovered that the North Korean threat actor ScarCruft (also known as RedEyes, TA-RedAnt, Group123, APT37, and others) has been actively exploiting this flaw to deliver RokRAT malware to compromised devices. CISA added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog in August 2024.
PRE-NVD observed for this week
It refers to vulnerabilities discovered and potentially exploited before their official inclusion in the National Vulnerability Database. The LOVI Platform aggregates and distributes data from open sources and social media, currently tracking over 100 security alerts and planning to expand.
