Executive Summary
This week, three zero-day vulnerabilities were actively exploited in the wild. Among them, two critical vulnerabilities in Google Chrome, CVE-2024-7965 and CVE-2024-7971, highlight ongoing browser security challenges, marking the tenth such flaw addressed by Google in 2024. The third vulnerability, CVE-2024-38856, is a critical remote code execution flaw in Apache OFBiz. All three have been added to the CISA Known Exploited Vulnerabilities (KEV) list.
The notorious Mirai botnet continues its aggressive campaign, now targeting LB-Link BL devices, TP-Link Archer AX21 routers, and Avtech security cameras. Other botnets, including Sysrv and EnemyBot, have been observed exploiting vulnerabilities in Spring Cloud Gateway and Huawei HG532 devices. Additionally, a new IoT botnet, IoT_Reaper, has emerged, targeting an eight-year-old vulnerability in MVPower CCTV DVR models.
This week, threat actors have been particularly active. Volt Typhoon exploited an unrestricted file upload vulnerability in the Versa Director GUI, while APT-C-60, a South Korean threat group, exploited a critical flaw in Kingsoft WPS Office. The VMware ESXi vulnerability has resurfaced, with BlackByte ransomware using it for malicious purposes. Additionally, a new cryptojacking technique involving XMRig has been discovered, targeting Atlassian Confluence servers.
Trending / Critical Vulnerabilities
CVE-2024-7965
Disclosed in Chrome a few days ago, CVE-2024-7965 is an out-of-bounds read bug that lets attackers cause heap corruption because of an improper implementation in the V8 JavaScript engine. It can be triggered through a crafted HTML page.
The bug has a CVSS score of 8.8 and an EPSS score of 0.00061. It was reported to Google through the bug bounty program, and Google has since confirmed that an exploit for CVE-2024-7965 exists and that it is being exploited in the wild. This led CISA to add the CVE to its Known Exploited Vulnerabilities catalog[1].
CVE-2024-38856
Yet another critical vulnerability has been disclosed in Apache OFBiz, this time an incorrect authorization flaw that can result in remote code execution. The bug exposes sensitive endpoints to unauthenticated users, so attackers do not need to authenticate to exploit it; crafted requests to these endpoints can result in code execution.
Due to its severity, the bug was assigned a CVSS score of 9.8, while its EPSS score is a relatively low 0.01877. Exploitation in the wild has been reported, and CISA has added the CVE to its KEV catalog[2].
CVE-2024-7971
Another vulnerability affecting Google Chrome, this time a type confusion bug that allows heap corruption. This CVE also affects the V8 JavaScript engine and, like CVE-2024-7965, can be exploited through a crafted HTML page.
One of several V8-related bugs fixed by Google recently, CVE-2024-7971 has a CVSS score of 8.6 and an EPSS score of 0.00159. This bug was also added to CISA's KEV catalog[3].
CVE-2024-39717
Versa Director, a virtualization and service creation platform for SASE services, suffers from a critical flaw that is being heavily exploited by APTs in the wild. An option to change the GUI's icon files can be abused to upload malicious files masquerading as PNG images, leading to the upload of web shells and potential compromise. There are already reports of US-based managed service providers being compromised through this flaw.
The bug has a CVSS score of 7.2 and an EPSS score of 0.0026. Because it is being exploited in the wild, CISA added the CVE to its KEV catalog[4].
Vulnerabilities Abused by Malware
CVE-2024-7029
A botnet campaign attributed to a Mirai variant has been seen using a previously exploited flaw in AVTECH IP cameras. Assigned CVE-2024-7029, the flaw allows unauthenticated attackers to inject commands and achieve code execution.
The new campaign uses malware containing references to the COVID-19 virus, leading researchers to dub it "Corona Mirai"[8]. Although the CVE was only assigned in August 2024, a public exploit has been available since 2019, and evidence of Corona Mirai activity dates back to as early as December 2023.
CVE-2024-7262
A heavily exploited path traversal vulnerability in Kingsoft's WPS Office is being used by APT-C-60, a cybercriminal group based in South Korea[5]. Mainly targeting East Asian countries, APT-C-60 weaponizes a malicious spreadsheet document as a downloader for further malicious payloads.
Even though a patch is available in the latest version of WPS Office, unpatched instances among its 200 million user base remain susceptible to attack.
CVE-2024-39717
The unrestricted file upload (dangerous file type) vulnerability in Versa Director is being exploited in the wild, and most of the exploit activity is attributed to an APT known as Volt Typhoon[6].
A Chinese state-sponsored threat actor, Volt Typhoon exploited the upload flaw to install a web shell dubbed "VersaMem" by the researchers. Upgrading to the latest version of Versa Director is recommended, as patched releases are available.
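The Versa Director flaw described above (CVE-2024-39717, in both the trending section and here) is an unrestricted file upload: an icon-change feature accepted files that merely claimed to be PNG images. The following is an added example, not Versa's code and not taken from any of the referenced reports; it shows the generic defensive check an upload handler should apply to an "icon" before storing it: verify the PNG signature, walk every chunk and check its CRC, require IHDR first and IEND last, allow only the chunk types a plain icon needs, and reject any bytes after IEND. The `build_png` helper and the rejection cases are constructed sample data for this example; the size and dimension limits are assumptions.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Chunk types a plain icon needs. Everything else (tEXt, iTXt, zTXt, private
# chunks, ...) is rejected so no free-form payload can ride inside the image.
ALLOWED_CHUNKS = {b"IHDR", b"PLTE", b"tRNS", b"IDAT", b"IEND"}
MAX_ICON_BYTES = 512 * 1024   # assumed limit for a GUI icon
MAX_DIMENSION = 1024          # assumed limit for a GUI icon


class UploadRejected(ValueError):
    """Raised when the uploaded bytes are not an acceptable PNG icon."""


def validate_png_icon(data: bytes) -> dict:
    """Strictly validate that `data` is a well-formed PNG with nothing extra.

    Returns a summary (width, height, chunk count) on success; raises
    UploadRejected otherwise. A valid PNG followed by a trailing payload, or a
    PNG carrying text/private chunks, is rejected even though image viewers
    would happily render it.
    """
    if len(data) > MAX_ICON_BYTES:
        raise UploadRejected("file exceeds icon size limit")
    if not data.startswith(PNG_SIGNATURE):
        raise UploadRejected("missing PNG signature")

    pos = len(PNG_SIGNATURE)
    chunks = []
    width = height = None
    while True:
        if pos + 8 > len(data):
            raise UploadRejected("truncated chunk header")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body_start = pos + 8
        body_end = body_start + length
        if body_end + 4 > len(data):
            raise UploadRejected(f"truncated chunk {ctype!r}")
        body = data[body_start:body_end]
        (crc,) = struct.unpack(">I", data[body_end:body_end + 4])
        # CRC covers the chunk type and body; a tampered chunk fails here.
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            raise UploadRejected(f"bad CRC in chunk {ctype!r}")
        if not chunks and ctype != b"IHDR":
            raise UploadRejected("first chunk is not IHDR")
        if ctype not in ALLOWED_CHUNKS:
            raise UploadRejected(f"disallowed chunk type {ctype!r}")
        if ctype == b"IHDR":
            if length != 13 or chunks:
                raise UploadRejected("malformed or duplicate IHDR")
            width, height = struct.unpack(">II", body[:8])
            if not (0 < width <= MAX_DIMENSION and 0 < height <= MAX_DIMENSION):
                raise UploadRejected("unreasonable image dimensions")
        chunks.append(ctype)
        pos = body_end + 4
        if ctype == b"IEND":
            break

    # Anything after IEND is not part of the image: classic polyglot hiding spot.
    if pos != len(data):
        raise UploadRejected(f"{len(data) - pos} trailing bytes after IEND")
    return {"width": width, "height": height, "chunks": len(chunks)}


def is_acceptable_icon(data: bytes) -> bool:
    """Boolean wrapper for use in an upload handler."""
    try:
        validate_png_icon(data)
        return True
    except UploadRejected:
        return False


def _chunk(ctype: bytes, body: bytes) -> bytes:
    return (struct.pack(">I", len(body)) + ctype + body
            + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF))


def build_png(width: int, height: int, extra=(), trailer: bytes = b"") -> bytes:
    """Build a minimal 8-bit RGB PNG (constructed sample data for this example).

    `extra` inserts additional (type, body) chunks after IHDR; `trailer` appends
    raw bytes after IEND. Both are used below to model polyglot uploads.
    """
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = b"".join(b"\x00" + b"\x00\x00\x00" * width for _ in range(height))
    png = PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
    for ctype, body in extra:
        png += _chunk(ctype, body)
    png += _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")
    return png + trailer


if __name__ == "__main__":
    samples = {
        "genuine icon": build_png(16, 16),
        "valid PNG + trailing payload": build_png(16, 16, trailer=b"NOT-AN-IMAGE"),
        "PNG with tEXt chunk": build_png(16, 16, extra=[(b"tEXt", b"Comment\x00hidden")]),
        "signature only": PNG_SIGNATURE + b"\x00" * 20,
    }
    for name, data in samples.items():
        print(f"{name:32} accepted={is_acceptable_icon(data)}")
```

Structural validation of this kind is a necessary first gate, not the whole fix: store uploads outside the web root under a server-chosen name and extension, and where possible decode and re-encode the image so that only pixel data survives.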
CVE-2024-37085
BlackByte has joined the growing list of ransomware operators targeting vulnerable VMware ESXi instances through CVE-2024-37085[9]. The simple but critical flaw, which can allow attackers to completely compromise unpatched ESXi instances, was seen being exploited by BlackByte, which then remotely accessed other systems from the victim instance.
Reportedly, this methodology is atypical of BlackByte and does not align with their usual TTPs. The ransomware is also stronger, dropping one more vulnerable driver file than before and self-propagating through the AD environment using valid credentials.
CVE-2023-22527
A template injection bug discovered in older versions of Confluence is being used by threat actors to perform cryptojacking. The flaw allows remote code execution, and threat actors have been seen using it to install XMRig miners and other shell scripts on unpatched instances[7].
Discovered last year, the bug has a CVSS score of 10.0, indicating its extreme criticality.
For further details, please refer to our reports.
Exploit Activity and Mass Scanning Observed on Cytellite Sensors
Cytellite sensors observed significant exploit activity and mass scanning directed at multiple router devices, including Wavelink, Tenda, LB-Link, and TP-Link. The Microsoft Exchange Server SSRF (CVE-2022-41040) and Apache Hadoop RCE (CVE-2022-25168) are still being exploited in the wild, and the recently disclosed PHP-CGI injection (CVE-2024-4577) is being heavily targeted. For further details, please refer to our previous reports.
Vulnerabilities abused by Botnet
The Mirai botnet's exploitation of LB-LINK BL devices through common injection flaws continued this week, as did botnet attacks against the RCE in the Realtek SDK, involving botnets such as Bashlite, Gitpaste-12, and Mirai, among others. The Spring Cloud and Huawei router RCEs also remain frequent favorites of botnet operators. For further details, please refer to our previous reports.
Pre NVD
The LOVI platform monitors multiple feeds and social media, tracking over 100 alerts, to aggregate and distribute details of vulnerabilities that have a high chance of being exploited by threat actors before they are added to the National Vulnerability Database. To learn more, get in touch with our security researchers.
External References
- [1] CISA adds Google Chromium V8 Inappropriate Implementation Vulnerability to catalog
- [2] CISA adds Apache OFBiz Incorrect Authorization Vulnerability to catalog
- [3] CISA adds Google Chromium V8 Type Confusion Vulnerability to catalog
- [4] CISA adds Versa Director Dangerous File Type Upload Vulnerability to catalog
- [5] Analysis of two arbitrary code execution vulnerabilities affecting WPS Office
- [6] Taking the Crossroads: The Versa Director Zero-Day Exploitation
- [7] Cryptojacking via CVE-2023-22527: Dissecting a Full-Scale Cryptomining Ecosystem
- [8] Beware the Unpatchable: Corona Mirai Botnet Spreads via Zero-Day
- [9] BlackByte blends tried-and-true tradecraft with newly disclosed vulnerabilities to support ongoing attacks