Executive Summary
Exploitation of ServiceNow has continued, with CVE-2024-5217 joining CVE-2024-4879 in reports of in-the-wild attacks. Nuclei templates are available for scanning, so anyone can test instances for these critical vulnerabilities.
Speaking of large vendors facing serious vulnerabilities, VMware joins the list: a simple-to-execute flaw in its ESXi hypervisor was found that gives attackers complete control of the host. The simplicity and impact have made this vulnerability a favorite among ransomware groups, and multiple attacks through this bug have already been reported.
In some of the campaigns that used the VMware exploit, malware was seen exploiting last year's Windows CLFS driver privilege escalation bug before compromising the ESXi hosts. Along the same lines, the India-based APT SideWinder has been making news: as part of a series of attacks, it was seen using seven-year-old RCE vulnerabilities in the Microsoft Office suite.
CVE-2023-45249 in cybersecurity provider Acronis, reported last year, was finally disclosed this week, and with it came news of its exploitation by attackers in the wild. No surprises here.
Trending / Critical Vulnerabilities
CVE-2024-5217
One of a series of three vulnerabilities found in ServiceNow, a leading suite of business management solutions, CVE-2024-4879 is a Jelly template injection that abuses a double evaluation bug to execute commands; we discussed it last week. Part of the same chain, CVE-2024-5217 is the second critical ServiceNow vulnerability and has been trending this week. Where the first is a template injection, this one is an input validation flaw in a GlideExpression script, exploited after the template injection to execute code, probe the database details and possibly dump credentials.
As critical as CVE-2024-4879, this vulnerability carries a CVSS score of 9.8, and with heavy in-the-wild exploitation it has been assigned an EPSS score of 0.95999. That score is most likely driven by the large number of public exploits and the newly released Nuclei templates used to find targets.
Like its sister vulnerability, CVE-2024-5217 was added to the latest iteration of CISA's Known Exploited Vulnerabilities catalog[1]. A bad week for unpatched ServiceNow instances!
CVE-2024-37085
The popular bare-metal hypervisor VMware ESXi has an authentication bypass vulnerability. An attacker in an Active Directory environment with sufficient permissions to create groups can gain full administrative access to a domain-joined host by creating an AD group named "ESX Admins", or re-creating it after it has been deleted, because the host trusts any group of that name. The result is complete compromise of the hypervisor.
This is a high-severity vulnerability with a CVSS score of 7.2. Although its EPSS score is a low 0.00306, the exploit has been seen used by threat actors in the wild, associated with multiple ransomware campaigns, which led to the recent inclusion of this CVE in CISA's Known Exploited Vulnerabilities catalog[2].
CVE-2023-45249
A remote code execution vulnerability caused by the use of default passwords was discovered last year in Acronis Cyber Infrastructure (ACI), assigned CVE-2023-45249, and was publicly disclosed this past week. With perfect timing, the bug is reportedly already being exploited in the wild to compromise ACI instances, and because it is exploitable before authentication it is that much easier for attackers to use (and that much more harmful for organizations). Its EPSS score, however, is a low 0.12209 as of now.
Critical in nature, the CVE was given a hefty CVSS score of 9.8, and CISA acknowledged its exploitation by adding it to the KEV catalog[1].
Vulnerabilities Abused by Malware
CVE-2023-28252
A privilege escalation zero-day was discovered last year in the Microsoft Windows Common Log File System driver. A flaw in clfs.sys, a native Windows driver, allows an attacker who already has a foothold to gain higher privileges for further exploitation.
Microsoft reported that this bug has recently been seen in ransomware campaigns: after the initial infection of a system, the malware uses the CLFS privilege escalation bug to elevate its permissions. QakBot is the main malware observed alongside this bug, in intrusions attributed to Storm-0506 that ended in Black Basta deployment[3].
CVE-2024-37085
Continuing our discussion from the first section, CVE-2024-37085 has been exploited by multiple ransomware and malware operators in recent weeks. In the case Microsoft describes, threat actor Storm-0506 used QakBot for initial access and then exploited the VMware ESXi bug (a simple procedure: create the "ESX Admins" group and add a user to it to obtain admin privileges) to gain access to the organization's hypervisors[3].
The same TTPs were seen in attacks by Storm-1175 (aka Medusa), Octo Tempest (aka Scattered Spider) and Manatee Tempest. Multiple ransomware families, including Akira, LockBit, Babuk and Kuiper, have been deployed in attacks that exploited CVE-2024-37085[4].
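The abuse pattern described above (under CVE-2024-37085 in the first section and in the Storm-0506 intrusion here) is easy to spot in domain controller Security logs: the attacker has to create, or re-create after deletion, a group named "ESX Admins" and add a member to it. The following detection is an added example written for this report, not code from the page, Microsoft or Broadcom. It runs over a simplified, hypothetical export of Windows Security events; the field names event_id, time, subject, target_group and member are assumptions standing in for EventID, SubjectUserName, TargetUserName and MemberName, and the sample records are constructed, not captured from a real environment.

```python
"""Detection for the CVE-2024-37085 abuse pattern: an Active Directory group
named "ESX Admins" being created, re-created after deletion, or having members
added to it.

Added example, not code from the page or from Microsoft/Broadcom. Works on a
hypothetical normalised export of Windows Security events (field names are
assumptions; see the lead-in). Sample data below is constructed.
"""
import json

# Security event IDs for group lifecycle (global / domain-local / universal).
GROUP_CREATED = {4727, 4731, 4754}
MEMBER_ADDED = {4728, 4732, 4756}
GROUP_DELETED = {4730, 4734, 4758}

# ESXi's default admin group name; AD group names are case-insensitive.
TARGET_GROUP = "esx admins"

# Constructed sample export (JSON lines). Not real data. The first record is a
# legitimate cleanup; the rest mirror the attack procedure from the report.
SAMPLE_EVENTS = r"""
{"time": "2024-07-25T18:02:11Z", "event_id": 4730, "subject": "CORP\\it-admin", "target_group": "ESX Admins", "member": null}
{"time": "2024-07-26T09:14:02Z", "event_id": 4727, "subject": "CORP\\jdoe", "target_group": "ESX Admins", "member": null}
{"time": "2024-07-26T09:14:40Z", "event_id": 4728, "subject": "CORP\\jdoe", "target_group": "ESX Admins", "member": "CORP\\jdoe"}
{"time": "2024-07-26T10:01:00Z", "event_id": 4727, "subject": "CORP\\it-admin", "target_group": "Backup Staging", "member": null}
{"time": "2024-07-27T02:33:19Z", "event_id": 4732, "subject": "CORP\\svc-helpdesk", "target_group": "esx admins", "member": "CORP\\svc-helpdesk"}
"""


def load_events(text):
    """Parse a JSON-lines export into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_esx_admins(name):
    """Case-insensitive match on the group name ESXi trusts by default."""
    return name is not None and name.strip().casefold() == TARGET_GROUP


def detect_esx_admins_abuse(events):
    """Return findings in time order.

    kind is one of "deleted", "created", "recreated_after_deletion" or
    "member_added". Re-creation is the case the report calls out: deleting the
    group does not stop ESXi from trusting a new group with the same name.
    """
    findings = []
    deleted_before = False
    for ev in sorted(events, key=lambda e: e["time"]):
        if not is_esx_admins(ev.get("target_group")):
            continue
        eid = ev["event_id"]
        base = {"time": ev["time"], "actor": ev["subject"], "group": ev["target_group"]}
        if eid in GROUP_DELETED:
            deleted_before = True
            findings.append({**base, "kind": "deleted", "severity": "info"})
        elif eid in GROUP_CREATED:
            kind = "recreated_after_deletion" if deleted_before else "created"
            findings.append({**base, "kind": kind, "severity": "high"})
        elif eid in MEMBER_ADDED:
            findings.append({**base, "kind": "member_added",
                             "member": ev.get("member"), "severity": "high"})
    return findings


def main():
    for f in detect_esx_admins_abuse(load_events(SAMPLE_EVENTS)):
        extra = f" member={f['member']}" if f.get("member") else ""
        print(f"[{f['severity']}] {f['time']} {f['kind']} group={f['group']!r} by {f['actor']}{extra}")


if __name__ == "__main__":
    main()
```

On the constructed sample this flags the re-creation by CORP\jdoe and the two membership additions as high severity, and leaves the unrelated "Backup Staging" group alone. Keying the rule on the group name rather than on a specific event ID keeps it useful across global, domain-local and universal groups, and it is worth keeping after patching, since an attacker who learns a customised admin group name takes the same path.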
CVE-2017-0199 & CVE-2017-11882
A pair of seven-year-old remote code execution vulnerabilities in the Microsoft Office suite were seen being actively exploited by the India-based APT SideWinder, aka Leafperforator, in attacks targeting ports and related services in several South Asian countries.
The chain starts with a phishing email. The initial document uses CVE-2017-0199 to contact a malware delivery site disguised as the website of Pakistan's Directorate General Ports and Shipping, which serves a malicious RTF file; that file exploits CVE-2017-11882 to deliver the final malware payload[5].
Exploit Activity and Mass Scanning Observed on Cytellite Sensors
Significant exploit activity and mass scanning continue on Cytellite sensors, with the remote code execution vulnerabilities CVE-2024-3273 and CVE-2024-27348 under active exploitation. Older CVEs also show increased exploitation attempts. For further details, please refer to last week's report.
Vulnerabilities Abused by Botnets
Botnets continue to exploit a range of vulnerabilities across different device types. CVE-2023-1389 in TP-Link Archer AX21 routers and CVE-2021-41773 in the Apache HTTP Server are under active exploitation. Older vulnerabilities, such as CVE-2017-17215 in Huawei routers and CVE-2016-20016 in MVPower CCTV DVR models, are also being targeted by botnets such as AGoent, Mirai and Zerobot. For further details, please refer to last week's report.
Pre NVD
The LOVI platform monitors multiple feeds and social media, tracking over 100 alert sources, to aggregate and distribute details of vulnerabilities that have a high chance of being exploited by threat actors before they are added to the National Vulnerability Database. To learn more, get in touch with our security researchers.
External References
- [1] https://www.cisa.gov/news-events/alerts/2024/07/29/cisa-adds-three-known-exploited-vulnerabilities-catalog
- [2] https://www.cisa.gov/news-events/alerts/2024/07/30/cisa-adds-one-known-exploited-vulnerability-catalog
- [3] https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/
- [4] https://www.theregister.com/AMP/2024/07/30/make_me_admin_esxi_flaw/
- [5] https://www.broadcom.com/support/security-center/protection-bulletin/leafperforator-campaign-exploits-pakistan-s-maritime-affairs-documents-to-spread-javascript-malware