/
/
Weekly Threat & Vulnerabilities Report

Weekly Threat & Vulnerabilities Report

July 26, 2024
Executive Summary

A week full of security happenings, with unauthenticated endpoint access to Twilio Authy API leading to phone number disclosure to an exfiltration of data from ServiceNow instances by chaining three vulnerabilities, making remote code execution (RCE) possible. Apache HugeGraph’s instances and end-of-life D-Link NAS devices, also faced attempts of remote code execution flow, from attackers in the wild.

Old CVEs seem to be still being a major nuisance, as multiple CVEs from last year are still being exploited actively in the wild and with CISA adding an Internet Explorer RCE from 2012 to their KEV.

Reaper, Zerobot and Sysrv botnets, among others were seen exploiting IOT devices, routers and some Apache HTTP server in order to compromise them. Not forgetting malware campaigns, evidence of Russian-based ACR Stealer, Hatvibe and Cherryspy were seen exploiting fresh MS Windows Smartscreen and Repetto FS vulnerabilities. And lastly, vulnerabilities in Nvidia, Github, Telegram and other big names that we might see being exploited in the coming days.

Trending /Critical Vulnerabilities

CVE-2024-39891

Twilio, a popular communications API provider, faced a fairly interesting bug that allowed attackers to verify if a phone number was registered on Authy multi factor-authentication or not. An unauthenticated API endpoint, a frequent sight in recent times, in the Twilio Authy API that was being accessed by Authy Android before 25.1.0 and Authy iOS before 26.1.0, allowed the threat actor ShinyHunters to retrieve a list of a whopping 33 million phone numbers associated with the users of Authy app. With a CVSS score of 5.3 and exploit prediction score (EPSS) of 0.11792, this vulnerability was added to CISA’s Known Exploited Vulnerabilities catalog[1] , in the recent update.

CVE-2024-4879

Part of a chain of three vulnerabilities in ServiceNow, a popular suite of business management solutions, CVE-2024-4879[2] is a Jelly template injection vulnerability, exploiting a double evaluation bug in order to execute commands. Combined with CVE-2024-5178 and CVE-2024-5217, it is possible to go for a full compromise and extract a lot of sensitive data: usernames, hashed passwords, and the whole shebang. Due to its severity, a high CVSS score of 9.3 was given to this bug and ServiceNow has made patches and fixes available as of now. Although the EPSS is a low 0.00896. With a recent flood of publicly available exploits, threats actors are leveraging them to actively exploit this in the wild[3].

CVE-2012-4792

A blast from the past, the remote code execution flaw with a CVSS score of 9.3 in Microsoft Internet Explorer (6 through 8) was recently added to the CISA’s Known Exploited Vulnerabilities catalog[4]. A user-after-free class vulnerability, allowed attackers to craft malicious websites that could possibly execute arbitrary code by attempting to access a deleted or improperly allocated object. With an EPSS score of 0.92145, known to be currently being actively exploited as part of malware/ransomware campaigns, it’s recommended to upgrade to the latest versions of Microsoft IE.

Exploit Activity and Mass Scanning Observed on Cytellite Sensors

CVE-2024-3273

Affecting end-of-life range of D-Link NAS devices, a remote code execution vulnerability was found that is being exploited in the wild by attackers, in an attempt to gain control over 90,000 devices, as of April this year. A simple exploit by nature, RCE is possible through command injection in the parameters of a HTTP GET request towards the vulnerable path “/cgi-bin/nas_sharing.cgi”. Since the affected products are end of life, vendors will not be patching them and it is recommended to decommission the devices if still in use[5].

CVE-2024-27348

Apache’s graph database offering, HugeGraph, is under active exploitation by threat actors due to a remote code execution flaw[6]. Abusing the insufficient restrictions on executing system commands through the Gremlin endpoint (aptly named “/gremlin”) by manipulating the Java code, attackers were able to execute system commands. HugeGraph from version 1.0.0 to 1.2.1 is suffering from this issue and as exploits are available publicly since June, there has been an increase in exploitation attempts.Data received from Cytellite sensors, below is a list of older CVEs that we are seeing being exploited and scanned in the wild actively. For related IOCs, source IPs and further details, please reach out to us.

Vulnerabilities Product Severity Description Exploited in the Wild CISA KEV
CVE-2023-38646 Metabase open source/Enterprise Critical Remote code execution vulnerability in Metabase open source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1. True False
CVE-2023-33010 Zyxel ATP series firmware Critical Buffer overflow vulnerability in the ID processing function in Zyxel ATP series firmware versions leads to denial of service or remote code execution on affected device True True
CVE-2023-26801 LB-LINK Critical Command injection vulnerability in LB-LINK devices. True False
CVE-2023-1389 TP-Link Archer AX-21 High Command Injection Vulnerability in TP-Link Archer AX-21. True True
CVE-2022-41040 Microsoft Exchange Server High Server-Side Request Forgery Vulnerability in Microsoft Exchange Server True True
CVE-2022-34045 Wavlink Devices Critical Hardcoded encryption/decryption key vulnerability in Wavlink False False
CVE-2022-30489 Wavlink Devices Medium Cross-site scripting vulnerability in Wavlink Devices False False
CVE-2022-30023 Tenda Devices High Command injection vulnerability via the Ping function in Tenda Products False False

Vulnerabilities abused by Botnet

CVE-2023-1389

Popular router brand TP Link’s Archer AX21 (AX1800) routers have firmware versions before 1.1.4 Build 20230219 which are flawed with a command injection vulnerability. A simple POST request can be used to exploit the bug, where a specific request parameter is not properly sanitized before being passed to code functionality that performs system command execution. With public exploits available, botnets are relentlessly exploiting these devices to create zombie devices that could possibly be used to carry out DDoS attacks. Namely, AGoent, Gafgyt, Moobot, Miori, Mirai and Condi are the main campaigns behind the exploitation of CVE-2023-1389[7][8][9].

CVE-2021-41773

Zerobot,  a Go-based botnet, was seen exploiting CVE-2021-41773. A path traversal bug in Apache HTTP server, in the scenario of loose directory restrictions,  can allow attackers to read arbitrary files like /etc/passwd. In case the mod-cgi module is also loaded, attackers can access cgi files and can possibly execute remote code. Zerobot was also seen exploiting the sister-vulnerability CVE-2021-42013, another path traversal bug in Apache HTTP server[10].

CVE-2017-17215

A 6 year old vulnerability in Huawei HG532 routers has persisted as botnet operators are actively exploiting it. Few customized firmware versions allow an authenticated attacker to send packets to port 37215, which upon successful exploitation can allow remote code execution. Botnet based on Sysrv malware, a worm and cryptominer targeting Linux environments, have been seen using this exploit to gain access to unpatched Huawei routers[11].

CVE-2016-20016

Another old vulnerability that is re-emerging in recent times. A webshell, conveniently located at “/shell” endpoint, is accessible in MVPower CCTV DVR models, including TV-7104HE 1.8.4 115215B9 and TV7108HE. This can allow unauthenticated actors to execute system commands. IoT_Reaper, also known as Iotroop, is known to exploit this CVE. Also known simply as Reaper, this botnet seems to share some of its code with the infamous Mirai botnet[12].

Vulnerabilities Abused by Malware

CVE-2024-21412

A Microsoft Windows SmartScreen bypass, this security bug has allowed threat actors running malware campaigns to successfully run fake and malicious Microsoft installers as they are able to circumvent the security warning screen shown by SmartScreen. Possible due to a flaw in error handling of specially crafted installers, this bug is being exploited by multiple malwares, mainly ACR Strealer, a Russian infostealer, which interestingly uses Steam community profiles to hide the C2 server addresses[13].

CVE-2024-23692

Recently, a template injection vulnerability was uncovered in Rejetto, a popular and lightweight HTTP file server. Leading to possible unauthenticated remote code execution, a simple injection in the HTTP GET request parameters can allow attackers to run system commands. With public exploits available, Russian-based HATVIBE and CHERRYSPY malware, which are exploiting CVE-2024-23692 as part of the initial access step[14].

Pre NVD

The LOVI platform monitors multiple open sources feed and social media, tracking over 100 alerts to aggregate and distribute details related to vulnerabilities that have a high chances of being exploited by threat actors before these vulnerabilities are added to the National Vulnerability Database,

CVE-ID Type of Vulnerability Product Reference
CVE-2024-6558 Cross-site scripting HMS Industrial Networks Anybus-CompactCom 30 Resource
CVE-2024-2046 Arbitrary local file read Telegram 10.8.2 Resource
CVE-2024-2878 Denial of Service GitLab Community Edition and Enterprise Edition Resource
CVE-2024-0107 Out-of-Bounds Read NVIDIA GPU Compiler Driver Resource
CVE-2023-49667 Buffer Over-Read cp_dump driver Resource
CVE-2023-49668 Out-of-Bounds Read cp_dump driver Resource

External References

  1. https://www.cisa.gov/news-events/alerts/2024/07/23/cisa-adds-two-known-exploited-vulnerabilities-catalog
  2. https://www.assetnote.io/resources/research/chaining-three-bugs-to-access-all-your-servicenow-data
  3. https://www.bleepingcomputer.com/news/security/critical-servicenow-rce-flaws-actively-exploited-to-steal-credentials/
  4. https://www.cisa.gov/news-events/alerts/2024/07/23/cisa-adds-two-known-exploited-vulnerabilities-catalog
  5. https://arstechnica.com/security/2024/04/hackers-actively-exploit-critical-remote-takeover-vulnerabilities-in-d-link-devices/
  6. https://cybersecuritynews.com/apache-hugegraph-server-rce-vulnerability/
  7. https://heimdalsecurity.com/blog/tp-link-archer-command-injection-vulnerability/
  8. https://www.fortinet.com/blog/threat-research/botnets-continue-exploiting-cve-2023-1389-for-wide-scale-spread
  9. https://www.greynoise.io/blog/active-exploitation-attempts-cve-2023-1389-against-tp-link-archer-gigabit-internet-routers
  10. https://cujo.com/blog/the-zerobot-botnet-vulnerabilities-targeted-and-exploits-used-in-detail/
  11. https://cujo.com/blog/the-sysrv-botnet-and-how-it-evolved/
  12. https://blog.netlab.360.com/iot_reaper-a-rappid-spreading-new-iot-botnet-en/
  13. https://www.fortinet.com/blog/threat-research/exploiting-cve-2024-21412-stealer-campaign-unleashed
  14. https://cert.gov.ua/article/6280129

Subscribe to our Reports

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Latest Reports

Weekly Reports