The US Cybersecurity and Infrastructure Security Agency (CISA) on Monday added two security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild.
The list of vulnerabilities is given below –
- CVE-2024-20767 (CVSS Score: 7.4) – Adobe ColdFusion contains an improper access control vulnerability that could allow an attacker to access or modify restricted files via an admin panel exposed to the Internet (patched by Adobe in March 2024)
- CVE-2024-35250 (CVSS Score: 7.8) – The Microsoft Windows kernel-mode driver contains an untrusted pointer dereference vulnerability that could allow a local attacker to elevate privileges (fixed by Microsoft in June 2024)
The Taiwanese cybersecurity firm DEVCORE, which discovered and reported CVE-2024-35250, shared additional technical details in August 2024, stating that the flaw is rooted in the Microsoft Kernel Streaming Service (MSKSSRV).
There are currently no details on how the flaws are being used in actual attacks, although proof-of-concept (PoC) exploits for both of them exist in the public domain.
In light of the active exploitation, Federal Civilian Executive Branch (FCEB) agencies are advised to apply the necessary fixes by January 6, 2025, to protect their networks.
FBI Warns of HiatusRAT Targeting Web Cams and DVRs
The development comes after the Federal Bureau of Investigation (FBI) warned that HiatusRAT campaigns have expanded beyond network devices such as routers to scan Internet of Things (IoT) devices from Hikvision, D-Link and Dahua located in the US, Australia, Canada, New Zealand and the UK.
“The actors scanned web cameras and video recorders for vulnerabilities including CVE-2017-7921, CVE-2018-9995, CVE-2020-25078, CVE-2021-33044, CVE-2021-36260 and weak passwords provided by vendors,” the FBI said. “Many of these vulnerabilities have not yet been patched by vendors.”
The malicious activity, observed in March 2024, involved the use of the open-source utilities Ingram and Medusa to scan for vulnerabilities and brute-force authentication, respectively.
DrayTek Routers Exploited by Ransomware Operators
The warnings also come after Forescout Vedere Labs, in collaboration with PRODAFT, disclosed last week that threat actors exploited security flaws in DrayTek routers to target more than 20,000 DrayTek Vigor devices in a coordinated ransomware campaign between August and September 2023.
“The operation exploited a suspected zero-day vulnerability, allowing attackers to infiltrate networks, steal credentials, and deploy ransomware,” the company said, adding that the campaign “involved three different threat actors – Monstrous Mantis (Ragnar Locker), Ruthless Mantis (PTI-288) and LARVA-15 (Wazawaka) – who followed a structured and efficient workflow.”
Monstrous Mantis is believed to have identified and exploited the vulnerability and systematically harvested credentials, which were then passed on to trusted partners such as Ruthless Mantis and LARVA-15.
The stolen credentials allowed these partners to carry out post-exploitation actions, including lateral movement and privilege escalation, which ultimately led to the deployment of various ransomware families such as RagnarLocker, Nokoyawa, RansomHouse, and Qilin.
“Monstrous Mantis never shared the exploit, retaining sole control over the initial access phase,” the company said. “This calculated structure allowed them to profit indirectly, as ransomware operators who successfully monetized their intrusions were required to share a percentage of their revenue.”
Ruthless Mantis is estimated to have successfully compromised at least 337 organizations, mostly located in the UK and the Netherlands, while LARVA-15 acted as an Initial Access Broker (IAB), selling the access obtained from Monstrous Mantis to other threat actors.
The attacks are suspected to have relied on a zero-day exploit for DrayTek devices, as suggested by the discovery of 22 new vulnerabilities that share root causes similar to CVE-2020-8515 and CVE-2024-41592.
“The reappearance of such vulnerabilities in the same codebase indicates a lack of thorough root cause analysis, remediation and systematic review of the code by the vendor after each vulnerability disclosure,” Forescout noted.