VULNERA Pulse

Google — Chromium V8

CVE-2024-7965 / Added: Aug. 28, 2024

HIGH CVSS 8.80 EPSS Score 0.16 EPSS Percentile 53.04

Google Chromium V8 contains an inappropriate implementation vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.

Headlines

• Aug. 31, 2024 - End-of-life IP cams being used to spread new Mirai botnet
• Aug. 28, 2024 - U.S. CISA adds Google Chromium V8 bug to its Known Exploited Vulnerabilities catalog
• Aug. 27, 2024 - Google Warns of CVE-2024-7965 Chrome Security Flaw Under Active Exploitation
• Aug. 27, 2024 - Google Chrome Faces Double Blow with New Zero-Day Flaw Exploits: CVE-2024-7965 and CVE-2024-7971
• Aug. 26, 2024 - Google addressed the tenth actively exploited Chrome zero-day this year
• Aug. 26, 2024 - Google tags a tenth Chrome zero-day as exploited this year
• Aug. 22, 2024 - Urgent Chrome Update: Active Zero-Day Exploit Detected (CVE-2024-7971)

Back to top ↑

Apache — OFBiz

CVE-2024-38856 / Added: Aug. 27, 2024

CRITICAL CVSS 9.80 EPSS Score 93.27 EPSS Percentile 99.14

Apache OFBiz contains an incorrect authorization vulnerability that could allow remote code execution via a Groovy payload in the context of the OFBiz user process by an unauthenticated attacker.

Headlines

• Aug. 31, 2024 - End-of-life IP cams being used to spread new Mirai botnet
• Aug. 29, 2024 - CISA Highlights Apache OFBiz Flaw After PoC Open Access
• Aug. 28, 2024 - U.S. CISA adds Google Chromium V8 bug to its Known Exploited Vulnerabilities catalog
• Aug. 28, 2024 - U.S. CISA adds Apache OFBiz bug to its Known Exploited Vulnerabilities catalog
• Aug. 28, 2024 - CISA Flags Critical Apache OFBiz Flaw Amid Active Exploitation Reports
• Aug. 27, 2024 - CISA Warns of Actively Exploited Apache OFBiz CVE-2024-38856 Vulnerability, PoC Available
• Aug. 11, 2024 - Week in review: Tips for starting your cybersecurity career, Patch Tuesday forecast
• Aug. 8, 2024 - CISA warns about actively exploited Apache OFBiz RCE flaw
• Aug. 8, 2024 - PoC Exploit Released for Apache OFBiz Remote Code Execution Flaw (CVE-2024-38856)
• Aug. 6, 2024 - New Zero-Day Flaw in Apache OFBiz ERP Allows Remote Code Execution
• Aug. 6, 2024 - Pimax VR Security Breach: Hackers Could Exploit CVE-2024-41889 to Take Control
• Aug. 5, 2024 - Critical Apache OfBiz Vulnerability Allows Preauth RCE
• Aug. 5, 2024 - Researchers warn of a new critical Apache OFBiz flaw
• Aug. 5, 2024 - Critical Vulnerability in Apache OFBiz Requires Immediate Patching
• Aug. 5, 2024 - Critical Apache OFBiz pre-auth RCE flaw fixed, update ASAP! (CVE-2024-38856)
• Aug. 5, 2024 - CVE-2024-38856: Critical Apache OFBiz Flaw Opens Door to Unauthorized Code Execution

Back to top ↑

Google — Chromium V8

CVE-2024-7971 / Added: Aug. 26, 2024

HIGH CVSS 8.80 EPSS Score 0.16 EPSS Percentile 53.04

Google Chromium V8 contains a type confusion vulnerability that allows a remote attacker to exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.

Headlines

• Aug. 31, 2024 - North Korea-linked APT Citrine Sleet exploit Chrome zero-day to deliver FudModule rootkit
• Aug. 31, 2024 - North Korean Hackers Deploy FudModule Rootkit via Chrome Zero-Day Exploit
• Aug. 31, 2024 - CVE-2024-7971: North Korean APT Citrine Sleet Exploits Chromium Zero-Day
• Aug. 30, 2024 - North Korean hackers exploit Chrome zero-day to deploy rootkit
• Aug. 28, 2024 - U.S. CISA adds Google Chromium V8 bug to its Known Exploited Vulnerabilities catalog
• Aug. 27, 2024 - Google Chrome Faces Double Blow with New Zero-Day Flaw Exploits: CVE-2024-7965 and CVE-2024-7971
• Aug. 26, 2024 - Google addressed the tenth actively exploited Chrome zero-day this year
• Aug. 26, 2024 - Google tags a tenth Chrome zero-day as exploited this year
• Aug. 26, 2024 - Alleged Karakut ransomware scumbag charged in US
• Aug. 25, 2024 - Week in review: PostgreSQL databases under attack, new Chrome zero-day actively exploited
• Aug. 23, 2024 - Urgent Edge Security Update: Microsoft Patches Zero-day & RCE Vulnerabilities
• Aug. 23, 2024 - Multiple Vulnerabilities in Google Chrome Could Allow for Arbitrary Code Execution
• Aug. 22, 2024 - Google Chrome Update Fixes Flaw Exploited in the Wild
• Aug. 22, 2024 - New Chrome zero-day actively exploited, patch quickly! (CVE-2024-7971)
• Aug. 22, 2024 - Google addressed the ninth actively exploited Chrome zero-day this year
• Aug. 22, 2024 - Google Fixes High-Severity Chrome Flaw Actively Exploited in the Wild
• Aug. 22, 2024 - Urgent Chrome Update: Active Zero-Day Exploit Detected (CVE-2024-7971)
• Aug. 21, 2024 - Google fixes ninth Chrome zero-day exploited in attacks this year
• Aug. 21, 2024 - Google fixes ninth Chrome zero-day exploited in attacks this year

Back to top ↑

CVE-2024-4671

CRITICAL CVSS 9.60 EPSS Score 0.10 EPSS Percentile 41.95

CISA Known Exploited Actively Exploited Remote Code Execution

Published: May 14, 2024

Use after free in Visuals in Google Chrome prior to 124.0.6367.201 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Vendors Impacted: Google, Fedoraproject

Products Impacted: Fedora, Chromium, Chrome

Quotes

• These campaigns delivered n-day exploits for which patches were available, but would still be effective against unpatched devices
• While we are uncertain how suspected APT29 actors acquired these exploits, our research underscores the extent to which exploits first developed by the commercial surveillance industry are proliferated to dangerous threat actors
• When visited with an iPhone or iPad device, the watering hole sites used an iframe to serve a reconnaissance payload, which performed validation checks before ultimately downloading and deploying another payload with the WebKit exploit to exfiltrate browser cookies from the device

Headlines

• Aug. 30, 2024 - Russian Hackers Use Commercial Spyware Exploits to Target Victims
• Aug. 30, 2024 - Russia-linked APT29 reused iOS and Chrome exploits previously developed by NSO Group and Intellexa
• Aug. 30, 2024 - CVE-2024-5274: Chrome Zero-Day Exploited by APT29, PoC Exploit Published
• Aug. 29, 2024 - Russian Hackers Exploit Safari and Chrome Flaws in High-Profile Cyberattack
• Aug. 29, 2024 - Midnight Blizzard delivered iOS, Chrome exploits via compromised government websites
• Aug. 29, 2024 - Russian APT29 hackers use iOS, Chrome exploits created by spyware vendors

CVE-2023-41993

HIGH CVSS 8.80 EPSS Score 0.31 EPSS Percentile 70.43

CISA Known Exploited Actively Exploited Remote Code Execution Public Exploits Available

Published: Sept. 21, 2023

The issue was addressed with improved checks. This issue is fixed in macOS Sonoma 14. Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7.

Vendors Impacted: Fedoraproject, Oracle, Netapp, Debian, Apple

Products Impacted: Iphone Os, Jre, Jdk, Multiple Products, Safari, Oncommand Insight, Macos, Graalvm, Debian Linux, Cloud Insights Acquisition Unit, Fedora, Ipados, Oncommand Workflow Automation, Cloud Insights Storage Workload Security Agent

Quotes

• From a watering hole attack on Mongolian government websites
• These campaigns delivered n-day exploits for which patches were available, but would still be effective against unpatched devices
• In each iteration of the watering hole campaigns, the attackers used exploits that were identical or strikingly similar to exploits previously used by commercial surveillance vendors (CSVs) Intellexa and NSO Group
• While we are uncertain how suspected APT29 actors acquired these exploits, our research underscores the extent to which exploits first developed by the commercial surveillance industry are proliferated to dangerous threat actors
• When visited with an iPhone or iPad device, the watering hole sites used an iframe to serve a reconnaissance payload, which performed validation checks before ultimately downloading and deploying another payload with the WebKit exploit to exfiltrate browser cookies from the device

Headlines

• Aug. 30, 2024 - Commercial Spyware Vendors Have a Copycat in Top Russian APT
• Aug. 30, 2024 - Russian Hackers Use Commercial Spyware Exploits to Target Victims
• Aug. 30, 2024 - Russia-linked APT29 reused iOS and Chrome exploits previously developed by NSO Group and Intellexa
• Aug. 29, 2024 - Commercial spyware inspires state-sponsored attackers
• Aug. 29, 2024 - Russian Hackers Exploit Safari and Chrome Flaws in High-Profile Cyberattack
• Aug. 29, 2024 - Midnight Blizzard delivered iOS, Chrome exploits via compromised government websites
• Aug. 29, 2024 - Russian APT29 hackers use iOS, Chrome exploits created by spyware vendors
• Aug. 29, 2024 - State-backed attackers and commercial surveillance vendors repeatedly use the same exploits

CVE-2024-7971

HIGH CVSS 8.80 EPSS Score 0.16 EPSS Percentile 53.04

CISA Known Exploited Actively Exploited Remote Code Execution Used In Ransomware

Published: Aug. 21, 2024

Type confusion in V8 in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Vendor Impacted: Google

Products Impacted: Chrome, Chromium V8

Quotes

• One of the most effective security measures available
• Google is aware that exploits for CVE-2024-7971 and CVE-2024-7965 exist in the wild
• Some of the chats indicated Sforza's efforts to revive cold cases were successful in extracting ransom payments
• We assess with high confidence that the observed exploitation of CVE-2024-7971 can be attributed to a North Korean threat actor targeting the cryptocurrency sector for financial gain

Headlines

• Aug. 30, 2024 - North Korean hackers exploit Chrome zero-day to deploy rootkit
• Aug. 28, 2024 - U.S. CISA adds Google Chromium V8 bug to its Known Exploited Vulnerabilities catalog
• Aug. 27, 2024 - Google Chrome Faces Double Blow with New Zero-Day Flaw Exploits: CVE-2024-7965 and CVE-2024-7971
• Aug. 26, 2024 - Google addressed the tenth actively exploited Chrome zero-day this year
• Aug. 26, 2024 - Google tags a tenth Chrome zero-day as exploited this year
• Aug. 26, 2024 - Alleged Karakut ransomware scumbag charged in US
• Aug. 25, 2024 - Week in review: PostgreSQL databases under attack, new Chrome zero-day actively exploited

CVE-2024-5274

HIGH CVSS 8.80 EPSS Score 0.35 EPSS Percentile 72.13

CISA Known Exploited Actively Exploited Remote Code Execution Public Exploits Available

Published: May 28, 2024

Type Confusion in V8 in Google Chrome prior to 125.0.6422.112 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Vendors Impacted: Google, Fedoraproject

Products Impacted: Fedora, Chrome, Chromium V8

Quotes

• These campaigns delivered n-day exploits for which patches were available, but would still be effective against unpatched devices
• While we are uncertain how suspected APT29 actors acquired these exploits, our research underscores the extent to which exploits first developed by the commercial surveillance industry are proliferated to dangerous threat actors
• When visited with an iPhone or iPad device, the watering hole sites used an iframe to serve a reconnaissance payload, which performed validation checks before ultimately downloading and deploying another payload with the WebKit exploit to exfiltrate browser cookies from the device

Headlines

• Aug. 30, 2024 - Russian Hackers Use Commercial Spyware Exploits to Target Victims
• Aug. 30, 2024 - Russia-linked APT29 reused iOS and Chrome exploits previously developed by NSO Group and Intellexa
• Aug. 30, 2024 - CVE-2024-5274: Chrome Zero-Day Exploited by APT29, PoC Exploit Published
• Aug. 29, 2024 - Russian Hackers Exploit Safari and Chrome Flaws in High-Profile Cyberattack
• Aug. 29, 2024 - Midnight Blizzard delivered iOS, Chrome exploits via compromised government websites
• Aug. 29, 2024 - Russian APT29 hackers use iOS, Chrome exploits created by spyware vendors
• Aug. 29, 2024 - State-backed attackers and commercial surveillance vendors repeatedly use the same exploits

CVE-2024-7029

HIGH CVSS 8.80 EPSS Score 0.04 EPSS Percentile 9.55

Actively Exploited Remote Code Execution Public Exploits Available

Published: Aug. 2, 2024

Commands can be injected over the network and executed without authentication.

Quotes

• Command injection vulnerability found in the brightness function of AVTECH closed-circuit television (CCTV) cameras that allows for remote code execution (RCE)
• If there is no way to remediate a threat, decommissioning the hardware and software is the recommended way to mitigate security risks and lower the risk of regulatory fines
• Malicious actors who operate these botnets have been using new or under-the-radar vulnerabilities to proliferate malware. CVE-2024-7029 is another example of using the latter, which is becoming an increasingly popular attack trend observed by the SIRT
• This RCE zero-day vulnerability was discovered in the brightness function of AVTECH IP camera devices and allows for a command injection to spread a Mirai variant on a target system. This can be executed remotely with elevated privileges (running process owner

Headlines

• Aug. 29, 2024 - Malware exploits 5-year-old zero-day to infect end-of-life IP cameras
• Aug. 29, 2024 - Unpatched CCTV Cameras Exploited to Spread Mirai Variant
• Aug. 29, 2024 - Corona Mirai botnet spreads via AVTECH CCTV zero-day
• Aug. 29, 2024 - Unpatched AVTECH IP Camera Flaw Exploited by Hackers for Botnet Attacks
• Aug. 29, 2024 - Mirai Botnet Exploits Zero-Day Vulnerability CVE-2024-7029 in AVTECH IP Cameras
• Aug. 28, 2024 - CCTV Zero-Day Exposes Critical Infrastructure to Mirai Botnet Campaign

CVE-2024-7965

HIGH CVSS 8.80 EPSS Score 0.16 EPSS Percentile 53.04

CISA Known Exploited Actively Exploited

Published: Aug. 21, 2024

Inappropriate implementation in V8 in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Vendor Impacted: Google

Products Impacted: Chrome, Chromium V8

Quotes

• Google is aware that exploits for CVE-2024-7971 and CVE-2024-7965 exist in the wild
• Updated on 26 August 2024 to reflect the in the wild exploitation of CVE-2024-7965 which was reported after this release
• Inappropriate implementation in V8 in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page

Headlines

• Aug. 28, 2024 - U.S. CISA adds Google Chromium V8 bug to its Known Exploited Vulnerabilities catalog
• Aug. 27, 2024 - Google Warns of CVE-2024-7965 Chrome Security Flaw Under Active Exploitation
• Aug. 27, 2024 - Google Chrome Faces Double Blow with New Zero-Day Flaw Exploits: CVE-2024-7965 and CVE-2024-7971
• Aug. 26, 2024 - Google addressed the tenth actively exploited Chrome zero-day this year
• Aug. 26, 2024 - Google tags a tenth Chrome zero-day as exploited this year

CVE-2024-7263

HIGH CVSS 7.80 EPSS Score 0.06 EPSS Percentile 23.63

Risk Context N/A

Published: Aug. 15, 2024

Improper path validation in promecefpluginhost.exe in Kingsoft WPS Office version ranging from 12.2.0.13110 to 12.2.0.17115 (exclusive) on Windows allows an attacker to load an arbitrary Windows library. The patch released in version 12.1.0.17119 to mitigate CVE-2024-7262 was not restrictive enough. Another parameter was not properly sanitized which leads to the execution of an arbitrary Windows library.

Vendors Impacted: Kingsoft, Microsoft

Products Impacted: Windows, Wps Office

Quotes

• Allows code execution via hijacking the control flow of the WPS Office plugin component promecefpluginhost.exe
• The exploit is cunning as it is deceptive enough to trick any user into clicking on a legitimate-looking spreadsheet while also being very effective and reliable
• The first thing that they did is to check the signature of the library that will be loaded [by promecefpluginhost.exe] — that it's their own package which is signed by the company
• To exploit this vulnerability, an attacker would need to store a malicious library somewhere accessible by the targeted computer either on the system or on a remote share, and know its file path in advance. The exploit developers targeting this vulnerability knew a couple of tricks that helped them achieve this
• While investigating APT-C-60 activities, we found a strange spreadsheet document referencing one of the group’s many downloader components. The WPS Office software has over 500 million active users worldwide, which makes it a good target to reach a substantial number of individuals, particularly in the East Asia region

Headlines

• Aug. 29, 2024 - South Korean APT Exploits 1-Click WPS Office Bug, Nabs Chinese Intel
• Aug. 28, 2024 - South Korean hackers exploited WPS Office zero-day to deploy malware
• Aug. 28, 2024 - APT-C-60 Group Exploit WPS Office Flaw to Deploy SpyGlace Backdoor
• Aug. 28, 2024 - ESET Uncovers Zero-Day Vulnerabilities in WPS Office, Exploited by APT-C-60
• Aug. 28, 2024 - APT group exploits WPS Office for Windows RCE vulnerability (CVE-2024-7262)
• Aug. 28, 2024 - Analysis of two arbitrary code execution vulnerabilities affecting WPS Office
• Aug. 28, 2024 - South Korean Spies Exploit WPS Office Zero-Day

CVE-2024-7262

HIGH CVSS 7.80 EPSS Score 0.06 EPSS Percentile 23.63

Risk Context N/A

Published: Aug. 15, 2024

Improper path validation in promecefpluginhost.exe in Kingsoft WPS Office version ranging from 12.2.0.13110 to 12.2.0.16412 (exclusive) on Windows allows an attacker to load an arbitrary Windows library. The vulnerability was found weaponized as a single-click exploit in the form of a deceptive spreadsheet document

Vendors Impacted: Kingsoft, Microsoft

Products Impacted: Windows, Wps Office

Quotes

• Allows code execution via hijacking the control flow of the WPS Office plugin component promecefpluginhost.exe
• The exploit is cunning as it is deceptive enough to trick any user into clicking on a legitimate-looking spreadsheet while also being very effective and reliable
• The first thing that they did is to check the signature of the library that will be loaded [by promecefpluginhost.exe] — that it's their own package which is signed by the company
• To exploit this vulnerability, an attacker would need to store a malicious library somewhere accessible by the targeted computer either on the system or on a remote share, and know its file path in advance. The exploit developers targeting this vulnerability knew a couple of tricks that helped them achieve this
• While investigating APT-C-60 activities, we found a strange spreadsheet document referencing one of the group’s many downloader components. The WPS Office software has over 500 million active users worldwide, which makes it a good target to reach a substantial number of individuals, particularly in the East Asia region

Headlines

• Aug. 29, 2024 - South Korean APT Exploits 1-Click WPS Office Bug, Nabs Chinese Intel
• Aug. 28, 2024 - South Korean hackers exploited WPS Office zero-day to deploy malware
• Aug. 28, 2024 - APT-C-60 Group Exploit WPS Office Flaw to Deploy SpyGlace Backdoor
• Aug. 28, 2024 - ESET Uncovers Zero-Day Vulnerabilities in WPS Office, Exploited by APT-C-60
• Aug. 28, 2024 - APT group exploits WPS Office for Windows RCE vulnerability (CVE-2024-7262)
• Aug. 28, 2024 - Analysis of two arbitrary code execution vulnerabilities affecting WPS Office
• Aug. 28, 2024 - South Korean Spies Exploit WPS Office Zero-Day

CVE-2024-39717

HIGH CVSS 7.20 EPSS Score 0.26 EPSS Percentile 66.35

CISA Known Exploited Actively Exploited Remote Code Execution

Published: Aug. 22, 2024

The Versa Director GUI provides an option to customize the look and feel of the user interface. This option is only available for a user logged with Provider-Data-Center-Admin or Provider-Data-Center-System-Admin. (Tenant level users do not have this privilege). The “Change Favicon” (Favorite Icon) option can be mis-used to upload a malicious file ending with .png extension to masquerade as image file. This is possible only after a user with Provider-Data-Center-Admin or Provider-Data-Center-System-Admin has successfully authenticated and logged in.

Vendors Impacted: Versa-Networks, Versa

Products Impacted: Versa Director, Director

Quotes

• Likely ongoing against unpatched Versa Director systems
• This vulnerability has been exploited in at least one known instance by an Advanced Persistent Threat actor
• Once the attackers gain initial access, they escalate privileges to gain highest-level administrator credentials
• This vulnerability allowed potentially malicious files to be uploaded by users with Provider-Data-Center-Admin or Provider-Data-Center-System-Admin privileges
• Failed to implement system hardening and firewall guidelines…leaving a management port exposed on the internet that provided the threat actors with initial access
• Versa Networks is aware of one confirmed customer reported instance where this vulnerability was exploited because the Firewall guidelines which were published in 2015 & 2017 were not implemented by that customer
• The Versa Director GUI contains an unrestricted upload of file with dangerous type vulnerability that allows administrators with Provider-Data-Center-Admin or Provider-Data-Center-System-Admin privileges to customize the user interface
• Based on known and observed tactics and techniques, [Lumen’s] Black Lotus Labs attributes the zero-day exploitation of CVE-2024-39717 and operational use of the VersaMem web shell with moderate confidence to the Chinese state-sponsored threat actors known as Volt Typhoon and Bronze Silhouette
• We identified compromised SOHO devices with TCP sessions over port 4566 which were immediately followed by large HTTPS connections over port 443 for several hours. Given that port 4566 is generally reserved for Versa Director node pairing and the pairing nodes typically communicate with this port for extended periods of time, there should not be any legitimate communications to that port from SOHO devices over short timeframes. We assess the short timeframe of TCP traffic to port 4566 immediately followed by moderate-to-large sessions of HTTPS traffic over port 443 from a non-Versa node IP address (e.g. SOHO device) as a likely signature of successful exploitation

Headlines

• Aug. 27, 2024 - China-linked APT Volt Typhoon exploited a zero-day in Versa Director
• Aug. 27, 2024 - China's Volt Typhoon suspected of exploiting Versa bug
• Aug. 27, 2024 - Versa Director zero-day exploited to compromise ISPs, MSPs (CVE-2024-39717)
• Aug. 27, 2024 - Chinese Hackers Deploy VersaMem Web Shell via Versa Director Zero-Day (CVE-2024-39717)
• Aug. 27, 2024 - New 0-Day Attacks Linked to China’s ‘Volt Typhoon’ –
• Aug. 27, 2024 - Chinese Volt Typhoon hackers exploited Versa zero-day to breach ISPs, MSPs
• Aug. 27, 2024 - China's Volt Typhoon Exploits 0-day in Versa's SD-WAN Director Servers
• Aug. 27, 2024 - Chinese Volt Typhoon Exploits Versa Director Flaw, Targets U.S. and Global IT Sectors
• Aug. 27, 2024 - Versa Networks Releases Advisory for a Vulnerability in Versa Director, CVE-2024-39717 | CISA
• Aug. 26, 2024 - Versa fixes Director zero-day vulnerability exploited in attacks
• Aug. 25, 2024 - U.S. CISA adds Versa Director bug to its Known Exploited Vulnerabilities catalog
• Aug. 24, 2024 - CISA Urges Federal Agencies to Patch Versa Director Vulnerability by September

CVE-2024-37085

HIGH CVSS 7.20 EPSS Score 1.41 EPSS Percentile 86.75

CISA Known Exploited Actively Exploited Remote Code Execution Used In Ransomware Public Exploits Available

Published: June 25, 2024

VMware ESXi contains an authentication bypass vulnerability. A malicious actor with sufficient Active Directory (AD) permissions can gain full access to an ESXi host that was previously configured to use AD for user management https://blogs.vmware.com/vsphere/2012/09/joining-vsphere-hosts-to-active-directory.html by re-creating the configured AD group ('ESXi Admins' by default) after it was deleted from AD.

Vendor Impacted: Vmware

Products Impacted: Cloud Foundation, Esxi

Quotes

• By exploiting CVE-2024-37085, BlackByte is demonstrating an ability to quickly integrate new vulnerabilities into their toolkit, moving away from purely relying on older, well-known techniques
• Microsoft researchers have uncovered a vulnerability in ESXi hypervisors being exploited by several ransomware operators to obtain full administrative permissions on domain-joined ESXi hypervisors
• BlackByte’s progression in programming languages from C# to Go and subsequently to C/C++ in the latest version of its encryptor — BlackByteNT — represents a deliberate effort to increase the malware's resilience against detection and analysis
• The BlackByte ransomware group continues to leverage tactics, techniques, and procedures (TTPs) that have formed the foundation of its tradecraft since its inception, continuously iterating its use of vulnerable drivers to bypass security protections and deploying a self-propagating, wormable ransomware encryptor

Headlines

• Aug. 29, 2024 - BlackByte Adopts New Tactics, Targets ESXi Hypervisors
• Aug. 29, 2024 - BlackByte Ransomware Group Exploits VMware CVE-2024-37085 Flaw, Shifts Tactics
• Aug. 28, 2024 - BlackByte Targets ESXi Bug With Ransomware to Access Virtual Assets
• Aug. 28, 2024 - BlackByte Ransomware group targets recently patched VMware ESXi flaw CVE-2024-37085
• Aug. 28, 2024 - BlackByte Ransomware Exploits VMware ESXi Flaw in Latest Attack Wave
• Aug. 28, 2024 - BlackByte blends tried-and-true tradecraft with newly disclosed vulnerabilities to support ongoing attacks