CISA and FBI Warn of Exploited Flaws and HiatusRAT Threats
CISA Adds New Vulnerabilities to Known Exploited Vulnerabilities Catalog: Key Details Unveiled
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently added two significant security flaws to its Known Exploited Vulnerabilities (KEV) catalog, highlighting the urgency of these issues due to active exploitation in the wild. The newly identified vulnerabilities, CVE-2024-20767 and CVE-2024-35250, pose serious risks to users of Adobe ColdFusion and Microsoft Windows Kernel-Mode Driver, respectively. Understanding these vulnerabilities is crucial for organizations aiming to safeguard their networks against potential attacks.
Overview of Newly Identified Vulnerabilities
CISA’s addition of these vulnerabilities underscores the importance of timely updates and patches for software security. Here are the key details:
- CVE-2024-20767 (CVSS score: 7.4): This vulnerability in Adobe ColdFusion involves improper access control, allowing attackers to access or modify restricted files through an internet-exposed admin panel. Adobe released a patch for this issue in March 2024.
- CVE-2024-35250 (CVSS score: 7.8): This flaw in the Microsoft Windows Kernel-Mode Driver enables local attackers to escalate privileges by exploiting an untrusted pointer dereference. Microsoft issued a patch for this vulnerability in June 2024.
The Taiwanese cybersecurity firm DEVCORE discovered these vulnerabilities and provided additional technical insights in August 2024, linking the issues to the Microsoft Kernel Streaming Service (MSKSSRV). Although proof-of-concept (PoC) exploits exist, specific details on how these vulnerabilities are being weaponized in real-world scenarios remain scarce.
Recommendations for Federal Agencies
In response to these active threats, CISA recommends that Federal Civilian Executive Branch (FCEB) agencies implement necessary remediation by January 6, 2025. This proactive approach is vital for securing sensitive networks against potential exploitation.
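An added example, not from the article or from CISA: a small Python triage script that cross-references vulnerability-scan findings against a feed in the shape of CISA's KEV JSON (the field names cveID, vendorProject, product and dueDate are those of the real feed; the entries, hosts and findings below are constructed for this example) and reports how many days remain until the remediation due date.

```python
import json
from datetime import date

# Constructed sample in the shape of the CISA KEV JSON feed. Only the two
# CVEs named in the article are included; the due date is the one CISA set
# for FCEB agencies (January 6, 2025). Other fields of the real feed are omitted.
KEV_FEED_JSON = """
{
  "vulnerabilities": [
    {"cveID": "CVE-2024-20767", "vendorProject": "Adobe",
     "product": "ColdFusion", "dueDate": "2025-01-06"},
    {"cveID": "CVE-2024-35250", "vendorProject": "Microsoft",
     "product": "Windows", "dueDate": "2025-01-06"}
  ]
}
"""

# Constructed scan findings: (hostname, CVE). Hostnames are hypothetical.
FINDINGS = [
    ("web-cf-01", "CVE-2024-20767"),
    ("ws-finance-17", "CVE-2024-35250"),
    ("cam-lobby-02", "CVE-2017-7921"),  # not in the sample feed above
]


def triage(kev_json, findings, today):
    """Return the findings that appear in the KEV feed, most urgent first.

    Each result carries the CISA due date, the days left until it
    (negative once it has passed) and an 'overdue' flag.
    """
    catalog = {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}
    results = []
    for host, cve in findings:
        entry = catalog.get(cve)
        if entry is None:
            continue  # not in the catalog: not a KEV-driven deadline
        due = date.fromisoformat(entry["dueDate"])
        results.append({
            "host": host,
            "cve": cve,
            "product": f'{entry["vendorProject"]} {entry["product"]}',
            "due": entry["dueDate"],
            "days_left": (due - today).days,
            "overdue": today > due,
        })
    results.sort(key=lambda r: r["days_left"])
    return results


if __name__ == "__main__":
    for r in triage(KEV_FEED_JSON, FINDINGS, date.today()):
        print(f'{r["host"]:15} {r["cve"]:15} {r["product"]:20} '
              f'due {r["due"]} ({r["days_left"]:+d} days)')
```

Point the feed loader at the live KEV JSON and the findings list at your scanner export to use it for real; the constructed data above only demonstrates the matching and deadline arithmetic.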
FBI Alerts on HiatusRAT Targeting IoT Devices
In a related security advisory, the Federal Bureau of Investigation (FBI) has warned about the expansion of HiatusRAT campaigns. These campaigns are now targeting not only network edge devices like routers but also Internet of Things (IoT) devices from manufacturers such as Hikvision, D-Link, and Dahua across the U.S., Australia, Canada, New Zealand, and the United Kingdom.
The FBI revealed that threat actors scanned web cameras and DVRs for various vulnerabilities, including:
- CVE-2017-7921
- CVE-2018-9995
- CVE-2020-25078
- CVE-2021-33044
- CVE-2021-36260
Many of these vulnerabilities remain unaddressed by vendors, increasing the risk to users.
Ransomware Campaigns Exploiting DrayTek Routers
Additionally, Forescout Vedere Labs has reported that security flaws in DrayTek routers were exploited in a ransomware campaign affecting over 20,000 DrayTek Vigor devices between August and September 2023. The operation involved a suspected zero-day vulnerability that let attackers infiltrate networks and deploy ransomware, and it was carried out by three distinct threat actor groups.
Key points from the Forescout report include:
- Monstrous Mantis: Identified and exploited the vulnerability, harvesting credentials for further exploitation.
- Ruthless Mantis: Successfully compromised at least 337 organizations, mainly in the U.K. and the Netherlands.
- LARVA-15: Acted as an initial access broker, selling access gained from Monstrous Mantis to other threat actors.
The ongoing exploitation of vulnerabilities emphasizes the need for thorough root cause analysis and systematic code reviews by vendors post-disclosure.
Stay Informed and Secure
As cyber threats continue to evolve, staying informed about the latest vulnerabilities and security advisories is essential for organizations.