Recent Cybersecurity Alerts: CISA Highlights New Vulnerabilities; FBI Warns on IoT Threats
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence that both are being exploited in the wild. The catalog exists to steer organizations toward the flaws attackers are actually using, and its entries carry binding remediation deadlines for federal agencies.
The first, CVE-2024-20767 (CVSS 7.4), is an improper access control flaw in Adobe ColdFusion that can allow an unauthenticated attacker to read arbitrary files from the underlying file system when the administration panel is reachable from the internet. Adobe patched it in March 2024. The second, CVE-2024-35250 (CVSS 7.8), is an untrusted pointer dereference in a Windows kernel-mode driver that allows a local attacker to escalate to SYSTEM privileges; Microsoft fixed it in June 2024. The Taiwanese firm DEVCORE, which discovered and reported CVE-2024-35250, has since published technical details placing the bug in the Microsoft Kernel Streaming Service (ks.sys).
Neither advisory describes how the flaws are being weaponized in real intrusions, but public proof-of-concept exploits exist for both, which lowers the bar for any attacker who wants to use them. Under Binding Operational Directive 22-01, Federal Civilian Executive Branch (FCEB) agencies must remediate both vulnerabilities by January 6, 2025. The practical steps are the same for everyone: apply the vendor patches, take ColdFusion administration panels off the public internet, and confirm Windows hosts are at the June 2024 update level or later.
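The KEV catalog is published as a JSON feed, so the natural first step after an addition like this one is to match the new entries against your own asset inventory and sort the hits by due date and exposure. The script below is an added example (not code from the article or from CISA). It reads a feed in the shape of the public KEV JSON (top-level "vulnerabilities" list with cveID, vendorProject, product and dueDate), matches entries against a constructed inventory, and buckets the results as overdue, due within a window, or later. The feed excerpt, the inventory, the host names and the field names of the inventory are all constructed for the example; the two CVE entries use the January 6, 2025 due date given in the advisory.

```python
"""Triage CISA KEV entries against a local asset inventory.

Added example, not the article's or CISA's own code. The KEV field names
(cveID, vendorProject, product, dueDate) follow the public feed; the feed
excerpt and the inventory below are constructed for this example.
"""
import json
from datetime import date, timedelta

# Constructed excerpt in the shape of the KEV feed; only the fields this
# script uses are included.
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2024-20767", "vendorProject": "Adobe", "product": "ColdFusion",
         "dateAdded": "2024-12-16", "dueDate": "2025-01-06"},
        {"cveID": "CVE-2024-35250", "vendorProject": "Microsoft", "product": "Windows",
         "dateAdded": "2024-12-16", "dueDate": "2025-01-06"},
    ],
})

# Constructed inventory: hypothetical hosts, the vendor/product they run, and
# whether the service is reachable from the internet.
INVENTORY = [
    {"host": "cf-web-01", "vendor": "Adobe", "product": "ColdFusion", "internet_exposed": True},
    {"host": "ws-1042", "vendor": "Microsoft", "product": "Windows", "internet_exposed": False},
    {"host": "edge-rtr-03", "vendor": "DrayTek", "product": "Vigor", "internet_exposed": True},
]


def load_kev(text):
    """Parse a KEV-shaped JSON document and return its vulnerability list."""
    return json.loads(text)["vulnerabilities"]


def match_inventory(kev_entries, inventory):
    """Return (asset, entry) pairs whose vendor and product match.

    Matching is case-insensitive on vendor and product. A production version
    would also compare installed versions against the fixed version so that
    already-patched hosts drop out of the list.
    """
    hits = []
    for asset in inventory:
        for entry in kev_entries:
            if (asset["vendor"].lower() == entry["vendorProject"].lower()
                    and asset["product"].lower() == entry["product"].lower()):
                hits.append((asset, entry))
    return hits


def triage(kev_text, inventory, today, window_days=14):
    """Bucket matched hosts by urgency relative to the KEV due date.

    Buckets: "overdue" (due date already passed), "due_soon" (due within
    window_days) and "later". Within each bucket, internet-exposed hosts sort
    first, then by due date, then by host name.
    """
    result = {"overdue": [], "due_soon": [], "later": []}
    for asset, entry in match_inventory(load_kev(kev_text), inventory):
        due = date.fromisoformat(entry["dueDate"])
        item = {
            "host": asset["host"],
            "cve": entry["cveID"],
            "due": entry["dueDate"],
            "internet_exposed": asset["internet_exposed"],
        }
        if due < today:
            result["overdue"].append(item)
        elif due - today <= timedelta(days=window_days):
            result["due_soon"].append(item)
        else:
            result["later"].append(item)
    for bucket in result.values():
        bucket.sort(key=lambda i: (not i["internet_exposed"], i["due"], i["host"]))
    return result


if __name__ == "__main__":
    # Run with a fixed "today" so the output is reproducible.
    report = triage(KEV_SAMPLE, INVENTORY, date(2024, 12, 30))
    for bucket, items in report.items():
        for item in items:
            exposure = "internet-exposed" if item["internet_exposed"] else "internal"
            print(f"{bucket:9} {item['cve']}  {item['host']:12} due {item['due']}  ({exposure})")
```

Against the real feed, replace KEV_SAMPLE with the downloaded JSON and INVENTORY with an export from your CMDB; the DrayTek host in the sample produces no hit because no matching entry is in the excerpt, which is the correct behaviour rather than a false positive.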
Separately, the Federal Bureau of Investigation (FBI) has warned of ongoing HiatusRAT campaigns against consumer-grade devices, chiefly web cameras and DVRs. According to the FBI, the operators have been scanning for Internet of Things (IoT) devices from vendors including Hikvision, D-Link and Dahua that are located in the U.S., Australia, Canada, New Zealand and the U.K. The campaigns exploit long-known vulnerabilities, several of them CVEs dating back to 2017, and the FBI notes that a number of these flaws have never been patched by the vendors, so the affected devices stay exploitable for as long as they remain online.
The operators rely on open-source tooling for both device discovery and password brute-forcing. That is an opportunistic approach rather than a sophisticated one: it works because the targets run unpatched firmware and weak or default credentials, not because the attackers bring novel exploits. The FBI first observed this activity in March 2024, and its spread into household devices reflects a broader move by criminal actors toward consumer hardware that is rarely updated and seldom monitored.
Compounding these threats, research from Forescout Vedere Labs, in collaboration with PRODAFT, found that threat actors exploited DrayTek routers as part of a coordinated ransomware operation that compromised more than 20,000 devices. The campaign ran between August and September 2023 and is believed to have relied on a then-unpatched (zero-day) vulnerability, which gave the attackers a foothold on victim networks from which they harvested credentials and deployed several ransomware families.
Several groups took part, and the evidence points to a structured division of labour: one party controlled the exploitation of the router vulnerability and handed the resulting access on to others. The report names Monstrous Mantis, Ruthless Mantis and LARVA-15 as the principal actors, with the downstream groups using the shared access to move laterally through victim networks and stage ransomware.
Mapped to MITRE ATT&CK, the observed activity spans initial access through exploitation of a public-facing device, credential access to harvest router and network credentials, privilege escalation to gain fuller control of compromised systems, and lateral movement to reach the hosts that were eventually encrypted. The repeated exploitation of DrayTek products over several years suggests that known issues in these devices are not being closed quickly enough, leaving edge routers an attractive entry point.
The common thread across all three stories is old, well-documented weaknesses being exploited at scale: a patched ColdFusion flaw still reachable through exposed admin panels, IoT bugs from 2017 that vendors never fixed, and routers that keep reappearing in ransomware intrusions. The defensive priorities follow directly: patch against KEV deadlines, keep management interfaces off the public internet, retire devices whose vendors no longer ship fixes, and monitor edge and IoT equipment with the same rigour applied to servers.