Critical vulnerabilities in Apple, VMware, and Ubuntu are under active exploitation, urging immediate patch updates to mitigate security risks.

Overview

Cyble Research and Intelligence Labs (CRIL) analyzed 25 vulnerabilities between November 13 and November 19, 2024, identifying several high-priority threats that security teams must address. This blog also highlights 10 exploit discussions on underground forums, increasing the urgency to patch.

Key vulnerabilities include issues in Apple’s macOS, VMware vCenter, and Zyxel devices, with observed exploitation activity. Apple’s zero-day vulnerabilities (CVE-2024-44308 and CVE-2024-44309) and VMware’s critical vulnerabilities (CVE-2024-38812 and CVE-2024-38813) have particularly raised concerns among cybersecurity experts.

Additionally, researchers observed active discussions of proof-of-concept (PoC) exploits for D-Link, Fortinet, and Palo Alto Networks products on dark web forums, raising the likelihood of broader exploitation.

Below are the critical vulnerabilities and exploit highlights.

Top IT Vulnerabilities

Cyble researchers emphasized these vulnerabilities as high-priority fixes:

1. CVE-2024-44308, CVE-2024-44309: Two zero-day vulnerabilities in Apple’s macOS systems affecting WebKit and JavaScriptCore components. These flaws allow remote code execution and cross-site scripting (XSS). Apple has released emergency patches for macOS, Safari, and iOS to address these vulnerabilities.
2. CVE-2024-38812, CVE-2024-38813: Critical vulnerabilities in VMware’s vCenter Server. CVE-2024-38812 enables remote code execution, while CVE-2024-38813 allows privilege escalation. Attackers have actively exploited these vulnerabilities in the wild, targeting corporate environments.
3. CVE-2024-42057: A command injection vulnerability in Zyxel’s IPSec VPN feature. Unauthenticated attackers can execute OS commands on vulnerable devices. Researchers linked this flaw to the Helldown ransomware group, which uses it to infiltrate networks.
4. CVE-2024-10914: A critical command injection vulnerability in legacy D-Link NAS devices. Exploiting the cgi_user_add function in the account_mgr.cgi script allows attackers to execute OS commands remotely. Over 61,000 vulnerable devices were identified online.
5. CVE-2024-48990, CVE-2024-48991, CVE-2024-48992: Privilege escalation vulnerabilities in the “needrestart” package for Ubuntu systems. Local attackers can gain root privileges on vulnerable installations. While these vulnerabilities are less likely to be exploited remotely, they pose significant risks in shared environments.
6. CVE-2024-11120: A command injection vulnerability affecting EOL GeoVision devices. Exploited by botnets, attackers use this flaw to conduct DDoS attacks and cryptomining.

Dark Web and Underground Exploit Activity

Cyble’s research uncovered multiple exploit discussions and PoCs shared on underground forums and Telegram channels:

1. Fortinet FortiManager (CVE-2024-47575): Known as “FortiJump,” this vulnerability allows unauthenticated remote attackers to execute arbitrary commands. Threat actors have weaponized this exploit for lateral movement in corporate environments.
2. D-Link NAS Devices (CVE-2024-10914): Threat actors shared exploit details enabling command injection via the account_mgr.cgi script. Researchers detected over 61,000 exposed devices, emphasizing the urgency of mitigation.
3. Palo Alto Networks Expedition (CVE-2024-5910, CVE-2024-9464): Exploits for these vulnerabilities allow attackers to gain administrator privileges or execute OS commands with root access. Discussions on underground forums highlight chaining techniques for broader attacks.
4. Microsoft Exchange Server (CVE-2021-34470): Despite being disclosed in 2023, this privilege escalation vulnerability remains a target in cybercrime forums, with fresh PoCs surfacing.
5. Zero-Day Windows Exploit: A threat actor named “IOWA” offered a Local Privilege Escalation (LPE) vulnerability for Microsoft Windows and Windows Server. The asking price ranged from $200,000 to $400,000, reflecting its critical nature.

Cyble’s Recommendations

To address these vulnerabilities and mitigate potential risks, CRIL recommends the following steps:

• Apply Patches: Regularly update all software and hardware systems with vendor-provided patches. Prioritize critical vulnerabilities like Apple’s zero-days, VMware vCenter flaws, and Zyxel command injection vulnerabilities.
• Implement Patch Management: Develop a comprehensive strategy that includes testing and deploying patches promptly. Automate where possible to ensure consistency.
• Network Segmentation: Isolate critical assets using VLANs, firewalls, and access controls to minimize exposure.
• Monitor for Suspicious Activity: Use SIEM solutions to detect abnormal behavior. Analyze logs for signs of exploitation, particularly for internet-facing services.
• Conduct Regular Assessments: Perform vulnerability assessments and penetration testing to identify weaknesses. Complement these efforts with security audits to ensure compliance.
• Enhance Visibility: Maintain an inventory of internal and external assets. Use asset management tools to ensure comprehensive monitoring.
• Adopt Strong Password Policies: Change default passwords, enforce complexity, and implement multi-factor authentication (MFA).

Conclusion

The vulnerabilities discussed in this report call for improved and robust cybersecurity practices. With active exploitation of critical flaws like Apple’s zero-days and VMware’s vCenter vulnerabilities, organizations must act swiftly to patch, monitor, and secure their environments. Proactive measures are essential to mitigate risks and protect sensitive systems from escalating cyber threats.

Related