Top 5 Major Vulnerabilities Being Actively Exploited by Threat Actors

At SISA, we understand the ever-evolving nature of cyber threats and the importance of staying one step ahead to protect your organization’s sensitive data and assets. Our dedicated team of experts is constantly monitoring various platforms, gathering intelligence, and analyzing the latest cyber threats to provide valuable insights into the latest cyber risks that can impact organizations. 

This monthly post provides a condensed overview of the threats encountered throughout the month.

Our team brings to you five emerging threats that you should be aware of, including a major ransomware attack by RansomEXX exploiting a critical Jenkins vulnerability to disrupt India’s banking sector, a widespread extortion campaign targeting publicly accessible .env files to compromise cloud environments, the exploitation of a critical remote code execution vulnerability (CVE-2024-4885) in Progress’s WhatsUp Gold, the Lazarus Group leveraging a zero-day vulnerability in the Windows AFD.sys driver to deploy a rootkit, and the South Korean cyber espionage group APT-C-60 exploiting a critical WPS Office vulnerability to spread the SpyGlace backdoor.

Read on to discover more…

1. Ransomware Strikes Jenkins Vulnerability Leading to Banking Breach

A major ransomware attack has disrupted India’s banking sector, targeting Brontoo Technology Solutions, a partner of C-Edge Technologies Ltd. The breach originated from a misconfigured Jenkins server exploited through the LFI vulnerability CVE-2024-23897, which allowed attackers to gain secure shell access by reading sensitive files such as private keys. The initial access may have been facilitated by IntelBroker, with RansomEXX executing the attack using sophisticated tactics like phishing, RDP vulnerabilities, and VPN weaknesses. The RansomEXX group employs strong encryption algorithms (RSA-2048, AES-256), making recovery without a decryption key nearly impossible. They utilize tools like Cobalt Strike and Mimikatz for lateral movement, privilege escalation, and file encryption, often exfiltrating data for double extortion. RansomEXX targets sectors including government, technology, manufacturing, telecom, and healthcare, and has evolved by using stolen digital certificates and collaborating with other cybercriminal groups to enhance their attacks.

2. Hackers Exploit Public Environment Variables in Cloud Extortion

A widespread extortion campaign is exploiting publicly accessible `.env` files that contain credentials for cloud and social media applications. According to cybersecurity researchers, the attackers leveraged exposed environment variables, long-lived credentials, and a lack of least privilege architecture to embed their attack infrastructure within compromised organizations’ AWS environments. They scanned over 230 million targets, harvesting more than 90,000 unique variables, including 7,000 linked to cloud services and 1,500 associated with social media accounts.

Instead of encrypting data, the attackers exfiltrated sensitive information from cloud storage containers and left ransom notes directly in the compromised storage. They gained initial access through unsecured `.env` files on web applications, not by exploiting vulnerabilities in cloud service providers. The threat actors used AWS IAM keys to create new roles, escalate privileges, and deploy AWS Lambda functions for automated scanning operations targeting domains globally.

The attackers extracted credentials from exposed `.env` files and stored them in a public S3 bucket, which has since been taken down by AWS. They specifically targeted `.env` files containing Mailgun credentials, likely to send phishing emails from legitimate domains. The campaign also involved the exfiltration and deletion of data, followed by ransom demands to prevent the sale of the data on the dark web. Though the identity of the threat actors remains unknown, with connections traced to Ukraine and Morocco, the operation showed advanced automation and expertise in cloud architecture and attack techniques.
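The chain described above (a leaked long-lived IAM key creating a role, attaching a policy to escalate, then deploying a Lambda function) is visible in CloudTrail. The following detector is an added example, not SISA's code or an AWS tool: it groups CloudTrail records by access key, considers only long-lived `AKIA...` keys, and reports any key that completes all three stages within a one-hour window. The records embedded below are constructed for the demo; the field names follow the CloudTrail schema, and the event-name sets and window length are assumptions you would tune for your account.

```python
"""Flag long-lived IAM access keys that perform the CreateRole ->
policy attach -> Lambda CreateFunction chain seen in the .env campaign.

Added example, not SISA's code. The CloudTrail records below are constructed
for the demo; field names (eventTime, eventSource, eventName, sourceIPAddress,
userIdentity.accessKeyId) follow the real CloudTrail schema."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one long-lived key (AKIA...) running the full chain in
# four minutes, plus an unrelated temporary key (ASIA...) reading an object.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-08-10T02:01:10Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateRole", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000001", "userName": "app-deploy"}},
    {"eventTime": "2024-08-10T02:02:30Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachRolePolicy", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000001", "userName": "app-deploy"},
     "requestParameters": {"roleName": "lambda-ex",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2024-08-10T02:05:00Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "CreateFunction20150331", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000001", "userName": "app-deploy"}},
    {"eventTime": "2024-08-10T09:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"accessKeyId": "ASIATEMPORARY0000002", "userName": "ci"}},
]})

# Stages of the chain; each stage matches if any of its event names is seen.
# Assumed set, extend with PassRole, CreateAccessKey, etc. as needed.
CHAIN = {
    "create_role": {"CreateRole"},
    "escalate": {"AttachRolePolicy", "PutRolePolicy", "AttachUserPolicy", "PutUserPolicy"},
    "deploy": {"CreateFunction20150331", "UpdateFunctionCode20150331v2"},
}
WINDOW = timedelta(hours=1)  # assumed correlation window


def parse_records(trail_json):
    """Load the Records array from a CloudTrail log file body."""
    return json.loads(trail_json)["Records"]


def events_by_key(records):
    """Map accessKeyId -> time-sorted list of (time, eventName, sourceIP)."""
    by_key = defaultdict(list)
    for r in records:
        key = r.get("userIdentity", {}).get("accessKeyId", "")
        when = datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        by_key[key].append((when, r["eventName"], r["sourceIPAddress"]))
    for key in by_key:
        by_key[key].sort()
    return by_key


def find_escalation_chains(records, window=WINDOW):
    """Return one finding per long-lived key that completes every CHAIN stage
    inside `window`, starting from any of its events."""
    findings = []
    for key, events in events_by_key(records).items():
        if not key.startswith("AKIA"):  # long-lived user keys only
            continue
        for i, (start, _, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - start <= window]
            names = {e[1] for e in in_window}
            stages = [s for s, wanted in CHAIN.items() if names & wanted]
            if len(stages) == len(CHAIN):
                findings.append({
                    "access_key": key,
                    "first_seen": start.isoformat(),
                    "source_ips": sorted({e[2] for e in in_window}),
                    "events": sorted(names),
                })
                break  # one finding per key is enough for triage
    return findings


if __name__ == "__main__":
    print(json.dumps(find_escalation_chains(parse_records(SAMPLE_TRAIL)), indent=2))
```

In production you would feed this the decompressed CloudTrail objects from the trail's S3 bucket (or query the same fields in CloudTrail Lake) and enrich each finding with whether the source IP is one of your own egress addresses; a key that is expected to deploy Lambda but only ever from CI runners stands out immediately when the chain arrives from an unfamiliar network.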

3. CVE-2024-4885: Critical RCE Flaw in WhatsUp Gold Under Exploitation

A critical vulnerability (CVE-2024-4885) in Progress Software’s WhatsUp Gold allows unauthenticated remote code execution, posing significant risks to organizations using the network monitoring application. The flaw, with a CVSS score of 9.8, affects versions released before 2023.1.3 and enables attackers to execute commands with elevated privileges through the ‘WhatsUp.ExportUtilities.Export.GetFileWithoutZip’ command method. Exploitation attempts began on August 1, 2024, targeting the /NmAPI/RecurringReport endpoint. A proof-of-concept exploit has been publicly released, increasing the risk of attacks. Additionally, the latest WhatsUp Gold version patches two more critical flaws (CVE-2024-4883 and CVE-2024-4884), both of which also allowed unauthenticated remote code execution.
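Two checks follow from the advisory: whether an installed WhatsUp Gold build is older than the fixed 2023.1.3 release, and whether the IIS access log in front of the application shows requests to the /NmAPI/RecurringReport endpoint from networks you do not trust. The script below is an added example, not Progress's or SISA's code; the fixed version and endpoint path come from the text above, while the IIS W3C log lines and the trusted-network list are constructed for the demo.

```python
"""Defender checks for the WhatsUp Gold advisory (CVE-2024-4885).

Added example, not Progress's or SISA's code. FIXED_VERSION and the endpoint
path are taken from the advisory; the log excerpt is constructed in IIS W3C
format (IIS writes '+' for spaces inside field values, so splitting on
whitespace is safe)."""
import ipaddress

FIXED_VERSION = (2023, 1, 3)
TARGET_ENDPOINT = "/nmapi/recurringreport"  # compared case-insensitively

# Constructed sample log: one POST to the endpoint from an external address,
# one ordinary console login, one POST from an internal host.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2024-08-01 10:15:02 10.0.0.5 POST /NmAPI/RecurringReport - 443 203.0.113.9 python-requests/2.31.0 200
2024-08-01 10:15:05 10.0.0.5 GET /NmConsole/Login.aspx - 443 10.0.0.42 Mozilla/5.0 200
2024-08-01 10:16:11 10.0.0.5 POST /NmAPI/RecurringReport - 443 10.0.0.42 Mozilla/5.0 200
"""


def parse_version(text):
    """'2023.1.2' -> (2023, 1, 2). A shorter tuple with the same prefix sorts
    lower, so '2023.1' is treated as below 2023.1.3."""
    return tuple(int(part) for part in text.strip().split("."))


def is_vulnerable_version(text):
    """True when the build predates the first fixed release."""
    return parse_version(text) < FIXED_VERSION


def parse_iis_log(text):
    """Turn an IIS W3C log into dicts keyed by the names in the #Fields line."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split())))
    return rows


def find_untrusted_endpoint_hits(text, trusted_cidrs):
    """Requests to the RecurringReport endpoint whose client address is not
    inside any trusted network."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    hits = []
    for row in parse_iis_log(text):
        if row.get("cs-uri-stem", "").lower() != TARGET_ENDPOINT:
            continue
        client = ipaddress.ip_address(row["c-ip"])
        if not any(client in net for net in nets):
            hits.append({
                "time": f"{row['date']} {row['time']}",
                "client": row["c-ip"],
                "method": row["cs-method"],
                "user_agent": row["cs(User-Agent)"],
            })
    return hits


if __name__ == "__main__":
    for ver in ("2023.1.2", "2023.1.3"):
        print(ver, "vulnerable" if is_vulnerable_version(ver) else "fixed")
    for hit in find_untrusted_endpoint_hits(SAMPLE_LOG, ["10.0.0.0/8"]):
        print("untrusted hit:", hit)
```

The version check is only a pre-patch triage aid; the authoritative fix is upgrading. The log check pairs naturally with the recommendation later in this post to restrict the WhatsUp Gold console to trusted addresses: once that allowlist exists at the firewall, any hit the script still finds in the log is evidence that the restriction is not actually enforced.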

4. Lazarus Group Exploits Windows Driver Zero-Day to Deploy Rootkit

The Lazarus hacking group exploited a zero-day vulnerability in the Windows AFD.sys driver (CVE-2024-38193) to gain kernel-level privileges and install the FUDModule rootkit, which evades detection by disabling Windows monitoring features. This flaw was used in a targeted campaign against Brazilian cryptocurrency professionals. Lazarus, known for large-scale financial cyberheists, including the 2014 Sony Pictures hack and the 2017 WannaCry attack, leveraged this vulnerability as part of a broader BYOVD (Bring Your Own Vulnerable Driver) attack strategy. The group used social engineering, such as fake job offers, to deliver malware, and this attack is part of a continued pattern of exploiting similar vulnerabilities in Windows drivers.
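Because the rootkit is delivered through a driver load, driver-load telemetry is the natural place to look for BYOVD activity. The triage routine below is an added example, not SISA's code or a Sysinternals tool: it takes Sysmon Event ID 6 (driver loaded) records and flags loads that are unsigned or have an invalid signature, are signed by a non-Microsoft publisher, come from outside the standard driver directories, or match a SHA-256 blocklist. The events are constructed; the field names are the real Sysmon Event ID 6 fields, and the blocklist entry is a placeholder standing in for Microsoft's vulnerable driver blocklist or an internal deny list.

```python
"""Triage Sysmon Event ID 6 (driver loaded) records for BYOVD indicators.

Added example, not SISA's code. Sample events are constructed; the field
names (ImageLoaded, Hashes, Signed, Signature, SignatureStatus) are the real
Sysmon fields. BLOCKLIST_SHA256 is a placeholder: load Microsoft's vulnerable
driver blocklist or your own deny list in practice."""

MICROSOFT_SIGNERS = ("Microsoft Windows",)  # also matches the WHQL publisher
TRUSTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)
BLOCKLIST_SHA256 = {"00" * 32}  # placeholder hash, constructed for the demo

# Constructed events: the in-box afd.sys, a vendor-signed driver dropped in a
# user-writable path whose hash is on the blocklist, and an unsigned driver.
SAMPLE_EVENTS = [
    {"EventID": 6, "ImageLoaded": "C:\\Windows\\System32\\drivers\\afd.sys",
     "Hashes": "SHA256=" + "ab" * 32 + ",MD5=" + "cd" * 16,
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 6, "ImageLoaded": "C:\\Users\\Public\\Downloads\\ctl.sys",
     "Hashes": "SHA256=" + "00" * 32,
     "Signed": "true", "Signature": "Some Hardware Vendor", "SignatureStatus": "Valid"},
    {"EventID": 6, "ImageLoaded": "C:\\Windows\\Temp\\x.sys",
     "Hashes": "SHA256=" + "ef" * 32,
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
]


def parse_hashes(field):
    """'SHA256=...,MD5=...' -> {'SHA256': '...', 'MD5': '...'} (lower-case)."""
    out = {}
    for kv in field.split(","):
        if "=" in kv:
            algo, value = kv.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def triage_driver_load(event):
    """Return the list of reasons this driver load deserves a look; an empty
    list means nothing in the event is suspicious by these rules."""
    reasons = []
    signed = event.get("Signed", "").lower() == "true"
    valid = event.get("SignatureStatus") == "Valid"
    if not (signed and valid):
        reasons.append("unsigned_or_invalid_signature")
    elif not event.get("Signature", "").startswith(MICROSOFT_SIGNERS):
        reasons.append("third_party_signer")
    if not event.get("ImageLoaded", "").lower().startswith(TRUSTED_DRIVER_DIRS):
        reasons.append("unusual_path")
    if parse_hashes(event.get("Hashes", "")).get("SHA256") in BLOCKLIST_SHA256:
        reasons.append("blocklisted_hash")
    return reasons


def triage_all(events):
    """(image path, reasons) for every Event ID 6 record that raised a reason."""
    flagged = []
    for event in events:
        if event.get("EventID") != 6:
            continue
        reasons = triage_driver_load(event)
        if reasons:
            flagged.append((event["ImageLoaded"], reasons))
    return flagged


if __name__ == "__main__":
    for image, reasons in triage_all(SAMPLE_EVENTS):
        print(image, "->", ", ".join(reasons))
```

A third-party signer by itself is not malicious (most hardware vendors sign their own drivers), which is why the path and hash checks are kept separate: the combination of a vendor-signed driver loaded from a user-writable directory is the pattern that matters for BYOVD, and the hash match is what ties it to a known vulnerable driver. Enforcing Microsoft's blocklist through HVCI or WDAC blocks the load outright; this triage is the detective control for hosts where that is not yet possible.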

5. APT-C-60 Leverages WPS Office Vulnerability to Spread SpyGlace

A South Korean cyber espionage group, APT-C-60, exploited a critical remote code execution vulnerability (CVE-2024-7262, CVSS 9.3) in Kingsoft WPS Office to deploy the SpyGlace backdoor. The flaw allowed attackers to upload malicious DLLs via manipulated file paths in the WPS Office plugin promecefpluginhost.exe, enabling remote code execution. A second vulnerability (CVE-2024-7263) was also identified. The attack, delivered through a malicious spreadsheet with a hidden hyperlink, targeted users in China and East Asia.

The SpyGlace trojan, delivered as TaskControler.dll, can perform file theft, plugin loading, and remote command execution. APT-C-60’s strategy included disguising the malicious spreadsheet to look legitimate, triggering the exploit when users clicked on it. The group has been active since 2021, and SpyGlace was first detected in 2022.

Additionally, the group used a malicious third-party Pidgin plugin, ScreenShareOTR, to download binaries and deploy DarkGate malware, which is capable of keylogging and screenshot capture. The same backdoor code was found in Cradle, a purported open-source fork of Signal, which delivered malware via PowerShell scripts on Windows and ELF executables on Linux. Both the plugin and the app were signed with a certificate from “INTERREX – SP. Z O.O.,” indicating a coordinated effort to distribute the malware.

Key recommendations to combat cyber risks: 

  • Patch Management: Regularly update all software, including Kingsoft WPS Office, WhatsUp Gold, and third-party plugins, with the latest security patches to address known vulnerabilities like CVE-2024-7262, CVE-2024-7263, and CVE-2024-4885.
  • Advanced Threat Detection and Monitoring: Deploy advanced threat detection tools and continuous monitoring solutions to identify unusual behavior, unauthorized changes, and exploitation attempts, especially related to drivers, IAM roles, and critical endpoints.
  • Application Whitelisting and Least Privilege: Implement application whitelisting to restrict the execution of unapproved software, and enforce the principle of least privilege for all users and roles to minimize potential impacts.
  • User Awareness and Security Training: Conduct regular security awareness training to educate employees on the risks of phishing, social engineering, and opening suspicious documents with embedded links.
  • Access Controls and Environment Security: Secure environment variable files and sensitive data with proper access controls, encryption, and secret management services. Limit access to critical servers, such as WhatsUp Gold and Jenkins, to trusted IP addresses and VPNs.
  • Incident Response and Backup Strategies: Develop and practice an incident response plan and maintain robust backup strategies with offline copies to ensure quick recovery from potential breaches.
  • Regular Security Audits and Vulnerability Assessments: Perform regular security audits, vulnerability assessments, and penetration testing to identify and mitigate security gaps, including those in cloud environments and supply chain components.

To get updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories or check out SISA Weekly Threat Watch on our website.

For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.
