Exploited: Cisco, SharePoint, Chrome vulnerabilities

Threat actors have been leveraging zero-day and n-day vulnerabilities in Cisco security appliances (CVE-2024-20481), Microsoft SharePoint (CVE-2024-38094), and Google’s Chrome browser (CVE-2024-4947).

CVE-2024-20481 (Cisco ASA/FTD)

In the past few days, Cisco has released fixes for a slew of vulnerabilities affecting the software powering its security appliances.

Among them several are of particular note:

  • CVE-2024-20481, a vulnerability in the Remote Access VPN (RAVPN) service of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software, which could allow an unauthenticated, remote attacker to cause a denial of service (DoS) of the RAVPN service.
  • CVE-2024-20377, CVE-2024-20387 and CVE-2024-20388, which affect Cisco Secure Firewall Management Center (FMC) Software and may allow attackers to conduct cross-site scripting (XSS) attacks or access sensitive information on an affected device.

CVE-2024-20481 has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, a decision that’s likely based on Cisco confirming that they are aware of malicious use of the flaw.

Information included in the security advisory points to the attackers having inadvertently triggered the flaw as they were performing password spraying attacks.

According to a Cisco Talos report covering Q3 2024, the group “has responded to a growing number of engagements in which adversaries have leveraged password-spraying campaigns to obtain valid usernames and passwords to facilitate initial access.”
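To show the password-spraying pattern described above from the defender's side, here is an added example (not from Cisco, Talos or this article) that flags source addresses trying many distinct usernames against the VPN; the syslog field layout is modeled on Cisco ASA AAA rejection messages and, together with the sample lines, is a constructed assumption.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape of Cisco ASA AAA rejection syslog
# messages (assumption: message text "AAA user authentication Rejected"
# with "user = ..." and "user IP = ..." fields, as seen for RAVPN logins).
SAMPLE_LOG = """\
%ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = alice : user IP = 203.0.113.7
%ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = bob : user IP = 203.0.113.7
%ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = carol : user IP = 203.0.113.7
%ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = dave : user IP = 203.0.113.7
%ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = alice : user IP = 198.51.100.9
%ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = alice : user IP = 198.51.100.9
%ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = alice : user IP = 198.51.100.9
"""

REJECT_RE = re.compile(
    r"AAA user authentication Rejected.*?user = (?P<user>\S+) : user IP = (?P<ip>\S+)"
)

def parse_rejections(log_text):
    """Yield (source_ip, username) for every rejected AAA authentication line."""
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            yield m.group("ip"), m.group("user")

def find_spraying_sources(log_text, min_distinct_users=3):
    """Return {source_ip: sorted distinct usernames} for sources that tried
    at least `min_distinct_users` different accounts.  Many distinct users
    from one IP is the spraying signature; repeated failures for a single
    user from one IP (a classic brute force) is deliberately not flagged."""
    users_by_ip = defaultdict(set)
    for ip, user in parse_rejections(log_text):
        users_by_ip[ip].add(user)
    return {
        ip: sorted(users)
        for ip, users in users_by_ip.items()
        if len(users) >= min_distinct_users
    }

if __name__ == "__main__":
    for ip, users in find_spraying_sources(SAMPLE_LOG).items():
        print(f"possible password spraying from {ip}: {len(users)} accounts {users}")
```

On a real appliance the same counting is worth running per time window, since a spray spread over hours looks like noise in any single minute.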

CVE-2024-20377, CVE-2024-20387 and CVE-2024-20388 are not under active exploitation, but Cisco’s Product Security Incident Response Team is aware that proof-of-concept exploit code is available for them.

CVE-2024-38094 (Microsoft SharePoint)

SharePoint is Microsoft’s enterprise-grade solution for content/knowledge management that can be used as part of Microsoft 365 (as a cloud-based service) or run as on-premises software.

CVE-2024-38094 is a data deserialization vulnerability that allows an authenticated attacker with Site Owner permissions to inject arbitrary code and execute it in the context of SharePoint Server.

The vulnerability was fixed by Microsoft in July 2024.

CISA has added CVE-2024-38094 to its KEV catalog, but details about the attacks are currently unavailable.

Proof-of-concept exploits for this particular flaw are publicly available.

CVE-2024-4947 (Google Chrome)

Kaspersky researchers have shared how North Korean threat actors exploited CVE-2024-4947, a type confusion vulnerability in Chrome’s JavaScript engine (V8), to target individuals in the cryptocurrency space via a clever social engineering campaign and compromise them with a custom backdoor (“Manuscrypt”).

“On May 13, 2024, our consumer-grade product Kaspersky Total Security detected a new Manuscrypt infection on the personal computer of a person living in Russia. Since Lazarus rarely attacks individuals, this piqued our interest and we decided to take a closer look. We discovered that prior to the detection of Manuscrypt, our technologies also detected exploitation of the Google Chrome web browser originating from the website detankzone[.]com,” the researchers explained.

“On the surface, this website resembled a professionally designed product page for a decentralized finance (DeFi) NFT-based (non-fungible token) multiplayer online battle arena (MOBA) tank game, inviting users to download a trial version. But that was just a disguise. Under the hood, this website had a hidden script that ran in the user’s Google Chrome browser, launching a zero-day exploit and giving the attackers complete control over the victim’s PC. Visiting the website was all it took to get infected — the game was just a distraction.”

CVE-2024-4947 was quickly reported to and fixed by Google.

According to Kaspersky, the attackers also exploited an additional security bug – a V8 sandbox bypass – to effect the compromise.

“This issue (330404819) was submitted and fixed in March 2024. It is unknown whether it was a bug collision and the attackers discovered it first and initially exploited it as a 0-day vulnerability, or if it was initially exploited as a 1-day vulnerability.”
