The Cybersecurity and Infrastructure Security Agency (CISA) in the United States has expanded its Known Exploited Vulnerabilities (KEV) repository after uncovering evidence of in-the-wild exploitation.
The newly flagged vulnerabilities include:
- CVE-2024-20767 (CVSS 7.4) – A flaw within Adobe ColdFusion due to improper access controls, potentially granting attackers unauthorized access to sensitive files through an exposed administrative panel. Adobe addressed this issue with a patch rolled out in March 2024.
- CVE-2024-35250 (CVSS 7.8) – A weakness in the Microsoft Windows Kernel-Mode Driver caused by an untrusted pointer dereference, allowing a local attacker to escalate privileges. Microsoft issued a patch in June 2024.
Taiwanese security firm DEVCORE, which discovered CVE-2024-35250, published a technical analysis of the flaw in August 2024, attributing it to the Microsoft Kernel Streaming Service (MSKSSRV).
While proof-of-concept (PoC) exploits for both vulnerabilities are publicly available, details of how they are being used in real-world attacks remain scarce. Federal Civilian Executive Branch (FCEB) agencies have been urged to apply the remediations before January 6, 2025, to protect their networks.
FBI: HiatusRAT Campaign Targets IoT Devices and Web Cameras
Simultaneously, the Federal Bureau of Investigation (FBI) issued an advisory regarding the alarming evolution of HiatusRAT operations. Originally targeting network edge devices such as routers, the campaign now focuses on vulnerabilities within Internet of Things (IoT) devices—specifically web cameras and DVR systems from Hikvision, D-Link, and Dahua.
Affected regions include the U.S., Australia, Canada, New Zealand, and the United Kingdom. The FBI highlighted active exploitation of vulnerabilities like:
- CVE-2017-7921
- CVE-2018-9995
- CVE-2020-25078
- CVE-2021-33044
- CVE-2021-36260
The attackers employed the open-source tools Ingram and Medusa for systematic scanning and brute-force authentication attempts. The FBI underscored that many of these flaws remain unpatched, exacerbating the threat.
DrayTek Routers Compromised in Extensive Ransomware Campaign
In parallel, Forescout Vedere Labs, leveraging intelligence from PRODAFT, recently unveiled a coordinated ransomware campaign that exploited vulnerabilities in DrayTek routers. Between August and September 2023, over 20,000 DrayTek Vigor devices were infiltrated, enabling adversaries to compromise networks, pilfer credentials, and deploy ransomware payloads.
The campaign involved a trio of distinct cybercrime entities:
- Monstrous Mantis (Ragnar Locker) – Orchestrators who identified and weaponized the zero-day exploit, retaining exclusive control over the infiltration process.
- Ruthless Mantis (PTI-288) – Responsible for credential cracking and leveraging stolen access to compromise organizations.
- LARVA-15 (Wazawaka) – Acting as an Initial Access Broker (IAB), monetizing footholds by selling access to fellow threat actors.
The perpetrators executed post-exploitation actions, including lateral movement, privilege escalation, and the deployment of ransomware families such as RagnarLocker, Nokoyawa, RansomHouse, and Qilin.
Forescout emphasized that Monstrous Mantis strategically withheld the exploit, opting instead to profit indirectly by obligating ransomware operators to remit a portion of their proceeds. Ruthless Mantis alone is believed to have successfully infiltrated 337 organizations, primarily in the U.K. and Netherlands.
The investigation revealed 22 additional vulnerabilities sharing architectural flaws akin to CVE-2020-8515 and CVE-2024-41592, underscoring systemic deficiencies in vendor code reviews and root-cause analyses.
As these vulnerabilities persist, the recurring exploitation of inadequately patched systems highlights an urgent need for robust security practices, proactive mitigation, and comprehensive vendor accountability.
The evolving threat landscape mandates vigilance, as adversaries exhibit increasing sophistication, targeting critical infrastructures and perpetuating lucrative ransomware ecosystems.