Activity Feed
- Government or Industry Alert (https://www.cisa.gov/news-events/alerts/2024/08/07/cisa-adds-two-known-exploited-vulnerabilities-catalog)
Technical Analysis
(Edit August 22, 2024: This is now on CISA KEV and is listed as observed in ransomware attacks.)
There seems to only be one main (public) report of exploitation that folks are quoting for this CVE, but the UC Berkeley researcher’s statement indicated fairly high confidence that they were seeing actual exploitation against honeypots, not just scanning.
Notably, this vuln is not on CISA KEV as of August 2024, which may mean there wasn’t enough evidence to definitively confirm successful in-the-wild attacks. I’ve also not seen any public reports of EITW against production systems. Multiple public PoCs were available as of January 2024 (some testing notes from the Splunk team here). A Metasploit module is also available.
We’ve seen attacks on CI/CD pipelines and tooling escalate the past year or two, so I’d expect bugs like this to get at least triage and recon attention from adversaries, including APTs.
- Government or Industry Alert (https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=cve-2022-21882)
Technical Analysis
A July 2024 bulletin from multiple U.S. government agencies indicates that North Korean state-sponsored attackers have demonstrated interest in this vulnerability — not immediately clear whether it was exploited outright or used in some other capacity: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a
Not on CISA KEV as of August 7, 2024.
Technical Analysis
A July 2024 bulletin from multiple U.S. government agencies indicates that North Korean state-sponsored attackers have demonstrated interest in this vulnerability — not immediately clear whether it was exploited outright or used in some other capacity: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a
On CISA KEV and also listed as “Known” for ransomware usage, so adding those tags, too. Lots of CLFS driver bugs have been used in both 0day and n-day attacks the past few years — in December 2023, Securelist published a whole series on CLFS driver exploits used in ransomware attacks. This vuln isn’t in that series, but five others are, underscoring the trend.
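Several of the assessments above hinge on two checks: whether a CVE is on CISA KEV as of a given date, and whether the KEV entry carries the "Known" ransomware-use flag. The script below is an added example, not code from these assessments or from CISA. It reads the KEV catalog in the JSON shape CISA publishes (field names `cveID`, `dateAdded`, `knownRansomwareCampaignUse`); the catalog sample embedded in the file is constructed with placeholder CVE IDs so the example runs offline, and `fetch_catalog` (which uses the real feed URL) is provided but not called.

```python
"""KEV lookup helper (added example; catalog sample below is constructed)."""
import json
import urllib.request

# Published location of the KEV JSON feed. Not fetched in this offline example.
KEV_JSON_URL = (
    "https://www.cisa.gov/sites/default/files/feeds/"
    "known_exploited_vulnerabilities.json"
)

# Constructed sample in the KEV JSON shape. The CVE IDs, vendor, product and
# dates are placeholders, not real catalog entries and not the page's CVEs.
SAMPLE_CATALOG = json.loads("""
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "2024.08.22",
  "dateReleased": "2024-08-22T14:00:00.0000Z",
  "count": 2,
  "vulnerabilities": [
    {
      "cveID": "CVE-0000-0001",
      "vendorProject": "ExampleVendor",
      "product": "ExampleProduct",
      "vulnerabilityName": "ExampleProduct Remote Code Execution Vulnerability",
      "dateAdded": "2024-08-07",
      "shortDescription": "Constructed placeholder entry.",
      "requiredAction": "Apply mitigations per vendor instructions.",
      "dueDate": "2024-08-28",
      "knownRansomwareCampaignUse": "Known",
      "notes": ""
    },
    {
      "cveID": "CVE-0000-0002",
      "vendorProject": "ExampleVendor",
      "product": "ExampleDriver",
      "vulnerabilityName": "ExampleDriver Privilege Escalation Vulnerability",
      "dateAdded": "2024-07-29",
      "shortDescription": "Constructed placeholder entry.",
      "requiredAction": "Apply mitigations per vendor instructions.",
      "dueDate": "2024-08-19",
      "knownRansomwareCampaignUse": "Unknown",
      "notes": ""
    }
  ]
}
""")


def fetch_catalog(url=KEV_JSON_URL, timeout=30):
    """Download the live KEV catalog. Network call; not used by the tests."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def index_catalog(catalog):
    """Map upper-cased cveID -> catalog entry for O(1) lookups."""
    return {v["cveID"].upper(): v for v in catalog["vulnerabilities"]}


def kev_status(catalog, cve_id):
    """Return (on_kev, date_added, ransomware_use) for one CVE.

    ransomware_use is the catalog's knownRansomwareCampaignUse value
    ("Known" or "Unknown"); both it and date_added are None when the CVE
    is absent from the catalog.
    """
    entry = index_catalog(catalog).get(cve_id.strip().upper())
    if entry is None:
        return (False, None, None)
    return (True, entry["dateAdded"], entry.get("knownRansomwareCampaignUse", "Unknown"))


def on_kev_as_of(catalog, cve_id, as_of):
    """Was the CVE already in the catalog on the given YYYY-MM-DD date?

    KEV dates are ISO-8601 day strings, so a plain string comparison gives
    chronological order. This reproduces statements like "not on KEV as of
    August 7" even when checking against a catalog snapshot taken later.
    """
    on_kev, date_added, _ = kev_status(catalog, cve_id)
    return bool(on_kev and date_added <= as_of)


def tags_for(catalog, cve_id):
    """Produce the tag set an assessment would add for this CVE."""
    on_kev, _, ransomware = kev_status(catalog, cve_id)
    tags = []
    if on_kev:
        tags.append("cisa-kev")
    if ransomware == "Known":
        tags.append("ransomware-known")
    return tags


if __name__ == "__main__":
    for cve in ("CVE-0000-0001", "CVE-0000-0002", "CVE-0000-9999"):
        print(cve, kev_status(SAMPLE_CATALOG, cve), tags_for(SAMPLE_CATALOG, cve))
```

To use it against the live catalog, replace `SAMPLE_CATALOG` with `fetch_catalog()`; the date check in `on_kev_as_of` matters because `dateAdded` is the only way to reconstruct a CVE's KEV status at the time an assessment was written.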
Technical Analysis
A July 2024 bulletin from multiple U.S. government agencies indicates that North Korean state-sponsored attackers have demonstrated interest in this vulnerability — not immediately clear whether it was exploited outright or used in some other capacity: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a
Not on CISA KEV as of August 7, 2024.
Technical Analysis
A July 2024 bulletin from multiple U.S. government agencies indicates that North Korean state-sponsored attackers have demonstrated interest in this vulnerability — not immediately clear whether it was exploited outright or used in some other capacity: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a
Not on CISA KEV as of August 7, 2024.
Technical Analysis
Exploited by North Korean state-sponsored attackers according to a July 2024 bulletin from multiple U.S. government agencies: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a
Also made CISA’s “Routinely Exploited Vulnerabilities” list for 2022 (published in August 2023).
- Government or Industry Alert (https://www.cisa.gov/news-events/alerts/2024/07/29/cisa-adds-three-known-exploited-vulnerabilities-catalog)
- Government or Industry Alert (https://www.cisa.gov/news-events/alerts/2024/07/29/cisa-adds-three-known-exploited-vulnerabilities-catalog)