Let it Bleed – Bleed You: IKE

Back in 1969, the rock group The Rolling Stones recorded an album titled "Let it Bleed." The album sold over 2.4 million copies, and in 1997, it was voted the 27th "Best Album Ever." The current "Bleed You" malicious cyber campaign is far from being popular and is trying to take advantage of a known remote code execution (RCE) vulnerability in Windows Internet Key Exchange (IKE) Protocol Extensions. More than 1,000 systems are unpatched and vulnerable to compromise.

If an attacker gains control of a target computer through some vulnerability and thereby gains the ability to execute commands on that remote computer, the result is called Remote Code Execution (RCE).

• It is a class of cyber-attack in which an attacker can remotely execute commands on someone else's computer.
• It usually begins with malware downloaded by the host and can happen regardless of the device's geographic location.

Internet Key Exchange (IKE) is a standard protocol for setting up a secure and authenticated communication channel between two parties, most commonly for a virtual private network (VPN). The protocol provides the security for VPN negotiation, remote host access, and network access.

A critical role of IKE is negotiating security associations (SAs) for IP Security (IPsec). An SA is the security policy agreed for communication between two or more entities: the set of algorithms and the mutually agreed-upon keys that both parties will use when they establish a VPN tunnel or connection.

There are two versions of IKE standards:

• IKE version 1 (IKEv1), defined in RFC 2409
• IKE version 2 (IKEv2), defined in RFC 7296

The critical flaw, tracked as CVE-2022-34721, has been under active attack since September, a new report warns, affecting vulnerable Windows operating systems, Windows Server, and the Windows protocols and services built on IKE. Once they achieve a compromise, the threat actors move laterally to deploy ransomware and other malware, the investigators observed.

The threat actors speak Mandarin but also have ties to Russian cybercriminals, according to researchers, who add that the attacks are not limited to a specific sector, with targets across retail, government, IT services, and more. Victims likewise were spread across several mostly Western countries, including Canada, the UK, and the US.

Attackers are exploiting vulnerable Windows Server machines via the IKE and AuthIP IPsec Keying Modules by exploiting this bug. Researchers advised that users apply patches and fixes as soon as possible to reduce the severity of the vulnerability's exploitation. The researchers also observed unknown hackers sharing the exploit link on underground forums.
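The advice above amounts to an inventory question for defenders: which Windows hosts still run the IKE and AuthIP IPsec Keying Modules service, listen for IKE on the network, and lack the September update? The following PowerShell script is an added example written for this article, not code from Red Sky Alliance or from the cited researchers. It assumes the standard service name IKEEXT behind "IKE and AuthIP IPsec Keying Modules" and the standard IKE/NAT-T ports UDP 500 and 4500; the KB identifier is a placeholder that the operator must replace with the update for the host's OS build, because the post does not name one.

```powershell
# Added example, not from the original post. Defender-side exposure check for
# a single Windows host: is the IKE service running, is it listening, and is
# the fix installed? Run locally or wrap in Invoke-Command for fleet checks.
param(
    # PLACEHOLDER: replace with the KB ID(s) for CVE-2022-34721 on this OS build.
    [string[]]$RequiredKBs = @('KB-PLACEHOLDER-CVE-2022-34721'),
    [string]$ComputerName = $env:COMPUTERNAME
)

$result = [ordered]@{
    Computer        = $ComputerName
    IkeServiceState = 'NotPresent'
    IkeListening    = $false
    PatchInstalled  = $false
    Exposure        = 'Unknown'
}

# IKEEXT is the service name behind "IKE and AuthIP IPsec Keying Modules".
$svc = Get-Service -Name IKEEXT -ErrorAction SilentlyContinue
if ($svc) { $result.IkeServiceState = $svc.Status.ToString() }

# IKE/ISAKMP uses UDP 500; IKE with NAT traversal uses UDP 4500.
$udp = Get-NetUDPEndpoint -LocalPort 500, 4500 -ErrorAction SilentlyContinue
$result.IkeListening = [bool]$udp

# Any one of the required KB IDs being present counts as patched.
$installed = Get-HotFix -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty HotFixID
$result.PatchInstalled = [bool]($RequiredKBs | Where-Object { $installed -contains $_ })

# Classify so the output can be sorted by urgency across a fleet.
if ($result.PatchInstalled) {
    $result.Exposure = 'Patched'
}
elseif ($result.IkeServiceState -eq 'Running' -and $result.IkeListening) {
    $result.Exposure = 'Exposed'          # unpatched, service up, port open
}
elseif ($result.IkeServiceState -eq 'Running') {
    $result.Exposure = 'RunningNotListening'
}
else {
    $result.Exposure = 'ServiceNotRunning'
}

[pscustomobject]$result
```

Hosts reported as Exposed are the ones to patch first; a host whose service is stopped or not listening is still unpatched and should not be treated as safe, since the service can be started again by a configuration change or a VPN role being enabled.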

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@wapacklabs.com

Weekly Cyber Intelligence Briefings:

• Reporting: https://www.redskyalliance.org/
• Website: https://www.wapacklabs.com/
• LinkedIn: https://www.linkedin.com/company/64265941

REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5504229295967742989
