Q2 2024 was eventful in terms of new interesting vulnerabilities and exploitation techniques for applications and operating systems. Attacks through vulnerable drivers have become prevalent as a general means of privilege escalation in the operating system. Such attacks are notable in that the vulnerability does not have to be fresh, since attackers themselves deliver unpatched drivers to the system. This report considers the statistics of research publications that can be used by cybercriminals to attack target systems, and provides statistical snapshots of vulnerabilities.
Statistics on registered vulnerabilities
In this section, we look at statistics on registered vulnerabilities based on data from the cve.org portal.
In Q2 2024, the number of registered vulnerabilities exceeded last year’s figure for the same period, and is likely to grow further, as some vulnerabilities are not added to the CVE list immediately after registration. This trend is in line with the general uptick in the number of registered vulnerabilities that we noted in our Q1 report.
Total number of registered vulnerabilities and number of critical ones, Q2 2023 and Q2 2024
Comparing the data for the period 2019–2024, we see that in H1 2024 the total number of registered vulnerabilities was slightly less than half of the figure for the whole of 2023. Worth noting is the quarter-on-quarter rise in the number of registered vulnerabilities, which is why we cannot say for sure that the 2024 total won’t exceed the 2023 figure by year’s end.
Number of vulnerabilities and the share of critical ones and of those for which exploits exist, 2019–2024
The chart also shows the share among all registered vulnerabilities of ones that are critical and of ones for which there is a public description or Proof of Concept. The drop in the latter’s share in Q2 illustrates that the number of registered vulnerabilities is growing faster than the number of published exploits for them.
The share of critical vulnerabilities also decreased slightly relative to 2023. But it is critical vulnerabilities that pose the greatest risk. To understand the risks that organizations may face, and how these risks change over time, let’s look at the types of vulnerabilities that make up the total number of critical CVEs registered in Q2 2023 and Q2 2024.
Vulnerability types that critical CVEs registered in Q2 2023 fall under
Vulnerability types that critical CVEs registered in Q2 2024 fall under
As we see from the charts, even with a CVE entry, most issues remain unclassified and require further investigation to obtain details, which can seriously hamper efforts to protect systems where these vulnerabilities may arise. Besides unclassified critical vulnerabilities, other common issues in Q2 2023 were:
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)
- CWE-78: Improper Neutralization of Special Elements used in an OS Command (OS Command Injection)
- CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (Injection)
Other types of vulnerabilities came to the fore in Q2 2024:
- CWE-434: Unrestricted Upload of File with Dangerous Type
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)
Both lists of the most common types indicate that the vast majority of classified critical vulnerabilities get registered for web applications. According to open-source information, vulnerabilities in web applications are indeed the most critical, since web applications include software that can access sensitive data, such as file-sharing systems, consoles controlling VPN access and cloud and IoT systems.
Vulnerability exploitation statistics
This section presents exploit statistics for Q2 2024 obtained from open sources and our in-house telemetry.
Exploits are quite expensive software. Their shelf life can be counted in days, even hours. By contrast, creating them is a lengthy process, the duration of which varies depending on the type of exploit. Below are statistics on the most popular platforms on which users were attacked with exploits.
Windows and Linux vulnerability exploitation
Since the start of the year, we have seen growth in the number of triggerings of Kaspersky solutions by exploits for Windows, driven primarily by phishing emails and attempts to gain initial access to user systems through vulnerability exploitation. Among the most popular are exploits for vulnerabilities in the Microsoft Office suite:
- CVE-2018-0802 – remote code execution vulnerability in the Equation Editor component
- CVE-2017-11882 – another remote code execution vulnerability in Equation Editor
- CVE-2017-0199 – remote code execution vulnerability in Microsoft Office and WordPad
- CVE-2021-40444 – remote code execution vulnerability in the MSHTML component
Dynamics of the number of Windows users who encountered exploits, Q1 2023 – Q2 2024. The number of users who encountered exploits in Q1 2023 is taken as 100%
Note that due to similar detection patterns, exploits classified as CVE-2018-0802 and CVE-2021-40444 may include ones for the vulnerabilities CVE-2022-30190 (remote code execution in the Microsoft Support Diagnostic Tool (MSDT)) and CVE-2023-36884 (remote code execution in the Windows Search component), which also remain a live threat.
As Linux grows in the corporate segment, it also shows growth in terms of exploits; in contrast to Windows, however, the main exploits for Linux target the kernel:
- CVE-2022-0847 – privilege escalation vulnerability in the Linux kernel
- CVE-2023-2640 – privilege escalation vulnerability in the Ubuntu kernel
- CVE-2021-4034 – privilege escalation vulnerability in the pkexec utility used to execute commands as another user
Dynamics of the number of Linux users who encountered exploits, Q1 2023 – Q2 2024. The number of users who encountered exploits in Q1 2023 is taken as 100%
Most exploits for Linux pertain to privilege escalation and can be used to gain persistence and run malicious code in the system. This may be because attackers often target Linux servers for which high privileges are needed to gain control.
Most common exploits
Q2 saw a shift in the distribution of critical vulnerabilities for which there are public exploits. See the charts below for a visual comparison of Q1 and Q2.
Distribution of exploits for critical vulnerabilities by platform, Q1 2024
Distribution of exploits for critical vulnerabilities by platform, Q2 2024
The share of exploits for vulnerabilities in operating systems increased in Q2 against Q1. This is because researchers tend to publish PoCs ahead of the summer season of cybersecurity conferences. Consequently, a great many OS exploits were published in Q2. In addition, the share of exploits for vulnerabilities in Microsoft Sharepoint increased during the reporting period, with almost no new exploits for browsers.
Vulnerability exploitation in APT attacks
We analyzed which vulnerabilities are most often used in advanced persistent threats (APTs). The ranking below is based on our telemetry, research and open sources.
Although the list of vulnerabilities common in APT attacks is radically different compared to Q1, attackers most often exploited the same types of software/hardware solutions to gain access to organizations’ internal networks: remote access services, access control mechanisms and office applications. Note that the vulnerabilities of 2024 in this ranking were already being exploited at the time of discovery, that is, they were zero-day vulnerabilities.
Exploiting vulnerable drivers to attack operating systems
This section examines public exploits that use vulnerable drivers to attack the Windows operating system and software for it. According to open sources and our own data, there are hundreds of such vulnerable drivers, and new ones are appearing all the time.
Threat actors use vulnerable drivers as part of the Bring Your Own Vulnerable Driver (BYOVD) technique. This involves installing an unpatched driver on the targeted system so that its vulnerability can be exploited for privilege escalation in the OS or other cybercriminal activity. This method was first used by creators of game cheats, but was later adopted by cybercriminals.
Since 2023, we have noticed an upward trend in the use of vulnerable drivers to attack Windows with a view to escalating privileges and bypassing security mechanisms. In response, we are systematically adding and improving the mechanisms for detecting and blocking malicious operations through vulnerable drivers in our solutions.
BYOVD attack tools
Vulnerable drivers themselves are a serious enough problem for OS security, but truly destructive activity requires a client application to pass malicious instructions to the driver.
Since 2021, we have seen the appearance of 24 online tools for controlling vulnerable drivers in the context of privilege escalation and attacks on privileged processes, such as built-in and third-party security solutions. See below for a year-by-year distribution.
Number of tools published online for controlling vulnerable drivers, 2021–2024
As we can see, 2023 was the most abundant year for BYOVD attack tools. And more were published in H1 2024 than in 2021 and 2022 combined. We evaluated the trends of using such software in real attacks, as illustrated by blocked attacks on Kaspersky products in Q1 and Q2 2024:
Dynamics of the number of users who encountered attacks using vulnerable drivers on Kaspersky products, Q1 and Q2 2024; data for Q1 2024 is taken as 100%
With the rise in the number of BYOVD attacks, developers of tools exploiting vulnerable drivers began to sell them, so we see a downturn in the number of published tools for attacks using vulnerable drivers. However, as mentioned, they continue to be made publicly available.
Interesting vulnerabilities
This section presents information about vulnerabilities of interest that were registered in Q2 2024.
CVE-2024-26169 (WerKernel.sys)
Werkernel.sys is a driver for the Windows Error Reporting (WER) subsystem, which handles the sending of error messages. CVE-2024-26169 is a zero-day vulnerability discovered during the investigation of an incident related to a ransomware attack. It is caused by werkernel.sys using a null security descriptor, meaning that no access level is enforced. This allows any user to interact with the driver, for example, to rewrite the value of the registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WerFault.exe. This key stores data about the application that is responsible for error handling for applications in Windows.
An examination of the exploitation algorithm reveals the following events:
The exploit first performs preparatory actions to create special registry keys that cause the executable file specified in the registry to be restarted with SYSTEM user privileges. The exploit itself relies on a race condition, so its success depends on the system where it is launched.
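A defender-side check for the registry artefact described above, written as an added example rather than code from the report: it parses a `reg export` of the Image File Execution Options key and reports every subkey carrying a "Debugger" value, flagging WerFault.exe as the program this CVE's exploit targets. It assumes the rewritten value is the IFEO "Debugger" value, the documented mechanism by which Windows launches a substitute executable; the sample export and paths are constructed placeholders.

```python
"""Audit a `reg export` of Image File Execution Options (IFEO) for
CVE-2024-26169-style tampering. Added example, not from the original
report; it assumes the rewritten value is the IFEO "Debugger" value, the
documented mechanism by which Windows launches a substitute executable."""
import re

IFEO = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

# Constructed sample export (not real data); executable paths are placeholders.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WerFault.exe]
"Debugger"="C:\\Users\\Public\\placeholder.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Program Files\\Tools\\mydbg.exe -p"
"GlobalFlag"=dword:00000002
'''

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# REG_SZ value line; other value types (dword:, hex:) are ignored by this check.
STRING_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<value>(?:[^"\\]|\\.)*)"$')


def unescape(s: str) -> str:
    # Undo .reg escaping of backslashes and double quotes.
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_reg(text: str) -> dict[str, dict[str, str]]:
    """Map each key path in the export to its REG_SZ values."""
    keys, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := SECTION_RE.match(line):
            current = m["key"]
            keys[current] = {}
        elif current is not None and (m := STRING_RE.match(line)):
            keys[current][unescape(m["name"])] = unescape(m["value"])
    return keys


def find_ifeo_debuggers(text: str) -> list[dict]:
    """Report every IFEO subkey that carries a Debugger value; WerFault.exe
    is the program this CVE's exploit abuses, so it is marked high."""
    findings = []
    for key, values in parse_reg(text).items():
        if key.lower().startswith(IFEO.lower() + "\\") and "Debugger" in values:
            image = key.rsplit("\\", 1)[1]
            findings.append({"image": image, "debugger": values["Debugger"],
                             "severity": "high" if image.lower() == "werfault.exe" else "review"})
    return findings
```

A legitimate debugger configured under IFEO will also be listed, which is why non-WerFault entries are marked for review rather than as findings.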
CVE-2024-26229 (csc.sys)
Csc.sys is another driver in Windows, this time related to the Windows Client-Side Caching (CSC) service, which handles data caching on the client side. CVE-2024-26229 is a privilege escalation vulnerability, one that clearly illustrates the problem of insecure code in operating system drivers. Just a few days after the information about this vulnerability was posted on the Microsoft portal, a PoC was released that spread online and was rewritten for various formats and frameworks for penetration testing.
The exploit is very easy to use and comprises a “classic” combination of the Write primitive (writing to an arbitrary kernel location) and the kernel object address leak primitive.
The vulnerability is triggered through an IOCTL request, so the method of communication with the vulnerable driver is in many ways similar to that used in BYOVD attacks.
The main algorithm of the exploit aims to modify the PRIMARY_TOKEN structure of the user-run process. This is achieved through the capabilities of the vulnerable driver.
CVE-2024-4577 (PHP CGI)
CVE-2024-4577 stems from a bypass of the validation of parameters passed to the web application. Essentially, the vulnerability exists because PHP in CGI mode may not fully validate dangerous characters on systems with certain language settings. Cybercriminals can use this behavior to carry out a standard OS command injection attack.
The validation problem arises in systems using the following language settings:
- Traditional Chinese (code page 950)
- Simplified Chinese (code page 936)
- Japanese (code page 932)
Note that CGI mode is not very popular today, but can be found in products such as XAMPP web servers.
Exploitation of the vulnerability is made possible by the fact that, to bypass the parameter filter, it is enough to replace a normal dash with the equivalent of the Unicode symbol “–” (soft hyphen) in writing systems based on Chinese characters. As a result, the query is supplemented with data that can run additional commands. In the process tree, the full exploitation will look as follows:
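The soft-hyphen substitution described above leaves a recognisable trace in web server logs. The following detection logic is an added example, not code from the report: it scans constructed access log lines, mirrors the CGI argument handling (split on “+”, then percent-decode), and flags any decoded 0xAD byte immediately followed by a letter, the position where a php-cgi switch would start. The log lines, client addresses and the switch letter and setting after %AD are constructed placeholders.

```python
"""Scan web access logs for CVE-2024-4577-style requests.

Added example, not part of the original report. PHP in CGI mode on the
affected code pages best-fit maps the soft hyphen (byte 0xAD) to an ASCII
'-', so a query argument starting with %AD reaches php-cgi as a command-line
switch. The scan flags a decoded 0xAD followed by an ASCII letter and shows
the argument vector php-cgi would receive. Detection is locale-agnostic.
"""
import re
from urllib.parse import unquote_to_bytes

# Constructed sample lines in combined log format (not real traffic);
# the switch letter and setting after %AD are placeholders.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jun/2024:12:00:01 +0000] "GET /index.php?page=1 HTTP/1.1" 200 512
203.0.113.11 - - [10/Jun/2024:12:00:02 +0000] "POST /index.php?%ADd+placeholder%3D1 HTTP/1.1" 200 77
203.0.113.12 - - [10/Jun/2024:12:00:03 +0000] "GET /page.php?q=caf%C3%A9 HTTP/1.1" 200 300
203.0.113.13 - - [10/Jun/2024:12:00:04 +0000] "GET /cgi-bin/php-cgi.exe?%adh HTTP/1.1" 200 90
"""

REQUEST_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')
SOFT_HYPHEN_SWITCH = re.compile(rb"\xad[A-Za-z]")


def cgi_argv(query: str) -> list[bytes]:
    """Mirror RFC 3875 argument handling: split the raw query on '+' first,
    then percent-decode each piece (an encoded '=' does not block this path)."""
    return [unquote_to_bytes(part) for part in query.split("+")]


def scan_log(log_text: str) -> list[dict]:
    """Return one finding per request whose decoded query carries 0xAD
    immediately before a letter, i.e. where a php-cgi switch would start."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m or "?" not in m["target"]:
            continue
        path, query = m["target"].split("?", 1)
        argv = cgi_argv(query)
        if not any(SOFT_HYPHEN_SWITCH.search(arg) for arg in argv):
            continue
        findings.append({
            "client": m["client"],
            "path": path,
            # What php-cgi sees after the best-fit mapping of 0xAD to '-'.
            "as_seen_by_php": [a.replace(b"\xad", b"-").decode("latin-1") for a in argv],
        })
    return findings
```

The third sample line shows that ordinary UTF-8 query data (here “café”) does not trigger the rule, since no 0xAD byte precedes a letter.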
Takeaways and recommendations
In terms of quality and quantity, vulnerabilities and working exploits for them continue to grow each quarter, and threat actors are finding ways to bring already patched vulnerabilities back to life. One of the main tricks for exploiting closed vulnerabilities is the BYOVD technique, whereby attackers load a vulnerable driver into the system themselves. The wide variety of examples and toolkits in the public domain allow cybercriminals to quickly adapt vulnerable drivers to their needs. Going forward, we will likely only see more active use of this technique in attacks.
To stay safe, you need to react promptly to the changing threatscape, as well as:
- Understand and monitor your infrastructure thoroughly, paying particular attention to the perimeter; knowing your way around your own infrastructure is vital to keeping it secure.
- Introduce effective patch management to promptly detect and eliminate infrastructure vulnerabilities, including vulnerable drivers slipped into your network by attackers. Our Vulnerability Assessment and Patch Management and Kaspersky Vulnerability Data Feed solutions could help you with this.
- Use comprehensive security solutions that deliver robust protection of workstations, as well as early detection and prevention of attacks of any complexity, collection of live cyberattack data from around the globe, and basic digital literacy skills for employees. Our Kaspersky NEXT line of solutions ticks all these boxes and more.
Exploits and vulnerabilities in Q2 2024