VTA-00427 – “Bleed You” Campaign Exploiting RCE Vulnerability in Windows Internet Key Exchange (CVE-2022-34721)
The cybersecurity researcher from CYFIRMA discovered several exploits that are currently in use that target the Windows Internet Key Exchange (IKE) Protocol Extensions and more than 1000 systems are unpatched and vulnerable to the exploit.
Hacker footprints related to this vulnerability have been seen by researcher as part of the “Bleed You” campaign, which found to be under active attack since September. The researcher also noticed unidentified hackers sharing the exploit link from underground forums that could be used to attack vulnerable systems. The ultimate aim of the campaign is to facilitate further malware and ransomware attacks and lateral movement across the network. The campaign is targeting organizations in retail, industrial conglomerates, government, financial services, IT services, and e-commerce industries in the U.S., the U.K, Australia, Canada, France, Germany, Turkey, Japan, India, UAE, and Israel.
The vulnerability exists in the code used to handle the IKEv1 protocol. It affects Windows OS version as follow, Windows Server 2008r2, Windows Server 2012r2, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows 7, Windows 8.1, Windows 10, and Windows 11. Impact of the exploitation could lead to memory corruption and remote code execution.
Endpoint, Endpoint OS
1. Command and Control
2. Initial Access
3. Privilege Escalation
1. Exploiting vulnerability in the systems
2. Lateral movement into the organization
Active Defense Tactics:
Active Defense Techniques:
Indicator of Compromise:
SuperPRO’s Threat Countermeasures Procedures:
Users are recommended to apply Windows patches and fixes as soon as possible to reduce the severity of exploitation of the vulnerability.
Contributed by: September19th