Remote Code Execution Vulnerability Found in Windows Internet Key Exchange

by admin

A series of exploits has been discovered targeting the Windows Internet Key Exchange (IKE) protocol extensions.

According to a new advisory the security firm Cyfirma recently shared with Infosecurity, the discovered vulnerabilities could have been exploited to target nearly 1000 systems.

The attacks the company observed could be part of a campaign by Mandarin-speaking threat actors whose name loosely translates as “bloodshed”.

The Cyfirma Research team also observed unknown hackers sharing exploit links on underground forums that could be used to target vulnerable systems.

“Critical Vulnerability Identified in Microsoft Windows IKE Protocol Extensions,” reads the advisory.

“This vulnerability […] affects unknown code in the IKE protocol extension component, whose manipulation leads to remote code execution (RCE).”

In particular, Cyfirma writes, the vulnerability lies in the code used to handle IKEv1, which is […] deprecated but still compatible with legacy systems.

The company also clarified that the vulnerability affects all Windows Servers and is critical because the service accepts both V1 and V2 packets, although IKEv2 itself is not affected.

“[The proof of concept] exploits a memory corruption issue in svchost on vulnerable systems,” the technical write-up reads.

“Memory corruption occurs when the system page heap (debugging plugin) is enabled for the Internet Key Exchange process. The svchost.exe process hosting the Internet Key Exchange protocol service crashes trying to read data beyond an allocated buffer.”

According to Cyfirma, the attacker is currently unknown, but the team observed a connection between the “bleed you” campaign and Russian cybercriminals.

“From a strategic perspective on changing geopolitical scenarios from external threat landscape management, Russia and China were observed to form strategic relationships,” the company wrote.

Cyfirma added that Microsoft assigned the flaw CVE-2022-34721 and fixed it by adding a check on the length of the incoming data, skipping processing of that data if the length is too small.
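To illustrate the kind of length check described above, here is an added example in C (not the patched Windows code, whose internals the advisory does not describe): a minimal IKEv1/ISAKMP datagram walker that reads no field until the received byte count is known to cover it, and skips the datagram otherwise. The header layout follows RFC 2408; the sample datagram and the `ike_v1_validate` function are constructed for this example.

```c
#include <stdint.h>
#include <string.h>

#define ISAKMP_HDR_LEN   28u  /* RFC 2408 fixed header */
#define PAYLOAD_HDR_LEN   4u  /* generic payload header: next, reserved, length */
#define NEXT_PAYLOAD_NONE 0u

enum ike_status { IKE_OK = 0, IKE_TRUNCATED = -1, IKE_BAD_LENGTH = -2, IKE_BAD_VERSION = -3 };

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Walk an IKEv1 datagram and check that every declared length fits inside the
 * bytes actually received; nothing is dereferenced before the check covering it
 * has passed. Returns IKE_OK or a negative ike_status meaning "skip this datagram". */
int ike_v1_validate(const uint8_t *buf, size_t len)
{
    if (len < ISAKMP_HDR_LEN) return IKE_TRUNCATED;          /* too small: do not parse */
    if ((buf[17] >> 4) != 1) return IKE_BAD_VERSION;         /* major version 1 only */
    uint32_t declared = be32(buf + 24);                      /* header Length field */
    if (declared < ISAKMP_HDR_LEN || declared > len) return IKE_BAD_LENGTH;

    uint8_t next = buf[16];
    size_t off = ISAKMP_HDR_LEN;
    while (next != NEXT_PAYLOAD_NONE) {
        if (declared - off < PAYLOAD_HDR_LEN) return IKE_TRUNCATED;  /* payload header cut off */
        uint16_t plen = be16(buf + off + 2);
        /* < 4 would stall the walk; > remaining bytes would read past the buffer */
        if (plen < PAYLOAD_HDR_LEN || plen > declared - off) return IKE_BAD_LENGTH;
        next = buf[off];
        off += plen;
    }
    return IKE_OK;
}

/* Constructed sample: 28-byte header, then one 8-byte payload (type 5, Identification). */
static const uint8_t sample_ok[36] = {
    1,2,3,4,5,6,7,8, 9,10,11,12,13,14,15,16,   /* initiator / responder cookies */
    5, 0x10, 2, 0, 0,0,0,0,                    /* next=ID, v1.0, identity protection, flags, msg id */
    0,0,0,36,                                  /* total length */
    0, 0, 0,8, 0xaa,0xbb,0xcc,0xdd };          /* payload: next=none, reserved, len=8, body */

int demo_header_only(void) { return ike_v1_validate(sample_ok, 20); }  /* shorter than a header */
int demo_truncated(void)   { return ike_v1_validate(sample_ok, 30); }  /* datagram cut mid-payload */
int demo_oversized_payload(void) {
    uint8_t pkt[36]; memcpy(pkt, sample_ok, sizeof pkt);
    pkt[31] = 0xff;                 /* payload claims 255 bytes, only 8 follow */
    return ike_v1_validate(pkt, sizeof pkt);
}
```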
