Security firm Cyfirma has released a new report detailing a critical flaw tracked as CVE-2022-34721 that has been under active attack since at least September of this year. The flaw is being exploited in an active campaign that takes advantage of the remote code execution vulnerability in Windows Internet Key Exchange Protocol Extensions. According to Cyfirma, more than 1,000 systems remain unpatched and vulnerable despite the availability of a fix for the flaw. Threat actors are able to achieve compromise and more laterally to deploy ransomware, malware, and other malicious tools.
According to Cyfirma, the threat actors speak Mandarin but could also have ties to Russian cybercriminals. Additionally, the attacks are not targeting a specific sector and instead have targeted organizations in the retails, government, IT services, and more. Victims are primarily located in Western countries such as Canada, the UK, and the US. Cyfirma also identified unknown hackers sharing the exploit link via underground forums, meaning that other threat actors are gaining access to information that could lead to future attacks.