Wiz Research Identifies Exploitation in the Wild of Aviatrix Controller RCE CVE-2024-50603

CVE-2024-50603 is a critical remote code execution vulnerability in Aviatrix Controller. User-supplied parameters to the controller's API are not properly neutralized before they reach a shell, so an unauthenticated attacker can execute arbitrary commands on the controller (command injection). The impact is amplified in AWS, where the controller commonly holds cloud permissions that give an attacker a lateral movement path to administrative control-plane permissions. Upgrade to a patched version immediately. Affected product: Aviatrix Controller.

Key points:

  • CVE-2024-50603 carries the maximum CVSS score of 10.0.
  • The flaw is a command injection: user-supplied parameters to the controller's API are not properly neutralized before being passed to a shell, so an unauthenticated attacker can execute arbitrary commands.
  • Affected versions: Aviatrix Controller prior to 7.1.4191, and 7.2.x prior to 7.2.4996.
  • Exploitation has been observed in the wild; attackers used the bug for cryptojacking (XMRig) and to deploy backdoors (Sliver).
  • In roughly 65% of environments with Aviatrix Controller deployed, the controller has a lateral movement path to administrative cloud permissions, so a compromised controller is a path into the cloud control plane.
  • Upgrade to a patched version immediately.
  • Patching does not evict an attacker who is already present: hunt for evidence of compromise even on controllers that have been upgraded.
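The affected-version ranges above, turned into a check (added example; this is not code from Wiz or Aviatrix). It assumes controller versions are reported as major.minor.build, optionally with a vendor prefix such as "UserConnect-", and it treats 7.3 and later as outside the ranges the advisory states, which the advisory text itself does not spell out:

```python
import re

# Fixed builds stated in the advisory: 7.1 line fixed at 7.1.4191, 7.2 line at 7.2.4996.
FIXED_BUILD = {(7, 1): 4191, (7, 2): 4996}

# Accepts "7.1.4191", "7.1" or a prefixed form such as "UserConnect-7.1.4191"
# (prefix handling is an assumption about how the controller reports itself).
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(version: str) -> tuple[int, int, int]:
    """Return (major, minor, build); a missing build is treated as 0."""
    m = _VERSION_RE.search(version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, build = m.groups()
    return int(major), int(minor), int(build or 0)


def is_vulnerable(version: str) -> bool:
    """True if the version falls inside the affected ranges for CVE-2024-50603."""
    major, minor, build = parse_version(version)
    line = (major, minor)
    if line < (7, 1):
        return True                       # everything before the 7.1 fix line
    if line in FIXED_BUILD:
        return build < FIXED_BUILD[line]  # 7.1.x below 4191, 7.2.x below 4996
    return False                          # assumption: 7.3+ is outside the stated ranges


if __name__ == "__main__":
    # Constructed sample strings, not a list of real releases.
    for v in ("7.0.1000", "7.1.4190", "7.1.4191", "UserConnect-7.2.4995", "7.2.4996"):
        print(v, "VULNERABLE" if is_vulnerable(v) else "patched")
```

Feed it the version string the controller reports; the result tells you only whether you are inside the advisory's affected ranges, not whether the host was already exploited before the upgrade.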

MITRE ATT&CK Techniques:

  • Exploit Public-Facing Application (T1190) – Unauthenticated command injection against the exposed Aviatrix Controller API gives initial access and arbitrary command execution in one step.
  • Command and Scripting Interpreter (T1059) – The injected API parameters are executed as shell commands on the controller.
  • Application Layer Protocol (T1071) – The deployed Sliver backdoor communicates with its C2 server (91.193.19[.]109:13333).
  • Resource Hijacking (T1496) – XMRig is deployed to mine cryptocurrency on the controller, connecting to the pool at 107.172.43[.]186:3939.
  • Valid Accounts: Cloud Accounts (T1078.004) – The controller's own cloud permissions give a foothold a lateral movement path to administrative control-plane permissions in roughly 65% of environments.

Indicators of Compromise:

  • [IP:Port] 91.193.19[.]109:13333 (Sliver C2 server)
  • [IP:Port] 107.172.43[.]186:3939 (cryptocurrency mining pool)
  • [SHA-1] 1ce0c293f2042b677cd55a393913ec052eded4b9 (XMRig)
  • [SHA-1] 68d88d1918676c87dcd39c7581c3910a9eb94882 (XMRig)
  • [Path, regular expression] /tmp/systemd-private-[0-9a-f]{32}-apache2.service-[0-9a-zA-Z]{6}/tmp/.system_logs/momika233-2024-04-29-xmrig.zip (XMRig archive dropped into apache2's PrivateTmp directory)
  • This is a subset; see the full article for all IoCs.
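A minimal hunt over the indicators listed above, as an added example (not Wiz's or Aviatrix's tooling): it matches established connections against the C2 and pool endpoints, file SHA-1 hashes against the XMRig hashes, and file paths against the drop-path pattern. The `ss -tnp` rows and the file inventory below are constructed for illustration; on a real controller you would feed it live `ss -tnp` output and a hash of every file under /tmp.

```python
import re
from dataclasses import dataclass

# Indicators from the list above (IPs kept defanged, refanged at match time).
C2_ENDPOINTS = {
    "91.193.19[.]109:13333": "Sliver C2 server",
    "107.172.43[.]186:3939": "cryptocurrency mining pool",
}
XMRIG_SHA1 = {
    "1ce0c293f2042b677cd55a393913ec052eded4b9",
    "68d88d1918676c87dcd39c7581c3910a9eb94882",
}
XMRIG_PATH = re.compile(
    r"^/tmp/systemd-private-[0-9a-f]{32}-apache2\.service-[0-9a-zA-Z]{6}"
    r"/tmp/\.system_logs/momika233-2024-04-29-xmrig\.zip$"
)


def refang(ioc: str) -> str:
    """Turn a defanged indicator ("1.2.3[.]4") back into a matchable string."""
    return ioc.replace("[.]", ".")


@dataclass(frozen=True)
class Hit:
    kind: str       # "network", "hash" or "path"
    evidence: str   # the matching socket row or file path
    note: str       # which indicator it matched


def hunt_sockets(ss_lines):
    """Match the peer address:port of each `ss -tnp` row against the C2/pool IoCs.

    Row layout: State Recv-Q Send-Q Local:Port Peer:Port [Process]."""
    wanted = {refang(k): v for k, v in C2_ENDPOINTS.items()}
    hits = []
    for line in ss_lines:
        parts = line.split()
        if len(parts) < 5 or parts[0] == "State":   # skip header and short rows
            continue
        peer = parts[4]
        if peer in wanted:
            hits.append(Hit("network", line.strip(), wanted[peer]))
    return hits


def hunt_files(inventory):
    """inventory: iterable of (path, sha1_hex) pairs, e.g. from walking /tmp."""
    hits = []
    for path, sha1 in inventory:
        if sha1.lower() in XMRIG_SHA1:
            hits.append(Hit("hash", path, "XMRig binary (known SHA-1)"))
        if XMRIG_PATH.match(path):
            hits.append(Hit("path", path, "XMRig archive in apache2 PrivateTmp"))
    return hits


# Constructed sample data, not captured from a real controller.
SAMPLE_SS = """\
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 10.0.1.23:443 10.0.1.50:51822 users:(("apache2",pid=812,fd=15))
ESTAB 0 0 10.0.1.23:44122 91.193.19.109:13333 users:(("sh",pid=4409,fd=3))
ESTAB 0 0 10.0.1.23:58310 107.172.43.186:3939 users:(("xmrig",pid=4411,fd=4))
ESTAB 0 0 10.0.1.23:33980 203.0.113.10:443 users:(("python3",pid=900,fd=7))
"""
SAMPLE_FILES = [
    ("/usr/sbin/apache2", "da39a3ee5e6b4b0d3255bfef95601890afd80709"),  # benign placeholder
    ("/tmp/systemd-private-0123456789abcdef0123456789abcdef-apache2.service-AbC123"
     "/tmp/.system_logs/momika233-2024-04-29-xmrig.zip",
     "ffffffffffffffffffffffffffffffffffffffff"),                           # path hit only
    ("/tmp/.system_logs/xmrig", "1ce0c293f2042b677cd55a393913ec052eded4b9"),  # hash hit only
]


def run_hunt(ss_text: str = SAMPLE_SS, inventory=SAMPLE_FILES) -> list:
    """Combine both hunts; an empty list means no listed indicator was seen."""
    return hunt_sockets(ss_text.splitlines()) + hunt_files(inventory)


if __name__ == "__main__":
    for h in run_hunt():
        print(f"[{h.kind}] {h.note}: {h.evidence}")
```

Two caveats when running this for real: the indicator list above is a subset and is specific to the campaign Wiz observed, so no hits does not mean no compromise, and a Sliver implant or miner can be renamed or moved. Treat this as a first pass, then review the controller for unexpected processes and the cloud audit trail for unexpected activity by the controller's own identity, which is the lateral-movement path the key points describe.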


Full Research: https://www.wiz.io/blog/wiz-research-identifies-exploitation-in-the-wild-of-aviatrix-cve-2024-50603