29 November 2022

Bleed You campaign exploits Windows IKE RCE to deploy ransomware


Suspected Chinese hackers are trying to take advantage of a known remote code execution vulnerability in Windows Internet Key Exchange (IKE) Protocol Extensions to deploy malware or carry out ransomware attacks.

The vulnerability in question (CVE-2022-34721) affects Windows OS, Windows Server 2008, Windows Server 2012, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows 7, Windows 8.1, Windows 10, and Windows 11.

The new campaign, dubbed “Bleed You” by Cyfirma researchers, is aimed at organizations in retail, industrial conglomerates, government, financial services, IT services, and e-commerce industries in the US, the UK, Australia, Canada, France, Germany, Turkey, Japan, India, UAE, and Israel.

Since September 2022, the threat actors have been targeting weak or vulnerable Windows OS, Windows Servers, Windows protocols, and services.

According to Cyfirma, the hackers’ goal is to steal sensitive information from victims for financial gain, obtain elevated access, and cause operational disruption. The researchers also discovered a possible connection between the threat actor behind the Bleed You campaign and Russian cybercriminals, and found that the exploit link is being shared on underground forums.

“Attackers are actively exploiting vulnerable Windows Server machines via the IKE and AuthIP IPsec Keying Modules by exporting this bug,” the company said.

Given that Cyfirma discovered over 1,000 systems exposed to the issue, users are strongly advised to apply patches and fixes as soon as possible to reduce the risk of exploitation of the flaw.
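For administrators triaging their own fleet, the following PowerShell check is an added example (it is not from the article or from Cyfirma) that answers the three questions the advice above raises on a single Windows host: is the IKE and AuthIP IPsec Keying Modules service (IKEEXT) running, are its UDP ports bound and allowed through the host firewall, and is the September 2022 fix installed. It assumes an elevated session on Windows 8 / Server 2012 or later (for the NetTCPIP and NetSecurity cmdlets); the KB identifier is a placeholder to be replaced with the update Microsoft lists for the host's build in the CVE-2022-34721 advisory.

```powershell
# Added exposure check for CVE-2022-34721; not part of the original article.
# Assumptions: run as Administrator; Windows 8 / Server 2012 or newer.
# $PatchKb is a PLACEHOLDER: use the September 2022 update Microsoft lists
# for this host's build in the CVE-2022-34721 advisory.
$PatchKb = 'KBxxxxxxx'

# 1. Service state: the vulnerable code runs inside IKEEXT.
$ike = Get-Service -Name IKEEXT -ErrorAction SilentlyContinue
if ($null -eq $ike) {
    Write-Output 'IKEEXT service not present on this host.'
} else {
    Write-Output ('IKEEXT status: {0} (start type: {1})' -f $ike.Status, $ike.StartType)
}

# 2. Network exposure: UDP 500 (IKE) and UDP 4500 (IPsec NAT traversal).
$bound = Get-NetUDPEndpoint -LocalPort 500, 4500 -ErrorAction SilentlyContinue
if ($bound) {
    Write-Output 'UDP endpoints bound on IKE ports:'
    $bound | Select-Object LocalAddress, LocalPort, OwningProcess | Format-Table -AutoSize
} else {
    Write-Output 'No UDP listeners on 500/4500.'
}

# 3. Host firewall: enabled inbound rules that open those ports.
#    LocalPort on a port filter is a string array (or 'Any'), so compare as strings.
$rules = Get-NetFirewallPortFilter -ErrorAction SilentlyContinue |
    Where-Object { $_.Protocol -eq 'UDP' -and
                   ($_.LocalPort -contains '500' -or $_.LocalPort -contains '4500') } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
if ($rules) {
    Write-Output 'Inbound allow rules for IKE ports:'
    $rules | Select-Object DisplayName, Profile | Format-Table -AutoSize
} else {
    Write-Output 'No enabled inbound allow rules for UDP 500/4500.'
}

# 4. Patch state.
$fix = Get-HotFix -Id $PatchKb -ErrorAction SilentlyContinue
if ($fix) {
    Write-Output ('Patch {0} installed on {1}.' -f $fix.HotFixID, $fix.InstalledOn)
} else {
    Write-Output "Patch $PatchKb not found; if IKEEXT is running and reachable, treat this host as exposed."
}
```

A host counts as exposed when the service is running, the ports are bound and reachable from untrusted networks, and the patch is absent; if IPsec is not in use, stopping and disabling IKEEXT removes the attack surface until the update is applied.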

