29 November 2022

Bleed You campaign exploits Windows IKE RCE to deploy ransomware

Suspected Chinese hackers are trying to take advantage of a known remote code execution vulnerability in Windows Internet Key Exchange (IKE) Protocol Extensions to deploy malware or carry out ransomware attacks.

The vulnerability in question (CVE-2022-34721) affects Windows OS, Windows Server 2008, Windows Server 2012, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows 7, Windows 8.1, Windows 10, and Windows 11.

The new campaign, dubbed “Bleed You” by Cyfirma researchers, is aimed at organizations in retail, industrial conglomerates, government, financial services, IT services, and e-commerce industries in the US, the UK, Australia, Canada, France, Germany, Turkey, Japan, India, UAE, and Israel.

Since September 2022, the threat actors have been targeting weak or vulnerable Windows OS, Windows Servers, Windows protocols, and services.

According to Cyfirma, the hackers’ goal is to steal sensitive information from victims for financial gain, gain elevated access, and cause operational disruption. The researchers also discovered a possible connection between the threat actor behind the Bleed You campaign and Russian cybercriminals. It was also found that the exploit link is being shared on underground forums.

“Attackers are actively exploiting vulnerable Windows Server machines via the IKE and AuthIP IPsec Keying Modules by exporting this bug,” the company said.

Given that Cyfirma discovered over 1,000 systems exposed to the issue, users are strongly advised to apply patches and fixes as soon as possible to reduce the risk of exploitation of the flaw.
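For administrators checking whether a host is exposed to the issue described above, the following PowerShell triage script is an added example, not code from the article or from Cyfirma. It checks whether the fix is installed, whether the IKE and AuthIP IPsec Keying Modules service (IKEEXT) is running, whether the host is listening on the IKE ports (UDP 500 and UDP 4500 for NAT-T), and whether inbound host-firewall rules allow that traffic. The article does not give the KB number of the fix, so `$PatchKB` is a placeholder that must be replaced with the update ID from Microsoft's advisory for CVE-2022-34721 for the host's OS build.

```powershell
# Added example (not from the article or the Cyfirma report): triage a Windows
# host for exposure to the IKE/AuthIP issue (CVE-2022-34721).
# ASSUMPTION: the page does not give the KB number of the fix, so $PatchKB is a
# placeholder; replace it with the KB for this OS build from Microsoft's advisory.
$PatchKB = 'KB<placeholder-for-CVE-2022-34721-fix>'

# 1. Is the fix installed? Get-HotFix lists installed updates by KB id.
$hotfix = Get-HotFix -ErrorAction SilentlyContinue | Where-Object { $_.HotFixID -eq $PatchKB }
if ($hotfix) {
    Write-Output "[OK]   $PatchKB installed on $($hotfix.InstalledOn)"
} else {
    Write-Output "[WARN] $PatchKB not found; verify against the cumulative update for this build"
}

# 2. Is the IKE and AuthIP IPsec Keying Modules service (IKEEXT) running?
$svc = Get-Service -Name IKEEXT -ErrorAction SilentlyContinue
if ($svc) {
    Write-Output "[INFO] IKEEXT status: $($svc.Status), start type: $($svc.StartType)"
} else {
    Write-Output "[INFO] IKEEXT service not present"
}

# 3. Is the host bound to the IKE ports (UDP 500 for IKE, UDP 4500 for NAT-T)?
$ikePorts = 500, 4500
$listeners = Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
    Where-Object { $ikePorts -contains $_.LocalPort }
foreach ($l in $listeners) {
    $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
    Write-Output "[INFO] UDP $($l.LocalPort) bound on $($l.LocalAddress) by PID $($l.OwningProcess) ($($proc.ProcessName))"
}
if (-not $listeners) { Write-Output "[OK]   no IKE/NAT-T UDP listeners" }

# 4. Do enabled inbound firewall rules allow those ports? Hosts that do not need
#    to terminate IPsec/VPN connections can block them at the host or perimeter.
Get-NetFirewallPortFilter -ErrorAction SilentlyContinue |
    Where-Object { $_.Protocol -eq 'UDP' -and ($ikePorts -contains $_.LocalPort) } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' } |
    ForEach-Object { Write-Output "[INFO] inbound rule allows UDP IKE: $($_.DisplayName) (profile $($_.Profile))" }
```

Run it in an elevated PowerShell session on each Windows host that is reachable from untrusted networks; a host that reports the patch missing, IKEEXT running, and UDP 500/4500 bound with an allowing inbound rule is the case the article's patching advice is aimed at.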

