Suspected Chinese hackers are trying to take advantage of a known remote code execution vulnerability in Windows Internet Key Exchange (IKE) Protocol Extensions to deploy malware or carry out ransomware attacks.
The vulnerability in question (CVE-2022-34721) affects Windows OS, Windows Server 2008, Windows Server 2012, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows 7, Windows 8.1, Windows 10, and Windows 11.
The new campaign, dubbed “Bleed You” by Cyfirma researchers, is aimed at organizations in retail, industrial conglomerates, government, financial services, IT services, and e-commerce industries in the US, the UK, Australia, Canada, France, Germany, Turkey, Japan, India, UAE, and Israel.
Since September 2022, the threat actors have been targeting weak or vulnerable Windows OS, Windows Servers, Windows protocols, and services.
According to Cyfirma, the hackers’ goal is to steal sensitive information from victims for financial gains, gain elevated access, and cause operational disruption. The researchers also discovered possible connection between the threat actor behind the Bleed You campaign and Russian cybercriminals. It was also found that the exploit link is being shared on the underground forums as well.
“Attackers are actively exploiting vulnerable Windows Server machines via the IKE and AuthIP IPsec Keying Modules by exporting this bug,” the company said.
Given that Cyfirma discovered over 1,000 systems exposed to the issue, users are strongly advised to apply patches and fixes as soon as possible to reduce the risk of exploitation of the flaw.
