Linux Kernel Vulnerability Actively Leveraged by Threat Actors
Security researchers at CrowdStrike have reported active exploitation of CVE-2024-1086, a high-severity use-after-free vulnerability in the Linux kernel. The flaw, which affects kernel versions from 5.14 to 6.6, allows a local user to escalate privileges to root. It was patched in January 2024, and a proof-of-concept (PoC) exploit became publicly available in February 2024. Threat actors are now using that public exploit in real-world attacks to deploy ransomware and other malware.
In-the-Wild Exploitation for Ransomware and Malware Deployment
CrowdStrike observed at least two separate threat actors leveraging the CVE-2024-1086 exploit. In one incident, an attacker gained initial access to a publicly exposed server and then used the exploit to escalate privileges to root. After escalating, the actor deployed a new variant of the Qilin ransomware to encrypt the system. In a separate incident, a different threat actor also used the exploit to gain root on a compromised system and then attempted to deploy FlyTrap, custom malware designed for persistence and remote control. CrowdStrike’s security measures detected and blocked these exploitation attempts.