During the Brandefense Intelligence Team operations, a threat actor was observed selling an exploit for CVE-2024-30078. This vulnerability allows remote code execution (RCE) via the WiFi driver on all Windows Vista and later devices. The attacker claims to have functional exploit code that can infect victims through compromised access points (router-based malware) or by being physically present near a device with a saved WiFi network. The exploit is being sold for USD 5,000, with the offer to develop custom solutions to meet specific needs.
Incident Overview
- Vulnerability: CVE-2024-30078
- Exploit Type: Remote Code Execution (RCE)
- Affected Systems: All Windows Vista and later devices
- Price: $5,000
Details of Compromised Data
- Exploit Capabilities:
- Router-Based Infection: Allows infection via a previously compromised access point.
- Physical Proximity Attack: Enables an attack if the attacker is physically present near a device with a saved WiFi network.
Impact of the Breach
- Remote Code Execution: The exploit allows attackers to execute arbitrary code on the affected devices, leading to complete system compromise.
- Wide Range of Devices: All Windows devices from Vista onwards are vulnerable, indicating a potentially large attack surface.
- Infection Vectors:
- Compromised Access Points: Attackers can use previously compromised routers to infect devices, expanding the attack’s reach.
- Physical Proximity: Attackers can exploit the vulnerability by being near a device with a saved WiFi network, making it easier to target specific victims.
Recommendations
For Affected Individuals:
- Update Systems: Ensure all devices are updated with Microsoft’s latest security patches.
- Network Security: Regularly check and secure home and work network routers to prevent unauthorized access.
- Remove Unused Networks: Delete saved WiFi networks that are no longer in use to minimize the risk of physical proximity attacks.
For Organizations:
- Patch Management: Implement a robust patch management program to update all systems promptly.
- Network Monitoring: Monitor network traffic for unusual activity that could indicate a compromised access point.
- Employee Training: Educate employees about the risks of public and unsecured WiFi networks and safe practices.
General Cybersecurity Practices:
- Regular Security Audits: Conduct regular security audits to identify and mitigate vulnerabilities.
- Incident Response Plan: Develop and maintain an incident response plan to address potential breaches swiftly.
- Software Updates: Keep all software and firmware updated with the latest security patches.
- Multi-Factor Authentication: Implement multi-factor authentication to add an extra layer of security to sensitive accounts and systems.
