A critical RCE vulnerability in Windows Internet Key Exchange (IKE) Protocol Extensions are being exploited in an active campaign. The campaign “流血你” translating to “Bleed You” is suspected to be operated by unknown Mandarin-speaking threat actors.
Since September, the Bleed You campaign has been targeting weak or vulnerable Windows OS, Windows Servers, Windows protocols, and services.
The ultimate aim of the campaign is to facilitate further malware and ransomware attacks and lateral movement across the network.
The campaign is targeting organizations in retail, industrial conglomerates, government, financial services, IT services, and e-commerce industries in the U.S., the U.K, Australia, Canada, France, Germany, Turkey, Japan, India, UAE, and Israel.
About the vulnerability
The vulnerability exists in the unknown code used to handle the IKEv1 protocol.
It affects Windows OS, Windows Server 2008, Windows Server 2012, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows 7, Windows 8.1, Windows 10, and Windows 11.
Its exploitation could lead to memory corruption and remote code execution.
Additional insights
Attackers aim to exfiltrate sensitive information for financial gains, gain elevated access, and cause operational disruption.
Connections were found between the Bleed You campaign and Russian cybercriminals.
The researchers observed that unknown hackers are sharing the exploit link on the underground forums as well.
Security tips
Attackers are actively exploiting vulnerable Windows Server machines via the IKE and AuthIP IPsec Keying Modules by exporting this bug. Users are recommended to apply patches and fixes as soon as possible to reduce the severity of exploitation of the vulnerability.