Cyble’s Vulnerability Intelligence unit last week detected attacks on Cisco, QNAP, D-Link, PHP, Progress Telerik, Linux systems and more.
Cyble’s Vulnerability Intelligence unit last week detected numerous exploit attempts, malware intrusions, phishing campaigns, and brute-force attacks via its network of Honeypot sensors.
In the week of Sept. 25-Oct. 1, Cyble researchers identified several recent active exploits, including new attacks against a number of network products and routers, more than 300 new spam email addresses, and thousands of brute-force attacks.
Cyble sensors detected several recent vulnerabilities under active exploitation, in addition to a number of older vulnerabilities being actively exploited.
Cyble sensors detected attacks on Progress Telerik UI components, for which four vulnerabilities allowing command injection and code execution were reported recently (CVE-2024-8316, CVE-2024-7679, CVE-2024-7576 and CVE-2024-7575).
End-of-life D-Link DIR-859 routers (firmware 1.06B01) are under attack through CVE-2024-0769, a remotely exploitable path traversal vulnerability rated 9.8 (critical). Because the device is end-of-life and will not receive a fix, users are urged to replace it. This week, CISA added another D-Link router, the DIR-820, to its Known Exploited Vulnerabilities catalog.
Cyble sensors detected attacks on QNAP QTS firmware, which contains several command injection vulnerabilities that allow remote command execution on affected devices. QNAP issued a security advisory on the issue earlier this year.
Cyble sensors have identified attackers scanning for the URL "/+CSCOE+/logon.html", the login page of the WebVPN service on Cisco Adaptive Security Appliance (ASA) devices, which gives remote users access to internal network resources. The WebVPN login page has been affected by a number of vulnerabilities over the years, including cross-site scripting, path traversal and HTTP response splitting, which may allow attackers to execute arbitrary code, steal sensitive information or cause a denial of service. Requests for this path from unknown sources are reconnaissance: they tell an attacker which hosts expose an ASA WebVPN portal before any exploit or credential attack is attempted.
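As an added example (not Cyble's code or any Cisco tooling), the following Python finds sources probing for the ASA WebVPN login page in a web server's access log. Scanners often percent-encode the "+" characters, so the path is compared after decoding. The log lines are constructed for the example, and the log format regex and the "scanner" rule are this example's assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Login page of the Cisco ASA WebVPN service, the path the sensors saw being probed.
# Compared in lower case after percent-decoding (see normalize_path).
WEBVPN_LOGIN = "/+cscoe+/logon.html"

# Constructed sample in Apache/nginx combined log format (not real sensor data).
# 203.0.113.7 and 198.51.100.9 probe the WebVPN page (the second one percent-encodes
# the '+' characters); 192.0.2.44 is an ordinary visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Sep/2024:10:01:02 +0000] "GET /+CSCOE+/logon.html HTTP/1.1" 404 153 "-" "python-requests/2.31"
203.0.113.7 - - [27/Sep/2024:10:01:03 +0000] "GET /admin/login.php HTTP/1.1" 404 153 "-" "python-requests/2.31"
198.51.100.9 - - [27/Sep/2024:10:02:10 +0000] "GET /%2BCSCOE%2B/logon.html?a=1 HTTP/1.1" 404 153 "-" "zgrab/0.x"
192.0.2.44 - - [27/Sep/2024:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.44 - - [27/Sep/2024:10:05:01 +0000] "GET /static/app.js HTTP/1.1" 200 5120 "https://example.org/index.html" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "method target proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def normalize_path(target):
    """Drop the query string, percent-decode and lower-case the request path so that
    '/%2BCSCOE%2B/logon.html?a=1' and '/+CSCOE+/LOGON.HTML' compare equal."""
    path = target.split("?", 1)[0]
    return unquote(path).lower()


def webvpn_probes(log_text):
    """Return {src_ip: stats} for every source that requested the WebVPN login page.

    A 404 on the probe means this host is not an ASA, so the request can only be
    reconnaissance. On a real ASA the page returns 200 for everyone, so a source is
    also treated as a scanner when it requested other non-existent paths.
    """
    per_src = defaultdict(lambda: {"probes": 0, "requests": 0, "other_404s": 0,
                                   "probe_statuses": set(), "user_agents": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        rec = per_src[m["ip"]]
        rec["requests"] += 1
        rec["user_agents"].add(m["ua"])
        if normalize_path(m["target"]) == WEBVPN_LOGIN:
            rec["probes"] += 1
            rec["probe_statuses"].add(m["status"])
        elif m["status"] == "404":
            rec["other_404s"] += 1

    hits = {}
    for ip, rec in per_src.items():
        if rec["probes"] == 0:
            continue
        rec["scanner"] = "404" in rec["probe_statuses"] or rec["other_404s"] > 0
        rec["probe_statuses"] = sorted(rec["probe_statuses"])
        rec["user_agents"] = sorted(rec["user_agents"])
        hits[ip] = rec
    return hits


if __name__ == "__main__":
    for ip, rec in webvpn_probes(SAMPLE_LOG).items():
        print(f"{ip}: probes={rec['probes']} other_404s={rec['other_404s']} "
              f"scanner={rec['scanner']} ua={rec['user_agents']}")
```

Run against a real access log by replacing SAMPLE_LOG with the file contents; the same normalization step applies when matching any other product-specific probe path.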
Critical vulnerabilities in PHP (CVE-2024-4577), GeoServer (CVE-2024-36401) and AVTECH IP cameras (CVE-2024-7029) also remain under active attack by threat actors.
The Cyble Vulnerability Intelligence unit also identified a number of Linux attacks, including the CoinMiner Linux Trojan, which arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users visiting malicious sites, and Linux IRCBot attacks, in which the IRC connection serves as a backdoor that lets attackers perform various actions on the compromised system. Many affected systems are enrolled in a botnet controlled over IRC.
Threat actors have become increasingly innovative in delivering Linux malware; earlier this year, CoinMiner was found in PyPI (Python Package Index) packages.
Cyble identified 364 new phishing email addresses this week. Below are six noteworthy campaigns:
| E-mail Subject | Scammer's Email Address | Scam Type | Description |
| --- | --- | --- | --- |
| Please confirm | [email protected] | Claim Scam | Fake refund against claims |
| Attention Please!!! | [email protected] | Lottery/Prize Scam | Fake prize winnings to extort money or information |
| GOD BLESS YOU…. | [email protected] | Donation Scam | Scammers posing as a donor offering to donate money |
| lnvestment offer | [email protected] | Investment Scam | Unrealistic investment offers to steal funds or data |
| Order: cleared customs | [email protected] | Shipping Scam | Unclaimed shipment trick to demand fees or details |
| OFFICIAL PAYMENT PROGRAM | [email protected] | Government Organization Scam | Fake government compensation to collect financial details |
Of the thousands of brute-force attacks detected by Cyble scanners this week, several ports, targets and tactics merit close attention.
Among the top five attacker countries, attacks originating from Russia targeted ports 3389 (RDP, 64%), 5900 (VNC, 30%), 445 (SMB, 4%), 3306 (MySQL, 2%) and 1143 (1%). Attacks originating from the Netherlands targeted ports 5900 (80%), 3389 (8%), 22 (SSH, 1%) and 81 (1%). Attacks from France, China and Bulgaria mostly targeted ports 1433 (MSSQL), 5900 and 445.
Security analysts are advised to restrict inbound access to the ports seen under attack (22, 3389, 445, 5900, 3306 and, where it does not serve a public service, 443): block them at the perimeter where the service is not needed, and otherwise allow-list the source addresses that legitimately need them.
Most of the attacks (88%) came from known attackers; bots and crawlers accounted for 7% and mass scanners for 4%.
The most frequently used usernames and passwords for brute-force attacks are shown in the figure below. Brute-force attempts commonly target IT automation software and servers, using account names such as "3comcso", "elasticsearch" and "hadoop", and databases, using "mysql" and "postgres".
Some of the most common username/password values were "sa", "root", "admin", "password" and "123456". Strong, unique passwords on servers and devices (and key- or MFA-based authentication where the service supports it) are therefore essential.
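As an added example (not Cyble's code), here is how the figures in this section can be derived from honeypot login events, and how a sliding-window count turns raw attempts into a brute-force alert whose sources can feed the blocks recommended above. The event schema, the sample events, the eight-attempts-per-minute threshold and the country/port figures they produce are constructed for the example and do not reproduce Cyble's data.

```python
from collections import Counter, defaultdict


def _ev(ts, ip, cc, port, user, pw):
    """One honeypot login attempt. The field names are this example's own schema."""
    return {"ts": ts, "src_ip": ip, "src_country": cc, "dst_port": port,
            "username": user, "password": pw}


T0 = 1727432400  # arbitrary epoch base (2024-09-27 10:20:00 UTC)

# Constructed sample events, not Cyble sensor data.
SAMPLE_EVENTS = (
    # One Russian source: ten attempts in 27 seconds against RDP, VNC and SMB.
    [_ev(T0 + 3 * i, "203.0.113.5", "RU",
         3389 if i < 6 else (5900 if i < 9 else 445),
         "root" if i % 2 == 0 else "admin",
         "123456" if i % 2 == 0 else "password") for i in range(10)]
    # One Dutch source: four VNC attempts spread over 45 minutes (slow, not a burst).
    + [_ev(T0 + 900 * j, "198.51.100.9", "NL", 5900,
           "root" if j % 2 == 0 else "admin",
           "123456" if j % 2 == 0 else "admin") for j in range(4)]
)


def port_share_by_country(events):
    """Per source country, the share (percent) of attempts aimed at each port,
    i.e. the kind of breakdown given in the text (3389 64%, 5900 30%, ...)."""
    counts = defaultdict(Counter)
    for e in events:
        counts[e["src_country"]][e["dst_port"]] += 1
    return {
        cc: {port: round(100 * n / sum(c.values()), 1) for port, n in c.most_common()}
        for cc, c in counts.items()
    }


def top_credentials(events, n=3):
    """The n most tried (username, password) pairs with their counts."""
    return Counter((e["username"], e["password"]) for e in events).most_common(n)


def brute_force_sources(events, threshold=8, window_s=60):
    """Return {src_ip: peak} for sources that made at least `threshold` attempts
    inside any `window_s`-second window; `peak` is the largest such count.

    Uses a two-pointer sliding window over each source's sorted timestamps, so a
    slow trickle of attempts is not flagged while a burst is.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["src_ip"]].append(e["ts"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        left, peak = 0, 0
        for right, t in enumerate(times):
            while t - times[left] > window_s:
                left += 1          # drop attempts that fell out of the window
            peak = max(peak, right - left + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    for cc, shares in port_share_by_country(SAMPLE_EVENTS).items():
        print(cc, shares)
    print("top credentials:", top_credentials(SAMPLE_EVENTS))
    print("brute-force sources:", brute_force_sources(SAMPLE_EVENTS))
```

In production the events would come from the honeypot's own log (Cowrie JSON, a firewall or RDP auth log), and the flagged addresses would be pushed into a firewall set; the threshold and window should be tuned to the service, since a legitimate user mistyping a password a few times must not trip the rule.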
Cyble researchers recommend the following security controls: