Cyble’s weekly sensor intelligence report detailed more than 30 active attack campaigns against known vulnerabilities.
New attacks were observed against a vulnerability in the Spring Java framework, and more than 400,000 attacks were observed exploiting a known IoT vulnerability.
Cyble’s Vulnerability Intelligence unit also observed thousands of brute-force attacks and hundreds of phishing campaigns.
Here are some highlights from Cyble’s October 17 sensor report sent to clients.
CVE-2024-38816 is a high-severity Path Traversal vulnerability in the popular Spring Java framework that is still undergoing NVD assessment. Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks.
An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running. Specifically, an application is vulnerable when both of the following are true: the web application uses RouterFunctions to serve static resources, and resource handling is explicitly configured with a FileSystemResource location.
Malicious requests are blocked and rejected when either of the following is true: the Spring Security HTTP Firewall is in use, or the application runs on Tomcat or Jetty.
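The traversal condition described above (a request under a static-resource route that escapes the configured location) is the kind of thing a sensor or web-log review should surface regardless of which framework is behind it. The following is an added detection example written for this summary; it is not Cyble's code and not part of Spring. It assumes Common Log Format access logs, a static prefix of `/static/`, and uses a few constructed log lines as input; the `..` detection happens after bounded percent-decoding so encoded variants such as `%2e%2e` are compared on the same footing as a literal `../`.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format), not data from the
# report. Two of the "/static/" requests attempt to escape the static root.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Oct/2024:10:01:02 +0000] "GET /static/app.css HTTP/1.1" 200 512
10.0.0.7 - - [09/Oct/2024:10:01:05 +0000] "GET /static/..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1400
10.0.0.8 - - [09/Oct/2024:10:01:09 +0000] "GET /static/%2e%2e/%2e%2e/etc/shadow HTTP/1.1" 404 0
10.0.0.9 - - [09/Oct/2024:10:02:11 +0000] "GET /api/items?q=..%2F HTTP/1.1" 200 77
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def normalize_path(raw: str) -> str:
    """Drop the query string, percent-decode a bounded number of times
    (double encoding is common) and unify path separators."""
    path = raw.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def is_traversal(raw_path: str, static_prefix: str) -> bool:
    """True when a request under the static prefix contains a '..' segment
    after normalization, i.e. it tries to leave the configured location."""
    path = normalize_path(raw_path)
    if not path.startswith(static_prefix):
        return False
    return any(segment == ".." for segment in path.split("/"))


def find_traversal_attempts(log_text: str, static_prefix: str = "/static/"):
    """Return (source, raw path, status) for every flagged request.
    A 200 status on a flagged path is the one to triage first: the server
    may actually have returned the file."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_traversal(m["path"], static_prefix):
            hits.append((m["src"], m["path"], int(m["status"])))
    return hits


if __name__ == "__main__":
    for src, path, status in find_traversal_attempts(SAMPLE_LOG):
        print(f"{src} -> {path} (HTTP {status})")
```

The check is deliberately scoped to the static prefix: a `..` inside a query string of an API call (the last sample line) is not the pattern this advisory is about and is left to other rules.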
CVE-2020-11899 is a medium-severity Out-of-bounds Read vulnerability in the Treck TCP/IP stack, which was developed as an IPv6 implementation for the limited space of embedded devices. The flaw affects Treck TCP/IP versions before 6.0.1.66 and is also part of the “Ripple20” series of vulnerabilities that can lead to data theft, changes in device behavior or function, network intrusion, device takeover, and other malicious activities.
Cyble sensors detected more than 411,000 attacks on the CVE-2020-11899 vulnerability from Oct. 9 to 15, 2024, often in an attempt to gain administrator privileges (image below).
Cyble sensors have detected attacks against other “Ripple20” vulnerabilities during this period—most notably CVE-2020-11900, an IPv4 tunneling Double Free vulnerability also present in the Treck TCP/IP stack before 6.0.1.41—so IoT environments that may contain these vulnerabilities should check for exposures and apply appropriate mitigations.
CISA’s Ripple20 advisory – updated last month – lists 17 industrial, medical, and critical infrastructure device manufacturers whose products were potentially affected by the vulnerabilities.
Several other recent exploits observed by Cyble remain active. Linux systems remain under attack as threat actors (TAs) have become increasingly resourceful at delivering malware via package managers and other means. CoinMiner, Mirai, and IRCBot attacks remain active threats against Linux systems.
Previously reported vulnerabilities in PHP (CVE-2024-4577), GeoServer (CVE-2024-36401), and AVTECH IP cameras (CVE-2024-7029) also remain under active attack by threat actors.
Cyble detected 478 new phishing email addresses this week, a multi-week high. Below is a table listing the email subject lines and deceptive email addresses used in six prominent scam campaigns.
| E-mail Subject | Scammer's Email ID | Scam Type | Description |
|---|---|---|---|
| ABOUT YOUR PAYMENT… | [email protected] | Claim Scam | Fake refund against claims |
| ATTN: Lucky Winner | [email protected] | Lottery/Prize Scam | Fake prize winnings to extort money or information |
| GOD BLESS YOU…. | [email protected] | Donation Scam | Scammers posing as donors offering to donate money |
| My Donation | [email protected] | Investment Scam | Unrealistic investment offers to steal funds or data |
| Order 21542906: cleared customs | [email protected] | Shipping Scam | Unclaimed shipment trick to demand fees or details |
| UN Compensation Fund | [email protected] | Government Organization Scam | Fake government compensation to collect financial details |
Cyble sensors detected thousands of brute-force attacks in the most recent report. The top 5 attacker countries and the ports they targeted were: attacks originating from Vietnam targeted ports 22 (52%), 3389 (25%), and 445 (22%); attacks originating from the United States targeted ports 5900 (58%), 22 (20%), 3389 (15%), 445 (5%), and 135 (2%); attacks from Ukraine, Russia, and Greece mainly targeted ports 3389, 1433, 5900, and 445. Security analysts are advised to add firewall blocks for the attacked ports (such as 22, 3389, 443, 445, 5900, and 3306).
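The per-country port percentages above are a simple aggregation over sensor events, and the "block the attacked ports" recommendation follows from the overall port counts. The following added example (written for this summary, not Cyble's tooling) reproduces both steps over a small constructed event list of (source country, destination port) pairs, and renders the resulting block list as nftables-style rule text with an operator allowlist so that a port the organization must keep reachable is not dropped by accident. The event list, the threshold and the rule wording are all assumptions.

```python
from collections import Counter, defaultdict

# Constructed (source country, destination port) sensor events; not Cyble's data.
SAMPLE_EVENTS = [
    ("VN", 22), ("VN", 22), ("VN", 3389), ("VN", 445),
    ("US", 5900), ("US", 5900), ("US", 22), ("US", 3389),
    ("RU", 1433), ("RU", 3389),
    ("UA", 5900),
    ("GR", 445),
]


def port_share_by_country(events):
    """Per source country, map destination port -> integer percentage of that
    country's events, most-targeted port first (the report's presentation)."""
    per_country = defaultdict(Counter)
    for country, port in events:
        per_country[country][port] += 1
    shares = {}
    for country, counts in per_country.items():
        total = sum(counts.values())
        shares[country] = {port: round(100 * n / total) for port, n in counts.most_common()}
    return shares


def top_countries(events, n=5):
    """Source countries ranked by total event count."""
    return [country for country, _ in Counter(c for c, _ in events).most_common(n)]


def ports_to_block(events, min_events=2):
    """Destination ports seeing at least min_events events overall, by volume.
    The threshold keeps one-off probes from generating firewall churn."""
    counts = Counter(port for _, port in events)
    return [port for port, n in counts.most_common() if n >= min_events]


def render_firewall_rules(ports, allowlist=()):
    """Render nftables-style drop rules as text, skipping allowlisted ports
    (e.g. an SSH port that must stay open and is protected another way)."""
    return [f"tcp dport {port} drop" for port in ports if port not in allowlist]


if __name__ == "__main__":
    for country in top_countries(SAMPLE_EVENTS):
        print(country, port_share_by_country(SAMPLE_EVENTS)[country])
    for rule in render_firewall_rules(ports_to_block(SAMPLE_EVENTS), allowlist={22}):
        print(rule)
```

Dropping a port that carries legitimate traffic is the usual failure mode of "block the attacked ports"; the allowlist is the place to record the exceptions, and the rules are emitted as text rather than applied so they can be reviewed before they reach a firewall.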
Cyble researchers recommend the following security controls:
With active threats against multiple systems highlighted, companies need to remain vigilant and responsive. The large number of brute-force attacks and phishing campaigns demonstrates the vulnerability crisis faced by organizations.
To protect their digital assets, organizations should address known vulnerabilities and implement recommended security controls, such as blocking malicious IPs and securing network ports. A proactive and layered security approach will be key to defending against exploitation and data breaches.