Overview

Cyble’s weekly sensor intelligence report detailed dozens of active attack campaigns against known vulnerabilities.

New to the list are attacks on a vulnerability in the SPIP open-source content management (CMS) and publishing system, while previously reported campaigns targeting vulnerabilities in PHP, Linux systems, Java and Python frameworks, and more have continued unabated.

Older vulnerabilities in IoT devices and embedded systems continue to be exploited at alarming rates. New to the report this week are exploits of vulnerabilities that may still be present in some Siemens products and network devices. As these vulnerabilities likely exist within some critical infrastructure environments, organizations with internet-facing IoT devices and embedded systems are advised to check for risk exposure and apply necessary mitigations.

Here are some of the details of the Oct. 16-22 sensor intelligence report sent to Cyble clients.

SPIP CMS Attacks Detected By Cyble

SPIP before versions 4.3.2, 4.2.16, and 4.1.18 is vulnerable to a command injection issue reported last month as CVE-2024-8517. A remote and unauthenticated attacker can execute arbitrary operating system commands by sending a crafted multipart file upload HTTP request.

As the vulnerability was found as part of a hacking challenge, multiple published PoCs (Proofs of Concept) have increased the odds that older versions of SPIP will be exploited. SPIP admins are advised to update as soon as possible.

IoT Device and Embedded Systems Attacks Persist

IoT device attacks detailed in last week’s report declined significantly, as Cyble honeypot sensors detected 31,000 attacks on CVE-2020-11899, a medium-severity Out-of-bounds Read vulnerability in the Treck TCP/IP stack before 6.0.1.66. Last week, Cyble sensors had detected more than 411,000 attacks on the vulnerability attempting to gain administrator privileges.

CVE-2020-11899 is also part of the “Ripple20” series of Treck TCP/IP vulnerabilities that can lead to data theft, changes in device behavior or function, network intrusion, device takeover, and other malicious activities. Cyble sensors have detected nearly 1 million exploit attempts since August on CVE-2020-11899 and two other “Ripple20” vulnerabilities (CVE-2020-11900 and CVE-2020-11910), so owners of vulnerable internet-facing devices should assume compromise.

Also of concern for critical infrastructure are attacks on four vulnerabilities in the Wind River VxWorks real-time operating system (RTOS) for embedded systems in versions before VxWorks 7 SR620: CVE-2019-12255, CVE-2019-12260, CVE-2019-12261 and CVE-2019-12263.

Cyble sensors typically detect 3,000 to 4,000 attacks a week on these vulnerabilities, and as they can be present in a number of older Siemens SIPROTEC 5, RUGGEDCOM Win, Power Meters and other devices, as well as a number of network devices from major IT companies, any exposure to these vulnerabilities should be considered critical.

Linux, Java, and Other Attacks Persist

Several other recent exploits observed by Cyble remain active:

Attacks against Linux systems and QNAP and Cisco devices detailed in our Oct. 7 report remain active, and CoinMiner, Mirai, and IRCBot attacks remain active threats against Linux systems.

Previously reported vulnerabilities in PHP (CVE-2024-4577), GeoServer (CVE-2024-36401), and AVTECH IP cameras (CVE-2024-7029) also remain under active attack by threat actors.

The Spring Java framework (CVE-2024-38816) remains a target of threat actors (TAs), and ValvePress WordPress plugins also continue to be targeted.

The Aiohttp client/server framework for asyncio and Python also continues to be exploited.

Phishing Scams Detected by Cyble

Cyble detected thousands of phishing scams this week, including 306 new phishing email addresses. Below is a table listing the email subject lines and deceptive email addresses used in six prominent cam campaigns.

Brute-Force Attacks

Of the thousands of brute-force attacks detected by Cyble sensors in the most recent reporting period, here are the top 5 attacker countries and ports targeted:

• Attacks originating from the United States targeting ports were aimed at ports 5900 (43%), 3389 (35%), 22 (15%), 23 (4%) and 80 (3%).
• Attacks originating from Russia targeting ports attempted to exploit ports 5900 (75%), 1433 (11%), 445 (8%), 1080 (3%) and 3306 (3%).
• The Netherlands, Greece, and Bulgaria primarily targeted ports 3389, 1433, 5900, and 443.

Security Analysts are advised to add security system blocks for the attacked ports (such as 22, 3389, 443, 445, 5900, 1433, 1080, and 3306).

Recommendations and Mitigations

Cyble researchers recommend the following security controls:

• Blocking target hashes, URLs, and email info on security systems (Cyble clients received a separate IoC list).
• Immediately patch all open vulnerabilities listed here and routinely monitor the top Suricata alerts in internal networks.
• Constantly check for Attackers’ ASNs and IPs.
• Block Brute Force attack IPs and the targeted ports listed.
• Immediately reset default usernames and passwords to mitigate brute-force attacks and enforce periodic changes.
• For servers, set up strong passwords that are difficult to guess.

Conclusion

With active threats against multiple systems highlighted, companies need to remain vigilant and responsive. The large number of brute-force attacks and phishing campaigns demonstrates the vulnerability crisis faced by organizations.

To protect their digital assets, organizations should address known vulnerabilities and implement recommended security controls, such as blocking malicious IPs and securing network ports. A proactive and layered security approach is key in protecting defenses against exploitation and data breaches.

Related