Cyble’s weekly sensor intelligence report detailed dozens of active attack campaigns against known vulnerabilities.
New to the list are attacks on a vulnerability in the SPIP open-source content management system (CMS) and publishing platform, while previously reported campaigns targeting vulnerabilities in PHP, Linux systems, Java and Python frameworks, and more have continued unabated.
Older vulnerabilities in IoT devices and embedded systems continue to be exploited at alarming rates. New to the report this week are exploits of vulnerabilities that may still be present in some Siemens products and network devices. As these vulnerabilities likely exist within some critical infrastructure environments, organizations with internet-facing IoT devices and embedded systems are advised to check for risk exposure and apply necessary mitigations.
Here are some of the details of the Oct. 16-22 sensor intelligence report sent to Cyble clients.
SPIP before versions 4.3.2, 4.2.16, and 4.1.18 is vulnerable to a command injection issue reported last month as CVE-2024-8517. A remote and unauthenticated attacker can execute arbitrary operating system commands by sending a crafted multipart file upload HTTP request.
As the vulnerability was found as part of a hacking challenge, multiple published PoCs (Proofs of Concept) have increased the odds that older versions of SPIP will be exploited. SPIP admins are advised to update as soon as possible.
IoT device attacks detailed in last week’s report declined significantly: Cyble honeypot sensors detected 31,000 attacks on CVE-2020-11899, a medium-severity out-of-bounds read vulnerability in the Treck TCP/IP stack before 6.0.1.66, down from more than 411,000 attacks on the same vulnerability the week before, many of them attempting to gain administrator privileges.
CVE-2020-11899 is also part of the “Ripple20” series of Treck TCP/IP vulnerabilities that can lead to data theft, changes in device behavior or function, network intrusion, device takeover, and other malicious activities. Cyble sensors have detected nearly 1 million exploit attempts since August on CVE-2020-11899 and two other “Ripple20” vulnerabilities (CVE-2020-11900 and CVE-2020-11910), so owners of vulnerable internet-facing devices should assume compromise.
Also of concern for critical infrastructure are attacks on four vulnerabilities in the Wind River VxWorks real-time operating system (RTOS) for embedded systems in versions before VxWorks 7 SR620: CVE-2019-12255, CVE-2019-12260, CVE-2019-12261 and CVE-2019-12263.
Cyble sensors typically detect 3,000 to 4,000 attacks a week on these vulnerabilities, and as they can be present in a number of older Siemens SIPROTEC 5, RUGGEDCOM Win, Power Meters and other devices, as well as a number of network devices from major IT companies, any exposure to these vulnerabilities should be considered critical.
Several other recent exploits observed by Cyble remain active:
Attacks against Linux systems and QNAP and Cisco devices detailed in our Oct. 7 report remain active, and CoinMiner, Mirai, and IRCBot attacks remain active threats against Linux systems.
Previously reported vulnerabilities in PHP (CVE-2024-4577), GeoServer (CVE-2024-36401), and AVTECH IP cameras (CVE-2024-7029) also remain under active attack by threat actors.
The Spring Java framework (CVE-2024-38816) remains a target of threat actors (TAs), and ValvePress WordPress plugins also continue to be targeted.
The Aiohttp client/server framework for asyncio and Python also continues to be exploited.
Cyble detected thousands of phishing scams this week, including 306 new phishing email addresses. Below is a table listing the email subject lines and deceptive email addresses used in six prominent scam campaigns.
| E-mail Subject | Scammer's Email ID | Scam Type | Description |
|---|---|---|---|
| Did you authorize anyone to claim your funds. | [email protected] | Claim Scam | Fake refund against claims |
| BMW INTERNATIONAL LOTTERY DEPARTMENT | [email protected] | Lottery/Prize Scam | Fake prize winnings to extort money or information |
| My Donation | [email protected] | Donation Scam | Scammers posing as a donor to donate money |
| COOPERATION!! | [email protected] | Investment Scam | Unrealistic investment offers to steal funds or data |
| Re: Consignment Box | [email protected] | Shipping Scam | Unclaimed shipment trick to demand fees or details |
| UN Compensation Fund | [email protected] | Government Organization Scam | Fake government compensation to collect financial details |
Of the thousands of brute-force attacks detected by Cyble sensors in the most recent reporting period, here are the top 5 attacker countries and ports targeted:
Security analysts are advised to add blocking rules in their security systems for the attacked ports (such as 22, 3389, 443, 445, 5900, 1433, 1080, and 3306).
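As an added example (not code from the Cyble report), the script below shows one way to turn the port advice above into a detection step: it counts failed connection attempts per source address against the commonly brute-forced ports listed above, applies a sliding time window so that slow, spread-out probing is not confused with a burst, and renders block rules for sources that cross the threshold. The log format, the sample lines, the threshold and the window are all constructed assumptions for illustration; the rules are only printed, not applied.

```python
"""Flag brute-force sources against commonly attacked ports from sample log lines.

Added example; the log format below is an assumption, not any real sensor format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Ports the report names as commonly targeted by brute-force attacks.
MONITORED_PORTS = {22, 3389, 443, 445, 5900, 1433, 1080, 3306}

# Constructed sample log (not real data). Assumed line format:
# "<ISO timestamp> src=<ip> dport=<port> result=<fail|ok>"
SAMPLE_LOG = """\
2024-10-20T10:00:01 src=198.51.100.7 dport=22 result=fail
2024-10-20T10:00:02 src=198.51.100.7 dport=22 result=fail
2024-10-20T10:00:03 src=198.51.100.7 dport=22 result=fail
2024-10-20T10:00:04 src=198.51.100.7 dport=22 result=fail
2024-10-20T10:00:05 src=198.51.100.7 dport=22 result=fail
2024-10-20T10:00:06 src=198.51.100.7 dport=22 result=fail
2024-10-20T10:01:00 src=203.0.113.9 dport=3389 result=fail
2024-10-20T10:01:05 src=203.0.113.9 dport=3389 result=fail
2024-10-20T10:01:10 src=203.0.113.9 dport=3389 result=fail
2024-10-20T10:02:00 src=192.0.2.5 dport=8080 result=fail
2024-10-20T10:02:01 src=192.0.2.5 dport=8080 result=fail
2024-10-20T10:02:02 src=192.0.2.5 dport=8080 result=fail
2024-10-20T10:02:03 src=192.0.2.5 dport=8080 result=fail
2024-10-20T10:02:04 src=192.0.2.5 dport=8080 result=fail
2024-10-20T10:00:00 src=198.51.100.8 dport=3306 result=fail
2024-10-20T10:30:00 src=198.51.100.8 dport=3306 result=fail
2024-10-20T11:00:00 src=198.51.100.8 dport=3306 result=fail
2024-10-20T11:30:00 src=198.51.100.8 dport=3306 result=fail
2024-10-20T12:00:00 src=198.51.100.8 dport=3306 result=fail
"""


def parse_line(line):
    """Split one assumed-format log line into (timestamp, src_ip, dst_port, result)."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts_str), kv["src"], int(kv["dport"]), kv["result"]


def find_brute_forcers(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {src_ip: {port: max_failures_in_window}} for sources that made at
    least `threshold` failed attempts to a monitored port within any `window`."""
    failures = defaultdict(list)  # (src, port) -> timestamps of failed attempts
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, port, result = parse_line(line)
        if port in MONITORED_PORTS and result == "fail":
            failures[(src, port)].append(ts)

    flagged = defaultdict(dict)
    for (src, port), times in failures.items():
        times.sort()
        # Sliding window: the largest number of failures inside any span of `window`.
        left, best = 0, 0
        for right in range(len(times)):
            while times[right] - times[left] > window:
                left += 1
            best = max(best, right - left + 1)
        if best >= threshold:
            flagged[src][port] = best
    return dict(flagged)


def block_rules(flagged):
    """Render iptables-style DROP rules for flagged sources (strings only; nothing is applied)."""
    rules = []
    for src in sorted(flagged):
        for port in sorted(flagged[src]):
            rules.append(f"iptables -A INPUT -s {src} -p tcp --dport {port} -j DROP")
    return rules


if __name__ == "__main__":
    hits = find_brute_forcers(SAMPLE_LOG)
    for rule in block_rules(hits):
        print(rule)
```

In the sample data only 198.51.100.7 is flagged: 203.0.113.9 stays under the threshold, 192.0.2.5 hits a port outside the monitored set, and 198.51.100.8 spreads five failures over two hours so no ten-minute window ever holds more than one. Widening the window (for example to three hours) catches the slow source too, which is the trade-off an analyst tunes when setting these blocks.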
Cyble researchers recommend the following security controls:
With active threats against multiple systems highlighted, companies need to remain vigilant and responsive. The large number of brute-force attacks and phishing campaigns demonstrates the vulnerability crisis faced by organizations.
To protect their digital assets, organizations should address known vulnerabilities and implement recommended security controls, such as blocking malicious IPs and securing network ports. A proactive and layered security approach is key in protecting defenses against exploitation and data breaches.