Cyble-Blogs-Honeypots-Sensors

Key Takeaways

  • Cyble’s Threat Hunting Honeypot sensors detected five recent vulnerabilities under active exploitation, including newly identified attacks against WordPress plugins.
  • A new banking trojan is engaged in active attacks in Europe and is expected to spread to other regions.
  • Of more than 400 identified scam email addresses discovered, six in particular stand out.
  • Commonly targeted ports have been identified and should be blocked by security teams.

Overview

Cyble’s Threat Hunting service this week discovered multiple instances of exploit attempts, malware intrusions, financial fraud, and brute-force attacks via its network of Honeypot sensors.

In the week of Sept. 18-24, Cyble researchers identified five recent active exploits, including new attacks against WordPress plugins, a new malware variant targeting the banking industry, more than 400 new spam email addresses, and thousands of brute-force attacks.

Vulnerability Exploits

Cyble sensors detected five recent vulnerabilities under active exploitation, in addition to a number of older vulnerabilities being actively exploited:

Case 1: SQL Injection Attack

CVE-2024-27956 is a 9.9-severity improper neutralization of Special Elements used in an SQL Command vulnerability in ValvePress Automatic WordPress plugins that allows for SQL Injection attacks. This issue affects Automatic: from n/a through 3.92.0.

Case 2: PHP CGI Argument Injection Vulnerability

CVE-2024-4577 is a 9.8-severity PHP vulnerability that impacts CGI configurations and has been under attack since it was announced in June. It enables attackers to execute arbitrary commands through specially crafted URL parameters. It affects PHP versions 8.1.* before 8.1.29; 8.2.* before 8.2.20; and 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows.

Case 3: GeoServer Vulnerability Allows Remote Code Execution via Unsafe XPath Evaluation

CVE-2024-36401 is a 9.8-severity RCE vulnerability in GeoServer versions prior to 2.23.6, 2.24.4, and 2.25.2. The flaw arises from the unsafe evaluation of OGC request parameters as XPath expressions, allowing unauthenticated users to execute arbitrary code on default installations. The issue affects all GeoServer instances due to improper handling of simple feature types. Patches are available, and a workaround involves removing the vulnerable gt-complex library, which may impact functionality.

Case 4: Network Command Injection Vulnerability Without Authentication

CVE-2024-7029 is an 8.7-severity AVTECH IP camera vulnerability that allows remote attackers to inject and execute commands over the network without requiring authentication. This critical flaw poses a significant risk, enabling unauthorized control over affected systems.

Case 5: Network Command Injection Vulnerability Without Authentication 

The porte_plume plugin used by SPIP before 4.30-alpha2, 4.2.13, and 4.1.16 is vulnerable to a 9.8-severity arbitrary code execution vulnerability (CVE-2024-7954). A remote and unauthenticated attacker can execute arbitrary PHP as the SPIP user by sending a crafted HTTP request.

Octo2: New Malware Variant Targets European Banks in Active Attacks

Octo2, a new variant of the Octo mobile banking trojan, was recently discovered in European bank attacks, and deployment in other global regions is expected to follow.

Octo (also known as ExobotCompact) has emerged as one of the most prominent malware families in the mobile threat landscape, leading in the number of unique samples detected this year. Recently, a new variant named “Octo2,” created by the original threat actor, has been discovered, signaling a potential shift in the actors’ tactics and strategies. This upgraded version enhances the malware’s remote action capabilities, particularly for Device Takeover attacks, ensuring greater stability in execution. New Octo2 campaigns have already been observed targeting several European countries. Additionally, Octo2 employs advanced obfuscation techniques to evade detection, including the introduction of a Domain Generation Algorithm (DGA), further bolstering its ability to remain hidden from security systems.

Here are known hashes and IoCs, via Threat Fabric:

Hash (SHA256) app name package name
83eea636c3f04ff1b46963680eb4bac7177e77bbc40b0d3426f5cf66a0c647ae NordVPN com.handedfastee5
6cd0fbfb088a95b239e42d139e27354abeb08c6788b6083962943522a870cb98 Europe Enterprise com.xsusb_restore3
117aa133d19ea84a4de87128f16384ae0477f3ee9dd3e43037e102d7039c79d9 Google Chrome com.havirtual06numberresources

More Than 400 Scam Email Addresses Detected

Cyble identified 410 new email addresses used in scam campaigns. Here are six notes:

E-mail Subject  Scammers Email ID  Scam Type  Description 
Claim Directives  [email protected]    Claim Scam  Fake refund against claims 
Dear winner!  [email protected]    Lottery/Prize Scam  Fake prize winnings to extort money or information 
DONATION NOTICE  [email protected]    Donation Scam  Scammers posing as donors to donate money 
INVESTMENT PROPOSAL  [email protected]    Investment Scam  Unrealistic investment offers to steal funds or data. 
Order: cleared customs  [email protected]    Shipping Scam  Unclaimed shipment trick to demand fees or details 
UN Compensation Fund  [email protected]  Government Organization Scam  Fake UN compensation to collect financial details 

Brute-Force Attack Ports Identified

Of the thousands of brute-force attacks identified by Cyble, the following targeted ports stand out as meriting attention.

Based on a close inspection of the distribution of attacked ports based on the top five attacker countries, Cyble noticed attacks originating from the United States are targeting ports 22 (40%), 3389 (32%), 445 (21%), 23 (4%), and 80(3%). Attacks originating from Turkey are targeting ports 3389 (100%). Russia, China, and Bulgaria mainly targeted ports 5900 and 445.

Security Analysts are advised to add security system blocks for the attacked ports (such as 22, 3389, 443, 445, 5900, and 3306).

Cyble Recommendations

Cyble researchers recommend the following security controls:

  • Blocking target hashes, URLs, and email info on security systems (Cyble clients received a separate IoC list).
  • Immediately patch all open vulnerabilities listed here and routinely monitor the top Suricata alerts in internal networks.
  • Constantly check for Attackers’ ASNs and IPs.
  • Block Brute Force attack IPs and the targeted ports listed.
  • Immediately reset default usernames and passwords to mitigate brute-force attacks and enforce periodic changes.
  • For servers, set up strong passwords that are difficult to guess.

The post Cyble Honeypot Sensors Detect WordPress Plugin Attack, New Banking Trojan appeared first on Cyble.