Cyble Malware

Overview

Cyble has identified multiple instances of exploitation attempts, malware intrusions, financial fraud, and brute-force attacks. The data is captured in real-time via Cyble’s comprehensive network of Honeypot sensors, providing valuable insights into the nature of cyber threats.

Cyble’s latest Sensor Intelligence report, covering December 4th to December 10th, 2024, provides in-depth analysis of a range of threats, including high-profile malware variants, phishing scams, and exploitation attempts against known CVEs (Common Vulnerabilities and Exposures).

Cyble’s Global Sensors Intelligence (CGSI) network has detected several attack vectors, many of which target critical vulnerabilities in Internet of Things (IoT) devices and widely used software platforms.

The report covers a broad spectrum of threats, including well-known Linux malware variants such as Mirai and Gafgyt, along with exploitation attempts involving the Telerik UI and Cisco ASA. Below are some key insights into the most prevalent vulnerabilities observed during the reporting period.

Case Studies on Vulnerabilities and Exploits

  1. PHP CGI Argument Injection Vulnerability (CVE-2024-4577)
    A critical vulnerability in PHP configurations has been detected, enabling attackers to execute arbitrary commands through specially crafted URL parameters. This vulnerability could lead to severe system compromise if left unpatched. Organizations are urged to patch PHP configurations and restrict access to vulnerable systems to mitigate potential exploitation.
  2. OSGeo GeoServer Eval Injection Vulnerability (CVE-2024-36401)
    Cyble identified a remote code execution (RCE) vulnerability in GeoServer versions prior to 2.23.6, 2.24.4, and 2.25.2. This issue arises from the unsafe evaluation of request parameters, allowing unauthenticated users to execute arbitrary code. To mitigate the threat, the report recommends updating to the latest GeoServer versions and removing the vulnerable gt-complex library.
  3. Ruby SAML Improper Signature Verification (CVE-2024-45409)
    The Ruby-SAML library, a widely used tool for implementing the client side of SAML authentication, was found to have improper cryptographic signature verification in versions 12.2 and 1.13.0 to 1.16.0. Attackers could exploit this vulnerability to forge SAML responses and gain unauthorized access to systems. Updating to Ruby-SAML versions 1.17.0 or 1.12.3 is recommended to mitigate this risk.
  4. Cisco IOS XE Web UI Privilege Escalation Vulnerability (CVE-2023-20198, CVE-2023-20273)
    Cyble has reported ongoing exploitation of the web UI feature in Cisco IOS XE Software. The initial compromise occurs via the CVE-2023-20198 vulnerability, which allows attackers to gain access and escalate privileges to root. Organizations are advised to implement Cisco’s recommended patches to secure their systems.
  5. Joomla Improper Access Check in Webservice Endpoints (CVE-2023-23752)
    An improper access check vulnerability was discovered in Joomla versions 4.0.0 through 4.2.7, allowing unauthorized access to webservice endpoints. This can expose sensitive information and allow attackers to execute malicious actions. Updating Joomla to the latest version is critical for organizations using this content management system.
  6. ownCloud GraphAPI Information Disclosure (CVE-2023-49103)
    A vulnerability in the ownCloud GraphAPI app can disclose sensitive system information, including environment variables, which may contain credentials and other sensitive data. To prevent data leaks, the app must be disabled or updated to the latest patched version.
  7. Apache OFBiz SSRF Vulnerability (CVE-2023-50968)
    Apache OFBiz was found to have a server-side request forgery (SSRF) vulnerability that attackers could exploit to read arbitrary file properties. Upgrading to version 18.12.11 is recommended to eliminate this threat.
  8. Citrix NetScaler ADC Buffer Overflow Vulnerability (CVE-2023-4966)
    Citrix NetScaler ADC and Gateway devices were found to be vulnerable to sensitive information disclosure due to a buffer overflow. This can lead to unauthorized access to internal network resources. Patch management and network monitoring are crucial to protecting against this vulnerability.

Malware and Attack Analysis

Cyble’s analysis also focuses on various malware threats observed across different regions. One notable example is the emergence of a new Android banking Trojan called AppLite Banker. This sophisticated malware is distributed through phishing campaigns disguised as CRM applications. Once installed, it abuses Android’s Accessibility Services to overlay fake login screens on legitimate applications, tricking users into revealing their credentials.

AppLite employs advanced evasion techniques, such as manipulating APK file structures to avoid detection by static analysis tools. After installation, it can execute commands remotely, exfiltrate financial data, and even control infected devices through features like screen unlocking and interaction simulation. The malware’s global reach is further evidenced by its multilingual capabilities, making it a persistent threat to users worldwide.

CVE Attack Attempts: A Closer Look

In the past week, Cyble observed a high volume of exploit attempts targeting several CVEs. The most frequently attempted CVE was CVE-2020-11899, which saw 25,736 attack attempts. This vulnerability affects the Treck TCP/IP stack and can lead to an IPv6 out-of-bounds read. Other notable CVEs include CVE-2019-0708, a remote code execution flaw in Remote Desktop Services, and CVE-2021-44228, the infamous Log4j vulnerability, which continues to be a major vector for attacks.

Cyble’s extensive network of sensors detected these attacks and provided critical data to help organizations understand and defend against these vulnerabilities. As CVE-2020-11899 continues to be a primary target for cybercriminals, organizations are urged to patch vulnerable systems to prevent potential breaches.

Recommendations and Mitigations

To mitigate the risks highlighted in this report, Cyble recommends the following actions:

  1. Regularly update software and hardware systems to patch known vulnerabilities. This includes applying updates for CVEs and software-specific flaws identified in the report.
  2. Use threat intelligence feeds to block IP addresses associated with known attackers and malware distribution.
  3. Enforce the use of strong passwords and implement multi-factor authentication (MFA) to reduce the risk of brute-force and credential-stuffing attacks.
  4. Continuously monitor for Indicators of Compromise (IoCs), such as suspicious IP addresses, URLs, and file hashes, to detect potential attacks early.
  5. Regularly audit systems, networks, and devices for vulnerabilities and misconfigurations that attackers could exploit.

Conclusion

The findings in Cyble’s Sensor Intelligence report highlight the growing sophistication and persistence of cyber threats. Through its AI-powered intelligence, Cyble provides essential insights that help organizations protect their digital assets.

With AI-powered platforms like Cyble Vision and Cyble Hawk, businesses can access real-time threat intelligence, monitor vulnerabilities, and receive automated remediation advice. Cyble’s solutions empower enterprises, governments, and individuals to stay protected from cybercriminals at all times.

The post Cyble’s Latest Sensor Intelligence Report Reveals Surge in Malware, Phishing, and IoT Vulnerabilities appeared first on Cyble.