Cyble Honeypot Sensors Detect WordPress Plugin Attack, New Banking Trojan
Key Takeaways
- Cyble’s Threat Hunting Honeypot sensors detected five recent vulnerabilities under active exploitation, including newly identified attacks against WordPress plugins.
- A new banking trojan is engaged in active attacks in Europe and is expected to spread to other regions.
- Of more than 400 identified scam email addresses discovered, six in particular stand out.
- Commonly targeted ports have been identified and should be blocked by security teams.
Overview
Cyble’s Threat Hunting service this week discovered multiple instances of exploit attempts, malware intrusions, financial fraud, and brute-force attacks via its network of Honeypot sensors.
In the week of Sept. 18-24, Cyble researchers identified five recent active exploits, including new attacks against WordPress plugins, a new malware variant targeting the banking industry, more than 400 new spam email addresses, and thousands of brute-force attacks.
Vulnerability Exploits
Cyble sensors detected five recent vulnerabilities under active exploitation, in addition to a number of older vulnerabilities being actively exploited:
Case 1: SQL Injection Attack
CVE-2024-27956 is a 9.9-severity improper neutralization of Special Elements used in an SQL Command vulnerability in ValvePress Automatic WordPress plugins that allows for SQL Injection attacks. This issue affects Automatic: from n/a through 3.92.0.
Case 2: PHP CGI Argument Injection Vulnerability
CVE-2024-4577 is a 9.8-severity PHP vulnerability that impacts CGI configurations and has been under attack since it was announced in June. It enables attackers to execute arbitrary commands through specially crafted URL parameters. It affects PHP versions 8.1.* before 8.1.29; 8.2.* before 8.2.20; and 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows.
Case 3: GeoServer Vulnerability Allows Remote Code Execution via Unsafe XPath Evaluation
CVE-2024-36401 is a 9.8-severity RCE vulnerability in GeoServer versions prior to 2.23.6, 2.24.4, and 2.25.2. The flaw arises from the unsafe evaluation of OGC request parameters as XPath expressions, allowing unauthenticated users to execute arbitrary code on default installations. The issue affects all GeoServer instances due to improper handling of simple feature types. Patches are available, and a workaround involves removing the vulnerable gt-complex library, which may impact functionality.
Case 4: Network Command Injection Vulnerability Without Authentication
CVE-2024-7029 is an 8.7-severity AVTECH IP camera vulnerability that allows remote attackers to inject and execute commands over the network without requiring authentication. This critical flaw poses a significant risk, enabling unauthorized control over affected systems.
Case 5: Network Command Injection Vulnerability Without Authentication
The porte_plume plugin used by SPIP before 4.30-alpha2, 4.2.13, and 4.1.16 is vulnerable to a 9.8-severity arbitrary code execution vulnerability (CVE-2024-7954). A remote and unauthenticated attacker can execute arbitrary PHP as the SPIP user by sending a crafted HTTP request.
Octo2: New Malware Variant Targets European Banks in Active Attacks
Octo2, a new variant of the Octo mobile banking trojan, was recently discovered in European bank attacks, and deployment in other global regions is expected to follow.
Octo (also known as ExobotCompact) has emerged as one of the most prominent malware families in the mobile threat landscape, leading in the number of unique samples detected this year. Recently, a new variant named “Octo2,” created by the original threat actor, has been discovered, signaling a potential shift in the actors’ tactics and strategies. This upgraded version enhances the malware’s remote action capabilities, particularly for Device Takeover attacks, ensuring greater stability in execution. New Octo2 campaigns have already been observed targeting several European countries. Additionally, Octo2 employs advanced obfuscation techniques to evade detection, including the introduction of a Domain Generation Algorithm (DGA), further bolstering its ability to remain hidden from security systems.
Here are known hashes and IoCs, via Threat Fabric:
| Hash (SHA256) | app name | package name |
| 83eea636c3f04ff1b46963680eb4bac7177e77bbc40b0d3426f5cf66a0c647ae | NordVPN | com.handedfastee5 |
| 6cd0fbfb088a95b239e42d139e27354abeb08c6788b6083962943522a870cb98 | Europe Enterprise | com.xsusb_restore3 |
| 117aa133d19ea84a4de87128f16384ae0477f3ee9dd3e43037e102d7039c79d9 | Google Chrome | com.havirtual06numberresources |
More Than 400 Scam Email Addresses Detected
Cyble identified 410 new email addresses used in scam campaigns. Here are six notes:
| E-mail Subject | Scammers Email ID | Scam Type | Description |
| Claim Directives | [email protected] | Claim Scam | Fake refund against claims |
| Dear winner! | [email protected] | Lottery/Prize Scam | Fake prize winnings to extort money or information |
| DONATION NOTICE | [email protected] | Donation Scam | Scammers posing as donors to donate money |
| INVESTMENT PROPOSAL | [email protected] | Investment Scam | Unrealistic investment offers to steal funds or data. |
| Order: cleared customs | [email protected] | Shipping Scam | Unclaimed shipment trick to demand fees or details |
| UN Compensation Fund | [email protected] | Government Organization Scam | Fake UN compensation to collect financial details |
Brute-Force Attack Ports Identified
Of the thousands of brute-force attacks identified by Cyble, the following targeted ports stand out as meriting attention.
Based on a close inspection of the distribution of attacked ports based on the top five attacker countries, Cyble noticed attacks originating from the United States are targeting ports 22 (40%), 3389 (32%), 445 (21%), 23 (4%), and 80(3%). Attacks originating from Turkey are targeting ports 3389 (100%). Russia, China, and Bulgaria mainly targeted ports 5900 and 445.
Security Analysts are advised to add security system blocks for the attacked ports (such as 22, 3389, 443, 445, 5900, and 3306).
Cyble Recommendations
Cyble researchers recommend the following security controls:
- Blocking target hashes, URLs, and email info on security systems (Cyble clients received a separate IoC list).
- Immediately patch all open vulnerabilities listed here and routinely monitor the top Suricata alerts in internal networks.
- Constantly check for Attackers’ ASNs and IPs.
- Block Brute Force attack IPs and the targeted ports listed.
- Immediately reset default usernames and passwords to mitigate brute-force attacks and enforce periodic changes.
- For servers, set up strong passwords that are difficult to guess.
The post Cyble Honeypot Sensors Detect WordPress Plugin Attack, New Banking Trojan appeared first on Cyble.
React to this headline:
