Overview

Cyble’s weekly sensor intelligence report detailed more than 30 active attack campaigns against known vulnerabilities.

New attacks were observed against a vulnerability in the Spring Java framework, and more than 400,000 attacks were observed exploiting a known IoT vulnerability.

Cyble’s Vulnerability Intelligence unit also observed thousands of brute-force attacks and hundreds of phishing campaigns.

Here are some highlights from Cyble’s October 17 sensor report sent to clients.

CVE-2024-38816: Spring Java Framework Exploit

CVE-2024-38816 is a high-severity Path Traversal vulnerability in the popular Spring Java framework that is still undergoing NVD assessment. Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks.

An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running. Specifically, an application is vulnerable when both of the following are true: the web application uses RouterFunctions to serve static resources, and resource handling is explicitly configured with a FileSystemResource location.

Malicious requests are blocked and rejected when either of the following is true: the Spring Security HTTP Firewall is in use, or the application runs on Tomcat or Jetty.
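
The two vulnerable conditions above come down to one missing check: a request path is mapped onto a file-system location without confirming that the decoded, normalised result still lies inside the configured root. The Python below is an added example, not code from Cyble or from the Spring project. It shows that containment check in isolation (resolve_static, a hypothetical name) and a scanner that flags traversal attempts, including percent-encoded and double-encoded ones, in web-server access-log lines. The log lines, the /srv/app/static root and the /static/ prefix are all constructed for illustration.

```python
"""Path-traversal detection over web access logs, plus the containment
check a file-system-backed static route needs.

Added example for the CVE-2024-38816 discussion; not Cyble's code and not
Spring's. Log lines, root directory and URL prefix are constructed.
"""
import posixpath
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Constructed access-log lines (combined log format, cut after status and size).
SAMPLE_LOG = """\
10.0.0.5 - - [15/Oct/2024:10:01:02 +0000] "GET /static/css/site.css HTTP/1.1" 200 5120
10.0.0.9 - - [15/Oct/2024:10:01:07 +0000] "GET /static/../../../../etc/hostname HTTP/1.1" 400 0
10.0.0.9 - - [15/Oct/2024:10:01:09 +0000] "GET /static/%2e%2e/%2e%2e/config/app.yml HTTP/1.1" 400 0
10.0.0.9 - - [15/Oct/2024:10:01:11 +0000] "GET /static/%252e%252e/secret.txt HTTP/1.1" 200 812
10.0.0.7 - - [15/Oct/2024:10:01:15 +0000] "GET /static/img/logo..png HTTP/1.1" 200 2048
"""

REQUEST_RE = re.compile(
    r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[0-9.]+"'
)


def fully_decode(path: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing, so a double-encoded
    '%252e%252e' collapses to '..' just like a single-encoded '%2e%2e'."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def has_traversal(raw_path: str) -> bool:
    """True when a whole path segment is '..' after decoding.
    'logo..png' is a legitimate filename, so substring matching on '..' is wrong."""
    decoded = fully_decode(raw_path.split("?", 1)[0]).replace("\\", "/")
    return any(seg == ".." for seg in decoded.split("/"))


def scan_log(text: str) -> List[Tuple[str, str]]:
    """Return (source_ip, raw_path) for every request that carries a traversal."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m and has_traversal(m["path"]):
            hits.append((m["src"], m["path"]))
    return hits


def resolve_static(root: str, raw_path: str, prefix: str = "/static/") -> Optional[str]:
    """Map a URL under `prefix` to a file under `root`, refusing anything that
    would land outside `root`. Returns the resolved path or None (rejected).

    Pure string handling: it never touches the disk, so it can run before any
    file access happens."""
    decoded = fully_decode(raw_path.split("?", 1)[0]).replace("\\", "/")
    if not decoded.startswith(prefix):
        return None
    # lstrip matters: posixpath.join drops `root` if the second part starts with '/'.
    relative = decoded[len(prefix):].lstrip("/")
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, relative))
    # normpath collapses '..' lexically; commonpath then tells us whether the
    # result is still inside root.
    if posixpath.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    for src, path in scan_log(SAMPLE_LOG):
        verdict = "rejected" if resolve_static("/srv/app/static", path) is None else "SERVED"
        print(f"{src} {path} -> {verdict}")
```

The scanner treats '..' only as a whole segment, so filenames such as logo..png are not false positives, and the resolver decodes before normalising, because a single decode pass would let a double-encoded %252e reach the file-system layer intact. The Spring Security HTTP Firewall the text names rejects such requests before they reach a route; this block is for log review and for verifying a custom handler, not a substitute for patching.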

CVE-2020-11899: Treck TCP/IP Stack

CVE-2020-11899 is a medium-severity Out-of-bounds Read vulnerability in the Treck TCP/IP stack, which was developed as an IPv6 implementation for the limited space of embedded devices. The flaw affects Treck TCP/IP versions before 6.0.1.66 and is also part of the “Ripple20” series of vulnerabilities that can lead to data theft, changes in device behavior or function, network intrusion, device takeover, and other malicious activities.

Cyble sensors detected more than 411,000 attacks on the CVE-2020-11899 vulnerability from Oct. 9 to 15, 2024, often in an attempt to gain administrator privileges (image below).

Cyble sensors have detected attacks against other “Ripple20” vulnerabilities during this period—most notably CVE-2020-11900, an IPv4 tunneling Double Free vulnerability also present in the Treck TCP/IP stack before 6.0.1.41—so IoT environments that may contain these vulnerabilities should check for exposures and apply appropriate mitigations.

CISA’s Ripple20 advisory – updated last month – lists 17 industrial, medical, and critical infrastructure device manufacturers whose products were potentially affected by the vulnerabilities.

Linux, PHP, and Other Attacks Persist

Several other recent exploits observed by Cyble remain active. Linux systems remain under attack as threat actors (TAs) have become increasingly resourceful at delivering malware via package managers and other means. CoinMiner, Mirai, and IRCBot attacks remain active threats against Linux systems.

Previously reported vulnerabilities in PHP (CVE-2024-4577), GeoServer (CVE-2024-36401), and AVTECH IP cameras (CVE-2024-7029) also remain under active attack by threat actors.

Phishing Scams Detected by Cyble

Cyble detected 478 new phishing email addresses this week, a multi-week high. Below is a table listing the email subject lines and deceptive email addresses used in six prominent scam campaigns.

E-mail Subject                   | Scammer's Email ID | Scam Type                    | Description
ABOUT YOUR PAYMENT…              | [email protected]  | Claim Scam                   | Fake refund against claims
ATTN: Lucky Winner               | [email protected]  | Lottery/Prize Scam           | Fake prize winnings to extort money or information
GOD BLESS YOU….                  | [email protected]  | Donation Scam                | Scammers posing as donors offering to donate money
My Donation                      | [email protected]  | Investment Scam              | Unrealistic investment offers to steal funds or data
Order 21542906: cleared customs  | [email protected]  | Shipping Scam                | Unclaimed shipment trick to demand fees or details
UN Compensation Fund             | [email protected]  | Government Organization Scam | Fake government compensation to collect financial details

Brute-Force Attacks

Cyble sensors detected thousands of brute-force attacks in the most recent report period. The top five attacker countries and the ports they targeted were:

  • Vietnam: ports 22 (52%), 3389 (25%), and 445 (22%).
  • United States: ports 5900 (58%), 22 (20%), 3389 (15%), 445 (5%), and 135 (2%).
  • Ukraine, Russia, and Greece: mainly ports 3389, 1433, 5900, and 445.

Security analysts are advised to add blocks on their security systems for the attacked ports (such as 22, 3389, 443, 445, 5900, and 3306).
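
Per-country port percentages like the ones above, and the port-block recommendation that follows from them, come from aggregating attempt logs by source and destination port. The Python below is an added example, not Cyble's code: it computes the per-country port shares over a handful of events and applies a sliding-window failure threshold to pick out the sources worth blocking. The event format, the IP-to-country table (documentation-range addresses standing in for a GeoIP lookup) and the threshold of five failures in one minute are all constructed assumptions.

```python
"""Summarise brute-force attempts per source country and port, and flag
sources that exceed a failure threshold inside a sliding window.

Added example for the brute-force section; not Cyble's code. The event
lines, the source-to-country mapping and the thresholds are constructed;
a real deployment would read firewall or auth logs and a GeoIP database.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed events: "<ISO timestamp> <source IP> <destination port> <outcome>"
SAMPLE_EVENTS = """\
2024-10-15T10:00:00 203.0.113.10 22 fail
2024-10-15T10:00:01 203.0.113.10 22 fail
2024-10-15T10:00:02 203.0.113.10 22 fail
2024-10-15T10:00:03 203.0.113.10 22 fail
2024-10-15T10:00:04 203.0.113.10 22 fail
2024-10-15T10:00:05 203.0.113.10 3389 fail
2024-10-15T10:00:06 203.0.113.10 3389 fail
2024-10-15T10:00:07 203.0.113.10 445 fail
2024-10-15T10:05:00 198.51.100.7 5900 fail
2024-10-15T10:05:30 198.51.100.7 5900 fail
2024-10-15T10:06:00 198.51.100.7 22 fail
2024-10-15T10:30:00 198.51.100.7 3389 fail
2024-10-15T10:31:00 192.0.2.44 22 ok
"""

# Constructed stand-in for a GeoIP lookup (documentation-range addresses).
GEOIP = {"203.0.113.10": "VN", "198.51.100.7": "US", "192.0.2.44": "DE"}

Event = Tuple[datetime, str, int, str]


def parse_events(text: str) -> List[Event]:
    """Parse the constructed event format into (timestamp, src, port, outcome)."""
    events = []
    for line in text.splitlines():
        ts, src, port, outcome = line.split()
        events.append((datetime.fromisoformat(ts), src, int(port), outcome))
    return events


def port_share_by_country(events: List[Event],
                          geoip: Dict[str, str] = GEOIP) -> Dict[str, Dict[int, float]]:
    """Percentage of failed attempts per destination port, grouped by source
    country, in the shape the report quotes (e.g. 22: 52%, 3389: 25%)."""
    counts: Dict[str, Counter] = defaultdict(Counter)
    for _, src, port, outcome in events:
        if outcome == "fail":
            counts[geoip.get(src, "??")][port] += 1
    shares = {}
    for country, ports in counts.items():
        total = sum(ports.values())
        shares[country] = {p: round(100 * n / total, 1) for p, n in ports.most_common()}
    return shares


def flag_bruteforce(events: List[Event], threshold: int = 5,
                    window: timedelta = timedelta(minutes=1)) -> Dict[str, int]:
    """Sliding-window count of failures per source IP. Returns the peak count
    seen within `window` for every source that reached `threshold`, i.e. the
    addresses a defender would feed into a block list."""
    recent: Dict[str, deque] = defaultdict(deque)
    peak: Counter = Counter()
    for ts, src, _, outcome in sorted(events, key=lambda e: e[0]):
        if outcome != "fail":
            continue
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        peak[src] = max(peak[src], len(q))
    return {src: n for src, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for country, ports in port_share_by_country(evs).items():
        print(country, ", ".join(f"{p} ({s}%)" for p, s in ports.items()))
    print("block candidates:", flag_bruteforce(evs))
```

Successful logins are excluded from both views so that a legitimate user on a targeted port does not inflate the numbers, and the window is evaluated per source, which is what lets a slow scanner (the US source here, three failures spread over a minute) stay below the default threshold while a rapid one is flagged.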

Recommendations and Mitigations

Cyble researchers recommend the following security controls:

  • Block the target hashes, URLs, and email addresses on security systems (Cyble clients received a separate IoC list).
  • Immediately patch all open vulnerabilities listed here and routinely monitor the top Suricata alerts in internal networks.
  • Continuously check for the attackers' ASNs and IPs.
  • Block the brute-force attack IPs and the targeted ports listed.
  • Immediately reset default usernames and passwords to mitigate brute-force attacks, and enforce periodic changes.
  • For servers, set strong passwords that are difficult to guess.

Conclusion

With active threats against multiple systems highlighted, companies need to remain vigilant and responsive. The large number of brute-force attacks and phishing campaigns demonstrates the vulnerability crisis faced by organizations.

To protect their digital assets, organizations should address known vulnerabilities and implement the recommended security controls, such as blocking malicious IPs and securing network ports. A proactive, layered security approach will be key to defending against exploitation and data breaches.