Cyble Honeypot Sensors Detect D-Link, Cisco, QNAP and Linux Attacks

Cyble’s Vulnerability Intelligence unit last week detected attacks on Cisco, QNAP, D-Link, PHP, Progress Telerik, Linux systems and more.

Key Takeaways

  • Threat actors continue to exploit several recent vulnerabilities that users have been slow to mitigate.
  • Cyble honeypot sensors detected attacks on vulnerabilities in Cisco ASA, QNAP QTS, D-Link, PHP, Progress Telerik, and other targets.
  • Linux malware remains a persistent threat, as threat actors find new ways to infect the supply chain and other vectors.
  • Cyble sensors also discovered new spam email campaigns and thousands of brute-force attempts.

Overview

Cyble’s Vulnerability Intelligence unit last week detected numerous exploit attempts, malware intrusions, phishing campaigns, and brute-force attacks via its network of Honeypot sensors.

In the week of Sept. 25-Oct. 1, Cyble researchers identified several recent active exploits, including new attacks against a number of network products and routers, more than 300 new spam email addresses, and thousands of brute-force attacks.

Vulnerability Exploits

Cyble sensors detected several recent vulnerabilities under active exploitation, in addition to a number of older vulnerabilities being actively exploited.

Cyble sensors detected attacks on the Progress Telerik UI, which had four vulnerabilities reported recently that could allow for command injection and code execution (CVE-2024-8316, CVE-2024-7679, CVE-2024-7576 and CVE-2024-7575).

End-of-life routers from D-Link (DIR-859 1.06B01) are under attack. A 9.8-severity path traversal vulnerability identified as CVE-2024-0769 can be attacked remotely, and users are urged to replace the device. This week, CISA added another D-Link router, DIR-820, to its Known Exploited Vulnerabilities catalog.

Cyble sensors detected attacks on QNAP QTS firmware, which contains numerous command injection vulnerabilities that allow remote command execution on affected devices. QNAP issued a security advisory on the issue earlier this year.


Cyble sensors have identified attackers scanning for the URL “/+CSCOE+/logon.html”, which is the Cisco Adaptive Security Appliance (ASA) WebVPN login page. This URL serves the login page for the WebVPN service, which allows remote users to access internal network resources securely. The WebVPN login page has also been associated with a number of vulnerabilities, including cross-site scripting, path traversal, and HTTP response splitting. These vulnerabilities may allow attackers to execute arbitrary code, steal sensitive information, or cause a denial of service.
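Defenders can spot this kind of probing in their own web-server logs. The following is an added example, not code from Cyble or Cisco; it assumes Apache/nginx common log format and runs over constructed sample lines, flagging requests for the WebVPN login URL and requests carrying (possibly URL-encoded) path-traversal sequences.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from Cyble's sensors), common log format.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Sep/2024:10:02:11 +0000] "GET /+CSCOE+/logon.html HTTP/1.1" 404 162
198.51.100.23 - - [27/Sep/2024:10:02:15 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.7 - - [27/Sep/2024:10:02:18 +0000] "GET /+CSCOE+/..%2F..%2Fetc/passwd HTTP/1.1" 404 162
192.0.2.44 - - [27/Sep/2024:10:03:01 +0000] "GET /images/logo.png HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# The URL the post reports attackers scanning for.
WEBVPN_LOGIN = "/+CSCOE+/logon.html"


def classify_request(path):
    """Return the reasons a request path looks like a probe, or [] if it looks benign."""
    reasons = []
    decoded = unquote(unquote(path))  # strip single and double URL-encoding before matching
    if decoded.startswith(WEBVPN_LOGIN):
        reasons.append("asa-webvpn-login-probe")
    if "../" in decoded or "..\\" in decoded:
        reasons.append("path-traversal")
    return reasons


def find_probes(log_text):
    """Parse access-log lines; return (source ip, raw path, reasons) for each suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in common log format
        reasons = classify_request(m.group("path"))
        if reasons:
            hits.append((m.group("ip"), m.group("path"), reasons))
    return hits


def sources_to_review(log_text):
    """Distinct source IPs that sent at least one suspicious request."""
    return sorted({ip for ip, _, _ in find_probes(log_text)})


if __name__ == "__main__":
    for ip, path, reasons in find_probes(SAMPLE_LOG):
        print(ip, path, ",".join(reasons))
```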

Critical vulnerabilities in PHP (CVE-2024-4577), GeoServer (CVE-2024-36401) and AVTECH IP cameras (CVE-2024-7029) also remain under active attack by threat actors.

Linux Malware Detected

The Cyble Vulnerability Intelligence unit also identified a number of Linux attacks. These included the CoinMiner Linux Trojan, which arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users visiting malicious sites, and Linux IRCBot attacks, in which the IRC connection is used as a backdoor that lets attackers perform various actions on the compromised system. Many affected systems are enrolled in a botnet controlled over IRC.

Threat actors have become increasingly innovative in delivering Linux malware; earlier this year, CoinMiner was found in PyPI (Python Package Index) packages.

New Phishing Scams Identified

Cyble identified 364 new phishing email addresses this week. Below are six noteworthy campaigns:

| E-mail Subject | Scammer's Email ID | Scam Type | Description |
|---|---|---|---|
| Please confirm | barristerpierresalao@gmail.com | Claim Scam | Fake refund against claims |
| Attention Please!!! | davidmillerson@aliyun.com | Lottery/Prize Scam | Fake prize winnings to extort money or information |
| GOD BLESS YOU…. | info@anhorn.com | Donation Scam | Scammers posing as a donor offering to donate money |
| lnvestment offer | Dave@uS.com | Investment Scam | Unrealistic investment offers to steal funds or data |
| Order: cleared customs | support@ip.linodeusercontent.com | Shipping Scam | Unclaimed shipment trick to demand fees or details |
| OFFICIAL PAYMENT PROGRAM | info@rina.org | Government Organization Scam | Fake government compensation to collect financial details |

Brute-Force Attacks Observed

Of the thousands of brute-force attacks detected by Cyble scanners this week, several ports, targets and tactics merit close attention.

Among the top five attacker countries, Cyble observed attacks originating from Russia targeting ports 3389 (64%), 5900 (30%), 445 (4%), 3306 (2%), and 1143 (1%). Attacks originating from the Netherlands targeted ports 5900 (80%), 3389 (8%), 22 (1%), and 81 (1%). France, China, and Bulgaria mainly targeted ports 1433, 5900, and 445.

Security analysts are advised to add blocks on their security systems for the attacked ports (such as 22, 3389, 443, 445, 5900, and 3306).

The bulk of the attacks (88%) came from known attackers; bots and crawlers accounted for 7% and mass scanners for 4%.

The most frequently used usernames and passwords for brute-force attacks are shown in the figure below. Brute-force attacks commonly target IT automation software and servers such as “3comcso”, “elasticsearch”, and “hadoop”, as well as databases such as “mysql” and “Postgres”.

Some of the most common username/password combinations used were “sa”, “root”, “admin”, “password”, “123456”, etc. Hence, it is wise to set up strong passwords for servers and devices.
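The per-source aggregation behind the port and credential statistics above, and the block list the recommendations call for, can be reproduced from a honeypot's own credential-attempt log. This is an added example, not Cyble's tooling; it assumes a constructed key=value log format and uses the weak credentials the post lists.

```python
import re
from collections import Counter, defaultdict

# Constructed honeypot credential-attempt log lines (not Cyble data), one attempt per line.
SAMPLE_ATTEMPTS = """\
2024-09-27T10:00:01Z src=203.0.113.5 dport=3389 user=admin pass=123456 result=fail
2024-09-27T10:00:02Z src=203.0.113.5 dport=3389 user=admin pass=password result=fail
2024-09-27T10:00:03Z src=203.0.113.5 dport=3389 user=sa pass=sa result=fail
2024-09-27T10:00:04Z src=203.0.113.5 dport=3389 user=root pass=root result=fail
2024-09-27T10:00:05Z src=203.0.113.5 dport=3389 user=root pass=toor result=fail
2024-09-27T10:00:09Z src=198.51.100.8 dport=5900 user=operator pass=Xk9#mQ2v result=fail
2024-09-27T10:00:10Z src=192.0.2.77 dport=22 user=deploy pass=correct-horse result=ok
"""

ATTEMPT_RE = re.compile(
    r"src=(?P<src>\S+) dport=(?P<port>\d+) user=(?P<user>\S+) pass=(?P<pw>\S+) result=(?P<res>\S+)"
)

# Usernames/passwords the post lists as the most commonly tried.
WEAK_VALUES = {"sa", "root", "admin", "password", "123456"}


def summarize_attempts(log_text, threshold=5):
    """Aggregate failed logins per source IP; return only sources at or above the threshold.

    Each entry records the failure count, the ports targeted, and whether any of the
    weak credentials from the post were tried."""
    failures = Counter()
    ports = defaultdict(set)
    weak = defaultdict(bool)
    for line in log_text.splitlines():
        m = ATTEMPT_RE.search(line)
        if not m or m.group("res") != "fail":
            continue  # ignore malformed lines and successful logins
        src = m.group("src")
        failures[src] += 1
        ports[src].add(int(m.group("port")))
        if m.group("user") in WEAK_VALUES or m.group("pw") in WEAK_VALUES:
            weak[src] = True
    return {src: {"failures": n, "ports": sorted(ports[src]), "weak_creds": weak[src]}
            for src, n in failures.items() if n >= threshold}


def block_list(log_text, threshold=5):
    """Source IPs and ports to feed into a perimeter block rule, per the post's recommendation."""
    summary = summarize_attempts(log_text, threshold)
    return sorted(summary), sorted({p for s in summary.values() for p in s["ports"]})


if __name__ == "__main__":
    print(block_list(SAMPLE_ATTEMPTS))
```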

[Figure: most frequently used usernames and passwords in brute-force attacks]

Cyble Recommendations

Cyble researchers recommend the following security controls:

  • Block the target hashes, URLs, and email addresses on security systems (Cyble clients received a separate IoC list).
  • Immediately patch all open vulnerabilities listed here and routinely monitor the top Suricata alerts in internal networks.
  • Constantly check for attackers’ ASNs and IPs.
  • Block brute-force attack IPs and the targeted ports listed.
  • Immediately reset default usernames and passwords to mitigate brute-force attacks, and enforce periodic changes.
  • For servers, set up strong passwords that are difficult to guess.
