Cyble Honeypot Sensors Detect WordPress Plugin Attack, New Banking Trojan

Key Takeaways

• Cyble’s Threat Hunting Honeypot sensors detected five recent vulnerabilities under active exploitation, including newly identified attacks against WordPress plugins.
• A new banking trojan is engaged in active attacks in Europe and is expected to spread to other regions.
• Of more than 400 identified scam email addresses discovered, six in particular stand out.
• Commonly targeted ports have been identified and should be blocked by security teams.

Overview

Cyble’s Threat Hunting service this week discovered multiple instances of exploit attempts, malware intrusions, financial fraud, and brute-force attacks via its network of Honeypot sensors.

In the week of Sept. 18-24, Cyble researchers identified five recent active exploits, including new attacks against WordPress plugins, a new malware variant targeting the banking industry, more than 400 new spam email addresses, and thousands of brute-force attacks.

Vulnerability Exploits

Cyble sensors detected five recent vulnerabilities under active exploitation, in addition to a number of older vulnerabilities being actively exploited:

Case 1: SQL Injection Attack

CVE-2024-27956 is a 9.9-severity improper neutralization of Special Elements used in an SQL Command vulnerability in ValvePress Automatic WordPress plugins that allows for SQL Injection attacks. This issue affects Automatic: from n/a through 3.92.0.

Case 2: PHP CGI Argument Injection Vulnerability

CVE-2024-4577 is a 9.8-severity PHP vulnerability that impacts CGI configurations and has been under attack since it was announced in June. It enables attackers to execute arbitrary commands through specially crafted URL parameters. It affects PHP versions 8.1.* before 8.1.29; 8.2.* before 8.2.20; and 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows.

Case 3: GeoServer Vulnerability Allows Remote Code Execution via Unsafe XPath Evaluation

CVE-2024-36401 is a 9.8-severity RCE vulnerability in GeoServer versions prior to 2.23.6, 2.24.4, and 2.25.2. The flaw arises from the unsafe evaluation of OGC request parameters as XPath expressions, allowing unauthenticated users to execute arbitrary code on default installations. The issue affects all GeoServer instances due to improper handling of simple feature types. Patches are available, and a workaround involves removing the vulnerable gt-complex library, which may impact functionality.

Case 4: Network Command Injection Vulnerability Without Authentication

CVE-2024-7029 is an 8.7-severity AVTECH IP camera vulnerability that allows remote attackers to inject and execute commands over the network without requiring authentication. This critical flaw poses a significant risk, enabling unauthorized control over affected systems.

Case 5: Network Command Injection Vulnerability Without Authentication 

The porte_plume plugin used by SPIP before 4.30-alpha2, 4.2.13, and 4.1.16 is vulnerable to a 9.8-severity arbitrary code execution vulnerability (CVE-2024-7954). A remote and unauthenticated attacker can execute arbitrary PHP as the SPIP user by sending a crafted HTTP request.

Octo2: New Malware Variant Targets European Banks in Active Attacks

Octo2, a new variant of the Octo mobile banking trojan, was recently discovered in European bank attacks, and deployment in other global regions is expected to follow.

Octo (also known as ExobotCompact) has emerged as one of the most prominent malware families in the mobile threat landscape, leading in the number of unique samples detected this year. Recently, a new variant named “Octo2,” created by the original threat actor, has been discovered, signaling a potential shift in the actors’ tactics and strategies. This upgraded version enhances the malware’s remote action capabilities, particularly for Device Takeover attacks, ensuring greater stability in execution. New Octo2 campaigns have already been observed targeting several European countries. Additionally, Octo2 employs advanced obfuscation techniques to evade detection, including the introduction of a Domain Generation Algorithm (DGA), further bolstering its ability to remain hidden from security systems.

Here are known hashes and IoCs, via Threat Fabric:

More Than 400 Scam Email Addresses Detected

Cyble identified 410 new email addresses used in scam campaigns. Here are six notes:

Brute-Force Attack Ports Identified

Of the thousands of brute-force attacks identified by Cyble, the following targeted ports stand out as meriting attention.

Based on a close inspection of the distribution of attacked ports based on the top five attacker countries, Cyble noticed attacks originating from the United States are targeting ports 22 (40%), 3389 (32%), 445 (21%), 23 (4%), and 80(3%). Attacks originating from Turkey are targeting ports 3389 (100%). Russia, China, and Bulgaria mainly targeted ports 5900 and 445.

Security Analysts are advised to add security system blocks for the attacked ports (such as 22, 3389, 443, 445, 5900, and 3306).

Cyble Recommendations

Cyble researchers recommend the following security controls:

• Blocking target hashes, URLs, and email info on security systems (Cyble clients received a separate IoC list).
• Immediately patch all open vulnerabilities listed here and routinely monitor the top Suricata alerts in internal networks.
• Constantly check for Attackers’ ASNs and IPs.
• Block Brute Force attack IPs and the targeted ports listed.
• Immediately reset default usernames and passwords to mitigate brute-force attacks and enforce periodic changes.
• For servers, set up strong passwords that are difficult to guess.