Cyble Sensor Intelligence: Attacks, Phishing Scams And Brute-Force Detections

Key Takeaways

  • Five exploits of recent vulnerabilities were detected by Cyble honeypot sensors this week.
  • A 9.8-severity PHP flaw identified in June remains under widespread attack, and organizations are urged to upgrade as soon as possible.
  • Cyble researchers also identified 9 phishing scams, a number of very active brute-force attack networks, and the most commonly targeted ports.
  • Security teams are advised to use the information provided to harden defenses.

Overview

The Cyble Global Sensor Intelligence Network, or CGSI, monitors and captures real-time attack data through Cyble’s network of honeypot sensors. This week, Cyble’s Threat Hunting service discovered and investigated dozens of exploit attempts, malware intrusions, financial fraud attempts, and brute-force attacks.

The full report is available to subscribers; here we’ll cover a number of important attacks and exploits that security teams need to be aware of, plus Cyble investigations into phishing campaigns and brute force attacks. The report covers the week of Sept. 11-Sept. 17.

Attack Case Studies

The Cyble Sensor Intelligence report examined 18 attacks in all; here are five that stand out.

CVE-2024-7954: Arbitrary Code Execution Vulnerability in SPIP’s Porte Plume Plugin

CVE-2024-7954 affects the porte_plume plugin in SPIP versions prior to 4.30-alpha2, 4.2.13, and 4.1.16, and allows remote unauthenticated attackers to execute arbitrary PHP code by sending a specially crafted HTTP request. Users should upgrade to the patched versions to mitigate this vulnerability.

CVE-2024-7120: OS Command Injection Vulnerability in Raisecom MSG Devices

CVE-2024-7120 is a critical OS command injection vulnerability in the web interface of Raisecom MSG1200, MSG2100E, MSG2200, and MSG2300 devices running version 3.90. The flaw in the list_base_config.php file allows remote attackers to exploit the template parameter to execute arbitrary commands. Public exploits are available for this vulnerability.

CVE-2024-4577: PHP CGI Argument Injection Vulnerability

CVE-2024-4577 is a critical argument injection vulnerability in PHP that affects installations running PHP in CGI mode on Windows; it stems from Windows “Best-Fit” character mapping, which lets a specially crafted URL parameter be interpreted as a php-cgi command-line option and so enables unauthenticated attackers to execute arbitrary commands. Given PHP’s importance and wide use, impacted organizations must upgrade to a patched PHP version (8.3.8, 8.2.20, or 8.1.29, or later) as soon as possible.
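The following detection example is added here and is not Cyble’s code. It triages web-server access log lines for the CVE-2024-4577 pattern: on a Windows PHP-CGI host, a percent-encoded soft hyphen (`%AD`, byte 0xAD) at the start of a query-string argument is best-fit mapped to `-`, so `%ADd` followed by an ini directive is treated as a `-d` option. The log lines are constructed sample input, and the regexes and threshold-free logic are the example’s own assumptions, not a published Suricata rule.

```python
"""Triage of web access log lines for CVE-2024-4577 exploitation attempts.

Added example (not from Cyble). Detection idea: php-cgi on Windows best-fit maps
the soft hyphen (U+00AD, sent as %AD) to '-', so a query-string argument that
begins with byte 0xAD followed by an option letter is parsed as a php-cgi option.
The log lines below are constructed sample input, not real traffic.
"""
import re
from urllib.parse import urlsplit, unquote_to_bytes

# Constructed combined-log-format lines (sample input). Lines 1 and 3 carry the
# %AD option-injection pattern; lines 2 and 4 are benign.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Sep/2024:10:01:22 +0000] "POST /php-cgi/php-cgi.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 200 512
198.51.100.8 - - [12/Sep/2024:10:02:05 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048
203.0.113.9 - - [12/Sep/2024:10:03:44 +0000] "GET /cgi-bin/php?%ADs HTTP/1.1" 200 9031
203.0.113.9 - - [12/Sep/2024:10:04:01 +0000] "GET /search.php?q=foo-bar HTTP/1.1" 200 300
"""

# Minimal combined-log parser: source IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# After percent-decoding to bytes, an argument (start of query, or after '+'/' ',
# which CGI uses to split arguments) that begins with 0xAD and an option letter.
# A literal '-' is deliberately not matched here: PHP already filters that (the
# older CVE-2012-1823 pattern); 0xAD is what bypasses the filter.
SOFT_HYPHEN_OPT = re.compile(rb"(?:^|[+ ])\xad[a-zA-Z]")


def is_cve_2024_4577_attempt(target: str) -> bool:
    """Return True if the request target's query string carries the 0xAD option pattern."""
    parts = urlsplit(target)
    if not parts.query:
        return False
    raw = unquote_to_bytes(parts.query)  # %AD -> b'\xad' (single byte, as the exploit sends it)
    return SOFT_HYPHEN_OPT.search(raw) is not None


def triage(log_text: str) -> list:
    """Scan log lines and return one finding dict per suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        if is_cve_2024_4577_attempt(m["target"]):
            hits.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "method": m["method"],
                "target": m["target"],
                "status": int(m["status"]),
            })
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["method"]} {hit["target"]} -> {hit["status"]}')
```

A 200 status on a flagged request is worth treating as a probable success rather than a blocked probe, since php-cgi returns normally while honouring the injected option.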

CVE-2024-36401: GeoServer Vulnerability Allows Remote Code Execution via Unsafe XPath Evaluation

CVE-2024-36401 is a critical RCE vulnerability in GeoServer versions prior to 2.23.6, 2.24.4, and 2.25.2. The flaw arises from the unsafe evaluation of OGC request parameters as XPath expressions, allowing unauthenticated users to execute arbitrary code on default installations. The issue affects all GeoServer instances due to improper handling of simple feature types. Patches are available, and a workaround involves removing the vulnerable gt-complex library, though it may impact functionality.

CVE-2024-7029: Network Command Injection Vulnerability Without Authentication in AVTECH IP Cameras

CVE-2024-7029 allows remote attackers to inject and execute commands over the network without requiring authentication. This critical flaw poses a significant risk, enabling unauthorized control over affected systems. The AVTECH AVM1203 camera running firmware version FullImg-1023-1007-1011-1009 and prior is affected, and other AVTECH IP cameras and network video recorder products may also be affected.

Phishing Scams Identified

Cyble researchers identified nine email phishing scams this week. Below are the subject lines and deceptive email addresses used in the scams, along with a description of each.

| E-mail Subject | Scammer's Email Address | Scam Type | Description |
|---|---|---|---|
| COMPASSION FUND OF 5.5 MILLION DOLLARS. | info@uba.group.org | Charity Scam | Fake charitable fund to steal personal or financial details |
| Compensation | info.us.com | Compensation Scam | Offering fake compensation to collect sensitive data |
| Dear Beneficiary !!! | info@federalreservebank.com | Impersonation Scam | Scammers posing as a bank CEO to solicit sensitive information |
| FACEBOOK GIFTS | info@fam-koeppel.de | Social Media Giveaway Scam | Pretending to offer gifts to steal personal info |
| WINNING GIFTS | fachrisalman.2020@student.uny.ac.id | Lottery/Prize Scam | Fake prize winnings to extort money or information |
| INVESTMENT PROPOSAL | David@uS.com | Investment Scam | Unrealistic investment offers to steal funds or data |
| UN Compensation Fund | info@usa.com | Government Organization Scam | Fake UN compensation to collect financial details |
| Your abandoned shipment | contact@wine.plala.or.jp | Shipping Scam | Unclaimed shipment trick to demand fees or details |
| RE: Request Commercial We need your product | accounts@eswil.com | Business Commercial Scam | Fake business requests to obtain goods without payment |

Brute-Force Attacks

Brute-force attacks consist of an attacker submitting many passwords or passphrases in the hope of eventually guessing one correctly. The attacker systematically works through candidate passwords, passphrases, or encryption keys (or, in the web case, hidden page names) until a valid one is found. Because the method is pure trial and error, it is noisy but effective against weak or default credentials.

Cyble observed thousands of brute-force attacks in the last week. A close inspection of the distribution of attacked ports based on the top five attacker countries revealed that attacks originating from the United States targeted ports 3389 (60%), 445 (19%), 22 (13%), 5900 (6%), and 9200 (3%). Attacks originating from Russia targeted ports 5900 (96%), 445 (2%), 25 (1%), 3389 (1%), and 1025 (1%). Attacks originating from The Netherlands, India, and Bulgaria largely targeted ports 5900 and 445.

Security teams are advised to restrict internet exposure of the commonly attacked ports (such as 22, 3389, 443, 445, 5900, and 3306) and to block them at the perimeter wherever the service is not required.

The most frequently used usernames and passwords in brute-force attacks are shown in the figure below. The analysis report indicates that brute-force attacks against IT automation software and servers frequently use usernames such as 3comcso, elasticsearch, and hadoop, while database attacks use mysql and postgres. Some of the most common username/password values were “root”, “admin”, “password”, and “123456”. It is therefore critically important to set strong passwords on servers and devices and to always change default credentials.
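The script below is an added example (not Cyble’s code) showing how the brute-force indicators above translate into detection logic on a host: it parses sshd authentication lines, counts failures per source within a sliding window, flags the service and default usernames the report calls out, and raises the priority of any source that logs in successfully after a run of failures. The log lines, the watched-user list, the threshold, and the window size are constructed assumptions for the example.

```python
"""Brute-force triage over sshd log lines (added example, not from Cyble).

Assumptions: RFC 3339-style timestamps as modern syslog emits them; the watched
usernames are the ones the report singles out; threshold and window are
illustrative. The sample log below is constructed, not real traffic.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_AUTH_LOG = """\
2024-09-12T03:10:01Z host sshd[1201]: Failed password for root from 203.0.113.5 port 41022 ssh2
2024-09-12T03:10:02Z host sshd[1202]: Failed password for invalid user elasticsearch from 203.0.113.5 port 41024 ssh2
2024-09-12T03:10:03Z host sshd[1203]: Failed password for invalid user hadoop from 203.0.113.5 port 41026 ssh2
2024-09-12T03:10:04Z host sshd[1204]: Failed password for invalid user mysql from 203.0.113.5 port 41028 ssh2
2024-09-12T03:10:05Z host sshd[1205]: Failed password for invalid user postgres from 203.0.113.5 port 41030 ssh2
2024-09-12T03:10:06Z host sshd[1206]: Failed password for admin from 203.0.113.5 port 41032 ssh2
2024-09-12T03:15:00Z host sshd[1300]: Failed password for alice from 198.51.100.20 port 50000 ssh2
2024-09-12T03:15:40Z host sshd[1301]: Accepted publickey for alice from 198.51.100.20 port 50002 ssh2
2024-09-12T04:30:00Z host sshd[1400]: Failed password for invalid user 3comcso from 192.0.2.77 port 2222 ssh2
2024-09-12T04:30:01Z host sshd[1401]: Failed password for invalid user 3comcso from 192.0.2.77 port 2224 ssh2
2024-09-12T04:30:02Z host sshd[1402]: Accepted password for root from 192.0.2.77 port 2226 ssh2
"""

FAIL_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)
ACCEPT_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+)"
)

# Default and service accounts the report names as brute-force favourites.
WATCHED_USERS = {"root", "admin", "3comcso", "elasticsearch", "hadoop", "mysql", "postgres"}


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def analyze(log_text: str, threshold: int = 5, window: timedelta = timedelta(minutes=10)) -> dict:
    """Return {source_ip: finding} for sources that look like brute-force activity."""
    fails = defaultdict(list)    # ip -> [(ts, user)]
    accepts = defaultdict(list)  # ip -> [(ts, user)]
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            fails[m["ip"]].append((parse_ts(m["ts"]), m["user"]))
            continue
        m = ACCEPT_RE.match(line)
        if m:
            accepts[m["ip"]].append((parse_ts(m["ts"]), m["user"]))

    findings = {}
    for ip, events in fails.items():
        events.sort()
        # Sliding window: largest number of failures that fall within `window`.
        peak, start = 0, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        watched = sorted({u for _, u in events if u in WATCHED_USERS})
        # A successful login from the same source after its last failure is the
        # highest-priority signal: the guessing may have worked.
        last_fail = events[-1][0]
        success_after = [u for ts, u in accepts.get(ip, []) if ts >= last_fail]
        if peak >= threshold or watched:
            findings[ip] = {
                "failures": len(events),
                "peak_in_window": peak,
                "watched_users": watched,
                "success_after_failures": success_after,
            }
    return findings


if __name__ == "__main__":
    for ip, f in analyze(SAMPLE_AUTH_LOG).items():
        print(ip, f)
```

A single failure followed by a key-based login (the alice lines) is ordinary user behaviour and is not flagged; the 192.0.2.77 source is flagged for a watched username and, more importantly, for an accepted password login for root right after its failures, which should be treated as a possible compromise rather than just a blocked attempt.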

Cyble Recommendations

Cyble researchers offered a number of recommendations for subscribers in the report:

  • Block the listed hashes, URLs, and email addresses on security systems.
  • Immediately patch all open vulnerabilities listed here and routinely monitor the top Suricata alerts in internal networks.
  • Constantly check for attackers’ ASNs and IPs in the real-time attack table.
  • Block brute-force attack IPs and the targeted ports listed in the IoC table in security products.
  • Immediately reset default usernames and passwords to mitigate brute-force attacks, and enforce periodic changes.
  • For servers, set strong passwords that are difficult to guess.