Cyble Sensors Detect Attacks on Java Framework, IoT Devices
Overview
Cyble’s weekly sensor intelligence report detailed more than 30 active attack campaigns against known vulnerabilities.
New attacks were observed against a path traversal vulnerability in the Spring Java framework, and more than 400,000 exploitation attempts were recorded against a known IoT vulnerability in the Treck TCP/IP stack.
Cyble’s Vulnerability Intelligence unit also observed thousands of brute-force attacks and hundreds of phishing campaigns.
Here are some highlights from Cyble’s October 17 sensor report sent to clients.
CVE-2024-38816: Spring Java Framework Exploit
CVE-2024-38816 is a high-severity path traversal vulnerability in the widely used Spring Framework; at the time of the report it was still awaiting NVD assessment. Applications that serve static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are affected.
An attacker can craft HTTP requests containing traversal sequences and read any file on the file system that is readable by the process the Spring application runs as. Specifically, an application is vulnerable only when both of the following are true: it uses RouterFunctions to serve static resources, and resource handling is explicitly configured with a FileSystemResource location.
Malicious requests are blocked and rejected when either of the following is true: the Spring Security HTTP Firewall is in use, or the application runs on Tomcat or Jetty. In practice this concentrates the exposure in deployments on other servers, for example WebFlux applications on Reactor Netty. The fix is to upgrade to Spring Framework 5.3.40, 6.0.24 or 6.1.13 (or later). Because the vulnerable condition requires a FileSystemResource location, a quick exposure check is to search application code and configuration for RouterFunctions.resources(...) calls backed by a FileSystemResource and confirm which servlet or reactive server each such application runs on.
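To make the failure mode concrete, here is an added example (not Spring Framework code, and not taken from the report) of a toy static-resource resolver. It maps a URL path onto a base directory the way a FileSystemResource location does, first in a naive form that can be walked out of the base with traversal segments, then in a form that pins the result under the base. The BASE path and the request paths are constructed for the demonstration; posixpath is used so the behaviour is the same on any operating system.

```python
"""Toy model of the path-traversal failure mode behind CVE-2024-38816.

Added example, not Spring Framework code: a static-resource resolver that
maps a URL path onto a base directory, first in a naive form that can be
walked out of the base with '..' segments, then in a form that pins the
result under the base. BASE and the request paths are constructed for the
demo; posixpath is used so the behaviour is identical on any OS.
"""
import posixpath
from typing import Optional
from urllib.parse import unquote

# Constructed base directory standing in for a FileSystemResource location.
BASE = "/opt/app/static"


def naive_resolve(request_path: str) -> str:
    """Vulnerable: URL-decode once, join onto BASE, let normpath collapse '..'.

    Nothing checks that the collapsed path is still under BASE, so a
    request for ../../../etc/passwd resolves to /etc/passwd.
    """
    decoded = unquote(request_path)
    return posixpath.normpath(posixpath.join(BASE, decoded.lstrip("/")))


def safe_resolve(request_path: str) -> Optional[str]:
    """Hardened: decode to a fixed point, reject odd characters, then require
    the normalized result to be BASE itself or a descendant of BASE.

    Returns the resolved path, or None when the request must be rejected.
    """
    decoded = request_path
    for _ in range(3):  # bounded loop: catches %252e-style double encoding
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    # NUL bytes and backslashes have no place in a resource path; a
    # backslash becomes a directory separator once the path reaches Windows.
    if "\x00" in decoded or "\\" in decoded:
        return None
    candidate = posixpath.normpath(posixpath.join(BASE, decoded.lstrip("/")))
    if candidate != BASE and not candidate.startswith(BASE + "/"):
        return None
    return candidate


if __name__ == "__main__":
    for req in ("css/site.css",
                "../../../etc/passwd",
                "%2e%2e/%2e%2e/%2e%2e/etc/passwd",
                "%252e%252e/%252e%252e/%252e%252e/etc/passwd"):
        print(f"{req!r:50} naive={naive_resolve(req)!r:45} safe={safe_resolve(req)!r}")
```

The double-encoded request is the instructive case: the naive resolver decodes it once and treats the remaining %2e segments as literal directory names, so it looks harmless at this layer and only becomes a traversal if a later component decodes again. The hardened resolver decodes until the string stops changing and then applies the containment check to the final form, which is the same order of operations a request firewall such as the Spring Security HTTP Firewall enforces before a path reaches the resource handler.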
CVE-2020-11899: Treck TCP/IP Stack
CVE-2020-11899 is a medium-severity out-of-bounds read in the IPv6 component of the Treck TCP/IP stack, a compact TCP/IP implementation designed for the limited memory of embedded devices. The flaw affects Treck TCP/IP versions before 6.0.1.66 and is one of the 19 "Ripple20" vulnerabilities disclosed by JSOF in 2020, which collectively can lead to data theft, changes in device behavior or function, network intrusion, device takeover, and other malicious activity. Because the stack is licensed to many vendors and compiled into their firmware, affected devices rarely expose a Treck version string, so exposure usually has to be established from vendor advisories rather than from a version number.
Cyble sensors detected more than 411,000 attacks on the CVE-2020-11899 vulnerability from Oct. 9 to 15, 2024, often in an attempt to gain administrator privileges (image below).
Cyble sensors also detected attacks against other Ripple20 vulnerabilities during this period, most notably CVE-2020-11900, a double-free vulnerability in the IPv4 tunneling component of the Treck TCP/IP stack before 6.0.1.41. IoT environments that may contain these vulnerabilities should check for exposures and apply appropriate mitigations.
CISA's Ripple20 advisory (ICSA-20-168-01), updated last month, lists 17 industrial, medical, and critical infrastructure device manufacturers whose products were potentially affected by the vulnerabilities.
Linux, PHP, and Other Attacks Persist
Several other recently reported exploits observed by Cyble remain active. Linux systems remain under attack as threat actors (TAs) have become increasingly resourceful at delivering malware through package managers and other channels; CoinMiner, Mirai, and IRCBot campaigns remain active threats against Linux hosts.
Previously reported vulnerabilities in PHP (CVE-2024-4577, a CGI argument injection affecting PHP on Windows), GeoServer (CVE-2024-36401, remote code execution through unsafe XPath evaluation), and AVTECH IP cameras (CVE-2024-7029, a command injection in the camera web interface) also remain under active attack.
Phishing Scams Detected by Cyble
Cyble detected 478 new phishing email addresses this week, a multi-week high. Below is a table listing the email subject lines and deceptive email addresses used in six prominent scam campaigns.
E-mail subject                  | Sender address                  | Scam type                    | Description
ABOUT YOUR PAYMENT…             | dr.sumitra@ukrit.in             | Claim scam                   | Fake refund offered against a claim
ATTN: Lucky Winner              | santaluciasrspen1@spainmail.com | Lottery/prize scam           | Fake prize winnings used to extract money or information
GOD BLESS YOU….                 | info@advanceairsystem.com       | Donation scam                | Scammers posing as donors offering to give money
My Donation                     | test@cinematajrobi.ir           | Investment scam              | Unrealistic investment offers to steal funds or data
Order 21542906: cleared customs | support@recryptogen.com         | Shipping scam                | Unclaimed-shipment pretext used to demand fees or details
UN Compensation Fund            | info@usa.com                    | Government organization scam | Fake government compensation used to collect financial details
Brute-Force Attacks
Cyble sensors detected thousands of brute-force attacks during the reporting period. The top five source countries and the ports they targeted were: Vietnam, ports 22 (52%), 3389 (25%) and 445 (22%); the United States, ports 5900 (58%), 22 (20%), 3389 (15%), 445 (5%) and 135 (2%); and Ukraine, Russia and Greece, mainly ports 3389, 1433, 5900 and 445. These are the service ports for SSH (22), RDP (3389), SMB (445), VNC (5900), Microsoft SQL Server (1433) and the RPC endpoint mapper (135), all of which are routinely scanned for weak credentials. Security analysts are advised to add blocks on their security systems for the attacked ports (the report lists 22, 3389, 443, 445, 5900 and 3306). Where a port cannot be closed outright, 443 being the obvious case, restrict it by source IP or ASN and alert on repeated authentication failures from a single source instead.
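The per-country, per-port percentages above are the output of exactly the kind of aggregation a defender can run on their own logs. The following is an added example (not Cyble's sensor logic): it parses authentication results from a simple key=value connection-log format, flags source IPs that accumulate repeated failures against one destination port inside a sliding time window, and summarises the targeted ports as percentages the way the report does. The log format itself and every line in SAMPLE_LOG are constructed for the demonstration.

```python
"""Brute-force detection over constructed connection-log lines.

Added example, not Cyble's sensor logic: parse authentication results from a
simple key=value log format, flag source IPs that rack up repeated failures
against one destination port inside a time window, and summarise the
targeted ports as percentages the way the report does. SAMPLE_LOG and the
format itself are constructed for the demo.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, Iterator, Tuple

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\d{1,3}(?:\.\d{1,3}){3}) "
    r"dport=(?P<dport>\d+) result=(?P<result>OK|FAIL)"
)

# Constructed sample: one SSH brute-forcer, one RDP brute-forcer, one
# legitimate client with two failures before a successful SMB login, and a
# malformed line the parser should skip.
SAMPLE_LOG = """\
2024-10-12T03:00:00Z src=192.0.2.10 dport=445 result=FAIL user=alice
2024-10-12T03:14:01Z src=203.0.113.7 dport=22 result=FAIL user=root
2024-10-12T03:14:03Z src=203.0.113.7 dport=22 result=FAIL user=admin
2024-10-12T03:14:05Z src=203.0.113.7 dport=22 result=FAIL user=ubuntu
2024-10-12T03:14:08Z src=203.0.113.7 dport=22 result=FAIL user=pi
2024-10-12T03:14:11Z src=203.0.113.7 dport=22 result=FAIL user=test
2024-10-12T03:14:14Z src=203.0.113.7 dport=22 result=FAIL user=oracle
2024-10-12T03:20:00Z src=198.51.100.23 dport=3389 result=FAIL user=Administrator
2024-10-12T03:20:10Z src=198.51.100.23 dport=3389 result=FAIL user=Administrator
2024-10-12T03:20:20Z src=198.51.100.23 dport=3389 result=FAIL user=Administrator
2024-10-12T03:20:30Z src=198.51.100.23 dport=3389 result=FAIL user=Administrator
2024-10-12T03:20:40Z src=198.51.100.23 dport=3389 result=FAIL user=Administrator
2024-10-12T03:30:00Z src=192.0.2.10 dport=445 result=FAIL user=alice
2024-10-12T03:31:00Z src=192.0.2.10 dport=445 result=OK user=alice
garbage line that does not match the format
"""

Event = Tuple[datetime, str, int, str]


def parse(lines: Iterable[str]) -> Iterator[Event]:
    """Yield (timestamp, src, dport, result); silently skip unparseable lines."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        yield ts, m["src"], int(m["dport"]), m["result"]


def brute_force_sources(lines: Iterable[str], threshold: int = 5,
                        window: timedelta = timedelta(minutes=10)) -> Dict[str, Dict[int, int]]:
    """Return {src: {dport: total_failures}} for every (src, dport) pair that
    produced at least `threshold` failures within some `window`-long span.

    A sliding window is used so that bursts are flagged wherever they fall,
    while a handful of failures spread over a long period is not.
    """
    failures: Dict[str, Dict[int, list]] = defaultdict(lambda: defaultdict(list))
    for ts, src, dport, result in parse(lines):
        if result == "FAIL":
            failures[src][dport].append(ts)

    flagged: Dict[str, Dict[int, int]] = {}
    for src, ports in failures.items():
        for dport, stamps in ports.items():
            stamps.sort()
            for i, start in enumerate(stamps):
                j = i
                while j < len(stamps) and stamps[j] - start <= window:
                    j += 1
                if j - i >= threshold:
                    flagged.setdefault(src, {})[dport] = len(stamps)
                    break
    return flagged


def port_share(flagged: Dict[str, Dict[int, int]]) -> Dict[int, int]:
    """Rounded percentage of flagged failures per targeted port, the same
    breakdown the report gives per source country."""
    per_port: Counter = Counter()
    for ports in flagged.values():
        for dport, n in ports.items():
            per_port[dport] += n
    total = sum(per_port.values())
    return {p: round(100 * n / total) for p, n in per_port.items()} if total else {}


if __name__ == "__main__":
    hits = brute_force_sources(SAMPLE_LOG.splitlines())
    for src, ports in hits.items():
        print(f"block {src}: {ports}")
    print("targeted ports:", port_share(hits))
```

On the constructed sample the two bursting sources are flagged and the legitimate client is not, because its two failures fall 30 minutes apart and never share a 10-minute window. The flagged source list is what feeds the "block brute-force IPs" recommendation below; the port breakdown tells you which services are actually being hammered and therefore which ports to restrict first.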
Recommendations and Mitigations
Cyble researchers recommend the following security controls:
Block the indicator hashes, URLs and sender addresses on security systems (Cyble clients received a separate IoC list).
Immediately patch the open vulnerabilities listed here and routinely monitor the top Suricata alerts on internal networks.
Continuously check for the attackers' ASNs and IPs.
Block the brute-force source IPs and restrict the targeted ports listed above.
Immediately reset default usernames and passwords to mitigate brute-force attacks, and enforce periodic changes.
For servers, set strong, hard-to-guess passwords; where possible, prefer key-based authentication for SSH and place RDP and VNC behind a VPN or an MFA-protected gateway rather than exposing them directly to the internet.
Conclusion
With active threats against multiple systems highlighted, companies need to remain vigilant and responsive. The volume of brute-force attacks and phishing campaigns shows how much exposed attack surface, in unpatched software, open management ports and reachable mailboxes, organizations still carry.
To protect their digital assets, organizations should address known vulnerabilities and implement recommended security controls, such as blocking malicious IPs and securing network ports. A proactive and layered security approach will be key in protecting defenses against exploitation and data breaches.
The post Cyble Sensors Detect Attacks on Java Framework, IoT Devices appeared first on Cyble.