Cyble Sensors Detect Attacks on Ivanti, PHP, SAML, Network Devices, and More

Overview

Cyble's honeypot sensors detected dozens of vulnerabilities under active attack in its most recent sensor intelligence report, including fresh attacks on an Ivanti vulnerability.

Threat actors also targeted vulnerabilities affecting PHP and the Ruby SAML library. Cyble's Dec. 19 report noted that unpatched network and IoT devices remain popular targets for attackers looking to breach networks and add to botnets.

The report also looked at Linux and Windows exploits, common brute-force attacks, and phishing campaigns.

Vulnerabilities Under Attack

Cyble detected fresh attacks on CVE-2024-7593, a critical authentication bypass vulnerability in the authentication algorithm implementation of Ivanti's Virtual Traffic Manager (vTM); the fixed releases 22.2R1 and 22.7R2 are not affected. The 9.8-severity vulnerability allows a remote, unauthenticated attacker to bypass authentication on the admin panel. It was added to CISA's Known Exploited Vulnerabilities catalog in September, one of 11 Ivanti vulnerabilities CISA has added to the KEV catalog this year.

CVE-2024-4577 also remains under attack. The critical PHP vulnerability affects PHP running in CGI mode on Windows, where the operating system's Best-Fit character mapping turns a soft hyphen (%AD) in the query string into a hyphen, so URL parameters are passed to php-cgi as command-line options. It remains exploitable in PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, and 8.3.* before 8.3.8. The 9.8-severity vulnerability enables attackers to execute arbitrary commands through specially crafted URL parameters.

CVE-2024-45409, a vulnerability in the Ruby SAML library for implementing the client side of SAML authorization, also remains a frequent target. In versions 1.12.2 and earlier, and 1.13.0 through 1.16.0, the library fails to properly verify the signature of SAML Responses. The flaw allows an unauthenticated attacker with access to any signed SAML document issued by the IdP to forge a SAML Response or Assertion with arbitrary contents, enabling login as any user of the affected system. The issue is resolved in versions 1.17.0 and 1.12.3.
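Because the fix for CVE-2024-45409 is a version bump, the quickest check is against the lockfile rather than the running app. The following is an added example (not Cyble's code and not part of the ruby-saml project) that parses a Gemfile.lock and flags ruby-saml versions inside the affected ranges stated above. The lockfile excerpt is constructed for illustration; the version-range predicate is written so other gems and ranges can be plugged in the same way.

```python
"""Flag ruby-saml versions affected by CVE-2024-45409 in a Gemfile.lock.

Added example (not Cyble's or the ruby-saml project's code). The lockfile text
below is constructed for illustration; the affected ranges come from the advisory.
"""
import re


def parse_version(text):
    """'1.12.3' -> (1, 12, 3); trailing tags such as '.rc1' become extra ints."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def is_vulnerable_ruby_saml(version):
    """Affected: <= 1.12.2 and 1.13.0 through 1.16.0. Fixed: 1.12.3 and 1.17.0."""
    v = parse_version(version)
    return v <= (1, 12, 2) or (1, 13, 0) <= v <= (1, 16, 0)


# A spec line inside the GEM/specs block looks like "    ruby-saml (1.15.0)";
# its dependencies are indented two spaces deeper and are deliberately not matched.
SPEC_LINE = re.compile(r"^ {4}(?P<name>[A-Za-z0-9_.-]+) \((?P<version>[^)\s]+)\)\s*$")


def find_vulnerable_gems(lockfile_text, checks):
    """Return [(gem, version)] for every spec whose version the matching
    predicate in `checks` (gem name -> version predicate) flags."""
    findings = []
    in_specs = False
    for line in lockfile_text.splitlines():
        if line.strip() == "specs:":
            in_specs = True
            continue
        if line and not line.startswith(" "):  # new top-level section (PLATFORMS, DEPENDENCIES, ...)
            in_specs = False
        if not in_specs:
            continue
        m = SPEC_LINE.match(line)
        if m and m["name"] in checks and checks[m["name"]](m["version"]):
            findings.append((m["name"], m["version"]))
    return findings


# Constructed Gemfile.lock excerpt: an app pulling a vulnerable ruby-saml via omniauth-saml.
SAMPLE_LOCK = """\
GEM
  remote: https://rubygems.org/
  specs:
    nokogiri (1.16.7-x86_64-linux)
      racc (~> 1.4)
    omniauth-saml (2.1.0)
      omniauth (~> 2.0)
      ruby-saml (~> 1.12)
    racc (1.8.1)
    rexml (3.3.9)
    ruby-saml (1.15.0)
      nokogiri (>= 1.13.10)
      rexml

PLATFORMS
  x86_64-linux

DEPENDENCIES
  omniauth-saml
"""

if __name__ == "__main__":
    hits = find_vulnerable_gems(SAMPLE_LOCK, {"ruby-saml": is_vulnerable_ruby_saml})
    for gem, version in hits:
        print(f"{gem} {version}: affected by CVE-2024-45409, upgrade to 1.17.0 (or 1.12.3 on the 1.12 line)")
```

Note that the version in the lockfile is what ships, regardless of the `~> 1.12` constraint in the dependency line; a pinned `1.12.3` on the 1.12 line is safe, while `1.16.0` is not, which is why the check compares full version tuples rather than the major.minor prefix.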

Network and IoT Devices Under Attack

Network and IoT devices remain particularly popular with threat actors, as they provide both entry points into networks and additional nodes for botnets. With many devices still unpatched against vulnerabilities from 2023 and earlier, Cyble noted that the following network vulnerabilities remain particularly popular with attackers:

CVE-2023-20198, a 10.0-severity vulnerability in the web UI feature of the Cisco IOS XE operating system, lets an unauthenticated attacker create a privilege-15 local account and is being chained with CVE-2023-20273 to gain root privileges on vulnerable devices.

CVE-2023-4966 (Citrix Bleed) is a sensitive information disclosure vulnerability in Citrix NetScaler ADC and NetScaler Gateway when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server; the leaked memory can include valid session tokens, which let attackers bypass authentication, including MFA.

CVE-2023-1389 is a command injection vulnerability in the country form of the /cgi-bin/luci;stok=/locale endpoint on the web management interface of TP-Link Archer AX21 (AX1800) firmware versions before 1.1.4 Build 20230219. Specifically, the country parameter of the write operation was not sanitized before being used in a call to popen(), allowing an unauthenticated attacker to inject commands, which would be run as root, with a simple POST request.

CVE-2023-46747 allows undisclosed requests to bypass configuration utility authentication in F5 BIG-IP, letting an attacker with network access to the system through the management port and/or self-IP addresses execute arbitrary system commands.

Vulnerabilities in real-time operating systems (RTOS) and embedded devices remain extremely popular with attackers, exposing operational technology (OT) networks with vulnerable devices to attack.

One last vulnerability attackers keep returning to is CVE-2023-47643, an unauthorized GraphQL introspection vulnerability in the SuiteCRM Customer Relationship Management (CRM) system in versions before 8.4.2. The flaw allows an attacker to retrieve the GraphQL schema without authentication, revealing all object types, arguments, functions, and sensitive fields such as UserHash. With the exposed API attack surface mapped, attackers can use this information to go after sensitive data.

Linux systems remain under continual attack by CoinMiner, Mirai botnet, and IRCBot malware, while hundreds of WannaCry ransomware samples continue to be detected each week on Windows 10, Windows Server 2016, and older systems that still lack the MS17-010 SMBv1 patches (CVE-2017-0147).
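Three of the flaws above (CVE-2024-4577, CVE-2023-1389, and CVE-2023-47643) are exploited with a single HTTP request, so they are good candidates for request-level signatures. The following is an added example (not Cyble's detection content and not Suricata rules) that applies one signature per CVE to a handful of constructed request records. The record shape (src, method, uri, body, authed) is an assumption standing in for whatever your reverse proxy or WAF logs; the `authed` flag is needed because a schema query from a logged-in SuiteCRM user is legitimate, and only the unauthenticated case is the vulnerability.

```python
"""Request-level signatures for the web-exploited CVEs in the report.

Added example, not Cyble's code. The request records are constructed in a
hypothetical proxy/WAF log shape (method, uri, body, authed) so that request
bodies and session state can be inspected; a plain access log without bodies
would only catch the PHP-CGI case.
"""
import re
from urllib.parse import parse_qs, unquote_to_bytes, urlsplit

# CVE-2024-4577: on Windows, Best-Fit maps the soft hyphen (0xAD) to '-', so a
# query string such as "%ADd allow_url_include=1" reaches php-cgi as "-d ...".
SOFT_HYPHEN_OPTION = re.compile(rb"\xad[a-zA-Z]")


def match_cve_2024_4577(r):
    query = urlsplit(r["uri"]).query
    return SOFT_HYPHEN_OPTION.search(unquote_to_bytes(query)) is not None


def match_cve_2023_1389(r):
    # TP-Link Archer AX21: unauthenticated POST to the luci locale endpoint with
    # a bogus stok, writing the country form (the value goes to popen() as root).
    parts = urlsplit(r["uri"])
    if r["method"] != "POST" or "/cgi-bin/luci" not in parts.path or ";stok=/locale" not in parts.path:
        return False
    if "form=country" not in parts.query:
        return False
    form = parse_qs(r.get("body") or "", keep_blank_values=True)
    return form.get("operation", [""])[0] == "write"


# CVE-2023-47643: GraphQL introspection against SuiteCRM 8's API endpoint
# without an authenticated session.
INTROSPECTION = re.compile(r"__schema\b|__type\s*\(")


def match_cve_2023_47643(r):
    path = urlsplit(r["uri"]).path.lower().rstrip("/")
    if not path.endswith("/api/graphql") or r.get("authed"):
        return False
    return INTROSPECTION.search(r.get("body") or "") is not None


SIGNATURES = {
    "CVE-2024-4577": match_cve_2024_4577,
    "CVE-2023-1389": match_cve_2023_1389,
    "CVE-2023-47643": match_cve_2023_47643,
}


def scan(records):
    """Return [(cve_id, source_ip)] for every record that matches a signature."""
    hits = []
    for r in records:
        for cve, fn in SIGNATURES.items():
            if fn(r):
                hits.append((cve, r["src"]))
    return hits


# Constructed request records (RFC 5737 documentation addresses).
SAMPLE_REQUESTS = [
    {"src": "203.0.113.10", "method": "POST",
     "uri": "/php-cgi/php-cgi.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input",
     "body": "<?php echo shell_exec('whoami'); ?>", "authed": False},
    {"src": "198.51.100.7", "method": "POST",
     "uri": "/cgi-bin/luci/;stok=/locale?form=country",
     "body": "operation=write&country=$(id>/tmp/out)", "authed": False},
    {"src": "192.0.2.44", "method": "POST", "uri": "/Api/graphql",
     "body": '{"query":"{ __schema { types { name fields { name } } } }"}', "authed": False},
    {"src": "192.0.2.99", "method": "GET", "uri": "/index.php?page=home&lang=en-US",
     "body": "", "authed": True},
    {"src": "192.0.2.100", "method": "POST", "uri": "/Api/graphql",
     "body": '{"query":"{ __schema { types { name } } }"}', "authed": True},
]

if __name__ == "__main__":
    for cve, src in scan(SAMPLE_REQUESTS):
        print(f"{src} -> {cve}")
```

The PHP check decodes the query string to bytes rather than text on purpose: `%AD` is not valid UTF-8 on its own, and a text decode with replacement characters would erase exactly the byte the signature looks for.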

Remote Protocols Targeted in Brute-Force Attacks

Remote access protocols, particularly VNC (port 5900), remain popular targets of brute-force attacks. Examining the ports most targeted by the top five attacker countries, attacks originating from the United States targeted ports 5900 (42%), 22 (36%), 3389 (14%), 80 (5%), and 23 (3%). Attacks originating from Russia targeted ports 5900 (81%), 445 (7%), 22 (5%), 23 (3%), and 1433 (3%). The Netherlands, Jordan, and China mainly targeted ports 5900, 22, and 445.

Security analysts are advised to add blocks for frequently attacked ports (such as 22, 3389, 443, 445, 5900, and 3306) on firewalls and other security systems wherever those services do not need to be reachable from the internet, and to put the services that must stay exposed behind a VPN or source allow-list.
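The blocking advice above presumes you can tell a brute-force source from a user who mistyped a password twice. The following is an added example (not Cyble's code) of the usual way to do that: a sliding-window count of failed logins per source and destination port over honeypot or auth-log events, emitting one drop rule per offender. The key=value log format, the threshold of 5 failures, and the 60-second window are assumptions to be tuned per environment; the event lines are constructed.

```python
"""Sliding-window brute-force detector over failed-login events for the remote
protocols named in the report (VNC 5900, SSH 22, RDP 3389, SMB 445, Telnet 23, MSSQL 1433).

Added example, not Cyble's code. The event lines are constructed in a hypothetical
key=value honeypot log format; threshold and window are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

EVENT = re.compile(r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dport=(?P<dport>\d+) result=(?P<result>\w+)")

PORT_SERVICE = {22: "ssh", 23: "telnet", 445: "smb", 1433: "mssql", 3389: "rdp", 5900: "vnc"}


def parse_event(line):
    """Return (timestamp, src, dport, result) or None for lines that do not match."""
    m = EVENT.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["src"], int(m["dport"]), m["result"]


def detect_bruteforce(lines, threshold=5, window_s=60):
    """Return {(src, dport): peak_count} for sources whose failed attempts on one
    port reach `threshold` within any `window_s`-second window. Lines are
    expected in time order, as they arrive from a log shipper."""
    windows = defaultdict(deque)
    offenders = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        ts, src, dport, result = ev
        if result != "fail":
            continue  # successes are not counted; a later success after many fails is worth its own alert
        q = windows[(src, dport)]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:  # drop attempts that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            offenders[(src, dport)] = max(offenders.get((src, dport), 0), len(q))
    return offenders


def block_rules(offenders):
    """Render one iptables DROP rule per offending source and port."""
    return [f"iptables -I INPUT -s {src} -p tcp --dport {dport} -j DROP  # {PORT_SERVICE.get(dport, 'tcp')}"
            for (src, dport) in sorted(offenders)]


# Constructed events: one VNC brute-forcer, one user with a single typo, and one
# slow scanner that never exceeds the window (RFC 5737 addresses).
SAMPLE_LOG = """\
2024-12-18T10:00:01Z src=203.0.113.5 dport=5900 result=fail
2024-12-18T10:00:03Z src=203.0.113.5 dport=5900 result=fail
2024-12-18T10:00:04Z src=198.51.100.9 dport=22 result=fail
2024-12-18T10:00:06Z src=203.0.113.5 dport=5900 result=fail
2024-12-18T10:00:09Z src=203.0.113.5 dport=5900 result=fail
2024-12-18T10:00:12Z src=203.0.113.5 dport=5900 result=fail
2024-12-18T10:00:15Z src=203.0.113.5 dport=5900 result=fail
2024-12-18T10:00:20Z src=198.51.100.9 dport=22 result=success
2024-12-18T10:01:40Z src=192.0.2.77 dport=22 result=fail
2024-12-18T10:03:20Z src=192.0.2.77 dport=22 result=fail
2024-12-18T10:05:00Z src=192.0.2.77 dport=22 result=fail
2024-12-18T10:06:40Z src=192.0.2.77 dport=22 result=fail
2024-12-18T10:08:20Z src=192.0.2.77 dport=22 result=fail
"""

if __name__ == "__main__":
    for rule in block_rules(detect_bruteforce(SAMPLE_LOG.splitlines())):
        print(rule)
```

The slow scanner in the sample (one attempt every 100 seconds) never trips the 60-second window, which is the trade-off of any windowed counter: lowering the threshold or widening the window catches it at the cost of more false positives on flaky clients, so in practice you pair this with a longer-horizon counter or threat-intel on the source ASN.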

New Phishing Campaigns Detected

Cyble detected 277 new scam and phishing email addresses in the most recent weekly report. Here are six notable ones, including subject lines:

E-mail subject | Sender address | Scam type | Description
Are you interested in investment | Dave@oig.com | Investment scam | Unrealistic investment offer to steal funds or data
UN Compensation Fund. | zagranica@usa.com | Claim scam | Fake compensation fund claim
COMPENSATION FUND OF 5.5 MILLION DOLLARS. | Info@uba.org | Claim scam | Fake compensation fund email
Funding projects up to USD 5 Billion | noreply@order.eventbrite.com | Investment scam | Unrealistic investment offer to steal funds or data
HOTEL AND REAL ESTATE INVESTMENTS | richardowenr928@gmail.com | Investment scam | Fake hotel and real estate investment offer
My Donation | test@cinematajrobi.ir | Donation scam | Fake donation email to steal money

Recommendations and Mitigations

Cyble researchers recommend the following security controls:

  • Block the file hashes, URLs, and email indicators on security systems (Cyble clients received a separate IoC list).
  • Immediately patch all open vulnerabilities listed here and routinely review the top Suricata alerts in internal networks.
  • Continuously check for known attacker ASNs and IPs.
  • Block brute-force attack IPs and restrict exposure of the targeted ports listed.
  • Immediately change default usernames and passwords to mitigate brute-force attacks, and enforce periodic rotation.
  • For servers, set strong passwords that are difficult to guess.

Conclusion

With many active threats against both new and older vulnerabilities, organizations need to remain vigilant and responsive, patching wherever possible and applying mitigations where patching isn't possible. The volume of brute-force attacks and phishing campaigns shows that attackers remain active even heading into the holiday season.

To protect their digital assets, organizations should address known vulnerabilities and implement the recommended security controls, such as blocking malicious IPs and securing network ports. A proactive, layered security approach is key to protecting against exploitation and data breaches.
