Cyble Sensors Detect Attacks on SAML, D-Link, Python Framework

Cyble Sensors Detect Attacks on SAML, D-Link, Python Framework

Key Takeaways


Cyble honeypot sensors detected several new cyberattacks in recent days, targeting vulnerabilities in the Ruby SAML library, D-Link NAS devices, the aiohttp client-server framework, a WordPress plugin, and more.

Cyble’s Vulnerability Intelligence unit also discovered new phishing campaigns and brute-force attacks.

Clients are urged to address the vulnerabilities identified in the report and apply best practices.

Overview

The Cyble Vulnerability Intelligence unit identified several new cyberattacks during the week of Oct. 2-8.

Among the targets are the Ruby SAML library, several D-Link NAS devices, the aiohttp client-server framework used for asyncio and Python, and a popular WordPress plugin used by restaurants and other businesses.

Cyble sensors also uncovered more than 350 new phishing email addresses and thousands of brute-force attacks.

Vulnerabilities Targeted by Threat Actors

The full report for clients looked at more than 40 vulnerabilities under active exploitation by threat actors. Here are four new attacks identified in the report.

Ruby SAML Improper Verification of Cryptographic Signature Vulnerability

The Ruby SAML library implements the client side of SAML authorization. Ruby-SAML in versions up to 1.12.2 and 1.13.0 up to 1.16.0 does not properly verify the signature of the SAML Response. By exploiting the 9.8-severity vulnerability CVE-2024-45409, an unauthenticated attacker with access to any signed SAML document (by the IdP) can forge a SAML Response/Assertion with arbitrary contents. This would allow the attacker to log in as an arbitrary user within the vulnerable system. The vulnerability is fixed in 1.17.0 and 1.12.3.

aiohttp Path Traversal

CVE-2024-23334 is a Path Traversal vulnerability in aiohttp, an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option ‘follow_symlinks’ can be used to determine whether to follow symbolic links outside the static root directory. When ‘follow_symlinks’ is set to True, there is no validation to check if reading a file is within the root directory. This can lead to directory traversal vulnerabilities, resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present. Disabling follow_symlinks and using a reverse proxy are recommended mitigations. Version 3.9.2 fixes this issue.

D-Link NAS Devices Hard-Coded Credentials Vulnerability

A 9.8-severity vulnerability, CVE-2024-3272, is being targeted in end-of-life D-Link NAS devices DNS-320L, DNS-325, DNS-327L, and DNS-340L up to 20240403. The issue affects some unknown processing of the file /cgi-bin/nas_sharing.cgi of the component HTTP GET Request Handler. The manipulation of the argument user with the input messagebus leads to hard-coded credentials. The attack may be initiated remotely, and the exploit has been disclosed to the public. The associated identifier of this vulnerability is VDB-259283. The vendor was contacted early and confirmed immediately that the product is end-of-life. It should be retired and replaced.

PriceListo SQL Injection Vulnerability

CVE-2024-38793 is an improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in the PriceListo Best Restaurant Menu WordPress plugin, allowing for SQL Injection attacks. The issue affects Best Restaurant Menu by PriceListo through 1.4.1.

Previously reported vulnerabilities in PHP (CVE-2024-4577), GeoServer (CVE-2024-36401) and AVTECH IP cameras (CVE-2024-7029) also remain under active attack by threat actors.

Brute-Force Attacks

Cyble sensors also detected thousands of brute-force attacks. Among the top 5 attacker countries, Cyble researchers observed attacks originating from Vietnam targeting ports 22 (43%), 445 (32%), 23 (17%), and 3389 (8%). Attacks originating from Russia targeted ports 3389 (58%), 5900 (35%), 1433 (5%), 3306 (1%) and 445 (1%). Greece, Colombia, and Bulgaria majorly targeted ports 1433, 5900, and 445.

Security Analysts are advised to add security system blocks for the attacked ports (such as 22, 3389, 443, 445, 5900, and 3306).

New Phishing Campaigns Identified

Cyble sensors also detected 351 new phishing email addresses. Below are six phishing scams of note identified by Cyble:

E-mail Subject 
Scammers Email ID 
Scam Type 
Description 

Claim Directives 
info@szhualilian.com 
Claim Scam 
Fake refund against claims 

DEAR WINNER 
contact@wine.plala.or.jp 
Lottery/Prize Scam 
Fake prize winnings to extort money or information 

GOD BLESS YOU…. 
info@advanceairsystem.com 
Donation Scam 
Scammers posing as a Donor to donate money 

CHOSEN- EMAIL 
test@mps.elnusa.co.id 
Investment Scam 
Unrealistic investment offers to steal funds or data 

Order 3038137699167518: cleared customs 
support@otm4n3-recrypto.to   
Shipping Scam 
Unclaimed shipment trick to demand fees or details 

UN Compensation Fund 
info@usa.com 
Government Organization Scam 
Fake government compensation to collect financial details 

Cyble Recommendations

Cyble researchers recommend the following security controls:


Blocking target hashes, URLs, and email info on security systems (Cyble clients received a separate IoC list).

Immediately patch all open vulnerabilities listed here and routinely monitor the top Suricata alerts in internal networks.

Constantly check for Attackers’ ASNs and IPs.

Block Brute Force attack IPs and the targeted ports listed.

Immediately reset default usernames and passwords to mitigate brute-force attacks and enforce periodic changes.

For servers, set up strong passwords that are difficult to guess.

The post Cyble Sensors Detect Attacks on SAML, D-Link, Python Framework appeared first on Cyble.

Blog – Cyble – ​Read More