A recent Cyble sensor intelligence report highlighted numerous active attack campaigns targeting known vulnerabilities across critical infrastructure environments. Notably, there have been new attacks on the SPIP open-source CMS, while ongoing exploits persist against IoT devices. Previously reported campaigns continue to exploit vulnerabilities in PHP, Linux systems, and Java and Python frameworks. Older vulnerabilities in IoT devices and embedded systems continue to be exploited at alarming rates. New to the report are exploits of vulnerabilities that may still be present in some Siemens products and network devices.
“As these vulnerabilities likely exist within some critical infrastructure environments, organizations with internet-facing IoT devices and embedded systems are advised to check for risk exposure and apply necessary mitigations,” the Cyble researchers noted in a recent blog post. “New to the list are attacks on a vulnerability in the SPIP open-source content management (CMS) and publishing system, while previously reported campaigns targeting vulnerabilities in PHP, Linux systems, Java and Python frameworks, and more have continued unabated.”
The researchers noted that SPIP before versions 4.3.2, 4.2.16, and 4.1.18 is vulnerable to a command injection issue reported last month as CVE-2024-8517. “A remote and unauthenticated attacker can execute arbitrary operating system commands by sending a crafted multipart file upload HTTP request. As the vulnerability was found as part of a hacking challenge, multiple published PoCs (Proofs of Concept) have increased the odds that older versions of SPIP will be exploited. SPIP admins are advised to update as soon as possible,” it added.
IoT device attacks detailed earlier declined significantly, as Cyble honeypot sensors detected 31,000 attacks on CVE-2020-11899, a medium-severity ‘Out-of-bounds Read’ vulnerability in the Treck TCP/IP stack before 6.0.1.66.
Last week, Cyble sensors detected more than 411,000 attacks on the vulnerability attempting to gain administrator privileges. CVE-2020-11899 is also part of the ‘Ripple20’ series of Treck TCP/IP vulnerabilities that can lead to data theft, changes in device behavior or function, network intrusion, device takeover, and other malicious activities. Cyble sensors have detected nearly 1 million exploit attempts since August on CVE-2020-11899 and two other ‘Ripple20’ vulnerabilities (CVE-2020-11900 and CVE-2020-11910), so owners of vulnerable internet-facing devices should assume compromise.
The Cyble researchers observed that also, of concern, for critical infrastructure are attacks on four vulnerabilities in the Wind River VxWorks real-time operating system (RTOS) for embedded systems in versions before VxWorks 7 SR620: CVE-2019-12255, CVE-2019-12260, CVE-2019-12261 and CVE-2019-12263.
They also noted that Cyble sensors typically detect 3,000 to 4,000 attacks a week on these vulnerabilities, and as they can be present in a number of older Siemens SIPROTEC 5, RUGGEDCOM Win, Power Meters, and other devices, as well as a number of network devices from major IT companies, any exposure to these vulnerabilities should be considered critical.
Cyble researchers disclosed that attacks against Linux systems and QNAP and Cisco devices remain active, and CoinMiner, Mirai, and IRCBot attacks remain active threats against Linux systems. “Previously reported vulnerabilities in PHP (CVE-2024-4577), GeoServer (CVE-2024-36401), and AVTECH IP cameras (CVE-2024-7029) also remain under active attack by threat actors. The Spring Java framework (CVE-2024-38816) remains a target of threat actors (TAs), and ValvePress WordPress plugins also continue to be targeted.
Also, the Aiohttp client/server framework for asyncio and Python continues to be exploited.
Of the thousands of brute-force attacks detected by Cyble sensors in the most recent reporting period, the top five attacker countries and ports targeted include attacks originating from the U.S. targeting ports were aimed at ports 5900 (43 percent), 3389 (35 percent), 22 (15 percent), 23 (4 percent) and 80 (3 percent). Attacks originating from Russia targeting ports attempted to exploit ports 5900 (75 percent), 1433 (11 percent), 445 (8 percent), 1080 (3 percent), and 3306 (3 percent); and the Netherlands, Greece, and Bulgaria primarily targeted ports 3389, 1433, 5900, and 443.
The Cyble researchers identify that with active threats against multiple systems highlighted, companies need to remain vigilant and responsive. The large number of brute-force attacks and phishing campaigns demonstrates the vulnerability crisis faced by organizations.
Cyble researchers recommend blocking target hashes, URLs, and email info on security systems (Cyble clients received a separate IoC list); immediately patching open vulnerabilities and routinely monitoring the top Suricata alerts in internal networks; constantly checking for Attackers’ ASNs and IPs; block brute force attack IPs and the targeted ports; and immediately reset default usernames and passwords to mitigate brute-force attacks and enforce periodic changes. For servers, set up strong passwords that are difficult to guess.
To safeguard their digital assets, organizations are advised to address known vulnerabilities and implement recommended security measures, such as blocking malicious IP addresses and securing network ports. A proactive and layered security approach is key in protecting defenses against exploitation and data breaches.