Cyble’s Vulnerability Intelligence unit has detected cyberattacks on several key IT products and systems, as threat actors have been quick to exploit vulnerabilities and enterprises slow to patch them.
Some of the attacks have involved new vulnerabilities and delivery methods, while other exploited vulnerabilities have been known for months yet remain unpatched or unmitigated in many instances.
Here are some of the highlights of Cyble’s weekly sensor intelligence report, which also looks at new phishing and brute-force attack detections.
Hackers Take Aim at Telerik UI, QNAP, Cisco and More
Progress Telerik UI for WPF (Windows Presentation Foundation) apparently drew the attention of hackers soon after vulnerabilities were announced on Sept. 25. Two of them, CVE-2024-7576 and CVE-2024-7575, are critical vulnerabilities that could allow code execution and command injection attacks. Versions before 2024 Q3 (2024.3.924) are affected.
Certain end-of-life D-Link routers (DIR-859 1.06B01) contain a 9.8-severity path traversal vulnerability (CVE-2024-0769) that can be exploited remotely, and it continues to draw the interest of threat actors. Users are urged to replace the devices. CISA also added another D-Link router, the DIR-820, to its Known Exploited Vulnerabilities catalog.
Cyble sensors also detected attacks on QNAP QTS firmware, which may contain command injection vulnerabilities that can lead to remote command execution on affected devices. QNAP issued a security advisory on the issue earlier this year.
Cyble sensors have detected hackers scanning for the URL “/+CSCOE+/logon.html”, which is the login page of the Cisco Adaptive Security Appliance (ASA) WebVPN service. The URL has also been found to have vulnerabilities including cross-site scripting, path traversal and HTTP response splitting. Cyble said the vulnerabilities “may allow attackers to execute arbitrary code, steal sensitive information, or cause a denial of service.”
Critical vulnerabilities in PHP (CVE-2024-4577), GeoServer (CVE-2024-36401) and AVTECH IP cameras (CVE-2024-7029) also continue to be targeted by hackers.
Linux Malware Attacks Detected
The Cyble Vulnerability Intelligence unit also detected attacks on Linux systems, including the CoinMiner trojan, which can be installed by other malware or downloaded unknowingly by users visiting malicious sites, and Linux IRCBot attacks, where the IRC connection is exploited as a backdoor, allowing attackers access to a compromised system. “Many affected systems are used as a botnet controlled by the IRC,” Cyble noted.
Threat actors have become “increasingly innovative in delivering Linux malware,” Cyble researchers said. Earlier this year, for example, CoinMiner was found in PyPI (Python Package Index) packages.
Brute-Force Attacks Observed
The Cyble report also contains an interesting look at the ports, usernames and passwords commonly targeted in brute-force attack attempts picked up by honeypot sensors.
Some of the most commonly attacked ports are 22, 3389, 443, 445, 5900 and 3306; security analysts are urged to add security system blocks for attacked ports when possible.
The most common usernames and passwords in brute-force attacks detected by Cyble are typically aimed at hacking into key enterprise systems, with hackers targeting usernames such as “elasticsearch,” “Hadoop,” “mysql” and “Postgres” (see image below).
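As an added illustration of the brute-force pattern described above (example code, not from the Cyble report), the following script counts failed SSH logins per source address in constructed sshd log lines and flags any source that exceeds a failure threshold or probes the service accounts the report names; the five-failure threshold and the log format are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample sshd log lines (not from the Cyble report).
SAMPLE_AUTH_LOG = """\
Oct  1 10:00:01 host sshd[1201]: Failed password for invalid user elasticsearch from 203.0.113.10 port 51022 ssh2
Oct  1 10:00:02 host sshd[1202]: Failed password for invalid user hadoop from 203.0.113.10 port 51023 ssh2
Oct  1 10:00:03 host sshd[1203]: Failed password for mysql from 203.0.113.10 port 51024 ssh2
Oct  1 10:00:04 host sshd[1204]: Failed password for invalid user postgres from 203.0.113.10 port 51025 ssh2
Oct  1 10:00:05 host sshd[1205]: Failed password for root from 203.0.113.10 port 51026 ssh2
Oct  1 10:00:09 host sshd[1210]: Accepted publickey for alice from 198.51.100.7 port 40010 ssh2
Oct  1 10:00:12 host sshd[1211]: Failed password for alice from 198.51.100.7 port 40011 ssh2
"""

# Matches both "Failed password for <user>" and "Failed password for invalid user <user>".
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

# Service accounts the report names as common brute-force targets (compared case-insensitively).
WATCHED_USERS = {"elasticsearch", "hadoop", "mysql", "postgres"}


def summarize_failures(log_text):
    """Return {ip: {"total": n, "users": Counter}} for failed password attempts."""
    summary = defaultdict(lambda: {"total": 0, "users": Counter()})
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue
        entry = summary[m.group("ip")]
        entry["total"] += 1
        entry["users"][m.group("user").lower()] += 1
    return summary


def flag_brute_force(log_text, threshold=5):
    """Flag sources at or above `threshold` failures, or that probe any watched service account."""
    alerts = []
    for ip, entry in summarize_failures(log_text).items():
        hit_services = sorted(WATCHED_USERS & set(entry["users"]))
        if entry["total"] >= threshold or hit_services:
            alerts.append({"ip": ip, "failures": entry["total"], "service_accounts": hit_services})
    return sorted(alerts, key=lambda a: a["failures"], reverse=True)


if __name__ == "__main__":
    for alert in flag_brute_force(SAMPLE_AUTH_LOG):
        print(alert)
```

Flagged sources are candidates for the port-level blocks the report recommends; the single failed login from the second address stays below the threshold and touches no watched account, so it is not reported.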
The Cyble report also contains a number of recommendations for security teams.