Cyble Sensors Detect Exploit Attempts on WordPress Plugins, Network Devices
Cyble honeypot sensors detected exploit attacks against WordPress plugins, network devices, firewalls and other targets, including high-severity vulnerabilities such as remote code execution and SQL injection. Threat actors use these vulnerabilities for ransomware attacks or to add devices to botnets, and continuously scan for vulnerable devices. Organizations are advised to patch immediately, block malicious IPs and strengthen password policies in response to the ongoing threats. 2025-3-11 07:47:2 Author: cyble.com

Cyble honeypot sensors have also detected attack attempts on vulnerabilities known to be targeted by APT groups.

Overview

Cyble honeypot sensors have detected dozens of vulnerabilities targeted in attack attempts in recent weeks, including some known to be targeted by advanced persistent threat (APT) groups.

WordPress plugins, network devices and firewalls have been some of the targets detailed in the threat intelligence company’s weekly sensor intelligence reports to clients.

The Cyble reports have also examined persistent attacks against Linux systems and network and IoT devices as threat actors continue to scan for vulnerable devices for ransomware attacks and to add to DDoS and crypto mining botnets. The reports have also examined banking malware, brute-force attacks, vulnerable ports, and phishing campaigns.

Here are some of the recent attack campaigns covered in the Cyble sensor reports. Users could be vulnerable to attack if affected product versions aren’t patched and mitigated.

WordPress Plugin Attack Attempts

Cyble honeypots have picked up attack attempts on four WordPress plugins in recent weeks.

CVE-2024-9593 is an 8.3-severity Remote Code Execution (RCE) vulnerability in the Time Clock and Time Clock Pro plugins for WordPress in versions up to and including 1.2.2 and 1.1.4, respectively. The vulnerability stems from the etimeclockwp_load_function_callback function, which could allow unauthenticated attackers to execute arbitrary code on the server.

CVE-2024-33575 affects the User Meta user management plugin in versions up to 3.0, and could allow unauthorized actors to access sensitive information. The issue arises due to improper access controls, potentially exposing user data.

CVE-2024-2876 is a 9.8-severity SQL Injection vulnerability in The Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin for WordPress, affecting all versions up to and including 5.7.14. The vulnerability exists in the run function of the IG_ES_Subscribers_Query class due to improper escaping of user-supplied input and inadequate preparation of SQL queries. This flaw allows unauthenticated attackers to inject additional SQL queries, potentially extracting sensitive information from the database.
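The root cause described above, a subscriber query assembled from unescaped input without prepared statements, is illustrated by the following added example. It is not the Icegram Express plugin's code; the function and table names are hypothetical, and it shows the vulnerable pattern beside the hardened form using `$wpdb->prepare()`.

```php
<?php
// Added example (not the plugin's own code). Names are hypothetical.

// Vulnerable pattern: $email_like is interpolated raw into the SQL string, so a
// value containing a quote terminates the literal and appends further SQL.
function es_demo_find_subscribers_unsafe( string $status, string $email_like ): array {
    global $wpdb;
    $table = $wpdb->prefix . 'es_demo_subscribers'; // hypothetical table
    $sql   = "SELECT id, email FROM {$table} WHERE status = '" . esc_sql( $status )
           . "' AND email LIKE '%" . $email_like . "%'";
    return $wpdb->get_results( $sql, ARRAY_A );
}

// Hardened pattern: every value is bound through prepare(); LIKE wildcards are
// escaped with $wpdb->esc_like() so input cannot smuggle % or _; the sort column
// (which cannot be bound as a string) is checked against an allow-list.
function es_demo_find_subscribers( string $status, string $email_like, string $order_by = 'id' ): array {
    global $wpdb;
    $table   = $wpdb->prefix . 'es_demo_subscribers';
    $allowed = array( 'id', 'email', 'status' );
    if ( ! in_array( $order_by, $allowed, true ) ) {
        $order_by = 'id';
    }
    $like = '%' . $wpdb->esc_like( $email_like ) . '%';
    $sql  = $wpdb->prepare(
        "SELECT id, email FROM {$table} WHERE status = %s AND email LIKE %s ORDER BY {$order_by}",
        $status,
        $like
    );
    return $wpdb->get_results( $sql, ARRAY_A );
}
```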

The Hunk Companion WordPress plugin before version 1.9.0 lacks proper authorization for certain REST API endpoints, a vulnerability tracked as CVE-2024-11972. The flaw could allow unauthenticated requests to install and activate arbitrary plugins from the WordPress.org repository, including vulnerable versions of the Hunk Companion plugin that have been closed. The vulnerability could be exploited to deploy malicious or outdated plugins on a targeted site.
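The missing-authorization pattern behind CVE-2024-11972 is illustrated by the following added example, which is not the Hunk Companion plugin's code. The namespace, route and handler names are hypothetical; it shows a REST route registered without a `permission_callback` beside the hardened registration that requires the `install_plugins` capability and validates the slug argument.

```php
<?php
// Added example (not the plugin's own code). Route and handler names are hypothetical.

// Vulnerable pattern: no permission_callback. WordPress 5.5+ logs a
// _doing_it_wrong notice for this, but the route is still served to any
// unauthenticated caller of POST /wp-json/demo/v1/install-plugin.
add_action( 'rest_api_init', function () {
    register_rest_route( 'demo/v1', '/install-plugin', array(
        'methods'  => 'POST',
        'callback' => 'demo_install_plugin_handler',
    ) );
} );

// Hardened pattern: the permission check runs before the callback, requires
// the install_plugins capability, and the slug is sanitized and validated
// before the handler ever sees it.
add_action( 'rest_api_init', function () {
    register_rest_route( 'demo/v1', '/install-plugin-secure', array(
        'methods'             => 'POST',
        'callback'            => 'demo_install_plugin_handler',
        'permission_callback' => function () {
            return current_user_can( 'install_plugins' );
        },
        'args' => array(
            'slug' => array(
                'required'          => true,
                'sanitize_callback' => 'sanitize_key',
                'validate_callback' => function ( $value ) {
                    return is_string( $value ) && preg_match( '/^[a-z0-9-]{1,64}$/', $value ) === 1;
                },
            ),
        ),
    ) );
} );

// Handler shared by both routes; it only acknowledges the request here, the
// actual installation step is out of scope for this example.
function demo_install_plugin_handler( WP_REST_Request $request ) {
    $slug = $request->get_param( 'slug' );
    return new WP_REST_Response( array( 'queued' => $slug ), 202 );
}
```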

Network Device and Firewall Vulnerabilities

Cyble sensors have also picked up attack attempts on numerous network devices in recent weeks.

CVE-2024-11303 is an 8.7-rated Path Traversal vulnerability in Korenix JetPort 5601 serial device servers that could allow unauthorized access to restricted directories by manipulating the pathname. This issue impacts JetPort 5601 versions up to and including 1.2.

CVE-2024-7593 is a 9.8-severity Incorrect Implementation of an Authentication Algorithm vulnerability in Ivanti Virtual Traffic Manager (vTM) that could enable a remote, unauthenticated attacker to bypass admin panel authentication.

CVE-2024-24919 is an 8.6-severity Information Disclosure vulnerability in Check Point Quantum Security Gateways that could potentially allow an attacker to read certain information on the gateways if they are connected to the Internet and enabled with Remote Access VPN or Mobile Access Software Blades.

CVE-2024-3400 is a 10.0-severity arbitrary file creation/command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations that could enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by the vulnerability.

Cyble sensors have detected repeated attack attempts on the CVE-2024-3400 vulnerability in recent weeks, and Microsoft reported recently that Silk Typhoon is attempting to weaponize this vulnerability in IT supply chain attacks. Iranian threat actors have also attempted to exploit both the Palo Alto and Check Point vulnerabilities.

Recommendations and Mitigations

Cyble researchers recommend the following security controls:

  • Blocking target hashes, URLs, and email info on security systems (Cyble clients receive a separate IoC list).
  • Immediately patching all open vulnerabilities listed here and routinely monitoring the top Suricata alerts in internal networks.
  • Continually checking for attackers’ ASNs and IPs (included in the full Cyble reports).
  • Blocking Brute Force attack IPs and the targeted ports listed in the reports.
  • Immediately resetting default usernames and passwords to mitigate brute-force attacks and enforcing periodic changes.
  • For servers, setting up strong passwords that are difficult to guess.

Conclusion

Organizations must remain vigilant in the face of constant threats against both new and older vulnerabilities, patching quickly and applying mitigations where patching isn’t possible.

To protect their digital assets, organizations should address known vulnerabilities and implement recommended security controls, such as blocking malicious IPs and securing network ports. A proactive and layered security approach is critical for defending against exploits and data breaches.

To access full sensor intelligence reports from Cyble, along with IoCs and additional insights and details, click here.


Disclaimer: This blog is based on our research and the information available at the time of writing. It is for informational purposes only and does not constitute legal, financial, or professional advice. While we strive for accuracy, we do not guarantee the completeness or reliability of the content. If any sensitive information has been inadvertently included, please contact us for correction. Cyble is not responsible for any errors, omissions, or decisions made based on this content. Readers should verify findings and seek expert advice where necessary. All trademarks, logos, and third-party content belong to their respective owners and do not imply endorsement or affiliation. All content is presented “as is” without any guarantee that it is free of confidential, proprietary, or otherwise sensitive information. If you believe any portion of this content contains inadvertently shared or sensitive data, please contact us immediately so that we may address and rectify the issue. No Liability for Errors or Omissions Due to the dynamic nature of cyber threat activity, this [blog/report/article] may include partial, outdated, or otherwise incorrect information due to unverified sources, evolving security threats, or human error. We expressly disclaim any liability for errors or omissions or any potential consequences arising from the use, misuse, or reliance on this information.


Source: https://cyble.com/blog/cyble-sensors-wordpress-plugins-network-devices/