Cyble’s weekly sensor intelligence report for clients detailed new attacks on popular WordPress plugins, and IoT exploits continue to occur at very high rates.
Two 9.8-severity vulnerabilities in LiteSpeed Cache and GutenKit are under attack, as WordPress and other CMS and publishing systems remain attractive targets for threat actors.
Vulnerabilities in IoT devices and embedded systems continue to be targeted at alarming rates. In addition to older exploits, this week Cyble Vulnerability Intelligence researchers highlighted an older RDP vulnerability that may still be present in some OT networks. Given the difficulty of patching these systems, vulnerabilities may persist and require additional mitigations.
Vulnerabilities in PHP, Linux systems, and Java and Python frameworks also remain under attack.
Here are some of the details of the Oct. 23-29 sensor intelligence report sent to Cyble clients, which also looked at scam and brute-force campaigns. VNC (Virtual Network Computing) was a prominent target for brute-force attacks this week.
CVE-2024-44000 is an Insufficiently Protected Credentials vulnerability in LiteSpeed Cache that allows Authentication Bypass and could potentially lead to account takeover. The issue affects versions of the WordPress site performance and optimization plugin before 6.5.0.1.
An unauthenticated visitor could gain authenticated access as any logged-in user – and potentially as an Administrator-level account. Patchstack notes that the vulnerability requires certain conditions to be exploited:
Despite those requirements, Cyble sensors are detecting active attacks against this WordPress plugin vulnerability.
The GutenKit Page Builder Blocks, Patterns, and Templates for Gutenberg Block Editor plugin for WordPress is vulnerable to CVE-2024-9234, an arbitrary file upload flaw caused by a missing capability check on the install_and_activate_plugin_from_external() function (the install-active-plugin REST API endpoint) in all versions up to and including 2.1.0. The vulnerability makes it possible for unauthenticated attackers to install and activate arbitrary plugins, or to use the same functionality to upload arbitrary files disguised as plugins.
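The missing-capability-check pattern behind CVE-2024-9234 is easiest to see in the REST route registration itself. The example below is added here and is not GutenKit's code or anything from the Cyble report: it shows a hypothetical plugin route that installs a plugin from a URL, first with no permission check, then with the capability check and source allowlist a plugin author should ship. The namespace, route paths, function name and allowlisted host are assumptions.

```php
<?php
// Added example (hypothetical plugin code, not GutenKit's). Namespace, route
// and function names are assumptions made for illustration only.

// VULNERABLE: '__return_true' means any unauthenticated visitor can reach the
// callback, which is the missing-capability-check class of bug in CVE-2024-9234.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-blocks/v1', '/install-active-plugin', array(
        'methods'             => 'POST',
        'callback'            => 'example_install_and_activate_plugin_from_external',
        'permission_callback' => '__return_true', // no capability check at all
    ) );
} );

// HARDENED: only users with the install_plugins capability reach the callback.
// WordPress honours cookie authentication on REST requests only when a valid
// X-WP-Nonce is present, so a forged cross-site request also fails this check.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-blocks/v1', '/install-active-plugin-secure', array(
        'methods'             => 'POST',
        'callback'            => 'example_install_and_activate_plugin_from_external',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! current_user_can( 'install_plugins' ) ) {
                return new WP_Error( 'rest_forbidden', 'Insufficient capability.', array( 'status' => 403 ) );
            }
            // Restrict install sources to a host this site trusts (assumed allowlist).
            $url = esc_url_raw( (string) $request->get_param( 'plugin_url' ) );
            if ( wp_parse_url( $url, PHP_URL_HOST ) !== 'downloads.wordpress.org' ) {
                return new WP_Error( 'rest_forbidden', 'Untrusted plugin source.', array( 'status' => 403 ) );
            }
            return true;
        },
    ) );
} );

// Shared callback: installs the package at plugin_url, then activates it.
function example_install_and_activate_plugin_from_external( WP_REST_Request $request ) {
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( esc_url_raw( (string) $request->get_param( 'plugin_url' ) ) );
    if ( is_wp_error( $result ) || ! $result ) {
        return new WP_Error( 'install_failed', 'Plugin install failed.', array( 'status' => 500 ) );
    }
    $activated = activate_plugin( $upgrader->plugin_info() );
    return rest_ensure_response( array( 'activated' => ! is_wp_error( $activated ) ) );
}
```

When auditing a plugin, grep its register_rest_route() calls for permission callbacks that return true unconditionally; any such route that writes files or changes plugins is the same bug class.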
As malicious WordPress plugins are becoming an increasingly common threat, admins are advised to take security measures seriously.
IoT device attacks first detailed two weeks ago continue at a very high rate, as Cyble honeypot sensors in the past week detected 361,000 attacks on CVE-2020-11899, a medium-severity Out-of-bounds Read vulnerability in the Treck TCP/IP stack before 6.0.1.66, in attempts to gain administrator privileges.
Also of concern for OT environments are attacks on four vulnerabilities in the Wind River VxWorks real-time operating system (RTOS) for embedded systems in versions before VxWorks 7 SR620: CVE-2019-12255, CVE-2019-12260, CVE-2019-12261 and CVE-2019-12263. Cyble sensors routinely detect 3,000 to 4,000 attacks a week on these vulnerabilities, which can be present in a number of older Siemens devices.
New to the report this week are several hundred attacks on CVE-2019-0708, a 9.8-severity remote code execution vulnerability in Remote Desktop Services found in several older Siemens devices.
A number of other recent exploits observed by Cyble remain active:
Attacks against Linux systems and QNAP and Cisco devices detailed in our Oct. 7 report remain active.
Previously reported vulnerabilities in PHP, GeoServer, and Python and Spring Java frameworks also remain under active attack by threat actors.
Cyble sensors detect thousands of phishing scams a week, and this week identified 385 new phishing email addresses. Below is a table listing the email subject lines and deceptive email addresses used in four prominent scam campaigns.
| E-mail Subject | Scammer's Email ID | Scam Type | Description |
|---|---|---|---|
| VERIFICATION AND APPROVAL OF YOUR PAYMENT FILE | [email protected] | Claim Scam | Fake refund against claims |
| Online Lottery Draw Reference Claim Code | [email protected] | Lottery/Prize Scam | Fake prize winnings to extort money or information |
| RE: Great News | [email protected] | Investment Scam | Unrealistic investment offers to steal funds or data |
| Re: Consignment Box | [email protected] | Shipping Scam | Unclaimed shipment trick to demand fees or details |
Of the thousands of brute-force attacks detected by Cyble sensors in the most recent reporting period, Virtual Network Computing (VNC, port 5900) servers were among the top targets of threat actors. Here are the top 5 attacker countries and ports targeted:
Security analysts are advised to add firewall or security-system blocks for the most-attacked ports (typically 22, 3389, 443, 445, 5900, 1433, 1080, and 3306), restricting them to trusted sources where the service must remain reachable.
Cyble researchers recommend the following security controls:
With active threats against multiple critical systems highlighted, companies need to remain vigilant and responsive. WordPress and VNC installations and IoT devices were some of the bigger attack targets this week and are worth additional attention by security teams. The high volume of brute-force attacks and phishing campaigns demonstrates the general vulnerability crisis faced by organizations.
To protect their digital assets, organizations should address known vulnerabilities and implement recommended security controls, such as blocking malicious IPs and securing network ports. A proactive and layered security approach is key in protecting defenses against exploitation and data breaches.