Vulnerability Intelligence: Cyberattacks On Spring & IoT Devices
Cyble's vulnerability intelligence unit has shared a report detailing recent cyberattacks on the Spring Java framework and on hundreds of thousands of Internet of Things (IoT) devices. The report sheds light on over 30 active attack campaigns targeting well-known vulnerabilities.
Among these, attention centres on CVE-2024-38816, a critical vulnerability affecting the Spring Java framework. The report also notes that more than 400,000 attacks exploited a single vulnerability affecting IoT devices.
Cyble Vulnerability Intelligence Unit Highlights Key Flaws in Multiple Systems
CVE-2024-38816: Exploitation of the Spring Java Framework
CVE-2024-38816 is a severe path traversal vulnerability in the widely used Spring Java framework; at the time of the report it was still under assessment by the National Vulnerability Database (NVD). It allows attackers to craft malicious HTTP requests that can read sensitive files on the system where the Spring application is running. Applications that use RouterFunctions to serve static resources from a FileSystemResource location are the ones at risk.
Importantly, certain defenses can block these malicious requests. If the Spring Security HTTP Firewall is enabled, or if the application is hosted on platforms like Tomcat or Jetty, these attacks can be effectively mitigated.
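As an added illustration that is not part of Cyble's report or of Spring's own code, the following Python checker applies the condition described above (a request to a static-resource route that, once decoded and resolved, points outside that route's root) to constructed access-log lines. The `/static/` prefix, the log lines and the percent-encoded variants are assumptions made for the example.

```python
import posixpath
import re
from urllib.parse import unquote

# Assumed route prefix, standing in for a RouterFunctions.resources() mapping
# backed by a FileSystemResource (example assumption, not from the report).
RESOURCE_PREFIX = "/static/"

# Common log format: client, identd, user, [timestamp], "request line", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def decode_path(raw: str, max_rounds: int = 3) -> str:
    """Strip the query, percent-decode repeatedly (catches %252e double encoding), fold backslashes."""
    path = raw.split("?", 1)[0]
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")

def escapes_root(raw_path: str, prefix: str = RESOURCE_PREFIX) -> bool:
    """True when a request to the resource route resolves outside that root once '..' is collapsed."""
    decoded = decode_path(raw_path)
    if not decoded.startswith(prefix):
        return False  # not a static-resource request; out of scope here
    resolved = posixpath.normpath(decoded)
    return not (resolved + "/").startswith(prefix)

def flag_traversal(log_lines):
    """Return (client, raw path, status) per escaping request; a 200 status is what an analyst triages first."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and escapes_root(m.group("path")):
            hits.append((m.group("ip"), m.group("path"), m.group("status")))
    return hits

SAMPLE_LOG = [  # constructed sample lines, not real telemetry
    '203.0.113.7 - - [12/Oct/2024:10:01:02 +0000] "GET /static/css/app.css HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Oct/2024:10:01:03 +0000] "GET /static/../../etc/passwd HTTP/1.1" 404 0',
    '198.51.100.9 - - [12/Oct/2024:10:01:04 +0000] "GET /static/%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 200 1024',
    '198.51.100.9 - - [12/Oct/2024:10:01:05 +0000] "GET /static/img/../logo.png HTTP/1.1" 200 2048',
    '192.0.2.4 - - [12/Oct/2024:10:01:06 +0000] "GET /api/%2e%2e/ HTTP/1.1" 404 0',
]
```

Detection of this kind complements, rather than replaces, patching and the HTTP Firewall and container protections named above; a flagged request that received a 200 response is the one to triage first.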
CVE-2020-11899: Treck TCP/IP Stack Vulnerability
The vulnerability intelligence report also identifies CVE-2020-11899, a medium-severity out-of-bounds read vulnerability in the Treck TCP/IP stack, which impacts versions prior to 6.0.1.66. This vulnerability is part of the “Ripple20” series, which poses serious risks, including data theft and unauthorized device control. Cyble’s sensors detected a staggering 411,000 attacks exploiting this vulnerability between October 9 and 15, 2024, aimed at gaining administrative privileges.
Moreover, attacks against additional “Ripple20” vulnerabilities, such as CVE-2020-11900, were also noted, emphasizing the need for organizations operating IoT environments to assess their exposure and implement necessary mitigations.
Ongoing Threats to Systems
Beyond vulnerabilities in the Java framework and IoT devices, Cyble’s vulnerability intelligence report reveals that threats to Linux systems persist, with cybercriminals using advanced methods to deploy malware through package managers. Active threats, including CoinMiner, Mirai, and IRCBot, remain prevalent.
Additionally, previously identified vulnerabilities in PHP (CVE-2024-4577), GeoServer (CVE-2024-36401), and AVTECH IP cameras (CVE-2024-7029) continue to attract the attention of threat actors, highlighting the urgent need for vigilant cybersecurity measures.
In a noteworthy development, the Cyble vulnerability intelligence report records a sharp increase in phishing attempts, identifying 478 new phishing email addresses this week—an all-time high. The report details various scam campaigns, including fake refund claims and lottery scams, which illustrate the diverse tactics cybercriminals use to exploit unsuspecting individuals.
The report also outlines several brute-force attacks detected across various global locations. The most targeted ports are 22, 3389, and 445, with notable activity originating from Vietnam and the United States. Security analysts are urged to strengthen defenses by blocking suspicious IP addresses and securing the targeted ports.
Recommendations for Mitigation
To mitigate such threats, organizations should adopt several proactive security measures, including blocking malicious URLs and email addresses associated with recent scams, promptly patching open vulnerabilities while routinely monitoring internal network alerts, and consistently checking for suspicious ASNs and IPs to block known brute-force sources.
Additionally, it’s essential to change default usernames and passwords to prevent brute-force attempts and to enforce regular password updates, alongside employing complex passwords for servers and sensitive applications. By implementing these recommendations, businesses can enhance their defenses against the active threats identified in Cyble’s vulnerability intelligence report, particularly those targeting the Spring Java framework and IoT devices.