Cyble’s Vulnerability Intelligence unit has spotlighted a series of cyberattacks targeting critical vulnerabilities in various software systems, including the Ruby SAML library, D-Link NAS devices, and the aiohttp framework.
Between October 2 and October 8, 2024, Cyble’s honeypot sensors detected multiple new cyberattacks that leveraged vulnerabilities in several high-profile systems. Among the most notable targets were the Ruby SAML library, a range of D-Link NAS devices, the aiohttp client-server framework, and a popular WordPress plugin utilized by restaurants and other businesses.
In addition to these targeted attacks, Cyble’s sensors identified over 350 new phishing email addresses and reported thousands of brute-force attacks aimed at exploiting known weaknesses.
Cyble Vulnerability Intelligence Reveals New Cyberattacks
Cyble’s comprehensive report examined more than 40 vulnerabilities currently under active exploitation by threat actors. Below are four particularly concerning vulnerabilities:
Ruby SAML Improper Verification of Cryptographic Signature Vulnerability (CVE-2024-45409)
The Ruby SAML library, which manages SAML authorization on the client side, was found to improperly verify the signature of SAML responses in versions up to 1.16.0. This 9.8-severity vulnerability allows unauthenticated attackers to forge SAML responses, potentially granting unauthorized access to systems. The issue has been addressed in versions 1.12.3 and 1.17.0.
aiohttp Path Traversal (CVE-2024-23334)
This vulnerability in the aiohttp client-server framework for asyncio and Python permits directory traversal due to improper handling of static routes. When the ‘follow_symlinks’ option is enabled, unauthorized users may access sensitive files outside the designated root directory. The vulnerability has been rectified in version 3.9.2, and experts recommend disabling this option to mitigate risks.
D-Link NAS Devices Hard-Coded Credentials Vulnerability (CVE-2024-3272)
This severe vulnerability impacts end-of-life D-Link NAS devices, enabling remote exploitation due to hard-coded credentials. The affected devices include DNS-320L, DNS-325, DNS-327L, and DNS-340L, with a recommended course of action being their retirement and replacement, as confirmed by the vendor.
PriceListo SQL Injection Vulnerability (CVE-2024-38793)
An SQL Injection vulnerability was discovered in the PriceListo Best Restaurant Menu WordPress plugin, allowing attackers to manipulate database queries. This vulnerability remains exploitable in versions up to 1.4.1.
These vulnerabilities are part of a broader landscape of ongoing threats, including previously reported vulnerabilities in PHP, GeoServer, and AVTECH IP cameras, all under active attack.
Brute-Force Attacks on the Rise
Cyble’s sensors recorded thousands of brute-force attacks during this period, with attackers primarily originating from Vietnam and Russia. The most targeted ports included 22, 445, 23, and 3389, with a significant concentration of attacks directed at remote desktop services. Security analysts are urged to implement security measures to block these frequently attacked ports.
The research team at Cyble also identified 351 new phishing email addresses and highlighted several scams of note. Noteworthy phishing attempts included:
- Claim Directives: A fake refund scam.
- DEAR WINNER: A lottery scam promising fake prize winnings.
- GOD BLESS YOU: A donation scam posing as a charitable organization.
- CHOSEN-EMAIL: An investment scam promising unrealistic returns.
- Order Cleared Customs: A shipping scam designed to extract fees from victims.
- UN Compensation Fund: A fraudulent government compensation scheme.
Conclusion
The findings from Cyble’s Vulnerability Intelligence unit emphasize the urgent need for organizations to remain vigilant against cyber threats. By implementing proactive strategies such as blocking known threats, patching vulnerabilities, and enforcing strong password policies, organizations can enhance their defenses. The insights provided by Cyble sensors offer essential guidance for strengthening vulnerability intelligence and safeguarding against online risks.
