Cyble Vulnerability Intelligence Unit Reports Surge in Cyberattacks Targeting Spring Java Framework and IoT Devices
In an alarming revelation, the Cyble Vulnerability Intelligence Unit has released a comprehensive report detailing a significant uptick in cyberattacks targeting the Spring Java framework and a staggering number of Internet of Things (IoT) devices. With over 30 active attack campaigns exploiting well-known vulnerabilities, the report underscores the urgent need for organizations to bolster their cybersecurity measures.
Spotlight on CVE-2024-38816: A Critical Vulnerability in Spring Java Framework
Among the vulnerabilities highlighted in the report, CVE-2024-38816 stands out as a critical path traversal vulnerability within the widely utilized Spring Java framework. This vulnerability, currently under scrutiny by the National Vulnerability Database (NVD), enables attackers to craft malicious HTTP requests that can potentially access sensitive files on the server where the Spring application is hosted. Applications utilizing RouterFunctions to serve static resources, particularly those configured with a FileSystemResource location, are at heightened risk.
Fortunately, there are defensive measures that can mitigate these attacks. Enabling the Spring Security HTTP Firewall or hosting the application on platforms like Tomcat or Jetty can effectively block these malicious requests, providing a layer of protection against exploitation.
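The at-risk configuration and the first mitigation named above, side by side, as an added illustration that is not part of Cyble's report or the Spring project's own code. The directory path and bean names are assumed placeholders; the pattern assumes Spring MVC with Spring Security on the classpath.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.FileSystemResource;
import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
import org.springframework.security.web.firewall.StrictHttpFirewall;
import org.springframework.web.servlet.function.RouterFunction;
import org.springframework.web.servlet.function.RouterFunctions;
import org.springframework.web.servlet.function.ServerResponse;

@Configuration
public class StaticResourceConfig {

    // The exposed pattern the report describes: a functional route that serves
    // static files straight from a filesystem directory via FileSystemResource.
    // "/srv/app/static/" is an assumed placeholder, not a real deployment path.
    @Bean
    public RouterFunction<ServerResponse> staticFiles() {
        return RouterFunctions.resources("/static/**",
                new FileSystemResource("/srv/app/static/"));
    }

    // Mitigation named in the report: Spring Security's HTTP firewall.
    // StrictHttpFirewall rejects requests whose path is not normalized
    // (contains "." or ".." segments) or carries URL-encoded traversal
    // characters, so such requests are refused before the router is reached.
    @Bean
    public WebSecurityCustomizer httpFirewall() {
        StrictHttpFirewall firewall = new StrictHttpFirewall();
        // Keep the strict defaults; relaxing them (e.g. allowing encoded
        // periods or slashes) would reopen the path the firewall closes.
        return web -> web.httpFirewall(firewall);
    }
}
```

The firewall only protects requests that pass through the Spring Security filter chain, so confirm the chain covers the static route; patching the framework remains the primary fix.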
The Ripple Effect: CVE-2020-11899 and IoT Vulnerabilities
The report also sheds light on CVE-2020-11899, a medium-severity out-of-bounds read vulnerability in the Treck TCP/IP stack, affecting versions prior to 6.0.1.66. This vulnerability is part of the notorious “Ripple20” series, which poses severe risks, including data theft and unauthorized control of devices. Cyble’s sensors detected an astonishing 411,000 attacks exploiting this vulnerability between October 9 and 15, 2024, with attackers aiming to gain administrative privileges.
Moreover, the report indicates that additional vulnerabilities within the “Ripple20” series, such as CVE-2020-11900, are also being actively targeted. This highlights the critical need for organizations operating IoT environments to assess their exposure and implement necessary mitigations to safeguard their systems.
Ongoing Threats to Linux Systems and Other Vulnerabilities
Beyond the vulnerabilities affecting the Spring framework and IoT devices, Cyble’s report reveals that threats to Linux systems remain rampant. Cybercriminals are employing sophisticated methods to deploy malware through package managers, with active threats including CoinMiner, Mirai, and IRCBot continuing to pose significant risks.
Additionally, previously identified vulnerabilities in PHP (CVE-2024-4577), GeoServer (CVE-2024-36401), and AVTECH IP cameras (CVE-2024-7029) are still attracting the attention of threat actors. This situation underscores the urgent need for vigilant cybersecurity measures across various platforms and applications.
Rising Phishing Attempts and Brute-Force Attacks
In a noteworthy development, the Cyble vulnerability intelligence report highlights a sharp increase in phishing attempts, with 478 new phishing email addresses identified this week—an all-time high. The report details various scam campaigns, including fake refund claims and lottery scams, illustrating the diverse tactics employed by cybercriminals to exploit unsuspecting individuals.
Furthermore, the report outlines several brute-force attacks detected across various global locations, with the most targeted ports being 22, 3389, and 445. Notable activity has been traced back to Vietnam and the United States, prompting security analysts to urge organizations to strengthen their defenses by blocking suspicious IP addresses and securing these targeted ports.
Recommendations for Mitigation
To effectively mitigate these threats, organizations should adopt several proactive security measures:
- Block Malicious URLs and Email Addresses: Organizations should actively monitor and block URLs and email addresses associated with recent scams to prevent phishing attempts.
- Patch Vulnerabilities Promptly: Regularly updating and patching open vulnerabilities is crucial to maintaining a secure environment.
- Monitor Internal Network Alerts: Routine monitoring of internal network alerts can help identify potential threats before they escalate.
- Secure Known Brute-Force Sources: Consistently checking for suspicious Autonomous System Numbers (ASNs) and IPs can help block known brute-force sources.
- Change Default Credentials: Changing default usernames and passwords is essential to thwart brute-force attempts. Organizations should enforce regular password updates and employ complex passwords for servers and sensitive applications.
By implementing these recommendations, businesses can significantly enhance their defenses against the active threats identified in Cyble’s vulnerability intelligence report, particularly those targeting the Spring Java framework and IoT devices.
Conclusion
The findings from the Cyble Vulnerability Intelligence Unit serve as a stark reminder of the ever-evolving landscape of cyber threats. With vulnerabilities like CVE-2024-38816 and CVE-2020-11899 being actively exploited, organizations must remain vigilant and proactive in their cybersecurity efforts. By adopting robust security measures and staying informed about emerging threats, businesses can better protect themselves against the growing tide of cyberattacks.