Massive Brute Force Attack Targets Networking Devices Using 2.8 Million IPs

SISA Weekly Threat Watch – our weekly feature brings you a quick snapshot of the major security vulnerabilities that posed a threat to organizations worldwide. These recurring, actionable threat advisories also provide information and recommendations to help security teams take appropriate action against the latest critical threats.

1. Massive Brute Force Attack Targets Networking Devices Using 2.8 Million IPs

A large-scale brute-force attack, leveraging 2.8 million IPs daily, is actively targeting networking devices from Palo Alto Networks, Ivanti, and SonicWall. This attack, orchestrated through a botnet of compromised MikroTik, Huawei, Cisco, Boa, and ZTE devices, aims to infiltrate edge security appliances like firewalls, VPNs, and gateways. Attackers seek to compromise credentials and potentially convert these devices into proxy exit nodes for malicious activities, making detection difficult due to the use of residential proxy networks. The Shadowserver Foundation has observed a surge in attacks, with high activity from Brazil, Turkey, and Russia, posing a severe threat to enterprise security.

To mitigate the risk, organizations should enforce MFA, restrict administrative access, disable unused services, implement login protection, and apply security updates. Monitoring for anomalous activity, securing routers, segmenting networks, and deploying Zero Trust Architecture can further strengthen defenses. Regular security audits and behavioral analytics will help detect and prevent brute-force attempts.
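The advisory notes that the residential-proxy spread of this campaign makes it hard to spot. The following added example (not part of the SISA advisory) shows why a per-IP failure threshold misses it and how aggregating failures and distinct source IPs per target account still surfaces it; the log format, the hostnames and the TEST-NET sample addresses are constructed for illustration.

```python
"""Added example (not from the SISA advisory): a small detector for the
distributed brute-force pattern described above.  Because attempts are
spread over millions of source IPs, a per-IP failure threshold sees only
one failure per address; counting failures and distinct sources per
target account still exposes the campaign.  The log format and the
sample lines (TEST-NET addresses) are constructed for illustration."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth: login failed user=(?P<user>\S+) src=(?P<src>\S+)$")

# Constructed sample: 12 failures against "admin", each from a different IP,
# plus one ordinary mistyped password from a real user.
SAMPLE_LOG = [
    f"2025-02-10T09:00:{i:02d} auth: login failed user=admin src=203.0.113.{i + 1}"
    for i in range(12)
] + ["2025-02-10T09:00:30 auth: login failed user=alice src=198.51.100.7"]

def parse(lines):
    """Yield (timestamp, user, source_ip) for each failed-login line."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["user"], m["src"]

def analyze(lines, window=timedelta(minutes=5), per_ip=5, per_user=10):
    """Apply a naive per-IP rule and an account-centric rule to the failures
    in the most recent `window`.  Returns the IPs that tripped the per-IP
    rule and, for each account over `per_user`, (failures, distinct IPs)."""
    events = sorted(parse(lines))
    if not events:
        return {"noisy_ips": [], "targeted_users": {}}
    cutoff = events[-1][0] - window
    by_ip, by_user, sources = Counter(), Counter(), defaultdict(set)
    for ts, user, src in events:
        if ts < cutoff:
            continue
        by_ip[src] += 1
        by_user[user] += 1
        sources[user].add(src)
    noisy_ips = sorted(ip for ip, n in by_ip.items() if n >= per_ip)
    targeted = {u: (n, len(sources[u])) for u, n in by_user.items() if n >= per_user}
    return {"noisy_ips": noisy_ips, "targeted_users": targeted}
```

On the sample, the per-IP rule fires on nothing while the account rule reports `admin` with 12 failures from 12 distinct sources; the same aggregation works per VPN gateway or per appliance when attackers rotate usernames as well.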

2. “whoAMI” Attack Exploits Misconfigured AMI Selection to Gain Unauthorized Access

Security researchers have uncovered whoAMI, an AWS name confusion attack that allows attackers to execute code within AWS environments by exploiting misconfigured Amazon Machine Image (AMI) selection. The attack occurs when organizations retrieve AMIs without specifying an owner, enabling attackers to upload malicious AMIs with deceptive names, leading to potential system compromise. AWS patched the issue in late 2024, but organizations must proactively update configurations and enforce security controls to prevent exploitation.

To mitigate risks, always specify an AMI owner when using the ec2:DescribeImages API, enable the “Allowed AMIs” security feature, and update Terraform configurations to remove “most_recent=true” unless an owner filter is applied. Organizations should also audit AWS CLI, Boto3, and SDK scripts, use AWS Audit Mode to detect untrusted AMIs, and implement least privilege policies for AMI creation. Regular monitoring, security awareness for DevOps teams, and enforcing best practices are crucial in safeguarding AWS environments.
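To make the misconfiguration concrete, the following added example (not SISA's, AWS's or any project's own code) shows the name-only "most recent" lookup beside the owner-scoped selection the advisory recommends, plus a check that flags DescribeImages argument sets lacking an owner constraint. The image records, the account ID and the AMI IDs are constructed placeholders.

```python
"""Added example (not SISA's or AWS's own code).  Shows the name-only
"most recent" lookup the advisory warns about beside an owner-scoped one,
plus a check for DescribeImages calls that lack an owner constraint.
Records, account ID and AMI IDs below are constructed placeholders."""
from fnmatch import fnmatch

TRUSTED_OWNERS = {"123456789012"}  # placeholder for your org's account ID

# Constructed DescribeImages-style records.  The second image is published
# by another account with a look-alike name and a newer CreationDate.
IMAGES = [
    {"ImageId": "ami-0000000000000001", "Name": "corp-base-20240101",
     "OwnerId": "123456789012", "CreationDate": "2024-01-01T00:00:00.000Z"},
    {"ImageId": "ami-0000000000000002", "Name": "corp-base-20240601",
     "OwnerId": "999999999999", "CreationDate": "2024-06-01T00:00:00.000Z"},
]

def pick_most_recent(images, name_pattern):
    """Vulnerable pattern: match on name only and take the newest image.
    This is what `most_recent = true` without an owner filter amounts to."""
    matches = [i for i in images if fnmatch(i["Name"], name_pattern)]
    return max(matches, key=lambda i: i["CreationDate"])

def pick_trusted(images, name_pattern, trusted_owners):
    """Hardened pattern: consider only images from trusted owner accounts."""
    matches = [i for i in images
               if i["OwnerId"] in trusted_owners and fnmatch(i["Name"], name_pattern)]
    if not matches:
        raise LookupError("no AMI from a trusted owner matched the name pattern")
    return max(matches, key=lambda i: i["CreationDate"])

def describe_images_call_is_scoped(kwargs):
    """Return True when a DescribeImages argument dict pins the owner, via
    Owners= or an owner-id / owner-alias filter, whenever it filters by name."""
    filters = kwargs.get("Filters", [])
    by_name = any(f.get("Name") == "name" for f in filters)
    by_owner = bool(kwargs.get("Owners")) or any(
        f.get("Name") in ("owner-id", "owner-alias") for f in filters)
    return by_owner or not by_name

# Equivalent boto3 call with the owner pinned (not executed here):
# ec2.describe_images(Owners=["123456789012"],
#                     Filters=[{"Name": "name", "Values": ["corp-base-*"]}])
```

In Terraform the same fix is adding an `owners` argument to the `aws_ami` data source wherever `most_recent = true` is used.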

3. CISA Warns of Active Exploitation of Microsoft Outlook RCE Flaw CVE-2024-21413

CISA has alerted U.S. federal agencies to ongoing attacks exploiting CVE-2024-21413, a Microsoft Outlook RCE vulnerability that bypasses Protected View, enabling NTLM credential theft and remote code execution. Discovered by cybersecurity researchers, this flaw allows attackers to embed malicious links in emails, compromising systems even when emails are only previewed. Microsoft patched the issue, but the Preview Pane remains an attack vector, making exploitation easier.

To mitigate risks, organizations should apply the latest Microsoft security patches, disable NTLM authentication, and block outbound SMB traffic to prevent credential relay attacks. Additional safeguards include disabling automatic link resolution in Outlook, enabling Attack Surface Reduction (ASR) rules, and monitoring for unusual file:// protocol usage. Implementing endpoint detection (EDR), restricting access to sensitive files, and conducting phishing awareness training will further help reduce the attack surface and enhance security resilience.

4. Kimsuky’s forceCopy Malware Targets Web Browsers in Sophisticated Attacks

The North Korea-linked Kimsuky hacking group has been observed using malicious Windows shortcut (LNK) files in spear-phishing attacks to deploy malware, including the forceCopy information stealer. Exploiting legitimate Windows binaries like PowerShell and mshta.exe, the attackers download and execute payloads, gaining system control through tools like PEBBLEDASH and a custom RDP Wrapper. Their 2024 strategy shift favors remote desktop tools over traditional backdoors, enabling stealthier persistence and data exfiltration.

To mitigate risks, organizations should implement advanced email filtering, educate users on phishing awareness, and monitor for anomalous RDP and proxy activity. Deploying endpoint detection and response (EDR) solutions, restricting PowerShell/mshta.exe usage, and disabling unnecessary remote desktop features can further reduce exposure. Strengthening incident response plans and conducting security drills will enhance resilience against evolving nation-state threats.

5. Threat Actors Exploit Fake Chrome Sites to Spread ValleyRAT via DLL Hijacking

Bogus websites posing as Google Chrome download pages are distributing ValleyRAT, a remote access trojan (RAT) linked to the Silver Fox threat actor. Targeting Chinese-speaking regions, these attacks focus on high-value roles in finance, accounting, and sales by luring victims into downloading fake Chrome installers embedded with DLL loaders. The malware exploits DLL hijacking to gain persistent system access, monitor activity, and execute remote commands. Attackers have also used this method to distribute Purple Fox and Gh0st RAT, reinforcing the threat’s sophistication.

To mitigate risks, organizations should educate users on software download risks, implement application whitelisting, deploy endpoint protection against DLL hijacking, and regularly patch vulnerabilities. Monitoring network traffic for suspicious remote connections, enforcing intrusion detection (IDS/IPS), and maintaining an incident response plan are essential to detect and contain infections before they escalate.

To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.
