Top Ten Themes on Cyber Attacks in Q1 2024
Top 10 Cyber Attacks in 2024


In this post, I'll share my personal observations on cyber attacks during the first quarter of 2024, and insights and solutions you won't find elsewhere online.

High-Level Observations

The raw number of attacks decreased, if we ignore basic scripts run by script kiddies and the bots and crawlers that try to copy everything they come across. Nonetheless, the sophistication of attacks continued to increase in Q1 2024.

Ten Primary Attack Vectors and Solutions

1) APIs:

Attacks on APIs ranked highest, targeting both the WordPress REST API (/wp-json/) and alfacgiapi, the directory left behind by the ALFA PHP web shell, so those probes are looking for sites that are already compromised. Sources were mainly NL, BG, and IN.

Solution: Prioritise API testing; it needs its own skills and tooling. Restrict unauthenticated access to REST endpoints you do not need to expose, and treat any hit on an alfacgiapi path as a signal to check the host for an existing web shell.

2) The WordPress 'seotheme':

This theme was the second most common attack vector, with activities mainly from NL and BG.

Solution: Avoid using this theme and check for updates.

3) Linux Password Theft:

This involved directory traversal attempts aimed at /etc/passwd (including URL-encoded and double-encoded ../ sequences), primarily from IN, FR, and CN.

Solutions: Ensure the web server drops privileges once it is running, use chroot, and fix the traversal itself. Note the caveat before applying "chmod o-r /etc/passwd": the file is world-readable by design and contains no password hashes (those live in /etc/shadow, which is already unreadable by other users), so removing read access breaks user and group lookups for every unprivileged process. A request that reaches /etc/passwd is a reliable canary for a traversal bug; the bug is the finding.
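The first three items are all visible in ordinary web-server access logs. The following Python is an added example, not code from the original post: it parses combined-format log lines, percent-decodes request paths until they stop changing (so %2e%2e and double-encoded %252e%252e both become ..), and tags each request as WordPress REST API, alfacgiapi, seotheme or /etc/passwd traversal. The log lines, IP addresses and paths are constructed for the example and only mirror the request targets the post names.

```python
import re
from collections import Counter
from typing import Dict
from urllib.parse import unquote

# Constructed sample lines in Apache/nginx "combined" log format. They are
# made up for this example and only mirror the request paths named in the post
# (WordPress REST API, alfacgiapi, seotheme, /etc/passwd traversal).
SAMPLE_LOG = """\
203.0.113.10 - - [14/Feb/2024:10:01:02 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [14/Feb/2024:10:01:03 +0000] "GET /alfacgiapi/perl.alfa HTTP/1.1" 404 162 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Feb/2024:10:02:11 +0000] "GET /wp-content/themes/seotheme/db.php HTTP/1.1" 404 162 "-" "python-requests/2.31"
192.0.2.44 - - [14/Feb/2024:10:03:30 +0000] "GET /index.php?page=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 403 0 "-" "curl/8.4.0"
192.0.2.44 - - [14/Feb/2024:10:03:31 +0000] "GET /cgi-bin/%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 403 0 "-" "curl/8.4.0"
198.51.100.9 - - [14/Feb/2024:10:04:00 +0000] "GET /about/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# ip, ident, user, [timestamp], "METHOD path PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def normalize_path(path: str) -> str:
    """Percent-decode until stable (catches double encoding such as %252e),
    fold backslashes to slashes and lowercase, so the traversal check sees the
    path the way a carelessly written application would after its own decoding."""
    decoded = path
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/").lower()


def classify(path: str) -> str:
    """Map a request path to one of the post's attack vectors, or 'benign'."""
    p = normalize_path(path)
    if "etc/passwd" in p and "../" in p:
        return "traversal:/etc/passwd"
    if p.startswith("/wp-json/"):
        return "api:wp-rest"
    if "/alfacgiapi/" in p:
        return "api:alfacgiapi"
    if "/themes/seotheme/" in p:
        return "theme:seotheme"
    return "benign"


def summarize(log_text: str) -> Dict[str, Counter]:
    """Count classified (non-benign) requests per vector and per source IP."""
    by_vector: Counter = Counter()
    by_ip: Counter = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        vector = classify(m.group("path"))
        if vector == "benign":
            continue
        by_vector[vector] += 1
        by_ip[m.group("ip")] += 1
    return {"by_vector": by_vector, "by_ip": by_ip}


if __name__ == "__main__":
    for name, counter in summarize(SAMPLE_LOG).items():
        print(name, dict(counter))
```

Feed it a real access log on stdin or a file instead of SAMPLE_LOG and the per-IP counter gives you the blocklist candidates; the per-vector counter gives the ranking the post describes.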

4) Cryptomining:

Almost exclusively from CN, focusing on Monero (XMR).

Solution: Implement a WAF rule and/or monitor for CPU usage spikes.

5) Ucloud (CN) and Internet Measurement:

Noticed these entities sending the string "l\x00\x0B\x00\x00\x00\x00\x00\x00\x00\x00\x00" to servers. It decodes as an X11 connection-setup request: byte order 'l' (little-endian), protocol version 11.0, and zero-length authorization name and data, i.e. a scan for X servers exposed on TCP port 6000.

Solution: Internet Measurement may stop scanning your IP upon request. For Ucloud, consider blocking their ASNs. Either way, an X server should never be reachable from the internet.

6) Low-Level Protocols:

Observed from 11 different countries.

The relevant string is "\x03\x00\x00\x0B\x06\xE0\x00\x00\x00\x00\x00". It is a TPKT header (RFC 1006: version 3, total length 11) carrying an X.224 Connection Request (length indicator 6, TPDU code 0xE0), which is the opening packet of an RDP handshake. The likely target is therefore exposed RDP rather than telecom applications.

Solution: Do not expose RDP directly to the internet; put it behind a VPN or gateway.

7) Apache RocketMQ:

Probes from various countries indicate widespread interest.

Solution: Update the software, ensure it's not internet-accessible, or remove it entirely.

8) SMB:

Google Cloud's various IP addresses kept probing SMB with payloads starting "\x00\x00\x00f\xFESMB": a NetBIOS session header (message type 0, length 0x66 = 102 bytes) followed by the SMB2 protocol identifier, i.e. the start of an SMB2 handshake.

Solution: Never expose SMB (TCP 445) to the internet.

9) Multiplexer and Obfuscation:

Attempts to find non-HTTPS services multiplexed on port 443 (SSH, VPN or proxy protocols hidden behind the TLS port), particularly from IN and FR.

Potential Solution: If you run a protocol multiplexer on 443, check it for vulnerabilities and keep it updated. Be cautious about what you expose on port 443 besides HTTPS, and stay vigilant for compromised hosts in your network using the same trick for outbound traffic.

10) jsonrpc:

Most frequently probed by CN. The structure (JSON-RPC 2.0, method "login", parameters login/pass/agent) is the Stratum login message that Monero mining clients such as XMRig send to a pool or mining proxy, so these probes are hunting for exposed mining infrastructure and belong with item 4.

There are many strings but all of them start with "{\x22id\x22:1,\x22jsonrpc\x22:\x222.0\x22,\x22method\x22:\x22login\x22,\x22params\x22:"

An example of a full string is: "{\x22id\x22:1,\x22jsonrpc\x22:\x222.0\x22,\x22method\x22:\x22login\x22,\x22params\x22:{\x22login\x22:\x22blue1\x22,\x22pass\x22:\x22x\x22,\x22agent\x22:\x22Windows NT 6.1; Win64; x64\x22}}"

Solution: A WAF rule matching a JSON-RPC body with "method":"login" and login/pass/agent parameters for web ports; on any other listener, drop connections whose first bytes are this JSON.
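The raw probes in items 5, 6, 8 and 10 can be told apart from their first bytes. The following Python is an added example, not code from the original post: it fingerprints a probe payload as an X11 connection-setup request (item 5), a TPKT/X.224 Connection Request, the start of an RDP handshake (item 6), a NetBIOS session header in front of an SMB2 message (item 8), or a Stratum mining-pool login (item 10). The four payloads are constructed from the strings quoted in the post (with the \x22 escapes of the jsonrpc example turned back into quotes); the HTTP request line is an added negative case.

```python
import json
import struct

# Constructed probe payloads: the first three byte strings and the JSON body are
# copied from the post (items 5, 6, 8 and 10); the HTTP line is a negative case.
PROBES = {
    "ucloud":   b"l\x00\x0B\x00\x00\x00\x00\x00\x00\x00\x00\x00",
    "lowlevel": b"\x03\x00\x00\x0B\x06\xE0\x00\x00\x00\x00\x00",
    "gcp-smb":  b"\x00\x00\x00f\xFESMB",
    "jsonrpc":  b'{"id":1,"jsonrpc":"2.0","method":"login","params":'
                b'{"login":"blue1","pass":"x","agent":"Windows NT 6.1; Win64; x64"}}',
    "http":     b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
}


def fingerprint(payload: bytes) -> str:
    """Label a raw TCP probe from its first bytes, or return 'unknown'."""
    # TPKT (RFC 1006): version 3, reserved 0, big-endian total length, then an
    # X.224 TPDU whose high nibble 0xE is a Connection Request. This is the
    # first packet of every RDP session; total length = LI + 5.
    if len(payload) >= 6 and payload[0] == 0x03 and payload[1] == 0x00:
        (tpkt_len,) = struct.unpack(">H", payload[2:4])
        li, code = payload[4], payload[5] & 0xF0
        if code == 0xE0 and tpkt_len == li + 5:
            return f"tpkt-x224-cr len={tpkt_len} (rdp connection request)"
    # NetBIOS session service header (type 0, 24-bit big-endian length)
    # followed by the SMB2 protocol id \xFESMB (SMB1 would be \xFFSMB).
    if len(payload) >= 8 and payload[0] == 0x00 and payload[4:8] == b"\xFESMB":
        msg_len = int.from_bytes(payload[1:4], "big")
        return f"nbss-smb2 msg_len={msg_len}"
    # X11 connection setup: byte order 'l' (little) or 'B' (big), one pad
    # byte, major and minor protocol version, then authorization name/data
    # lengths. A real client sends major version 11.
    if len(payload) >= 12 and payload[0] in (0x6C, 0x42):
        order = "<" if payload[0] == 0x6C else ">"
        major, minor, n_name, n_data = struct.unpack(order + "xxHHHH", payload[:10])
        if major == 11:
            return (f"x11-setup major={major} minor={minor} "
                    f"auth_name_len={n_name} auth_data_len={n_data}")
    # Stratum mining-pool login as sent by XMRig-style Monero miners:
    # JSON-RPC 2.0, method "login", params login/pass/agent.
    if payload[:1] == b"{":
        try:
            msg = json.loads(payload)
        except ValueError:  # includes UnicodeDecodeError and JSONDecodeError
            return "unknown"
        if not isinstance(msg, dict):
            return "unknown"
        params = msg.get("params")
        if not isinstance(params, dict):
            params = {}
        if msg.get("method") == "login" and {"login", "pass", "agent"} <= set(params):
            return f"stratum-login login={params['login']} agent={params['agent']}"
    return "unknown"


if __name__ == "__main__":
    for name, payload in PROBES.items():
        print(f"{name:9s} {fingerprint(payload)}")
```

Wire fingerprint() to whatever captures first-packet payloads for you (a honeypot, a packet capture, or the "unknown protocol" log of a multiplexer) and the per-label counts reproduce the post's categories without guessing from port numbers.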

Other Notable Attacks:

These included SSL stripping (US), Bitrix CMS (CA), Oracle WebLogic or T3 (four countries), and ICAP server proxy interception (three countries).

Solutions: Prefer TLS 1.3, or at worst TLS 1.3 with a TLS 1.2 fallback. Note that the TLS version alone does not stop SSL stripping, which downgrades the browser to plain HTTP before any TLS handshake takes place; enforce HSTS (ideally preloaded) and redirect all HTTP to HTTPS. For Bitrix, WebLogic and ICAP, consult your vendors for updates, and do not expose the WebLogic T3 port to the internet.

Ten Most Active Countries

IP addresses from the Netherlands (NL), United States (US), China (CN), Bulgaria (BG), and India (IN) were most frequently involved in attacks, followed by Hong Kong (HK), Great Britain (GB), Thailand (TH), France (FR), and Morocco (MA).

However, because attackers route through VPNs, Tor and rented cloud hosts, it is hard to attribute an attack to people in any of these countries. Geoblocking is therefore becoming less effective for your network's incoming traffic, but it remains valuable for outgoing traffic, where a connection to an unexpected country is a strong signal of compromise.

Good luck!

Santosh

3 April 2024

