Vulnerabilities, Exploits, and Malware Driving Attack Campaigns in August 2019
- by nlqip
Further analysis on this sample was not conducted. F5 Labs has reported extensively on the Mirai botnet, the IoT landscape, and some of Mirai's variants. For a detailed breakdown of current Mirai botnets seen in the threat landscape, see the Hunt for IoT Research Series, which publishes current threat data.
Conclusion
All of the vulnerabilities targeted this month can be classified as unsafe input injection. According to the 2017 OWASP Top 10 list of web vulnerabilities, injection flaws are the most prevalent type of vulnerability present in applications. These flaws can allow a resourceful attacker to execute malicious commands and queries.
Threat actors used their resources wisely this month, focusing on target reconnaissance. Instead of sending the main payload in the first request, they attempted system reconnaissance before sending the malicious payload. Exploits targeting Oracle WebLogic and Elasticsearch were also lower than seen in previous months. This could be because many of these servers are protected by a web application firewall (WAF). If kept updated, a WAF can stop an attacker from exploiting known vulnerabilities. For most organizations, a web application firewall serves as the first line of defense for their applications. A well-monitored, configured, and updated WAF should also be able to stop these threat actors from exploiting vulnerable systems within a network.
In addition to targeting these vulnerabilities, which we have reported on in past months, threat actors continue to focus on DDoS capabilities. These attacks have been on the rise, with Wikipedia being the latest target.
F5 security researchers continuously monitor new web application exploits to deliver the latest threat intelligence to our customers, as well as the broader IT security community. Join us in continuing the conversation on social media. You can reach us on Twitter @f5labs, or email us at F5LabsTeam@f5.com.