Tag: Attack Campaign
By looking at the table of supported IP protocols, we see that the bot creates raw packets of IGMP, ICMP and TCP protocols. Those packets are just being marked with those protocol numbers, however other fields and headers are not actually set. The packet is filled with “A” characters according to the size specified by…
Read MoreShellshock can take advantage of HTTP headers as well as other mechanisms to enable unauthorized access to the underlying system shell, Bash. The Shellshock attack takes advantage of a flaw in Bash that enables attackers to execute remote commands that would ordinarily be blocked. It’s been rated the highest risk possible because remote command execution…
Read MoreRisk is a calculated measurement involving a number of factors including likelihood of occurrence and the impact if exploited. We all know that we could be hit by a bus and suffer dire consequences while crossing the road today, but the likelihood of that occurring is so low that most of us consider it a…
Read MoreFigure 1: How an LDAP reflection-amplification attack works LDAP’s Weak Spot LDAP is used to query resources such as networks, systems, applications, and services throughout an organization network. This protocol is typically served over TCP, which requires a connection to be established before data is transferred. But, in this case, because the source IP address…
Read MoreNo matter how application-savvy you are, it should be fairly obvious that this is not a typical Content-Type header for an HTTP request. According to the RFC, Content-Type is usually of the form “type/subtype”7. This leviathan contains a valid Content-Type header in the very first line—multipart/form-data—but even a rudimentary BNF parser would flag this as a…
Read MoreFigure 2: Authentication success! While Intel didn’t come out and tell everyone exactly what the problem was, the guys at Tenable figured it out within minutes,2 and even show how simple it would be to exploit via Burp Suite. They’ve updated Nessus3 to scan for it, and everyone is broadly recommending that we all disable ports…
Read MoreNeed-to-Know Facts CVE-2017-74942 has a CVSS Score of 7.5 (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)3. This vulnerability is the Linux version of WannaCry, appropriately named SambaCry. A malicious Samba client that has write access to a Samba share could use this flaw to execute arbitrary code typically as root. The flaw allows a malicious client to upload a shared library to…
Read More“The digital economy is firmly entrenched, and has an appearance that promises prosperity; but in this world, nothing can be said to be certain, except death, taxes, and vulnerabilities.” With many apologies to Benjamin Franklin, to whom the original, unaltered quote on which this one relies is typically attributed. Unlike the forecasts for snow in…
Read MoreLast week, F5 threat researchers spotted a Monero (XMR) crypto-mining campaign that was taking advantage of a user configuration vulnerability in the rTorrent client, specifically misconfigured XML-RPC functionality. This misconfiguration vulnerability in rTorrent allows an unauthenticated user to execute methods in the rTorrent client using HTTP requests. After deeper analysis of the attack logs, F5…
Read MoreFigure 2: Weblogic WLS-WSAT campaign attempting to download and execute the same Windows executable file This attempt to download the same file immediately indicated to us that the same attacker was using different exploits in the operation. Unfortunately, these files weren’t available to download from the original server nor from other malware repositories, so…
Read More