Tag: Malware
By looking at the table of supported IP protocols, we see that the bot creates raw packets of IGMP, ICMP and TCP protocols. Those packets are just being marked with those protocol numbers, however other fields and headers are not actually set. The packet is filled with “A” characters according to the size specified by…
Read MoreShellshock can take advantage of HTTP headers as well as other mechanisms to enable unauthorized access to the underlying system shell, Bash. The Shellshock attack takes advantage of a flaw in Bash that enables attackers to execute remote commands that would ordinarily be blocked. It’s been rated the highest risk possible because remote command execution…
Read MoreIt’s been another banner year for leakers. In May, Wikileaks released the CIA’s Vault7 cyberwarfare documentation,1 and the Shadow Brokers released NSA exploit information, including the Windows EternalBlue2 exploit. EternalBlue was quickly weaponized into the WannaCry ransomware that pummeled the Internet for days. The Petya/NotPetya ransomware hitting Eastern Europe is also reportedly using EternalBlue to infect machines.…
Read MoreFigure 2: Alternative C&C server address hosted on Pastebin.com One of the challenges that adversaries need to deal with is how to maintain a sustainable C&C infrastructure without being quickly denylisted by enterprise security solutions, or being frequently shut down by ISPs and hosting services following law enforcement and security vendors’ abuse reports. Many…
Read MoreEvery day, your web servers are increasingly being scanned—and likely attacked—by adversaries attempting to gain access to your infrastructure. Between 2015 and 2017, our data partner, Loryka, observed these types of scans grow from 200 per minute to as much as 2,000 per minute. These kinds of attackers are professionals; they do this for a…
Read MoreLast week, a malware campaign targeting Jenkins automation servers was reported by CheckPoint researchers.1 The attackers exploited a deserialization vulnerability2 in Jenkin’s bidirectional channel (CVE-2017-1000353)3 to deploy Monero cryptomining malware that generated an estimated profit of $3 million. Following this disclosure, F5 researchers observed what appears to be the same threat actor group, as they…
Read MoreOne thing to consider about the Q1 2018 data is that it’s only one quarter in comparison to the annual averages of 2016 and 2017, and that Q1 typically receives the least number of attacks of any quarter. If attacks against North America decline in Q2, as they have done the past 2 years, the…
Read MoreF5 threat researchers detected attackers actively exploiting the rTorrent client through a previously undisclosed misconfiguration vulnerability and deploying a Monero (XMR) crypto-miner operation. The rTorrent client misconfiguration vulnerabilities include: No authentication required for XML-RPC communication Sensitive XML-RPC method is allowed (direct OS command execution) Attackers are actively exploiting this vulnerability in the wild by scanning…
Read MoreFigure 2: Latest attack request targeting Windows servers As shown in Figure 2, the latest attack requests are targeting the same URL, keeping the same HTTP header values and the same exploit structure, however, they are now using Windows shell commands to download and execute a file. Using the Windows certutil Tool While Linux…
Read MoreF5 researchers recently noticed a new campaign exploiting a vulnerability in Microsoft Internet Information Services (IIS) 6.0 servers (CVE–2017–7269) in order to mine Electroneum crypto-currency. Last year, ESET security researchers reported that the same IIS vulnerability was abused to mine Monero, and install malware to launch targeted attacks against organizations by the notorious “Lazarus” group.…
Read More