Tag: Remote Code Execution
The majority of the scanning activity is coming from IP addresses assigned to just a handful of ASNs, mostly AS49870 (Alsycon, a hosting provider out of the Netherlands) and AS47890 (Unmanaged Ltd, what looks to be an IT consulting firm based out of the UK). The scanners appear to be using VPS or other resources…
Read MoreIn the event that you have a WAF in place and are hacked (likely, in the scenario where you have implemented the solution in monitoring/listen-only mode), the collection of the post data will be your primary evidence source that indicates how your application was exploited. This information is critical in your investigation and remediation…
Read MoreNo matter how application-savvy you are, it should be fairly obvious that this is not a typical Content-Type header for an HTTP request. According to the RFC, Content-Type is usually of the form “type/subtype”7. This leviathan contains a valid Content-Type header in the very first line—multipart/form-data—but even a rudimentary BNF parser would flag this as a…
Read MoreFigure 1: CVE-2017-5638 campaign The exploit triggers the vulnerability via the Content-Type header value, which the attacker customized with shell commands to be executed if the server is vulnerable. In the first days of this campaign, shell commands were observed to infect the machine with the “PowerBot” malware, which is written in PERL, and uses…
Read MoreThis article was revised 5/15/17 at 9:12 a.m. (PDT) with updated recommendations. Over a dozen years ago, malware pioneer Dr. Peter Tippett coined the expression “virus disaster,” which describes the point at which more than 25 machines are infected on a single network as the “tipping point” for complete shutdown of a network.1 The new…
Read MoreNeed-to-Know Facts CVE-2017-74942 has a CVSS Score of 7.5 (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)3. This vulnerability is the Linux version of WannaCry, appropriately named SambaCry. A malicious Samba client that has write access to a Samba share could use this flaw to execute arbitrary code typically as root. The flaw allows a malicious client to upload a shared library to…
Read MoreIt’s been another banner year for leakers. In May, Wikileaks released the CIA’s Vault7 cyberwarfare documentation,1 and the Shadow Brokers released NSA exploit information, including the Windows EternalBlue2 exploit. EternalBlue was quickly weaponized into the WannaCry ransomware that pummeled the Internet for days. The Petya/NotPetya ransomware hitting Eastern Europe is also reportedly using EternalBlue to infect machines.…
Read MoreAn advanced thingbot, nicknamed Reaper (or IoTroop), was recently discovered infecting hordes of IoT devices. Reaper ups the ante for IoT security. It has a sophisticated C2 channel system and a Lua code execution environment (to deliver much more complicated attacks), and it comes prepackaged with 100 DNS open resolvers. Researchers are tracking Reaper, even…
Read MoreMost don’t, according to BuiltWith, a site that tracks the technologies websites use. Based on its latest data, a paltry .2% of sites on the Internet include CSP headers. Digging further, 8.4% of the Quantcast Top 10,000 have used CSP headers. Which sounds better until you do the math. That’s only 840 sites. By…
Read MoreFigure 2: Weblogic WLS-WSAT campaign attempting to download and execute the same Windows executable file This attempt to download the same file immediately indicated to us that the same attacker was using different exploits in the operation. Unfortunately, these files weren’t available to download from the original server nor from other malware repositories, so…
Read More