Tag: Threats

Cryptominers are frequently included in recent attack campaigns; if you would like to learn more about cryptominers, please check out some of our previous monthly attack campaign wrap-ups. Conclusion Campaigns aimed at mining cryptocurrency and targeting Oracle WebLogic continue to rise in popularity. This has been fueled in part by the zero-day vulnerability found in…

Read More

Poor security is another clue that young novices are operating botnets. The Owari authors left their command and control (C&C) MySQL database wide open (port 3306), “protected” with both the username and password of “root.” Control of IoT devices is a highly competitive market, where rivals commonly DDoS each other. In one case, a competing…

Read More

In-App Testing Since the HSTS and HPKP protocols allow for genuine interception of SSL by trusted certificates, nothing can be done to warn end users that their communications are being intercepted. For those that need to inform their users of interception, in-app testing could be considered. By performing an additional SSL/TLS handshake, using Javascript within…

Read More

Conclusion Campaigns aimed at mining cryptocurrency and targeting Oracle WebLogic are clearly on the rise, and F5 researchers anticipate this trend to continue. This has been fueled partly by the zero-day vulnerability (CVE-2019-2725)found in April 2019. Oracle WebLogic is used widely by large corporations, and the servers are resource-intensive. This attracts threat actors looking to…

Read More

API Vulnerability Data The sensor network that our partner Lorkya maintains found only 0.1% of attack traffic was definitively looking for API vulnerabilities. However, this is probably better attributed to the limitations of the sensor network than any trends about API attacks. Loryka’s sensors primarily detect wide-ranging probes and reconnaissance campaigns where attackers are looking…

Read More

The next step in this process is to convert the decrypted and decompressed data file from binary into a human readable format. The following python snippet provides a regular expression that will roughly split the injects from one another: import re regex_res = re.split(‘[x00]{1}[x00-xff]{7}[x00]{2}[x01-xff]{1}’, data[7:]) The steps outlined here can be used on the different…

Read More

The US Department of Homeland Security Cybersecurity and Infrastructure Security Agency (DHS CISA) has cited ransomware as “the most visible cybersecurity risk” attacking American IT systems. I think that’s a valid statement, since “most visible” doesn’t necessarily mean largest or most devastating, but it does still qualify ransomware as a significant threat. Indeed, it seems…

Read More

Introduction Ten months ago we asked a rhetorical question: will losses from cryptocurrency exchange hacks hit one billion dollars in 2018? Indeed, they did. Cryptocurrency theft is growing both in terms of frequency of attacks and breadth of targets. Attackers aren’t just cryptojacking and targeting exchanges. According to endpoint security provider Carbon Black, $1.1 billion…

Read More

During June and July, F5 researchers first noticed Trickbot campaigns aimed at a smaller set of geographically oriented targets and did not use redirection attacks—a divergence from previous Trickbot characteristics. In this research, we compared two different target configurations, one older, more “traditional” configuration that uses redirection, and a new Trickbot configuration that does not…

Read More

While analyzing this script which downloads and executes the cryptominer, F5 researchers found that the code is sophisticated, well obfuscated, and long—about 200 lines versus the typical 20 or so lines. The authors clearly put a lot of time and attention into every step, from developing the malware dropper to creating the executable JAR file…

Read More