Tag: Web Application Attacks
In 2018 we published our first Application Protection Report, which summarized trends and attack patterns for 2017 across multiple disciplines of information security and offered a big picture strategy for controlling application risk. We created that report in order to provide three things that we felt the security industry needs: a specific focus on application…
Read MorePoor security is another clue that young novices are operating botnets. The Owari authors left their command and control (C&C) MySQL database wide open (port 3306), “protected” with both the username and password of “root.” Control of IoT devices is a highly competitive market, where rivals commonly DDoS each other. In one case, a competing…
Read MoreConclusion Campaigns aimed at mining cryptocurrency and targeting Oracle WebLogic are clearly on the rise, and F5 researchers anticipate this trend to continue. This has been fueled partly by the zero-day vulnerability (CVE-2019-2725)found in April 2019. Oracle WebLogic is used widely by large corporations, and the servers are resource-intensive. This attracts threat actors looking to…
Read MoreAPI Vulnerability Data The sensor network that our partner Lorkya maintains found only 0.1% of attack traffic was definitively looking for API vulnerabilities. However, this is probably better attributed to the limitations of the sensor network than any trends about API attacks. Loryka’s sensors primarily detect wide-ranging probes and reconnaissance campaigns where attackers are looking…
Read MoreThe next step in this process is to convert the decrypted and decompressed data file from binary into a human readable format. The following python snippet provides a regular expression that will roughly split the injects from one another: import re regex_res = re.split(‘[x00]{1}[x00-xff]{7}[x00]{2}[x01-xff]{1}’, data[7:]) The steps outlined here can be used on the different…
Read MoreThe US Department of Homeland Security Cybersecurity and Infrastructure Security Agency (DHS CISA) has cited ransomware as “the most visible cybersecurity risk” attacking American IT systems. I think that’s a valid statement, since “most visible” doesn’t necessarily mean largest or most devastating, but it does still qualify ransomware as a significant threat. Indeed, it seems…
Read MoreIntroduction Ten months ago we asked a rhetorical question: will losses from cryptocurrency exchange hacks hit one billion dollars in 2018? Indeed, they did. Cryptocurrency theft is growing both in terms of frequency of attacks and breadth of targets. Attackers aren’t just cryptojacking and targeting exchanges. According to endpoint security provider Carbon Black, $1.1 billion…
Read MoreDuring June and July, F5 researchers first noticed Trickbot campaigns aimed at a smaller set of geographically oriented targets and did not use redirection attacks—a divergence from previous Trickbot characteristics. In this research, we compared two different target configurations, one older, more “traditional” configuration that uses redirection, and a new Trickbot configuration that does not…
Read MoreWhile analyzing this script which downloads and executes the cryptominer, F5 researchers found that the code is sophisticated, well obfuscated, and long—about 200 lines versus the typical 20 or so lines. The authors clearly put a lot of time and attention into every step, from developing the malware dropper to creating the executable JAR file…
Read MoreFurther analysis on this sample was not conducted. F5 Labs has reported extensively on the Mirai botnet, IoT landscape, and some of its variants. For a detailed breakdown on current Mirai botnets seen in the threat landscape, the Hunt for IoT Research Series publishes current threat data. Conclusion All of the vulnerabilities targeted this month…
Read More