"component RCE vulnerability (CVE-2017-10271). Figure 6. The same threat actor was earlier detected exploiting Elasticsearch and WebLogic servers. Horde Webmail remote code execution (CVE-2012-0791). A new campaign was detected targeting Horde IMP, an application that co…"
T1190 Exploit Public-Facing Application (96%)
"ThinkPHP remote code execution (CVE-2018-10225). Almost half of the campaigns we detected in January targeted ThinkPHP servers vulnerable to remote code execution (RCE). According to Shodan, over 46,000 web servers are running ThinkPHP, and most of them are located in Chi…"
T1190 Exploit Public-Facing Application (96%)
"detected exploiting Elasticsearch Search Groovy sandbox bypass vulnerability (CVE-2014-3120). As Figure 9 illustrates, attackers must conduct a significant amount of reconnaissance scanning looking for vulnerable systems before they can actually launch attacks. Figure 9. Af…"
T1190 Exploit Public-Facing Application (95%)
"…t vulnerabilities to deliver Mirai variants added the ThinkPHP exploit to their arsenals in January. Attacking network storages (CVE-2018-11510). In January, we also detected a new campaign for the ASUSTOR ADM network attached storage (NAS) portal vulnerable to an unauth…"
T1204.002 Malicious File (90%)
"the malicious file download.php before the researchers could download it to analyze. Weathermap editor (Cacti plugin) arbitrary code execution (CVE-2013-3739). Another known threat actor was detected trying to exploit the PHP Weathermap editor Cacti plugin. This vulnerabi…"
T1190 Exploit Public-Facing Application (87%)
"Vulnerabilities, exploits, and malware driving attack campaigns in January 2019. Security researchers at F5 Networks constantly monitor web traffic at various locations throughout the world. This allows us to detect current “in the wild” malware, and to get an insight into a thr…"
T1190 Exploit Public-Facing Application (82%)
"the base64-encoded string, we can see in Figure 12 that the attacker is trying to open a shell on the vulnerable server. The input, output, and error messages are then provided through the uploaded malicious file. Figure 12. After decoding the base64-encoded string shown in F…"
T1204.002 Malicious File (75%)
"threat actor was previously seen spreading Mirai malware on other vulnerable applications. Figure 14. Same threat actor targeting IoT and Oracle WebLogic applications from October 2018 through January 2019. Figure 15. Contents of the file downloaded from the download server as we…"
T1190 Exploit Public-Facing Application (43%)
"became a popular attack vector. Figure 2. Malicious attempts on F5 threat detection systems increased by a factor of 14 from December to January. Two of the campaigns we observed were spreading a variation of the Mirai malware. This malware turns networked devices running Linux in…"
T1190 Exploit Public-Facing Application (31%)
Summary
January threat actor activity focused heavily on exploiting a ThinkPHP remote code execution vulnerability and infecting vulnerable Oracle WebLogic systems with a Mirai variant.