"Vulnerabilities, Exploits, and Malware Driving Attack Campaigns in May 2019. Security researchers at F5 Networks constantly monitor web traffic at various locations throughout the world. This allows us to detect “in the wild” malware, and to get an insight into the current threa…"
T1190 Exploit Public-Facing Application (98%)
"1003000): the threat actor instructs the server to download and execute a cryptocurrency miner. - ECShop Remote Code Execution: the threat actor tries to upload a webshell on a vulnerable server. Oracle WebLogic Server Deserialization Remote Code Execution. Oracle WebLogic Serv…"
T1204.002 Malicious File (91%)
"4 shows the content of the malicious file wow_ora. This file checks to see if a process named dblaunched is running. If the process is not running, the script tries to download and execute the cryptominer from a Pastebin page or an IP address controlled by the threat actor. This…"
T1190 Exploit Public-Facing Application (84%)
"A threat actor we have not previously seen was detected running a reconnaissance campaign by using the following new deserialization gadget: com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext. As shown in Figure 11, the threat actor use…"
T1190 Exploit Public-Facing Application (81%)
"-10271) A new exploit request was received by our honeypot where the threat actor is trying to exploit CVE-2017-10271 to download a malicious file from an IP controlled by the threat actor. Figure 1 shows the initial request received by our honeypot. An Oracle WebLogic Serv…"
T1204.002 Malicious File (65%)
"by the threat actor. Figure 7 shows the configuration file. This file contains the wallet address of the cryptominer. Figure 7. The configuration file containing the cryptominer’s wallet address. Figure 8 illustrates that the threat actor is trying to mine Monero (XMR) crypto…"
T1204.002 Malicious File (45%)
"-10271) A new exploit request was received by our honeypot where the threat actor is trying to exploit CVE-2017-10271 to download a malicious file from an IP controlled by the threat actor. Figure 1 shows the initial request received by our honeypot. An Oracle WebLogic Serv…"
T1204.002 Malicious File (44%)
"and execute malicious files in the following order. - kok: contains code for killing other competing malware - wow_ora: watchdog to ensure the cryptominer is running - rc6: downloads and executes the cryptominer. Figure 2. Contents of file tx. 3. This file attempts to kill c…"
Summary
Similar to April, threat actors in May continued targeting the deserialization vulnerabilities found in Oracle WebLogic to mine cryptocurrency.