"The Windows and the Linux malware followed the same flow pattern for downloading the malware and for mining XMR cryptocurrency. Figure 2. Flow diagram for the cryptomining malware. The next sections of this monthly wrap-up will walk through the flow of this campaign in a more in-…"
T1027.002 Software Packing (98%)
". 1: the file contains the IP for the private mining pool and the same UUID as the one seen in the UUID file. The previously mentioned configuration file provides instructions on how to decode the malware. Figure 5. Screenshot showing the configuration file used by the cryptomin…"
T1190 Exploit Public-Facing Application (95%)
"script. The same threat actor was previously detected exploiting Elasticsearch search Groovy sandbox bypass vulnerability. - SeaCMS search remote code execution - die md5: this campaign aims to identify SeaCMS servers vulnerable to SeaCMS search remote code execution vulnerabilit…"
T1190 Exploit Public-Facing Application (94%)
". - Two campaigns targeted Elasticsearch servers vulnerable to Groovy scripting engine sandbox security bypass vulnerability (CVE-2015-1427). - In addition to the campaigns exploiting Oracle WebLogic vulnerabilities, the following notable campaigns were also detected: - Jo…"
T1190 Exploit Public-Facing Application (88%)
"Vulnerabilities, Exploits, and Malware Driving Attack Campaigns in July 2019. Security researchers at F5 Networks constantly monitor web traffic at various locations all over the world. This allows us to detect “in the wild” malware, and to get an insight into the current threat…"
T1027.002 Software Packing (66%)
"Figure 11. UPX packed malware for Windows server. The same name of the file for the cryptominer is also used by this malware. Figure 12. Screenshot showing the crypto miner version. The malware also creates a new folder within ProgramData called googlelib. The following are the fil…"
T1190 Exploit Public-Facing Application (65%)
"- airmail.cc: this campaign aims to identify WordPress installations vulnerable to unauthenticated administrator creation in the Convert Plus plugin. The threat actor in this campaign tried to create an administrator account on a vulnerable WordPress installation. Oracle WebLog…"
T1190 Exploit Public-Facing Application (58%)
"(CVE-2019-2725) found in April 2019. Oracle WebLogic is used widely by large corporations, and the servers are resource-intensive. This attracts threat actors looking to exploit the processing power of these servers to mine cryptocurrency. Deserialization vulnerabilities…"
T1190 Exploit Public-Facing Application (52%)
"…e in the googlelib folder. Figure 14. Screenshot showing how the malware ensures persistence. Researchers further observed network traffic of the Windows malware to confirm that although it targeted two different architectures, the malware communicated the same way. Figure 15. Net…"
T1496.001 Compute Hijacking (51%)
"process. Figure 8. Screenshot showing the process tree and where the packed malware sits on it. The malware is an XMR cryptocurrency miner that uses XMRig v2.14.1. XMR is the symbol for the Monero cryptocurrency, a recent favorite of many threat campaigns as it can be mined in a…"
T1059.004 Unix Shell (38%)
"execute a file from a remote server. Figure 16. Screenshot showing the initial request sent to a vulnerable server. Payload: the downloaded file contains a bash script that instructs the vulnerable server to download two more files, .ssh4 and . " " Figure 17. Downloaded bash script,…"
T1496 Resource Hijacking (36%)
"- airmail.cc: this campaign aims to identify WordPress installations vulnerable to unauthenticated administrator creation in the Convert Plus plugin. The threat actor in this campaign tried to create an administrator account on a vulnerable WordPress installation. Oracle WebLog…"
T1059 Command and Scripting Interpreter (33%)
"execute a file from a remote server. Figure 16. Screenshot showing the initial request sent to a vulnerable server. Payload: the downloaded file contains a bash script that instructs the vulnerable server to download two more files, .ssh4 and . " " Figure 17. Downloaded bash script,…"
T1105 Ingress Tool Transfer (33%)
"execute a file from a remote server. Figure 16. Screenshot showing the initial request sent to a vulnerable server. Payload: the downloaded file contains a bash script that instructs the vulnerable server to download two more files, .ssh4 and . " " Figure 17. Downloaded bash script,…"
Summary
In July, vulnerable web servers continued to be the target of threat actors attempting to install cryptominers.