Welcome to another Threat Week update, today we are going to look at some of the active threats in the wild and in the news.

Top Threats

Attack Vectors

Common attack vectors are still the usual suspects. Phishing, drive by infections, insecure internet exposed services (e.g. FTP, RDP, SSH, web services etc.) We’ve seen phishing attacks using legitimate services such as Zoho CRM to hijack their mail domain to bypass mail filters, so again good education plus technical controls are the best defence against these attacks.

Firewall Analysis

Xservus run a vulnerable lab which hosts honeypots, web services and is used to detect threats. The following graph showcases external threats detected.

We can see here that a high volume of vulnerabilities are targeted against DLINK DSL routers via command injection and MVPower DVR command injection. It is highly likely these devices are being targeted to form Internet of Things (IoT) botnets such as the ‘Reaper’ botnet.

The IoT landscape presents an easy target for threat attacks, it seems not a week goes by without new vulnerabilities being found, you can see here a recently published issue with Swann security cameras!

https://www.bbc.co.uk/news/technology-44809152

Firewall Logs

The following table show’s unique IP addresses and threat types obtained from the lab’s firewall.

Source address Threat/Content Name
41.37.247.158 DLink DSL Remote OS Command Injection Vulnerability(54505)
223.135.114.142 DLink DSL Remote OS Command Injection Vulnerability(54505)
41.45.153.19 MVPower DVR TV Shell Unauthenticated Command Execution Vulnerability(54553)
41.45.203.1 MVPower DVR TV Shell Unauthenticated Command Execution Vulnerability(54553)
156.202.245.194 MVPower DVR TV Shell Unauthenticated Command Execution Vulnerability(54553)
156.216.189.217 MVPower DVR TV Shell Unauthenticated Command Execution Vulnerability(54553)
156.212.41.16 MVPower DVR TV Shell Unauthenticated Command Execution Vulnerability(54553)
156.205.2.154 MVPower DVR TV Shell Unauthenticated Command Execution Vulnerability(54553)
156.220.239.219 MVPower DVR TV Shell Unauthenticated Command Execution Vulnerability(54553)
79.43.141.236 DLink DSL Remote OS Command Injection Vulnerability(54505)
41.44.17.129 MVPower DVR TV Shell Unauthenticated Command Execution Vulnerability(54553)
196.202.83.110 MVPower DVR TV Shell Unauthenticated Command Execution Vulnerability(54553)
156.196.227.147 MVPower DVR TV Shell Unauthenticated Command Execution Vulnerability(54553)
156.218.91.96 MVPower DVR TV Shell Unauthenticated Command Execution Vulnerability(54553)
156.220.124.33 MVPower DVR TV Shell Unauthenticated Command Execution Vulnerability(54553)
156.210.222.2 MVPower DVR TV Shell Unauthenticated Command Execution Vulnerability(54553)
156.209.240.189 MVPower DVR TV Shell Unauthenticated Command Execution Vulnerability(54553)
156.219.132.125 DLink DSL Remote OS Command Injection Vulnerability(54505)
197.35.122.237 MVPower DVR TV Shell Unauthenticated Command Execution Vulnerability(54553)
156.221.66.77 MVPower DVR TV Shell Unauthenticated Command Execution Vulnerability(54553)
197.43.19.223 DLink DSL Remote OS Command Injection Vulnerability(54505)
221.132.101.247 DLink DSL Remote OS Command Injection Vulnerability(54505)
158.181.147.43 DLink DSL Remote OS Command Injection Vulnerability(54505)
77.157.38.206 DLink DSL Remote OS Command Injection Vulnerability(54505)
114.148.49.86 DLink DSL Remote OS Command Injection Vulnerability(54505)
41.44.125.29 DLink DSL Remote OS Command Injection Vulnerability(54505)
41.233.150.200 DLink DSL Remote OS Command Injection Vulnerability(54505)
27.142.132.247 DLink DSL Remote OS Command Injection Vulnerability(54505)
156.208.243.23 DLink DSL Remote OS Command Injection Vulnerability(54505)
156.205.170.57 DLink DSL Remote OS Command Injection Vulnerability(54505)
156.218.227.92 DLink DSL Remote OS Command Injection Vulnerability(54505)
156.218.50.252 DLink DSL Remote OS Command Injection Vulnerability(54505)
156.218.186.12 DLink DSL Remote OS Command Injection Vulnerability(54505)
118.19.126.68 DLink DSL Remote OS Command Injection Vulnerability(54505)
153.200.68.7 DLink DSL Remote OS Command Injection Vulnerability(54505)
156.199.238.55 DLink DSL Remote OS Command Injection Vulnerability(54505)
180.196.248.187 DLink DSL Remote OS Command Injection Vulnerability(54505)
41.45.39.127 DLink DSL Remote OS Command Injection Vulnerability(54505)
151.26.10.90 DLink DSL Remote OS Command Injection Vulnerability(54505)
156.220.207.167 DLink DSL Remote OS Command Injection Vulnerability(54505)
197.34.114.72 DLink DSL Remote OS Command Injection Vulnerability(54505)
92.4.84.196 DLink DSL Remote OS Command Injection Vulnerability(54505)
197.38.199.141 DLink DSL Remote OS Command Injection Vulnerability(54505)
156.221.80.198 DLink DSL Remote OS Command Injection Vulnerability(54505)
109.1.114.155 DLink DSL Remote OS Command Injection Vulnerability(54505)
197.48.170.117 DLink DSL Remote OS Command Injection Vulnerability(54505)
156.219.157.212 DLink DSL Remote OS Command Injection Vulnerability(54505)
41.42.32.21 DLink DSL Remote OS Command Injection Vulnerability(54505)
92.8.95.119 DLink DSL Remote OS Command Injection Vulnerability(54505)
47.104.92.23 Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865)
218.84.168.2 MAIL: User Login Brute Force Attempt(40007)
185.104.125.70 DLink DSL Remote OS Command Injection Vulnerability(54505)
47.90.92.121 Apache Struts ClassLoader Security Bypass Vulnerability(36932)
217.147.169.230 Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865)
119.167.165.106 Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865)
79.10.148.140 DLink DSL Remote OS Command Injection Vulnerability(54505)
54.201.148.215 Generic HTTP Cross Site Scripting Attempt(31476)
54.201.148.215 HTTP /etc/passwd Access Attempt(30852)
122.152.209.78 Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865)
47.91.252.154 Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865)
47.98.157.248 Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865)
203.125.159.186 MAIL: User Login Brute Force Attempt(40007)
47.100.214.221 Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865)
212.237.42.226 FTP: login Brute Force attempt(40001)
101.132.125.196 Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865)
203.195.154.118 Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865)
212.237.41.181 FTP: login Brute Force attempt(40001)
118.25.70.166 Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865)
212.237.42.95 FTP: login Brute Force attempt(40001)
139.199.162.127 Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865)
111.230.54.59 Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865)
101.132.96.96 Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865)
103.213.249.26 Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865)
139.199.193.200 Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865)
120.78.88.164 Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865)
118.24.117.110 Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865)
71.255.131.72 HTTP /etc/passwd access attempt(35107)
140.143.96.132 Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865)
123.207.96.227 Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865)
103.78.103.58 Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865)
125.211.216.56 Apache Struts Jakarta Multipart Parser Remote Code Execution Vulnerability(34221)
193.112.7.211 Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865)
116.196.68.215 Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865)
210.209.93.236 Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865)
118.193.239.48 Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865)
45.7.231.174 Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865)
192.144.149.159 Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865)
116.196.120.180 Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865)
139.199.199.144 Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865)
119.27.162.157 Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865)
89.248.168.171 GPON Home Routers Remote Code Execution Vulnerability(37264)
111.121.193.195 Apache Struts Jakarta Multipart Parser Remote Code Execution Vulnerability(34221)
218.108.27.2 Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865)
42.51.209.140 Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865)
122.227.194.35 Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865)
203.189.235.205 Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865)
222.211.86.214 Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865)
116.228.150.150 Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865)
123.206.98.86 Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865)
47.90.46.156 Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865)
84.42.139.238 Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865)
58.87.117.86 Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865)
111.230.181.88 Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865)
47.52.101.88 Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865)
45.127.99.213 Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865)
113.108.192.2 Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865)
123.160.10.16 Apache Struts Jakarta Multipart Parser Remote Code Execution Vulnerability(34221)
122.152.227.105 Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865)
47.52.26.165 Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865)
139.159.225.146 Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865)
120.78.129.155 Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865)
140.143.206.197 Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865)
193.112.218.196 Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865)
118.24.88.196 Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865)
35.169.173.59 Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865)
116.196.86.102 Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865)
101.254.149.242 Apache Struts Jakarta Multipart Parser Remote Code Execution Vulnerability(34221)
103.246.246.246 Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865)
108.186.134.87 Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865)
60.174.69.158 Apache Struts Jakarta Multipart Parser Remote Code Execution Vulnerability(34221)
140.143.226.195 Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865)
119.146.223.85 Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865)
116.113.33.130 Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865)
201.151.197.153 Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865)
222.187.220.247 Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865)
219.148.170.178 Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865)
193.112.154.67 Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865)
101.254.149.188 Apache Struts Jakarta Multipart Parser Remote Code Execution Vulnerability(34221)
222.83.228.182 Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865)
58.21.173.126 Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865)
193.112.188.241 Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865)
61.163.101.56 Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865)
190.8.40.10 JBoss.Worm Command and Control Traffic(13121)
211.149.183.63 Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865)
58.56.98.137 Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865)
122.112.214.95 Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865)
113.107.235.91 Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865)
119.28.179.124 Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865)
42.51.152.72 Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865)
123.206.87.129 Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865)
74.208.166.46 Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865)
116.196.117.76 Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865)
203.195.139.201 Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865)
1.9.132.216 Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865)
165.228.65.32 Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865)
31.184.194.114 Bash Remote Code Execution Vulnerability(36729)
113.160.16.194 Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865)
114.82.183.224 Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865)
185.70.76.35 Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865)
197.221.130.54 Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865)
218.17.246.223 Apache Struts Jakarta Multipart Parser Remote Code Execution Vulnerability(34221)
198.20.70.114 F5 Ticketbleed Information Disclosure Vulnerability(40383)
122.114.248.240 Apache Struts Jakarta Multipart Parser Remote Code Execution Vulnerability(34221)
123.56.211.204 MAIL: User Login Brute Force Attempt(40007)
103.236.254.19 Apache Struts Jakarta Multipart Parser Remote Code Execution Vulnerability(34221)

Cryptomining

Once again Cryptomining is on the agenda. As you may know 2017’s top hitter of ransomware has been displaced by Crypytomining. Ransomware was highly obvious and had a low time to detect (usually too late but it’s fairly obvious that it’s hit you, the big message tends to give it away).

On Alienvault’s OTX we’ve got Win32/CoinMiner trending, but that’s not the only player in the field.

Banking Trojans – Kronos Returns

The banking trojan that @Malwaretechblog was detained for contributing code towards after Defcon last year, has a new variant targeting Germany, Japan and Poland.

IOC’s include the following DNS names:

dkb-agbs/./com
fritsy83/./website
gameboosts/./net
jhrppbnh4d674kzh/./onion
jmjp2l7yqgaj5xvv/./onion
milliaoin/./info
mysit/./space
mysmo35wlwhrkeez/./onion
oo00mika84/./website
startupbulawayo/./website
suzfjfguuis326qw/./onion

For more Intel on the new Kronus variant Proof Point have a good post covering this: https://www.proofpoint.com/us/threat-insight/post/kronos-reborn

Summary

In the news/media we often here a great volume of information of 0-days and advanced persistent threats, and while that’s useful for some organisations and verticals, the mainstay of activity we see both in the wild and with clients is opportunistic attacks based on spray and pray techniques. Most of the threats mentioned in this week can be mitigated by using relatively simply security controls which are available out of the box on most systems.

Threat/Content Name
DLink DSL Remote OS Command Injection Vulnerability(54505)
MVPower DVR TV Shell Unauthenticated Command Execution Vulnerability(54553)
Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865)
Apache Struts ClassLoader Security Bypass Vulnerability(36932)
Apache Struts Jakarta Multipart Parser Remote Code Execution Vulnerability(34221)
GPON Home Routers Remote Code Execution Vulnerability(37264)
JBoss.Worm Command and Control Traffic(13121)
Bash Remote Code Execution Vulnerability(36729)
F5 Ticketbleed Information Disclosure Vulnerability(40383)

We can see here that the mainstay of vulnerabilities can be mitigated simply by patching the known vulnerability. So keep the basics tight (https://www.cyberessentials.org/) and ensure you understand the threat landscape, your assets and protect, defend and respond accordingly. Until next time, stay safe!

 

Leave a Reply

Your email address will not be published. Required fields are marked *