With the recent surge in popularity and increasing value of cryptocurrency, it should be no surprise that financially motivated threat actors have begun leveraging their victims to contribute to “mining” efforts, where the computing resources of the victim are used to generate cryptocurrency for the threat actor. To succeed in making a large profit, the actors must continually compromise a large number of victims and utilize significant computing resources. This demand for mass compromise has forced these threat actors to adopt automated methods that rely on opportunistic exploitation to outpace defenders, increasing the number of victims as quickly as possible with minimal cost.

While on the surface the business impact from coin mining seems minimal, having an unauthorized party in control of systems you own introduces a dangerous wild card. The Gigamon Applied Threat Research (ATR) team has witnessed incidents stemming from criminals who decided to sell their access to other parties, and the increasingly common malware-as-a-service scheme contributes to the risk from “simple” coin mining. Is it really a criminal performing coin mining, or is that a disguise? What will they do with the access if coin mining is no longer profitable? Simply stated, criminal post-exploitation has become an efficient and widespread business that poses a threat to all enterprises, especially those with a significant and historical internet footprint that may contain undocumented or obsolete systems and pages.

In this post, we will provide a walkthrough of an attack campaign that the Gigamon ATR team has witnessed in the wild over the past several weeks and break down some key lessons learned from the attack.

## Attack Walkthrough

### Exploitation

Attackers primarily rely on opportunistic exploitation of well-known (and signatured) vulnerabilities in applications running on internet-connected systems, and exhibit complete disregard for stealth or disguise. Throughout the recently observed campaign, attackers originating from multiple source addresses (191.101.18084, 78) leveraged CVE-2017-10271, a Java deserialization vulnerability in the Oracle WebLogic Server, to target outdated servers (Figure 1).

Java deserialization vulnerabilities are not unique to Oracle, and plague several older versions of WebSphere, JBoss, Jenkins, OpenNMS, etc. In this class of vulnerability, server software attempts to deserialize untrusted content without validation, allowing an attacker to abuse the application for code execution.

Figure 2: Complete staging process without execution signal.
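The root cause described above, unvalidated deserialization of untrusted bytes, is easiest to see next to its fix. The following is an added example written for this page, not code from the Gigamon post or from any of the products named in it: it shows the generic Java object-stream case, with a hypothetical service that expects only a `JobRequest` object on the wire. The unchecked reader instantiates whatever class name the stream carries; the hardened reader installs a `java.io.ObjectInputFilter` (available since Java 9) that allow-lists the expected type and rejects everything else before any object is created. The class names `DeserializationFilterDemo`, `JobRequest` and `NotExpected` are all constructed for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class DeserializationFilterDemo {

    // Hypothetical: the one type this service legitimately expects from clients.
    public static final class JobRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        final String jobName;
        JobRequest(String jobName) { this.jobName = jobName; }
    }

    // Hypothetical: a type the service never expects; stands in for any class an
    // attacker might place in the stream. It is deliberately harmless here.
    public static final class NotExpected implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    // Unsafe pattern: every class descriptor in the stream is resolved and instantiated,
    // so the sender, not the server, decides which classes get constructed.
    static Object deserializeUnchecked(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            return in.readObject();
        }
    }

    // Hardened pattern: an allow-list filter accepts only the expected type (plus the
    // String it contains) and rejects every other class ("!*") before instantiation.
    // maxdepth/maxarray also blunt nesting and allocation-based resource exhaustion.
    static Object deserializeFiltered(byte[] untrusted) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                "DeserializationFilterDemo$JobRequest;java.lang.String;maxdepth=5;maxarray=1000;!*");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            in.setObjectInputFilter(filter);
            return in.readObject();   // throws InvalidClassException on a rejected class
        }
    }

    // Helper that produces the "untrusted" byte blobs used below (constructed sample input).
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new JobRequest("nightly-report"));
        byte[] unexpected = serialize(new NotExpected());

        // The unchecked reader happily builds both objects; it has no notion of "expected".
        System.out.println("unchecked: " + deserializeUnchecked(expected).getClass().getSimpleName());
        System.out.println("unchecked: " + deserializeUnchecked(unexpected).getClass().getSimpleName());

        // The filtered reader accepts JobRequest and rejects NotExpected before constructing it.
        System.out.println("filtered:  " + deserializeFiltered(expected).getClass().getSimpleName());
        try {
            deserializeFiltered(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("filtered:  rejected (" + e.getMessage() + ")");
        }
    }
}
```

Compile and run with a Java 9 or later JDK (`javac DeserializationFilterDemo.java && java DeserializationFilterDemo`). The important design choice is the trailing `!*`: the filter is an allow-list, so a class that is not named is rejected even if it is on the classpath, which is what prevents the "deserialize whatever arrives" behaviour the post describes. A filter can also be applied process-wide through the `jdk.serialFilter` system property, which is useful when the vulnerable deserialization call sits inside third-party code you cannot edit.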