TTPwire Vol. 1 · MITRE ATT&CK · Tagged

F5 Labs

Vulnerabilities, Exploits, and Malware Driving Attack Campaigns in June 2019

2019-07-31

ATT&CK techniques detected

8 predictions
T1027.002 Software Packing
99%
“executes a cryptominer. Analysis of xm64: Each month, the F5 research team encounters many different cryptominers in the wild. Most of the time, new cryptominers are similar to previous iterations. Attackers frequently reuse code and/or techniques that have worked for others in…”
T1190 Exploit Public-Facing Application
98%
“Vulnerabilities, Exploits, and Malware Driving Attack Campaigns in June 2019: Security researchers at F5 Networks constantly monitor web traffic at various locations all over the world. This allows us to detect “in the wild” malware, and to get an insight into the current threat…”
T1190 Exploit Public-Facing Application
88%
“threat actor initiating the download of the file 8zxx from termbin. An Oracle WebLogic server vulnerable to CVE-2017-10271 downloads the malicious file from the termbin address and executes it, creating the reverse shell as described above. Based on the team’s analysis, we…”
T1190 Exploit Public-Facing Application
87%
“and execute a cryptominer. This malware was written in Golang. To learn more about this, check out the analysis on F5 Labs. - Elasticsearch Search Groovy Sandbox Bypass (CVE-2014-3120): the threat actor instructs the server to download and execute a cryptocurrency miner. - T…”
T1105 Ingress Tool Transfer
83%
“Driving Attack Campaigns in April 2019 (/content/f5-labs-v2/en/labs/articles/threat-intelligence/vulnerabilities--exploits--and-malware-driving-attack-campaigns-in-april-2019.html) and for more details on some of the payloads used check t…”
T1105 Ingress Tool Transfer
76%
“threat actor initiating the download of the file 8zxx from termbin. An Oracle WebLogic server vulnerable to CVE-2017-10271 downloads the malicious file from the termbin address and executes it, creating the reverse shell as described above. Based on the team’s analysis, we…”
T1496.001 Compute Hijacking
47%
“connects to miningv2.duckdns.org on port 1336 to mine XMR cryptocurrency. Figure 9: Network traffic for the cryptominer. Cryptominers are frequently included in recent attack campaigns; if you would like to learn more about cryptominers, please check out some of our previous…”
T1588.006 Vulnerabilities
33%
“team that monitors the health of your critical systems. Most cryptominers try to exploit as much CPU power as possible; a system that is constantly running at maximum capacity may, therefore, be infected. A stealthy threat actor might try to harness multiple exploited servers, o…”

Summary

Similar to April and May, threat actors in June continued targeting the deserialization vulnerabilities found in Oracle WebLogic to mine cryptocurrency.