Threat Intel
Welcome to another Threat Week update, today we are going to look at some of the active threats in the wild and in the news.
Top Threats
Attack Vectors
Common attack vectors are still the usual suspects. Phishing, drive by infections, insecure internet exposed services (e.g. FTP, RDP, SSH, web services etc.) We’ve seen phishing attacks using legitimate services such as Zoho CRM to hijack their mail domain to bypass mail filters, so again good education plus technical controls are the best defence against these attacks.
Firewall Analysis
Xservus run a vulnerable lab which hosts honeypots, web services and is used to detect threats. The following graph showcases external threats detected.
We can see here that a high volume of vulnerabilities are targeted against DLINK DSL routers via command injection and MVPower DVR command injection. It is highly likely these devices are being targeted to form Internet of Things (IoT) botnets such as the ‘Reaper’ botnet.
The IoT landscape presents an easy target for threat attacks, it seems not a week goes by without new vulnerabilities being found, you can see here a recently published issue with Swann security cameras!
https://www.bbc.co.uk/news/technology-44809152
Firewall Logs
The following table show’s unique IP addresses and threat types obtained from the lab’s firewall.
| Source address | Threat/Content Name |
| 41.37.247.158 | DLink DSL Remote OS Command Injection Vulnerability(54505) |
| 223.135.114.142 | DLink DSL Remote OS Command Injection Vulnerability(54505) |
| 41.45.153.19 | MVPower DVR TV Shell Unauthenticated Command Execution Vulnerability(54553) |
| 41.45.203.1 | MVPower DVR TV Shell Unauthenticated Command Execution Vulnerability(54553) |
| 156.202.245.194 | MVPower DVR TV Shell Unauthenticated Command Execution Vulnerability(54553) |
| 156.216.189.217 | MVPower DVR TV Shell Unauthenticated Command Execution Vulnerability(54553) |
| 156.212.41.16 | MVPower DVR TV Shell Unauthenticated Command Execution Vulnerability(54553) |
| 156.205.2.154 | MVPower DVR TV Shell Unauthenticated Command Execution Vulnerability(54553) |
| 156.220.239.219 | MVPower DVR TV Shell Unauthenticated Command Execution Vulnerability(54553) |
| 79.43.141.236 | DLink DSL Remote OS Command Injection Vulnerability(54505) |
| 41.44.17.129 | MVPower DVR TV Shell Unauthenticated Command Execution Vulnerability(54553) |
| 196.202.83.110 | MVPower DVR TV Shell Unauthenticated Command Execution Vulnerability(54553) |
| 156.196.227.147 | MVPower DVR TV Shell Unauthenticated Command Execution Vulnerability(54553) |
| 156.218.91.96 | MVPower DVR TV Shell Unauthenticated Command Execution Vulnerability(54553) |
| 156.220.124.33 | MVPower DVR TV Shell Unauthenticated Command Execution Vulnerability(54553) |
| 156.210.222.2 | MVPower DVR TV Shell Unauthenticated Command Execution Vulnerability(54553) |
| 156.209.240.189 | MVPower DVR TV Shell Unauthenticated Command Execution Vulnerability(54553) |
| 156.219.132.125 | DLink DSL Remote OS Command Injection Vulnerability(54505) |
| 197.35.122.237 | MVPower DVR TV Shell Unauthenticated Command Execution Vulnerability(54553) |
| 156.221.66.77 | MVPower DVR TV Shell Unauthenticated Command Execution Vulnerability(54553) |
| 197.43.19.223 | DLink DSL Remote OS Command Injection Vulnerability(54505) |
| 221.132.101.247 | DLink DSL Remote OS Command Injection Vulnerability(54505) |
| 158.181.147.43 | DLink DSL Remote OS Command Injection Vulnerability(54505) |
| 77.157.38.206 | DLink DSL Remote OS Command Injection Vulnerability(54505) |
| 114.148.49.86 | DLink DSL Remote OS Command Injection Vulnerability(54505) |
| 41.44.125.29 | DLink DSL Remote OS Command Injection Vulnerability(54505) |
| 41.233.150.200 | DLink DSL Remote OS Command Injection Vulnerability(54505) |
| 27.142.132.247 | DLink DSL Remote OS Command Injection Vulnerability(54505) |
| 156.208.243.23 | DLink DSL Remote OS Command Injection Vulnerability(54505) |
| 156.205.170.57 | DLink DSL Remote OS Command Injection Vulnerability(54505) |
| 156.218.227.92 | DLink DSL Remote OS Command Injection Vulnerability(54505) |
| 156.218.50.252 | DLink DSL Remote OS Command Injection Vulnerability(54505) |
| 156.218.186.12 | DLink DSL Remote OS Command Injection Vulnerability(54505) |
| 118.19.126.68 | DLink DSL Remote OS Command Injection Vulnerability(54505) |
| 153.200.68.7 | DLink DSL Remote OS Command Injection Vulnerability(54505) |
| 156.199.238.55 | DLink DSL Remote OS Command Injection Vulnerability(54505) |
| 180.196.248.187 | DLink DSL Remote OS Command Injection Vulnerability(54505) |
| 41.45.39.127 | DLink DSL Remote OS Command Injection Vulnerability(54505) |
| 151.26.10.90 | DLink DSL Remote OS Command Injection Vulnerability(54505) |
| 156.220.207.167 | DLink DSL Remote OS Command Injection Vulnerability(54505) |
| 197.34.114.72 | DLink DSL Remote OS Command Injection Vulnerability(54505) |
| 92.4.84.196 | DLink DSL Remote OS Command Injection Vulnerability(54505) |
| 197.38.199.141 | DLink DSL Remote OS Command Injection Vulnerability(54505) |
| 156.221.80.198 | DLink DSL Remote OS Command Injection Vulnerability(54505) |
| 109.1.114.155 | DLink DSL Remote OS Command Injection Vulnerability(54505) |
| 197.48.170.117 | DLink DSL Remote OS Command Injection Vulnerability(54505) |
| 156.219.157.212 | DLink DSL Remote OS Command Injection Vulnerability(54505) |
| 41.42.32.21 | DLink DSL Remote OS Command Injection Vulnerability(54505) |
| 92.8.95.119 | DLink DSL Remote OS Command Injection Vulnerability(54505) |
| 47.104.92.23 | Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865) |
| 218.84.168.2 | MAIL: User Login Brute Force Attempt(40007) |
| 185.104.125.70 | DLink DSL Remote OS Command Injection Vulnerability(54505) |
| 47.90.92.121 | Apache Struts ClassLoader Security Bypass Vulnerability(36932) |
| 217.147.169.230 | Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865) |
| 119.167.165.106 | Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865) |
| 79.10.148.140 | DLink DSL Remote OS Command Injection Vulnerability(54505) |
| 54.201.148.215 | Generic HTTP Cross Site Scripting Attempt(31476) |
| 54.201.148.215 | HTTP /etc/passwd Access Attempt(30852) |
| 122.152.209.78 | Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865) |
| 47.91.252.154 | Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865) |
| 47.98.157.248 | Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865) |
| 203.125.159.186 | MAIL: User Login Brute Force Attempt(40007) |
| 47.100.214.221 | Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865) |
| 212.237.42.226 | FTP: login Brute Force attempt(40001) |
| 101.132.125.196 | Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865) |
| 203.195.154.118 | Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865) |
| 212.237.41.181 | FTP: login Brute Force attempt(40001) |
| 118.25.70.166 | Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865) |
| 212.237.42.95 | FTP: login Brute Force attempt(40001) |
| 139.199.162.127 | Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865) |
| 111.230.54.59 | Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865) |
| 101.132.96.96 | Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865) |
| 103.213.249.26 | Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865) |
| 139.199.193.200 | Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865) |
| 120.78.88.164 | Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865) |
| 118.24.117.110 | Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865) |
| 71.255.131.72 | HTTP /etc/passwd access attempt(35107) |
| 140.143.96.132 | Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865) |
| 123.207.96.227 | Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865) |
| 103.78.103.58 | Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865) |
| 125.211.216.56 | Apache Struts Jakarta Multipart Parser Remote Code Execution Vulnerability(34221) |
| 193.112.7.211 | Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865) |
| 116.196.68.215 | Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865) |
| 210.209.93.236 | Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865) |
| 118.193.239.48 | Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865) |
| 45.7.231.174 | Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865) |
| 192.144.149.159 | Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865) |
| 116.196.120.180 | Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865) |
| 139.199.199.144 | Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865) |
| 119.27.162.157 | Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865) |
| 89.248.168.171 | GPON Home Routers Remote Code Execution Vulnerability(37264) |
| 111.121.193.195 | Apache Struts Jakarta Multipart Parser Remote Code Execution Vulnerability(34221) |
| 218.108.27.2 | Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865) |
| 42.51.209.140 | Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865) |
| 122.227.194.35 | Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865) |
| 203.189.235.205 | Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865) |
| 222.211.86.214 | Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865) |
| 116.228.150.150 | Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865) |
| 123.206.98.86 | Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865) |
| 47.90.46.156 | Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865) |
| 84.42.139.238 | Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865) |
| 58.87.117.86 | Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865) |
| 111.230.181.88 | Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865) |
| 47.52.101.88 | Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865) |
| 45.127.99.213 | Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865) |
| 113.108.192.2 | Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865) |
| 123.160.10.16 | Apache Struts Jakarta Multipart Parser Remote Code Execution Vulnerability(34221) |
| 122.152.227.105 | Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865) |
| 47.52.26.165 | Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865) |
| 139.159.225.146 | Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865) |
| 120.78.129.155 | Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865) |
| 140.143.206.197 | Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865) |
| 193.112.218.196 | Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865) |
| 118.24.88.196 | Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865) |
| 35.169.173.59 | Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865) |
| 116.196.86.102 | Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865) |
| 101.254.149.242 | Apache Struts Jakarta Multipart Parser Remote Code Execution Vulnerability(34221) |
| 103.246.246.246 | Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865) |
| 108.186.134.87 | Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865) |
| 60.174.69.158 | Apache Struts Jakarta Multipart Parser Remote Code Execution Vulnerability(34221) |
| 140.143.226.195 | Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865) |
| 119.146.223.85 | Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865) |
| 116.113.33.130 | Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865) |
| 201.151.197.153 | Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865) |
| 222.187.220.247 | Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865) |
| 219.148.170.178 | Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865) |
| 193.112.154.67 | Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865) |
| 101.254.149.188 | Apache Struts Jakarta Multipart Parser Remote Code Execution Vulnerability(34221) |
| 222.83.228.182 | Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865) |
| 58.21.173.126 | Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865) |
| 193.112.188.241 | Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865) |
| 61.163.101.56 | Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865) |
| 190.8.40.10 | JBoss.Worm Command and Control Traffic(13121) |
| 211.149.183.63 | Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865) |
| 58.56.98.137 | Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865) |
| 122.112.214.95 | Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865) |
| 113.107.235.91 | Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865) |
| 119.28.179.124 | Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865) |
| 42.51.152.72 | Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865) |
| 123.206.87.129 | Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865) |
| 74.208.166.46 | Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865) |
| 116.196.117.76 | Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865) |
| 203.195.139.201 | Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865) |
| 1.9.132.216 | Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865) |
| 165.228.65.32 | Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865) |
| 31.184.194.114 | Bash Remote Code Execution Vulnerability(36729) |
| 113.160.16.194 | Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865) |
| 114.82.183.224 | Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865) |
| 185.70.76.35 | Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865) |
| 197.221.130.54 | Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865) |
| 218.17.246.223 | Apache Struts Jakarta Multipart Parser Remote Code Execution Vulnerability(34221) |
| 198.20.70.114 | F5 Ticketbleed Information Disclosure Vulnerability(40383) |
| 122.114.248.240 | Apache Struts Jakarta Multipart Parser Remote Code Execution Vulnerability(34221) |
| 123.56.211.204 | MAIL: User Login Brute Force Attempt(40007) |
| 103.236.254.19 | Apache Struts Jakarta Multipart Parser Remote Code Execution Vulnerability(34221) |
Cryptomining
Once again Cryptomining is on the agenda. As you may know 2017’s top hitter of ransomware has been displaced by Crypytomining. Ransomware was highly obvious and had a low time to detect (usually too late but it’s fairly obvious that it’s hit you, the big message tends to give it away).
On Alienvault’s OTX we’ve got Win32/CoinMiner trending, but that’s not the only player in the field.
Banking Trojans – Kronos Returns
The banking trojan that @Malwaretechblog was detained for contributing code towards after Defcon last year, has a new variant targeting Germany, Japan and Poland.
IOC’s include the following DNS names:
For more Intel on the new Kronus variant Proof Point have a good post covering this: https://www.proofpoint.com/us/threat-insight/post/kronos-reborn
Summary
In the news/media we often here a great volume of information of 0-days and advanced persistent threats, and while that’s useful for some organisations and verticals, the mainstay of activity we see both in the wild and with clients is opportunistic attacks based on spray and pray techniques. Most of the threats mentioned in this week can be mitigated by using relatively simply security controls which are available out of the box on most systems.
| Threat/Content Name |
| DLink DSL Remote OS Command Injection Vulnerability(54505) |
| MVPower DVR TV Shell Unauthenticated Command Execution Vulnerability(54553) |
| Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability(38865) |
| Apache Struts ClassLoader Security Bypass Vulnerability(36932) |
| Apache Struts Jakarta Multipart Parser Remote Code Execution Vulnerability(34221) |
| GPON Home Routers Remote Code Execution Vulnerability(37264) |
| JBoss.Worm Command and Control Traffic(13121) |
| Bash Remote Code Execution Vulnerability(36729) |
| F5 Ticketbleed Information Disclosure Vulnerability(40383) |
We can see here that the mainstay of vulnerabilities can be mitigated simply by patching the known vulnerability. So keep the basics tight (https://www.cyberessentials.org/) and ensure you understand the threat landscape, your assets and protect, defend and respond accordingly. Until next time, stay safe!
