

Vulnerabilities serve as entry points for threats, and even relatively new ones draw swarms of exploit campaigns. In this research, we look into how malware campaigns target server vulnerabilities. In particular, we look into the Atlassian Confluence Server Webwork Object-Graph Navigation Language (OGNL) injection vulnerability, CVE-2021-26084, and three Oracle WebLogic Server vulnerabilities, CVE-2020-14882, CVE-2020-14750, and CVE-2020-14883. We also include recommendations on how security teams can safeguard their workloads. To observe the campaigns described here, we used detection data and set up honeypots, which we managed with Trend Micro Cloud One™ – Workload Security and Trend Micro Vision One™. With the help of these solutions, we were able to investigate attacks launched by adversaries as well as attempt some attack scenarios ourselves. This entry shows Trend Micro Cloud One™ and Trend Micro Vision One™ at work in detecting and tracking these vulnerability exploits.

Almost immediately after Atlassian released the patch for CVE-2021-26084, we saw many different types of attack campaigns seeking to exploit this vulnerability, most of them cryptomining campaigns. The in-depth analysis of the campaign techniques observed in our research can be found in our technical brief. One notable source of attack traffic against CVE-2021-26084 that we have seen so far was the Muhstik botnet campaign, whose purpose is mostly cryptomining as well. Muhstik has targeted vulnerable internet of things (IoT) devices, such as routers, to grow its malicious network and perform other tasks, such as mining cryptocurrency or launching distributed denial-of-service (DDoS) attacks. The operators behind Muhstik target vulnerabilities in public-facing web applications to increase the botnet's reach. They fund their operation by mining cryptocurrency with tools such as XMRig and cgmining, and also by providing DDoS-for-hire services.

How to Protect Systems Against Vulnerability Exploit Campaigns

Vulnerability exploits can heavily compromise user and enterprise systems. The following are some best practices to combat these threats. Administrators should apply all patches as soon as possible, especially if their deployed servers match the known affected versions; applying the vendor patch is the primary preventive measure. Both Atlassian and Oracle have released security advisories for the vulnerabilities discussed here. In addition to the vendor patches, security solutions can help further secure the system. Trend Micro Vision One gives security teams an overall view of attempts in ongoing campaigns by providing a correlated view across multiple layers such as email, endpoints, servers, and cloud workloads.
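The advice to patch first where deployed servers match the known affected versions is easiest to act on with an inventory check. The script below is an added example and is not code from this entry or from Trend Micro; it compares Confluence version strings from an inventory against the ranges Atlassian listed as affected by CVE-2021-26084. The range boundaries are taken from the Atlassian advisory as we read it (fixed in 6.13.23, 7.4.11, 7.11.6, 7.12.5 and 7.13.0) and should be verified against the current advisory before use; the hostnames and versions in the sample inventory are constructed. Oracle ships the fixes for CVE-2020-14882, CVE-2020-14750 and CVE-2020-14883 as Critical Patch Update patches that do not change the WebLogic version string, so a check of this kind does not cover WebLogic; there you must inspect the applied patch level instead.

```python
"""Flag Confluence Server / Data Center hosts whose version falls in a range
the vendor listed as affected by CVE-2021-26084.

Fixed versions assumed from the Atlassian advisory: 6.13.23, 7.4.11, 7.11.6,
7.12.5 and 7.13.0. Verify against the advisory before relying on this.
"""
from __future__ import annotations

import re
from typing import Iterable, List, Tuple

Version = Tuple[int, ...]

# Affected ranges as (first affected, inclusive) -> (first fixed, exclusive).
# Every release before 6.13.23 is affected; 6.14.x through 7.4.10, 7.5.x
# through 7.11.5 and 7.12.0 through 7.12.4 are affected; 7.13.0+ is not.
CVE_2021_26084_AFFECTED: List[Tuple[Version, Version]] = [
    ((0, 0, 0), (6, 13, 23)),
    ((6, 14, 0), (7, 4, 11)),
    ((7, 5, 0), (7, 11, 6)),
    ((7, 12, 0), (7, 12, 5)),
]


def parse_version(text: str) -> Version:
    """Turn '7.12.4' (or '7.12' / 'v7.12.4-build') into a comparable tuple,
    padded to three numeric components so '7.12' sorts as 7.12.0."""
    m = re.match(r"^\s*v?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"not a version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * max(0, 3 - len(parts))


def is_affected(version: str,
                ranges: List[Tuple[Version, Version]] = CVE_2021_26084_AFFECTED) -> bool:
    """True if the version lies inside any [first_affected, first_fixed) range."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in ranges)


def triage(hosts: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """hosts: (hostname, version) pairs, e.g. from an asset inventory export.
    Returns the subset that still needs the CVE-2021-26084 fix."""
    return [(host, ver) for host, ver in hosts if is_affected(ver)]


# Constructed sample inventory; these are not real hosts.
SAMPLE_INVENTORY = [
    ("wiki-01.example.internal", "7.12.4"),
    ("wiki-02.example.internal", "7.12.5"),
    ("wiki-legacy.example.internal", "6.13.22"),
    ("wiki-new.example.internal", "7.13.0"),
    ("wiki-04.example.internal", "7.4.11"),
    ("wiki-05.example.internal", "7.11.0"),
]

if __name__ == "__main__":
    for host, ver in triage(SAMPLE_INVENTORY):
        print(f"{host}: Confluence {ver} is in an affected range for CVE-2021-26084")
```

Note that a version just past a fixed release within the same branch (6.13.24, for example) is treated as fixed, while the next minor branch (6.14.0) is affected again; this is why the ranges are expressed per branch rather than as a single cut-off.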
