Threat Research
Stay on top of the latest threat research, information on in-the-wild cyber attacks and cyber operations from Juniper Threat Labs.
Latest Articles
Growing attacks using Accept-Charset exploit

Juniper Threat Labs is seeing a growing number of attacks that abuse the Accept-Charset HTTP request header. This header lets a client tell the server which character sets (for example, ISO-8859-1 or UTF-8) it can accept in the response. Attackers are instead placing base64-encoded PHP code in the header. During our investigation we identified the vulnerable software as a tampered version of phpStudy: at some point attackers compromised phpStudy and altered the 2016 and 2018 releases so that they decode and execute the contents of this header.
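A simple way to hunt for this pattern in web logs or captured requests is to base64-decode the Accept-Charset value and look for PHP markers in the result. The script below is an added example written for this page, not Juniper Threat Labs code; the two HTTP requests it inspects are constructed samples, and the backdoor's exact trigger logic inside phpStudy is not described on the page, so the check is deliberately generic.

```python
import base64
import binascii
import re

# Constructed sample requests (not from the page's telemetry): one legitimate
# Accept-Charset value and one carrying a base64-encoded PHP payload.
BENIGN_REQUEST = (
    "GET /index.php HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Accept-Charset: utf-8, iso-8859-1;q=0.5\r\n"
    "\r\n"
)

PAYLOAD_PHP = "<?php echo 'probe'; ?>"
MALICIOUS_REQUEST = (
    "GET /index.php HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Accept-Charset: " + base64.b64encode(PAYLOAD_PHP.encode()).decode() + "\r\n"
    "\r\n"
)

# Markers that a decoded header should never contain in legitimate traffic.
PHP_MARKERS = re.compile(
    r"<\?php|<\?=|\beval\s*\(|\bsystem\s*\(|\bpassthru\s*\(|\bshell_exec\s*\(", re.I
)


def get_header(raw_request: str, name: str):
    """Return the value of the first header called `name`, or None."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" in line:
            key, value = line.split(":", 1)
            if key.strip().lower() == name.lower():
                return value.strip()
    return None


def try_base64(value: str):
    """Decode `value` if it looks like a single base64 token; otherwise None.

    Real Accept-Charset values contain commas, semicolons or hyphens, which are
    not base64 alphabet characters, so they are rejected up front.
    """
    token = value.strip()
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", token) or len(token) % 4 or len(token) < 8:
        return None
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def inspect_accept_charset(raw_request: str) -> dict:
    """Classify one raw HTTP request by the content of its Accept-Charset header."""
    value = get_header(raw_request, "Accept-Charset")
    if value is None:
        return {"suspicious": False, "reason": "no Accept-Charset header"}
    decoded = try_base64(value)
    if decoded is None:
        return {"suspicious": False, "reason": "header is not a base64 token"}
    match = PHP_MARKERS.search(decoded)
    if match:
        return {
            "suspicious": True,
            "reason": "base64-decoded header contains PHP marker %r" % match.group(0),
            "decoded": decoded,
        }
    return {"suspicious": False, "reason": "decodes but contains no PHP markers", "decoded": decoded}


if __name__ == "__main__":
    for req in (BENIGN_REQUEST, MALICIOUS_REQUEST):
        print(inspect_accept_charset(req))
```

The check is intentionally conservative: it only flags values that are a well-formed base64 token and decode to recognisable PHP, so a charset name that happens to be eight base64 characters long decodes to junk and is left alone. On a host running phpStudy, the stronger response is to replace the tampered PHP binaries with a clean build rather than rely on header filtering.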

Read more...

Juniper Employee
How to defend against everyday IoT threats

The Internet of Things has been around for years, but it has become more and more prevalent. This ever-growing footprint has made it a juicier target. How are attackers going after these devices, and how do we better defend our networks?

Read more...

JesseLands
Masad Stealer: Exfiltrating using Telegram

Juniper Threat Labs discovered a new Trojan-delivered spyware that uses Telegram to exfiltrate stolen information. Using Telegram as a command and control (CnC) channel gives the malware a degree of anonymity, since Telegram is a legitimate messaging application with 200 million monthly active users. The malware is advertised on black market forums as "Masad Clipper and Stealer". It steals browser data, which may contain usernames, passwords and credit card information, and it also automatically replaces cryptocurrency wallet addresses found in the clipboard with the attacker's own.

Read more...

Juniper Employee
RCE Attacks Targeting Misconfigured Open PHP-FPM

On August 7, 2019, Juniper Threat Labs started seeing attacks on PHP-FPM (FastCGI Process Manager) instances exposed on TCP port 9000. The attack works by sending FastCGI requests that carry PHP configuration options, which lets the attacker inject a PHP script into a listening PHP-FPM service. The payload is a base64-encoded PHP script that collects system information, presumably as part of a reconnaissance stage.
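To see what "passing PHP configuration options" looks like on the wire, and to detect it, it helps to parse the FastCGI records themselves. The script below is an added example for this page, not Juniper Threat Labs code. It serialises and parses FastCGI v1 records (BEGIN_REQUEST, PARAMS, STDIN) and flags requests whose `PHP_VALUE` or `PHP_ADMIN_VALUE` parameter, the standard FastCGI mechanism for handing php.ini directives to PHP-FPM, carries directives such as `auto_prepend_file` or `allow_url_include`. The page does not state which directives this campaign set, so the injected sample is a constructed one modelled on the publicly documented open-PHP-FPM technique.

```python
import struct

# FastCGI v1 constants (from the FastCGI specification).
FCGI_VERSION_1 = 1
FCGI_BEGIN_REQUEST = 1
FCGI_PARAMS = 4
FCGI_STDIN = 5
FCGI_RESPONDER = 1


def _encode_len(n: int) -> bytes:
    """Name/value lengths: 1 byte if < 128, else 4 bytes big-endian with the high bit set."""
    return bytes([n]) if n < 128 else struct.pack("!I", n | 0x80000000)


def _record(rtype: int, request_id: int, body: bytes) -> bytes:
    """One record: 8-byte header, content, and padding to an 8-byte boundary."""
    pad = (8 - len(body) % 8) % 8
    header = struct.pack("!BBHHBx", FCGI_VERSION_1, rtype, request_id, len(body), pad)
    return header + body + b"\x00" * pad


def build_request(params: dict, stdin: bytes = b"", request_id: int = 1) -> bytes:
    """Serialise a complete FastCGI request as a client such as nginx would send it."""
    begin = struct.pack("!HB5x", FCGI_RESPONDER, 0)
    param_stream = b"".join(
        _encode_len(len(k)) + _encode_len(len(v)) + k.encode() + v.encode()
        for k, v in params.items()
    )
    return (
        _record(FCGI_BEGIN_REQUEST, request_id, begin)
        + _record(FCGI_PARAMS, request_id, param_stream)
        + _record(FCGI_PARAMS, request_id, b"")  # empty PARAMS record ends the stream
        + _record(FCGI_STDIN, request_id, stdin)
        + _record(FCGI_STDIN, request_id, b"")  # empty STDIN record ends the body
    )


def _decode_len(buf: bytes, pos: int):
    if buf[pos] < 128:
        return buf[pos], pos + 1
    return struct.unpack("!I", buf[pos:pos + 4])[0] & 0x7FFFFFFF, pos + 4


def parse_params(raw: bytes) -> dict:
    """Walk the records of a FastCGI request and return all PARAMS name/value pairs."""
    pos, param_stream = 0, b""
    while pos + 8 <= len(raw):
        version, rtype, _rid, clen, plen = struct.unpack("!BBHHBx", raw[pos:pos + 8])
        if version != FCGI_VERSION_1:
            raise ValueError("not a FastCGI v1 record")
        content = raw[pos + 8:pos + 8 + clen]
        pos += 8 + clen + plen
        if rtype == FCGI_PARAMS:
            param_stream += content  # the stream may span several records
    params, p = {}, 0
    while p < len(param_stream):
        nlen, p = _decode_len(param_stream, p)
        vlen, p = _decode_len(param_stream, p)
        name = param_stream[p:p + nlen].decode("latin-1")
        p += nlen
        value = param_stream[p:p + vlen].decode("latin-1")
        p += vlen
        params[name] = value
    return params


# php.ini directives that a web client has no business pushing into PHP-FPM.
RISKY_DIRECTIVES = ("auto_prepend_file", "auto_append_file", "allow_url_include",
                    "disable_functions", "open_basedir")


def find_injected_config(raw: bytes) -> list:
    """Return (param, directive) pairs where a request smuggles risky php.ini settings."""
    hits = []
    for name, value in parse_params(raw).items():
        if name in ("PHP_VALUE", "PHP_ADMIN_VALUE"):
            for directive in RISKY_DIRECTIVES:
                if directive in value:
                    hits.append((name, directive))
    return hits


# Constructed samples (not captured traffic): a normal request and an injected one.
BENIGN = build_request({"REQUEST_METHOD": "GET", "SCRIPT_FILENAME": "/var/www/html/index.php",
                        "SERVER_PROTOCOL": "HTTP/1.1"})
STDIN_BODY = b"<?php echo 'probe'; ?>\n"
INJECTED = build_request(
    {"REQUEST_METHOD": "POST", "SCRIPT_FILENAME": "/var/www/html/index.php",
     "CONTENT_LENGTH": str(len(STDIN_BODY)),
     # auto_prepend_file=php://input makes PHP-FPM execute the STDIN body as code.
     "PHP_VALUE": "auto_prepend_file = php://input\nallow_url_include = On"},
    stdin=STDIN_BODY,
)

if __name__ == "__main__":
    print("benign:", find_injected_config(BENIGN))
    print("injected:", find_injected_config(INJECTED))
```

The root cause the title points at is the listener, not the protocol: PHP-FPM's `listen` directive should bind a Unix socket or `127.0.0.1:9000`, and if it must use TCP, `listen.allowed_clients` should restrict it to the web server's address, so that port 9000 is never reachable from the Internet in the first place.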

Read more...

Juniper Employee
Security Pitfalls with Multicloud Deployments

I recently had the pleasure of participating in a panel discussion at the Cyber Security Summit USA in Denver, CO, on the topic of cloud INsecurity. The panel needed to cover the common pitfalls that organizations make when moving to the cloud and how to avoid them. Joined by several distinguished panelists from the security industry, we tackled some key questions and I wanted to share the key takeaways with those who were not so fortunate to join us live during the event.

Read more...

Juniper Employee
Satan Ransomware used in Multi-Platform Cryptomining and Ransomware Campaign

Juniper Threat Labs has been monitoring a campaign that delivered multiple stages of malware to install a cryptocurrency miner and ransomware. On March 16, 2019, we identified a surge in attacks that target an Apache Struts vulnerability to deliver their payload.

Read more...

Juniper Employee
Latest Comments
10-13-2019 - Re: RCE Attacks Targeting Misconfigured Open PHP-FPM, by vidyasp
09-28-2018 - Re: Kronos - The Banking Chronicle
05-24-2018 - Re: VPNFilter: a nation state campaign for surveillance and destruction, by omarg