Posts

Over 3,000 F5 BIG-IP endpoints vulnerable to CVE-2020-5902

On Sunday, July 5, 2020, our honeypots detected opportunistic mass scanning activity originating from multiple hosts targeting F5 BIG-IP servers vulnerable to CVE-2020-5902. This critical vulnerability allows unauthenticated remote attackers to execute arbitrary commands on the targeted server.

"Our latest CVE-2020-5902 scans have identified 3,012 vulnerable F5 hosts worldwide. Bad Packets vulnerability scan results are freely available for authorized government CERT, CSIRT, and ISAC teams. Submit request here: https://t.co/0eV9Go1Fsw https://t.co/Sh4lAHpQVn" — Bad Packets (@bad_packets) July 7, 2020

How many hosts are vulnerable to CVE-2020-5902?

Using data provided by BinaryEdge, we scanned 8,204 F5 BIG-IP servers to determine which were vulnerable. …


SpiderFoot HX module now available for Bad Packets® CTI

What is SpiderFoot HX?

SpiderFoot HX is the premium, subscription-based version of the open-source intelligence (OSINT) tool SpiderFoot that offers additional performance enhancements and data visualization capabilities.

What is SpiderFoot HX used for?

SpiderFoot automates the OSINT process by gathering data from cybersecurity-related research resources such as Archive.org, BinaryEdge, HaveIBeenPwned, Spamhaus, urlscan.io, VirusTotal, and more. SpiderFoot generates a summarized threat intelligence report for indicators such as:

IP addresses
Domain names
Email addresses

Bad Packets® CTI SpiderFoot HX module prerequisites

Create a SpiderFoot HX account
Sign up for Bad Packets® CTI to obtain your API key.

How to configure Bad Packets® …


Over 25,000 Citrix (NetScaler) endpoints vulnerable to CVE-2019-19781

On Friday, January 10, 2020, our honeypots detected opportunistic mass scanning activity originating from a host in Germany targeting Citrix Application Delivery Controller (ADC) and Citrix Gateway (also known as NetScaler Gateway) servers vulnerable to CVE-2019-19781. This critical vulnerability allows unauthenticated remote attackers to execute commands on the targeted server after chaining an arbitrary file read/write (directory traversal) flaw.

"Mass scanning activity detected from 82.102.16.220 (🇩🇪) checking for Citrix NetScaler Gateway endpoints vulnerable to CVE-2019-19781. Affected organizations are advised to apply the mitigation steps provided by Citrix as no patch exists yet. https://t.co/weFVYpEWi2 #threatintel pic.twitter.com/mTfky68JEh" — Bad Packets Report (@bad_packets) January …


Over 14,500 Pulse Secure VPN endpoints vulnerable to CVE-2019-11510

On Thursday, August 22, 2019, our honeypots detected opportunistic mass scanning activity from a host in Spain targeting Pulse Secure "Pulse Connect Secure" VPN server endpoints vulnerable to CVE-2019-11510. This arbitrary file reading vulnerability allows sensitive information disclosure, enabling unauthenticated attackers to access private keys and user passwords. Further exploitation using the leaked credentials can lead to remote command injection (CVE-2019-11539) and allow attackers to gain access inside private VPN networks.

"⚠️ WARNING ⚠️ Mass scanning activity detected from 2.137.127.2 (🇪🇸) checking for @pulsesecure Pulse Connect Secure VPN endpoints vulnerable to arbitrary file reading (CVE-2019-11510). #threatintel pic.twitter.com/fiRUMKjwbE" — Bad Packets Report (@bad_packets) …


Over 25,000 Linksys Smart Wi-Fi routers vulnerable to sensitive information disclosure flaw

Our honeypots frequently detect scans targeting various home automation protocol endpoints. Many of these attacks aim to exploit vulnerable consumer routers. Upon further investigation, we've discovered a persistent flaw affecting Linksys Smart Wi-Fi routers that allows unauthenticated remote access to sensitive information.

How can the vulnerability be exploited?

1. Go to the Linksys Smart Wi-Fi router's public IP address in your web browser
2. Open the developer console (F12 key) and go to the Network tab
3. Scroll down to JNAP (there are multiple) and click to open it

The leak can also be reproduced by sending a request to this JNAP endpoint: X-JNAP-ACTION: …
