CVE-2020-14882 Archives - The DFIR Report

Intro Towards the end of October, we started seeing attackers take advantage of a WebLogic RCE vulnerability (CVE-2020-14882). Recently, SANS ISC talked about this vulnerability being exploited in the wild, … Read More

Ryuk in 5 Hours

Intro The Ryuk threat actors went from a phishing email to domain wide ransomware in 5 hours. They escalated privileges using Zerologon (CVE-2020-1472), less than 2 hours after the initial … Read More

Ryuk’s Return

Intro The Ryuk group went from an email to domain wide ransomware in 29 hours and asked for over $6 million to unlock our systems. They used tools such as … Read More

NetWalker Ransomware in 1 Hour

The threat actor logged in through RDP, attempted to run a Cobalt Strike Beacon, and then dumped memory using ProcDump and Mimikatz. Next, they RDPed into a Domain Controller, minutes … Read More

Dridex – From Word to Domain Dominance

Ransomware Again…But We Changed the RDP Port!?!?!

Here’s another example of threat actors brute forcing RDP to install ransomware, this time the brute forced system was not using the default RDP port. The threat actors installed ransomware … Read More

Category: CVE-2020-14882

Cryptominers Exploiting WebLogic RCE CVE-2020-14882