Cyber Forum
Log4j Vulnerability Information
Ian Thornton-Trump CD wrote (post 2458):

Good solid analysis and I have a couple of points to add. 1) There is clearly an architecture-based mitigation with use of reverse proxying of the target host response to the malicious input; the attack then can be defanged almost completely. Port 389 LDAP over UDP and TCP would also be a mitigation (and a more effective one), as would a more advanced firewall which would filter protocols (rather than just ports). Blasting LDAP out into the Internet is kind of how we got here, with the need for a "malicious LDAP" server connection from the target host. Although a WAF, as you said, can be tricked (99.9% of this is bot scanning with fairly easy fingerprinting), if your threat model is APT you are 100% right that an actor can blast through pretty effectively. I'm not fussed, as if you're behind Cloudflare and other CDNs they are blocking it, EDR on your endpoints is all updated to kill it and kill any payload delivery, and the big kicker here is that not every Apache install is configured in a way to get "one-shot exploited". Also keep in mind this is bot scanning and not a worm, so again I just feel we should not be at Defcon 5 like WannaCry, NotPetya or BadRabbit.
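The post's main architectural point is that the exploit chain needs the vulnerable host to reach out to an attacker-controlled LDAP server, so blocking or filtering outbound LDAP (port 389) from the target host is a more effective control than a WAF alone. The following script is an added example, not code from the post or the forum; it shows the monitoring side of that egress control. It assumes a simple key=value connection-record format (constructed here; a real deployment would feed in conntrack, NetFlow or firewall logs), an allowlist of legitimate internal directory servers with placeholder addresses, LDAP on 389 plus LDAPS on 636, and the RFC 1918 ranges as "internal". Any application host that opens an LDAP-port connection to a destination outside the allowlist is reported, with external destinations rated higher than unlisted internal ones.

```python
"""Report outbound LDAP-port connections that leave the directory-server allowlist.

Added example (not from the forum post): the post argues that the target host
should not be able to "blast LDAP out into the Internet"; this is the detection
counterpart of that egress rule, run over constructed sample records.
"""
import ipaddress
import re
from dataclasses import dataclass

# Assumption: LDAP on 389 (the port named in the post) and LDAPS on 636.
LDAP_PORTS = {389, 636}

# Assumption: RFC 1918 ranges are the organisation's internal address space.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed placeholder addresses of directory servers that application
# hosts are legitimately allowed to reach on LDAP ports.
ALLOWED_DIRECTORY_SERVERS = {"10.0.0.10", "10.0.0.11"}

# Constructed sample connection records (timestamp, source, destination,
# protocol, destination port). One line is deliberately malformed.
SAMPLE_RECORDS = """\
2021-12-11T10:03:12Z src=10.0.1.20 dst=10.0.0.10 proto=tcp dport=389
2021-12-11T10:03:15Z src=10.0.1.20 dst=203.0.113.45 proto=tcp dport=389
2021-12-11T10:03:16Z src=10.0.1.21 dst=198.51.100.7 proto=udp dport=389
2021-12-11T10:03:20Z src=10.0.1.20 dst=203.0.113.80 proto=tcp dport=443
2021-12-11T10:03:25Z src=10.0.1.22 dst=10.0.0.99 proto=tcp dport=636
this line is malformed and is skipped by the parser
"""

RECORD_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>tcp|udp) dport=(?P<dport>\d+)$"
)


@dataclass(frozen=True)
class Connection:
    ts: str
    src: str
    dst: str
    proto: str
    dport: int


def parse_record(line):
    """Parse one key=value record; return None for lines that do not match."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    return Connection(m["ts"], m["src"], m["dst"], m["proto"], int(m["dport"]))


def is_internal(addr):
    """True if addr parses as an IP inside one of INTERNAL_NETS."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # hostnames or garbage are treated as external
    return any(ip in net for net in INTERNAL_NETS)


def classify(conn, allowed=ALLOWED_DIRECTORY_SERVERS):
    """Return a finding for an LDAP-port connection outside the allowlist, else None.

    An unlisted internal destination may just be an undocumented directory
    server (medium); an external destination on an LDAP port is exactly the
    outbound callback the post says should be blocked (high).
    """
    if conn.dport not in LDAP_PORTS or conn.dst in allowed:
        return None
    severity = "medium" if is_internal(conn.dst) else "high"
    return {"ts": conn.ts, "src": conn.src, "dst": conn.dst,
            "proto": conn.proto, "dport": conn.dport, "severity": severity}


def find_ldap_egress(text, allowed=ALLOWED_DIRECTORY_SERVERS):
    """Run classify() over every parseable record and collect the findings."""
    findings = []
    for line in text.splitlines():
        conn = parse_record(line)
        if conn is None:
            continue
        finding = classify(conn, allowed)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in find_ldap_egress(SAMPLE_RECORDS):
        print(f"[{f['severity']}] {f['ts']} {f['src']} -> "
              f"{f['dst']}:{f['dport']}/{f['proto']}")
```

Running it on the constructed records flags the two external LDAP callbacks (one TCP, one UDP) as high and the unlisted internal LDAPS destination as medium, while the allowed directory server and the HTTPS connection produce nothing. The same allowlist is what a protocol- or port-aware egress rule on the firewall would enforce; the script is the audit that tells you whether that rule is in place and holding.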