Java Deserialization Exploits: Registry Whitelist Bypass
May 25, 2020
In 2019, An Trinh discovered two vulnerabilities, CVE-2019-9670 (XXE/SSRF) and CVE-2019-6980 (deserialization vulnerability), in Zimbra.
As usual, An Trinh did not disclose any details.
Luckily, Hans Martin Munch is more generous than An Trinh and has shared many interesting ideas. For example, he once advised using YouDebug to fix the CVE-2017-3241 vulnerability.
ysoserial.payloads.JRMPClient is designed to trick a victim into accessing a malicious DGC server as a DGC client. When the victim deserialization comes from a malicious object of the DGC server, a filter is configured by default. For details, see the implementation of sun.rmi.transport.DGCImpl.checkInput().
A new idea proposed by An Trinh is to trick a victim into accessing a malicious RMI Registry server as an RMI Registry client. In this case, there is no filter involved if the victim deserialization comes from a malicious object of the RMI Registry server. No default filter is configured on JEP 290 for this scenario.
(more…)635Gbps DDoS attack spike During Covid-19 Pandemic
May 22, 2020
NSFOCUS cloud scrubbing center witnessed a torrent of DDoS attack traffic, with peak volume up to 634.8 Gbps.
At 5 p.m. of May 20th, 2020, NSFOCUS SOC team detected an enormous DDoS attack – three IPs of a Hong Kong customer were hit by DDoS attacks and inbound traffic kept increasing sharply. As DDoS attack traffic constantly gushing into the scrubbing center, the peak attack traffic reached 634.8 Gbps, a new height encountered by NSFOCUS’s customers in the year of 2020. When NSFOCUS reported this event to the customer after the attack mitigation, they extended their grateful thanks to NSFOCUS and said selecting NSFOCUS Anti-DDoS solution was their best choice they made because they were well protected even when they were not aware of being targeted by DDoS attacks.
(more…)SecureCRT Memory Corruption Vulnerability (CVE-2020-12651) Threat Alert
May 22, 2020
Overview
A memory corruption vulnerability (CVE-2020-12651) was fixed in the latest version 8.7.2 of SecureCRT. When the CSI function receives a large negative number as a parameter, it may allow the remote system to destroy the memory in the terminal process, resulting in the execution of arbitrary code or the program crashes.
(more…)IP Reputation Report-05172020
May 21, 2020
1. Top 10 countries in attack counts: The above diagram shows the top 10 regions with the most malicious IP addresses from the NSFOCUS IP Reputation databases at May 17, 2020. 2. Top 10 countries in attack percentage: The Belarus is in first place. The Cape Verde is in the second place. The country China […]
DDoS Attack Landscape 8
May 20, 2020
Participation of IoT Devices in DDoS Attacks
According to our observation, there were a total of more than 1,280,000 IP addresses of abnormal IoT devices around the world, accounting for 2.1% of all global IoT devices. Of all those abnormal IoT devices, 170,000 were involved in DDoS attacks, making up 13.08% of the total.
(more…)WebLogic Remote Code Execution Vulnerabilities (CVE-2020-2883 and CVE-2020-2884) Protection Solution
May 19, 2020
Overview
Oracle released Critical Patch Update (CPU) for April 2020 that fixes multiple vulnerabilities of different risk levels, including two critical ones (CVE-2020-2883 and CVE-2020-2884) with a CVSS score of 9.8 that allow unauthenticated attackers with network access via T3 to compromise vulnerable Oracle WebLogic Server. Successful exploitation could result in takeover of Oracle WebLogic Server, hence remote code execution.
The two vulnerabilities that exist in the Core component of WebLogic Server could be exploited without authentication or additional interaction. Since the T3 protocol is enabled by default on the WebLogic console, the two vulnerabilities can cause an extensive impact. Affected users are strongly advised to apply protection measures as soon as possible for risk aversion.
(more…)NetWire Controllers Are Dropping COVID-19-Themed Decoy Files
May 18, 2020
With the outbreak of the COVID-19 pandemic around the world, trending hashtags related to the epidemic are flooding social media, attracting attention of a number of international hacker organizations, which jump at the chance to conduct social engineering based on decoy messages.
Recently, NSFCOUS found that NetWire controllers began to drop the trojan with the aid of decoy files concerning COVID-19.
(more…)Firmware Analysis: Extraction of ASP Files in the GoAhead Architecture
May 15, 2020
GoAhead is an open-source web architecture that is widely used in embedded systems thanks to its high performance and high availability. Traditional servers built on the GoAhead architecture usually see a large number of dynamic pages written in the Active Server Pages (ASP) scripting language and functions written in C/C++ that are registered to the scripting layer for ASP scripts’ invocation. For the purpose of more thorough security audits, we should not only understand how these functions are implemented but also analyze how ASP scripts are handled. This article uses the firmware of a certain switch as an example to illustrate how to extract ASP files when GoAhead is involved.
(more…)IP Reputation Report-05102020
May 14, 2020
1. Top 10 countries in attack counts: The above diagram shows the top 10 regions with the most malicious IP addresses from the NSFOCUS IP Reputation databases at May 10, 2020. 2. Top 10 countries in attack percentage: The Belarus is in first place. The Cape Verde is in the second place. The country China […]
DDoS Attack Landscape 7
May 13, 2020
Attack Gang Size
Gang Size
Figure 3-27 shows the distribution of our identified IP gangs by size. Two gangs consist of over 10,000 members and the largest gang has 88,000 members.
