Year: 2021

Non-negligible ICS Security Risks — Device Simulator Security

January 23, 2021

Background

To facilitate debugging and analysis by developers, much host (master computer) configuration software ships with a simulator that emulates a real programmable logic controller (PLC) or human-machine interface (HMI) device. Such simulators exchange data with the configuration software over TCP/IP, so some of them listen on a designated port, which is sometimes even bound to the IP address 0.0.0.0 and therefore reachable by other remote users.

As simulators may share a code base with the real devices, vulnerabilities in simulators also affect the real devices and vice versa, especially vulnerabilities in proprietary protocols such as remote code execution caused by buffer overflows. If a simulator exposes a publicly reachable service that contains a high-risk vulnerability, attackers could exploit it to compromise developers' hosts and use them for further penetration.


WebLogic Multiple Remote Code Execution Vulnerabilities Threat Alert

January 22, 2021

Vulnerability Description

On January 20, 2021, NSFOCUS detected that Oracle had released the January 2021 Critical Patch Update (CPU), which fixes 329 vulnerabilities of varying risk levels. Seven of these vulnerabilities are severe: CVE-2021-1994, CVE-2021-2047, CVE-2021-2064, CVE-2021-2108, CVE-2021-2075, CVE-2019-17195, and CVE-2020-14756. Unauthenticated attackers could exploit them to execute code remotely. These vulnerabilities carry a CVSS Base Score of 9.8 and are easy to exploit. Users are advised to take protective measures against them without delay.


Annual IoT Security Report 2019-17

IoT botnets

January 22, 2021

Malicious Behaviors Targeting UPnP Vulnerabilities

We captured four kinds of UPnP exploits, as shown in Table 4-7. All of the exploits targeted remote command execution vulnerabilities. We also found that when a vulnerability is tied to a specific port, attackers usually hit that port directly, skipping the UPnP discovery phase.


JumpServer Remote Command Execution Vulnerability Threat Alert

January 21, 2021

Overview

On January 15, 2021, Beijing time, JumpServer released an emergency bulletin announcing a remote command execution vulnerability in its bastion host and advised users to fix it as soon as possible, especially users whose JumpServer instances are reachable from the Internet.


Suggestions on Detection and Prevention of the Incaseformat Virus

January 20, 2021

Overview

On January 13, 2021, NSFOCUS's emergency response team received reports of the incaseformat virus from many customers in the government, healthcare, education, and telecom sectors. Our analysis found that this virus mainly infected hosts running financial management application systems. We also observed that all files other than those on the system partition are deleted from infected hosts, and that the virus is named incaseformat because an empty file named incaseformat.log is left in the root directory of each partition from which files were deleted.


Enterprise Blockchain Security 2020-1

January 19, 2021

Blockchains are distributed digital ledgers of cryptographically signed transactions that are grouped into blocks. Each block is cryptographically linked to the previous one (making it tamper evident) after validation and a consensus decision. As new blocks are added, older blocks become more difficult to modify (creating tamper resistance). New blocks are replicated across copies of the ledger within the network, and any conflicts are resolved automatically using established rules. Since its launch, blockchain technology has gone through ups and downs, but it can be expected to gain momentum and grow rapidly in the years to come.

Generally, blockchains are divided into public, consortium, and private blockchains, each applied in particular scenarios.


Watch Out! “Incaseformat” Came Back

January 18, 2021

The recent outbreak of the Incaseformat virus has affected many industries. It is critical because it removes all non-system files and causes serious data loss. This virus appeared before; now it has come back and infected many hosts, especially in China. As of 14 January, 2:00 P.M. (GMT+8), NSFOCUS Labs and NSFOCUS Threat Intelligence had detected 468 file hashes of its variants.


Annual IoT Security Report 2019-16

IoT botnets

January 15, 2021

The following sections analyze threats from the port mapping service based on UPnP port mapping tables collected from network-wide devices.

Overview

In the 2018 Annual IoT Security Report, we focused our attention on four types of malicious port mappings that had the most distinctive characteristics and the most extensive impact. Of these four major malicious types, EternalSilence, IntraScan, and NodeDoS were mainly used for intranet intrusions, while MoniProxy acted as a proxy for access to the Internet. In 2019, we also examined other malicious port mapping types to get a whole picture of devices infected with malicious port mappings.


Apache Flink Directory Traversal Vulnerability (CVE-2020-17518/17519) Threat Alert

January 13, 2021

Overview

Recently, Apache Flink announced two directory traversal vulnerabilities, CVE-2020-17518 and CVE-2020-17519. Apache Flink has since released a new version that fixes both vulnerabilities. Affected users are advised to upgrade as soon as possible.


SolarWinds Supply Chain Attack Threat Alert

January 12, 2021

Overview

On December 14, 2020, Beijing time, FireEye published a blog post on a SolarWinds supply chain attack. According to the post, SolarWinds software was trojanized by attackers around March 2020, constituting a severe supply chain attack. SolarWinds has since released relevant updates. Users are advised to install the updates immediately.
