Botnet Trend Report 2019-16
October 26, 2020
Conclusion
Botnets have evolved to use weak passwords, exploits, and phishing emails as their major means of propagation and intrusion. Dormant attackers waiting for an opportunity tend to exploit vulnerabilities in the window between disclosure and remediation. Botnet operators often exploit newly disclosed vulnerabilities to infect new targets and enlarge their attack surface quickly. It is clear that attackers attach great importance to vulnerability exploitation.
Adobe Releases October’s Security Updates Threat Alert
October 23, 2020
Overview
On October 13, 2020 (local time), Adobe released security updates which address a vulnerability in Adobe Flash Player.
For details about the security bulletins and advisories, visit the following link:
Yii2 Deserialization Remote Command Execution Vulnerability (CVE-2020-15148) Protection Solution
October 21, 2020
Overview
Recently, NSFOCUS detected that Yii Framework 2 disclosed a deserialization remote command execution vulnerability (CVE-2020-15148) in its update log published on September 14, 2020.
By adding a __wakeup() method to the class yii\db\BatchQueryResult, Yii Framework 2 blocks deserialization of yii\db\BatchQueryResult objects and so prevents the remote command execution that could be triggered when an application calls unserialize() on arbitrary user input.
Yii2 is a high-performance, open-source, component-based PHP framework for rapidly developing modern Web applications.
At present, Yii Framework 2 has released a new version to fix the vulnerability. NSFOCUS detection and protection products are capable of scanning and detecting the vulnerability. Affected users are advised to take preventive measures as soon as possible.
Linux Kernel Privilege Escalation Vulnerability (CVE-2020-14386) Threat Alert
October 20, 2020
Vulnerability Description
Recently, NSFOCUS detected a privilege escalation vulnerability in the Linux kernel (CVE-2020-14386). An integer overflow in the way net/packet/af_packet.c handles AF_PACKET sockets leads to an out-of-bounds write, which can be used to escalate privileges. An attacker could exploit this vulnerability to gain root privileges from an unprivileged process. Because the flaw is in the kernel, it may also affect virtualized and container products built on the Linux kernel, such as OpenShift, Kubernetes, and Docker, potentially leading to VM escape. Affected users should take preventive measures.
Botnet Trend Report 2019-15
October 19, 2020
Five Major APT Groups In 2019, NSFOCUS Security Labs tracked and delved into five major APT groups: BITTER, OceanLotus, MuddyWater, APT34, and FIN7. The following sections illustrate the latest developments of these APT groups by explaining how they optimize attack chains, refine attack methods, and sharpen RAT tools. BITTER BITTER is an attack group with […]
Analysis of 2020 H1 Botnet and Honeypot-captured Threat Trends-2
October 17, 2020
Honeypot-captured Threats in 2020 H1
In terms of honeypot-captured threats, Internet attack activity in 2020 H1 consisted mainly of malicious scanning, over 50% of which was attacks on or scanning of port 443. As for exploits, most attacks targeted Power cameras, D-Link routers, and JBoss servers. Weak-password attacks were launched mainly from the Netherlands, Russia, Seychelles, Moldova, and the USA. DDoS reflection attacks were dominated by DNS, CLDAP, and NTP, with NTP reflection accounting for nearly 40%. More than 24 million DDoS reflection attacks were captured in 2020 H1, the longest lasting about 86 hours.
Analysis of 2020 H1 Botnet and Honeypot-captured Threat Trends-1
October 16, 2020
Overview
Of the distributed denial-of-service (DDoS) botnet activities observed in 2020 H1, most came from Mirai, Gafgyt, and other major families.
In 2020 H1, DDoS attack methods were dominated by UDP floods, CC attacks, and TCP floods.
In 2020 H1, Hostwinds, Digital Ocean, and OVH were the major cloud service providers hosting C&C servers. We expect this to remain unchanged in 2020 H2.
In the same period, 128 types of vulnerabilities were detected to be spread and exploited by the Internet of Things (IoT) trojans. Of all these vulnerabilities, CVE-2017-17215 (in Huawei HG532 routers), CVE-2014-8361 (Realtek rtl81xx SDK remote code execution vulnerability), and ThinkPHP remote code execution vulnerability were the most frequently exploited.
Through NSFOCUS’s threat hunting system, we have kept an eye on a botnet specializing in Monero cryptomining for a long time. The botnet breaks into hosts by cracking weak passwords and gains control by implanting bot programs. It then downloads and executes Monero cryptomining scripts via its downloader. The cryptomining botnet became increasingly active in 2020 H1, involving a total of 20,830 active bots. China had the most bots, 8304, or 40% of the total. Port 22 was open on 13,664 bots, approximately 66% of all bots. According to known asset intelligence, routers and cameras were the dominant device types turned into bots.
WebSphere XML External Entity Injection Vulnerability (CVE-2020-4643) Handling Guide
October 14, 2020
Vulnerability Description
Recently, IBM released a security bulletin announcing the fix of an XML external entity injection (XXE) vulnerability (CVE-2020-4643) in WebSphere Application Server (WAS). Because WAS fails to properly process XML data, a remote attacker could exploit this vulnerability to obtain sensitive information from the server.
The NSFOCUS security research team reported CVE-2020-4643 to IBM. CVE-2020-4643 can be combined with CVE-2020-4450 to trigger an XXE vulnerability that requires no authentication to exploit, causing the disclosure of sensitive server information. The vulnerability is comparatively easy to exploit and high-risk. Affected users should take preventive measures as soon as possible.
Intelligent Threat Analytics: Graph Data Structuring
October 13, 2020
Artificial intelligence (AI) technology based on deep neural networks has made breakthroughs in a wide range of fields but has seen only limited adoption in cybersecurity. At present, it is impractical to expect a hierarchical neural network to implement threat identification, association, and response from end to end. According to Zhou Tao, an algorithm expert, AI can hardly play its role in threat detection for the following reasons:
- Machine learning is good at detecting behavior of normal patterns, but intrusion is a type of behavior deviating from the normal.
- Possession of big data is not equivalent to control of large quantities of labeled data. Unsupervised learning delivers inaccurate data.
- Threat detection is an open-ended issue as the loss function is very difficult to define.
- There is a permanent pursuit of accountable results.
Zhou’s explanations touch upon the model, the data, and the usage scenarios, giving a penetrating insight into why machine learning, and deep learning in particular, does not fit well with security modeling. However, deep learning and machine learning are not all that AI is about. In cyberspace, when used within intelligent threat analytics platforms that provide anomaly awareness, event inference, and threat response, deep learning and machine learning can serve as ordinary data processing tools rather than as the core capability.
Botnet Trend Report 2019-14
October 12, 2020
New Trends of APT Groups
Here are three trends that shaped APT groups in 2019:
Firstly, mobile devices became a common part of the attack surface. In 2019, MuddyWater developed malicious files targeting Android platforms, moving towards mobile devices. Google’s Project Zero team revealed five exploit chains deployed in the wild against iOS and noted that these chains, relying on 0-day vulnerabilities, could easily be used by APT groups to target multiple iOS versions.