Botnet Trend Report 2019-12
September 28, 2020
This chapter describes active botnet families under long-term tracking of and other families newly captured by NSFOCUS Security Labs, from the perspectives of their background, activity, and association with other families.
Botnet Families
- GoBrut
Malware in the GoBrut family, written in Go, made its debut in early 2019, in a bid to detect services on a target website and obtain the login user name and password via brute force attacks. The GoBrut family emerged during an epoch characterized by poor security of website management frameworks (like Magento, WordPress, and Drupal) and ubiquitous weak passwords. After obtaining the user name and password of the target website, the attacker can log in to the website to gain shell privileges for further malicious operations.
(more…)Apache DolphinScheduler High-Risk Vulnerabilities (CVE-2020-11974, CVE-2020-13922) Handling Guide
September 26, 2020
1. Vulnerability Description
On September 11, 2020, NSFOCUS detected that the Apache Software Foundation released security advisories fixing Apache DolphinScheduler permission overwrite vulnerability (CVE-2020-13922) and Apache DolphinScheduler remote code execution vulnerability (CVE-2020-11974). CVE-2020-11974 is related to mysql connectorj remote code execution vulnerability. When choosing mysql as database, an attacker could execute code remotely on the DolphinScheduler server by inputting {“detectCustomCollations”:true, “autoDeserialize”:true} through jdbc connect parameters. CVE-2020-13922 allows an ordinary user to overwrite other users’ passwords in the DolphinScheduler system through api interface /dolphinscheduler/users/update. Affected users are advised to upgrade without delay.
(more…)Analysis of the 2020 H1 Malware Trend
September 25, 2020
1. Overview
From data collected throughout 2019 and data as of June 30, 2020, we extracted information about malware, whose distribution by type is shown in Figure 1-1. Compared with 2019, the percentages of various types of malware in 2020 H1 changed, with backdoors overtaking crytominers to become No .1 with a percentage of 48.05%, and the percentage of cryptominers fell significantly. Meanwhile, worms’ activity level was basically flat on 2019. Cryptominers, worms, and backdoors together accounted for 87% of all malware activities.
(more…)Apache DolphinScheduler High-Risk Vulnerabilities (CVE-2020-11974, CVE-2020-13922) Threat Alert
September 23, 2020
1. Vulnerability Description
On September 11, 2020, NSFOCUS detected that the Apache Software Foundation released security advisories fixing Apache DolphinScheduler permission overwrite vulnerability (CVE-2020-13922) and Apache DolphinScheduler remote code execution vulnerability (CVE-2020-11974). CVE-2020-11974 is related to mysql connectorj remote code execution vulnerability. When choosing mysql as database, an attacker could execute code remotely on the DolphinScheduler server by inputting {“detectCustomCollations”:true, “autoDeserialize”:true} through jdbc connect parameters. CVE-2020-13922 allows an ordinary user to overwrite other users’ passwords in the DolphinScheduler system through api interface /dolphinscheduler/users/update. Affected users are advised to upgrade without delay.
(more…)BT.CN Unauthenticated phpmyadmin Vulnerability Threat Alert
September 22, 2020
Overview
On August 23, 2020, Beijing time, BT.CN released an urgent security update announcing that BT-Panel for Linux 7.4.2 and BT-Panel for Windows 6.8 are vulnerable.
Unauthenticated phpmyadmin causes direct database login by accessing a specific address.
BT-Panel is server management software that improves the operation and maintenance efficiency. It supports more than 100 server management functions, such as cluster, monitoring, website, FTP, database, and Java.
(more…)Botnet Trend Report 2019-11
September 21, 2020
Overview
Overall, malware on mobile platforms, though evolving in the same way as those on PC, has a complex composition.
In 2019, ad apps still dominated the list of malware threatening the security of Android users. Potentially dangerous software involving sensitive operations also made up a large proportion. Agent programs launching attacks via remote code execution, thanks to the inherent nature of Android, were another type of mobile threats at the top of the list. In addition, it becomes quite common to use dropper or downloader to drop malicious payloads, but the scale is yet to be as large as those released by PCs. High-risk threats, such as spyware, banking Trojans, and ransomware, were small in number, but most of them had been around for some time and some even for years.
(more…)QEMU VM Escape Vulnerability (CVE-2020-14364) Threat Alert
September 18, 2020
Vulnerability Description
On August 24, QEMU released a security patch to fix a VM escape vulnerability (CVE-2020-14364) which is the result of an out-of-bounds read/write access issue in the USB emulator in QEMU. This vulnerability resides in ./hw/usb/core.c. When the program handles USB packets from a guest, this vulnerability is deemed to exist if USBDevice ‘setup_len’ exceeds its ‘data_buf[4096]’ in the do_token_in and do_token_out routines. An attacker could exploit this vulnerability to cause out-of-bounds read of the 0xffffffff contents following the heap, forcibly terminating the virtual process and realizing VM escape.
(more…)SANGFOR Endpoint Detection Response Remote Command Execution Vulnerability Handling Guide
September 16, 2020
Vulnerability Description On August 18, 2020, the China National Vulnerability Database (CNVD) listed SANGFOR Endpoint Detection Response (EDR) remote command execution vulnerability (CNVD-2020-46552) as a new entry. An unauthenticated attacker could exploit this vulnerability to send a maliciously crafted HTTP request to a target server, thereby obtaining the privileges of the target server and causing […]
Function Identification in Reverse Engineering of IoT Devices
September 15, 2020
This document dwells upon function identification and symbol porting in reverse engineering of Internet of things (IoT) devices without using BinDiff and PatchDiff2, which are “too good” for the purposes here and are inapplicable in certain scenarios. Typical function identification technologies include the Fast Library Identification and Recognition Technology (FLIRT) in IDA and the rizzo method developed by Craig Heffner, whose rationale and engineering practices are detailed here. The rest of this document explains the usage of some other IDA plug-ins.
(more…)Botnet Trend Report 2019-10
September 14, 2020
Adware
For many years, large grey software supply chains on the Internet have been showing their own prowess for self-promotion. A specific piece of software is often bundled with unnecessary software, even malware, during the download and installation.
(more…)