Botnet Trend Report 1
July 13, 2020
Executive Summary
With the rapid advancement of computer technologies and more and more network devices joining the Internet, the global Internet has expanded at an unbelievably high speed. However, efforts made in enhancing cybersecurity are lagging far behind the growth of the Internet, leaving an ever-growing gap in between. Many cybercrime groups and individuals are trying to take hold of insufficiently secured network resources and turn them into botnet clusters for the purpose of garnering illegal profits.
(more…)
2019 Cybersecurity Insights -10
July 10, 2020
Second Largest Gang by the Number of Attack Sources
The second largest gang in terms of the number of attack sources generated the largest traffic. This gang had 23,000 recidivists and favored volumetric SYN flood attacks. According to historical attack records, 99.54% of recidivists had resorted to this kind of attack. This gang stayed active from January to October and was at its busiest in May.
Figure 5-14 shows the monthly quantity trend of attack sources and attack targets of this gang. We can see that this gang remained active from January to October, having more attack sources in January, April, May, and June. On average, 6000 active attack sources launched attacks against seven targets each month.
(more…)
IP Reputation Report-07052020
July 9, 2020
1. Top 10 countries in attack counts:
- The above diagram shows the top 10 regions with the most malicious IP addresses in the NSFOCUS IP Reputation databases as of July 5, 2020.
2019 Cybersecurity Insights -9
July 8, 2020
In 2019, 7% of recidivists were responsible for 78% of DDoS attacks. Obviously, recidivists are too menacing to overlook. Several groups of DDoS recidivists often work together to initiate attacks. Such groups are collectively referred to as an "IP gang". In 2019, a total of 60 DDoS gangs were detected, 15 of which contained more than 1000 attack sources. The largest gang, formidably, consisted of 88,000 attack sources. On average, 35,000 attack sources remained active every month. Therefore, we should stay vigilant about gang behavior and attack gangs. In this section, we profile and analyze the major attack gangs.
(more…)
2019 Cybersecurity Insights -8
July 7, 2020
In 2019, the most frequently seen attacks were UDP floods, SYN floods, and ACK floods, which together accounted for 82% of all DDoS attacks. By contrast, reflection attacks took up only 10%. Compared with 2018, reflection attacks rose slightly in number but remained small in proportion.
(more…)
Apache Dubbo Remote Code Execution Vulnerability (CVE-2020-1948) Patch Bypass Threat Alert
July 6, 2020
Overview
On June 23, NSFOCUS reported that Apache Dubbo contained a remote code execution vulnerability (CVE-2020-1948) resulting from deserialization.
Apache Dubbo is a high-performance Java RPC framework. The vulnerability exists in Hessian, the default deserialization tool used by Apache Dubbo. An attacker may exploit it by sending malicious RPC requests, which usually contain unrecognized service or method names together with malicious parameter payloads. When the malicious parameters are deserialized, the vulnerability is triggered, allowing the attacker to execute code remotely.
(more…)
2019 Cybersecurity Insights -7
July 3, 2020
Key Findings:
Maturity: The technical maturity of attackers keeps growing, opening more possibilities than DDoS attacks for attackers to garner profits.
Combination: Of all DDoS attacks in 2019, 12.5% employed multiple vectors. This percentage was even higher among super-sized attacks (> 300 Gbps), reaching more than one-third. These factors pose a greater challenge to the performance of cleaning devices, the stability of cleaning lines, and the effectiveness of defense operations.
Recidivists: In 2019, a total of 1.3 million DDoS recidivists (involved in more than 20 attacks) were spotted, 7% of whom were responsible for 78% of attacks. Recidivist behavior deserves continuous attention.
Gangs: In 2019, a total of 60 DDoS gangs were detected, 15 of which contained more than 1000 attack sources. The largest gang, formidably, consisted of 88,000 attack sources. On average, 35,000 attack sources remained active every month. Therefore, we should stay vigilant about gang behavior and attack groups.
(more…)
Apache Dubbo Remote Code Execution Vulnerability (CVE-2020-1948) Threat Alert
July 2, 2020
Overview
Recently, Apache Dubbo was reported to contain a remote code execution vulnerability (CVE-2020-1948) resulting from deserialization.
Apache Dubbo is a high-performance Java RPC framework. The vulnerability exists in Hessian, the default deserialization tool used by Apache Dubbo. An attacker may trigger it by sending malicious RPC requests, which usually contain unrecognized service or method names together with malicious parameter payloads. When the malicious parameters are deserialized, the attacker achieves code execution.
(more…)
2019 Cybersecurity Insights -6
June 30, 2020
Deserialization vulnerabilities are still frequently exploited in web attacks, and special attention should be paid to the security of mainstream frameworks.
This section describes web vulnerabilities that had an extensive impact in 2019:
WebLogic
In 2017, Oracle released an official patch that fixed the XMLDecoder vulnerability (CVE-2017-10352) in WebLogic Server. This patch was evaded twice by exploits targeting two further vulnerabilities (CVE-2019-2725 and CVE-2019-2729), sparking new rounds of attacks on WebLogic. The two vulnerabilities reside in components built into WebLogic and can be exploited without authentication: with carefully crafted XML data in SOAP format, an attacker can trigger them via a single HTTP request. Because they are so easy to exploit, the two vulnerabilities are favored by hacking groups. According to statistics, after Oracle released the official security patch in April, a proof of concept (PoC) for CVE-2019-2725 became publicly available, driving a marked increase in attacks against WebLogic. Later, researchers discovered that the security patch could be circumvented by a further exploit (CVE-2019-2729). Obviously, the official remediation did not work, and attacks peaked in May.
(more…)