Apache Flink Directory Traversal Vulnerability (CVE-2020-17518/17519) Threat Alert
January 13, 2021
Overview
Recently, Apache Flink announced two directory traversal vulnerabilities, CVE-2020-17518 and CVE-2020-17519. Currently, Apache Flink has released a new version to fix the preceding vulnerability. Affected users are advised to upgrade as soon as possible.
(more…)SolarWinds Supply Chain Attack Threat Alert
January 12, 2021
Overview
On December 14, 2020, Beijing time, FireEye posted a blog on a SolarWinds supply chain attack. The blog shows that SolarWinds software was trojanized by attackers around March 2020 and suffered a severe supply chain attack. Currently, SolarWinds has released relevant updates. Users are advised to install the updates immediately.
(more…)Unauthorized Access of FireEye Red Team Tools Protection Solution
January 11, 2021
Overview
On December 8, 2020, FireEye, a cybersecurity company, posted a blog stating that its internal network was attacked by a sophisticated organization and that FireEye Red Team tools were stolen.
According to FireEye, the stolen Red Team tools were mainly used to provide its customers with basic penetration testing services and did not contain zero-day exploits or unknown techniques. The tools involved include open-source tools, secondary development versions of open-source tools, and some independently developed weaponized tools. In terms of usage, the tools basically cover the various stages of the life cycle of attacks, such as persistence, privilege escalation, defense bypass, credential acquisition, information collection within the domain, and lateral movement. Some of these tools have already been released to the community and are already distributed in our open-source virtual machine, CommandoVM.
(more…)Annual IoT Security Report 2019-15
January 8, 2021
In the 2018 Annual IoT Security Report, we analyzed threats against UPnP and you can refer to the report for basics of UPnP. In this report, we updated UPnP-related data and added new findings.
Viewpoint 6: Approximately 2.28 million IoT devices around the world had the UPnP/SSDP service (port 1900) publicly accessible and therefore were vulnerable to DDoS attacks. The year of 2019 saw a reduction of about 22% in such IoT devices, compared with last year. The UPnP port mapping service, exposed on about 390,000 IoT devices, is likely to be misused as a proxy or render intranet services accessible on the extranet.
(more…)Microsoft Exchange Remote Code Execution Vulnerability (CVE-2020-17144) Threat Alert
January 6, 2021
Overview
Microsoft disclosed a remote code execution vulnerability (CVE-2020-17144) Microsoft Exchange Server 2010 in its latest December security updates, rating the vulnerability as Important.
The vulnerability exists because the program improperly verifies cmdlet parameters. An authenticated attacker could exploit this vulnerability to cause remote code execution.
This vulnerability is similar to CVE-2020-0688 and requires login before being exploited. However, to exploit it does not require a plaintext password but NTHash. In addition to regular mail services and OWA, the EWS interface also provides the necessary methods for exploitation. The functions of the vulnerability are also persistent.
(more…)OpenSSL Denial-of-Service Vulnerability (CVE-2020-1971) Threat Alert
January 5, 2021
Overview
On December 8, 2020, local time, OpenSSL released a security advisory disclosing a NULL pointer dereference vulnerability (CVE-2020-1971), rating the vulnerability as High-risk.
The vulnerability exists in the GENERAL_NAME_cmp function in OpenSSL. GENERAL_NAME_cmp compares different instances of a GENERAL_NAME to see if they are equal or not. When both GENERAL_NAMEs contain EDIPartyName, a NULL pointer dereference and a crash may occur, eventually causing a denial of service.
Therefore, if an attacker can control both items being compared, a crash might be triggered. For example, the attacker can trick a client or server into checking a malicious certificate against a malicious CRL.
(more…)Struts2 S2-061 Remote Code Execution Vulnerability (CVE-2020-17530) Threat Alert
January 4, 2021
Overview
On December 8, 2020, Struts released a security bulletin disclosing a potential remote code execution vulnerability (CVE-2020-17530) in S2-061.
The vulnerability stems from insufficient input validation. This results in two forced Object Graph Navigation Library (OGNL) evaluations when the original user input is calculated.
When the OGNL expression is forced in Struts tag attributes and can be modified by external input, an attacker could craft a malicious OGNL expression to trigger the vulnerability.
The vulnerability has been fixed in Struts 2.5.26. Affected users are advised to upgrade to Struts 2.5.26 without delay.
(more…)Annual IoT Security Report 2019-14
January 2, 2021
This section analyzes WS-Discovery reflection attacks. For details about the WS-Discovery service, see section 1.6 WS-Discovery First Found to Be Abused for DDoS Reflection Attacks.
(more…)A Global DTLS Amplification DDoS Attack Is Ongoing
January 1, 2021
Attackers are targeting Citrix ADC (Application Delivery Controller) and utilize it to launch amplification attacks. However, no official patch has been released yet.
(more…)Annual IoT Security Report 2019-13
December 30, 2020
Introduction
This chapter analyzes IoT threats from the perspective of protocols. According to the data from NSFOCUS’s threat hunting system, Telnet services (port 23) were targeted most frequently1. Therefore, we first analyze the attacks launched via Telnet. WS-Discovery reflection attacks are a new type of DDoS reflection attacks emerging in 2019 and will be described in section 4.3 WS-Discovery. In the 2018 Annual IoT Security Report, we analyzed UPnP-based reflection attacks. In this document, we update related data and add some new findings.
(more…)