XStream Multiple High-Risk Vulnerabilities Threat Alert
October 15, 2021
Overview: Recently, NSFOCUS found that XStream released security advisories disclosing 14 security vulnerabilities in its products. An attacker could exploit these vulnerabilities to conduct a DoS, server-side request forgery (SSRF), or remote code execution (RCE) attack. XStream is a tool to serialize Java objects to XML and back again. When serializing JavaBeans or deserializing XML […]
Microsoft MSHTML Remote Code Execution Vulnerability (CVE-2021-40444) Threat Alert
October 12, 2021
Overview: On September 8, Beijing time, NSFOCUS CERT found that Microsoft released a security bulletin to disclose a remote code execution vulnerability (CVE-2021-40444) in Microsoft MSHTML. Attackers could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine, and convince the user to open a malicious […]
Attack Path Visualization in Security Operations
October 7, 2021
Cyberattacks are becoming increasingly sophisticated, usually involving multiple steps. This necessitates corresponding protections. Attack path analysis is a process of analyzing detected attacks from the network attributes, alerts, vulnerabilities, and assets, finding out the attack logic, and identifying attack paths. Such analysis can inform security operations personnel in their event and risk analysis so that […]
Atlassian Confluence Remote Code Execution Vulnerability (CVE-2021-26084) Threat Alert
October 4, 2021
Overview: Recently, NSFOCUS CERT found that Atlassian released a security bulletin to announce the fix of the Confluence Server Webwork OGNL Injection Vulnerability (CVE-2021-26084). This vulnerability allows an authenticated attacker, and in some instances, an unauthenticated user, to execute arbitrary code on Confluence Server or Data Center by injecting a crafted OGNL expression. This vulnerability […]
How to Analyze Security Alarms (1): A Perspective into Data
September 30, 2021
In today’s business security operations, the tide of security information and event management (SIEM) is on the ebb. Many enterprises have established the security operations center (SOC) and collected massive security data. But how to make use of and analyze such data remains a problem to be resolved. Data, after being collected, is usually stored, […]
Insights into Ransomware Spread Using Exchange 1-Day Vulnerabilities 2-2
September 27, 2021
Analysis of the Kill Chain of the LockFile Ransomware Group. KDU Tool Terminating Multiple Antivirus Processes: The attacker renames the KDU tool (open-source Windows driver loader implementing DSG bypass via an exploit) to autologin, copies the related program to the temporary directory, and loads and executes the designated driver file to execute code with kernel privileges […]
Insights into Ransomware Spread Using Exchange 1-Day Vulnerabilities 1-2
September 26, 2021
Event Overview: Recently, NSFOCUS CERT discovered a slew of security incidents that exploited security vulnerabilities (ProxyShell) in Microsoft Exchange. Also, NSFOCUS found that the new ransomware group LockFile took advantage of these ProxyShell and PetitPotam vulnerabilities to target enterprise domain environments, finally encrypting quite a few hosts from enterprises for ransom. In April, a […]
New Architecture, New Challenges: Service Security Issues in the 5G Core Network and How to Detect Them
September 24, 2021
Abstract: 5G is the fifth-generation technology standard for mobile communication networks. The service-based architecture (SBA) of the 5G core network is designed with a cloud-native approach. By borrowing the “microservice” concept implemented in the IT field and dividing a whole entity with multiple functions into individual parts, each providing an independent function, the SBA provides […]
Linux Kernel Arbitrary Code Execution Vulnerability (CVE-2021-3490) Threat Alert
September 18, 2021
Overview: Recently, NSFOCUS CERT found that a security researcher published details and the PoC of an arbitrary code execution vulnerability (CVE-2021-3490) in eBPF and exploited this vulnerability to cause local privilege escalation on Ubuntu 20.10 and 21.04. This vulnerability exists because the eBPF ALU32 bounds tracking for bitwise ops (AND, OR and XOR) in the […]
Cloud Native Security in Infrastructure Construction
September 15, 2021
Cloud native security is the development trend of cloud security in the coming years. On the one hand, inherent security of cloud native is worthy of in-depth study. On the other hand, with the reconstruction and upgrade of infrastructure, there is a clear trend towards the integration of cloud native technologies and information infrastructure. 5G, edge […]