JumpServer Remote Command Execution Vulnerability Threat Alert
January 21, 2021
Overview
On January 15, 2021, Beijing time, JumpServer released an emergency bulletin to announce a remote command execution vulnerability in its bastion host and advised users to fix it as soon as possible, especially those whose JumpServer can be accessed via the Internet.
(more…)Suggestions on Detection and Prevention of the Incaseformat Virus
January 20, 2021
Overview
On January 13, 2021, NSFOCUS’s emergency response team received feedback on the incaseformat virus from a host of customers in the government, healthcare, education, and telecom sectors. According to analysis, we found that this virus mainly infected hosts installed with financial management application systems. Also, we observed that all other files than system partition files are deleted from infected hosts and that this virus is named incaseformat because an empty file with the name incaseformat.log exists in the root directory of the partition where the deleted files are stored.
(more…)Enterprise Blockchain Security 2020-1
January 19, 2021
Blockchains are distributed digital ledgers of cryptographically signed transactions that are grouped into blocks. Each block is cryptographically linked to the previous one (making it tamper evident) after validation and undergoing a consensus decision. As new blocks are added, older blocks become more difficult to modify (creating tamper resistance). New blocks are replicated across copies of the ledger within the network, and any conflicts are resolved automatically using established rules. Since its launch, the blockchain technology has gone through ups and downs, but predictably, will gain momentum for rapid growth in the years to come.
Generally, blockchains are divided into public, consortium, and private blockchains, each applied in particular scenarios.
(more…)Watch Out! “Incaseformat” Came Back
January 18, 2021
The outbreak of Incaseformat virus has affected many industries recently. It is critical because it has removed all non-system files and caused serious data loss. This virus appeared before, now it has come back and infected many hosts, especially in China. As of 14 Jan, 2:00 P.M.(GMT+8), NSFOCUS Labs and NSFOCUS Threat Intelligence have detected 468 file hash of its variants.
(more…)Annual IoT Security Report 2019-16
January 15, 2021
The following sections analyze threats from the port mapping service based on UPnP port mapping tables collected from network-wide devices.
Overview
In the 2018 Annual IoT Security Report , we focused our attention on four types of malicious port mappings that had the most distinctive characteristics and the most extensive impact. Of the four major malicious types, EternalSilence, IntraScan, and NodeDoS were mainly used for intranet intrusions, while MoniProxy acted as a proxy for access to the Internet. In 2019, we also turned our eyes to other malicious port mapping types to get a whole picture of devices infected with malicious port mappings.
(more…)Apache Flink Directory Traversal Vulnerability (CVE-2020-17518/17519) Threat Alert
January 13, 2021
Overview
Recently, Apache Flink announced two directory traversal vulnerabilities, CVE-2020-17518 and CVE-2020-17519. Currently, Apache Flink has released a new version to fix the preceding vulnerability. Affected users are advised to upgrade as soon as possible.
(more…)SolarWinds Supply Chain Attack Threat Alert
January 12, 2021
Overview
On December 14, 2020, Beijing time, FireEye posted a blog on a SolarWinds supply chain attack. The blog shows that SolarWinds software was trojanized by attackers around March 2020 and suffered a severe supply chain attack. Currently, SolarWinds has released relevant updates. Users are advised to install the updates immediately.
(more…)Unauthorized Access of FireEye Red Team Tools Protection Solution
January 11, 2021
Overview
On December 8, 2020, FireEye, a cybersecurity company, posted a blog stating that its internal network was attacked by a sophisticated organization and that FireEye Red Team tools were stolen.
According to FireEye, the stolen Red Team tools were mainly used to provide its customers with basic penetration testing services and did not contain zero-day exploits or unknown techniques. The tools involved include open-source tools, secondary development versions of open-source tools, and some independently developed weaponized tools. In terms of usage, the tools basically cover the various stages of the life cycle of attacks, such as persistence, privilege escalation, defense bypass, credential acquisition, information collection within the domain, and lateral movement. Some of these tools have already been released to the community and are already distributed in our open-source virtual machine, CommandoVM.
(more…)Annual IoT Security Report 2019-15
January 8, 2021
In the 2018 Annual IoT Security Report, we analyzed threats against UPnP and you can refer to the report for basics of UPnP. In this report, we updated UPnP-related data and added new findings.
Viewpoint 6: Approximately 2.28 million IoT devices around the world had the UPnP/SSDP service (port 1900) publicly accessible and therefore were vulnerable to DDoS attacks. The year of 2019 saw a reduction of about 22% in such IoT devices, compared with last year. The UPnP port mapping service, exposed on about 390,000 IoT devices, is likely to be misused as a proxy or render intranet services accessible on the extranet.
(more…)Microsoft Exchange Remote Code Execution Vulnerability (CVE-2020-17144) Threat Alert
January 6, 2021
Overview
Microsoft disclosed a remote code execution vulnerability (CVE-2020-17144) Microsoft Exchange Server 2010 in its latest December security updates, rating the vulnerability as Important.
The vulnerability exists because the program improperly verifies cmdlet parameters. An authenticated attacker could exploit this vulnerability to cause remote code execution.
This vulnerability is similar to CVE-2020-0688 and requires login before being exploited. However, to exploit it does not require a plaintext password but NTHash. In addition to regular mail services and OWA, the EWS interface also provides the necessary methods for exploitation. The functions of the vulnerability are also persistent.
(more…)