Pay or Die!
December 21, 2020
“Pay or Die” is an opening phrase often used by DDoS blackmailers. Github was attacked, NZX was unable to provide services for 4 days… these are all serious DDoS blackmail incidents this year. This is just the tip of the iceberg of such lucrative crimes. In various forms of digital black mailings, using “distributed denial of service attacks” (DDoS) to attack target companies has become attackers’ first choice.
(more…)Introduction of common attack types in manufacturing industry
December 18, 2020
Abstract
The real economy with manufacturing as the core industry is the basis for maintaining national competitiveness and healthy economic development. Based on the universal recognition of this concept, the Industry 4.0 strategy of Germany, the national advanced manufacturing strategy of the United States, and the national manufacturing policy of India, have taken place as national strategic plans.
(more…)Citrix SD-WAN Vulnerabilities Threat Alert
December 16, 2020
Overview
Recently, Citrix SD-WAN released a security update to address three vulnerabilities (CVE-2020-8271, CVE-2020-8272, CVE-2020-8273). These vulnerabilities allow an unauthenticated attacker with network access to SD-WAN Center to perform arbitrary code execution as root.
At present, there exist detailed analysis of relevant vulnerabilities and the proof of concept (POC) concerning CVE-2020-8271.
(more…)Annual IoT Security Report 2019-10
December 15, 2020
IoT Exploits
Viewpoint 3: Over 30 types of IoT exploits were captured, most of which targeted remote command execution vulnerabilities. Though hundreds of to thousands of IoT vulnerabilities were unveiled each year, only a few can exert an extensive impact. Attackers were keen on targeting devices (routers and video surveillance devices) exposed in large quantities, so as to broaden their influence.
Based on the logs generated by NSFOCUS’s threat hunting system from May 6 to November 6, 2019, we made an analysis of global IoT exploits.
Over 30 types of IoT exploits were captured, most of which targeted remote command execution vulnerabilities. Obviously, from the perspective of global IoT threats, though hundreds of to thousands of IoT vulnerabilities were unveiled each year, only a few can exert an extensive impact. We counted all logs generated one day for the same source IP address as one attack event. Upon deduplication of attack IP addresses, we got top 10 most frequently exploited IoT vulnerabilities listed in descending order of the number of exploitations in Table 3-1. It can be seen that attackers’ exploits mainly targeted routers and video surveillance devices, which fits in with the fact that routers and video surveillance devices were major IoT devices exposed on the Internet. Evidently, attackers hit devices exposed in large quantity to expand the scope of impact. The PoC of most of these vulnerabilities can be found in the Exploit-DB and those beyond this database existed in GitHub. These publicly available PoCs have substantially reduced attackers’ cost of crafting attack payloads.
(more…)Multiple Cisco Vulnerabilities Threat Alert-1
December 14, 2020
Overview
On November 18, 2020 (local time), Cisco released security advisories fixing vulnerabilities in multiple products. These vulnerabilities include three high-risk ones: CVE-2020-3531, CVE-2020-3586, and CVE-2020-3470.
Reference link:
Drupal Remote Code Execution Vulnerability (CVE-2020-13671) Threat Alert
December 11, 2020
Overview
On November 19, 2020 (Beijing time), Drupal released a security advisory that fixes a remote code execution vulnerability (CVE-2020-13671). Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations.
(more…)XStream Remote Code Execution Vulnerability (CVE-2020-26217) Threat Alert
December 9, 2020
Overview
Recently, XStream released a security advisory that fixes a remote code execution vulnerability (CVE-2020-26217). The vulnerability may allow a remote attacker to execute arbitrary code by sending crafted requests to the web application that uses XStream and thereby taking control of the target server. XStream is a commonly used tool for converting between Java objects and XML.
The vulnerability is a variation of CVE-2013-7285. This time, it uses a different set of classes to bypass blacklist restriction in the deserialization process, thus leading to remote code execution.
(more…)Annual IoT Security Report 2019-9
December 8, 2020
Introduction
This chapter analyzes IoT threats from the perspective of vulnerabilities. We first analyze the change trends of IoT vulnerabilities and exploits 1 in the NVD and Exploit Database (Exploit-DB) in 2019 and then IoT exploits captured by NSFOCUS’s threat hunting system. The following dwells upon some representative exploits.
(more…)Trend Analysis on 2020 Q3 Phishing Email
December 7, 2020
Chapter 1. Brief on the risk
In phishing email attacks worldwide, Covid-19 is still an important topic. With the increasing availability of epidemic prevention material supplies in various countries and the transparency of news channels, attackers have begun to look for “hot issues” from other perspectives that may attract people’s attention.
With the impact of the pandemic, some companies have also begun to adjust their working systems, including the use of remote working. In this case, some companies need to notify every employee of the revised system and remote office network access methods. Naturally, attackers will not let go of this huge “opportunity”.
Consistent with the trend of real phishing attacks received internally by our company, external phishing attacks are gradually shifting from malicious links to malicious attachments. In order to prevent them from being intercepted by email security products or being checked and killed by anti-virus software on computers, more and more attackers are using a “multi-stage” attack mode, that is, malicious attachments in phishing emails only function for downloading and running malicious files. The actual malicious code is located in malicious files downloaded from the Internet.
In addition to new attack forms, attackers continue to innovate in attack technology. For example, in this quarter, attackers used new “zero font”, “hexadecimal IP address” and other methods to attack external users. In the third chapter of the report, the principles of these new attack techniques will also be discussed.
(more…)Annual IoT Security Report 2019-8
December 4, 2020
Heuristic Recon via the Dual-Stack UPnP Service
In addition to the recon of IPv6 addresses based on their characteristics, we can also use UPnP to detect IoT assets by referring to the method described in a blog post 28 from Cisco Talos Labs.
Principle
UPnP is a set of protocols designed to achieve interconnectivity between devices on a LAN. Due to misconfiguration, many UPnP services are exposed on the Internet. We can use UPnP to uncover dualstack IoT devices — devices with both an IPv4 and IPv6 address. Two roles are available in the UPnP protocol, namely, the control point and device. Each time when the control point goes live, it sends an M-SEARCH message to the multicast address 239.255.255.250:1900 for searching for controllable devices.
After receiving the M-SEARCH message or joining the network, a device sends a NOTIFY message to the multicast address, notifying its own information to other devices. In a NOTIFY message, the LOCATION field indicates the link to the device description. Upon receiving the NOTIFY message sent by the device, the control point will access the link contained in the LOCATION field. Figure 2-16 shows the workflow of UPnP.
(more…)