Trend Analysis on 2020 Q3 Phishing Email
December 7, 2020
Chapter 1. Brief on the risk
In phishing email attacks worldwide, Covid-19 is still an important topic. With the increasing availability of epidemic prevention material supplies in various countries and the transparency of news channels, attackers have begun to look for “hot issues” from other perspectives that may attract people’s attention.
With the impact of the pandemic, some companies have also begun to adjust their working systems, including the use of remote working. In this case, some companies need to notify every employee of the revised system and remote office network access methods. Naturally, attackers will not let go of this huge “opportunity”.
Consistent with the trend of real phishing attacks received internally by our company, external phishing attacks are gradually shifting from malicious links to malicious attachments. In order to prevent them from being intercepted by email security products or being checked and killed by anti-virus software on computers, more and more attackers are using a “multi-stage” attack mode, that is, malicious attachments in phishing emails only function for downloading and running malicious files. The actual malicious code is located in malicious files downloaded from the Internet.
In addition to new attack forms, attackers continue to innovate in attack technology. For example, in this quarter, attackers used new “zero font”, “hexadecimal IP address” and other methods to attack external users. In the third chapter of the report, the principles of these new attack techniques will also be discussed.
(more…)Annual IoT Security Report 2019-8
December 4, 2020
Heuristic Recon via the Dual-Stack UPnP Service
In addition to the recon of IPv6 addresses based on their characteristics, we can also use UPnP to detect IoT assets by referring to the method described in a blog post 28 from Cisco Talos Labs.
Principle
UPnP is a set of protocols designed to achieve interconnectivity between devices on a LAN. Due to misconfiguration, many UPnP services are exposed on the Internet. We can use UPnP to uncover dualstack IoT devices — devices with both an IPv4 and IPv6 address. Two roles are available in the UPnP protocol, namely, the control point and device. Each time when the control point goes live, it sends an M-SEARCH message to the multicast address 239.255.255.250:1900 for searching for controllable devices.
After receiving the M-SEARCH message or joining the network, a device sends a NOTIFY message to the multicast address, notifying its own information to other devices. In a NOTIFY message, the LOCATION field indicates the link to the device description. Upon receiving the NOTIFY message sent by the device, the control point will access the link contained in the LOCATION field. Figure 2-16 shows the workflow of UPnP.
(more…)Windows Network File System Vulnerabilities (CVE-2020-17051, CVE-2020-17056) Threat Alert
December 2, 2020
Overview
On November 10, 2020 local time, Microsoft fixed two vulnerabilities in the Windows Network File System (NFS) in its monthly security updates, which are CVE-2020-17051 and CVE-2020-17056.
CVE-2020-17051 is a remote code execution vulnerability on the nfssvr.sys driver. It is said that the vulnerability can be reproduced to cause an immediate BSOD (Blue Screen of Death) within the driver [3].
CVE-2020-17056 is a remote out-of-bounds read vulnerability on the nfssvr.sys driver, which can lead to an address space layout randomization (ASLR) bypass.
(more…)Annual IoT Security Report 2019-7
December 1, 2020
Heuristic Recon of IPv6 Addresses Based on Their Characteristics
Previously, we mentioned that IPv6 addresses, when assigned, can, for example, include random values in particular bytes or embed MAC addresses. With these facts in mind, we exercised some restrictions to narrow down the address space to be scanned.
Specifically, we employed the following approaches to conduct the recon based on data from the collection of IPv6 addresses available on Hitlist.
- Recon of low-byte addresses and addresses containing random bits in particular bytes
For low-byte IPv6 addresses, the recon method is similar to that for IPv4 addresses. Such addresses contain 0s in all bytes except the least significant byte, so it is only necessary to base the scan on this part (least significant byte).
For those containing random bits in particular bytes than in the least significant byte, Scan6 uses hexadecimal notation to specify the scanning scope so as to traverse only specified bits. To do so, we ran the “scan6 -i eth0 -d ****:983:0-3000::1” command, in which 0-3000 (hexadecimal) specifies
the traversal scope. It took about 1 minute to complete a scan of 12,288 IPv6 addresses, with 3853 active ones found, as shown in Figure 2-13.
Microsoft’s November 2020 Patches Fix 112 Security Vulnerabilities Threat Alert
November 30, 2020
Overview
Microsoft released November 2020 security updates on Tuesday which fix 112 vulnerabilities ranging from simple spoofing attacks to remote code execution, including 17 critical vulnerabilities, 93 important vulnerabilities, and two low vulnerabilities. All users are advised to install updates without delay.
These vulnerabilities affect Azure DevOps, Azure Sphere, Common Log File System Driver, Microsoft Browsers, Microsoft Dynamics, Microsoft Exchange Server, Microsoft Graphics Component, Microsoft Office, Microsoft Office SharePoint, Microsoft Scripting Engine, Microsoft Teams, Microsoft Windows, Microsoft Windows Codecs Library, Visual Studio, Windows Defender, Windows Kernel, Windows NDIS, Windows Update Stack, and Windows WalletService.
(more…)Adobe Releases November’s Security Updates Threat Alert
November 28, 2020
Overview
On November 11, 2020 (local time), Adobe released security updates which address multiple vulnerabilities in Adobe Connect and Adobe Reader Mobile.
(more…)SaltStack Multiple Vulnerabilities (CVE-2020-16846, CVE-2020-17490, CVE-2020-25592) Threat Alert
November 27, 2020
Overview
Recently, SaltStack released a security update to address multiple vulnerabilities (CVE-2020-16846, CVE-2020-17490, CVE-2020-25592). These vulnerabilities can cause authentication bypass and command execution. SaltStack recommends users upgrade as soon as possible.
Salt is an open-source IP architecture management solution written in Python. It has been widely used in data centers worldwide.
(more…)Annual IoT Security Report 2019-6
November 25, 2020
Identification of IoT Assets from Known IPv6 Addresses
The preceding section gives a brief account of difficulties in the blind-scan of IPv6 addresses. To work around these problems, we based our recon on some available IPv6 addresses, in a bid to discover IoT assets operating in IPv6 environments. Sources of these addresses include Hitlist27, which maintains about 3 million IPv6 addresses, and NSFOCUS Threat Intelligence (NTI), which provides a collection of about 1.7 billion IPv6 addresses extracted from domain name intelligence. Note that the IPv6 addresses available for our recon are but a very small portion of the total number. Besides, IoT assets found active in IPv6 environments were rather small in number.
(more…)Supply Chain Attack Event — Targeted Attacks on Java Projects in GitHub
November 24, 2020
Preface
Recently, GitHub’s Security Incident Response Team (SIRT) published an article saying that a set of Github code repositories were serving open-source projects that were infected with malicious code (https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain). According to the article, attackers submitted malicious code to the open-source projects, which were referenced by other open-source projects. After being used by developers, these open-source projects with malicious code will search the developers’ machines for NetBeans IDE. If the IDE is found, all Java Archive (JAR) files created by NetBeans will be infected and loaders of malware will be implanted to ensure that the projects can release a remote administration tool (RAT).
(more…)Annual IoT Security Report 2019-5
November 23, 2020
This section presents the exposure of IPv6 assets on the Internet and methods for recon of these assets. IPv6 Evolution With the IoT and 5G gaining ground, the demand of network applications for IP addresses is undergoing an explosive growth. However, the IPv4 address space has been depleted and IPv4 addresses have been unevenly allocated. […]
