Analysis of 2020 H1 Botnet and Honeypot-captured Threat Trends-1
October 16, 2020
Overview
In the distributed denial-of-service (DDoS) botnet activities in 2020 H1, most were from Mirai, Gafgyt, and other major families.
In 2020 H1, DDoS attack means were dominated by UDP floods, CC, and TCP floods.
In 2020 H1, Hostwinds, Digital Ocean, and OVH were the major hosted cloud service providers of C&C servers. We predict that it will remain unchanged in 2020 H2.
In the same period, 128 types of vulnerabilities were observed being spread and exploited by Internet of Things (IoT) trojans. Of these, CVE-2017-17215 (in Huawei HG532 routers), CVE-2014-8361 (Realtek rtl81xx SDK remote code execution vulnerability), and the ThinkPHP remote code execution vulnerability were the most frequently exploited.
Through NSFOCUS’s threat hunting system, we have long tracked a botnet specializing in Monero cryptomining. The botnet intrudes upon hosts by cracking weak passwords and gains control by implanting bot programs. It then downloads and executes Monero cryptomining scripts via its downloader. The cryptomining botnet became increasingly active in 2020 H1, involving a total of 20,830 active bots. China was the country with the most bots, 8304, accounting for 40% of the total. Port 22 was open on 13,664 bots, approximately 66% of all bots. According to known asset intelligence, routers and cameras were the dominant device types among the infected bots.
WebSphere XML External Entity Injection Vulnerability (CVE-2020-4643) Handling Guide
October 14, 2020
Vulnerability Description
Recently, IBM released a security bulletin to announce the fix of an XML external entity injection (XXE) vulnerability (CVE-2020-4643) on WebSphere Application Server (WAS). Since WAS fails to properly process XML data, a remote attacker could exploit this vulnerability to obtain sensitive information on the server.
The NSFOCUS security research team reported CVE-2020-4643 to IBM. CVE-2020-4643 can be used in combination with CVE-2020-4450 to trigger an XXE vulnerability that requires no authentication to exploit, thereby causing the disclosure of sensitive server information. The vulnerability is comparatively easy to exploit and involves high risks. Affected users should take preventive measures as soon as possible.
Intelligent Threat Analytics: Graph Data Structuring
October 13, 2020
Artificial intelligence (AI) technology based on deep neural networks has made breakthroughs in a wide range of fields, but has seen only limited adoption in cybersecurity. At present, it is impractical to expect a hierarchical neural network to implement threat identification, association, and response from end to end. According to Zhou Tao, an algorithm expert, AI can hardly play its role in threat detection for the following reasons:
- Machine learning is good at detecting behavior of normal patterns, but intrusion is a type of behavior deviating from the normal.
- Possession of big data is not equivalent to control of large quantities of labeled data. Unsupervised learning delivers inaccurate data.
- Threat detection is an open-ended issue as the loss function is very difficult to define.
- There is a permanent pursuit of accountable results.
Zhou’s explanations touch upon the model, data, and usage scenarios, providing a penetrating insight into why machine learning, especially deep learning, cannot fit in well with security modeling. However, deep learning and machine learning are not all AI is about. In cyberspace, deep learning and machine learning, when used with intelligent threat analytics platforms with capabilities of anomaly awareness, event inference, and threat response, can serve as normal data processing tools rather than core capabilities.
Botnet Trend Report 2019-14
October 12, 2020
New Trends of APT Groups
Here are three trends that shaped APT groups in 2019:
Firstly, mobile devices became common constituents of the attack surface. In 2019, MuddyWater developed malicious files against Android platforms, heading towards mobile devices. Google’s Project Zero team revealed five exploit chains deployed in the wild to attack iOS systems and noted that these exploit chains, relying on 0-day vulnerabilities, could be easily used by APT groups to target multiple iOS versions.
IBM Spectrum Protect Plus Directory Traversal and Arbitrary Code Execution Vulnerabilities (CVE-2020-4711, CVE-2020-4703) Threat Alert
October 9, 2020
Vulnerability Description
On September 15, 2020, NSFOCUS detected that IBM had released a security bulletin fixing directory traversal and arbitrary code execution vulnerabilities (CVE-2020-4711, CVE-2020-4703) in the IBM Spectrum Protect Plus Administrative Console. The directory traversal vulnerability (CVE-2020-4711) exists in a script (/opt/ECX/tools/scripts/restore_wrapper.sh) within Spectrum Protect Plus. An unauthenticated attacker could send a crafted HTTP request to view arbitrary files on the system. CVE-2020-4703 allows an authenticated attacker to upload arbitrary files, which could then be used to execute arbitrary code on the vulnerable server. This vulnerability is due to an incomplete fix for CVE-2020-4470. A proof of concept (PoC) for this vulnerability has been made publicly available. Relevant users are advised to take protective measures as soon as possible.
IBM Spectrum Protect Plus is a data protection and availability solution for virtual environments. It can be implemented as an independent solution or environmentally integrated into IBM Spectrum Protect, thereby offloading copies for long-term storage and data governance efficiently at scale.
DHDiscover reflection attacks can magnify nearly 200 times of the attack 2
October 8, 2020
DHDiscover reflection attack analysis
In this chapter, we describe the current threat status of the DHDiscover reflection attack, based on log data captured on port 37810 by the NSFOCUS Threat Capture System from June 1, 2020 to August 18, 2020.
We counted the number of logs on port 37810, as shown in the figure. The attacks trended upward from early June to early August and then decreased in mid-August, with the maximum number of packets captured by a single honeypot reaching 900,000 in a single day.

Figure 1.1 DHDiscover server accessing trend
We also counted the payloads in the log data received on port 37810. To avoid spreading the attack messages, we name them here by message length. As can be seen in Figure 1.1, the payloads most commonly used by attackers are 4 bytes and 62 bytes in length; the 62-byte payload has also been described in an article written by Tencent.
GovWare 2020
October 7, 2020
GovWare Virtual Conference and Exhibition October 7-8, 2020 Virtual Event
Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2020-16875) Handling Guide
October 7, 2020
Vulnerability Description
Recently, NSFOCUS detected that security personnel disclosed the procedure for exploiting the Microsoft Exchange Server remote code execution vulnerability (CVE-2020-16875) online. The vulnerability was made public by Microsoft in its September 2020 Security Updates. A remote code execution vulnerability exists in the way that Microsoft Exchange Server handles objects in memory. The prerequisite for successfully exploiting the vulnerability is to have user rights that can be authenticated as an Exchange role. An attacker could trigger the vulnerability by sending an email that contains special cmdlet arguments to the affected Exchange server. An attacker who successfully exploited the vulnerability could execute arbitrary code with system privileges on the affected system. Users should take preventive measures as soon as possible.
Botnet Trend Report 2019-13
October 5, 2020
Mirai
At present, Mirai is among the biggest IoT botnet families: it has the most variants, infects the most devices, and has the most extensive impact. In 2019, NSFOCUS Security Labs captured 10,635 Mirai samples in total (excluding duplicate malware arising from cross compilation), identified 1660 C&C addresses, and detected more than 40 exploits.