IP Reputation Report-04192020
April 23, 2020
Top 10 countries in attack counts:
- The above diagram shows the top 10 regions with the most malicious IP addresses from the NSFOCUS IP Reputation databases at April 19, 2020.
DDoS Attack Landscape 5
April 22, 2020
Controlled DDoS Attack Sources
According to statistics, China was still home to the largest number of controlled DDoS attack sources (36.19%) in 2019, followed by the USA and UK. Although China’s ranking remained
unchanged in terms of the number, the proportion decreased compared with 2018. This indicates that China’s DDoS governance and defenses have yielded fruits. (more…)
Google Chrome Update Fixes Multiple High-Severity Vulnerabilities Threat Alert
April 21, 2020
Overview
On March 31, 2020, local time, Google published an advisory, announcing that the newest version of Chrome 80.0.3987.162 to be rolled out in the coming days would address eight security vulnerabilities. Now this version has been released.
The most severe of these vulnerabilities could allow attackers to execute arbitrary code in the context of the browser. (more…)
Overseas APT Organization Exploits Vulnerabilities to Breach Sangfor SSL VPNs and Deliver Malicious Code Threat Alert
April 20, 2020
Overview
On April 6, Sangfor released an advisory, announcing that an overseas APT organization illegally took control of some of their SSL VPN devices and sent malicious files to clients by exploiting a client upgrade vulnerability. NSFOCUS has kept a close eye on this issue and conducted overall analysis. We advise related users to take precautions as soon as possible.
The vulnerability exists due to the defect of the upgrade module signature authentication mechanism of the Windows client of SSL VPN devices. The prerequisite for exploitation is that attackers must take control of SSL VPN privileges. According to Sangfor’s analysis, this vulnerability is difficult to exploit. Therefore, Sangfor estimates that there are only a limited number of affected VPN devices. According to the NSFOCUS security team, not many VPN devices have been compromised by the APT organization, but the affected versions are widely used in enterprises in China.
WebSphere Application Server Remote Code Execution Vulnerability (CVE-2020-4276 and CVE-2020-4362) Threat Alert
April 17, 2020
Overview
IBM released security advisories to announce the fix of two remote code execution vulnerabilities (CVE-2020-4276 and CVE-2020-4362) in WebSphere Application Server.
The two vulnerabilities exist when WebSphere uses token-based authentication in an admin request over the SOAP connector.
By sending a maliciously crafted request to WebSphere SOAP Connector, an attacker could execute arbitrary code on an affected server in an unauthorized way.
IP Reputation Report-04122020
April 16, 2020
-
Top 10 countries in attack counts:
- The above diagram shows the top 10 regions with the most malicious IP addresses from the NSFOCUS IP Reputation databases at April 12, 2020.
DDoS Attack Landscape 4
April 15, 2020
Attack Distribution by Duration
In 2019, the average duration of DDoS attacks was registered at 52 minutes, an 18% increase from 2018. We noticed that the longest DDoS attack in 2019 lasted around 20 days, far longer than attacks detected in previous years.
In 2019, a DDoS attacks lasting less than 30 minutes accounted for 75%, approximate to the figure registered in 2018. The high proportion of short attacks signals that attackers are attaching more
and more importance to the attack cost and efficiency and are more inclined to overwhelm the target service with floods of traffic in a short time, getting users offline and causing high latency
and jitters. In addition, Botnet-as-a-Service (BaaS) and DDoS-as-a-Service (DDoS) have gained momentum for rapid development, which were also to blame for the prevalence of short attacks.
Thanks to their availability, platform users are able to launch massive attacks in a very short time as long as they are willing to pay a certain amount of money for a whole lot of mercenary attack resources4. In the long run, repeated burst attacks, which are under effective cost control, will greatly aggravate the quality of target services.
Vollgar Botnet Threat Alert
April 14, 2020
Overview
On April 1, the Guardicore Labs team uncovered a long-running attack campaign which aims to infect Windows machines running MS-SQL servers. At least since May 2018, the campaign uses password brute force to breach victim machines, deploys multiple backdoors, and executes numerous malicious modules, such as remote access tools (RATs). We dubbed the campaign Vollgar.
It is not uncommon for attackers to use password brute force to breach systems and then inject malware. However, according to the report, there are still 2000–3000 databases being attacked every day. Victims are distributed in different countries (including China, India, South Korea, Turkey, and the USA) and belong to various industry sectors (including healthcare, aviation, IT, telecommunications, and higher education). (more…)
A Look into RSAC 2020: Cloud Security
April 13, 2020
RSA Conference (RSAC) 2020 was held still at the Moscone Center in San Francisco in February as scheduled. Unfortunately, I failed to attend this conference. So, instead of talking about my actual feelings of visiting the scene, I focus on what I think after watching session tracks of this conference.
Linux Kernel Information Disclosure and Privilege Escalation Vulnerability Threat Alert
April 10, 2020
Vulnerability Description
On March 31, the Linux kernel privilege escalation vulnerability demonstrated by the competitor Manfred Paul on the Pwn2Own contest was included in the CVE database and identified as CVE-2020-8835. This vulnerability exists because the bpf verifier in the Linux kernel does not properly calculate register bounds for certain operations. A local attacker could exploit this vulnerability to read confidential information (kernel memory) or gain administrative privileges. Users should take preventive measures as soon as possible.
