Emergency Response

Deep Analysis of Memcached Large DRDoS Attacks – China Telecom DamDDoS & NSFOCUS Jointly Released

March 5, 2018 | Adeline Zhang

Recently, many domestic and foreign security companies and agencies issued warnings about the Memcached Distributed Reflection Denial of Service attack, which aroused the concern of all parties. According to our monitoring, the peak traffic for this attack has now reached 1.35T. On Feb. 27, Memcached’s reflection DDoS attacks ranged from hundreds of megabytes to a maximum of […]

Technical Analysis Report on Rowdy, A New Type of IoT Malware Exploiting STBs

October 19, 2017 | Adeline Zhang

In August 2017, NSFOCUS’s DDoS situation awareness platform detected anoma-lous bandwidth usage over a customer’s network, which, upon analysis, was confirmed to be a distributed denial-of-service (DDoS) attack. The attack was characterized by different types of traffic, including TCP flood, HTTP flood, and DNS flood. Tracing source IP addresses, we found that the attack had […]

Analysis and Solution of Spring Data REST Server PATCH Request RCE Vulnerability

October 11, 2017 | Adeline Zhang

  Overview Recently, Pivotal released a security advisory to reveal the Spring Data REST server is prone to a remote code execution vulnerability (CVE-2017-8046) when processing PATCH requests. Attackers could exploit this vulnerability by sending a crafted PATCH request to the Spring Data REST server. The submitted JSON data contains a SPEL expression, which could […]

Struts 2 S2-052 REST Plug-in Remote Code Execution Vulnerability Analysis

September 8, 2017 | Adeline Zhang

Overview On September 5, 2017, Apache Struts released the latest security bulletin announcing that the REST plug-in in Apache Struts 2.5.x and some 2.x versions is prone to a high-risk remote code execution vulnerability, which has been assigned CVE-2017-9805 (S2-052). When using an XStream handler with an instance of XStream for deserialization, the REST plug-in […]

Analysis of Phishing Attacks Targeting Ukrainian Banks

September 1, 2017 | Adeline Zhang

Overview On August 17, 2017, the National Bank of Ukraine (NBU) warned financial institutions in the country about a potential cyberattack. The virus would exploit the CVE-2015-2545 vulnerability to cause remote code execution by sending emails with the code disguised as a Microsoft Word document. Subsequently, a cybersecurity institution found traces of such an attack […]

Joao Malware Analysis

August 31, 2017 | Adeline Zhang

Overview Security researchers from the security firm ESET spotted a piece of malware dubbed Joao targeting gamers. This malware is found inside an Aeria game installation pack provided by a third party. Upon the start of a game, this malware runs in the background, sending the victim’s machine information to the attacker, including the operating […]

Moyou Trojan Analysis

August 31, 2017 | Adeline Zhang

Overview On August 2, 2017, ANTIY discovered a new DDoS trojan and dubbed it Moyou. After obtaining the related sample, NSFOCUS conducted a detailed analysis of the trojan. Sample Analysis The following figure shows the detection result of NSFOCUS Threat Analysis Center (TAC). The sample obtains the C&C server address (www.linux288.com) by reading data from […]

Remote Access Trojan KONNI Targeting North Korea Technical Analysis and Solution

August 18, 2017 | wangyang2

This July a remote access trojan (RAT) KONNI was discovered to be involved in a cyberattack targeting North Korea, which was presumably linked to South Korea. This RAT spreads mainly through phishing emails. Specifically, the attacker first tries to have a powershell script executed via an .scr file, and then downloads the malware of an […]

Dahua Cameras Unauthorized Access Vulnerability Analysis & Solution

March 17, 2017 | Adeline Zhang

Overview Dahua Technology, a well-known security camera and digital video recorder (DVR) vendor in China, released firmware updates to address serious security vulnerabilities for several of their products. By exploiting this vulnerability an attacker can access the user database of a Dahua camera without needing administrative privileges and extract the user name and password hash. […]

Anatomy of An Attack – DNS Amplification

February 9, 2017 | Adeline Zhang

Author: Vann Abernethy, Field CTO Overview DNS amplification attacks ramp up the power of a botnet when targeting a victim.  The basic technique of a DNS amplification attack is to spoof the IP of the intended target and send a request for a large DNS zone file to any number of open recursive DNS servers.  The […]