Adeline Zhang

Attack and Defense Around PowerShell Event Logging

November 10, 2020

0x00 Overview

PowerShell has long been a focus of concern for network defenders. Fileless PowerShell, living off the land (LotL) and easy to use, appears in a wide range of attack scenarios. To capture PowerShell-based attacks, a growing number of security teams analyze PowerShell event logs and extract attack records, such as post-exploitation activity, for enterprise security monitoring, alerting, tracing, and forensics. At the same time, attackers keep finding new ways to evade event logging. As the logging features of successive PowerShell versions have improved, attackers have used a variety of techniques to tamper with the data the logging mechanism itself depends on and to compromise the integrity of the event logs. The vulnerability CVE-2018-8415, patched by Microsoft in late 2018, is another means of evading PowerShell event logging. This article examines the security features of the logging function in the major PowerShell versions, together with the attack methods, ideas, and techniques used against the event logging of each version.
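The overview above describes defenders extracting attack records from PowerShell event logs and attackers tampering with the logging path. The following is an added example, not code from the article or from Microsoft, showing the three things a practitioner wants on a host: turn on the PowerShell 5 logging sources, check that the policy is still in place and that events are still arriving (tampering usually breaks the second without touching the first), and pull the script blocks worth a look. It assumes Windows PowerShell 5.1 in an elevated session; the registry keys are the ones Group Policy writes, and the indicator list in `Get-SuspiciousScriptBlock` is constructed for illustration and should be tuned to your estate.

```powershell
# Added example for the overview above; not code from the article or from Microsoft.
# Assumes Windows PowerShell 5.1 and a local administrator session.

$PolicyBase = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$OpLog      = 'Microsoft-Windows-PowerShell/Operational'

function Enable-PowerShellLogging {
    # Script block logging -> Event ID 4104 (the de-obfuscated code that actually ran).
    New-Item -Path "$PolicyBase\ScriptBlockLogging" -Force | Out-Null
    Set-ItemProperty -Path "$PolicyBase\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord
    # Module logging -> Event ID 4103 (pipeline execution details) for every module.
    New-Item -Path "$PolicyBase\ModuleLogging\ModuleNames" -Force | Out-Null
    Set-ItemProperty -Path "$PolicyBase\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
    Set-ItemProperty -Path "$PolicyBase\ModuleLogging\ModuleNames" -Name '*' -Value '*' -Type String
}

function Test-PowerShellLogging {
    # Two independent checks: is the policy set, and are 4104 events still being written?
    # Alert on a gap in events, not only on the registry value.
    $sbl  = (Get-ItemProperty -Path "$PolicyBase\ScriptBlockLogging" -ErrorAction SilentlyContinue).EnableScriptBlockLogging
    $last = Get-WinEvent -FilterHashtable @{ LogName = $OpLog; Id = 4104 } -MaxEvents 1 -ErrorAction SilentlyContinue
    [pscustomobject]@{
        PolicyEnabled   = ($sbl -eq 1)
        LastScriptBlock = $(if ($last) { $last.TimeCreated })
        # The Operational log is small by default; raise it before relying on 4104 for forensics.
        LogSizeBytes    = (Get-WinEvent -ListLog $OpLog).MaximumSizeInBytes
    }
}

function Get-SuspiciousScriptBlock {
    param([int]$Hours = 24)
    # Constructed indicator list for fileless / LotL tradecraft; tune for your environment.
    $indicators = 'EncodedCommand', 'FromBase64String', 'Invoke-Expression', 'IEX(',
                  'DownloadString', 'Net.WebClient', 'Reflection.Assembly', 'Add-Type',
                  'MiniDumpWriteDump', 'Invoke-Mimikatz', '-nop', '-w hidden', 'Set-MpPreference'
    $pattern = ($indicators | ForEach-Object { [regex]::Escape($_) }) -join '|'

    Get-WinEvent -FilterHashtable @{ LogName = $OpLog; Id = 4104; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # 4104 payload order: MessageNumber, MessageTotal, ScriptBlockText, ScriptBlockId, Path
            $text = [string]$_.Properties[2].Value
            if ($text -match $pattern) {
                [pscustomobject]@{
                    Time          = $_.TimeCreated
                    Level         = $_.LevelDisplayName   # PowerShell flags some blocks as Warning even with the policy off
                    ScriptBlockId = $_.Properties[3].Value
                    Path          = $_.Properties[4].Value # empty for code typed at the prompt or passed via -Command
                    Indicator     = $Matches[0]
                    Snippet       = ($text.Substring(0, [Math]::Min(160, $text.Length)) -replace '\s+', ' ')
                }
            }
        }
}

# Typical use:
# Enable-PowerShellLogging
# Test-PowerShellLogging
# Get-SuspiciousScriptBlock -Hours 72 | Format-Table -AutoSize
```

Two points the block relies on: PowerShell 5 writes 4104 events at Warning level for script blocks that match its built-in suspicious list even when the policy is off, so a host with no 4104 events at all is itself a signal; and `Path` is empty for code that never touched disk, which is exactly the fileless case the article is concerned with, so filter on an empty path rather than discarding those events.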

(more…)

Annual IoT Security Report 2019-2

IoT botnets

November 9, 2020

Extensive Power Outages in Venezuela and New York

Starting on the evening of March 7, 2019, a blackout that the Venezuelan government attributed to a cyberattack left most of the country, including the capital Caracas, without power for more than 24 hours. Because of the outage, the Caracas subway came to a halt, causing massive traffic jams. Schools, hospitals, factories, and airports were all severely affected, and even mobile phones and networks stopped working properly.

Just four months after the power outage in Venezuela, at 18:47 on July 13, 2019, a large-scale blackout hit Manhattan from Midtown to the Upper West Side, leaving Times Square, subway stations, cinemas, and Broadway in the dark. At its peak, the New York blackout cut power to about 73,000 customers. At a press conference, New York City Mayor Bill de Blasio said the blackout was caused by a transformer fire. Although not a malicious cyberattack, the incident is a reminder of how fragile critical infrastructure can be.

(more…)

WebLogic High-Risk Vulnerabilities (CVE-2020-14841, CVE-2020-14825, CVE-2020-14859) Threat Alert

oracle

November 6, 2020

Overview

On October 21, 2020, Beijing time, Oracle released its Critical Patch Update (CPU) for October 2020, which fixes 402 vulnerabilities of varying severity.

The WebLogic Server Core component is affected by three critical vulnerabilities, each with a CVSS base score of 9.8, assigned CVE-2020-14841, CVE-2020-14825, and CVE-2020-14859 respectively.

(more…)

Annual IoT Security Report 2019-1

IoT botnets

November 4, 2020

Executive Summary

With the constant evolution of the Internet of Things (IoT), the security of IoT is becoming an issue that more and more people are concerned about. In 2016, we issued the IoT Security Whitepaper to popularize IoT security for a general audience. In 2018, we released the 2017 Annual IoT Cybersecurity Report to present our analysis of exposure of IoT assets on the Internet, device vulnerabilities, and threats and risks to which IoT devices are exposed. Our 2018 Annual IoT Security Report is focused on the actual exposure of IoT assets on the Internet, aimed at revealing the overall security posture of IoT assets based on threat intelligence. The report also allots quite a few pages to the security of the UPnP protocol stack, which is often used in IoT applications. In the 2019 Annual IoT Security Report, we continue to delve into IoT assets and the risks and threats facing them: In IoT asset reconnaissance (“recon” for short), we update data on the actual exposure of IoT assets on IPv4 networks and add data on the exposure of IoT assets on IPv6 networks; as for threats, we analyze IoT security incidents and threat sources from the perspectives of vulnerability exploitation and protocol exploitation. Finally, we provide a solution for protecting IoT devices.

(more…)

Apache Solr ConfigSet API Upload Function Vulnerability (CVE-2020-13957) Threat Alert

November 3, 2020

Overview

Recently, Apache Solr fixed a vulnerability (CVE-2020-13957) in the upload function of the ConfigSets API. An attacker could perform unauthorized operations by combining the UPLOAD and CREATE actions, which may ultimately lead to command execution.

Apache Solr is an enterprise search server that is based on Lucene.

(more…)

Windows TCP/IP Remote Code Execution Vulnerability (CVE-2020-16898) Threat Alert

November 2, 2020

Overview

On October 13, 2020 (local time), Microsoft fixed a critical vulnerability in the Windows TCP/IP stack, dubbed Bad Neighbor (CVE-2020-16898), in its monthly security update. An attacker could execute arbitrary code on a remote system by sending maliciously crafted ICMPv6 Router Advertisement packets.

McAfee said that the proof-of-concept code shared with MAPP (Microsoft Active Protection Program) members is both simple and reliable and results in an immediate BSOD (Blue Screen of Death).
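For hosts that cannot take the October 2020 update immediately, Microsoft's advisory for CVE-2020-16898 publishes a per-interface workaround: disable RA-based DNS configuration (RFC 6106), which stops the stack from processing the RDNSS option in Router Advertisements where the flaw is triggered. The following is an added example, not code from the alert or from Microsoft, that reads the current setting and applies the workaround. It assumes Windows 10 or Windows Server 2019 with the NetAdapter module available and an elevated session; the `netsh` command and the "RA Based DNS Config" line it parses are the ones the advisory and `netsh` itself use.

```powershell
# Added example for the Bad Neighbor alert above; not code from NSFOCUS or Microsoft.
# Assumes Windows 10 / Server 2019, the NetAdapter module, and an elevated session.

function Get-RaBasedDnsConfig {
    # One row per adapter with the current RA-based DNS (RFC 6106) setting, read from netsh.
    Get-NetAdapter | ForEach-Object {
        $raw  = netsh interface ipv6 show interface $_.ifIndex 2>$null
        $line = ($raw | Select-String 'RA Based DNS Config').Line
        [pscustomobject]@{
            ifIndex          = $_.ifIndex
            Name             = $_.Name
            Status           = $_.Status
            RaBasedDnsConfig = $(if ($line) { ($line -split ':\s*', 2)[1].Trim() } else { 'n/a' })
        }
    }
}

function Disable-RaBasedDnsConfig {
    # Applies the published workaround to each selected interface (default: all adapters
    # that are Up). Hosts that learn their IPv6 DNS servers only from RAs will lose that
    # source until the setting is re-enabled after patching (rabaseddnsconfig=enable).
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [int[]]$InterfaceIndex = (Get-NetAdapter | Where-Object Status -eq 'Up').ifIndex
    )
    foreach ($idx in $InterfaceIndex) {
        if ($PSCmdlet.ShouldProcess("interface index $idx", 'netsh interface ipv6 set interface rabaseddnsconfig=disable')) {
            netsh interface ipv6 set interface $idx rabaseddnsconfig=disable | Out-Null
        }
    }
    # Return the post-change state so the caller can confirm the workaround took effect.
    Get-RaBasedDnsConfig | Where-Object ifIndex -in $InterfaceIndex
}

# Typical use:
# Get-RaBasedDnsConfig
# Disable-RaBasedDnsConfig -WhatIf      # preview
# Disable-RaBasedDnsConfig              # apply to all Up interfaces
```

Treat this strictly as a stopgap: it removes the trigger for this one bug, not the underlying parsing flaw, so install the update and then revert the setting on any interface that needs RDNSS.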

(more…)

Oracle October 2020 Critical Patch Update for All Product Families Threat Alert

October 31, 2020

Overview

On October 20, 2020, local time, Oracle released its Critical Patch Update (CPU) for October 2020, together with its own security advisories and third-party security bulletins, fixing 402 vulnerabilities of varying severity. For details about affected products and available patches, see the appendix.

For complete information, see Oracle’s official security advisory from the following link:

https://www.oracle.com/security-alerts/cpuoct2020.html
(more…)

Analysis of the 2020 H1 Vulnerability Trend

October 30, 2020

Overview

In 2020 H1, a total of 1419 vulnerabilities were added to the NSFOCUS Vulnerability Database (NSVD), 714 of which were high-risk. Of these high-risk vulnerabilities, 184 affected Microsoft products. High-risk vulnerabilities were concentrated in major products from Microsoft, Oracle, Adobe, Google, Cisco, IBM, Moxa, Apache, and other vendors.

(more…)

Microsoft’s October 2020 Patches Fix 87 Security Vulnerabilities Threat Alert

October 28, 2020

Overview

Microsoft released its October 2020 security updates on Tuesday, fixing 87 vulnerabilities ranging from spoofing to remote code execution across a wide range of products, including .NET Framework, Azure, Group Policy, Microsoft Dynamics, Microsoft Exchange Server, Microsoft Graphics Component, Microsoft NTFS, Microsoft Office, Microsoft Office SharePoint, Microsoft Windows, Microsoft Windows Codecs Library, PowerShellGet, Visual Studio, Windows COM, Windows Error Reporting, Windows Hyper-V, Windows Installer, Windows Kernel, Windows Media Player, Windows RDP, and Windows Secure Kernel Mode.

(more…)

Analysis of Ripple20 Vulnerabilities

October 27, 2020

1. Background

Recently, the JSOF research lab discovered a series of vulnerabilities in the Treck TCP/IP stack, collectively dubbed Ripple20. Successful exploitation of these vulnerabilities may allow remote code execution or disclosure of sensitive information. Full technical details are to be released at Black Hat USA 2020.

(more…)


Subscribe to the NSFOCUS Blog