Adeline Zhang

2019 Cybersecurity Insights -16

August 19, 2020

In this section, we analyzed threats against three major protocols.

Threats Against Telnet

According to data from NSFOCUS's threat hunting system, Telnet (port 23), targeted by a total of 120,000 attack sources, was the IoT protocol most favored by attackers. Figure 7-3 shows the activity trend of Telnet attack sources from March to October 2019. The number of Telnet-based attacks increased month by month from March to August, with August seeing the most attack sources (over 60,000), which carried out more than 50,000 weak-password probing activities. June saw the most sample download activities (more than 40,000). Overall, the number of attack sources declined in the latter half of 2019.

(more…)

2020 Mid-Year DDoS Attack Landscape Report-1

August 18, 2020

Summary

  1. Global distribution of DDoS attacks: the U.S. suffered the most DDoS attacks, and Japan received the largest volume of DDoS traffic.
  2. DDoS attack trend: March and April saw the most frequent DDoS attacks, and attack traffic peaked in May.
  3. DDoS attacks and the COVID-19 pandemic: DDoS attacks fluctuated noticeably with the worldwide outbreak of the COVID-19 pandemic; Germany and the U.S. were two typical examples.
  4. Attack lethality: compared with the first half of 2019, the first half of 2020 saw fewer attacks, but of increasing magnitude.
  5. Attack types: SYN flood and UDP flood remained the dominant DDoS attack types.
  6. Attack duration: short, effective attacks were the norm, with 68% of attacks lasting less than 5 minutes.
  7. Attack peak: the strongest attack occurred in May, with a peak of 634.6 Gbps.
  8. Attack gangs: among the 15 IP gangs under our continuous monitoring in the first half of 2020, the largest attack used 217,000 attack sources.
(more…)

TP-Link Tapo C200 IP Camera High-Risk Vulnerability Threat Alert

August 18, 2020

Overview

Recently, TP-Link fixed a high-risk vulnerability in the C200 IP camera.

A user's hashed password could be recovered from a memory dump obtained through the Heartbleed vulnerability exposed on TCP port 443. The hash could then be used in a pass-the-hash attack against the login process of the device's API, which issued a login token called "stok" that authenticated the attacker to the device as that user.

With that token, an attacker could perform authenticated operations, such as moving the camera's motor, formatting the SD card, creating an RTSP account to view the camera's video feed, and disabling privacy mode.

(more…)

Botnet Trend Report 2019-6

August 17, 2020

Overview of DDoS Attacks in 2019

According to observations by NSFOCUS Security Labs, DDoS botnets in 2019, despite some changes, largely continued the same patterns in attack targets, families, and operating platforms.

In the tracking data of NSFOCUS Security Labs for 2019, DDoS botnet families issued more than 1.1 million instructions, 63% of which (over 700,000) were effective. According to the Labs' metrics, these instructions resulted in over 400,000 attack events.

In terms of geographic locations, the USA was still the most targeted country, followed by China, the UK, and Australia.

(more…)

Adobe Releases Updates to Fix High-Risk Vulnerabilities Threat Alert

August 14, 2020

Overview

On July 21, 2020, local time, Adobe released security updates to fix high-risk code execution vulnerabilities in its various products, including Adobe Bridge, Adobe Photoshop, Adobe Prelude, and Adobe Reader Mobile.

For details about the security bulletins and advisories, visit the following link:

https://helpx.adobe.com/security.html
(more…)

2019 Cybersecurity Insights -15

August 12, 2020

Finding 1: In 2019, over 30 types of IoT vulnerability exploits were captured, most of which targeted remote command execution vulnerabilities. Though hundreds to thousands of IoT vulnerabilities are disclosed each year, only a few have an extensive impact. Attackers favored device classes exposed in large numbers (routers and video surveillance devices) in order to broaden their reach.

Finding 2: IoT devices, especially cameras and routers, were major targets of Telnet weak password cracking attacks.

Finding 3: Since security researchers from Baidu disclosed that the Web Services Dynamic Discovery (WSD) protocol could be exploited for DDoS reflection attacks, reflection attack events based on this protocol increased notably in the latter half of 2019. WSD reflection attacks captured by us rose from mid-August onward, and September saw a sharp increase. All parties concerned, including security vendors, service providers, and telecom carriers, should pay due attention to this type of threat.

Finding 4: Approximately 2.28 million IoT devices worldwide had the UPnP/SSDP service (port 1900) publicly accessible and were thus at risk of being exploited to launch DDoS reflection attacks, a decrease of 22% from 2018. The UPnP port mapping service, exposed on about 390,000 IoT devices, could be abused as a proxy or to make intranet services reachable from the Internet.

(more…)

Microsoft Windows DNS Server Remote Code Execution Vulnerability SigRed (CVE-2020-1350) Threat Alert

August 11, 2020

Overview

On July 14, 2020 local time, Microsoft addressed a wormable Windows DNS Server vulnerability dubbed SigRed (CVE-2020-1350) in its monthly patch updates. Because exploitation requires no user interaction, malware using it could spread between vulnerable servers on its own and potentially compromise an organization's entire network.

The vulnerability is reported to have existed for 17 years and carries a CVSS score of 10 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C).

The vulnerability can be triggered when a DNS server parses incoming queries or processes responses to requests it has forwarded.

Check Point researchers found that a DNS response containing a SIG record larger than 64 KB triggers an integer overflow in a 16-bit size calculation, leading to a heap-based buffer overflow that allows attackers to take control of the server.

(more…)
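As an added illustration (not code from the NSFOCUS alert or from Check Point), the Python script below inspects DNS-over-TCP responses for the two signals a defender can act on from the description above: a message larger than the 0xFF00-byte TcpReceivePacketSize cap that Microsoft's registry workaround for CVE-2020-1350 imposes, and a SIG record whose RDATA, once the compressed signer name is expanded, would exceed a 16-bit length. The second check is a heuristic approximation of the truncation, not a copy of the dns.exe arithmetic. The sample messages are constructed inline for the example and are not real captures.

```python
"""Flag DNS-over-TCP responses with oversized messages or SIG records (CVE-2020-1350 heuristic)."""
import struct

TYPE_SIG = 24            # RR type number of SIG (RFC 2535)
TCP_SAFE_LIMIT = 0xFF00  # TcpReceivePacketSize value from Microsoft's CVE-2020-1350 workaround
SIG_FIXED_LEN = 18       # type covered(2) alg(1) labels(1) orig TTL(4) expire(4) incept(4) key tag(2)


def read_name(msg, offset):
    """Decode a DNS name at `offset` (RFC 1035 compression allowed).
    Returns (dotted name, offset just past the field, uncompressed wire length)."""
    labels, uncompressed, end, hops = [], 0, None, 0
    while True:
        if offset + 1 >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # 2-byte compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2                        # the field ends after the first pointer
            hops += 1
            if hops > 32 or pointer >= len(msg):
                raise ValueError("bad compression pointer")
            offset = pointer
            continue
        uncompressed += 1 + length
        if length == 0:
            if end is None:
                end = offset + 1
            return ".".join(labels), end, uncompressed
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii", "replace"))
        offset += 1 + length


def analyze_dns_tcp_message(raw):
    """`raw` is one DNS-over-TCP unit: 2-byte length prefix plus the message.
    Returns the message length, the SIG records found and the two flags."""
    if len(raw) < 2:
        raise ValueError("truncated length prefix")
    msg_len = struct.unpack("!H", raw[:2])[0]
    msg = raw[2:2 + msg_len]
    if len(msg) != msg_len or msg_len < 12:
        raise ValueError("length prefix does not match message")
    _id, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, sig_records = 12, []
    for _ in range(qd):                                 # question: QNAME QTYPE QCLASS
        _, off, _ = read_name(msg, off)
        off += 4
    for _ in range(an + ns + ar):                       # answer, authority, additional RRs
        _, off, _ = read_name(msg, off)
        rtype, _rclass, _ttl, rdlength = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata_start, rdata_end = off, off + rdlength
        if rdata_end > len(msg):
            raise ValueError("RDATA runs past end of message")
        if rtype == TYPE_SIG and rdlength > SIG_FIXED_LEN:
            signer, after_name, name_len = read_name(msg, rdata_start + SIG_FIXED_LEN)
            if after_name > rdata_end:
                raise ValueError("signer name runs past RDATA")
            sig_len = rdata_end - after_name            # the signature is the rest of RDATA
            expanded = SIG_FIXED_LEN + name_len + sig_len
            sig_records.append({"signer": signer, "rdlength": rdlength, "signature_len": sig_len,
                                "expanded_rdata": expanded, "overflows_16bit": expanded > 0xFFFF})
        off = rdata_end
    exceeds = msg_len > TCP_SAFE_LIMIT
    return {"length": msg_len, "exceeds_tcp_limit": exceeds, "sig_records": sig_records,
            "suspicious": exceeds or any(r["overflows_16bit"] for r in sig_records)}


def _encode_name(name):
    """Uncompressed wire form of a dotted name."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def build_sample_sigred_response():
    """Constructed sample, not a capture: a 65,535-byte response (the TCP maximum) whose single
    SIG answer carries its signer name as a compression pointer into the signature bytes,
    where a 255-byte name has been planted."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    question = _encode_name("example.com") + struct.pack("!HH", TYPE_SIG, 1)
    rdata_off = len(header) + len(question) + 2 + 10   # owner-name pointer + fixed RR fields
    rdlength = 0xFFFF - rdata_off
    planted = _encode_name(".".join(["a" * 63, "b" * 63, "c" * 63, "d" * 61]))  # 255 bytes
    pointer = struct.pack("!H", 0xC000 | (rdata_off + SIG_FIXED_LEN + 2))      # points at planted
    sig_fields = struct.pack("!HBBIIIH", 1, 5, 2, 3600, 0, 0, 0)                # 18 fixed bytes
    signature = planted + b"A" * (rdlength - SIG_FIXED_LEN - 2 - len(planted))
    rr = b"\xC0\x0C" + struct.pack("!HHIH", TYPE_SIG, 1, 3600, rdlength) + sig_fields + pointer + signature
    msg = header + question + rr
    return struct.pack("!H", len(msg)) + msg


def build_benign_response():
    """Constructed sample: an ordinary A-record answer for comparison."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    question = _encode_name("example.com") + struct.pack("!HH", 1, 1)
    rr = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34])
    msg = header + question + rr
    return struct.pack("!H", len(msg)) + msg


if __name__ == "__main__":
    for sample in (build_benign_response(), build_sample_sigred_response()):
        print(analyze_dns_tcp_message(sample))
```

Feed it the raw TCP payload (length prefix included) from port 53/tcp traffic reaching your DNS servers, for example reassembled from a capture; a message that trips either flag is worth pulling for analysis. The flags are a detection aid only; the fix remains the July 2020 patch, with the 0xFF00 registry cap as the interim mitigation Microsoft documented.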

Botnet Trend Report -5

August 10, 2020

Spear Phishing and Malicious Documents

In the past few years, malicious email attachments have become one of the most common methods that APT groups and various cybercriminal groups use to launch spear phishing attacks. Compared with previous years, 2019 saw more spear phishing attacks with a bigger impact, which we attribute to the following factors.

(more…)

FBI Warning: New DDoS Reflection Attacks Are Coming, Are You Ready?

August 7, 2020

According to ZDNet's reports, the FBI released a warning last week that several network protocols new to the DDoS scene are being used by criminals to launch large-scale attacks. Three protocols and one web application were identified as DDoS reflection and amplification vectors: CoAP, WS-DD, ARMS, and web-based Jenkins.

(more…)

WebLogic Remote Code Execution Vulnerabilities (CVE-2020-14625, CVE-2020-14644, CVE-2020-14645, CVE-2020-14687) Threat Alert

August 7, 2020

Overview

On July 15, 2020, Beijing time, Oracle released its Critical Patch Update (CPU) for July 2020, which fixes 433 vulnerabilities of different risk levels.

The WebLogic Server Core component is affected by four severe vulnerabilities, each with a CVSS base score of 9.8, assigned CVE-2020-14625, CVE-2020-14644, CVE-2020-14645, and CVE-2020-14687 respectively.

These vulnerabilities are reachable over the T3 and IIOP protocols and allow an unauthenticated attacker with network access to execute arbitrary code remotely.

T3 and IIOP are the protocols WebLogic uses to exchange data with other Java programs. A default WebLogic installation enables the administration console and listens for T3 on the server port, and IIOP, which exposes remote objects as Java interfaces, is enabled by default as well.

(more…)
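Since the alert's main practical point is that T3 is exposed by default, the Python probe below, added here as an example and not taken from the NSFOCUS alert or from Oracle, performs the plaintext T3 hello handshake that public scanners (for instance nmap's weblogic-t3-info script) use and reads the server's HELO line to tell whether a listen port still speaks T3. The handshake text, the default port 7001 and the sample reply are assumptions for the example; the reply bytes are constructed, not captured from a real server.

```python
"""Probe a WebLogic listen port for the T3 protocol via the plaintext T3 hello."""
import re
import socket

# Client side of the handshake: protocol tag, version, and AS/HL/MS parameters (assumed values).
T3_HELLO = b"t3 12.2.1\nAS:255\nHL:19\nMS:10000000\n\n"

# A server that accepts T3 answers with HELO:<version>.<true|false> followed by its own parameters.
HELO_RE = re.compile(rb"^HELO:(?P<version>[0-9]+(?:\.[0-9]+)*)\.(?P<flag>true|false)", re.M)


def parse_t3_response(data):
    """Interpret the reply to T3_HELLO. An empty reply, an HTTP error or any other banner
    means T3 was filtered, disabled or the port is not WebLogic at all."""
    m = HELO_RE.search(data)
    if not m:
        return {"t3_enabled": False, "version": None}
    return {"t3_enabled": True, "version": m.group("version").decode()}


def probe_t3(host, port=7001, timeout=5.0):
    """Send the T3 hello to host:port and classify the first reply (network access required)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(T3_HELLO)
        try:
            data = s.recv(1024)
        except socket.timeout:
            data = b""
    return parse_t3_response(data)


# Constructed replies for offline use; the version string is illustrative.
SAMPLE_HELO = b"HELO:12.2.1.3.0.false\nAS:2048\nHL:19\nMS:10000000\n\n"
SAMPLE_FILTERED = b""
SAMPLE_HTTP = b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe_t3(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 7001))
    else:
        for reply in (SAMPLE_HELO, SAMPLE_FILTERED, SAMPLE_HTTP):
            print(parse_t3_response(reply))
```

A port that answers with a HELO line still accepts T3 from whoever can reach it. Beyond applying the July 2020 CPU, WebLogic's documented way to close this exposure is a network connection filter (weblogic.security.net.ConnectionFilterImpl) with rules that deny the t3, t3s and iiop protocols from untrusted address ranges; the probe is a quick way to confirm such a filter is actually in effect from the outside.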
