WebSphere XML External Entity Injection Vulnerability (CVE-2020-4643) Handling Guide
outubro 14, 2020
Vulnerability Description
Recently, IBM released a security bulletin to announce the fix of an XML external entity injection (XXE) vulnerability (CVE-2020-4643) on WebSphere Application Server (WAS). Since WAS fails to properly process XML data, a remote attacker could exploit this vulnerability to obtain sensitive information on the server.
The NSFOCUS security research team reported CVE-2020-4643 to IBM. CVE-2020-4643 can be used in combination with CVE-2020-4450 to trigger an XXE vulnerability that requires no authentication to exploit, thereby causing the disclosure of sensitive server information. The vulnerability is comparatively easy to exploit and involves high risks. Affected users should take preventive measures as soon as possible.
(mais…)Intelligent Threat Analytics: Graph Data Structuring
outubro 13, 2020
The artificial intelligence (AI) technology based on deep neural networks has made breakthroughs in a wide range of fields, but only seen limited adoption in cybersecurity. At present, it is impractical to expect a hierarchical neural network to implement threat identification, association, and response from end to end. According to Zhou Tao, an algorithm expert, AI can hardly play its role in threat detection for the following reasons:
- Machine learning is good at detecting behavior of normal patterns, but intrusion is a type of behavior deviating from the normal.
- Possession of big data is not equivalent to control of large quantities of labeled data. Unsupervised learning delivers inaccurate data.
- Threat detection is an open-ended issue as the loss function is very difficult to define.
- There is a permanent pursuit of accountable results.
Zhou’s explanations touch upon the model, data, and usage scenarios, providing a penetrating insight into why machine learning, especially deep learning, cannot fit in well with security modeling. However, deep learning and machine learning are not all AI is about. In cyberspace, deep learning and machine learning, when used with intelligent threat analytics platforms with capabilities of anomaly awareness, event inference, and threat response, can serve as normal data processing tools rather than core capabilities.
(mais…)Botnet Trend Report 2019-14
outubro 12, 2020
New Trends of APT Groups
Here are three trends that shaped APT groups in 2019:
Firstly, mobile devices became common constituents of the attack surface. In 2019, MuddyWater developed malicious files against Android platforms, heading towards mobile devices. Google’s Project Zero team revealed five exploit chains deployed in the wild to attack iOS systems and noted that these exploit chains, relying on 0-day vulnerabilities, could be easily used by APT groups to target multiple iOS versions.
(mais…)IBM Spectrum Protect Plus Directory Traversal and Arbitrary Code Execution Vulnerabilities (CVE-2020-4711, CVE-2020-4703) Threat Alert
outubro 9, 2020
Vulnerability Description
On September 15, 2020, NSFOCUS detected that IBM released a security bulletin, which fixed directory traversal and arbitrary code execution vulnerabilities (CVE-2020-4711, CVE-2020-4703) in IBM Spectrum Protect Plus Administrative Console. The directory traversal vulnerability (CVE-2020-4711) exists in a script (/opt/ECX/tools/scripts/restore_wrapper.sh) within Spectrum Protect Plus. An unauthenticated attacker could send a crafted HTTP request to view arbitrary files on the system. CVE-2020-4703 allows an authenticated attack to upload arbitrary files, which could then be used to execute arbitrary code on the vulnerable server. This vulnerability is due to an incomplete fix for CVE-2020-4470. Currently, the proof of concept (PoC) of this vulnerability has been made publicly available. Relevant users are advised to take protective measures as soon as possible.
IBM Spectrum Protect Plus is a data protection and availability solution for virtual environments. It can be implemented as an independent solution or environmentally integrated into IBM Spectrum Protect, thereby offloading copies for long-term storage and data governance efficiently at scale.
(mais…)DHDiscover reflection attacks can magnify nearly 200 times of the attack 2
outubro 8, 2020
DHDiscover reflection attack analysis
In this chapter, we’ll demonstrate the threat status quo of DHDiscover reflection attack after referring to log data captured by the NSFOCUS Threat Capture System[AZ1] from June 1, 2020 to August 18, 2020 at the port 37810.
We analyzed the number of logs at the port 37810 as shown in the figure. It can be seen from the figure that the attacks increased in an upward trend from early June to early August, and then decreased in mid-August, with the maximum number of packets captured by a single honeypot reaching 900,000 in a single day.
Figure 1.1 DHDiscover[AZ3] server accessing trend
We also have counted the payload in the log data received at the port 37810. And out of the concern not to spread the attack messages, we have named them here according to the length of the messages. As we can tell in Figure 1.1, the more common payloads used by attackers are 4 bytes and 62 bytes in length, between which the 62-byte payload also has been mentioned in an article written by Tencent.
(mais…)GovWare 2020
outubro 7, 2020
GovWare Virtual Conference and Exhibition October 7-8, 2020 Virtual Event
Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2020-16875) Handling Guide
outubro 7, 2020
Vulnerability Description
Recently, NSFOCUS detected that security personnel disclosed the procedure for exploiting the Microsoft Exchange Server remote code execution vulnerability (CVE-2020-16875) online. The vulnerability was made public by Microsoft in its September 2020 Security Updates. A remote code execution vulnerability exists in the way that Microsoft Exchange Server handles objects in memory. The prerequisite for successfully exploiting the vulnerability is to have user rights that can be authenticated as an Exchange role. An attacker could trigger the vulnerability by sending an email that contains special cmdlet arguments to the affected Exchange server. An attacker who successfully exploited the vulnerability could execute arbitrary code with system privileges on the affected system. Users should take preventive measures as soon as possible.
(mais…)
Botnet Trend Report 2019-13
outubro 5, 2020
Mirai
At present, Mirai is among the biggest IoT botnet families which have the most variants and infect the most devices to impose the most extensive impact. In 2019, NSFOCUS Security Labs captured 10,635 Mirai samples in total (excluding the repetitive malware arising from cross compilation), identified 1660 C&C addresses, and detected more than 40 exploits.
(mais…)DHDiscover reflection attacks can magnify nearly 200 times of the attack 1
outubro 4, 2020
1. Abstract
In March 2020, Tencent published an article about a DVR being used for reflection attacks. Service port of this DVR is 37810, we named it DHDiscover service as there was DHDiscover shown in it. In the reflection attacks captured by Tencent, the scale of attack traffic exceeded 50G, and the reflection source regions were concentrated in many countries and regions in America, Asia, and Europe, with South Korea and Brazil being the hardest hit areas. Based on the network-wide surveying and mapping data of NSFOCUS Threat Intelligence (NTI) and the captured data of NSFOCUS Threat Capture System, this article provides analisys on its network-wide exposure, reflection attack trends, attack methods commonly used by attackers, and reflection attack bandwidth amplification factors.
(mais…)