Donot APT组织是一个长期针对南亚地区(主要是巴基斯坦)实施网络间谍活动的APT组织,2017年6月,360威胁情报中心首次发现和曝光了该团伙针对巴基斯坦的定向攻击活动,并详细分析了该组织使用的EHDevel恶意代码框架。2018年3月,国外安全团队ASERT继续披露了该组织新的恶意代码框架yty,并根据PDB路径中的机器用户名将该组织命名为Donot。 Donot APT组织主要针对巴基斯坦等南亚地区国家进行网络间谍活动,该组织主要针对政府机构等领域进行攻击,其中以窃取敏感信息为主。从2017年至今,该组织针对巴基斯坦至少发动了4波攻击攻击行动,攻击过程主要是以携带Office漏洞或者恶意宏的鱼叉邮件进行恶意代码的传播,并先后使用了两套独有的恶意代码框架:EHDevel和yty。 自第一次发现该组织的攻击活动以来,360威胁情报中心对该组织一直保持着持续跟踪,近期我们再次跟踪到该团伙利用较新的Office Nday漏洞发起的新的攻击活动,并对攻击中使用的yty框架最新的恶意代码进行了详细分析。
In May 2018, the Advanced Threat Response Team of 360 Core Security Division detected an APT attack exploiting a 0-day vulnerability and captured the world’s first malicious office sample that uses a browser 0-day vulnerability. The sample exploited a use-after-free vulnerability in the VBScript engine which was fixed by Microsoft as CVE-2018-8174 in May 2018 security update, the detailed analysis of the bug could be found at: http://blogs.360.cn/blog/cve-2018-8174-en/ After analyzing the patch for CVE-2018-8174 carefully, we realized that the fix was not so complete and there still exists similar problems which could be leveraged to achieve reliable remote code execution in VBScript engine. We reported the issues we found to Microsoft immediately and Microsoft addressed them with a new fix (CVE-2018-8242) in July 2018 security update. In this blog, we will introduce the details of the new exploitable issues with CVE-2018-8174 patch we found. We will also discuss how we exploit the new bug we found and get reliable remote code execution in an upcoming blog (part II).
360烽火实验室
随着信息技术的发展,移动存储介质由于其具有体积小、容量大的特点,作为信息交换的一种便捷介质,如今已经得到广泛应用,在个人、政府和企业中经常被使用。但也因此而来一直存在着持续的各种安全攻击问题,每当出现一种新型的移动存储介质,之后总会有一系列随之而来的攻击事件发生,举例历史两个“著名”的攻击事件:
Zhou Aiting(@zhouat1) of Qihoo 360 Vulcan Team
CVE:CVE-2018-6120
Affected versions:Chrome Version < 66.0.3359.170
关键词:蓝宝菇、核危机、APT
On June 1, 2018, the Advanced Threat Response Team of 360 Core Security discovered an attack using a new Flash 0-day vulnerability on a global scale. The hackers carefully constructed an Office document that remotely loaded Flash vulnerability. When the document was opened, all the exploit code and malicious payload were delivered through remote servers. This attack mainly targets the Middle East. This vulnerability is the second Flash 0-day vulnerability discovered in 2018 and is currently affecting Adobe Flash Player 29.0.0.171 and below versions.
2018年6月1日,360核心安全高级威胁应对团队在全球范围内率先捕获了新的一起使用Flash 零日漏洞(CVE-2018-5002)的在野攻击,黑客精心构造了一个从远程加载Flash漏洞的Office文档,打开文档后所有的漏洞利用代码和恶意荷载均通过远程的服务器下发,此次攻击主要针对中东地区。该漏洞目前影响Adobe Flash Player 29.0.0.171及其以下版本,是今年出现的第二波Flash零日漏洞在野攻击。
Yuki Chen of Qihoo 360 Vulcan Team Zhiniang Peng of Qihoo 360 Core Security
我们发现了EOS区块链系统在解析智能合约WASM文件时的一个越界写缓冲区溢出漏洞,并验证了该漏洞的完整攻击链。 使用该漏洞,攻击者可以上传恶意的智能合约至节点服务器,在节点服务器解析恶意合约后,攻击者就能够在节点服务器上执行任意代码并完全控制服务器。 在控制节点服务器后,攻击者可以将恶意合约打包进新的区块,进而攻击和控制其他新的节点,最终攻击和控制整个EOS网络。
Yuki Chen of Qihoo 360 Vulcan Team Zhiniang Peng of Qihoo 360 Core Security
We found and successfully exploit a buffer out-of-bounds write vulnerability in EOS when parsing a WASM file. To use this vulnerability, attacker could upload a malicious smart contract to the nodes server, after the contract get parsed by nodes server, the malicious payload could execute on the server and taken control of it. After taken control of the nodes server, attacker could then pack the malicious contract into new block and further control all nodes of the EOS network.
