分类Threat Intelligence下的文章

heliosteam 发布于 07月26, 2018

Donot APT组织-针对巴基斯坦最新攻击活动分析

背景

Donot APT组织是一个长期针对南亚地区(主要是巴基斯坦)实施网络间谍活动的APT组织,2017年6月,360威胁情报中心首次发现和曝光了该团伙针对巴基斯坦的定向攻击活动,并详细分析了该组织使用的EHDevel恶意代码框架。2018年3月,国外安全团队ASERT继续披露了该组织新的恶意代码框架yty,并根据PDB路径中的机器用户名将该组织命名为Donot。 Donot APT组织主要针对巴基斯坦等南亚地区国家进行网络间谍活动,该组织主要针对政府机构等领域进行攻击,其中以窃取敏感信息为主。从2017年至今,该组织针对巴基斯坦至少发动了4波攻击攻击行动,攻击过程主要是以携带Office漏洞或者恶意宏的鱼叉邮件进行恶意代码的传播,并先后使用了两套独有的恶意代码框架:EHDevel和yty。 自第一次发现该组织的攻击活动以来,360威胁情报中心对该组织一直保持着持续跟踪,近期我们再次跟踪到该团伙利用较新的Office Nday漏洞发起的新的攻击活动,并对攻击中使用的yty框架最新的恶意代码进行了详细分析。

阅读全文 »

heliosteam 发布于 06月07, 2018

CVE-2018-5002 - Analysis of the Second Wave of Flash Zero-day Exploit in 2018

Background

On June 1, 2018, the Advanced Threat Response Team of 360 Core Security discovered an attack using a new Flash 0-day vulnerability on a global scale. The hackers carefully constructed an Office document that remotely loaded Flash vulnerability. When the document was opened, all the exploit code and malicious payload were delivered through remote servers. This attack mainly targets the Middle East. This vulnerability is the second Flash 0-day vulnerability discovered in 2018 and is currently affecting Adobe Flash Player 29.0.0.171 and below versions.

阅读全文 »

heliosteam 发布于 06月07, 2018

CVE-2018-5002---2018年第二波Flash零日漏洞在野攻击分析预警

背景

2018年6月1日,360核心安全高级威胁应对团队在全球范围内率先捕获了新的一起使用Flash 零日漏洞(CVE-2018-5002)的在野攻击,黑客精心构造了一个从远程加载Flash漏洞的Office文档,打开文档后所有的漏洞利用代码和恶意荷载均通过远程的服务器下发,此次攻击主要针对中东地区。该漏洞目前影响Adobe Flash Player 29.0.0.171及其以下版本,是今年出现的第二波Flash零日漏洞在野攻击。

阅读全文 »

admin001 发布于 05月29, 2018

EOS节点远程代码执行漏洞 --- EOS智能合约WASM函数表数组越界

漏洞报告者

Yuki Chen of Qihoo 360 Vulcan Team Zhiniang Peng of Qihoo 360 Core Security

漏洞描述

我们发现了EOS区块链系统在解析智能合约WASM文件时的一个越界写缓冲区溢出漏洞,并验证了该漏洞的完整攻击链。 使用该漏洞,攻击者可以上传恶意的智能合约至节点服务器,在节点服务器解析恶意合约后,攻击者就能够在节点服务器上执行任意代码并完全控制服务器。 在控制节点服务器后,攻击者可以将恶意合约打包进新的区块,进而攻击和控制其他新的节点,最终攻击和控制整个EOS网络。

阅读全文 »

admin001 发布于 05月29, 2018

EOS Node Remote Code Execution Vulnerability --- EOS WASM Contract Function Table Array Out of Bounds

Vulnerability Credit

Yuki Chen of Qihoo 360 Vulcan Team Zhiniang Peng of Qihoo 360 Core Security

Vulnerability Description

We found and successfully exploit a buffer out-of-bounds write vulnerability in EOS when parsing a WASM file. To use this vulnerability, attacker could upload a malicious smart contract to the nodes server, after the contract get parsed by nodes server, the malicious payload could execute on the server and taken control of it. After taken control of the nodes server, attacker could then pack the malicious contract into new block and further control all nodes of the EOS network.

阅读全文 »

heliosteam 发布于 05月09, 2018

APT-C-06组织在全球范围内首例使用“双杀”0day漏洞(CVE-2018-8174)发起的APT攻击分析及溯源

第一章 概述

日前,360核心安全事业部高级威胁应对团队在全球范围内率先监控到了一例使用0day漏洞的APT攻击,捕获到了全球首例利用浏览器0day漏洞的新型Office文档攻击,我们将该漏洞命名为“双杀”漏洞。该漏洞影响最新版本的IE浏览器及使用了IE内核的应用程序。用户在浏览网页或打开Office文档时都可能中招,最终被黑客植入后门木马完全控制电脑。对此,我们及时向微软分享了该0day漏洞的相关细节,并第一时间对该APT攻击进行了分析和追踪溯源,确认其与APT-C-06组织存在关联。 2018年4月18日,在监控发现该攻击活动后,360核心安全事业部高级威胁应对团队在当天就与微软积极沟通,将相关细节信息提交到微软。微软在4月20日早上确认此漏洞,并于5月8号发布了官方安全补丁,对该0day漏洞进行了修复,并将其命名为CVE-2018-8174。在漏洞得到妥善解决后,我们于5月9日发布本篇报告,对攻击活动和0day漏洞进一步的技术披露。

阅读全文 »

heliosteam 发布于 05月09, 2018

Analysis of CVE-2018-8174 VBScript 0day and APT actor related to Office targeted attack

I Overview

Recently, the Advanced Threat Response Team of 360 Core Security Division detected an APT attack exploiting a 0-day vulnerability and captured the world’s first Office malicious sample that uses a browser 0-day vulnerability. We code named the vulnerability as "double kill” exploit. This vulnerability affects the latest version of Internet Explorer and applications that use the IE kernel. When users browse the web or open Office documents, they are likely to be potential targets. Eventually the hackers will implant backdoor Trojan to completely control the computer. In response, we shared with Microsoft the relevant details of the 0day vulnerability in a timely manner. This APT attack was analyzed and attributed upon the detection and we now confirmed its association with the APT-C-06 Group. On April 18, 2018, as soon as 360 Core Security detected the malicious activity, we contacted Microsoft without any delay and submitted relevant details to Microsoft. Microsoft confirmed this vulnerability on the morning of April 20th and released an official security patch on May 8th. Microsoft has fixed the vulnerability and named it CVE-2018-8174. After the vulnerability was properly resolved, we published this report on May 9th, along with further technical disclosure of the attack and the 0day.

阅读全文 »

heliosteam 发布于 10月11, 2017

最新Office 0day漏洞(CVE-2017-11826)在野攻击通告

2017年9月28日,360核心安全事业部高级威胁应对团队捕获了一个利用Office 0day漏洞(CVE-2017-11826)的在野攻击。该漏洞几乎影响微软目前所支持的所有office版本,在野攻击只针对特定的office版本。攻击者以在rtf文档中嵌入了恶意docx内容的形式进行攻击。通过对攻击样本的C&C进行追踪溯源分析,我们发现攻击者从8月中旬开始筹备攻击,在9月底真正发动攻击,...

阅读全文 »

heliosteam 发布于 10月11, 2017

New Office 0day (CVE-2017-11826) Exploited in the Wild

On September 28, 2017, Qihoo 360 Core Security (@360CoreSec) detected an in-the-wild attack that leveraged CVE-2017-11826, an office 0day vulnerability. This vulnerability exists in all the supported office versions. The attack only targeted limited customers. The attacker embedded malicious .docx in the RTF files. Through reversing analysis of the sample C&C, we found that the attack was initiated in August and the launch date of the attack can be dated back to September. It was in this time window that the vulnerability has been exploited as a 0day. Qihoo 360 Core Security has been the first security vendor to share the details of the vulnerability and coordinated with Microsoft to disclose the news, as well as a timely patch to resolve the Office 0day vulnerability within a week. The latest versions of 360 security products could detect and prevent exploitation of this vulnerability and are available for download. In the meanwhile, we also highly suggest users to update Microsoft Patch in time.

阅读全文 »