分类Vulnerability Analysis下的文章

admin001 发布于 09月21, 2018

Poison Ivy Group and the Cyberespionage Campaign Against Chinese Military and Goverment

Chapter 1 Overview

1. Main Findings

Through research, 360 Helios Team has found that, since 2007, the Poison Ivy Group has carried out 11 years of cyber espionage campaigns against Chinese key units and departments, such as national defense, government, science and technology, education and maritime agencies. The group mainly targets military industry, Sino-US relations, cross-strait relations and ocean-related fields. It indicates that the group’s interest is similar to that of our previously published OceanLotus APT Group.

360 Helios Team captured the first Trojan of the Poison Ivy Group in December 2007. In the following 11 years, we have captured 13 versions of malicious code, involving 73 samples. In the initial attack, the Group mainly used spear phishing emails. Before the attack, the target was deeply investigated and carefully selected. Contents that are closely related to the target industry or field were used to construct the bait files and emails, such as specific conference materials, researches or announcements. The lure documents contain 10 vulnerable document samples, including a 0day vulnerability. Infections of this Trojan are distributed in 31 provincial-level administrative regions. The number of C&C domain names is 59 located in 4 different countries or regions according to the returned addresses.

In this cyber espionage campaign that lasted for 11 years in China, the following points in time are worthy of attention:

  • In December 2007, the Trojan associated with the group was first discovered. Involving marine related fields (suspected to be related to a large shipping company)
  • In March 2008, a key laboratory (a scientific research institution) of a university in China was attacked
  • In February 2009, attacks against the military industry began (a well-known military journal magazine)
  • In October 2009, the Trojan added a special method of combating static scanning (API string reverse order), and the methods were used in most versions of Trojans and continued to be applied to 2018.
  • In December 2011, the Trojan added a special method to combat dynamic detection (error API parameters), and related methods were used in most versions of Trojans and continued to be applied to 2015.
  • In February 2012, the first modified version of backdoor 1 based on zxshell code was discovered. The key function is to steal document files such as .doc.ppt.xls.wps.
  • In March 2013, intense attacks were constructed targeting Chinese Academy of Sciences and a number of national ministries and commissions in the fields of science and technology, maritime affairs, etc.
  • In October 2013, carried out watering hole attack on a Chinese government website
  • In May 2014, the revolted version 2 of zxshell modified version of Backdoor 1 was discovered. In addition to the function based on the modified version 1, the search for keywords such as "military (军)", "aviation (航)", and "report (报告)" was added.
  • On September 12, 2014, events and samples related to CVE-2014-4114 (0day vulnerability) were first discovered.
  • On October 14, 2014, iSIGHT released the relevant report and disclosed CVE-2014-4114 (0day vulnerability). On the same day, Microsoft released relevant security bulletins.
  • On February 25, 2015, an attack on a military industry association (national defense technology) and the Chinese Academy of Engineering was detected. Kanbox (酷盘) samples were discovered.
  • In October 2017, the CVE-2017-8759 vulnerability document was used to initiate a spear phishing attack on a large media agency website and an individual working in Quanzhou.
  • In April 2018, the 360 Threat Intelligence Center disclosed the attack malicious code of the group, exploring CVE-2017-8759.
  • In May 2018, the actor launched attacks against several maritime organizations such as shipbuilding companies and port operating companies.

Note: The above first attack time is based on the existing statistics we have. It does not mean that we have known all the attacks and behaviors of the organization.

2. About the Codename of the Group

Since 2015, APT researches in China has gradually started and accelerated. Following the exposure of APT organizations such as “OceanLotus” and “LanBao Mushroom”, the Poison Ivy Group (APT-C-01) is another APT organization that launches persistent attacks targeting government, military, and maritime organizations and stealing sensitive information.

This cyberespionages group was independently discovered by 360 and was first disclosed previously with part of the information. The code-naming is in line with 360’s naming standard for APT organizations.

360 Threat Intelligence Center named the APT-C-01 organization "Poison Ivy", mainly considering the following factors: First, the organization used Poison Ivy Trojans in several attacks. Second, the attack organization used the Cloud disk as a springboard to transmit information. This is similar to the feature of vines that can climb across the wall. According to the 360 Threat Intelligence Center's naming rules for APT organizations (see the report: China APT Annual Report 2016). Considering the common vine plants in the associated areas of the Group, APT-C-01 is named "Poison Ivy".

In addition, Antiy Lab revealed the APT organization "Green Spot" on September 19, 2018. According to the mutual recognition agreement between 360 Threat Intelligence Center and Antiy Lab, the “Poison Ivy” (APT-C-01) and “Green Spot” are different names for the same group. Therefore, we have also announced our discovery.  

Chapter 2 Purposes and Victims

1. Purposes

The main purpose of the attacks is to steal data from the Chinese government and scientific research institutions, which are mainly documents. The following keywords and extension are what the actor searched for :

  • Key words:

阅读全文 »

admin001 发布于 08月17, 2018

NEO Smart Contract Platform Runtime_Serialize Calls DoS

Zhiniang Peng from Qihoo 360 Core Security

NEO is a non-profit, community-based blockchain project. It is a distributed network that uses blockchain technology and digital identity for asset digitization. It is also an intelligent management of digital assets using intelligent contracts to create “Smart Economy”. At present, NEO’s market capitalization ranks fifteenth in the world in coinmarket, being one of the remarkable blockchain projects. We found a Denial of Service vulnerability in the NEO smart contract platform which attacker could use to instantly crash the entire neo network.

阅读全文 »

admin001 发布于 08月16, 2018

NEO智能合约平台Runtime_Serialize调用拒绝服务漏洞

Zhiniang Peng from Qihoo 360 Core Security

NEO是一个非盈利的社区化的区块链项目。它是利用区块链技术和数字身份进行资产数字化,利用智能合约对数字资产进行自动化管理,实现“智能经济”的一种分布式网络。目前Neo市值在coinmarket上排名全球第十五,是备受关注的区块链项目之一。我们在neo智能合约平台中发现一处拒绝服务漏洞,攻击者可利用该漏洞在瞬间使得整个neo网络崩溃。

阅读全文 »

admin001 发布于 08月08, 2018

EOS官方API中Asset结构体的乘法运算溢出漏洞描述

古河@360 Vulcan Team

综述

asset是EOS官方头文件中提供的用来代表货币资产(如官方货币EOS或自己发布的其它货币单位)的一个结构体。在使用asset进行乘法运算(operator *=)时,由于官方代码的bug,导致其中的溢出检测无效化。造成的结果是,如果开发者在智能合约中使用了asset乘法运算,则存在发生溢出的风险。

阅读全文 »

admin001 发布于 08月08, 2018

EOS Asset Multiplication Integer Overflow Vulnerability

Yuki Chen of Qihoo 360 Vulcan Team

Description

The asset structure is defined in EOS’s system header file, it can be used to define the amount of some tokens (such as the official EOS token or some custom tokens defined by user). Recently we discovered a bug in asset’s multiplication operator(operator *=) which makes the integer overflow check in the function to have no effect. If a developer uses asset multiplication in his EOS smart contract, he may need to face the risk of integer overflow.

阅读全文 »

heliosteam 发布于 06月07, 2018

CVE-2018-5002 - Analysis of the Second Wave of Flash Zero-day Exploit in 2018

Background

On June 1, 2018, the Advanced Threat Response Team of 360 Core Security discovered an attack using a new Flash 0-day vulnerability on a global scale. The hackers carefully constructed an Office document that remotely loaded Flash vulnerability. When the document was opened, all the exploit code and malicious payload were delivered through remote servers. This attack mainly targets the Middle East. This vulnerability is the second Flash 0-day vulnerability discovered in 2018 and is currently affecting Adobe Flash Player 29.0.0.171 and below versions.

阅读全文 »