Article from DDOS, 2021-10-12 20:01

Hong Kong DDoS-protected CDN_DDoS-protected server rental_how to solve


Scanner for "BlueKeep" vulnerability and newly minted exploits for Exim and Jira incorporated into cryptocurrency mining malware.

Background

On July 24, researchers at Intezer published a blog about a new variant of the WatchBog malware. WatchBog is a "cryptocurrency mining botnet" that deploys a Monero (XMR) miner on infected systems. WatchBog was previously identified by AlibabaCloud in May 2019, but there are some indications that it has been around since at least November 2018 based on a blog post from Sudhakar Bellamkonda.

Analysis

Most notable in the new variant of WatchBog is a scanning module for BlueKeep (CVE-2019-0708), a critical remote code execution vulnerability in Microsoft's Remote Desktop Service that was patched in May 2019, which included fixes for out-of-support versions of Windows. The scanner module appears to be a port of a proof-of-concept scanner published to GitHub nearly two months ago. However, the module variant described in the Intezer blog doesn't contain any exploit code.

Nearly 80 days after the announcement of BlueKeep, threats of exploitation remain.

According to the researchers, WatchBog will scan a predefined list of IP addresses fetched from a command-and-control (C2) server to identify vulnerable Windows systems. The researchers surmise that the inclusion of such a module is to prepare for future attacks once exploit code does become public, or to sell the data on vulnerable systems to a third party.

In its latest iteration, WatchBog has incorporated new exploits in what is referred to as its "pwn" modules.
These exploits are for two recently disclosed vulnerabilities:

- CVE-2019-10149 is a critical remote command execution vulnerability in Exim, the widely used mail transfer agent (MTA), that was revealed in June 2019
- CVE-2019-11581 is a critical template injection vulnerability in Atlassian Jira Server and Jira Data Center that was patched earlier this month on July 10

These two vulnerabilities join three other exploits in WatchBog's "pwn" modules, as well as two bruteforcing modules targeting databases. The following is the list of exploits, scanners and bruteforcing modules incorporated into WatchBog:

| CVE | Affected Product | Patched | Type | Privileges |
|---|---|---|---|---|
| CVE-2018-1000861 | Jenkins | Dec 2018 | Exploit | Unauthenticated |
| CVE-2019-7238 | Nexus Repository Manager 3 | Feb 2019 | Exploit | Unauthenticated |
| CVE-2019-0192 | Apache Solr | Mar 2019 | Exploit | Unauthenticated |
| CVE-2019-10149 | Exim | Jun 2019 | Exploit | Unauthenticated |
| CVE-2019-11581 | Atlassian Jira Server and Data Center | Jul 2019 | Exploit | Both |
| CVE-2019-0708 | Microsoft Remote Desktop Services | May 2019 | Scanner | Unauthenticated |
| N/A | CouchDB | N/A | Bruteforce | N/A |
| N/A | Redis | N/A | Bruteforce | N/A |

Proof of concept

There are proofs-of-concept (PoCs) available for all of the vulnerabilities used by WatchBog.

| CVE | Affected Product | Proof of Concept Source |
|---|---|---|
| CVE-2018-1000861 | Jenkins | Blog |
| CVE-2019-7238 | Nexus Repository Manager 3 | GitHub |
| CVE-2019-0192 | Apache Solr | GitHub |
| CVE-2019-10149 | Exim | GitHub |
| CVE-2019-11581 | Atlassian Jira Server and Data Center | GitHub |
| CVE-2019-0708 | Microsoft Remote Desktop Services | GitHub |

Solution

For Windows users, applying the patch to address BlueKeep is paramount. The inclusion of the BlueKeep scanner is worrisome enough, but the lingering possibility that exploit code may soon become public underscores the sheer importance of patching against it. This is highlighted by a recent report that there are over 800,000 systems vulnerable to BlueKeep that are still internet accessible.
All of the vulnerabilities leveraged by WatchBog have been patched over the last eight months. Users running Jenkins, Nexus Repository Manager 3, Apache Solr, Exim, Atlassian Jira Server and Data Center should apply the available patches as soon as possible. If you have CouchDB or Redis servers in your environment, it is important to ensure that they're not exposed publicly, but if they are, use strong and unique passwords and review the CouchDB and Redis security guides.

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities can be found here:

- CVE-2018-1000861
- CVE-2019-0192
- CVE-2019-7238
- CVE-2019-10149
- CVE-2019-11581

Additionally, customers can utilize custom YARA rules as well as the file scanning feature on Tenable.io and Nessus to scan for hashes associated with WatchBog on Linux hosts. The following Linux malicious file detection and YARA plugins are available to customers:

- Linux Malicious File Detection
- Linux Malicious File Detection: User Defined Malware
- YARA File Scan (Linux)

Intezer provided three SHA-256 sample hashes that can be used in a list of known bad hashes:

- b17829d758e8689143456240ebd79b420f963722707246f5dc9b085a411f7b5e
- 26ebeac4492616baf977903bb8deb7803bd5a22d8a005f02398c188b0375dfa4
- cdf11a1fa7e551fe6be1f170ba9dedee80401396adf7e39ccde5df635c1117a9

In the user interface, customers can provide a list of known bad hashes. There are some advanced options that customers can use to scan $PATH locations, /home as well as custom directories.

[Figure: example scan result for known bad hashes for WatchBog]

Additionally, Intezer provided a custom YARA rule that can be used to identify unknown or newly discovered WatchBog samples.

[Figure: example scan output for the YARA file scanning plugin]
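The known-bad-hash check described above can also be run directly on a Linux host. The following Python script is an added example, not part of the original article and not Tenable's or Intezer's tooling; it compares regular files under $PATH, /home and optional custom directories against the three SHA-256 hashes quoted above. The function names and the 256 MiB size limit are assumptions made for this example.

```python
import hashlib
import os
import stat

# SHA-256 hashes of WatchBog samples quoted in the article (source: Intezer).
WATCHBOG_SHA256 = {
    "b17829d758e8689143456240ebd79b420f963722707246f5dc9b085a411f7b5e",
    "26ebeac4492616baf977903bb8deb7803bd5a22d8a005f02398c188b0375dfa4",
    "cdf11a1fa7e551fe6be1f170ba9dedee80401396adf7e39ccde5df635c1117a9",
}

def sha256_file(path, chunk=1 << 20):
    """Stream the file through SHA-256 so large binaries are never fully in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def default_roots(extra=()):
    """$PATH entries, /home and any custom directories, de-duplicated, existing only."""
    candidates = os.environ.get("PATH", "").split(os.pathsep) + ["/home", *extra]
    real = (os.path.realpath(c) for c in candidates if c)
    return list(dict.fromkeys(r for r in real if os.path.isdir(r)))

def scan(roots, bad_hashes=WATCHBOG_SHA256, max_bytes=256 * 1024 * 1024):
    """Hash regular files only (no symlinks, FIFOs, devices); return (hits, errors)."""
    bad = {h.lower() for h in bad_hashes}
    hits, errors = [], []
    for root in roots:
        walker = os.walk(root, onerror=lambda e: errors.append((e.filename, str(e))))
        for dirpath, _dirs, files in walker:
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                    if not stat.S_ISREG(st.st_mode) or st.st_size > max_bytes:
                        continue
                    digest = sha256_file(path)
                except OSError as exc:  # unreadable, or removed while scanning
                    errors.append((path, str(exc)))
                    continue
                if digest in bad:
                    hits.append((path, digest))
    return hits, errors

if __name__ == "__main__":
    for path, digest in scan(default_roots())[0]:
        print(f"MATCH {digest} {path}")
```

Paths the scanning user cannot read are returned in the errors list rather than silently skipped, so an incomplete scan is visible. Hash matching only finds the exact known samples, which is why the article pairs it with a YARA rule for new variants.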
Get more information

- Watching the WatchBog: New BlueKeep Scanner and Linux Exploits
- Return of Watchbog: Exploiting Jenkins CVE-2018-1000861
- Blocking Watchbog Malware/Ransomware with IPTables on Linux

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 60-day trial of Tenable.io Vulnerability Management.
