Petya Variant Sample Technical Analysis

On the evening of June 27, 2017, multiple enterprises were attacked by ransomware, hence service interruption was caused. The first infections were identified in Ukraine. Since then, it has spread to many countries, including Brazil, Germany, Russia, and the US. This event had such an extensive and significant impact that technical support personnel of NSFOCUS paid close attention to it, and captured and analyzed the sample immediately.

Analysis on Exposed IoT Assets in China

With the maturity of sensing, computing, and communication technologies, the Internet of Things (IoT) will be more and more widely used in various industries. Gartner, a market research agency, predicts that endpoints of the IoT will grow at a 33% CAGR from 2015 through 2020, reaching an installed base of 20.4 billion units, with almost two-thirds of them consumer applications. Spending on networked consumer and business endpoints will displace non-networked, growing at a 20% CAGR to $2.9 trillion.

Analysis Report on the WannaCry Sample

The sample exploits the ETERNALBLUE SMB vulnerability or DOUBLEPULSAR backdoor for propagation and infection of the ransomware. The sample first connects to the domain name http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com, to test network connectivity. If the network is reachable, the sample exits; otherwise, the sample carries out subsequent behaviors. Therefore, a reachable domain name can be registered to stop further attacks.

Microsoft Windows Server 2003 R2 IIS 6.0 Remote Code Execution Technical Analysis and Solution

On March 37, Zhiniang Peng and Chen Wu disclosed the Internet Information Services (IIS) 6.0 WebDAV remote code execution vulnerability, which has been assigned CVE-2017-7269 and CNNVD-201703-1151. This vulnerability, which could cause buffer overflows, is associated with the ScStoragePathFromUrl function in the WebDAV service in IIS 6.0 in Microsoft Windows Server 2003 R2.

Apache Struts 2 Remote Code Execution Vulnerability (S2-046) Technical Analysis and Solution

In the wee hours of March 21, Apache Struts 2 released a security bulletin, announcing a remote code execution (RCE) vulnerability in the Jakarta Multipart parser, which has been assigned CVE-2017-5638.

Dridex Banking Malware Sample Technical Analysis and Solution

IBM’s X-Force security team recently discovered an updated version of Dridex, called Dridex v4. Dridex is one of the most popular banking trojans. It was first spotted in 2014 when it was viewed as the successor of GameOver ZeuS (GoZ) because it uses GoZ-related techniques. An important improvement in Dridex v4 is that it evades detection antivirus software by introducing the AtomBoming technique for malicious code injection.

Dahua Cameras Unauthorized Access Vulnerability Technical Analysis and Solution

Recently, Dahua Technology, a well-known security camera and digital video recorder (DVR) vendor in China, released firmware updates to address a serious security issue in certain products. Before the vendor made an official statement on this issue, however, a security researcher named Bashis said that this vulnerability seemed to be a backdoor intentionally left by the vendor and so made his findings public without notifying Dahua in advance.

Apache Struts2 Remote Code Execution Vulnerability (S2-045) Technical Analysis and Solution

Apache Struts2 is prone to a remote code execution vulnerability (CNNVD-201703-152) in the Jakarta Multipart parser plug-in. When uploading a file with this plug-in, an attacker could change the value of the Content-Type header field of an HTTP request to trigger this vulnerability, causing remote code execution.

Power Outage Caused by the Cyber Attack on Ukrenergo Technical Analysis and Solution

Ukrenergo, a major energy provider in Ukraine, experienced a power failure on the night of December 17, 2016, which involved the automatic control system of the “North” substation in New Petrivtsi close to Kiev. The blackout affected the northern part of Kiev, the country’s capital, and surrounding areas.