DNS data mining case study - skidmap
As the foundation and core protocol of the Internet, the DNS protocol carries data that, to a certain extent, reflects a good deal of user behavior; thus security analysis of DNS data can cover a...
LILIN DVR/NVR in-the-wild 0-day vulnerability attack report 2
Authors: Yanlong Ma, Genshen Ye. Background: On August 26, 2020, the Anglerfish honeypot system of 360 Network Security Research Institute detected attackers using Merit LILIN DVR/NVR default passwords and a 0-day vulnerability to spread Mirai botnet samples. On September 25, 2020, after receiving the vulnerability report, the Merit LILIN contact responded quickly and provided a firmware fix (4.0.26.5618 firmware version for...
Another LILIN DVR 0-day being used to spread Mirai
Authors: Yanlong Ma, Genshen Ye. Background Information: In March, we reported[1] that multiple botnets, including Chalubo, Fbot and Moobot, were using the same 0-day vulnerability to attack LILIN DVR devices,...
DNSMon: using DNS data for threat discovery (2)
---- How DNSMon caught an impostor. Background: This article is the second in our series introducing DNSMon in the production of threat intelligence (domain name IoCs). To counter analysis by security researchers, look-alike (phishing) domains are a technique that malicious samples frequently adopt. In terms of character composition and structure, phishing domains do indeed confuse the eye, but for a system like DNSMon, which performs multi-dimensional correlation analysis, imitating the domain of a well-known company backfires: once such a domain triggers an alert, it is all the more likely to draw an analyst's attention. Starting from a group of suspected phishing domains, this case study introduces step by step DN...
Necro is going to version 3 and using PyInstaller and DGA
Overview: Necro is a classic botnet family written in Python that was first discovered in 2015. At the beginning it targeted Windows systems and was often tagged by security vendors as Python.IRCBot...
New threat: the Matryosh botnet, with cloud-configurable C2, is spreading
Copyright notice: This article is original work by Netlab, licensed under CC BY-SA 4.0; when reproducing it, please include the source link and this notice. Background...
New Threat: Matryosh Botnet Is Spreading
Background: On January 25, 2021, the 360 netlab BotMon system labeled a suspicious ELF file as Mirai, but the network traffic did not match Mirai's characteristics. This anomaly caught our attention, and...
DNSMon: using DNS data to produce threat intelligence (3)
Background: This article is the third in our series introducing DNSMon in the production of threat intelligence (domain name IoCs). As a basic core protocol of the Internet, the DNS protocol is one...
rinfo makes a comeback and is scanning and mining furiously
Copyright notice: This article is original work by Netlab, licensed under CC BY-SA 4.0; when reproducing it, please include the source link and this notice. Overview: In 2018 we disclosed a scanning & mining botnet family that uses ngrok.io to spread samples:...
Rinfo Is Making A Comeback and Is Scanning and Mining in Full Speed
Overview: In 2018 we blogged about a scanning & mining botnet family that uses ngrok.io to propagate samples: "A New Mining Botnet Blends Its C2s into ngrok Service", and since mid-October 2020, our...
The Fbot botnet is attacking smart devices in traffic and transportation
Background: Fbot is a Mirai-based botnet that has remained active, and we have disclosed it several times before[1][2]. We have seen the Fbot botnet use multiple N-day and 0-day vulnerabilities (some undisclosed) in Internet of Things devices, and now it is attacking smart devices in the Internet of Vehicles field, which is a new phenomenon....
Fbot is now riding the traffic and transportation smart devices
Background: Fbot, a botnet based on Mirai, has been very active ever since we first blogged about it here[1][2]. We have seen this botnet using multiple 0-days before (some of them we have not disclosed...
Gafgtyt_tor and Necro are on the move again
Overview: Since February 15, 2021, 360Netlab's BotMon system has continuously detected a new variant of the Gafgyt family, which uses Tor for C2 communication to hide the real C2 and encrypts sensitive...
The authors of Gafgtyt_tor and Necro upgrade their "arsenal" again
Copyright notice: This article is original work by Netlab, licensed under CC BY-SA 4.0; when reproducing it, please include the source link and this notice. Overview...
QNAP NAS in-the-wild vulnerability attack incident 2
Background: On March 2, 2021, the unknown-threat detection system of 360 Network Security Research Institute detected attackers using an unauthorized remote command execution vulnerability (CVE-2020-2506 & CVE-2020-2507) in the diagnostic program (Helpdesk) of network storage devices made by Taiwan's QNAP Systems, Inc. to obtain system root privileges and carry out malicious mining attacks. We named this mining program UnityMiner; notably, the attackers specifically targeted QNAP...
QNAP NAS users, make sure you check your system
Background: On March 2, 2021, the 360Netlab Threat Detection System started to report attacks targeting the widely used QNAP NAS devices via the unauthorized remote command execution vulnerability...
Threat alert: z0Miner is spreading widely by exploiting ElasticSearch and Jenkins vulnerabilities
Copyright notice: This article is original work by Netlab, licensed under CC BY-SA 4.0; when reproducing it, please include the source link and this notice. Overview: In recent months, spurred by the sharp rise of Bitcoin and Monero, mining families of all kinds have become active, and our BotMon system detects dozens to hundreds of mining botnet attack incidents every day. By our count, most of them are old families that have appeared before; some have merely switched to new wallets or propagation methods, and z0Miner is one example. z0Miner...
Threat Alert: z0Miner Is Spreading quickly by Exploiting ElasticSearch and...
Overview: In recent months, with the huge rise of Bitcoin and Monero, various mining botnets have kicked into high gear, and our BotMon system detects dozens of mining botnet attacks pretty much every...