2025-02-21 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
How can APT attacks be analyzed? This article introduces the corresponding analysis and solutions in detail, in the hope of helping readers who want to solve this problem find a simpler and more feasible approach.
0x1: An introduction to APT
What is APT?
APT (Advanced Persistent Threat) refers to a form of attack in which organizations (especially governments) or small groups use advanced techniques to carry out long-term, persistent network attacks against specific targets. An APT is a network attack and intrusion launched by hackers against a victim for the purpose of stealing its core data.
How does an APT operate?
APT attackers hide themselves and steal data over a long period, in a planned and organized way, against specific targets. Such attacks cannot be detected effectively by traditional security detection systems. The current frontier defense method is to use non-commercial virtual-machine analysis technology to perform in-depth dynamic behavior analysis of e-mail attachments and other files, in order to find malicious files specially constructed with advanced techniques such as system vulnerabilities, and thereby discover and confirm APT attacks. Because an APT is hard to detect and its potential threat is great, once an enterprise, government or medical organization is attacked, a large amount of its data, including the company's important financial information and secrets, can be stolen.
0x2: A preliminary look at the gate to APT (entering the intranet)
The DMZ
Company A wants to use a server to publish a website for others to see, promoting the company's products. Xiao Wang (the project leader) knows that data from many large companies has been stolen recently, so he decides to place the web server on a separate network from which the company's intranet cannot be reached: the SMTP server and the web server are set up in a DMZ, so that the company's data cannot be stolen through a website intrusion.
The space between the two firewalls is called the DMZ. Compared with the Internet, the DMZ offers higher security, but its security is lower than that of the internal network. It is a buffer between the non-secure system and the secure system, and it solves the problem that, after a firewall is installed, external users can no longer reach the internal network's servers.
This buffer is a small network zone between the enterprise's internal network and the external network, in which the servers that must be exposed, such as the enterprise web server, FTP server and forum, are placed. At the same time, such a DMZ protects the internal network more effectively: compared with a plain firewall deployment, it puts one more hurdle in the way of attackers coming from the external network.
The DMZ can communicate with both the external network and the internal network, but that communication is restricted by security policy.
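To make that last point concrete, here is an added example (not from the original article) that models the Internet / DMZ / intranet layout with a firewall on each side of the DMZ as a first-match policy evaluator; the zone address ranges, ports and rules are assumptions chosen for illustration:

```python
# Added example, not from the original article: a first-match policy model of the
# Internet / DMZ / intranet layout with a firewall on each side of the DMZ.
# Zone address ranges and the rule set are assumptions chosen for illustration.
import ipaddress
from dataclasses import dataclass
from typing import Optional

ZONES = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),      # public web and SMTP servers
    "intranet": ipaddress.ip_network("10.0.0.0/8"),   # company internal network
    "internet": ipaddress.ip_network("0.0.0.0/0"),    # everything else
}

@dataclass(frozen=True)
class Rule:
    src: str              # source zone
    dst: str              # destination zone
    dport: Optional[int]  # None matches any destination port
    action: str           # "allow" or "deny"

# Evaluated top to bottom; the first matching rule decides, anything unmatched is denied.
POLICY = [
    Rule("internet", "dmz", 80, "allow"),     # outer firewall: public website
    Rule("internet", "dmz", 443, "allow"),
    Rule("internet", "dmz", 25, "allow"),     # outer firewall: inbound mail to the DMZ SMTP server
    Rule("intranet", "dmz", None, "allow"),   # inner firewall: staff may use DMZ services
    Rule("dmz", "internet", None, "allow"),   # DMZ hosts may talk out to the Internet
    Rule("dmz", "intranet", None, "deny"),    # inner firewall: a DMZ host cannot initiate into the intranet
    Rule("internet", "intranet", None, "deny"),
]

def zone_of(ip: str) -> str:
    """Map an address to its zone; the catch-all Internet zone is checked last."""
    addr = ipaddress.ip_address(ip)
    for name in ("dmz", "intranet", "internet"):
        if addr in ZONES[name]:
            return name
    return "internet"

def evaluate(src_ip: str, dst_ip: str, dport: int) -> str:
    """Decide whether the two firewalls let a new connection through."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return "allow"  # traffic inside one zone never crosses a firewall
    for rule in POLICY:
        if rule.src == src and rule.dst == dst and rule.dport in (None, dport):
            return rule.action
    return "deny"  # default deny
```

With this policy a compromised DMZ web server (192.0.2.10) is denied a new connection to an intranet host on port 445, while an Internet client is allowed only the published ports into the DMZ.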
So nowadays, using the web server as a springboard into the intranet is unrealistic. Is there a simpler, easier-to-operate intrusion method?
0x3: Common methods
You may have thought of tools such as office suites; as the saying goes, the biggest vulnerability is not in any system, but in people.
List of Office vulnerabilities (CVE, description, and the APT groups reported to have used it):

CVE-2009-2496  Heap exhaustion remote code execution vulnerability, also known as the "Office Web Components heap exhaustion vulnerability". Used by: Harvest Action.
CVE-2010-3333  RTF parser stack overflow vulnerability, also known as the "RTF stack buffer overflow vulnerability".
CVE-2012-0158  Microsoft Windows Common Controls ActiveX control remote code execution vulnerability (stack memory copy overflow), also known as the "MSCOMCTL.OCX RCE vulnerability". Used by: Maha Grass, Manling Flower, White Elephant, Rotten Tomato.
CVE-2013-3906  Remote code execution vulnerability in the Microsoft Graphics component when processing specially crafted TIFF images. Used by: Maha Grass, White Elephant.
CVE-2014-1761  Microsoft Word RTF file parsing error leading to code execution. Used by: Maha Grass, Pitty Tiger, White Elephant, Rotten Tomato.
CVE-2014-4114  OLE package manager INF arbitrary code execution vulnerability. Used by: Maha Grass, White Elephant.
CVE-2015-1641  Type confusion vulnerability in RTF parsing. Used by: MONSOON, Maha Grass, White Elephant, Fantasy Bear, Rotten Tomato, Harvest Action.
CVE-2015-2545  EPS graphics file arbitrary code execution. Used by: Rotten Tomato.
CVE-2015-2546  Use-after-free (UAF) vulnerability.
CVE-2016-7193  RTF file parsing vulnerability that allows remote execution of arbitrary code.
CVE-2017-0199  The first Microsoft Office RTF vulnerability in the Hacker Stack. Used by: Maha Grass.
CVE-2017-0261  EPS vulnerability. Used by: White Elephant, Turla.
CVE-2017-0262  EPS type confusion vulnerability. Used by: Maha Grass, White Elephant.
CVE-2017-11826 OOXML parser type confusion vulnerability. Used by: an East Asian organization.
CVE-2017-11882 "Nightmare Formula": stack overflow vulnerability in the formula editor (Equation Editor) that allows remote code execution. Used by: White Elephant, Rattlesnake, Parasitic Animal, Maha Grass, Human-faced Horse, Black Pineapple.
CVE-2017-8464  High-risk vulnerability allowing remote execution of arbitrary code when parsing shortcuts.
CVE-2017-8570  Logic vulnerability in OLE objects (a bypass of the CVE-2017-0199 patch), the second-generation "Sandworm" vulnerability. Used by: White Elephant, Parasitic Animal.
CVE-2017-8759  Logic vulnerability in the .NET Framework.
CVE-2018-0802  "Nightmare Formula II": uses the formula editor EQNEDT32.EXE embedded in Office. Used by: Black Pineapple.
CVE-2018-0798  Microsoft Office remote memory corruption vulnerability.
CVE-2018-8174  A new Office document attack exploiting a browser 0-day vulnerability.
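Several entries in the list above reach the victim as an Office document carrying OLE content: CVE-2017-11882 and CVE-2018-0802 through the embedded Equation Editor (EQNEDT32.EXE), CVE-2017-0199 and CVE-2017-8570 through OLE objects. A defender can therefore pre-filter attachments for those markers before handing them to the virtual-machine analysis mentioned in 0x1. The following is an added example, not code from the original article; the sample .docx it builds is constructed in memory and contains only the structural markers (standard OOXML part names, an Equation.3 ProgID, an external OLE relationship), no exploit.

```python
# Added example, not from the original article: a static pre-filter for OOXML (.docx)
# attachments that flags the OLE markers behind the listed Equation Editor and OLE CVEs.
# The sample document is constructed in memory and carries only the markers, no exploit.
import io
import re
import zipfile

DOC_XML = "word/document.xml"                 # standard OOXML part names
RELS_XML = "word/_rels/document.xml.rels"

def scan_ooxml(data: bytes) -> list:
    """Return the list of findings; an empty list means no OLE marker was seen."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        # 1. Raw OLE streams stored alongside the document body
        for n in names:
            if n.startswith("word/embeddings/") and n.endswith(".bin"):
                findings.append("embedded OLE object: " + n)
        # 2. ProgID of embedded objects; "Equation.3" is the Equation Editor (EQNEDT32.EXE)
        if DOC_XML in names:
            doc = z.read(DOC_XML).decode("utf-8", "replace")
            for prog in re.findall(r'ProgID="([^"]+)"', doc):
                if prog.lower().startswith("equation"):
                    findings.append("Equation Editor object: ProgID " + prog)
        # 3. OLE relationships that point outside the package (content fetched when opened)
        if RELS_XML in names:
            rels = z.read(RELS_XML).decode("utf-8", "replace")
            for tag in re.findall(r"<Relationship [^>]*>", rels):
                if "oleObject" in tag and 'TargetMode="External"' in tag:
                    target = re.search(r'Target="([^"]+)"', tag)
                    findings.append("external OLE link: " + (target.group(1) if target else "?"))
    return findings

def build_sample(with_markers: bool = True) -> bytes:
    """Constructed sample .docx (illustrative content only), with or without the markers."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        if with_markers:
            z.writestr(DOC_XML, '<w:document><o:OLEObject Type="Embed" ProgID="Equation.3" r:id="rId5"/></w:document>')
            z.writestr(RELS_XML, '<Relationships><Relationship Id="rId5" Type="http://schemas.openxmlformats.org/'
                       'officeDocument/2006/relationships/oleObject" Target="http://example.invalid/o.doc" '
                       'TargetMode="External"/></Relationships>')
            z.writestr("word/embeddings/oleObject1.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 12)
        else:
            z.writestr(DOC_XML, "<w:document><w:body><w:p/></w:body></w:document>")
    return buf.getvalue()
```

Run `scan_ooxml(build_sample())` to see all three findings, and `scan_ooxml(build_sample(False))` to confirm a plain document produces none; a hit is a reason to quarantine the attachment for dynamic analysis, not proof of exploitation, since legitimate documents also embed equations and links.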
List of Adobe vulnerabilities (CVE, description, affected versions, and the APT groups reported to have used it):

CVE-2007-5659  Multiple buffer overflow vulnerabilities in Adobe Acrobat/Reader PDF files. Affected: Adobe Acrobat 8, Adobe Reader 8, Adobe Reader 7. Used by: Harvest Action.
CVE-2008-2992  Adobe Reader util.printf() JavaScript function stack overflow vulnerability. Affected: Adobe Acrobat < 8.1.3, Adobe Reader < 8.1.3. Used by: Harvest Action.
CVE-2009-0927  Adobe Acrobat and Reader Collab.getIcon() JavaScript method stack overflow vulnerability. Affected: Adobe Acrobat 9, Adobe Acrobat 8, Adobe Acrobat 7.0, Adobe Reader 9, Adobe Reader 8, Adobe Reader 7. Used by: Harvest Action.
CVE-2009-4324  Adobe Reader and Acrobat newplayer() JavaScript memory corruption vulnerability. Affected: Adobe Acrobat