Looking back over the cyber-security events of 2018, cybercriminals' attack techniques kept shifting. Beyond the exploitation of zero-day vulnerabilities, ransomware and malicious cryptomining ran rampant, the blockchain sector was beset by dangers, and dark-web data leaks surfaced one after another. Attack channels also kept changing, with IoT devices and industrial networks becoming priority targets for criminal hackers. All of this has brought new challenges to the security of cyberspace as a whole.
By monitoring and analysing global threat activity, actively taking part in emergency response to security incidents of all kinds, and reviewing the major cyber-attacks disclosed by domestic and international security research organisations and vendors over the whole of 2018, Knownsec 404 Lab has selected the major information-security events of 2018 on the basis of the attack techniques and severity of these incidents.
International
1. Memcached DDoS attacks
On 1 March 2018, GitHub was hit by a 1.35 Tbps DDoS attack, and in the days that followed NETSCOUT Arbor confirmed another reflection/amplification DDoS attack, caused by Memcached DDoS, that reached 1.7 Tbps. Against a backdrop in which cryptocurrency prices soared in the first half of 2018, black and grey market operators shifted to cryptomining, and reflection/amplification attacks were on a steady decline, the sheer volume of traffic generated through Memcached DDoS gives an idea of its power.
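The incident above is a reflection/amplification attack: a small UDP request with a spoofed source address is sent to an exposed Memcached server, which answers the spoofed victim with a response many times larger. The following Python is an added example (not code from the original article or from Knownsec): a flow-level detector that flags servers whose UDP/11211 response volume dwarfs the request volume, plus a check of the memcached command line that distinguishes the weak configuration from the hardened one. The flow records, addresses and byte counts are constructed for the example.

```python
"""Memcached reflection/amplification checks (added example, not from the article)."""
from collections import defaultdict

MEMCACHED_PORT = 11211
MIN_AMPLIFICATION = 50.0  # flag a server once UDP responses exceed requests by this factor

# Constructed flow records: (src, sport, dst, dport, proto, bytes). Not real traffic;
# addresses come from the documentation ranges.
SAMPLE_FLOWS = [
    # small request carrying a spoofed source (the victim) to an exposed memcached server
    ("203.0.113.10", 40000, "198.51.100.7", 11211, "udp", 15),
    # the server reflects large responses back toward the spoofed source
    ("198.51.100.7", 11211, "203.0.113.10", 40000, "udp", 375000),
    ("198.51.100.7", 11211, "203.0.113.10", 40000, "udp", 375000),
    # ordinary TCP client traffic: small request, small reply
    ("203.0.113.10", 52000, "198.51.100.9", 11211, "tcp", 60),
    ("198.51.100.9", 11211, "203.0.113.10", 52000, "tcp", 90),
]


def amplification_by_reflector(flows):
    """Return {server: (request_bytes, response_bytes, factor)} for UDP/11211 traffic."""
    requests, responses = defaultdict(int), defaultdict(int)
    for src, sport, dst, dport, proto, nbytes in flows:
        if proto != "udp":
            continue  # the amplification vector is UDP only; TCP cannot be spoofed this way
        if dport == MEMCACHED_PORT:
            requests[dst] += nbytes
        elif sport == MEMCACHED_PORT:
            responses[src] += nbytes
    result = {}
    for server in set(requests) | set(responses):
        req, resp = requests[server], responses[server]
        factor = resp / req if req else float("inf")
        result[server] = (req, resp, factor)
    return result


def suspected_reflectors(flows, threshold=MIN_AMPLIFICATION):
    """Servers whose UDP response volume exceeds request volume by `threshold` or more."""
    stats = amplification_by_reflector(flows)
    return sorted(server for server, (_, _, factor) in stats.items() if factor >= threshold)


def udp_exposed(argv):
    """True if a memcached command line leaves UDP reachable from non-loopback addresses.

    Uses the real memcached flags -U <port> (0 disables UDP) and -l <listen address>.
    Simplified to a single -l address; before memcached 1.5.6 UDP was enabled by default,
    which is the assumption used when -U is absent.
    """
    udp_port, listen = 11211, "0.0.0.0"
    for i, arg in enumerate(argv):
        if arg == "-U" and i + 1 < len(argv):
            udp_port = int(argv[i + 1])
        elif arg == "-l" and i + 1 < len(argv):
            listen = argv[i + 1]
    return udp_port != 0 and not listen.startswith("127.")


if __name__ == "__main__":
    for server, (req, resp, factor) in amplification_by_reflector(SAMPLE_FLOWS).items():
        print(f"{server}: {req} B in, {resp} B out, amplification x{factor:.0f}")
    print("suspected reflectors:", suspected_reflectors(SAMPLE_FLOWS))
    print("weak  (UDP on, any address):", udp_exposed(["memcached", "-m", "64"]))
    print("fixed (UDP off, loopback)  :", udp_exposed(["memcached", "-m", "64", "-U", "0", "-l", "127.0.0.1"]))
```

The byte-ratio check is deliberately per server rather than per packet, because a single large reply is normal for a legitimate client while a sustained many-thousand-fold ratio toward an address that never sent more than a few bytes is not; the same logic applies to other UDP reflectors by changing the port.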
2. Attacks on Cisco routers
In January 2018, Cisco published an advisory for a remote code execution vulnerability in the WebVPN feature of Cisco ASA firewalls. In March 2018, Cisco published a security advisory for a remote command execution vulnerability in Cisco Smart Install. Both are unauthenticated remote command execution vulnerabilities: an attacker needs no login credentials to carry out a successful attack. On 6 April 2018, a hacker group calling itself "JHT" attacked network infrastructure in several countries including Russia and Iran; the configuration files of the compromised Cisco devices were rewritten to display a US flag, which is why the incident is also known as the "US flag" incident.
3. Supply chain attacks
Supply chain attacks have always been known for being covert and effective. In 2018 they occurred at several different levels and for a variety of reasons: the attack on the company behind Driver Life (驱动人生), first exposed by Huorong Security; an attack in which the author of a Node.js library casually handed over rights to the package, allowing an attacker to plant a backdoor; and ransomware that infected Easy Language (易语言) modules and demanded payment through WeChat Pay. Any weak point in a supply chain can lead to a supply chain attack.
4. GPON remote command execution vulnerability
On 30 April 2018, vpnMentor disclosed two high-severity vulnerabilities in GPON routers: an authentication bypass (CVE-2018-10561) and a command injection (CVE-2018-10562). Chained together, the two allow arbitrary commands to be executed on a GPON router with a single request. Within ten days of disclosure, the vulnerability had been integrated and exploited by multiple botnet families and was spreading worm-style across the public internet.
5. Java deserialization vulnerabilities
Java deserialization vulnerabilities continued to surface throughout 2018. Among the vulnerabilities Knownsec 404 Lab handled in its 2018 emergency responses, the most affected product was WebLogic, an application server made by Oracle of the United States; in 2018 Knownsec 404 Lab responded to five WebLogic deserialization vulnerabilities. Because a Java deserialization vulnerability yields arbitrary command execution, it is one of the attack methods hackers use to spread viruses, cryptominers and other malware.
6. Drupal remote code execution vulnerability (Drupalgeddon2)
Drupal is an open-source content management framework written in PHP, and the Drupal community is one of the largest open-source communities in the world, with one million websites running Drupal. In March this year the Drupal security team disclosed a highly critical vulnerability (21/25 on the NIST scale), dubbed Drupalgeddon 2 (CVE-2018-7600), which allows an unauthenticated attacker to execute commands remotely.
7. Data leak incidents
Several large data leaks came to light in 2018. On 12 June 2018, Knownsec's Dark Web Radar observed the database of a domestic video website being offered for sale on the dark web. On 28 August 2018, Dark Web Radar again observed hotel check-in records from a domestic hotel being sold on the dark web. On 30 November 2018, a company announced that the database of one of its hotel brands had been breached, exposing the information of up to roughly 500 million guests. In December 2018, a Twitter user posted that the résumé data of more than 200 million domestic users had been leaked. Beyond these, Facebook's leaking of personal data to third parties also drew enormous attention. As dark-web users grow in number and black markets and cryptocurrencies develop, threats from the dark web are certain to keep growing; the Knownsec 404 security research team will continue to map the dark web by technical means, provide threat intelligence, and track and counter threats originating there.
8. EOS platform remote command execution vulnerability
In late May 2018, the Vulcan team at 360 discovered a series of high-severity vulnerabilities in the EOS platform, some of which allow arbitrary code to be executed remotely on an EOS node. This means an attacker could use the vulnerability to directly control and take over every node running on EOS. Judging by its impact, calling this an "epic" vulnerability is no exaggeration.
9. RPC interface security issues in multiple blockchain projects
On 20 March 2018, SlowMist Zone and BLOCKCHAIN SECURITY LAB revealed the attack details behind the Ethereum "Black Valentine's Day" incident (the Ethereum "stowaway" vulnerability). On 1 August 2018, building on that work and combining it with honeypot data, Knownsec 404 Lab documented several further ways the Ethereum RPC interface was being used to steal coins in the post-stowaway era: offline attacks, replay attacks and brute-force attacks. On 20 August 2018, Knownsec 404 Lab added yet another form of attack, the "scavenging attack". The RPC interface is not unique to Ethereum; it is widely used across blockchain projects. On 1 December 2018, Tencent Security Joint Lab issued a warning about security problems in the NEO RPC interface. While blockchain projects' RPC interfaces make transactions convenient, they also introduce serious security risks.
10. Vulnerabilities in blockchain smart contracts
Many blockchain security vulnerabilities occur in smart contracts. HaoTian (昊天塔) is a security automation platform for monitoring, scanning, analysing and auditing blockchain smart contracts, developed independently by the Knownsec 404 blockchain security research team. The issues encountered during the many smart contract audits were distilled into vulnerability models and compiled into the Knownsec Ethereum Contract Audit CheckList, which covers more than 29 kinds of problems encountered when auditing Ethereum contracts, some of which affect 74.49% of contracts with publicly available source code.
After the blockchain game CryptoKitties went viral at the end of 2017, smart contract DApps became the main theme of blockchain development in 2018. On 22 April 2018, an attacker exploited a multiplication overflow in the transfer function of the BEC smart contract to drain every token in the BEC contract. On 24 July 2018, a foreign security researcher combined Fomo3D's Airdrop feature with a random-number vulnerability to drain all the tokens in Fomo3D's airdrop pool. On 22 August 2018, the first round of Fomo3D's grand prize was won: the attacker exploited transaction-ordering behaviour at the Ethereum base layer to obtain more than 10,000 Ether, and the exposure of this vulnerability marked the definitive death of smart contracts that depend on transaction order. Across Ethereum DApps and EOS DApps alike, from genuine security vulnerabilities to business-logic flaws, smart contract vulnerabilities directly threaten the safety of tokens, which signals that smart contracts face ever greater challenges.
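The BEC incident above is the textbook case of an unchecked multiplication overflow: a batch transfer multiplies the recipient count by the per-recipient value, and when that product wraps past 2^256 the balance check sees a tiny number while each recipient is still credited the full value. The Python below is an added example (not code from the original article and not the BEC contract itself); it emulates Solidity's unchecked uint256 wraparound to show the failure and the SafeMath-style multiplication check that prevents it. The token balances, recipient list and the 20-recipient cap are constructed for the example.

```python
"""Batch-transfer multiplication overflow and its checked fix (added example)."""
UINT256_MAX = 2**256 - 1


def u256(x):
    """Wrap like unchecked uint256 arithmetic in pre-0.8 Solidity."""
    return x & UINT256_MAX


def safe_mul(a, b):
    """SafeMath-style multiplication: wrap, then verify the product is consistent."""
    c = u256(a * b)
    if a != 0 and c // a != b:
        raise OverflowError("uint256 multiplication overflow")
    return c


class Token:
    """Minimal token ledger with a vulnerable and a fixed batch transfer."""

    def __init__(self, balances):
        self.balances = dict(balances)

    def balance_of(self, who):
        return self.balances.get(who, 0)

    def _batch_transfer(self, sender, receivers, value, mul):
        cnt = len(receivers)
        if not (0 < cnt <= 20 and value > 0):
            raise ValueError("bad arguments")
        amount = mul(cnt, value)               # total to debit from the sender
        if self.balance_of(sender) < amount:   # passes when `amount` wrapped to a tiny number
            raise ValueError("insufficient balance")
        self.balances[sender] = u256(self.balance_of(sender) - amount)
        for r in receivers:                    # each recipient still gets the full `value`
            self.balances[r] = u256(self.balance_of(r) + value)

    def batch_transfer_vulnerable(self, sender, receivers, value):
        # plain wrapping multiply: cnt * value can overflow to 0
        return self._batch_transfer(sender, receivers, value, lambda a, b: u256(a * b))

    def batch_transfer_fixed(self, sender, receivers, value):
        # checked multiply: the same call now reverts instead of minting tokens
        return self._batch_transfer(sender, receivers, value, safe_mul)


def demo(vulnerable):
    """Two recipients with value = 2**255, so cnt * value == 2**256, which wraps to 0.

    Returns (sender_balance, recipient_balance) after the call, or "overflow" if the
    checked version rejects it. The sender starts with a constructed balance of 1000.
    """
    token = Token({"sender": 1000})
    transfer = token.batch_transfer_vulnerable if vulnerable else token.batch_transfer_fixed
    try:
        transfer("sender", ["r1", "r2"], 2**255)
    except OverflowError:
        return "overflow"
    return token.balance_of("sender"), token.balance_of("r1")


if __name__ == "__main__":
    print("vulnerable:", demo(True))   # sender keeps 1000, each recipient holds 2**255
    print("fixed     :", demo(False))  # "overflow"
```

The fix is the standard `c / a == b` consistency check from SafeMath; from Solidity 0.8 onward the compiler inserts equivalent checks for every arithmetic operation by default, and the audit item in a checklist such as the one described above is to verify that no `unchecked` block or older compiler reintroduces the wrapping behaviour.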
Domestic
1. Driver Life supply chain incident
On the afternoon of 14 December 2018, a trojan spreading through the update channel of Driver Life (驱动人生) suddenly broke out, infecting 100,000 computers in just two hours. Subsequent investigation showed it to be a carefully planned supply chain intrusion.
2. Data leak incidents
On 12 June 2018, Knownsec's Dark Web Radar observed the database of a domestic video website being offered for sale on the dark web. On 28 August 2018, Dark Web Radar again observed hotel check-in records from a domestic hotel being sold on the dark web. In December 2018, a Twitter user posted that the résumé data of more than 200 million domestic users had been leaked. Beyond these, Facebook's leaking of personal data to third parties also drew enormous attention. As dark-web users grow in number and black markets and cryptocurrencies develop, threats from the dark web are certain to keep growing; the Knownsec 404 security research team will continue to map the dark web by technical means, provide threat intelligence, and track and counter threats originating there.
3. Ransomware continues to rampage through internal networks
In 2018 ransomware, aided by the EternalBlue vulnerability, continued to rampage through internal networks. In November 2018, Knownsec 404 Lab captured a ransomware strain named Lucky. After analysing its encryption algorithm, the Knownsec 404 security research team released a decryption tool for it (https://github.com/knownsec/Decrypt-ransomware).
4. Attacks on cryptocurrency exchanges and related incidents
The first half of 2018 was a period of explosive growth for the blockchain industry. The mismatch between the pace of that growth and the pace of security work led to frequent security incidents. Beyond problems in blockchains themselves, cryptocurrency exchanges were among the main targets of hacker attacks: breaking into an exchange, or using an exchange vulnerability to indirectly influence coin prices, are methods hackers commonly employ. Behind these attacks there are usually enormous losses.
5. Multiple remote command execution vulnerabilities in the WebLogic component
In 2018 Knownsec 404 Lab responded to five WebLogic deserialization vulnerabilities (CVE-2018-2628/2893/3245/3191/3252). Because a Java deserialization vulnerability yields arbitrary command execution, every one of these became one of the attack methods hackers use to spread viruses, cryptominers and other malware.
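Both this item and item 5 of the international section turn on the same mechanism: a server that deserializes attacker-supplied Java objects. Whatever the gadget chain, the payload has to be a Java serialization stream, and that stream has a fixed shape a defender can key on: it begins with the magic bytes AC ED 00 05 (STREAM_MAGIC and STREAM_VERSION from java.io.ObjectStreamConstants), which become "rO0AB" when base64-encoded, and the first object is announced by TC_OBJECT (0x73) and TC_CLASSDESC (0x72) followed by a length-prefixed class name. The Python below is an added example (not code from the original article, from Knownsec or from Oracle) that finds both raw and base64-encoded streams in captured request bytes and reports the first class each stream asks the server to instantiate; the sample requests are constructed, and the class name used in them is an ordinary JDK class rather than any gadget.

```python
"""Spot Java serialized-object streams in captured requests (added example)."""
import base64
import binascii
import re
import struct

JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"   # STREAM_MAGIC (0xACED) + STREAM_VERSION (5)
TC_OBJECT, TC_CLASSDESC = 0x73, 0x72      # java.io.ObjectStreamConstants
B64_MAGIC = re.compile(rb"rO0AB[A-Za-z0-9+/]{2,}")  # base64 form of the magic prefix

# Constructed samples: a plain request, one carrying a raw stream, one carrying it base64-encoded.
SERIALIZED_HASHMAP = JAVA_STREAM_MAGIC + b"sr\x00\x11java.util.HashMap"
SAMPLE_REQUESTS = {
    "plain": b"GET /console/login HTTP/1.1\r\nHost: weblogic.example.test\r\n\r\n",
    "raw": b"POST /x HTTP/1.1\r\n\r\n" + SERIALIZED_HASHMAP,
    "b64": b"POST /y HTTP/1.1\r\n\r\npayload=" + base64.b64encode(SERIALIZED_HASHMAP),
}


def first_class_name(stream):
    """Class name of the first object in a raw Java serialization stream, or None."""
    if not stream.startswith(JAVA_STREAM_MAGIC):
        return None
    body = stream[len(JAVA_STREAM_MAGIC):]
    if len(body) < 4 or body[0] != TC_OBJECT or body[1] != TC_CLASSDESC:
        return None  # not an object, or truncated
    (length,) = struct.unpack(">H", body[2:4])   # class name is a 2-byte-length UTF string
    name = body[4:4 + length]
    return name.decode("ascii", "replace") if len(name) == length else None


def find_java_streams(payload):
    """Return [(offset, encoding, class_name)] for every serialized-stream marker found."""
    hits = []
    for m in re.finditer(re.escape(JAVA_STREAM_MAGIC), payload):
        hits.append((m.start(), "raw", first_class_name(payload[m.start():])))
    for m in B64_MAGIC.finditer(payload):
        token = m.group(0)
        try:
            decoded = base64.b64decode(token + b"=" * (-len(token) % 4))
        except binascii.Error:
            decoded = b""  # truncated base64: still report the marker, without a class
        hits.append((m.start(), "base64", first_class_name(decoded)))
    return sorted(hits)


def scan_requests(requests):
    """Map request label -> findings, keeping only requests that carry a stream."""
    return {label: hits for label, payload in requests.items() if (hits := find_java_streams(payload))}


if __name__ == "__main__":
    for label, hits in scan_requests(SAMPLE_REQUESTS).items():
        for offset, encoding, cls in hits:
            print(f"{label}: serialized stream at offset {offset} ({encoding}), first class {cls}")
```

Logging the first class name is what makes this useful in a SOC: legitimate T3 or RMI traffic to a WebLogic instance also carries serialized objects, so the marker alone is noisy, but a class the application never deserializes, arriving in an HTTP parameter or from an untrusted network, is a strong signal. The check is a complement to, not a substitute for, applying Oracle's patches and restricting the T3 protocol with a network connection filter.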
6. "App clone" attacks
On 9 January 2018, Tencent Security Xuanwu Lab and Knownsec 404 Lab jointly disclosed the "app clone" attack threat model. Notably, almost all mobile apps are susceptible to this threat model. Under it, an attacker can "clone" a user's account and thereby steal private information, hijack accounts and take funds.
7. ZipperDown generic vulnerability
In May 2018, during a security audit of iOS apps, Pangu Lab discovered a class of generic security vulnerability that may affect 10% of iOS apps. The vulnerability was named ZipperDown. According to information disclosed by Pangu Lab, popular apps including Weibo, Momo, NetEase Cloud Music, QQ Music and Kuaishou were affected.
8. Smart door lock security needs to be taken seriously
Smart door locks emerged with the growth of the Internet of Things, but their security has always been controversial. On 26 May 2018, at the 9th China (Yongkang) International Door Industry Expo, Ms. Wang Haili opened the smart locks of eight brands using a Tesla coil. Beyond that, unlocking by phone or fingerprint introduces new attack surface, and replay attacks and the like have flourished. Manufacturers' lack of attention to the security of the locks themselves has also made it the norm for disclosed smart lock vulnerabilities to go unfixed or only partially fixed.
9. Web application 0-day attack incidents
On 13 June 2018, the Knownsec 404 active defence team, through Chuangyu Shield (创宇盾), Knownsec's cloud defence product, blocked and captured an attack against the website of a well-known blockchain exchange. Analysis showed the attacker was exploiting a 0-day vulnerability in ECShop 2.x. On 14 June 2018 it was submitted to and recorded on Knownsec's Seebug vulnerability platform.
On 10 December 2018, ThinkPHP officially released the "ThinkPHP 5.* security update", fixing a remote code execution vulnerability. When the Knownsec 404 Lab active defence team went through the relevant logs, it found that the vulnerability had already been used to attack multiple cryptocurrency and financial websites while it was still a 0-day. Within a week of the details being disclosed, the vulnerability had been integrated into botnet malware samples and was spreading worm-style across cyberspace.
Spurred by the surge in blockchain cryptocurrency prices in 2018, the use of 0-day vulnerabilities by cybercriminals to attack cryptocurrency and financial websites grew steadily.
10. Xiongmai camera vulnerabilities affect millions of cameras
In 2018 multiple vulnerabilities were disclosed in cameras from several vendors and models. Among the vulnerabilities Knownsec 404 Lab handled in emergency response, the one affecting the largest number of devices was in Xiongmai IP cameras. The ZoomEye search engine finds 2 million Xiongmai devices exposed on the public internet, but by enumerating Cloud IDs roughly 9 million Xiongmai devices can be reached. These devices also have hard-coded credentials and a remote code execution vulnerability; if they were used to spread a botnet, the harm to cyberspace would be enormous.