National Engineering Laboratory Safety Information Weekly Report 20210615

Contents

Technical Standard Specification

Cross-border data flow | Full text translation of the new EU standard contract clauses (final version)

Global SaaS Cloud Computing Industry Research: Answers to Some Key Questions in the Domestic Software SaaS Industry

Notice of the National Medical Security Administration on Issuing Guidance Opinions on Strengthening Cybersecurity and Data Protection

Announcement of the Central Cyberspace Administration of China, the Ministry of Industry and Information Technology, the Ministry of Public Security, and the State Administration of Market Supervision on the implementation of centralized control of black products such as camera peeping

Major | Data Security Law passed by vote

The Ministry of Industry and Information Technology and the Central Cyberspace Affairs Office issued the “Guiding Opinions on Accelerating the Application of Blockchain Technology and Industrial Development”

Industry Development Trends

The Massachusetts ferry operator, the largest U.S. ferry service operator, suffered a ransomware attack

The U.S. Army plans to invest heavily in network modernization

The White House issues a memo to companies on avoiding ransomware

The Kimsuky APT organization continues to use AppleSeed backdoors to attack the South Korean government

Military operations are an option to combat cybercrime; the Secretary of Energy raises the alarm: the adversary has the ability to shut down the U.S. power grid

Lessons from the Colonial Pipeline attack

FBI develops “phishing” encryption platform, destroys international drug trafficking organization

Amazon, GitHub and other websites go offline collectively, and Fastly CDN is interrupted

Security Threat Analysis

Kaspersky: 2021 Q1 IT threat evolution report

Interpretation|Network Security Attack and Defense: Threat Intelligence

Original | Texas power failure highlights power grid attack hazards

Searching for remote desktop application AnyDesk on Google will show fake malicious programs

TeaBot: Android malware targeting European banks

GitHub’s new policy sparked heated debate: allow hosting of malware for security research purposes

Global Internet “blackout”, CDN security exposes vulnerabilities

International Phishing Law Enforcement Action Net: Intercept communication information through encrypted chat platform

Azure Confidential Ledger: Microsoft launches blockchain-based secure ledger

Mediator: a powerful end-to-end encrypted reverse shell

Extortion attacks affect political security, and U.S. congressmen voter communication platform interrupted service

Security Technical Solution

Original | China-US cybersecurity review and China’s countermeasures

Original | Analysis of Siemens S7CommPlus_TLS protocol

Fighting ransomware gangs: the Australian Defence Signals Agency will implement a “progressive counterattack”

Google releases open source dependency “endoscope”

Hyper-V vulnerability analysis and PoC

SideWinder arsenal update: analysis of attacks against Pakistan using foreign policy

Zero trust network construction and some detailed discussions

Industrial security primer: commonly used logic programming

Original | A report on the exploitation of two 0-day vulnerabilities in QNAP devices: a RoonServer authentication vulnerability and a command injection vulnerability

Using MySQL arbitrary file read to build a honeypot

Analysis of the difference between big data security and traditional data protection

Technical Standard Specification

1. Cross-border data flow | Full text translation of the new EU standard contract clauses (final version)

On June 4, the European Commission announced the final version of the new standard contract clauses (new SCCs) for the transfer of personal data from the EU to third countries. Personal information protection practitioners around the world have been waiting for a long time for the new standard contract clauses.

https://mp.weixin.qq.com/s/F0yxItU88cBlMHxtNiGQqQ

2. Global SaaS cloud computing industry research: answers to some key questions in the domestic software SaaS industry

At present, the domestic market has reached a broad consensus on the strengths of the software SaaS industry itself, and it has also seen the strong performance of the software SaaS sector in the US stock market in recent years. However, the weak foundation of the domestic software industry, the relative scarcity of high-quality listed software SaaS companies, and the seemingly slow pace of the industry’s own development have become the main concerns and points of divergence in the current capital market. It is therefore urgent and necessary to clarify the long-term development logic of the domestic software SaaS industry.

https://mp.weixin.qq.com/s/FrKBosUc0JkSAkheO0XPPw

3. Notice of the National Medical Security Administration on Issuing Guidance Opinions on Strengthening Cybersecurity and Data Protection

The “Guiding Opinions of the National Medical Security Administration on Strengthening Network Security and Data Protection” has been deliberated and approved at the 44th Director-General’s Office Meeting. It is now issued to you. Please follow and implement it.

https://mp.weixin.qq.com/s/DwXsiGf3HAJe5avYUvKDQA

4. Announcement of the Central Cyberspace Administration of China, the Ministry of Industry and Information Technology, the Ministry of Public Security, and the State Administration of Market Supervision on the implementation of centralized control of black products such as camera peeping

In recent years, criminals have used hacking techniques to compromise and control cameras in homes and public places, turn smartphones, fitness bands and similar devices into covert cameras, sell cracking software, and teach covert filming so that customers can “spy” on private images and use them for profit. A black-market supply chain has formed around this, seriously violating citizens’ privacy and drawing a strong public reaction.

https://mp.weixin.qq.com/s/1aHwWPgNEejO8_pkGW2Suw

5. Major | Data Security Law passed by vote

According to CCTV News, on June 10, the 29th meeting of the Standing Committee of the 13th National People’s Congress passed a number of bills and two decisions, including the recent data security law.

https://mp.weixin.qq.com/s/vOwdax3_WgQpWwZVTBEDHQ

6. The Ministry of Industry and Information Technology and the Central Cyberspace Administration of China issued the “Guiding Opinions on Accelerating the Application of Blockchain Technology and Industrial Development”

Blockchain is an important part of the new generation of information technology. It is a new type of database software that integrates a variety of technologies such as distributed networks, cryptography, and smart contracts. It is expected to solve trust and security problems, promote the transformation of the Internet from transmitting information to transmitting value, and reshape the information industry system.

https://mp.weixin.qq.com/s/e5c6qVuBERVdT3YzMSDwIw

Industry Development Trends

7. The Massachusetts ferry operator, the largest ferry service operator in the United States, suffered a ransomware attack

The largest ferry service operator in the United States was hit by ransomware on Wednesday, disrupting some of its operations. This is the latest in a series of cyberattacks in recent weeks.

https://mp.weixin.qq.com/s/yrjigdBDWqCR8UvkFA3Vmw

8. The U.S. Army plans to invest heavily in network modernization

According to George Bush, the US Army’s acting procurement chief, approximately US$2.7 billion will be spent on network upgrades, more than on any other Army priority area.

https://mp.weixin.qq.com/s/Y3BqITy-O9n2lnprIjtj7Q

9. The White House issued a memo to companies on avoiding ransomware

The US Biden administration aims to prevent ransomware infection, data theft, and payment of huge sums of money to cybercriminal groups through a series of security directives and practices.

https://mp.weixin.qq.com/s/nLuTwZii3TpKnBufmKqi5g

10. The Kimsuky APT organization continues to use AppleSeed backdoors to attack the South Korean government

Kimsuky (also known as Thallium, BlackBanshee, VelvetChollima) APT is a North Korean cyber espionage organization that mainly conducts cyber threat activities against South Korean government entities. The organization has been active since 2012. In December 2020, KISA (Korea Internet and Security Agency) provided a detailed analysis of the infrastructure and TTP used by Kimsuky for phishing.

https://mp.weixin.qq.com/s/ge3Ip-w0JTYlGgvadwzAkg

11. Military operations are an option to combat cybercrime; the Secretary of Energy raises the alarm: the adversary has the ability to shut down the U.S. power grid

US Secretary of Energy Jennifer Granholm said in an interview with CNN that the US energy network is vulnerable to enemy attacks.

https://mp.weixin.qq.com/s/Yciv_NorC5VYXbtpEBalbQ

12. Lessons from the Colonial Pipeline attack incident

Colonial is an important artery in the eastern United States and the main source of gasoline, diesel, and aviation fuel on the East Coast. Its systems range from Houston to North Carolina and New York. Four weeks ago, the closure of the Colonial pipeline aroused great concern from security agencies, governments and consumers.

https://mp.weixin.qq.com/s/l6f-yGSxMRcrmmL43Q7RGA

13. The FBI develops a “phishing” encryption platform to destroy the international drug trafficking organization

In recent days, in the largest and most complex global joint law enforcement operation to date, international law enforcement agencies have used a fake end-to-end encrypted chat platform (including customized encrypted mobile phones) to arrest members of international drug cartels on a large scale and seize large quantities of drugs, guns and other illegal assets.

https://mp.weixin.qq.com/s/cPkmTaWIF1-jRRaNT8LydQ

14. Amazon, GitHub and other websites are collectively offline, and Fastly CDN is interrupted

On June 8, due to an outage of the global content delivery network Fastly CDN, a large number of websites around the world, including Reddit, Spotify, PayPal, GitHub, gov.uk, CNN, and BBC, were left inaccessible for more than an hour.

https://mp.weixin.qq.com/s/7hmBNSZNqXA985y_c-NF8A

Security threat analysis

15. Kaspersky: 2021 Q1 IT threat evolution report

In December 2020, SolarWinds, an international IT management software provider, was found to have an infected update package on its Orion software update server. This incident caused more than 18,000 SolarWinds customers around the world (including many large companies and government agencies) to be infected, and a custom backdoor named Sunburst was deployed on the victims’ machines.

https://mp.weixin.qq.com/s/1aKsx22xMdKXLRz1mdgsGw

16. Interpretation|Network Security Attack and Defense: Threat Intelligence

Security confrontation in cyberspace is becoming increasingly fierce, and traditional security technologies can no longer fully meet the needs of security protection. The security industry now generally agrees that defense alone is not enough and that continuous detection and response are also necessary. For continuous, effective detection and rapid response, however, security breach data and security intelligence are indispensable.

https://mp.weixin.qq.com/s/XX4RaLTChPnR6Fs-QcVjxQ

17. Original | Texas power failure highlights the harm of power grid attacks

The power system has always been a key driver of economic growth and prosperity in all countries. Nowadays, with the increasing popularity and importance of Internet services in various economic sectors, and the increasing momentum of the electrification of heating energy for automobiles and buildings, its importance is growing exponentially.

https://mp.weixin.qq.com/s/UdSfQP_ub9K2GJ76WLSKeg

18. Searching for remote desktop application AnyDesk on Google will show fake malicious programs

A malicious version of the well-known remote desktop application AnyDesk was distributed through an ad in Google search results. The search ranking of this malicious version even surpassed that of the legitimate AnyDesk ad on Google.

https://mp.weixin.qq.com/s/XgdF2SQ_gIk_4amatTMSJA

19. TeaBot: Android malware targeting European banks

Bank malware has always been the focus of our Shadow Lab. Recently, a new type of Android malware appeared in Italy. Researchers found that it is not related to the currently known banking Trojan horse family. They named this new banking Trojan family TeaBot (also named Anatsa).

https://mp.weixin.qq.com/s/Eeya-u6HuC5JYBqRx2OW9g

20. GitHub’s new policy sparked heated debate: allow hosting of malware for security research purposes

As a super popular source code management platform, GitHub has reached the position of the world’s largest code repository with its practical functions and user-friendly interface. Today, it hosts more than 80 million source code repositories. Companies and individuals are using GitHub to store and manage source code to keep software development projects going smoothly.

https://mp.weixin.qq.com/s/3qYHpkUbRvsAXoCtPGJSaA

21. The global Internet “blackout”, CDN security exposes vulnerabilities

On Tuesday, June 8, 2021, at around 7 pm (11 am on Tuesday, British Summer Time), a global Internet outage occurred and lasted for about half an hour. During this period, most of the Internet was temporarily offline, including well-known sites such as Amazon, Reddit, and Twitch.

https://mp.weixin.qq.com/s/QPJaCESGgETRiGxYn1twjA

22. International Phishing Law Enforcement Operation Nets: Interception of Communication Information through Encrypted Chat Platform

In 2018, the US FBI and the Australian police jointly seized the encrypted chat platform Phantom Secure and arrested a large number of criminals while controlling the platform. This incident also gave the FBI a new idea: why not run an encrypted chat platform itself for phishing-style law enforcement?

https://mp.weixin.qq.com/s/1292TrqP-_uPOBFyA5B9vA

23. Azure Confidential Ledger: Microsoft launches a blockchain-based secure ledger

On May 10, Microsoft announced that it will stop Azure blockchain services on September 10, 2021. Services that have been deployed will continue to be supported until September 10, but new deployments or member creation will no longer be supported after May 10.

https://mp.weixin.qq.com/s/VyZtCSA7KhF-yvaQPBDW4A

24. Mediator: a powerful end-to-end encrypted reverse shell

Mediator is a powerful end-to-end encrypted reverse shell. The tool lets researchers connect a shell through a “Mediator” server, so that neither the researcher nor the handler needs to set up port forwarding to listen for connections.

https://mp.weixin.qq.com/s/BDuGABzJAR4D-h38PN4JUg

25. Extortion attacks affect political security, and the communication platform for U.S. congressmen and voters is interrupted.

Catherine Szpindor, Chief Administrative Officer of the U.S. House of Representatives, said that lawmakers did receive news that the iConstituent communication system was attacked by ransomware. But the attackers did not obtain or access any data from the House of Representatives, and the network used by the House of Representatives was not affected.

https://mp.weixin.qq.com/s/yWZMM7qzILrIrcHZe0HjRQ

Security Technical Solution

26. Original | China-U.S. Cybersecurity Review and Research on China’s Countermeasures

The U.S. government’s governance of cybersecurity is subordinate to the national security strategy. Based on the importance and particularity of cybersecurity issues, the United States has individually designed strategies, policies, and legal systems, and developed many corresponding organizational structures and review principles.

https://mp.weixin.qq.com/s/kTfA8E36OEMue7XDRWwHpw

27. Original | Analysis of Siemens S7CommPlus_TLS protocol

Siemens is the world’s top supplier of automation systems. The Siemens SIMATIC series PLC is used on a large scale in key infrastructures around the world. It is precisely because of its reliability and stability that more users will choose to use it.

https://mp.weixin.qq.com/s/VkT7Q_eRybA8QuGdQT8XCw

28. Fighting ransomware gangs: the Australian Defence Signals Agency will implement a “progressive counterattack”

A member of the Australian Parliament called on government intelligence agencies to take action against the most notorious ransomware group in the world.

https://mp.weixin.qq.com/s/5iFhPcNoUXk7T-fHWr7VXA

29. Google releases open source dependency “endoscope”

Modern enterprise software development is highly dependent on open source projects. This has also led many enterprises (and the users of those enterprises) to seriously underestimate how much their software projects depend on open source code, and the huge security risks this brings.

https://mp.weixin.qq.com/s/h5rVQGeC67Q94Yh69HAtMA

30. Hyper-V vulnerability analysis and PoC

This is an explanation of the Hyper-V remote code execution vulnerability (CVE-2021-28467), which is an arbitrary memory read in vmswitch.sys (network virtualization service provider) patched by Microsoft in May 2021.

https://mp.weixin.qq.com/s/QQEABKY4XgY6PJB4pKHc2w

31. SideWinder arsenal update: analysis of attacks against Pakistan using foreign policy

The Rattlesnake (also known as SideWinder) APT organization is an APT organization suspected of having a South Asian background. Its attack activities can be traced back to 2012. Attacks are mainly aimed at the government, military, energy and other fields of neighboring countries, with the purpose of stealing sensitive information.

https://mp.weixin.qq.com/s/YQtiZ8qacHvRUE73KLYfsg

32. Zero-trust network construction and some detailed discussions

The construction of a zero-trust network is a difficult and long-term task. The construction process involves a lot of work done in collaboration with the SRE team, the network team and even the business team, but its visible effects are worth the investment and continuous iteration of the enterprise.

https://mp.weixin.qq.com/s/DuywtGrfU14M35tDgaYZpg

33. Industrial security primer: commonly used logic programming

SIMATIC Step 7 is engineering configuration software based on the TIA Portal platform. It supports SIMATIC S7-1500, SIMATIC S7-1200, SIMATIC S7-300 and SIMATIC S7-400 controllers, as well as HMI and PC-based SIMATIC WinAC automation systems. Thanks to its support for a variety of programmable controllers, SIMATIC Step 7 has flexible and expandable software engineering configuration capabilities and performance that can meet the varied requirements of automation systems.

https://mp.weixin.qq.com/s/z2DKVHJzewsWvn6HB51s2g

34. Original | A report on the exploitation of a combination of two 0-day vulnerabilities in QNAP devices: a RoonServer authentication vulnerability and a command injection vulnerability

On May 9, 2021, according to the monitoring clues of the CNCERT IoT threat intelligence data platform, the Venus Chen Jinjing security research team and the CNCERT IoT security research team discovered two zero-day vulnerabilities in the wild.

https://mp.weixin.qq.com/s/xfT3LkYNlzFYJdG1z0c7ug

35. Using MySQL arbitrary file read to build a honeypot

A client that logs in to a maliciously constructed MySQL server can be made to read files. When logging in to such a server, LOAD DATA INFILE can be used to read any file on the server. The prerequisite, of course, is that the file lies in a directory permitted by the secure_file_priv parameter and that the phpMyAdmin user has permission to read it.

https://mp.weixin.qq.com/s/I-_15gvfByjOzZmrxLgkLg

36. Analysis of the difference between big data security and traditional data protection

In recent years, thanks to the rise of digital transformation and big data, data security has become a hot topic that has received widespread attention. Although the concept of big data was proposed as early as 2005, there has been no leap from quantity to quality until the Internet of Things and the construction of smart cities in recent years have quickly made big data a reality.
