Preface: It looks that who have vaccine of COVID-19 will be grant the dominance of the world.

Reference: DVC APIs will help you to implement modules on the server and client side of a Remote Desktop Services connection that communicate with each other.A remote code execution vulnerability exists in Remote Desktop Services. When an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests,…… (CVE-2019-1182)

Description: Perhaps my research does not clearly reflect the actual status of the current malicious goal. However every people is looking for vaccine. My personal interest bring my attention to a malware so called “SOREFANG”. It looks that a vendor became a victim of this case. It was because attacker or APT group do a re-engineering their VPN software. As a matter of fact, their company footprint a large in China. The details of my observation and research are written down on attached diagram. For those who is interested. Please refer attached diagram for reference.

Highlight: Vendor announcement : The only vulnerable servers are the Sangfor servers running firmware versions M6.1 and M6.3R1. The statement revealed that other servers are clean and are not affected by the zero-day used by attacker.

Preface: Universal Plug and Play (UPnP) is a set of networking protocols that permits networked devices, such as personal computers, printers, Internet gateways, Wi-Fi …

Review historical event: Mirai is an IoT botnet that was designed to exploit vulnerabilities in IoT devices for use in large-scale DDoS attacks.In September 2016, the Mirai malware launched a DDoS attack. A massive attack causes the domain registration services provider (Dyn) interrupted the services in October 2016.

Design weakness on universal plug and play: The Open Connectivity Foundation UPnP specification before 2020-04-17 does not forbid the acceptance of a subscription request with a delivery URL on a different network segment than the fully qualified event-subscription URL, aka the CallStranger issue.

Concerns by security expert: The attacker can send a specially crafted HTTP SUBSCRIBE request to the vulnerable devices. Meanwhile, An it could utilize this vulnerability to conduct a DDoS attack. For more details, please refer offical articles in the following url – https://www.kb.cert.org/vuls/id/339275

Preface: A conspiracy was leaked this week, someone ambitious to spying the world.

Details: The espionage activities will be exploit computer technology as 1st approach in today. It is merely relies on design weakness. Yes, it is the vulnerability. When I read the conspiracy details, I was wonder that if the formulation of this design (see attached diagram) goals to do a DDoS. Perhaps this is no a perfect way. However when US Homeland security urge to US citizen staying alert of the vulnerability found in DrayTek Devices. As everyone knows, today’s Tor network cannot perfectly hide the whereabouts of hackers. Because law enforcement already shutdown the proxy servers on the network. Besides, attacker also worries that does the proxy server has monitoring function. From attacker view point, they should perfectly hide itself. Refer to attached diagram, the new formulation of botnet technique will be exploited the new vulnerability found on IoT as a component. It looks like a plug-in module.

There are two types of operating system that sit under the SDK. Low cost and lower specification routers will select the RTOS. Since low end router cannot fulfill their requirement. Perhaps the VPN Router is the correct target because when compromised VPN router form a bot net group can compensate the current resources outage in Tor network.

Immediate action: Multiple vulnerabilities have been discovered in DrayTek devices which could allow for arbitrary code execution. If you are customer of DrayTek. Please do the upgrade immediately. https://www.draytek.com/about/security-advisory/vigor3900-/-vigor2960-/-vigor300b-router-web-management-page-vulnerability-(cve-2020-8515)