Previously, ZoomEye released a survey report on the Plex UDP port used for reflection amplification DDos attacks (https://80vul.medium.com/zoomeye-report-nearly-40-000-plex-services-around-the-world-may-be-used-for-reflective-ddos-c1257dade7df ). Baidu Labs released a report (https://paper.seebug.org/1482/ ) on the use of https DTLS protocol for reflection amplification DDos attacks on February 5, 2021.

We noticed that as early as December 2020, we have seen some reports of reflection amplification attacks based on the HTTPS DTLS protocol,and These reports are attributed to the DTLS protocol service opened by Citrix (NetScaler) Gateway:

https://www.meinekleinefarm.net/potentially-ongoing-worldwide-udp443-edt-ddos-amplify-attack-against-citrix-netscaler-gateway/

https://msandbu.org/citrix-netscaler-ddos-and-deep-dive-dtls-protocol/

Subsequently, based on the report of Baidu Security Lab, this type of attack was also captured in January 2021…

On January 7, 2021, Baidu Security Lab issued an early warning saying that a DDoS reflection attack initiated by the network service of Plex (media playback platform) was captured in January 2021 [1]

According to the article of Baidu Security Lab, the hacker used the DDoS reflection attack based on the Plex service (UDP port 32414) in this attack, and it is found that Plex’s two UDP port(32414 and 32410) accesses can be used for reflection amplification attacks.

After testing by Baidu Lab researchers, it was found that the version of Plex used to attack was less than version 1.21…

Author: Heige(a.k.a Superhei) of KnownSec 404 Team 01/16/2021

Currently, the objects of cyberspace surveying and mapping are mainly around IPv4/IPv6/website/darkweb ，Of course most search engines only support IPv4/IPv6 addresses . In addition to ZoomEye that focuses on IPv4/IPv6/Website mapping, we have also developed a product for dark web mapping ,we call it “暗网雷达(DarkEye)”

A great significance for cyberspace surveying and mapping is to complete the mapping between cyberspace and real space, so IPv4/IPv6/Website/darkweb may point to devices in the same physical space at the same time, So I think cross-surveying and mapping can help trace the real world mapping.

Just…

Author: Heige(a.k.a Superhei) of KnownSec 404 Team 12/10/2020

As the world’s leading search engine for cyberspace mapping, ZoomEye has been working hard! I would like to thank all the friends who support ZoomEye.

API-KEY

ZoomEye has always been committed to being more friendly and open to developers. For example, in August of this year, we announced the removal of API data output restrictions. Another example is the API-KEY authentication mode introduced to you today. Developers and users do not need to directly expose user names and The clear text password can be used to call the ZoomEye API interface more securely…

Author: Heige(a.k.a Superhei) of KnownSec 404 Team 05/25/2020

[Article release: https://paper.seebug.org/1219/ (Chinese) https://paper.seebug.org/1220/ (English)]

We had released ZoomEye’s historical data API query interface in ZoomEye 2020 that had launched in January this year: https://medium.com/@80vul/zoomeye-2020-has-started-8414d6aaf38 Next, I will introduce some examples of using ZoomEye History API to capture the traces of APT team attacks.

[Instructions for using the historical query API interface: https://www.zoomeye.org/doc#history-ip-search ,Of course we have also updated our ZoomEye SDK support history api: https://github.com/knownsec/ZoomEye ]

Before the cases are explained, I must explain the ZoomEye online data update mode again: it is the overwrite update mode. Many malware teams…

by Heige of KnownSec 404 Team 04/10/2020

Last year, I posted an article “Identifying Cobalt Strike team servers in the wild by using ZoomEye” (https://medium.com/@80vul/identifying-cobalt-strike-team-servers-in-the-wild-by-using-zoomeye-debf995b6798) . In the article, I introduce a method for identifying Cobalt Strike through ZoomEye, which is different from the “extraneous space” method proposed by Fox-it.

Cobalt Strike also changed the order of the http banner while fixing the “extraneous space” bug in Cobalt Strike 3.13, released on January 2nd of 2019. So the ZoomEye Dork :

https://www.zoomeye.org/searchResult?q=%22HTTP%2F1.1%20404%20Not%20Found%20%20%20Content-Type%3A%20text%2Fplain%20Date%3A%22%20%2B%22Content-Length%3A%200%22%20-Connection

It is only suitable for Cobalt Strike < 3.13 .

So “how do we find new versions of…

“Build The Best Cyberspace Search Engine” is what we do now and continue to do.

I remember mentioning some key points at KCon 2019 : “More Data and Data Life” and “More data” , It should be mentioned that the ZoomEye “500 Nodes Plan” has been deployed in October 2019.

This update is mainly based on “More data”:

First, we released ZoomEye’s historical data API query interface. Of course, it is currently only developed for paid users.

https://www.zoomeye.org/doc#history-data

Second, we provide whois data and (r/f)DNS data for IP and domain names.

by Heige(a.k.a Superhei) of KnownSec 404 Team 10/09/2019

CVE-2019–16920 https://nvd.nist.gov/vuln/detail/CVE-2019-16920 is a RCE vulnerability in D-Link products that was discovered and reported by Fortinet’s FortiGuard Labs https://www.fortinet.com/blog/threat-research/d-link-routers-found-vulnerable-rce.html

In their report, the device models affected by the vulnerability are DIR-655C, DIR-866L, DIR-652, and DHP-1565. In fact, through our KnownSec 404 team’s research, we found that the device model affected by this vulnerability is far more than these. Other device models affected by the vulnerability are:

• DIR-855L
• DAP-1533
• DIR-862L
• DIR-615
• DIR-835
• DIR-825

Obviously, these device models are determined to be based on ZoomEye’s search results.First …