
Author: Heige (a.k.a Superhei) of KnownSec 404 Team https://twitter.com/80vul 09/12/2021

[Note: The ZoomEye search data in the article is based on the results of the query on September 11, and the target data has been overwritten and updated]

Before reading this article, please read the following articles for background on the related theory:

“Behavior Mapping” in Cyberspace https://80vul.medium.com/behavior-mapping-in-cyberspace-one-net-cleans-apt-and-botnet-c2s-ed49a9b7d426
One ZoomEye Query Cleans BazarLoader C2s https://80vul.medium.com/one-zoomeye-query-cleans-bazarloader-c2s-4b49a71ec10d

For background on CVE-2021-40444, refer to the security bulletin issued by Microsoft: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444 Our purpose here is to survey and map the organization that used this 0day in its attacks…


Author: Heige (a.k.a Superhei) of KnownSec 404 Team https://twitter.com/80vul 09/08/2021

Yesterday, a detailed article on “behavior mapping” in cyberspace was published. The article introduced an example of using a single ZoomEye query to get all the Trickbot C2 IPs at once:

https://80vul.medium.com/behavior-mapping-in-cyberspace-one-net-cleans-apt-and-botnet-c2s-ed49a9b7d426

Today I will bring you another typical case: how to hunt more BazarLoader C2s through a single ZoomEye query.

I noticed on September 1 that @TheDFIRReport released two IP addresses of BazarLoader C2s: https://twitter.com/TheDFIRReport/status/1433055791964049412

#BazarLoader
64.227.73.80
64.225.71.198

Searching ZoomEye, I found that their banners are very similar, which is the “behavioral mapping” feature mentioned in…


Author: Heige (a.k.a Superhei) of KnownSec 404 Team https://twitter.com/80vul 09/07/2021

“Behavior (American English) or behaviour (British English; see spelling differences) is the actions and mannerisms made by individuals, organisms, systems or artificial entities in conjunction with themselves or their environment, which includes the other systems or organisms around as well as the (inanimate) physical environment. It is the computed response of the system or organism to various stimuli or inputs, whether internal or external, conscious or subconscious, overt or covert, and voluntary or involuntary.”

— from https://en.wikipedia.org/wiki/Behavior

Cyberspace is the activity space of humans on the Internet, so different groups…


Author: Heige (a.k.a Superhei) of KnownSec 404 Team https://twitter.com/80vul 06/15/2021

In recent years, there have been many cases of power outages at the national level due to cyber attacks and other causes. There are also occasions when a country actively disconnects itself from the Internet because of sudden political incidents.

Cyberspace surveying and mapping can track the progress of these events through continuous, dynamic surveying of countries or regions suffering power or network outages. It can even be used to predict certain trends, or to draw a map of a country or region’s infrastructure distribution.


* Add the filter “iconhash:” to support favicon.ico hash search (supports both MD5 and mmh3 hashes), e.g. iconhash:891e510219786f543ca998282ed99f45 or iconhash:325177753


Previously, ZoomEye released a survey report on the Plex UDP port used for reflection amplification DDoS attacks (https://80vul.medium.com/zoomeye-report-nearly-40-000-plex-services-around-the-world-may-be-used-for-reflective-ddos-c1257dade7df). On February 5, 2021, Baidu Security Lab released a report (https://paper.seebug.org/1482/) on the use of the HTTPS DTLS protocol for reflection amplification DDoS attacks.

We noticed that as early as December 2020 there were already reports of reflection amplification attacks based on the HTTPS DTLS protocol, and these reports attributed the attacks to the DTLS service exposed by Citrix (NetScaler) Gateway:

https://www.meinekleinefarm.net/potentially-ongoing-worldwide-udp443-edt-ddos-amplify-attack-against-citrix-netscaler-gateway/

https://msandbu.org/citrix-netscaler-ddos-and-deep-dive-dtls-protocol/

Subsequently, according to the Baidu Security Lab report, this type of attack was also captured in January 2021…


On January 7, 2021, Baidu Security Lab issued an early warning stating that a DDoS reflection attack launched through the network service of Plex (a media playback platform) had been captured in January 2021 [1].

According to the Baidu Security Lab article, the attacker used a DDoS reflection attack based on the Plex service (UDP port 32414), and it was found that both of Plex’s UDP ports (32414 and 32410) can be used for reflection amplification attacks.

After testing by Baidu Lab researchers, it was found that the Plex version abused in the attack was lower than version 1.21…


Author: Heige (a.k.a Superhei) of KnownSec 404 Team 01/16/2021

Currently, the objects of cyberspace surveying and mapping are mainly IPv4/IPv6 addresses, websites and the dark web, although most search engines only support IPv4/IPv6 addresses. In addition to ZoomEye, which focuses on IPv4/IPv6/website mapping, we have also developed a product for dark web mapping, which we call “暗网雷达 (DarkEye)”.

A major goal of cyberspace surveying and mapping is to complete the mapping between cyberspace and real space. IPv4/IPv6 addresses, websites and dark web services may all point to devices in the same physical space at the same time, so I believe cross-surveying and mapping across them can help trace the real-world mapping.

Just…


Author: Heige (a.k.a Superhei) of KnownSec 404 Team 12/10/2020

As the world’s leading search engine for cyberspace mapping, ZoomEye has been working hard! I would like to thank all the friends who support ZoomEye.

API-KEY

ZoomEye has always been committed to being more friendly and open to developers. For example, in August of this year we announced the removal of API data output restrictions. Another example is the API-KEY authentication mode introduced to you today: developers and users no longer need to expose their username and clear-text password directly, and can call the ZoomEye API more securely…


Author: Heige (a.k.a Superhei) of KnownSec 404 Team 05/25/2020

[Article release: https://paper.seebug.org/1219/ (Chinese) https://paper.seebug.org/1220/ (English)]

We released ZoomEye’s historical data API query interface in ZoomEye 2020, which launched in January this year: https://medium.com/@80vul/zoomeye-2020-has-started-8414d6aaf38 Next, I will introduce some examples of using the ZoomEye History API to capture the traces of APT team attacks.

[Instructions for using the historical query API interface: https://www.zoomeye.org/doc#history-ip-search We have also updated the ZoomEye SDK to support the history API: https://github.com/knownsec/ZoomEye ]

Before explaining the cases, I must explain the ZoomEye online data update mode again: it is an overwrite update mode. Many malware teams…

heige

The Leader of the KnownSec 404 Team ( ZoomEye http://www.zoomeye.org SeeBug http://www.seebug.org KCon http://kcon.knownsec.com)
