One Article Review

Home - The article:
Source: AlienVault Blog
Identifier: 1493481
Publication date: 2019-12-04 15:28:00 (viewed: 2019-12-07 01:23:23)
Title: The “Great Cannon” has been deployed again
Text: Summary

The Great Cannon is a distributed denial of service (“DDoS”) tool that operates by injecting malicious JavaScript into pages served from behind the Great Firewall. These scripts, potentially served to millions of users across the internet, hijack the users’ connections to make multiple requests against the targeted site. These requests consume all the resources of the targeted site, making it unavailable.

Figure 1: Simplified diagram of how the Great Cannon operates

The Great Cannon was the subject of intense research after it was used to disrupt access to the website Github.com in 2015. Little has been seen of the Great Cannon since 2015. However, we’ve recently observed new attacks, which are detailed below.

Most recent attacks against LIHKG

The Great Cannon is currently attempting to take the website LIHKG offline. LIHKG has been used to organize protests in Hong Kong. Using a simple script that uses data from UrlScan.io, we identified new attacks likely starting Monday November 25th, 2019. Websites are indirectly serving a malicious JavaScript file from either:

http://push.zhanzhang.baidu.com/push.js; or
http://js.passport.qihucdn.com/11.0.1.js

Normally these URLs serve standard analytics tracking scripts. However, for a certain percentage of requests, the Great Cannon swaps these on the fly with malicious code:

Figure 2: Malicious code served from the Great Cannon

The code attempts to repeatedly request the following resources, in order to overwhelm websites and prevent them from being accessible:

http://lihkg.com/
https://i.loli.net/2019/09/29/hXHglbYpykUGIJu.gif?t=
https://na.cx/i/XibbJAS.gif?t=
https://na.cx/i/UHr3Dtk.gif?t=
https://na.cx/i/9hjf7rg.gif?t=
https://na.cx/i/qKE4P2C.gif?t=
https://na.cx/i/0Dp4P29.gif?t=
https://na.cx/i/mUkDptW.gif?t=
https://na.cx/i/ekL74Sn.gif?t=
https://i.ibb.co/ZBDcP9K/LcSzXUb.gif?t=
https://66.media.tumblr.com/e06eda7617fb1b98cbaca0edf9a427a8/tumblr_oqrv3wHXoz1sehac7o1_540.gif?t=
https://na.cx/i/6hxp6x9.gif?t=
https://live.staticflickr.com/65535/48978420208_76b67bec15_o.gif?t=
https://i.lihkg.com/540/https://img.eservice-hk.net/upload/2018/08/09/181951_60e1e9bedea42535801bc785b6f48e7a.gif?t=
https://na.cx/i/E3sYryo.gif?t=
https://na.cx/i/ZbShS2F.gif?t=
https://na.cx/i/LBppBac.gif?t=
http://i.imgur.com/5qrZMPn.gif?t=
https://na.cx/i/J3q35jw.gif?t=
https://na.cx/i/QR7JjSJ.gif?t=
https://na.cx/i/haUzqxN.gif?t=
https://na.cx/i/3hS5xcW.gif?t=
https://na.cx/i/z340DGp.gif?t=
https://luna.komica
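A defender-side check for the swap described above, written as an added example (not code from the AlienVault post): given a script URL and the body actually served for it, flag bodies from the two analytics URLs that reference the DDoS target hosts named in the post. The analytics URLs and target hosts come from the post; the two sample script bodies are constructed for illustration.

```python
"""Detect a swapped analytics script by the DDoS targets it references.
Added example; the sample bodies below are constructed, not captured."""
import re
from urllib.parse import urlparse

# Analytics URLs the post says the Great Cannon swaps on the fly.
ANALYTICS_URLS = {
    "http://push.zhanzhang.baidu.com/push.js",
    "http://js.passport.qihucdn.com/11.0.1.js",
}

# Hosts of the resources the injected code repeatedly requests, per the post.
TARGET_HOSTS = {
    "lihkg.com", "i.lihkg.com", "na.cx", "i.loli.net", "i.ibb.co",
    "66.media.tumblr.com", "live.staticflickr.com", "i.imgur.com",
}

URL_RE = re.compile(r"https?://[^\s'\"<>()]+")


def classify_script(script_url: str, body: str) -> dict:
    """Classify one (URL, served body) pair, e.g. replayed from a proxy capture.

    A genuine tracker has no reason to name the target hosts; a body served
    from one of the swapped analytics URLs that does is marked suspect.
    """
    hosts = {urlparse(u).hostname for u in URL_RE.findall(body)}
    hits = sorted(h for h in hosts if h in TARGET_HOSTS)
    # The post's target list is GIFs with a "?t=" cache-busting query.
    busting = len(re.findall(r"\.gif\?t=", body))
    suspect = script_url in ANALYTICS_URLS and (bool(hits) or busting > 0)
    return {"url": script_url, "suspect": suspect,
            "target_hosts": hits, "cache_busting_refs": busting}


def scan_capture(pairs):
    """Return the URLs whose served body classify_script marks as suspect."""
    return [r["url"] for r in (classify_script(u, b) for u, b in pairs)
            if r["suspect"]]


# Constructed samples: a benign tracker loader and a swapped body naming targets.
BENIGN = ("(function(){var s=document.createElement('script');"
          "s.src='http://push.zhanzhang.baidu.com/push.js';})();")
SWAPPED = "var t=['http://lihkg.com/','https://na.cx/i/XibbJAS.gif?t='];"
```

Feed it the (URL, body) pairs from a HAR or proxy log rather than fetching live, since only some responses are swapped.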
Sent: Yes
Tags: Tool, Threat


The article does not seem to have been picked up after its publication.


The article does not seem to have been picked up from a previous one.