Gun and bullet – SMBV1 and Ransomware (Nov 2019)

Preface: Starting from around 2012 the use of ransomware scams has grown internationally.

Background: About 5 days ago, headline news of Bloomberg told that cyber criminals compromised the IT infrastructure for Mexican Petroleum. Meanwhile, hacker hopes to extract nearly $5 million from the company, with a final deadline of 30th November, 2019.

Tremendous incident record: EternalBlue leaked by the Shadow Brokers hacker group on April 14, 2017, one month after Microsoft released patches for the vulnerability. EternalBlue opened the door to one of the nastiest ransomware outbreaks in history, known as WannaCryptor.

Our point of view: Most older NAS devices do not support SMB version 2 or above, even though it can be do a firmware upgrade. But system admin sometimes lack of awareness or running out of labor resources. And therefore remains SMB V1 on the workstation. As a matter of fact, it let the small to medium size enterprise shot by ransomware. Even though manufacturing and petroleum industries you might found SMB v1 still alive in their place. Perhaps this is the story began.

For more information on headline news, please refer –

Interested in this vulnerability CVE-2019-5541?

Preface: As far as I know, VMware announced CVE-2019-5541 on April 2019. But the security update just released two days ago. Perhaps this products not in profitable area. But the flaw awaken quite a lot of people to concerning the weakness in virtual machine design.

Background: VMware Workstation is for Windows/Linux while Fusion is for Intel Based Apple Computers only running Mac OS X 10.4.9 and later.

Type 1 hypervisors are commonly considered bare metal hypervisors, in that the hypervisor code itself runs directly on top of your hardware.
VMware Workstation is an example of a type 2 hypervisor. You can install it on top of an existing instance of Windows (and a number of Linux distributions).

Vulnerability details: VMware workstation and Fusion versions identified as victims to out-of-bounds write vulnerability in the e1000 virtual network adapter. The affected guest may allow to execute a malicious code on the hypervisor.

Supplement: The idea of heap buffer overflow is generally to achieve out-of-bounds write. According to the data of write, there are more specific subdivisions. For more details, please refer to attached diagram.

Official announcement –

CVE-2019-0721, CVE-2019-1397, CVE-2019-1398, CVE-2019-1399 – Hyper-V Remote Code Execution Vulnerabilities

Preface: Virtualization in the virtualization platform. It is definitely a microsystem architecture.

Technical background: Windows Sandbox requires a Type 1 hypervisor. Therefore, to run Sandbox on a virtual machine, nested virtualization must be enabled. Nested virtualization allows running Hyper-V on a virtual machine. In addition, it allows Windows Sandbox to run on a virtual machine.

The Hyper-V vSwitch is a software-defined, layer-2, Ethernet network-traffic switch. It allows administrators to connect VMs to either physical or virtual networks. The adapter for the Hyper-V virtual switch is completely unbound from anything that the Windows Firewall has access to. Packets will pass through it without ever being inspected by the management operating system’s firewall.

Vulnerability details: An attacker could run malicious code on a guest operating system, which could cause the Windows Hyper-V host to execute arbitrary code. For the successful of the attack, hacker will run malicious code on a guest operating system. The attacker can do a escape of the VM sandbox once successful. Meanwhile the victim guest VM could cause the Windows Hyper-V host to execute arbitrary code.

Reference: Official announcement –

The arbitrary code execution (ACE) is on your wrist CVE-2019-8718

Preface: XNU is an operating system kernel developed by Apple Computer for the macOS operating system. It is part of the Darwin operating system. XNU is a hybrid kernel combining the Mach kernel .

Background: IOKit – Gain user-space access to hardware devices and drivers. The IOKit object representing a hub device on the USB bus. It is a subclass of IOUSBDevice. A vulnerable implementation of IOInterruptEventSource on a workloop exists in IOUSBDeviceFamily.

Impact: Attacker can sending an USB control message to a target device exploit the vulnerability which lets the application to execute arbitrary code with kernel privileges.

Current Status:
– Entry added October 29, 2019
– Proof of concept release on 11th Nov 2019

Nov 2019 – malware samples, staying alert!

Preface: The Trojan mostly arrive via email or spread from infected websites that users visit.

Background: U.S. Cyber Command has released seven malware samples. The malware hash shown as below: a2a77cefd2faa17e18843d74a8ad155a061a13da9bd548ded6437ef855c14442 fdb87add07d3459c43cfa88744656f6c00effa6b7ec92cb7c8b911d233aeb4ac 738ba44188a93de6b5ca7e0bf0a77f66f677a0dda2b2e9ef4b91b1c8257da790 04d70bb249206a006f83db39bbe49ff6e520ea329e5fbb9c758d426b1c8dec30 618a67048d0a9217317c1d1790ad5f6b044eaa58a433bd46ec2fb9f9ff563dc6 1ea6b3e99bbb67719c56ad07f5a12501855068a4a866f92db8dcdefaffa48a39 b6811b42023524e691b517d19d0321f890f91f35ebbdf1c12cbb92cda5b6de32

Our observation: VC++ method of injecting code into other programs is popular (see below):

  1. Put your code into a DLL; then use the windows hook to map it to the remote program.
  2. Put your code into a DLL; then use CreateRemoteThread and LoadLibrary to map it to the remote program.
  3. Copy your code directly to the remote program without using a DLL (using WriteProcessMemory)

So, how can you protect yourself against malicious code? Staying alert!

When you receive a word document. Perhaps document contained evasion technique. But you can do a basic health check by yourself. Nov 2019

Preface: Hot topic in the city this week perhaps is uncover the secret of surveillance power.

My focus: Perhaps quite a lot of reader are interested of the program code of the surveillance program ( ). As far as we know, similar of surveillance program infection technique will be relied on email attachment (especially MS word document).

This underground cyber attack method was exposed by Kaspersky on November 5, 2019, and named Dark Universe, literally translating the Dark Universe.
Since this kind of surveillance program sometimes focus on evadsion technique. And therefore the earlier phase of infection do not insists to use the Malicious code . From technical point of view, when you open the word document you can do a health check by yourself on unknown word document.

MS Word document validation method (DIY) – Remove an embedded file or object

1.Open MS word document
2.Select the chart area and press Ctrl+C.
3.Select the location where you want to paste a picture of the chart, press Ctrl+Alt+V, and pick a Picture format.
4.Select the original embedded chart and press Delete.

— End —

Apache solr 8.2.0 remote code execution (nov 2019)

Preface: Apache Solr is an application based on J2EE and uses Lucene libraries internally to provide user-friendly search as well as to generate the indexes.

Background: Apache Solr powers the search and navigation features of many of the world’s largest internet sites.

Vulnerability details: When an attacker can directly access the Solr console, he can make changes to the node’s configuration file by sending a POST request like /nodename/config.

Apache Solr integrates the “VelocityResponseWriter” plugin by default. The “params.resource.loader.enabled” option in the plugin’s initialization parameters is used to control whether the parameter resource loader is allowed to specify template in the Solr request parameter. This option default setting is false. When “params.resource.loader.enabled” is set to true, the user will be allowed to specify the loading of related resources by setting the parameters in the request, which means that the attacker can construct a threatening attack request on the server. A remote code execution will be occurred.

Current status: waiting for CVE reference number

Security focus -malicious cyber activity 1 st November 2019

Preface: U.S Homeland security released a report that urge the public to protect computer facilities to avoid Trojan attack. The Trojan found on 2014 which continuous upgrade itself in last half decade.

Background: Trojan.Hoplight is a Trojan horse that opens a backdoor on the compromised computer. It may also download potentially malicious files.

Security focus: We found quite a lot of malware target 32-bit machine in past.In most cases 32-bit code cannot access the memory of a 64-bit process.
In addition, malware which wishes to run malicious code inside a 64-bit process must, in most cases, be written as a 64- bit application. The HOPLIGHT variant capable to 64-bit machine.This malware artifact a malicious 64bit Windows dynamic library. From technical point of view, such change enhance his capability in modern system platform. Meanwhile, in order to evade antivirus vendor detection through secure gateway (HTTPS-man-in-the middle), they encodes it’s data with XOR Ox47 SUB Ox28 prior to being TLS encrypted. The goal is make it seal and nobody can crack this cipher. As far as we seen, this malware growth up with advanced technique.

Should you have interested to know the details, please refer url.

Oct 2019 – The crisis of Indian nuclear power plant’s

Preface: In fact, of system design weakness, the chances of a hacker getting remote access to systems significantly intensifies.

About Indian nuclear power plant’s network was hacked -They have confirmed its newest nuclear power plant was the victim of a cyber attack, exposing the vulnerability of one of the country’s most critical sectors to cyber espionage, said the government of India.

Current status: As mentioned in the headline news, cyber attack happened in Indian nuclear power plant is unplanned. Perhaps it did not involve any hostile country conspiracy. However we found quite a lot of cyber defense vendor could not detect such malware. In reference to the status shown in VirusTotal on 31st Oct 2019 (Asia time).

For more details about this accident, please refer url:

past history, new attacks (cve-2015-0008) – 28th Oct 2019

Preface: Microsoft will be ending support for Windows 7 and Server 2008 on January 14, 2020. This means no more security patching and no more support from Microsoft.

Vulnerability details: Found design flaw on 2015. Microsoft Windows Group Policy could allow a remote attacker to take complete control of the system, caused by improper application of policy data. By social engineering attacks to convinces a privileges user with domain-configured system to connect to an attacker-controlled network, an attacker could exploit this vulnerability to execute arbitrary code and take complete control of the system.

Current status: Microsoft Windows Server 2012 suffers from a Group Policy remote code execution vulnerability.

Proof of concept release on 29th October 2019. The exploit code targets vulnerable systems in order to modify registry keys to disable SMB signing, achieve SYSTEM level remote code execution (AppInit_DLL) and a user level remote code execution (Run Keys).

Perhaps this vulnerability without any significant impact to MS product in the moment. But information security expert should be take care of this issue.