Staying alert of Emotet infection, even though you are a Mac User. Feb 2020

Preface: Apple Mac OS as not as easy to compromised compare with other popular operation system.

Details (A): Emotet is malware originally engineered as a banking Trojan designed to steal sensitive information.
It is a modular malware variant which is primarily used as a downloader for other malware variants such as TrickBot and IcedID. But their design presents challenges for traditional security tools, because it is designed specifically to bypass endpoint solutions. Even Mac computers are no exception.

Details (B): See attached diagram, Emotet keen to infect the computer by email. It traditionally will display several reasons require you to execute next action (clicks on it). As Trojan.Emotet takes over the email accounts of its victims. This helps trick users into downloading the Trojan onto their machine.

Official channel:
What can you do if your MacOS is infected by Emotet?
AppleCare does not provide support for removal of the malware. But customer can go to the Apple Online Store and the Mac App Store for antivirus software options.

Additional: Just do a google search, there are solution everywhere. So, you can make your decision.

Vulnerabilities in VMware (RMI communication in vRealize Operations for Horizon) are also apply for those vendor who is using RMI in Java environment. (20th Feb 2020)

Preface: JMX is often described as the “Java version” of SNMP (Simple Network Management Protocol).

Synopsis: A vulnerability in the Java Management Extensions (JMX) management agent included in the Java Runtime Environment (JRE) may allow a JMX client running on a remote host to perform unauthorized operations on a system running JMX with local monitoring enabled.

Security Focus: CVE-2020-3943 – The vulnerability allows a remote attacker to execute arbitrary code on the target system. The vulnerability exists due to the affected software uses a JMX RMI service which is not securely configured. A remote attacker can execute arbitrary code in vRealize Operations, with the Horizon Adapter running.

Horizon wiki – The Horizon adapter runs on a cluster node or remote collector node in vRealize Operations Manager. You can create a single Horizon adapter instance to monitor multiple Horizon pods. During broker agent configuration, you pair the broker agent with a Horizon adapter instance.

Attack basis: The attacker would have to trick the victim to open a a specially crafted file.

Official announcement:

APT Group attack major focus: time window before release and patched (19th Feb 2020)

Preface: In normal circumstance, the remediation of vulnerabilities is time consumption. Even though Software-based vulnerabilities policy allow up to 90 days for the vendor to provide a patch.

Background: It looks that existing period of time can be happen plenty of matters. So far APT Group have talented and knowledge to discover the defect of the I.T product. Refer to cyber security evaluation report found that the new round of cyber attack for specify APT group will be focusing the SSL VPN products vulnerability. Refer to attached diagram, it shown that at least 3 different products of SSL VPN service encountered vulnerabilities last year (2019).

Our Focus: Perhaps vendor will based on the severity level priority the remedy schedule. This gap can provide such a space to hacker engage cyber attack.

The suspected defect like Sonicwall SSL-VPN. APT Group not difficult to conduct this attack.The memcpy function can be overflow the local buffer. So overwriting EIP and using a rop chain to execute commands is simple.

*Return-oriented programming (ROP) is a computer security exploit technique that allows an attacker to execute code in the presence of security defenses such as executable space protection and code signing.

Hacker exploit Coronavirus Crisis, send scam email to different industries – 18th Feb 2020


a. Attackers disguise their scam email as an official (WHO) alert issued by the Centers for Disease Control Health Alert Network. (Targeting individuals from the United States and the United Kingdom)

b. Attackers disguise their scam email as an alert of Coronavirus status, they are target to shipping industry.

Description: About the attack to shipping industry – Hacker exploit the vulnerability of CVE 2017-11882, perhaps they found that the patch management on the boat not enforce in frequent. And therefore the attack explicitly target shipping industry. About the attack to individuals from the United States and the United Kingdom – WHO urge that if anyone see similar type of scam email. Report to WHO –

The slogan – Do not rush to open a URL or open a email. Take care.

Hong Kong Broadband Network customer staying alert! 17th Feb 2020

Synopsis: The threat actors hidden their email phishing package anywhere. As common we know, email phishing scam foot print are wide in area. But the antivirus and malware solution vendor setup blacklist domain name and content filtering function has reduced the infection ratio of malware and ransomware. It looks that the similar of idea to hunting cyber victim still valid. In my observation, the attacker sometimes will be reuse their technique. This time they store the trap in social media web. Found that the scam activities which mimic Hong Kong Broadband luck draw online program activities is awaken again. I found similar activities on yesterday (16th Feb 2020). Even the VirusTotal repository has only one cybersecurity vendor detected a similar record type. In the sense that they can escape your defense solution.

For more detail, please refer to announcement by HKBN in past.

FIFO project problem tracker – SEND_FILE_WITH_HEADER Use-After-Free (Feb 2020)

Preface: The security of FIDO deployment largely depends on the choice of underlying security subsystems and their implementation.

Background: An ioctl , which means “input-output control” is a kind of device-specific system call. There are only a few system calls in Linux (300-400), which are not enough to express all the unique functions devices may have. So a driver can define an ioctl which allows a userspace application to send it orders.
Samsung’s kernel tree contains two implementations of device-side MTP. One of them (drivers/usb/gadget/function/f_mtp.c), based on its copyright headers,seems to be from Google, but this one is disabled at build time.
The second one is drivers/usb/gadget/function/f_mtp_samsung.c.
Both of them have ioctl handlers that handle the ioctl command SEND_FILE_WITH_HEADER; the Google version runs this handler under a lock, but Samsung version doesn’t hold any locks.

Impact: If the object has been freed and then filled with data controlled by attacker, the EIP/RIP register for x86/x64 architecture or the register for ARM architecture is to be hijacked to injected shellcode and an arbitrary code execution in kernel will be achieved.

Remedy: Waiting for response by vendor

Perhaps you don’t use Internet Explorer, you could still be at risk. Conduct patch install on IE today – 12th Feb 2020

Preface: If you try to open an .MHT file on a computer including Windows 10, or Windows Server 2012 R2 then it will attempt to load the file using Internet Explorer eventhough of the default browser in place!

Security Focus: Microsoft released an emergency security update on Monday (February 10, 2020) to fix a vulnerability in Internet Explorer (IE) designed to alert business customers. This issue occurs because the ‘scripting engine’ fails to properly handle objects in memory. Attackers can exploit this issue by enticing an unsuspecting user of the affected application to view a specially crafted web page.

Remedy: For more details, please refer to official announcement –

2019 – The security protection of Docker, where are they?

Preface: Sysadmin may unintentionally expose a Docker registry service without enforcing proper access control, said Palo Alto Networks.

Background: Easy to deploy, one of the goal of container-based technology. Docker storing image in a managed collection, with standardized methods of identifying, committing, and pulling individual images. With this feature it is equivalent as a image Repositories. It makes Docker so useful is how easy it is to pull ready-to-use images from a Docker’s Central Registry. Meanwhile you can’t share your repository with other because it contains proprietary code or confidential information.

Technical details: Docker-Registry is a simple Python app. Your Registry can develop as a Private Registries. Besides, in some environments, sysadmin can setup the Registry SRV on port 443 and make it accessible on internet (Registry-dot-com). Such services are popular on AWS S3 or Azure.

Key areas of concern: Compromised Containers, mis-configuration & access control.

What we can do? Perhaps we can reference to NIST SP 800-190 application container security guide. URL display as below:

HKMA alerting public of the hsbc phishing email – 6th Feb 2020

Preface: Not the first time heard that cyber criminals mimics email from bank to hunting the victims.

Historical record: HSBC’s “Payment Notification” malware email was discovered in 2018.
These emails are designed to confuse people’s vigilance and use the HSBC brand name to reduce the defensive awareness of email recipients. An “auto-generated” email suggests that you open an attachment to view the payment proposal document.
If you open the attached Microsoft word file, you will be prompted to enable macros. If you do allow, a malicious macro will run in the background, The macro will download and install malware on your computer. I believed that cyber criminals hunting the mobile phone users this round.

Staying alert: For more details, please refer to official announcement for reference.

Learn more about CVE-2019-18634 – sudo vulnerability

Preface: Sudo (substitute user [or superuser] do) is a program used in Unix-like operating systems such as BSD, Mac OS X, and GNU / Linux to allow users to execute programs in a secure manner with special permissions (usually the system Super user).

Highlight: When pwfeedback is set, sudo will provide visual feedback when the user presses a key. This function allows the system to indicate the currently entered character with an asterisk character.

Vulnerability details: In January 2020, CVE-2019-18634 announced a vulnerability that had existed for more than 9 years, pointing out in the pwfeedback feature option. This function allows the system to indicate the currently entered character with an asterisk character. However, after the pwfeedback function is enabled in the sudoer file, it may allow users to trigger a stack buffer overflow attack, allowing users without system management rights, even those not listed in the sudoer file. Users in can be elevated to root account permissions.

Remedy: The bug is fixed in sudo 1.8.31.