Why US Homeland security urge to public stay alert of the vulnerability on DrayTek Devices? 3rd April 2020

Preface: A conspiracy was leaked this week, someone ambitious to spying the world.

Details: The espionage activities will be exploit computer technology as 1st approach in today. It is merely relies on design weakness. Yes, it is the vulnerability. When I read the conspiracy details, I was wonder that if the formulation of this design (see attached diagram) goals to do a DDoS. Perhaps this is no a perfect way. However when US Homeland security urge to US citizen staying alert of the vulnerability found in DrayTek Devices. As everyone knows, today’s Tor network cannot perfectly hide the whereabouts of hackers. Because law enforcement already shutdown the proxy servers on the network. Besides, attacker also worries that does the proxy server has monitoring function. From attacker view point, they should perfectly hide itself. Refer to attached diagram, the new formulation of botnet technique will be exploited the new vulnerability found on IoT as a component. It looks like a plug-in module.

There are two types of operating system that sit under the SDK. Low cost and lower specification routers will select the RTOS. Since low end router cannot fulfill their requirement. Perhaps the VPN Router is the correct target because when compromised VPN router form a bot net group can compensate the current resources outage in Tor network.

Immediate action: Multiple vulnerabilities have been discovered in DrayTek devices which could allow for arbitrary code execution. If you are customer of DrayTek. Please do the upgrade immediately. https://www.draytek.com/about/security-advisory/vigor3900-/-vigor2960-/-vigor300b-router-web-management-page-vulnerability-(cve-2020-8515)

Marriott says 5.2 million guest records were stolen in another data breach, said Marriott. 31st Mar 2020

Preface: Perhaps this is not the key factor causes data breach on Jan 2020. But the sound can tell.

Observation: It is believed that a new round of data breaches by Marriott this week has attracted attention. Maybe the hotel industry will run within 24 hours. Do maintenance or system upgrade is not easy. We only look at the homepage of Marriott’s “Member Credit Card Rewards”. Found a vulnerable “jquery” still in operation. From attacker point of view, such hints similar give him an indication that this web site may have more space for exploitation. As we know, jQuery(version 1.11.3) which has XSS vulnerability found on March, 2017. Why still valid in an enterprise web site. The root cause is hard to tell. May be it is a extend legacy web application. I think you will be concern the details of official announcement. See below url:


Kwampirs Targeted Attacks Involving Healthcare Sector – (31st Mar 2020)

Preface: Orangeworm is a group that has targeted organizations in the healthcare sector in the United States, Europe, and Asia since at least 2015.

Synopsis: Why does Kwampirs fall into the “Advanced Persistent Threat (APT)” category?

  • For tradition malware “click and action” attacks. APT attack not condct the similar action. Instead, APT merely do the infiltration on network and communicate with C&C peer daily. asking for updates.
  • The APT malware rare to do the destructive action especially encrypting data. Ask victim to pay the ransome.

About Kwampirs : FBI alert that Kwampirs goal to implant the remote-access Trojan (RAT). His target include organizations that run industrial control systems (ICS), financial services firms, energy companies and healthcare institutions. As a matter of fact, The Kwampirs was used by Orangeworm group as a backdoor Trojan. It has been found on machines which had software installed for the use and control of high-tech imaging devices such as X-Ray and MRI machines in past. So it was not suprising with Cyber security Guru that he return to healthcare industry.

How did Kwampirs infiltrate my computer? There are several ways to distribute Kwampirs. For instance, by using email campaigns, fake software updates, untrustworthy third party software download channels and unofficial software activation tools. So only relies on Yara rules in IDS not a effective solution to avoid this attack. The observation proves that the internal access control of the 3rd party device is one of the effective channel.

Should you have interested of this matter, please refer to URL – https://www.infragard-la.org/wp-content/uploads/2020/02/FLASH-CP-000118-MW-TLP-GREEN-YARA-Rules-to-Identify-Kwampirs-Malware-Employed-in-Ongoing-Cyber-Supply-Chain-Campaign-Targeting-Global-Industries.pdf

By the way, we hope that the corona-virus will disappear in the world as soon as possible.

Apocalypse: Unknown secret plan – project citing Mirai malware and intend to exploit IoT design weakness triggers cyber attack (29th Mar 2020)

Preface: The Greece Myth – During the war against Cronus, the Cyclops gave Lightning Fire to Zeus as weapon. Meanwhile Poseidon received Trident, and Hades achieve Invisible Helmet.

Background: The strategic outsourced concept of IT services not limited to commercial In-house IT team. It is also practiced in intelligence circles.

The group claimed that it is inspired by Mirai. The primary approach of attack is exploit factory default logins and common username/password combinations for IoT devices. Once a password attack was successful, the device would be integrated into the botnet.

Mirai DDoS attack capabilities include SYN flooding, User Datagram Protocol flooding, ACK flooding and HTTP GET, POST and HEAD attacks. Mirai continues to be successful for a well-known reason: Its targets are IoT devices with hardcoded credentials found in a simple web search.

Details: In past decade, even though how was the attack technique you has. Perhaps the destructive power will be limited by society situation. Comparing today, all the people at least has a mobile phone and wireless router at home. The threat actors can conduct a DDoS to web hosting or collaboration service cloud within an hour. The headline news uncovers the contractors of the Russian national secret service FSB was hack which let the world know this conspiracy.

Perhaps this is a alert signal to smart city.

You may be interested of article shown below:

If you are using Adobe Creative Cloud Desktop Application for Windows. You should do the update immediately. 24th Mar 2020

Preface: Maybe the software vendor didn’t disclose it explicitly. But you will be interested review this concept.

Background: Adobe Creative Cloud is a set of applications and services from Adobe Inc. that gives subscribers access to a collection of software used for graphic design, video editing, web development, photography, along with a set of mobile applications and also some optional cloud services. The Creative Cloud desktop application is instralled automatically when you download your first Creative Cloud product. If you have Adobe Application Manager installed, it auto-updated to the Creative Cloud desktop application.

Vulnerability Details: Creative Cloud Desktop Application versions 4.6.1 and earlier have a using components with known vulnerabilities vulnerability. Successful exploitation could lead to arbitrary code execution. As the software vendor did not disclose details. The vulnerability is suspected to come from the synchronization feature. See whether the diagram can provides an hints to you.

Official Announcement https://helpx.adobe.com/security/products/creative-cloud/apsb20-11.html

Microsoft Windows Type 1 font parsing remote code execution vulnerabilities – 23rd Mar 2020

Preface: Make our life easy, just rename or disable it.

Background: Type 1 is a font format which came to market around 1984, together with PostScript and the Apple LaserWriter. Perhaps ATMFD.DLL was first built into Windows 2000. Through observation, this vulnerability was caught by Google project Zero in 2015. Over time, maybe someone has forgotten this. Therefore, the direct method is to disable it.

Impact: Stacks in computing architectures are regions of memory where data is added or removed in a last-in-first-out (LIFO) manner. In most modern computer systems, each thread has a reserved region of memory referred to as its stack. A specially-crafted font that is capable of operating on any data on the thread stack and has all the instructions (including arithmetic, logic, condition, and other instructions) in the Type 1 / Type 2 Charstring instruction set. Official announcement: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200006

Or quick and Dirty: Right-click C:\Windows\System32\atmfd.dll Properties | Security | Advanced | Owner, take ownership. Close dialogs, go back in and give yourself Full Control.

Centreon – Remote code execution can be configured via Poller (18th Mar 2020)

Preface: Centreon Engine allows you to schedule periods of planned downtime for hosts and service that you’re monitoring. So if design weakness occurs in this place. It provides a way to attacker for exploit.

Background: Centreon is an open source IT monitoring solution by Centreon. It is easy to install and you can deploy within minutes.

Vulnerability details: An authenticated user with sufficient administrative rights to manage pollers can use this functionality to execute arbitrary commands remotely. Usually, the miscellaneous commands are used by the additional modules (to perform certain actions), by the scheduler for data processing, etc. Meanwhile, it provides a path for attacker to exploit. Official announcement: No status update yet. But you can receive the updated release note in this place – https://documentation-fr.centreon.com/docs/centreon/en/latest/release_notes/index.html

Perhaps vulnerability might happen in open source in frequent. But I support opensource personally.

Security Focus – CVE-2020-326 – So called New wine in old bottles (18th Mar 2020)

Preface: Cisco SD-WAN Solution Privilege Escalation Vulnerability. Sound dangerous but it can only conduct internally. If someone can make it happen. It can elevate privileges to root on the underlying operating system.

Details: Perhaps Cisco fans still remember that a vulnerability encountered on SDWAN on Jun 2019. I presumably there may be similarities to this matter. The official announcement said An attacker could exploit this vulnerability by sending a crafted request to an affected system. A successful exploit could allow the attacker to gain root-level privileges. The details happened on June 2019 shown as below:

Cisco official announcement – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwpresc-ySJGvE9

Other than that perhaps you will be interested of other vulnerabilities found on SDWAN

Buffer overflow – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwanbo-QKcABnS2

Command Injection – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwclici-cvrQpH9v

Outline the definition of data breach law in five major U.S. population areas – Mar 2020

Preface: For those who conducting Ransomware attack to another person may be considered a data breach under federal or state law. While attempting to unlock and save its data, a victim of a ransomware attack may have an obligation to enact its data breach protocol and notify individuals whose data is affected by the attack.

Perhaps cybersecurity experts will focus on design weaknesses, including the circumstances under which data breaches can occur. We all know that the GDPR brings the subject of data privacy to court. The fine will be based on the actual situation. But GDPR regulations are valid in European countries. What about the United States of America?

About who must obey the law:

New York (N.Y. Gen. Bus. Law § 899-AA, N.Y. State Tech. Law 208)- https://www.nmlegis.gov/Sessions/17%20Regular/final/HB0015.pdf

California (Cal. Civ. Code §§ 1798.29, 1798.82) – http://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.82

Illinois (815 ILCS §§ 530/1 to 530/25) – http://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=2702&ChapAct=815%C2%A0ILCS%C2%A0530/&ChapterID=67&ChapterName=BUSINESS+TRANSACTIONS&ActName=Personal+Information+Protection+Act

Texas (Tex. Bus. & Com. Code §§ 521.002, 521.053) – https://statutes.capitol.texas.gov/Docs/BC/htm/BC.521.htm#521.002

Arizona (Ariz. Rev. Stat. § 18-545) – https://www.azleg.gov/viewDocument/?docName=http://www.azleg.gov/ars/18/00545.htm

Pennsylvania (73 Pa. Stat. §§ 2301 et seq) – https://govt.westlaw.com/pac/Browse/Home/Pennsylvania/UnofficialPurdonsPennsylvaniaStatutes?guid=N9B3F41908C4F11DA86FC8D90DD1949D4&originationContext=documenttoc&transitionType=Default&contextData=(sc.Default)

Security Focus – Local Privilege escalation vulnerability in Cortado Thinprint (CVE-2020-3948) – 12thMar2020

Preface: ThinPrint technology offload the print burden on all virtual and physical desktops, and keeps all client hardware free of printer drivers.

Background: VMware Workstation is a type 2 hypervisor. Type 2 hypervisors are essentially treated as applications because they install on top of a server’s OS. If the host gets cracked, the hypervisor gets cracked. If the hypervisor gets cracked, it depends on the host will have vulnerability let hacker to be use. From technical point of view, it is difficult but it may possible.

Vulnerability details: Linux Guest VMs running on VMware Workstation (15.x before 15.5.2) and Fusion (11.x before 11.5.2) contain a local privilege escalation vulnerability due to improper file permissions in Cortado Thinprint. Local attackers with non-administrative access to a Linux guest VM with virtual printing enabled may exploit this issue to elevate their privileges to root on the same guest VM. For the details of attack. Please refer to diagram.

Official announcement https://www.vmware.com/security/advisories/VMSA-2020-0004.html