How much is your personal data worth?

Microsoft Windows Defender has made the world a little safer. A threat actor disguised a malicious file as a legitimate one with the goal of mining cryptocurrency on victims' machines, and Windows Defender killed it within seconds. That is a powerful capability. It also hints to the world that different countries will eventually build their own operating systems. Why? Because nobody wants to be under monitoring all the time.

For more details about this news, please refer to the URL below.

https://www.forbes.com/sites/leemathews/2018/03/08/microsoft-saves-400000-windows-users-from-a-malicious-cryptocoin-miner/#5cc0f2b046a6

Heard that crypto exchange BINANCE faced a 'large scale' theft attempt

I heard a rumour on a discussion website. A victim stated that an unknown, counterfeit cryptocurrency transaction had been submitted from his account. Reading his discussion in retrospect, my feeling is that the problem may not have originated at his endpoint. The victim stated that he noticed a third API key had been created on his account, without IP whitelisting, and that the key was not his. According to the BINANCE exchange client specification, the platform supports a REST API. What if a REST API caching middleware is in use, acting as a reverse proxy between the load balancers and the REST API workers? Is there a way for threat actors to do their dirty tricks in the cache space?
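The question above, worked through as an added example (my own code, not Binance's and not a description of their infrastructure): a toy caching reverse proxy sitting between the load balancer and an authenticated REST API worker. The endpoint paths, API keys, balances and the `X-API-KEY` header name are all constructed for the demo. In the weak configuration the cache key is the URL alone, so the first customer's account response is replayed to the next customer and even to a caller with no API key at all; the hardened configuration varies the key on the credential and refuses to cache a response to an authenticated request unless the origin explicitly marks it public.

```python
"""Added example: a response cache in front of an authenticated REST API.
All endpoints, keys and balances below are constructed for the demo."""
from dataclasses import dataclass, field
import hashlib

# Constructed customers, identified by their API key.
ACCOUNTS = {
    "key-alice": {"owner": "alice", "btc": "0.5"},
    "key-bob": {"owner": "bob", "btc": "12.0"},
}


@dataclass
class Response:
    status: int
    headers: dict
    body: str


def api_worker(method, path, headers):
    """Stand-in for a REST API worker; /account needs a valid API key."""
    key = headers.get("X-API-KEY")  # assumed header name
    if path == "/api/v3/account":
        if key not in ACCOUNTS:
            return Response(401, {"Cache-Control": "no-store"}, "unauthorized")
        acct = ACCOUNTS[key]
        # The worker forgets to mark a per-user response as private.
        return Response(200, {"Cache-Control": "max-age=60"},
                        f"{acct['owner']}:{acct['btc']}")
    if path == "/api/v3/ping":
        return Response(200, {"Cache-Control": "public, max-age=60"}, "pong")
    return Response(404, {"Cache-Control": "no-store"}, "not found")


@dataclass
class CachingProxy:
    """Reverse proxy with an in-memory cache between LB and API workers."""
    key_on_credential: bool = False  # False reproduces the weak setup
    store: dict = field(default_factory=dict)

    def cache_key(self, method, path, headers):
        parts = [method, path]
        if self.key_on_credential:
            # Vary on the credential, hashed so raw keys never sit in the cache.
            cred = headers.get("X-API-KEY", "")
            parts.append(hashlib.sha256(cred.encode()).hexdigest())
        return "|".join(parts)

    def cacheable(self, headers, resp):
        cc = resp.headers.get("Cache-Control", "")
        if "no-store" in cc or "private" in cc:
            return False
        # Hardened rule: an authenticated request's response is cached only
        # when the origin explicitly says it is public.
        if self.key_on_credential and "X-API-KEY" in headers and "public" not in cc:
            return False
        return True

    def get(self, path, headers):
        """Returns (response, served_from_cache)."""
        k = self.cache_key("GET", path, headers)
        if k in self.store:
            return self.store[k], True
        resp = api_worker("GET", path, headers)
        if self.cacheable(headers, resp):
            self.store[k] = resp
        return resp, False


def cross_account_leak(proxy):
    """Alice warms the cache; Bob then asks for his own account."""
    proxy.get("/api/v3/account", {"X-API-KEY": "key-alice"})
    bob, hit = proxy.get("/api/v3/account", {"X-API-KEY": "key-bob"})
    return bob.body, hit


def anonymous_reads_cache(proxy):
    """Alice warms the cache; a caller with no API key at all tries next."""
    proxy.get("/api/v3/account", {"X-API-KEY": "key-alice"})
    anon, hit = proxy.get("/api/v3/account", {})
    return anon.status, anon.body, hit


if __name__ == "__main__":
    for hardened in (False, True):
        label = "hardened" if hardened else "weak"
        print(label, cross_account_leak(CachingProxy(key_on_credential=hardened)),
              anonymous_reads_cache(CachingProxy(key_on_credential=hardened)))
```

The weak proxy hands Bob, and then an anonymous caller, Alice's balance straight from the cache; the hardened one still caches the public `/ping` response but never stores a per-account response, so each key only ever sees its own data. The same split (vary on the credential, and treat "no `public` directive on an authenticated response" as uncacheable) is what to check in any real cache layer in front of an API that takes keys.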

Should you have an interest in this news, please refer to the URL below.

https://www.ft.com/content/58a32050-22aa-11e8-add1-0e8958b189ea

Mar 2018 – A remote attacker could exploit some of these vulnerabilities to take control of an affected Cisco system.

IT vulnerabilities are like a cough or a runny nose: they keep coming back. Medicine, please.

Cisco Prime Collaboration Provisioning Hard-Coded Password Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180307-cpcp

Cisco Secure Access Control System Java Deserialization Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180307-acs2

Cisco Web Security Appliance FTP Authentication Bypass Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180307-wsa

Reminder: Cisco Secure Access Control System

NOTE: This product is no longer being sold and might not be supported.

  • End-of-Life: latest version – 5.8
  • End of Sale – 30-Aug-17
  • End of Software Maintenance – 30-Aug-18
  • End of Support – 31-Aug-20

Since software maintenance ends on 30-Aug-18, check the deserialization advisory above for whether a fixed release is actually available before assuming one exists, and plan the migration to a supported product.

Google has released Chrome version 65.0.3325.146 – use-after-free vulnerability remediation

To be honest, web browser architecture looks messy because of plug-ins, Flash and so on. Google has released Chrome version 65.0.3325.146 for Windows, Mac and Linux. This version addresses vulnerabilities that an attacker could exploit to obtain access to sensitive information. The design flaw looks strange, and I speculate that the Chrome browser shared a previous Flash vulnerability. A "use-after-free" bug does not necessarily require a memory write primitive: the threat actor arranges for the freed object's memory to be reused with attacker-controlled content, for example a forged copy of the virtual function table, so that the next virtual call through the stale pointer is redirected. My comment is the same as NIST's: it is strongly recommended to upgrade Chrome to version 65.0.3325.146. Otherwise it is a nightmare, especially on an enterprise IT campus. The URL below is the official announcement by Google.

https://chromereleases.googleblog.com/2018/03/stable-channel-update-for-desktop.html

Authentication Bypass Vulnerability in Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway – CVE-2018-5314

There is a Cantonese expression, "蝦碌", which roughly means a blooper or blunder. Citrix products have now fallen into this situation. The flaw allows remote attackers to execute a system command or read arbitrary files via the SSH login prompt. From a technical point of view it amounts to an authentication bypass.

In short, the official announcement is at the URL below:

https://support.citrix.com/article/CTX232199

Undetected malware on Android

Preface:

As of 2018-02-01, the official Android Security Bulletin lists the vulnerability details by security patch level.

Start discussion:

ART (Android Runtime) is the successor to Dalvik. Unlike Dalvik, ART introduced ahead-of-time (AOT) compilation, compiling an application's bytecode into native machine code at installation time (from Android 7.0 onwards ART mixes a JIT with profile-guided AOT). According to the Android Security Bulletin for February 2018, Google had received no reports of active customer exploitation or abuse of the reported issues. So why do security experts say the Android smartphone ecosystem is under cyber attack?

Basic understanding of the ART boot sequence (see the diagram below for reference)

Zygote runs as UID 0 (root). After it forks a child process for an app, the child drops privileges: its UID and GID are switched to the app's own IDs through the setuid/setgid family of system calls before any app code runs.

A closer look at steps 4 to 6 of the above diagram (see below)

Software/application installation workflow

We have heard that the Google Play store sometimes contains APKs carrying malicious code, which is one way the Android OS gets compromised. The diagram below shows how Android downloads and installs an application in the normal way.

Lock down

Referring to the information above (three diagrams), we narrow our investigation down to two components.

Zygote – When an application starts, Zygote forks itself and the child becomes the app process with its own VM instance. The core libraries and preloaded classes are already mapped in Zygote, so Zygote and every app share those pages. The sharing is copy-on-write: a page is only copied when the new process tries to modify it.

Even though the core library pages are read-only, this copy-on-write inheritance is exactly what tempts a threat actor to modify the Zygote system process in memory: whatever lives in Zygote is carried into every app forked afterwards.

How does it work? Injected code becomes part of every new process Zygote spawns. If you use Frida to inject into Zygote, however, the agent is left behind when Zygote calls fork() to become the app: technically Frida's code (Frida 9.x) is part of the newly forked child, but no threads survive fork() except the one that called it, so any hooked function would call into Frida code that is in an undefined state.
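The two halves of that point, as an added example of mine rather than Frida's code: a hook patched into a zygote-like parent before fork() is inherited by the child because its memory is shared copy-on-write, but a helper thread started in the parent does not exist in the child; only the thread that called fork() does. The `get_secret` routine, the hook and the helper thread are constructed stand-ins; the child reports what it sees back through a pipe.

```python
"""Added example (not Frida's code): what a forked child inherits from a
zygote-like parent. A hook patched in before fork() survives in the child
because its memory is copied on write, but helper threads do not: only the
thread that called fork() exists in the child."""
import json
import os
import threading


def get_secret():
    """Stand-in for a routine preloaded into the zygote's address space."""
    return "real"


def install_hook():
    """Patch get_secret in the parent; every process forked later inherits it."""
    global get_secret
    original = get_secret

    def hooked():
        return "hooked(" + original() + ")"

    get_secret = hooked


def fork_and_observe():
    """Fork like zygote does and return what the child process sees."""
    read_end, write_end = os.pipe()
    pid = os.fork()
    if pid == 0:  # child: report and exit without running atexit handlers
        os.close(read_end)
        report = {"secret": get_secret(), "threads": threading.active_count()}
        os.write(write_end, json.dumps(report).encode())
        os.close(write_end)
        os._exit(0)
    os.close(write_end)
    data = b""
    while chunk := os.read(read_end, 4096):
        data += chunk
    os.close(read_end)
    os.waitpid(pid, 0)
    return json.loads(data)


def demo():
    """Returns (threads alive in the parent, report from the child)."""
    stop = threading.Event()
    helper = threading.Thread(target=stop.wait, daemon=True)  # "agent thread"
    helper.start()
    install_hook()
    parent_threads = threading.active_count()
    child = fork_and_observe()
    stop.set()
    helper.join()
    return parent_threads, child


if __name__ == "__main__":
    print(demo())  # (2, {'secret': 'hooked(real)', 'threads': 1})
```

The child calls the hooked `get_secret`, so the patch rode through fork(); at the same time it counts a single thread, so any work the hook hands off to the parent's helper thread would go nowhere in the child. That is why instrumenting Zygote itself is unreliable and the spawn-gating approach described next attaches to each app after it has been forked.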

Summarize of the concept

  1. spawn(["com.android.xxx"]) with the package name starts the app suspended, so you can attach and install hooks before resuming it.
  2. Alternatively, enable_spawn_gating() and listen for the spawned signal to catch every process Zygote forks, so its memory can be instrumented early, before the app's own code runs. For more details, please see the reference below.

Reference: Frida (dynamic instrumentation toolkit for developers, reverse engineers and security researchers).

APK – We note that Google scans the apps on the Play store to keep malicious APKs out. Security experts are aware, however, that it is hard to scan an APK that carries a malicious script embedded inside the archive. The example below may be an old-style technique; it is quoted here only for awareness.

Android's ZIP APIs do not prevent directory traversal by default, so an archive entry whose name contains "../" can be injected into the ZIP. When the app (or a library it uses) extracts such an archive, the entry is written outside the intended directory, which gives an arbitrary file write in the context of the app. In the case quoted here, the injected entry wrote inside the app's private data directory, and an arbitrary file write of that kind carries the risk of remote code execution, for example by overwriting code or configuration the app later loads. For instance, Mercury Browser for Android was prone to a directory traversal vulnerability and a security bypass vulnerability; exploiting these issues allows an attacker to bypass security restrictions, perform unauthorized actions, and access, read and execute files. Information harvested may aid in launching further attacks.
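The ZIP trick above, as an added example of mine (not Mercury Browser's code or any real APK): build an archive whose entry name climbs out of the extraction directory, extract it with a naive extractor that trusts the entry name as-is, then with a hardened extractor that canonicalises each target path and rejects anything that lands outside the destination. The entry names and payload bytes are constructed; `.dex` is used only to suggest what such a write typically aims at.

```python
"""Added example: an APK is a ZIP, and a ZIP entry name may contain "../".
Builds such an archive in memory, extracts it naively (escaping the target
directory), then with a hardened extractor that refuses the traversal."""
import io
import os
import tempfile
import zipfile


def build_malicious_apk():
    """Constructed archive: one benign entry and one that climbs out of
    the extraction directory via its name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("assets/config.txt", "benign")
        z.writestr("../../injected.dex", "attacker payload")  # constructed
    return buf.getvalue()


def naive_extract(data, dest):
    """Mirrors an extractor that trusts entry names: plain join, no checks."""
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            target = os.path.join(dest, info.filename)  # no normalisation
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as f:
                f.write(z.read(info))
            written.append(os.path.realpath(target))
    return written


def safe_extract(data, dest):
    """Canonicalise every target and refuse anything outside dest."""
    root = os.path.realpath(dest)
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            target = os.path.realpath(os.path.join(root, info.filename))
            if os.path.commonpath([root, target]) != root:
                raise ValueError(f"path traversal in entry: {info.filename!r}")
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as f:
                f.write(z.read(info))
            written.append(target)
    return written


def escaped_paths(written, dest):
    """Which of the written files ended up outside the destination?"""
    root = os.path.realpath(dest)
    return [p for p in written if os.path.commonpath([root, p]) != root]


def demo():
    """Returns (files the naive extractor wrote outside the app dir,
    whether the hardened extractor rejected the archive)."""
    data = build_malicious_apk()
    with tempfile.TemporaryDirectory() as base:
        app_dir = os.path.join(base, "sandbox", "app")
        os.makedirs(app_dir)
        outside = escaped_paths(naive_extract(data, app_dir), app_dir)
        try:
            safe_extract(data, app_dir)
            rejected = False
        except ValueError:
            rejected = True
    return len(outside), rejected


if __name__ == "__main__":
    print(demo())  # (1, True)
```

The naive path is what gives the attacker the write primitive: the archive decides the file name, so the archive decides the directory. The hardened version resolves the final path first and compares it against the destination root, which also catches symlink tricks that a simple `".." in name` check would miss.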

Recommendation

To avoid unforeseen cyber incidents, below are the recommendations provided by the US federal government.

Federal Mobile Device Security Recommendations

  1. Create a mobile device security framework based on existing standards and best practices.
  2. Bolster Federal Information Security Modernization Act (FISMA) metrics to focus on protecting mobile devices, applications and network infrastructure.
  3. Incorporate mobility into the Continuous Diagnostics and Mitigation program to address the security of mobile devices and applications with capabilities that are similar to those of workstations, servers and other network devices.
  4. Establish a new program in mobile threat information sharing to address mobile malware and vulnerabilities.
  5. Coordinate the adoption and advancement of mobile security technologies into operational programs to ensure that future capabilities include security and defense against mobile threats.
  6. Develop cooperative arrangements and capabilities with mobile network operators to detect and respond to threats.
  7. Create a new defensive security research program to address vulnerabilities in mobile network infrastructure.
  8. Increase active participation by the federal government in mobile-related standards bodies and industry associations.
  9. Develop policies and procedures regarding U.S. government use of mobile devices overseas.

— End of discussion —

Volkswagen Customer-Link App 1.30 CAN Message privilege escalation

Autopilot systems have been rolled out in many countries, and perhaps that is why the topic is hot. You can install a mobile app on your Android phone to keep track of your car's status, thanks to Controller Area Network (CAN bus) technology. A vulnerability found in car automation should not surprise the world, since it is computer technology like any other. This time the design flaw found in an Android app belongs to Volkswagen. An attacker can leverage this vulnerability to inject CAN messages. How does it work?

The messages sent seem to fall into one of three categories. One is informative. Another requests an action from another ECU (Electronic Control Unit). The final type is diagnostic. For details, please refer to the URL below.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1170

Is this the cost we are going to pay for automation world?

A never-ending story of Intel CPU design hiccups – the SgxPectre attack

Discussion of the design limitations of Intel Software Guard Extensions (SGX) started at the end of 2017. Security experts focused on software development with the SDK: since enclave code is mainly written in C and C++, it was predicted that it would attract threat actors' interest, and a conference in 2017 focused on that specific issue. Researchers at The Ohio State University (Department of Computer Science and Engineering) found tricks that can be played against SGX enclaves built with the SDK. Perhaps the Meltdown and Spectre incidents overshadowed this issue. Security experts, including myself, woke up this week and started a similar discussion. The attack is called SgxPectre: a Spectre-style speculative-execution attack that leaks enclave secrets. Whatever happens in future, it tells the world that our electronics industry is running too fast, with no business maturity model involved. Yes, we live in a highly competitive market that does not care about long product life cycles, and the end result is hard-to-resolve issues like the situation today. Technical articles for your reference:

SGXPECTRE Attacks:
Leaking Enclave Secrets via Speculative Execution

http://web.cse.ohio-state.edu/%7Ezhang.834/papers/SgxPectre.pdf

Leaking Enclave Secrets via Speculative Execution

https://arxiv.org/pdf/1802.09085.pdf

ISC Releases Security Advisories for DHCP, BIND

US-CERT encourages users and administrators to review ISC Knowledge Base Article.

https://kb.isc.org/article/AA-01565/75/CVE-2018-5732

https://kb.isc.org/article/AA-01562/74/CVE-2018-5734

Perhaps it is out of the end user's control!

What is ISC(Internet Systems Consortium)?

ISC operates the F root server: it enables users around the world to resolve top-level domains such as .com, .uk and .edu through a reliable anycast network with over 125 nodes, hosted at local IXes and on the Cloudflare network, and managed by ISC. Now vulnerabilities have been found in ISC's DHCP and BIND. Is this a warning sign?

Microsoft working with Intel to deliver CPU Microcode Fixes via Windows Updates

News in the cyber world is like a Hollywood celebrity scandal: it cannot hold attention for long and is easily forgotten. Intel learned from experience, and thus invited Microsoft for assistance.

About CPU platforms and Spectre Variant 2 (CVE-2017-5715, "Branch Target Injection"):

I speculate that the technical problem caused by Intel's previous microcode patch was related to the following Windows bug check (the description shown for BAD_POOL_CALLER):

An invalid pool request has been made by the current thread. Typically this is at a bad IRQL level or double freeing the same memory allocation, etc.

KB4090007: Intel microcode updates

Applies to: Windows 10 version 1709; Windows Server, version 1709 (Datacenter, Standard)

https://support.microsoft.com/en-us/help/4090007/intel-microcode-updates