My speculation on how Cisco (Talos) found the malware (VPNFilter malware).

Preface:

Using Big Data and data mining methods to predict attacks before they happen,the Cisco Umbrella Security Research team built such detection framework.

Point of view:

a. Vulnerability routers are vulnerable to Shell Metacharacters Attack

Regarding to the observation result of Cisco Talos security team. There are group of router devices are vulnerable. They are Linksys, MikroTik, Netgear, and TP-Link, as well as QNAP network-attached storage (NAS) devices. I am not going to repeat the attack details because nobody will be describe as clear as Cisco findings (see below url for reference)

https://blog.talosintelligence.com/2018/05/VPNFilter.html

However a hints given to me that they are all vulnerable for Shell Metacharacters attack. What is Shell Metacharacters attack? A metacharacter is a character that has a special meaning (instead of a literal meaning) to a computer program, such as a shell interpreter or a regular expression engine. … Otherwise, the parenthesis, plus-sign, and asterisk will have a special meaning. In the sense that those routers containes design weakness may let the router misbehave. For instance it accept arbitrary command execution through shell metacharacters in a URL.

b. Behavioral Analysis discovered adnormal traffic pattern

There are design weakness of modbus protocol. Basically modbus is a an application layer protocol. However the MODBUS/TCP protocol implementation contains multiple vulnerabilities that could allow an attacker to perform reconnaissance activity or issue arbitrary commands.

  1. All MODBUS messages are transmitted in clear text across the transmission media.
  2. There are no integrity checks built into the MODBUS application protocol. As a result, it depends on lower layer protocols to preserve integrity.
  3. There is no authentication at any level of the MODBUS protocol. One possible exception is some undocumented programming commands.
  4. MODBUS/TCP consists of short-lived transactions where the master initiates a request to the slave that results in a single action. When combined with the lack of authentication and poor TCP initial sequence number (ISN) generation in many embedded devices, it becomes possible for attackers to inject commands with no knowledge of the existing session.

Regarding to item no.1 design weakness. The SCADA system vendor will be recommend client make use of VPN tunnel to encrypted the traffic for remediation. Whereby hacker created working directory (/var/run/vpnfilterw) in compromised router to record the modbus traffic. And therefore user credential will be found by hacker.

c. Compromised routers and NAS transform to weaponize tool

Cisco statiscally calculate there are estimated 500,000 devices has been compromised. A hints highlights by security expert that attacker creates a configuration file in /var/run/torrc and a working directory in /var/run/tord. A evasion of detection mechanism technique since it is a encrypted communication. The command and control server is able to drive the compromised router to start the cyber attack to nuclear power facilities. Refer to above four itemd of modbus vulnerbilities. The QNAP network-attached storage (NAS) will be transform become a attack tool. The kernel of NAS contains linux command is able to use it. For instance execute a nping command craft packet to bother the nuclear facility. Meanwhile the hacker is able to install python or php library with script to execute the attack (Reference to above item number 4).

Summary:

In the meantime, we are waiting for more information provided by Cisco.Perhaps attackers engage the attack. No news is good news, agree, Right?

Anything updating will keep you posted.

— End —

 

Vulnerabilities – Waiting for vendor response – 23rd May 2018

The cyber attacks are wreak havoc today. In order to protect the power facility, water supply, Gas supply and petroleum industry daily operations. The SCADA control system vendor implemented security control in their system infrastructure. However when vulnerabilities encounter on their products. The remediation step of the vendor response sometimes not in effecient. For instance, Advantech one of the key player of SCADA WebAccess. But it lack of motivation to drive the remedation solution on their products. There is no official announcement how to do the remedation on their products so far. Vulnerabilities are shown as below:

CVE-2018-7499 – buffer overflow vulnerabilities which may allow an attacker to execute arbitrary code
CVE-2018-7503 – a path transversal vulnerability which may allow an attacker to disclose sensitive
CVE-2018-7505 – information on the target TFTP application has unrestricted file uploads to the web application without authorization, which may allow an attacker to execute arbitrary code.
CVE-2018-10591 – allow an attacker can create a malicious web site, steal session cookies, and access data of authenticated users.
CVE-2018-10590 – exposure vulnerability through directory listing has been identified, which may allow an attacker to find important files that are not normally visible.
CVE-2018-10589 – WebAccess Scada Node versions prior to 8.3.1, and WebAccess/NMS 2.0.3 and prior, a path transversal vulnerability has been identified, which may allow an attacker to execute arbitrary code.
CVE-2018-7497 – several untrusted pointer dereference vulnerabilities have been identified, which may allow an attacker to execute arbitrary code.
CVE-2018-8845 – a heap-based buffer overflow vulnerability has been identified, which may allow an attacker to execute arbitrary code.
CVE-2018-7495 – an external control of file name or path vulnerability has been identified, which may
CVE-2018-8841- allow an attacker to delete files.
an improper privilege management vulnerability may allow an authenticated user to modify files when read access should only be given to the user.
CVE-2018-7501 – several SQL injection vulnerabilities have been identified, which may allow an attacker to disclose sensitive information from the host.

21 May 2018 – CPU hardware utilizing speculative execution may be vulnerable to cache side-channel attacks

Regarding to the subject matter, please refer to below url for reference.

Q2 2018 Speculative Execution Side Channel Update

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00115.html

Vulnerability of Speculative Processors to Cache Timing Side-Channel Mechanism

https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability

Quick look in virtual machine Zone (CVE-2018-8897) – 05/18/2018

Technology world is a challengeing zone. The key word “rest” looks do not apply to system developer, application programmer and IT expert! I re-call the vulnerability (CVE-2018-8897) to review. It ennounced by security experts for week ago. Perhaps you have full understanding. However no harm in my view point to do the review since it is important. I have time to drill down the detail and visualize my standpoint. This CVE subject mainly focus mishandling of assembler command syntax by system developer since they overlook some advice by CPU vendor. In short the issue is that if the instruction following the MOV to SS or POP to SS instruction is an instruction like SYSCALL, SYSENTER, INT 3, etc. that transfers control to the operating system at CPL < 3, the debug exception is delivered after the transfer to CPL < 3 is complete. OS kernels may not expect this order of events and may therefore experience unexpected behavior when it occurs. So the focus will be go to virtual machine world. Yes, we are a cloud computing world in the moment. For more details, please refer below url for reference.

https://nvd.nist.gov/vuln/detail/CVE-2018-8897

Software design limitation causes hardware Involved software Attacks – Shanghai 2345 Network

Shanghai 2345 Network major business focusing Mainland China. This companyprovides Internet access platforms. It provides 2345 Website navigation that facilitates users to find their own needs of the site entrance, as well as provides weather forecasts, practical inquiries, commonly used software download, e-mail login, search engine portal, online collection, and other Internet common service; 2345 Accelerated browser, a computer software; mobile applications; and 2345 Loan King, an Internet credit platform.However there are vulnerabilties found on their Security Guard 3.7 software. Regarding to the vulnerabilities, it is better to uninstall this software. It looks strange that the official website still have ver 3.7 software available to download. Besides, it without any security alert to customer. If you visit the official website today, the latest software update issued on 20th April 2018. Nothing to do or remediation. Strange!

Official web site shown as below:

http://safe.2345.cc/log.htm

Remark: Due to market demand and general ease of access, the efforts have been primarily focused around client software, effectively limiting kernel code coverage to a few generic syscall and IOCTL fuzzers.

May 18, 2018 – ISC Releases Security Advisories for BIND

ISC Releases Security Advisories for BIND on May 18, 2018. This alert awaken my defense thinking. I was written few articles about the electronic war and the cyber arsenal. But forgot to contains a scenario which annoucned by ISC today (Security Advisories for BIND). Regarding to to the subject (ISC Releases Security Advisories for BIND) indeed described a hacking scenario who focus to doing bad things to the world (distrubuted deniel of services to worldwide DNS services). It is not difficult to understand the way. The method is CVE-2018-5737 + CVE-2018-5736.

Such cyber attack on phase 1 is one to many distribution (Initiating a Zone Transfer), then execute vulnerability (CVE-2018-5737) . As a result the smartphone, server and workstation all can’t work because no DNS service will be availabe! You can find hints in attached diagram. For more details about the vulnerabilities, please refer below url for references.

CVE-2018-5737: BIND 9.12’s serve-stale implementation can cause an assertion failure in rbtdb.c or other undesirable behavior, even if serve-stale is not enabled.

https://kb.isc.org/article/AA-01606/0

CVE-2018-5736: Multiple transfers of a zone in quick succession can cause an assertion failure in rbtdb.c

https://kb.isc.org/article/AA-01602/0

16th May 2018 – Cisco security update awaken SDLC (software development life cycle) process.

The vulnerabilities occurred so far, it awaken the SDLC (software development life cycle) process. The design bug common appear in development cycle. The bug checker may record in details and put in the report let the decision maker know the actual statis. Project management office member better to use your knowledge learned during PMP or Prince 2 lesson. Don’t let your certificate become a paper!

Default user username cannot be changed looks not strange to IT guy!

Release 1.1.0 – The default username is maglev and cannot be changed.

Release 1.0 – The default username is grapevine and cannot be changed.

Cisco Digital Network Architecture Center Static Credentials Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180516-dnac

May 16, 2018 – Cisco Releases Security Updates

Cisco Releases Security Updates

Original release date: May 16, 2018

  • Digital Network Architecture Center Static Credentials Vulnerability
  • Digital Network Architecture Center Authentication Bypass Vulnerability
  • Digital Network Architecture Center Unauthorized Access Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180516-dna

Enterprise NFV Infrastructure Software Linux Shell Access Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180516-nfvis

Meeting Server Media Services Denial-of-Service Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180516-msms

Identity Services Engine EAP TLS Certificate Denial-of-Service Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180516-iseeap

IoT Field Network Director Cross-Site Request Forgery Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180516-fnd

Published Wednesday, May 16, 2018 – Red Hat Addresses DHCP Client Vulnerability

Red Hat has released security updates to address a vulnerability in its Dynamic Host Configuration Protocol (DHCP) client packages for Red Hat Enterprise Linux 6 and 7. An attacker could exploit this vulnerability to take control of an affected system. See whether below command syntax will be the root cause of this problem?

For more details, please refer below url for reference.

Bug 1567974 – (CVE-2018-1111) – Command injection vulnerability in the DHCP client NetworkManager integration script

https://bugzilla.redhat.com/show_bug.cgi?id=1567974

May 15, 2018 – VMware releases security update. Alert!

VMware just released a security update to address a vulnerability in NSX SD-WAN Edge by VeloCloud. I couldn’t find techincal details but vendor state that VeloCloud by VMware will be removing the web ui component service from the product in future releases. My speculation is that the existing design limitation can merge with former vulnerability (CVE-2017-4947). As a result it cause risk happens. See below hints for reference.

There are two different product editions of NSX: NSX for vSphere and NSX for Multi-Hypervisor (MH). It’s speculated they will merge down the road, but for many possible, or soon to be, users of NSX, it doesn’t matter, because they are used to support different use cases. NSX for vSphere is ideal for VMware environments, while NSX for MH is designed to integrate into cloud environments that leverage open standards, such as OpenStack.

Vulnerability Details for reference:

Unauthenticated Command Injection vulnerability in VMware NSX SD-WAN by VeloCloud

https://www.vmware.com/security/advisories/VMSA-2018-0011.html

CVE-2017-4947: vRealize Automation, vSphere Integrated Containers, and AirWatch Console updates address multiple security vulnerabilities

https://www.vmware.com/security/advisories/VMSA-2018-0006.html