When you receive a Word document, it may contain an evasion technique. But you can do a basic health check on it yourself. Nov 2019

Preface: The hot topic in town this week is perhaps uncovering the secret of surveillance power.

My focus: Quite a lot of readers are probably interested in the program code of the surveillance program (sigs.py). As far as we know, this kind of surveillance program relies on email attachments (especially MS Word documents) as its infection technique.

This underground cyber attack method was exposed by Kaspersky on November 5, 2019, under the name Dark Universe.
Since this kind of surveillance program focuses on evasion techniques, the early phase of infection does not necessarily rely on malicious macro code; the payload can sit in an embedded file or object instead. From a technical point of view, when you open an unknown Word document you can therefore do a health check on it yourself.

MS Word document validation method (DIY) – Remove an embedded file or object

1. Open the MS Word document.
2. Select the chart area and press Ctrl+C.
3. Select the location where you want to paste a picture of the chart, press Ctrl+Alt+V, and pick a Picture format.
4. Select the original embedded chart and press Delete.
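The manual steps above remove one embedded object by turning it into a picture. For a document you do not trust, it is worth first listing everything the file embeds or references before it is opened at all. The script below is an added example (not from the original post and not the Dark Universe tooling): it treats the .docx as the OOXML zip package it is, flags embedded objects (and sniffs whether they are OLE containers or PE executables), VBA macro storage, and external relationships such as a remote attached template. The sample document it builds is constructed in memory for illustration and is not a real attack file.

```python
"""Offline health check of a .docx: list embedded objects, macros and external
references before trusting the document. Added example; the sample document
built below is constructed for illustration and is not a real attack file."""
import io
import zipfile
from xml.etree import ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # Compound File Binary (OLE) header


def inspect_docx(data: bytes) -> dict:
    """Walk the OOXML package and report anything that can carry a payload."""
    findings = {"embedded": [], "macros": False, "ole_rels": [], "external": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.lower().endswith("vbaproject.bin"):     # VBA macro storage
                findings["macros"] = True
            if name.startswith("word/embeddings/") and not name.endswith("/"):
                head = zf.read(name)[:8]
                if head.startswith(b"MZ"):
                    kind = "PE executable"
                elif head.startswith(OLE_MAGIC):
                    kind = "OLE compound file"
                else:
                    kind = "unknown"
                findings["embedded"].append((name, kind))
            if name.endswith(".rels"):                      # relationship parts
                root = ET.fromstring(zf.read(name))
                for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                    rtype = rel.get("Type", "").replace(OFFICE_REL, "")
                    target = rel.get("Target", "")
                    if rtype in ("oleObject", "package"):
                        findings["ole_rels"].append((name, target))
                    # External targets other than plain hyperlinks (e.g. a remote
                    # attachedTemplate) are fetched by Word when the file opens.
                    if rel.get("TargetMode") == "External" and rtype != "hyperlink":
                        findings["external"].append((name, rtype, target))
    return findings


def is_clean(findings: dict) -> bool:
    """True only when nothing embedded, no macros and no external references."""
    return not (findings["embedded"] or findings["macros"]
                or findings["ole_rels"] or findings["external"])


def build_sample_docx(with_payload: bool = True) -> bytes:
    """Construct a minimal .docx in memory; with_payload adds one embedded OLE
    object and one external template reference (both constructed, not real)."""
    doc_rels = [f'<Relationship Id="rId1" Type="{OFFICE_REL}settings" Target="settings.xml"/>']
    settings_rels = []
    if with_payload:
        doc_rels.append(f'<Relationship Id="rId2" Type="{OFFICE_REL}oleObject" '
                        'Target="embeddings/oleObject1.bin"/>')
        settings_rels.append(f'<Relationship Id="rId1" Type="{OFFICE_REL}attachedTemplate" '
                             'Target="http://example.invalid/template.dotm" TargetMode="External"/>')

    def rels(items):
        return f'<Relationships xmlns="{REL_NS}">' + "".join(items) + "</Relationships>"

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/settings.xml", "<settings/>")
        zf.writestr("word/_rels/document.xml.rels", rels(doc_rels))
        zf.writestr("word/_rels/settings.xml.rels", rels(settings_rels))
        if with_payload:
            zf.writestr("word/embeddings/oleObject1.bin", OLE_MAGIC + b"\x00" * 56)
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("clean", build_sample_docx(False)), ("suspicious", build_sample_docx(True))):
        f = inspect_docx(doc)
        print(label, "->", "clean" if is_clean(f) else "REVIEW", f)
```

Run it against a real file with `inspect_docx(open("unknown.docx", "rb").read())`. Anything listed under embedded, ole_rels or external deserves a look before the document is opened in Word; a file that is not a zip at all (legacy .doc) needs a different, OLE-level inspection.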

— End —

Apache Solr 8.2.0 remote code execution (Nov 2019)

Preface: Apache Solr is a J2EE-based application that uses the Lucene libraries internally to provide user-friendly search as well as to generate the indexes.

Background: Apache Solr powers the search and navigation features of many of the world’s largest internet sites.

Vulnerability details: When an attacker can directly reach the Solr admin interface, he can modify a core's configuration by sending a POST request to that core's Config API endpoint (/solr/<core>/config).

Apache Solr integrates the "VelocityResponseWriter" plugin by default. The "params.resource.loader.enabled" option in the plugin's initialization parameters controls whether the parameter resource loader may take a template from the Solr request parameters. This option defaults to false. When "params.resource.loader.enabled" is set to true (for example through the Config API request above), a requester is allowed to supply the template to be rendered in the request parameters themselves, so an attacker can construct a request carrying a crafted template and have the server execute it. The result is remote code execution.
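To turn the description above into something an operator can check, the following added example (not Solr project code and not taken from the original post) audits three things: a core's live configuration as returned by the Config API, a Config API request body that would switch the loader on, and request lines that select the velocity writer while passing a template inline. The JSON layout {"config": {"queryResponseWriter": {...}}} is assumed to match what GET /solr/<core>/config returns; the config documents and request lines are constructed samples.

```python
"""Audit helpers for the Solr VelocityResponseWriter issue described above.
Added example: the config documents and request lines are constructed samples,
and the Config API JSON layout ({"config": {"queryResponseWriter": {...}}}) is
assumed to match what GET /solr/<core>/config returns."""
from urllib.parse import parse_qs, urlsplit

VELOCITY_CLASS = "solr.VelocityResponseWriter"


def _is_true(value) -> bool:
    """Solr config values arrive as booleans or as the strings "true"/"false"."""
    return value is True or str(value).strip().lower() == "true"


def risky_velocity_writers(config: dict) -> list:
    """Return writer names that let a request supply its own Velocity template."""
    writers = config.get("config", {}).get("queryResponseWriter", {})
    risky = []
    for name, spec in writers.items():
        if not isinstance(spec, dict):
            continue
        if spec.get("class") == VELOCITY_CLASS and \
                _is_true(spec.get("params.resource.loader.enabled", False)):
            risky.append(name)
    return risky


def config_api_request_turns_on_loader(body: dict) -> bool:
    """True if a Config API body would add/alter a Velocity writer with the loader on."""
    for key in ("add-queryresponsewriter", "update-queryresponsewriter"):
        spec = body.get(key)
        if isinstance(spec, dict) and spec.get("class") == VELOCITY_CLASS \
                and _is_true(spec.get("params.resource.loader.enabled", False)):
            return True
    return False


def suspicious_velocity_request(url: str) -> bool:
    """Flag a request that selects the velocity writer and passes a template inline."""
    qs = parse_qs(urlsplit(url).query)
    if "velocity" not in [v.lower() for v in qs.get("wt", [])]:
        return False
    return any(k.startswith("v.template") for k in qs)


# Constructed samples: the weak setting beside the corrected one.
WEAK_CONFIG = {"config": {"queryResponseWriter": {
    "velocity": {"class": VELOCITY_CLASS, "template.base.dir": "",
                 "solr.resource.loader.enabled": "true",
                 "params.resource.loader.enabled": "true"}}}}
SAFE_CONFIG = {"config": {"queryResponseWriter": {
    "velocity": {"class": VELOCITY_CLASS, "params.resource.loader.enabled": "false"}}}}

REQUEST_LINES = [
    "/solr/core1/select?q=*:*&wt=json",
    "/solr/core1/select?q=1&wt=velocity&v.template=custom&v.template.custom=...",
]

if __name__ == "__main__":
    print("weak config risky writers:", risky_velocity_writers(WEAK_CONFIG))
    print("safe config risky writers:", risky_velocity_writers(SAFE_CONFIG))
    for line in REQUEST_LINES:
        print("SUSPECT" if suspicious_velocity_request(line) else "ok     ", line)
```

In practice, feed risky_velocity_writers() the JSON from each core's Config API, run suspicious_velocity_request() over the request paths in the Solr access log, and keep the admin interface and Config API off any network an untrusted party can reach.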

Current status: waiting for CVE reference number

Security focus - malicious cyber activity, 1st November 2019

Preface: U.S. Homeland Security released a report urging the public to protect computer facilities against a Trojan attack. The Trojan was found in 2014 and has kept upgrading itself over the last half decade.

Background: Trojan.Hoplight is a Trojan horse that opens a backdoor on the compromised computer. It may also download potentially malicious files.

Security focus: In the past we found that quite a lot of malware targeted 32-bit machines. In most cases 32-bit code cannot access the memory of a 64-bit process, so malware that wishes to run malicious code inside a 64-bit process must, in most cases, itself be written as a 64-bit application. This HOPLIGHT variant is capable of running on 64-bit machines: the malware artifact is a malicious 64-bit Windows dynamic library. From a technical point of view, this change enhances its capability on modern system platforms. Meanwhile, in order to evade antivirus detection at a secure gateway performing HTTPS man-in-the-middle inspection, it encodes its data with XOR 0x47 and SUB 0x28 before the data is TLS encrypted. The aim is to keep the traffic sealed against anyone inspecting it after TLS termination; note that this is a light obfuscation layer rather than a strong cipher, and an analyst who knows the two constants can decode it trivially. As far as we have seen, this malware keeps growing with more advanced techniques.
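For an analyst looking at the plaintext a TLS-inspecting gateway hands over, the encoding above is a per-byte transform that can be undone directly. The block below is an added example (not the malware's code and not from the CISA report): encode() applies XOR 0x47 then SUB 0x28 per byte as the post describes, decode() inverts it, and recover_keys() brute-forces the (XOR, SUB) pair from a short known plaintext to show why a fixed byte-wise XOR/SUB is obfuscation, not a cipher. The beacon string is constructed for illustration.

```python
"""Decoder for the HOPLIGHT pre-TLS encoding described above (XOR 0x47 then
SUB 0x28 per byte, as stated in the post). Added example, not the malware's
code; the sample message is constructed."""

XOR_KEY = 0x47
SUB_KEY = 0x28


def encode(data: bytes, xor_key: int = XOR_KEY, sub_key: int = SUB_KEY) -> bytes:
    """Malware-side transform: (b XOR xor_key) - sub_key, modulo 256."""
    return bytes(((b ^ xor_key) - sub_key) & 0xFF for b in data)


def decode(data: bytes, xor_key: int = XOR_KEY, sub_key: int = SUB_KEY) -> bytes:
    """Inverse transform for traffic captured after TLS termination."""
    return bytes(((b + sub_key) & 0xFF) ^ xor_key for b in data)


def recover_keys(ciphertext: bytes, known_plaintext: bytes) -> list:
    """Every (xor, sub) pair consistent with a known plaintext prefix.

    The pair (xor ^ 0x80, sub + 0x80) is always returned alongside the true
    key: flipping the top bit is the same as adding 128 modulo 256, so the two
    keys produce identical output and both decode correctly."""
    n = min(len(ciphertext), len(known_plaintext))
    return [(x, s) for x in range(256) for s in range(256)
            if encode(known_plaintext[:n], x, s) == ciphertext[:n]]


# Constructed sample beacon, not real C2 traffic.
SAMPLE = b"HOST=WORKSTATION-7;USER=analyst;PID=4120;OS=64"

if __name__ == "__main__":
    wire = encode(SAMPLE)
    print("on the wire (before TLS):", wire.hex())
    print("decoded:", decode(wire))
    # 16 bytes of guessed structure are enough to pin the constants down.
    print("candidate keys:", [(hex(x), hex(s)) for x, s in recover_keys(wire, SAMPLE[:16])])
```

Detection-wise, the transform preserves byte frequency structure (it is a fixed bijection on bytes), so a known field name in the beacon survives as a fixed byte pattern on the wire once the TLS layer is stripped; that pattern is a usable signature even before the constants are known.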

Should you be interested in the details, please refer to this URL: https://www.us-cert.gov/ncas/analysis-reports/ar19-304a