Kwampirs Targeted Attacks Involving Healthcare Sector – (31st Mar 2020)

Preface: Orangeworm is a group that has targeted organizations in the healthcare sector in the United States, Europe, and Asia since at least 2015.

Synopsis: Why does Kwampirs fall into the “Advanced Persistent Threat (APT)” category?

  • For tradition malware “click and action” attacks. APT attack not condct the similar action. Instead, APT merely do the infiltration on network and communicate with C&C peer daily. asking for updates.
  • The APT malware rare to do the destructive action especially encrypting data. Ask victim to pay the ransome.

About Kwampirs : FBI alert that Kwampirs goal to implant the remote-access Trojan (RAT). His target include organizations that run industrial control systems (ICS), financial services firms, energy companies and healthcare institutions. As a matter of fact, The Kwampirs was used by Orangeworm group as a backdoor Trojan. It has been found on machines which had software installed for the use and control of high-tech imaging devices such as X-Ray and MRI machines in past. So it was not suprising with Cyber security Guru that he return to healthcare industry.

How did Kwampirs infiltrate my computer? There are several ways to distribute Kwampirs. For instance, by using email campaigns, fake software updates, untrustworthy third party software download channels and unofficial software activation tools. So only relies on Yara rules in IDS not a effective solution to avoid this attack. The observation proves that the internal access control of the 3rd party device is one of the effective channel.

Should you have interested of this matter, please refer to URL – https://www.infragard-la.org/wp-content/uploads/2020/02/FLASH-CP-000118-MW-TLP-GREEN-YARA-Rules-to-Identify-Kwampirs-Malware-Employed-in-Ongoing-Cyber-Supply-Chain-Campaign-Targeting-Global-Industries.pdf

By the way, we hope that the corona-virus will disappear in the world as soon as possible.

Apocalypse: Unknown secret plan – project citing Mirai malware and intend to exploit IoT design weakness triggers cyber attack (29th Mar 2020)

Preface: The Greece Myth – During the war against Cronus, the Cyclops gave Lightning Fire to Zeus as weapon. Meanwhile Poseidon received Trident, and Hades achieve Invisible Helmet.

Background: The strategic outsourced concept of IT services not limited to commercial In-house IT team. It is also practiced in intelligence circles.

The group claimed that it is inspired by Mirai. The primary approach of attack is exploit factory default logins and common username/password combinations for IoT devices. Once a password attack was successful, the device would be integrated into the botnet.

Mirai DDoS attack capabilities include SYN flooding, User Datagram Protocol flooding, ACK flooding and HTTP GET, POST and HEAD attacks. Mirai continues to be successful for a well-known reason: Its targets are IoT devices with hardcoded credentials found in a simple web search.

Details: In past decade, even though how was the attack technique you has. Perhaps the destructive power will be limited by society situation. Comparing today, all the people at least has a mobile phone and wireless router at home. The threat actors can conduct a DDoS to web hosting or collaboration service cloud within an hour. The headline news uncovers the contractors of the Russian national secret service FSB was hack which let the world know this conspiracy.

https://twitter.com/campuscodi/status/1241052762852515840?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1241052762852515840&ref_url=https%3A%2F%2Fborncity.com%2Fwin%2F2020%2F03%2F21%2Ffsb-contractor-hacked-iot-hacking-project-discovered%2F

Perhaps this is a alert signal to smart city.

You may be interested of article shown below:

If you are using Adobe Creative Cloud Desktop Application for Windows. You should do the update immediately. 24th Mar 2020

Preface: Maybe the software vendor didn’t disclose it explicitly. But you will be interested review this concept.

Background: Adobe Creative Cloud is a set of applications and services from Adobe Inc. that gives subscribers access to a collection of software used for graphic design, video editing, web development, photography, along with a set of mobile applications and also some optional cloud services. The Creative Cloud desktop application is instralled automatically when you download your first Creative Cloud product. If you have Adobe Application Manager installed, it auto-updated to the Creative Cloud desktop application.

Vulnerability Details: Creative Cloud Desktop Application versions 4.6.1 and earlier have a using components with known vulnerabilities vulnerability. Successful exploitation could lead to arbitrary code execution. As the software vendor did not disclose details. The vulnerability is suspected to come from the synchronization feature. See whether the diagram can provides an hints to you.

Official Announcement https://helpx.adobe.com/security/products/creative-cloud/apsb20-11.html

Microsoft Windows Type 1 font parsing remote code execution vulnerabilities – 23rd Mar 2020

Preface: Make our life easy, just rename or disable it.

Background: Type 1 is a font format which came to market around 1984, together with PostScript and the Apple LaserWriter. Perhaps ATMFD.DLL was first built into Windows 2000. Through observation, this vulnerability was caught by Google project Zero in 2015. Over time, maybe someone has forgotten this. Therefore, the direct method is to disable it.

Impact: Stacks in computing architectures are regions of memory where data is added or removed in a last-in-first-out (LIFO) manner. In most modern computer systems, each thread has a reserved region of memory referred to as its stack. A specially-crafted font that is capable of operating on any data on the thread stack and has all the instructions (including arithmetic, logic, condition, and other instructions) in the Type 1 / Type 2 Charstring instruction set. Official announcement: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200006

Or quick and Dirty: Right-click C:\Windows\System32\atmfd.dll Properties | Security | Advanced | Owner, take ownership. Close dialogs, go back in and give yourself Full Control.

Centreon – Remote code execution can be configured via Poller (18th Mar 2020)

Preface: Centreon Engine allows you to schedule periods of planned downtime for hosts and service that you’re monitoring. So if design weakness occurs in this place. It provides a way to attacker for exploit.

Background: Centreon is an open source IT monitoring solution by Centreon. It is easy to install and you can deploy within minutes.

Vulnerability details: An authenticated user with sufficient administrative rights to manage pollers can use this functionality to execute arbitrary commands remotely. Usually, the miscellaneous commands are used by the additional modules (to perform certain actions), by the scheduler for data processing, etc. Meanwhile, it provides a path for attacker to exploit. Official announcement: No status update yet. But you can receive the updated release note in this place – https://documentation-fr.centreon.com/docs/centreon/en/latest/release_notes/index.html

Perhaps vulnerability might happen in open source in frequent. But I support opensource personally.

Security Focus – CVE-2020-326 – So called New wine in old bottles (18th Mar 2020)

Preface: Cisco SD-WAN Solution Privilege Escalation Vulnerability. Sound dangerous but it can only conduct internally. If someone can make it happen. It can elevate privileges to root on the underlying operating system.

Details: Perhaps Cisco fans still remember that a vulnerability encountered on SDWAN on Jun 2019. I presumably there may be similarities to this matter. The official announcement said An attacker could exploit this vulnerability by sending a crafted request to an affected system. A successful exploit could allow the attacker to gain root-level privileges. The details happened on June 2019 shown as below:

Cisco official announcement – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwpresc-ySJGvE9

Other than that perhaps you will be interested of other vulnerabilities found on SDWAN

Buffer overflow – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwanbo-QKcABnS2

Command Injection – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwclici-cvrQpH9v

Outline the definition of data breach law in five major U.S. population areas – Mar 2020

Preface: For those who conducting Ransomware attack to another person may be considered a data breach under federal or state law. While attempting to unlock and save its data, a victim of a ransomware attack may have an obligation to enact its data breach protocol and notify individuals whose data is affected by the attack.

Perhaps cybersecurity experts will focus on design weaknesses, including the circumstances under which data breaches can occur. We all know that the GDPR brings the subject of data privacy to court. The fine will be based on the actual situation. But GDPR regulations are valid in European countries. What about the United States of America?

About who must obey the law:

New York (N.Y. Gen. Bus. Law § 899-AA, N.Y. State Tech. Law 208)- https://www.nmlegis.gov/Sessions/17%20Regular/final/HB0015.pdf

California (Cal. Civ. Code §§ 1798.29, 1798.82) – http://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.82

Illinois (815 ILCS §§ 530/1 to 530/25) – http://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=2702&ChapAct=815%C2%A0ILCS%C2%A0530/&ChapterID=67&ChapterName=BUSINESS+TRANSACTIONS&ActName=Personal+Information+Protection+Act

Texas (Tex. Bus. & Com. Code §§ 521.002, 521.053) – https://statutes.capitol.texas.gov/Docs/BC/htm/BC.521.htm#521.002

Arizona (Ariz. Rev. Stat. § 18-545) – https://www.azleg.gov/viewDocument/?docName=http://www.azleg.gov/ars/18/00545.htm

Pennsylvania (73 Pa. Stat. §§ 2301 et seq) – https://govt.westlaw.com/pac/Browse/Home/Pennsylvania/UnofficialPurdonsPennsylvaniaStatutes?guid=N9B3F41908C4F11DA86FC8D90DD1949D4&originationContext=documenttoc&transitionType=Default&contextData=(sc.Default)

Security Focus – Local Privilege escalation vulnerability in Cortado Thinprint (CVE-2020-3948) – 12thMar2020

Preface: ThinPrint technology offload the print burden on all virtual and physical desktops, and keeps all client hardware free of printer drivers.

Background: VMware Workstation is a type 2 hypervisor. Type 2 hypervisors are essentially treated as applications because they install on top of a server’s OS. If the host gets cracked, the hypervisor gets cracked. If the hypervisor gets cracked, it depends on the host will have vulnerability let hacker to be use. From technical point of view, it is difficult but it may possible.

Vulnerability details: Linux Guest VMs running on VMware Workstation (15.x before 15.5.2) and Fusion (11.x before 11.5.2) contain a local privilege escalation vulnerability due to improper file permissions in Cortado Thinprint. Local attackers with non-administrative access to a Linux guest VM with virtual printing enabled may exploit this issue to elevate their privileges to root on the same guest VM. For the details of attack. Please refer to diagram.

Official announcement https://www.vmware.com/security/advisories/VMSA-2020-0004.html

For my imagination only – Mona Lisa smile – Mar 2020

In order to prevent people know the information, Da Vinci use wrote backwards handwriting. Also known as mirror-writing, where the words appear as normal when seen with a mirror.

Modern people know very little about Da Vinci’s early life, and he only recorded two childhood story. This happened during Da Vinci’s expedition in the mountains. Da Vinci discovered a cave during his expedition. He was afraid that there would be some huge monster lurking in the cave, but he was driven by curiosity and wanted to know what was inside. When he walked into the cave and found a huge unknown object lying quietly in the cave, Da Vinci was shocked. Later, several non man kind emerged from the unknown object, and they imparted knowledge to Da Vinci. Before he pass away, Da Vinci spend decade to finish his Arts work. It is the famous Mona Lisa smile.

I can seen the cave in his art work. How about you?

When we received the SMB V3 failure message from Microsoft on March 11, 2020, Citrix actually hinted to its customers in early September last year.

Preface: Microsoft has released a security advisory to address a remote code execution vulnerability (CVE-2020-0796) in Microsoft Server Message Block 3.1.1 (SMBv3) on 11th Mar 2020.

Vulnerability details: A remote attacker can exploit this vulnerability (CVE-2020-0796) to take control of an affected system. A “potentially wormable” vulnerability exists in SMBv3 and specifically the compression. Citrix already hints that SMB3 has design limitation occurs (see below):

CIFS compression—CIFS connections are compressed automatically whenever they meet the requirements for CIFS protocol acceleration. In addition, SMB3 connections are compressed when unsigned and unsealed.

Why is it dangerous? SMB Signing is a feature through which communications using SMB can be digitally signed at the packet level. Digitally signing the packets enables the recipient of the packets to confirm their point of origination and their authenticity. This security mechanism in the SMB protocol helps avoid issues like tampering of packets and “man in the middle” attacks.

Remedy solution by Microsoft – https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/adv200005