To avoid malware misuse “PACKET_MMAP” function,from Linux environment. CISA Releases Free Detection Tool for Azure/M365 Environment (29th Dec 2020)

Preface: Neither shellcode or shellcode injection have anything to do with shell scripting. It is a sophisticated way of finding a vulnerable spot on the cyber security layer of an organization and exploiting it for malicious purposes.

Background: Azure Sphere is a secured, high-level application platform with built-in communication and security features for internet-connected devices. The platform consists of the integration of hardware built around a secured silicon chip; the Azure Sphere OS (operating system), a custom high-level Linux-based operating system; and the Azure Sphere Security Service, a cloud-based security service….

About “PACKET_MMAP” function: From official article, it illustrated below:
PACKET_MMAP provides a size configurable circular buffer mapped in user space that can be used to either send or receive packets. However a design weakness has occured! The mmap‘ed memory buffer will be filled by the kernel when using PACKET_RX_RING. As a result, the user’s process, it’s enough to mmap a buffer with PROT_READ|PROT_EXEC permissions flags, and let the kernel fill the buffer.

Remedy: Perhaps shellcode injection sometimes can evade your malware protection mechanism. In certain point of view, use SIEM is one of the cost effective solution. Meanwhile, CISA Releases Free Detection Tool for Azure/M365 Environment. Reference link – https://us-cert.cisa.gov/ncas/current-activity/2020/12/24/cisa-releases-free-detection-tool-azurem365-environment

Just heard Whirlpool hit in Nefilim ransomware attack (28th Dec 2020)

Preface: Do you have doubt? For example: Mimikatz tool & Psexec.exe will detected by antivirus. How ransomware disable antivirus?

Technical Reference: Malware can no longer disable Microsoft Defender via the Registry.So it increase the difficulties to evade the defense mechanism. But it still cause great damage. A ransomware wreaked havoc on the digital world.

The most common ransomware attack vectors are:

  • Remote desktop protocol (RDP).
  • Email phishing.
  • Software vulnerabilities.
  • Malicious code hidden on the site
  • Malicious Email Links

How ransomware disable antivirus?

According to the vulnerability in operating system, software application,..etc. For more details, please refer to attached diagram. In additional, hackers exploit a vulnerability in a legitimate (.SYS) driver to gain kernel access will be an additional way. As a result, ransomware installs legitimate driver kill antivirus services.

Headline News: Home appliance giant Whirlpool hit in Nefilim ransomware attack – https://www.bleepingcomputer.com/news/security/home-appliance-giant-whirlpool-hit-in-nefilim-ransomware-attack/

Reminder: For those who are using it (SCO Openserver) 28th Dec 2020

Preface: Today’s web design tools are quite mature, and you can complete large websites without even touching HTML syntax. Maybe the vulnerability can happen in this way!

What’s HTTP Method?
OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, CONNECT

What is the difference between GET and POST?
In HTTP GET Method, it is not allowed to pass data in message-body, because it is GET.
The original POST is to send the form data in the message-body. In addition, multi-part encoding will be used when sending files, and the files and other form fields will be placed in the message-body for sending.

Vulnerability details: It is possible to use various shell metacharacters to inject arbitrary OS commands. The command output does not appear to be returned in the application’s responses, however it is possible to inject time delay commands to verify the existence of the vulnerability. For more details, please refer below url: https://nvd.nist.gov/vuln/detail/CVE-2020-25494

CISA Insights for ongoing APT Cyber Activity One of the key topics: CISA Issues Emergency Directive to Mitigate the Compromise of SolarWinds Orion Network Management Products. (24th Dec 2020)

Design weakness on SolarWinds Patch Manager found April, 2019. The flaw is that when Notepad++ and 7-Zip do not requiure trust sign verification. Fundamentally, 7-Zip has never signed their packages. Meanwhile the certificate to sign Notepad++ is expired at that time. SolarWinds asks customers with any of the below products listed as known affected for Orion Platform v2019.4 HF 5 to update to Orion Platform 2019.4 HF 6, which is available at https://customerportal.solarwinds.com/

Quick verification – CHECK FILES AND HASHES:
The presence of any of the following files indicates that a trojanized version of SolarWinds is installed.

1.File Name: SolarWinds.Orion.Core.BusinessLayer.dll, File Hash (MD5): b91ce2fa41029f6955bff20079468448

2.File Path and Name: C:[\]WINDOWS[\]SysWOW64[\]netsetupsvc.dll

Remedy: https://www.solarwinds.com/securityadvisory

Reference: http://www.antihackingonline.com/potential-risk-of-cve/fireeye-detected-apt-activities-go-through-solarwinds-product-13th-dec-2020/

Before the end of 2020, there are two important notes to remind Citrix users (22nd Dec 2020)

Preface: Many companies, especially law firms, and financial institutions will choose Citrix thin client functions. The decision seems to be correct, because their function looks perfect. For example, TCP offloading and network security protection. However, in order to cope with on demanding digital technology market. As a result, they are involved in some technologies and zone which will be interest to hackers.

Highlight: Design weakness on specific product:
1. Citrix Gateway Plug-in for Windows: If exploited, could result in a local user escalating their privilege level to SYSTEM.

Design weakness: When the service runs, it executes a periodic PowerShell script, executed as SYSTEM, every five minutes. To exploit this vulnerability, an attacker could create a malicious file, name it powershell.exe and copy it to every directory they have access to. This would allow them to achieve elevation of privileges on system’s running the Citrix Gateway Plug-In for Windows.

2. Starting 1st Oct 2020, ADC MPX and SDX will use serial number of applicance as password

Official announcement: Citrix Gateway Plug-in for Windows Security Update – https://support.citrix.com/article/CTX282684

The other side of the Pyramid. Other episode of the human civilization (Dec 2020)

Preface: In according to my article (Quantum entanglement in Pyramid internal compartment)

My idea defined it is a prequel. The following details are based on Exodus (Pentateuch of Moses). So far, the mainstream viewpoint of Catholicism hiding the old testament of bible. However, the unearthed cultural relics including “Death Sea Scrolls” and “Ancient Mesopotamia wedge shaped marks on clay tablets”. Their descriptions has similarity. Perhaps many people do not have interest of these information and the origin of human civilization. However if you have heard the details of old testament of bible. You will questioning that the phenomenon described on the books contains of scientific logic. It is unknown information in that period of time. According to the documentation, the pharaoh during the Exodus was Ramses II (c. 1304–c. 1237). In short, Moses was probably born in the late 14th century BCE. According to the write down by Hebrew Bible. It describe how the Israelites took the ark with them into battle where the powers of the ark helped the Israelites defeat their enemies. Perhaps it is a myth or it is a advance civilization technology power?

God parts the waters of the Red Sea (Exodus 14:22). If there is advanced technology, is it possible?

According to historical records, the integration of machines into human life began with the American Industrial Revolution. If following the logic, we assume that informations in bible using accumulation method. Who is the person who wrote the Bible (Old Testament). This is unknown. They are the ancient people. So they do not have concept air-plane will fly on the sky. Therefore when they encounter unknown scientific matter. They will use their religious to do the interpretation. When I was young, listening to “Exodus” was a traditional view. It was a myth. But when you think into details. Moses went with Jews though Red Sea. We so called that unbelievable phenomenon. Perhaps the phenomenon given by nature. The following details may expand your thinking space.

In some places, the tide will dry the seabed for several hours and then resume. In fact, in 1798, Napoleon Bonaparte and a small group of soldiers on horseback crossed the Gulf of Suez at the northern end of the Red Sea, where Moses and the Israelis are said to have crossed here. In the mile-long dry seabed exposed by the low water.

The invisible power on the earth will be the magnetic field and atmosphere (air pressure). However, on the surface of the earth, the strength of the magnetic field is about 0.5 Gauss units (50,000 nano-Tesla or 50,000 nT). In contrast, typical toy magnets or magnets used in refrigerators produce about 100 Gauss. Therefore, it seems not possible to transform the magnet field in earth to block the sea water. Even the Red Sea located in the middle of two poles (refer above diagram) it is not possible to use the natural magnetic power. Because the power is too weak.

Before we go to topic (ark of the covenant). We first look at ancient construction build on earth. The Temple of Bacchus is part of the Baalbek temple complex located in the broad Al-biqā (Bekaa Valley), Lebanon. German archeologists recently discovered a 2,000-year-old stone dating back to the Roman Empire in a quarry in Baalbek, Lebanon. At 64 feet long by almost 20 feet wide, the new stone weighs in at a massive 1,650 tons. Refer to below picture, the architecture of Bacchus contains similar sizes of stone installed. The archaeologist also had doubt in this matters. How do they move the stone?

Utilizing a strong magnetic field as a powerful tool requires electricity power.

Perhaps, the expert trusted that the ancient people can installed a wheel on both end of the stone let it move. Oh! it is talking about 1650 tons. Do you think this is the correct way. According to my article (Quantum entanglement in Pyramid internal compartment). I agree with some experts said, the King’s chamber had major component which has lost. I speculated that it is a Hadron Collider which mentioned in my article. (The stone coffin installed in King’s Chamber is not a coffin. It is the stand of a machine. Perhaps it is a Hadron Collider). Quite a lot of expert speculated that magnetic technology involves to ancient relics construction. So, they can move the items which modern technology cannot move.

Remark: All the magnets on the LHC are electromagnets. The main dipoles generate powerful 8.3 tesla magnetic fields – more than 100,000 times more powerful than the Earth’s magnetic field. In our modern world, a Large Hadron collider has located in Swiss. The LHC consists of a 27-kilometre ring of superconducting magnets with a number of accelerating structures that boost the energy of the particles along the way. CERN uses 1.3 terawatt hours of electricity annually. According to logic, advanced civilization will not use human being traditional electric power generation method. They will use nuclear power. This is not a assumption.

Reference: As a matter of fact, Archaeologist found that a heavy layer of radioactive ash in Rajasthan, India, covers a three-square mile area, ten miles west of Jodhpur. This is the famous place Mohenjo-daro. An evidence shows an nuclear reaction related disaster in this place. It dating back thousands of years (from 8,000 to 12,000 years).

The Crusaders own the Ark of covenant. So, they can win the battles.

In fact, archaeologist cannot confirm the timeline for ancient people build the Khufu Pyramid. According to the markings on the foreman and Pharaoh Khufu of Egypt’s fourth dynasty on the wall of tomb, Egyptologists believe this pyramid is this tomb.

Moses was ordered by the Lord rescue the Jews leave Egypt, said old testament of bible. My study also according to this information. Even today, the Catholics all around the world. They do not have doubt of his Lord identifications. Perhaps, Lord is part of advanced civilizations. Because some rumours described that ark of the covenant contains mystery power. When Christianity army carried the Ark with them. They did not lost battle. My speculation of this article is also driven by this unconfirmed matters. I assume when advanced civilization instructed Moses rescue the Jews. It has possibility that they will militarized themself. So they took the component in Pyramid. The facts is that if they would like to against huge amount of enemies and save the life of Jews. Advanced technological weapons are a success factor. Therefore, nuclear power and magnetic power are appropriate elements.

Moses led more than 300,000 Israelites across the Red Sea to the Sinai Peninsula. The messenger used the pillar of cloud to protect the Israelites from the Egyptians. He ascended Mount Sinai and received the Ten Commandments from God. So, he build the ark according to God’s instructions and designs. Inside the ark are two stone tablets (with the Ten Commandments written on them). (Exodus 25:8-10,16; 31:18; 40:20).

In 14th April,1561, an unidentified flying objects (UFO) above Nuremberg, Germany. Above diagram shown a broadsheet news article printed in April 1561. Is it a coincidence? A pillar shape unknown flying object shown on the picture. As we know, in 1903 the Wright brothers had invented the first successful airplane. Talking about three hundred and fifty years ago, human being do not have airplane concept. As a result, when they seen similar shape of UFO. Perhaps they will only draw or use the key word pillar for description.

Build the ark according to God’s instructions and designs

The ark of the covenant was built by the ancient Israelis according to God’s instructions and designs. Inside the ark are two stone tablets (with the Ten Commandments written on them). (Exodus 25:8-10,16; 31:18; 40:20)

Inside covenant the ark, it contains the following items:

  • The two stone tablets of the Law.
  • Aaron’s rod that budded.
  • The golden pot of ‘hidden’ manna.

Together these three items form the Testimony (Exodus 25:21)

The dimension for ark of the covenant shown below:

3.6417322835(ft) x 2.1981627297(ft) x 2.1981627297(ft)

But I speculated that the the golden pot store in the ark is the minimized nuclear power generator. Our civilization know how to utilize the nuclear power technologies since 40’s. The well known matters is the Manhattan Project. Robert Oppenheimer which use Albert Einstein theory to invent the Atomic bomb. Our experience in this nuclear technology area was less than hundred years. For example, fusion reaction technique (see below diagram) can generate huge volume of electricity power. However the extreme temperature generated during reaction is the problem which make them headache. Furthermore the size of the facilities are huge big. The advanced civilization even know how to pass through the milky way. And therefore they know how to minimized the overall size of nuclear facility. This is not surprising.

The theory of mass-energy conversion found by Albert Einstein in earlier nineteen century. The sun’s energy is produced in its interior, via thermonuclear fusion. That is, mass is converted to energy in a way described by Albert Einstein’s famous equation, E=mc2. See below conceptual diagram for fusion reaction in the sun. There are currently several main controllable nuclear fusion methods: laser confinement (inertial confinement) nuclear fusion, magnetic confinement nuclear fusion (tokamak) and (plasma) magnetic confinement. This is also the principle used in the so-called Tokamak nuclear fusion reactor.

In October 2014, Lockheed Martin announced the invention of a small nuclear fusion reactor, the 100 MW reactor was reduced to 7×10 feet in size. Perhaps in future, it can create a mini nuclear fusion reactor put into the ark again.

In addition, some issues are mentioned in Exodus (see below). See if my next article covers the following items.

  1. According to the Chapter 16 of the Book of Exodus, manna appeared on the 15th day of the second month after the Israelites came out of Egypt. At that time, Moses led the Israelites to the wilderness between Elim and Sinai. There was nothing to eat, so Israel People complained to Moses that they were about to starve to death. The Lord therefore promised that Moses would give food to the Israelites.
  2. Gold has capability to block Gamma radiation. Jewish and Christian holy scriptures dictate that the Ark of the Covenant can be carried only by Levites, who constituted the ancient Jewish priestly class. They must carry the Ark by using two wooden poles inserted through rings on its sides, as touching the Ark itself will result in death at the hands of God.
  3. At night, quail flew over and covered the camp; in the morning there was dew on the ground around the camp. After the dew rose, unexpectedly, there were small round objects (Algae) like hoarfrost on the wild ground. When the Israelites saw it, but didn’t know what it was, they asked each other: What is it? Moses said to them: This is the food the Lord gives you to eat. This food is called manna in Israel; it looks like coriander seeds, is white in color, and tastes like pancakes mixed with honey.

Here, I wish you a Merry Christmas and a Happy New Year.

CVE-2020-4829 – AIX owner should be staying alert! (14th Dec 2020)

Preface: When I was young, there were two giants in the mid-range system market. They are IBM and Sun Micro. Over the time, IBM won this market. To this day, the business world likes to use IBM AIX OS the most.

Background: About twenty years ago, a well known buffer overflow vulnerabilities discovered in Kerberos 5 due to buffer overflows in the Kerberos 4 compatibility code. As a result, it impacting the MIT Kerberos 5 releases (1.0.x, 1.1 and 1.1.1) and MIT Kerberos 4 patch level 10.
According to IBM AIX 7.2 security guidebook. It described that when Kerberos authentication is successful. The secldapclntd daemon saves the bind credentials to the [/]etc[/]security[/]ldap[/]krb5cc_secldapclntd directory. Whereby, it shown that AIX 7.2 is using Kerberos 5. Since CVE-2020-4829 not explicitly describe the vulnerability details. Perhaps it let me speculated that the vulnerability announced this month has relationship between flaw found 20 years ago.

Reminder: This bug looks critical in my personal opinion. It is recommended to patch immediately.

Official announcement: https://aix.software.ibm.com/aix/efixes/security/ksu_advisory.asc

FireEye detected APT activities go through Solarwinds product – 13th Dec 2020

Preface: SolarWinds Orion is an IT performance monitoring platform that helps businesses manage and optimize their IT infrastructure.

Vulnerability details: SolarWinds.Orion.Core.BusinessLayer.dll is signed by SolarWinds. However, when connection come from trusted vendor (valid signature ) which carry malware. Existing design do not have defense mechanism.

Impact: CISA has determined that this exploitation of SolarWinds products poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action.

Remedy: https://www.solarwinds.com/securityadvisory

Chakra scripting engine countdown. However, you still need to patch (11th DEc 2020)

Preface: Microsoft Edge no longer uses Chakra. Microsoft will continue to provide security updates for Chakracore 1.11 until 9th March 2021 but do not intend to support it after that.

Background: Chakra, a JavaScript engine that powers Windows applications written in HTML/CSS/JS and used to power Microsoft Edge. ChakraCore supports Just-in-time (JIT) compilation of JavaScript for x86/x64/ARM, garbage collection, and a wide range of the latest JavaScript features. ChakraCore also supports the JavaScript Runtime (JSRT) APIs, which allows you to easily embed ChakraCore in your applications. To make JIT in Chakra (JavaScript Engine in Microsoft Edge) work with ACG enabled, Microsoft runs the parts of Chakra responsible for compiling code in a separate process – JIT Server. The JIT server then compiles the bytecode and writes the resulting executable code back into the calling process using shared memory.

Vulnerability details: Microsoft did not describe too much details. However the design weakness of ChakraCore not only discover this time. For the rest of the details, please refer of the attached diagram.

Official announcement – https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17131

The CERT Coordination Center Bulletin – About the vulnerabilities affecting the open source TCP/IP Stack (8th Dec, 2020)

Preface: October 1, 2019 – A security firm has identified 11 vulnerabilities, named “URGENT/11.

Background: TCP/IP stack was developed using subset of the ‘C’ language. The open source TCP/IP stack design is widely used in embedded systems in the market. Briefly describe it as an IoT device. It runs in your business environment and in your home. In addition, Smart City is using them. Open Source implementations includes uIP,LwIP,uC/IP,tinytcp, wattcp and BSD 4.4. Furthermore, the commnerical implementations will be covered CMX-tcp-/ip, NetX, NicheStack, ARC RTCS TCP/IP, RTXC Quadnet TCP/IP, TargetTCP and uc/TCP-IP.

Traditional embedded OS memory Footprint – RAM requirements can vary widely depending on application needs but are typically as low as 12kB. It is possible, with a minimum configuration UDP application,
to use less than 5kB of ROM and a few hundred bytes of RAM (plus network buffers).

Limitation: In normal circumstance, embedded OS itself do not have plenty space lets manufacture install antivirus software. Even it can install, there is difficulties to conducting virus signature update. So, it is a dead end?

Reader space: vulnerabilities make experts worry about this. For more details, please refer to link – https://www.kb.cert.org/vuls/id/815128