Ransomware is hard to hunt because they are waging guerrilla warfare! 31st May, 2021

Preface: A Russian-speaking outfit called DarkSide offered would-be computer crooks not just the tools, but also customer support, the New York Times said.

My observation: Perhaps cyber criminals learn from practice. They know the system infrastructure weaknesses of industry, especially oil and power supply facilities, and even the logistics industry.

Since Java has broad capabilities, test developers sometimes use JavaScript to test their remote applications, for instance jj[.]js (a JavaScript testing framework). Java provides a number of method calls to check and change the permissions of a file; for example, a read-only file can be changed to have write permission. If ransomware criminals are lucky, they can rely on these methods to implant a foothold and see whether they can exploit a vulnerability on the victim's workstation. As mentioned above, jj.js can sometimes evade the defense mechanism if no application-layer defense is in place. Furthermore, ransomware criminals can re-engineer the file.

Remark: ransomware criminals will select dynamic cloud computing as a base. If the victim's web server uses an IaaS service, it is most likely their target.

NYTimes headline – https://www.nytimes.com/2021/05/29/world/europe/ransomware-russia-darkside.html

Headline News – unauthorized access to Japan government systems via Fujitsu ProjectWEB – 28-05-2021

Headline News – The incident affected the Ministry of Land, Infrastructure, Transport and Tourism, Ministry of Foreign Affairs, Cabinet Office and Narita Airport. The stolen data included files stored by government employees on the cloud-based collaboration and file sharing platform ProjectWEB, which was launched by Fujitsu in the mid-2000s and was very popular among Japanese civil servants.
According to Japanese media reports, hackers stole documents containing information on employees of the Ministry of Land, Infrastructure, Transportation and Tourism, including more than 76,000 email addresses, but the government did not confirm this information.

Background: ProjectWEB is a cloud-based enterprise collaboration and file-sharing platform that Fujitsu has operated since the mid-2000s, and which a number of agencies within the Japan government currently use.

One possible cause of the data leakage in this incident:
Daily operation of many small projects goes through a web-based management system, and daily communication between project managers and project members uses Excel to complete status management and quality management. If the Excel spreadsheet is exposed to design weaknesses (CVE-2017-0006, CVE-2017-0019, CVE-2017-0020, CVE-2017-0030, CVE-2017-0031, and CVE-2017-0053), remote attackers could execute arbitrary code or cause a denial of service (memory corruption) via a crafted document. As a result, a data breach could occur.

Headline News – https://www3.nhk.or.jp/nhkworld/en/news/20210526_28/

VMware Releases Security Updates (CVE-2021-21985 & CVE-2021-21986) – May 26, 2021

Preface: There are plenty of astronomical events every year.
In the evening of 26 May 2021 there was a total lunar eclipse. Do you believe the rumours about the super moon (an astronomical phenomenon)?

Background: The Virtual SAN Health Check plug-in checks all aspects of a Virtual SAN configuration. It implements a number of checks on hardware compatibility, networking configuration and operations, advanced Virtual SAN configuration options, storage device health, and virtual machine object health. The Virtual SAN Health Check plug-in is enabled by default in vCenter Server.

Vulnerability details: The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server.
A remote attacker could exploit some of these vulnerabilities to take control of an affected system.

CVE-2021-21985 – VMSA-2021-0010 (Virtual SAN Health Check Plugin)

CVE-2021-21986 – VMSA-2021-0010 (Virtual SAN Health Check, Site Recovery, vSphere Lifecycle Manager, and VMware Cloud Director Availability Plugins)

Workaround: Plugins must be set to “incompatible.” On vCenter Linux and Windows platforms, simply disabling plugins from within the UI will not prevent exploitation.

Official announcement https://www.vmware.com/security/advisories/VMSA-2021-0010.html

The Chronicle of Ransomware – 26th May 2021

Preface: The first ever ransomware virus was created in 1989 by Harvard-trained evolutionary biologist Joseph L. Popp (now known as the ‘father of ransomware’). It was called the AIDS Trojan, also known as the PC Cyborg.

Synopsis: Perhaps mankind cannot imagine that in our modern world we are still affected by viral infection. The situation looks like a replay of the scene from 1346 – 1353 (the plague). The digital world is no different. In the past few weeks we have heard of ransomware wreaking havoc. As far as we know, ransomware did not appear only today: the CryptoLocker attack was found in 2013, but the public only began to focus on ransomware with “WannaCry” in 2017. Unlike crypto-ransomware (WannaCry), locker ransomware does not encrypt files. Instead it goes one step further and locks the victim out of their device.

What are the countermeasures after a ransomware attack?
– Changed passwords for all end-users and privileged users.
– Changed access keys for all service accounts.
– Enhanced malware/ransomware protection on endpoints and servers.
– Enhanced monitoring and logging to identify malicious activities.

The objective of this topic is for information only. Perhaps when you read the article below, posted in 2017, it will resonate with you.


Aforementioned – Insurance company infected by ransomware – 25th May 2021

News feed: AXA Group announced on Sunday (16-05-2021) that the company has become a victim of a ransomware attack. Axa Hong Kong said there has been no evidence that data processed by Inter Partners Asia in markets other than Thailand have been affected by the targeted ransomware attack. No official announcement has been made to date updating this incident.

Technology exploration: Avaddon ransomware performs encryption in offline mode using AES-256 + RSA-2048 to encrypt files. With a 128-bit AES key, the task of cracking AES by checking each of the 2^128 possible key values (a “brute force” attack) is so computationally intensive that even the fastest supercomputer would require, on average, more than 100 trillion years to do it. The Microsoft .NET Cryptography library is capable of encrypting and decrypting files on its own. The Windows 10 operating system incorporates the .NET Framework 4, installed and enabled by default. Therefore cybercriminals can share this service. For more details, please refer to the attached document.

What are the consequences if AXA underestimates this matter? Or is it just a bluff!

A similar type of attack (files encrypted with RSA-2048 and AES-128 keys) allows cyber-criminals to gain access through remote control systems. After the machine is infected with the ransomware, data exfiltration occurs. In fact, the hacker group claimed to have stolen 3 terabytes of data, including a long list of information: ID cards, passport copies, customer claims, reserved agreements, denied reimbursements, payments to customers, contracts and reports, customer IDs and scanned bank account papers, hospital and doctor reserved material (private investigation for fraud) and customer medical reports including HIV, hepatitis, STD and other illness reports.

Latest news: https://www.thestandard.com.hk/section-news/section/2/230327/Axa-HK-unaffected-by-cyberattack

Exposes ring 0 code execution in the context of the driver; defense software may also make this mistake (CVE-2021-31728 MalwareFox AntiMalware)

24th May, 2021

Preface: It lets you avoid malware infection on your computer. MalwareFox can detect and remove malware precisely. MalwareFox Antimalware comes at a low cost compared to other competitors.

Background: In a computer, ioctl is a system call dedicated to the input and output operations of a device. The call receives a request code specific to the device; what the system call does depends entirely on the request code.

Remark: The ioctl system call first appeared in Version 7 of Unix under that name. Microsoft Windows provides a similar function, named “DeviceIoControl”, in its Win32 API.

Vulnerability details: IOCTL 0x80002040 exposes a kernel memory allocation in the NonPagedPool into which a user-mode string is copied. This buffer can be used for shellcode by forcing the input data to be larger than 0x1000 bytes; a buffer larger than 0x834 will cause a STATUS_ACCESS_VIOLATION. The attacker must trick the IOCTL into failing and forgetting to free the buffer; the newly allocated buffer holding the shellcode can then be located through SystemBigPoolInformation.

* When writing to a file, Microsoft sets bufferSize to 4096 bytes, but when reading they use [0x1000].
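The two defects the description above combines, an unchecked caller-supplied length and an error path that returns without releasing the pool buffer, are easiest to see side by side. The following is an added, constructed user-mode model of that IOCTL handler shape (it is not the MalwareFox driver's code, and the 0x834/0x1000 thresholds on the page are not modelled exactly): `pool_alloc`/`pool_free` stand in for the kernel pool routines and count live allocations, `ioctl_vulnerable` shows the buggy shape, and `ioctl_hardened` shows the checks a driver reviewer would expect. The NTSTATUS values are the real ones from ntstatus.h; everything else is assumed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed user-mode model of the flaw class described above; not the
 * vendor's code. NTSTATUS values match ntstatus.h. */
#define STATUS_SUCCESS                0x00000000u
#define STATUS_ACCESS_VIOLATION       0xC0000005u
#define STATUS_INVALID_PARAMETER      0xC000000Du
#define STATUS_INSUFFICIENT_RESOURCES 0xC000009Au

#define POOL_ALLOC_SIZE 0x1000   /* fixed-size NonPagedPool allocation, as on the page */

/* Stand-ins for ExAllocatePool/ExFreePool that count live allocations, so a
 * buffer left behind by a failing request becomes observable. */
static int live_pool_allocations = 0;

static uint8_t *pool_alloc(size_t n) {
    uint8_t *p = malloc(n);
    if (p) live_pool_allocations++;
    return p;
}

static void pool_free(uint8_t *p) {
    if (p) { free(p); live_pool_allocations--; }
}

int live_allocations(void) { return live_pool_allocations; }

/* Vulnerable shape: the caller-controlled length is never checked against the
 * allocation, and the failure path returns without releasing the buffer. */
uint32_t ioctl_vulnerable(const uint8_t *user_data, size_t user_len) {
    uint8_t *buf = pool_alloc(POOL_ALLOC_SIZE);
    if (!buf) return STATUS_INSUFFICIENT_RESOURCES;

    /* A real driver would overrun here; the model copies what fits and then
     * reports the fault, so the buggy path stays runnable. */
    size_t copied = user_len < POOL_ALLOC_SIZE ? user_len : POOL_ALLOC_SIZE;
    memcpy(buf, user_data, copied);
    if (copied < user_len)
        return STATUS_ACCESS_VIOLATION;   /* buf, still holding the caller's bytes, is leaked */

    /* ... normal processing of buf would happen here ... */
    pool_free(buf);
    return STATUS_SUCCESS;
}

/* Hardened shape: validate the length before allocating, keep the copy bounded,
 * and route every exit through one cleanup point. */
uint32_t ioctl_hardened(const uint8_t *user_data, size_t user_len) {
    if (user_data == NULL || user_len == 0 || user_len > POOL_ALLOC_SIZE)
        return STATUS_INVALID_PARAMETER;   /* rejected before any pool memory exists */

    uint8_t *buf = pool_alloc(POOL_ALLOC_SIZE);
    if (!buf) return STATUS_INSUFFICIENT_RESOURCES;

    uint32_t status = STATUS_SUCCESS;
    memcpy(buf, user_data, user_len);      /* bounded by the check above */
    /* ... normal processing; any failure sets status and falls through ... */

    memset(buf, 0, POOL_ALLOC_SIZE);       /* do not leave caller bytes in freed pool memory */
    pool_free(buf);
    return status;
}

/* Builds a constructed request of the given length (filled with 'A') and
 * submits it to a handler. The input is ordinary user memory, so it does not
 * affect the pool counter. */
uint32_t submit_request(uint32_t (*handler)(const uint8_t *, size_t), size_t len) {
    uint8_t *input = malloc(len ? len : 1);
    if (!input) return STATUS_INSUFFICIENT_RESOURCES;
    memset(input, 'A', len);
    uint32_t status = handler(input, len);
    free(input);
    return status;
}

int main(void) {
    printf("vulnerable, 0x1200 bytes: status 0x%08X, live pool buffers after: %d\n",
           submit_request(ioctl_vulnerable, 0x1200), live_allocations());
    printf("hardened,   0x1200 bytes: status 0x%08X, live pool buffers after: %d\n",
           submit_request(ioctl_hardened, 0x1200), live_allocations());
    return 0;
}
```

The oversized request leaves the vulnerable handler with one live pool buffer that nobody owns, which is the condition the page describes; the hardened handler rejects the same request before it allocates anything, and its success path clears the buffer before returning it to the pool.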

Official details: As of today, the vendor has not provided an update on this matter. Their homepage can be found at the following link – https://www.malwarefox.com/

Update to CISA-FBI Joint Cybersecurity Advisory on DarkSide Ransomware (May 19, 2021).

Preface: Critical infrastructure cybersecurity is not new – it was first addressed by Presidential Decision Directive (PDD) 63 in 1998. The term Internet of Things (IoT) was used, but for consumer product applications, not industrial applications. Perhaps the Executive Order on Cybersecurity does not adequately protect critical infrastructure.

Background: Best Practices for Preventing Disruption from Ransomware Attacks was released by CISA on May 11, 2021 – https://us-cert.cisa.gov/ncas/alerts/aa21-131a

The goal is to give computer users a directive that reduces the possibility of a ransomware attack. Apart from best practices, is there another way to enhance your current system infrastructure to guard against computer user negligence?

Solution 1: The technology so-called “clean DNS” works by adding a layer of security between a user and the internet that prevents visits to websites used for scams, phishing, and malware and ransomware distribution.
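The filtering layer described in Solution 1 comes down to a policy decision made on each query name before it is forwarded upstream. The following added example (constructed for this page, not the code of any clean-DNS product) shows that decision in C: a blocklist of placeholder domains, normalisation of the query name, and a suffix match that respects label boundaries, which is the detail that naive string matching gets wrong. The domain names and the sinkhole address are assumptions for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed blocklist standing in for a protective-DNS threat feed. The
 * names are placeholders, not real indicators. */
static const char *BLOCKLIST[] = {
    "malware-drop.example",
    "phish-login.example",
    "ransom-c2.example",
};
#define BLOCKLIST_LEN (sizeof BLOCKLIST / sizeof BLOCKLIST[0])

/* Lower-case the query name and drop one trailing dot, so "Evil.Example." and
 * "evil.example" are treated alike. Returns 0 if the name does not fit. */
static int normalise(const char *in, char *out, size_t outsz) {
    size_t n = strlen(in);
    if (n > 0 && in[n - 1] == '.') n--;
    if (n >= outsz) return 0;
    for (size_t i = 0; i < n; i++) out[i] = (char)tolower((unsigned char)in[i]);
    out[n] = '\0';
    return 1;
}

/* True if name is the blocked domain or a subdomain of it. The match must end
 * on a label boundary: "notmalware-drop.example" is not under "malware-drop.example". */
static int under_domain(const char *name, const char *blocked) {
    size_t nl = strlen(name), bl = strlen(blocked);
    if (nl < bl || strcmp(name + (nl - bl), blocked) != 0) return 0;
    return nl == bl || name[nl - bl - 1] == '.';
}

/* Policy decision for one query name: 1 = block, 0 = allow. Names too long to
 * be valid DNS names are blocked (fail closed). */
int is_blocked(const char *qname) {
    char name[256];
    if (!normalise(qname, name, sizeof name)) return 1;
    for (size_t i = 0; i < BLOCKLIST_LEN; i++)
        if (under_domain(name, BLOCKLIST[i])) return 1;
    return 0;
}

/* Blocked queries get a sinkhole address instead of being forwarded; the
 * upstream lookup itself is out of scope here and represented by NULL. */
const char *sinkhole_answer(const char *qname) {
    return is_blocked(qname) ? "0.0.0.0" : NULL;
}

int main(void) {
    /* Constructed sample of query names as they might appear in a resolver log. */
    const char *queries[] = {
        "update.vendor.example", "cdn.MALWARE-drop.example.",
        "notmalware-drop.example", "ransom-c2.example", "login.phish-login.example",
    };
    for (size_t i = 0; i < sizeof queries / sizeof queries[0]; i++)
        printf("%-28s %s\n", queries[i],
               is_blocked(queries[i]) ? "BLOCK (sinkhole)" : "allow (forward upstream)");
    return 0;
}
```

Returning a sinkhole address rather than a refusal is a design choice: the client's connection then lands on an address the defender controls, which gives a clean log of which hosts tried to reach blocked names.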

Solution 2: Be aware that unofficial observation has concluded that if you have been infected by TrickBot, you will receive a ransomware attack soon.
Please refer to the attached diagram for the solution.

Cyber Security Focus – use a Raspberry Pi for Windows 10 (17th May 2021)

Preface: Windows 10 IoT Core is a version of Windows 10 that is optimized for smaller devices with or without a display, and that runs on the Raspberry Pi 2 and 3.

Background: ASP.NET Core is one of the best frameworks available for making cross-platform web applications. The free Windows 10 IoT Core along with ASP.NET 3.0 allows one to build applications or background services on an IoT device. Since Windows 10 requires more RAM than most Linux distributions, only a Raspberry Pi 4, 3, or 2 with at least 1 GB of RAM can run the ARM edition through the WoR project.

Vulnerability details: An unauthenticated attacker could send a specially crafted packet to a targeted server that utilizes the HTTP Protocol Stack (http.sys) to process packets. The issue is that an attacker can trigger a code path that frees every entry of the local list, leaving them dangling in the Request object.
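The dangling-entry condition described above is a general C pattern: an error path frees list nodes that a longer-lived object still claims to own, so the object's normal teardown later touches freed memory. The following added example (constructed for this page, not http.sys code) models that shape with a request object that owns a parsed header list. An empty list element is used as the constructed parse error; the vulnerable variant frees the entries and returns, the fixed variant also resets the request's ownership fields, and a live-entry counter makes the difference observable without touching freed memory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the defect class described above; not http.sys code.
 * A request object owns a linked list of parsed header values. */
typedef struct entry { char *value; struct entry *next; } entry_t;
typedef struct request { entry_t *head; int count; } request_t;

static int live_entries = 0;   /* alloc/free balance makes stale ownership visible */
int live_entry_count(void) { return live_entries; }

static entry_t *entry_new(const char *s, size_t len) {
    entry_t *e = malloc(sizeof *e);
    e->value = malloc(len + 1);
    memcpy(e->value, s, len);
    e->value[len] = '\0';
    e->next = NULL;
    live_entries++;
    return e;
}

static void free_entries(entry_t *e) {
    while (e) { entry_t *n = e->next; free(e->value); free(e); live_entries--; e = n; }
}

/* Parses a comma-separated header value into req's list. An empty element is
 * treated as a parse error (a constructed trigger standing in for whatever the
 * real parser rejects). On error the entries are freed; only the fixed variant
 * also clears the request's claim on them. */
static int parse_list(request_t *req, const char *header, int clear_on_error) {
    const char *p = header;
    for (;;) {
        const char *comma = strchr(p, ',');
        size_t len = comma ? (size_t)(comma - p) : strlen(p);
        if (len == 0) {
            free_entries(req->head);   /* local cleanup of what was parsed so far */
            if (clear_on_error) { req->head = NULL; req->count = 0; }   /* the fix */
            return -1;   /* without the clear, req still claims entries that no longer exist */
        }
        entry_t *e = entry_new(p, len);
        e->next = req->head;
        req->head = e;
        req->count++;
        if (!comma) return 0;
        p = comma + 1;
    }
}

int parse_vulnerable(request_t *req, const char *header) { return parse_list(req, header, 0); }
int parse_fixed(request_t *req, const char *header)      { return parse_list(req, header, 1); }

/* Normal teardown when the request completes. It is safe only if the request's
 * view of its list is truthful, which is exactly what the error path must keep. */
void request_release(request_t *req) {
    free_entries(req->head);
    req->head = NULL;
    req->count = 0;
}

int main(void) {
    request_t ok = {0}, bad = {0};
    printf("parse_fixed(\"gzip,deflate,br\") -> %d, %d entries\n",
           parse_fixed(&ok, "gzip,deflate,br"), ok.count);
    request_release(&ok);
    printf("parse_vulnerable(\"gzip,,br\") -> %d, request still claims %d entries, %d live\n",
           parse_vulnerable(&bad, "gzip,,br"), bad.count, live_entry_count());
    /* request_release(&bad) here would free already-freed memory: the bug */
    return 0;
}
```

The review rule this illustrates is that whoever frees an object's children must also update the object's view of them (head pointer and count) in the same place, so that the owner's later teardown has nothing stale to follow.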

Reminder: If you plan to run Windows 10 IoT Core on a Raspberry Pi, don’t forget to fix it.

Remedy: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31166

Headline news – Insurer AXA hit by ransomware (17th May 2021)

Preface: Perhaps we think that ransomware only looks at hard drive C:. But the truth is that other mapped drives like D:, E:, F: will be compromised as well.

Headline News: PARIS (Reuters) – French insurer Axa said on Sunday that one of its businesses in Asia was hit by a ransomware attack, adding that it was investigating after some data processed in Thailand was accessed, said Reuters News (May 16, 2021).

Possible attack scenario: A possibility may arise when setting up an SSL VPN. Perhaps we overlook the routing option: for instance, the SSL VPN routes only the target subnet, and the rest of the traffic is allowed to go to the internet.
For example, if a phishing email reaches the remote SSL VPN client and they click the link, and the option (refer to the attached diagram) is not enabled, it will allow ransomware to do its dirty work.

Headline News: https://www.reuters.com/article/us-axa-cyber/axa-division-in-asia-hit-by-ransomware-cyber-attack-idUSKCN2CX0B0

Small storm in Big data world (CVE-2021-22135 & CVE-2021-22136) 13th May 2021

Preface: 3350 companies reportedly use Elasticsearch in their tech stacks, including Uber, Shopify, and Udemy.

Background: Organizations can use big data analytics systems and software to make data-driven decisions that can improve business-related outcomes. Elasticsearch is a popular open-source search and analytics engine for use cases such as log analytics, real-time application monitoring, and click stream analytics.

Remark: Elastic, the company behind Elasticsearch and Kibana, has made a change to their licensing. They’ve taken a unique approach to “doubling down on open”: customers can now choose between two non-open source licenses. 

Vulnerability details: A flaw was found in Kibana and Elasticsearch versions before 7.11.2 and 6.8.15. It risks exposure of sensitive information to an unauthorized person and unintentionally extending authenticated users’ sessions. Details are shown below:

CVE-2021-22136 – https://nvd.nist.gov/vuln/detail/CVE-2021-22136

CVE-2021-22135 – https://nvd.nist.gov/vuln/detail/CVE-2021-22135