The Thirty-six stratagems – Know yourself and the ransomware, and you will never be lost in cyber war. 30-06-2021

Preface: The Thirty-six Stratagems is a Chinese essay used to illustrate a series of stratagems applied in war. It also applies to cyber warfare.

Background: Kernel-based Virtual Machine (KVM) is an open source virtualization technology built into Linux®. Specifically, KVM lets you turn Linux into a hypervisor that allows a host machine to run multiple, isolated virtual environments called guests or virtual machines (VMs).
KVM is part of Linux. VMware relied on Linux during its early history. The early version of its hypervisor, called ESX, included a Linux kernel (the central part of an OS that manages the computer hardware). When VMware released ESXi, it replaced the Linux kernel with its own.

Security Focus: Security researcher MalwareHunterTeam found a Linux version of the REvil ransomware (aka Sodinokibi) that also appears to target ESXi servers.

Ransomware, menacing! Experts observe that ransomware is not limited to attacks on the Windows operating system. The evidence proves that it can also run on Linux. Other ransomware operations, such as Babuk, RansomExx/Defray, Mespinoza, GoGoogle, DarkSide, and HelloKitty, have also created Linux encryptors to target ESXi virtual machines.

Reference:

  • HelloKitty targeted a UK Healthcare organisation
  • DarkSide targets multiple large, high-revenue organizations, resulting in the encryption and theft of sensitive data and threats to make it publicly available if the ransom demand is not paid.
  • GoGoogle is a malicious program designed to encrypt data and demand ransom payments for decryption. During the encryption process, all affected files are renamed according to this pattern: original filename, unique ID, cyber criminals’ email address and the “.google” extension.
  • Mespinoza: the Mespinoza ransomware was first used no later than October 2018. The first versions produced encrypted files carrying the «.locked» extension, common to many ransomware families. Since December 2019, a new version of Mespinoza has been documented in open sources. This version is often called Pysa because it produces encrypted files with the «.pysa» extension.

Staying alert!

What makes supercomputers faster and faster (CPU, fibre interconnect, parallel processing or virtual machines)? 29th June, 2021.

Preface: In Japanese mythology, the Namazu (鯰) or Ōnamazu (大鯰) is a giant underground catfish who causes earthquakes. This giant does not cause disasters; it is the fastest supercomputer in the world. Its name is FUGAKU.

Background: Riken and Fujitsu started developing the system in 2014, working closely with ARM to design the A64FX processor. Each of these chips has 48 CPU cores based on the ARM architecture version 8.2-A, making it the first such chip in the world. Furthermore, more than 94.2% of supercomputers are based on Linux. In addition, supercomputers can run Windows operating systems.

Do you think today’s supercomputers only rely on a few sets of multi-core processors and standalone operating systems?

When using two virtual machines, VMware found that the overall benchmark results using an 8 TB data set were almost as fast as native hardware, while when using 4 virtual machines, the virtualization method was actually 2% faster. If the system architecture is built from many virtual machines in order to achieve parallel computing and improve efficiency, a supercomputer can apply a similar concept.

Based on their design goals, an HPC workload manager focuses on running distributed-memory jobs and supporting high-throughput scenarios, while Kubernetes is mainly used to orchestrate containerized microservice applications. If the system architecture is built from many virtual machines, parallel computing can be realized to improve efficiency. So when the above concepts are implemented on a supercomputer, its processing power improves.

The fastest supercomputer this month is FUGAKU. But who can guarantee that FUGAKU will always be number one?

Similar or not relevant – QEMU: net: eepro100: stack overflow via infinite recursion (27-06-2021)

Preface: A similar vulnerability, under another CVE record, was announced in February 2021. Perhaps Citrix was waiting for other vendors’ responses and confirmation; it is speculated that this is one possible factor behind the announcement by Citrix on Friday (25th June, 2021).

Background: How is memory allocated when recursive functions are called? Calling a function recursively works just like calling any other function, so memory is allocated the same way as for any regular function call.

Vulnerability Details: Two security issues (CVE-2021-3416 & CVE-2021-20257) have been identified in Citrix Hypervisor 8.2 LTSR, each of which may allow privileged code in a guest VM to cause the host to crash or become unresponsive. These issues only affect Citrix Hypervisor 8.2 LTSR.

Ref: A recursive function calls itself, so the memory for the called function is allocated on top of the memory allocated for the calling function. Remember that a separate copy of the local variables is created for each function call. Each recursive call pushes a new stack frame in that manner, then pops it when it returns. If the recursion fails to reach a base case, the stack is rapidly exhausted, leading to the eponymous stack overflow crash.
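As an added example (not code from QEMU or Citrix, and not the eepro100 device model’s real data structures), the C program below walks a constructed chain of linked descriptors recursively. Each call pushes a stack frame; a cyclic chain would never reach the base case and would exhaust the stack exactly as described above, so the walker carries an explicit depth budget (MAX_DEPTH, an assumed limit) and refuses the chain instead of recursing until it crashes.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed sample format for this example: a chain of descriptors,
 * each pointing at the next, the way hardware command lists are often
 * expressed. Not the eepro100 emulation's real data structures. */
struct desc {
    int value;
    struct desc *next;
};

/* Hard ceiling on recursion depth (assumed value). A chain deeper than
 * this is treated as malformed rather than trusted to terminate. */
#define MAX_DEPTH 64

/* Recursive walk that accumulates values. Each call pushes a new stack
 * frame; the base case (NULL) pops them again. The depth budget
 * guarantees that a cyclic or hostile chain cannot keep pushing frames
 * until the stack is exhausted: instead the walk returns -1. */
static int walk_sum(const struct desc *d, int depth, int *sum)
{
    if (d == NULL)
        return 0;                 /* base case reached */
    if (depth >= MAX_DEPTH)
        return -1;                /* no base case in sight: refuse */
    *sum += d->value;
    return walk_sum(d->next, depth + 1, sum);
}

/* Entry point: returns 0 and the sum on success, -1 on a chain that
 * does not terminate within MAX_DEPTH. */
int sum_chain(const struct desc *head, int *sum)
{
    *sum = 0;
    return walk_sum(head, 0, sum);
}

static struct desc nodes[3];   /* constructed sample storage */

/* Well-formed chain 1 -> 2 -> 3 -> end; returns the sum (6). */
int demo_linear(void)
{
    nodes[0] = (struct desc){ 1, &nodes[1] };
    nodes[1] = (struct desc){ 2, &nodes[2] };
    nodes[2] = (struct desc){ 3, NULL };
    int sum;
    if (sum_chain(&nodes[0], &sum) != 0)
        return -1;
    return sum;
}

/* Cyclic chain 1 -> 2 -> 1 -> ...: without the depth budget this would
 * recurse until the stack overflowed; with it, the walk returns -1. */
int demo_cyclic(void)
{
    nodes[0] = (struct desc){ 1, &nodes[1] };
    nodes[1] = (struct desc){ 2, &nodes[0] };
    int sum;
    return sum_chain(&nodes[0], &sum);
}

int main(void)
{
    printf("linear chain sum: %d\n", demo_linear());
    printf("cyclic chain result: %d\n", demo_cyclic());
    return 0;
}
```

Compile with any C99 compiler: demo_linear() returns 6 and demo_cyclic() returns -1 rather than crashing. A depth or iteration budget on every recursion driven by guest-controlled data is the generic mitigation for this class of bug.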

Official announcement – https://support.citrix.com/article/CTX316325

Security Focus – About the CVE-2021-21999 VMware vulnerability (23rd June 2021)

Preface: “An attacker with normal access to a virtual machine may exploit this issue by placing a malicious file renamed as `openssl[.]cnf’ in an unrestricted directory which would allow code to be executed with elevated privileges,” VMware said.

Background:

VMware App Volumes provides a system to deliver applications to desktops through virtual disks. Installing App Volumes involves installing the App Volumes Manager, App Volumes agents, and related components.
The installers for VMware Tools for Windows are built into VMware Workstation as ISO image files. The new features of VMware Tools for Windows 11.2.6 include an update of OpenSSL to version 1.1.1k.
VMware Remote Console Open-source components have been updated, including jansson 2.10, libjpeg-turbo 2.0.5, libgksu 2.0.13, openssl 1.1.1h, pcre 8.44, sqlite 3.23.3, and rsvg 2.40.21.

Vulnerability details: VMware Tools for Windows (11.x.y prior to 11.2.6), VMware Remote Console for Windows (12.x prior to 12.0.1), and VMware App Volumes (2.x prior to 2.18.10 and 4 prior to 2103) contain a local privilege escalation vulnerability.

One of the possibilities: the vmware-vdiskmanager command line utility works with libeay32.dll[.] The OpenSSL default path of “[/]usr[/]local[/]ssl” is used on Linux, but on Windows it translates to c:[\]usr[\]local[\]ssl.

If a low-privilege user creates the directory structure c:[\]usr[\]local[\]ssl[\] and copies an openssl.cnf file and a malicious .dll library into it, the result is arbitrary code execution when the command line utility (vmware-vdiskmanager) is executed. Furthermore, VDDK works with several DLLs (ssleay32.dll, libeay32.dll, diskLibPlugin.dll) because VDDK needs to maintain state information and callback functions. This is how the privilege escalation vulnerability occurs.

Official announcement (CVE-2021-21999) – https://www.vmware.com/security/advisories/VMSA-2021-0013.html

Ref: There is another vulnerability in other products. A VMware Carbon Black App Control update addresses an authentication bypass (CVE-2021-21998) – https://www.vmware.com/security/advisories/VMSA-2021-0012.html

Authorization bypass in Cortex XSOAR (palo alto networks) REST API – CVE-2021-3044

Preface: A REST API has vulnerabilities similar to those of a web application. The possible threats include man-in-the-middle attacks, lack of XML encryption, insecure endpoints, API URL parameters, etc.

Technical background: Cortex XSOAR is the Security Orchestration, Automation and Response (SOAR) solution from Palo Alto Networks. Cortex XSOAR (formerly Demisto) can be configured with active API key integrations. In the Cortex XSOAR server, you can add an integration as follows:

1. Go to Cortex XSOAR, then to Settings -> Integrations, search for iLert integration and click on the Add instance button.

2. On the modal window, name the instance, paste the iLert API Key that you generated in iLert and click on the Save & exit button.

Vulnerability details: The vulnerability exists due to an error in the REST API. A remote attacker can bypass the authentication process and gain unauthorized access to the application.

Note: This vulnerability affects only Cortex XSOAR configurations with active API key integrations.

Ref: Perhaps it is exploited through an IDOR vulnerability. For instance, the attacker simply modifies the ‘acct’ parameter in their browser to send whatever account number they want. If the application does not verify the user, the attacker can access any user’s account, or use other methods.

Official announcements and remedies – https://security.paloaltonetworks.com/CVE-2021-3044

CVE-2021-32994 – OPC UA C++ SDK is vulnerable to a denial of service – 17th June, 2021

Preface: The OPC UA stack is not only vulnerable here but also has a range of significant fundamental problems.

Background: The UA SDK is a C++ library that supports you in writing portable C++ OPC UA servers and clients. The UA SDK actually consists of two SDKs, a Server SDK and a Client SDK. Both use the same UA Base Library, which does all the C++ encapsulation of the raw ANSI C types that are defined in the OPC UA Communication Stack by the OPC Foundation.

Vulnerability details: OPC UA C++ SDK is vulnerable to a denial of service, caused by improper restriction of operations within the bounds of a memory buffer. A remote attacker could exploit this vulnerability to cause the system to crash.

In the OPC UA stack, OPC Foundation developers provide libraries that are essentially a set of exported functions based on a specification, similar to an API. In this vulnerability, the exported library functions don’t properly validate received extension objects, which may allow an attacker to crash the software by sending a variety of specially crafted packets that access several unexpected memory locations.
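The following is an added example, not the Softing SDK’s or the OPC Foundation’s code, showing the bounds discipline an extension-object decoder needs. It assumes a simplified layout (a 4-byte little-endian signed length prefix followed by the body, with -1 meaning a null body), checks the declared length against the bytes actually received before any read or copy, and rejects the constructed malformed packets PKT_TRUNCATED and PKT_HUGE instead of touching memory beyond the buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Assumed, simplified layout for this example: a 4-byte little-endian
 * signed length prefix followed by that many body bytes, with -1 meaning
 * a null body. The real SDK decoder is more involved; this only shows
 * the bounds checks it must perform. */
typedef struct {
    const uint8_t *body;   /* points into the caller's buffer, or NULL */
    int32_t len;           /* body length, or -1 for null */
} ext_body;

/* Decode one length-prefixed body. Returns bytes consumed, or -1 if the
 * declared length cannot be satisfied by the bytes actually received.
 * Every read is checked against buflen before it happens. */
int decode_ext_body(const uint8_t *buf, size_t buflen, ext_body *out)
{
    if (buf == NULL || out == NULL || buflen < 4)
        return -1;                       /* length prefix itself is missing */

    int32_t len = (int32_t)((uint32_t)buf[0]         | ((uint32_t)buf[1] << 8) |
                            ((uint32_t)buf[2] << 16) | ((uint32_t)buf[3] << 24));

    if (len == -1) {                     /* null body: legal, consumes prefix only */
        out->body = NULL;
        out->len = -1;
        return 4;
    }
    if (len < 0)
        return -1;                       /* any other negative length is malformed */
    if ((size_t)len > buflen - 4)
        return -1;                       /* declared length overruns the packet */

    out->body = buf + 4;
    out->len = len;
    return 4 + len;
}

/* Copy a decoded body into a fixed-size destination. The decoded length
 * is checked against the destination size too, so a large but in-packet
 * body cannot overflow dst either. Returns bytes copied, 0 for a null
 * body, or -1 on rejection. */
int copy_ext_body(const uint8_t *buf, size_t buflen, uint8_t *dst, size_t dstlen)
{
    ext_body eb;
    if (decode_ext_body(buf, buflen, &eb) < 0)
        return -1;
    if (eb.len < 0)
        return 0;
    if ((size_t)eb.len > dstlen)
        return -1;
    memcpy(dst, eb.body, (size_t)eb.len);
    return eb.len;
}

/* Convenience: decoded body length, -1 for null, -2 if rejected. */
int decoded_len(const uint8_t *buf, size_t buflen)
{
    ext_body eb;
    if (decode_ext_body(buf, buflen, &eb) < 0)
        return -2;
    return eb.len;
}

/* Constructed sample packets. */
const uint8_t PKT_OK[]        = { 0x03, 0x00, 0x00, 0x00, 'a', 'b', 'c' }; /* len 3, 3 bytes  */
const uint8_t PKT_TRUNCATED[] = { 0x10, 0x00, 0x00, 0x00, 'a' };           /* len 16, 1 byte  */
const uint8_t PKT_HUGE[]      = { 0xff, 0xff, 0xff, 0x7f };                /* len INT32_MAX   */
const uint8_t PKT_NULL[]      = { 0xff, 0xff, 0xff, 0xff };                /* len -1 (null)   */

static uint8_t scratch[8];

/* Copy PKT_OK into scratch pretending it has dstlen bytes of room. */
int copy_ok_into(size_t dstlen)
{
    return copy_ext_body(PKT_OK, sizeof PKT_OK, scratch, dstlen);
}

int main(void)
{
    printf("ok:        %d\n", decoded_len(PKT_OK, sizeof PKT_OK));
    printf("truncated: %d\n", decoded_len(PKT_TRUNCATED, sizeof PKT_TRUNCATED));
    printf("huge:      %d\n", decoded_len(PKT_HUGE, sizeof PKT_HUGE));
    printf("null:      %d\n", decoded_len(PKT_NULL, sizeof PKT_NULL));
    printf("copy into 2 bytes: %d\n", copy_ok_into(2));
    return 0;
}
```

The two checks that matter are the comparison of the declared length against the remaining packet bytes and, separately, against the destination size; a decoder that performs only one of them still reads or writes outside a buffer on crafted input.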

Remedy: Download the latest software package from the Softing website – https://industrial.softing.com/products/opc-ua-and-opc-classic-sdks.html

ICS Advisory (ICSA-21-168-02) – https://us-cert.cisa.gov/ics/advisories/icsa-21-168-02

The digital world faces a situation similar to an ambush from all sides. Chrome releases updates (CVE-2021-30554) – 17th June 2021.

Preface: The new Edge and Chrome are very similar, as both are built on the same Chromium platform. Since Microsoft Edge is based on the Chromium open-source project, when a vulnerability occurs in Chrome, the Microsoft browser (Edge) may be affected as well.

Background: WebGL enables web content to use an API based on OpenGL ES 2.0 to perform 2D and 3D rendering in an HTML canvas in browsers that support it, without the use of plug-ins.

Vulnerability details: Just days after patches were issued for 14 Google Chrome vulnerabilities, another zero-day was found. The issue is that cyber criminals can exploit a use-after-free flaw in WebGL. The attack can be initiated remotely, and no form of authentication is needed for exploitation.

Ref 1: Vulnerability found on 15th June, 2021 – Type confusion in V8 in Google Chrome before 91.0.4472.101 allowed a remote malicious user to potentially exploit heap corruption via a crafted HTML page. The CVE-2021-30551 bug is described by Google as type confusion in V8, Google’s open-source JavaScript and WebAssembly engine, implying that JavaScript safety checks can be bypassed to run unapproved code.

Ref 2: Enable WebGL – In your Chrome URL bar, go to chrome://flags. Ensure that WebGL is enabled and not disabled (you’ll need to relaunch Chrome for any changes to take effect).

Announcement by Microsoft – https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-30554

Announcement by Google – https://chromereleases.googleblog.com/2021/06/stable-channel-update-for-desktop_17.html

Reduce e-waste and achieve environmental protection: outdated iPhone models – Security updates (14-06-2021)

Preface: To protect the safety of customers, Apple will not disclose, discuss or confirm security issues until the investigation is completed and patches or updated versions are provided.

My observations on CVE-2021-30737:

Background: PKINIT is a preauthentication mechanism for Kerberos 5 which uses X.509 certificates to authenticate the KDC to clients and vice versa. PKINIT requires an X.509 certificate for the KDC and one for each client principal which will authenticate using PKINIT.

Vulnerability details:
A memory corruption issue in the ASN.1 decoder was addressed by removing the vulnerable code.
The asn1_decode_generaltime function in lib/krb5/asn.1/asn1_decode.c in the ASN.1 Generalized Time decoder in MIT Kerberos 5 (aka krb5) before 1.6.4 allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via vectors involving an invalid DER encoding that triggers a free of an uninitialized pointer.
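As an added illustration (not Apple’s or MIT krb5’s code), here is a strict DER GeneralizedTime decoder in C. It accepts only the whole-second UTC form YYYYMMDDHHMMSSZ (an assumption of this example; DER itself requires the ‘Z’ form and forbids a trailing-zero fraction, but this decoder also declines any fractional seconds) and, relevant to the bug described above, initialises its output pointer to NULL before any check can fail, so the caller’s free() on the error path never acts on an uninitialised pointer.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stddef.h>
#include <ctype.h>
#include <stdio.h>

#define TAG_GENERALIZEDTIME 0x18

struct gtime {
    int year, mon, day, hour, min, sec;
};

static int two_digits(const char *p)
{
    return (p[0] - '0') * 10 + (p[1] - '0');
}

/* Decode a DER GeneralizedTime TLV into a freshly allocated struct gtime.
 * Assumption of this example: only the 15-byte form YYYYMMDDHHMMSSZ with a
 * short-form length is accepted.
 *
 * *out is set to NULL before any check can fail, so a caller that runs
 * free(*out) during error cleanup never frees an uninitialised pointer.
 * Returns 0 on success, -1 on any encoding error. */
int der_decode_generaltime(const uint8_t *buf, size_t len, struct gtime **out)
{
    *out = NULL;                                  /* initialise first */
    if (buf == NULL || len < 2 || buf[0] != TAG_GENERALIZEDTIME)
        return -1;
    size_t vlen = buf[1];
    if (vlen & 0x80)
        return -1;                                /* long-form length never needed here */
    if (vlen != 15 || len < 2 + vlen)
        return -1;                                /* wrong size or truncated TLV */
    const char *v = (const char *)buf + 2;
    for (int i = 0; i < 14; i++)
        if (!isdigit((unsigned char)v[i]))
            return -1;                            /* non-digit in a numeric field */
    if (v[14] != 'Z')
        return -1;                                /* DER requires the UTC 'Z' form */

    struct gtime t;
    t.year = two_digits(v) * 100 + two_digits(v + 2);
    t.mon  = two_digits(v + 4);
    t.day  = two_digits(v + 6);
    t.hour = two_digits(v + 8);
    t.min  = two_digits(v + 10);
    t.sec  = two_digits(v + 12);
    if (t.mon < 1 || t.mon > 12 || t.day < 1 || t.day > 31 ||
        t.hour > 23 || t.min > 59 || t.sec > 59)
        return -1;                                /* field out of range */

    *out = malloc(sizeof **out);
    if (*out == NULL)
        return -1;
    **out = t;
    return 0;
}

/* Constructed samples. */
const uint8_t GT_OK[]    = { 0x18, 15, '2','0','2','1','0','6','1','4','1','2','3','0','0','0','Z' };
const uint8_t GT_LOCAL[] = { 0x18, 14, '2','0','2','1','0','6','1','4','1','2','3','0','0','0' }; /* no 'Z' */
const uint8_t GT_SHORT[] = { 0x18, 15, '2','0','2','1' };                                         /* truncated */

/* Decode a sample and return its year, or -1 on rejection. Shows the
 * caller-side cleanup that the NULL initialisation makes safe. */
int decode_year(const uint8_t *buf, size_t len)
{
    struct gtime *t;
    int rc = der_decode_generaltime(buf, len, &t);
    int year = (rc == 0) ? t->year : -1;
    free(t);                                      /* NULL on failure, so always safe */
    return year;
}

int main(void)
{
    printf("valid:     %d\n", decode_year(GT_OK, sizeof GT_OK));
    printf("no Z:      %d\n", decode_year(GT_LOCAL, sizeof GT_LOCAL));
    printf("truncated: %d\n", decode_year(GT_SHORT, sizeof GT_SHORT));
    return 0;
}
```

The point of decode_year() is the shape of the cleanup path: because the decoder owns the initialisation of its output, a caller can free unconditionally after either outcome without checking which branch left the pointer valid.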

Impact: Processing a maliciously crafted certificate may lead to arbitrary code execution.

Official announcement: https://support.apple.com/en-us/HT212548

Another alert in the medical industry (ZOLL Defibrillator Dashboard design weakness) – 15th June 2021

Preface: A defibrillator is a device that gives a high energy electric shock to the heart of someone who is in cardiac arrest.

What is the Defibrillator Dashboard? A web-based application that provides a login and monitors the function of the defibrillators.

Vulnerability details: The U.S. Department of Homeland Security urges the medical industry to be vigilant about design weaknesses in ZOLL products (defibrillator dashboards). The official article can be found at the following URL – https://us-cert.cisa.gov/ics/advisories/icsma-21-161-01

Security Focus: According to the attached diagram, CVE-2021-27489 carries critical risk. Medical environments, especially hospitals, usually install medical equipment in a separate network. In order to prevent unknown cyber attacks, their solution most likely does not provide internet access. But to keep cyber criminals from exploiting the vulnerability in this product, stopping internet access on the workstation may not be enough. The hospital should set up alerts (correlation firing rules) in its SIEM so that when an unknown host connects, it is monitored, because the unknown host might be acting as a gateway and turn the vulnerable products into victims.
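As an added example of the SIEM correlation rule suggested above (not ZOLL’s or CISA’s code), the C program below runs an allowlist rule over a few constructed connection log lines in an assumed key=value format: any connection to the dashboard server (DASHBOARD_IP, a constructed address) from a source not listed in KNOWN_HOSTS fires an alert.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed connection log, one event per line, in a simplified
 * key=value format assumed for this example (not a real SIEM schema). */
const char *SAMPLE_LOG =
    "2021-06-15T09:00:01 action=allow src=10.20.1.11 dst=10.20.1.5 dport=443\n"
    "2021-06-15T09:00:07 action=allow src=10.20.1.12 dst=10.20.1.5 dport=443\n"
    "2021-06-15T09:01:15 action=allow src=10.20.7.200 dst=10.20.1.5 dport=443\n"
    "2021-06-15T09:02:42 action=allow src=10.20.1.11 dst=10.20.1.5 dport=80\n"
    "2021-06-15T09:03:03 action=allow src=192.168.50.9 dst=10.20.1.5 dport=443\n";

/* Hosts expected to reach the dashboard (constructed allowlist). */
const char *KNOWN_HOSTS[] = { "10.20.1.11", "10.20.1.12" };
const size_t KNOWN_HOSTS_N = 2;

/* The dashboard server the rule protects (constructed address). */
const char *DASHBOARD_IP = "10.20.1.5";

/* Copy the value following key into val (NUL terminated).
 * Returns 1 if the key was found and fits, 0 otherwise. */
static int get_field(const char *line, const char *key, char *val, size_t vlen)
{
    const char *p = strstr(line, key);
    if (p == NULL)
        return 0;
    p += strlen(key);
    size_t n = strcspn(p, " \n");
    if (n >= vlen)
        return 0;
    memcpy(val, p, n);
    val[n] = '\0';
    return 1;
}

static int is_known(const char *ip)
{
    for (size_t i = 0; i < KNOWN_HOSTS_N; i++)
        if (strcmp(ip, KNOWN_HOSTS[i]) == 0)
            return 1;
    return 0;
}

/* Correlation rule: fire once for every connection to the dashboard
 * whose source is not on the allowlist. Returns the number of alerts;
 * each alert is also printed so an analyst can follow up. */
int count_unknown_host_alerts(const char *log)
{
    int alerts = 0;
    const char *line = log;
    while (*line) {
        const char *end = strchr(line, '\n');
        size_t linelen = end ? (size_t)(end - line) + 1 : strlen(line);
        char buf[256];
        if (linelen < sizeof buf) {
            memcpy(buf, line, linelen);
            buf[linelen] = '\0';
            char src[64], dst[64];
            if (get_field(buf, "src=", src, sizeof src) &&
                get_field(buf, "dst=", dst, sizeof dst) &&
                strcmp(dst, DASHBOARD_IP) == 0 && !is_known(src)) {
                printf("ALERT unknown host %s reached dashboard: %s", src, buf);
                alerts++;
            }
        }
        line += linelen;
    }
    return alerts;
}

int main(void)
{
    int n = count_unknown_host_alerts(SAMPLE_LOG);
    printf("%d alert(s)\n", n);
    return 0;
}
```

On the constructed log the rule fires twice (10.20.7.200 and 192.168.50.9); the known workstations, including the one using port 80, pass silently. In a real SIEM the allowlist would come from the asset inventory of the medical VLAN rather than a hard-coded table.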

Workaround: If it is urgent to use the monitoring function remotely, it is highly recommended to use a VPN. For detailed information about protection, please refer to the CISA article.

Closer to reality: one of the ways of ransomware infection (15th June, 2021)

Preface: Ransomware infection is not merely bootstrapped by vulnerabilities in the Windows OS and/or product components. Web site programming technique is the accomplice. Perhaps we can say that the success of ransomware attacks depends on the total number of compromised web servers, which is what I call the trigger point.

Background: Ransomware is often spread through phishing emails that contain malicious attachments or through drive-by downloading. Drive-by downloading occurs when a user unknowingly visits an infected website and then malware is downloaded and installed without the user’s knowledge.

Ransomware is a type of malware attack. The encryption process performs a key exchange with the command and control server and uses the encryption key to scramble all files discovered during the execution step, locking access to the data. From the cyber criminals’ point of view, it is not practical to rent a web hosting service. Therefore, the possible way is to find an online web portal that contains a vulnerability. If they can compromise the online web site, they can set up the phishing attack and evade traditional domain blacklist filters, so they can do their job silently.

Traditional corrective controls do not address the problem effectively: a corrective control comes after detective and preventive controls. You can only restore from a backup after an incident. According to the history of attacks, ransomware exploits operating system and/or component vulnerabilities to conduct the infection. So a traditional full backup may not be usable here, because the victim will be concerned about the exact time they received the attack. As a matter of fact, the correct way to proceed with the restore procedure is to wait for the digital forensic investigation result. To this day such attacks still bother the whole world.

Maybe when something happens, the term phishing will be on your side. See if you can learn more from the attached diagram.