About GriftHorse Malware (30th Sep 2021)

Preface: A large portion of smartphones do not have antivirus software installed. Even where it is installed, antivirus vendors are in a race with cyber criminals. Nowadays, vendors set up malware sinkholes to find zero-day vulnerabilities and ongoing cyber attacks. If cyber criminals rely on software design limitations to hide on the phone, a sinkhole may not easily recognise the behaviour as malicious activity. As a result, a certain amount of personal data will go to an unknown destination.

Ref: Sinkholes are most often used to seize control of botnets by interrupting the DNS names of the botnet that is used by the malware.

Background: Headline news (BleepingComputer) reported today on a piece of malware nicknamed GriftHorse. It infiltrated Android and made hundreds of millions of smartphones its victims. According to the BleepingComputer article, a mobile security firm (Zimperium) observed GriftHorse exploiting the software flexibility of Apache Cordova and claiming over 10 million victims globally.

Details: The Trojans are developed using the mobile application development framework named Apache Cordova, Zimperium said. They uncovered more than 130 GriftHorse apps being distributed through both Google Play and third-party application stores, across all categories. Some of them have basic functionality, and some of them do nothing. Before you read the details of the article, you can quickly look at the attached picture to see that there are many ways to exploit Apache Cordova features to sniff data on the endpoint.

Ref: Cordova wraps your HTML/JavaScript app into a native container which can access the device functions of several platforms. Apache Cordova is an open source framework that enables web developers to use their HTML, CSS, and JavaScript content to create a native application for a variety of mobile platforms.

Reference articles:

Bleepingcomputer – https://www.bleepingcomputer.com/news/security/new-android-malware-steals-millions-after-infecting-10m-phones/

Zimperium – https://blog.zimperium.com/grifthorse-android-trojan-steals-millions-from-over-10-million-victims-globally/

Stealth attack of UEFI bootkit (29th Sep 2021)

Preface: Digital spyware and monitoring technology allows its user to covertly monitor a target’s communications, or collect personal data emitted from their devices.

Background: FinFisher, also known as FinSpy, is surveillance software marketed by Lench IT Solutions plc, which markets the spyware through law enforcement channels. On August 6, 2014, FinFisher source code, pricing, support history, and other related data were retrieved from the Gamma International internal network and made available on the Internet.

Synopsis: A UEFI bootkit was found loading FinSpy.

Impact:
– Bypasses kernel protections (NX and PatchGuard)
– Bypasses local authentication
– Elevated process privileges

Technical details: Kaspersky said it found a UEFI bootkit that was loading FinSpy. All machines infected with the UEFI bootkit had the Windows Boot Manager (bootmgfw.efi) replaced with a malicious one.

Ref: FinSpy is a full-fledged surveillance software suite, capable of intercepting communications, accessing private data, and recording audio.

For more detailed information on these findings, please visit the Kaspersky website – https://securelist.com/finspy-unseen-findings/104322/#iocs

About CVE-2021-20034 – (SMA 100 series) Unauthenticated SMA100 arbitrary file delete vulnerability – 27th Sep 2021

Point of view: More than 20 years ago, the firewall function was standalone and did not include the firewall policy service and VPN function.
The advantage was that when the firewall box was compromised, the attacker would find nothing else in the box.
Over time, the trend toward unified threat management has grown. From a technical point of view, it is a multifunctional service.
It may be hardened, but we can’t say that it is a state machine model (Bell-LaPadula model).

Having said that, the specific design responds to more and more technological developments in the world.
But it is hard to avoid vulnerabilities that occur due to design weaknesses.
This time, SonicWall announced an alert that an improper access control vulnerability in SMA100 allows a remote unauthenticated attacker to bypass the path traversal checks and delete an arbitrary file, potentially resulting in a reboot to factory default settings. This defect can be used for a DoS attack.

One possible way to run into this kind of defect: incorrect configuration of aliases may allow an attacker to read files stored outside the target folder. For more details, please refer to the attached diagram.

Official announcement: Please refer to link – https://www.sonicwall.com/support/product-notification/security-notice-critical-arbitrary-file-delete-vulnerability-in-sonicwall-sma-100-series-appliances/210819124854603/

About BTCPayment server – CVE-2021-3830 (26th Sep, 2021)

Preface: Cryptocurrency looks like a myth. Some people avoid using it, but others like it. If cryptocurrency only provided a payment function, it would have no investment value. Furthermore, suppose that whenever someone transfers money, it is known who the sender and recipient are. If that came true, what would the result be?

Background: BTCPay Server is an open source, P2P payment processor for Bitcoin and other cryptocurrencies where users can self-host their own server and effectively process their own payments.

Quick and easy setup (for individuals and retail businesses): You just open an account on BTCPay Server. It has a web GUI and can be reached wherever there is internet, so your customers can pay you in cryptocurrency.

Users have even built web based point of sales payment solutions using the project. Physical stores can leverage the PoS app for accepting crypto payments. BTCPay Server is code, not a company. There is no third-party between a merchant and a customer. The merchant is always in full control of their funds. There are no processing or subscription fees.

Vulnerability details: BTCPay Server is vulnerable to Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’). The cross-site scripting issue in btcpayserver is stored XSS, also known as persistent XSS. In stored XSS, the malicious code is stored on the server of the application. Stored XSS is possible only when the application is designed to store user input. The attacker would inject the code through requests to the application.

Cause: During page generation, the application does not prevent the data from containing content that is executable by a web browser, such as JavaScript, HTML tags and HTML attributes. For details of the vulnerability, please refer to the attached diagram.

Official details: – https://nvd.nist.gov/vuln/detail/CVE-2021-3830

Does SpaceX use C language? 23rd Sep, 2021

Preface: SpaceX was founded in 2002 by Elon Musk with the goal of reducing space transportation costs to enable the colonization of Mars.

Background: Exploring Mars helps scientists understand major changes in climate that can fundamentally change the planet. It also allows us to look for biological features that might reveal whether there was abundant life on Mars in the past.

SpaceX engineers shared that the programming languages they code in are: “C & C++ for flight software, HTML, JavaScript & CSS for displays and python for testing,” adding that they “use HTML, JavaScript & CSS. We use Web Components heavily.”

Common programming weaknesses: Many memory manipulation functions in C and C++ do not perform bounds checking and can easily overwrite the allocated bounds of the buffers they operate upon.

  • Mistaken assumptions about the size of a piece of data
  • Mistaken assumptions about how a piece of data is formed are the root cause of most buffer overflows.

Ref: In a classic buffer overflow exploit, the attacker sends data to a program, which it stores in an undersized stack buffer. The result is that information on the call stack is overwritten, including the function’s return pointer. The data sets the value of the return pointer so that when the function returns, it transfers control to malicious code contained in the attacker’s data.
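
The size assumption described above, shown as an added example (not SpaceX code and not from the original post): an unchecked strcpy() next to a copy routine that measures the input against the destination first. The struct frame layout, NAME_LEN and the function names are assumptions made for the demonstration.

```c
#include <stddef.h>
#include <string.h>

#define NAME_LEN 16   /* constructed buffer size for the demo */

/* 'saved' stands in for the data that sits after a stack buffer,
 * such as the function's return pointer. */
struct frame {
    char name[NAME_LEN];
    unsigned long saved;
};

/* Unsafe pattern from the text: strcpy() assumes src fits and keeps
 * writing past name[] into 'saved' when it does not. Shown for
 * comparison only; nothing in this example calls it. */
void store_name_unsafe(struct frame *f, const char *src)
{
    strcpy(f->name, src);
}

/* Hardened form: compare the input with the destination size first and
 * reject it instead of overflowing or silently truncating.
 * Returns 0 on success, -1 if src plus its terminator does not fit. */
int store_name_checked(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    /* Look for the terminator within dst_size bytes only. */
    const char *end = memchr(src, '\0', dst_size);
    if (end == NULL)
        return -1;
    memcpy(dst, src, (size_t)(end - src) + 1);
    return 0;
}

/* Returns 1 when a constructed 24-byte input is rejected and the
 * neighbouring field is untouched. */
int oversize_is_rejected(void)
{
    struct frame f = { "", 0xC0FFEEUL };
    int rc = store_name_checked(f.name, sizeof f.name, "AAAAAAAAAAAAAAAAAAAAAAAA");
    return rc == -1 && f.saved == 0xC0FFEEUL && f.name[0] == '\0';
}
```

Rejecting the input, rather than truncating it, keeps a later consumer from acting on a silently shortened value.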

Reality factor: Many additional programming functions make the situation so complex that a programmer cannot accurately predict the program's behavior.

My viewpoint: Human beings want to explore the universe to meet their needs, and to find a way to develop our living space free from the limitations of the earth. In fact, the speed of the rocket is the limit. If you think about it, it will take nine months to reach Mars. But we know that Mars is not suitable for human habitation. Why don’t we take time to improve the air pollution on the planet? In addition, if we can adjust the global greenhouse effect, our new life is coming.

It is no mystery: the findings show that an original function of the CEIP feature can be misused (CVE-2021-22005) – 22nd Sep, 2021

Preface: Rapid7 Labs estimates there are over 2,700 vulnerable vCenter servers exposed to the public internet.

Background: As of May 1 2020, the Pivotal Telemetry program is governed by VMware’s Customer Experience Improvement Program.
Data and continuous feedback loops play an important role in shaping the way Pivotal builds software.

VMware analytics service consists of components that gather and upload telemetry data from various vSphere components to the VMware Analytics Cloud and manage the Customer Experience Improvement Program (CEIP).

Vulnerability details: CVE-2021-22005 (CVSS score of 9.8) – It is an arbitrary file upload vulnerability in the Analytics service, which can be used to execute commands and software on the vCenter Server Appliance. A malicious actor with network access to port 443 on vCenter Server could exploit it by uploading a specially crafted file.

Observation: Since the analytics service can upload telemetry data, an attacker might do the following:

Unauthenticated OVA File Upload RCE – Exploits an unauthenticated OVA file upload and path traversal in vCenter Server to write a JSP payload to a web-accessible directory.

Official announcement – VMware has disclosed a critical bug in its flagship vSphere and vCenter products and urged users to drop everything and patch it. The virtualization giant also offered a workaround. For more details, please refer to the link – https://www.vmware.com/security/advisories/VMSA-2021-0020.html

Closer look – CVE-2021-25751 (21-09-2021)

Preface: As we know, Kubernetes (K8s) is a container orchestration tool, and Docker helps to create the containers that we manage using Kubernetes.

Background: What is subPath in volume mount?
Subpath references files or directories that are controlled by the user, not the system. Volumes can be shared by containers that are brought up at different times in the Pod lifecycle, including by different Pods.
Kubernetes passes host paths to the container runtime to bind mount into the container.

Vulnerability details: A security issue was discovered in Kubernetes where a user may be able to create a container with subpath volume mounts to access files & directories outside of the volume, including on the host filesystem.

The root cause of the problem: Kubernetes doesn’t use the mount syscall directly; it uses the mount command, and the default behavior of the util-linux mount is to resolve symlinks.

Highlight: Don’t canonicalize paths. The mount command canonicalizes all paths (from command line or fstab) by default.
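
What symlink resolution means for a subpath, as an added example (not Kubernetes code and not from the original post): the helper canonicalizes the path the way mount does by default and reports whether the result is still inside the volume. The same test catches the plain ../ traversal mentioned for CVE-2021-20034 earlier on this page; the function names and the temporary directory layout are constructed for the demo.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE   /* realpath, mkdtemp, symlink under strict -std= */
#endif
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: 1 if volume/subpath is still inside volume once
 * symlinks and ".." are resolved, 0 if it escapes, -1 if unresolvable. */
int subpath_is_contained(const char *volume, const char *subpath)
{
    char joined[PATH_MAX], vol_real[PATH_MAX], sub_real[PATH_MAX];
    int n = snprintf(joined, sizeof joined, "%s/%s", volume, subpath);

    if (n < 0 || (size_t)n >= sizeof joined)
        return -1;
    if (!realpath(volume, vol_real) || !realpath(joined, sub_real))
        return -1;
    size_t len = strlen(vol_real);
    if (len == 1)                       /* volume is "/": nothing is outside */
        return 1;
    if (strncmp(sub_real, vol_real, len) != 0)
        return 0;
    /* Require a path boundary so /x/vol does not match /x/vol2. */
    return sub_real[len] == '\0' || sub_real[len] == '/';
}

/* Constructed layout: <tmp>/vol/data is a real directory and
 * <tmp>/vol/evil is a symlink to <tmp>/host, outside the volume. */
int demo(int *plain, int *via_symlink, int *via_dotdot)
{
    char base[] = "/tmp/subpath-demo-XXXXXX";
    char vol[64], host[64], data[64], evil[64];
    if (!mkdtemp(base))
        return -1;
    snprintf(vol, sizeof vol, "%s/vol", base);
    snprintf(host, sizeof host, "%s/host", base);
    snprintf(data, sizeof data, "%s/vol/data", base);
    snprintf(evil, sizeof evil, "%s/vol/evil", base);
    if (mkdir(vol, 0700) || mkdir(host, 0700) || mkdir(data, 0700) || symlink(host, evil))
        return -1;
    *plain       = subpath_is_contained(vol, "data");
    *via_symlink = subpath_is_contained(vol, "evil");
    *via_dotdot  = subpath_is_contained(vol, "../host");
    return 0;
}
```

A check like this is only reliable if the path cannot be swapped for a symlink between the check and the mount; a second canonicalization at mount time reopens that gap.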

Remediation: To mitigate this vulnerability without upgrading kubelet, you can disable the VolumeSubpath feature gate on kubelet and kube-apiserver, and remove any existing Pods making use of the feature. Please refer to the attached picture for details.

Reference: Feature gates are a set of key=value pairs that describe Kubernetes features. You can turn these features on or off using the --feature-gates command line flag on each Kubernetes component.

Security Focus on Microsoft windows CMD Stack Buffer Overflow (19-09-2021)

Preface: Twenty years ago, content filter firewalls were not popular. A quick way to harden the Microsoft Internet Information Server was to delete all cmd commands to avoid network attacks.

Background: If you would like to run cmd in privileged mode, you have to do the following:

  1. Type “CMD”, then hit Ctrl+Shift+Enter to open it as administrator
  2. Explorer – Hold Shift and right-click on a folder, and choose “Open command window here”

To use multiple commands for , separate them by the command separator && and enclose them in quotation marks.

Vulnerability details: An expert found that a specially crafted payload will trigger a stack buffer overflow in the NT Windows “cmd[.]exe” command-line interpreter. Furthermore, running certain file types, especially [dot]cmd or [dot]bat, will be risky. However, the buffer overflow condition is triggered when cmd[.]exe accepts arguments using the /c and /k flags, which execute commands specified by string.

The above attack can only be exploited on a local workstation. Do you think it can be done remotely? As far as I remember, it can if the situation allows, for example when a Windows OS server encounters a zero-day or is not patched. The netcat tool can do remote command execution through CMD. Referring to the attached diagram, if the stack buffer overflow were run through such a tool as a proof of concept, this vulnerability would become more risky.

Observation: If you are using an application firewall, it will automatically drop the malicious traffic, including netcat commands. Since this idea is still at the concept stage, there is no need to worry.

CVE-2021-22941 – Maybe it is not related, or else a user enumeration incident is waiting to happen (17-09-2021)

Preface: With storage zones controllers, the ShareFile Software-as-a-Service (SaaS) cloud storage also offers private storage for ShareFile data, which is known as storage zones.

What is the difference between Dropbox and ShareFile?
The goal of ShareFile is to help your team easily share, sync and store large files from any device without compromising important data. And unlike Dropbox, ShareFile provides the security, visibility and access your business needs from a single cloud-based dashboard.

Background: What is user enumeration?

User enumeration allows attackers to conduct dictionary attacks against systems and reveals information about who has access to them.

Since the services below are commonly accessible from the Internet, and often use the organisation’s internal Active Directory (AD) for authentication, this creates a situation where an attacker on the Internet can easily identify usernames from an internal Windows domain.

  • Office 365 ActiveSync
  • Active Directory Federated Services (ADFS) single sign-on

Without a user enumeration flaw to obtain a list of users, these attacks become difficult. Attackers commonly make use of nmap (e.g. $ nmap -p139,445 --script smb-enum-users )

Additional: Other than that, CVE-2021-22941 is the hottest matter this week. A security issue has been identified in Citrix ShareFile storage zones controller which, if exploited, would allow an unauthenticated attacker to remotely compromise the storage zones controller. The official announcement can be found at this link – https://support.citrix.com/article/CTX328123

Ref: The flaws (user enumeration) have been exposing internal corporate networks to attacks for years, yet are undetected by leading vulnerability scanners.

Is there any session-related security matter (CVE-2021-37535)?

Preface: Have you checked your JMS security authorization? Fix your JMS application immediately.

Background: The basic building blocks of a JMS application are:

  • Administered objects: connection factories and destinations
  • Connections
  • Sessions
  • Message producers
  • Message consumers
  • Messages

The JMS Connector Service is an enterprise messaging system that provides a way for business applications to exchange data
without needing to be directly connected to each other. The communication is obtained using messages. It allows different
message models like Point-to-Point Messaging or Publish-Subscribe scenarios.

Vulnerability details: Missing authorization check in SAP NetWeaver Application Server for Java (JMS Connector Service).
The JMS security mechanism can help you protect your JMS application by defining JMS actions for some API methods (such as createProducer(), createConsumer(), and so on) and assigning permissions to different user roles. In fact, it can minimize the risk.
To avoid unforeseen issues in future, it is highly recommended to follow the vendor's instructions and patch as early as possible.

Affected products – SAP NetWeaver Application Server Java (JMS Connector Service) , Versions – 7.11, 7.20, 7.30, 7.31, 7.40, 7.50

Official announcement – https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=585106405