
Are you worried about UEFI BIOS attacks? (19th Jan, 2021)

Preface: Quite a lot of UEFI vulnerabilities and hardware misconfigurations have been found in the past, and each one is a warning sign. To be fair, getting malicious code into UEFI firmware in the first place is still very difficult.

Background: Reading the first sector of the disk and loading it at address 0x7C00 is the legacy BIOS boot protocol. UEFI no longer uses it; it is old technology. UEFI boot loaders are ordinary files loaded from a filesystem (the FAT-formatted EFI System Partition). UEFI also requires the firmware and the operating system loader (or kernel) to be size-matched: for example, a 64-bit UEFI firmware implementation can load only a 64-bit operating system (OS) boot loader or kernel.
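The size-matching rule can be checked directly from the loader file, because every UEFI boot loader is a PE/COFF image stored on the EFI System Partition. The C program below is an added example (not code from the original post or from any firmware): it parses the PE header of a loader image, reads the Machine type and Subsystem fields, and decides whether a firmware of a given machine type would load it. The header it builds is constructed for the demonstration only, and the function names are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* PE/COFF constants from the PE specification. */
#define PE_MACHINE_I386   0x014c
#define PE_MACHINE_AMD64  0x8664
#define PE_MACHINE_ARM64  0xaa64
#define PE_SUBSYSTEM_EFI_APPLICATION 10
#define PE32_MAGIC  0x10b
#define PE32P_MAGIC 0x20b

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Read Machine and Subsystem from the headers of a PE/COFF image, the format of
 * every .efi loader on the EFI System Partition. Returns 0 on success, -1 if the
 * bytes are not a well-formed PE32/PE32+ header. */
int pe_header_info(const uint8_t *img, size_t len, uint16_t *machine, uint16_t *subsystem) {
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;
    uint32_t pe_off = rd32(img + 0x3c);                     /* e_lfanew: offset of "PE\0\0" */
    if (pe_off > len || len - pe_off < 4 + 20 + 70) return -1;
    if (memcmp(img + pe_off, "PE\0\0", 4) != 0) return -1;
    const uint8_t *coff = img + pe_off + 4;                 /* 20-byte COFF file header */
    const uint8_t *opt  = coff + 20;                        /* optional header */
    uint16_t magic = rd16(opt);
    if (magic != PE32_MAGIC && magic != PE32P_MAGIC) return -1;
    *machine = rd16(coff);
    *subsystem = rd16(opt + 68);                            /* same offset in PE32 and PE32+ */
    return 0;
}

/* The size-matching rule made explicit: firmware built for one machine type loads
 * only EFI applications built for that same machine type, so a 64-bit (x64)
 * firmware refuses an IA-32 loader and vice versa. Returns 1 if loadable. */
int firmware_can_load(uint16_t firmware_machine, const uint8_t *img, size_t len) {
    uint16_t machine, subsystem;
    if (pe_header_info(img, len, &machine, &subsystem) != 0) return 0;
    if (subsystem != PE_SUBSYSTEM_EFI_APPLICATION) return 0;  /* not an EFI application */
    return machine == firmware_machine;
}

/* Constructed sample: a header-only image with the given Machine and Subsystem.
 * Enough for the checks above; no sections or code are included. */
size_t make_sample_efi_header(uint8_t *buf, size_t cap, uint16_t machine, uint16_t subsystem) {
    const uint32_t pe_off = 0x80;
    size_t need = pe_off + 4 + 20 + 70;
    if (cap < need) return 0;
    memset(buf, 0, need);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3c, pe_off);
    memcpy(buf + pe_off, "PE\0\0", 4);
    uint8_t *coff = buf + pe_off + 4, *opt = coff + 20;
    wr16(coff, machine);
    wr16(opt, (machine == PE_MACHINE_AMD64 || machine == PE_MACHINE_ARM64) ? PE32P_MAGIC : PE32_MAGIC);
    wr16(opt + 68, subsystem);
    return need;
}

/* Build a sample loader header and ask whether the given firmware would load it. */
int demo_can_load(uint16_t firmware_machine, uint16_t image_machine, uint16_t subsystem) {
    uint8_t buf[256];
    size_t n = make_sample_efi_header(buf, sizeof buf, image_machine, subsystem);
    return n ? firmware_can_load(firmware_machine, buf, n) : 0;
}
```

The same parse is what a firmware image loader performs before anything else, which is why a mismatched architecture fails early rather than executing the wrong instruction set. Real firmware additionally verifies the image's Authenticode signature under Secure Boot; that step is outside this example.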

Synopsis: A local attacker with access to system memory may exploit this UEFI vulnerability. This may not be the only way to reach it.

Dell has mitigated the design flaw in the affected product (Inspiron 5675). Please refer to the link below. https://www.dell.com/support/kbdoc/zh-hk/000180645/dsa-2020-247-dell-client-platform-security-update-for-uefi-bios-runtimeservices-overwrite-vulnerability

CVE-2021-24122 Apache Tomcat Information Disclosure (14th Jan 2021)

Synopsis:
What is a reparse point? According to Microsoft's documentation, the NTFS filesystem has a concept called a “reparse point”: a file or directory that carries user-defined data which a filesystem filter driver interprets. Traditional NTFS junctions and the Windows 10 “Unix-like” symbolic links are two different kinds of reparse point.
Starting in Windows 10, version 1607, for the Unicode version of this function (FindFirstFileW), you can opt in to remove the MAX_PATH character limitation without prepending “\\?\”.

Vulnerability details: The weakness lies in how Tomcat relies on the JRE method File.getCanonicalPath when serving resources from a network location on an NTFS filesystem. In some configurations a crafted request path was resolved inconsistently by the underlying Windows API (FindFirstFileW), so that security constraints could be bypassed and the source code of a JSP returned instead of its output: a source code disclosure. For details, see the attached diagram.

Vendor announcement: http://mail-archives.us.apache.org/mod_mbox/www-announce/202101.mbox/%3Cf3765f21-969d-7f21-e34a-efc106175373%40apache.org%3E

Fixed in:
– 10.0.x for 10.0.0-M10 onwards
– 9.0.x for 9.0.40 onwards
– 8.5.x for 8.5.60 onwards
– 7.0.x for 7.0.107 onwards

Stack-based buffer overflow – the biggest enemy of the IoT world

Preface: ASLR, NX (non-executable memory) and stack canaries make this class of memory weakness harder to exploit, but they do not remove it, and malware authors keep finding ways around them.

Background: EIP is a register in the 32-bit x86 architecture that points to the next instruction to execute. Keeping track of which memory location is being executed is therefore central to preventing malware from taking over a program. The EIP register cannot be accessed directly by software; it is controlled implicitly by control-transfer instructions (such as JMP, Jcc, CALL and RET), interrupts and exceptions. The only way to read the EIP register is to execute a CALL instruction and then read the return address from the procedure stack.

Potential cyber attack: Refer to the diagram. The vulnerable service listens on TCP port 80; sending an HTTP GET request of 300 or more bytes overflows a stack buffer and overwrites the saved return address (EIP). The attacker replaces it with an address that points into a run of NOP (No Operation) instructions, the NOP sled, which is followed by the shellcode. Once the shellcode runs, the program's privileges are the attacker's, and any access control the program enforced is gone.
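To make the mechanism concrete, here is an added C example (not code from the original post or from the malware it describes) of the vulnerable request handler beside a hardened one. It assumes a 256-byte stack buffer and a classic 32-bit cdecl frame without a canary; the 300-byte request it builds is constructed for the demonstration, and the function names are this example's own. The payload layout the post describes (padding up to the saved EIP, the 4-byte address, the NOP sled, the shellcode) is expressed only as offsets, not as exploit bytes.

```c
#include <stdio.h>
#include <string.h>

#define REQ_BUF 256      /* the fixed stack buffer the service copies a request into */

/* Vulnerable handler, the shape the post describes: the request is copied into
 * a fixed stack buffer with no length check. A 300-byte GET runs past the buffer,
 * over the saved frame pointer and the saved return address (EIP on 32-bit x86),
 * so RET jumps wherever the attacker's bytes say. For contrast only; not called. */
void handle_request_vulnerable(const char *request) {
    char buf[REQ_BUF];
    strcpy(buf, request);                        /* no bound: overflows if strlen(request) >= REQ_BUF */
    printf("%.*s\n", 20, buf);
}

/* Hardened handler: refuse anything that does not fit, then copy with an explicit
 * bound and a terminator. Returns 0 when handled, -1 when rejected. */
int handle_request_safe(const char *request, size_t request_len) {
    char buf[REQ_BUF];
    if (request_len >= sizeof buf) return -1;    /* reject rather than truncate silently */
    memcpy(buf, request, request_len);
    buf[request_len] = '\0';
    return 0;
}

/* Where the saved return address lies for a 32-bit cdecl frame with no canary:
 * buf, then the 4-byte saved EBP, then the 4-byte saved EIP. Returns the offset
 * of the first EIP byte, or -1 if request_len cannot reach it. Compilers insert
 * padding, so in a real binary the exact offset is confirmed by sending a cyclic
 * pattern and reading EIP in the debugger; with a canary the overwrite is caught. */
long saved_eip_offset(size_t buf_size, size_t request_len) {
    size_t off = buf_size + 4;
    return request_len >= off + 4 ? (long)off : -1;
}

/* Constructed 300-byte request of the kind the post mentions. Returns its length. */
size_t make_long_get_request(char *out, size_t cap) {
    const size_t n = 300;
    if (cap < n + 1) return 0;
    memset(out, 'A', n);
    memcpy(out, "GET /", 5);
    out[n] = '\0';
    return n;
}

/* Feed the constructed request to the hardened handler. */
int demo_long_request(void) {
    char req[512];
    size_t n = make_long_get_request(req, sizeof req);
    return handle_request_safe(req, n);            /* -1: rejected */
}
```

The hardened variant is the whole fix: the length is checked against the destination before any copy. The offset helper only explains why "300 bytes" is enough in the post's scenario; with 256 bytes of buffer, the saved EIP begins at offset 260 and a 300-byte request covers it with room to spare.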

Status: under observation.

Astrologers view planetary alignments as omens of disaster. Or are they simply rare astronomical phenomena?

This article was published in January 2021.

Preface: If nine different balls run on circular orbits, they always have a chance to meet up.

Synopsis: In order of size, the nine planets (counting Pluto) are Jupiter, Saturn, Uranus, Neptune, Earth, Venus, Mars, Mercury and Pluto. The Moon orbits the Earth once every 27.322 days, and it also takes approximately 27 days to rotate once on its axis. Because the Moon's rotation period nearly matches its orbital period, it keeps the same side facing Earth. As a result the Moon does not seem to be spinning; to observers on Earth it appears to hold almost perfectly still. This is synchronous rotation.

The diagram above shows the Moon's actual state: synchronous rotation, so that only one face is ever visible from the Earth. That is why we never feel that the Moon is rotating.

The Moon is the Earth's only natural satellite, and the synchronisation of its rotation and revolution affects the Earth's tides. The Moon is located at a Lagrange point, so it can be parked and fixed in a certain location.

Reference: A Lagrange point is a position where the combined gravity of two large masses provides exactly the centripetal force a small body needs to move along with them, so the small body can remain parked in a fixed position relative to the two.

A great conjunction

Great conjunctions occur approximately every 20 years, when Jupiter “overtakes” Saturn in its orbit. According to NASA, the 2020 Jupiter-Saturn conjunction was the closest the two planets had appeared in nearly 400 years, and the closest observable at night in nearly 800 years.

Counting the blue moon, 13 full moons appeared in 2020. In addition, at least three of them were supermoons, which appear larger and brighter than usual. Perhaps these events made people feel that 2020 was a special year.

Let's review the astronomical phenomena of 2020 (see below):

What astronomical phenomena will 2021 bring?

What is a triple conjunction? A triple conjunction is an astronomical event in which two planets, or a planet and a star, appear to meet each other three times in a short period, either at opposition or, if an inferior planet is involved, at the time of inferior conjunction.

On 8th Jan 2021, a rare three-planet conjunction of Mercury, Jupiter and Saturn illuminated the sky. What's next?

Refer to link – https://solarsystem.nasa.gov/whats-up-skywatching-tips-from-nasa/ or table below.

Since ancient times, witches and fortune-tellers have used astronomical phenomena to make predictions. It is hard to say whether they are right or wrong. My view is that the genesis of the Earth looks mysterious. For instance, the location of the Moon looks special; it looks as if it were artificial.

Some say the Black Death was “created” on March 20, 1345, the date of a triple conjunction of Saturn, Jupiter and Mars. Ref: https://www.history.com/this-day-in-history/black-death-is-created-allegedly

Is it true, or is it superstition? That decision is yours to make.

End of article.

NSA releases urgent guidance (ORN U/OO/800922-17) urging the public not to use obsolete TLS configurations (6th Jan 2021)

Preface: Obsolete TLS configurations are still in use in U.S. Government systems, although this is changing. Under the Office of Management and Budget (OMB) memorandum M-15-13, all publicly accessible federal websites and web services are required to be served only over secure (HTTPS) connections.

Synopsis: The Internet Engineering Task Force (IETF) published TLS 1.3 in August 2018. TLS 1.2, the version it replaced, was standardized a decade earlier, in 2008. The attached diagram shows examples of TLS vulnerabilities and attacks.

Consequence: Using obsolete encryption gives a false sense of security, because sensitive data appears to be protected when it is not.
Network connections that employ obsolete encryption protocols are at elevated risk of exploitation and decryption.

Recommendation: NSA recommends that only TLS 1.2 or TLS 1.3 be used, and that SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1 no longer be used. If additional interoperability support is needed, configurations should use only non-deprecated options from NIST SP 800-52r2.

Official announcement (NSA Releases Guidance on Eliminating Obsolete TLS Protocol Configurations): https://media.defense.gov/2021/Jan/05/2002560140/-1/-1/0/ELIMINATING_OBSOLETE_TLS_UOO197443-20.PDF
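Checking that a server actually honours the floor above means reading the version it negotiated, not the one it advertised. The C program below is an added example (not code from the NSA guidance or from any TLS library): it builds a minimal ServerHello record, then parses it the way a compliance scanner would, including the TLS 1.3 case where the fixed legacy_version field says 0x0303 and the real choice sits in the supported_versions extension. The records it builds are constructed for the demonstration (placeholder random and cipher suite), and the function names are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Protocol versions as encoded on the wire. */
#define SSL_3_0 0x0300
#define TLS_1_0 0x0301
#define TLS_1_1 0x0302
#define TLS_1_2 0x0303
#define TLS_1_3 0x0304

/* The floor the NSA guidance sets: only TLS 1.2 and 1.3 are acceptable. */
int tls_version_acceptable(int version) {
    return version == TLS_1_2 || version == TLS_1_3;
}

/* Return the version a server actually negotiated, given a captured ServerHello
 * record, or -1 if the bytes do not parse. A TLS 1.3 server writes 0x0303 in the
 * legacy_version field and its real choice in the supported_versions extension
 * (type 0x002b), so a scanner that reads only the fixed field misreports 1.3 as 1.2. */
int tls_serverhello_version(const uint8_t *p, size_t n) {
    if (n < 9 || p[0] != 0x16) return -1;                 /* record type 22 = handshake */
    size_t rec_len = ((size_t)p[3] << 8) | p[4];
    if (rec_len + 5 > n) return -1;
    const uint8_t *h = p + 5, *end;
    if (rec_len < 4 || h[0] != 0x02) return -1;           /* handshake type 2 = ServerHello */
    size_t hs_len = ((size_t)h[1] << 16) | ((size_t)h[2] << 8) | h[3];
    if (hs_len > rec_len - 4) return -1;
    end = h + 4 + hs_len;
    const uint8_t *q = h + 4;
    if ((size_t)(end - q) < 2 + 32 + 1) return -1;
    int version = (q[0] << 8) | q[1];
    q += 2 + 32;                                          /* legacy_version, random */
    size_t sid_len = *q++;
    if ((size_t)(end - q) < sid_len + 3) return -1;
    q += sid_len + 3;                                     /* session_id, cipher_suite, compression */
    if (q == end) return version;                         /* no extensions: fixed field is final */
    if ((size_t)(end - q) < 2) return -1;
    size_t ext_total = ((size_t)q[0] << 8) | q[1];
    q += 2;
    if ((size_t)(end - q) < ext_total) return -1;
    end = q + ext_total;
    while ((size_t)(end - q) >= 4) {
        int type = (q[0] << 8) | q[1];
        size_t len = ((size_t)q[2] << 8) | q[3];
        q += 4;
        if ((size_t)(end - q) < len) return -1;
        if (type == 0x002b && len == 2) return (q[0] << 8) | q[1];   /* supported_versions */
        q += len;
    }
    return version;
}

/* Constructed sample ServerHello. legacy goes in the fixed field; if selected is
 * non-zero a supported_versions extension carrying it is appended, the way a
 * TLS 1.3 server answers. Returns bytes written, 0 if cap is too small. */
size_t build_serverhello(uint8_t *out, size_t cap, int legacy, int selected) {
    size_t body = 2 + 32 + 1 + 2 + 1 + (selected ? 2 + 6 : 0);
    size_t total = 5 + 4 + body;
    if (cap < total) return 0;
    uint8_t *q = out;
    *q++ = 0x16; *q++ = (uint8_t)(legacy >> 8); *q++ = (uint8_t)legacy;   /* record header */
    *q++ = (uint8_t)((4 + body) >> 8); *q++ = (uint8_t)(4 + body);
    *q++ = 0x02; *q++ = 0; *q++ = (uint8_t)(body >> 8); *q++ = (uint8_t)body;   /* handshake header */
    *q++ = (uint8_t)(legacy >> 8); *q++ = (uint8_t)legacy;
    memset(q, 0x42, 32); q += 32;                         /* placeholder random */
    *q++ = 0;                                             /* empty session_id */
    *q++ = 0x00; *q++ = 0x2f;                             /* placeholder cipher suite */
    *q++ = 0;                                             /* null compression */
    if (selected) {
        *q++ = 0; *q++ = 6;                               /* extensions length */
        *q++ = 0x00; *q++ = 0x2b; *q++ = 0; *q++ = 2;     /* supported_versions, length 2 */
        *q++ = (uint8_t)(selected >> 8); *q++ = (uint8_t)selected;
    }
    return total;
}

/* Build then parse: what a scanner would report for a server answering this way. */
int demo_negotiated_version(int legacy, int selected) {
    uint8_t buf[128];
    size_t n = build_serverhello(buf, sizeof buf, legacy, selected);
    return n ? tls_serverhello_version(buf, n) : -1;
}
```

Version is only half of the NSA guidance; the same scanner would also record the cipher suite and key exchange, since TLS 1.2 negotiated with RC4, 3DES or a static RSA key exchange is still an obsolete configuration.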

CVE-2020-27780 – Linux-pam vulnerability – Improper Authentication (18th Dec 2020)

Background: Linux-PAM is an open-source implementation of the PAM design that Sun Microsystems (a well-known manufacturer later acquired by Oracle) proposed in a DCE-RFC. PAM stands for Pluggable Authentication Modules: authentication modules and plug-ins can be added to the authentication stack dynamically, without rebuilding or reloading the system, which is very flexible.

Vulnerability details: When the user does not exist, PAM tries to authenticate against root's entry, and if root has an empty password the authentication succeeds.

Reason: The default options set on pam_pwquality include local_users_only, which tells pam_pwquality to ignore users that are not in the local /etc/passwd file. The blank-password check in pam_unix, however, could return 1 when root had an empty password, because in the second case (refer to the diagram) the password hash of root was used in place of the missing user's.

Remediation: Upgrade to Linux-PAM 1.5.1 or later, which fixes CVE-2020-27780: https://github.com/linux-pam/linux-pam/releases
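The control-flow mistake is easier to see in a small model than in the module source. The C program below is an added example (not the Linux-PAM code): it models the unknown-user fallback the post describes beside a corrected version. The shadow database is constructed, the "crypt" is a toy direct comparison, and nullok is modelled as a plain flag; the function names are this example's own.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for the shadow database: name -> password hash.
 * An empty hash means the account has a blank password, the precondition
 * for CVE-2020-27780. */
struct shadow_entry { const char *name; const char *hash; };
static const struct shadow_entry shadow_db[] = {
    { "root",  "" },
    { "alice", "alice-pw" },
};

/* Look up a user's hash; NULL when the user does not exist. */
static const char *lookup_hash(const char *user) {
    for (size_t i = 0; i < sizeof shadow_db / sizeof shadow_db[0]; i++)
        if (strcmp(shadow_db[i].name, user) == 0) return shadow_db[i].hash;
    return NULL;
}

/* Toy stand-in for crypt(3): the stored "hash" is compared directly against the
 * clear text. Enough to show the control flow; not a real password check. */
static int hash_matches(const char *password, const char *hash) {
    return strcmp(password, hash) == 0;
}

/* Model of the flawed flow: when the user is unknown, root's entry is used so the
 * unknown-user path behaves like the known-user path. If root's hash is blank and
 * nullok is set, the blank-password check passes for *any* user name, including
 * ones that do not exist. Returns 1 on success, 0 on failure. */
int authenticate_vulnerable(const char *user, const char *password, int nullok) {
    const char *hash = lookup_hash(user);
    if (hash == NULL) hash = lookup_hash("root");         /* the flaw: another account's hash */
    if (hash[0] == '\0') return nullok;                    /* blank password accepted only with nullok */
    return hash_matches(password, hash);
}

/* Corrected flow: an unknown user always fails. To keep the timing similar to a
 * real user, a throwaway comparison against a fixed dummy hash is still performed,
 * but no other account's credentials are ever consulted. */
int authenticate_fixed(const char *user, const char *password, int nullok) {
    static const char dummy_hash[] = "never-matches";
    const char *hash = lookup_hash(user);
    if (hash == NULL) { (void)hash_matches(password, dummy_hash); return 0; }
    if (hash[0] == '\0') return nullok;
    return hash_matches(password, hash);
}
```

The fallback existed for a defensible reason, making unknown and known users take the same code path so that response timing does not reveal which names exist; the corrected flow keeps that property with a dummy hash instead of borrowing root's.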

CVE-2021-3006 (Loopring (LRC) Protocol Incident): if you are passionate about cryptocurrency, you should be alert to this (4th Jan 2021)

Background: In November 2020, several DeFi platforms on Ethereum suffered security incidents, including Pickle Finance and 88mph.

What Is Decentralized Finance (DeFi)?
By deploying immutable smart contracts on Ethereum, DeFi developers can launch financial protocols and platforms that run exactly as programmed and are available to anyone with an Internet connection.

What Are Flash Loans in DeFi?
A flash loan is an uncollateralised loan from strangers that is possible only in DeFi: the borrower must repay the lender within the same transaction that issued the funds, otherwise the entire transaction is reverted.

Vulnerability details: A Farm contract is deployed for every Seal pool, and its breed() function issues new Seal tokens. Because no access control was designed for breed(), anyone could call the Farm contract's breed() function and mint tokens.

CVE-2021-3006 Detail – https://nvd.nist.gov/vuln/detail/CVE-2021-3006

To avoid malware misusing the “PACKET_MMAP” facility in Linux environments. CISA releases free detection tool for Azure/M365 environments (29th Dec 2020)

Preface: Neither shellcode nor shellcode injection has anything to do with shell scripting. Shellcode is the payload an attacker runs after finding a vulnerable spot in an organisation's defences and exploiting it for malicious purposes.

Background: Azure Sphere is a secured, high-level application platform with built-in communication and security features for internet-connected devices. The platform consists of the integration of hardware built around a secured silicon chip; the Azure Sphere OS (operating system), a custom high-level Linux-based operating system; and the Azure Sphere Security Service, a cloud-based security service….

About “PACKET_MMAP”: the kernel documentation describes it as follows.
PACKET_MMAP provides a size-configurable circular buffer mapped into user space that can be used to either send or receive packets. Here lies the design weakness: when PACKET_RX_RING is used, the kernel fills the mmap'ed buffer with received packet data. It is enough for the user's process to mmap the ring with PROT_READ|PROT_EXEC and let the kernel fill it; bytes an attacker sends over the network then land in executable memory without the process ever writing them itself, which sidesteps protections that stop a process from writing its own code.
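One place a defender can see this trick is the process's memory map: a packet ring is a mapping backed by a socket file descriptor, and a legitimate capture tool maps it read/write, never executable. The C program below is an added example (not code from the kernel, from Azure Sphere or from CISA's tool): it parses /proc/<pid>/maps lines and counts executable mappings whose backing object is a socket. The maps text is constructed for the demonstration, and it assumes the kernel reports socket-backed mappings with a "socket:[inode]" pathname, which is how sockfs names them; the function names are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample of /proc/<pid>/maps output. The third line models what a
 * PACKET_RX_RING mapped with PROT_READ|PROT_EXEC looks like: a shared ("s"),
 * executable mapping whose pathname is the socket that backs it. */
static const char SAMPLE_MAPS[] =
    "00400000-00452000 r-xp 00000000 08:01 1234       /usr/bin/agent\n"
    "7f1c2a000000-7f1c2a021000 rw-p 00000000 00:00 0 \n"
    "7f1c2a100000-7f1c2a300000 r-xs 00000000 00:05 45678      socket:[45678]\n"
    "7ffd3c1e0000-7ffd3c201000 rw-p 00000000 00:00 0          [stack]\n";

/* Parse one maps line into its permission string and pathname (empty if none).
 * Returns 1 when the fixed fields parsed. */
static int parse_maps_line(const char *line, char perms[5], char path[256]) {
    unsigned long start, end, off, inode;
    char dev[16];
    path[0] = '\0';
    int n = sscanf(line, "%lx-%lx %4s %lx %15s %lu %255s",
                   &start, &end, perms, &off, dev, &inode, path);
    return n >= 6;
}

/* Heuristic detection: an executable mapping backed by a socket. The kernel
 * filling an executable region with network bytes is the PACKET_MMAP shellcode
 * trick; normal tools never need 'x' on a packet ring. Returns the count. */
int count_exec_socket_mappings(const char *maps_text) {
    int count = 0;
    const char *p = maps_text;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[512];
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        char perms[5], path[256];
        if (parse_maps_line(line, perms, path) && perms[2] == 'x' &&
            strncmp(path, "socket:[", 8) == 0)
            count++;
        p = nl ? nl + 1 : p + len;
    }
    return count;
}

/* Read a live process's map and apply the same check. Returns -1 if unreadable. */
int scan_proc_maps(long pid) {
    char fname[64];
    static char text[1 << 16];
    snprintf(fname, sizeof fname, "/proc/%ld/maps", pid);
    FILE *f = fopen(fname, "r");
    if (!f) return -1;
    size_t n = fread(text, 1, sizeof text - 1, f);
    fclose(f);
    text[n] = '\0';
    return count_exec_socket_mappings(text);
}

/* Run the detection over the constructed sample. */
int demo_suspicious_mappings(void) {
    return count_exec_socket_mappings(SAMPLE_MAPS);
}
```

On the hardening side the same check is the policy: a process that needs PACKET_RX_RING should map it with PROT_READ|PROT_WRITE only, and a platform that enforces W^X should refuse PROT_EXEC on socket-backed mappings outright.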

Remedy: Shellcode injection can sometimes evade endpoint malware protection, so from a cost-effectiveness standpoint a SIEM is one of the better defences. Meanwhile, CISA has released a free detection tool for Azure/M365 environments. Reference link – https://us-cert.cisa.gov/ncas/current-activity/2020/12/24/cisa-releases-free-detection-tool-azurem365-environment

Just heard that Whirlpool was hit by a Nefilim ransomware attack (28th Dec 2020)

Preface: Do you have a doubt? For example, Mimikatz and PsExec.exe are detected by antivirus. So how does ransomware disable antivirus?

Technical reference: Malware can no longer disable Microsoft Defender via the registry, which makes evading that defence harder. Yet ransomware still causes great damage and wreaks havoc on the digital world.

The most common ransomware attack vectors are:

  • Remote desktop protocol (RDP).
  • Email phishing.
  • Software vulnerabilities.
  • Malicious code hidden on a website
  • Malicious email links

How ransomware disable antivirus?

It depends on vulnerabilities in the operating system, in software applications and so on; for details, please refer to the attached diagram. In addition, attackers can exploit a vulnerability in a legitimately signed (.SYS) driver to gain kernel access: the ransomware installs the legitimate driver and then uses it to kill antivirus services.

Headline News: Home appliance giant Whirlpool hit in Nefilim ransomware attack – https://www.bleepingcomputer.com/news/security/home-appliance-giant-whirlpool-hit-in-nefilim-ransomware-attack/

Reminder for those who are using SCO OpenServer (28th Dec 2020)

Preface: Today's web design tools are quite mature, and you can build large websites without ever touching HTML syntax. Perhaps that is how a vulnerability like this one comes about.

What’s HTTP Method?
OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, CONNECT

What is the difference between GET and POST?
In the HTTP GET method, parameters travel in the URL query string; a message body on a GET request has no defined meaning, and servers may ignore or reject it.
The original purpose of POST is to send form data in the message body. In addition, multipart encoding is used when sending files, and the files and the other form fields are all placed in the message body.

Vulnerability details: It is possible to use various shell metacharacters to inject arbitrary OS commands. The command output does not appear in the application's responses, but time-delay commands can be injected to confirm that the vulnerability exists (a blind injection). For more details, please refer to the URL below: https://nvd.nist.gov/vuln/detail/CVE-2020-25494
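The shape of such a bug, and its fix, is the same in any CGI program that hands a request parameter to a shell. The C program below is an added example (not code from SCO OpenServer or from the advisory): a vulnerable handler that builds a command string beside a hardened one that validates the parameter against an allow-list and executes the program without a shell. The program path, parameter name and function names are made up for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/wait.h>

/* Vulnerable pattern: a request parameter is pasted into a command line that a
 * shell then parses. With the value "daily; sleep 10" the shell runs sleep as a
 * second command; nothing of it reaches the HTTP response, but the ten-second
 * delay confirms the injection, which is the blind technique described above.
 * Kept for contrast only; nothing here calls it. */
int run_report_vulnerable(const char *outputform) {
    char cmd[512];
    snprintf(cmd, sizeof cmd, "/usr/lib/reports/genreport -f %s", outputform);
    return system(cmd);
}

/* Allow-list check: the parameter is only ever a short token of [A-Za-z0-9_-].
 * Anything else, including every shell metacharacter, is refused. An allow-list
 * is preferred to a deny-list of metacharacters, which is easy to get wrong. */
int param_is_safe(const char *s) {
    size_t n = strlen(s);
    if (n == 0 || n > 32) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '_' || c == '-')) return 0;
    }
    return 1;
}

/* Hardened form: validate, then exec the program with an argv array so that no
 * shell is involved and the value can only ever be a single argument.
 * Returns -1 for rejected input, otherwise the child's exit status. */
int run_report_safe(const char *outputform) {
    if (!param_is_safe(outputform)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { "genreport", "-f", (char *)outputform, NULL };
        execv("/usr/lib/reports/genreport", argv);
        _exit(127);                                      /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

The hardened handler rejects before forking, so a time-based probe such as "daily; sleep 10" returns immediately with an error instead of pausing the response, which is also how a tester would confirm the fix.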