All posts by admin

Public safety, Under our observation, Virus & Malware

Remote Access Trojan: BLINDINGCAN – 19th Aug 2020

Leave a comment

Preface: The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have identified a malware variant—referred to as BLINDINGCAN—used by North Korean actors.

Techincal details: Perhaps the official report already provide the details. In short, the key point is that APT group exploit the Microsoft Word vulnerability (CVE-2017-0199). As such, APT attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The report described that malware will download [.]dll file from C&C server. The aim is to replace the local workstation iconcache[.]dll. Replace the iconcache[.]dll require privileges access right. So the specifics attack is targeting the machine which do not have patch installed. If it is successful. The unpack iconcache[.]dll will be transformed a variant of Hidden Cobra RAT.

Official announcement: https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a

Recommendation: Check your MS office Patch – https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199

Reference: Perhaps you have doubt that why do the cyber security organization aware the cyber attack in earlier phase. Does it a conspricy? They do a sniffing of your traffic? Or doing surveillance?
No. they have several ways to protect the internet world. For example, relies on DNS Sink Hole activity record in service provider side, cyber crime activities reporting by computer users. Or, through alerts issued by law enforcement agencies, alerting of special types of cyber attacks from hostile entities.

Potential Risk of CVE, Under our observation

Do not use insecure deserializer BinaryFormatter – 19th Aug 2020

Leave a comment

Preface: SharePoint is a web-based collaborative platform that integrates with Microsoft Office.So called WebParts”gadgets” that provide new functionality when added to a page.

Background: On July 14, 2020, Microsoft released a security update to fix the vulnerabilities found in the .NET Framework, Microsoft SharePoint and Visual Studio. A proof of concept shown that attacker can use tool so called “YSOSERIAL” . This tool can generating payloads that exploit unsafe Java object deserialization. In the sense that when attack make use of tool find the class contains no interface members. From technical point of view, the attacker will use the tool in the first step to find classes that do not contain interface members.The way is to generate a base64 payload of a serialized ObjectStateFormatter gadget chain.As a result, attacker can plug the payload into the following DataSet gadget and trigger remote code execution against the target SharePoint Server.

Example: xxxxxxxxx[.]xxx -g TypeConfuseDelegate -f LosFormatter -c mspaint

Remark: ysoserial is a collection of utilities and property-oriented programming “gadget chains” discovered in common java libraries that can, under the right conditions, exploit Java applications performing unsafe deserialization of objects.

Reference: A specially crafted method sequence needs to be created by the attacker. Each method in the sequence is called a “gadget” and the malicious sequence of method calls is known as a “gadget chain”.

Official announcement: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1147

2020, cyber security incident news highlight

Ransomware hits Jack Daniel’s, said Bloomberg News – August 15, 2020

Leave a comment

Preface: Whiskey production involves multiple procedures carried out in potentially hazardous atmospheres. LB Remote I/O System connects sensors and actuators to the DCS via PROFIBUS. In terms of application, DCS is suitable for whisky production and complex control processes.

Incident background: Brown-Forman Corp., a manufacturer of alcoholic beverages including Jack Daniel’s and Finlandia, said it was hit by a cyber-attack in which some information, including employee data, may have been impacted. Please refer to the link for more details – https://www.bloomberg.com/news/articles/2020-08-14/brown-forman-was-target-of-apparent-ransomware-attack

Technical details of ransomware: A message sent anonymously to Bloomberg claimed to have hacked Brown-Forman and compromised its internal network. Ransomware aka REvil. The infection mechanism of this ransomware relies Microsoft design weakness (CVE-2018-8453).

As usual, ransomware will copy the data then write data to the registry. The ransomware process will destroy all shadow volumes of the victim machine and disable the protection of the recovery boot. Finally, it encrypts files in all logical units and network shares, and displays the ransom notice on the screen.

Recommendation: In order to avoid ransomware attack. We should follow the patch management by vendor. And maintain update of antivirus program.

Potential Risk of CVE

Apache release security advisory for struts 2 (aug 2020)

Leave a comment

Preface: Struts2 OGNL is the expression language. OGNL is tightly coupled in Struts2 and used to store form parameters as java bean variables in ValueStack and to retrieve the values from ValueStack in result pages. ActionForm has the following responsibilities:Perform data security verification to prevent malicious data from entering the application.

Vulnerability details: However, it hit the design weakness this time. It let attacker modify an specify attribute (skillName) in a request such that a raw OGNL expression gets passed to the skillName property without further validation.

Remedy: upgrading to Struts 2.5.22

Official recommendation: Don’t use forced evaluation of an attribute other than value using %{…} or ${…} syntax unless really needed for a valid use-case.

Recommendation (2): It is recommend to install the application firewall to enhance the preventive control. It can reduce opportunity let hacker conduct the OGNL expression injection attacks.

Reference:http://mail-archives.us.apache.org/mod_mbox/www-announce/202008.mbox/%3C66006167-999e-a1e5-4a3a-5f1c75a1e8a2%40apache.org%3E

Cyber War, Public safety

New Linux malware – aka Drovorub (13th Aug 2020)

Leave a comment

Preface: New Linux malware silently conducting the attack. The FBI and NSA issue joint security alert.

Official announcement – https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF

Remedy: To prevent attacks, the agency recommends that US organizations update any Linux system to a version running kernel version 3.7 or later, “in order to take full advantage of kernel signing enforcement,” a security feature that would prevent APT28 hackers from installing Drovorub’s rootkit.

Reference: On older versions of Linux, two buffers allocated next to each other on the heap could result in the first buffer overwriting the second buffer’s metadata. By setting the in-use bit to zero of the second buffer and setting the length to a small negative value which allows null bytes to be copied, when the program calls free() on the first buffer it will attempt to merge these two buffers into a single buffer.

Impact: Heap overflows to gain arbitrary code execution.

Headline News: https://www.zdnet.com/article/fbi-and-nsa-expose-new-linux-malware-drovorub-used-by-russian-state-hackers/?ftag=TREc64629f&bhid=22308921349725635516834735786487&mid=12982564&cid=717383279

Potential Risk of CVE

SAP completes the remediation – Let’s review the flaw – CVE-2020-6286

Leave a comment

Preface: Path traversal vulnerability perhaps will be ignore by some people. But this design weakness similar provide a channel to attacker conduct a search. The vulnerability described in SAP security notes 2934135 contains with two different vulnerabilities.

Background: SAP NetWeaver is a software stack for many of SAP SE’s applications.It can be used for custom development and integration with other applications and systems, and is built primarily using the ABAP programming language, but also uses C, C++, and Java. AS Java is part of the SAP NetWeaver Application Platform. It provides the complete infrastructure for deploying and running Java applications.

Vulnerability details:

CVE-2020-6287 – Multiple Vulnerabilities in SAP NetWeaver AS JAVA (LM Configuration Wizard)
– Additional CVE – CVE-2020-6286
– Affected Product – SAP NetWeaver AS JAVA (LM Configuration Wizard); Versions – 7.30, 7.31, 7.40, 7.50

Impact: SAP NetWeaver AS JAVA (LM Configuration Wizard), versions – 7.30, 7.31, 7.40, 7.50, allows an unauthenticated attacker to relies on path traversal vulnerability reach EJB Environment and download zip files. After the attack is successful, it can also create user IDs and administrator roles. If you are interested to learn more. Please refer to the diagram.

Official announcement – https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552603345

Potential Risk of CVE

Cyber security Focus – IE Scripting Engine Memory Corruption Vulnerability (11th Aug 2020)

1 Comment

Preface: In Windows 10, there are two ways to uninstall Internet Explorer.

Option 1:Turn Windows features on or off option
Option 2: Disable IE11 using PowerShell commands

Open PowerShell and Run as administrator. Execute the following command:
Disable-WindowsOptionalFeature -FeatureName Internet-Explorer-Optional-amd64 –Online

Security Focus: CVE-2020-1380 – Scripting Engine Memory Corruption Vulnerability

Even you turn off the Internet Explorer, there still have way let the ongoing works involves related system component of Internet Explorer. The fact is that mshtml.dll is the major component of Internet Explorer. This component manage the HTML, CSS parsing and rendering functionality. For example, when a user browses from an HTML page to a Word document, mshtml. dll is swapped out for the DLL provided by Word, which then renders that document type. In the sense that if vulnerability occurs in Internet Explorer. Perhaps you do not use, but still require to do the patching. Should you have interest to know the details, please refer to attached diagram.

Vulnerability Details: CVE-2020-1380 is a remote code execution vulnerability affecting Internet Explorer 11. According to the official information issued by Microsoft on 12th Feb 2020. The technical details of CVE-2020-0674 explicitly same as design weakness for this vulnerability. Since the official details did not describe the actual technical problem of this matter. I believe that it will let the attacker exploit use-after-free vulnerability.

Official announcement : https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1380

Potential Risk of CVE

CVE-2020-5413: vmware (kryo_codec) – Deserialization of Untrusted Data (Aug 2020)

Leave a comment

Preface: Serialization in Java is a mechanism of writing the state of an object into a byte-stream. It is mainly used in Hibernate, RMI, JPA, EJB and JMS technologies. The reverse operation of serialization is called deserialization where byte-stream is converted into an object.

Product background: Spring Integration framework provides Kryo Codec implementations as an alternative for Java (de)serialization. About 11 years ago. VMWare has announced the acquisition of SpringSource, a provider of Web application development and management services.

Vulnerability details: When Kryo is configured with default options, all unregistered classes are resolved on demand. This leads to the “deserialization gadgets” exploit when provided data contains malicious code for execution during deserialization.

Remedy: Kryo can be configured to require a set of trusted classes for (de)serialization. Spring Integration should be proactive against blocking unknown “deserialization gadgets” when configuring Kryo in code. For more details, please refer to the link – https://spring.io/blog/2020/07/22/spring-integration-4-3-23-5-1-12-5-2-8-5-3-2-available-cve-2020-5413

Under our observation

c-ares 1.16.0 (Use-After-Free) – 9th Aug 2020

Leave a comment

Preface: c-ares 1.16.0: ares_destroy() with pending ares_getaddrinfo() leads to use-after-free

Background: Google added support for a feature known as asynchronous DNS to Google Chrome, which aims to speed up page loading times by resolving the IP address of a website before you click the link.
Recent versions of Google Chrome employ a feature called Async DNS. This feature bypasses the normal operating system mechanisms for resolving domain names and uses the browser directly. In this mode, DNS requests will uses SSL to communicate directly with Googles own DNS servers and some third party providers.
DNS features no only for domain lookup. Modern world technology can exploit DNS activities to do monitoring. (The word surveillance perhaps not suitable in this matter).

What is c-ares?
c-ares is a C library for asynchronous DNS requests (including name resolves).

Vulnerability details: PendingResolutions get destroyed when complete or when c-ares sent ARES_EDESTRUCTION. Refer to attached diagram, ARES_EDESTRUCTION only happened when the resolver was destroyed. Meanwhile, PendingResolutions can be destroyed, without the callback target being aware. This leads to potential use after free issues.

Additional: The recommendation remedy method posted on Feb 2020. If you want to do additional protection., please refer to information shown on bottom of the diagram.

Under our observation

DLL Hijacking vulnerability and the Remedy solution – 7th Aug 2020

Leave a comment

Preface: Software application could allow an authenticated, local attacker to perform a DLL hijacking attack. To exploit this vulnerability, the attacker would need to have valid credentials on the Windows system.

Vulnerability details: If workstation install Python, by default it will install on the C Driver :\directory instead of the C Drive:\Program Files. Therefore the authenticated users will have write access in that directory. If user compromised by phishing attack. This give a way to conducting the privilege escalation because the attacker can share the authenticated user permission write a malicious DLL in Python program directory. When the computer reboot in next time the process will restart with the permission of that process. The vulnerability is due to insufficient validation of resources that are loaded by the application at run time. Or, it is a programming technique misused? Whether, it is a unknown matter?

Scenario of attack:

  • An attacker could plant a DLL with the same name earlier in the import resolution search path, such as the application directory. Protected directories are more difficult – but not impossible – for an attacker to change.
  • If the DLL is missing from the application, %windows%\system32, and %windows% directories, import resolution falls through to the current directory. An attacker could plant a DLL there.

Microsoft’s remedy: If you specify the link option /DEPENDENTLOADFLAG:0x800 (the value of the flag LOAD_LIBRARY_SEARCH_SYSTEM32), then the module search path is limited to the %windows%\system32 directory. It offers some protection from planting attacks on the other directories.