All posts by admin

Vulnerability in SCADA CODESYS Web Server CVE-2018-5440

To be honest, it make surprise to me this month. An abnormal situation causes SCADA system in high risk. CVE-2018-5440 focusing vulnerability on COdesys web server.This product deployment use mainly in the critical manufacturing and energy sectors. Perhaps this is a Microsoft product and hard to avoid vulnerability occurs. The accusation of NotPetya ransomware attack last week bring the world focusing to SCADA system in the world. Meanwhile this vulnerability add unknown factor to SCADA control system environment. The official announcement suggest to do the following:

1. Use controllers and devices only in a protected environment to minimize network exposure and ensure they are not accessible from outside
2. Use firewalls to protect and separate the control system network from other networks
3. Use VPN (Virtual Private Networks) tunnels if remote access is required
4. Protect both development and control systems from unauthorized access (e.g., by means of the operating system)
5. Protect both development and control system by using up-to-date virus detecting solutions

For CVE details, please refer below url for reference.


IoT World and Smart City must staying wide-awake!

SmartCity project wide spreading implement in the world. The framework transform existing IT world domain includes Cloud computing, virtual machine, router and network infrastructure. Meanwhile it carry the design flaw so called vulnerability simultaneously. As we know, Microsoft product has famous activities patch Tuesday to do the mitigation of critical risk occurs on their product. Since IoT technology cope with smartCity project.  It is hard to avoid to evade not to chosen a product which must doing the patching in frequent way. Even though you make use of a proprietary product it was hard to evade vulnerabilities occurs. Even though you make use of a proprietary product it was hard to evade vulnerabilities occurs. A question has been queries to the world. SmartCity items involves public safety regulations. If the smartCity facilities become the main trend of the society. However the major facilities encountered denial of service through heap corruption. Do you think how worst is the situation will be?

In ARM mbed TLS before 2.7.0, there is a bounds-check bypass through an integer overflow in PSK identity parsing in the ssl_parse_client_psk_identity() function in library/ssl_srv.c.

ARM mbed TLS before 1.3.22, before 2.1.10, and before 2.7.0, when the truncated HMAC extension and CBC are used, allows remote attackers to execute arbitrary code or cause a denial of service (heap corruption) via a crafted application packet within a TLS or DTLS session.

ARM mbed TLS before 1.3.22, before 2.1.10, and before 2.7.0 allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow) via a crafted certificate chain that is mishandled during RSASSA-PSS signature verification within a TLS or DTLS session.

Official announcement for reference.



City Union Bank in India victim of cyber hack through SWIFT system – Reuters Headline News (19th Feb 2018)

Sounds horrible!

A heist occurred from SWIFT payment system again? Chief Executive Officer N. Kamakodi called it a “conspiracy” involving multiple countries, and added the lender was still investigating how it had happened. But the statement seems not precise to describe.

A fundamental design limitation on original MT 202 message. Perhaps MT 202 COV doing the compensated control. However MT 202 still valid and not end of life yet. A hints input of technical concerns shown on attach picture see whether this is root causes of this incident.


When to use the MT 202 COV?

It must only be used to order the movement of funds related to an underlying customer credit transfer that was sent with the cover method.

The MT 202 COV must not be used for any other interbank transfer.

MT 202 design weakness lure financial crime

i. Suspicious activity monitoring on the underlying originator and beneficiary in the message would not be performed.

ii. The originating bank could be in a jurisdiction with different sanction watch lists and the technical capabilities of each bank’s sanction screening program could vary.

City Union Bank in India victim of cyber hack through SWIFT system (19th Feb 2018) – See following URL (Reuters Headline News) for reference.

Heists last year – SWIFT defense solution

Reuters news told that a heist occurred in Russia Bank last year. Unknown hackers stole 339.5 million roubles ($6 million) from a Russian bank last year in an attack using the SWIFT international payments messaging system. Perhaps we are not going speculating the reason to delaying the public announcemnt. Yes, it may be for forensic investigation and trace the hacker silently or protect the reputation. But the design weakness will be replace by new solution soon. For more details, please see below:

Defense solution given by SWIFT:

  • Conventional FIN messages (e.g. MT202) can be used until 16 November 2018. Communication takes place through the SWIFTNet, and the SWIFT FIN service will be used until 16 November 2018.
  • As of 17 November 2018, all participants must use ISO 20022 and the SWIFT InterAct service will be used for communication.

Headline News by Reuters (16th Feb 2018)

ISO 20022 for US wire transfer systems Timeline

Remediation step – Saturn Ransomware


Can we saying this? it is Google Adwords design flaw? It lure the threat actors go through this service to spread malware from Google search engine.

Quick note:

Saturn ransomware found this month (Feb 2018). It looks strange that attack victim only on physical machine instead of Virtual Machine. Why? Does the threat actor concern about VMware or HyperV have quick data recovery by Snap shot backup? Security expert found the following hints:

Saturn will execute the following commands to delete shadow volume copies, disable Windows startup repair, and to clear the Windows backup catalog.

cmd.exe /C vssadmin.exe delete shadows /all /quiet & wmic.exe shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

Perhaps hacker understand that doing ransomware targeting home user will be easier. May be enpterprise firm or cloud services provider contains full scope of SIEM system. As such, forensic investigator can be tracing them. Or this is a prototype may be there is another round of attack later on.

Status updated – 19th Feb 2018

20 antivirus engines detected this ransomware. Hash shown as below:


Anyway IT world do not have key words so called permanent solution. In the mean time. The action we can execute is doing the remediation.

Step 1: Start PC in Safe Mode

Through the F8 key (for Windows 7/Vista)

  1. Once the computer is restarted (usually after you hear the first computer beep), continuously tap the F8 key in 1 second intervals. If successful, the Advanced Boot Options menu will appear.
  2. Use the arrow keys to select Safe Mode and press ENTER.

For windows 10

Use the “Shift + Restart” combination. Another way of getting into Safe Mode in Windows 10 is to use the Shift + Restart combination. Open the Start menu and click or tap on the Power button. Then, while keeping the Shift key pressed, click or tap on Restart.

Step 2: Stop Saturn Processes From Windows Task Manager

Step 3: Remove Saturn Ransomware from Control Panel

Procedure 1:

Procedure 2:

Procedure 3:

Main body of the Saturn Ransomware relies browser to work and hide himself in web browser. So we require to uninstall the web browser:

Remark: We are not allow to uninstall or delete Internet Explorer from Windows 7, 8 and 10 and therefore we are going to delete the additional web browser. Since Saturn ransomware relies on web browser for operation.

Step 4: remove Malicious Registry Entries Created by Saturn Ransomware

Step 5: Remove Saturn Ransomware From Infected Internet Explorer

Take Down Saturn Ransomware From Internet Explorer. Open IE and click on Gear Icon from right-top corner in order to open the Tools. Tap on Manage Add-ons option.

Step 6: Reset Internet Explorer Settings

Open IE and click on Tools menu and then select Internet options.

Step 7: Download decryption tool

The decryption tool will not run if:

  • It can’t find a valid ransom note
  • It cannot find a valid encrypted file (i.e a file that is not corrupted)
  • It can’t decrypt the User ID field in the ransom note

End, Thank you.

Additional comment: New ransomware nickname Saturn was born this month. This ransomware provides a hints to me that it is the 1st phase of attack. Or it is a prototype. Perhaps we seen cyber attack, virus, malware and ransomware daily. The cyber world added one more member of bad guy we could not surprised!

UK blames Russia for NotPetya cyber-attack on June 2017

UK blames Russia for NotPetya cyber-attack last year (details shown below url for reference)

MeDoc is widely used among tax accountants in Ukraine, and the software was the main option for accounting for other Ukrainian businesses. Threat actors using email scam counterfeit MeDoc lure victims goal suspend the services of Nuclear power supply facilities operations. Perhaps my observation in June last year found that cyber attacks will turn into military weapons. Should you have interested to collect the details. Below articles will provide hints to you in this regard.

21st century kill chain (logic bomb, cyber bomb and ransomware)

21st century kill chain (logic bomb, cyber bomb and ransomware)

The other side of the story on cyber attack (Electronic war between countries)

The other side of the story on cyber attack (Electronic war between countries)

Potential black force – digitize Godzilla

Potential black force – digitize Godzilla

End session. Thank you.

Status update on 17th Feb 2018

Canada’s Communications Security Establishment, Australia’s Minister for Law Enforcement and Cybersecurity, and New Zealand’s Government Communications Security Bureau followed suit with similar press releases after UK announcement.

Canada CSE announcement (see below url for reference)

Australia government announcement (see below url for reference)

New Zealand government announcement (see below url for reference)




Adobe Acrobat and Reader CVE-2018-4872 Privilege Escalation

When I was young, I watch the ali baba movie a unforgettable mystery slogan. Yes, it is open sesame. A magic master come out. Perhaps my life journey told me that this is not true. We now living in electronic world. Open electronic file daily like habit forming sequence. It looks that my dream come true today. A PDF document embedded with Privilege Escalation function valid in Adobe reader. But I did not said open sesame slogan!

The similar type of Privilege Escalation vulnerability occurred in 2015 (CVE-2015-4438). The privilege escalation vulnerability repeat this week. IT guy, Life is not easy!


A privilege escalation vulnerability has been reported in Adobe Acrobat and Reader. The vulnerability is due to an error in Adobe Acrobat or Reader while parsing a specially crafted PDF file. A remote attacker can exploit this issue by enticing a victim to open a specially crafted PDF file.

Below url is the official announcement provides by Adobe.

Special Edition – HIDDEN COBRA – Malicious Cyber Activity

Special Edition: Information security focus

US Homeland security (DHS) urge the world to staying alert with HIDDEN COBRA Malicious Cyber Activity. It looks that the cyber attack wreak havoc to the world. And therefore DHS suggest to add below Yara rule into your IDS or malware detector (For instance RSA ECAT).

The following YARA rule may be used to detect the proxy tools:

Author = "US-CERT Code Analysis Team"
Date = "2018/01/09"
MD5_1 = "C6F78AD187C365D117CACBEE140F6230"
MD5_2 = "C01DC42F65ACAF1C917C0CC29BA63ADC"
Info= "Detects NK SSL PROXY"
$s0 = {8B4C24088A140880F24780C228881408403BC67CEF5E}
$s1 = {568B74240C33C085F67E158B4C24088A140880EA2880F247881408403BC67CEF5E}
$s2 = {4775401F713435747975366867766869375E2524736466}
$s3 = {67686667686A75797566676467667472}
$s4 = {6D2A5E265E676866676534776572}
$s5 = {3171617A5853444332337765}
$s6 = "ghfghjuyufgdgftr"
$s7 = "q45tyu6hgvhi7^%$sdf"
$s8 = "m*^&^ghfge4wer"
($s0 and $s1 and $s2 and $s3 and $s4 and $s5) or ($s6 and $s7 and $s8)

There are total 2 items of malware would like to draw your considerations.

  • Trojan: HARDRAIN (Backdoor – Remote Access Tool)
  • Trojan: BADCALL (data thief and surveillance)

In order to avoid unforeseen data breach happens to enterprise firm and personal data privacy protection. We better to consider the suggestion by DHS.

  • Maintain up-to-date antivirus signatures and engines.
  • Restrict users’ ability (permissions) to run unwanted software applications
  • Enforce a strong password policy and
  • implement regular password changes.
  • Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
  • Keep operating system patches up-to-date.
  • Enable a personal firewall on agency workstations.
  • Disable unnecessary services on agency workstations and servers.
  • Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
  • Monitor users’ web browsing habits; restrict access to sites with unfavorable content.
  • Exercise caution when using removable media (e.g.,
  • USB thumbdrives, external drives, CDs, etc.).
  • Scan all software downloaded from the Internet prior to executing.
  • Maintain situational awareness of the latest threats; implement appropriate ACLs.

Threat actor transform Vehicle GSM GPRS GPS Tracker Car Vehicle Tracking Locator technology

Since the mobile phone usage volume bigger than personal computer today. Perhaps digital e-wallet function and BYOD concept let people keep their confidential data on mobile phone. And therefore it lure the hacker focusing the mobile phone device especially Android. This round hacker relies on GRPS TCP/UDP connection (see below diagram for reference) create Trojan (BADCALL) to listen for incoming connections to a compromised Android device, on port 60000. Meanwhile it awaken the security concern on GPRS gateway.

Since this is a special edition of article so we summarize the technical details as below:


  • 32-bit Windows executables that function as Proxy servers and implement a “Fake TLS” infiltration function. The hash shown as below:

3dae0dc356c2b217a452b477c4b1db06 (3DAE0DC356C2B217A452B477C4B1DB06)

746cfecfd348b0751ce36c8f504d2c76 (746CFECFD348B0751CE36C8F504D2C76)

  • Executable Linkable Format (ELF) file designed to run on Android platforms as a fully functioning Remote Access Tool (RAT). The hash shown as below:

9ce9a0b3876aacbf0e8023c97fd0a21d (9CE9A0B3876AACBF0E8023C97FD0A21D)

DHS report for reference:

Trojan: BADCALL (data thief and surveillance)

  • 32-bit Windows executables that function as Proxy servers and implement a “Fake TLS” infiltration function. The hash shown as below:

c01dc42f65acaf1c917c0cc29ba63adc (C01DC42F65ACAF1C917C0CC29BA63ADC)

c6f78ad187c365d117cacbee140f6230 (C6F78AD187C365D117CACBEE140F6230)

  • run on Android platforms as a fully functioning Remote Access Tool (RAT). The hash shown as below:

d93b6a5c04d392fc8ed30375be17beb4 (D93B6A5C04D392FC8ED30375BE17BEB4)

DHS report for reference:

End discussion, thak you for your attention.

Happy valentines day.

Staying alert – vulnerability found on ABRT in 2015 – CVE-2015-1862

As times go by, Linux especially Fedora replace the position of microsoft windows. This status no popular in personal PC however investment bank environement especially broker and forex exchange trading firm might using intensively. A vulnerabiity found on 2015 but the status of fedora bugzilla display that this is not a bug. My idea is that we must staying alert. Bugzilla status shown as below url:

Mew Trend 2018 – Exfiltrating Data via DNS

New Trend 2018 – Exfiltrating data via DNS (see below url for reference)

Comments: A popular discussion on cyber attack topic this year focusing on DNS attack. Security expert found that threat actor transform DNS topology as a hack tool assists their goal. It show small data set with frequent connections. But the new generation of malware found today looks like a prototype. Why? The fact is that malware relies on executable file instead of hide himself in memory.