All posts by admin

Archaeologist & Artificial intelligence – 14th Jun 2020

Preface: The traditional workforce faces the challenge of automation.

Myth and Science: Archeologist don’t understand why Pyramids of Giza directions to Orion’s belt in the sky.
Archeologist do not understand why Pyramids of Giza directions to Orion’s belt in the sky. So far, it has quite a lot of assumptions. The Myth mentioned that it let Pharaoh return to Orion. On the other hand, scientist found two different chemical inside pyramid ventilation shaft. When both chemical mixed, it will generate hydrogen. Thus make hydrogen atoms get energy, and then generate microwave energy beam.

The premise of science is the assumption:
Refer to attached diagram, I assumed technology structure especially smart city, industrial automation, cryptocurrency are the major elements driven artificial intelligence. Then put those elements to pyramid. Authority and decision-making power (Artificial Intelligence) are concentrated at the top of an organizational pyramid. When AI technology become mature. Do you think AI also want to communicate with Orion. Or, it could spell the end of the human race.

Perhaps we all know the disadvantage of artificial intelligence, but we cannot stop. This is the destiny of mankind.

Perhaps this way come true – VMware horizon client for windows vulnerability (cve-2020-3961) 12th Jun 2020

Preface: In order to avoid the impact of the vulnerability. VMware do not provide the details for CVE-2020-3961.

Synopsis: This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Vulnerability details: VMware Horizon Client for Windows contains a privilege escalation vulnerability due to folder permission configuration and unsafe loading of libraries.

My observation: Perhaps the idea displayed on attached diagram may also have the way to do the same thing.

Reference: A local dll injection vulnerability has been discovered in the official Notepad++ software.The issue allows local attackers to inject code to vulnerable libraries to compromise the process or to gain higher access privileges.

Official announcement – please refer following link https://www.vmware.com/security/advisories/VMSA-2020-0013.html

us homeland security alert – design weakness of universal plug and play – 9th jun 2020

Preface: Universal Plug and Play (UPnP) is a set of networking protocols that permits networked devices, such as personal computers, printers, Internet gateways, Wi-Fi …

Review historical event: Mirai is an IoT botnet that was designed to exploit vulnerabilities in IoT devices for use in large-scale DDoS attacks.In September 2016, the Mirai malware launched a DDoS attack. A massive attack causes the domain registration services provider (Dyn) interrupted the services in October 2016.

Design weakness on universal plug and play: The Open Connectivity Foundation UPnP specification before 2020-04-17 does not forbid the acceptance of a subscription request with a delivery URL on a different network segment than the fully qualified event-subscription URL, aka the CallStranger issue.

Concerns by security expert: The attacker can send a specially crafted HTTP SUBSCRIBE request to the vulnerable devices. Meanwhile, An it could utilize this vulnerability to conduct a DDoS attack. For more details, please refer offical articles in the following url – https://www.kb.cert.org/vuls/id/339275

machine learning vulnerability – vu#425163 (4th Jun 2020)

Preface: Artificial Intelligence applied machine learning and other techniques to solve problems. Will AI impact human?

Background: You can use the Machine Learning model to get predictions on new data for which you do not know the target. For instance, AWS developing AI technology to predict cyber attack especially email spam, email phishing , etc. Amazon ML supports three types of ML models: binary classification, multiclass classification, and regression. The type of model you should choose depends on the type of target that you want to predict.
The learning rate is a constant value used in the Stochastic Gradient Descent (SGD) algorithm. If stochastic gradient descent is used to find a global minimizer, for the broadly defined set of representing neural networks, then the fitted neural network approximation will be vulnerable to adversarial manipulation.

What is an adversarial attack?
Adversarial examples are inputs to machine learning models that an attacker has intentionally designed to cause the model to make a mistake; they’re like optical illusions for machines.

Official article, please refer to following linkhttps://kb.cert.org/vuls/id/425163

US homeland security alert – unpatched MS system vulnerability to cve-2020-0796 (5th Jun 2020)

Preface: Microsoft has released a security advisory to address a remote code execution vulnerability (CVE-2020-0796) in Microsoft Server Message Block 3.1.1 (SMBv3) on 11th Mar 2020.

Synopsis: The proof of concept code vulnerability has been made public. Attacker do the exploit is that send a specially crafted packet to a targeted SMBv3 server. (refer to attached diagram). The result would be similar to the WannaCry and NotPetya attacks from 2017, which used the EternalBlue exploit for SMB v1.

Workarounds: Disabling SMBv3 Compression – refer to attached diagram. The solution display in the bottom .

Remedy solution by Microsoft – https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/adv200005

CISA urge to public – Although Microsoft disclosed and provided updates for this vulnerability in March 2020, malicious cyber actors are targeting unpatched systems with the new PoC, according to recent open-source reports. CISA strongly recommends using a firewall to block SMB ports from the internet and to apply patches to critical- and high-severity vulnerabilities as soon as possible.

if not require to use, it is better turn off bluetooth function before your hardware vendor patch – 26th May 2020

Preface: Bluetooth enabled consumer electronics such as mobile phones, cameras simplify data sharing between devices. For instance, smartphone can wirelessly connect to a headset to make hands-free calling easier or can send pictures to another.

Background: The Bluetooth market has changed dramatically in the past three to four years. Perhaps is the potential power of smarthome concept.If you are moving a lot of data or streaming media, then you should go with a Bluetooth BR/EDR solution.

Vulnerability details: An unauthenticated, adjacent attacker could impersonate a Bluetooth BR/EDR master or slave to pair with a previously paired remote device to successfully complete the authentication procedure without knowing the link key. That is your neighbor might conduct similar type of man-in-the-middle attack from the opposite side of the wall. With reference to existing attack method. In order to conduct the attack successfully, attacker must relies on 3rd party hardware and Linux machine (refer to attached diagram). So, if you are not in frequent to use Bluetooth function. I would recommend that turn off your Bluetooth (BR/EDR) function before patch.

Official announcement – please refer to following link https://kb.cert.org/vuls/id/647177

do you know the weaknesses of IP-in-IP design? 2nd jun 2020.

Background: IPIP tunnel is typically used to connect two internal IPv4 subnets through public IPv4 internet. It has the lowest overhead but can only transmit IPv4 unicast traffic.

Vulnerability details: The vulnerability is due to the affected device unexpectedly decapsulating and processing IP in IP packets that are destined to a locally configured IP address. An attacker could exploit this vulnerability by sending a crafted IP in IP packet to an affected device. Should you have interested of the actual impact, please refer attached diagram.

Remedy: Users can block IP-in-IP packets by filtering IP protocol number 4 (IPv4 encapsulation – RFC 2003).

For official announcement, please refer to following link – https://kb.cert.org/vuls/id/636397

data breach spread to banking enterprise. no exception to bank of America – 28th may 2020.

Background: The PPP provides small businesses with forgivable loans of up to $10 million per company (8 weeks of payroll). This program was launched on April 3, 2020; it is a forgivable loan program offered primarily to help businesses deal with the adverse consequences COVID- 19.

Point of view: Cybercrooks have been leveraging malicious macros hidden inside XML files to distribute the Dridex financial malware few years ago. But it was happened on 2015. Form my point of view, the incident happen this time have similarity.

Possibility: We can based on below feature and predict that attacker may relies of this feature design weakness to conduct the attack.

Accessing E-TranE-Tran Options
•loan data file transfer in XML format (from a software vendor’s product or from a bank’s proprietary system) to the SBA’s E-Tran database
•A Web page where lenders can enter loan information on individual loans

One of the ways: XML injection attacks typically occur in this way: An attacker injects malicious JavaScript markup code as escaped text in an XML document. The XML document is then parsed by an XML application. Later, content of the XML element that contains malicious JavaScript markup code is used as input data for a website.

Official announcement – Please refer follow link : https://oag.ca.gov/system/files/2020-3523_Privacy_Notification_Final_Template%20%28P%29.pdf

weekly security focus – memory leak vulnerability in vmci module (cve-2020-3959)

Preface: TCP / IP design restrictions have introduced security vulnerabilities to transport protocols.

Security focus: Memory leak vulnerability in VMCI module (CVE-2020-3959) – VMware ESXi, Workstation and Fusion contain a memory leak vulnerability in the VMCI module. It lets local non-administrative user send a malformed packet to a virtual machine. Such action may be able to crash the virtual machine’s vmx process leading to a partial denial of service.

Possible root cause: Attacker send malform packets containing null value in protocol field. The Virtual Machine Communication Interface will let such a packet in as an unclassified one. Though nowadays the null value in the Protocol field is reserved for IPv6 Hop-by-Hop Option (HOPOPT), not every server can receive and correctly process such a packet. And if such packets come in large quantities, their analysis will consume a large percentage of system resources, or exhaust them entirely and cause a server failure.

Remark: According to the RFC rules, the IP packet header should contain information on its transport level protocol in the Protocol field.

Official details please find follow link: https://www.vmware.com/security/advisories/VMSA-2020-0011.html

NSA preemptive curb threats factor – an exploitation of exim design weakness – 29th May 2020

Preface: The severity depends on your configuration, said vendor. It depends on how close to the standard configuration your Exim runtime configuration is. Jun 2019

Headline news on 28th May 2020 – The National Security Agency (NSA) has released a cybersecurity advisory on Russian advanced persistent threat (APT) group Sandworm exploiting a vulnerability—CVE-2019-10149—in Exim Mail Transfer Agent (MTA) software. Exim is growing in popularity because it is open source. An unauthenticated remote attacker can use this vulnerability to send a specially crafted email to execute commands with root privileges, allowing the attacker to install programs, modify data, and create new accounts.

The design weakness origin: The vulnerability was patched in Exim 4.92, released on February 10, 2019. The vulnerable code is in “deliver_message()”. A vulnerability exists because the email address in the deliver_message() function in /src/deliver.c is not fully validated. So local attackers simply send emails to “${run{…}}@localhost”. Since “localhost” is a local domain of Exim) and execute as root (system privileges).

Action: Apply Exim Updates Immediately

NSA official announcement – https://media.defense.gov/2020/May/28/2002306626/-1/-1/0/CSA%20Sandworm%20Actors%20Exploiting%20Vulnerability%20in%20Exim%20Transfer%20Agent%2020200528.pdf