All posts by admin

Phishing email compromised the reputation of company, Microsoft take legal action

Preface: Microsoft products cover a wide range. Perhaps quite a lot of people queries design weakness of their products. But they have capabilities to protect it own.

Background: The cyber criminal exploit Microsoft official domain name to made phishing email and goal to increase the possibility to open the email. Meanwhile the malicious infection technique has proprietary evading antivirus technique.
Remark: According to my observation, the evolution of this cyber attack technique found in 2013. Perhaps we remember HWP (Hangul Word Processor). HWP files are similar to MS Word’s DOCX files, except that they can contain Korean written language, making it one of the standard document formats used by the South Korean government. Should you have interested to review the details, plese refer to following URL: http://www.antihackingonline.com/network-protocol-topology-standard/vulnerabilities-in-the-old-ole2-based-hwp-file-format-engages-apt-attacks-to-south-korea/

Cyber security focus: Such matter reminds cybersecurity world of cyber criminal infiltration technique. Expert found that the North Korea cyber attack suspect make a new way. Attack mainly using the API hooking technique to hide the behaviors of the first-stage backdoor which is the second payload in this operation. Since this attack landing page most likely is a MS document. The Fallout Exploit Kit is Back with adobe Vulnerabilities and Payloads (see attached diagram) So, it generate a interference to business and government sector.

Reference: Microsoft Sues North Korea-Linked Hackers for Impersonation (1) – https://news.bloomberglaw.com/ip-law/microsoft-sues-north-korea-linked-hackers-for-targeting-users

IoT zone staying alert! HomeAutomation 3.3.2 design weakness exposed (Authentication Bypass, CSRF / Code Execution & Cross Site Request Forgery) – 1-1-2020

Preface: Sometimes lighting can become a security safeguard. Perhaps the lighting system will help you figure out whether intruder jump to your garden at night.

Synopsis: It is hard to avoid the digital transformation trend integrate to your daily life. As the matter of fact, they are on board already. For instance the remote controlled outdoor outlets with on/off function, Z-Wave outlets that measure energy consumption for connected lamps and appliances.

Remark: ZWave is a wireless communications protocol used primarily for home automation.

Vulnerability details:

HomeAutomation is an open-source web interface and scheduling solution. Quite a lot of IoT manufacturer are do the product integration to HomeAutomation (see attached diagram). Expert found design weakness occured in HomeAutomation software.
From technical aspect. Use the cURL_init function, implemented with PHP, to open a connection and the links includes reference’s to the other two functions (curl_setopt & curl_exec) to be able to potentially reuse an existing handle (conncetion).
The HomeAutomation suffers from an authentication bypass vulnerability when spoofing client IP address using the X-Forwarded-For header with the local (loopback) IP address value allowing remote control of the smart home solution. For details, please refer to diagram.

Status: No official announcement for the remediation by software vendor and manufacturer in the moment.

Closer look for OpenBSD Dynamic Loader chpass Privilege Escalation 31st Dec 2019

Preface: Referring to the statistic posted by w3techs. The websites using OpenBSD as operating system less than 0.1 percentage. Perhaps OpenBSD footprints are in industry manufacturing. For instance, heard that oil industry is the heavy duty users of OpenBSD.

Vulnerability details: The _dl_getenv() function fails to reset the LD_LIBRARY_PATH environment variable when set with approximately ARG_MAX colons. This can be abused to load libutil.so from an untrusted path, using LD_LIBRARY_PATH in combination with the chpass set-uid executable, resulting in privileged code execution.

Impact: This module has been tested successfully on OpenBSD 6.1 (amd64) and OpenBSD 6.6 (amd64).

Causes: This vulnerability is in the OpenBSD dynamic link library (ld.so). The reason for the vulnerability is that ld.so cannot properly delete the LD_LIBRARY_PATH environment variable that sets the user ID and group ID programs under insufficient memory conditions. Commands such as chpass and passwd for privilege elevation.

Remedy: After downloading the source code, switch to the old version before patching the vulnerability.

$git clone https://github.com/openbsd/src.git 
$git checkout d2ce55dbd7845b33dafe44529e6ceb6b1c8ec6d5

about ransomware attack on Maastricht University – 24th Dec 2019

Preface: Maastricht University (UM) encountered serious cyber attack,” the university announced on Christmas Eve, December 24, 2019.

Synopsis: Not known the root cause but if ransomware can spread out in a quick way most likely it exploit of the Microsoft SMB Protocol.
Perhaps it is affected by RYUK Ransomware !
Other than that Maastricht University relies on Github with technology programs development. Meanwhile, it similar create a pathway let the cybercriminals fork other projects, which on Github means producing a copy of someone else’s project, to build upon the project or to use as a starting point and subsequently push a new commit with the malware to the project. Such malware can connecting to a GitHub account to obtain the exact location of its C&C servers. Then activate ransomware infection.

Observation: Has any personal information leaked? Therefore, this will be relevant to GDPR regulations.
It is currently unknown if scientific data was also accessed or exfiltrated by the attackers during the attack.

Headline News: Please refer to https://www.bleepingcomputer.com/news/security/ransomware-hits-maastricht-university-all-systems-taken-down/

CVE 2019-19492 (FreeSWITCH 1.6.10 through 1.10.1 has a default password in event_socket.conf.xml) Remote command execution – Last update: 26th Dec 2019

Preface: FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a versatile software implementation that runs on any commodity hardware.

Background: FreeSWITCH listens on port 8021 by default and will accept and run commands sent to it after authenticating. By default commands are not accepted from remote hosts.

Design weakness: FreeSWITCH 1.6.10 through 1.10.1 has a default password in event_socket.conf.xml. How do hackers exploit vulnerabilities: Since the design weakness shown the default password in event_socket.conf.xml. By default commands are not accepted from remote hosts. If an attacker do python socket programming. It can use the default password and excute the command remotely.

Remedy: It is recommended to block all untrusted python socket connections with a firewall on this device until the vendor provides an official patch.

Wish you a Merry Christmas 2019 (cyberX’mas).

I believe that the most annoying cyber security attack is the ransomware. We known that unplug or power off is one of the way to suspend the attack spread out. Yes, agree.

Another way to avoid the infection of ransomware is think it over before open unknown email. Yes, During Xmas time you defense idea will be reduced since you will join the ball and parties. So, please be alert of phishing email during Xmas.

By the way, remember to turn off your workstation before you leave the office today.

Merry Xmas and Happy New Year.

Not a serious mistake and could cause more trouble! (21st Dec, 2019)

Preface: Computer technology especially software application is the soul of digital world.

Background: Pingbacks (also known as trackbacks) are a form of automated comment for a page or post, created when another WordPress blog links to that page or post. When you publish a new blog post, WordPress attempts to ‘ping‘ all the sites that were linked to in your post. i.e. Your WordPress website is informing other websites that you’ve linked to them.

Design weakness: Trackbacks and Pingbacks were meant to help inter-blog conversation when the specification was created years ago. These days almost 100% of Trackbacks and Pingbacks are spam, said Akismet. May cause more trouble!

Comments: WordPress release ver 5.3.1 on December 2019. However above concerns seem not been addressed in the moment. Heard that attacker can exploit the weakness of pingback. And work together with XML-RPC. As a result, it will consume system resources causes a denial of service. So we must staying alert!

Remedy: Refer to diagram

5.3.1 Official announcementhttps://wordpress.org/support/wordpress-version/version-5-3-1/

Closer look of CVE-2019-1491 | Microsoft SharePoint Server Information Disclosure Vulnerability

Preface: Tip – Any system that supports Single-Sign On SSO is affected by the pass the hash attack.

Background: Windows keeps hashes in LSASS memory, making it available for Single Sign On.

Vulnerability details: An information disclosure vulnerability exists in Microsoft SharePoint when an attacker uploads a specially crafted file to the SharePoint Server.An authenticated attacker who successfully exploited this vulnerability could potentially leverage SharePoint functionality to obtain SMB hashes.The security update addresses the vulnerability by correcting how SharePoint checks file content., aka ‘Microsoft SharePoint Information Disclosure Vulnerability’.

Remedy: Please refer to the official announcement – https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1491

Logon authentication integrate to AD can make your life easy. But sometimes it doesn’t (1st Dec 2019)

Preface: Modern world favor single sing-on function, SAML & application system authentication integrate with Microsoft active directory. Everybody might know such setup contain risk, but theoretically computer aim to make human life comfortable!

Background: The Alcatel-Lucent OmniVista® 8770 Network Management System (NMS) is an all-in-one graphical management application that offers a unified view of your ALE communication network.

Vulnerability details: No CVE reference number has been assigned to these vulnerabilities yet. But it shown that programming flaws made the loopholes happen.

– 4760 suffers an unauthenticated remote code execution as SYSTEM. No special configuration is required

– 8770 and 4760 both suffer a remote administrative password disclosure. No special configuration required

– 8770 suffer an authenticated remote code execution vulnerability. When chained with the disclosure vulnerability, it becomes an unauth RCE. In this case access to the port 389 and a directory license are required

Should you have any doubt of this matter, please contact vendor to find out the details.

Black Friday was happened in New Orleans on 13th Dec 2019

Preface: Once upon a time, without internet. The Black Friday virus through floppy disk infected to your MS-DOS and make a trouble to your personal computer.

Background: New Orleans declared a state of emergency and shut down its computers after a cyber security event. During a press conference on 14th Dec 2019, Mayor Cantrell confirmed that this was a ransomware attack.

Security expert findings: Based on files uploaded to the VirusTotal scanning service, the ransomware attack on the City of New Orleans was likely done by the Ryuk Ransomware threat actors, said cyber security expert.

Personal comment: Ransomware looks horrible! Are you interested in how national supercomputers can defend against cyber attacks, especially ransomware? Have you heard about docker and container technology? May be we do a discussion in coming future.

Headline News – See the link for more details: https://www.forbes.com/sites/daveywinder/2019/12/14/new-orleans-declares-state-of-emergency-following-cyber-attack/#3a12987c6a05