All posts by admin

Potential Risk of CVE

One of the possibilities causes CVE-2021-22928 (14th Jul, 2021)

Leave a comment

Preface: (DLL) side-loading is an increasingly popular cyber attack method that takes advantage of how Microsoft Windows applications handle DLL files.

Background:

Where is the Citrix VDA?
By default, the supportability MSI is installed in C:\Program Files (x86)\Citrix\Supportability Tools\ . You can change this location on the Components page of the VDA installer’s graphical interface, or with the /installdir command-line option.

Vulnerability Details: A vulnerability has been identified in Citrix Virtual Apps and Desktops that could, if exploited, allow a user of a Windows VDA that has either Citrix Profile Management or Citrix Profile Management WMI Plugin installed to escalate their privilege level on that Windows VDA to SYSTEM.

One of the possibilities: What if the C:\Program File\Citrix\ICA Client directory is configured with incorrect permissions and allows any user add file? A malicious version of the DLL file could be planted in this directory, allowing a local attacker to execute arbitrary code in the context of any other user who would run this application. Although that’s DLL searh order hijacking, the first variant is also sometimes rightly or wrongly called DLL Sideloading. It is mostly used by malwares but it cab also be used for privileges escalation.

Official details: https://support.citrix.com/article/CTX319750

Potential Risk of CVE

Staying alert ! Critical ForgeRock Access Management Vulnerability (CVE-2021-35464) 12th JUL 2021

Leave a comment

Preface: As a digital identity decision maker in your organization, you already know that in today’s new reality are the cyber security challenges. Centrally manage access permissions to meet best practices in identity management.

Product Background: ForgeRock Access Manager/OpenAM supports a wide range of authentication modules (see diagram) that can be configured together using authentication chains, and authentication nodes that can be configured together using authentication trees. After you configure AM authentication, users can authenticate to AM using a browser or a REST API.

Vulnerability details: A pre-auth remote code execution (RCE) vulnerability in ForgeRock Access Manager identity and access management software. Exploit a single GET/POST request can execute a code execution. The design weakness cause by unsafe Java object deserialization. The proof-of-concept tool can generating payloads that exploit unsafe Java object deserialization to shown the design weakness of ForgeRock Access Manager product. This vulnerability was patched in ForgeRock AM version 7.0 by entirely removing the “/ccvesion” endpoint, along with other legacy endpoints that use Jato. Furthermore Jato framework has not been updated for many years, so all other products that rely on it may still be affected. ForgeRock have provided a workaround for people still running 6.X.

AM Security Advisory #202104 – https://backstage.forgerock.com/knowledge/kb/article/a47894244

Potential Risk of CVE, Public safety

Is the CVE process late? Esri has managed and remedy those vulnerabilities in May 2021.

Leave a comment

Preface: When smartphones and Google Maps were born. The GIS function determines these two functions in a silent manner.

Background: Geographic Information System (GIS) plays a key role in military operations. The military uses GIS in various applications, including cartography, intelligence, battlefield management, terrain analysis, remote sensing, etc.

– Use of geospatial intelligence:The role of machine learning and GEOINT in disaster response
– Open geospatial data platform and food shortage
– Interoperability of GEOINT applications and military data
– The role of data management in crisis mapping

Vulnerability details: There are vulnerabilities announcement of GIS server on 11th Jul, 2021. Whereby those vulnerability has been addressed by ESRI on May, 2021. Seems the details of two announcement are similar and believed that both are describe the same matters. In fact, designated vulnerabilities are common vulnerabilities in OWASP Top 10. However, the applicability of GIS is becoming more and more important for human life and daily use. So we should seriously consider it.

Official announcement – https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/arcgis-server-security-2021-update-1-patch/

2021, cyber security incident news highlight, Ransomware, Under our observation

DarkSide Ransomware ready to move. Operational Technology (OT) should staying alert (7-7-2021)

Leave a comment

Preface: IDC report predicted that By 2024, 60% of industrial organizations will integrate data from edge OT systems with cloud-based reporting and analytics, moving from single-asset views to sitewide operational awareness.

Background: PowerShell provides an adversary with a convenient interface for enumerating and manipulating a host system after the adversary has gained initial code execution.

Security Focus: According to the observation of the security company. You can use PowerShell to execute various Base64 encoding commands. The trend of operation technology will be programmed and developed on powershell.
Cybercriminals responsible for ransomware activities often try to delete them so that their victims cannot restore file access by restoring to shadow copies. The method is to use this (Invoke-ReflectivePEInjection to directly inject DLL into PowerShell).
Meanwhile, they require system administrator privileges, so they rely on zero-day and unpatched victim workstations for privilege escalation.

Remark: What’s more telling is the inclusion of function names that correspond with a PowerShell payload called “Invoke-ReflectivePEInjection”, which lets an attacker inject a dynamic link library (DLL) directly into PowerShell.

Should you have interested of above details. CISA Publishes Malware Analysis Report and Updates Alert on DarkSide Ransomware. For more details, please refer to link – https://us-cert.cisa.gov/ncas/alerts/aa21-131a

Potential Risk of CVE

CVE-2021-34527 & CVE-2021-1675, no nightmare. Go to sleep well. (7th,JUl 2021)

Leave a comment

Preface: Microsoft has assigned CVE-2021-34527 to PrintNightmare. CVE-2021-1675 is similar but distinct from CVE-2021-34527.

Background: There is a vulnerability nickname PrintNightmare. PrintNightmare is not the same as CVE-2021-1675, which was fixed in the patch in June. there is currently no patch available for PrintNightmare.

Technical Details: The vulnerability numbered CVE-2021-34527 is the same RCE vulnerability in Print Spooler as CVE-2021-1675 that has attracted attention this week. Microsoft explained that it was caused by improper execution of the file by the Print Spooler service. To exploit this vulnerability, the attacker must be an authenticated user and execute RpcAddPrinterDriverEx(). Successful miners can execute arbitrary code with SYSTEM privileges.

Microsoft has addressed this issue in the updates for CVE-2021-34527. However, the Microsoft update for CVE-2021-34527 does not effectively prevent exploitation of systems where the Point and Print NoWarningNoElevationOnInstall is set to 1. For this reason, please consider the workarounds before Microsoft release the patch.

Workaround: Microsoft has listed several workarounds in their advisory for CVE-2021-34527. For more details, please refer to link.https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527

Potential Risk of CVE, Public safety

If the design defect cannot be remedied in time. Prevention and detection control is one of them. (Philips Vue PACS) [7-7-2021]

Leave a comment

Preface: In theory, if your software application design trusts multiple vendors. Repairing takes more time. Because you need to do more verification.

Technology background: Digital Imaging and Communications in Medicine (DICOM) is the standard for the communication and management of medical imaging information and related data. DICOM is most commonly used for storing and transmitting medical images enabling the integration of medical imaging devices such as scanners, servers, workstations, printers, network hardware, and picture archiving and communication systems (PACS) from multiple manufacturers. It has been widely adopted by hospitals and is making inroads into smaller applications like dentists’ and doctors’ offices.

What is Vue PACS Philips?

Philips Vue Picture Archiving and Communication System (PACS), formerly known as CARESTREAM Vue PACS, is an image-management software that provides scalable local
and wide area PACS solutions for hospitals and related institutions.

Philips Vue PACS communications are based on the Digital Imaging and Communications in Medicine (DICOM) 3.0 standard. This enables the server to communicate with any DICOM 3.0 compliant products (such as scanners, workstations, hardcopy units). The server acts as a DICOM Provider, thus other stations can retrieve and send images to and from the server.

Vulnerability details: Philips Vue PACS design require to work with Redis and Oracle. This technology utilizes an Oracle Database and its servers are stored on VA premises. DICOM image data from the modalities is stored on image cache on the PACS server attached to Storage Area Network/Network Attached Storage (SAN/NAS)-type storage technology. However it was discovered design limitation in both software. Meanwhile the software application itself also discovered different vulnerabilities.

My observation: If exisitng vulnerabilities cannot fixed immediately. It is recommended to monitoring the network connectivitiy. It is better to install a IPS to monitoring inbound and outbound network traffics in this segment. If this philips web server and DN are mistaken install to a flat LAN. Perhaps you require to install a proxy server in front of this device.

US-Cert recommendation: https://us-cert.cisa.gov/ics/advisories/icsma-21-187-01

Potential Risk of CVE

If your querying and updating RDF models using the SPARQL standards, please aware of this design weakness. (5th JUl 2021)

Leave a comment

Preface: Artificial intelligence (AI) has the potential to overcome the physical limitations of capital and labor and open up new sources of value and growth.

Background: Apache Jena is a free and open source Java framework for building semantic web and Linked Data applications. The framework is composed of different APIs interacting together to process RDF data. Apache Jena Fuseki – SPARQL server which can present RDF data and answer SPARQL queries over HTTP.

Apache Jena Fuseki is a SPARQL server. It can run as a operating system service, as a Java web application (WAR file), and as a standalone server.

RDF is a standard for data interchange that is used for representing highly interconnected data. Each RDF statement is a three-part structure consisting of resources where every resource is identified by a URI. Representing data in RDF allows information to be easily identified. And interconnected by AI systems.

Vulnerability details: A vulnerability classified as problematic has been found in Apache Jena Fuseki up to 4.0.0. Affected is an unknown code block of the component HTML Page Handler. The manipulation with an unknown input leads to a cross site scripting vulnerability.

Remediation: Users are advised to upgrade to Apache Jena 4.1.0 or later.

Ransomware, Under our observation, Virus & Malware

Are there other ways to avoid ransomware infection? (6th Jul, 2021)

Leave a comment

Preface: A ransomware attack paralyzed the networks of at least 200 U.S. companies, said headline News. President Biden announces investigation into international ransomware attack on 3rd Jul, 2021.

Background analysis: Cyber criminals are turning to fileless attacks to bypass firewalls. These attacks embed malicious code in scripts or load it into memory without writing to disk.

  • Malware tricks you into installing software, allowing scammers to access your files and track your actions.
  • Ransomware is a form of malware goal to locks the user out of their files or their device.

However, whether it is malware or ransomware, they all rely on working with C&C servers. Cybercriminals use C&C servers to host ransomware. If the computer cannot access the infected server and/or malicious website. Therefore, ransomware infections will be reduced.

How DNS Sinkholing reduce the infection hit rate? In fact, the firewall cannot see the originator of the DNS query. When the client tries to connect to a malicious domain, the existing solution is likely to wait for the download and let the anti-virus and malware protection mechanisms isolate the malicious file.

Sinkholing can be done at different levels. Both ISPs and Domain Registrars are known to use sinkholes to help protect their clients by diverting requests to malicious or unwanted domain names onto controlled IP addresses.

Question: If the solution is mature and well-defined. But why the service provider does not implement it. Is it a cost factor?

Ransomware

The Thirty-six stratagems – Know yourself and the ransomware, never lost in cyber war. 30-06-2021

Leave a comment

Preface: The Thirty-six stratagems is a Chinese essay use to illustrate a series of stratagems used in war. It also applies to cyber warfare.

Background: Kernel-based Virtual Machine (KVM) is an open source virtualization technology built into Linux®. Specifically, KVM lets you turn Linux into a hypervisor that allows a host machine to run multiple, isolated virtual environments called guests or virtual machines (VMs).
KVM is part of Linux. VMware relied on Linux during its early history. The early version of its hypervisor, called ESX, included a Linux kernel
(the central part of an OS that manages the computer hardware). When VMware released ESXi, it replaced the Linux kernel with its own.

Security Focus: Security researcher MalwareHunterTeam found a Linux version of the REvil ransomware (aka Sodinokibi) that also appears to target ESXi servers.

Ransomware, menacing! Experts observe that ransomware is not limited to Windows operating system attacks. The evidence proves that they can run on Linux. Other ransomware operations, such as Babuk, RansomExx/Defray, Mespinoza, GoGoogle, DarkSide, and Hellokitty
have also created Linux encryptors to target ESXi virtual machines.

Reference:

  • HelloKitty targeted a UK Healthcare organisation
  • DarkSide target multiple large, high-revenue organizations resulting in the encryption and theft of sensitive data and threats to make it publicly available if the ransom demand is not paid.
  • GoGoogle is a malicious program designed to encrypt data and demand ransom payments for decryption. During the encryption process, all affected files are renamed according to this pattern: original filename, unique ID, cyber criminals’ email address and the “.google” extension.
  • Mespinoza TheMespinozaransomware was first used in October 2018 at least. The first versions produced encrypted filescarrying the «.locked» extension, common to many ransomwares. Since December 2019, a new version ofMespinozais documented in open sources. This version is often calledPysabecause it produces encrypted fileswith the «.pysa» extension.

Staying alert!

Science, System

Who makes supercomputers faster and faster (CPU, fibre interconnect, parallel processing or virtual machine)? 29th June, 2021.

1 Comment

Preface: In Japanese mythology, the Namazu (鯰) or Ōnamazu (大鯰) is a giant underground catfish who causes earthquakes. This giant not caused disaster, he is the fastest supercomputer in the world. His name is FUGAKU.

Background: Riken and Fujitsu started developing the system in 2014, working closely with ARM to design the A64FX processor. Each of these ships has 48 CPU cores based on the ARM architecture version 8.2A, making it the first such chip in the world. Furthermore, more than 94.2% of supercomputers are based on Linux. In addition, supercomputers can run Windows operating systems.

Do you think today’s supercomputers only rely on a few sets of multi-core processors and standalone operating systems?

When using two virtual machines, VMware found that the overall benchmark results using an 8 TB data set were almost as fast as native hardware, while when using 4 virtual machines, the virtualization method was actually 2% faster. If the system architecture is constructed by many virtual machines. In order to achieve parallel computing to improve efficiency. The supercomputer also apply similar concept.

Base on design goals. HPC workload manager focuses on running distributed memory jobs and supporting high throughput scenarios, and Kubernetes is mainly used to orchestrate containerized microservice applications. If the system architecture is constructed by many virtual machines. Realize parallel computing to improve efficiency. So when the above concepts are implemented on a supercomputer, the processing power will be improved.

The fastest supercomputer this month is FUGAKU. But who can guarantee that FUGAKU will always be number one?