All posts by admin

Strangers read your data silently, Smart City infrastructure no exception (VU#799380) 27thMay2021

June 2, 2021 admin Leave a comment

Preface: Open data indeed is a foundation base of smart City. Since it is not only provide function. Meanwhile it also analyses the daily activities make the IoT function more efficiency. If no hacker in the world. We can living in world more comfortable because we do not need to concern about cyber security. As we know, the electronic & digital products objective is the function instead of defense.

Background: As time goes by, IoT in smart city not only relies on WiFi network. It also includes Bluetooth communication function. Compare with WiFi 802.11, Bluetooth power consumption is less. So the IoT can operate in a capillary network environment. A capillary network is a local network that uses short-range radio-access technologies to provide local connectivity to things and devices.

Vulnerability details: Devices supporting Bluetooth Core and Mesh Specifications are vulnerable to impersonation attacks and AuthValue disclosure. For more detail, please refer url – https://kb.cert.org/vuls/id/799380

Workaround: Devices should not accept their own public key from a peer during a pairing session. The pairing procedure should be terminated with a failure status if this occurs. This is because the specifics events will be activate the SIEM correlation firing rule.

Potential Risk of CVE

CVE-2021-23017 – Nginx DNS Resolver Off-by-One Heap Write Vulnerability (27-05-2021)

June 1, 2021 admin Leave a comment

Synopsis: Retrospectively of 2019 Apache load balancer setup – Install Apache on the Load Balancer Server. Enable Proxy Server Modules. Configure Apache Load Balancing. The Apache server architecture includes the Apache Core and modules. Nginx found 2004, it is a performance-oriented HTTP server. Compared with Apache and lighttpd, it has the advantages of less memory and higher stability.
NGINX performs 2.5 times faster than Apache according to a benchmark test performed by running up to 1,000 simultaneous connections. Apache runs on all operating systems such as UNIX, Linux or BSD and has full support for Microsoft Windows. Nginx had equivalent capability. However the performance on Windows is not as stable as that on UNIX platforms.

Vulnerability details: On May 26, Nginx issued a security announcement to fix a DNS resolver vulnerability in the nginx resolver (CVE-2021-23017). Due to an error in ngx_resolver_copy() processing DNS responses, when the “resolver” is used in the nginx configuration file During the command, an unauthenticated attacker can forge a UDP packet from a DNS server, construct a specially crafted DNS response and cause 1 byte of memory to be overwritten, resulting in a denial of service or arbitrary code execution.

Vendor Reference: http://mailman.nginx.org/pipermail/nginx-announce/2021/000300.html

Ransomware

Ransomware hard to hunt because they are doing the Guerrilla warfare! 31st May,2021

May 31, 2021 admin Leave a comment

Preface: A Russian-speaking outfit called DarkSide offered would-be computer crooks not just the tools, but also customer support, New York Times said.

My observation: My observation: Perhaps cyber criminals learn from practice. They know the system infrastructure weakness of industrial especially oil, powers supply facilities even logistic industry.

Since Java has large capability. The test developer sometimes will use the JavaScript to test their remote application. For instance (jj[.]js – JavaScript Testing Framework). Java provides a number of method calls to check and change the permission of a file, such as a read-only file can be changed to have permissions to write. If ransomware criminals have luck. They can rely on this ways to implant a foothold see whether they can exploit the vulnerability on victim workstation. As mentioned above, jj.js sometime can evade the defense mechanism if there is no application defense function in place. Furthermore, ransomware criminals can do a re-engineering of the file.

Remark: ransomware criminal will select dynamic cloud computing as a base. If victim web server is using IaaS service, it is most likely is their target.

NYTimes headline – https://www.nytimes.com/2021/05/29/world/europe/ransomware-russia-darkside.html

2021, cyber security incident news highlight, Public safety

Headline News – unauthorized access to japan government systems via Fujitsu ProjectWeb – 28-05-2021

May 28, 2021 admin Leave a comment

Headline News – The incident affected the Ministry of Land, Infrastructure, Transport and Tourism, Ministry of Foreign Affairs, Cabinet Office and Narita Airport. The stolen data included files stored by government employees on the cloud-based collaboration and file sharing platform ProjectWEB, which was launched by Fujitsu in the mid-2000s and was very popular among Japanese civil servants.
According to Japanese media reports, hackers stole documents containing employees of the Ministry of Land, Infrastructure, Transportation and Tourism and extended more than 76,000 email addresses, but the government did not confirm this information.

Background: ProjectWEB is a a cloud-based enterprise collaboration and file-sharing platform that Fujitsu has operated since the mid-2000s, and which a number of agencies within the Japan government currently use.

One of the possibilities of data leakage in this accident:
If daily operation in many small projects will go through web base management system. Furthermore, daily communication between project managers and project members uses Excel to complete status management and quality management. If excel spreadsheet encounter design weakness (CVE-2017-0006, CVE-2017-0019, CVE-2017-0020, CVE-2017-0030, CVE-2017-0031, and CVE-2017-0053). Therefore, allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted document. As a result, the data breaches will be occurred.

Headline News – https://www3.nhk.or.jp/nhkworld/en/news/20210526_28/

Potential Risk of CVE

VMware Releases Security Updates (CVE-2021-21985 & CVE-2021-21986) – May 26, 2021

May 27, 2021 admin Leave a comment

Preface: There are plenty of astronomical events every year.
In the evenings of 26 May 2021, it was total lunar eclipse. Do you believe rumours of super moon (astronomical phenomenon)?

Background: Virtual SAN Health check plugin checks all aspects of a Virtual SAN configuration. It implements a number of checks on hardware compatibility, networking configuration and operations,
advanced Virtual SAN configuration options, storage device health as well as virtual machine object health. The Virtual SAN Health Check plug-in which is enabled by default in vCenter Server.

Vulnerability details: The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server.
A remote attacker could exploit some of these vulnerabilities to take control of an affected system.

CVE-2021-21985 – VMSA-2021-0010 (Virtual SAN Health Check Plugin)

CVE-2021-21986 – VMSA-2021-0010 (Virtual SAN Health Check, Site Recovery, vSphere Lifecycle Manager, and VMware Cloud Director Availability Plugins)

Workaround: Plugins must be set to “incompatible.” On vCenter Linux and Windows platforms, simply disabling plugins from within the UI will not prevent exploitation.

Official announcement – https://www.vmware.com/security/advisories/VMSA-2021-0010.html

Ransomware

The Chronicle of Ransomware – 26th May 2021

May 26, 2021 admin Leave a comment

Preface: The first ever ransomware virus was created in 1989 by Harvard-trained evolutionary biologist Joseph L. Popp (now known as the ‘father of ransomware’). It was called the AIDS Trojan, also known as the PC Cyborg.

Synopsis: Perhaps mankind cannot imagine that in our modern world. We still impact by viral infection. The situation looks like we are replaying the seen in 1346 – 1353 (plague). But the digital world is the same. In past few weeks we heard ransomware wreak havoc. As far as we know, ransomware not only appears today. Since 2013, CryptoLocker attack found. But what is the standpoint by public began to focusing “WannaCry” ransomware in 2017. Unlike crypto-ransomware (WannaCry), Locker ransomware does not encrypt files. Instead goes one step further, and it locks the victim out of their device.

What is the countermeasure after the ransomware attack?
– Changed passwords for all end-users and privileged users.
– Changed access keys for all service accounts.
– Enhanced malware/ransomware protection on endpoints and servers.
– Enhanced monitoring and logging to identify malicious activities.

The objective of this topic is only for information base. Perhaps when you read below article posted in 2017. You will have resonance.

http://www.antihackingonline.com/cell-phone-iphone-android-windows-mobile/the-other-side-of-the-story-on-cyber-attack-electronic-war-between-countries/

2021, cyber security incident news highlight, Data privacy, Ransomware

Aforementioned – Insurance company infected by ransomware – 25th May 2021

May 25, 2021 admin Leave a comment

News feed: AXA Group announced on Sunday (16-05-2021) that the company has become a victim of a ransomware attack. Axa Hong Kong said there has been no evidence that data processed by Inter Partners Asia in markets other than Thailand have been affected by the targeted ransomware attack. No official announcement till today to update this incident.

Technology exploration: Avaddon ransomware performs an encryption in offline mode using AES-256 + RSA-2048 to encrypt files. With AES128-bit key, the task of cracking AES by checking each of the 2128 possible key values (a “brute force” attack) is so computationally intensive that even the fastest supercomputer would require, on average, more than 100 trillion years to do it. Microsoft .NET Cryptography library is capable to encrypt and decrypt file on his own.
The Windows 10 operating system incorporates the . NET Framework 4 installed and enabled by default. Therefore cybercriminal can share this service. For more details, please refer to attached document.

What is the consequence if AXA underestimate this matter? Or it is just a bluff!

A similar type of attack (files encrypted with RSA-2048 and AES-128 passwords) will allow cyber-criminals to gain access through remote control systems. After the machine is infected with the ransomware. The data exfiltration will be occurred. In fact, the hacker group claimed to have stolen 3 terabytes of data, including a long list of information: ID cards, passport copies, customer claims, reserved agreements, denied reimbursements, payments to customers, contract and reports, customer IDs and bank account scanned papers, hospital and doctor reserved material (private investigation for fraud) and customer medical reports including HIV, hepatitis, STD and other illness reports.

Latest news: https://www.thestandard.com.hk/section-news/section/2/230327/Axa-HK-unaffected-by-cyberattack

Potential Risk of CVE

Exposes ring 0 code execution in the context of the driver, defense software perhaps will encounter this mistake (CVE-2021-31728 MalwareFox AntiMalware)

May 24, 2021 admin Leave a comment

24^th May, 2021

Preface: It let you avoid malware infection in your computer. MalwareFox can detect and remove malware in precise way. MalwareFox Antimalware at low cost comparing to other competitors.

Background: In a computer, ioctl is a system call dedicated to the input and output operations of the device. The call receives a request code related to the device. The function of the system call depends entirely on the request code.

Remark: The ioctl system call first appeared in Version 7 of Unix under that name. Microsoft Windows provides a similar function, named “DeviceIoControl”, in its Win32 API.

Vulnerability details: IOCTL 0x80002040 exposes kernel memory allocation in the NonPagedPool where a user-mode string is copied into the target buffer, this buffer can be used for shellcode by forcing the input data to be larger than 0x1000 bytes, a buffer larger than 0x834 will cause a STATUS_ACCESS_VIOLATION. Hacker must trick the IOCTL into failing and forgetting to free the buffer, you can then search SystemBigPoolInformation for the newly allocated buffer with the shellcode.

* When writing to a file Microsoft sets the bufferSize to 4096 bytes, but when reading they are using [0x1000].

Official details: As of today, vendor does not provide update related to this matter. Their homepage can be found in the following link – https://www.malwarefox.com/

Public safety, Ransomware, Under our observation

Update to CISA-FBI Joint Cybersecurity Advisory on DarkSide Ransomware (May 19, 2021).

May 20, 2021 admin Leave a comment

Preface: Critical infrastructure cybersecurity is not new – it was first addressed by Presidential Decision Directive (PDD) 63 in 1998. The term Internet of Things (IOT) was used but it was for consumer product applications not industrial applications. Perhaps the Executive Order on Cybersecurity does not adequately protect critical infrastructures

Background: Best Practices for Preventing Disruption from Ransomware Attacks was released by CISA on May 11, 2021 – https://us-cert.cisa.gov/ncas/alerts/aa21-131a

The goal provides a directive to computer users to reduce the possibility on ransomware attack. Apart of best Practices, whether there is other way to enhance your current system infrastructure to avoid computer user negligent.

Solution 1: Technology so called clean DNS works by adding a layer of security between a user and the internet that prevents visits to websites used for scams, phishing, and malware and ransomware distribution.

Solution 2: Be aware that unofficial observation concluded that if you had infected trickbot, you would receive ransomware attack soon.
Please refer to the attached diagram for the solution.

Potential Risk of CVE

Cyber Security Focus – use a Raspberry Pi for Windows 10 (17th May 2021)

May 18, 2021 admin Leave a comment

Preface: Windows 10 IoT Core is a version of Windows 10 that is optimized for smaller devices with or without a display, and that runs on the Raspberry Pi 2 and 3.

Background: ASP.NET Core is one of the best frameworks available to make cross-platform web applications. The free Windows 10 IoT Core along with ASP.NET 3.0 allows one to build applications or background run services on an IoT device. Since Windows 10 requires greater amounts of RAM than most Linux distributions, only a Raspberry Pi 4, 3, or 2 with at least 1 GB of RAM can run the ARM edition through the WoR project.

Vulnerability details: An unauthenticated attacker could send a specially crafted packet to a targeted server utilizing the HTTP Protocol Stack (http.sys) to process packets.The issue with that is that an attacker can trigger a code-path that frees every entries of the local list leaving them dangling in the Request object.

Reminder: If you plan to run Windows 10 IoT Core on Raspberry Pi. Don’t forget to fix it.

Remedy: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31166