All posts by admin

Say Goodbye to 2017 cyber incidents

We are going to say goodbye to 2017. What is your expectation in the new year? Cyber World activities especially cyber attacks looks intensive this year. Perhaps we cannot imagine ransomware threat which contain powerful destruction power last decade.The crypto worm (WANNACRY) break the Cyber incident world records which suspended huge volume of workstations and servers operations in the world on May 2017. A shock to the world that the only way to recover your system or data is pay the ransom. Apart from that an alert to the business world is that how does the open source software provides the IT security assurance to the company. The data breach incident occurred in Equifix was awaken everybody. However the data breach incidents continuous exposed to the world caused by misconfiguration instead of vulnerabilities. It such a way discredit the cloud services provider. On the banking environment, the  ATM malwares are wreak havoc. A speculation by expert that DDOS attack will be replaced by ransomware. It looks that DDOS looks running strong this year. My opinion is that application security will be the focus of IT people next year. By the way, I wish you Happy New Year.

Layer 7 (application layer) – What is the information security key factors?

December 2017 published – Vmware vulnerabilities

Watch TV noticed that the brokers work in New York Stock Exchange are busy. However who else can say he will be busy than IT guy. Each week 0-day announcement. Perhaps the individual vulnerability happen on different vendor daily.
Staging, testing, backup and patch implementation all the job task will be implement earlier morning. All we are fall asleep. This month VMware looks like a vulnerability champion winner. The vulnerability happen in computer end looks like apply quantum computing theory. It is multi angle (quantum superposition).

For more details, see below url for reference: VMware ESXi, vCenter Server Appliance, Workstation and Fusion updates address multiple security vulnerabilities

https://www.vmware.com/security/advisories/VMSA-2017-0021.html

 

Merry X’mas 2017

Christmas evolved over two millennia into a worldwide religious and secular celebration. We sing the song (Silent night, holy night) tonight. Let’s celebrate Christmas honoring the birth of Jesus Christ. Our friend computer system also say celebration but it is a hex code (48 61 70 70 79 42 69 72 74 68 64 61 79 4a 65 73 75 73 20 21 ). That’s is Happy Birthday Jesus. We wish you Merry X’mas and Happy new Year.

About DHS Malware Analysis Report (MAR) – 10135536-B

Preface:

There are books of which the backs and covers are by far the best parts!

― Charles Dickens, Oliver Twist

Discussion details:

Heard that the North Korean government suspected state sponsor of Lazarus Group cyber attack activities. A nick name to Lazarus group dubbed Hidden Cobra exposed to the world mid this year. The US homeland security claimed that they are the suspects of the cyber attack to Sony picture and behind the WannaCry (ransomware) cyber attack. By far we known US homeland security department with high priority to keep track their activities.

DHS malware report (10135536-B) technical findings

There are total 7 items of Portable Executable (PE) files shown on report. We make our discussion in layman terms, say that PE is a executable file. The PE checksum and details shown as below:

  1. PE file name checksum (MD5): C74E289AD927E81D2A1A56BC73E394AB

Antivirus vendor capable to detect checklist

  • K7 – Trojan ( 700000041 )
  • Cyren – W32/Heuristic-KPP!Eldorado
  • VirusBlokAda – BScope.Trojan.Agent

2. PE file name checksum (MD5): FC9E40100D8DFAE2DF0F30A3414F50EC

Antivirus vendor capable to detect checklist

  • Cyren – W32/Heuristic-KPP!Eldorado
  • VirusBlokAda – BScope.Trojan.Agent
3. PE file name checksum (MD5): 0137F688436C468D43B3E50878EC1A1F 
Antivirus vendor capable to detect checklist
  • F-secure – Gen:Trojan.Heur.LP.Tu4@aqf3yp
  • BitDefender – Gen:Trojan.Heur.LP.Tu4@aqf3yp
  • Emsisoft – Gen:Trojan.Heur.LP.Tu4@aqf3yp (B)
4.  PE file name checksum (MD5): 114D8DB4843748D79861B49343C8B7CA
Antivirus vendor capable to detect checklist
  • F-secure – Gen:Variant.Graftor.373993
  • Cyren – W32/Heuristic-KPP!Eldorado
  • VirusBlokAda  – BScope.Trojan.Agent
  • BitDefender – Gen:Variant.Graftor.373993
  • Emsisoft – Gen:Variant.Graftor.373993 (B)

5. PE file name checksum (MD5) 9E4D9EDB07C348B10863D89B6BB08141

Antivirus vendor capable to detect checklist
  • F-secure – Gen:Trojan.Heur.LP.hu4@aKqgOsli
  • BitDefender – Gen:Trojan.Heur.LP.hu4@aKqgOsli
  • Emsisoft – Gen:Trojan.Heur.LP.hu4@aKqgOsli (B)
6. PE file name checksum (MD5)
2950E3741D7AF69E0CA0C5013ABC4209
Antivirus vendor capable to detect checklist
  • F-secure – Trojan.Inject.RO
  • VirusBlokAda – BScope.Trojan.Agent
  • Ahnlab – Trojan/Win32.Akdoor
7.  PE file name checksum (MD5)
964B291AD9BAFA471DA3F80FB262DBE7
Antivirus vendor capable to detect checklist
  • nProtect – Trojan/W64.Agent.95232
  • McAfee – Trojan-FLDA!964B291AD9BA
  • ClamAV – Win.Trojan.Agent-6319549-0
  • Ahnlab – Trojan/Win64.Dllbot
  • Quick Heal – Trojan.Generic
My observation:
It was strange and surprise to me that the total checksum provided by homeland security malware report only 1 item can find the record on virustotal database. It was not usual from technical stand point. The item 7 PE checksum can found on virustotal database. The earlier malware detected period fall back to 2014.  Apart from that  PE file checksum item from 1 to 5 only acknowledge by few antivirus vendor.
As we know, Kapersky pay an important role of APT cyber attack investigation analysis so far. But this time it did shown on report. We understand that there is a lawsuit in between US government and Kapersky.  May be this is the reason. However we couldn’t find any details on virustotal repository. It is very rare! It looks that  F-secure virus vendor done well in this matter since their detection rate is 3 out of 7. On the other hand, the body guard for South Korea government (AhnLab) is the antivirus detect the attack earlier in 2014. However the overall detection performance only maintain on 2 out of 7.
From general point of view, no matter Lazarus Group or Hidden Cobra their design goal looks is their natural enemy if the attack was engaged by North Korean government. However it looks that the major cyber attacks given by Hidden Cobra went to cross bother countries especially USA or European countries. The virus vendor F-Secure hometown in Finland. Their business market coverage in APAC country looks significant reduce in PC market recently. But they are aggressive in mobile phone devices. Perhaps the alert given by Homeland security malware attack target machines are on windows base. And therefore it such away bypass their focus.
It looks confused with managed security services vendor especially APAC country of this cyber alert!
The report given by US homeland security awaken our general opinion for antivirus vendor. Apart of my favor Kapersky  there are potential antivirus contain powerful capability to  detect and quarantine the unknown APT activities and malware. For example on the report we seen the brand name of K7,  Cyren, VirusBlokAda, Emsisoft  and BitDefender.
Anyway  I still have hesitation or hiccups of this report since some information not disclose in normal way. For example, I could not found the history record on virustotal repository. But place safe that following the recommendation provide by DHS is the best practice (Yara rule shown as below):

 

rule Unauthorized_Proxy_Server_RAT

{

meta:

Author="US-CERT Code Analysis Team"

Incident="10135536"

MD5_1 = "C74E289AD927E81D2A1A56BC73E394AB"

MD5_2 = "2950E3741D7AF69E0CA0C5013ABC4209"

Info="Detects Proxy Server RAT"

super_rule = 1

strings:

$s0 = {8A043132C288043125FF00000003C299F73D40404900A14440490003D0413BCF72DE5E5FC3}

$s1 = {8A04318844241432C28804318B44241425FF00000003C299F73D40404900A14440490003D0413BCF72D65E5FC3}

$s2 = {8A04318844241432C28804318B44241425FF00000003C299F73D5C394100A16039410003D0413BCF72D65E5FC3}

$s3 = {8A043132C288043125FF00000003C299F73D5C394100A16039410003D0413BCF72DE5E5FC3}

$s4 = {B91A7900008A140780F29A8810404975F4}

$s5 = {399FE192769F839DCE9F2A9D2C9EAD9CEB9F

D19CA59F7E9F539CEF9F

029F969C6C9E5C9D949FC99F}

$s6 = {8A04318844241432C28804318B44241425FF00000003C299F73D40600910A14460091003D0413BCF72D65E5FC3}



$s7 = {3C5C75208A41014184C074183C72740C3C7474083C6274043C2275088A41014184C075DC}

$s8 = {8B063D9534120077353D59341200722E668B4604663DE8037F24}

$s9 = {8BC88B74241CC1E1052BC88B7C2418C1E1048B5C241403C88D04888B4C242083F9018944240C7523}

$s10 = {8B063D9034120077353D59341200722E668B4604663DE8037F246685C0}

$s11 = {30110FB60148FFC102C20FBEC09941F7F94103D249FFC875E7}

$s12 = {448BE8B84FEC

C44E41F7EDC1FA038BCAC1E91F03D16BD21A442BEA4183C541}

$s13 = {8A0A80F9627C2380F9797F1E80F9647C

0A80F96D7F0580C10BEB

0D80F96F7C0A80F9787F05}

condition:

any of them

}

Reference: The article provided by US Homeland security (see below)
https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDF

Summary:

In the meantime, I wish you Merry X’mas and Happy New year. Stay tuned!

Winter solstice blessing 2017

The sun shines directly on the Tropic of the Capricorn in the southern Hemisphere. The Northern hemisphere is tilted away from the sun. Whereby a festival hand down thousand years in galaxy especially the earth. This is the winter solstice. The IT guy especially security operation center requires working in 24 hours. Perhaps you must take a rest and enjoy the dinner with your family tonight. This is the space to balance your life. Enjoy!

The stronger encryption power you have. The greater the risk being attacks.

A new mantra , some people quit the bitcoin business whereby some people catch up immediately! Such statement precisely describe current situation of bitcoin industry. A South Korean bitcoin exchange has filed for bankruptcy after being hacked again. They are decide to quit. It surprise to us with advanced secure platform causes such tragedy. But malware infection and DDoS attack not green to IT world today. Be brave to facing difficulties. Your new era is coming. A visible hints to re-engineering your cyber defense model in according  of  Lockheed Martin the Seven Ways (Cyber Kill Chain). You can figure out existing weakness of bitcoin technology architecture model. Perhaps sad feeling bring to bitcoin world is that they did not paid the attention on end-point wallet security management and manged security services. The trend is on the way, even though we are not belongs to this industry. Let’s you and me become the witness of this age!

More details of Youbit Bitcoin exchange quits operation see below url:

https://qz.com/1160573/bitcoin-exchange-youbit-files-for-bankruptcy-in-south-korea-after-latest-hack/

Dig out more in regards to e-wallet security information see below url:

Perspective of e-Wallet Vulnerability

Potential black force – digitize Godzilla

Preface

Can you remember that Science fiction movies Godzilla. The sea monster dubbed Godzilla, his body empowered by nuclear radiation then become huge. However his target is attack the Tokai Nuclear Power Plant and feeding on the nuclear reactor. The Japanese government concluded that nuclear power was what attracted Godzilla.

The World in demand of electricity power

The electricity power generation scheme, like plants that burn coal, oil and natural gas, produce electricity by boiling water into steam. This steam then turns turbines to produce electricity. Nuclear power plants obtain the heat needed to produce steam through a physical process. Apart of environmental pollution and Harmful radiation. Nuclear power looks is the quick and dirty way to resolve the natural resources supply limitation in the earth.

Example: Water energy reactor located in Ukraine

Stuxnet malware ages evolute the function to the new generation of malware

Cyber attacker follow Stuxnet objective, the group re-engineering a powerful DDOS tool on 2016. The attack target are the media outlets and electric companies in Ukraine. The new version of BlackEnergy does not contains destroy feature. It oppositely able to download and execute a binary or shell command, uninstall itself, modify internal settings, or load additional modules. The conceptual idea of the design is evade the defense mechanism detection. In short to summarize such design is that new version of black energy combined spear phishing email with embedded link file contains path to the module (.dll) .

The functionality of BlackEnergy can be extended with additional modules. These modules are stored in encrypted form in a separate file, which can be referred to as a plug-in-container. The attacker will be executed and download payload afterwards (see below diagram for reference)

We known the vulnerability known as CVE-2010-2568 and used by the Stuxnet computer worm can be weaponized to remotely execute code over a Windows computer without the user’s knowledge. It target the Siemens WinCC SCADA systems.

DNP3 (Distributed Network Protocol) is a set of communications protocols used between components in process automation systems especially electric and water supply facilities. The distributed network protocol (DNP3) play a major control role in SCADA system especially used by SCADA Master Stations (Control Center). A hints in below diagram shown that programmable logic controller responsible centrifuge status control and monitoring.

How Iran’s nuclear centrifuges facilities work?

As times go by, more and more manufacturer involves to nuclear facilities hardware re-engineering and installations. The well known vendor not limit to Siemens, it now have Schneider Electric, Allen-Bradley, General Electric (GE)…. But another 0-day vulnerability found few months ago.

The Modbus is a serial communications protocol originally published by Modicon (now Schneider Electric) in 1979 for use with its programmable logic controllers (PLCs). The Modbus protocol is the major communication protocol communicates with programmable logic controller. However it is a UN-encrypted data traffic. And therefore sensitive information is run in clear text (see below diagram for reference).

Remark: Both DCS and SCADA are monitoring and control systems used in industrial applications. The systems monitor equipment and processes to ensure all processes and equipment are performing within the required tolerances and specifications.

A design weakness was discovered in Schneider Electric Modicon Modbus Protocol. Sensitive information is transmitted in cleartext in the Modicon Modbus protocol, which may allow an attacker to replay the following commands: run, stop, upload, and download (CVE-2017-6034). Besides, the Modicon Modbus protocol has a session-related weakness making it susceptible to brute-force attacks.

Quote:

UMAS is a Kernel level protocol and an administrative control layer used in Unity series PLC and Unity OS from 2.6. It relies on the Modicon Modbus protocol, a common protocol in Critical Infrastructure, SCADA and industrial control systems and used to access both unallocated and allocated Memory from PLC to SCADA system said CTO and founder of CRITIFENCE.

* It may not be entirely patched within the coming years, since it affects a wide range of hardware and vendors.”

December 14, 2017 announcement by FireEye – Found Triton Malware

It looks critical that Schneider programming logical controller could soft patch not issue yet. The expertise by FireEye found security alert on Triconex cotroller. The expert believe that Fireye believe that this masqueraded trilog application was deployed by Sandworm Team. This team engage cyber attack to Ukraine nuclear power facilities in 2016.

 

Information Supplement

Supervisory control and data acquisition (SCADA) is a control system architecture that uses computers, networked data communications and graphical user interfaces for high-level process supervisory management. How does this function to operate? Below diagram provides hints for reference.

Conclusion:

The suspicious attack found on Schneider Electric brand this time. It is hard to tell that similar attack will be happen on other brand name soon.

Information appending on 3rd Feb 2018 : related SCADA information for your reference

Advantech WebAccess/SCADA – CVE-2018-5443 – CVE-2018-5445

Is Quantum technology an existential threat to blockchain?

The world are obsessed with Bitcoin.We heard Quantum Computing earlier this year.Quantum computing found quantum bit theory. Boolean Algebra base on ‘AND’, ‘OR’ And ‘NOT’ condition. Therefore implementing to Quantum bit might have problem(attach picture can provide hints)! Blockchain theory empower cryptocurrency powerful features.But blockchain technology work with tradition computer. So, Quantum technology is blockchain technology enemy! The quantum computing is the traditional currency bodyguard.Following url can provide the hints.

https://singularityhub.com/2017/11/05/is-quantum-computing-an-existential-threat-to-blockchain-technology/

Information security perspective -Hyperledger (Blockchain Technology) article shown as below:

Overview of hyperledger (Blockchain Technology) security design

 

Overview of hyperledger (Blockchain Technology) security design

Preface

The deluge push the earth to next generation. The scientists found Noah’s Ark fingerprint on top of the hill in India. The tremendous trend of the cryptocurrency (Bitcoins) like deluge. It such a way change the financial industry framework.

The fundamental technology concept

What is the difference in between blockchain and hyperledger?

A consensus of the blockchain technology foundation have the following idea. The blockchain technology feature better implement in public ledger that is crypto currencies. Hyerledger should have benefits to business industries. Since the fundemental of the cryptocurrencies concept is a direct electronic payment.The specific technology objectives encryption and integrity of the record (it cannot counterfeit), once the block is use it cannot be use reuse anymore.

 

As times go by, the cyber attack incidents on IT technology world bring the enhancement idea to blockchain technology. In order to cope with on-going technology and business perspective. Blockchain technology transform the technology focus to enhance its framework structure. And therefore hyperledger was born.The most popular hyperledger framework models are the following models.

Refer to the Hyperledger Modular Umbrella approach. Each Hyperledger framework empower different advanced function in order to cope with business industry requirements.

There are total 5 different framework of approach.

Burrow Framework

Provides a modular blockchain client with permissioned smart contract interpreter partially developed to the ethereum virtual machine (EVM) specification.

From security point of view: Eris makes use of Docker containers for its services and much of the Eris and Tendermint tooling is written in Go.You’ll need to have at least as many EC2 instances available as you want nodes. Again, you’ll need at least four nodes for the network to operate. If you don’t want to use AWS to host your nodes, you’ll need to have access to hosts that have Go version 1.4.x and Docker version 1.8.x installed. The programming language is Go. This development language not popular but it is secure. But it is hard to find programmer familiar with GO programming background.

Observation: (CVE-2016-3958/CVE-2016-3959) Untrusted search path vulnerability in Go before 1.5.4 and 1.6.x before 1.6.1 on Windows allows local users to gain privileges via a Trojan horse DLL in the current working directory, related to use of the LoadLibrary function (CVE-2016-3958).

Iroha

An blockchain framework designed for simple and easy incorporation into infrastructure projects requiring distributed ledger technology.

From security point of view: Since Iroha framework contains the following features:

  • Creation and management of custom complex assets, such as currencies or indivisible rights, serial numbers, patents, etc.
  • Management of user accounts
  • Taxonomy of accounts based on domains — or sub-ledgers in the system
  • The system of rights and verification of user permissions for the execution of transactions and queries in the system
  • Validation of business rules for transactions and queries in the system

Comparing the actual functions (see below diagram). My comment is that the integrity check looks run in precise way on each transaction. Iroha try to improve the anti-tamper solution of the data. The fundamental design concept of Iroha focuses on Blockchain-based Data Management.

Observation: Since Iroha focuses on blockchain based data management. How about the end point protection? It looks the design did not provide a clear visibility on the end point.

Remark: The Iroha project is a bit of an outlier within Hyperledger. It originated with some developers in Japan who had built their own blockchain technology for a couple of mobile use cases. It’s implemented in C++ which can be more high performance for small data.

A modular platform designed for building, deploying and running versatile and scalable distributed ledgers. Heard that the Sawtooth consensus software targets large distributed validator populations with minimal resource consumption. “It may give us the ability to build very broad and flat networks of hundreds to thousands of nodes,” said Behlendorf. “It’s harder to do with traditional consensus mechanisms without having the CPU burden of cryptocurrencies.”

From security point of view: No conclusion at this moment.

Fabric Framework

An implementation of block chain technology intended as a foundation for developing blockchain application or solutions. Fabric is Hyperledger’s most active project to date. Hyperledger Fabric intends to offer a number of SDKs for a wide variety of programming languages. The first two delivered are the Node.js and Java SDKs.

From security point of view: Since the first two delivered are the Node.js and Java SDKs. In order to avoid the denial of service or avoid unauthenticated attacker with network access via Kerberos to compromise Java SE, Java SE Embedded. It is better to make use of GO for application development in future.

Below details are the recently vulnerabilities occurred on above 2 programming languages for reference.

http://www.cvedetails.com/cve/CVE-2017-10388/

https://nodejs.org/en/blog/vulnerability/oct-2017-dos/

Indy

Sovrin is a specific deployment of the Hyperledger Indy codebase. Sovrin developed the Indy code base as part of its mission to build a global public utility for self-sovereign identity. Sovrin Foundation contributed the code to Hyperledger under the Hyperledger Indy brand to expand the developer community and allow greater participation. But Sovrin and Indy are distinct. Sovrin is a specific, operating instance of the Hyperledger Indy code that contains identities that are interoperable at the global scale.

Remark: The best way to start develop Sovrin would be with the Indy SDK. (Indy is the technology under Sovrin, and its SDK provides a C-callable library.

From security point of view: Vulnerability (Slow nodes can be stalled after a view change)

Description – The election process needs to communicate what is the transaction and state root hash apart from the last ordered Pre-Prepare sequence number

Detail explanation: What if A is malicious, and C and D during a catch up get inconsistent catchup messages from A and B? Perhaps the PRIMARY declaration message needs a root hash, and f+1 consistent responses for both Last Ordered Batch number AND Txn Root Hash

Remedy: The election process needs to communicate what is the transaction and state root hash apart from the last ordered Pre-Prepare sequence number.

Summary:

IT security from 90’s encountered virus infection till today malware infection causes data breach. The appearance of blockchain (hyperledger technology) goal to mitigation the data leakage issue. The design objective of the data encryption is going to protect your data. As of today, an advanced technology enhanced server side and data storage. Block chain technology breakthrough traditional key algorithm encryption. The hash encryption technique and blockchain (accumulate) (N+1) data encryption scheme awaken the world. However the product design limitation let hacker exploit the vulnerabilities and such away expand the risk to application layer including programming language. On the other hand a hidden factor in client side (end point) looks without significant improvement. Apart from that the smartphone geometric level of growth . So, I forseen that information technology world requires a new revolution to end point platform. See whether there is a new concept of client platform technology announces tomorrow?

Note: AWS, Azure and Office 365 are ready for Blockchain (hyperledger) services (see above diagram). Be a innovative IT management. Don’t wait. Now please try to jump to Blockchain (hyperledger) services. You will love it!

Status update 19th Feb 2018 – The deluge push the earth to next generation.Bitcoin and hyperledger technologies such a way transform their new generation to the financial business world. Dubai a former big brother leading the natural resources supply to the world especially petroleum. Now they are keen to leads bitcoin and hypledger technologies. I wishes of their success. See whether what is the new technique can be renovate the blockchain and hyperledger world.

 

 

Another Force Awakens – Bleichenbacher Attack on TLS

X’mas is coming soon! I am waiting to watch the movie “Star War – The last Jedi” coming Friday. The cyber attack so called ROBOT (Return of Bleichenbacher’s Oracle Attack) looks doing the celebration. looks doing the celebration coming Star War movie. TLS base attack type hottest recent year.. Vendors remediation details shown as below:

Cisco https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171212-bleichenbacher

Citrix https://support.citrix.com/article/CTX230238

F5 https://support.f5.com/csp/article/K21905460

Oracle – https://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html