All posts by admin

Thomson Reuters Eikon version 4.0.42144 design weakness (9th Sep 2020)

Preface: NVD published this entry on 09/03/2020. I strongly believe the vendor has resolved the technical matter completely. However, we should still record this issue in our notes. As we know, an attacker who jumps into a client network will hide for a period of time; sometimes that dwell time serves their data exfiltration activities or ….

Technical background: The slogan of Thomson Reuters Eikon is “Access an incredible depth and breadth of financial analysis data to make smarter decisions.” Reuters Eikon is a financial data platform that includes data on financial markets, companies’ (especially listed companies’) financial data, financial news, macro data, etc. The product is analogous to the Bloomberg Terminal, aka “Open Bloomberg”. Clients install the Eikon software on their company workstations.

Vulnerability details: The file permissions of the directory C:\Program Files (x86)\Thomson Reuters\Eikon allow members of the group Authenticated Users to modify files in the folder. Because these files are executed by a service that runs with SYSTEM privileges, it is possible to escalate privileges and create a new user with administrator privileges.

If a user has write permission to a folder used by a service, they can replace the binary with a malicious one. When the service is restarted, the malicious binary is executed with higher privileges. Please refer to the attached picture for details.
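Checking for this weakness before anyone else does is a matter of reading the directory ACL. As an added example (not code from the post or the vendor), the following parses the output of `icacls` and flags any ACE that gives a low-privileged group write-capable rights; the listing below is a constructed sample shaped like the finding described above.

```python
import re

# Principals every interactive user effectively belongs to. An ACE that gives
# one of them write access to a service's program directory is the weakness
# class described above. (Constructed list for this example.)
LOW_PRIV_PRINCIPALS = {
    "everyone",
    "builtin\\users",
    "nt authority\\authenticated users",
    "nt authority\\interactive",
}

# icacls simple and specific rights that allow changing or adding files.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "WA", "WEA", "D", "DC"}


def weak_aces(path, icacls_output):
    """Return (principal, write rights) pairs for low-privileged principals.

    `icacls_output` is the text printed by `icacls <path>`: the path is
    printed before the first ACE only, later ACEs are indented on their own
    lines, and a summary line closes the listing.
    """
    findings = []
    for raw in icacls_output.splitlines():
        line = raw.strip()
        if line.startswith(path):
            line = line[len(path):].strip()
        who, sep, flags = line.partition(":(")
        if not sep:                      # blank line or the summary line
            continue
        rights = set(re.findall(r"\(([^)]*)\)", "(" + flags))
        granted = rights & WRITE_RIGHTS
        if who.strip().lower() in LOW_PRIV_PRINCIPALS and granted:
            findings.append((who.strip(), sorted(granted)))
    return findings


# Constructed sample listing for the directory named in the post: the first
# ACE gives Authenticated Users Modify (M), inherited by files and subfolders.
SAMPLE_PATH = r"C:\Program Files (x86)\Thomson Reuters\Eikon"
SAMPLE_ICACLS = r"""C:\Program Files (x86)\Thomson Reuters\Eikon NT AUTHORITY\Authenticated Users:(OI)(CI)(M)
                                              BUILTIN\Administrators:(I)(OI)(CI)(F)
                                              NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                                              BUILTIN\Users:(I)(OI)(CI)(RX)

Successfully processed 1 files; Failed processing 0 files"""

if __name__ == "__main__":
    for who, rights in weak_aces(SAMPLE_PATH, SAMPLE_ICACLS):
        print(f"{who} can write: {rights}")
```

Run the real `icacls` against each service's binary directory and feed its output in; any finding is a candidate for the same class of escalation.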

Since Reuters and related terminals are installed in the dealing rooms of investment banks and broker firms, this is perhaps an area that lures attacker interest, and it is a typical example of an insider threat.
From my point of view, applying advanced cyber security filtering and scanning functions in this area is not a feasible solution, because they will raise false alarms and therefore interrupt services. To avoid unknown incidents in this environment, SIEM plus predictive analysis tools (like Darktrace) are the appropriate solution.

Don’t underestimate low-risk vulnerabilities (CVE-2020-15709). A simple method can be circumvented in Linux. 5th Sep 2020

Preface: The current Linux desktop market share is between 1.74% and 2.18%, according to the usage share of operating systems. In April 2019, Linux’s desktop market share was estimated at 1.63%. Of all Linux users, 38.2% use Ubuntu as of May 2019, and 21.5% rely on Debian.

Background: PPAs (Personal Package Archives) allow you to upload Ubuntu source packages to be built and published as an apt repository by Launchpad.

Vulnerability details: Versions of add-apt-repository before 0.98.9.2, 0.96.24.32.14, 0.96.20.10 and 0.92.37.8ubuntu0.1~esm1 printed a PPA (personal package archive) description to the terminal as-is, which allowed PPA owners to include ANSI terminal escapes that modify terminal contents in unexpected ways.

Design limitation: A terminal escape sequence is a special sequence of characters that is printed to the terminal. If the terminal understands the sequence, it does not display the characters but performs some action instead. Please refer to the attached drawings for details.
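An added example, not part of the original post: the kind of check add-apt-repository needed, written in Python. It detects escape sequences in an untrusted PPA description and neutralizes them before printing; the description string is constructed for this example.

```python
import re

# Sequences a terminal acts on instead of displaying: CSI (ESC [ ... final byte),
# OSC (ESC ] ... BEL or ESC \) and any other single-byte ESC sequence such as ESC c.
ESCAPE_RE = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"
    r"|\x1b[\x20-\x7e]"
)


def has_terminal_escapes(text):
    """True if printing `text` as-is would hand the terminal control data."""
    if ESCAPE_RE.search(text):
        return True
    return any(ord(ch) < 0x20 and ch not in "\n\t" for ch in text)


def sanitize_description(text):
    """Return a printable version: escape sequences dropped, remaining control
    bytes shown in caret notation (ESC -> ^[, BEL -> ^G) like cat -v, and C1
    controls (U+0080..U+009F, which some terminals also obey) hex-escaped."""
    out = []
    for ch in ESCAPE_RE.sub("", text):
        code = ord(ch)
        if ch in "\n\t" or 0x20 <= code < 0x7f or code >= 0xa0:
            out.append(ch)
        elif code == 0x7f:
            out.append("^?")
        elif code < 0x20:
            out.append("^" + chr(code + 0x40))
        else:
            out.append("\\x%02x" % code)
    return "".join(out)


# Constructed PPA description of the kind an untrusted PPA owner controls: it
# clears the screen, homes the cursor, prints a green fake confirmation and
# rings the bell. Printed as-is it overwrites whatever the user saw before.
CONSTRUCTED_PPA_DESCRIPTION = (
    "Nightly builds\x1b[2J\x1b[H\x1b[32m"
    "The PPA has been verified. Press Enter to continue\x1b[0m\x07"
)

if __name__ == "__main__":
    print(sanitize_description(CONSTRUCTED_PPA_DESCRIPTION))
```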

Official reference: https://nvd.nist.gov/vuln/detail/CVE-2020-15709

Cyber security Focus – Cloud collaboration for OT engineering (4th Sep 2020)

Preface: In line with its Industrie 4.0 effort, Google Cloud will use the OPC UA open standard to incorporate machine data into analytics and AI solutions.

The existing atmosphere of the Internet world – According to network attack statistics reports, many different types of attacks are involved. Nowadays, illegally obtaining personal or confidential data is one of the ways attackers run their aggressive campaigns. Looking ahead, we foresee that many vendors will plan to phase out basic authentication using passwords and cookie-based authentication.

Business needs drive the implementation of new technologies – Integration with IT: OT-BASE allows IT applications to pull asset information via a powerful REST API. This way you can easily leverage OT asset details in SIEM, data analysis and custom-built applications.

Genesis of the new concept: Cloud collaboration enables people to work simultaneously on documents that live ‘in the cloud’. Consolidating OT configuration details in a central platform, accessible by web browser and REST API, means system details are no longer known only to individual engineers but are instantly available to every team member, making the team more efficient.

OPC Unified Architecture (OPC UA) is one of the most important communication protocols for Industry 4.0 and the IoT. Let’s do a quick review of OPC UA security features.

Unlike OPC Classic, the OPC UA design is able to work with firewall technology because it supports the TCP/IP communication protocol, whereby it can be managed and governed through standard network technologies.

Remark: OPC Classic uses DCOM as its communication protocol. Because of the DCOM technology used, cross-network communication via OPC Classic is very difficult.

In general practice, OPC UA software application development uses the Simple Object Access Protocol (SOAP). SOAP is a simple XML-based protocol that enables applications to exchange information via HTTP. Meanwhile, OPC UA uses certificate exchange for further security, so that each client has to authenticate with a certificate. In this way it can be controlled which clients are allowed to connect to the server; in other words, access control is implemented.

Advanced System Integration – Data exchange between PLC and REST interface

To create or modify objects using data from a PLC, the PLC can be connected via OPC UA and the OPC Client plug-in. Which objects can be addressed in the target system can be queried and browsed via the OpenAPI / Swagger function of the OPC Router. If, for example, a batch can be created via REST, the PLC must provide all data in OPC data points when the batch is created and trigger the REST call. The data points are then transferred as a JSON packet by the REST call and the batch is created as an object.

Technical Background: REST or RESTful API design (Representational State Transfer) is designed to take advantage of existing protocols. While REST can be used over nearly any protocol, it usually takes advantage of HTTP when used for Web APIs. This means that developers do not need to install libraries or additional software in order to take advantage of a REST API design. It includes the four most commonly used HTTP verbs (see below):

  1. “GET” to retrieve a resource.
  2. “PUT” to change the state of or update a resource, which can be an object, file or block.
  3. “POST” to create that resource.
  4. “DELETE” to remove it.

Additional: “PATCH” applies a partial update to the resource. This means that you are only required to send the data that you want to update, and it won’t affect or change anything else.

The flexibility of the design even allows the use of the “curl” command. The curl options are shown below:

   -X, --request – The HTTP method to be used.

   -i, --include – Include the response headers.

   -d, --data – The data to be sent.

   -H, --header – Additional header to be sent.

Example: curl https://xxx[.]restapi[.]com/posts?userId=8

Security Focus: The REST API has emerged as the most versatile and useful web service API. The major trend in data management today is the move toward cloud integration. REST APIs are most commonly used with SaaS (software as a service) platforms. Fundamentally speaking, REST focuses on the transferability and consumption of data rather than providing built-in measures to ensure data security during transmission. Today this has perhaps been enhanced by using HTTPS. But is this enough to prevent today’s cyber attacks? Listed below are some of the known cyber attacks. Let’s take a quick look.

  1. The attacker could be on the client side. An attacker can create a rogue client that aims to consume resources on the destination server.
  2. For resources exposed by RESTful web services, an attacker can exploit an application vulnerability (Cross-Site Request Forgery) to execute PUT, POST and DELETE functions.
  3. The attack scenario depends on the architecture set-up. If the four most commonly used HTTP verbs have no access control, the impact will include the server side and related infrastructure.

How to secure industrial communications with OPC UA (see below):

  1. At least the “Basic256Sha256” security policy should be selected.
  2. Never store private keys or the corresponding certificate files on an unencrypted file system. Use the dedicated certificate stores of your operating system and use operating system capabilities for setting the access rights.
  3. Because vulnerabilities are sometimes found in Java components, thereby affecting customized Java applications, patch and vulnerability management should follow best practices.

Summary: Since HTTPS is suggested for calling REST endpoints, the authentication methods available in the standard system, OAuth1 and OAuth2, can also be used. Besides the standard authentication options, a so-called AppKey is often exchanged. This key is a secret code created for the client, which is transferred with every call to obtain authorization for the call. From a general point of view, REST is considered secure due to the use of widely used methods.

CVE-2019-18847 (Something in your eyes): 3rd Sep 2020

Preface: On October 15, 2019, Tesla discovered, and responsibly disclosed, a vulnerability within Akamai’s Enterprise Application Access (EAA) client that allows privilege escalation and remote code execution (RCE) when an attacker is within privileged locations on a network.

Vulnerability details: Enterprise Access Client Auto-Updater allows for Remote Code Execution prior to version 2.0.1.

Possible ways: Perhaps an attacker could mimic an email informing the client to update their software, while the update server is connected to an attacker-compromised host. If the user is not aware that it is a fake IdP portal, they will download EAAClient and install it locally. Since this software runs at a privileged level, the attacker can compromise the device as a result.

Impact: Attackers may understand that the vendor’s cloud collaboration security service has sensors and alarms, so they can take another way round: steal the data on the compromised workstation and/or its ongoing activities.
Backdoor[.]Win32[.]Mokes was spread via the same campaign earlier in January.

Official announcement: August 25, 2020 9:45 AM – https://blogs.akamai.com/2020/08/enterprise-application-access-client-eaa-vulnerability-cve-2019-18847.html

CVE-2020-11984: About Apache HTTP server 2.4.32 to 2.4.44 mod_proxy_uwsgi (2nd Sep 2020)

Preface: uWSGI is a very active project with a fast release cycle. For this reason the code and the documentation may not always be in sync.

Background: Currently there are three uwsgi-protocol-related apache2 modules available: mod_uwsgi, mod_proxy_uwsgi and mod_Ruwsgi. uWSGI is often used for serving Python web applications in conjunction with web servers such as Cherokee and Nginx, which offer direct support for uWSGI’s native uwsgi protocol.

Vulnerability details: By sending a small amount of headers (length close to the LimitRequestFieldSize default value of 8190) through uWSGI open port.RCE against a standard UWSGI config is possible if an attacker can put a controlled name or value into “subprocess_env” that is longer than 0xFFFF bytes.
Remark: If UWSGI is explicitly configured in persistent mode (puwsgi), this can also be used to smuggle a second UWSGI request leading to remote code execution.(In its standard configuration UWSGI only supports a single request per connection, making request smuggling impossible).
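The uwsgi protocol frames every key, value and the whole packet body with an unsigned 16-bit length, which is why a name or value longer than 0xFFFF bytes matters. As an added example (not Apache or uWSGI code), here is an encoder that enforces that limit the way a forwarding proxy must, and a decoder that refuses lengths that run past the body; the variable names are constructed.

```python
import struct

# Every length in the uwsgi protocol is an unsigned 16-bit little-endian field:
# the header carries the body size, each variable its key and value lengths.
UWSGI_MAX = 0xFFFF


def encode_uwsgi_packet(env, modifier1=0, modifier2=0):
    """Frame `env` (str -> str request variables) as one uwsgi packet: a 4-byte
    header followed by (len16, key, len16, value) records. Raises ValueError for
    any key, value or body over 16 bits instead of truncating the length."""
    body = bytearray()
    for key, value in env.items():
        k, v = key.encode("latin-1"), value.encode("latin-1")
        if len(k) > UWSGI_MAX or len(v) > UWSGI_MAX:
            raise ValueError(f"uwsgi var {key!r} exceeds the 16-bit length limit")
        body += struct.pack("<H", len(k)) + k + struct.pack("<H", len(v)) + v
    if len(body) > UWSGI_MAX:
        raise ValueError("uwsgi packet body exceeds the 16-bit length limit")
    return struct.pack("<BHB", modifier1, len(body), modifier2) + bytes(body)


def decode_uwsgi_packet(packet):
    """Parse a packet into (modifier1, modifier2, env); any length that points
    past the declared body is rejected rather than read out of bounds."""
    if len(packet) < 4:
        raise ValueError("short uwsgi header")
    modifier1, datasize, modifier2 = struct.unpack("<BHB", packet[:4])
    body = packet[4:4 + datasize]
    if len(body) != datasize:
        raise ValueError("truncated uwsgi body")
    env, pos = {}, 0
    while pos < datasize:
        if pos + 2 > datasize:
            raise ValueError("truncated key length")
        (klen,) = struct.unpack_from("<H", body, pos)
        key = body[pos + 2:pos + 2 + klen]
        pos += 2 + klen
        if len(key) != klen or pos + 2 > datasize:
            raise ValueError("key runs past the body")
        (vlen,) = struct.unpack_from("<H", body, pos)
        value = body[pos + 2:pos + 2 + vlen]
        pos += 2 + vlen
        if len(value) != vlen:
            raise ValueError("value runs past the body")
        env[key.decode("latin-1")] = value.decode("latin-1")
    return modifier1, modifier2, env


def is_encodable(env):
    """True if `env` can be framed without any length overflowing 16 bits."""
    try:
        encode_uwsgi_packet(env)
        return True
    except ValueError:
        return False

# Constructed request variables, as a proxy would forward them to a backend.
SAMPLE_ENV = {"REQUEST_METHOD": "GET", "PATH_INFO": "/", "HTTP_HOST": "example.invalid"}
```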

Official announcement: https://nvd.nist.gov/vuln/detail/CVE-2020-11984

Remedy: CVE-2020-11984: Fixed an information disclosure bug in mod_proxy_uwsgi (bsc#1175074) – https://lists.opensuse.org/opensuse-security-announce/2020-08/msg00068.html

Heads up! Staying Alert! 1st Sep, 2020.

Preface: IP multicast is commonly used today to deliver stock quotes from stock exchanges to financial service providers and then to the stock analysts or brokerages.

Background: The multicast addresses are in the range 224.0.0.0 through 239.255.255.255. Multicast traffic is blocked in Layer-3 mode by default, or by blocking PIM and IGMP under the security rule. The most important multicast routing protocol for the Internet today is PIM sparse mode, defined in RFC 2362.

Vulnerability details: Cisco has released a security advisory for a DVMRP vulnerability in IOS XR Software. This design weakness is due to insufficient queue management for IGMP packets. As a result, an attacker could exploit this vulnerability by sending crafted IGMP traffic to the vulnerable device. A successful exploit could allow the attacker to cause memory exhaustion, resulting in instability of other processes. These processes may include, but are not limited to, interior and exterior routing protocols. Perhaps the drawings can provide an overview for reference.

Official announcement: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-dvmrp-memexh-dSmpdvfz

Remark: IOS XR is a train of Cisco Systems’ widely deployed Internetworking Operating System (IOS), used on their high-end Network Convergence System (NCS) and carrier-grade routers such as the CRS series, 12000 series and ASR9000 series.

Maybe this is a outdated news, but Zoom users should pay attention – CVE-2020-9767 (31st Aug 2020)

Preface: Net meeting software products have recently seen geometric-progression growth because of the COVID-19 effect.

Background: We are all concerned about privilege escalation vulnerabilities. Recap of an OS vulnerability that impacted Zoom products in the past: the GHOST vulnerability is a “buffer overflow” bug that affects the gethostbyname() and gethostbyname2() function calls in the glibc library. The vulnerability could allow remote attackers who can invoke any of these functions to execute arbitrary code with the privileges of the user running the application.

Which components of Zoom may be affected? You have installed a meeting connector, virtual room connector, or phone connector / gateway that is running CentOS Linux version 5.x, 6.x or 7.x.

Remedy: yum update glibc

Recent news: On June 10, 2020 (about 4 months ago), it was found that the Zoom Sharing Service (Cptservice[.]exe) contains insufficient signature checks of dynamically loaded DLLs and EXEs when loading a signed executable. This design weakness allows an attacker who has local access to a machine on which the service is running with elevated privileges to elevate their own system privileges through the use of a malicious DLL. NVD published this vulnerability on 14th Aug 2020. Perhaps quite a lot of users have already received the alert; for those who do not know, you should upgrade the software immediately.

Remedy: https://support.zoom.us/hc/en-us/articles/360044350792-Security-CVE-2020-9767

Security focus – Fileless malware execution with powershell (27-08-2020)

Preface: Modern cyber defense solutions detect malicious activities without difficulty. For instance, applications need approved permissions before installation, and security software can scan files to be written, read and/or executed to check for known signatures. But we still hear of data breach incidents. Why?

Detail description: On 26th Aug 2020, US Homeland Security published articles urging the public that at least three different types of malware are on their way to banking and finance, business and computer end users. On this occasion, we are going to focus on the malware named “BeagleBoyz”. The BeagleBoyz use a variety of techniques to run their code on local and remote victim systems. Quite a lot of cyber security service vendors observe that fileless malware execution with PowerShell evades antivirus and firewalls more easily. To avoid having their activities detected by defense mechanisms, attackers abuse the Command and Scripting Interpreter technique to execute arbitrary commands. Meanwhile, this is the security focus highlighted by the Department of Homeland Security. A large number of articles describe the different types of malware; if you want to read the details, please refer to the website links.

https://us-cert.cisa.gov/ncas/alerts/aa20-239a

https://us-cert.cisa.gov/northkorea

Remedy: If your current cyber defense solution supports a regular expression filter function, you can create generic policies to deny unknown PowerShell scripts. For example:

.\bi["']*e["']x\b.*
blocks Invoke-Expression.
Finally, I would like to thank McAfee for providing this effective solution.

Learn about ATM technology through NCR vulnerabilities (26th Aug 2020)

Preface: A few years ago, ATM attackers might have had the opportunity to compromise ATM machines through this method (Raspberry Pi + Python + Wi-Fi). It looks like that is not possible right now.

Study Road Map: From a security perspective, the design weaknesses disclosed by the vendor this time are divided into 3 types:
– Insufficient encryption strength (CVE-2020-10125)
– Main weaknesses in authentication bypass (CVE-2020-10126)
– Lack of data protection (CVE-2020-10124)

Before reading the details of the vulnerability note (VU#815655), we should know the main product specifications.
1. What is XFS?
eXtensions for Financial Services, or XFS, is an open systems middleware international standard promoted by the European Committee for Standardization (CEN) that allows software from multiple vendors to run on different manufacturers’ ATMs and other types of payment terminals.

2. What is BNA?
BNA (Bunched Note Acceptor) – Depository that accepts many varied notes without an envelope.

3. Read the vulnerability description (see URL below). Let the attached diagram stretch your imagination; maybe you will dig out more details than the official announcement gives.

https://kb.cert.org/vuls/id/815655

4. Take your time.

A rapid development of China Cyber Security Law

Preface: Data allows organizations to more effectively determine the cause of problems. Data allows organizations to visualize relationships between what is happening in different locations, departments, and systems.

Background: Perhaps because of Big Data’s powerful functions, on July 3, 2020, the Standing Committee of the National People’s Congress (NPC) published the draft Data Security Law (Draft Law) for public comment through August 16, 2020.

Reference: Data Security Law of the People’s Republic of China (Draft) 中华人民共和国数据安全法(草案) http://www.ahwx.gov.cn/zcfg/gfxwj/202007/t20200708_4629245.html

Even though the public comment period has passed, let’s review the history of development: The Cyber security Law of the People’s Republic of China (中华人民共和国网络安全法) was adopted at the 24th meeting of the Standing Committee of the 12th National People’s Congress of the People’s Republic of China on November 7, 2016, and was promulgated to take effect on June 1, 2017.

Reference: The Cyber security Law of the People’s Republic of China (中华人民共和国网络安全法) http://www.cac.gov.cn/2016-11/07/c_1119867116_3.htm

In accordance with the “National Security Law of the People’s Republic of China (中华人民共和国国家安全法)” and the “Network Security Law of the People’s Republic of China (中华人民共和国网络安全法)”, cyber security review measures were formulated. The new cyber security review measures take effect on June 1, 2020, and the “Network Product and Service Security Review Measures (Trial) (网络产品和服务安全审查办法(试行))” is repealed at the same time. If you want to learn more about the “China Cybersecurity Review Measures (网络安全审查办法)”, please read the following URL:

http://www.cac.gov.cn/2020-04/27/c_1589535450769077.htm

The Network Security Law of the People’s Republic of China has been implemented for more than two years. Maybe you have queries? Refer to the attached diagram. As far as we know, the National Security Law and the Cyber security Law each define their own review system. At the moment, the Data Security Law of the People’s Republic of China (Draft) does not appear to provide relevant information. Do you think the Data Security Law will be integrated into the existing review structure?