Category Archives: cyber security incident news highlight

Oct 2019 – The crisis of Indian nuclear power plant’s

Preface: In fact, of system design weakness, the chances of a hacker getting remote access to systems significantly intensifies.

About Indian nuclear power plant’s network was hacked -They have confirmed its newest nuclear power plant was the victim of a cyber attack, exposing the vulnerability of one of the country’s most critical sectors to cyber espionage, said the government of India.

Current status: As mentioned in the headline news, cyber attack happened in Indian nuclear power plant is unplanned. Perhaps it did not involve any hostile country conspiracy. However we found quite a lot of cyber defense vendor could not detect such malware. In reference to the status shown in VirusTotal on 31st Oct 2019 (Asia time).

For more details about this accident, please refer url: https://www.ft.com/content/e43a5084-fbbb-11e9-a354-36acbbb0d9b6

ABout MasterCard data breach – Aug 2019

Preface: Still remember that when I was work in bank environment. Visa and Master payment solutions looks indeed secure. Those facilities are running in standalone machine. The communication protocol is the IBM SDLC communication. In order to communication with S390 mainframe. We setup data link switch in network switch and define VTAM major nodes on mainframe. Can we say the invention of internet jeopardize the world. Yes, it does.

Incident details: MasterCard said it was investigating a data breach of a loyalty program in Germany. There are about 90000 personal records was steal. Perhaps the actual figure has not been finalize yet! but rumor said that the leaked personal data is selling on darknet now. However, when we manually view the programming source it shown to us there is a lot of weakness on backend server. For instance, the backend system run on vulnerable Apache version. So i am imagine that whether there has possibility let attacker exploit CVE-2017-3167 to bypass the authentication on the front end web server then stolen the data?

Bloomberg headline news https://smg.photobucket.com/user/chanpicco/media/chanpicco001/MasterCard-leak-Aug-2019-1_zps35cvwtvc.jpg.html?sort=3&o=0

Have you heard of the “Capital one” data leak! July 2019

Cyber criminal is under arrested. She is accused of breaking into a “Capital One” computer facility and gaining access to 140,000 Social Security numbers, 1 million Canadian Social Insurance numbers and 80,000 bank account numbers.

Security Focus : Cyber criminal is under arrested. She is accused of breaking into a “Capital One” computer facility and gaining access to 140,000 Social Security numbers, 1 million Canadian Social Insurance numbers and 80,000 bank account numbers. Technical guy may known that there is a design limitation occurs on AWS. The metadata service provides temporary credentials. There is no authentication and no authorization to access the service. A mis-configure firewall policy will causes untrusted source establish connection to meta service. For more details, please refer to attach diagram.

Headline News – A hacker gained access to 100 million Capital One credit card applications and accounts

https://edition.cnn.com/2019/07/29/business/capital-one-data-breach/index.html

CVE-2019-1579 VPN solution impacts Uber, other enterprises may be at risk Jul 2019

Preface: The IoT will make the Taxi Industry change.The business concept of Uber is the industrial leader. Perhaps their concept and ideas are advanced and therefore cyber security are their major concerns.

Vulnerability details: Palo Alto Networks PAN-SA-2019-0020 (CVE-2019-1579): Remote Code Execution vulnerability in GlobalProtect Portal/Gateway Interface, especially on SSL Web VPN Applications. Vendor do a preventive action, a survey will be conducted all Palo Alto SSL VPN over the world. See whether is any large corporations using the vulnerable GlobalProtect, and Uber is one of them!
From our survey, Uber owns about 22 servers running the GlobalProtect around the world. For instance – vpn.awscorp.uberinternal.com.

Remark: Uber announce that the vulnerable SSL VPN solution was not the primary VPN in use by the majority of staff members. Their VPN gateway was hosted in AWS rather than embedded within core infrastructure and so the potential impacted will be in low risk.

Our comment: The vendor did not provide the vulnerability details. But do you think that attached infographic details may trigger similar attacks?

Remedy: Available Updates – PAN-OS 7.1.19 and later, PAN-OS 8.0.12 and later, and PAN-OS 8.1.3 and later releases.

Orvibo smart home devices leak billions of user records – customer must staying alert – Jul 2019

Preface: If victim is not negligence. Can we give an excuse to him?

Company background: Orvibo, a Chinese smart home solutions provider.

Story begin: A technical report shown to the world that Orvibo (ElasticSearch cluster) leaked more than two billion user logs containing sensitive data of customers from countries all over the world.
Does the admin using easy to guess password or………

Impact: Diminished reputation of the company only. Perhaps more, GDPR penalty, phishing scam,..etc. Most likely customer do not aware and let the attacker hunt the victim easier because criminal will counterfeit their personal information.

If you are aware your personal information has been stolen by above incident. What should You do?

Since hacker know your personal details and therefore they will using your information to conducting criminal activities on other public media. Our suggestion is that changing your password and update the virus signature or OS patching are not enough. You must observer your mail box whether scam mail activities is growth rapidly after this incident. If result shown positive, you must contact your email service provider and looking for their recommendations.

Headline News – https://www.dailymail.co.uk/sciencetech/article-7202675/Maker-smart-home-software-continues-leave-database-containing-users-passwords-OPEN-online.html

Not a fashion famous brand. Hermes ransomware, the predecessor to Ryuk. NCSC Releases Advisory on Ryuk Ransomware.

Preface: The NCSC is investigating current Ryuk ransomware campaigns targeting organisations globally, including in the UK. In some cases, Emotet and Trickbot infections have also been identified on networks targeted by Ryuk.

Technical details: Ryuk was first seen in August 2018. The Ryuk ransomware is often not observed until a period of time after the initial infection – ranging from days to months.Ryuk ransomware linked to Emotet and Trickbot banking trojans.
– The objective of Emotet conduct as a dropper feature in order to delivery for other Trojans.
– Trickbot aim to browser as a attack target, the aim to do manipulation techniques to facilitate data theft.
The structure of the encrypted file is identical to the structure used in Hermes Ransomware, including the distinctive HERMES token that this malware uses to identify files that it has already encrypted.

Remark: Cyber Criminals distributing Hermes Ransomware via dangerous malspam that contains Weaponized Password protected Word documents to encrypt the system files and lock the victim’s computer.

The pre-operation of Ryuk ransomware on infected computers:

  • Volume Shadow Server & Backup Kill
  • Installed lang check:
    SYSTEM\CurrentControlSet\Control\Nls\Language\
    InstallLanguage
    0419 (Russia)
    0422 (Ukrainian)
    0423 (Belarusian)
  • Arp Blaclklist check
  • GetComputerName check
  • Process kill

Advisory report for download – https://www.ncsc.gov.uk/news/ryuk-advisory

Microsoft Exchange server 2013 and new version of product are vulnerable to NTLM relay attacks (2019)

Preface: A privilege escalation is possible from the Exchange Windows permissions (EWP) security group to compromise the entire prepared Active Directory domain.

Vulnerability details: A tool capable for performing ntlm relay attacks on Exchange Web Services (EWS). It spawns an SMBListener on port 445 and an HTTP Listener on port 80, waiting for incoming connection from the victim. Once the victim connects to one of the target, an NTLM negociation occurs and is relayed to the target EWS server.

Hints: Do not contempt the vulnerability on workstation. It is one of the way which assists the hacker to do the privileges escalation. If the compromised workstation is the domain member. Hacker relies on NTLM vulnerability to do the priviliges escalation. That is, they remotely execute malicious code on any Windows machine or authenticate to any HTTP server that supports Windows Integrated Authentication (WIA). For instance, the Exchange server and ADFS (Active Directory Federation Services).

Official announcement:

Apply an update – https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0686

Disable EWS push/pull subscriptions – In an Exchange Management console, execute the following commands:

  • New-ThrottlingPolicy -Name NoEWSSubscription -ThrottlingPolicyScope
  • Organization -EwsMaxSubscriptions 0
  • Restart-WebAppPool -Name MSExchangeServicesAppPool

It is hard to judge it was a self defense or attack. New York Times cyber attack news – 16th Jun 2019

Preface: Sometime, the argue in between two countries similar a child. I am going to joke with you then switch off your power.

Highlight: Headline news by the New York Times give a tremendous feeling to the world. It let the people think the cyber war is on the way. Yes, it is true. The plan to implement Astra Linux in Russian defense systems dates back to the beginning of 2018. As far as we know, Russian do not relies on Microsoft operation system anymore especially critical facilities (military, defense system and power grid). Astra Linux compatible with Siemens Simatic IPC427D workstation. And therefore it is secure to implement in power supplier facility. But….

However it is hard to guarantee the vendor hardware vulnerability, right? For instance, Denial-of-Service Vulnerability in SIMATIC S7-1200 CPU and SIMATICS7-1500 CPU.

Remark: SIEMENS SCADA software family consists of three main pillars, WinCC Pro, WinCC 7 and WinCC … WinCC Pro is popular and can be used in any – discrete or process.

Reference: https://cert-portal.siemens.com/productcert/pdf/ssa-584286.pdf

What is your opinion on the headlines of the New York Times? Do you think this is a conspiracy?

Looking back – The Russia hacked the US electric grid. DHS and FBI are characterizing it as a Russian attack, noting that this was a multiyear campaign started in March 2016 by Russian government “cyber actors.”
The unconfirmed accusation of cyber attack to Russia posted by New York Times. Do you think it was a defensive action by US government?

Headline news https://www.nytimes.com/2019/06/17/world/europe/russia-us-cyberwar-grid.html

Astra Linux features:

– Compatibility with the Komrad SIEM system
– FSTEC certificates of the Russian Federation and FSB of the Russian Federation on Astra Linux of SE (release Smolensk)
– Compatibility with the Simatic IPC427D workstation
– Compatibility with Videoselektor
– Minobona’s certificate of the Russian Federation and FSB on Astra Linux of SE (release Leningrad)
– Compatibility with Mellanox Spectrum
– Compatibility with TerraLink xDE
– Tests of BLOK computers running SE 1.6 Astra Linux OS
– Availability of an official mirror of a repository of Astra Linux OS on mirrors.kernel.org
– Compatibility with JaCarta
– Compatibility with CryptoPro CSP on Elbrus and Baikal processors
– Compatibility with Linter DBMS

It will jeopardizing 400,000 Linux system in the world – Exim Releases Security Patches (alert issued in Jun 2019)

Preface: Exim is growing in popularity because it is open source.

Background:It’s the default mail transport agent installed on some Linux systems.It contain feature likes:
Lookups in LDAP servers, MySQL and PostgreSQL databases, and NIS or NIS+ services.

Vulnerability details: The vulnerability was patched in Exim 4.92, released on February 10, 2019. The vulnerable code is in “deliver_message()”. A vulnerability exists because the email address in the deliver_message() function in /src/deliver.c is not fully validated. So local attackers simply send emails to “${run{…}}@localhost”. Since “localhost” is a local domain of Exim) and execute as root (system privileges).

Remark: Deliver_drop_privilege is set to false by default.

Attack synopsis: If the “verify = recipient” ACL is manually deleted then remote attack will be occurred. Attacker can reuse our local-exploitation method with an RCPT TO “xxx+${run{…}} @ localhost”. Where “xxx” is the name of the local user .

For official details, please click on the link – https://www.exim.org/static/doc/security/CVE-2019-10149.txt

Did you have trouble accessing internet on Sat (8th Jun 2019 GMT+8)

Synopsis: The users were temporarily unable to reach adjacent countries internet web sites for short period of time (less than 1 – 3 minutes) due to an issue of Internet BGP backbone.

Description: On Sat, I was surprise that some internet web site looks unstable. It is not only happens on a single web site.

What do you think about or do you aware?
There are likely to be similar problems that you can find below:

  1. The ABC ISP (AS __xx) configured a static route 66.220.144.0/24 pointing to null in order to block Facebook access for ABC ISP customers. However, the ISP started to announce the prefix 66.220.144.0/20 towards its upstream provider CDEF (AS xxxx) that propagated the announcement to its peers. Meanwhile Facebook (AS32934) that had been announcing prefix 66.220.144.0/20 so far, started to fight back. Facebook began to announce more specific prefix 66.220.144.0/24. They kept announcing 66.220.145.0/24, however the service would still not be available for a large part of Facebook users. Those were the users whose traffic took a path towards ABC ISP (AS__xx), thus it could not reach Facebook. The traffic was being backhauled by a static route configured on ABC (AS__xx) edge router.
  2. Bogus AS Path