Category Archives: cyber security incident news highlight

Microsoft Exchange server 2013 and new version of product are vulnerable to NTLM relay attacks (2019)

Preface: A privilege escalation is possible from the Exchange Windows permissions (EWP) security group to compromise the entire prepared Active Directory domain.

Vulnerability details: A tool capable for performing ntlm relay attacks on Exchange Web Services (EWS). It spawns an SMBListener on port 445 and an HTTP Listener on port 80, waiting for incoming connection from the victim. Once the victim connects to one of the target, an NTLM negociation occurs and is relayed to the target EWS server.

Hints: Do not contempt the vulnerability on workstation. It is one of the way which assists the hacker to do the privileges escalation. If the compromised workstation is the domain member. Hacker relies on NTLM vulnerability to do the priviliges escalation. That is, they remotely execute malicious code on any Windows machine or authenticate to any HTTP server that supports Windows Integrated Authentication (WIA). For instance, the Exchange server and ADFS (Active Directory Federation Services).

Official announcement:

Apply an update – https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0686

Disable EWS push/pull subscriptions – In an Exchange Management console, execute the following commands:

  • New-ThrottlingPolicy -Name NoEWSSubscription -ThrottlingPolicyScope
  • Organization -EwsMaxSubscriptions 0
  • Restart-WebAppPool -Name MSExchangeServicesAppPool

It is hard to judge it was a self defense or attack. New York Times cyber attack news – 16th Jun 2019

Preface: Sometime, the argue in between two countries similar a child. I am going to joke with you then switch off your power.

Highlight: Headline news by the New York Times give a tremendous feeling to the world. It let the people think the cyber war is on the way. Yes, it is true. The plan to implement Astra Linux in Russian defense systems dates back to the beginning of 2018. As far as we know, Russian do not relies on Microsoft operation system anymore especially critical facilities (military, defense system and power grid). Astra Linux compatible with Siemens Simatic IPC427D workstation. And therefore it is secure to implement in power supplier facility. But….

However it is hard to guarantee the vendor hardware vulnerability, right? For instance, Denial-of-Service Vulnerability in SIMATIC S7-1200 CPU and SIMATICS7-1500 CPU.

Remark: SIEMENS SCADA software family consists of three main pillars, WinCC Pro, WinCC 7 and WinCC … WinCC Pro is popular and can be used in any – discrete or process.

Reference: https://cert-portal.siemens.com/productcert/pdf/ssa-584286.pdf

What is your opinion on the headlines of the New York Times? Do you think this is a conspiracy?

Looking back – The Russia hacked the US electric grid. DHS and FBI are characterizing it as a Russian attack, noting that this was a multiyear campaign started in March 2016 by Russian government “cyber actors.”
The unconfirmed accusation of cyber attack to Russia posted by New York Times. Do you think it was a defensive action by US government?

Headline news https://www.nytimes.com/2019/06/17/world/europe/russia-us-cyberwar-grid.html

Astra Linux features:

– Compatibility with the Komrad SIEM system
– FSTEC certificates of the Russian Federation and FSB of the Russian Federation on Astra Linux of SE (release Smolensk)
– Compatibility with the Simatic IPC427D workstation
– Compatibility with Videoselektor
– Minobona’s certificate of the Russian Federation and FSB on Astra Linux of SE (release Leningrad)
– Compatibility with Mellanox Spectrum
– Compatibility with TerraLink xDE
– Tests of BLOK computers running SE 1.6 Astra Linux OS
– Availability of an official mirror of a repository of Astra Linux OS on mirrors.kernel.org
– Compatibility with JaCarta
– Compatibility with CryptoPro CSP on Elbrus and Baikal processors
– Compatibility with Linter DBMS

It will jeopardizing 400,000 Linux system in the world – Exim Releases Security Patches (alert issued in Jun 2019)

Preface: Exim is growing in popularity because it is open source.

Background:It’s the default mail transport agent installed on some Linux systems.It contain feature likes:
Lookups in LDAP servers, MySQL and PostgreSQL databases, and NIS or NIS+ services.

Vulnerability details: The vulnerability was patched in Exim 4.92, released on February 10, 2019. The vulnerable code is in “deliver_message()”. A vulnerability exists because the email address in the deliver_message() function in /src/deliver.c is not fully validated. So local attackers simply send emails to “${run{…}}@localhost”. Since “localhost” is a local domain of Exim) and execute as root (system privileges).

Remark: Deliver_drop_privilege is set to false by default.

Attack synopsis: If the “verify = recipient” ACL is manually deleted then remote attack will be occurred. Attacker can reuse our local-exploitation method with an RCPT TO “xxx+${run{…}} @ localhost”. Where “xxx” is the name of the local user .

For official details, please click on the link – https://www.exim.org/static/doc/security/CVE-2019-10149.txt

Did you have trouble accessing internet on Sat (8th Jun 2019 GMT+8)

Synopsis: The users were temporarily unable to reach adjacent countries internet web sites for short period of time (less than 1 – 3 minutes) due to an issue of Internet BGP backbone.

Description: On Sat, I was surprise that some internet web site looks unstable. It is not only happens on a single web site.

What do you think about or do you aware?
There are likely to be similar problems that you can find below:

  1. The ABC ISP (AS __xx) configured a static route 66.220.144.0/24 pointing to null in order to block Facebook access for ABC ISP customers. However, the ISP started to announce the prefix 66.220.144.0/20 towards its upstream provider CDEF (AS xxxx) that propagated the announcement to its peers. Meanwhile Facebook (AS32934) that had been announcing prefix 66.220.144.0/20 so far, started to fight back. Facebook began to announce more specific prefix 66.220.144.0/24. They kept announcing 66.220.145.0/24, however the service would still not be available for a large part of Facebook users. Those were the users whose traffic took a path towards ABC ISP (AS__xx), thus it could not reach Facebook. The traffic was being backhauled by a static route configured on ABC (AS__xx) edge router.
  2. Bogus AS Path

As of May 9, 2019, even “Virustotal” did not have his record! where is he from?

Preface: The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) have identified a malware variant— so called ELECTRICFISH.

Technical details: The malware implements a custom protocol like “Tor browser”. The aim to allows traffic by-pass defense mechanism in between source and a destination Internet Protocol (IP) address. The malware continuously attempts to reach out to the source and the designation system, which allows either side to initiate a funneling session.

Comment: Seems malware designer aware that their operation will be terminated by malware detector especially company which installed “FireEye”. The successful factor of the infection all depends on thier infection path. May be it is a phishing, or hide himself in a 3rd party software drivers. From technical point of view, their activities is not easy discovered by antivirus program once malware successful install. But it is rare that even “Virustotal” do not have their information till now.

Headline News via following link : https://www.washingtonexaminer.com/news/us-government-unveils-new-north-korean-hacking-tool-as-tensions-continue-to-rise

2nd May 2019 – Don’t let you SAP facility become a cyber attack target

Preface: Heard that estimated total of 1,000,000 SAP production systems could currently be at risk of being hacked.

Technical details:
When you configure sap router (saprouter) to allow remote (from the Internet) connections via the SAP GUI. The original design will add entries to the route tables for TCP port 3300, 3301, and 3303 the external application they are using (a gateway connection on these ports).

Default TCP gateway port exploit by hacker:
Since a default pathway built, so the hacker might have a channel to compromise the system. For example, send the malicious code try to conduct remote code execution. As a matter of fact, a proof of concept shown that SAP backend response with malicious code.

Remedy: If you outsource your cyber security watch guard responsibility to managed security services provider. They will create the yara rules to deny such malicious activities.
If not, you are require to create yara rules by yourself on IDS system. For more details, please refer to diagram.

Docker Hub hack! 25th Apri, 2019

Preface: Docker Hub hack exposed data of 190,000 users

Incident details: On Thursday, 25th April, 2019 Docker Hub discovered unauthorized access to a single Hub database storing a subset of non-financial user data.

Impact: Data breach includes usernames and hashed passwords for a small percentage of these users, as well as Github and Bitbucket tokens for Docker autobuilds.

Doubt: Since Docker provides mirror service for Docker users especially Greater China area. Is there any problem found in this place?

Headline News: https://www.zdnet.com/article/docker-hub-hack-exposed-data-of-190000-users/

Client negligence (misconfiguration), AWS reputation suffer! 3rd Apr 2019

Preface: 540 Million Facebook Records Leaked

Who bare the responsibility? Misconfiguration

Headline News: Hundreds of millions of Facebook records exposed on Amazon S3 cloud!
See the link below for details:
https://www.forbes.com/sites/kateoflahertyuk/2019/04/03/facebook-exposes-540-million-user-records-what-you-need-to-know/#35a8f7043fd7

Observation: The incident shown that it is not difficult to keep track our web activities. A webhook (HTTP push API) is a way for an app to provide other applications with real-time information. As a result, what you are doing is that what thrid party get!
I believe that all related informations over there will be found on Dark Web?

Why APT attack changing their shape?

Preface: We known so far that APT attack aim to lockdown specify attack target. The target will be specifics government regime and the their revenue. This is the modern way not require engage the traditional war.

Synopsis: APT attack lure people attention is that they form a structure attack and exploit with malware attacking major public facilities. For instance, Nuclear power station, water supply and Gas system. No matter it is a Botnet DDoS or implant malware conducting sabotage activities. It is a time consuming action. Perhaps above action didn’t fully exploit metamorphic definition. On my seen that a new generation of attack mechanism will be frequently exploit by APT group in future. The design will be similar LockerGoga Ransomware.

LockerGoga Ransomware:
Expert found that LockerGoga does not have any self-propagation mechanisms (needs to be manually deployed). But later on found that it relies SMB protocol (manually copy files from computer to computer). They are jeopardizing in supply chain industry now. But I believe that it the a pilot run now.

For more details, please refer url below: https://www.jdsupra.com/legalnews/lockergoga-ransomware-hits-manufacturer-94292/

Specifications: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom.win32.lockergoga.aa

Headline News: ASUS Live Update software encounter Advanced Persistent Threat (APT) groups implant backdoor – 26th Mar 2019

Preface (Attack roadmap): Asus Live Update software installed on laptops and PCs encounter cyber attack in between June and November 2018. Hacker implant a backdoor into the live update software!

Observation: ASUS, it configures the network using dynamic host configuration protocol and then makes a plain HTTP request to a remote server to check if a newer version of the UEFI BIOS firmware is available than the version currently running in the system. Thus, there’s no SSL protection nor verification that it’s actually talking to the correct remote server.

Official announcement: ASUS response to the recent media reports regarding ASUS Live Update tool attack by Advanced Persistent Threat (APT) groups (below URL for reference): https://www.asus.com/News/hqfgVUyZ6uyAyJe1