Category Archives: cyber security incident news highlight

Client negligence (misconfiguration), AWS reputation suffer! 3rd Apr 2019

Preface: 540 Million Facebook Records Leaked

Who bare the responsibility? Misconfiguration

Headline News: Hundreds of millions of Facebook records exposed on Amazon S3 cloud!
See the link below for details:
https://www.forbes.com/sites/kateoflahertyuk/2019/04/03/facebook-exposes-540-million-user-records-what-you-need-to-know/#35a8f7043fd7

Observation: The incident shown that it is not difficult to keep track our web activities. A webhook (HTTP push API) is a way for an app to provide other applications with real-time information. As a result, what you are doing is that what thrid party get!
I believe that all related informations over there will be found on Dark Web?

Why APT attack changing their shape?

Preface: We known so far that APT attack aim to lockdown specify attack target. The target will be specifics government regime and the their revenue. This is the modern way not require engage the traditional war.

Synopsis: APT attack lure people attention is that they form a structure attack and exploit with malware attacking major public facilities. For instance, Nuclear power station, water supply and Gas system. No matter it is a Botnet DDoS or implant malware conducting sabotage activities. It is a time consuming action. Perhaps above action didn’t fully exploit metamorphic definition. On my seen that a new generation of attack mechanism will be frequently exploit by APT group in future. The design will be similar LockerGoga Ransomware.

LockerGoga Ransomware:
Expert found that LockerGoga does not have any self-propagation mechanisms (needs to be manually deployed). But later on found that it relies SMB protocol (manually copy files from computer to computer). They are jeopardizing in supply chain industry now. But I believe that it the a pilot run now.

For more details, please refer url below: https://www.jdsupra.com/legalnews/lockergoga-ransomware-hits-manufacturer-94292/

Specifications: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom.win32.lockergoga.aa

Headline News: ASUS Live Update software encounter Advanced Persistent Threat (APT) groups implant backdoor – 26th Mar 2019

Preface (Attack roadmap): Asus Live Update software installed on laptops and PCs encounter cyber attack in between June and November 2018. Hacker implant a backdoor into the live update software!

Observation: ASUS, it configures the network using dynamic host configuration protocol and then makes a plain HTTP request to a remote server to check if a newer version of the UEFI BIOS firmware is available than the version currently running in the system. Thus, there’s no SSL protection nor verification that it’s actually talking to the correct remote server.

Official announcement: ASUS response to the recent media reports regarding ASUS Live Update tool attack by Advanced Persistent Threat (APT) groups (below URL for reference): https://www.asus.com/News/hqfgVUyZ6uyAyJe1

Citrix Internal Network Hacked – Press release on Mar 2019

Preface: Citrix Systems, Inc. is an American multinational software company that provides server, application and desktop virtualization, networking, software as a service (SaaS), and cloud computing technologies.

About data breach occurred on Dec 2018:
Citrix says that the late 2018 attack appears to be distinct from the likely password-spraying attack that was the focus of the FBI’s Wednesday warning to the technology firm.

Doubt? Believe that enterprise firm should have SIEM deployment. If SIEM has in placed, could it be something wrong of their correlation rules? Or there is another reasons behind?

What do you think?

Headline news: https://www.zdnet.com/article/citrix-discloses-security-breach-of-internal-network/

Moody’s point of view – cyber attack

Preface:
For companies that are experiencing cyber attacks. Moody said it has the potential to weaken its credit profile.

Analytic result by Moody’s:
About Moody’s findings. Ransomware attack against FedEx and Merck & Co in 2017. The total financial impact of all affected entities reached $10 billion.

Question: Does Moody’s rating only focus on financial losses?

Answer: The key factors for Moody’s do the analysis is based on the following ideas.
To develop a framework for understanding inherent cyber risk at the sector level, Moody’s focuses on the following:
1) vulnerability to the type of attack or event to which entities in a given sector are exposed.
2) potential impact of cyber events via disruption of critical businesses processes or negative reputational effects that lead to a loss of revenue as a result of customer attrition.

For more details on above, please refer below url: https://www.moodys.com/research/Moodys-Credit-implications-of-cyberattacks-will-hinge-on-long-term–PBC_1161216

UK-based Metro Bank has suffered an SS7 attack – Jan 2019

Preface: The phrase “old wine in new bottles”! Cyber security world has similar things all the time!

About SS7 design weakness:

Business impact: A U.K. bank says no customers lost money after cyber attackers attempted account takeovers by rerouting one-time passcodes, Motherboard reports. The National Cyber Security Centre (NCSC) also confirmed.
Such attacks involve tampering with Signaling System #7, the protocol used to route mobile phone calls worldwide.

Security advice: A one-time passcode may be sent over SMS, but the safer way is to use an authenticator app,
such as Authy, Cisco’s Duo or Google Authenticator, to generate the code.

Reference: https://motherboard.vice.com/en_us/article/mbzvxv/criminals-hackers-ss7-uk-banks-metro-bank

Marvell Avastar wireless SoCs have multiple vulnerabilities – 5th Feb 2019

Preface: The Marvell 88W8897A SoC (System on a Chip) is the industry’s first 802.11ac chip to combine Bluetooth 4.2, mobile MIMO (Multi-input Multi-output), transmit beamforming, and with built-in support for all screen projection technologies.

Technology Background:
Computer design primary focus on memory usage. Even though without an exception in SoC (System on a Chip) design.

Vulnerability found: During Wi-Fi network scans, an overflow condition can be triggered, overwriting certain block pool data structures.

Exploitation of vulnerability: Attacker can exploit ThreadX block pool overflow vulnerability to intercept network traffic or achieve code execution on the host system.

Remedy: Marvell encourages customer to contact their Marvell representative for additional support.

Remark: This vulnerability was post on headline news on mid of January 2019. However we could not found any positive responses announce by vendor.

CISA Releases Blog on Emergency Directive: January 24, 2019

Preface: Cyber security experts predict that global DNS hijacking activities are underway. However, it is not certain who is the attacker (the cyber attack group), FireEye said on January 9, 2019.

Background information:
This cybersecurity incident caught the attention of the Network Security and Infrastructure Security Agency (CISA). Whereby, CISA released their first emergency order on January 22, 2019. They urge the world to understand the current situation (global DNS hijacking campaign). At the same time, they released a mitigation solution for mitigating DNS system.
For more details, please see below: https://cyber.dhs.gov/blog/#why-cisa-issued-our-first-emergency-directive

My observation:
While DNS software is specially designed to fulfill one specific role, applications like Bind are incredibly flexible and can be used as hybrid solutions. However there are plenty of vulnerabilities ( high severity of risk) found on Bind system software.Please refer following url for reference:

http://www.antihackingonline.com/potential-risk-of-cve/bind-9-flaw-krb5-subdomain-and-ms-subdomain-update-policy-rules-ineffective/

By the way, your in house SIEM system can fight against cyber crime.

Is this a careless mistake? BlackRock Exposes Confidential Data on Thousands of Advisers on iShares Site!

Preface: Excel spreadsheets are used all the time in high-risk financial data analysis, and sometimes this is a silent way to dig out the data.

BlackRock data leakage synopsis:

Bloomberg found three spreadsheets contains BlackRock’s iShares ETF business confidential information included thousands of financial advisors were given ratings based on how much business they bring BlackRock. For more details, please refer below url:
https://www.bloomberg.com/news/articles/2019-01-19/blackrock-exposes-data-on-thousands-of-advisers-on-ishares-site

Is it a careless mistake?
It is hard to tell. From technical point of view, Blackrock is easy to figure out the problem though their spreadsheet management system.

Prediction:
If it didn’t find related suspicious activity in the spreadsheet management system and security incident event management? What is the next step? Do the dark web research may find out some hints. If the final confirmation is a user negligence. In a nutshell, user negligence shown the design weakness of awareness training program.

Celebration 2019! Coming Soon! But…? The most serious data breach in 2018… So far, do you know where they are?

Preface: The internet contains at least 4.5 billion websites that have been indexed by search engines. But may be more data not shown there?

Technical background – Dark Web Synopsis:
What is dark web? It is the part of the World Wide Web that is only accessible by means of special software, allowing users and website operators to remain anonymous or untraceable.The dark web is a huge marketplace for stolen data and personal information.

Attack surface:

So far, social media companies have often experienced data breaches. However, the healthcare industry is the priority attack target.

Data theft action:Once the company has been hacked. the situation will be as follow

  1. the data will be posted to dark web immediately
  2. if company management not intend to pay for ransom. they will sell the data in dark market.

Expert findings:
Please refer below url for reference: https://www.network-box.com/front_newsletter