Category Archives: cyber security incident news highlight

City Union Bank in India victim of cyber hack through SWIFT system – Reuters Headline News (19th Feb 2018)

Sounds horrible!

A heist occurred from SWIFT payment system again? Chief Executive Officer N. Kamakodi called it a “conspiracy” involving multiple countries, and added the lender was still investigating how it had happened. But the statement seems not precise to describe.

A fundamental design limitation on original MT 202 message. Perhaps MT 202 COV doing the compensated control. However MT 202 still valid and not end of life yet. A hints input of technical concerns shown on attach picture see whether this is root causes of this incident.

Quote:

When to use the MT 202 COV?

It must only be used to order the movement of funds related to an underlying customer credit transfer that was sent with the cover method.

The MT 202 COV must not be used for any other interbank transfer.

MT 202 design weakness lure financial crime

i. Suspicious activity monitoring on the underlying originator and beneficiary in the message would not be performed.

ii. The originating bank could be in a jurisdiction with different sanction watch lists and the technical capabilities of each bank’s sanction screening program could vary.

City Union Bank in India victim of cyber hack through SWIFT system (19th Feb 2018) – See following URL (Reuters Headline News) for reference.

https://www.reuters.com/article/us-city-union-bank-swift/indias-city-union-bank-ceo-says-suffered-cyber-hack-via-swift-system-idUSKCN1G20AF?feedType=RSS&feedName=technologyNews

Special Edition – HIDDEN COBRA – Malicious Cyber Activity

Special Edition: Information security focus

US Homeland security (DHS) urge the world to staying alert with HIDDEN COBRA Malicious Cyber Activity. It looks that the cyber attack wreak havoc to the world. And therefore DHS suggest to add below Yara rule into your IDS or malware detector (For instance RSA ECAT).

The following YARA rule may be used to detect the proxy tools:

rule NK_SSL_PROXY{
meta:
Author = "US-CERT Code Analysis Team"
Date = "2018/01/09"
MD5_1 = "C6F78AD187C365D117CACBEE140F6230"
MD5_2 = "C01DC42F65ACAF1C917C0CC29BA63ADC"
Info= "Detects NK SSL PROXY"
strings:
$s0 = {8B4C24088A140880F24780C228881408403BC67CEF5E}
$s1 = {568B74240C33C085F67E158B4C24088A140880EA2880F247881408403BC67CEF5E}
$s2 = {4775401F713435747975366867766869375E2524736466}
$s3 = {67686667686A75797566676467667472}
$s4 = {6D2A5E265E676866676534776572}
$s5 = {3171617A5853444332337765}
$s6 = "ghfghjuyufgdgftr"
$s7 = "q45tyu6hgvhi7^%$sdf"
$s8 = "m*^&^ghfge4wer"
condition:
($s0 and $s1 and $s2 and $s3 and $s4 and $s5) or ($s6 and $s7 and $s8)
}

There are total 2 items of malware would like to draw your considerations.

  • Trojan: HARDRAIN (Backdoor – Remote Access Tool)
  • Trojan: BADCALL (data thief and surveillance)

In order to avoid unforeseen data breach happens to enterprise firm and personal data privacy protection. We better to consider the suggestion by DHS.

  • Maintain up-to-date antivirus signatures and engines.
  • Restrict users’ ability (permissions) to run unwanted software applications
  • Enforce a strong password policy and
  • implement regular password changes.
  • Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
  • Keep operating system patches up-to-date.
  • Enable a personal firewall on agency workstations.
  • Disable unnecessary services on agency workstations and servers.
  • Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
  • Monitor users’ web browsing habits; restrict access to sites with unfavorable content.
  • Exercise caution when using removable media (e.g.,
  • USB thumbdrives, external drives, CDs, etc.).
  • Scan all software downloaded from the Internet prior to executing.
  • Maintain situational awareness of the latest threats; implement appropriate ACLs.

Threat actor transform Vehicle GSM GPRS GPS Tracker Car Vehicle Tracking Locator technology

Since the mobile phone usage volume bigger than personal computer today. Perhaps digital e-wallet function and BYOD concept let people keep their confidential data on mobile phone. And therefore it lure the hacker focusing the mobile phone device especially Android. This round hacker relies on GRPS TCP/UDP connection (see below diagram for reference) create Trojan (BADCALL) to listen for incoming connections to a compromised Android device, on port 60000. Meanwhile it awaken the security concern on GPRS gateway.

Since this is a special edition of article so we summarize the technical details as below:

Trojan: HARDRAIN

  • 32-bit Windows executables that function as Proxy servers and implement a “Fake TLS” infiltration function. The hash shown as below:

3dae0dc356c2b217a452b477c4b1db06 (3DAE0DC356C2B217A452B477C4B1DB06)

746cfecfd348b0751ce36c8f504d2c76 (746CFECFD348B0751CE36C8F504D2C76)

  • Executable Linkable Format (ELF) file designed to run on Android platforms as a fully functioning Remote Access Tool (RAT). The hash shown as below:

9ce9a0b3876aacbf0e8023c97fd0a21d (9CE9A0B3876AACBF0E8023C97FD0A21D)

DHS report for reference:

https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-F.pdf

Trojan: BADCALL (data thief and surveillance)

  • 32-bit Windows executables that function as Proxy servers and implement a “Fake TLS” infiltration function. The hash shown as below:

c01dc42f65acaf1c917c0cc29ba63adc (C01DC42F65ACAF1C917C0CC29BA63ADC)

c6f78ad187c365d117cacbee140f6230 (C6F78AD187C365D117CACBEE140F6230)

  • run on Android platforms as a fully functioning Remote Access Tool (RAT). The hash shown as below:

d93b6a5c04d392fc8ed30375be17beb4 (D93B6A5C04D392FC8ED30375BE17BEB4)

DHS report for reference:

https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-G.PDF

End discussion, thak you for your attention.

Happy valentines day.

My imagination – New way of money laundry evade regulations

We heard turmedous crypto currency heist this year (see below). Do you  think is it a trick? Let’s think it over. The refund of the fees after heist is a grey area of regulator custodian.Since the money is a new sources far away from criminal activities revenue.How to using legal regulation forfeiting their money.Let’s think it over. How to dick out the money on a secure platform. Is it luck or counterfeit message with phishing technique. I believe that this is a old technique. How to evade the legal enforcement proceed legal action to forfeiting their money. End of Jan 2018 – Coincheck $530 million cryptocurrency heist may be biggest ever 2nd week of Feb 2018 – BitGrail Cryptocurrency Exchange Becomes Insolvent After Losing $170 Million.

Feb 2018 – BitGrail Cryptocurrency Exchange Becomes Insolvent After Losing $170 Million:

https://www.youtube.com/watch?v=Sb2_ZBcS7NE

Jan 2018 – Coincheck heist discussion:

Doubt – $530 million cryptocurrency heist

CVE-2018-4878 against South Korean Targets. See whether is it true?

In July 2017, Adobe announced that it would end support for Flash Player in 2020, and continued to encourage the use of open HTML5 standards in place of Flash. The announcement was coordinated with Apple, Facebook,Google,Microsoft,and Mozilla. If you would like to know what is the flash vulnerability actual destructive power. Let review the suggestion by Antivirus big brother Kaspersky (Jul 2017). Kaspersky recommends disabling Flash Player, in order to stay protected. Perhaps you may not have interest to read below url. But on-line games and on-line casino still requires Adobe Flash in the moment. We all known South Korea is the leader in the gaming section. And therefore The South Korean Computer Emergency Response Team (KR-CERT) has issued a security alert warning of a zero-day vulnerability affecting Adobe’s Flash Player.

CVE-2018-4878

https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/north-korean-hackers-allegedly-exploit-adobe-flash-player-vulnerability-cve-2018-4878-against-south-korean-targets

Be aware of RTMFP protocol

The silent of the Flash, Be aware of RTMFP protocol! He can exacerbate network attacks.

Let keep our eye open , see whether such vulnerability will be occurs this year. If this nightmare come true. A unforeseen destruction of the reputation to the company includes vendor and customer!

Doubt – $530 million cryptocurrency heist

As we know the most common cryptocurrencies are Bitcoin, Ethereum,Ethereum Classic, Monero, Litecoin, OmiseGO, Ripple & Zcash. Fundamentally NEM Smart Asset System more secure than bitcoin. The NEM Blockchain utilizes a Proof-of-Importance calculation (rather than Bitcoin’s Proof-of-Work or PIVX’s Proof-of-Stake) to accomplish accord through a procedure that boosts dynamic support in the system. NEM is a peer-to-peercryptocurrency and blockchain platform launched on March 31, 2015. But the value of each coin is underestimation. Why hacker target to NEM. Do you think hacker willing to engage hacking in difficult way ?

Information update on 29th Jan 2018 – CNN claimed that this cryptocurrency heist is the biggest amount. Such huge value of financial lost wasn’t happened before! See below url for reference.

http://money.cnn.com/2018/01/29/technology/coincheck-cryptocurrency-exchange-hack-japan/index.html

Another reference:

My speculation – How’s coincheck loses ¥58 billion dollars value of cryptocurrency

Staying alert with CSRF and XSS vulnerabilities

Perhaps there are a lot of vulnerabilities sometimes will be ignored. Why? For instance cross-site scripting will be occurred on client or server side. If there is a cross-site scripting (XSS) vulnerability in the web application, it is not possible to prevent CSRF (cross site request forgery) since the cross site scripting will allow the attacker to grab the token and include the token with a forged request. However cross-site scripting (XSS) and CSRF are only the medium risk rating vulnerability in app scan definitions. As a result it couldn’t draw the software developers attention. OnePlus Confirms Credit Card Breach Impacted Up to 40,000 Customers. A security expert found that Oneplus exploiting Magento eCommerce platform. Magento found XSS and CSRF vulnerabilities last year on May 2017. The patch released on Sep 2017. Do you think XSS and CSRF are the culprit  of this credit card data breach incident? For more details about OnePlus credit card data breach incident status update. Please refer below url for reference.

OnePlus Confirms Credit Card Breach Impacted Up to 40,000 Customers

Remark: Magento is an open source platform that provides merchants with control over their online stores and a shopping cart system, as well as tools to improve the visibility and management of the shop.

CPU vulnerability remediation status update – especially Spectre

Intel has a quartet of lawsuits vying for the attention of its lawyers. Heard that AMD might have lawsuits. However so called install the remediation CPU patch looks amazed the windows OS user. I am using window 7 instead of windows 10. Perhaps I just did the windows update this morning. It behind my seen that CPU vulnerability still valid on my PC. The cache-misses as compared to missed-branches data collected from Spectre is possible on my PC (see attached screen-shot for reference). As far as I know, spectre vulnerability not easy to mitigate. Did you aware of your IT appliances (WAN accelerator, IDS, firewall, malware detector and SIEM system. Those devices did not install updated CPU unit. It looks there will be more difficulties to mitigate the CPU design flaw. Friendly speaking, do you want to know how does hacker exploit this flaw for their benefits? Time will tell.

For more details about AMD Gets Hit With Two Class Action Lawsuits For Spectre Vulnerabilities, Intel Hit With Four For Meltdown & Spectre. Please refer to below url for reference.

https://wccftech.com/amd-class-action-law-suits-for-spectre-vulnerabilities-intel-four-meltdown/

 

The hunt for red october – Nautilus and Neuron by Turla Group

The ncsc.gov.uk advisory urge UK citizen and business enterprise staying alert for Turla group malware. The similar of alert announced 2 months ago. Per alert subject provided by NCSC the malware changed it shape already. But the attack target remain unchanged, the malware target Microsoft products especially Exchange mail server and IIS web server. Perhaps this incident contains the similarity of APT attack. As said I can’t predict who is the perpetrator.  Let’s me echo my observation which posted 2 months ago.  The most famous tools (rootkit) “snake” was designed by this group. Since “snake” implemented few years. Therefore a new tools (Nautilus and Neuron) has been deployed to replacing the “snake” position. Meanwhile the target will be focus on both client (endpoint) and server. Read the technical articles is a burden to IT guy since many cyber attacks in frequent. The quick and dirty way to provide a shortest path to IT guy is a key term. What to do, right. Yes, below free of charge scan tool provided by Microsoft will help you in this regard (refer below url for reference).

https://www.microsoft.com/en-us/wdsi/products/scanner

Should you have interest of this incident. Please find the details in below url:

https://www.ncsc.gov.uk/alerts/turla-group-malware

The “retpoline” x86 mitigation technique for variant # 2

We heard that vendor recommend install the patch into your server, workstation and notebook within this month. In regards to meltdown and Spectre technical white paper. We known the design weakness are divided into 3 parts. This variant 2 – branch target injection flaw might the easy one to resolve in comparing the remains 2 items of vulnerabilities. That is Bounds check bypass and Rogue data cache load, memory access permission check performed after kernel memory read. Retpoline as a mitigation strategy which control indirect branches for returns, to avoid using predictions which come from the BTB (Branch Target Buffer). But Spectre vulnerability contained bounds check bypass vulnerability. In reality, security researchers comments that the vulnerabilities are difficult to exploit in practice. Perhaps big team might spend resources to re-engineering this flaw in future then transform as a APT attack tool. Since hacker is silent at this moment. At least no one exploit those vulnerability.However US Democratic looks with interest of this incident.

U.S. lawmaker asks Intel, others for briefing on chip flaws (see url below):

https://www.cnbc.com/2018/01/16/rep-jerry-mcnerney-probes-intel-arm-and-amd-on-spectre-and-meltdown.html

A replay attack capable detected by Microsoft event ID

Perhaps Meltdown and Spectre CPU design weakness headache the IT guy this month. Sounds like the overall environment covered with mist! But the sunrise will be raised finally to get rid the dark. Can you remember that replay attack on WPA2 Wifi network last year? You did OS version upgrade and change the authentication method because of this incident. No matter hardware and software, the IT product life cycle is short today. In the meantime, Microsoft can help you to do the detection of this attack if your Wi-Fi network authentication integrate with Active Directory. You are able to verify the details on event viewer or make use of your SIEM Dashboard to review the details.  For more details, please see below url provided by Microsoft for reference.

4649(S): A replay attack was detected:

https://docs.microsoft.com/en-us/windows/device-security/auditing/event-4649