Preface: Australia’s government and institutions are being targeted by ongoing sophisticated state-based cyber hacks, Prime Minister Scott Morrison says. Mr Morrison did not name specific cases but said it had spanned “government, industry, political organizations, education, health, essential service providers and operators of other critical infrastructure”. 19th June 2020
Technical details: Long story short. The nick name of this attack ‘Copy-Paste Compromises. It is derived from the cyber attacker heavy use of proof of concept exploit code, web shells and other tools copied almost identically from open source. For more details, please refer below link to download the report.
Attack highlights: Web shells are difficult to detect as they are easily modified by attackers and often employ encryption, encoding, and obfuscation. When a potential web shell is detected, administrators should validate the file’s origin and authenticity.
Recommendation: In normal circumstances, firewall locked down rule (deny any source to any destination) is hard to do the analytic through eyeball. But the attack vector designated to Australia. In order to avoid cyber attack in your firm. So firewall administrator should check their SIEM see whether it can find out the hints. If no such facility installed, Perhaps export the web server log see whether you can find out the attack activities details.
Background: The PPP provides small businesses with forgivable loans of up to $10 million per company (8 weeks of payroll). This program was launched on April 3, 2020; it is a forgivable loan program offered primarily to help businesses deal with the adverse consequences COVID- 19.
Point of view: Cybercrooks have been leveraging malicious macros hidden inside XML files to distribute the Dridex financial malware few years ago. But it was happened on 2015. Form my point of view, the incident happen this time have similarity.
Possibility: We can based on below feature and predict that attacker may relies of this feature design weakness to conduct the attack.
Accessing E-TranE-Tran Options •loan data file transfer in XML format (from a software vendor’s product or from a bank’s proprietary system) to the SBA’s E-Tran database •A Web page where lenders can enter loan information on individual loans
Preface: Once upon a time, without internet. The Black Friday virus through floppy disk infected to your MS-DOS and make a trouble to your personal computer.
Background: New Orleans declared a state of emergency and shut down its computers after a cyber security event. During a press conference on 14th Dec 2019, Mayor Cantrell confirmed that this was a ransomware attack.
Security expert findings: Based on files uploaded to the VirusTotal scanning service, the ransomware attack on the City of New Orleans was likely done by the Ryuk Ransomware threat actors, said cyber security expert.
Personal comment: Ransomware looks horrible! Are you interested in how national supercomputers can defend against cyber attacks, especially ransomware? Have you heard about docker and container technology? May be we do a discussion in coming future.
Preface: Starting from around 2012 the use of ransomware scams has grown internationally.
Background: About 5 days ago, headline news of Bloomberg told that cyber criminals compromised the IT infrastructure for Mexican Petroleum. Meanwhile, hacker hopes to extract nearly $5 million from the company, with a final deadline of 30th November, 2019.
Tremendous incident record: EternalBlue leaked by the Shadow Brokers hacker group on April 14, 2017, one month after Microsoft released patches for the vulnerability. EternalBlue opened the door to one of the nastiest ransomware outbreaks in history, known as WannaCryptor.
Our point of view: Most older NAS devices do not support SMB version 2 or above, even though it can be do a firmware upgrade. But system admin sometimes lack of awareness or running out of labor resources. And therefore remains SMB V1 on the workstation. As a matter of fact, it let the small to medium size enterprise shot by ransomware. Even though manufacturing and petroleum industries you might found SMB v1 still alive in their place. Perhaps this is the story began.
Preface: In fact, of system design weakness, the chances of a hacker getting remote access to systems significantly intensifies.
About Indian nuclear power plant’s network was hacked -They have confirmed its newest nuclear power plant was the victim of a cyber attack, exposing the vulnerability of one of the country’s most critical sectors to cyber espionage, said the government of India.
Current status: As mentioned in the headline news, cyber attack happened in Indian nuclear power plant is unplanned. Perhaps it did not involve any hostile country conspiracy. However we found quite a lot of cyber defense vendor could not detect such malware. In reference to the status shown in VirusTotal on 31st Oct 2019 (Asia time).
Preface: Still remember that when I was work in bank environment. Visa and Master payment solutions looks indeed secure. Those facilities are running in standalone machine. The communication protocol is the IBM SDLC communication. In order to communication with S390 mainframe. We setup data link switch in network switch and define VTAM major nodes on mainframe. Can we say the invention of internet jeopardize the world. Yes, it does.
Incident details: MasterCard said it was investigating a data breach of a loyalty program in Germany. There are about 90000 personal records was steal. Perhaps the actual figure has not been finalize yet! but rumor said that the leaked personal data is selling on darknet now. However, when we manually view the programming source it shown to us there is a lot of weakness on backend server. For instance, the backend system run on vulnerable Apache version. So i am imagine that whether there has possibility let attacker exploit CVE-2017-3167 to bypass the authentication on the front end web server then stolen the data?
Cyber criminal is under arrested. She is accused of breaking into a “Capital One” computer facility and gaining access to 140,000 Social Security numbers, 1 million Canadian Social Insurance numbers and 80,000 bank account numbers.
Security Focus : Cyber criminal is under arrested. She is accused of breaking into a “Capital One” computer facility and gaining access to 140,000 Social Security numbers, 1 million Canadian Social Insurance numbers and 80,000 bank account numbers. Technical guy may known that there is a design limitation occurs on AWS. The metadata service provides temporary credentials. There is no authentication and no authorization to access the service. A mis-configure firewall policy will causes untrusted source establish connection to meta service. For more details, please refer to attach diagram.
Headline News – A hacker gained access to 100 million Capital One credit card applications and accounts
Preface: The IoT will make the Taxi Industry change.The business concept of Uber is the industrial leader. Perhaps their concept and ideas are advanced and therefore cyber security are their major concerns.
Vulnerability details: Palo Alto Networks PAN-SA-2019-0020 (CVE-2019-1579): Remote Code Execution vulnerability in GlobalProtect Portal/Gateway Interface, especially on SSL Web VPN Applications. Vendor do a preventive action, a survey will be conducted all Palo Alto SSL VPN over the world. See whether is any large corporations using the vulnerable GlobalProtect, and Uber is one of them!
From our survey, Uber owns about 22 servers running the GlobalProtect around the world. For instance – vpn.awscorp.uberinternal.com.
Remark: Uber announce that the vulnerable SSL VPN solution was not the primary VPN in use by the majority of staff members. Their VPN gateway was hosted in AWS rather than embedded within core infrastructure and so the potential impacted will be in low risk.
Our comment: The vendor did not provide the vulnerability details. But do you think that attached infographic details may trigger similar attacks?
Remedy: Available Updates – PAN-OS 7.1.19 and later, PAN-OS 8.0.12 and later, and PAN-OS 8.1.3 and later releases.
Preface: If victim is not negligence. Can we give an excuse to him?
Company background: Orvibo, a Chinese smart home solutions provider.
Story begin: A technical report shown to the world that Orvibo (ElasticSearch cluster) leaked more than two billion user logs containing sensitive data of customers from countries all over the world. Does the admin using easy to guess password or………
Impact: Diminished reputation of the company only. Perhaps more, GDPR penalty, phishing scam,..etc. Most likely customer do not aware and let the attacker hunt the victim easier because criminal will counterfeit their personal information.
If you are aware your personal information has been stolen by above incident. What should You do?
Since hacker know your personal details and therefore they will using your information to conducting criminal activities on other public media. Our suggestion is that changing your password and update the virus signature or OS patching are not enough. You must observer your mail box whether scam mail activities is growth rapidly after this incident. If result shown positive, you must contact your email service provider and looking for their recommendations.
Preface: The NCSC is investigating current Ryuk ransomware campaigns targeting organisations globally, including in the UK. In some cases, Emotet and Trickbot infections have also been identified on networks targeted by Ryuk.
Technical details: Ryuk was first seen in August 2018. The Ryuk ransomware is often not observed until a period of time after the initial infection – ranging from days to months.Ryuk ransomware linked to Emotet and Trickbot banking trojans. – The objective of Emotet conduct as a dropper feature in order to delivery for other Trojans. – Trickbot aim to browser as a attack target, the aim to do manipulation techniques to facilitate data theft. The structure of the encrypted file is identical to the structure used in Hermes Ransomware, including the distinctive HERMES token that this malware uses to identify files that it has already encrypted.
Remark: Cyber Criminals distributing Hermes Ransomware via dangerous malspam that contains Weaponized Password protected Word documents to encrypt the system files and lock the victim’s computer.
The pre-operation of Ryuk ransomware on infected computers: