Category Archives: 2017

Believe it or not? Homeland security twin brother!

Chinese people mantra, your face may similar to other people. This theory also apply to everything. I agree and believe the US government homeland security web site are unique. Believe it or not , the web site naming convention and contents looks similar to homeland security. However the web site not protected by Akamai network . They do not belongs to US government. To be honest, it make you confused! URL shown as below:

http://www.homelandsecurity.com

The picture diagram can provides the details to you for reference.

The Force Awakens – but it is Apache struts vulnerability!

Apache struts seems a instigator on Equifax data breach incident. An announced by US Homeland security this week to urge IT guy staying alert on New found Apache Struts vulnerability again (see below URL). My comments on this vulnerability is that it expand the attack space or vector . Why? Are you familiar with REST client. It reproduce a new playground for hacker since it is allow to start the attack to Apache Strust product on mobile phone.  We noticed that Cisco products are also the Struts users (see below)

Vulnerability detail (see below):

https://tools.cisco.com/security/center/viewAlert.x?alertId=56116&vs_f=Alert%20RSS&vs_cat=Security%20Intelligence&vs_type=RSS&vs_p=Apache%20Struts%20REST%20Plugin%20JSON%20Library%20Denial%20of%20Service%20Vulnerability&vs_k=1

Cisco products are also the Struts users (see below)

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170909-struts2-rce

Would you mind someone sharing your CPU power during your site visit?

Sharing your power to do the bitcoin mining not a news. Seems the storm spread to Hong Kong. The unknown program implant to the web server which share your CPU resources during your site visit. It looks such method wreak havoc! But the threat occurs in children products web portal. Why? More than 90% of people feeling that hacker will not be interested of this industry. But sharing your CPU power might operating in silent mode, right? Are you the victim of this attack? A simple and easy step to figure out the issue.You open your windows task manager. Then check your CPU resources utilization before and after close the specific web browser function.You will be figure out what is going on? Headline News details shown as follow:

Chinese language Newspaper article

https://hk.news.appledaily.com/local/daily/article/20171203/20233090

Another former discussion subject : Become a witness of new generation of financial age.For more details, please refer following url:

Become a witness of new generation of financial age. But be careful of hack.

 

Nautilus & Neuron

The hostile country collect the government confidential information and business economic details not similar 70’s. A group of people so called spy infiltrated to foreign country. It reduces the overall injury. The conceptual idea of malware implement to computer world equivalent the task of spy. National cyber security center urge the IT admin around the world staying alert to current suspicious network activities issued by Turla Group. Read few technical articles, the overall comments is that they are support by country. The most famous tools (rootkit) “snake” was designed by this group. Since “snake” implemented few years. Therefore a new tools (Nautilus and Neuron) has been deployed to replacing the “snake” position. The new tools primary focusing on two microsoft products (Exchange and IIS server). However the target will be focus on both client (endpoint) and server. Read the technical articles is a burden to IT guy since many cyber attacks in frequent. The quick and dirty way to provide a shortest path to IT guy is a key term. What to do, right. Yes, below free of charge scan tool provided by Microsoft will help you in this regard (refer below url for reference). 

https://www.microsoft.com/en-us/wdsi/products/scanner

NECURS BOTNET – Alert

Heard that NECURS BOTNET activities growth rapidly.Their major goal is deliver ransomware through email spam or email scam. A announcement broadcast by SANS on 1st Nov 2017 alert that Necurs Botnet malspam pushes Locky using DDE attack. Necurs bot relies on MSword document embedded malware compromise your machine. For instance a Word document embedded objects that call Powershell to compromise your machine. Apart from that they will make use of DDE. NEcurus botnet has a brilliant history. Since his design feature can protect itself to bypass the current detection mechanism. Even through DNS protection is a popular defense mechanism today. But he is not afraid. His program design looks like a assembly so it enhance his infection feature. Should you have interest to know more details, the attach picture can tell. For more details about the status update. Please refer below url for reference.

https://threatpost.com/necurs-based-dde-attacks-now-spreading-locky-ransomware/128554/

There are more windows OS components did not included ASLR protection feature

Seems heard a vulnerability occurs on microsoft product did not trigger your interest. The easy way for IT guy to mitigate the risk is conduct a patch update. But CVE-2017-11882 heads up the world that there are more windows OS components did not included ASLR protection feature. May be you could say Microsoft product do not relies on ASLR since they has Data Execution Prevention (DEP). We known Data Execution Prevention (DEP) is a system-level memory protection feature. However a practical example of CVE-2017-11882 occured on Microsoft office product could compromised your machine. Hacker more focus to dig out vulnerability on word processing product since human relies on electronic documentation daily.  Microsoft release the patch to mitigate this risk (see below). But a reminder to the world there are more MS components do not enable randomizes address function. Yes, no randomizes address function will be benefits to hacker. Which industry on demand to use MS equation editor function. Scientist, high tech industry especially military and nuclear power facilities management.

https://portal.msrc.microsoft.com/en-US/security-guidance

Windows Junction Points looks like malware helper – AvGator

A tremendous news exposed that malware relies on Microsoft design limitation (Windows Junction Points) recovered itself after quarantine. A related flaw found on following antivirus vendor. They areTrend Micro, Emsisoft, Kaspersky Lab, Malwarebytes, Check Point and Ikarus Security Software. Now vendors released patches for affected products.

Do you still remember that American government Allegation Kaspersky that a spy tool embedded in their product. My personal opinion is that Kapersky is the victim of this allegation.However do you think this is part of the spy method? What is the name of this attack. His name is AVGater. For more details, please refer below url:

https://forum.kaspersky.com/index.php?/topic/382512-exploit-avgater/

Doubt? See whether similar problem will be happen in future?

Heard that in Infineon chip set has vulnerability occurs. Since security expert found the vulnerability in new German national ID card since 2010. However a technical article (ZdNet) report last week that a chip crypto flaws vulnerability occured in Spain ID card. Per announcement by NIST, this vulnerability file to CVE database (CVE-2017-15361). A security vulnerability was found in the implementation of RSA keypair generation in a cryptographic library used in a wide range of cryptographic chips produced by Infineon Technologies AG. The product is also integrated in authentication, signature and encryption tokens of other vendors and chips used for Trusted Boot of operating systems. The vulnerability is present in NIST FIPS 140-2 and CC EAL 5+ certified devices since at least the year 2012. Any doubts? For more details about this vulnerability. Please see below url for reference.

https://nvd.nist.gov/vuln/detail/CVE-2017-15361

Reference: Hong Kong Government to Use Infineon’s Chip Card Technology in Smart Identification Card Project – announcement June 2002 (see below url for reference)

https://www.infineon.com/cms/en/about-infineon/press/market-news/2002/129155.html

To usher the wolf into the S3 Cloud

CNN interview a research Friday (17th Nov 2017) in discussion of US government Pentagon exposed huge amounts of web-monitoring data in a security failure which given by Amazon S3 buckets. I was wondering the similar data breaches not only happened in Pentagon. As far as we know ,a consulting firm found data breach few month ago on S3 bucket. But the scalability of Amazon Cloud are huge. How does bad guy or people who carry with interest find out the details? It looks that the culprit is Amazon itself. A useful tool open to public so called (ip-ranges.json). You relies on this tool can locate the IP address range of Amazon S3 bucket. Since IP address and service package expose to public. It such away increasing the attack surface. Should you have interest of CNN news. Please refer to below url for reference. Reminded that CNN did not provide those json script.Maybe you dig out the hints of my picture.

http://money.cnn.com/2017/11/17/technology/centcom-data-exposed/index.html

Oct 2017 – Accenture Latest Company To Leave Critical Data Exposed On Amazon Web Services Server(see below url):

http://www.crn.com/news/security/300093646/accenture-latest-company-to-leave-critical-data-exposed-on-amazon-web-services-server.htm

Updated on November 28, 2017 – Top Secret NSA and Army Data Leaked Online:

https://www.upguard.com/breaches/cloud-leak-inscom

1st Dec 2017 – Over 100GB of Secret Consumer Credit Data Leaked Online. Claimed that misconfigured Amazon Web Services (AWS) S3 cloud storage bucket.

https://www.infosecurity-magazine.com/news/100gb-secret-consumer-credit-data/?es_p=5544850

 

New trend – Botnet infection technique empowered Ransomware infection

Preface:

We known that botneck infection technique popular last few year. The objective of the botneck infection more on DDOS attack. But the status now has been change.

Below sample of code on how botnet operation.

using System.Threading.Tasks;

using log4net;

using Loki.Bot;

using Loki.Common;

using Loki.Game;

 

namespace MapBuddy.Tasks

{

    public class MapExplorationCompleteTask : ITask

    {

        private static readonly ILog Log = Logger.GetLoggerInstanceForType();

 

        public async Task<bool> Logic(string type, params dynamic[] param)

        {

            if (type != "task_execute") return false;

            if (LokiPoe.Me.IsDead || !LokiPoe.CurrentWorldArea.IsMap) return false;

 

            if (CurrentMap.HasBossRoom)

            {

                if (!TrackMobTask.MapBossFound && !TrackMobTask.MapBossDead)

                {

                    Log.Warn("[MapExplorationCompleteTask] insci_test dont allow finish map until boss is alive.");

                    return false;

                }

            }

 

            Log.Warn("[MapExplorationCompleteTask] Now finishing the map run.");

            MapBuddy.EventInvocators.RaiseMapExplorationCompletedEvent();

            await CommunityLib.LibCoroutines.CreateAndTakePortalToTown();

 

            //Second portal if we are

            //if (MapBuddySettings.Instance.Mode == OpenMethod.Laboratory)

            //{

            //    var currentBot = BotManager.CurrentBot;

            //    currentBot.Settings.SetProperty("NeedsTownRun", 2);

            //}

 

            return true;

        }

 

        public string Name => "MapExplorationCompleteTask";

 

        public string Description => "Task for leaving the map.";

 

        public string Author => "ExVault";

 

        public void Start()

        {

        }

 

        public void Tick()

        {

        }

 

        public void Stop()

        {

        }

 

        public string Version

        {

            get { return "1.0"; }

        }

 

        public object Execute(string name, params dynamic[] param)

        {

            return null;

        }

    }

}

Current status:

It looks that an alert shown that an unknown attack counterfeit HSBC email to widespread the infection.  This round of attacks seems focusing on banking industry. Sample counterfeit email display below: Guys be careful!