Category Archives: 2018

An attack on media platform causes exposed nearly 50 million user informations – Sep 2018

In 80’s our daily life without any electronic type social media involves. But we understood that we are avoid to talk to the stranger. As time goes by, internet social media fine tune our mind. As a result we make friend and relies on this communication platform.

Since this is a popular open platform. It is hard to avoid scam activities. As a result, the risk factor will growth in such circumstances. Even though you have security awareness . But who can garantee the threat actor only focus to attack the indiviual instead of the social media vendor.

Back in October 2016, the memcached developers fixed three remote code execution vulnerabilities (CVE-2016-8704, CVE-2016-8705 and CVE-2016-8706). The flaws affected memcached’s binary protocol for storing and retrieving data and one of them was in the Simple Authentication and Security Layer (SASL) implementation.

Remark: CVE-2016-8704 – An integer overflow in the process_bin_append_prepend function in Memcached, which is responsible for processing multiple commands of Memcached binary protocol, can be abused to cause heap overflow and lead to remote code execution.

Do you think the data breaches announced by Facebook yesterday whether it happen earlier last year but nobody know?

Related news – https://www.forbes.com/sites/thomasbrewster/2018/09/29/how-facebook-was-hacked-and-why-its-a-disaster-for-internet-security/#74855f792033

Consider how does JQuery affect millions of people confidential data – Sep 2018

RiskIQ expose one of the possible way how hacker steal customer credit card data of British Airline. Expert speculate the suspects exploit Inject jQuery into a page technique collect the confidential data. BA claim that the data breach only occurs in credit card data.
Risk IQ share the proof of concept shown that the technique equilvalent ATM machine skimmer. But this round the skimmer feature is install on web page. The fact is that when victim click the specific compromise web page button. The personal data belongs to victim will divert to hacker server.
Perhaps we know the technique so called Inject jQuery into a page is not a news. But exploit inject jQuery technique cope with ATM machine skimmer concept may be is new.
I am not going to copy RiskIQ POC programming language this time. However I will display the inject jQuery sample code for your reference. Meanwhile I will let your memory awaken.

BeEF, the Browser Exploitation Framework, is a testing tool designed to enable penetration testers to launch client-side attacks against target browsers.
The BeEF hook is a JavaScript file hosted on the BeEF server that needs to run on client browsers. When it does, it calls back to the BeEF server communicating a lot of information about the target. So this is another possibility let British Airways lost the customer data.

Aug 2018 – Malware (KEYMARBLE)

My friend informed that a new malware wreak havoc. Meanwhile US-Cert issued the technical articles described the details and let’s the world staying alert! US-CERT also provides the Indicator of compromise (IOC) file for reference. I am interested and therefore I put the this file into the sandbox see whether what exact issue will be happened. The facts is that threat actor embedded malicious code lure victim to open this document. The overall procedure similar word document ask you to excecute a XML contents. The whole procedure may not be trigger the antivirus alert (antivirus may detect this issue now, but not absolute sure) till the infection stage go to phase two. Yes, download a malicious executable file. If similar scenario happen in your company, sounds like you IT campus has a cat doing the monitoring. The cat will catch the mouse once he appears. How does your cat know this Rat appear. All relies on Yara rule (see attached diagram for reference). May be people will be scared of the web page contains hyperlink on top. And therefore this time not provided.

–End–

Verge Is Forced to Fork After Suffering a 51% Attack

Blockchain technology contains advanced security features fundamentally. However the heist occurs in such secure platform are in frequent. The questions of a retrospective and why was hacked? It proof that the problem not given by blockchain technology design flaw. Most likely the root causes are given by end point (client side), operation management (show the privilesge credential in the system event log). Rumors happened yesterday, verge user feared the attacker might use his dominant network position to siphon funds from their accounts. Verge technical team announce that it is a hash attack and it only some blocks were affected during a 3 hour period, not 13 hours. But what do you think? Do you think there is a zero day happens in e-wallet? Headline News can be found in following url.

https://news.bitcoin.com/verge-is-forced-to-fork-after-suffering-a-51-attack/

Bank Negara Malaysia (Bank) detected and foiled a cybersecurity incident involving attempted unauthorized fund transfers using falsified SWIFT messages.

Easter holiday make me lazy. Seen cyber incident alert posted by my friend Enoch yesterday. However I just ignore until awaken this evening. The details of this incident was that the crooks use falsified SWIFT Messages try to achieve their goal. The news told that they haven’t successful. As far as I remember, on February this year City Union Bank in India victim of cyber hack through SWIFT system. My speculation is that it is the flaw of MT202. A fundamental design limitation on original MT 202 message. Perhaps MT 202 COV doing the compensated control. But the MT 202 COV must not be used for any other interbank transfer. However MT 202 still valid and not end of life yet. A hints input of technical concerns shown on attach picture see whether this is root causes of this incident.

MT 202 design weakness lure financial crime

i. Suspicious activity monitoring on the underlying originator and beneficiary in the message would not be performed.

ii. The originating bank could be in a jurisdiction with different sanction watch lists and the technical capabilities of each bank’s sanction screening program could vary.

Below url is the press release (Cybersecurity Incident Involving the Use of Falsified SWIFT Messages)

http://www.bnm.gov.my/index.php?ch=en_press&pg=en_press&ac=4651

Reference:

City Union Bank in India victim of cyber hack through SWIFT system – Reuters Headline News (19th Feb 2018)

 

How much is your personal data worth?

Microsoft windows defender make the world safe. The threat actor masquerading a legitimate file goal to doing bitcoin mining. Windows defender just kill it within seconds. It is very powerful. It hints to the world that there will be formed different countries will have their own operation system. Why? Nobody want that all the time under monitoring.

For more details, about this news, please refer below url for reference.

https://www.forbes.com/sites/leemathews/2018/03/08/microsoft-saves-400000-windows-users-from-a-malicious-cryptocoin-miner/#5cc0f2b046a6

City Union Bank in India victim of cyber hack through SWIFT system – Reuters Headline News (19th Feb 2018)

Sounds horrible!

A heist occurred from SWIFT payment system again? Chief Executive Officer N. Kamakodi called it a “conspiracy” involving multiple countries, and added the lender was still investigating how it had happened. But the statement seems not precise to describe.

A fundamental design limitation on original MT 202 message. Perhaps MT 202 COV doing the compensated control. However MT 202 still valid and not end of life yet. A hints input of technical concerns shown on attach picture see whether this is root causes of this incident.

Quote:

When to use the MT 202 COV?

It must only be used to order the movement of funds related to an underlying customer credit transfer that was sent with the cover method.

The MT 202 COV must not be used for any other interbank transfer.

MT 202 design weakness lure financial crime

i. Suspicious activity monitoring on the underlying originator and beneficiary in the message would not be performed.

ii. The originating bank could be in a jurisdiction with different sanction watch lists and the technical capabilities of each bank’s sanction screening program could vary.

City Union Bank in India victim of cyber hack through SWIFT system (19th Feb 2018) – See following URL (Reuters Headline News) for reference.

https://www.reuters.com/article/us-city-union-bank-swift/indias-city-union-bank-ceo-says-suffered-cyber-hack-via-swift-system-idUSKCN1G20AF?feedType=RSS&feedName=technologyNews

Special Edition – HIDDEN COBRA – Malicious Cyber Activity

Special Edition: Information security focus

US Homeland security (DHS) urge the world to staying alert with HIDDEN COBRA Malicious Cyber Activity. It looks that the cyber attack wreak havoc to the world. And therefore DHS suggest to add below Yara rule into your IDS or malware detector (For instance RSA ECAT).

The following YARA rule may be used to detect the proxy tools:

rule NK_SSL_PROXY{
meta:
Author = "US-CERT Code Analysis Team"
Date = "2018/01/09"
MD5_1 = "C6F78AD187C365D117CACBEE140F6230"
MD5_2 = "C01DC42F65ACAF1C917C0CC29BA63ADC"
Info= "Detects NK SSL PROXY"
strings:
$s0 = {8B4C24088A140880F24780C228881408403BC67CEF5E}
$s1 = {568B74240C33C085F67E158B4C24088A140880EA2880F247881408403BC67CEF5E}
$s2 = {4775401F713435747975366867766869375E2524736466}
$s3 = {67686667686A75797566676467667472}
$s4 = {6D2A5E265E676866676534776572}
$s5 = {3171617A5853444332337765}
$s6 = "ghfghjuyufgdgftr"
$s7 = "q45tyu6hgvhi7^%$sdf"
$s8 = "m*^&^ghfge4wer"
condition:
($s0 and $s1 and $s2 and $s3 and $s4 and $s5) or ($s6 and $s7 and $s8)
}

There are total 2 items of malware would like to draw your considerations.

  • Trojan: HARDRAIN (Backdoor – Remote Access Tool)
  • Trojan: BADCALL (data thief and surveillance)

In order to avoid unforeseen data breach happens to enterprise firm and personal data privacy protection. We better to consider the suggestion by DHS.

  • Maintain up-to-date antivirus signatures and engines.
  • Restrict users’ ability (permissions) to run unwanted software applications
  • Enforce a strong password policy and
  • implement regular password changes.
  • Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
  • Keep operating system patches up-to-date.
  • Enable a personal firewall on agency workstations.
  • Disable unnecessary services on agency workstations and servers.
  • Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
  • Monitor users’ web browsing habits; restrict access to sites with unfavorable content.
  • Exercise caution when using removable media (e.g.,
  • USB thumbdrives, external drives, CDs, etc.).
  • Scan all software downloaded from the Internet prior to executing.
  • Maintain situational awareness of the latest threats; implement appropriate ACLs.

Threat actor transform Vehicle GSM GPRS GPS Tracker Car Vehicle Tracking Locator technology

Since the mobile phone usage volume bigger than personal computer today. Perhaps digital e-wallet function and BYOD concept let people keep their confidential data on mobile phone. And therefore it lure the hacker focusing the mobile phone device especially Android. This round hacker relies on GRPS TCP/UDP connection (see below diagram for reference) create Trojan (BADCALL) to listen for incoming connections to a compromised Android device, on port 60000. Meanwhile it awaken the security concern on GPRS gateway.

Since this is a special edition of article so we summarize the technical details as below:

Trojan: HARDRAIN

  • 32-bit Windows executables that function as Proxy servers and implement a “Fake TLS” infiltration function. The hash shown as below:

3dae0dc356c2b217a452b477c4b1db06 (3DAE0DC356C2B217A452B477C4B1DB06)

746cfecfd348b0751ce36c8f504d2c76 (746CFECFD348B0751CE36C8F504D2C76)

  • Executable Linkable Format (ELF) file designed to run on Android platforms as a fully functioning Remote Access Tool (RAT). The hash shown as below:

9ce9a0b3876aacbf0e8023c97fd0a21d (9CE9A0B3876AACBF0E8023C97FD0A21D)

DHS report for reference:

https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-F.pdf

Trojan: BADCALL (data thief and surveillance)

  • 32-bit Windows executables that function as Proxy servers and implement a “Fake TLS” infiltration function. The hash shown as below:

c01dc42f65acaf1c917c0cc29ba63adc (C01DC42F65ACAF1C917C0CC29BA63ADC)

c6f78ad187c365d117cacbee140f6230 (C6F78AD187C365D117CACBEE140F6230)

  • run on Android platforms as a fully functioning Remote Access Tool (RAT). The hash shown as below:

d93b6a5c04d392fc8ed30375be17beb4 (D93B6A5C04D392FC8ED30375BE17BEB4)

DHS report for reference:

https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-G.PDF

End discussion, thak you for your attention.

Happy valentines day.

My imagination – New way of money laundry evade regulations

We heard turmedous crypto currency heist this year (see below). Do you  think is it a trick? Let’s think it over. The refund of the fees after heist is a grey area of regulator custodian.Since the money is a new sources far away from criminal activities revenue.How to using legal regulation forfeiting their money.Let’s think it over. How to dick out the money on a secure platform. Is it luck or counterfeit message with phishing technique. I believe that this is a old technique. How to evade the legal enforcement proceed legal action to forfeiting their money. End of Jan 2018 – Coincheck $530 million cryptocurrency heist may be biggest ever 2nd week of Feb 2018 – BitGrail Cryptocurrency Exchange Becomes Insolvent After Losing $170 Million.

Feb 2018 – BitGrail Cryptocurrency Exchange Becomes Insolvent After Losing $170 Million:

https://www.youtube.com/watch?v=Sb2_ZBcS7NE

Jan 2018 – Coincheck heist discussion:

Doubt – $530 million cryptocurrency heist

CVE-2018-4878 against South Korean Targets. See whether is it true?

In July 2017, Adobe announced that it would end support for Flash Player in 2020, and continued to encourage the use of open HTML5 standards in place of Flash. The announcement was coordinated with Apple, Facebook,Google,Microsoft,and Mozilla. If you would like to know what is the flash vulnerability actual destructive power. Let review the suggestion by Antivirus big brother Kaspersky (Jul 2017). Kaspersky recommends disabling Flash Player, in order to stay protected. Perhaps you may not have interest to read below url. But on-line games and on-line casino still requires Adobe Flash in the moment. We all known South Korea is the leader in the gaming section. And therefore The South Korean Computer Emergency Response Team (KR-CERT) has issued a security alert warning of a zero-day vulnerability affecting Adobe’s Flash Player.

CVE-2018-4878

https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/north-korean-hackers-allegedly-exploit-adobe-flash-player-vulnerability-cve-2018-4878-against-south-korean-targets

Be aware of RTMFP protocol

The silent of the Flash, Be aware of RTMFP protocol! He can exacerbate network attacks.

Let keep our eye open , see whether such vulnerability will be occurs this year. If this nightmare come true. A unforeseen destruction of the reputation to the company includes vendor and customer!