Category Archives: 2019

Black Friday was happened in New Orleans on 13th Dec 2019

Preface: Once upon a time, without internet. The Black Friday virus through floppy disk infected to your MS-DOS and make a trouble to your personal computer.

Background: New Orleans declared a state of emergency and shut down its computers after a cyber security event. During a press conference on 14th Dec 2019, Mayor Cantrell confirmed that this was a ransomware attack.

Security expert findings: Based on files uploaded to the VirusTotal scanning service, the ransomware attack on the City of New Orleans was likely done by the Ryuk Ransomware threat actors, said cyber security expert.

Personal comment: Ransomware looks horrible! Are you interested in how national supercomputers can defend against cyber attacks, especially ransomware? Have you heard about docker and container technology? May be we do a discussion in coming future.

Headline News – See the link for more details: https://www.forbes.com/sites/daveywinder/2019/12/14/new-orleans-declares-state-of-emergency-following-cyber-attack/#3a12987c6a05

Gun and bullet – SMBV1 and Ransomware (Nov 2019)

Preface: Starting from around 2012 the use of ransomware scams has grown internationally.

Background: About 5 days ago, headline news of Bloomberg told that cyber criminals compromised the IT infrastructure for Mexican Petroleum. Meanwhile, hacker hopes to extract nearly $5 million from the company, with a final deadline of 30th November, 2019.

Tremendous incident record: EternalBlue leaked by the Shadow Brokers hacker group on April 14, 2017, one month after Microsoft released patches for the vulnerability. EternalBlue opened the door to one of the nastiest ransomware outbreaks in history, known as WannaCryptor.

Our point of view: Most older NAS devices do not support SMB version 2 or above, even though it can be do a firmware upgrade. But system admin sometimes lack of awareness or running out of labor resources. And therefore remains SMB V1 on the workstation. As a matter of fact, it let the small to medium size enterprise shot by ransomware. Even though manufacturing and petroleum industries you might found SMB v1 still alive in their place. Perhaps this is the story began.

For more information on headline news, please refer – https://www.bloomberg.com/news/articles/2019-11-13/a-hacker-wants-about-5-million-from-pemex-by-end-of-november

Oct 2019 – The crisis of Indian nuclear power plant’s

Preface: In fact, of system design weakness, the chances of a hacker getting remote access to systems significantly intensifies.

About Indian nuclear power plant’s network was hacked -They have confirmed its newest nuclear power plant was the victim of a cyber attack, exposing the vulnerability of one of the country’s most critical sectors to cyber espionage, said the government of India.

Current status: As mentioned in the headline news, cyber attack happened in Indian nuclear power plant is unplanned. Perhaps it did not involve any hostile country conspiracy. However we found quite a lot of cyber defense vendor could not detect such malware. In reference to the status shown in VirusTotal on 31st Oct 2019 (Asia time).

For more details about this accident, please refer url: https://www.ft.com/content/e43a5084-fbbb-11e9-a354-36acbbb0d9b6

ABout MasterCard data breach – Aug 2019

Preface: Still remember that when I was work in bank environment. Visa and Master payment solutions looks indeed secure. Those facilities are running in standalone machine. The communication protocol is the IBM SDLC communication. In order to communication with S390 mainframe. We setup data link switch in network switch and define VTAM major nodes on mainframe. Can we say the invention of internet jeopardize the world. Yes, it does.

Incident details: MasterCard said it was investigating a data breach of a loyalty program in Germany. There are about 90000 personal records was steal. Perhaps the actual figure has not been finalize yet! but rumor said that the leaked personal data is selling on darknet now. However, when we manually view the programming source it shown to us there is a lot of weakness on backend server. For instance, the backend system run on vulnerable Apache version. So i am imagine that whether there has possibility let attacker exploit CVE-2017-3167 to bypass the authentication on the front end web server then stolen the data?

Bloomberg headline news https://smg.photobucket.com/user/chanpicco/media/chanpicco001/MasterCard-leak-Aug-2019-1_zps35cvwtvc.jpg.html?sort=3&o=0

Have you heard of the “Capital one” data leak! July 2019

Cyber criminal is under arrested. She is accused of breaking into a “Capital One” computer facility and gaining access to 140,000 Social Security numbers, 1 million Canadian Social Insurance numbers and 80,000 bank account numbers.

Security Focus : Cyber criminal is under arrested. She is accused of breaking into a “Capital One” computer facility and gaining access to 140,000 Social Security numbers, 1 million Canadian Social Insurance numbers and 80,000 bank account numbers. Technical guy may known that there is a design limitation occurs on AWS. The metadata service provides temporary credentials. There is no authentication and no authorization to access the service. A mis-configure firewall policy will causes untrusted source establish connection to meta service. For more details, please refer to attach diagram.

Headline News – A hacker gained access to 100 million Capital One credit card applications and accounts

https://edition.cnn.com/2019/07/29/business/capital-one-data-breach/index.html

CVE-2019-1579 VPN solution impacts Uber, other enterprises may be at risk Jul 2019

Preface: The IoT will make the Taxi Industry change.The business concept of Uber is the industrial leader. Perhaps their concept and ideas are advanced and therefore cyber security are their major concerns.

Vulnerability details: Palo Alto Networks PAN-SA-2019-0020 (CVE-2019-1579): Remote Code Execution vulnerability in GlobalProtect Portal/Gateway Interface, especially on SSL Web VPN Applications. Vendor do a preventive action, a survey will be conducted all Palo Alto SSL VPN over the world. See whether is any large corporations using the vulnerable GlobalProtect, and Uber is one of them!
From our survey, Uber owns about 22 servers running the GlobalProtect around the world. For instance – vpn.awscorp.uberinternal.com.

Remark: Uber announce that the vulnerable SSL VPN solution was not the primary VPN in use by the majority of staff members. Their VPN gateway was hosted in AWS rather than embedded within core infrastructure and so the potential impacted will be in low risk.

Our comment: The vendor did not provide the vulnerability details. But do you think that attached infographic details may trigger similar attacks?

Remedy: Available Updates – PAN-OS 7.1.19 and later, PAN-OS 8.0.12 and later, and PAN-OS 8.1.3 and later releases.

Orvibo smart home devices leak billions of user records – customer must staying alert – Jul 2019

Preface: If victim is not negligence. Can we give an excuse to him?

Company background: Orvibo, a Chinese smart home solutions provider.

Story begin: A technical report shown to the world that Orvibo (ElasticSearch cluster) leaked more than two billion user logs containing sensitive data of customers from countries all over the world.
Does the admin using easy to guess password or………

Impact: Diminished reputation of the company only. Perhaps more, GDPR penalty, phishing scam,..etc. Most likely customer do not aware and let the attacker hunt the victim easier because criminal will counterfeit their personal information.

If you are aware your personal information has been stolen by above incident. What should You do?

Since hacker know your personal details and therefore they will using your information to conducting criminal activities on other public media. Our suggestion is that changing your password and update the virus signature or OS patching are not enough. You must observer your mail box whether scam mail activities is growth rapidly after this incident. If result shown positive, you must contact your email service provider and looking for their recommendations.

Headline News – https://www.dailymail.co.uk/sciencetech/article-7202675/Maker-smart-home-software-continues-leave-database-containing-users-passwords-OPEN-online.html

Not a fashion famous brand. Hermes ransomware, the predecessor to Ryuk. NCSC Releases Advisory on Ryuk Ransomware.

Preface: The NCSC is investigating current Ryuk ransomware campaigns targeting organisations globally, including in the UK. In some cases, Emotet and Trickbot infections have also been identified on networks targeted by Ryuk.

Technical details: Ryuk was first seen in August 2018. The Ryuk ransomware is often not observed until a period of time after the initial infection – ranging from days to months.Ryuk ransomware linked to Emotet and Trickbot banking trojans.
– The objective of Emotet conduct as a dropper feature in order to delivery for other Trojans.
– Trickbot aim to browser as a attack target, the aim to do manipulation techniques to facilitate data theft.
The structure of the encrypted file is identical to the structure used in Hermes Ransomware, including the distinctive HERMES token that this malware uses to identify files that it has already encrypted.

Remark: Cyber Criminals distributing Hermes Ransomware via dangerous malspam that contains Weaponized Password protected Word documents to encrypt the system files and lock the victim’s computer.

The pre-operation of Ryuk ransomware on infected computers:

  • Volume Shadow Server & Backup Kill
  • Installed lang check:
    SYSTEM\CurrentControlSet\Control\Nls\Language\
    InstallLanguage
    0419 (Russia)
    0422 (Ukrainian)
    0423 (Belarusian)
  • Arp Blaclklist check
  • GetComputerName check
  • Process kill

Advisory report for download – https://www.ncsc.gov.uk/news/ryuk-advisory

Microsoft Exchange server 2013 and new version of product are vulnerable to NTLM relay attacks (2019)

Preface: A privilege escalation is possible from the Exchange Windows permissions (EWP) security group to compromise the entire prepared Active Directory domain.

Vulnerability details: A tool capable for performing ntlm relay attacks on Exchange Web Services (EWS). It spawns an SMBListener on port 445 and an HTTP Listener on port 80, waiting for incoming connection from the victim. Once the victim connects to one of the target, an NTLM negociation occurs and is relayed to the target EWS server.

Hints: Do not contempt the vulnerability on workstation. It is one of the way which assists the hacker to do the privileges escalation. If the compromised workstation is the domain member. Hacker relies on NTLM vulnerability to do the priviliges escalation. That is, they remotely execute malicious code on any Windows machine or authenticate to any HTTP server that supports Windows Integrated Authentication (WIA). For instance, the Exchange server and ADFS (Active Directory Federation Services).

Official announcement:

Apply an update – https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0686

Disable EWS push/pull subscriptions – In an Exchange Management console, execute the following commands:

  • New-ThrottlingPolicy -Name NoEWSSubscription -ThrottlingPolicyScope
  • Organization -EwsMaxSubscriptions 0
  • Restart-WebAppPool -Name MSExchangeServicesAppPool

It is hard to judge it was a self defense or attack. New York Times cyber attack news – 16th Jun 2019

Preface: Sometime, the argue in between two countries similar a child. I am going to joke with you then switch off your power.

Highlight: Headline news by the New York Times give a tremendous feeling to the world. It let the people think the cyber war is on the way. Yes, it is true. The plan to implement Astra Linux in Russian defense systems dates back to the beginning of 2018. As far as we know, Russian do not relies on Microsoft operation system anymore especially critical facilities (military, defense system and power grid). Astra Linux compatible with Siemens Simatic IPC427D workstation. And therefore it is secure to implement in power supplier facility. But….

However it is hard to guarantee the vendor hardware vulnerability, right? For instance, Denial-of-Service Vulnerability in SIMATIC S7-1200 CPU and SIMATICS7-1500 CPU.

Remark: SIEMENS SCADA software family consists of three main pillars, WinCC Pro, WinCC 7 and WinCC … WinCC Pro is popular and can be used in any – discrete or process.

Reference: https://cert-portal.siemens.com/productcert/pdf/ssa-584286.pdf

What is your opinion on the headlines of the New York Times? Do you think this is a conspiracy?

Looking back – The Russia hacked the US electric grid. DHS and FBI are characterizing it as a Russian attack, noting that this was a multiyear campaign started in March 2016 by Russian government “cyber actors.”
The unconfirmed accusation of cyber attack to Russia posted by New York Times. Do you think it was a defensive action by US government?

Headline news https://www.nytimes.com/2019/06/17/world/europe/russia-us-cyberwar-grid.html

Astra Linux features:

– Compatibility with the Komrad SIEM system
– FSTEC certificates of the Russian Federation and FSB of the Russian Federation on Astra Linux of SE (release Smolensk)
– Compatibility with the Simatic IPC427D workstation
– Compatibility with Videoselektor
– Minobona’s certificate of the Russian Federation and FSB on Astra Linux of SE (release Leningrad)
– Compatibility with Mellanox Spectrum
– Compatibility with TerraLink xDE
– Tests of BLOK computers running SE 1.6 Astra Linux OS
– Availability of an official mirror of a repository of Astra Linux OS on mirrors.kernel.org
– Compatibility with JaCarta
– Compatibility with CryptoPro CSP on Elbrus and Baikal processors
– Compatibility with Linter DBMS