Category Archives: cyber security incident news highlight

Nautilus & Neuron

Hostile countries collect government confidential information and business economic details, but not in the way they did in the 70's, when a group of people, the so-called spies, infiltrated a foreign country. It reduces the overall injury. The conceptual idea of malware implemented in the computer world is equivalent to the task of a spy. The National Cyber Security Centre urges IT admins around the world to stay alert to the current suspicious network activities issued by the Turla Group. Having read a few technical articles, the overall comment is that they are supported by a country. The most famous tool (rootkit), "Snake", was designed by this group. Since "Snake" was implemented a few years ago, new tools (Nautilus and Neuron) have been deployed to replace it. The new tools primarily focus on two Microsoft products (Exchange and IIS server). However, the targets will be both clients (endpoints) and servers. Reading the technical articles is a burden to the IT guy since cyber attacks happen so frequently. The quick and dirty way to provide the shortest path to the IT guy is the key. What to do, right? Yes, the free-of-charge scan tool provided by Microsoft below will help you in this regard (refer to the url below for reference).

https://www.microsoft.com/en-us/wdsi/products/scanner

NECURS BOTNET – Alert

I have heard that Necurs botnet activity is growing rapidly. Their major goal is to deliver ransomware through email spam or email scams. An announcement broadcast by SANS on 1st Nov 2017 alerted that Necurs botnet malspam pushes Locky using a DDE attack. The Necurs bot relies on an MS Word document with embedded malware to compromise your machine, for instance a Word document with embedded objects that call PowerShell. Apart from that, they make use of DDE. The Necurs botnet has a brilliant history, since its design features can protect it and bypass current detection mechanisms. Even though DNS protection is a popular defense mechanism today, it is not afraid. Its program design looks like assembly, which enhances its infection features. Should you have an interest in knowing more details, the attached picture can tell. For more details about the status update, please refer to the url below for reference.

https://threatpost.com/necurs-based-dde-attacks-now-spreading-locky-ransomware/128554/
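The DDE field that the Necurs malspam abuses is an ordinary Word field code stored inside the .docx container. The following is an added example (not from the SANS or Threatpost write-ups) that unpacks a .docx and flags any DDE or DDEAUTO field instruction, so suspicious attachments can be triaged before anyone opens them. The two documents it scans are constructed in memory; the command in the sample field is a harmless placeholder.

```python
import io
import re
import zipfile

# Field instructions Word evaluates as DDE links. DDEAUTO fires on open,
# which is the variant the Necurs/Locky campaign uses.
DDE_PATTERN = re.compile(r"\bDDE(AUTO)?\b", re.IGNORECASE)

def extract_field_codes(docx_bytes: bytes) -> list:
    """Return every field instruction found in word/document.xml."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        xml = z.read("word/document.xml").decode("utf-8", errors="replace")
    # Complex fields keep their instruction in <w:instrText> elements.
    codes = re.findall(r"<w:instrText[^>]*>(.*?)</w:instrText>", xml, re.DOTALL)
    # Simple fields carry it as the w:instr attribute of <w:fldSimple>.
    codes += re.findall(r'<w:fldSimple[^>]*w:instr="([^"]*)"', xml)
    return codes

def find_dde_fields(docx_bytes: bytes) -> list:
    """Field instructions that would trigger a DDE request when the file opens."""
    # Caveat: each instrText run is checked on its own; an instruction split
    # across several runs should be joined first in a production scanner.
    return [c for c in extract_field_codes(docx_bytes) if DDE_PATTERN.search(c)]

def build_docx(body_xml: str) -> bytes:
    """Constructed minimal .docx (just enough of the package to be scanned)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml",
                   '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
                   f"<w:body>{body_xml}</w:body></w:document>")
    return buf.getvalue()

# Constructed samples: a benign report and a document carrying a DDEAUTO field.
BENIGN_DOCX = build_docx("<w:p><w:r><w:t>Quarterly report</w:t></w:r></w:p>")
DDE_DOCX = build_docx(
    '<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText>DDEAUTO c:\\\\placeholder\\\\app.exe "/c placeholder"</w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>')

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_DOCX), ("dde", DDE_DOCX)):
        print(name, find_dde_fields(doc))
```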

There are more Windows OS components that did not include the ASLR protection feature

It seems that hearing about a vulnerability in a Microsoft product does not trigger your interest. The easy way for an IT guy to mitigate the risk is to apply a patch update. But CVE-2017-11882 gives the world a heads-up that there are more Windows OS components that did not include the ASLR protection feature. Maybe you could say Microsoft products do not rely on ASLR since they have Data Execution Prevention (DEP). We know that Data Execution Prevention (DEP) is a system-level memory protection feature. However, a practical example, CVE-2017-11882, which occurred in a Microsoft Office product, could compromise your machine. Hackers focus more on digging out vulnerabilities in word processing products since humans rely on electronic documentation daily. Microsoft released the patch to mitigate this risk (see below). But it is a reminder to the world that more MS components do not enable the address randomization function. Yes, no address randomization function will be a benefit to hackers. Which industries are in demand to use the MS Equation Editor function? Scientists and high-tech industry, especially military and nuclear power facilities management.

https://portal.msrc.microsoft.com/en-US/security-guidance

Windows junction points look like a malware helper – AVGater

Tremendous news exposed that malware relies on a Microsoft design limitation (Windows junction points) to recover itself after quarantine. A related flaw was found in products of the following antivirus vendors: Trend Micro, Emsisoft, Kaspersky Lab, Malwarebytes, Check Point and Ikarus Security Software. Vendors have now released patches for the affected products.

Do you still remember the American government's allegation against Kaspersky that a spy tool was embedded in their product? My personal opinion is that Kaspersky is the victim of this allegation. However, do you think this is part of the spy method? What is the name of this attack? Its name is AVGater. For more details, please refer to the url below:

https://forum.kaspersky.com/index.php?/topic/382512-exploit-avgater/

Doubt? See whether a similar problem will happen in future.

I heard that the Infineon chipset has a vulnerability. Security experts found the vulnerability in the new German national ID card issued since 2010. However, a technical article (ZDNet) reported last week that a chip crypto flaw vulnerability occurred in the Spanish ID card. Per the announcement by NIST, this vulnerability is filed in the CVE database as CVE-2017-15361. A security vulnerability was found in the implementation of RSA key pair generation in a cryptographic library used in a wide range of cryptographic chips produced by Infineon Technologies AG. The product is also integrated in authentication, signature and encryption tokens of other vendors and in chips used for Trusted Boot of operating systems. The vulnerability is present in NIST FIPS 140-2 and CC EAL 5+ certified devices since at least the year 2012. Any doubts? For more details about this vulnerability, please see the url below for reference.

https://nvd.nist.gov/vuln/detail/CVE-2017-15361

Reference: Hong Kong Government to Use Infineon’s Chip Card Technology in Smart Identification Card Project – announcement June 2002 (see below url for reference)

https://www.infineon.com/cms/en/about-infineon/press/market-news/2002/129155.html
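Keys produced by the flawed Infineon library (CVE-2017-15361, known as ROCA) can be recognised from the public modulus alone: the researchers who reported it published a fingerprint test based on the fact that the generated primes have the form k*M + (65537^a mod M) for a primorial M, so the modulus n lies in the subgroup generated by 65537 modulo every small prime. The following is an added example (not Infineon's or NIST's code) implementing that fingerprint so an organisation can audit its own smart cards, TPM keys and tokens; the two inputs are constructed values, not real keys.

```python
# Small primes used by the published ROCA fingerprint test.
SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61,
                67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131,
                137, 139, 149, 151, 157, 163, 167]
GENERATOR = 65537  # the public exponent the affected library builds its primes around

def subgroup(p: int, g: int = GENERATOR) -> frozenset:
    """All residues g^k mod p, i.e. the subgroup of (Z/pZ)* generated by g."""
    seen, x = set(), 1
    while x not in seen:
        seen.add(x)
        x = (x * g) % p
    return frozenset(seen)

# Precompute the subgroup for each prime once; this table is the whole fingerprint.
SUBGROUPS = {p: subgroup(p) for p in SMALL_PRIMES}

def has_roca_fingerprint(n: int) -> bool:
    """True when n mod p lies in the 65537-subgroup for every small prime p.

    A modulus from the flawed library never fails this test; a modulus from a
    sound generator fails it for at least one prime with overwhelming
    probability, so a positive result is a strong signal the key is affected.
    """
    return all(n % p in SUBGROUPS[p] for p in SMALL_PRIMES)

def modulus_from_hex(hex_modulus: str) -> int:
    """Helper for audits: convert a colon- or space-separated hex modulus to an int."""
    return int(hex_modulus.replace(":", "").replace(" ", ""), 16)

# Constructed inputs (not real keys): 65537**7 carries the fingerprint by
# construction; 3233 = 53 * 61 is a textbook toy modulus that does not.
FINGERPRINTED_SAMPLE = GENERATOR ** 7
TOY_MODULUS = 3233

if __name__ == "__main__":
    for n in (FINGERPRINTED_SAMPLE, TOY_MODULUS):
        print(n, "matches ROCA fingerprint:", has_roca_fingerprint(n))
```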

To usher the wolf into the S3 Cloud

CNN interviewed a researcher on Friday (17th Nov 2017) in a discussion of how the US government Pentagon exposed huge amounts of web-monitoring data in a security failure involving Amazon S3 buckets. I was wondering whether similar data breaches have happened only at the Pentagon. As far as we know, a consulting firm found a data breach on an S3 bucket a few months ago. But the scale of the Amazon cloud is huge. How does a bad guy, or anyone who carries an interest, find out the details? It looks like the culprit is Amazon itself. A useful tool open to the public is the so-called ip-ranges.json. Relying on this tool, you can locate the IP address ranges of Amazon S3 buckets. Since the IP addresses and service package are exposed to the public, it in such a way increases the attack surface. Should you have an interest in the CNN news, please refer to the url below for reference. Be reminded that CNN did not provide that json script. Maybe you can dig out the hints from my picture.

http://money.cnn.com/2017/11/17/technology/centcom-data-exposed/index.html

Oct 2017 – Accenture Latest Company To Leave Critical Data Exposed On Amazon Web Services Server (see below url):

http://www.crn.com/news/security/300093646/accenture-latest-company-to-leave-critical-data-exposed-on-amazon-web-services-server.htm

Updated on November 28, 2017 – Top Secret NSA and Army Data Leaked Online:

https://www.upguard.com/breaches/cloud-leak-inscom

1st Dec 2017 – Over 100GB of Secret Consumer Credit Data Leaked Online. It is claimed that a misconfigured Amazon Web Services (AWS) S3 cloud storage bucket was the cause.

https://www.infosecurity-magazine.com/news/100gb-secret-consumer-credit-data/?es_p=5544850


New trend – Botnet infection technique empowers ransomware infection

Preface:

We know that the botnet infection technique has been popular in the last few years. The objective of botnet infection was mostly DDoS attacks. But the status now has changed.

Below is a sample of code showing how a botnet operates.

using System.Threading.Tasks;
using log4net;
using Loki.Bot;
using Loki.Common;
using Loki.Game;

namespace MapBuddy.Tasks
{
    public class MapExplorationCompleteTask : ITask
    {
        private static readonly ILog Log = Logger.GetLoggerInstanceForType();

        // Called by the bot framework with a message type; only acts on "task_execute".
        public async Task<bool> Logic(string type, params dynamic[] param)
        {
            if (type != "task_execute") return false;
            if (LokiPoe.Me.IsDead || !LokiPoe.CurrentWorldArea.IsMap) return false;

            if (CurrentMap.HasBossRoom)
            {
                if (!TrackMobTask.MapBossFound && !TrackMobTask.MapBossDead)
                {
                    Log.Warn("[MapExplorationCompleteTask] insci_test dont allow finish map until boss is alive.");
                    return false;
                }
            }

            Log.Warn("[MapExplorationCompleteTask] Now finishing the map run.");
            MapBuddy.EventInvocators.RaiseMapExplorationCompletedEvent();
            await CommunityLib.LibCoroutines.CreateAndTakePortalToTown();

            //Second portal if we are
            //if (MapBuddySettings.Instance.Mode == OpenMethod.Laboratory)
            //{
            //    var currentBot = BotManager.CurrentBot;
            //    currentBot.Settings.SetProperty("NeedsTownRun", 2);
            //}

            return true;
        }

        public string Name => "MapExplorationCompleteTask";

        public string Description => "Task for leaving the map.";

        public string Author => "ExVault";

        public void Start()
        {
        }

        public void Tick()
        {
        }

        public void Stop()
        {
        }

        public string Version
        {
            get { return "1.0"; }
        }

        public object Execute(string name, params dynamic[] param)
        {
            return null;
        }
    }
}

Current status:

It looks like an alert showed that an unknown attacker counterfeited an HSBC email to spread the infection widely. This round of attacks seems to be focusing on the banking industry. A sample counterfeit email is displayed below. Guys, be careful!


Tax haven is also a hacker playground – Bermuda

Perhaps the legal firm Mossack Fonseca data breach incident is history. However, headline news reveals another similar case, which happened in November last year. I was shocked that Mossack Fonseca encountered a data breach that astonished the world, since tycoons and famous people like the President of Russia, Putin, were included in their customer list. A slogan says that a tax haven is also a hacker playground. It looks like legal firms only know how to use law and regulations to protect their clients. On the other hand, the former cyber security incident showed that they ignore technology risks. In the meantime, we received news in the newspaper that a cyber attack hit their database in November last year (2016). But it sounds like another important factor might be brought to their attention. For instance, it is easy to find lawyers' public email addresses because of their business operation model. Such a business model lets hackers easily obtain the email addresses. An easy way is to make use of email phishing techniques to turn the receiver into a victim. The hacker will receive the credentials after compromising the email account. As a result, it is easy to draw out the data. For the details, please refer to the url below for reference.

Another story of offshore law firm data leakage. The firm encountered a cyber attack in Nov 2016.
The information was released in the news this month.

http://www.independent.co.uk/news/business/news/appleby-offshore-law-firm-hack-data-super-rich-financial-details-bermuda-a8018451.html

Existing encryption schemes look to have room to enhance – X9.31 security breach

The implementation of existing encryption schemes looks to have room to enhance. Another bug has been found in X9.31. It looks like the vulnerabilities found in encryption mechanisms in the last few months reveal a bottleneck in the IT environment. Can you still remember our hero Edward Snowden's alert? He told that cyber espionage or governments rely on backdoors in devices or applications to execute their tasks. A scandal revealed that a security vendor used a weak crypto scheme, benefiting the NSA, in order to receive a government contract. Perhaps we did not focus on the encryption mechanism since we believed that we are secure once we implement it. However, the design limitation is the cache, no matter whether it is hardware or software. Hackers rely on the temporary cache to retrieve the SSL key and then execute a man-in-the-middle attack in antivirus software. A private key found in a chipset put more than a million mobile devices in a security breach. In my imagination of a conspiracy theory, it looks like hero Snowden and WikiLeaks revealed how the NSA does its surveillance program. Since the secret is exposed, they are not going to use it anymore. As a result, more and more scandals or unknown bugs will be opened to the public. The url below will provide hints to you for reference.

https://threatpost.com/duhk-attack-exposes-gaps-in-fips-certification/128582/

RTOS (real-time operating system) is under attack. Do you think it is the 2nd round of testing?

The term IoT (Internet of Things) looks like a messed-up transformation of a specific definition. The suitable criterion to define an IoT component is a device that demands data be processed without buffering delays. If you have a habit of reading technology posts daily, you know that the IT security vendor Check Point alerted the world that a new IoT botnet is going to jeopardize the world, and the case is under their investigation. My personal opinion is that the specific attacks focus on RTOS (real-time operating system) devices, for instance web cams, routers and smart city facilities. I strongly believe that Microsoft is not the major target, since RTOS devices have large coverage on simplified Linux-based OS platforms. Keep your eyes open: you might see that the Reaper IoT attack relies on Shellshock vulnerabilities and brute-force attacks. In addition, if vulnerabilities are found in the device's kernel, the malicious code will rely on them. The url below can provide the details to you in this regard. Perhaps we have more and more electronic computing devices supporting our daily life. A hostile country engaging in an attack to suspend the daily operations of the enemy looks better than a bomb or military threats.

https://www.wired.com/story/reaper-iot-botnet-infected-million-networks/