Category Archives: cyber security incident news highlight

CISA urge to public that to aware of Codecov software vulnerability – 30th Apr, 2021

Preface: CISA is aware of a compromise of the Codecov software supply chain in which a malicious threat actor made unauthorized alterations of Codecov’s Bash Uploader script, beginning on January 31, 2021.

Background: A Supply Chain Attack Gone Undetected for 2 Months.Codecov has over 29,000 enterprise customers, including reputed names like Atlassian, Washington Post, GoDaddy, Royal Bank of Canada, and Procter & Gamble.

Vulnerability details: Regarding to this cyber security incident, Through vendor investigation, they are now have additional information concerning what environment variables may have been obtained without authorization and how they may have been used. The issue occurred due to an error in Codecov’s Docker image creation process that enabled the actors to extract sensitive credentials and modify the Bash Uploader script. Meanwhile it let the attacker exfiltrate sensitive information. For more details, please refer to link – https://about.codecov.io/security-update/

NSA releases urgent Guidance (ORN U/OO/800922-17), thus urge to public that not to use obsolete TLS configurations (6th Jan,2020)

Preface: However, obsolete TLS configurations are still in use in U.S. Government systems. Perhaps it is being change. According to the Office of Management and Budget (OMB) memorandum M-15-13 all public accessible federal websites and web services are require to only provide through secure connections.

Synopsis: The Internet Engineering Task Force (IETF) published TLS 1.3 in August 2018. TLS 1.2, the version it replaced, was standardized a decade previous, in 2008. Attached diagram shown the examples of TLS Vulnerabilities and Attacks.

Consequent: Using obsolete encryption provides a false sense of security because it seems as though sensitive data is protected.
Network connections employing obsolete encryption protocols are at an elevated risk of exploitation and decryption.

Recommendation: NSA recommends that only TLS 1.2 or 1.3 be used. As a result, SSL 2.0,3.0,TLS 1.1 not be used anymore.If additional interoperability support is need, configurations should use non-deprecated options from NIST SP 800-52r2 as necessary.

Official announcement (NSA Releases Guidance on Eliminating Obsolete TLS Protocol Configurations): https://media.defense.gov/2021/Jan/05/2002560140/-1/-1/0/ELIMINATING_OBSOLETE_TLS_UOO197443-20.PDF

Visa proactively urge public aware of Baka Skimmer attack. (Baka credit card skimmer bundles stealth, anti-detection capabilities) – Sep 2020

Preface: Visa identified a previously unknown eCommerce skimmer, and named the skimmer ‘Baka’.

Synopsis: The malicious JavaScript code aimed to avoid detection for modern defense system. Baka is stealth, anti-detection capabilities.
According to an alert from Visa’s Payment Fraud Disruption (PFD) division, the skimmer also attempts to avoid detection and analysis by “removing itself from memory when it detects the possibility of dynamic analysis with Developer Tools or when data has been successfully exfiltrated”.

Reference: Visa security alert – https://usa.visa.com/content/dam/VCOM/global/support-legal/documents/visa-security-alert-baka-javascript-skimmer.pdf

Additional: Briefly describe the concept of attack. The attacker sneaks some malicious JavaScript (usually via a <script> tag) into your html which is then executed.

How to protect against this attack?
– Sanitizing at the url param layer
– Sanitizing at the templating layer

Ransomware hits Jack Daniel’s, said Bloomberg News – August 15, 2020

Preface: Whiskey production involves multiple procedures carried out in potentially hazardous atmospheres. LB Remote I/O System connects sensors and actuators to the DCS via PROFIBUS. In terms of application, DCS is suitable for whisky production and complex control processes.

Incident background: Brown-Forman Corp., a manufacturer of alcoholic beverages including Jack Daniel’s and Finlandia, said it was hit by a cyber-attack in which some information, including employee data, may have been impacted. Please refer to the link for more details – https://www.bloomberg.com/news/articles/2020-08-14/brown-forman-was-target-of-apparent-ransomware-attack

Technical details of ransomware: A message sent anonymously to Bloomberg claimed to have hacked Brown-Forman and compromised its internal network. Ransomware aka REvil. The infection mechanism of this ransomware relies Microsoft design weakness (CVE-2018-8453).

As usual, ransomware will copy the data then write data to the registry. The ransomware process will destroy all shadow volumes of the victim machine and disable the protection of the recovery boot. Finally, it encrypts files in all logical units and network shares, and displays the ransom notice on the screen.

Recommendation: In order to avoid ransomware attack. We should follow the patch management by vendor. And maintain update of antivirus program.

Australia (ACSC) urges local citizens to be vigilant against cyber attacks. The so-called copy-paste compromises – 18th June 2020

Preface: Australia’s government and institutions are being targeted by ongoing sophisticated state-based cyber hacks, Prime Minister Scott Morrison says. Mr Morrison did not name specific cases but said it had spanned “government, industry, political organizations, education, health, essential service providers and operators of other critical infrastructure”. 19th June 2020

Technical details: Long story short. The nick name of this attack ‘Copy-Paste Compromises. It is derived from the cyber attacker heavy use of proof of concept exploit code, web shells and other tools copied almost identically from open source. For more details, please refer below link to download the report.

https://www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises.pdf

Attack highlights: Web shells are difficult to detect as they are easily modified by attackers and often employ encryption, encoding, and obfuscation. When a potential web shell is detected, administrators should validate the file’s origin and authenticity.

Recommendation: In normal circumstances, firewall locked down rule (deny any source to any destination) is hard to do the analytic through eyeball. But the attack vector designated to Australia. In order to avoid cyber attack in your firm. So firewall administrator should check their SIEM see whether it can find out the hints. If no such facility installed, Perhaps export the web server log see whether you can find out the attack activities details.

data breach spread to banking enterprise. no exception to bank of America – 28th may 2020.

Background: The PPP provides small businesses with forgivable loans of up to $10 million per company (8 weeks of payroll). This program was launched on April 3, 2020; it is a forgivable loan program offered primarily to help businesses deal with the adverse consequences COVID- 19.

Point of view: Cybercrooks have been leveraging malicious macros hidden inside XML files to distribute the Dridex financial malware few years ago. But it was happened on 2015. Form my point of view, the incident happen this time have similarity.

Possibility: We can based on below feature and predict that attacker may relies of this feature design weakness to conduct the attack.

Accessing E-TranE-Tran Options
•loan data file transfer in XML format (from a software vendor’s product or from a bank’s proprietary system) to the SBA’s E-Tran database
•A Web page where lenders can enter loan information on individual loans

One of the ways: XML injection attacks typically occur in this way: An attacker injects malicious JavaScript markup code as escaped text in an XML document. The XML document is then parsed by an XML application. Later, content of the XML element that contains malicious JavaScript markup code is used as input data for a website.

Official announcement – Please refer follow link : https://oag.ca.gov/system/files/2020-3523_Privacy_Notification_Final_Template%20%28P%29.pdf

Black Friday was happened in New Orleans on 13th Dec 2019

Preface: Once upon a time, without internet. The Black Friday virus through floppy disk infected to your MS-DOS and make a trouble to your personal computer.

Background: New Orleans declared a state of emergency and shut down its computers after a cyber security event. During a press conference on 14th Dec 2019, Mayor Cantrell confirmed that this was a ransomware attack.

Security expert findings: Based on files uploaded to the VirusTotal scanning service, the ransomware attack on the City of New Orleans was likely done by the Ryuk Ransomware threat actors, said cyber security expert.

Personal comment: Ransomware looks horrible! Are you interested in how national supercomputers can defend against cyber attacks, especially ransomware? Have you heard about docker and container technology? May be we do a discussion in coming future.

Headline News – See the link for more details: https://www.forbes.com/sites/daveywinder/2019/12/14/new-orleans-declares-state-of-emergency-following-cyber-attack/#3a12987c6a05

Gun and bullet – SMBV1 and Ransomware (Nov 2019)

Preface: Starting from around 2012 the use of ransomware scams has grown internationally.

Background: About 5 days ago, headline news of Bloomberg told that cyber criminals compromised the IT infrastructure for Mexican Petroleum. Meanwhile, hacker hopes to extract nearly $5 million from the company, with a final deadline of 30th November, 2019.

Tremendous incident record: EternalBlue leaked by the Shadow Brokers hacker group on April 14, 2017, one month after Microsoft released patches for the vulnerability. EternalBlue opened the door to one of the nastiest ransomware outbreaks in history, known as WannaCryptor.

Our point of view: Most older NAS devices do not support SMB version 2 or above, even though it can be do a firmware upgrade. But system admin sometimes lack of awareness or running out of labor resources. And therefore remains SMB V1 on the workstation. As a matter of fact, it let the small to medium size enterprise shot by ransomware. Even though manufacturing and petroleum industries you might found SMB v1 still alive in their place. Perhaps this is the story began.

For more information on headline news, please refer – https://www.bloomberg.com/news/articles/2019-11-13/a-hacker-wants-about-5-million-from-pemex-by-end-of-november

Oct 2019 – The crisis of Indian nuclear power plant’s

Preface: In fact, of system design weakness, the chances of a hacker getting remote access to systems significantly intensifies.

About Indian nuclear power plant’s network was hacked -They have confirmed its newest nuclear power plant was the victim of a cyber attack, exposing the vulnerability of one of the country’s most critical sectors to cyber espionage, said the government of India.

Current status: As mentioned in the headline news, cyber attack happened in Indian nuclear power plant is unplanned. Perhaps it did not involve any hostile country conspiracy. However we found quite a lot of cyber defense vendor could not detect such malware. In reference to the status shown in VirusTotal on 31st Oct 2019 (Asia time).

For more details about this accident, please refer url: https://www.ft.com/content/e43a5084-fbbb-11e9-a354-36acbbb0d9b6

ABout MasterCard data breach – Aug 2019

Preface: Still remember that when I was work in bank environment. Visa and Master payment solutions looks indeed secure. Those facilities are running in standalone machine. The communication protocol is the IBM SDLC communication. In order to communication with S390 mainframe. We setup data link switch in network switch and define VTAM major nodes on mainframe. Can we say the invention of internet jeopardize the world. Yes, it does.

Incident details: MasterCard said it was investigating a data breach of a loyalty program in Germany. There are about 90000 personal records was steal. Perhaps the actual figure has not been finalize yet! but rumor said that the leaked personal data is selling on darknet now. However, when we manually view the programming source it shown to us there is a lot of weakness on backend server. For instance, the backend system run on vulnerable Apache version. So i am imagine that whether there has possibility let attacker exploit CVE-2017-3167 to bypass the authentication on the front end web server then stolen the data?

Bloomberg headline news https://smg.photobucket.com/user/chanpicco/media/chanpicco001/MasterCard-leak-Aug-2019-1_zps35cvwtvc.jpg.html?sort=3&o=0