Cyber criminal is under arrested. She is accused of breaking into a “Capital One” computer facility and gaining access to 140,000 Social Security numbers, 1 million Canadian Social Insurance numbers and 80,000 bank account numbers.
Security Focus : Cyber criminal is under arrested. She is accused of breaking into a “Capital One” computer facility and gaining access to 140,000 Social Security numbers, 1 million Canadian Social Insurance numbers and 80,000 bank account numbers. Technical guy may known that there is a design limitation occurs on AWS. The metadata service provides temporary credentials. There is no authentication and no authorization to access the service. A mis-configure firewall policy will causes untrusted source establish connection to meta service. For more details, please refer to attach diagram.
Headline News – A hacker gained access to 100 million Capital One credit card applications and accounts
Preface: The IoT will make the Taxi Industry change.The business concept of Uber is the industrial leader. Perhaps their concept and ideas are advanced and therefore cyber security are their major concerns.
Vulnerability details: Palo Alto Networks PAN-SA-2019-0020 (CVE-2019-1579): Remote Code Execution vulnerability in GlobalProtect Portal/Gateway Interface, especially on SSL Web VPN Applications. Vendor do a preventive action, a survey will be conducted all Palo Alto SSL VPN over the world. See whether is any large corporations using the vulnerable GlobalProtect, and Uber is one of them!
From our survey, Uber owns about 22 servers running the GlobalProtect around the world. For instance – vpn.awscorp.uberinternal.com.
Remark: Uber announce that the vulnerable SSL VPN solution was not the primary VPN in use by the majority of staff members. Their VPN gateway was hosted in AWS rather than embedded within core infrastructure and so the potential impacted will be in low risk.
Our comment: The vendor did not provide the vulnerability details. But do you think that attached infographic details may trigger similar attacks?
Remedy: Available Updates – PAN-OS 7.1.19 and later, PAN-OS 8.0.12 and later, and PAN-OS 8.1.3 and later releases.
Preface: If victim is not negligence. Can we give an excuse to him?
Company background: Orvibo, a Chinese smart home solutions provider.
Story begin: A technical report shown to the world that Orvibo (ElasticSearch cluster) leaked more than two billion user logs containing sensitive data of customers from countries all over the world. Does the admin using easy to guess password or………
Impact: Diminished reputation of the company only. Perhaps more, GDPR penalty, phishing scam,..etc. Most likely customer do not aware and let the attacker hunt the victim easier because criminal will counterfeit their personal information.
If you are aware your personal information has been stolen by above incident. What should You do?
Since hacker know your personal details and therefore they will using your information to conducting criminal activities on other public media. Our suggestion is that changing your password and update the virus signature or OS patching are not enough. You must observer your mail box whether scam mail activities is growth rapidly after this incident. If result shown positive, you must contact your email service provider and looking for their recommendations.
Preface: The NCSC is investigating current Ryuk ransomware campaigns targeting organisations globally, including in the UK. In some cases, Emotet and Trickbot infections have also been identified on networks targeted by Ryuk.
Technical details: Ryuk was first seen in August 2018. The Ryuk ransomware is often not observed until a period of time after the initial infection – ranging from days to months.Ryuk ransomware linked to Emotet and Trickbot banking trojans. – The objective of Emotet conduct as a dropper feature in order to delivery for other Trojans. – Trickbot aim to browser as a attack target, the aim to do manipulation techniques to facilitate data theft. The structure of the encrypted file is identical to the structure used in Hermes Ransomware, including the distinctive HERMES token that this malware uses to identify files that it has already encrypted.
Remark: Cyber Criminals distributing Hermes Ransomware via dangerous malspam that contains Weaponized Password protected Word documents to encrypt the system files and lock the victim’s computer.
The pre-operation of Ryuk ransomware on infected computers:
Preface: A privilege escalation is possible from the Exchange Windows permissions (EWP) security group to compromise the entire prepared Active Directory domain.
Vulnerability details: A tool capable for performing ntlm relay attacks on Exchange Web Services (EWS). It spawns an SMBListener on port 445 and an HTTP Listener on port 80, waiting for incoming connection from the victim. Once the victim connects to one of the target, an NTLM negociation occurs and is relayed to the target EWS server.
Hints: Do not contempt the vulnerability on workstation. It is one of the way which assists the hacker to do the privileges escalation. If the compromised workstation is the domain member. Hacker relies on NTLM vulnerability to do the priviliges escalation. That is, they remotely execute malicious code on any Windows machine or authenticate to any HTTP server that supports Windows Integrated Authentication (WIA). For instance, the Exchange server and ADFS (Active Directory Federation Services).
Preface: Sometime, the argue in between two countries similar a child. I am going to joke with you then switch off your power.
Highlight: Headline news by the New York Times give a tremendous feeling to the world. It let the people think the cyber war is on the way. Yes, it is true. The plan to implement Astra Linux in Russian defense systems dates back to the beginning of 2018. As far as we know, Russian do not relies on Microsoft operation system anymore especially critical facilities (military, defense system and power grid). Astra Linux compatible with Siemens Simatic IPC427D workstation. And therefore it is secure to implement in power supplier facility. But….
However it is hard to guarantee the vendor hardware vulnerability, right? For instance, Denial-of-Service Vulnerability in SIMATIC S7-1200 CPU and SIMATICS7-1500 CPU.
Remark: SIEMENS SCADA software family consists of three main pillars, WinCC Pro, WinCC 7 and WinCC … WinCC Pro is popular and can be used in any – discrete or process.
What is your opinion on the headlines of the New York Times? Do you think this is a conspiracy?
Looking back – The Russia hacked the US electric grid. DHS and FBI are characterizing it as a Russian attack, noting that this was a multiyear campaign started in March 2016 by Russian government “cyber actors.” The unconfirmed accusation of cyber attack to Russia posted by New York Times. Do you think it was a defensive action by US government?
– Compatibility with the Komrad SIEM
system – FSTEC certificates of the Russian Federation and FSB of
the Russian Federation on Astra Linux of SE (release Smolensk) –
Compatibility with the Simatic IPC427D workstation – Compatibility
with Videoselektor – Minobona’s certificate of the Russian
Federation and FSB on Astra Linux of SE (release Leningrad) –
Compatibility with Mellanox Spectrum – Compatibility with
TerraLink xDE – Tests of BLOK computers running SE 1.6 Astra Linux
OS – Availability of an official mirror of a repository of Astra
Linux OS on mirrors.kernel.org – Compatibility with JaCarta –
Compatibility with CryptoPro CSP on Elbrus and Baikal processors –
Compatibility with Linter DBMS
Preface: Exim is growing in popularity because it is open source.
Background:It’s the default mail transport agent installed on some Linux systems.It contain feature likes: Lookups in LDAP servers, MySQL and PostgreSQL databases, and NIS or NIS+ services.
Vulnerability details: The vulnerability was patched in Exim 4.92, released on February 10, 2019. The vulnerable code is in “deliver_message()”. A vulnerability exists because the email address in the deliver_message() function in /src/deliver.c is not fully validated. So local attackers simply send emails to “${run{…}}@localhost”. Since “localhost” is a local domain of Exim) and execute as root (system privileges).
Remark: Deliver_drop_privilege is set to false by default.
Attack synopsis: If the “verify = recipient” ACL is manually deleted then remote attack will be occurred. Attacker can reuse our local-exploitation method with an RCPT TO “xxx+${run{…}} @ localhost”. Where “xxx” is the name of the local user .
Synopsis: The users were temporarily unable to reach adjacent countries internet web sites for short period of time (less than 1 – 3 minutes) due to an issue of Internet BGP backbone.
Description: On Sat, I was surprise that some internet web site looks unstable. It is not only happens on a single web site.
What do you think about or do you aware? There are likely to be similar problems that you can find below:
The ABC ISP (AS __xx) configured a static route 66.220.144.0/24 pointing to null in order to block Facebook access for ABC ISP customers. However, the ISP started to announce the prefix 66.220.144.0/20 towards its upstream provider CDEF (AS xxxx) that propagated the announcement to its peers. Meanwhile Facebook (AS32934) that had been announcing prefix 66.220.144.0/20 so far, started to fight back. Facebook began to announce more specific prefix 66.220.144.0/24. They kept announcing 66.220.145.0/24, however the service would still not be available for a large part of Facebook users. Those were the users whose traffic took a path towards ABC ISP (AS__xx), thus it could not reach Facebook. The traffic was being backhauled by a static route configured on ABC (AS__xx) edge router.
Preface: The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) have identified a malware variant— so called ELECTRICFISH.
Technical details: The malware implements a custom protocol like “Tor browser”. The aim to allows traffic by-pass defense mechanism in between source and a destination Internet Protocol (IP) address. The malware continuously attempts to reach out to the source and the designation system, which allows either side to initiate a funneling session.
Comment: Seems malware designer aware that their operation will be terminated by malware detector especially company which installed “FireEye”. The successful factor of the infection all depends on thier infection path. May be it is a phishing, or hide himself in a 3rd party software drivers. From technical point of view, their activities is not easy discovered by antivirus program once malware successful install. But it is rare that even “Virustotal” do not have their information till now.
Preface: Heard that estimated total of 1,000,000 SAP production systems could currently be at risk of being hacked.
Technical details: When you configure sap router (saprouter) to allow remote (from the Internet) connections via the SAP GUI. The original design will add entries to the route tables for TCP port 3300, 3301, and 3303 the external application they are using (a gateway connection on these ports).
Default TCP gateway port exploit by hacker: Since a default pathway built, so the hacker might have a channel to compromise the system. For example, send the malicious code try to conduct remote code execution. As a matter of fact, a proof of concept shown that SAP backend response with malicious code.
Remedy: If you outsource your cyber security watch guard responsibility to managed security services provider. They will create the yara rules to deny such malicious activities. If not, you are require to create yara rules by yourself on IDS system. For more details, please refer to diagram.
