Category Archives: cyber security incident news highlight

Forever 21 retail shop data breach – official announcement

Credit Card POS malware wreak havoc. Read the headline news notice that  Forever 21 confirm that data breach occurred. The breach exposed card numbers, expiration dates and verification codes, but not cardholder names. Regarding to the information reported by engadget.com. Chipotle and GameStop suffered similar breaches this year (2017). Hotel giant HEI similar data breach occurred 2016. An announcement on 27th June 2017 told that Forever 21 Partners With Toshiba GCS on New POS. Found that hardware vendor announce that a potential vulnerability in Infineon TPN used in Toshiba notebook products. Do you think POS and notebook will be using similar TPM? Since POS and workstation can run on top of Windows OS. World not safe especially technology world!

Forever 21 breach exposed customer credit card info for months URL for reference – https://www.engadget.com/2017/12/29/forever-21-breach-exposed-credit-card-info-months/

Potential vulnerability in Infineon TPM (Trusted Platform Module) used in Toshiba notebook products URL for reference – http://www.toshiba.co.uk/generic/potential-vulnerability-in-Infineon-TPM/

Say Goodbye to 2017 cyber incidents

We are going to say goodbye to 2017. What is your expectation in the new year? Cyber World activities especially cyber attacks looks intensive this year. Perhaps we cannot imagine ransomware threat which contain powerful destruction power last decade.The crypto worm (WANNACRY) break the Cyber incident world records which suspended huge volume of workstations and servers operations in the world on May 2017. A shock to the world that the only way to recover your system or data is pay the ransom. Apart from that an alert to the business world is that how does the open source software provides the IT security assurance to the company. The data breach incident occurred in Equifix was awaken everybody. However the data breach incidents continuous exposed to the world caused by misconfiguration instead of vulnerabilities. It such a way discredit the cloud services provider. On the banking environment, the  ATM malwares are wreak havoc. A speculation by expert that DDOS attack will be replaced by ransomware. It looks that DDOS looks running strong this year. My opinion is that application security will be the focus of IT people next year. By the way, I wish you Happy New Year.

Layer 7 (application layer) – What is the information security key factors?

December 2017 published – Vmware vulnerabilities

Watch TV noticed that the brokers work in New York Stock Exchange are busy. However who else can say he will be busy than IT guy. Each week 0-day announcement. Perhaps the individual vulnerability happen on different vendor daily.
Staging, testing, backup and patch implementation all the job task will be implement earlier morning. All we are fall asleep. This month VMware looks like a vulnerability champion winner. The vulnerability happen in computer end looks like apply quantum computing theory. It is multi angle (quantum superposition).

For more details, see below url for reference: VMware ESXi, vCenter Server Appliance, Workstation and Fusion updates address multiple security vulnerabilities

https://www.vmware.com/security/advisories/VMSA-2017-0021.html

 

Winter solstice blessing 2017

The sun shines directly on the Tropic of the Capricorn in the southern Hemisphere. The Northern hemisphere is tilted away from the sun. Whereby a festival hand down thousand years in galaxy especially the earth. This is the winter solstice. The IT guy especially security operation center requires working in 24 hours. Perhaps you must take a rest and enjoy the dinner with your family tonight. This is the space to balance your life. Enjoy!

The stronger encryption power you have. The greater the risk being attacks.

A new mantra , some people quit the bitcoin business whereby some people catch up immediately! Such statement precisely describe current situation of bitcoin industry. A South Korean bitcoin exchange has filed for bankruptcy after being hacked again. They are decide to quit. It surprise to us with advanced secure platform causes such tragedy. But malware infection and DDoS attack not green to IT world today. Be brave to facing difficulties. Your new era is coming. A visible hints to re-engineering your cyber defense model in according  of  Lockheed Martin the Seven Ways (Cyber Kill Chain). You can figure out existing weakness of bitcoin technology architecture model. Perhaps sad feeling bring to bitcoin world is that they did not paid the attention on end-point wallet security management and manged security services. The trend is on the way, even though we are not belongs to this industry. Let’s you and me become the witness of this age!

More details of Youbit Bitcoin exchange quits operation see below url:

https://qz.com/1160573/bitcoin-exchange-youbit-files-for-bankruptcy-in-south-korea-after-latest-hack/

Dig out more in regards to e-wallet security information see below url:

Perspective of e-Wallet Vulnerability

Potential black force – digitize Godzilla

Preface

Can you remember that Science fiction movies Godzilla. The sea monster dubbed Godzilla, his body empowered by nuclear radiation then become huge. However his target is attack the Tokai Nuclear Power Plant and feeding on the nuclear reactor. The Japanese government concluded that nuclear power was what attracted Godzilla.

The World in demand of electricity power

The electricity power generation scheme, like plants that burn coal, oil and natural gas, produce electricity by boiling water into steam. This steam then turns turbines to produce electricity. Nuclear power plants obtain the heat needed to produce steam through a physical process. Apart of environmental pollution and Harmful radiation. Nuclear power looks is the quick and dirty way to resolve the natural resources supply limitation in the earth.

Example: Water energy reactor located in Ukraine

Stuxnet malware ages evolute the function to the new generation of malware

Cyber attacker follow Stuxnet objective, the group re-engineering a powerful DDOS tool on 2016. The attack target are the media outlets and electric companies in Ukraine. The new version of BlackEnergy does not contains destroy feature. It oppositely able to download and execute a binary or shell command, uninstall itself, modify internal settings, or load additional modules. The conceptual idea of the design is evade the defense mechanism detection. In short to summarize such design is that new version of black energy combined spear phishing email with embedded link file contains path to the module (.dll) .

The functionality of BlackEnergy can be extended with additional modules. These modules are stored in encrypted form in a separate file, which can be referred to as a plug-in-container. The attacker will be executed and download payload afterwards (see below diagram for reference)

We known the vulnerability known as CVE-2010-2568 and used by the Stuxnet computer worm can be weaponized to remotely execute code over a Windows computer without the user’s knowledge. It target the Siemens WinCC SCADA systems.

DNP3 (Distributed Network Protocol) is a set of communications protocols used between components in process automation systems especially electric and water supply facilities. The distributed network protocol (DNP3) play a major control role in SCADA system especially used by SCADA Master Stations (Control Center). A hints in below diagram shown that programmable logic controller responsible centrifuge status control and monitoring.

How Iran’s nuclear centrifuges facilities work?

As times go by, more and more manufacturer involves to nuclear facilities hardware re-engineering and installations. The well known vendor not limit to Siemens, it now have Schneider Electric, Allen-Bradley, General Electric (GE)…. But another 0-day vulnerability found few months ago.

The Modbus is a serial communications protocol originally published by Modicon (now Schneider Electric) in 1979 for use with its programmable logic controllers (PLCs). The Modbus protocol is the major communication protocol communicates with programmable logic controller. However it is a UN-encrypted data traffic. And therefore sensitive information is run in clear text (see below diagram for reference).

Remark: Both DCS and SCADA are monitoring and control systems used in industrial applications. The systems monitor equipment and processes to ensure all processes and equipment are performing within the required tolerances and specifications.

A design weakness was discovered in Schneider Electric Modicon Modbus Protocol. Sensitive information is transmitted in cleartext in the Modicon Modbus protocol, which may allow an attacker to replay the following commands: run, stop, upload, and download (CVE-2017-6034). Besides, the Modicon Modbus protocol has a session-related weakness making it susceptible to brute-force attacks.

Quote:

UMAS is a Kernel level protocol and an administrative control layer used in Unity series PLC and Unity OS from 2.6. It relies on the Modicon Modbus protocol, a common protocol in Critical Infrastructure, SCADA and industrial control systems and used to access both unallocated and allocated Memory from PLC to SCADA system said CTO and founder of CRITIFENCE.

* It may not be entirely patched within the coming years, since it affects a wide range of hardware and vendors.”

December 14, 2017 announcement by FireEye – Found Triton Malware

It looks critical that Schneider programming logical controller could soft patch not issue yet. The expertise by FireEye found security alert on Triconex cotroller. The expert believe that Fireye believe that this masqueraded trilog application was deployed by Sandworm Team. This team engage cyber attack to Ukraine nuclear power facilities in 2016.

 

Information Supplement

Supervisory control and data acquisition (SCADA) is a control system architecture that uses computers, networked data communications and graphical user interfaces for high-level process supervisory management. How does this function to operate? Below diagram provides hints for reference.

Conclusion:

The suspicious attack found on Schneider Electric brand this time. It is hard to tell that similar attack will be happen on other brand name soon.

Information appending on 3rd Feb 2018 : related SCADA information for your reference

Advantech WebAccess/SCADA – CVE-2018-5443 – CVE-2018-5445

Another Force Awakens – Bleichenbacher Attack on TLS

X’mas is coming soon! I am waiting to watch the movie “Star War – The last Jedi” coming Friday. The cyber attack so called ROBOT (Return of Bleichenbacher’s Oracle Attack) looks doing the celebration. looks doing the celebration coming Star War movie. TLS base attack type hottest recent year.. Vendors remediation details shown as below:

Cisco https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171212-bleichenbacher

Citrix https://support.citrix.com/article/CTX230238

F5 https://support.f5.com/csp/article/K21905460

Oracle – https://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html

Believe it or not? Homeland security twin brother!

Chinese people mantra, your face may similar to other people. This theory also apply to everything. I agree and believe the US government homeland security web site are unique. Believe it or not , the web site naming convention and contents looks similar to homeland security. However the web site not protected by Akamai network . They do not belongs to US government. To be honest, it make you confused! URL shown as below:

http://www.homelandsecurity.com

The picture diagram can provides the details to you for reference.

The Force Awakens – but it is Apache struts vulnerability!

Apache struts seems a instigator on Equifax data breach incident. An announced by US Homeland security this week to urge IT guy staying alert on New found Apache Struts vulnerability again (see below URL). My comments on this vulnerability is that it expand the attack space or vector . Why? Are you familiar with REST client. It reproduce a new playground for hacker since it is allow to start the attack to Apache Strust product on mobile phone.  We noticed that Cisco products are also the Struts users (see below)

Vulnerability detail (see below):

https://tools.cisco.com/security/center/viewAlert.x?alertId=56116&vs_f=Alert%20RSS&vs_cat=Security%20Intelligence&vs_type=RSS&vs_p=Apache%20Struts%20REST%20Plugin%20JSON%20Library%20Denial%20of%20Service%20Vulnerability&vs_k=1

Cisco products are also the Struts users (see below)

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170909-struts2-rce

Would you mind someone sharing your CPU power during your site visit?

Sharing your power to do the bitcoin mining not a news. Seems the storm spread to Hong Kong. The unknown program implant to the web server which share your CPU resources during your site visit. It looks such method wreak havoc! But the threat occurs in children products web portal. Why? More than 90% of people feeling that hacker will not be interested of this industry. But sharing your CPU power might operating in silent mode, right? Are you the victim of this attack? A simple and easy step to figure out the issue.You open your windows task manager. Then check your CPU resources utilization before and after close the specific web browser function.You will be figure out what is going on? Headline News details shown as follow:

Chinese language Newspaper article

https://hk.news.appledaily.com/local/daily/article/20171203/20233090

Another former discussion subject : Become a witness of new generation of financial age.For more details, please refer following url:

Become a witness of new generation of financial age. But be careful of hack.