Category Archives: Cyber War

New Linux malware – aka Drovorub (13th Aug 2020)

Preface: New Linux malware silently conducting the attack. The FBI and NSA issue joint security alert.

Official announcement – https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF

Remedy: To prevent attacks, the agency recommends that US organizations update any Linux system to a version running kernel version 3.7 or later, “in order to take full advantage of kernel signing enforcement,” a security feature that would prevent APT28 hackers from installing Drovorub’s rootkit.

Reference: On older versions of Linux, two buffers allocated next to each other on the heap could result in the first buffer overwriting the second buffer’s metadata. By setting the in-use bit to zero of the second buffer and setting the length to a small negative value which allows null bytes to be copied, when the program calls free() on the first buffer it will attempt to merge these two buffers into a single buffer.

Impact: Heap overflows to gain arbitrary code execution.

Headline News: https://www.zdnet.com/article/fbi-and-nsa-expose-new-linux-malware-drovorub-used-by-russian-state-hackers/?ftag=TREc64629f&bhid=22308921349725635516834735786487&mid=12982564&cid=717383279

NSA preemptive curb threats factor – an exploitation of exim design weakness – 29th May 2020

Preface: The severity depends on your configuration, said vendor. It depends on how close to the standard configuration your Exim runtime configuration is. Jun 2019

Headline news on 28th May 2020 – The National Security Agency (NSA) has released a cybersecurity advisory on Russian advanced persistent threat (APT) group Sandworm exploiting a vulnerability—CVE-2019-10149—in Exim Mail Transfer Agent (MTA) software. Exim is growing in popularity because it is open source. An unauthenticated remote attacker can use this vulnerability to send a specially crafted email to execute commands with root privileges, allowing the attacker to install programs, modify data, and create new accounts.

The design weakness origin: The vulnerability was patched in Exim 4.92, released on February 10, 2019. The vulnerable code is in “deliver_message()”. A vulnerability exists because the email address in the deliver_message() function in /src/deliver.c is not fully validated. So local attackers simply send emails to “${run{…}}@localhost”. Since “localhost” is a local domain of Exim) and execute as root (system privileges).

Action: Apply Exim Updates Immediately

NSA official announcement – https://media.defense.gov/2020/May/28/2002306626/-1/-1/0/CSA%20Sandworm%20Actors%20Exploiting%20Vulnerability%20in%20Exim%20Transfer%20Agent%2020200528.pdf

Is it a cyber attack or a design change? (Sunday, May 17, 2020 (EDT))

Preface: High-level state-backed APT groups wreak havoc on cyber world. Does this attack only in short time or it will become a constant activities?

Security focus: Information technology professional will relies on DHS (US Homeland security) news update as a standard security alert indicator. For example, I am the follower. Found by tonight that the cyber security main page has changes. To be honest, my observation feedback to me that it is not normal. Regarding to the web page design, it shown that it do not use iFrame. However, the web site layout looks strange. I do not want to use the key term broken to describe. Because of this matter, I just take a look of the header information. It show to me that it is running Drupal.

Anyway it is recommend to remove this disclosure information. Perhaps the method is straight forward. The simplest method is to remove the header in a custom EventSubscriber. Please refer to diagram. The official information shown in follow URL. https://drupal.stackexchange.com/a/201297/47547

The problem now fixed by homeland security – 18th May 2020 – HKT

Little-Known Linux Exploits is being weaponize – 15th May 2020

Preface: The following information will continue the theme released yesterday. For review the details by yesterday, please follow this link – www.antihackingonline.com/cyber-war/high-level-state-backed-apt-groups-entrenched-in-plenty-of-servers-for-nearly-a-decade-using-little-known-linux-exploits-14th-may-2020/

About the theme: Sound can tell, according to statistic provided by Microsoft. Cyber security attack is rapidly growth especially in education area within past 30 days. Perhaps Healthcare and pharmaceuticals area cyber attack volume not as high as education area. However the details found by Microsoft has similarity with security expert observe in past. There are more and more attacker focus to Linux environment.

Security focus: Backdoor code in the popular Bootstrap. To launch the action, the backdoor must be embedded in a “bootstrap” application (a dropper) that is written in C and called xxx.c. Once compiled and started, the dropper program must infect the first Linux ELF executable that it finds in the current directory. Then, when this newly infected file is executed, your virus code is supposed to run.

The myth said that Linux will be secure than Windows. It will be not correct anymore.

High-level state-backed APT groups entrenched in plenty of servers for nearly a decade Using Little-Known Linux Exploits – 14th May 2020

Preface: According to statistical data, most organizations store data in cloud platforms operating in Linux based environment. Statistics show that, compared with the Windows operating system, Linux coverage rate exceeds 75%.

Background: Linux system commonly using drive by downloads on an infected website. For instance you install program on Linux sometimes require specify library file (.so). Perhaps your sense of defensive will be downgrade during software installation because you aim to achieve completed the milestone and therefore unintended let the rootkit implant to you Linux system. The rootkit is considered to be a type of Trojan horse. Many Trojan horses exhibit the characteristics of a rootkit. The main difference is that rootkits actively conceal themselves in a system and also typically provide the hacker with administrator rights.

RootKit specifications:

  • Kernel mode rootkits (Ring 0)
  • User mode rootkit (Ring 3)

What can we do now? Actively monitor web applications for unauthorized access, modification, or anomalous activities. But stay alert when you download the library file.

For Malicious Cyber Activity, US Homeland Security provides visibility to the world – 13th May 2020

Preface: It is impossible to rely on small group of expert to track malicious activities on the Internet. In fact, it needs strong financial support. This is reality, maybe this is a long-running game.

Background: US Homeland Security issue an evaluation article on hostile country malware and phishing attacks motion. Perhaps you may ask? Can it be relies on SIEM do this monitoring. My opinion is that we should say thanks to DNS Sinkhole.A website that hosts malware can either attempt to trick users into downloading a malicious program, or execute a drive-by download: a download of a malicious piece of software that is automatically triggered when the webpage loads. But it require DNS lookup service. By using the DNS sinkhole technique it is also possible to deny access to any of malicious C&C websites. Besides, the queries will be written down to DNS Sinkhole record.

Security focus of specifics malware:
COPPERHEDGE, is described as a Remote Access Tool (RAT).
TAINTEDSCRIBE is a trojan that acts as a full-featured beaconing implant with command modules and designed to disguise as Microsoft’s Narrator.
PEBBLEDASH is yet another trojan acting like a full-featured beaconing implant and used by hacking groups “to download, upload, delete, and execute files; enable Windows CLI access; create and terminate processes; and perform target system enumeration.”

For more information about the report, please click this link – https://www.us-cert.gov/northkorea

Apocalypse: Unknown secret plan – project citing Mirai malware and intend to exploit IoT design weakness triggers cyber attack (29th Mar 2020)

Preface: The Greece Myth – During the war against Cronus, the Cyclops gave Lightning Fire to Zeus as weapon. Meanwhile Poseidon received Trident, and Hades achieve Invisible Helmet.

Background: The strategic outsourced concept of IT services not limited to commercial In-house IT team. It is also practiced in intelligence circles.

The group claimed that it is inspired by Mirai. The primary approach of attack is exploit factory default logins and common username/password combinations for IoT devices. Once a password attack was successful, the device would be integrated into the botnet.

Mirai DDoS attack capabilities include SYN flooding, User Datagram Protocol flooding, ACK flooding and HTTP GET, POST and HEAD attacks. Mirai continues to be successful for a well-known reason: Its targets are IoT devices with hardcoded credentials found in a simple web search.

Details: In past decade, even though how was the attack technique you has. Perhaps the destructive power will be limited by society situation. Comparing today, all the people at least has a mobile phone and wireless router at home. The threat actors can conduct a DDoS to web hosting or collaboration service cloud within an hour. The headline news uncovers the contractors of the Russian national secret service FSB was hack which let the world know this conspiracy.

Perhaps this is a alert signal to smart city.

You may be interested of article shown below:

APT Group attack major focus: time window before release and patched (19th Feb 2020)


Preface: In normal circumstance, the remediation of vulnerabilities is time consumption. Even though Software-based vulnerabilities policy allow up to 90 days for the vendor to provide a patch.

Background: It looks that existing period of time can be happen plenty of matters. So far APT Group have talented and knowledge to discover the defect of the I.T product. Refer to cyber security evaluation report found that the new round of cyber attack for specify APT group will be focusing the SSL VPN products vulnerability. Refer to attached diagram, it shown that at least 3 different products of SSL VPN service encountered vulnerabilities last year (2019).

Our Focus: Perhaps vendor will based on the severity level priority the remedy schedule. This gap can provide such a space to hacker engage cyber attack.

The suspected defect like Sonicwall SSL-VPN. APT Group not difficult to conduct this attack.The memcpy function can be overflow the local buffer. So overwriting EIP and using a rop chain to execute commands is simple.

*Return-oriented programming (ROP) is a computer security exploit technique that allows an attacker to execute code in the presence of security defenses such as executable space protection and code signing.

About Emotet malware (2019)

Preface: Emotet malware found in 2015. But he is still aggressive nowadays. It shown that it is a long life cyber attack product .

Details: Australian Cyber Security Centre (ACSC) released an advisory that Emotet malware widespread in rapidly. The Emotet malware is distributed mostly by means of phishing email that contains either links to malicious sites, or malicious attachments.
Since Emotet is a polymorphic design.Emotet is a polymorphic engine to mutate different values and operations. From observation, it now link with ransomware.
The change in shape of Emotet more or less proof that his design is equivalent as a cyber weapon. It provide the functions for infiltration. Meanwhile, after finished the mission. It can link to ransomware. Such design can avoid forensic investigator conduct the validations.

For more details, please refer to ACSC announcement. https://www.cyber.gov.au/threats/advisory-2019-131-emotet-malware-campaign

Oct 2019 – When hostile countries are prepared to take military action. They took cyber attacks as a 1st step.

Preface: Both ransomware and malware are powerful cyber attack tools. This is equivalent to the army entering a hostile country.

Background: On yesterday 21st Oct 2019, NSA and NCSC release joint advisory on Turla Group Activities article. The attack target is the aspx shell. It appeared to use these ASPX shells to preparing 2nd round of cyber attack.

We seen the trend for cyber attack in future will be target to the web API. The hacker still maintain interest on Microsoft product especially .Net framework. Traditionally, ASP.NET Web API does not utilize the request validation feature to sanitize user input. You will need to add this protection manually if any input will be used in HTML output. Apart from that, there are more and more Microsoft SharePoint deployment is also one of the factor.

Quite a lot of web programming feature lure the cyber attacker put their interest into software programming side (see below).

  • User-mode rootkits run in Ring 3, along with other applications as user, rather than low-level system processes. And therefore it does not require elevation of privileges.
  • A ring 0 rootkit in this instance would be a kernel mode driver (*.sys file) that also requires administrator privileges when installing.
  • Query parameter text is not checked before saving in user cookie NameValueCollection request = Request.QueryString
  • Adding cookies to the response Response.Cookies[“userName”] Value = request [“text”]

Here comes along with the cyber attack in continuous way.

Technical article for reference: https://media.defense.gov/2019/Oct/18/2002197242/-1/-1/0/NSA_CSA_TURLA_20191021%20VER%203%20-%20COPY.PDF