Category Archives: Cyber War

Could ring 2 have the same momentum as an IoT backdoor?

Preface:

In x86 protected mode, the CPU is always in one of 4 rings. The Linux kernel only uses 0 and 3:

  • 0 for kernel
  • 3 for users

Hidden janitor living in your computer

SMM is triggered through a System Management Interrupt (SMI), a signal sent from the chipset to the CPU. During platform initialization, the firmware configures the chipset to cause a System Management Interrupt for various events that the firmware developer would like the firmware to be made aware of.

Do you remember that Intel chipsets have for some years included a Management Engine?

In May 2017, Intel officially announced a design limitation in its products: Intel Active Management Technology, Intel Small Business Technology, and Intel Standard Manageability were affected by an escalation-of-privilege vulnerability. Reference URL below:

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00075.html

Conspiracy theories aside, a backdoor appearing in the chipset is not a rumour; it is a true statement.

Why isn’t Ring 2 used?

Rings 1 and 2 are intended for the OS to place device drivers at that level, so they are privileged but somewhat separated from the rest of the kernel code.

An exploitation on Ring 2

We strongly believe that the people most familiar with the code of the UEFI kernel and the SMM half-kernel are the CPU manufacturer. Both components run on Ring 2. The Intel design flaw mentioned above runs in the Ring -2 OS (UEFI). UEFI can run in 32-bit or 64-bit mode and has more addressable address space than BIOS, which means your boot process is faster. Unified Extensible Firmware Interface (UEFI) is a specification for a software program that connects a computer’s firmware to its operating system (OS). UEFI is expected to eventually replace BIOS. Like BIOS, UEFI is installed at the time of manufacture and is the first program that runs when a computer is turned on. Dual-booting a computer with Windows and Linux is handled by the UEFI firmware. But UEFI firmware has become a target for hackers.

Referring to the diagram above, we notice that the status of Ring 2 depends on the operating mode. With hardware-assisted virtualization, Ring 2 and Ring 3 can work together. As a result, an attacker with write access to flash can inject malware into the firmware.

Remark: Malware injected into the firmware flash regions is persistent and will run on every subsequent boot.

SPI Flash Exploit – Malicious DXE drivers can disable security settings and install malicious code into the OS.

Additional:

Referring to the information above: when a computer was installed and switched on, the microchip altered the operating system’s core so that it would accept modifications. The chip could also contact computers controlled by the attackers in search of further instructions and code.

But there is no further proof of who the culprit is; perhaps the blame can be shifted onto someone else. If you do not mind reading the Bloomberg article once more, please refer below:

https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies

2nd Oct 2018 – Homeland security alert (Retail payment system security advisory)

US Homeland Security urges the banking industry, especially payment gateway service providers, to stay alert for a new round of malicious cyber attacks on their systems. A similar cyber attack happened in Taiwan, where the heist drew cash equal to $2.6m (£2.1m). Homeland Security reveals how the technique makes an ATM spit out cash like a person vomiting; but what comes out are bank notes, which you and I both like.

The key step of this attack is to compromise the switching application server first. Malicious applications then generate a counterfeit response message using the GenerateResponseTransaction1() or GenerateResponseTransaction2() function, send it to the acquirer, and drop the request before the payment switch application processes the message. As a result the issuer is fooled and has no knowledge of the transaction. Should you be interested in the above details, please refer to the URL below:

https://www.us-cert.gov/ncas/alerts/TA18-275A

My speculation on how Cisco (Talos) found the malware (VPNFilter malware).

Preface:

The Cisco Umbrella Security Research team built a detection framework that uses Big Data and data mining methods to predict attacks before they happen.

Point of view:

a. Vulnerable routers are susceptible to shell metacharacter attacks

According to the observations of the Cisco Talos security team, a group of router devices is vulnerable: Linksys, MikroTik, Netgear, and TP-Link, as well as QNAP network-attached storage (NAS) devices. I am not going to repeat the attack details because nobody will describe them as clearly as the Cisco findings (see the URL below for reference).

https://blog.talosintelligence.com/2018/05/VPNFilter.html

However, a hint given to me is that they are all vulnerable to shell metacharacter attacks. What is a shell metacharacter attack? A metacharacter is a character that has a special meaning (instead of a literal meaning) to a computer program, such as a shell interpreter or a regular expression engine. … Otherwise, the parenthesis, plus sign, and asterisk will have a special meaning. In this sense, those routers contain a design weakness that may let the router misbehave; for instance, it may accept arbitrary command execution through shell metacharacters in a URL.

Botnets in the earlier phase relied on workstations to carry out attacks, and in the last few years shifted to smartphones. Most likely the security of workstations and smartphones has improved, so the threat actors have found a new victim today: the low-end wireless router.

So the items below are the guidance:

  • Never trust input
  • Prefer rejecting data to filtering data
  • Every component should validate data

The ways to validate input are:

  • Indirect selection – application never directly uses user input
  • Whitelist
  • Blacklist

If input is required, take the following validation actions:

  • Sanitize – Attempt to fix input by removing dangerous parts
  • Refuse to use invalid input
  • Record invalid input in log file
  • Alert – send notification to related personnel
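The guidance above as working code, added here as an example and not code from the original post or from any router vendor: a hypothetical router diagnostic endpoint that receives a host name in a URL query string. The first function shows the weak pattern described above (user input pasted into a shell command string), and the InputGuard class applies the steps listed: an allow-list decides, invalid input is refused and recorded, and the blacklist of shell metacharacters only classifies a rejected value as a probable attack for alerting. The endpoint name, the 192.168.1.1 address and the sample URLs are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Hypothetical router diagnostic endpoint (added example): the web UI receives
# /ping?host=<value> and runs a ping against it. All names here are assumptions.

# Characters a POSIX shell interprets instead of passing through literally.
SHELL_METACHARACTERS = frozenset(';|&$`<>()[]{}*?!~"\'\\ \t\n\r')

# Allow-list for a hostname or IPv4 literal: letters, digits, dots and hyphens only.
# Used with fullmatch(): re.match() with a trailing '$' would accept "host\n".
HOST_ALLOWED = re.compile(r"[A-Za-z0-9.-]{1,253}")


def host_from_url(url):
    """Pull the 'host' query parameter; parse_qs already percent-decodes it,
    so %3B arrives here as a literal ';'."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("host", [""])[0]


def vulnerable_command(url):
    """The weak pattern the post describes: user input concatenated into a
    command string destined for a shell. Returned here, never executed; a shell
    would split the string at the metacharacters and run what follows them."""
    return "ping -c 1 " + host_from_url(url)


class InputGuard:
    """Validation pipeline following the post's guidance: allow-list first,
    refuse anything else, record it, alert when it looks like an attack."""

    def __init__(self):
        self.log = []     # rejected inputs (stand-in for the log file)
        self.alerts = []  # notifications for staff (stand-in for e-mail or SIEM)

    def validate_host(self, value):
        """Return None when the value is acceptable, otherwise the reason."""
        if not value:
            return "empty host"
        # A leading '-' is not a shell problem but an argument-injection one:
        # ping would read it as an option even with no shell involved.
        if value.startswith("-"):
            return "host looks like a command-line option"
        if not HOST_ALLOWED.fullmatch(value):
            return "host contains characters outside the allow-list"
        return None

    def handle(self, url):
        """Return the argv to run (no shell) or a rejection with its reason."""
        host = host_from_url(url)
        reason = self.validate_host(host)
        if reason is None:
            # argv list, no shell: the value is exactly one argument to ping
            return {"status": "ok", "argv": ["ping", "-c", "1", host]}
        self.log.append({"input": host, "reason": reason})
        if SHELL_METACHARACTERS & set(host):
            # The blacklist decides nothing; it only classifies a rejected
            # value as a probable injection attempt worth a notification.
            self.alerts.append(f"shell metacharacter in host parameter: {host!r}")
        return {"status": "rejected", "reason": reason}


if __name__ == "__main__":
    guard = InputGuard()
    for url in ("http://192.168.1.1/ping?host=example.com",
                "http://192.168.1.1/ping?host=example.com%3Bid",
                "http://192.168.1.1/ping?host=-c"):
        print(url, "->", guard.handle(url))
    print("alerts:", guard.alerts)
```

Two details worth copying: parse_qs percent-decodes before validation, so an encoded %3B is caught as a ';', and the allow-list is applied with fullmatch rather than match plus a trailing $, which would let a value ending in a newline through. Even with no shell involved, a value starting with '-' has to be refused, because ping would read it as an option.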

b. Behavioral analysis discovered an abnormal traffic pattern

There are design weaknesses in the Modbus protocol. Basically Modbus is an application layer protocol. However, the MODBUS/TCP protocol implementation contains multiple vulnerabilities that could allow an attacker to perform reconnaissance activity or issue arbitrary commands.

  1. All MODBUS messages are transmitted in clear text across the transmission media.
  2. There are no integrity checks built into the MODBUS application protocol. As a result, it depends on lower layer protocols to preserve integrity.
  3. There is no authentication at any level of the MODBUS protocol. One possible exception is some undocumented programming commands.
  4. MODBUS/TCP consists of short-lived transactions where the master initiates a request to the slave that results in a single action. When combined with the lack of authentication and poor TCP initial sequence number (ISN) generation in many embedded devices, it becomes possible for attackers to inject commands with no knowledge of the existing session.

Regarding design weakness no. 1: the SCADA system vendor will recommend that clients use a VPN tunnel to encrypt the traffic as remediation. Meanwhile, the hacker created a working directory (/var/run/vpnfilterw) on the compromised router to record the Modbus traffic, so user credentials can be found by the hacker.
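The four weaknesses above turned into detection logic, as an added example (not Cisco's or any vendor's code). Because Modbus/TCP is cleartext and unauthenticated, a monitor on the SCADA segment can parse every request, and the sender's address checked against an allow-list of legitimate masters is the only control available against injected commands. The sample capture is constructed: the HMI address 10.0.0.5, the 10.0.0.99 address standing in for a compromised router, and the frames themselves are assumptions.

```python
import struct

# Added example: triage of Modbus/TCP requests captured on a SCADA segment.
# Public function codes from the Modbus application protocol specification.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}
RECON_FUNCTIONS = {8: "Diagnostics", 17: "Report Server ID",
                   43: "Encapsulated Interface Transport (device identification)"}


def parse_modbus_tcp(frame):
    """Parse one Modbus/TCP ADU: 7-byte MBAP header followed by the PDU.
    MBAP = transaction id (2), protocol id (2, always 0), length (2), unit id (1)."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, unit = struct.unpack_from(">HHHB", frame, 0)
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus (expected 0)")
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} does not match frame size")
    return {"transaction": tid, "unit": unit, "function": frame[7], "data": frame[8:]}


def triage(src_ip, frame, allowed_masters):
    """Return a list of findings for one request. With no authentication in the
    protocol (weakness 3), the sender's address is the only identity available."""
    try:
        adu = parse_modbus_tcp(frame)
    except ValueError as exc:
        return [f"{src_ip}: malformed frame ({exc})"]
    findings = []
    if src_ip not in allowed_masters:
        findings.append(f"{src_ip}: Modbus request from a host not in the master allow-list")
    fc = adu["function"]
    if fc in WRITE_FUNCTIONS:
        if len(adu["data"]) < 4:
            return findings + [f"{src_ip}: truncated {WRITE_FUNCTIONS[fc]} request"]
        # Cleartext (weakness 1): the exact target and payload are visible on the wire.
        addr, second = struct.unpack_from(">HH", adu["data"], 0)
        detail = f"value {second:#06x}" if fc in (5, 6) else f"{second} items"
        findings.append(f"{src_ip}: {WRITE_FUNCTIONS[fc]} to unit {adu['unit']} "
                        f"address {addr:#06x} {detail}")
    elif fc in RECON_FUNCTIONS:
        findings.append(f"{src_ip}: reconnaissance via {RECON_FUNCTIONS[fc]}")
    return findings


def analyze(records, allowed_masters):
    """Run triage over (source ip, frame) pairs and collect every finding."""
    findings = []
    for src_ip, frame in records:
        findings.extend(triage(src_ip, frame, allowed_masters))
    return findings


# Constructed sample capture (not real traffic): an HMI at 10.0.0.5 is the only
# host that should talk to the PLC; 10.0.0.99 stands in for a compromised router.
SAMPLE_TRAFFIC = [
    ("10.0.0.5",  bytes.fromhex("00010000000601030000000a")),  # read 10 holding registers
    ("10.0.0.99", bytes.fromhex("00020000000601060010ffff")),  # write 0xffff to register 0x10
    ("10.0.0.99", bytes.fromhex("000300000005012b0e0100")),    # read device identification
    ("10.0.0.5",  bytes.fromhex("000400010006010300000001")),  # protocol id 1: not Modbus
]
ALLOWED_MASTERS = {"10.0.0.5"}

if __name__ == "__main__":
    for line in analyze(SAMPLE_TRAFFIC, ALLOWED_MASTERS):
        print(line)
```

The same cleartext that lets a compromised router record Modbus traffic lets the monitor flag writes and device-identification probes; the fourth sample shows the parser refusing a frame whose protocol identifier is not 0 rather than guessing. Pair this with the VPN recommendation in the text: once the traffic is tunnelled, the monitor has to sit at the tunnel endpoint to see anything.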

c. Compromised routers and NAS devices turned into weaponized tools

Cisco statistically estimates that 500,000 devices have been compromised. A hint highlighted by security experts is that the attacker creates a configuration file in /var/run/torrc and a working directory in /var/run/tord, an evasion-of-detection technique since the communication is encrypted. The command and control server is able to drive the compromised router to start cyber attacks on nuclear power facilities. Referring to the above four items of Modbus vulnerabilities, the QNAP network-attached storage (NAS) can be transformed into an attack tool: the kernel of the NAS contains Linux commands that can be used, for instance executing an nping command to craft packets that disturb the nuclear facility. Meanwhile the hacker is able to install a Python or PHP library with a script to execute the attack (refer to item number 4 above).

Summary:

In the meantime, we are waiting for more information from Cisco. Perhaps the attackers will launch the attack. No news is good news, agreed, right?

I will keep you posted on any updates.

— End —

24th May 2018 – status update:

The FBI has taken control of APT28’s servers. APT28 is the suspected threat actor behind this attack.

The US Federal Bureau of Investigation (FBI) has obtained court orders and has taken control of the command and control servers of a massive botnet of over 500,000 devices, known as the VPNFilter botnet.

Headline news article for reference.

http://www.scmp.com/news/world/united-states-canada/article/2147561/us-disrupts-botnet-500000-hacked-routers-suspected?edition=hong-kong

Justice Department Announces Actions to Disrupt Advanced Persistent Threat 28 Botnet of Infected Routers and Network Storage Devices

https://www.justice.gov/opa/pr/justice-department-announces-actions-disrupt-advanced-persistent-threat-28-botnet-infected


The next page of cyber attack – after the European allies took justice action (bombarding Syrian chemical facilities).

Preface

I can’t hold the tears back!

Rest in peace to victims who were killed in a suspected chemical attack on the rebel-held town of Khan Sheikhoun in north-western Syria on 4 April, 2018.

International Law

About Convention on the Prohibition of the Development, Production, Stockpiling and Use of Chemical Weapons and on their Destruction

Reference:

  • Australia Group of countries and the European Commission that helps member nations identify exports which need to be controlled so as not to contribute to the spread of chemical and biological weapons
  • 1990 US-Soviet Arms Control Agreement
  • General-purpose criterion, a concept in international law that broadly governs international agreements with respect to chemical weapons
  • Geneva Protocol, a treaty prohibiting the first use of chemical and biological weapons

Prelude

The United States of America is the leader keen to fight against evil. As a result, the country will possibly receive a high volume of cyber attacks after completing the justice military action.

The UK is a member of the alliance, so the situation will be similar.

Predict the target (Healthcare and clinic)

Per observation so far, ransomware activities have been wreaking havoc from 2017 to the present. In retrospect, UK healthcare and clinical areas suffered such an attack last year. The chart below shows the (ransomware) attack vectors by industry.

In addition, since the UK joined the military action, terrorists will spend effort finding the weaknesses of the healthcare system infrastructure. Logically, healthcare and clinics will become the attack target because the terrorists will buy the details from the criminal group, gaining a complete understanding of the design weaknesses in those areas. There is therefore a high possibility of a second round of attack, similar to a revenge action.

Earlier last week, US-CERT issued an article with the subject “Protecting Your Networks from Ransomware”. Its aim is to provide guidance on fighting ransomware. Before you read the article, here are a few slogans that can enhance your data protection framework. For instance:

1. Ransomware and Phishing Work Together

2. Those who frequently visit online gaming zones and pornography websites are more likely to encounter ransomware attacks.

In order to avoid similar cyber attacks, enhancing your awareness is the first priority. For more details, please refer to the URL below.

Protecting Your Networks from Ransomware

Predict the target – Pathway (router and network switch)

Cisco holds a large market share in both network switches and routers (see the diagram below).

From a technical point of view, it is not easy to make a product design perfect in the modern technology market, and therefore threat actors will make use of vulnerabilities to carry out cyber attacks. In the view of security experts, hackers are now keen to compromise network switches. As a matter of fact, a hacker will prefer to compromise a hardware switch or router because he can then control the traffic and retrieve information. So Cisco end users must stay alert to security updates announced by Cisco during this period. The informative diagram below provides hints in this regard.

Cisco IOS is a monolithic operating system running directly on the hardware, while IOS XE is a combination of a Linux kernel and a (monolithic) application (IOSd) that runs on top of this kernel. Attackers executing code remotely using system vulnerabilities is a common type of attack and hard to avoid.

Perhaps a medium-severity vulnerability found in an IT product is not a shock. However, a medium vulnerability co-existing with known critical vulnerabilities creates a combination whose level of damage cannot be foreseen. The fundamental design of Cisco IOS XE integrates with open systems. The severity of vulnerability CVE-2018-0196 is medium. End users are allowed to disable the HTTP service to avoid the vulnerability, but the default state of the HTTP Server feature is version-dependent. This is a significant signal alerting Cisco customers that corrective control is not enough; the efficient way is to enhance your preventive and detective controls, that is, the implementation of managed security services.

The design objective of the command line parser is to parse command line arguments: the parser parses a string and returns an object representing the values extracted. This is the design objective of the regular expression as well. Cisco IOS XE is a train of Cisco Systems’ widely deployed Internetworking Operating System (IOS), introduced with the ASR 1000 series. IOS XE is a combination of a Linux kernel and a (monolithic) application (IOSd) that runs on top of this kernel. The goal of IOS XE is to integrate the IOS feature set for routing and switching to cope with modern business-critical applications. A CLI command injection vulnerability has been found in Cisco IOS XE. Stay alert.

US-CERT encourages users and administrators to review the following Cisco Security Advisories and apply the necessary updates. For more details, please see below:

Predict the target – Electricity power facility, water supply and Gas supply facilities

SCADA systems are popular and play a major role in modern industrial automation, including manufacturing production control, building facility electrical device control, etc. I believe that these areas do not lure the hackers’ interest. As usual, threat actors will remain focused on the following critical public facilities.

Electricity power facility, water supply and Gas supply facilities.

Regarding vendor announcements in the last few months, popular brand-name SCADA suppliers have had vulnerabilities. Perhaps the SCADA owners applied the patches and completed the remediation. However, the SCADA kernel relies heavily on Microsoft-based operating systems, so we must consider whether there is any new security announcement by the vendor. Below are the vulnerabilities encountered in the last few months.

Allen Bradley – The design flaw of the programmable logic controller – system vulnerability

Oil refinery industry security alert! CVE-2018-4841

SCADA manufacturer security awareness awaken – ABB

Vulnerability in SCADA CODESYS Web Server CVE-2018-5440

Predict the target – logistic delivery (marine)

Hackers might disrupt the maritime bandwidth management system by relying on its vulnerabilities if it has not been patched. The specified vulnerability could cause a shipping traffic jam or suspend logistics delivery, so the marine industry, especially container shipping companies, must stay alert.

Navarino Infinity web interface is affected by multiple vulnerabilities

About the situation in France

France is under frequent terrorist attack: terrorist attacks happened 8 times in 2017, and the most recent attack caused 5 deaths. Perhaps cyber attacks there are less often reported in the headlines, and the overall situation is unknown. However, a similarly critical level of cyber attack will happen in that place.

In the end, I wish that justice will win the battle. “In God We Trust”.

— End —

The unknown warfare – weaponization of electronics

Preface:

Called “Henosis,” from the Greek word for unity, Lockheed Martin’s new digital dashboard is meant to give commanders a single interface to organize cyber defense and offense in real time against land, sea, air, and space targets.

Who is the culprit deploying cyber techniques for warfare?

The Gulf War demonstrated yet again the central importance of electronic warfare to the conduct of a modern air war. It awakened countries, including the United States, to the importance of cyber warfare in current international crises. As time goes by, information technology has become an increasingly critical component of modern life, and therefore the fundamentals of cyberspace have attracted the attention of the CIA, the NSA, and the Russian government. Apart from the Gulf War, the most famous electronic warfare has involved hostile countries interfering with regimes. Perhaps the overall life cycle of a malware is not intended for the long run. However, a legendary cyber weapon was exposed to the world in 2007, the prologue to the electronic warfare tool revolution. The tool is called BlackEnergy.

Technical background

During the Russia-Georgia conflict, Russia’s strategy was to suspend all communication channels in Georgia in order to isolate the area. This was the first time BlackEnergy was exposed to the world. BlackEnergy is a DDoS tool embedded with a Trojan. The (BlackEnergy HTTP) C&C is built on PHP and MySQL. To boost the power of the attack, the BlackEnergy back-end C&C server keeps the commands and botnet configuration on a DB server (MySQL).

The screenshot below shows how the attack works.

BlackEnergy technical summary:

  • Botnets: 300-400 sessions per IP per server
  • SQL injection of more than 100 sites
  • Attempts of BGP hijacking
  • Spamming

In 2010, the IT world discovered the Stuxnet scandal. Coincidentally, new functional features of BlackEnergy were disclosed at the same time. Security experts gave this BlackEnergy a new name: version 2.

Black Energy (2010)

Version 2 of BlackEnergy re-engineered the original design. It uses modern rootkit/process-injection techniques, strong encryption and a modular architecture. A Microsoft design flaw was found by threat actors, and therefore version 2 of BlackEnergy attacks the Microsoft User Account Control (UAC) function; the attack mainly uses this vulnerability to perform privilege escalation. Apart from that, an advanced function was added to the attack framework in 2013: support for 64-bit drivers.

Below is a technical description of the Microsoft User Account Control vulnerability.

User Account Control (UAC) is a technology and security infrastructure introduced with Microsoft’s Windows Vista and Windows Server 2008 operating systems. The security community knows that the weakness of the UAC design is not easy to resolve, and therefore the designers of BlackEnergy embedded a UAC bypass function in it.

Findings: Microsoft Windows supports end-user-defined characters (EUDC) to allow users to define custom Unicode characters. The Windows kernel (win32k.sys) graphics device interface (GDI) reads the EUDC registry key for font information. More specifically, GreEnableEudc() uses RtlQueryRegistryValues() to read HKCU\EUDC\{codepage}\SystemDefaultEUDCFont. In this case RtlQueryRegistryValues() expects to read a REG_SZ (string) value into a buffer whose length and contents are determined by the type and value of SystemDefaultEUDCFont.

By default, an unprivileged user has access to modify the EUDC registry key. Furthermore, RtlQueryRegistryValues() does not validate the data read from SystemDefaultEUDCFont. By changing the type and data of SystemDefaultEUDCFont and enabling EUDC, an attacker can overwrite kernel memory.

Descendants of BlackEnergy (see below)

Remark: The plugin and update features of BlackEnergy 2 make it more self-protective. If the attack task force requires a longer survival time for the implant on compromised systems, it will sabotage the program body once it is detected by antivirus software.

Cyber attacks in 2010 with suspected BlackEnergy task force involvement

Date: 2010-01-16 18:00:01 – 2010-01-20 06:00:02

Symptom: flood http www.ingushetiyaru.org

Description: The website run by an opposition group in Ingushetia, Ingushetiyaru.org, suffered a DDoS attack after publishing comments critical of the region’s authorities.

Date: 2010-01-22 12:00:01 – 2010-01-26 15:00:02

Symptom: flood http angusht.com

Description: angusht.com is also related to Ingushetia and reported DDoS attacks.

Date: 2010-01-25 08:00:02 – 2010-01-27 02:00:01

Symptom: flood http kadyrov2012.com

Description: The website kadyrov2012.com was a satirical website claiming that the Russian-backed Chechen leader Ramzan Kadyrov was going to run for president in Russia’s elections. Reuters reported the story on January 24, which correlates with the timing of the DDoS attacks.

Attack strategy development pathway


The final round (2014 – Dec 2015)

In April 2014, security experts found that hackers had embedded malware in an MS Word document. The Microsoft Office and word processing products Microsoft Word 2003 SP3, 2007 SP3, 2010 SP1 and SP2, 2013, and 2013 RT; Word Viewer; Office Compatibility Pack SP3; Office for Mac 2011; Word Automation Services on SharePoint Server 2010 SP1 and SP2 and 2013; Office Web Apps 2010 SP1 and SP2; and Office Web Apps Server 2013 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Rich Text Format data file. Microsoft immediately did the remediation (announced a software update). This is CVE-2014-1761. However, one month later, in May, security experts spotted another file crafted to install a Trojan. Strangely, the malicious file was saved under the Ukrainian name “список паролiв” (meaning password list). Such an attack relies on an executable file with an MS Word icon, which finally downloads another malicious file. This is the so-called BlackEnergy Lite version. The Lite version has a different build ID format and a different plugin interface, and has a much lighter footprint. Unlike the earlier versions of BlackEnergy, the Lite version does not use a driver for loading the main DLL but instead uses a more standard way of loading DLLs (e.g., rundll32.exe). The configuration data of the Lite version is stored as X.509 certificates, unlike other BlackEnergy variants which store it in XML files.

The objective of the BlackEnergy exploit in 2014 was mainly to destroy Ukrainian and Polish power facilities. As such, it infected victim machines in two categories. The Lite version focused on the operations departments of power facilities. The complete version of BlackEnergy aimed to infect the workstations of ordinary citizens in Ukraine and Poland; such infections form another botnet DDoS army, which targeted government and telecom service providers.

In mid-2015, a hybrid attack was formed: spear-phishing emails carrying a malicious-macro Excel spreadsheet attacked the target network. This time the Lite version of BlackEnergy appeared (see diagram A below). The target victims are shown below:

  • ICS, energy, government and media in Ukraine
  • ICS/SCADA companies worldwide
  • Energy companies worldwide

In December 2015, BlackEnergy received an order to start another round of attacks on Ukrainian energy utilities.

Perhaps the above attack dates are not precise. The actual situation is that every day, victim workstations unintentionally join the vampire army (botnet).

Diagram A:

Summary:

In conventional warfare, a modern army deploys drones carrying missiles; the army locks down the location of the enemy and then destroys the target. But in a cyber warfare attack, BlackEnergy is used to interfere with the enemy’s daily life. Even though water supply control systems use SCADA, BlackEnergy can suspend the operation of water supply facilities. Don’t forget that BlackEnergy can appear in the world at any time. Be aware of it.

How to protect public facilities which installed SCADA control system?

An anti-malware solution alone is not enough. In order to avoid unforeseen incidents, the following solutions can reduce the overall risk rating.

  • Install SIEM system
  • Cybersecurity awareness training
  • Vulnerability management
  • Application control
  • Stay alert of the email-based spear-phishing

— END —


New detection technology. Will it embarrass antivirus firms?

Retrospectively, IT defense mechanisms, especially behavior analysis and cloud machine learning models, are powerful. It looks difficult for threat actors to masquerade themselves to start an infiltration. In order to fight crime, law enforcement might have to conduct surveillance or scrutiny of suspects. It is not a secret that a professional software house assists law enforcement in conducting surveillance: yes, it is FinFisher. I heard a rumor that the Turkish government is going to enforce cyber security in their country. Perhaps FinFisher is expensive and therefore they chose another way: they deployed Sandvine PacketLogic middleboxes in five regions across the country. It is a man-in-the-middle. A question you will ask: if an anti-virus vendor finds malicious activity that is handled by law enforcement, do you know what they can do? Do they take quarantine action or remain silent? It looks like such contradictions will happen more and more in the future! Or will law enforcement deploy advanced techniques to masquerade themselves and evade detection?

Information warfare and arsenal

Preface:

There are different countries in the world, and each so-called regime has a different governance concept and strategic task force in different areas.

A simple introduction of regimes around the planet

Our story begins with Bear

The Bear group views electronic warfare as an essential tool for gaining and maintaining information superiority over its adversaries. Therefore the Bear group’s electronic warfare forces support denial and deception operations. Meanwhile, their arsenal is keen on developing interception tool sets and disruption equipment. Perhaps war, especially land-to-land or sea-to-sea combat, does not happen frequently. In order to control the communications of the enemy, the Bear group broke through the traditional concept: they weaponized computer techniques into cyber weapons. As a result, a series of cyber weapons was born.

The first cyber weapon shown to the world

On 20 July 2008, weeks before the Bear Group invasion of Georgia, the cyber attack vectors were growing. The website of the Georgian president was targeted, overloading the site.

Remark: This was the beginning phase of APT attacks. However, there was no such keyword as APT at that time. From a security point of view, this is the APT prototype. Such attacks turn victim workstations into zombies. The attacks rely on the following attack criteria: OS design weaknesses, especially zero-day attacks, and social engineering (spear-phishing).

The Bear Group was blocking Georgian “internet portals” to supplement its military aggression, suspending their external communications. The Internet had become a battleground at that time.

Such action gave the regime an idea: cyber attacks will become a main trend in the future, since the digital world has arrived. A cyber attack tool, the so-called “Black Energy”, is a well-known DDoS attack tool: a tool that weaponized computer software to fulfill the objective of military engagement.

The picture below shows the portable version of BlackEnergy.

The BlackEnergy botnet infection path is shown below:

A cyber attack targeting nuclear facilities in 2010 came from the Eagle group. It unintentionally strengthened the Bear group’s concept of electronic warfare. Meanwhile, the Bear group’s development team restructured their arsenal. They were looking for a new attack method that would completely suspend the hostile country’s operations. Thus a new cyber weapon was born. It relies on Microsoft vulnerabilities found by the Eagle Group security agency. WannaCry was born and promoted as an arms sale. The preliminary objective of the tool was originally a South Korean nuclear power plant. But the task force did not go very smoothly, and therefore the code was offered for free to criminal groups to use.

A few months later, an enhanced version of the WannaCry ransomware appeared in the cyber world, whose goal was to sabotage nuclear power facilities. What is the advanced feature of NotPetya?

NotPetya spreads on its own. The original Petya required the victim to download it from a spam email, launch it, and give it admin permissions. NotPetya exploits several different methods to spread without human intervention. The original infection vector appears to be a backdoor planted in M.E.Doc, an accounting software package that is used by almost every company in Ukraine.

The table below shows the specifications of WannaCry and Petya for reference.

….the attack task force spread it out and become a main trend of hostile countries cyber attack.

End of story….

Bear Group intelligence agency overview:

The Iron Curtain was the name for the boundary dividing Europe into two separate areas from the end of World War II in 1945 until the end of the Cold War in 1991. Therefore people only focus on the former KGB, simply because they are not so aware of the GRU (Glavnoe Razvedyvatelnoe Upravlenie – Russian Military Intelligence). In today’s world there is no keyword “KGB” anymore; the GRU has substituted the KGB’s original functions. But they prefer deploying malware, implanting malicious code into targets to engage in surveillance.

GRU strategic functions are displayed below:

  1. Political Intelligence
  2. Scientific and Technical Intelligence ( industrial espionage)
  3. Illegal Intelligence (Root kit, malware and ransomware)

This is a fiction. Any similarity is mere coincidence.


——- END ——-


About APT37

A cyber security company (FireEye) is so bold as to accuse a country. As a matter of fact, the APT threat actor made a mistake: it inadvertently revealed its location. According to the details provided by FireEye, APT37 developed a total of 10 different types of malware to satisfy their goals. Based on my observation, I would suggest staying alert to a backdoor-function malware nicknamed SHUTTERSPEED. Its overall specification is equivalent to Trojan spyware; it is also called Trojan-Spy.Win32.Agent.jkvl.

Since this spyware is not a new design, Windows Defender and antivirus products have the capability to kill it. However, an attack using multiple types of malware might give this Trojan an opportunity to be implanted on a workstation.

Should you be interested in the full picture of APT37’s attacks, please refer to the URL below.

https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf


Say Goodbye to 2017 cyber incidents

We are going to say goodbye to 2017. What is your expectation for the new year? Cyber world activities, especially cyber attacks, looked intensive this year. A decade ago we could not have imagined a ransomware threat with such destructive power. The crypto worm (WannaCry) broke the cyber incident world record when it suspended operations on a huge volume of workstations and servers around the world in May 2017. It was a shock to the world that the only way to recover your system or data was to pay the ransom. Apart from that, an alert to the business world is the question of how open source software provides IT security assurance to the company. The data breach incident at Equifax was a wake-up call to everybody. However, the data breach incidents continuously exposed to the world were caused by misconfiguration instead of vulnerabilities, which in such a way discredits the cloud service providers. In the banking environment, ATM malware is wreaking havoc. Experts speculated that DDoS attacks would be replaced by ransomware, but it looks like DDoS is still running strong this year. My opinion is that application security will be the focus of IT people next year. By the way, I wish you a Happy New Year.

Layer 7 (application layer) – What are the information security key factors?

About DHS Malware Analysis Report (MAR) – 10135536-B

Preface:

There are books of which the backs and covers are by far the best parts!

― Charles Dickens, Oliver Twist

Discussion details:

It is heard that the North Korean government is suspected to be the state sponsor of the Lazarus Group's cyber attack activities. A nickname for the Lazarus Group, Hidden Cobra, was exposed to the world in the middle of this year. The US Department of Homeland Security claimed that they are the suspects in the cyber attack on Sony Pictures and behind the WannaCry (ransomware) cyber attack. By far, we know that the US Department of Homeland Security keeps track of their activities with high priority.

DHS malware report (10135536-B) technical findings

There are a total of 7 Portable Executable (PE) files shown on the report. To keep the discussion in layman's terms, a PE is an executable file. The PE checksums and details are shown below:

  1. PE file checksum (MD5): C74E289AD927E81D2A1A56BC73E394AB

  Antivirus vendors capable of detecting it:

    • K7 – Trojan ( 700000041 )
    • Cyren – W32/Heuristic-KPP!Eldorado
    • VirusBlokAda – BScope.Trojan.Agent

  2. PE file checksum (MD5): FC9E40100D8DFAE2DF0F30A3414F50EC

  Antivirus vendors capable of detecting it:

    • Cyren – W32/Heuristic-KPP!Eldorado
    • VirusBlokAda – BScope.Trojan.Agent

  3. PE file checksum (MD5): 0137F688436C468D43B3E50878EC1A1F

  Antivirus vendors capable of detecting it:

    • F-Secure – Gen:Trojan.Heur.LP.Tu4@aqf3yp
    • BitDefender – Gen:Trojan.Heur.LP.Tu4@aqf3yp
    • Emsisoft – Gen:Trojan.Heur.LP.Tu4@aqf3yp (B)

  4. PE file checksum (MD5): 114D8DB4843748D79861B49343C8B7CA

  Antivirus vendors capable of detecting it:

    • F-Secure – Gen:Variant.Graftor.373993
    • Cyren – W32/Heuristic-KPP!Eldorado
    • VirusBlokAda – BScope.Trojan.Agent
    • BitDefender – Gen:Variant.Graftor.373993
    • Emsisoft – Gen:Variant.Graftor.373993 (B)

  5. PE file checksum (MD5): 9E4D9EDB07C348B10863D89B6BB08141

  Antivirus vendors capable of detecting it:

    • F-Secure – Gen:Trojan.Heur.LP.hu4@aKqgOsli
    • BitDefender – Gen:Trojan.Heur.LP.hu4@aKqgOsli
    • Emsisoft – Gen:Trojan.Heur.LP.hu4@aKqgOsli (B)

  6. PE file checksum (MD5): 2950E3741D7AF69E0CA0C5013ABC4209

  Antivirus vendors capable of detecting it:

    • F-Secure – Trojan.Inject.RO
    • VirusBlokAda – BScope.Trojan.Agent
    • AhnLab – Trojan/Win32.Akdoor

  7. PE file checksum (MD5): 964B291AD9BAFA471DA3F80FB262DBE7

  Antivirus vendors capable of detecting it:

    • nProtect – Trojan/W64.Agent.95232
    • McAfee – Trojan-FLDA!964B291AD9BA
    • ClamAV – Win.Trojan.Agent-6319549-0
    • AhnLab – Trojan/Win64.Dllbot
    • Quick Heal – Trojan.Generic

My observation:

It was strange and surprising to me that, of the total checksums provided by the Homeland Security malware report, only 1 item can be found in the VirusTotal database. That is not usual from a technical standpoint. The item 7 PE checksum can be found in the VirusTotal database; the earliest malware detection dates back to 2014. Apart from that, PE file checksum items 1 to 5 are only acknowledged by a few antivirus vendors.

As we know, Kaspersky has played an important role in APT cyber attack investigation analysis so far. But this time it did not show on the report. We understand that there is a lawsuit between the US government and Kaspersky. Maybe this is the reason. However, we couldn't find any details in the VirusTotal repository. It is very rare! It looks like the antivirus vendor F-Secure has done well in this matter since their detection rate is 3 out of 7. On the other hand, the bodyguard of the South Korean government (AhnLab) is the antivirus that detected the attack earlier, in 2014. However, its overall detection performance only stands at 2 out of 7.

From a general point of view, no matter whether Lazarus Group or Hidden Cobra, their design goal looks to be their natural enemy if the attack was engaged by the North Korean government. However, it looks like the major cyber attacks by Hidden Cobra went to cross-border countries, especially the USA or European countries. The virus vendor F-Secure's hometown is in Finland. Their business market coverage in APAC countries looks significantly reduced in the PC market recently, but they are aggressive in mobile phone devices. Perhaps the target machines of the malware attack alerted by Homeland Security are Windows-based, and therefore it in such a way bypassed their focus.

It looks confusing for managed security service vendors, especially in APAC countries, with this cyber alert!

The report given by US Homeland Security awakens our general opinion of antivirus vendors. Apart from my favourite Kaspersky, there are potential antivirus products with powerful capability to detect and quarantine unknown APT activities and malware. For example, on the report we see the brand names K7, Cyren, VirusBlokAda, Emsisoft and BitDefender.

Anyway, I still have hesitation or hiccups about this report since some information is not disclosed in the normal way. For example, I could not find the history record in the VirusTotal repository. But to play safe, following the recommendation provided by DHS is the best practice (YARA rule shown below):


rule Unauthorized_Proxy_Server_RAT
{
    meta:
        Author = "US-CERT Code Analysis Team"
        Incident = "10135536"
        MD5_1 = "C74E289AD927E81D2A1A56BC73E394AB"
        MD5_2 = "2950E3741D7AF69E0CA0C5013ABC4209"
        Info = "Detects Proxy Server RAT"
        super_rule = 1
    strings:
        $s0 = {8A043132C288043125FF00000003C299F73D40404900A14440490003D0413BCF72DE5E5FC3}
        $s1 = {8A04318844241432C28804318B44241425FF00000003C299F73D40404900A14440490003D0413BCF72D65E5FC3}
        $s2 = {8A04318844241432C28804318B44241425FF00000003C299F73D5C394100A16039410003D0413BCF72D65E5FC3}
        $s3 = {8A043132C288043125FF00000003C299F73D5C394100A16039410003D0413BCF72DE5E5FC3}
        $s4 = {B91A7900008A140780F29A8810404975F4}
        $s5 = {399FE192769F839DCE9F2A9D2C9EAD9CEB9FD19CA59F7E9F539CEF9F029F969C6C9E5C9D949FC99F}
        $s6 = {8A04318844241432C28804318B44241425FF00000003C299F73D40600910A14460091003D0413BCF72D65E5FC3}
        $s7 = {3C5C75208A41014184C074183C72740C3C7474083C6274043C2275088A41014184C075DC}
        $s8 = {8B063D9534120077353D59341200722E668B4604663DE8037F24}
        $s9 = {8BC88B74241CC1E1052BC88B7C2418C1E1048B5C241403C88D04888B4C242083F9018944240C7523}
        $s10 = {8B063D9034120077353D59341200722E668B4604663DE8037F246685C0}
        $s11 = {30110FB60148FFC102C20FBEC09941F7F94103D249FFC875E7}
        $s12 = {448BE8B84FECC44E41F7EDC1FA038BCAC1E91F03D16BD21A442BEA4183C541}
        $s13 = {8A0A80F9627C2380F9797F1E80F9647C0A80F96D7F0580C10BEB0D80F96F7C0A80F9787F05}
    condition:
        any of them
}

Reference: the article provided by US Homeland Security (see below)
https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDF
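To make the rule's logic concrete, here is an added example (not DHS's code and not part of the original post) that applies two of the rule's hex patterns and its two MD5 meta values to constructed buffers with a plain-Python matcher. It assumes no yara-python is installed and supports only plain hex patterns without wildcards or jumps, which is all this rule uses.

```python
import hashlib
import re

# Hex patterns and MD5 hashes copied from the DHS MAR-10135536-B YARA rule quoted on
# this page (two of the shorter patterns, to keep the example readable).
RULE_PATTERNS = {
    "$s4": "{B91A7900008A140780F29A8810404975F4}",
    "$s11": "{30110FB60148FFC102C20FBEC09941F7F94103D249FFC875E7}",
}
RULE_MD5S = {
    "C74E289AD927E81D2A1A56BC73E394AB",  # MD5_1 in the rule's meta section
    "2950E3741D7AF69E0CA0C5013ABC4209",  # MD5_2 in the rule's meta section
}

def hex_pattern_to_bytes(pattern):
    """Turn a YARA hex string such as '{8A 04 31}' (no wildcards or jumps) into bytes."""
    cleaned = re.sub(r"\s+", "", pattern.strip().strip("{}"))
    if not re.fullmatch(r"[0-9A-Fa-f]+", cleaned) or len(cleaned) % 2:
        raise ValueError("only plain hex byte patterns are supported: %r" % pattern)
    return bytes.fromhex(cleaned)

def scan_buffer(data, patterns=RULE_PATTERNS):
    """Return {pattern name: first offset} for every pattern present in data.
    A non-empty result is what the rule's 'any of them' condition expresses."""
    hits = {}
    for name, pattern in patterns.items():
        offset = data.find(hex_pattern_to_bytes(pattern))
        if offset != -1:
            hits[name] = offset
    return hits

def md5_matches_report(data, known=RULE_MD5S):
    """Hash lookup against the MD5 values the rule's meta section lists."""
    return hashlib.md5(data).hexdigest().upper() in known

def classify(data):
    """Hash lookup first (cheap, exact), then the byte patterns (catch variants)."""
    if md5_matches_report(data):
        return "known sample (MD5 listed in the report)"
    hits = scan_buffer(data)
    if hits:
        return "YARA pattern match: " + ", ".join(sorted(hits))
    return "no match"

# Constructed sample buffers: NOP filler with the $s4 byte sequence embedded at offset 16,
# and a second buffer that contains no pattern at all.
SAMPLE = b"\x90" * 16 + hex_pattern_to_bytes(RULE_PATTERNS["$s4"]) + b"\xcc" * 8
CLEAN = b"\x90" * 40
```

Running `classify(SAMPLE)` returns "YARA pattern match: $s4" while `classify(CLEAN)` returns "no match"; a real scan would feed each PE from the report through the same two checks.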

Summary:

In the meantime, I wish you Merry X’mas and Happy New year. Stay tuned!