Category Archives: Cyber War

Country to country APT attack mechanism not complex, believe that it exploit design flaw instead of backdoor – Jun 2019

Preface: It was the best of times, it was the worst of times, it was the age of wisdom, it was the age of foolishness, …

Synopsis: Mongoose is a cross-platform embedded web server and networking library with functions including different protocol (TCP, HTTP, WebSocket, Server MQTT client and broker). Since the footprint is small and capable to enables any Internet-connected device to function as a web server. Whereby, the temperature, weather monitoring device and Smart City sensor will make use of it. Most nuclear reactors use water as a moderator, which can also act as a coolant. So IoT temperate is the major component in this area.

Reference: When temperature senor sense the temperature exceed safety level. It will apply graphite to slows neutrons fission.
So the logarithmic reduction of neutron energy per collision.

Vulnerability details: A vulnerability in Cesanta Mongoose could allow an unauthenticated, remote attacker to execute arbitrary code or cause a denial of service (DoS) condition on a targeted system. If the newly allocated data chances to hold a class, in C++ for example, various function pointers may be scattered within the heap data. If one of these function pointers is overwritten with an address to valid shellcode, execution of arbitrary code can be achieved.

Remedy: At the time this alert was first released, the vendor has not issued a security advisory.

It is hard to judge it was a self defense or attack. New York Times cyber attack news – 16th Jun 2019

Preface: Sometime, the argue in between two countries similar a child. I am going to joke with you then switch off your power.

Highlight: Headline news by the New York Times give a tremendous feeling to the world. It let the people think the cyber war is on the way. Yes, it is true. The plan to implement Astra Linux in Russian defense systems dates back to the beginning of 2018. As far as we know, Russian do not relies on Microsoft operation system anymore especially critical facilities (military, defense system and power grid). Astra Linux compatible with Siemens Simatic IPC427D workstation. And therefore it is secure to implement in power supplier facility. But….

However it is hard to guarantee the vendor hardware vulnerability, right? For instance, Denial-of-Service Vulnerability in SIMATIC S7-1200 CPU and SIMATICS7-1500 CPU.

Remark: SIEMENS SCADA software family consists of three main pillars, WinCC Pro, WinCC 7 and WinCC … WinCC Pro is popular and can be used in any – discrete or process.

Reference: https://cert-portal.siemens.com/productcert/pdf/ssa-584286.pdf

What is your opinion on the headlines of the New York Times? Do you think this is a conspiracy?

Looking back – The Russia hacked the US electric grid. DHS and FBI are characterizing it as a Russian attack, noting that this was a multiyear campaign started in March 2016 by Russian government “cyber actors.”
The unconfirmed accusation of cyber attack to Russia posted by New York Times. Do you think it was a defensive action by US government?

Headline news https://www.nytimes.com/2019/06/17/world/europe/russia-us-cyberwar-grid.html

Astra Linux features:

– Compatibility with the Komrad SIEM system
– FSTEC certificates of the Russian Federation and FSB of the Russian Federation on Astra Linux of SE (release Smolensk)
– Compatibility with the Simatic IPC427D workstation
– Compatibility with Videoselektor
– Minobona’s certificate of the Russian Federation and FSB on Astra Linux of SE (release Leningrad)
– Compatibility with Mellanox Spectrum
– Compatibility with TerraLink xDE
– Tests of BLOK computers running SE 1.6 Astra Linux OS
– Availability of an official mirror of a repository of Astra Linux OS on mirrors.kernel.org
– Compatibility with JaCarta
– Compatibility with CryptoPro CSP on Elbrus and Baikal processors
– Compatibility with Linter DBMS

As of May 9, 2019, even “Virustotal” did not have his record! where is he from?

Preface: The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) have identified a malware variant— so called ELECTRICFISH.

Technical details: The malware implements a custom protocol like “Tor browser”. The aim to allows traffic by-pass defense mechanism in between source and a destination Internet Protocol (IP) address. The malware continuously attempts to reach out to the source and the designation system, which allows either side to initiate a funneling session.

Comment: Seems malware designer aware that their operation will be terminated by malware detector especially company which installed “FireEye”. The successful factor of the infection all depends on thier infection path. May be it is a phishing, or hide himself in a 3rd party software drivers. From technical point of view, their activities is not easy discovered by antivirus program once malware successful install. But it is rare that even “Virustotal” do not have their information till now.

Headline News via following link : https://www.washingtonexaminer.com/news/us-government-unveils-new-north-korean-hacking-tool-as-tensions-continue-to-rise

Analysis Reports by US Homeland Security – Legitimate open source remote administration tool re-engineer by threat actor as APT way of attack – Dec 2018

Preface: Quasar, a legitimate open-source remote administration tool. It is a fast and light-weight remote administration tool coded in C#.

Background: APT actors have adapted Quasar and created modified minor (1.3.4.0) and major (2.0.0.0 and 2.0.0.1) versions. Since the re-engineering Quasar client will be mimics a Mozilla Firefox 48 browser running on Windows 8.1 or mimics an Apple Safari 7.0.3 browser running on Mac OS X 10.9.3 in order to evade IDS monitoring. However there are way lets security operation center find their fingerprint. The distinctive first 4 bytes of the payload can be used to identify Quasar traffic.

As a result, below analytic way can be enforce the detective control:
Signature 1: TCP Payload Size Tracking

Signature 2: IP Lookup User-Agent String, HyperText Transfer Protocol Header Host, and HyperText Transfer Protocol Header URI

Signature 3: Hidden HTTP Request User-Agent String and Time-to-Live

More details can be found below url: https://unit42.paloaltonetworks.com/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/

Fake apps embedded ultimate spyware are being infect smartphones especially Android – Dec 2018

Preface: Blackhat conference held 3rd to 6th December 2018 in London. A topic awaken people bring attention to the smartphone security awareness especially Android OS.

Technical details:
Cyber security expert observe that a malform type of counterfeit apps spreading via watering hole websites and phishing emails. Targets were likely approached directly and encouraged to visit the malicious websites to download the counterfeit apps.

My comments:
Regarding to the Android Security Bulletin announce on December 2018. It looks that there are more vulnerabilities found. The Critical vulnerability found could let local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. For my personal point of view, the variant of surveillance malware so called Silverhawk. It will embedded with existing Android vulnerabilities engage the cyber attack. For more details, please refer to attached diagram for reference.

Reference: Blackhat conference presentation – Electronic Army’s Mobile Tooling :  https://i.blackhat.com/eu-18/Wed-Dec-5/eu-18-DelRosso-Under-the-SEA.pdf

Could ring 2 have the same momentum as a IoT backdoor?

Preface:

In x86 protected mode, the CPU is always in one of 4 rings. The Linux kernel only uses 0 and 3:

  • 0 for kernel
  • 3 for users

Hidden janitor living in your computer

SMM is triggered through a System Management Interrupt (SMI), a signal sent from the chipset to the CPU. During platform initialization, the firmware configures the chipset to cause a System Management Interrupt for various events that the firmware developer would like the firmware to be made aware of.

Whether you remember the Intel chipsets for some years have included a Management Engine?

On May 2017, an official announcement by Intel, design found a design limitation on their product. The problem is that Intel Active Management Technology, Intel Small Business Technology, and Intel Standard Manageability encountered vulnerability (escalation of Privilege). Reference url shown as below:

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00075.html

If we are not talking about conspiracy, it looks that backdoor appear in the chipset not a rumour. It is a true statement.

Why Ring 2 isn’t used?

Rings 1 and 2 is for the OS to put device drivers at that level, so they are privileged, but somewhat separated from the rest of the kernel code.

An exploitation on Ring 2

We strongly believe that the person who familiar of code for the UEFI kernel and SMM half kernel is the CPU manufacturer. Both components are run on Ring 2. Above mentioned Intel design flaw run in Ring -2 OS (UEFI). UEFI can run in 32-bit or 64-bit mode and has more addressable address space than BIOS, which means your boot process is faster. Unified Extensible Firmware Interface (UEFI) is a specification for a software program that connects a computer’s firmware to its operating system (OS). UEFI is expected to eventually replace BIOS. Like BIOS, UEFI is installed at the time of manufacturing and is the first program that runs when a computer is turned on. Dual boot computer with Windows and Linux conducted by UEFI firmware. But UEFI firmware has become a target for hackers.

Refer to above diagram, we notice that the condition of Ring 2 will be depends on operation mode. So, if virtualization assist by hardware will let Ring 2 and Ring 3 work together. As a result, an attacker with write access to flash can inject malware into the firmware.

Remark: Malware injected into the firmware flash regions is persistent and will run on every subsequent boot.

SPI Flash Exploit – Malicious DXE drivers can disable security settings and install malicious code into the OS.

Additional:

Refer to above information. When a computer was installed and switched on, the microchip altered the operating system’s core so it could accept modifications. The chip could also contact computers controlled by the attackers in search of further instructions and code.

But who is the culprit, no further indicator proof. Perhaps it can shift the blame onto someone else. If you do not mind to read the articles announced by Bloomberg once more. Please refer below:

https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies

2nd Oct 2018 – Homeland security alert (Retail payment system security advisory)

US Homeland security urge banking industry especially payment gateway services provider staying alert of new round of malicious cyber attack of their system. Similar of cyber attack was happened in Taiwan. The heist draw the cash equal to $2.6m (£2.1m). Homeland security reveal how the technique let ATM machine like human vomiting. But this is the bank note. You and me like it.

The key item of this attack is prioritize to compromise the switching application server.  Then malicious applications generate a counterfeit response message using GenerateResponseTransaction1() or GenerateResponseTransaction2() function to response to the acquire with a counterfeit response message and drops the request before the payment switch application processes the message. As a result it fool the issuer with no knowledge of the transaction. Should you have interest of above details, please refer to below URL:

https://www.us-cert.gov/ncas/alerts/TA18-275A

My speculation on how Cisco (Talos) found the malware (VPNFilter malware).

Preface:

Using Big Data and data mining methods to predict attacks before they happen,the Cisco Umbrella Security Research team built such detection framework.

Point of view:

a. Vulnerability routers are vulnerable to Shell Metacharacters Attack

Regarding to the observation result of Cisco Talos security team. There are group of router devices are vulnerable. They are Linksys, MikroTik, Netgear, and TP-Link, as well as QNAP network-attached storage (NAS) devices. I am not going to repeat the attack details because nobody will be describe as clear as Cisco findings (see below url for reference)

https://blog.talosintelligence.com/2018/05/VPNFilter.html

However a hints given to me that they are all vulnerable for Shell Metacharacters attack. What is Shell Metacharacters attack? A metacharacter is a character that has a special meaning (instead of a literal meaning) to a computer program, such as a shell interpreter or a regular expression engine. … Otherwise, the parenthesis, plus-sign, and asterisk will have a special meaning. In the sense that those routers containes design weakness may let the router misbehave. For instance it accept arbitrary command execution through shell metacharacters in a URL.

Botnet from earlier phase relies on workstations engage the attack convert to smartphones in last few years. Most likely the security enhancement in workstations and smartphones improved. The threat actors found the new victims today.It is a low-end wireless router.

So below items are the guidance:

  • Never trust input
  • Prefer rejecting data to filtering data
  • Every component should validate data

Whereby the way to validate the input are:

  • Indirect selection – application never directly uses user input
  • Whitelist
  • Blacklist

If required input, do the validation actions:

  • Sanitize – Attempt to fix input by removing dangerous parts
  • Refuse to use invalid input
  • Record invalid input in log file
  • Alert – send notification to related personnel

b. Behavioral Analysis discovered adnormal traffic pattern

There are design weakness of modbus protocol. Basically modbus is  an application layer protocol. However the MODBUS/TCP protocol implementation contains multiple vulnerabilities that could allow an attacker to perform reconnaissance activity or issue arbitrary commands.

  1. All MODBUS messages are transmitted in clear text across the transmission media.
  2. There are no integrity checks built into the MODBUS application protocol. As a result, it depends on lower layer protocols to preserve integrity.
  3. There is no authentication at any level of the MODBUS protocol. One possible exception is some undocumented programming commands.
  4. MODBUS/TCP consists of short-lived transactions where the master initiates a request to the slave that results in a single action. When combined with the lack of authentication and poor TCP initial sequence number (ISN) generation in many embedded devices, it becomes possible for attackers to inject commands with no knowledge of the existing session.

Regarding to item no.1 design weakness. The SCADA system vendor will be recommend client make use of VPN tunnel to encrypted the traffic for remediation. Whereby hacker created working directory (/var/run/vpnfilterw) in compromised router to record the modbus traffic. And therefore user credential will be found by hacker.

c. Compromised routers and NAS transform to weaponize tool

Cisco statiscally calculate there are estimated 500,000 devices has been compromised. A hints highlights by security expert that attacker creates a configuration file in /var/run/torrc and a working directory in /var/run/tord. A evasion of detection mechanism technique since it is a encrypted communication. The command and control server is able to drive the compromised router to start the cyber attack to nuclear power facilities. Refer to above four items of modbus vulnerbilities. The QNAP network-attached storage (NAS) will be transform become a attack tool. The kernel of NAS contains linux command is able to use it. For instance execute a nping command craft packet to bother the nuclear facility. Meanwhile the hacker is able to install python or php library with script to execute the attack (Reference to above item number 4).

Summary:

In the meantime, we are waiting for more information provided by Cisco.Perhaps attackers engage the attack. No news is good news, agree, Right?

Anything updating will keep you posted.

— End —

24th May 2018 – status update:

FBI take control of APT28’s. They are the suspect threat actor of this attack.

The US Federal Bureau of Investigation (FBI) has obtained court orders and has taken control of the command and control servers of a massive botnet of over 500,000 devices, known as the VPNFilter botnet.

Headline news article for reference.

http://www.scmp.com/news/world/united-states-canada/article/2147561/us-disrupts-botnet-500000-hacked-routers-suspected?edition=hong-kong

Justice Department Announces Actions to Disrupt Advanced Persistent Threat 28 Botnet of Infected Routers and Network Storage Devices

https://www.justice.gov/opa/pr/justice-department-announces-actions-disrupt-advanced-persistent-threat-28-botnet-infected

 

The next page of cyber attack – After European allies did the justice action (bombard Syria chemical facilities).

Preface

I can’t hold the tears back!

Rest in peace to victims who were killed in a suspected chemical attack on the rebel-held town of Khan Sheikhoun in north-western Syria on 4 April, 2018.

 International Law

About Convention on the Prohibition of the Development, Production, Stockpiling and Use of Chemical Weapons and on their Destruction

Reference :

  • Australia Group of countries and the European Commission that helps member nations identify exports which need to be controlled so as not to contribute to the spread of chemical and biological weapons
  • 1990 US-Soviet Arms Control Agreement
  • General-purpose criterion, a concept in international law that broadly governs international agreements with respect to chemical weapons
  • Geneva Protocol, a treaty prohibiting the first use of chemical and biological weapons

Prelude

United state of America is the leader keen to fight against of the evils. As a result their country possibly will be receive high volume of cyber attack after completed the justice military action.

UK a member of the alliance. As a result the situation will be similar.

Predict the target (Healthcare and clinic)

Per observation so far, the ransomware activities are wreak havoc in between 2017 to present. Retrospective that the UK healthcare and clinical areas suffered such attack last  year.  Below table of chart showing the (Ransomware) attack vector to specific industry.

In additional of UK joined the military action. The terrorist will spend the efford to find out the weakness of the healtcare system infrastructre. In logic point of view the healthcare and clinic will become the attack target because the terrorist will buy out the details from the criminal group. As a result a complete understanding of the design weakness on those area. Whereby it have high possibilities to engage the 2nd round of attack similar a revenge action.

Earlier last week an article issued by US-CERT with subject. Protecting Your Networks from Ransomware. Their aim is going to provide a guidance to fight against ransomware. Before you read the articles. There are few slogans are able to enhance your data protection framework. For instance:

1. Ransomware and Phishing Work Together

2. For whom who visiting online Gaming zone and Pornography web site in frequent are easy for encounter ransomware attack.

In order to avoid similar of cyber attack, enhance your awareness is the first priority. For more details, please refer below url for reference.

Protecting Your Networks from Ransomware

Predict the target – Pathway (router and network switch)

Since the market share of Cisco in both network switch and router are in big portion (see below diagram)

From technical point of view,  it is not easy to identify the product design in perfect way in modern technology business market. And therefore the threat actors will be make use of vulnerabilities to engage the cyber attack. In regards to the view point of security expert , hacker now keen to compromise the network switch nowadays. As a matter of fact hacker will prefer to compromise a hardware switch or router because he can control the traffic and retrieve the information. So the Cisco end users must be stay alert of security update announce by Cisco in this period of time. Below informative diagram will provides hints to you in this regards.

Cisco IOS is a monolithic operating system running directly on the hardware while IOS XE is a combination of a linux kernel and a (monolithic) application (IOSd) that runs on top of this kernel. Attacker executing code remotely using system vulnerabilities. It is common type of attack and hard to avoid.

Perhaps a medium vulnerability found on IT product not a shock. However the medium vulnerability co-exists with known critical vulnerabilities created multiple vulnerabilities are unable to foreseen what is the level of damage. Cisco IOS XE fundamental design integrate to open system. The severity of vulnerability CVE-2018-0196 is medium level. End user is allow to disable the http services to avoid the vulnerability. But the default state of the HTTP Server feature is version-dependent. A significant signal alert Cisco customer that corrective control is not enough. The efficient way is enhance your preventive and detective control. That is the implementation of managed security services.

The design objective of the Command Line Parser is used to parse the command line arguments. The parser parsing a string and returns an object representing the values extracted. This is the the regular expression design objective. The Cisco IOS XE is a train of Cisco Systems’ widely deployed Internetworking Operating System (IOS), introduced with the ASR 1000 series. IOS XE is a combination of a linux kernel and a (monolithic) application (IOSd) that runs on top of this kernel. The goal of IOS SE aim to integrate the IOS feature set for routing and switching cope with modern business critical applications. The CLI command injection vulnerability has been found on CISCO IOS XE. Stay alert.

US-cert encourages users and administrators to review the following Cisco Security Advisories and apply the necessary updates. For more details, please see below:

Predict the target – Electricity power facility, water supply and Gas supply facilities

SCADA system are popular and pay a major role in modern industrial automation including manufacturing production control, building facilities electricity devices control, etc. I believe that these areas do not lure the hacker interest. As usual, threat actors will remain unchanged focusing in the following critical public faciliteis.

Electricity power facility, water supply and Gas supply facilities.

In regards to vendor announcement last few month. The popular brand name of SCADA major supplier has vulnerabilities occured. Perhaps the SCADA owner applied the patch and completed the remediation. However the SCADA kernel more relies on Microsoft product based operating system. So we must consider is there any new security announcement by vendor. Below details are the vulnerabilities encountered last few months.

Allen Bradley – The design flaw of the programmable logic controller – system vulnerability

Oil refinery industry security alert! CVE-2018-4841

SCADA manufacturer security awareness awaken – ABB

Vulnerability in SCADA CODESYS Web Server CVE-2018-5440

Predict the target – logistic delivery (marine)

Hacker might interrupt the maritime bandwidth management system relies on vulnerabilities if it did not complete the patch. The specify vulnerability causes shipping traffic jam or suspend the logistic delivery. Whereby the marine industry especially container shipping company must stayed alert.

Navarino Infinity web interface is affected by multiple vulnerabilities

About situation of France

France under terrorist attack in frequent. The terrorist attack on 2017 are happened 8 times. The most recent of attack causes 5 people dead. Perhaps there is less hit rate of cyber attack shown on top of newspaper. Even though the overall situation is unkown. However the similar cirtical level of cyber attack will be happened in that place.

At the end, I wishing that justice will be win the battle. “In God We Trust“.

— End —

The unknown warfare – weaponize of electronics

Preface:

Called “Henosis,” from the Greek word for unity, Lockheed Martin’s new digital dashboard is meant to give commanders a single interface to organize cyber defense and offense in real time against land, sea, air, and space targets.

Who is the culprit deploying cyber techniques for warfare?

The Gulf War has demonstrated yet again the central importance of electronic warfare to the conduct of a modern air war. It awaken countries including United States, considering the importance of cyber warfare in current International Crises. As times goes by, information technology has become an increasingly critical component in modern life. And therefore the fundamental of cyberspace bring attention to the CIA, the NSA, and the Russian government. Except the Gulf War, the most famous electronic warfare are involved hostile countries regime Interference. Perhaps the overall life cycle of malware not intend for long run. However a legendary cyber weapon expose to the world in 2007. The prologue to the electronic warfare tool revolution. The tool so called black energy.

Technical background

During the Russia-Georgia conflict period. The strategy of Russia intend to suspended all the communication channel in Georgia in order to isolate this area. This is the 1st time to expose black energy to the world.The BlackEnergy is a DDoS Tool which embedded with Trojan.The (BlackEnergy HTTP) C&C is built on PHP and MySQL. In order to boost up the power of attack, black energy back end C&C server contained command and botnet configuration on DB server (mysql).

Below screenshot shown how’s the attack will do.

Black energy technical summary:

  • BOTNETS • 300-400 sessions per IP per server
  • SQL INJECTION of more than 100 sites
  • Attempts of BGP hijacking
  • SPamming

In 2010, the scandal of Stuxnet found by the IT world. Coincidentally new functional feature of black energy disclosed simultaneously. The security experts append a nickname with black energy. So called version 2.

Black Energy (2010)

The version 2 of black energy re-engineering the original design of black energy. It uses modern rootkit/process-injection techniques, strong encryption and a modular architecture. Perhaps a Microsoft design flaw found by threat actors. And therefore version 2 of black energy intend to attack microsoft user account control (UAC) function. The attack mainly share this vulnerability to execute a privileges escalation. Apart from that an advanced function append to the attack framework in 2013. It support of 64-bit drivers.

Below technical description for Microsoft user account control vulnerability

User Account Control (UAC) is a technology and security infrastructure introduced with Microsoft’s Windows Vista and Windows Server 2008 operating systems. The security know the weakness of UAC design not easy to resolve. And therefore the designer of black energy embed UAC bypass function in black energy.

Findings: Microsoft Windows supports end-user-defined characters (EUDC) to allow users to define custom unicode characters. The Windows kernel (win32k.sys) graphics device interface (GDI) reads the EUDC registry key for font information. More specifically, GreEnableEudc() uses RtlQueryRegistryValues() to read HKCU\EUDC\{codepage}\SystemDefaultEUDCFont. In this case RtlQueryRegistryValues() expects to read a REG_SZ (string) value into a buffer whose length and contents are determined by the type and value of SystemDefaultEUDCFont.

By default, an unprivileged user has access to modify the EUDC registry key. Furthermore, RtlQueryRegistryValues() does not validate the data read from SystemDefaultEUDCFont.By changing the type and data of SystemDefaultEUDCFont and enabling EUDC, an attacker can overwrite kernel memory.

Descendants Of The Black Energy (see below)

Remark: The plugins and update features of Black Energy 2 make itself more protective.If the attack task force requires longer survival time implant on compromised systems. It will be sabotage the program body once detected by antivirus software.

Cyber attack happened on 2010 with suspect BlackEnergy task force engagement

Date: 2010-01-16 18:00:01 – 2010-01-20 06:00:02

Symptom: flood http www.ingushetiyaru.org

Description: The website run by an opposition group in Ingushetia, Ingushetiyaru.org, suffered a DDoS attack after publishing comments critical of the region’s authorities.

Date: 2010-01-22 12:00:01 – 2010-01-26 15:00:02

Symptom: flood http angusht.com

Description: angusht.com, is also related to Ingushetia and reported DDoS attacks

Date: 2010-01-25 08:00:02 – 2010-01-27 02:00:01

Symptom: flood http kadyrov2012.com

Description: The website kadyrov2012.com was a satirical website claiming that the Russian-backed Chechen leader Ramzan Kadyrov was going to run in for president in Russia’s elections. Reuters reported the story on January 24 which correlate with the timing of the DDoS attacks.

Attack strategy Development pathway

 

The final round (2014 – Dec 2015)

On April 2014, security expert found that hacker embedded a malware on MS Word document. The microsoft office and word processing products includes Microsoft Word 2003 SP3, 2007 SP3, 2010 SP1 and SP2, 2013, and 2013 RT; Word Viewer; Office Compatibility Pack SP3; Office for Mac 2011; Word Automation Services on SharePoint Server 2010 SP1 and SP2 and 2013; Office Web Apps 2010 SP1 and SP2; and Office Web Apps Server 2013 are allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted Rich Text Format data file. Microsoft immediately do the remediation (announce software update). This is the CVE-2014-1761. However one month later, in May, security expert spotted another file crafted to install a Trojan. It looks strange that the malicious file name was saved in Ukrainian word “список паролiв ” (means password list) .Such attack relies on a executable file with MS Word icon. It download another malicious file finally. This is so called blackenergy Lite version. The Lite version has different build ID format, different plugin interface and has much lighter footprint. Unlike the earlier version of black energy, Lite version does not use a driver for loading the main DLL but instead uses more standard way for loading DLLs (e.g.,rundll32.exe). The configuration data of Lite version is stored as X.509 certificates unlike other BlackEnergy variants which store in XML files.

The objective of blackenergy exploit in 2014 mainly destroy Ukraine and Poland power facilities. As such, it infect the victim machines into two catalogues. The Lite version focus power facilities operation department. The complete version of blackenergy goal to doing the infection for Ukraine and Poland general citizen workstations. Such infection form another bot net DDoS army. It targeted government and telecom services provider.

In mid of 2015, a hybrid attack was formed. It mixture with spear phishing email carry with malicious marco Excel spreadsheet attack the target network. This time lite version blackenergy appears (see below diagram A). The target victim shown as below:

  • ICS, energy, government and media in Ukraine
  • ICS/SCADA companies worldwide
  • Energy companies worldwide

On December 2015: BlackEnergy receive an order to start another round of attack on Ukrainian energy utilities.

Perhaps the above date of attack records not precise. The actual status is that every day has victim workstation unintentionally joined to the vampire army (BotNet).

Diagram A:

Summary:

In conventional warfare, the modern army will be deployed drone and carry missile. The military army lock down the location of enemy then can destroy the target. But for the cyber warfare attack, it will use blackenergy to interfre the enemy daily life. Even though water supply control system using SCADA. Blackenergy can suspend the operation of the water supply facilities. Don’t be forget blackenergy will be appear in the world any time. Be aware of it.

How to protect public facilities which installed SCADA control system?

Only the anti-malware solution is not enough.In order to avoid unforseen incident happens. Following item of solution can reduce the overall risk rating.

  • Install SIEM system
  • Cybersecurity awareness training
  • vulnerability management
  • Application control
  • Stay alert of the email-based spear-phishing

— END —