Category Archives: Cyber War

Say Goodbye to 2017 cyber incidents

We are going to say goodbye to 2017. What is your expectation in the new year? Cyber World activities especially cyber attacks looks intensive this year. Perhaps we cannot imagine ransomware threat which contain powerful destruction power last decade.The crypto worm (WANNACRY) break the Cyber incident world records which suspended huge volume of workstations and servers operations in the world on May 2017. A shock to the world that the only way to recover your system or data is pay the ransom. Apart from that an alert to the business world is that how does the open source software provides the IT security assurance to the company. The data breach incident occurred in Equifix was awaken everybody. However the data breach incidents continuous exposed to the world caused by misconfiguration instead of vulnerabilities. It such a way discredit the cloud services provider. On the banking environment, the  ATM malwares are wreak havoc. A speculation by expert that DDOS attack will be replaced by ransomware. It looks that DDOS looks running strong this year. My opinion is that application security will be the focus of IT people next year. By the way, I wish you Happy New Year.

Layer 7 (application layer) – What is the information security key factors?

About DHS Malware Analysis Report (MAR) – 10135536-B

Preface:

There are books of which the backs and covers are by far the best parts!

― Charles Dickens, Oliver Twist

Discussion details:

Heard that the North Korean government suspected state sponsor of Lazarus Group cyber attack activities. A nick name to Lazarus group dubbed Hidden Cobra exposed to the world mid this year. The US homeland security claimed that they are the suspects of the cyber attack to Sony picture and behind the WannaCry (ransomware) cyber attack. By far we known US homeland security department with high priority to keep track their activities.

DHS malware report (10135536-B) technical findings

There are total 7 items of Portable Executable (PE) files shown on report. We make our discussion in layman terms, say that PE is a executable file. The PE checksum and details shown as below:

  1. PE file name checksum (MD5): C74E289AD927E81D2A1A56BC73E394AB

Antivirus vendor capable to detect checklist

  • K7 – Trojan ( 700000041 )
  • Cyren – W32/Heuristic-KPP!Eldorado
  • VirusBlokAda – BScope.Trojan.Agent

2. PE file name checksum (MD5): FC9E40100D8DFAE2DF0F30A3414F50EC

Antivirus vendor capable to detect checklist

  • Cyren – W32/Heuristic-KPP!Eldorado
  • VirusBlokAda – BScope.Trojan.Agent
3. PE file name checksum (MD5): 0137F688436C468D43B3E50878EC1A1F 
Antivirus vendor capable to detect checklist
  • F-secure – Gen:Trojan.Heur.LP.Tu4@aqf3yp
  • BitDefender – Gen:Trojan.Heur.LP.Tu4@aqf3yp
  • Emsisoft – Gen:Trojan.Heur.LP.Tu4@aqf3yp (B)
4.  PE file name checksum (MD5): 114D8DB4843748D79861B49343C8B7CA
Antivirus vendor capable to detect checklist
  • F-secure – Gen:Variant.Graftor.373993
  • Cyren – W32/Heuristic-KPP!Eldorado
  • VirusBlokAda  – BScope.Trojan.Agent
  • BitDefender – Gen:Variant.Graftor.373993
  • Emsisoft – Gen:Variant.Graftor.373993 (B)

5. PE file name checksum (MD5) 9E4D9EDB07C348B10863D89B6BB08141

Antivirus vendor capable to detect checklist
  • F-secure – Gen:Trojan.Heur.LP.hu4@aKqgOsli
  • BitDefender – Gen:Trojan.Heur.LP.hu4@aKqgOsli
  • Emsisoft – Gen:Trojan.Heur.LP.hu4@aKqgOsli (B)
6. PE file name checksum (MD5)
2950E3741D7AF69E0CA0C5013ABC4209
Antivirus vendor capable to detect checklist
  • F-secure – Trojan.Inject.RO
  • VirusBlokAda – BScope.Trojan.Agent
  • Ahnlab – Trojan/Win32.Akdoor
7.  PE file name checksum (MD5)
964B291AD9BAFA471DA3F80FB262DBE7
Antivirus vendor capable to detect checklist
  • nProtect – Trojan/W64.Agent.95232
  • McAfee – Trojan-FLDA!964B291AD9BA
  • ClamAV – Win.Trojan.Agent-6319549-0
  • Ahnlab – Trojan/Win64.Dllbot
  • Quick Heal – Trojan.Generic
My observation:
It was strange and surprise to me that the total checksum provided by homeland security malware report only 1 item can find the record on virustotal database. It was not usual from technical stand point. The item 7 PE checksum can found on virustotal database. The earlier malware detected period fall back to 2014.  Apart from that  PE file checksum item from 1 to 5 only acknowledge by few antivirus vendor.
As we know, Kapersky pay an important role of APT cyber attack investigation analysis so far. But this time it did shown on report. We understand that there is a lawsuit in between US government and Kapersky.  May be this is the reason. However we couldn’t find any details on virustotal repository. It is very rare! It looks that  F-secure virus vendor done well in this matter since their detection rate is 3 out of 7. On the other hand, the body guard for South Korea government (AhnLab) is the antivirus detect the attack earlier in 2014. However the overall detection performance only maintain on 2 out of 7.
From general point of view, no matter Lazarus Group or Hidden Cobra their design goal looks is their natural enemy if the attack was engaged by North Korean government. However it looks that the major cyber attacks given by Hidden Cobra went to cross bother countries especially USA or European countries. The virus vendor F-Secure hometown in Finland. Their business market coverage in APAC country looks significant reduce in PC market recently. But they are aggressive in mobile phone devices. Perhaps the alert given by Homeland security malware attack target machines are on windows base. And therefore it such away bypass their focus.
It looks confused with managed security services vendor especially APAC country of this cyber alert!
The report given by US homeland security awaken our general opinion for antivirus vendor. Apart of my favor Kapersky  there are potential antivirus contain powerful capability to  detect and quarantine the unknown APT activities and malware. For example on the report we seen the brand name of K7,  Cyren, VirusBlokAda, Emsisoft  and BitDefender.
Anyway  I still have hesitation or hiccups of this report since some information not disclose in normal way. For example, I could not found the history record on virustotal repository. But place safe that following the recommendation provide by DHS is the best practice (Yara rule shown as below):

 

rule Unauthorized_Proxy_Server_RAT

{

meta:

Author="US-CERT Code Analysis Team"

Incident="10135536"

MD5_1 = "C74E289AD927E81D2A1A56BC73E394AB"

MD5_2 = "2950E3741D7AF69E0CA0C5013ABC4209"

Info="Detects Proxy Server RAT"

super_rule = 1

strings:

$s0 = {8A043132C288043125FF00000003C299F73D40404900A14440490003D0413BCF72DE5E5FC3}

$s1 = {8A04318844241432C28804318B44241425FF00000003C299F73D40404900A14440490003D0413BCF72D65E5FC3}

$s2 = {8A04318844241432C28804318B44241425FF00000003C299F73D5C394100A16039410003D0413BCF72D65E5FC3}

$s3 = {8A043132C288043125FF00000003C299F73D5C394100A16039410003D0413BCF72DE5E5FC3}

$s4 = {B91A7900008A140780F29A8810404975F4}

$s5 = {399FE192769F839DCE9F2A9D2C9EAD9CEB9F

D19CA59F7E9F539CEF9F

029F969C6C9E5C9D949FC99F}

$s6 = {8A04318844241432C28804318B44241425FF00000003C299F73D40600910A14460091003D0413BCF72D65E5FC3}



$s7 = {3C5C75208A41014184C074183C72740C3C7474083C6274043C2275088A41014184C075DC}

$s8 = {8B063D9534120077353D59341200722E668B4604663DE8037F24}

$s9 = {8BC88B74241CC1E1052BC88B7C2418C1E1048B5C241403C88D04888B4C242083F9018944240C7523}

$s10 = {8B063D9034120077353D59341200722E668B4604663DE8037F246685C0}

$s11 = {30110FB60148FFC102C20FBEC09941F7F94103D249FFC875E7}

$s12 = {448BE8B84FEC

C44E41F7EDC1FA038BCAC1E91F03D16BD21A442BEA4183C541}

$s13 = {8A0A80F9627C2380F9797F1E80F9647C

0A80F96D7F0580C10BEB

0D80F96F7C0A80F9787F05}

condition:

any of them

}

Reference: The article provided by US Homeland security (see below)
https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDF

Summary:

In the meantime, I wish you Merry X’mas and Happy New year. Stay tuned!

Military or Business Industry, Windows OS peripheral control bring to attention.

 

Preface:

Since the version of Windows XP, the Windows operating system feature embedded functionality of industrial applications.  However the motivation of factor on re-engineering of system depends on customer demand.

Case study details:

The US Navy is paying Microsoft $9.1 million for continued Windows XP support – Jun 23, 2015 

Information Background – According to SPAWAR official announcement on Jun 2015. The renewal process will buy the Navy time to migrate from its existing reliance on the expiring product versions to newer product versions approved for use in Ashore and Afloat networks, and will provide hotfixes to minimize risks while ensuring support and sustainability of deployed capabilities.

* The Space and Naval Warfare Systems Command (SPAWAR), based in San Diego, is an Echelon II organization within the United States Navy and is the Navy’s technical authority and acquisition command for C4ISR (Command, Control, Communications, Computers, Intelligence, Surveillance and Reconnaissance), business information technology and space systems.

Doubt – known design limitations

a. Windows OS system – The re-engineering schedule instead of Windows XP operating system.

  1. US Navy is paying Microsoft $9.1 million for continued Windows XP support – Jun 23, 2015. As of today, we believed that the operating system update has been done. However a valid design weakness on Windows operation system found on 2014 till today. It found by security expert that a kernel flaw appears to all version on Microsoft operating system platform since end of 2014 (see below picture diagram for references). From my personal point of view. I agree with Microsoft official comment on their announcement, this is not a security issue (device driver inject rootkit). My stand point is that the Windows operating system fundamental design objective does not catering for mission critical industries especially Nuclear power facility and military industry.  However the modern technology industries deploying in formal fashion of manner. Yes, I agree that the manufacture industry and business automation not shown the side effect of design limitation. But on mission critical industries, the design capability limitation similar a technology kill chain! Information security is a continuous program. Microsoft operation system  don’t have exception. A group of security expert re-open this flaw recently (Inside NT’s Asynchronous Procedure Call).  Asynchronous Procedure Calls (APCs) are a fundamental building block in NT’s asynchronous processing architecture. This architecture still valid till today.

The security expert highlight the flaw in regards to the following items. 

If you are not interested in technical descriptions detail, you can skip and jump to below item 2.

As a device driver writer, you can rely on APCs to execute a routine in a particular thread context without that thread’s intervention or consent whenever no guarantee of its address space’s availability can be made.  Since APC mechanism not on Ring 3 and therefore the fundamental of design not enforce protect this mechanism. As a result, a weakness was found in this place. The PsSetLoadImageNotifyRoutine function registers a notification function that is called when the image is loaded or the image is mapped to memory. The operating system calls the registered callback function after displaying the image executed in the user space or in the kernel space (just what we need, because the drivers are just loaded into the kernel), before the execution of the image. The main weakness of software driver integration with operating system is given by PsSetLoadImageNotifyRoutine.

* The PsSetLoadImageNotifyRoutine routine registers a driver-supplied callback that is subsequently notified whenever an image is loaded (or mapped into memory).

As we know, antivirus software using kernel driver to inject code into all all running processes. The antivirus software register for image creation notification and then queue some APCs that will execute in user mode and do the injection. Since the security level of protection of device driver on Windows OS all depends on 3rd party developer design.  A lot of security experts feedback comments on Microsoft OS products. They highlight that a flaw appears on kernel side. Microsoft official announcement was told that it is not a security issue.  The fact is that  malware can use API system call (PsSetLoadImageNotifyRoutine) to trick the OS into giving malware scanners other files. This would allow malicious software smuggling then by evade antivirus monitoring.

Device driver rootkit code (sample)

mov eax, [ebp+ImageInfo]
push dword ptr [eax+4]

Question:

Do you think the developer alert this issue on their design phase? From logical point of view, this unknown threat not announce to the world. Most of the protection mechanisms are implement falls under File, Registry, Process, DLL Load. Microsoft don’t allow anyone to hook the SSDT. For my comments, the system development cycle is division of job and therefore this protection mechanism will be fall into cyber security team job scope. As are result, the protection mechanism will be relies on antivirus and malware detection software. But the specific threat might evade malware scanner custodian.

It looks that remediation step on critical industries especially Nuclear Power facilities and Military Dept might do a audit.  As soon as possible to develop the protection mechanism through SSDT hooking.

2. Satellite communication systems design limitation

Since this topic has been discuss previous.  For more details of related article. Please see below url for reference.

Perhaps military battleship can destroy everything, but it could not win in the digital war!

 

Summary:

As of today (12th Sep 2017), my comments in regards to mission critical industries remain unchanged.  That is please re-confirm existing operating system peripherals issue before next action.

Scientific versus Prejudice – Cyber war Part II

Preface

The scandal of NSA let the world know large scale survillence program over the world. Perhaps the objective of the NSA not only this matter. We known that a vulnerability happened on VSAT satellite system. It allow malicious SMS signal obfuscate the system operation. For more details, please refer to below URL.
The war happens today hard to avoid to involve cyber technology battle. This is the prelude of the discussion today. What if, my imagination comes true, what will happen in this battle?

NSA’s backdoor catalog (OS system and Network) exposed:

On exposed information, a group list of vendors name are included in their target list. As we know, we believed that Microsoft, Cisco products hidden their backdoor. However CEO of Cisco tell the world that their products did not have embedded backdoor. Microsoft president Brad Smith blamed the NSA spy agency tarnished their system design. Do you think those two big head is a actor or they are really don’t  know?
Conspiracy theory point of view on OS system ( merely personal opinion )

In conspiracy theory point of view, what is the reason for operation system vendor maintain SMB version 1 until NSA scandal exposed to the world then take the patching action. Perhaps if not WannaCry ransomware attack outbreak tarnished SMB 1 design limitation. Meanwhile hacker claimed that they are appreciate for NSA found this secret! Since nobody aware this issue until secret leak to the world! But who know what is the true factor let OS vendor delay SMB version 1 patching schedule till incident happen afterwards? (Microsoft released patches for all supported versions of Windows on the March 2017).

Conspiracy theory point of view on Network system ( merely personal opinion )

Based on the Shadow Brokers disclosed. The two exploits, listed in the archive directory as EPICBANANA and EXTRABACON, can be used to achieve remote code execution on Cisco firewall products. A vulnerability exploited by one of the tools was patched in 2011 but the other exploit’s vulnerability is entirely new. From logical point of view, it is hard to imagine that such big technology company did not know the design weakness of their product? Maybe they are trustworthy. Or Who know, God know?

Who dare say there is no unknown backdoor in hardware unit including CPU

Information Update on 31st Aug 2017 – Intel Active Management Technology, Intel Small Business Technology, and Intel Standard Manageability Escalation of Privilege

Headline news today report that CPU vendor design computer according the requirement by customer , sometimes the client is a government. For instance, US government might compliance to their security standard (High Assurance Platform program so called HAP). However a design limitation was found. An official announcement by Intel in regards to this vulnerabilities on May 2017. Furthermore security experts found a unknown backdoor on Intel ME Chip. From technical point of view, this is not coincidence and speculated that both vulnerabilities has relationship.

https://www.intel.com/content/www/us/en/architecture-and-technology/intel-amt-vulnerability-announcement.html

From safety view point, it is impossible to use hostile national science and technology products

 

In defense and protective prospective, it was not possible to use hostile national science and technology products in military zone. Even though the hardware and operation system vendor are trustworthy. However the hostile country will try different to implant malware or infiltrate techniques to related system. For instance, Network equipment vendor (router, switch and firewall) do not know the design weakness will trigger such critical level of destructive result.  Below is a simple example to proof this concept.

Picture A is the reference of normal network operating scenario. We understand that internet world coexists with BGP network protocols.  The zoning driven by AS number (autonomous system number). The AS Using BGP to Distribute Routes. For instance, on picture B. The ISP D network equipment hits SNMP design flaw and encountered core OS buffer overflow causes privileges escalation. As a result the core router has been compromised. Base on BGP protocol hijack concept, the compromised router might obfuscate the network. It might have way to control the network routing path. I am not going to explain into details since it is a very long discussion. However if you base on above techincal terms and concept do a google search. You will be able to find the details. Yes, internet world is the big data. It  is free. 

Put above concept to the realistic world

Since above example is my imagination, however it will bring a solid idea to you. How serious level of destruction will be occurs in similar circumstances. So to protect yourself in cyber war battle seems better do not let your enemy know what type of equipment you are in use. Even though they are using CVE attack or Zero day attack. You equipment will be ignore those kind of cyber attack.

The focus of the discussion

I can’t written down a term of summary or conclusion right now. Since there are more and more information coming. However I need to study the details before continues this discussion. Ok, have a nice weekend. We discuss next time, Thank you! Bye!

Picture A – Normal scenario (request to reach adjacent side IP address)

Picture B – Telecommunication service provider network equipment compromised by hostile national.(As a result, the network traffic will route to their area and under their control)

 

Electronic War reference:

http://www.antihackingonline.com/cell-phone-iphone-android-windows-mobile/the-other-side-of-the-story-on-cyber-attack-electronic-war-between-countries/