Category Archives: Cyber War

About Emotet malware (2019)

Preface: Emotet malware found in 2015. But he is still aggressive nowadays. It shown that it is a long life cyber attack product .

Details: Australian Cyber Security Centre (ACSC) released an advisory that Emotet malware widespread in rapidly. The Emotet malware is distributed mostly by means of phishing email that contains either links to malicious sites, or malicious attachments.
Since Emotet is a polymorphic design.Emotet is a polymorphic engine to mutate different values and operations. From observation, it now link with ransomware.
The change in shape of Emotet more or less proof that his design is equivalent as a cyber weapon. It provide the functions for infiltration. Meanwhile, after finished the mission. It can link to ransomware. Such design can avoid forensic investigator conduct the validations.

For more details, please refer to ACSC announcement. https://www.cyber.gov.au/threats/advisory-2019-131-emotet-malware-campaign

Oct 2019 – When hostile countries are prepared to take military action. They took cyber attacks as a 1st step.

Preface: Both ransomware and malware are powerful cyber attack tools. This is equivalent to the army entering a hostile country.

Background: On yesterday 21st Oct 2019, NSA and NCSC release joint advisory on Turla Group Activities article. The attack target is the aspx shell. It appeared to use these ASPX shells to preparing 2nd round of cyber attack.

We seen the trend for cyber attack in future will be target to the web API. The hacker still maintain interest on Microsoft product especially .Net framework. Traditionally, ASP.NET Web API does not utilize the request validation feature to sanitize user input. You will need to add this protection manually if any input will be used in HTML output. Apart from that, there are more and more Microsoft SharePoint deployment is also one of the factor.

Quite a lot of web programming feature lure the cyber attacker put their interest into software programming side (see below).

  • User-mode rootkits run in Ring 3, along with other applications as user, rather than low-level system processes. And therefore it does not require elevation of privileges.
  • A ring 0 rootkit in this instance would be a kernel mode driver (*.sys file) that also requires administrator privileges when installing.
  • Query parameter text is not checked before saving in user cookie NameValueCollection request = Request.QueryString
  • Adding cookies to the response Response.Cookies[“userName”] Value = request [“text”]

Here comes along with the cyber attack in continuous way.

Technical article for reference: https://media.defense.gov/2019/Oct/18/2002197242/-1/-1/0/NSA_CSA_TURLA_20191021%20VER%203%20-%20COPY.PDF

Country to country APT attack mechanism not complex, believe that it exploit design flaw instead of backdoor – Jun 2019

Preface: It was the best of times, it was the worst of times, it was the age of wisdom, it was the age of foolishness, …

Synopsis: Mongoose is a cross-platform embedded web server and networking library with functions including different protocol (TCP, HTTP, WebSocket, Server MQTT client and broker). Since the footprint is small and capable to enables any Internet-connected device to function as a web server. Whereby, the temperature, weather monitoring device and Smart City sensor will make use of it. Most nuclear reactors use water as a moderator, which can also act as a coolant. So IoT temperate is the major component in this area.

Reference: When temperature senor sense the temperature exceed safety level. It will apply graphite to slows neutrons fission.
So the logarithmic reduction of neutron energy per collision.

Vulnerability details: A vulnerability in Cesanta Mongoose could allow an unauthenticated, remote attacker to execute arbitrary code or cause a denial of service (DoS) condition on a targeted system. If the newly allocated data chances to hold a class, in C++ for example, various function pointers may be scattered within the heap data. If one of these function pointers is overwritten with an address to valid shellcode, execution of arbitrary code can be achieved.

Remedy: At the time this alert was first released, the vendor has not issued a security advisory.

It is hard to judge it was a self defense or attack. New York Times cyber attack news – 16th Jun 2019

Preface: Sometime, the argue in between two countries similar a child. I am going to joke with you then switch off your power.

Highlight: Headline news by the New York Times give a tremendous feeling to the world. It let the people think the cyber war is on the way. Yes, it is true. The plan to implement Astra Linux in Russian defense systems dates back to the beginning of 2018. As far as we know, Russian do not relies on Microsoft operation system anymore especially critical facilities (military, defense system and power grid). Astra Linux compatible with Siemens Simatic IPC427D workstation. And therefore it is secure to implement in power supplier facility. But….

However it is hard to guarantee the vendor hardware vulnerability, right? For instance, Denial-of-Service Vulnerability in SIMATIC S7-1200 CPU and SIMATICS7-1500 CPU.

Remark: SIEMENS SCADA software family consists of three main pillars, WinCC Pro, WinCC 7 and WinCC … WinCC Pro is popular and can be used in any – discrete or process.

Reference: https://cert-portal.siemens.com/productcert/pdf/ssa-584286.pdf

What is your opinion on the headlines of the New York Times? Do you think this is a conspiracy?

Looking back – The Russia hacked the US electric grid. DHS and FBI are characterizing it as a Russian attack, noting that this was a multiyear campaign started in March 2016 by Russian government “cyber actors.”
The unconfirmed accusation of cyber attack to Russia posted by New York Times. Do you think it was a defensive action by US government?

Headline news https://www.nytimes.com/2019/06/17/world/europe/russia-us-cyberwar-grid.html

Astra Linux features:

– Compatibility with the Komrad SIEM system
– FSTEC certificates of the Russian Federation and FSB of the Russian Federation on Astra Linux of SE (release Smolensk)
– Compatibility with the Simatic IPC427D workstation
– Compatibility with Videoselektor
– Minobona’s certificate of the Russian Federation and FSB on Astra Linux of SE (release Leningrad)
– Compatibility with Mellanox Spectrum
– Compatibility with TerraLink xDE
– Tests of BLOK computers running SE 1.6 Astra Linux OS
– Availability of an official mirror of a repository of Astra Linux OS on mirrors.kernel.org
– Compatibility with JaCarta
– Compatibility with CryptoPro CSP on Elbrus and Baikal processors
– Compatibility with Linter DBMS

As of May 9, 2019, even “Virustotal” did not have his record! where is he from?

Preface: The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) have identified a malware variant— so called ELECTRICFISH.

Technical details: The malware implements a custom protocol like “Tor browser”. The aim to allows traffic by-pass defense mechanism in between source and a destination Internet Protocol (IP) address. The malware continuously attempts to reach out to the source and the designation system, which allows either side to initiate a funneling session.

Comment: Seems malware designer aware that their operation will be terminated by malware detector especially company which installed “FireEye”. The successful factor of the infection all depends on thier infection path. May be it is a phishing, or hide himself in a 3rd party software drivers. From technical point of view, their activities is not easy discovered by antivirus program once malware successful install. But it is rare that even “Virustotal” do not have their information till now.

Headline News via following link : https://www.washingtonexaminer.com/news/us-government-unveils-new-north-korean-hacking-tool-as-tensions-continue-to-rise

Analysis Reports by US Homeland Security – Legitimate open source remote administration tool re-engineer by threat actor as APT way of attack – Dec 2018

Preface: Quasar, a legitimate open-source remote administration tool. It is a fast and light-weight remote administration tool coded in C#.

Background: APT actors have adapted Quasar and created modified minor (1.3.4.0) and major (2.0.0.0 and 2.0.0.1) versions. Since the re-engineering Quasar client will be mimics a Mozilla Firefox 48 browser running on Windows 8.1 or mimics an Apple Safari 7.0.3 browser running on Mac OS X 10.9.3 in order to evade IDS monitoring. However there are way lets security operation center find their fingerprint. The distinctive first 4 bytes of the payload can be used to identify Quasar traffic.

As a result, below analytic way can be enforce the detective control:
Signature 1: TCP Payload Size Tracking

Signature 2: IP Lookup User-Agent String, HyperText Transfer Protocol Header Host, and HyperText Transfer Protocol Header URI

Signature 3: Hidden HTTP Request User-Agent String and Time-to-Live

More details can be found below url: https://unit42.paloaltonetworks.com/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/

Fake apps embedded ultimate spyware are being infect smartphones especially Android – Dec 2018

Preface: Blackhat conference held 3rd to 6th December 2018 in London. A topic awaken people bring attention to the smartphone security awareness especially Android OS.

Technical details:
Cyber security expert observe that a malform type of counterfeit apps spreading via watering hole websites and phishing emails. Targets were likely approached directly and encouraged to visit the malicious websites to download the counterfeit apps.

My comments:
Regarding to the Android Security Bulletin announce on December 2018. It looks that there are more vulnerabilities found. The Critical vulnerability found could let local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. For my personal point of view, the variant of surveillance malware so called Silverhawk. It will embedded with existing Android vulnerabilities engage the cyber attack. For more details, please refer to attached diagram for reference.

Reference: Blackhat conference presentation – Electronic Army’s Mobile Tooling :  https://i.blackhat.com/eu-18/Wed-Dec-5/eu-18-DelRosso-Under-the-SEA.pdf

Could ring 2 have the same momentum as a IoT backdoor?

Preface:

In x86 protected mode, the CPU is always in one of 4 rings. The Linux kernel only uses 0 and 3:

  • 0 for kernel
  • 3 for users

Hidden janitor living in your computer

SMM is triggered through a System Management Interrupt (SMI), a signal sent from the chipset to the CPU. During platform initialization, the firmware configures the chipset to cause a System Management Interrupt for various events that the firmware developer would like the firmware to be made aware of.

Whether you remember the Intel chipsets for some years have included a Management Engine?

On May 2017, an official announcement by Intel, design found a design limitation on their product. The problem is that Intel Active Management Technology, Intel Small Business Technology, and Intel Standard Manageability encountered vulnerability (escalation of Privilege). Reference url shown as below:

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00075.html

If we are not talking about conspiracy, it looks that backdoor appear in the chipset not a rumour. It is a true statement.

Why Ring 2 isn’t used?

Rings 1 and 2 is for the OS to put device drivers at that level, so they are privileged, but somewhat separated from the rest of the kernel code.

An exploitation on Ring 2

We strongly believe that the person who familiar of code for the UEFI kernel and SMM half kernel is the CPU manufacturer. Both components are run on Ring 2. Above mentioned Intel design flaw run in Ring -2 OS (UEFI). UEFI can run in 32-bit or 64-bit mode and has more addressable address space than BIOS, which means your boot process is faster. Unified Extensible Firmware Interface (UEFI) is a specification for a software program that connects a computer’s firmware to its operating system (OS). UEFI is expected to eventually replace BIOS. Like BIOS, UEFI is installed at the time of manufacturing and is the first program that runs when a computer is turned on. Dual boot computer with Windows and Linux conducted by UEFI firmware. But UEFI firmware has become a target for hackers.

Refer to above diagram, we notice that the condition of Ring 2 will be depends on operation mode. So, if virtualization assist by hardware will let Ring 2 and Ring 3 work together. As a result, an attacker with write access to flash can inject malware into the firmware.

Remark: Malware injected into the firmware flash regions is persistent and will run on every subsequent boot.

SPI Flash Exploit – Malicious DXE drivers can disable security settings and install malicious code into the OS.

Additional:

Refer to above information. When a computer was installed and switched on, the microchip altered the operating system’s core so it could accept modifications. The chip could also contact computers controlled by the attackers in search of further instructions and code.

But who is the culprit, no further indicator proof. Perhaps it can shift the blame onto someone else. If you do not mind to read the articles announced by Bloomberg once more. Please refer below:

https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies

2nd Oct 2018 – Homeland security alert (Retail payment system security advisory)

US Homeland security urge banking industry especially payment gateway services provider staying alert of new round of malicious cyber attack of their system. Similar of cyber attack was happened in Taiwan. The heist draw the cash equal to $2.6m (£2.1m). Homeland security reveal how the technique let ATM machine like human vomiting. But this is the bank note. You and me like it.

The key item of this attack is prioritize to compromise the switching application server.  Then malicious applications generate a counterfeit response message using GenerateResponseTransaction1() or GenerateResponseTransaction2() function to response to the acquire with a counterfeit response message and drops the request before the payment switch application processes the message. As a result it fool the issuer with no knowledge of the transaction. Should you have interest of above details, please refer to below URL:

https://www.us-cert.gov/ncas/alerts/TA18-275A

My speculation on how Cisco (Talos) found the malware (VPNFilter malware).

Preface:

Using Big Data and data mining methods to predict attacks before they happen,the Cisco Umbrella Security Research team built such detection framework.

Point of view:

a. Vulnerability routers are vulnerable to Shell Metacharacters Attack

Regarding to the observation result of Cisco Talos security team. There are group of router devices are vulnerable. They are Linksys, MikroTik, Netgear, and TP-Link, as well as QNAP network-attached storage (NAS) devices. I am not going to repeat the attack details because nobody will be describe as clear as Cisco findings (see below url for reference)

https://blog.talosintelligence.com/2018/05/VPNFilter.html

However a hints given to me that they are all vulnerable for Shell Metacharacters attack. What is Shell Metacharacters attack? A metacharacter is a character that has a special meaning (instead of a literal meaning) to a computer program, such as a shell interpreter or a regular expression engine. … Otherwise, the parenthesis, plus-sign, and asterisk will have a special meaning. In the sense that those routers containes design weakness may let the router misbehave. For instance it accept arbitrary command execution through shell metacharacters in a URL.

Botnet from earlier phase relies on workstations engage the attack convert to smartphones in last few years. Most likely the security enhancement in workstations and smartphones improved. The threat actors found the new victims today.It is a low-end wireless router.

So below items are the guidance:

  • Never trust input
  • Prefer rejecting data to filtering data
  • Every component should validate data

Whereby the way to validate the input are:

  • Indirect selection – application never directly uses user input
  • Whitelist
  • Blacklist

If required input, do the validation actions:

  • Sanitize – Attempt to fix input by removing dangerous parts
  • Refuse to use invalid input
  • Record invalid input in log file
  • Alert – send notification to related personnel

b. Behavioral Analysis discovered adnormal traffic pattern

There are design weakness of modbus protocol. Basically modbus is  an application layer protocol. However the MODBUS/TCP protocol implementation contains multiple vulnerabilities that could allow an attacker to perform reconnaissance activity or issue arbitrary commands.

  1. All MODBUS messages are transmitted in clear text across the transmission media.
  2. There are no integrity checks built into the MODBUS application protocol. As a result, it depends on lower layer protocols to preserve integrity.
  3. There is no authentication at any level of the MODBUS protocol. One possible exception is some undocumented programming commands.
  4. MODBUS/TCP consists of short-lived transactions where the master initiates a request to the slave that results in a single action. When combined with the lack of authentication and poor TCP initial sequence number (ISN) generation in many embedded devices, it becomes possible for attackers to inject commands with no knowledge of the existing session.

Regarding to item no.1 design weakness. The SCADA system vendor will be recommend client make use of VPN tunnel to encrypted the traffic for remediation. Whereby hacker created working directory (/var/run/vpnfilterw) in compromised router to record the modbus traffic. And therefore user credential will be found by hacker.

c. Compromised routers and NAS transform to weaponize tool

Cisco statiscally calculate there are estimated 500,000 devices has been compromised. A hints highlights by security expert that attacker creates a configuration file in /var/run/torrc and a working directory in /var/run/tord. A evasion of detection mechanism technique since it is a encrypted communication. The command and control server is able to drive the compromised router to start the cyber attack to nuclear power facilities. Refer to above four items of modbus vulnerbilities. The QNAP network-attached storage (NAS) will be transform become a attack tool. The kernel of NAS contains linux command is able to use it. For instance execute a nping command craft packet to bother the nuclear facility. Meanwhile the hacker is able to install python or php library with script to execute the attack (Reference to above item number 4).

Summary:

In the meantime, we are waiting for more information provided by Cisco.Perhaps attackers engage the attack. No news is good news, agree, Right?

Anything updating will keep you posted.

— End —

24th May 2018 – status update:

FBI take control of APT28’s. They are the suspect threat actor of this attack.

The US Federal Bureau of Investigation (FBI) has obtained court orders and has taken control of the command and control servers of a massive botnet of over 500,000 devices, known as the VPNFilter botnet.

Headline news article for reference.

http://www.scmp.com/news/world/united-states-canada/article/2147561/us-disrupts-botnet-500000-hacked-routers-suspected?edition=hong-kong

Justice Department Announces Actions to Disrupt Advanced Persistent Threat 28 Botnet of Infected Routers and Network Storage Devices

https://www.justice.gov/opa/pr/justice-department-announces-actions-disrupt-advanced-persistent-threat-28-botnet-infected