Category Archives: Public safety

Headline News – unauthorized access to japan government systems via Fujitsu ProjectWeb – 28-05-2021

Headline News – The incident affected the Ministry of Land, Infrastructure, Transport and Tourism, Ministry of Foreign Affairs, Cabinet Office and Narita Airport. The stolen data included files stored by government employees on the cloud-based collaboration and file sharing platform ProjectWEB, which was launched by Fujitsu in the mid-2000s and was very popular among Japanese civil servants.
According to Japanese media reports, hackers stole documents containing employees of the Ministry of Land, Infrastructure, Transportation and Tourism and extended more than 76,000 email addresses, but the government did not confirm this information.

Background: ProjectWEB is a a cloud-based enterprise collaboration and file-sharing platform that Fujitsu has operated since the mid-2000s, and which a number of agencies within the Japan government currently use.

One of the possibilities of data leakage in this accident:
If daily operation in many small projects will go through web base management system. Furthermore, daily communication between project managers and project members uses Excel to complete status management and quality management. If excel spreadsheet encounter design weakness (CVE-2017-0006, CVE-2017-0019, CVE-2017-0020, CVE-2017-0030, CVE-2017-0031, and CVE-2017-0053). Therefore, allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted document. As a result, the data breaches will be occurred.

Headline News – https://www3.nhk.or.jp/nhkworld/en/news/20210526_28/

Update to CISA-FBI Joint Cybersecurity Advisory on DarkSide Ransomware (May 19, 2021).

Preface: Critical infrastructure cybersecurity is not new – it was first addressed by Presidential Decision Directive (PDD) 63 in 1998. The term Internet of Things (IOT) was used but it was for consumer product applications not industrial applications. Perhaps the Executive Order on Cybersecurity does not adequately protect critical infrastructures

Background: Best Practices for Preventing Disruption from Ransomware Attacks was released by CISA on May 11, 2021 – https://us-cert.cisa.gov/ncas/alerts/aa21-131a

The goal provides a directive to computer users to reduce the possibility on ransomware attack. Apart of best Practices, whether there is other way to enhance your current system infrastructure to avoid computer user negligent.

Solution 1: Technology so called clean DNS works by adding a layer of security between a user and the internet that prevents visits to websites used for scams, phishing, and malware and ransomware distribution.

Solution 2: Be aware that unofficial observation concluded that if you had infected trickbot, you would receive ransomware attack soon.
Please refer to the attached diagram for the solution.

Zerologon vulnerability note – last revised (23rd Mar, 2021)

Preface: “Logic 0” and “logic 1” represent binary digits (0 and 1) or Boolean logic conditions (true and false).  A vulnerability in the cryptography of Microsoft’s Netlogon process that allows an attack against Microsoft Active Directory domain controllers.

Background: The algorithm originally used to encrypt the logon process in Windows NT was 2DES. Thus design weakness found in this place. MS-NRPC uses an obscure setting known as AES-CFB8 (Advanced Encryption Standard – Cipher Feed Back 8 bit). However use of AES-CFB8 within MS-NRPC has an issue with the Initialisation Vector (IV) which should be a random number, but MS-NRPC has it fixed at a value of 16 bytes of zeros.

Impact: Tom Tervoort from Secura, he discovered there is a likelihood of one of every 256 keys used will create cipher text that has a value of all zeros.  Whereby, a high possibility way to root AD server. To change the password, attackers use the message NetServerPasswordSet2 in MS-NRPC. It is possible to change a password by simply sending the frame with the preferred new password. The easiest approach is to remove the password or set it to a blank value –  the hacker can now log in through a normal process.

Since February 9, 2021 is the enforcement phase. And therefore, vendor will be enforce the following setttings.

  • Enforces secure RPC usage for machine accounts on non-Windows based devices unless allowed by “Domain controller: Allow vulnerable Netlogon secure channel connections” group policy.
  • Logging of Event ID 5829 will be removed.  Since all vulnerable connections are denied, you will now only see event IDs 5827 and 5828 in the System event log.

Official announcement: https://kb.cert.org/vuls/id/490028

Microsoft fixes actively exploited Exchange zero-day bugs attacks (2nd Mar 2021). When service you are not in used, you should disable immediately.

Preface: The Microsoft Exchange Unified Messaging service on the Mailbox server will accept connections from a Client Access server on SIP ports 5062 and 5063.

Technical background: Unified Messaging (UM) enables users to use voice mail and other features, including Outlook Voice Access and Call Answering Rules. UM combines voice messaging and email messaging into one mailbox that can be accessed from many different devices.

Security Focus – Vulnerability details: This vulnerability is part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443.

Workaround: Restrict untrusted connections, or by setting up a VPN to separate the Exchange server from external access.

Reference: u’Buffer overflow can happen as part of SIP message packet processing while storing values in array due to lack of check to validate the index length’ in Snapdragon Auto, Snapdragon Compute, …….

Official announcement https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857

To avoid malware misuse “PACKET_MMAP” function,from Linux environment. CISA Releases Free Detection Tool for Azure/M365 Environment (29th Dec 2020)

Preface: Neither shellcode or shellcode injection have anything to do with shell scripting. It is a sophisticated way of finding a vulnerable spot on the cyber security layer of an organization and exploiting it for malicious purposes.

Background: Azure Sphere is a secured, high-level application platform with built-in communication and security features for internet-connected devices. The platform consists of the integration of hardware built around a secured silicon chip; the Azure Sphere OS (operating system), a custom high-level Linux-based operating system; and the Azure Sphere Security Service, a cloud-based security service….

About “PACKET_MMAP” function: From official article, it illustrated below:
PACKET_MMAP provides a size configurable circular buffer mapped in user space that can be used to either send or receive packets. However a design weakness has occured! The mmap‘ed memory buffer will be filled by the kernel when using PACKET_RX_RING. As a result, the user’s process, it’s enough to mmap a buffer with PROT_READ|PROT_EXEC permissions flags, and let the kernel fill the buffer.

Remedy: Perhaps shellcode injection sometimes can evade your malware protection mechanism. In certain point of view, use SIEM is one of the cost effective solution. Meanwhile, CISA Releases Free Detection Tool for Azure/M365 Environment. Reference link – https://us-cert.cisa.gov/ncas/current-activity/2020/12/24/cisa-releases-free-detection-tool-azurem365-environment

New variant of the Zebrocy (smqft_exe & sespmw_exe). They are design to perform various functions on the compromised system, said USCERT (3rd Nov 2020)

Preface: Some expert comment that because of Go language programming file will be large than usual. It might have possibilities to evade virus scanning. So malware author like to use. Perhaps this is not the major factor.

Background: In July 2019, a security researcher found nearly 10,700 unique samples of malware written in Go programming language, also known as GoLang.
According to the analysis conducted by Imperva. As of 2019 37.97% attack use Python language develop the tool and 31.53% was used Go language. Go language really a compiler (in fact it embeds 2 compilers) and it makes totally self sufficient executable. You don’t need any supplementary library or any kind of runtime to execute it on your server.

Technical highlights: Go or Golang attempts to reclaim the memory occupied by other objects that are no longer needed which makes Go a highly garbage collected language. Because of this reclaim feature, so it is easy to let antivirus/malware detection screw up.

Official details: If you are interested in the above matters. Please refer to the link – https://us-cert.cisa.gov/ncas/analysis-reports/ar20-303b

Boeing, U.S. regulator made series of errors ahead of 737 Max crashes: congressional report (SeP 2020)

Preface: From logical point of view, if input only relies on a standalone source (sensor). The integrity of the result all relies on the total amount of variable factors. Perhaps sensor install on airplane is a IoT device. So it lure my interest.

Background: Traditionally the older (NG) 737 variants did not have fly-by-wire technology, and autopilot could be overridden and turned off simply by putting manual pressure on the yoke.

Software that talks to computer like airplanes equipment is often written in a programming language called C. The names of files written in C code usually have .c at the end. This assumes that the MCAS software is contained a file called mcas.c. But this time there was no cyber attack. This is a problem caused by human error.

For the 737 Max crashes (congressional report). Please refer to headline news – https://www.cbc.ca/news/world/us-congress-boeing-crash-report-1.5725876

Cause of incident: In the case of the Lion Air crash, the sensor malfunctioned and caused the flight computer to push the nose down when the flight was level.

From technical point of view, the sensor is IoT device. There are facilities can avoid such disaster happen. Conceptually, even a simple xor gate with two input. Or the combination of NAND gates equivalent a XOR gate setup. The essential of objectives is the suitable logic apply to the Logic Circuit. Whereby, the output is dependant at all times on the combination of its inputs. It simple to say it is the logic design.

APT developing new evasion technique to conducting cyber attack – 23rd Sep 2020

Preface: The APT organization provides a hard-to-detect malware to attack other hostile campus.

Synopsis: The evasion technique found recently by security expert team is that APT 29 exploit the design weakness of detection machanism. They do a re-engineering to covert a zip file to JPEG.
“This technique works because JPEG files are parsed from the beginning of the file and some Zip implementations parse Zip files from the end of the file (since the index is located there) without looking at the signature in the front,” the researchers explain.

Perhaps APT 28 and 29 using different evasion technique aim to delivery the malicious resources to landing. Whereby, the final executor is the power shell.

So called Zebrocy. Its function is mainly Downloader. The evasion effect is better than the technique use by APT 29. After running, it will perform a persistence operation and pop up an error message box to confuse the user. When it is started with specific parameters, a screenshot will be taken. Through the timer callback function, send data to the remote server and wait for the subsequent payload to be downloaded.

Should you disable PowerShell?
No, minimize the risks with PowerShell Constrained Language mode.

Enabling Constrained Language mode ^
PS C:\Users\xxxx> $ExecutionContext.SessionState.LanguageMode = “ConstrainedLanguage”

This could be configured in registry HKLM\System\CurrentControlSet\Control\SESSION MANAGER\Environment__PSLockdownPolicy .

Running PS as Admin you can simple remove this property
Remove-ItemProperty -path “HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\” -name __PSLockdownPolicy

Recommended article: PSLockDownPolicy and PowerShell Constrained Language Mode – https://docs.microsoft.com/en-us/archive/blogs/kfalde/pslockdownpolicy-and-powershell-constrained-language-mode

Remote Access Trojan: BLINDINGCAN – 19th Aug 2020

Preface: The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have identified a malware variant—referred to as BLINDINGCAN—used by North Korean actors.

Techincal details: Perhaps the official report already provide the details. In short, the key point is that APT group exploit the Microsoft Word vulnerability (CVE-2017-0199). As such, APT attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The report described that malware will download [.]dll file from C&C server. The aim is to replace the local workstation iconcache[.]dll. Replace the iconcache[.]dll require privileges access right. So the specifics attack is targeting the machine which do not have patch installed. If it is successful. The unpack iconcache[.]dll will be transformed a variant of Hidden Cobra RAT.

Official announcement: https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a

Recommendation: Check your MS office Patch – https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199

Reference: Perhaps you have doubt that why do the cyber security organization aware the cyber attack in earlier phase. Does it a conspricy? They do a sniffing of your traffic? Or doing surveillance?
No. they have several ways to protect the internet world. For example, relies on DNS Sink Hole activity record in service provider side, cyber crime activities reporting by computer users. Or, through alerts issued by law enforcement agencies, alerting of special types of cyber attacks from hostile entities.

New Linux malware – aka Drovorub (13th Aug 2020)

Preface: New Linux malware silently conducting the attack. The FBI and NSA issue joint security alert.

Official announcement – https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF

Remedy: To prevent attacks, the agency recommends that US organizations update any Linux system to a version running kernel version 3.7 or later, “in order to take full advantage of kernel signing enforcement,” a security feature that would prevent APT28 hackers from installing Drovorub’s rootkit.

Reference: On older versions of Linux, two buffers allocated next to each other on the heap could result in the first buffer overwriting the second buffer’s metadata. By setting the in-use bit to zero of the second buffer and setting the length to a small negative value which allows null bytes to be copied, when the program calls free() on the first buffer it will attempt to merge these two buffers into a single buffer.

Impact: Heap overflows to gain arbitrary code execution.

Headline News: https://www.zdnet.com/article/fbi-and-nsa-expose-new-linux-malware-drovorub-used-by-russian-state-hackers/?ftag=TREc64629f&bhid=22308921349725635516834735786487&mid=12982564&cid=717383279