Preface: Australia’s government and institutions are being targeted by ongoing sophisticated state-based cyber hacks, Prime Minister Scott Morrison says. Mr Morrison did not name specific cases but said it had spanned “government, industry, political organizations, education, health, essential service providers and operators of other critical infrastructure”. 19th June 2020
Technical details: Long story short. The nick name of this attack ‘Copy-Paste Compromises. It is derived from the cyber attacker heavy use of proof of concept exploit code, web shells and other tools copied almost identically from open source. For more details, please refer below link to download the report.
Attack highlights: Web shells are difficult to detect as they are easily modified by attackers and often employ encryption, encoding, and obfuscation. When a potential web shell is detected, administrators should validate the file’s origin and authenticity.
Recommendation: In normal circumstances, firewall locked down rule (deny any source to any destination) is hard to do the analytic through eyeball. But the attack vector designated to Australia. In order to avoid cyber attack in your firm. So firewall administrator should check their SIEM see whether it can find out the hints. If no such facility installed, Perhaps export the web server log see whether you can find out the attack activities details.
Preface: Baxter US, Caterpillar, Digi International, Hewlett Packard Enterprise, Intel, Rockwell Automation, Schneider Electric and Trek are impact by this vulnerability. There are more vendor which do not know the actual status.
Vulnerability details: An attacker from outside the network taking control over a device within the network, if internet facing. There are more ways to exploit this vulnerability, please refer below link for reference.
Root causes: The attacker exploit of the IP protocol flexibility. That is the incoming IPv4 fragments over an IP-in-IP tunnel. As we know, IPv4 found early than Internet services. At that period of time the most serious incident is merely virus infection to local machine. Machine to Machine communication will be make use of serial cable or Novell network. In short, it is a simple architecture. But the attacker can be exploit the design weakness engaging the cyber attack to digital world.
Preface: Universal Plug and Play (UPnP) is a set of networking protocols that permits networked devices, such as personal computers, printers, Internet gateways, Wi-Fi …
Review historical event: Mirai is an IoT botnet that was designed to exploit vulnerabilities in IoT devices for use in large-scale DDoS attacks.In September 2016, the Mirai malware launched a DDoS attack. A massive attack causes the domain registration services provider (Dyn) interrupted the services in October 2016.
Design weakness on universal plug and play: The Open Connectivity Foundation UPnP specification before 2020-04-17 does not forbid the acceptance of a subscription request with a delivery URL on a different network segment than the fully qualified event-subscription URL, aka the CallStranger issue.
Concerns by security expert: The attacker can send a specially crafted HTTP SUBSCRIBE request to the vulnerable devices. Meanwhile, An it could utilize this vulnerability to conduct a DDoS attack. For more details, please refer offical articles in the following url – https://www.kb.cert.org/vuls/id/339275
Preface: It is impossible to rely on small group of expert to track malicious activities on the Internet. In fact, it needs strong financial support. This is reality, maybe this is a long-running game.
Background: US Homeland Security issue an evaluation article on hostile country malware and phishing attacks motion. Perhaps you may ask? Can it be relies on SIEM do this monitoring. My opinion is that we should say thanks to DNS Sinkhole.A website that hosts malware can either attempt to trick users into downloading a malicious program, or execute a drive-by download: a download of a malicious piece of software that is automatically triggered when the webpage loads. But it require DNS lookup service. By using the DNS sinkhole technique it is also possible to deny access to any of malicious C&C websites. Besides, the queries will be written down to DNS Sinkhole record.
Security focus of specifics malware: COPPERHEDGE, is described as a Remote Access Tool (RAT). TAINTEDSCRIBE is a trojan that acts as a full-featured beaconing implant with command modules and designed to disguise as Microsoft’s Narrator. PEBBLEDASH is yet another trojan acting like a full-featured beaconing implant and used by hacking groups “to download, upload, delete, and execute files; enable Windows CLI access; create and terminate processes; and perform target system enumeration.”
Preface: New Kaiji malware targets IoT devices via SSH brute-force.
Background: Gobot is a framework for robotics, drones, and the Internet of Things (IoT), written in the Go programming language.
Observation: Programmers usually choose Golang for building the communication layer within the IoT system. One of the biggest draws to Go is the fact that a single codebase may be compiled for all of the major operating system platforms.
What is codbase: A codebase is a source code repository or a set of repositories that share a common root. The single codebase for an application is used to produce any number of immutable releases that are destined for different environments.
Facts: So it benefits to attacker when he written a malware.
Prediction in regards to current situation: See attached diagram. My prediction is that hacker will be exploit the design weakness in Go language (Go programs primarily use the YMM registers to implement copying one memory buffer to another). So, the case is under observation.
The things you can do right now: Implement effective passwords on all IoT devices when possible.
Preface: A conspiracy was leaked this week, someone ambitious to spying the world.
Details: The espionage activities will be exploit computer technology as 1st approach in today. It is merely relies on design weakness. Yes, it is the vulnerability. When I read the conspiracy details, I was wonder that if the formulation of this design (see attached diagram) goals to do a DDoS. Perhaps this is no a perfect way. However when US Homeland security urge to US citizen staying alert of the vulnerability found in DrayTek Devices. As everyone knows, today’s Tor network cannot perfectly hide the whereabouts of hackers. Because law enforcement already shutdown the proxy servers on the network. Besides, attacker also worries that does the proxy server has monitoring function. From attacker view point, they should perfectly hide itself. Refer to attached diagram, the new formulation of botnet technique will be exploited the new vulnerability found on IoT as a component. It looks like a plug-in module.
There are two types of operating system that sit under the SDK. Low cost and lower specification routers will select the RTOS. Since low end router cannot fulfill their requirement. Perhaps the VPN Router is the correct target because when compromised VPN router form a bot net group can compensate the current resources outage in Tor network.
Preface: Orangeworm is a group that has targeted organizations in the healthcare sector in the United States, Europe, and Asia since at least 2015.
Synopsis: Why does Kwampirs fall into the “Advanced Persistent Threat (APT)” category?
For tradition malware “click and action” attacks. APT attack not condct the similar action. Instead, APT merely do the infiltration on network and communicate with C&C peer daily. asking for updates.
The APT malware rare to do the destructive action especially encrypting data. Ask victim to pay the ransome.
About Kwampirs : FBI alert that Kwampirs goal to implant the remote-access Trojan (RAT). His target include organizations that run industrial control systems (ICS), financial services firms, energy companies and healthcare institutions. As a matter of fact, The Kwampirs was used by Orangeworm group as a backdoor Trojan. It has been found on machines which had software installed for the use and control of high-tech imaging devices such as X-Ray and MRI machines in past. So it was not suprising with Cyber security Guru that he return to healthcare industry.
How did Kwampirs infiltrate my computer? There are several ways to distribute Kwampirs. For instance, by using email campaigns, fake software updates, untrustworthy third party software download channels and unofficial software activation tools. So only relies on Yara rules in IDS not a effective solution to avoid this attack. The observation proves that the internal access control of the 3rd party device is one of the effective channel.
Somewhere in time. This is 2015 – BlackEnergy2 exists in the form of a kernel-mode driver, which makes it harder for network administrators to discover the compromise. Black energy Group will mimics their custom tool(driver) thus made to look like a normal Windows component. They are interested in infecting Windows servers especially OPC server. But Microsoft implemented a driver signing policy in order to avoid loading unsigned driver. This feature is enabled on 64 bits versions of Windows systems.
Synopsis: In normal circumstances, activate the function of the cyber espionage and information destruction attack features needed to be rebooted in order to start the mimics driver. Even though black energy do not have exception.This unplanned reboot of the Windows server could raise suspicion. To solve the reboot issue, the attackers started to use a tool called DSEFix (an open-source tool that exploits CVE-2008-3431, a vulnerability in the legitimate VirtualBox driver), in order to disable the driver signature check. The attackers will made a custom version of DSEFix that also modifies boot configuration data (BCD) in order to enable TESTSIGNING mode.
What is TESTSIGNING mode: By default, Windows does not load test-signed kernel-mode drivers. To change this behavior and enable test-signed drivers to load, use the boot configuration data editor, BCDEdit.exe, to enable or disable TESTSIGNING, a boot configuration option. You must have Administrator rights to enable this option.
Those cyber criminal will focusing the OPC server.Because the OPC client uses the OPC server to get data from or send commands to the hardware.
Will it happen today? The elaborate email subject and content presents challenges for traditional security tools, because it is designed specifically to evade detection.