Category Archives: Public safety

MS CryptoAPI spoofing flaw – 15th Jan 2020

Preface: We are all scared of Ransomware!

Background: crypt32.dll is a type of DLL file, with extension of .dll. It is associated with Crypto API32 and is used to run Crypto API32 based applications. Certain sophisticated video games and software applications use crypt32.dll to get access to certain API functionality, as provided by Windows.

Vulnerability details: The bug exploits crypt32.dll signature verification on elliptic curve. crypt32.dll only checks for matching public key and parameters, but not the generator G. An attacker could use your public certificate without owning its private key, combined with some other code-signing certificate issued to someone else, to bypass a publisher check this way.

Special comment: Do you think this vulnerability has relationship with surveillance program?

NSA Official announcementhttps://media.defense.gov/2020/Jan/14/2002234275/-1/-1/0/CSA-WINDOWS-10-CRYPT-LIB-20190114.PDF

In order to avoid MS ‘.Group’ file handling RCE vulnerability. Think it before click – Jan 2020

Preface: Perhaps you would say the ‘.group’ file handling is the design defect. So hacker exploit social engineer trigger this vulnerability (GROUP FILE URL FIELD CODE EXECUTION). Do you agree?

What is a GROUP file? The file is located inside this location: C:\Program Files\Windows Mail.

Vulnerability details: Microsoft Windows is prone to a remote code-execution vulnerability. Attackers can exploit this issue to execute arbitrary code in the context of the currently logged-in user. Failed attacks will cause denial of service conditions.

Former 0-day record: About eleven months ago, Microsoft ‘.contact’ File vulnerability found. It allow Arbitrary Code Execution. Less than 1 year, there is another vulnerability occurs on ‘.group’ file handling. Perhaps the WAB.exe features could be do a re-engineering.

Reference url: https://www.symantec.com/security-center/vulnerabilities/writeup/111355?om_rssid=sr-advisories

Phishing email compromised the reputation of company, Microsoft take legal action

Preface: Microsoft products cover a wide range. Perhaps quite a lot of people queries design weakness of their products. But they have capabilities to protect it own.

Background: The cyber criminal exploit Microsoft official domain name to made phishing email and goal to increase the possibility to open the email. Meanwhile the malicious infection technique has proprietary evading antivirus technique.
Remark: According to my observation, the evolution of this cyber attack technique found in 2013. Perhaps we remember HWP (Hangul Word Processor). HWP files are similar to MS Word’s DOCX files, except that they can contain Korean written language, making it one of the standard document formats used by the South Korean government. Should you have interested to review the details, plese refer to following URL: http://www.antihackingonline.com/network-protocol-topology-standard/vulnerabilities-in-the-old-ole2-based-hwp-file-format-engages-apt-attacks-to-south-korea/

Cyber security focus: Such matter reminds cybersecurity world of cyber criminal infiltration technique. Expert found that the North Korea cyber attack suspect make a new way. Attack mainly using the API hooking technique to hide the behaviors of the first-stage backdoor which is the second payload in this operation. Since this attack landing page most likely is a MS document. The Fallout Exploit Kit is Back with adobe Vulnerabilities and Payloads (see attached diagram) So, it generate a interference to business and government sector.

Reference: Microsoft Sues North Korea-Linked Hackers for Impersonation (1) – https://news.bloomberglaw.com/ip-law/microsoft-sues-north-korea-linked-hackers-for-targeting-users

IoT zone staying alert! HomeAutomation 3.3.2 design weakness exposed (Authentication Bypass, CSRF / Code Execution & Cross Site Request Forgery) – 1-1-2020

Preface: Sometimes lighting can become a security safeguard. Perhaps the lighting system will help you figure out whether intruder jump to your garden at night.

Synopsis: It is hard to avoid the digital transformation trend integrate to your daily life. As the matter of fact, they are on board already. For instance the remote controlled outdoor outlets with on/off function, Z-Wave outlets that measure energy consumption for connected lamps and appliances.

Remark: ZWave is a wireless communications protocol used primarily for home automation.

Vulnerability details:

HomeAutomation is an open-source web interface and scheduling solution. Quite a lot of IoT manufacturer are do the product integration to HomeAutomation (see attached diagram). Expert found design weakness occured in HomeAutomation software.
From technical aspect. Use the cURL_init function, implemented with PHP, to open a connection and the links includes reference’s to the other two functions (curl_setopt & curl_exec) to be able to potentially reuse an existing handle (conncetion).
The HomeAutomation suffers from an authentication bypass vulnerability when spoofing client IP address using the X-Forwarded-For header with the local (loopback) IP address value allowing remote control of the smart home solution. For details, please refer to diagram.

Status: No official announcement for the remediation by software vendor and manufacturer in the moment.

Wish you a Merry Christmas 2019 (cyberX’mas).

I believe that the most annoying cyber security attack is the ransomware. We known that unplug or power off is one of the way to suspend the attack spread out. Yes, agree.

Another way to avoid the infection of ransomware is think it over before open unknown email. Yes, During Xmas time you defense idea will be reduced since you will join the ball and parties. So, please be alert of phishing email during Xmas.

By the way, remember to turn off your workstation before you leave the office today.

Merry Xmas and Happy New Year.

Python will be replaced Excel in banking environment. But do not contempt the bug in excel? Nov 2019

Preface: When you walk through trading floor area, you can see trader writing Python code, said chief digital officer at Nomura.

Background: Perhaps the popularity of the excel usage in trading floors are coincidence. I believe that DDE and Marco functions driven this trend in in past. Audit team found out that a data handling risk of the usage excel spreadsheet in trading floor. A technical term so called excel spreadsheet risk. You may say, that this is an old story!

Current finding on Excel spreadsheet design weakness: Excel query from file feature is vulnerable to “Error” based XML External Entity attacks, if the user chooses the “Import as Html page” functionality upon receiving errors importing a specially crafted XML file. Above scenario will cause unauthorized access control to remote server. Perhaps this is not the external hacker. It is a insider threat. This vulnerability just found, the impact not have official confirmation yet. But we must staying alert!

Nov 2019 – malware samples, staying alert!

Preface: The Trojan mostly arrive via email or spread from infected websites that users visit.

Background: U.S. Cyber Command has released seven malware samples. The malware hash shown as below: a2a77cefd2faa17e18843d74a8ad155a061a13da9bd548ded6437ef855c14442 fdb87add07d3459c43cfa88744656f6c00effa6b7ec92cb7c8b911d233aeb4ac 738ba44188a93de6b5ca7e0bf0a77f66f677a0dda2b2e9ef4b91b1c8257da790 04d70bb249206a006f83db39bbe49ff6e520ea329e5fbb9c758d426b1c8dec30 618a67048d0a9217317c1d1790ad5f6b044eaa58a433bd46ec2fb9f9ff563dc6 1ea6b3e99bbb67719c56ad07f5a12501855068a4a866f92db8dcdefaffa48a39 b6811b42023524e691b517d19d0321f890f91f35ebbdf1c12cbb92cda5b6de32

Our observation: VC++ method of injecting code into other programs is popular (see below):

  1. Put your code into a DLL; then use the windows hook to map it to the remote program.
  2. Put your code into a DLL; then use CreateRemoteThread and LoadLibrary to map it to the remote program.
  3. Copy your code directly to the remote program without using a DLL (using WriteProcessMemory)

So, how can you protect yourself against malicious code? Staying alert!

When you receive a word document. Perhaps document contained evasion technique. But you can do a basic health check by yourself. Nov 2019

Preface: Hot topic in the city this week perhaps is uncover the secret of surveillance power.

My focus: Perhaps quite a lot of reader are interested of the program code of the surveillance program ( sigs.py ). As far as we know, similar of surveillance program infection technique will be relied on email attachment (especially MS word document).

This underground cyber attack method was exposed by Kaspersky on November 5, 2019, and named Dark Universe, literally translating the Dark Universe.
Since this kind of surveillance program sometimes focus on evadsion technique. And therefore the earlier phase of infection do not insists to use the Malicious code . From technical point of view, when you open the word document you can do a health check by yourself on unknown word document.

MS Word document validation method (DIY) – Remove an embedded file or object

1.Open MS word document
2.Select the chart area and press Ctrl+C.
3.Select the location where you want to paste a picture of the chart, press Ctrl+Alt+V, and pick a Picture format.
4.Select the original embedded chart and press Delete.

— End —

Security focus -malicious cyber activity 1 st November 2019

Preface: U.S Homeland security released a report that urge the public to protect computer facilities to avoid Trojan attack. The Trojan found on 2014 which continuous upgrade itself in last half decade.

Background: Trojan.Hoplight is a Trojan horse that opens a backdoor on the compromised computer. It may also download potentially malicious files.

Security focus: We found quite a lot of malware target 32-bit machine in past.In most cases 32-bit code cannot access the memory of a 64-bit process.
In addition, malware which wishes to run malicious code inside a 64-bit process must, in most cases, be written as a 64- bit application. The HOPLIGHT variant capable to 64-bit machine.This malware artifact a malicious 64bit Windows dynamic library. From technical point of view, such change enhance his capability in modern system platform. Meanwhile, in order to evade antivirus vendor detection through secure gateway (HTTPS-man-in-the middle), they encodes it’s data with XOR Ox47 SUB Ox28 prior to being TLS encrypted. The goal is make it seal and nobody can crack this cipher. As far as we seen, this malware growth up with advanced technique.

Should you have interested to know the details, please refer url. https://www.us-cert.gov/ncas/analysis-reports/ar19-304a

Oct 2019 – The crisis of Indian nuclear power plant’s

Preface: In fact, of system design weakness, the chances of a hacker getting remote access to systems significantly intensifies.

About Indian nuclear power plant’s network was hacked -They have confirmed its newest nuclear power plant was the victim of a cyber attack, exposing the vulnerability of one of the country’s most critical sectors to cyber espionage, said the government of India.

Current status: As mentioned in the headline news, cyber attack happened in Indian nuclear power plant is unplanned. Perhaps it did not involve any hostile country conspiracy. However we found quite a lot of cyber defense vendor could not detect such malware. In reference to the status shown in VirusTotal on 31st Oct 2019 (Asia time).

For more details about this accident, please refer url: https://www.ft.com/content/e43a5084-fbbb-11e9-a354-36acbbb0d9b6