Category Archives: Public safety

Kubernetes Hardening Guidance by NSA & CISA (3rd Aug 2021)

Preface: Docker helps to “create” containers, and Kubernetes allows you to “manage” them at runtime. What is Kubernetes Security? That is Cloud, Cluster, Container and code.

Background: Kubernetes is commonly targeted for three reasons observing by NSA and CISA. They are data theft, computational power theft, or denial of service. Cyber attacks encountered in the Kubernetes environment in 2020. Details are as follow:

Capital One – Occurring in 2019, this breach saw 30GB of credit application data affecting about 106 million people being exfiltrated.
A mis-configured firewall that allowed an attacker to query internal metadata and gain credentials of an Amazon Web Services
Docker hub – Attackers managed to plant malicious images in the Docker hub. unknowingly deployed cryptocurrency miners in the form of Docker
containers that then diverted compute resources toward mining cryptocurrency for the attacker.
Microsoft Azure – Microsoft is another organization that’s been seeing a lot of cryptojacking woes of its own. After disclosing that there was a large-scale cryptomining attack against Kubernetes cluster in Azure in April 2020.
Telsa – Automaker Tesla was one of the earlier victims of cryptojacking when a Kubernetes cluster was compromised due to an administrative
console not being password protected.(Mis-configuration)
Jenkins – Hackers managed to exploit a vulnerability in Jenkins to cryptomine to the tune of about $3.5 million, or 10,800 Monero in 18 months. In Docker’s operation environment, it was discovered that six malicious images had been collectively pulled over 2 million times, that’s 2 million users potentially mining Monero for the attacker.

To avoid similar incidents from happening – The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) released a Cybersecurity Technical Report, “Kubernetes Hardening Guidance,” Primary actions include the scanning of containers and Pods for vulnerabilities or mis-configurations, running containers and Pods with the least privileges possible, and using network separation, firewalls, strong authentication, and log auditing. Please refer to the link for details – https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2716980/nsa-cisa-release-kubernetes-hardening-guidance/

32-bit design limitation (0x7ffffffff). Another episode of Y2K. (23-07-2021)

Preface: Because humans have destroyed the environment. Therefore, natural disasters resemble God’s punishment. In the digital world, the situation is the same. The reason for the penalty is the design weakness of the software.

Background: Perhaps the younger generation has not experienced “Y2K” technical problems because they are still children. The millennium bug is about 22 years until today. I think many people have forgotten. The digital world disaster is similar to the Old Testament description of the earth flood, and God instructed to build an ark to save the species.

Fundamental design weakness: On a 32-bit Linux system, the maximum value that time_t can represent is 0x7ffffffff. When time_t takes the maximum value, it means that the system time is 2038-01-19 03:14:07, but when the clock keep going, time_t will overflow and become A negative value. At this time, the system time will start over and the operating system and upper-layer software will run incorrectly.

IoT current status 2021: The trend by today – 8-bit and 16-bit MCUs had been the hardware of choice for IoT devices, but 32-bit MCUs are now becoming increasingly popular, leading to many manufacturers using two different powered processes in devices. Therefore, your RTOS should be scalable in order to manage any future MCU upgrades.

Reports indicate that there will be 35.82 billion IoT devices installed worldwide by 2021 and 75.44 billion by 2025.

Remedy: In order to remedy this technical limitation. Software developer require to use GNU C Library 2.32 and Musl libc 1.2 to build user space for 64-bit time_t.
Musl, a C standard library, is mainly used on operating systems based on the Linux kernel. The target is embedded systems and mobile devices. It is released under the MIT license. The author is Rich Felker. The purpose of developing this library is to write a clean, efficient, and standard-compliant C standard library.

Expectation: We pass a new challenge token to the younger generation, because they have grown up now. It’s your turn.

Is the CVE process late? Esri has managed and remedy those vulnerabilities in May 2021.

Preface: When smartphones and Google Maps were born. The GIS function determines these two functions in a silent manner.

Background: Geographic Information System (GIS) plays a key role in military operations. The military uses GIS in various applications, including cartography, intelligence, battlefield management, terrain analysis, remote sensing, etc.

– Use of geospatial intelligence:The role of machine learning and GEOINT in disaster response
– Open geospatial data platform and food shortage
– Interoperability of GEOINT applications and military data
– The role of data management in crisis mapping

Vulnerability details: There are vulnerabilities announcement of GIS server on 11th Jul, 2021. Whereby those vulnerability has been addressed by ESRI on May, 2021. Seems the details of two announcement are similar and believed that both are describe the same matters. In fact, designated vulnerabilities are common vulnerabilities in OWASP Top 10. However, the applicability of GIS is becoming more and more important for human life and daily use. So we should seriously consider it.

Official announcement – https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/arcgis-server-security-2021-update-1-patch/

If the design defect cannot be remedied in time. Prevention and detection control is one of them. (Philips Vue PACS) [7-7-2021]

Preface: In theory, if your software application design trusts multiple vendors. Repairing takes more time. Because you need to do more verification.

Technology background: Digital Imaging and Communications in Medicine (DICOM) is the standard for the communication and management of medical imaging information and related data. DICOM is most commonly used for storing and transmitting medical images enabling the integration of medical imaging devices such as scanners, servers, workstations, printers, network hardware, and picture archiving and communication systems (PACS) from multiple manufacturers. It has been widely adopted by hospitals and is making inroads into smaller applications like dentists’ and doctors’ offices.

What is Vue PACS Philips?

Philips Vue Picture Archiving and Communication System (PACS), formerly known as CARESTREAM Vue PACS, is an image-management software that provides scalable local
and wide area PACS solutions for hospitals and related institutions.

Philips Vue PACS communications are based on the Digital Imaging and Communications in Medicine (DICOM) 3.0 standard. This enables the server to communicate with any DICOM 3.0 compliant products (such as scanners, workstations, hardcopy units). The server acts as a DICOM Provider, thus other stations can retrieve and send images to and from the server.

Vulnerability details: Philips Vue PACS design require to work with Redis and Oracle. This technology utilizes an Oracle Database and its servers are stored on VA premises. DICOM image data from the modalities is stored on image cache on the PACS server attached to Storage Area Network/Network Attached Storage (SAN/NAS)-type storage technology. However it was discovered design limitation in both software. Meanwhile the software application itself also discovered different vulnerabilities.

My observation: If exisitng vulnerabilities cannot fixed immediately. It is recommended to monitoring the network connectivitiy. It is better to install a IPS to monitoring inbound and outbound network traffics in this segment. If this philips web server and DN are mistaken install to a flat LAN. Perhaps you require to install a proxy server in front of this device.

US-Cert recommendation: https://us-cert.cisa.gov/ics/advisories/icsma-21-187-01

Headline News – unauthorized access to japan government systems via Fujitsu ProjectWeb – 28-05-2021

Headline News – The incident affected the Ministry of Land, Infrastructure, Transport and Tourism, Ministry of Foreign Affairs, Cabinet Office and Narita Airport. The stolen data included files stored by government employees on the cloud-based collaboration and file sharing platform ProjectWEB, which was launched by Fujitsu in the mid-2000s and was very popular among Japanese civil servants.
According to Japanese media reports, hackers stole documents containing employees of the Ministry of Land, Infrastructure, Transportation and Tourism and extended more than 76,000 email addresses, but the government did not confirm this information.

Background: ProjectWEB is a a cloud-based enterprise collaboration and file-sharing platform that Fujitsu has operated since the mid-2000s, and which a number of agencies within the Japan government currently use.

One of the possibilities of data leakage in this accident:
If daily operation in many small projects will go through web base management system. Furthermore, daily communication between project managers and project members uses Excel to complete status management and quality management. If excel spreadsheet encounter design weakness (CVE-2017-0006, CVE-2017-0019, CVE-2017-0020, CVE-2017-0030, CVE-2017-0031, and CVE-2017-0053). Therefore, allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted document. As a result, the data breaches will be occurred.

Headline News – https://www3.nhk.or.jp/nhkworld/en/news/20210526_28/

Update to CISA-FBI Joint Cybersecurity Advisory on DarkSide Ransomware (May 19, 2021).

Preface: Critical infrastructure cybersecurity is not new – it was first addressed by Presidential Decision Directive (PDD) 63 in 1998. The term Internet of Things (IOT) was used but it was for consumer product applications not industrial applications. Perhaps the Executive Order on Cybersecurity does not adequately protect critical infrastructures

Background: Best Practices for Preventing Disruption from Ransomware Attacks was released by CISA on May 11, 2021 – https://us-cert.cisa.gov/ncas/alerts/aa21-131a

The goal provides a directive to computer users to reduce the possibility on ransomware attack. Apart of best Practices, whether there is other way to enhance your current system infrastructure to avoid computer user negligent.

Solution 1: Technology so called clean DNS works by adding a layer of security between a user and the internet that prevents visits to websites used for scams, phishing, and malware and ransomware distribution.

Solution 2: Be aware that unofficial observation concluded that if you had infected trickbot, you would receive ransomware attack soon.
Please refer to the attached diagram for the solution.

Zerologon vulnerability note – last revised (23rd Mar, 2021)

Preface: “Logic 0” and “logic 1” represent binary digits (0 and 1) or Boolean logic conditions (true and false).  A vulnerability in the cryptography of Microsoft’s Netlogon process that allows an attack against Microsoft Active Directory domain controllers.

Background: The algorithm originally used to encrypt the logon process in Windows NT was 2DES. Thus design weakness found in this place. MS-NRPC uses an obscure setting known as AES-CFB8 (Advanced Encryption Standard – Cipher Feed Back 8 bit). However use of AES-CFB8 within MS-NRPC has an issue with the Initialisation Vector (IV) which should be a random number, but MS-NRPC has it fixed at a value of 16 bytes of zeros.

Impact: Tom Tervoort from Secura, he discovered there is a likelihood of one of every 256 keys used will create cipher text that has a value of all zeros.  Whereby, a high possibility way to root AD server. To change the password, attackers use the message NetServerPasswordSet2 in MS-NRPC. It is possible to change a password by simply sending the frame with the preferred new password. The easiest approach is to remove the password or set it to a blank value –  the hacker can now log in through a normal process.

Since February 9, 2021 is the enforcement phase. And therefore, vendor will be enforce the following setttings.

  • Enforces secure RPC usage for machine accounts on non-Windows based devices unless allowed by “Domain controller: Allow vulnerable Netlogon secure channel connections” group policy.
  • Logging of Event ID 5829 will be removed.  Since all vulnerable connections are denied, you will now only see event IDs 5827 and 5828 in the System event log.

Official announcement: https://kb.cert.org/vuls/id/490028

Microsoft fixes actively exploited Exchange zero-day bugs attacks (2nd Mar 2021). When service you are not in used, you should disable immediately.

Preface: The Microsoft Exchange Unified Messaging service on the Mailbox server will accept connections from a Client Access server on SIP ports 5062 and 5063.

Technical background: Unified Messaging (UM) enables users to use voice mail and other features, including Outlook Voice Access and Call Answering Rules. UM combines voice messaging and email messaging into one mailbox that can be accessed from many different devices.

Security Focus – Vulnerability details: This vulnerability is part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443.

Workaround: Restrict untrusted connections, or by setting up a VPN to separate the Exchange server from external access.

Reference: u’Buffer overflow can happen as part of SIP message packet processing while storing values in array due to lack of check to validate the index length’ in Snapdragon Auto, Snapdragon Compute, …….

Official announcement https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857

To avoid malware misuse “PACKET_MMAP” function,from Linux environment. CISA Releases Free Detection Tool for Azure/M365 Environment (29th Dec 2020)

Preface: Neither shellcode or shellcode injection have anything to do with shell scripting. It is a sophisticated way of finding a vulnerable spot on the cyber security layer of an organization and exploiting it for malicious purposes.

Background: Azure Sphere is a secured, high-level application platform with built-in communication and security features for internet-connected devices. The platform consists of the integration of hardware built around a secured silicon chip; the Azure Sphere OS (operating system), a custom high-level Linux-based operating system; and the Azure Sphere Security Service, a cloud-based security service….

About “PACKET_MMAP” function: From official article, it illustrated below:
PACKET_MMAP provides a size configurable circular buffer mapped in user space that can be used to either send or receive packets. However a design weakness has occured! The mmap‘ed memory buffer will be filled by the kernel when using PACKET_RX_RING. As a result, the user’s process, it’s enough to mmap a buffer with PROT_READ|PROT_EXEC permissions flags, and let the kernel fill the buffer.

Remedy: Perhaps shellcode injection sometimes can evade your malware protection mechanism. In certain point of view, use SIEM is one of the cost effective solution. Meanwhile, CISA Releases Free Detection Tool for Azure/M365 Environment. Reference link – https://us-cert.cisa.gov/ncas/current-activity/2020/12/24/cisa-releases-free-detection-tool-azurem365-environment

New variant of the Zebrocy (smqft_exe & sespmw_exe). They are design to perform various functions on the compromised system, said USCERT (3rd Nov 2020)

Preface: Some expert comment that because of Go language programming file will be large than usual. It might have possibilities to evade virus scanning. So malware author like to use. Perhaps this is not the major factor.

Background: In July 2019, a security researcher found nearly 10,700 unique samples of malware written in Go programming language, also known as GoLang.
According to the analysis conducted by Imperva. As of 2019 37.97% attack use Python language develop the tool and 31.53% was used Go language. Go language really a compiler (in fact it embeds 2 compilers) and it makes totally self sufficient executable. You don’t need any supplementary library or any kind of runtime to execute it on your server.

Technical highlights: Go or Golang attempts to reclaim the memory occupied by other objects that are no longer needed which makes Go a highly garbage collected language. Because of this reclaim feature, so it is easy to let antivirus/malware detection screw up.

Official details: If you are interested in the above matters. Please refer to the link – https://us-cert.cisa.gov/ncas/analysis-reports/ar20-303b