Category Archives: Public safety

A vulnerability has been identified in IEC 61850 system configurator – CVE-2018-4858

When a lot of cyber security Guru focusing the nuclear power and critical facilities. It looks they also requires to includes the power substation. From techincal point of view, control central will be hardening both console and network environment. But how about the configuration console for substation? Does it allow install the configuration software (IEC 61850 system configurator) on notebook for outdoor work? Siemens IEC 61850 system configurator, DIGSI 5, DIGSI 4, SICAM PAS/PQS, SICAM PQ Analyzer, and SICAM SCC products are affected by a security vulnerability which could allow an attacker to either exfiltrate limited data from the system or to execute code with operating system user permissions. Cyber security attack will be exploited different channels. But the major pathway is the product vulnerabilities.

Official announcement by Siemens shown as below:

https://cert-portal.siemens.com/productcert/pdf/ssa-159860.pdf

Status update: 30th Jul 2018

A vulnerability confirm by vendor that a Denial-of-Service occurs in EN100 Ethernet Communication Module and SIPROTEC 5 relays.

Official announcement by Siemens shown as below:

https://cert-portal.siemens.com/productcert/pdf/ssa-635129.pdf

Defending the Power Grid From Hackers – Jul 2018

Cyber defense facilities today are very strong and effecive to fight against different of cyber attacks. Even though stealer deploy DNS steal technique to exfiltrate the data from a firm. Anti cyber technology have their way to quarantine and deny such activities. Perhaps you said the IoT devices attack that wreaked hovac worldwide. It is hard to avoid. But it still have resolution. Cyber security vendor deploy network discover facitiles. No matter Dot one X or non Dot one X devices they can find. So it looks perfect, no any concern any more. But why we still have cyber attack incident happens today?

The Next Cyber Battleground

Sound scary! The Next Cyber Battleground
Expert predict that digital infrastructure is the high target to receive cyber attack. That is even through smart City, manufacturing automation, geospatial data system,..etc.

Some experts believe cyber incidents go underreported in the nuclear sector. The reason is that the Nuclear Regulatory Commission only requires the reporting of incidents that affect the safety, security functions, or emergency preparedness of the plant. May be it do not want to caused a public panic.

We heard cyber attack to SCADA in frequent. Whether SCADA contains design weakness or there is other factor?

The SCADA Data Gateway (SDG) is a Windows™ application used by System Integrators and Utilities to collect data from OPC, IEC 60870-6 (TASE.2/ICCP), IEC 61850, IEC 60870-5, DNP3, or Modbus Server/Slave devices and then supplies this data to other control systems supporting OPC, IEC 60870-6 (TASE.2/ICCP) Client, IEC 60870-5, DNP3, and/or Modbus Client/Master communication protocols.

The core component supporting SCADA infrastructure build by Microsoft products in common. And therefore the attack surface will be divided in several ways. We understand that Nuclear facilties do not provided any public web portal. So direct attacks looks not possible. However Microsoft office products has full market coverage in the world. It is rare that people not using MS-Word for word processing work, right? As a matter of fact, hacker now transform MS office product become a cyber attack media. They re-use former MS office vulnerabilities. It has possibilities execute the Infiltration. From technical point of view, even though attacker send out the RTF format of file. It is also workable.

Remark: RTF is a text file format used by Microsoft products, such as Word and Office. RTF, or Rich Text Format, files were developed by Microsoft in 1987 for use in their products and for cross-platform document interchange. RTF is readable by most word processors.

Quote:

Hackers are using Microsoft Word documents (or more specifically, RTF files listed with a “.doc” extension) to trick people into opening the files.

On this discussion objective, I am not going to drill into any technical details. But our aim would like to provides hints see whether it can enrich the security awareness.
Below details common bad mailicious MS-word documents checklist for reference.

722154A36F32BA10E98020A8AD758A7A MD5 FILENAME:CV Controls Engineer.docx
243511A51088D57E6DF08D5EF52D5499 MD5 FILENAME:CV Control Engeneer.docx
277256F905D7CB07CDCD096CECC27E76 MD5 FILENAME:CV Jon Patrick.docx
4909DB36F71106379832C8CA57BA5BE8 MD5 FILENAME:Controls Engineer.docx
4E4E9AAC289F1C55E50227E2DE66463B MD5 FILENAME:Controls Engineer.docx
5C6A887A91B18289A70BDD29CC86EBDB MD5 FILENAME:High R-Value Energy.docx
6C3C58F168E883AF1294BBCEA33B03E6 MD5 FILENAME:CV_Jon_Patrick.docx
78E90308FF107CE38089DFF16A929431 MD5 FILENAME:CV Jon Patrick.docx
90514DEE65CAF923E829F1E0094D2585 MD5 FILENAME:CV_Jon_Patrick.docx
C1529353E33FD3C0D2802BB558414F11 MD5 FILENAME:Build Hydroelectric Turbine.docx
CDA0B7FBDBDCEF1777657182A504283D MD5 FILENAME:Resume_Key_And_Personal.docx
DDE2A6AC540643E2428976B778C43D39 MD5 FILENAME:CV_Jon_Patrick.docx
E9A906082DF6383AA8D5DE60F6EF830E MD5 FILENAME:CV_Jon_Patrick.docx
038A97B4E2F37F34B255F0643E49FC9D MD5 FILENAME:Controls Engineer (2).docx
31008DE622CA9526F5F4A1DD3F16F4EA MD5 FILENAME:Controls Engineer (4).docx
5ACC56C93C5BA1318DD2FA9C3509D60B MD5 FILENAME:Controls Engineer (7).docx
65A1A73253F04354886F375B59550B46 MD5 FILENAME:Controls Engineer (3).docx
8341E48A6B91750D99A8295C97FD55D5 MD5 FILENAME:Controls Engineer (5).docx
99AA0D0ECEEFCE4C0856532181B449B1 MD5 FILENAME:Controls Engineer (8).docx
A6D36749EEBBBC51B552E5803ED1FD58 MD5 FILENAME:Controls Engineeer.docx
3C432A21CFD05F976AF8C47A007928F7 MD5 FILENAME:Report03-23-2017.docx
34A11F3D68FD6CDEF04B6DF17BBE8F4D MD5 FILENAME:corp_rules(2016).docx
141E78D16456A072C9697454FC6D5F58 MD5 FILENAME:corp_rules(2016).docx
BFA54CCC770DCCE8FD4929B7C1176470 MD5 FILENAME:invite.docx
848775BAB0801E5BB15B33FA4FCA573C MD5 FILENAME:Controls Engineer.docx
MD5 FILENAME:corp_rules(2016).docx
MD5 FILENAME:corp_rules(2016).docx
MD5 FILENAME:invite.docx

Happy hunting – bye!

New version of black energy cyber attack target Microsoft OLE product design weakness

Ukrainian intel agency has claimed it stopped a cyber attack against a chlorine plant that was launched using the notorious VPNFilter malware. Perhaps the world focusing VPN filter malware spreading and infection. We known earlier last month that such attack targets are the low end wireless router and network access storage (NAS).

However, from my point of view is that the main stream of the cyber attack so far happening not limit to this incident. The fact is that lure the attacker interest to do the re-engineering of their attacks seems maintain on Microsoft office product. What is the key component? Yes, it is OLE objective linking and embedding. Or you may say, if I am following Microsoft patch Tue remediation schedule it will be safe. It looks correct. But normal RTF file, it was able to avoid detection by many security products. And therefore attacker conduct similar hacking technology to execute cyber attack in Ukrainian. The political situation of Ukrainian given a never ending story. Meanwhile the world never without using MS office document!

Reference:

Headlines news – Ukraine claims it blocked VPNFilter attack at chemical plant : https://www.theregister.co.uk/2018/07/13/ukraine_vpnfilter_attack/

My speculation on how Cisco (Talos) found the malware (VPNFilter malware)

My speculation on how Cisco (Talos) found the malware (VPNFilter malware).

 

The world cup 2018 – malicious game website and phishing email also involved in this competition. This like malware transformation of football shooting.

THE 2018 WORLD CUP lure hacker interest, a breeding ground for hackers. The phishing campaign linked to the start of the FIFA World Cup where cyber-criminals attempt to lure would-be victims into downloading. For instance, Games, email and related information. Such download contain malware and let the downloader become cyber attack victim.

How do you defend against this football (malware)? 1. Use and maintain antivirus software. 2. Keep software and operating systems up-to-date. 3. Be wary of downloading files from websites. 4. Think before you Click!

Headline News :

https://www.independent.co.uk/sport/football/world-cup/world-cup-live-streaming-free-streams-fifa-2018-football-matches-risk-fans-watch-a8419266.html

The book of Revelation – OPC UA will be the target for next phase of SCADA system attack.

 

Preface

A fascinating, unusual story which creates an eerie atmosphere. The security report issued by Kaspersky on 10th May 2018 driven my interest to do this study. So the report equivalent to enlightenment my conception.

Background

A tremendous potential cyber attack found by Cisco. Thereby it announced to public last week. They reveal this unknown story to the world. And therefore the major security focus shift to a new malware. As a result, we know the technical specifications of malware so called “VPNFilter”. However, similar cyber attacks was encountered in past. A similarity of those cyber attacks are focusing the public facilities especially nuclear power facility , gas and water supply system as the major target. We bring your attentions today for OPC UA (Object Linking and Embedding for Process Control Unified Automation) to OPC Unified Architecture (OPC UA) system vulnerabilities. Those vulnerabilities are not running in high profile. But it requires technical people for attention.

About OPC & OPC Unified Architecture

OPC is an industry standard, it defines methods for exchanging realtime automation data between PC-based clients using Microsoft operating systems. The organization that manages this standard is the OPC Foundation. OPC Unified Architecture (OPC UA) is a machine to machine communication protocol for industrial automation developed by the OPC Foundation.

Overview of OPC Unified Architecture

Kaspersky technical findings

Referring to technical report announced by Kaspersky on 10th May 2018. The key critical design flaws are shown as below:

  1. Quote: OPC UA was designed to support data transport for two data types: the traditional binary format (used in previous versions of the standard) and SOAP/XML. Today, data transfer in the SOAP/XML format is considered obsolete in the IT world and is almost never used in modern products and services. The prospects of it being widely used in industrial automation systems are obscure, so we decided to focus our research on the binary format.

………………………….

It turned out that part of the network services in the system we analyzed communicated over the OPC UA protocol and most executable files used a library named “uastack.dll”. ………

…………After developing a basic set of mutations (bitflip, byteflip, arithmetic mutations, inserting a magic number, resetting the data sequence, using a long data sequence), we managed to identify the first vulnerability in uastack.dll. It was a heap corruption vulnerability, successful exploitation of which could enable an attacker to perform remote code execution (RCE), in this case, with NT AUTHORITY/SYSTEM privileges.

Hints –  See whether below assembly language source code (call OpcUa-memory_Alloc@4) can provides any idea to you in this regard.

2. In the process of analyzing the application, found that it used the XmlDocument function, which was vulnerable to XXE attacks for .NET versions 4.5 and earlier.

Hints: What is XXE attack? Below picture shown traditional XXE attack for reference.This XXE attack so called billion laughs attack .

Remark: By disabling DTDs, application developers are also able to strengthen the parser’s ability to protect itself against DoS (denial of service) attacks.

My observation:

Upon inspection, the OPC UA requires the following library files.

libeay32.dll, ssleay32.dll, and uastack.dll

The above library file (ssleay32.dll) belongs to OpenSSL 1.0.2j. It was configured and built with the options no-idea, no-mdc2, no-ntt, and no-rc5 to avoid patent issues. If bugs are found in the version of OpenSSL. You may compile and use your own version because this is a open source program.

Reminder: Kaspersky Labs identified 17 zero-day vulnerabilities in OPC Foundation open source code. For more details about the report, please refer below url for reference.

Review of Kaspersky Labs Report Confirms OPC Foundation’s Transparent, Open Source OPC UA Implementations Strategy Improves Security

— End —

Vulnerabilities – Waiting for vendor response – 23rd May 2018

The cyber attacks are wreak havoc today. In order to protect the power facility, water supply, Gas supply and petroleum industry daily operations. The SCADA control system vendor implemented security control in their system infrastructure. However when vulnerabilities encounter on their products. The remediation step of the vendor response sometimes not in effecient. For instance, Advantech one of the key player of SCADA WebAccess. But it lack of motivation to drive the remedation solution on their products. There is no official announcement how to do the remedation on their products so far. Vulnerabilities are shown as below:

CVE-2018-7499 – buffer overflow vulnerabilities which may allow an attacker to execute arbitrary code
CVE-2018-7503 – a path transversal vulnerability which may allow an attacker to disclose sensitive
CVE-2018-7505 – information on the target TFTP application has unrestricted file uploads to the web application without authorization, which may allow an attacker to execute arbitrary code.
CVE-2018-10591 – allow an attacker can create a malicious web site, steal session cookies, and access data of authenticated users.
CVE-2018-10590 – exposure vulnerability through directory listing has been identified, which may allow an attacker to find important files that are not normally visible.
CVE-2018-10589 – WebAccess Scada Node versions prior to 8.3.1, and WebAccess/NMS 2.0.3 and prior, a path transversal vulnerability has been identified, which may allow an attacker to execute arbitrary code.
CVE-2018-7497 – several untrusted pointer dereference vulnerabilities have been identified, which may allow an attacker to execute arbitrary code.
CVE-2018-8845 – a heap-based buffer overflow vulnerability has been identified, which may allow an attacker to execute arbitrary code.
CVE-2018-7495 – an external control of file name or path vulnerability has been identified, which may
CVE-2018-8841- allow an attacker to delete files.
an improper privilege management vulnerability may allow an authenticated user to modify files when read access should only be given to the user.
CVE-2018-7501 – several SQL injection vulnerabilities have been identified, which may allow an attacker to disclose sensitive information from the host.

Siemens – (CVE-2018-4832): Siemens Security Advisory by Siemens Product 18th Apr 2018

The Gas and Petroleum industries requires automation to enhance their overall operation in last decade. And therefore the automation system setup requires Supervisory control and data acquisition (SCADA). We noticed that hackers targeted SCADA system installed in nuclear power facilities. We are living in digital age and therefore electricity power supply similar air and water. So system automation hardware vendor has responsibility to hardening their system design. Siemens found vulnerability in their Automation Technology Process control systems (PCS 7) on April last month. For more details, please refer below url for reference.

Vulnerability details

https://cert-portal.siemens.com/productcert/pdf/ssa-348629.pdf

My Speculation:

1. A denial of service vulnerability exists in the remote procedure call (RPC) facility due to a failure in communicating with the NTLM security provider when performing authentication of RPC requests. An anonymous attacker could exploit the vulnerability by sending a specially crafted RPC authentication request to a computer over the network. An attacker who successfully exploited this vulnerability could cause the computer to stop responding and automatically restart.

2. GetMachineName ( ) copies machine name to a fixed 32 byte buffer causes problem occurs.

Attention: Stay Alert – Multiple Vulnerabilities in PHP Could Allow for Arbitrary Code Execution

Preface:

PHP is a widely-used open source general-purpose scripting language that is especially suited for web development and can be embedded into HTML.

Security concern by security experts

The security issues are typically exposed when PHP code makes use of system-level calls.

Found critical security problem today! – Original release date: April 27, 2018

The Multi-State Information Sharing & Analysis Center (MS-ISAC) has released an advisory on multiple Hypertext Preprocessor (PHP) vulnerabilities. An attacker could exploit one of these vulnerabilities to take control of an affected system.

NCCIC encourages users and administrators to review MS-ISAC Advisory 2018-046 and the PHP Downloads page and apply the necessary updates.

See whether any short term remediation can take before upgrade?

1.Restrict PHP Information Leakage

expose_php=Off

2.Disable Remote Code Execution

Allow_url_fopen=Off

allow_url_include=Off

3.Not show errors to the visitors

(/etc/php.d/security.ini file)

log_errors=On

error_log=/var/log/httpd/php_scripts_error.log

4.Disable Dangerous PHP Functions (php.ini)

disable_functions =exec,passthru,

shell_exec,system,proc_open,popen,curl_exec,

curl_multi_exec,parse_ini_file,show_source

5.Upload Files (/etc/php.d/ directory)

file_uploads=Off

6.Control File System Access

always keep the open_basedir directive set to the /var/www/html directory.

open_basedir=”/var/www/html/”

7.Control the POST Size (/etc/php.d/security.ini)

post_max_size=1k

— End —

Nuclear headache – It is better stores the older warheads (old plutonium) on moon or other planet.

As a world justice leader it is hard to avoid to enhance the military setup. From the cold war till today, international atmosphere not significant change the protection definition. This circumstances match the logic since that man kind will be protect himself and his belongs. However a problem encountered was that how to despose or handle the big power killer weapons especially outdate nuclear bomb. Headline news (REUTERS) yesterday said that America’s has nuclear headache. For more details, please refer below url for reference.

https://www.reuters.com/article/us-usa-nukes-plutonium-specialreport/americas-nuclear-headache-old-plutonium-with-nowhere-to-go-idUSKBN1HR1KC

Remark: Send that radioactive stuffs to moon and other planet looks a possible solution. However it is hard to avoid incident occurs during transportation. A reminder is that Plutonium has a radioactive half-life of 24,000 years. So where can they go?