Category Archives: Public safety

Australian Cyber Security Centre urge his citizen beware of Password Spraying Attacks

Preface: Even though you company install full set of cyber defense mechanism. More than 70% of feature is detective and preventive. Perhaps SIEM can do a predictive action. May be you have doubt, but it is factual.

Details: Australian Cyber Security Centre urge his citizen beware of Password Spraying Attacks (refer below url):
Such activities has been observed by U.S. Homeland security for long time. Consolidate their evaluation results, summary shown as below:

Part A: Commonly used ports are used when password spraying.

SSH (22/TCP)
Telnet (23/TCP)
FTP (21/TCP)
NetBIOS / SMB / Samba (139/TCP & 445/TCP)
LDAP (389/TCP)
Kerberos (88/TCP)
RDP / Terminal Services (3389/TCP)
HTTP/HTTP Management Services (80/TCP & 443/TCP)
MSSQL (1433/TCP)
Oracle (1521/TCP)
MySQL (3306/TCP)
VNC (5900/TCP)

Part B: Cyber Attack Group & Commonly used malware

Group name: APT3,APT33,Dragonfly 2.0(Berserk Bear),Threat Group-3390,Lazarus Group , OilRig(APT35),Leafminer,Turla

Malware types:
Chaos (malware)
Linux Rabbit(malware)
SpeakUp (Trojan backdoor)
Xbash (malware)
PoshC2 is an open source remote (written in powershell)
Emotet (malware)

SIEM Definition – Firing Rules criteria (see below):
1. Failed attempts over a period of time
2. Large numbers of bad usernames
3. High number of account lockouts over a defined period of time
4. Unknown “appDisplayName” – Active Directory PowerShell
5. Ratio of login success verses login failure per IP address

Remark: If your IT infrastructure is a Cloud IaaS deployment, perhaps you need to do the monitoring by yourself.

If the above 5 items triggers your SIEM rules. Even though the activities not in high amount. But you requires to observe the continuity level. Most likely on those activities alert that cyber attack group is interested of your company.

Fileless Malware Advisory – 17 JUl 2019

Preface: Stolen account information of nearly 750 million users was available for sale on the dark web after hackers breached 24 popular websites. The stolen data, released in two batches, includes names, email addresses and hashed passwords.

Description: Spear phishing email with URL to an archive file containing a .lnk file can misleading receiver to become a cyber victim. The receiving end not aware and let the data thief steal the data in silent mode.

Fileless Malware Advisory: MICROSOFT alerting that a new type of fileless malware found ( Astaroth). This malware can be installed on victims’ PCs without an executable. The Microsoft Defender ATP Research Team lock down Astaroth in May and June 2019. The Canadian Centre for Cyber Security issue a report this week and provide a guidance to do the prevention. This malware has capability to evade the defenses mechanism. Should you have interested of this report. Please refer to the following url –

Multiple high vulnerabilities in Advantech WebAccess/SCADA -CVE-2019-10989,CVE-2019-10991 & CVE-2019-10993

Preface: Cyber Security expert not suggest access SCADA Dashboard from external area (internet). But we can use VPN establish connection then sign on as a workaround.

Background: Advantech WebAccess/SCADA is a browser-based SCADA software package for supervisory control, data acquisition and visualization.

Vulnerability details: In WebAccess/SCADA Versions 8.3.5 and prior, multiple heap-based buffer overflow vulnerabilities are caused by a lack of proper validation of the length of user-supplied data.

CVE-2019-10989 – The specific flaw exists within the implementation of the 0x113d1 IOCTL in the webvrpcs process.

CVE-2019-10991 – The specific flaw exists within bwclient.exe, which is accessed through the 0x2711 IOCTL in the webvrpcs process.

CVE-2019-10993 – The specific flaw exists within the implementation of the 0x27E9 IOCTL in the webvrpcs process.

Summary: Stack based & heap based buffer overflow and untrusted pointer dereference Remote Code Execution are all found in this product. Ioctl is a function in the device driver that manages the device’s I/O channels. The so-called I/O channel management is to control some characteristics of the device.

Reference: A stack-based buffer overflow vulnerability exists in a call to strcpy. Strcpy is one of the functions of the C language. It comes from the C standard library, defined in string.h, which can copy a memory block with a null end character into another memory block.
So attacker can leverage this vulnerability to execute code under the context of Administrator.

Advantech has issued an update to correct this vulnerability –

Our Future especially Smart City is waiting for 5G mobile communication. Does your body ready for 5G signal?

Preface: When mobile phone was born. Some of the people had concerning about the impact of electronic device to human health. As time goes by, seems we forget about it because we need smartphone now!

Historical background: The FCC has established a policy for human exposure to radio frequency electromagnetic fields. Seems it looks fine, the specifics policy defined, right? However if you review related policy (see below url). You might have doubt? Does our existing policy synchronize with modern technology?

About vulnerability: The medical industry not specify such technology will be potentially harmful to human body. But brain cancer, salivary cancer, acoustic neuromas and two other types of cancer go up with cell phone use. It was strange that European countries are the leader to promoting healthcare. However it looks that they are also the technology supporter. Regarding to strategic project plan especially infrastructure of the country. The major elements should be included in design phase but I did not seen the renewal policy of Human Exposure to Radio Frequency Electromagnetic Fields.

Highly vulnerable – Moxa customer must be vigilant!

Preface: The MoxaEDS405A/408A are entry-level 5 and 8-port managed Ethernet switches designed especially for industrial applications.

Technical background: Turbo Ring is a self-healing technology that enables fast fault recovery under 20 ms. Moxa’s Turbo Ring and Turbo Chain Ethernet technologies maximize railway network availability with ideal redundancy technology.

Security focus: CVE-2019-6563 (CVSS:10) – Moxa IKS and EDS generate a predictable cookie calculated with an MD5 hash, allowing an attacker to capture the administrator’s password, which could lead to a full compromise of the device.

What is Predictable cookie ? For example: Cookie: JSESSIONID=USER1. A predictable cookie calculated with an MD5 hash bring our attention because MD5 produces a 128-bit hash as an output; only 3 bytes of the hash value are used in the cookie value.

Observation: Moxa products are used in the Korean subway network on 2010. Not sure whether it is still remain usage. But believe that a remedy solution has been taken if it is still in used. Otherwise it will create a cyber security risk in the operations.

Vulnerabilities details please refer to url:

Unknown vulnerability Found Affecting Intel CPUs – 5th Mar 2019

Preface: So called Spoilter, a vulnerability given by Intel CPU design limitation. If hacker successful exploit such vulnerability. They can conduct “Rowhammer” attack for privileges escalation.

Vulnerability detail: The speculative execution function of Intel’s processors aim to increase the performance of a CPU. Meanwhile it caused Intel CPU vulnerability issues in the past. A new found technique is able to determine how virtual and physical memory is related to each other. By discovering time differences, an attacker can determine the memory layout and then know which area to attack. For more details, please refer attached diagram for reference.

Remedy: There is no mitigation plan that can completely erase this problem.

Headline news:

Conclusion: Perhaps “rowhammer” is hard to detect.. Be remind that a predictive defense solution will be reduce the risk. For example you have 360 degree cyber protection includes spam and DNS filter, SIEM, malware protection and managed security services. The impact cause by this vulnerabilities will be under control.

Security Focus – CVE-2018-13888

Preface: This design flaw has attracted me. Perhaps the supplier has no formal remediation solution yet. But the impact of this vulnerability seems to be broad!

Vulnerability detail: There is potential for memory corruption in the RIL daemon due to the following reason.
The location of dereference of memory is outside the allocated array length in RIL.

Meaning of “dereference” (common criteria):
The dereference operator or indirection operator, sometimes denoted by “*” (i.e. an asterisk), is a unary operator (i.e. one with a single operand) found in C-like languages that include pointer variables.

Affected products: Snapdragon Auto, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables in versions MDM9206, MDM9607, MDM9635M, MDM9650, MSM8909W, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 636, SD 650/52, SD 675, SD 712 / SD 710 / SD 670, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDM439, SDM630, SDM660, ZZ_QCS605.

Official announcement – Not found in the bulletins yet :

Romance scams

The Valentine’s Day is coming soon and the romantic atmosphere will always on you mind. You may think you spend a lot on flowers or chocolate, but losing money in a romance scam would cost you even more.
From cyber security point of view, it is a great time for cyber criminals to conducting their action. They are not only a data theft. Their target is the Enterprise firm CEO, politician, military department staff and important persons.
Perhaps hackers can take this opportunity infiltrate to your network infrastructure.

Stay alert!

What is the situation of Edward Snowden (whistle blower)? Do you still remember him?

The samurai (or bushi) were the warriors of premodern Japan.Lone Wolf and Cub is a manga created by Japanese comics writer.Samurai respected justice.

Justice is the legal or philosophical theory by which fairness is administered. It is the fundamental of human nature. But the concept of justice differs in every countries and culture.

Who is he?
Edward Snowden, an American contract employee at the National Security Agency, is the whistleblower behind significant revelations that surfaced in June 2013 about the US government’s top secret, extensive domestic surveillance programmes. Snowden flew to Hong Kong from Hawaii in May 2013, and supplied confidential US government documents to media outlets including the Guardian.

What’s the situation now?
He is on exile. His most recent interview in Moscow Russia on September 2018. (Refer below url)

Why Edward Snowden should be pardoned?(Refer below url)


Unknown APT reference number ? Suspect that it targeting Advantech WebAccess/SCADA customer


Advantech, a leader within the IPC global market. Advantech offers a comprehensive IPC product range that delivers reliability and stability for extreme environments, providing its customers with a one-stop shopping experience implementing Industry 4.0 and fulfilling their Industrial IoT needs.

IoT and SCADA are the APT (Advanced Persistent threat) targeting devices so far. Meanwhile this type of manufacturer will be lured attacker interest. Regarding to the technical details, please refer below url for reference.

So, It is possible to make people predict the attack may targeting Advantech customer.

In Advantech WebAccess/SCADA versions prior to V8.2_20170817.
WebAccess/SCADA does not properly sanitize its inputs for SQL commands.

Chosen with servers that have a high uptime, where reboots and patch management are rare.
In order to mislead people, threat actor will use the vendor official server cert to conducting data exfiltration.
Since malware alive and therefore C&C server is able to conduct hacker job task (exploit the SQL vulnerability).

Should you have interest to know the specifics vulnerabilities. Please refer below hyperlink for reference.

Advantech WebAccess/SCADA – CVE-2018-5443 – CVE-2018-5445