Category Archives: Public safety

New variant of the Zebrocy (smqft_exe & sespmw_exe). They are design to perform various functions on the compromised system, said USCERT (3rd Nov 2020)

Preface: Some expert comment that because of Go language programming file will be large than usual. It might have possibilities to evade virus scanning. So malware author like to use. Perhaps this is not the major factor.

Background: In July 2019, a security researcher found nearly 10,700 unique samples of malware written in Go programming language, also known as GoLang.
According to the analysis conducted by Imperva. As of 2019 37.97% attack use Python language develop the tool and 31.53% was used Go language. Go language really a compiler (in fact it embeds 2 compilers) and it makes totally self sufficient executable. You don’t need any supplementary library or any kind of runtime to execute it on your server.

Technical highlights: Go or Golang attempts to reclaim the memory occupied by other objects that are no longer needed which makes Go a highly garbage collected language. Because of this reclaim feature, so it is easy to let antivirus/malware detection screw up.

Official details: If you are interested in the above matters. Please refer to the link – https://us-cert.cisa.gov/ncas/analysis-reports/ar20-303b

Boeing, U.S. regulator made series of errors ahead of 737 Max crashes: congressional report (SeP 2020)

Preface: From logical point of view, if input only relies on a standalone source (sensor). The integrity of the result all relies on the total amount of variable factors. Perhaps sensor install on airplane is a IoT device. So it lure my interest.

Background: Traditionally the older (NG) 737 variants did not have fly-by-wire technology, and autopilot could be overridden and turned off simply by putting manual pressure on the yoke.

Software that talks to computer like airplanes equipment is often written in a programming language called C. The names of files written in C code usually have .c at the end. This assumes that the MCAS software is contained a file called mcas.c. But this time there was no cyber attack. This is a problem caused by human error.

For the 737 Max crashes (congressional report). Please refer to headline news – https://www.cbc.ca/news/world/us-congress-boeing-crash-report-1.5725876

Cause of incident: In the case of the Lion Air crash, the sensor malfunctioned and caused the flight computer to push the nose down when the flight was level.

From technical point of view, the sensor is IoT device. There are facilities can avoid such disaster happen. Conceptually, even a simple xor gate with two input. Or the combination of NAND gates equivalent a XOR gate setup. The essential of objectives is the suitable logic apply to the Logic Circuit. Whereby, the output is dependant at all times on the combination of its inputs. It simple to say it is the logic design.

APT developing new evasion technique to conducting cyber attack – 23rd Sep 2020

Preface: The APT organization provides a hard-to-detect malware to attack other hostile campus.

Synopsis: The evasion technique found recently by security expert team is that APT 29 exploit the design weakness of detection machanism. They do a re-engineering to covert a zip file to JPEG.
“This technique works because JPEG files are parsed from the beginning of the file and some Zip implementations parse Zip files from the end of the file (since the index is located there) without looking at the signature in the front,” the researchers explain.

Perhaps APT 28 and 29 using different evasion technique aim to delivery the malicious resources to landing. Whereby, the final executor is the power shell.

So called Zebrocy. Its function is mainly Downloader. The evasion effect is better than the technique use by APT 29. After running, it will perform a persistence operation and pop up an error message box to confuse the user. When it is started with specific parameters, a screenshot will be taken. Through the timer callback function, send data to the remote server and wait for the subsequent payload to be downloaded.

Should you disable PowerShell?
No, minimize the risks with PowerShell Constrained Language mode.

Enabling Constrained Language mode ^
PS C:\Users\xxxx> $ExecutionContext.SessionState.LanguageMode = “ConstrainedLanguage”

This could be configured in registry HKLM\System\CurrentControlSet\Control\SESSION MANAGER\Environment__PSLockdownPolicy .

Running PS as Admin you can simple remove this property
Remove-ItemProperty -path “HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\” -name __PSLockdownPolicy

Recommended article: PSLockDownPolicy and PowerShell Constrained Language Mode – https://docs.microsoft.com/en-us/archive/blogs/kfalde/pslockdownpolicy-and-powershell-constrained-language-mode

Remote Access Trojan: BLINDINGCAN – 19th Aug 2020

Preface: The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have identified a malware variant—referred to as BLINDINGCAN—used by North Korean actors.

Techincal details: Perhaps the official report already provide the details. In short, the key point is that APT group exploit the Microsoft Word vulnerability (CVE-2017-0199). As such, APT attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The report described that malware will download [.]dll file from C&C server. The aim is to replace the local workstation iconcache[.]dll. Replace the iconcache[.]dll require privileges access right. So the specifics attack is targeting the machine which do not have patch installed. If it is successful. The unpack iconcache[.]dll will be transformed a variant of Hidden Cobra RAT.

Official announcement: https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a

Recommendation: Check your MS office Patch – https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199

Reference: Perhaps you have doubt that why do the cyber security organization aware the cyber attack in earlier phase. Does it a conspricy? They do a sniffing of your traffic? Or doing surveillance?
No. they have several ways to protect the internet world. For example, relies on DNS Sink Hole activity record in service provider side, cyber crime activities reporting by computer users. Or, through alerts issued by law enforcement agencies, alerting of special types of cyber attacks from hostile entities.

New Linux malware – aka Drovorub (13th Aug 2020)

Preface: New Linux malware silently conducting the attack. The FBI and NSA issue joint security alert.

Official announcement – https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF

Remedy: To prevent attacks, the agency recommends that US organizations update any Linux system to a version running kernel version 3.7 or later, “in order to take full advantage of kernel signing enforcement,” a security feature that would prevent APT28 hackers from installing Drovorub’s rootkit.

Reference: On older versions of Linux, two buffers allocated next to each other on the heap could result in the first buffer overwriting the second buffer’s metadata. By setting the in-use bit to zero of the second buffer and setting the length to a small negative value which allows null bytes to be copied, when the program calls free() on the first buffer it will attempt to merge these two buffers into a single buffer.

Impact: Heap overflows to gain arbitrary code execution.

Headline News: https://www.zdnet.com/article/fbi-and-nsa-expose-new-linux-malware-drovorub-used-by-russian-state-hackers/?ftag=TREc64629f&bhid=22308921349725635516834735786487&mid=12982564&cid=717383279

Currently, only a few antivirus vendors can successfully detect it. Preventive control should be apply. (03-08-2020)

Preface: In 2017, Honeypot detected that malware spread a new payload targeting 60001 TCP port. The ultimate goal is the JAWS Web Server & MVPower DVR. It turns out that there will be a Shell Command Execution vulnerability. Security expert has doubt on IoT device especially DVR which make use of TCP 60001 port.

Observation: There is an unknown malware ultimate goal to spread the remote access Trojan to IT world. Even though the authority Virus Total shows that only one vendor can correctly detect and isolate this malware (see attached picture). What’s going on?

Since there are many versions of Media Feature Pack nowadays. The fact is that the Media Feature Pack version that corresponds to your Windows OS build. So a lot of time the installer won’t copy ml.dll in place. As a result cyber criminal relies above matter to do a distribution a free copy of crafted ml.dll file on Internet for download.

After the loader has finished decrypting “svchost.dll”, the loader now has a decrypted version of Taidoor, which is a DLL. The loader then uses the API calls GetProcessHeap, GetProcAddress, and LoadLibrary to load the following DLLs, KERNEL32.dll, ADVAPI32.dll, and WS2_32.dll, which Taidoor will utilize.

Advises:
– Maintain up-to-date antivirus signatures and engines.
– Keep operating system patches up-to-date.
– Scan all software downloaded from the Internet prior to executing.

Sometimes he is a friend, but suddenly….(MAR-10296782-1.v1 – SOREFANG) – 29th Jul 2020 [Recently goal: Targeting COVID-19 Research, Vaccine Development ]

Preface: It looks that who have vaccine of COVID-19 will be grant the dominance of the world.

Reference: DVC APIs will help you to implement modules on the server and client side of a Remote Desktop Services connection that communicate with each other.A remote code execution vulnerability exists in Remote Desktop Services. When an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests,…… (CVE-2019-1182)

Description: Perhaps my research does not clearly reflect the actual status of the current malicious goal. However every people is looking for vaccine. My personal interest bring my attention to a malware so called “SOREFANG”. It looks that a vendor became a victim of this case. It was because attacker or APT group do a re-engineering their VPN software. As a matter of fact, their company footprint a large in China. The details of my observation and research are written down on attached diagram. For those who is interested. Please refer attached diagram for reference.

Highlight: Vendor announcement : The only vulnerable servers are the Sangfor servers running firmware versions M6.1 and M6.3R1. The statement revealed that other servers are clean and are not affected by the zero-day used by attacker.

Australia (ACSC) urges local citizens to be vigilant against cyber attacks. The so-called copy-paste compromises – 18th June 2020

Preface: Australia’s government and institutions are being targeted by ongoing sophisticated state-based cyber hacks, Prime Minister Scott Morrison says. Mr Morrison did not name specific cases but said it had spanned “government, industry, political organizations, education, health, essential service providers and operators of other critical infrastructure”. 19th June 2020

Technical details: Long story short. The nick name of this attack ‘Copy-Paste Compromises. It is derived from the cyber attacker heavy use of proof of concept exploit code, web shells and other tools copied almost identically from open source. For more details, please refer below link to download the report.

https://www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises.pdf

Attack highlights: Web shells are difficult to detect as they are easily modified by attackers and often employ encryption, encoding, and obfuscation. When a potential web shell is detected, administrators should validate the file’s origin and authenticity.

Recommendation: In normal circumstances, firewall locked down rule (deny any source to any destination) is hard to do the analytic through eyeball. But the attack vector designated to Australia. In order to avoid cyber attack in your firm. So firewall administrator should check their SIEM see whether it can find out the hints. If no such facility installed, Perhaps export the web server log see whether you can find out the attack activities details.

US Homeland security urge public alert on “Ripple20” Vulnerabilities (16th June 2020)

Preface: Baxter US, Caterpillar, Digi International, Hewlett Packard Enterprise, Intel, Rockwell Automation, Schneider Electric and Trek are impact by this vulnerability.
There are more vendor which do not know the actual status.

Vulnerability details:
An attacker from outside the network taking control over a device within the network, if internet facing. There are more ways to exploit this vulnerability, please refer below link for reference.

Root causes: The attacker exploit of the IP protocol flexibility. That is the incoming IPv4 fragments over an IP-in-IP tunnel. As we know, IPv4 found early than Internet services. At that period of time the most serious incident is merely virus infection to local machine. Machine to Machine communication will be make use of serial cable or Novell network. In short, it is a simple architecture. But the attacker can be exploit the design weakness engaging the cyber attack to digital world.

Remedy: You can follow cert.org recommendation install IDS (refer below url link) or refer to attached diagram. A quick and dirty solution.
https://kb.cert.org/vuls/id/257161

us homeland security alert – design weakness of universal plug and play – 9th jun 2020

Preface: Universal Plug and Play (UPnP) is a set of networking protocols that permits networked devices, such as personal computers, printers, Internet gateways, Wi-Fi …

Review historical event: Mirai is an IoT botnet that was designed to exploit vulnerabilities in IoT devices for use in large-scale DDoS attacks.In September 2016, the Mirai malware launched a DDoS attack. A massive attack causes the domain registration services provider (Dyn) interrupted the services in October 2016.

Design weakness on universal plug and play: The Open Connectivity Foundation UPnP specification before 2020-04-17 does not forbid the acceptance of a subscription request with a delivery URL on a different network segment than the fully qualified event-subscription URL, aka the CallStranger issue.

Concerns by security expert: The attacker can send a specially crafted HTTP SUBSCRIBE request to the vulnerable devices. Meanwhile, An it could utilize this vulnerability to conduct a DDoS attack. For more details, please refer offical articles in the following url – https://www.kb.cert.org/vuls/id/339275