Category Archives: Public safety

Why US Homeland security urge to public stay alert of the vulnerability on DrayTek Devices? 3rd April 2020

Preface: A conspiracy was leaked this week, someone ambitious to spying the world.

Details: The espionage activities will be exploit computer technology as 1st approach in today. It is merely relies on design weakness. Yes, it is the vulnerability. When I read the conspiracy details, I was wonder that if the formulation of this design (see attached diagram) goals to do a DDoS. Perhaps this is no a perfect way. However when US Homeland security urge to US citizen staying alert of the vulnerability found in DrayTek Devices. As everyone knows, today’s Tor network cannot perfectly hide the whereabouts of hackers. Because law enforcement already shutdown the proxy servers on the network. Besides, attacker also worries that does the proxy server has monitoring function. From attacker view point, they should perfectly hide itself. Refer to attached diagram, the new formulation of botnet technique will be exploited the new vulnerability found on IoT as a component. It looks like a plug-in module.

There are two types of operating system that sit under the SDK. Low cost and lower specification routers will select the RTOS. Since low end router cannot fulfill their requirement. Perhaps the VPN Router is the correct target because when compromised VPN router form a bot net group can compensate the current resources outage in Tor network.

Immediate action: Multiple vulnerabilities have been discovered in DrayTek devices which could allow for arbitrary code execution. If you are customer of DrayTek. Please do the upgrade immediately. https://www.draytek.com/about/security-advisory/vigor3900-/-vigor2960-/-vigor300b-router-web-management-page-vulnerability-(cve-2020-8515)

Kwampirs Targeted Attacks Involving Healthcare Sector – (31st Mar 2020)

Preface: Orangeworm is a group that has targeted organizations in the healthcare sector in the United States, Europe, and Asia since at least 2015.

Synopsis: Why does Kwampirs fall into the “Advanced Persistent Threat (APT)” category?

  • For tradition malware “click and action” attacks. APT attack not condct the similar action. Instead, APT merely do the infiltration on network and communicate with C&C peer daily. asking for updates.
  • The APT malware rare to do the destructive action especially encrypting data. Ask victim to pay the ransome.

About Kwampirs : FBI alert that Kwampirs goal to implant the remote-access Trojan (RAT). His target include organizations that run industrial control systems (ICS), financial services firms, energy companies and healthcare institutions. As a matter of fact, The Kwampirs was used by Orangeworm group as a backdoor Trojan. It has been found on machines which had software installed for the use and control of high-tech imaging devices such as X-Ray and MRI machines in past. So it was not suprising with Cyber security Guru that he return to healthcare industry.

How did Kwampirs infiltrate my computer? There are several ways to distribute Kwampirs. For instance, by using email campaigns, fake software updates, untrustworthy third party software download channels and unofficial software activation tools. So only relies on Yara rules in IDS not a effective solution to avoid this attack. The observation proves that the internal access control of the 3rd party device is one of the effective channel.

Should you have interested of this matter, please refer to URL – https://www.infragard-la.org/wp-content/uploads/2020/02/FLASH-CP-000118-MW-TLP-GREEN-YARA-Rules-to-Identify-Kwampirs-Malware-Employed-in-Ongoing-Cyber-Supply-Chain-Campaign-Targeting-Global-Industries.pdf

By the way, we hope that the corona-virus will disappear in the world as soon as possible.

A retrospective album of BlackEnergy – Feb 2020

Somewhere in time. This is 2015 – BlackEnergy2 exists in the form of a kernel-mode driver, which makes it harder for network administrators to discover the compromise. Black energy Group will mimics their custom tool(driver) thus made to look like a normal Windows component. They are interested in infecting Windows servers especially OPC server. But Microsoft implemented a driver signing policy in order to avoid loading unsigned driver. This feature is enabled on 64 bits versions of Windows systems.

Synopsis: In normal circumstances, activate the function of the cyber espionage and information destruction attack features needed to be rebooted in order to start the mimics driver. Even though black energy do not have exception.This unplanned reboot of the Windows server could raise suspicion. To solve the reboot issue, the attackers started to use a tool called DSEFix (an open-source tool that exploits CVE-2008-3431, a vulnerability in the legitimate VirtualBox driver), in order to disable the driver signature check. The attackers will made a custom version of DSEFix that also modifies boot configuration data (BCD) in order to enable TESTSIGNING mode.

What is TESTSIGNING mode: By default, Windows does not load test-signed kernel-mode drivers. To change this behavior and enable test-signed drivers to load, use the boot configuration data editor, BCDEdit.exe, to enable or disable TESTSIGNING, a boot configuration option. You must have Administrator rights to enable this option.

Those cyber criminal will focusing the OPC server.Because the OPC client uses the OPC server to get data from or send commands to the hardware.

Will it happen today? The elaborate email subject and content presents challenges for traditional security tools, because it is designed specifically to evade detection.

Staying alert of Emotet infection, even though you are a Mac User. Feb 2020

Preface: Apple Mac OS as not as easy to compromised compare with other popular operation system.

Details (A): Emotet is malware originally engineered as a banking Trojan designed to steal sensitive information.
It is a modular malware variant which is primarily used as a downloader for other malware variants such as TrickBot and IcedID. But their design presents challenges for traditional security tools, because it is designed specifically to bypass endpoint solutions. Even Mac computers are no exception.

Details (B): See attached diagram, Emotet keen to infect the computer by email. It traditionally will display several reasons require you to execute next action (clicks on it). As Trojan.Emotet takes over the email accounts of its victims. This helps trick users into downloading the Trojan onto their machine.

Official channel:
What can you do if your MacOS is infected by Emotet?
AppleCare does not provide support for removal of the malware. But customer can go to the Apple Online Store and the Mac App Store for antivirus software options.

Additional: Just do a google search, there are solution everywhere. So, you can make your decision.

Hacker exploit Coronavirus Crisis, send scam email to different industries – 18th Feb 2020

Synopsis:

a. Attackers disguise their scam email as an official (WHO) alert issued by the Centers for Disease Control Health Alert Network. (Targeting individuals from the United States and the United Kingdom)

b. Attackers disguise their scam email as an alert of Coronavirus status, they are target to shipping industry.

Description: About the attack to shipping industry – Hacker exploit the vulnerability of CVE 2017-11882, perhaps they found that the patch management on the boat not enforce in frequent. And therefore the attack explicitly target shipping industry. About the attack to individuals from the United States and the United Kingdom – WHO urge that if anyone see similar type of scam email. Report to WHO – https://www.who.int/about/report_scam/en/

The slogan – Do not rush to open a URL or open a email. Take care.

Hong Kong Broadband Network customer staying alert! 17th Feb 2020

Synopsis: The threat actors hidden their email phishing package anywhere. As common we know, email phishing scam foot print are wide in area. But the antivirus and malware solution vendor setup blacklist domain name and content filtering function has reduced the infection ratio of malware and ransomware. It looks that the similar of idea to hunting cyber victim still valid. In my observation, the attacker sometimes will be reuse their technique. This time they store the trap in social media web. Found that the scam activities which mimic Hong Kong Broadband luck draw online program activities is awaken again. I found similar activities on yesterday (16th Feb 2020). Even the VirusTotal repository has only one cybersecurity vendor detected a similar record type. In the sense that they can escape your defense solution.

For more detail, please refer to announcement by HKBN in past. https://www.hkbn.net/personal/dist/img/src/pdf/Warning-Against-Phishing-Website_en.pdf

MS CryptoAPI spoofing flaw – 15th Jan 2020

Preface: We are all scared of Ransomware!

Background: crypt32.dll is a type of DLL file, with extension of .dll. It is associated with Crypto API32 and is used to run Crypto API32 based applications. Certain sophisticated video games and software applications use crypt32.dll to get access to certain API functionality, as provided by Windows.

Vulnerability details: The bug exploits crypt32.dll signature verification on elliptic curve. crypt32.dll only checks for matching public key and parameters, but not the generator G. An attacker could use your public certificate without owning its private key, combined with some other code-signing certificate issued to someone else, to bypass a publisher check this way.

Special comment: Do you think this vulnerability has relationship with surveillance program?

NSA Official announcementhttps://media.defense.gov/2020/Jan/14/2002234275/-1/-1/0/CSA-WINDOWS-10-CRYPT-LIB-20190114.PDF

In order to avoid MS ‘.Group’ file handling RCE vulnerability. Think it before click – Jan 2020

Preface: Perhaps you would say the ‘.group’ file handling is the design defect. So hacker exploit social engineer trigger this vulnerability (GROUP FILE URL FIELD CODE EXECUTION). Do you agree?

What is a GROUP file? The file is located inside this location: C:\Program Files\Windows Mail.

Vulnerability details: Microsoft Windows is prone to a remote code-execution vulnerability. Attackers can exploit this issue to execute arbitrary code in the context of the currently logged-in user. Failed attacks will cause denial of service conditions.

Former 0-day record: About eleven months ago, Microsoft ‘.contact’ File vulnerability found. It allow Arbitrary Code Execution. Less than 1 year, there is another vulnerability occurs on ‘.group’ file handling. Perhaps the WAB.exe features could be do a re-engineering.

Reference url: https://www.symantec.com/security-center/vulnerabilities/writeup/111355?om_rssid=sr-advisories

Phishing email compromised the reputation of company, Microsoft take legal action

Preface: Microsoft products cover a wide range. Perhaps quite a lot of people queries design weakness of their products. But they have capabilities to protect it own.

Background: The cyber criminal exploit Microsoft official domain name to made phishing email and goal to increase the possibility to open the email. Meanwhile the malicious infection technique has proprietary evading antivirus technique.
Remark: According to my observation, the evolution of this cyber attack technique found in 2013. Perhaps we remember HWP (Hangul Word Processor). HWP files are similar to MS Word’s DOCX files, except that they can contain Korean written language, making it one of the standard document formats used by the South Korean government. Should you have interested to review the details, plese refer to following URL: http://www.antihackingonline.com/network-protocol-topology-standard/vulnerabilities-in-the-old-ole2-based-hwp-file-format-engages-apt-attacks-to-south-korea/

Cyber security focus: Such matter reminds cybersecurity world of cyber criminal infiltration technique. Expert found that the North Korea cyber attack suspect make a new way. Attack mainly using the API hooking technique to hide the behaviors of the first-stage backdoor which is the second payload in this operation. Since this attack landing page most likely is a MS document. The Fallout Exploit Kit is Back with adobe Vulnerabilities and Payloads (see attached diagram) So, it generate a interference to business and government sector.

Reference: Microsoft Sues North Korea-Linked Hackers for Impersonation (1) – https://news.bloomberglaw.com/ip-law/microsoft-sues-north-korea-linked-hackers-for-targeting-users

IoT zone staying alert! HomeAutomation 3.3.2 design weakness exposed (Authentication Bypass, CSRF / Code Execution & Cross Site Request Forgery) – 1-1-2020

Preface: Sometimes lighting can become a security safeguard. Perhaps the lighting system will help you figure out whether intruder jump to your garden at night.

Synopsis: It is hard to avoid the digital transformation trend integrate to your daily life. As the matter of fact, they are on board already. For instance the remote controlled outdoor outlets with on/off function, Z-Wave outlets that measure energy consumption for connected lamps and appliances.

Remark: ZWave is a wireless communications protocol used primarily for home automation.

Vulnerability details:

HomeAutomation is an open-source web interface and scheduling solution. Quite a lot of IoT manufacturer are do the product integration to HomeAutomation (see attached diagram). Expert found design weakness occured in HomeAutomation software.
From technical aspect. Use the cURL_init function, implemented with PHP, to open a connection and the links includes reference’s to the other two functions (curl_setopt & curl_exec) to be able to potentially reuse an existing handle (conncetion).
The HomeAutomation suffers from an authentication bypass vulnerability when spoofing client IP address using the X-Forwarded-For header with the local (loopback) IP address value allowing remote control of the smart home solution. For details, please refer to diagram.

Status: No official announcement for the remediation by software vendor and manufacturer in the moment.