Category Archives: Public safety

Nov 2019 – malware samples, staying alert!

Preface: The Trojan mostly arrive via email or spread from infected websites that users visit.

Background: U.S. Cyber Command has released seven malware samples. The malware hash shown as below: a2a77cefd2faa17e18843d74a8ad155a061a13da9bd548ded6437ef855c14442 fdb87add07d3459c43cfa88744656f6c00effa6b7ec92cb7c8b911d233aeb4ac 738ba44188a93de6b5ca7e0bf0a77f66f677a0dda2b2e9ef4b91b1c8257da790 04d70bb249206a006f83db39bbe49ff6e520ea329e5fbb9c758d426b1c8dec30 618a67048d0a9217317c1d1790ad5f6b044eaa58a433bd46ec2fb9f9ff563dc6 1ea6b3e99bbb67719c56ad07f5a12501855068a4a866f92db8dcdefaffa48a39 b6811b42023524e691b517d19d0321f890f91f35ebbdf1c12cbb92cda5b6de32

Our observation: VC++ method of injecting code into other programs is popular (see below):

  1. Put your code into a DLL; then use the windows hook to map it to the remote program.
  2. Put your code into a DLL; then use CreateRemoteThread and LoadLibrary to map it to the remote program.
  3. Copy your code directly to the remote program without using a DLL (using WriteProcessMemory)

So, how can you protect yourself against malicious code? Staying alert!

When you receive a word document. Perhaps document contained evasion technique. But you can do a basic health check by yourself. Nov 2019

Preface: Hot topic in the city this week perhaps is uncover the secret of surveillance power.

My focus: Perhaps quite a lot of reader are interested of the program code of the surveillance program ( sigs.py ). As far as we know, similar of surveillance program infection technique will be relied on email attachment (especially MS word document).

This underground cyber attack method was exposed by Kaspersky on November 5, 2019, and named Dark Universe, literally translating the Dark Universe.
Since this kind of surveillance program sometimes focus on evadsion technique. And therefore the earlier phase of infection do not insists to use the Malicious code . From technical point of view, when you open the word document you can do a health check by yourself on unknown word document.

MS Word document validation method (DIY) – Remove an embedded file or object

1.Open MS word document
2.Select the chart area and press Ctrl+C.
3.Select the location where you want to paste a picture of the chart, press Ctrl+Alt+V, and pick a Picture format.
4.Select the original embedded chart and press Delete.

— End —

Security focus -malicious cyber activity 1 st November 2019

Preface: U.S Homeland security released a report that urge the public to protect computer facilities to avoid Trojan attack. The Trojan found on 2014 which continuous upgrade itself in last half decade.

Background: Trojan.Hoplight is a Trojan horse that opens a backdoor on the compromised computer. It may also download potentially malicious files.

Security focus: We found quite a lot of malware target 32-bit machine in past.In most cases 32-bit code cannot access the memory of a 64-bit process.
In addition, malware which wishes to run malicious code inside a 64-bit process must, in most cases, be written as a 64- bit application. The HOPLIGHT variant capable to 64-bit machine.This malware artifact a malicious 64bit Windows dynamic library. From technical point of view, such change enhance his capability in modern system platform. Meanwhile, in order to evade antivirus vendor detection through secure gateway (HTTPS-man-in-the middle), they encodes it’s data with XOR Ox47 SUB Ox28 prior to being TLS encrypted. The goal is make it seal and nobody can crack this cipher. As far as we seen, this malware growth up with advanced technique.

Should you have interested to know the details, please refer url. https://www.us-cert.gov/ncas/analysis-reports/ar19-304a

Oct 2019 – The crisis of Indian nuclear power plant’s

Preface: In fact, of system design weakness, the chances of a hacker getting remote access to systems significantly intensifies.

About Indian nuclear power plant’s network was hacked -They have confirmed its newest nuclear power plant was the victim of a cyber attack, exposing the vulnerability of one of the country’s most critical sectors to cyber espionage, said the government of India.

Current status: As mentioned in the headline news, cyber attack happened in Indian nuclear power plant is unplanned. Perhaps it did not involve any hostile country conspiracy. However we found quite a lot of cyber defense vendor could not detect such malware. In reference to the status shown in VirusTotal on 31st Oct 2019 (Asia time).

For more details about this accident, please refer url: https://www.ft.com/content/e43a5084-fbbb-11e9-a354-36acbbb0d9b6

About Emotet malware (2019)

Preface: Emotet malware found in 2015. But he is still aggressive nowadays. It shown that it is a long life cyber attack product .

Details: Australian Cyber Security Centre (ACSC) released an advisory that Emotet malware widespread in rapidly. The Emotet malware is distributed mostly by means of phishing email that contains either links to malicious sites, or malicious attachments.
Since Emotet is a polymorphic design.Emotet is a polymorphic engine to mutate different values and operations. From observation, it now link with ransomware.
The change in shape of Emotet more or less proof that his design is equivalent as a cyber weapon. It provide the functions for infiltration. Meanwhile, after finished the mission. It can link to ransomware. Such design can avoid forensic investigator conduct the validations.

For more details, please refer to ACSC announcement. https://www.cyber.gov.au/threats/advisory-2019-131-emotet-malware-campaign

CVE-2019-12941 – AutoPi ( Wi-Fi/NB and 4G/LTE) devices wifi password vulnerability (Oct 2019)

Preface: Are you afraid of someone suddenly controlling your car?

Background: AutoPi is a small device that plugs into the OBD-II port of your car.

What is OBD-II port? OBD-II port of the car which gives the dongle access to the cars internal systems. AutoPi also provides a cloud service that lets you communicate with the dongle remotely over the Internet.

Vulnerability details: When user connected to the WiFi, it is also possible to SSH into the device. Both the web portal terminal and the SSH terminal grants root access, meaning that full access of the devices is given when connected through WiFi.

Since the wifi password mechanism design weakness. Attacker can use following method to receive the WPA2 authentication password. The default WiFi password and WiFi SSID are derived from the same hash function output (input is only 8 characters), which allows an attacker to deduce the WiFi password from the WiFi SSID. So it only take few hours can be cracked. For more details, please refer to attached infographic for reference.

Should you have interested, please download the technical white paper to review. https://www.kth.se/polopoly_fs/1.931922.1571071632!/Burdzovic_Matsson_dongle_v2.pdf

How to know your infrastructure under APT attack? NSA provide hints to cyber world (7th oct 2019)

Preface: Before the earthquake, many special phenomena will awaken people. Does a similar situation apply to cybersecurity attacks, especially APT?

Security focus: NSA has announcement a day ago. They urge the company must be extra care of vulnerabilities in Multiple VPN Applications. Are you interested of this article? Following URL can provide the details. https://media.defense.gov/2019/Oct/07/2002191601/-1/-1/0/CSA-MITIGATING-RECENT-VPN-VULNERABILITIES.PDF

Additional information: UTM is a common firewall design by far. Different kind of services are all in one box. Since the device is a UTM device (all integrated). Therefore, security experts can rely on log events generated by the firewall (Any-Any-Drop Action) to do a prediction.
The modern built in firewall defense and application firewall mechanism can identify the know CVE and shown on the log event. So you can relies on SIEM correlate function send the alert.
If your UTM log event contains a reject operation with following CVE reference number (CVE-2019-11510, CVE-2019-11539, and CVE-2018-13379). It tell you that your company is under APT attack.

What is the next action when above scenario occurs? You should activate the escalation procedure immediately.

New generation of weapon iot+lora+Drone (2019)

Preface: Traditionally, only big country can have military weapon. Computer technology especially IoT devices not only replace human power. As we seen, IoT 4.0 is going to replace routine man power resources. Perhaps IoT technology also infiltrate in military arsenal .

Details: On Sep, 2019. Drone attacks have set alight two major oil facilities run by the state-owned company Aramco in Saudi Arabia. Refer to diagram, Drone integrate with Lora can increasing the control effective distance. If trouble maker is going to attack improtant facilties, they have more choices today. In last decade, APT cyber attack is the major channel to detroy the critical facilities. But APT attack rare to destroy the infrastructure. If enemy insists to destory the infrastructure. The setup of IoT, Lora and Drone can do it.

Can Drones be Detected by Radar? All newer radars are equipped and have the ability to locate even the smallest drones in the air. May be in future, all the critical facilities especially oil facilitiy, Power grid require to install Radar system.

Prediction: We heard APT cyber attack against critical facilities (especially power grid and oil facilities) by far. It looks that a hybrid attack (IoT+Lora+Drone) will be use in future.

CIS Center for Internet Security Urge PHP customer aware of Multiple Vulnerabilities in PHP. Because it could allow for Arbitrary Code Execution. Sep 2019

Preface: Network security experts may hesitate to answer a question. What is it? Which programming language is easy to write. But there are no loopholes.

CIS Center for Internet security announcement: Multiple Vulnerabilities in PHP Could Allow for Arbitrary Code Execution

For more information, please refer URL – https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-php-could-allow-for-arbitrary-code-execution_2019-087/

Our Observation: One of the component to Jeopardize your PHP website is the “arbitrary-php-extension”. An experimental has been proofed. After loading custom made PHP extension, each request will be able to execute a piece of your own PHP code. If you need to customize the request argument arbitrary_php to something else, you can modify the value of REQUEST_NAME in (arbitraryphp/extinitial/pre_request.h). Parameter can be find on attached picture.

CVE-2019-12256 The industrial, and medical devices has been affected by IPV 4 component design flaws in VxWorks 7 & VxWorks 6.9 (Aug 2019)

Background: Wind River’s VxWorks is widely used in communications, military, aerospace, industrial control and other fields for its high reliability and excellent real-time performance. For example, it is used in the US F-16, FA-18 fighters, B-2 stealth bombers and Patriot missiles. The most famous is the Mars probe that landed on the surface of Mars in April 1997 and landed in May 2008. The Phoenix, and the Curiosity Rover, which landed on Mars in August 2012, also used VxWorks 7.

Vulnerability details: Wind River VxWorks 6.9 and vx7 has a Buffer Overflow in the IPv4 component. There is an IPNET security vulnerability: Stack overflow in the parsing of IPv4 packets? IP options.

Official announcement: CVE-2019-12256 Not affected by user-application code, this vulnerability resides in the IPv4 option parsing and may be triggered by IPv4 packets containing invalid options.The most likely outcome of triggering this defect is that the tNet0task crashes. In the worst-case scenario, this vulnerability can potentially lead to RCE.

Remedy: Fixed in Vx7 SR620 .Customers are advised to contact Wind River Customer Support.