Category Archives: Public safety

Security focus - malicious cyber activity, 1st November 2019

Preface: U.S. Homeland Security released a report urging the public to protect computer facilities against a Trojan attack. The Trojan was found in 2014 and has continuously upgraded itself over the last half decade.

Background: Trojan.Hoplight is a Trojan horse that opens a backdoor on the compromised computer. It may also download potentially malicious files.

Security focus: We found that quite a lot of malware targeted 32-bit machines in the past. In most cases 32-bit code cannot access the memory of a 64-bit process.
In addition, malware that wishes to run malicious code inside a 64-bit process must, in most cases, be written as a 64-bit application. The HOPLIGHT variant is capable of running on 64-bit machines: this malware artifact is a malicious 64-bit Windows dynamic library. From a technical point of view, such a change enhances its capability on modern system platforms. Meanwhile, in order to evade antivirus vendor detection through a secure gateway (HTTPS man-in-the-middle), it encodes its data with XOR 0x47 SUB 0x28 prior to TLS encryption. The goal is to seal the data so that nobody can crack this cipher. As far as we have seen, this malware has grown up with advanced techniques.
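As an added example (not code from the US-CERT report or from the malware itself), this is the byte transform the report describes, with the order XOR first and then SUB assumed from the wording; an analyst who has captured the pre-TLS data applies the inverse to read it:

```python
XOR_KEY = 0x47
SUB_KEY = 0x28

def hoplight_encode(data: bytes) -> bytes:
    """XOR each byte with 0x47, then subtract 0x28 (mod 256, so small values wrap)."""
    return bytes(((b ^ XOR_KEY) - SUB_KEY) & 0xFF for b in data)

def hoplight_decode(data: bytes) -> bytes:
    """Undo the encoding in reverse order: add 0x28 back (mod 256), then XOR with 0x47."""
    return bytes(((b + SUB_KEY) & 0xFF) ^ XOR_KEY for b in data)

# Constructed sample buffer (not a real capture); it includes bytes below 0x28,
# whose subtraction wraps around, to check that the inverse handles them.
SAMPLE = b"GET /index.html\r\n" + bytes(range(0, 0x28))

def roundtrip_ok(data: bytes = SAMPLE) -> bool:
    """True when decode(encode(x)) restores x for every byte, wrapped ones included."""
    return hoplight_decode(hoplight_encode(data)) == data
```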

Should you be interested in the details, please refer to the URL: https://www.us-cert.gov/ncas/analysis-reports/ar19-304a

Oct 2019 – The crisis at an Indian nuclear power plant

Preface: In fact, because of system design weaknesses, the chance of a hacker gaining remote access to systems increases significantly.

About the hacked Indian nuclear power plant network: the government of India has confirmed that its newest nuclear power plant was the victim of a cyber attack, exposing the vulnerability of one of the country's most critical sectors to cyber espionage.

Current status: As mentioned in the headline news, the cyber attack on the Indian nuclear power plant was unplanned. Perhaps it did not involve any hostile-country conspiracy. However, we found that quite a lot of cyber defense vendors could not detect this malware, according to the status shown in VirusTotal on 31st Oct 2019 (Asia time).

For more details about this incident, please refer to the URL: https://www.ft.com/content/e43a5084-fbbb-11e9-a354-36acbbb0d9b6

About Emotet malware (2019)

Preface: Emotet malware was found in 2015, but it is still aggressive today. This shows that it is a long-lived cyber attack product.

Details: The Australian Cyber Security Centre (ACSC) released an advisory that Emotet malware is spreading rapidly. Emotet is distributed mostly by means of phishing emails that contain either links to malicious sites or malicious attachments.
Emotet is a polymorphic design: its polymorphic engine mutates different values and operations. From observation, it is now linked with ransomware.
The change in shape of Emotet more or less proves that its design is equivalent to a cyber weapon. It provides the functions for infiltration; after finishing its mission, it can link to ransomware. Such a design can hinder forensic investigators from conducting their validations.

For more details, please refer to the ACSC announcement: https://www.cyber.gov.au/threats/advisory-2019-131-emotet-malware-campaign

CVE-2019-12941 – AutoPi (Wi-Fi/NB and 4G/LTE) devices Wi-Fi password vulnerability (Oct 2019)

Preface: Are you afraid of someone suddenly taking control of your car?

Background: AutoPi is a small device that plugs into the OBD-II port of your car.

What is the OBD-II port? The OBD-II port of the car gives the dongle access to the car's internal systems. AutoPi also provides a cloud service that lets you communicate with the dongle remotely over the Internet.

Vulnerability details: When a user is connected to the Wi-Fi, it is also possible to SSH into the device. Both the web portal terminal and the SSH terminal grant root access, meaning that full access to the device is given when connected through Wi-Fi.

Because of a design weakness in the Wi-Fi password mechanism, an attacker can use the following method to recover the WPA2 authentication password. The default Wi-Fi password and Wi-Fi SSID are derived from the same hash function output (the input is only 8 characters), which allows an attacker to deduce the Wi-Fi password from the Wi-Fi SSID. So it can be cracked in only a few hours. For more details, please refer to the attached infographic.

Should you be interested, please download the technical white paper for review: https://www.kth.se/polopoly_fs/1.931922.1571071632!/Burdzovic_Matsson_dongle_v2.pdf

How to know whether your infrastructure is under APT attack? NSA provides hints to the cyber world (7th Oct 2019)

Preface: Before an earthquake, many special phenomena alert people. Does a similar situation apply to cybersecurity attacks, especially APT?

Security focus: NSA made an announcement a day ago, urging companies to take extra care about vulnerabilities in multiple VPN applications. Are you interested in this article? The following URL provides the details: https://media.defense.gov/2019/Oct/07/2002191601/-1/-1/0/CSA-MITIGATING-RECENT-VPN-VULNERABILITIES.PDF

Additional information: UTM is by far the most common firewall design: different kinds of services are all in one box. Since the device is a UTM device (all integrated), security experts can rely on the log events generated by the firewall (Any-Any-Drop action) to make a prediction.
The modern built-in firewall defense and application firewall mechanisms can identify known CVEs and show them in the log event, so you can rely on the SIEM correlation function to send the alert.
If your UTM log event contains a reject operation with one of the following CVE reference numbers (CVE-2019-11510, CVE-2019-11539 and CVE-2018-13379), it tells you that your company is under APT attack.
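An added example (not from the NSA advisory or any firewall vendor) of the correlation described above, run over constructed key=value log lines: rejected traffic tagged with one of the three CVE references is grouped per source as the early-warning signal, while the same tag on allowed traffic is kept apart because it means the signature fired but the packet got through.

```python
import re
from collections import defaultdict

# CVE references named in the NSA advisory
VPN_CVES = {"CVE-2019-11510", "CVE-2019-11539", "CVE-2018-13379"}
REJECT_ACTIONS = {"reject", "drop", "deny", "block"}
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_kv(line):
    """Split a key=value log line (quoted values allowed) into a dict."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def vpn_cve_events(lines):
    """Group lines whose CVE tag is in VPN_CVES by action and source address.
    'rejected' supports the prediction above; 'allowed' is an incident, not a warning."""
    out = {"rejected": defaultdict(set), "allowed": defaultdict(set)}
    for line in lines:
        ev = parse_kv(line)
        cve = ev.get("cve", "").upper()
        if cve not in VPN_CVES:
            continue  # other signatures are out of scope for this rule
        bucket = "rejected" if ev.get("action", "").lower() in REJECT_ACTIONS else "allowed"
        out[bucket][ev.get("src", "?")].add(cve)
    return {k: {src: sorted(c) for src, c in v.items()} for k, v in out.items()}

# Constructed sample lines in a generic key=value style (not real UTM output);
# CVE-0000-00000 is a placeholder for a signature outside the advisory's list.
SAMPLE_UTM_LOG = [
    'ts=2019-10-08T01:02:03 action=drop src=203.0.113.9 dst=192.0.2.10 dport=443 cve=CVE-2019-11510 msg="IPS signature match"',
    'ts=2019-10-08T01:02:09 action=drop src=203.0.113.9 dst=192.0.2.10 dport=443 cve=CVE-2019-11539 msg="IPS signature match"',
    'ts=2019-10-08T01:03:41 action=drop src=203.0.113.9 dst=192.0.2.10 dport=443 cve=CVE-0000-00000 msg="IPS signature match"',
    'ts=2019-10-08T01:05:00 action=allow src=198.51.100.4 dst=192.0.2.11 dport=443 cve=CVE-2018-13379 msg="IPS signature match"',
    'ts=2019-10-08T01:06:12 action=allow src=198.51.100.4 dst=192.0.2.11 dport=443 msg="session opened"',
]
```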

What is the next action when the above scenario occurs? You should activate the escalation procedure immediately.

New generation of weapon: IoT + LoRa + Drone (2019)

Preface: Traditionally, only big countries could have military weapons. Computer technology, especially IoT devices, does not only replace human power. As we have seen, IoT 4.0 is going to replace routine manpower resources. Perhaps IoT technology is also infiltrating the military arsenal.

Details: In September 2019, drone attacks set alight two major oil facilities run by the state-owned company Aramco in Saudi Arabia. Refer to the diagram: a drone integrated with LoRa can increase the effective control distance. If a troublemaker is going to attack important facilities, they have more choices today. In the last decade, APT cyber attacks were the major channel for striking critical facilities, but APT attacks rarely destroy the infrastructure. If an enemy insists on destroying the infrastructure, a setup of IoT, LoRa and a drone can do it.

Can drones be detected by radar? All newer radars are equipped with the ability to locate even the smallest drones in the air. Maybe in future all critical facilities, especially oil facilities and the power grid, will be required to install a radar system.

Prediction: So far we have heard of APT cyber attacks against critical facilities (especially the power grid and oil facilities). It looks like a hybrid attack (IoT + LoRa + Drone) will be used in future.

CIS Center for Internet Security urges PHP customers to be aware of multiple vulnerabilities in PHP, because they could allow for arbitrary code execution (Sep 2019)

Preface: Network security experts may hesitate to answer one question. What is it? Which programming language is easy to write in but has no loopholes?

CIS Center for Internet security announcement: Multiple Vulnerabilities in PHP Could Allow for Arbitrary Code Execution

For more information, please refer to the URL – https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-php-could-allow-for-arbitrary-code-execution_2019-087/

Our observation: One of the components that can jeopardize your PHP website is the "arbitrary-php-extension". An experiment has proved it: after loading a custom-made PHP extension, each request will be able to execute a piece of your own PHP code. If you need to change the request argument arbitrary_php to something else, you can modify the value of REQUEST_NAME in arbitraryphp/extinitial/pre_request.h. The parameter can be found in the attached picture.

CVE-2019-12256 – Industrial and medical devices affected by IPv4 component design flaws in VxWorks 7 & VxWorks 6.9 (Aug 2019)

Background: Wind River's VxWorks is widely used in communications, military, aerospace, industrial control and other fields for its high reliability and excellent real-time performance. For example, it is used in the US F-16 and F/A-18 fighters, B-2 stealth bombers and Patriot missiles. The most famous uses are the Mars probe that landed on the surface of Mars in April 1997, the Phoenix lander that landed in May 2008, and the Curiosity rover, which landed on Mars in August 2012 and also used VxWorks 7.

Vulnerability details: Wind River VxWorks 6.9 and VxWorks 7 have a buffer overflow in the IPv4 component. There is an IPNET security vulnerability: a stack overflow in the parsing of IPv4 packets' IP options.

Official announcement: CVE-2019-12256 is not affected by user-application code; this vulnerability resides in the IPv4 option parsing and may be triggered by IPv4 packets containing invalid options. The most likely outcome of triggering this defect is that the tNet0 task crashes. In the worst-case scenario, this vulnerability can potentially lead to RCE.
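To make concrete what "invalid options" means for a packet filter or test harness, here is an added example (not Wind River's IPNET code) of a bounds-checked walk over the IPv4 options area: it rejects an option whose declared length runs past the header, or is shorter than the two bytes every typed option needs, before any byte outside the header is touched. The sample packets are constructed for the example.

```python
def ipv4_validate_options(pkt: bytes):
    """Return the number of options walked, or None if the header or an option is malformed."""
    if len(pkt) < 20:
        return None
    version, ihl = pkt[0] >> 4, (pkt[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or ihl > len(pkt):
        return None  # IHL must cover the fixed header and fit inside the buffer
    off, count = 20, 0
    while off < ihl:
        kind = pkt[off]
        if kind == 0:          # End of Option List: remaining bytes are padding
            break
        if kind == 1:          # No Operation: single-byte option
            off += 1
            continue
        if off + 1 >= ihl:     # the length byte itself would lie outside the header
            return None
        olen = pkt[off + 1]
        # lengths below 2 are invalid (0 would stall a naive loop); a length that
        # runs past IHL is the kind of invalid option the advisory describes
        if olen < 2 or off + olen > ihl:
            return None
        off += olen
        count += 1
    return count

# Constructed samples (not real captures): IHL=6, i.e. a 24-byte header with
# 4 bytes of options after the fixed 20 bytes.
FIXED_HDR = bytes([0x46, 0, 0, 24, 0, 0, 0, 0, 64, 6, 0, 0, 10, 0, 0, 1, 10, 0, 0, 2])
GOOD_PKT = FIXED_HDR + bytes([0x94, 0x04, 0x00, 0x00])      # Router Alert, length 4
BAD_LEN_PKT = FIXED_HDR + bytes([0x94, 0x10, 0x00, 0x00])   # claims 16 bytes, 4 remain
ZERO_LEN_PKT = FIXED_HDR + bytes([0x94, 0x00, 0x00, 0x00])  # length 0 never advances

def check_samples():
    """(good, oversized length, zero length) -> (1, None, None)"""
    return tuple(ipv4_validate_options(p) for p in (GOOD_PKT, BAD_LEN_PKT, ZERO_LEN_PKT))
```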

Remedy: Fixed in VxWorks 7 SR620. Customers are advised to contact Wind River Customer Support.

Australian Cyber Security Centre urges its citizens to beware of password spraying attacks

Preface: Even though your company installs a full set of cyber defense mechanisms, more than 70% of the features are detective and preventive. Perhaps SIEM can take a predictive action. Maybe you have doubts, but it is factual.

Details: The Australian Cyber Security Centre urges its citizens to beware of password spraying attacks (refer to the URL below): https://www.cyber.gov.au/sites/default/files/2019-08/2019-130_-_password_spray_attacks_detection_and_mitigation_strategies.pdf
Such activities have been observed by U.S. Homeland Security for a long time. Consolidating their evaluation results, the summary is shown below:

Part A: Ports commonly targeted in password spraying.

SSH (22/TCP)
Telnet (23/TCP)
FTP (21/TCP)
NetBIOS / SMB / Samba (139/TCP & 445/TCP)
LDAP (389/TCP)
Kerberos (88/TCP)
RDP / Terminal Services (3389/TCP)
HTTP/HTTP Management Services (80/TCP & 443/TCP)
MSSQL (1433/TCP)
Oracle (1521/TCP)
MySQL (3306/TCP)
VNC (5900/TCP)

Part B: Cyber Attack Group & Commonly used malware

Group names: APT3, APT33, Dragonfly 2.0 (Berserk Bear), Threat Group-3390, Lazarus Group, OilRig (APT35), Leafminer, Turla

Malware types:
Chaos (malware)
Linux Rabbit(malware)
SpeakUp (Trojan backdoor)
Xbash (malware)
PoshC2 is an open source remote (written in PowerShell)
Emotet (malware)

SIEM definition – firing rule criteria (see below):
1. Failed attempts over a period of time
2. Large numbers of bad usernames
3. High number of account lockouts over a defined period of time
4. Unknown “appDisplayName” – Active Directory PowerShell
5. Ratio of login success versus login failure per IP address

Remark: If your IT infrastructure is a cloud IaaS deployment, perhaps you need to do the monitoring yourself.

If the above 5 items trigger your SIEM rules, even though the activities are not high in volume, you need to observe their continuity. Most likely those activity alerts indicate that a cyber attack group is interested in your company.
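An added example (not from the ACSC advisory) that evaluates rules 1, 2, 3 and 5 above per source address over constructed authentication log lines; rule 4 depends on directory-specific fields and is left out. The log format, thresholds and window are assumptions chosen for the example, not values the advisory prescribes.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>SUCCESS|FAIL|LOCKOUT)$")

# Constructed sample (not real logs): 203.0.113.5 tries five accounts and causes
# two lockouts inside two minutes; 198.51.100.7 is one user who mistyped once.
SAMPLE_LOG = """\
2019-08-20T09:00:00 src=203.0.113.5 user=alice result=FAIL
2019-08-20T09:00:20 src=203.0.113.5 user=bob result=FAIL
2019-08-20T09:00:40 src=203.0.113.5 user=carol result=FAIL
2019-08-20T09:01:00 src=203.0.113.5 user=dave result=FAIL
2019-08-20T09:01:20 src=203.0.113.5 user=erin result=FAIL
2019-08-20T09:01:40 src=203.0.113.5 user=alice result=LOCKOUT
2019-08-20T09:02:00 src=203.0.113.5 user=bob result=LOCKOUT
2019-08-20T09:05:00 src=198.51.100.7 user=alice result=FAIL
2019-08-20T09:05:30 src=198.51.100.7 user=alice result=SUCCESS
""".splitlines()

def parse(lines):
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:  # lines that do not parse are skipped, not counted as failures
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            yield ev

def spray_alerts(lines, window=timedelta(minutes=10), max_fail=5, max_users=4,
                 max_lockouts=2, fail_ratio=0.8):
    """Return {src_ip: [rules fired]} for sources matching rules 1, 2, 3 or 5."""
    per_src = defaultdict(list)
    for ev in parse(lines):
        per_src[ev["src"]].append(ev)
    alerts = {}
    for src, evs in per_src.items():
        evs.sort(key=lambda e: e["ts"])
        fired = set()
        for i, ev in enumerate(evs):
            win = [e for e in evs[: i + 1] if e["ts"] >= ev["ts"] - window]  # sliding window
            fails = [e for e in win if e["result"] == "FAIL"]
            if len(fails) >= max_fail:
                fired.add("rule1_failed_attempts")
            if len({e["user"] for e in fails}) >= max_users:
                fired.add("rule2_many_usernames")
            if sum(e["result"] == "LOCKOUT" for e in win) >= max_lockouts:
                fired.add("rule3_lockouts")
        not_ok = sum(e["result"] != "SUCCESS" for e in evs)
        if len(evs) >= max_fail and not_ok / len(evs) >= fail_ratio:  # rule 5 needs enough events
            fired.add("rule5_fail_ratio")
        if fired:
            alerts[src] = sorted(fired)
    return alerts
```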

Fileless Malware Advisory – 17 Jul 2019

Preface: Stolen account information of nearly 750 million users was available for sale on the dark web after hackers breached 24 popular websites. The stolen data, released in two batches, includes names, email addresses and hashed passwords.

Description: A spear phishing email with a URL to an archive file containing a .lnk file can mislead the receiver into becoming a cyber victim. The receiving end is not aware and lets the data thief steal the data in silent mode.

Fileless Malware Advisory: Microsoft is alerting that a new type of fileless malware has been found (Astaroth). This malware can be installed on victims' PCs without an executable. The Microsoft Defender ATP Research Team locked down Astaroth in May and June 2019. The Canadian Centre for Cyber Security issued a report this week providing guidance on prevention. This malware has the capability to evade defense mechanisms. Should you be interested in this report, please refer to the following URL – https://cyber.gc.ca/en/alerts/fileless-malware-advisory