


Advantech is a leader in the global IPC (industrial PC) market. It offers a comprehensive IPC product range built for reliability and stability in extreme environments, giving its customers a one-stop shop for implementing Industry 4.0 and fulfilling their Industrial IoT needs.
IoT and SCADA devices have been the targets of APT (Advanced Persistent Threat) groups so far, so a manufacturer of this type will naturally attract attacker interest. For the technical details, please refer to the URL below.
https://www.eset.com/int/greyenergy-exposed/
It is therefore reasonable to predict that such attacks may target Advantech customers.
Factor:
Advantech WebAccess/SCADA versions prior to V8.2_20170817 do not properly sanitize their inputs for SQL commands (SQL injection).
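To make the "does not properly sanitize its inputs for SQL commands" finding concrete, here is an added example (my own illustration, not Advantech code and not taken from the advisory). It assumes a hypothetical login lookup against a users table, builds the table in an in-memory SQLite database with constructed rows, and runs two classic payloads through a string-built query and through the parameterized fix.

```python
import sqlite3

# Constructed sample data: a stand-in for whatever table the real product queries.
SAMPLE_USERS = [
    ("operator", "s3cret", "user"),
    ("admin", "hunter2", "admin"),
]


def _connect():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, name, password):
    """Untrusted input is pasted into the SQL text, so quotes and comment
    markers in the input become part of the statement (the injection)."""
    sql = ("SELECT name, role FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return conn.execute(sql).fetchall()


def login_parameterized(conn, name, password):
    """The statement text is fixed; the driver binds the values separately,
    so a quote in the input is just a character in the compared string."""
    sql = "SELECT name, role FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchall()


def demo():
    """Run two classic payloads through both versions and return the rows."""
    conn = _connect()
    results = {}
    # 1. Comment out the password check:
    #    ... WHERE name = 'admin' --' AND password = 'wrong'
    results["comment_bypass"] = {
        "vulnerable": login_vulnerable(conn, "admin' --", "wrong"),
        "parameterized": login_parameterized(conn, "admin' --", "wrong"),
    }
    # 2. Tautology in the password field:
    #    ... AND password = '' OR '1'='1'   (matches every row)
    results["tautology"] = {
        "vulnerable": login_vulnerable(conn, "nobody", "' OR '1'='1"),
        "parameterized": login_parameterized(conn, "nobody", "' OR '1'='1"),
    }
    return results


if __name__ == "__main__":
    for case, rows in demo().items():
        print(case, rows)
```

The vulnerable path returns the admin row for the first payload and every row for the second; the parameterized path returns nothing for either, because the payload is compared as a literal string. Escaping quotes by hand is not an equivalent fix: binding parameters keeps data out of the statement's syntax entirely.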
Synopsis:
Targets are chosen among servers with high uptime, where reboots and patch management are rare.
To avoid raising suspicion, the threat actor uses the vendor's official certificate when conducting data exfiltration.
As long as the malware stays alive, the C&C server can direct it to carry out the operator's tasks, such as exploiting the SQL injection vulnerability.
If you are interested in the specific vulnerabilities, please refer to the hyperlink below.

NSA Senior Cybersecurity Advisor questions Bloomberg Businessweek's China iCloud spy chip claim (see the URL below)
Here is a quick discussion that stays clear of conspiracy theories. From a technical point of view, if hardware is polluted with a spy feature, the impact is hard to overstate.
In the SD-branch model, routing, firewall and WAN optimization are delivered as virtual functions in a cloud-like NaaS model, replacing expensive hardware. Telephone companies will therefore use SD-branch to provide virtual CPE and universal CPE (uCPE) services.
A uCPE consists of software virtual network functions (VNFs) running on a standard operating system hosted on an open server, so uCPE will play a very important role in future networks. A vulnerability, or a tainted component, at this point in the chain would make the problem worse and far more complicated.
Supermicro Designs New Open Software-Defined Networking (SDN) Platform Optimized for 5G and Telco Applications and Launches verified Intel® Select Solution for uCPE

Preface:
In x86 protected mode, the CPU is always in one of four rings. The Linux kernel only uses rings 0 and 3:
Hidden janitor living in your computer
SMM is entered through a System Management Interrupt (SMI), a signal sent from the chipset to the CPU. During platform initialization, the firmware configures the chipset to raise an SMI for the various events the firmware developer wants the firmware to be made aware of.
Do you remember that Intel chipsets have for some years included a Management Engine?
In May 2017 Intel officially announced a design flaw in its products: Intel Active Management Technology, Intel Small Business Technology and Intel Standard Manageability were affected by an escalation-of-privilege vulnerability. Reference URL:
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00075.html
Setting conspiracy aside, a privileged management component sitting below the operating system, with its own exploitable flaws, is not a rumour. It is a documented fact, whether or not one chooses to call it a backdoor.
Rings 1 and 2 were intended for the OS to place device drivers: privileged, but somewhat separated from the rest of the kernel code.
An exploitation at Ring -2
The people most familiar with the code of the UEFI firmware and the SMM handler are the CPU and platform manufacturers. Informally, SMM is called "Ring -2" because it is invisible to, and more privileged than, the kernel (ring 0) and even a hypervisor ("Ring -1"); the Intel Management Engine behind the SA-00075 flaw runs on its own separate processor and is often labelled "Ring -3". UEFI itself runs in ring 0 before the OS takes over. UEFI can run in 32-bit or 64-bit mode and can address far more memory than legacy BIOS. The Unified Extensible Firmware Interface (UEFI) is a specification for the software that connects a computer's firmware to its operating system, and it is expected to eventually replace BIOS. Like BIOS, UEFI is installed at the time of manufacturing and is the first program that runs when a computer is turned on; it is also what boots a dual-boot Windows/Linux machine. UEFI firmware has become a target for attackers.
Refer to the diagram above: the privilege level code runs at depends on the operating mode (for example, hardware-assisted virtualization adds a VMX root mode beneath the guest's ring 0). None of that matters to code written into the flash chip: an attacker with write access to the SPI flash can inject malware into the firmware, which runs before any of those protections are set up.
Remark: malware injected into the firmware flash regions is persistent and will run on every subsequent boot.
SPI Flash Exploit – malicious DXE drivers can disable security settings and install malicious code into the OS.
Additional:
Refer to the information above. According to the Bloomberg report, when a computer was installed and switched on, the microchip altered the operating system's core so it could accept modifications. The chip could also contact computers controlled by the attackers in search of further instructions and code.
But there is no further indicator or proof of who the culprit is, and the blame could just as easily be shifted onto someone else. If you do not mind reading the Bloomberg articles once more, please refer below:

DHS made a few critical cyber security announcements a few days ago, and some of the technical articles deserve practitioners' attention. Have you read the paper "Threats to Precision Agriculture" yet? In my opinion the predicted attack scenarios are not limited to agriculture; they may also apply to the aerospace industry. Real-time kinematic (RTK) positioning is a technique used to enhance the precision of position data derived from satellite-based systems. GPS is now considered a "cross-sector dependency" for the Department of Homeland Security's (DHS) 16 designated critical infrastructure sectors. GNSS is vulnerable to jamming and natural interference, and when GNSS is denied, PNT (positioning, navigation and timing) information can be seriously affected in ways that increase risks to the safety of navigation. It is hard to avoid Microsoft operating systems being integrated into critical infrastructure nowadays. Microsoft has formalized its Patch Tuesday schedule, but zero days remain a concern for the whole world, the airline industry included. What do you think? It looks like virtual patching will be the first choice across the IT industry in the coming year.

SIMATIC WinCC is a supervisory control and data acquisition (SCADA) and human-machine interface system from Siemens. Because threat actors have taken an interest in them, manufacturers have recently paid close attention to cyber attacks. Hackers use the Microsoft operating system as the entry point and channel for attacks on SCADA facility networks, and even Microsoft Office has been pulled into SCADA security concerns: as far as we know, the newer BlackEnergy malware formed its attack by exploiting an unpatched Office 2013. From a technical point of view, 64-bit Windows raises the bar for malware (driver signature enforcement, kernel patch protection) but it is not malware proof, and 32-bit operating systems remain common in SCADA-related industries, so a design enhancement will take a longer time. The SCADA vendor reported two vulnerabilities in SIMATIC STEP 7 (TIA Portal) and SIMATIC WinCC (TIA Portal) in August 2018 (see the diagram below). Separately, Tenable and Siemens have partnered to secure critical infrastructure and reduce cyber security risks. Please refer to the following URL:
Are 64-bit operating systems malware proof?

FBI Tech Tuesday: Building a Digital Defense Against Facebook Messenger Frauds

While many cyber security gurus focus on nuclear power and other critical facilities, they should also include the power substation. From a technical point of view, the control centre will harden both the console and the network environment. But what about the configuration console for the substation? Is the configuration software (the IEC 61850 system configurator) allowed to be installed on a notebook for outdoor work? The Siemens IEC 61850 system configurator, DIGSI 5, DIGSI 4, SICAM PAS/PQS, SICAM PQ Analyzer and SICAM SCC products are affected by a security vulnerability which could allow an attacker either to exfiltrate limited data from the system or to execute code with operating system user permissions. Cyber attacks exploit different channels, but the major pathway is product vulnerabilities.
Official announcement by Siemens:
https://cert-portal.siemens.com/productcert/pdf/ssa-159860.pdf
Status update: 30th Jul 2018
The vendor has confirmed a vulnerability that causes a denial of service in the EN100 Ethernet Communication Module and SIPROTEC 5 relays.
Official announcement by Siemens:
https://cert-portal.siemens.com/productcert/pdf/ssa-635129.pdf

Cyber defence facilities today are very strong and effective at fighting different kinds of cyber attacks. Even if a stealer uses DNS tunnelling to exfiltrate data from a firm, defensive technology has ways to quarantine and deny such activity. Perhaps you will point to the IoT device attacks that wreaked havoc worldwide; they are hard to avoid, but they still have a resolution: cyber security vendors deploy network discovery facilities that can find devices whether or not they support 802.1X. So it all looks perfect, with nothing left to worry about. Then why do cyber attack incidents still happen today?
The Next Cyber Battleground
Sounds scary!
Experts predict that digital infrastructure is a prime target for cyber attack, whether it is a smart city, manufacturing automation, a geospatial data system, etc.
Some experts believe cyber incidents go under-reported in the nuclear sector, because the Nuclear Regulatory Commission only requires the reporting of incidents that affect the safety or security functions or the emergency preparedness of the plant. Perhaps the concern is causing public panic.
We hear about cyber attacks on SCADA frequently. Does SCADA contain design weaknesses, or is there another factor?
The SCADA Data Gateway (SDG) is a Windows™ application used by system integrators and utilities to collect data from OPC, IEC 60870-6 (TASE.2/ICCP), IEC 61850, IEC 60870-5, DNP3, or Modbus server/slave devices and then supply this data to other control systems supporting OPC, IEC 60870-6 (TASE.2/ICCP) client, IEC 60870-5, DNP3, and/or Modbus client/master communication protocols.

The core components supporting SCADA infrastructure are commonly built on Microsoft products, so the attack surface splits several ways. We understand that nuclear facilities do not provide any public web portal, so direct attacks look impossible. However, Microsoft Office has full market coverage worldwide; it is rare for anyone not to use MS Word for word processing, right? As a matter of fact, hackers have turned MS Office documents into an attack medium: they re-use old MS Office vulnerabilities, and infiltration remains possible. From a technical point of view, this works even when the attacker sends the file in RTF format.
Remark: RTF (Rich Text Format) is a text-based document format developed by Microsoft in 1987 for use in its products and for cross-platform document interchange. It is readable by most word processors, including Word.
Quote:
Hackers are using Microsoft Word documents (or more specifically, RTF files listed with a ".doc" extension) to trick people into opening the files.
For the purposes of this discussion I am not going to drill into technical details; the aim is to provide hints that may enrich security awareness.
Below is a checklist of known malicious MS Word documents for reference.
| MD5 | Filename |
|---|---|
| 722154A36F32BA10E98020A8AD758A7A | CV Controls Engineer.docx |
| 243511A51088D57E6DF08D5EF52D5499 | CV Control Engeneer.docx |
| 277256F905D7CB07CDCD096CECC27E76 | CV Jon Patrick.docx |
| 4909DB36F71106379832C8CA57BA5BE8 | Controls Engineer.docx |
| 4E4E9AAC289F1C55E50227E2DE66463B | Controls Engineer.docx |
| 5C6A887A91B18289A70BDD29CC86EBDB | High R-Value Energy.docx |
| 6C3C58F168E883AF1294BBCEA33B03E6 | CV_Jon_Patrick.docx |
| 78E90308FF107CE38089DFF16A929431 | CV Jon Patrick.docx |
| 90514DEE65CAF923E829F1E0094D2585 | CV_Jon_Patrick.docx |
| C1529353E33FD3C0D2802BB558414F11 | Build Hydroelectric Turbine.docx |
| CDA0B7FBDBDCEF1777657182A504283D | Resume_Key_And_Personal.docx |
| DDE2A6AC540643E2428976B778C43D39 | CV_Jon_Patrick.docx |
| E9A906082DF6383AA8D5DE60F6EF830E | CV_Jon_Patrick.docx |
| 038A97B4E2F37F34B255F0643E49FC9D | Controls Engineer (2).docx |
| 31008DE622CA9526F5F4A1DD3F16F4EA | Controls Engineer (4).docx |
| 5ACC56C93C5BA1318DD2FA9C3509D60B | Controls Engineer (7).docx |
| 65A1A73253F04354886F375B59550B46 | Controls Engineer (3).docx |
| 8341E48A6B91750D99A8295C97FD55D5 | Controls Engineer (5).docx |
| 99AA0D0ECEEFCE4C0856532181B449B1 | Controls Engineer (8).docx |
| A6D36749EEBBBC51B552E5803ED1FD58 | Controls Engineeer.docx |
| 3C432A21CFD05F976AF8C47A007928F7 | Report03-23-2017.docx |
| 34A11F3D68FD6CDEF04B6DF17BBE8F4D | corp_rules(2016).docx |
| 141E78D16456A072C9697454FC6D5F58 | corp_rules(2016).docx |
| BFA54CCC770DCCE8FD4929B7C1176470 | invite.docx |
| 848775BAB0801E5BB15B33FA4FCA573C | Controls Engineer.docx |
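The "RTF file listed with a .doc extension" trick quoted above, and the OLE embedding discussed in the VPNFilter post further down, both come down to the same triage question: what is this attachment really, and is it already known bad? Here is an added example of that check (my own illustration, not from any vendor or from the source of the checklist). It sniffs the real container format from the file's leading bytes, flags extension/content mismatches and RTF files that carry an embedded OLE object, and compares the MD5 with an indicator set. The sample attachments and the indicator set are constructed for the demo; in practice you would load the MD5 column of the checklist above. MD5 is used only because that is what the checklist provides.

```python
import hashlib

# Leading bytes that identify the real container format, regardless of the name.
MAGIC = {
    "rtf": b"{\\rtf",                              # Rich Text Format header
    "ole2": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",   # legacy binary .doc (CFBF)
    "ooxml": b"PK\x03\x04",                        # .docx (zip container)
}

# Which real formats are legitimate for each extension.
EXPECTED = {".doc": {"ole2"}, ".docx": {"ooxml"}, ".rtf": {"rtf"}}


def detect_format(data):
    """Return the format name whose magic bytes match, or 'unknown'."""
    for name, magic in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def triage(filename, data, iocs):
    """Check one attachment: extension/content mismatch, embedded OLE object
    in RTF, and MD5 against the indicator set. Returns a findings dict."""
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    fmt = detect_format(data)
    md5 = hashlib.md5(data).hexdigest().upper()
    findings = []
    if fmt not in EXPECTED.get(ext, set()):
        findings.append("extension %s but content is %s" % (ext or "(none)", fmt))
    # RTF embeds OLE objects with the \object ... \objdata control words.
    if fmt == "rtf" and b"\\objdata" in data:
        findings.append("RTF carries an embedded OLE object")
    if md5 in iocs:
        findings.append("MD5 matches a known-bad indicator")
    return {"file": filename, "format": fmt, "md5": md5, "findings": findings}


# Constructed sample attachments (minimal headers only, not real malware).
SAMPLES = {
    # RTF with an embedded OLE object, named as if it were a binary .doc
    "CV Jon Patrick.doc": b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objdata 01050000}}}",
    # a genuine OOXML container with the matching extension
    "corp_rules(2016).docx": b"PK\x03\x04" + b"\x00" * 26,
    # legacy binary document mislabelled as .docx
    "Controls Engineer.docx": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8,
}

# Constructed indicator set for the demo; in practice load the MD5 column
# of the checklist above into this set.
IOCS = {hashlib.md5(SAMPLES["CV Jon Patrick.doc"]).hexdigest().upper()}


def run_triage(samples=SAMPLES, iocs=IOCS):
    """Triage every sample and return the results keyed by filename."""
    return {name: triage(name, data, iocs) for name, data in samples.items()}


if __name__ == "__main__":
    for name, result in run_triage().items():
        print(name, result["format"], result["findings"] or ["clean"])
```

The hash match only catches files already on the list; the format and OLE checks are what catch the next re-engineered sample, which is why the mismatch finding is raised even when the hash is unknown.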
Happy hunting – bye!

Ukraine's intelligence agency has claimed it stopped a cyber attack against a chlorine plant that was launched using the notorious VPNFilter malware. Perhaps the world is focused on VPNFilter's spread and infections; we learned earlier last month that its targets are low-end wireless routers and network-attached storage (NAS).
However, from my point of view the mainstream of cyber attacks so far is not limited to this incident. Attackers keep re-engineering their attacks around Microsoft Office. What is the key component? Yes, it is OLE (Object Linking and Embedding). You may say that if you follow the Microsoft Patch Tuesday remediation schedule you will be safe, and that is correct as far as it goes; but an ordinary RTF file has been able to evade detection by many security products, and attackers used the same hacking technique to execute the attack in Ukraine. The political situation in Ukraine is a never-ending story, and meanwhile the world never stops using MS Office documents!
Reference:
Headline news – Ukraine claims it blocked VPNFilter attack at chemical plant: https://www.theregister.co.uk/2018/07/13/ukraine_vpnfilter_attack/
My speculation on how Cisco (Talos) found the malware (VPNFilter malware)
Preface:
The samurai (or bushi) were the warriors of premodern Japan. Lone Wolf and Cub is a manga created by a Japanese comics writer. The samurai respected justice.
Synopsis:
Justice is the legal or philosophical theory by which fairness is administered. It is fundamental to human nature, but the concept of justice differs in every country and culture.
Who is he?
Edward Snowden, an American contract employee at the National Security Agency, is the whistleblower behind significant revelations that surfaced in June 2013 about the US government’s top secret, extensive domestic surveillance programmes. Snowden flew to Hong Kong from Hawaii in May 2013, and supplied confidential US government documents to media outlets including the Guardian.
What’s the situation now?
He is in exile. His most recent interview was given in Moscow, Russia, in September 2018 (refer to the URL below).
https://www.youtube.com/watch?v=wimHE6SNddc
Why should Edward Snowden be pardoned? (Refer to the URL below)
https://www.amnesty.org.uk/edward-snowden-nsa-whistleblower-pardon