Category Archives: Under our observation

Official alert – APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations (9th Oct 2020)

Preface: Zero-day attacks don’t have signatures; no one in the security community has analyzed the exploited vulnerability yet. It was probably only discovered after the victim reported it. And therefore we should setup a comprehensive vulnerability management program.

Risk management – In reality, it’s not easy applying every patch as soon as it comes out. This is why it’s important for us to craft a comprehensive vulnerability management program through which we can use a risk profile to prioritize security flaws.

How to detect zero day vulnerability?
DNS sink hole setup can assists systems evaluate programs and try to anticipate whether their actions are actually intended, or linked to a deliberate change in function. With time, these systems are exposed to the entire operations profile of programs and are able to raise alerts when they detect suspicious data access attempts.

Within this year, we are noticed that there are critical vulnerabilities found. Perhaps we cannot imagine that famous secuirty solution vendor also become a victim (see below):
– Citrix NetScaler CVE-2019-19781
– MobileIron CVE-2020-15505
– Pulse Secure CVE-2019-11510
– Palo Alto Networks CVE-2020-2021
– F5 BIG-IP CVE-2020-5902
– Fortinet FortiOS VPN vulnerability CVE-2018-13379
The federal and state, local, tribal, and territorial (SLTT) government networks, critical infrastructure are also make use of their products.
On 9th October 2020, CISA and FBI Release Joint Advisory Regarding APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations.

Offical announcement, please refer to link – https://us-cert.cisa.gov/ncas/alerts/aa20-283a

APT developing new evasion technique to conducting cyber attack – 23rd Sep 2020

Preface: The APT organization provides a hard-to-detect malware to attack other hostile campus.

Synopsis: The evasion technique found recently by security expert team is that APT 29 exploit the design weakness of detection machanism. They do a re-engineering to covert a zip file to JPEG.
“This technique works because JPEG files are parsed from the beginning of the file and some Zip implementations parse Zip files from the end of the file (since the index is located there) without looking at the signature in the front,” the researchers explain.

Perhaps APT 28 and 29 using different evasion technique aim to delivery the malicious resources to landing. Whereby, the final executor is the power shell.

So called Zebrocy. Its function is mainly Downloader. The evasion effect is better than the technique use by APT 29. After running, it will perform a persistence operation and pop up an error message box to confuse the user. When it is started with specific parameters, a screenshot will be taken. Through the timer callback function, send data to the remote server and wait for the subsequent payload to be downloaded.

Should you disable PowerShell?
No, minimize the risks with PowerShell Constrained Language mode.

Enabling Constrained Language mode ^
PS C:\Users\xxxx> $ExecutionContext.SessionState.LanguageMode = “ConstrainedLanguage”

This could be configured in registry HKLM\System\CurrentControlSet\Control\SESSION MANAGER\Environment__PSLockdownPolicy .

Running PS as Admin you can simple remove this property
Remove-ItemProperty -path “HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\” -name __PSLockdownPolicy

Recommended article: PSLockDownPolicy and PowerShell Constrained Language Mode – https://docs.microsoft.com/en-us/archive/blogs/kfalde/pslockdownpolicy-and-powershell-constrained-language-mode

Cyber security Focus – Cloud collaboration for OT engineering (4th Sep 2020)

Preface: In line with its Industrie 4.0 effort, Google Cloud will use the OPC UA open standard to incorporate machine data into analytics and AI solutions.

The existing atmosphere of the Internet world – According to the network attack statistics report. Different types of attacks are involved. Nowadays, receiving personal or confidential data illegally is one of the way run aggressive by attackers. In the future, we foreseen that many vendors will be planned to phase out basic authentication using passwords and cookie-based authentication.

Business needs drive the implementation of new technologies – Integrated with IT. OT-BASE allows IT applications to pull asset information via a powerful REST API. This way you can easily leverage OT asset details in SIEM, data analysis and custom built applications.

Genesis of new concept: Cloud collaboration enables people to work simultaneously on documents that live ‘in the cloud’. Consolidation of OT configuration details in a central platform, accessible by web browser and REST API. System details are no longer known to individual engineers only, but are instantly available to every team member, making the team more efficient.

OPC Unified Architecture (OPC UA) is one of the most important communication protocols for Industry 4.0 and the IoT. Let do a quick review of OPC UA security features.

Unlike OPC Classic, OPC UA design is able to working with firewall technology because it support TCP/IP communication protocol. Whereby, it can be managed and governance through standard network technologies.

Remark: OPC Classic using DCOM as a communication protocol. Due to the DCOM technology used, cross-network communication via OPC Classic is very difficult.

In general practice, the OPC UA software application development will using Simple Object Access Protocol (SOAP). SOAP is a simple XML-based protocol that enables applications to exchange information via HTTP. Meanwhile, OPC UA uses a certificate exchange for further security, so that each client has to authenticate with a certificate. In this way it can be controlled which client is allowed to connect to the server. In the sense that it has access control implement.

Advanced System Integration – Data exchange between PLC and REST interface

To create or modify objects using data from a PLC, the PLC can be connected via OPC UA and the OPC Client plug-in. Which objects can be addressed in the target system can be queried and browsed via the OpenAPI / Swagger function by the OPC router. If, for example, a batch can be created via REST, the PLC must provide all data in OPC data points when the batch is created and trigger the REST call. The data points are then transferred as a JSON packet by REST call and the batch is created as an object.

Technical Background: REST or RESTful API design (Representational State Transfer) is designed to take advantage of existing protocols. While REST can be used over nearly any protocol, it usually takes advantage of HTTP when used for Web APIs. This means that developers do not need to install libraries or additional software in order to take advantage of a REST API design. It includes four types most-commonly-used HTTP verbs (see below):

  1. GET” to retrieve a resource.
  2. PUT” to change the state of or update a resource, which can be an object, file or block. 
  3. POST” to create that resource;
  4. DELETE” to remove it.

Additional: “PATCH” applies a partial update to the resource. This means that you are only required to send the data that you want to update, and it won’t affect or change anything else.

Even the flexibility of the design allowed to use a “curl” command. Curl Options shown as below:

   –X , –request – The HTTP method to be used.

   –i , –include – Include the response headers.

   –d , –data – The data to be sent.

   –H , –header – Additional header to be sent.

Example: curl https://xxx[.]restapi[.]com/posts?userId=8

Consolidation of OT configuration details in a central platform, accessible by web browser and REST API. System details are no longer known to individual engineers only, but are instantly available to every team member, making the team more efficient.

Security Focus: REST API has emerged as the most versatile and useful web service API. The major trend in data management today is the move toward cloud integration. REST APIs are most commonly used with SaaS (software as a solution) platforms. Fundamentally speaking, REST focuses on the transferability and consumption of data, rather than providing built-in measures to ensure data security during transmission. Perhaps today it has been enhanced using the HTTPS method. But is this enough to prevent today’s cyber attacks? Below list are some of the known cyber attack. Let take a quick look.

  1. The attacker could be at the client side. Attacker can creates a rogue. It aim to consuming resources from destination server.
  2. For resources exposed by RESTful web services, attacker can exploit application vulnerability (Cross Site Request Forgery) to execute PUT, POST, and DELETE functions.
  3. The attack scenario will be according of the architecture set up. If four types most-commonly-used HTTP verbs do not have access control. As a result, the impact will be included server side and related infrastructure.

How to secure industrial communications with OPC UA (see below):

  1. At least the “Basic256Sha256” security policy should be selected.
  2. Never store private keys or the corresponding certificate files on an unencrypted file system. Use the dedicated certificate stores of your operating system and use operating system capabilities for setting the access rights.
  3. Because Java components sometimes find vulnerabilities. Thereby affecting customized Java applications. Therefore, patch and vulnerability management should follow best practices.

Summary: Since HTTPS is suggest to used to call REST endpoints, the authentications available in the standard system can also be used OAuth1 and OAuth2.Besides the standard authentication options, a so-called AppKey is often exchanged. This key is a secret code created for the client, which is transferred with every call to get the authorization for the call. In General point of view, REST is considered secure due to the use of widely used methods.

CVE-2020-7711- Pure Go repositories (goxmidsig) vulnerability – 23-08-2020

Preface: SAML 2.0 implementation for Service Providers based on etree and goxmldsig, a pure Go implementation of XML digital signatures.

Background: “nil” in Go that represents zero values for pointers, interfaces, channels, maps, slices and function types.

Vulnerability Details: A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.

Reference: When “Go” initializes the pointer, it assigns the value of pointer i to nil, but the value of i represents the address of *i. If nil, the system has not assigned an address to *i. So at this time, * i assignment will have problem occur.

Remedy: Official announcement not announce yet. See whether it can apply the similar syntax to do a short term remediation of this design weakness? The gosmal2 package has encountered the similar technical matter (nil point dereference) on Aug 14, 2019 . For more details, please refer to diagram.

Remote Access Trojan: BLINDINGCAN – 19th Aug 2020

Preface: The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have identified a malware variant—referred to as BLINDINGCAN—used by North Korean actors.

Techincal details: Perhaps the official report already provide the details. In short, the key point is that APT group exploit the Microsoft Word vulnerability (CVE-2017-0199). As such, APT attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The report described that malware will download [.]dll file from C&C server. The aim is to replace the local workstation iconcache[.]dll. Replace the iconcache[.]dll require privileges access right. So the specifics attack is targeting the machine which do not have patch installed. If it is successful. The unpack iconcache[.]dll will be transformed a variant of Hidden Cobra RAT.

Official announcement: https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a

Recommendation: Check your MS office Patch – https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199

Reference: Perhaps you have doubt that why do the cyber security organization aware the cyber attack in earlier phase. Does it a conspricy? They do a sniffing of your traffic? Or doing surveillance?
No. they have several ways to protect the internet world. For example, relies on DNS Sink Hole activity record in service provider side, cyber crime activities reporting by computer users. Or, through alerts issued by law enforcement agencies, alerting of special types of cyber attacks from hostile entities.

Do not use insecure deserializer BinaryFormatter – 19th Aug 2020

Preface: SharePoint is a web-based collaborative platform that integrates with Microsoft Office.So called WebParts”gadgets” that provide new functionality when added to a page.

Background: On July 14, 2020, Microsoft released a security update to fix the vulnerabilities found in the .NET Framework, Microsoft SharePoint and Visual Studio. A proof of concept shown that attacker can use tool so called “YSOSERIAL” . This tool can generating payloads that exploit unsafe Java object deserialization. In the sense that when attack make use of tool find the class contains no interface members. From technical point of view, the attacker will use the tool in the first step to find classes that do not contain interface members.The way is to generate a base64 payload of a serialized ObjectStateFormatter gadget chain.As a result, attacker can plug the payload into the following DataSet gadget and trigger remote code execution against the target SharePoint Server.

Example: xxxxxxxxx[.]xxx -g TypeConfuseDelegate -f LosFormatter -c mspaint

Remark: ysoserial is a collection of utilities and property-oriented programming “gadget chains” discovered in common java libraries that can, under the right conditions, exploit Java applications performing unsafe deserialization of objects.

Reference: A specially crafted method sequence needs to be created by the attacker. Each method in the sequence is called a “gadget” and the malicious sequence of method calls is known as a “gadget chain”.

Official announcement: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1147

c-ares 1.16.0 (Use-After-Free) – 9th Aug 2020

Preface: c-ares 1.16.0: ares_destroy() with pending ares_getaddrinfo() leads to use-after-free

Background: Google added support for a feature known as asynchronous DNS to Google Chrome, which aims to speed up page loading times by resolving the IP address of a website before you click the link.
Recent versions of Google Chrome employ a feature called Async DNS. This feature bypasses the normal operating system mechanisms for resolving domain names and uses the browser directly. In this mode, DNS requests will uses SSL to communicate directly with Googles own DNS servers and some third party providers.
DNS features no only for domain lookup. Modern world technology can exploit DNS activities to do monitoring. (The word surveillance perhaps not suitable in this matter).

What is c-ares?
c-ares is a C library for asynchronous DNS requests (including name resolves).

Vulnerability details: PendingResolutions get destroyed when complete or when c-ares sent ARES_EDESTRUCTION. Refer to attached diagram, ARES_EDESTRUCTION only happened when the resolver was destroyed. Meanwhile, PendingResolutions can be destroyed, without the callback target being aware. This leads to potential use after free issues.

Additional: The recommendation remedy method posted on Feb 2020. If you want to do additional protection., please refer to information shown on bottom of the diagram.

DLL Hijacking vulnerability and the Remedy solution – 7th Aug 2020

Preface: Software application could allow an authenticated, local attacker to perform a DLL hijacking attack. To exploit this vulnerability, the attacker would need to have valid credentials on the Windows system.

Vulnerability details: If workstation install Python, by default it will install on the C Driver :\directory instead of the C Drive:\Program Files. Therefore the authenticated users will have write access in that directory. If user compromised by phishing attack. This give a way to conducting the privilege escalation because the attacker can share the authenticated user permission write a malicious DLL in Python program directory. When the computer reboot in next time the process will restart with the permission of that process. The vulnerability is due to insufficient validation of resources that are loaded by the application at run time. Or, it is a programming technique misused? Whether, it is a unknown matter?

Scenario of attack:

  • An attacker could plant a DLL with the same name earlier in the import resolution search path, such as the application directory. Protected directories are more difficult – but not impossible – for an attacker to change.
  • If the DLL is missing from the application, %windows%\system32, and %windows% directories, import resolution falls through to the current directory. An attacker could plant a DLL there.

Microsoft’s remedy: If you specify the link option /DEPENDENTLOADFLAG:0x800 (the value of the flag LOAD_LIBRARY_SEARCH_SYSTEM32), then the module search path is limited to the %windows%\system32 directory. It offers some protection from planting attacks on the other directories.

Trojan under the .NET platform remains unchanged for a hundred years (22nd Jul 2020)

Preface: SharePoint will simply not use Framework versions for which they do not apply. For example, SharePoint 2010 uses .NET 2.0. If you install .NET 4, it will remain unused by SharePoint 2010. SharePoint 2019 uses .NET 4.7 and any lower version will simply not be used.

Background: Using Microsoft sharepoint as CRM, or external protal are popular setup past few years. SharePoint is a web-based platform built atop an ASP.NET framework. It is favored by many companies because the interface can be fully integrated with Microsoft Office.
Remark: SharePoint Server includes a set of web parts that users can add to pages after installing the product. If an organization needs custom web parts, a developer can write custom ASP.NET web parts and install them.

Design weakness: For .NET platform applications. By default, the executable string “Response.Write” after connection establish. Because the code-behind modules are compiled first, all of the output that is generated by Response.Write, Response.WriteFile, or inline server-side <SCRIPT> tags appears before any HTML tags when the HTML output is sent to the browser. Coincidentally, the chopper’s technique have way to conduct the attack to .NET Framework ASP.NET app.

Current status: The cyber criminals will be targeted insecure default configurations in common web servers. General speaking, they used their initial unauthorized access to place malicious web shell programs and credential-stealing software on victim networks, which allowed them to remotely execute commands on victim computers and related entities.

Windows 10 command “wsreset” co-exists with “mklink” generate a way of User Account Control bypass. (21st JUl 2020)

Preface: UAC bypass has following techniques – using Eventvwr and the Registry Key or using COM Handler Hijack

A new way with different technique: WSReset[.]exe open the Windows Store app and clear Windows Store Cache when Windows store cache is damaged or you encounter problems when using Windows Store. If an attacker can create a link that points this \InetCookies path (refer to attached diagram) to a target directory of attacker’s choice, the target directory will be the one deleted when wsreset runs.

Observation: UAC bypass power extend to evade access control. Security expert found this design weakness and conduct a proof of concept to shown on how to delete antivirus folder. Thus make it malfunction after reboot.
This findings awaken myself. The Microsoft UAC a security boundary provides opportunity for attacker.
From technical point of view, quite a lot of antivirus has file lock when the process running. Attacker may not make use of this method to compromise a machine.
However Directory junctions can be performed by any user and does not require administrator privileges making it perfect for exploiting by attacker. We keep our eye open, see whether vendor should address this technical matter.