Category Archives: Under our observation

IoT World and Smart City must staying wide-awake!

SmartCity project wide spreading implement in the world. The framework transform existing IT world domain includes Cloud computing, virtual machine, router and network infrastructure. Meanwhile it carry the design flaw so called vulnerability simultaneously. As we know, Microsoft product has famous activities patch Tuesday to do the mitigation of critical risk occurs on their product. Since IoT technology cope with smartCity project. It is hard to avoid to evade not to chosen a brand nae which require frequently doing the patching. Even though you make use of a proprietary product it was hard to evade vulnerabilities occurs. A question has been queries to the world. SmartCity items involves public safety regulations. If the smartCity facilities become the main trend of the society. However the major facilities encountered denial of service through heap corruption. Do you think how worst is the situation will be?

CVE-2017-18187
In ARM mbed TLS before 2.7.0, there is a bounds-check bypass through an integer overflow in PSK identity parsing in the ssl_parse_client_psk_identity() function in library/ssl_srv.c.

CVE-2018-0488
ARM mbed TLS before 1.3.22, before 2.1.10, and before 2.7.0, when the truncated HMAC extension and CBC are used, allows remote attackers to execute arbitrary code or cause a denial of service (heap corruption) via a crafted application packet within a TLS or DTLS session.

CVE-2018-0487
ARM mbed TLS before 1.3.22, before 2.1.10, and before 2.7.0 allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow) via a crafted certificate chain that is mishandled during RSASSA-PSS signature verification within a TLS or DTLS session.

Official announcement for reference.

https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2018-01

 

 

City Union Bank in India victim of cyber hack through SWIFT system – Reuters Headline News (19th Feb 2018)

Sounds horrible!

A heist occurred from SWIFT payment system again? Chief Executive Officer N. Kamakodi called it a “conspiracy” involving multiple countries, and added the lender was still investigating how it had happened. But the statement seems not precise to describe.

A fundamental design limitation on original MT 202 message. Perhaps MT 202 COV doing the compensated control. However MT 202 still valid and not end of life yet. A hints input of technical concerns shown on attach picture see whether this is root causes of this incident.

Quote:

When to use the MT 202 COV?

It must only be used to order the movement of funds related to an underlying customer credit transfer that was sent with the cover method.

The MT 202 COV must not be used for any other interbank transfer.

MT 202 design weakness lure financial crime

i. Suspicious activity monitoring on the underlying originator and beneficiary in the message would not be performed.

ii. The originating bank could be in a jurisdiction with different sanction watch lists and the technical capabilities of each bank’s sanction screening program could vary.

City Union Bank in India victim of cyber hack through SWIFT system (19th Feb 2018) – See following URL (Reuters Headline News) for reference.

https://www.reuters.com/article/us-city-union-bank-swift/indias-city-union-bank-ceo-says-suffered-cyber-hack-via-swift-system-idUSKCN1G20AF?feedType=RSS&feedName=technologyNews

Heists last year – SWIFT defense solution

Reuters news told that a heist occurred in Russia Bank last year. Unknown hackers stole 339.5 million roubles ($6 million) from a Russian bank last year in an attack using the SWIFT international payments messaging system. Perhaps we are not going speculating the reason to delaying the public announcemnt. Yes, it may be for forensic investigation and trace the hacker silently or protect the reputation. But the design weakness will be replace by new solution soon. For more details, please see below:

Defense solution given by SWIFT:

  • Conventional FIN messages (e.g. MT202) can be used until 16 November 2018. Communication takes place through the SWIFTNet, and the SWIFT FIN service will be used until 16 November 2018.
  • As of 17 November 2018, all participants must use ISO 20022 and the SWIFT InterAct service will be used for communication.

Headline News by Reuters (16th Feb 2018)

https://uk.reuters.com/article/us-russia-cyber-swift/hackers-stole-6-million-from-russian-bank-via-swift-system-central-bank-idUKKCN1G00DV

ISO 20022 for US wire transfer systems Timeline

UK blames Russia for NotPetya cyber-attack on June 2017

UK blames Russia for NotPetya cyber-attack last year (details shown below url for reference)

https://www.theguardian.com/technology/2018/feb/15/uk-blames-russia-notpetya-cyber-attack-ukraine

MeDoc is widely used among tax accountants in Ukraine, and the software was the main option for accounting for other Ukrainian businesses. Threat actors using email scam counterfeit MeDoc lure victims goal suspend the services of Nuclear power supply facilities operations. Perhaps my observation in June last year found that cyber attacks will turn into military weapons. Should you have interested to collect the details. Below articles will provide hints to you in this regard.

21st century kill chain (logic bomb, cyber bomb and ransomware)

21st century kill chain (logic bomb, cyber bomb and ransomware)

The other side of the story on cyber attack (Electronic war between countries)

The other side of the story on cyber attack (Electronic war between countries)

Potential black force – digitize Godzilla

Potential black force – digitize Godzilla

End session. Thank you.

Status update on 17th Feb 2018

Canada’s Communications Security Establishment, Australia’s Minister for Law Enforcement and Cybersecurity, and New Zealand’s Government Communications Security Bureau followed suit with similar press releases after UK announcement.

Canada CSE announcement (see below url for reference)

https://www.cse-cst.gc.ca/en/media/2018-02-15?lipi=urn%3Ali%3Apage%3Ad_flagship3_profile_view_base_recent_activity_details_shares%3BTFYhDm98SA%2BkEGuW%2Fut2Ig%3D%3D

Australia government announcement (see below url for reference)

http://minister.homeaffairs.gov.au/angustaylor/Pages/notpetya-russia.aspx?lipi=urn%3Ali%3Apage%3Ad_flagship3_profile_view_base_recent_activity_details_shares%3BTFYhDm98SA%2BkEGuW%2Fut2Ig%3D%3D

New Zealand government announcement (see below url for reference)

https://www.gcsb.govt.nz/news/new-zealand-joins-international-condemnation-of-notpetya-cyber-attack/

 

 

 

Mew Trend 2018 – Exfiltrating Data via DNS

New Trend 2018 – Exfiltrating data via DNS (see below url for reference)

https://blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns

Comments: A popular discussion on cyber attack topic this year focusing on DNS attack. Security expert found that threat actor transform DNS topology as a hack tool assists their goal. It show small data set with frequent connections. But the new generation of malware found today looks like a prototype. Why? The fact is that malware relies on executable file instead of hide himself in memory.

My imagination – New way of money laundry evade regulations

We heard turmedous crypto currency heist this year (see below). Do you  think is it a trick? Let’s think it over. The refund of the fees after heist is a grey area of regulator custodian.Since the money is a new sources far away from criminal activities revenue.How to using legal regulation forfeiting their money.Let’s think it over. How to dick out the money on a secure platform. Is it luck or counterfeit message with phishing technique. I believe that this is a old technique. How to evade the legal enforcement proceed legal action to forfeiting their money. End of Jan 2018 – Coincheck $530 million cryptocurrency heist may be biggest ever 2nd week of Feb 2018 – BitGrail Cryptocurrency Exchange Becomes Insolvent After Losing $170 Million.

Feb 2018 – BitGrail Cryptocurrency Exchange Becomes Insolvent After Losing $170 Million:

https://www.youtube.com/watch?v=Sb2_ZBcS7NE

Jan 2018 – Coincheck heist discussion:

Doubt – $530 million cryptocurrency heist

Perhaps the Meltdown & Spectre vulnerabilities in CPU equivalent to human immunodeficiency virus (HIV)?

Preface:

Human immunodeficiency virus infection and acquired immune deficiency syndrome (HIV/AIDS) is a spectrum of conditions caused by infection with the human immunodeficiency virus (HIV).

Background:

On July 2017, Meltdown was discovered independently by Jann Horn from Google’s Project Zero, Werner Haas and Thomas Prescher from Cyberus Technology, as well as Daniel Gruss, Moritz Lipp, Stefan Mangard and Michael Schwarz from Graz University of Technology. The same research teams that discovered Meltdown also discovered a related CPU security vulnerability now called Spectre.

Meltdown is a hardware vulnerability affecting Intel x86 microprocessors, IBM POWER processors, and some ARM-based microprocessors.It allows a rogue process to read all memory, even when it is not authorized to do so.

Spectre is a vulnerability that affects modern microprocessors that perform branch prediction. On most processors, the speculative execution resulting from a branch misprediction may leave observable side effects that may reveal private data to attackers.

Remark: On January 28, 2018, Intel was reported to have shared news of the Meltdown and Spectre security vulnerabilities with Chinese technology companies before notifying the U.S. government of the flaws.

A dramatic development

The CPU manufacturer (AMD) claimed that they are not vulnerable to this design flaw. As a result all we are focus and believe that the flaw only given by Intel. Regarding to this CPU design flaw, there are total of three design flaws. They are Spectre (Types 1 and 2) and Meltdown (Type 3). However AMD Zen core based products are only immune to Meltdown. And therefore they are still under the Spectre flaw finally. The official announcement by AMD shown as below:

The announcement by AMD looks that they are not going to take any action in regards to Spectre. Their situation similar comparing to the operating system and computer relationship. The operation itself do not have feature to avoid virus. As a result, it relies on antivirus program. The CPU vendor (AMD) apply the similar idea of concept to this vulnerability and therefore they transfer the responsibility to OS vendor.

Vendors have begun to roll out OS patches

Microsoft

However so called install the remediation CPU patch looks amazed the windows OS user. I am using window 7 instead of windows 10. Perhaps I just did the windows update this morning. It behind my seen that CPU vulnerability still valid on my PC. The cache-misses as compared to missed-branches data collected from Spectre is possible on my PC (see attached screen-shot for reference).

Perhaps my diagnosis executed on 19th Jan 2018. It can’t tell the truth explicitly. Since at least 3 rounds of patch (patch tuesday) has been executed. In order to protect your windows OS. Please refer to below url for references (Microsoft official announcement)

https://portal.msrc.microsoft.com/en-US/security-guidance

Apple iPhone

Apple iPhone released that patch on 23rd Jan 2018. For more details, please refer to below picture diagram for reference.

Apple computer issue the patch on 8th Jan 2018 only for Spectre attack. The remediation products include iPhone, MacOS and Safari.

macOS High Sierra 10.13.2 Supplemental Update

https://support.apple.com/en-hk/HT208397

Safari 11.0.2 includes security improvements to mitigate the effects of Spectre (CVE-2017-5753 and CVE-2017-5715).

https://support.apple.com/en-hk/HT208403

iOS 11.2.2 includes security improvements to Safari and WebKit to mitigate the effects of Spectre (CVE-2017-5753 and CVE-2017-5715).

https://support.apple.com/en-hk/HT208401

Linux – Retpoline

In order to mitigate against kernel or cross-process memory disclosure (the Spectre attack), OS developer find the following way. A technical definition so called retpoline. A retpoline is a return trampoline that uses an infinite loop that is never executed to prevent the CPU from speculating on the target of an indirect jump. Technical details shown in below url:

Linux https://lkml.org/lkml/2017/11/22/956

The remediation step will be focus on the following protection technique.

ARM (Protection Unit (PU))

The advantages of this system are:

  • Access control held entirely on-chip (no need for any off-chip tables)
  • Provides four levels of access control, cache and write-buffer control
  • Separate control over instruction and data caches.

The disadvantages are:

• Small number of regions

• Restrictions on region size and alignment.

VMware

Even though mitigation plan has been released. For recent chip design weakness, once the patches are applied, developers have to rewrite code to support the patch. Perhaps VMware programming team cannot address the problem in full scale. But you do not have choices if you are a VM users!

VMware Response to Speculative Execution security issues, CVE-2017-5753, CVE-2017-5715, CVE-2017-5754 (aka Spectre and Meltdown) (52245) – see below url for reference.

https://kb.vmware.com/s/article/52245

Cloud platform service provider

AWS – Amazon

As far as I know, Cloud services provides is the earlier customer to receive the patch provided by Intel. The guidelance release to remediate meltdown and Spectre vulnerabilities start from the 1st version issued on 3rd Jan 2018 to 23rd Jan 2018 (version 17). For more details, please refer below url for reference.

https://aws.amazon.com/security/security-bulletins/AWS-2018-013/

Discussion checkpoint

Regarding to my observation. The similar vulnerability found on Aug 2017. I remember that my article posted here mentioned before (see below url for reference). In the meantime, I personally agree with Intel announcement that based on the CPU features to date, many types of computing devices with many different vendors’ processors and operating systems are susceptible to these exploits. And therefore Intel might not the only victim.

The enemy of ASLR (Address space layout randomization) – memory leak

The cache side channel attack of this security incident on Intel side looks compatible to other chips vendor. The worst scenario is that similar channel attack will be happened once you have cache. So, foreseen that this is the prelude of new form of attack in this year!

Hardware vendor patch announcement on 5th Jan 2018

ARM https://developer.arm.com/support/security-update

Intel https://newsroom.intel.com/news/intel-responds-to-security-research-findings/

F5 https://support.f5.com/csp/article/K91229003

WAN acceleration solution vendor

I speculated that WAN acceleration solution vendor and Software defined network will be the next of the victims but now they are keep silent. Perhaps headline news article comment that no know cyber attacks deployed similar definition of theory utilization in past. But I’m in doubt?

As of today short term summary:

The research report evident that the Meltdown vulnerability occurs on Intel processors only, while the Spectre vulnerability can possibly affect some Intel, AMD, and ARM processors. AMD not vulnerable to GPZ Variant 3 since AMD enforced use of privilege level protections within paging architecture. However AMD is not going to take any action in regards to Spectre. Their situation similar comparing to the operating system and computer relationship. The operation itself do not have feature to avoid virus. As a result, it relies on antivirus program. The CPU vendor (AMD) apply the similar idea of concept to this vulnerability and therefore they transfer the responsibility to OS vendor. As a matter of fact, Intel CPU design flaw lack of permission check. It allows a rogue process to read all memory, even when it is not authorized to do so. Spectre, an attacker may be able to extract information about the private data using a timing attack.

Since the flaw given from CPU design. The alternative taken today is urge OS and application vendor setup the protect front-line to avoid Java, C++ execute the malicious code causes leak passwords and sensitive data. The situation similar the HIV virus attacks a specific type of immune system cell in the body, known as CD4 helper lymphocyte cells. HIV destroys these cells, making it harder for your body to fight off virus. Meltdown and Spectre given from CPU fundamental design flaw. If we are only relies on OS and application remediation. Threat actors still have opportunities jump to CPU side satisfy their wants.

End of topic, thank you.

 

 

CVE-2018-4878 against South Korean Targets. See whether is it true?

In July 2017, Adobe announced that it would end support for Flash Player in 2020, and continued to encourage the use of open HTML5 standards in place of Flash. The announcement was coordinated with Apple, Facebook,Google,Microsoft,and Mozilla. If you would like to know what is the flash vulnerability actual destructive power. Let review the suggestion by Antivirus big brother Kaspersky (Jul 2017). Kaspersky recommends disabling Flash Player, in order to stay protected. Perhaps you may not have interest to read below url. But on-line games and on-line casino still requires Adobe Flash in the moment. We all known South Korea is the leader in the gaming section. And therefore The South Korean Computer Emergency Response Team (KR-CERT) has issued a security alert warning of a zero-day vulnerability affecting Adobe’s Flash Player.

CVE-2018-4878

https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/north-korean-hackers-allegedly-exploit-adobe-flash-player-vulnerability-cve-2018-4878-against-south-korean-targets

Be aware of RTMFP protocol

The silent of the Flash, Be aware of RTMFP protocol! He can exacerbate network attacks.

Let keep our eye open , see whether such vulnerability will be occurs this year. If this nightmare come true. A unforeseen destruction of the reputation to the company includes vendor and customer!

Advantech WebAccess/SCADA – CVE-2018-5443 – CVE-2018-5445

Preface:

SCADA systems are the backbone of many modern industries, including: Energy, Food and beverage, Manufacturing, Oil and gas, Power, Recycling, Transportation, Water and waste water,….etc

SCADA evolution:

The first generation of SCADA system relies with mainframe computers. As time goes by, the evolutionary of SCADA build on top of open system foundation (Unix) in 80’s. Perhaps the Microsoft product dominate the computer world. And such away engaged the transformation in 90’s. The SCADA software that utilizes the power of SQL databases provides flexibility and advantages to traditional SCADA system.

One big benefit of using SQL databases with a SCADA system is that it makes it easier to integrate into existing MES and ERP systems, allowing data to flow seamlessly through an entire organization.

  • (MES) – Manufacturing execution systems are computerized systems used in manufacturing, to track and document the transformation of raw materials to finished goods.
  • (ERP) – Enterprise resource planning is the integrated management of core business processes, often in real-time and mediated by software and technology.

Evolving from classic program (non web access) to Web Platform

SCADA system on the Cloud (cope with modern technology trend with access anywhere function)

Before we start the discussion in security topic, we do a quick introduction of big-data frameworks. Since the Hadoop and Apache Spark pay the key role on this architecture especially big data function. For more details, please see below:

Big-data frameworks:

Hadoop is essentially a distributed data infrastructure: It distributes massive data collections across multiple nodes within a cluster of commodity servers.

Features: 

  • Indexes and keeps track of that data
  • Enabling big-data processing and analytics

Apache Spark is an open-source cluster-computing framework.

  • Spark can interface with other file system including Hadoop Distributed File System (HDFS).

Remark: From technical point of view, Spark is a data-processing tool that operates on those distributed data collections; it doesn’t do distributed storage.

Go to discussion

As of today, more and more business migrated their system application to Cloud platform including SCADA industry. Since SCADA system belongs to energy, food and beverage, manufacturing, oil and gas, Power, Recycling, Transportation, water and waste water. And therefore cyber security news and articles lack of their news. Perhaps we can hear the news is that after nuclear power station encounter hacker or malware attack.

Actually SCADA now expand their user function to mobile device. Even though a mobile phone can do a remote monitoring of the system. With WebAccess, users can build an information management platform and improve the effectiveness of vertical markets (see below picture for reference) development and management.

Let’s think it over, the WebAccess SCADA system involved in energy, aerospace and public facilities control. However those product sound like your IT devices. The SCADA hits vulnerabilities and recorded in CVE database not the 1st time. We know that hundreds of United flights were delayed after the airline experienced a server malfunction on Jul 2015. Lets reader judge by yourself, let review their vulnerabilities found so far. Does it relate to SCADA vulnerability occurs which causes denied of services. Or it is really server malfunction?

Quote: Hundreds of United flights were delayed after the airline experienced a server malfunction on Jul 2015.

Quote: A United spokeswoman said that the glitch was caused by an internal technology issue and not an outside threat or hacker.

Advantech, a leader within the IPC global market. Advantech offers a comprehensive IPC product range that delivers reliability and stability for extreme environments, providing its customers with a one-stop shopping experience implementing Industry 4.0 and fulfilling their Industrial IoT needs. Let’s take a closer look on Advantech scada webaccess products vulnerabilities so far.

The vulnerabilities found on 2014 include an OS command injection, CVE-2014-8387, in the Advantech EKI-6340 series, a stack-based buffer overflow, CVE-2014-8388, in Advantech WebAccess, and a buffer overflow, CVE-2014-8386, in Advantech AdamView, CVE-2014-0770 – Advantech WebAccess SCADA webvact.ocx UserName Buffer Overflow. It looks that the design weakness keeps appear till today! For more details, please refer below details for references.

https://nvd.nist.gov/vuln/detail/CVE-2015-3947

https://nvd.nist.gov/vuln/detail/CVE-2018-5445

https://nvd.nist.gov/vuln/detail/CVE-2018-5443

Our observation in regards to above known vulnerabilities.

Regarding to WebAccess support specifications. It support the following open real-time data connectivity : OPC, Modbus, BACnet, DDE Server and the following open offline data connectivity: SQL Server, Oracle, MySQL, and Microsoft Access Database. If the repository is the MS SQL server. The IT administrator must staying alert of the SQL injection vulnerability. Since the OS user privilege escalation via Windows Access Token abuse is possible also via SQL injection.

End discussion. Thank you.

Reference:

Information appending on 3rd Feb 2018 – additional technical information supplement. My study on SCADA system risk factors to nuclear facilities (see below):

Potential black force – digitize Godzilla

 

Cisco Aggregation Services Router 9000 Series IPv6 Fragment Header Denial of Service Vulnerability

Cisco Aggregation Services Router 9000 Series IPv6 Fragment Header Denial of Service Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180131-ipv6

IPv6 design limitation highlights by Cisco on 2013 RSA conference. Since ICMP header is in 2nd fragment. Defense mechanism especially RA guard no cue where to find (see my cartoon picture). Perhaps stateful firewall can doing the defense. Meanwhile, this issue told the world there is no real secure Internet Protocol! But this vulnerability occurs on Cisco only causes Denial of Service (reboot). At least no privileges escalation or data leakage.