Category Archives: Under our observation

data breach spread to banking enterprise. no exception to bank of America – 28th may 2020.

Background: The PPP provides small businesses with forgivable loans of up to $10 million per company (8 weeks of payroll). This program was launched on April 3, 2020; it is a forgivable loan program offered primarily to help businesses deal with the adverse consequences COVID- 19.

Point of view: Cybercrooks have been leveraging malicious macros hidden inside XML files to distribute the Dridex financial malware few years ago. But it was happened on 2015. Form my point of view, the incident happen this time have similarity.

Possibility: We can based on below feature and predict that attacker may relies of this feature design weakness to conduct the attack.

Accessing E-TranE-Tran Options
•loan data file transfer in XML format (from a software vendor’s product or from a bank’s proprietary system) to the SBA’s E-Tran database
•A Web page where lenders can enter loan information on individual loans

One of the ways: XML injection attacks typically occur in this way: An attacker injects malicious JavaScript markup code as escaped text in an XML document. The XML document is then parsed by an XML application. Later, content of the XML element that contains malicious JavaScript markup code is used as input data for a website.

Official announcement – Please refer follow link :

Ebayer, are you aware someone behind you? 25th may 2020

Preface: Host discovery function embedded detection and vulnerability scan service. Under normal circumstances, since you are on a private network, there is no objection in this setting.

Synopsis: When visiting the eBay, a script will run that performs a local port scan of your computer to detect remote support and remote access applications, said bleeping computer.

Verification: Refer to the “Bleeping Computer” information. ( There is already a program script on the eBay front-end Web portal, which has a scanning function, please refer to the following url ( . Apart from that this matter lure my interest to know the details. Following my analysis step, it also found current user profile has design weakness (SQL injection). Perhaps this issue was only detected when the user logged in. Now return the focus to the scan function. From technical point of view, it is not 100% guarantee on existing protection mechanism can avoid session fixation. So eBay should be aware of it. For the details of session fixation. Please refer below:

Wiki: Session Fixation is an attack that permits an attacker to hijack a valid user session. The attack explores a limitation in the way the web application manages the session ID, more specifically the vulnerable web application.

Comment: I am the eBayer since 2000. However I could not find the official announcement that eBay is going to scan my device. Perhaps I am not the only one has this unsatisfied feeling.

an issue was discovered in smartbear readyapi soapui pro 3.2.5 (20th May 2020)

Preface: SmartBear ReadyAPI and SoapUI are automated testing tools that you can use to create functional and security tests for web service APIs. The easiest way to run ReadyAPI tests from Azure DevOps is to use the SoapUI Pro for Azure DevOps task.

Background: The ReadyAPI platform accelerates functional, security and load testing of RESTful, SOAP, GraphQL and other web services right inside the CI/CD pipeline. The DevOps team is no stranger.

Vulnerability details: The security expert found a possible way to conduct cyber attack. When a insider threat occurs. The threat prepatrator can be figure out the target license setup condition. If victim deployed remote floating license setup by ReadyAPI. They will exploit the design weakness for Licensing Server. Since the communications in between SmartAPI and license server is using Java RMI protocol on port 1099 but without transport security. Meanwhile, Java RMI, and the underlying JRMP protocol, relies on Java serialization to transport method arguments, return values and exception data intensively. And therefore the problem is that there’s no way to know what you’re deserializing before you’ve decoded it. So an attacker can serialize a bunch of malicious objects and send them to your application.

Remedy: Allow deserialization, but make it impossible for attackers to create instances of arbitrary classes.
For instance: limit the input to a maximum of 10 embedded objects and 50 bytes of input. Besides, the official remedy solution not release yet.

Hacker target EU supercomputer – 19th May 2020

Preface: What if your computer is slow? Perhaps it is a sign of malware infection. This scenario also apply to modern supercomputer. Perhaps it is powerful. So no one aware. This is only a assumption. However modern supercomputer will be infected by malware. Why? Because part of the modern supercomputer has deployed a Linux OS system.

Details: It is true. For instance, Cray has Cluster compatibility mode.It is a standard x86/Linux environment. Several affected labs said that only the login portal to the supercomputer were affected, said Because hacker will be more interested of scientific research result in this period of time. In this case, how the attacker tried to infect the supercomputer. Please refer to the attached drawing. As usual, the attack entry point is the login portal. But the attacker should infect the client workstation on the beginning phase. For example Cryptocurrency mining malware shell script will be saved as /bin/httpdns. A scheduled task is created to run /bin/httpdns every hour. But it need to take the right time to land the script.

Headline News

Is it a cyber attack or a design change? (Sunday, May 17, 2020 (EDT))

Preface: High-level state-backed APT groups wreak havoc on cyber world. Does this attack only in short time or it will become a constant activities?

Security focus: Information technology professional will relies on DHS (US Homeland security) news update as a standard security alert indicator. For example, I am the follower. Found by tonight that the cyber security main page has changes. To be honest, my observation feedback to me that it is not normal. Regarding to the web page design, it shown that it do not use iFrame. However, the web site layout looks strange. I do not want to use the key term broken to describe. Because of this matter, I just take a look of the header information. It show to me that it is running Drupal.

Anyway it is recommend to remove this disclosure information. Perhaps the method is straight forward. The simplest method is to remove the header in a custom EventSubscriber. Please refer to diagram. The official information shown in follow URL.

The problem now fixed by homeland security – 18th May 2020 – HKT

Little-Known Linux Exploits is being weaponize – 15th May 2020

Preface: The following information will continue the theme released yesterday. For review the details by yesterday, please follow this link –

About the theme: Sound can tell, according to statistic provided by Microsoft. Cyber security attack is rapidly growth especially in education area within past 30 days. Perhaps Healthcare and pharmaceuticals area cyber attack volume not as high as education area. However the details found by Microsoft has similarity with security expert observe in past. There are more and more attacker focus to Linux environment.

Security focus: Backdoor code in the popular Bootstrap. To launch the action, the backdoor must be embedded in a “bootstrap” application (a dropper) that is written in C and called xxx.c. Once compiled and started, the dropper program must infect the first Linux ELF executable that it finds in the current directory. Then, when this newly infected file is executed, your virus code is supposed to run.

The myth said that Linux will be secure than Windows. It will be not correct anymore.

High-level state-backed APT groups entrenched in plenty of servers for nearly a decade Using Little-Known Linux Exploits – 14th May 2020

Preface: According to statistical data, most organizations store data in cloud platforms operating in Linux based environment. Statistics show that, compared with the Windows operating system, Linux coverage rate exceeds 75%.

Background: Linux system commonly using drive by downloads on an infected website. For instance you install program on Linux sometimes require specify library file (.so). Perhaps your sense of defensive will be downgrade during software installation because you aim to achieve completed the milestone and therefore unintended let the rootkit implant to you Linux system. The rootkit is considered to be a type of Trojan horse. Many Trojan horses exhibit the characteristics of a rootkit. The main difference is that rootkits actively conceal themselves in a system and also typically provide the hacker with administrator rights.

RootKit specifications:

  • Kernel mode rootkits (Ring 0)
  • User mode rootkit (Ring 3)

What can we do now? Actively monitor web applications for unauthorized access, modification, or anomalous activities. But stay alert when you download the library file.

Discarded Tesla car parts contain information. Maybe you can buy it on eBay. Who can believe in the technological world? Even if no such incident occurs, the supplier can read your local data without your consent (8th May 2020)

Preface: The traditional method of disposing of hard drives is degaussing or incineration.

Headline News: The manufacturer has a hardware disposal policy. The incidents encountered by Tesla may be due to improper handling of third parties. For more information about headline news, please refer to this link.

Supplement: Should you have doubt about your data personal privacy matter in IoT device? You might have interested to read the following.

Who can you trust in the Internet world? Security Issues with LOAD DATA LOCAL in MySQL DB.

Technical overview:
Security Issues with LOAD DATA LOCAL on MySQL DB server side:
Such a server could access any file on the client host to which the client user has read access. Please refer to this link to read the details –

Official announcement – Security Considerations for LOAD DATA LOCAL. Please refer to this URL:

Storm of Go language based malware – 6th May 2020

Preface: New Kaiji malware targets IoT devices via SSH brute-force.

Background: Gobot is a framework for robotics, drones, and the Internet of Things (IoT), written in the Go programming language.

Observation: Programmers usually choose Golang for building the communication layer within the IoT system. One of the biggest draws to Go is the fact that a single codebase may be compiled for all of the major operating system platforms.

What is codbase: A codebase is a source code repository or a set of repositories that share a common root. The single codebase for an application is used to produce any number of immutable releases that are destined for different environments.

Facts: So it benefits to attacker when he written a malware.

Prediction in regards to current situation: See attached diagram. My prediction is that hacker will be exploit the design weakness in Go language (Go programs primarily use the YMM registers to implement copying one memory buffer to another). So, the case is under observation.

The things you can do right now: Implement effective passwords on all IoT devices when possible.

Headline News:

Alert users that a previously disclosed Oracle WebLogic Server remote code execution vulnerability (CVE-2020-2883) is being exploited in the wild. (3rd May 2020)

Preface: Perhaps my alert late for 3 days, but the specify vulnerability hide himself in webLogic product for few years!

Vulnerability details: Alert users that a previously disclosed Oracle WebLogic Server remote code execution vulnerability (CVE-2020-2883) is being exploited in the wild. You can read the official announcement in following link –

One of the exploit methods – The attacker can locate all of the objects by packet capture. For more details, please refer to attached diagram for reference. As a result, the attacker can replace these objects with his malicious payload. Since the server receives the data and unpacks (deserializes) without integrity check. And therefore it let attacker execute the malicious code on the underlying WebLogic core, allowing the attacker to take control over unpatched systems.