Category Archives: Under our observation

hiccup, web server load balancing solution  3rd May 2022

Preface: Online banking cannot lack of load balancing solution today. However in terms of life cycle of operation system and software libaries , Java language development platform and on-demand custom fuctions. Does it bother the load balancing functions? The most challenging parts is the layer 7 load balancing. Perhaps you can do the healt check on appliation functions. However, it is difficult to garantee the non stop function on application side (availability).

Background: The load-balancing algorithms supported are round-robin, weighted least request, random, ring-hash and more. An additional function includes client non interrupt services using application & service availability (health-checks performance).

My focus: Online banking platform (Hong Kong)
Error 500: java.lang.RuntimeException: no EntityContext found in existing session
Date: Around 8:15 am 5/3/2022

Fundamentally, Web server load balancing function in correct way make no downtime. Therefore when you connected to web server had problem. The load balancing function will keep persistence (SSL Sticky) then redirect your connection to the web server which is available.
My experience operating in online banking system in today morning (3rd May, 2022) hints the technical information to me.
I encountered error my web services. (Reminded – it successful logged on and doing operations). However an error 500 display on my screen. Thereafter. even I close the browser, make new established connection to Banking system. It still redirect my new connection to e-banking1.hangseng.com. But in round robin setup architecture, I can connect to e-banking2.hangseng.com by chance.

Observation: Perhaps, load balancer capable web application health check function. But for online banking system, it do a health check on web server front page. On java server page. For example: The EntityContext interface contains the getEjbObject and getPrimaryKey methods that a bean can use to find out about the object it is associated with. The client communicates with the bean via the EJBObject. If one of the java service had error occur. May be the load balancer health check function not know what’s happening.

Whether there is concerns on vulnerable Java SE Embedded versions. So,  apply tight protection and causes this technical problem occurs. Or there is an software configuration problem in web application itself?

Get rid of crafted Modbus traffic to bother your defense mechansim – 21st JAN 2022

Preface: Le Rouge et le Noir – Not a bad guy is good guy. If, the vulnerability is due to an integer overflow when handling Modbus traffic. Is it an early warning?

Background: The reason Modbus was so successful was the fact that it could be so readily understood by non-programmers. Engineers who built glue machines, meters, measuring devices, and such could easily understand the concept of coils/registers and the simple commands to read and write them.

About cyber attack: Modbus over serial is immune to any common malware attacks. But what methods will increase the risk of Modbus network attacks? See below:

I. MODBUS over TCP means a MODBUS RTU packet wrapped in a TCP packet.
II. MODBUS TCP means a MODBUS TCP packet wrapped in a TCP packet.

Perhaps a common idea will said Modbus driver might be vulnerable to attack. However, above two types of TCP communications methods are increasing the possibilities of attack. For instance, an attacker could sending crafted Modbus traffic attack a IDS. (This IDS device aim to protect the back-end HMI, PLC and SCADA infrastructure).
Due to implementation of decoding a message type incorrectly exposing a buffer overrun. This is equivalent a denial of service.

One of the possible ways to enhance validation in related IDS modules. (see below):

  1. Check the crc, and if it isn’t correct ignore the request.
  2. Check the validty of the data based on the function code.
  3. Broadcast is not supported
  4. Add bytes to expected request size (2 x Index, 2 x Count)

Due to PLC, the HMI for repair or mitigation is not so flexible because it affects industrial systems and/or related operating functions.
Sometimes even IIoT manufacturers cannot provide you with a clear upgrade roadmap. Therefore, installing IDS as detection and preventive control is an effective way to implement protection. This discussion does not focus on any IDS devices. If you have any related matters, it is recommended to listen to the supplier’s opinions.

End of writing.

RAT targeting Nginx. Can we say that NGINX is secure than Apache? (2-12-2021)

Preface: dlopen() The function dlopen() loads the dynamic shared object (shared library) file named by the null-terminated string filename and returns an opaque “handle” for the loaded object.

Background: NGINX Plus provides a supported and tested version.Starting at $2500 per year. NGINX is an open source software. Dynamic modules add functionality to NGINX Plus such as geolocating users by IP address, resizing images and embedding NGINX JavaScript njs or Lua scripts into the NGINX Plus event‑processing model.
Modules are created both by NGINX and third‑party developers.

NGINX, at its core, is a collection of modules. Whether you are using core modules, like the http and stream modules. Or 3rd party module, like geoip or RTMP, they are using the same module framework.
With the addition of dynamic module support, modules are an even better way to add functionality to NGINX.

Details of attack: A new parasitic malware targets the popular Nginx web server, Sansec discovered. This novel code injects itself into a host Nginx application and is nearly invisible. For more details, please refer to the link – https://sansec.io/research/nginrat

Observation: We are also considering a special case in which libraries are loaded during execution by using dlopen() so that external function addresses can be obtained by using dlsym().

Remark: From technical point of view, the return addresses are only used with paired call/ret instructions and are not read or written by other instructions.

However, attackers can also exploit another source of code pointers, return addresses, to perform memory disclosure attacks.

CISA urges to be vigilant! About GPS Daemon (GPSD) Rollover Bug (21st Oct, 2021)

Preface: If you are using a security token (fobs or software), when there is a problem with the NTP time source. This is unforeseen. Maybe there is nothing wrong with it. Or, in the worst case, similar you mistaken reset the NTP server time setting. Therefore, all your tokens should be suspended.

Background: Because in the original GPS protocol, only 10 bits were used to represent the week number. If there are 10 bits, it will overflow after counting to 1023, so it can only indicate about 19.6 years. Since the GPS time epoch (epoch) began in the early 1980s, there have been two rollover events (in 1999 and 2019, respectively). In April 2019, Headline News (The Register) announced this vulnerability to the public. It indicates that if you do not or cannot update, there will be a problem. Over time, the deadline has arrived.

Vulnerability details: Due to the design of the GPS protocol, time rollback (or technically termed “GPS Week Rollover”) can be anticipated and usually closely monitored by manufacturers. The next occurrence should have been in November 2038 , but a bug in some sanity checking code within GPSD would cause it to subtract 1024 from the week number on October 24, 2021. This would mean NTP servers using the bugged GPSD version would show a time/date of March 2002 after October 24, 2021.

Official details for reference: https://isc.sans.edu/forums/diary/Keeping+Track+of+Time+Network+Time+Protocol+and+a+GPSD+Bug/27886/

Fastly CDN outage, perhaps not cyber attack (4th Oct, 2021)

Preface: In addition to cyber security attacks. Cloud service providers face different technical challenges, including software and hardware levels.

Background: Fastly is a company that provides content delivery network (CDN) services, mainly providing host static content and quickly showing it to Internet users. Fastly peers with other Internet Service Providers (ISPs) and Content Networks with IPv4 and IPv6 connectivity on Autonomous System (AS) 54113 for the purpose of exchanging traffic between these networks.

Service instability Report on October 4, 2021: It is reported that during the partial paralysis of Fastly CDN, Internet websites and services using the Fastly Content delivery Network (CDN) could not be used normally for more than an hour. Some users cannot access it directly, while others have entered an unexpected version of the website.

Their design attracted my attention: Fastly cloud distributed routing agent, called Silverton, which orchestrates route configuration within Fastly POPs. Silverton peers with the BGP daemon, BIRD, which interfaces with the outside internet. BIRD supports Internet Protocol version 4 and version 6 by running separate daemons. It establishes multiple routing tables,hand uses BGP, RIP, and OSPF routing protocols, as well as statically defined routes. If one service node have problem occurred which let the service up and down frequently (reboot). OSPF will update the routing table until completed. Whereby, it cause network traffic in slow response.

Current Status: Maybe we should wait for the supplier to announce the reason.

Stealth attack of UEFI bootkit (29th Sep 2021)

Preface: Digital spyware and monitoring tech that allows the user to covertly monitor a target’s communications, or collect personal data emitted from their devices.

Background: FinFisher, also known as FinSpy, is surveillance software marketed by Lench IT Solutions plc, which markets the spyware through law enforcement channels. On August 6, 2014, FinFisher source code, pricing, support history, and other related data were retrieved from the Gamma International internal network and made available on the Internet.

Synopsis: Found a UEFI bootkit that was loading FinSpy. All machines infected with the UEFI bootkit.

Impact:
– Bypasses kernel protections (NX and Patch guard)
– Bypasses local authentication
– Elevated process privileges

Technical details: Found a UEFI bootkit that was loading FinSpy. All machines infected with the UEFI bootkit had the Windows Boot Manager (bootmgfw.efi) replaced with a malicious one. Kaspersky said.

Ref: FinSpy is a full-fledged surveillance software suite, capable of intercepting communications, accessing private data, and recording audio.

For more detailed information on the findings of this survey, please visit the Kaspersky website for details – https://securelist.com/finspy-unseen-findings/104322/#iocs

Security Focus on Microsoft windows CMD Stack Buffer Overflow (19-09-2021)

Preface: Twenty years ago, content filter firewalls were not popular. A quick way to harden the Microsoft Internet Information server is to delete all cmd commands to avoid network attacks.

Background: If you would like to run cmd in privileged mode. You have to do the following:

  1. type “CMD” you can hit Ctrl+Shift+Enter to open as administration
  2. Explorer – Hold Shift and right click on a folder, and choose “Open command window here”

To use multiple commands for , separate them by the command separator && and enclose them in quotation marks.

Vulnerability details: Expert found that special crafted payload will trigger a Stack Buffer Overflow in the NT Windows “cmd[.]exe” commandline interpreter. Furthermore, running file type especially [dot]cmd or [bot]bat will be risky. However, when cmd[.]exe accepts arguments using /c /k flags which execute commands specified by string, that will trigger the buffer overflow condition.

Above attack only exploit in local workstation. Do you think it can do it remotely? As far as I remember, if the situation is available. For example, Windows OS server encounter zero day or not patched.The netcat tool can do a remote command execution by CMD. Refer to attached diagram, if the stack buffer overflow run by tool to exploit by concept. Therefore this vulnerability will become more risky.

Observation: If your are using application firewall. It will drop the malicious traffic including netcat command automatically. Since this idea is still in concept stage. So, no need to worries.

Unkown backdoor run on TCP 7614, virtual patching is one of the protective control methods (12th Sep, 2021)

Preface: Virtual patching acts as a safety measure against threats that exploit known and unknown vulnerabilities. Virtual patching works by implementing layers of security policies and rules that prevent and intercept an exploit from taking network paths to and from a vulnerability.

Background: This is so called Evasion Techniques. One of the first techniques that attackers use to avoid antivirus detection. The idea used by malware authors is do reverse engineering the software design. The goal is to obfuscate the defense mechanism detection. The files using de-assembly method for landing the victim workstation.

Create a hidden worksheet. Use a base 64 encoded to convert the exe to text. Store that text in worksheet cells on the hidden worksheet. Since there is a limit on the number of characters in a cell (32,767), cyber criminals need to break the string into chunks.

Security Focus: A Backdoor program (Backdoor.Win32.Wollf.h) was found in victim workstation. It has been rated as critical. Affected by this issue is some unknown functionality of the component Service Port 7614. Wollf backdoor creates a service named “wrm” and listens on TCP port 7614, there is no authentication allowing anyone to take over the infected system.

Workaround: Addressing this vulnerability is possible by firewalling or MSSP can be used to assist in implementing virtual patches to solve this problem.

Infection channel: Excel file with malicious code embedded in email attachment.

Interested topic last week (AWS “AKIA” discussion) – 5th Sep, 2021

Preface: On 2014, Amazon Web Services (AWS) is asking those that write code and use GitHub to go back and check their work to make sure they didn’t forget to remove login credentials. The warning comes as news is circulating about the availability of nearly 10,000 AWS keys in plain sight on GitHub just by running a simple query.

Background: Security expert found that search for it through source-code on the web, you can find further words by doing find the word ‘AKIA’ to find the Access Key and you can get the Secret key too, if you have found it you can do AWS Configuration.

GitHub does not allow searching of regular expressions in code, and thus the naive approach to search for such patterns is to create a clone of every repository – essentially a mirror of GitHub – and then search their contents for such patterns.

Ref:IAM access key IDs beginning with AKIA are long-term credentials, and access key IDs beginning with ASIA are temporary credentials. ASIA credentials are used with AWS Security Token Service (AWS STS) operations for temporary access to AWS services.

Best practice recommended by vendor:

-Note that we recommended against using the root user for everyday work in AWS.

-As a security best practice, we recommended that you regularly rotate (change) IAM user access keys.

-You can review the AWS access keys in your code to determine whether the keys are from an account that you own.

Another flaw prompted an urgent U.S. government warning and providing Guidance (Azure Cosmos DB) – 29th Aug 2021

Preface: Data scientists are big data wranglers, gathering and analyzing large sets of structured and unstructured data. Jupyter Notebooks allow data scientists to create and share their documents, from codes to full blown reports (Help them streamline their work).

Background: Azure Cosmos DB built-in Jupyter Notebooks are directly integrated into the Azure portal and Azure Cosmos DB accounts, let data scientists easy to use. The Jupyter Notebook is an open-source web application that allows you to create and share documents that contain live code, equations, visualizations and narrative text. Uses include: data cleaning and transformation, numerical simulation, statistical modeling, data visualization, machine learning, and much more.

Speculation related to this matter: A trojan malware campaign found November last year (2020) is targeting businesses and higher education in what appears to be an effort to steal usernames, passwords and other private information as well as creating a persistent backdoor onto compromised systems.

Vulnerability details: A misconfiguration vulnerability in Microsoft’s Azure Cosmos DB that may have exposed customer data. In the first step, the attacker will gained access to the client’s Cosmos DB primary key. For example, exploit the vulnerability on Jupyter Notebook (virtual machine) to get the key.

Ref: Primary keys are long-lived and allow full READ/WRITE/DELETE access to customer data.

Workaround: Navigate to your Azure Cosmos DB account on the Azure portal and Regenerate Secondary Key. Please refer to url for details – https://docs.microsoft.com/en-us/azure/cosmos-db/secure-access-to-data?tabs=using-primary-key#primary-keys

CISA announcement – https://us-cert.cisa.gov/ncas/current-activity/2021/08/27/microsoft-azure-cosmos-db-guidance