Category Archives: Under our observation

DarkSide ransomware is ready to move. Operational Technology (OT) should stay alert (7-7-2021)

Preface: An IDC report predicted that by 2024, 60% of industrial organizations will integrate data from edge OT systems with cloud-based reporting and analytics, moving from single-asset views to sitewide operational awareness.

Background: PowerShell provides an adversary with a convenient interface for enumerating and manipulating a host system after the adversary has gained initial code execution.

Security Focus: According to a security company's observations, PowerShell can be used to execute various Base64-encoded commands. The trend is for operational technology to be programmed and developed on PowerShell.
Cybercriminals responsible for ransomware activities often try to delete shadow copies so that their victims cannot restore file access from them. The method is to use Invoke-ReflectivePEInjection to inject a DLL directly into PowerShell.
These actions require system administrator privileges, so the attackers rely on zero-day vulnerabilities and unpatched victim workstations for privilege escalation.

Remark: What’s more telling is the inclusion of function names that correspond with a PowerShell payload called “Invoke-ReflectivePEInjection”, which lets an attacker inject a dynamic link library (DLL) directly into PowerShell.
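
Added example (not part of the original post or the CISA report): a Python sketch of how a defender can decode the Base64 argument of PowerShell's -EncodedCommand option from process-creation command lines and check the decoded script for watch terms. The sample command lines are constructed, and the watch term "shadowcopy" is an assumption.

```python
import base64
import binascii

# powershell.exe accepts any prefix of -EncodedCommand, plus the -ec alias.
ENC_FLAGS = {"encodedcommand"[:i] for i in range(1, 15)} | {"ec"}
# Watch terms: the first is named in the post; "shadowcopy" is an assumed
# indicator for the shadow-copy tampering the post describes.
WATCH_TERMS = ("invoke-reflectivepeinjection", "shadowcopy")


def decode_encoded_command(cmdline):
    """Return the decoded script text of an encoded command, or None."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok[0] in "-/" and tok[1:].lower() in ENC_FLAGS:
            try:
                raw = base64.b64decode(tokens[i + 1].strip("\"'"), validate=True)
                return raw.decode("utf-16-le")  # PowerShell expects UTF-16LE
            except (binascii.Error, UnicodeDecodeError):
                return None  # flag present, but the payload does not decode
    return None


def triage(cmdlines):
    """Return (line_no, decoded_script, matched_terms) for each encoded line."""
    findings = []
    for line_no, cmdline in enumerate(cmdlines, start=1):
        script = decode_encoded_command(cmdline)
        if script is not None:
            hits = [t for t in WATCH_TERMS if t in script.lower()]
            findings.append((line_no, script, hits))
    return findings


def _enc(script):
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed process-creation command lines (not taken from any real incident).
SAMPLE = [
    "powershell.exe -NoProfile -enc " + _enc("Get-Date"),
    "powershell.exe -w hidden -EncodedCommand " + _enc("Invoke-ReflectivePEInjection"),
    "powershell.exe -File backup.ps1",
    "powershell.exe -e not*base64",
]

if __name__ == "__main__":
    for line_no, script, hits in triage(SAMPLE):
        print(line_no, repr(script), hits)
```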

If you are interested in the above details: CISA has published a Malware Analysis Report and updated its alert on DarkSide ransomware. For more details, please refer to the link – https://us-cert.cisa.gov/ncas/alerts/aa21-131a

Are there other ways to avoid ransomware infection? (6th Jul, 2021)

Preface: A ransomware attack paralyzed the networks of at least 200 U.S. companies, according to headline news. President Biden announced an investigation into the international ransomware attack on 3rd Jul, 2021.

Background analysis: Cyber criminals are turning to fileless attacks to bypass firewalls. These attacks embed malicious code in scripts or load it into memory without writing to disk.

  • Malware tricks you into installing software, allowing scammers to access your files and track your actions.
  • Ransomware is a form of malware whose goal is to lock the user out of their files or their device.

However, whether it is malware or ransomware, both rely on working with C&C servers. Cybercriminals use C&C servers to host ransomware. If the computer cannot access the infected server and/or malicious website, ransomware infections will be reduced.

How does DNS sinkholing reduce the infection hit rate? In fact, the firewall cannot see the originator of the DNS query. When the client tries to connect to a malicious domain, the existing solution is likely to wait for the download and let the anti-virus and malware protection mechanisms isolate the malicious file.

Sinkholing can be done at different levels. Both ISPs and Domain Registrars are known to use sinkholes to help protect their clients by diverting requests to malicious or unwanted domain names onto controlled IP addresses.
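
Added example (not from the original post): a Python sketch of the sinkhole policy described above, answering blocked names with a controlled IP address and then using firewall records of connections to that address to identify the querying clients. The sinkhole address, blocklist, log format and log lines are all constructed assumptions.

```python
import ipaddress

SINKHOLE_IP = "192.0.2.53"  # assumed sinkhole address (documentation range)
# Constructed blocklist; a real deployment would load this from a threat feed.
BLOCKED_DOMAINS = {"bad-c2.example", "dropper.example"}


def is_blocked(qname, blocked=BLOCKED_DOMAINS):
    """True if qname equals a blocked domain or is a subdomain of one."""
    labels = qname.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


def answer(qname, real_lookup):
    """Resolver policy: blocked names get the sinkhole IP, others resolve normally."""
    return SINKHOLE_IP if is_blocked(qname) else real_lookup(qname)


def infected_clients(firewall_log):
    """Source IPs seen connecting to the sinkhole, with connection counts.

    The firewall sees only the internal DNS server as the source of queries,
    but the follow-up connection to the sinkhole IP carries the client's own IP.
    """
    hits = {}
    for line in firewall_log:
        fields = dict(kv.split("=", 1) for kv in line.split())
        if fields.get("dst") == SINKHOLE_IP:
            src = str(ipaddress.ip_address(fields["src"]))
            hits[src] = hits.get(src, 0) + 1
    return hits


# Constructed firewall log lines in an assumed key=value format.
FIREWALL_LOG = [
    "src=10.0.5.21 dst=192.0.2.53 dport=443 action=allow",
    "src=10.0.5.10 dst=198.51.100.7 dport=443 action=allow",
    "src=10.0.5.21 dst=192.0.2.53 dport=443 action=allow",
    "src=10.0.7.99 dst=192.0.2.53 dport=80 action=allow",
]

if __name__ == "__main__":
    print(answer("cdn.bad-c2.example", lambda q: "203.0.113.9"))
    print(infected_clients(FIREWALL_LOG))
```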

Question: If the solution is mature and well-defined, why do service providers not implement it? Is it a cost factor?

Closer to reality: one of the ways of ransomware infection (15th June, 2021)

Preface: Ransomware infection is not boosted merely by vulnerabilities in the Windows OS and/or product components. Website programming technique is the accomplice. Perhaps we can say that how successful ransomware attacks are depends on the total number of compromised web servers, which is what I call the trigger point.

Background: Ransomware is often spread through phishing emails that contain malicious attachments or through drive-by downloading. Drive-by downloading occurs when a user unknowingly visits an infected website and then malware is downloaded and installed without the user’s knowledge.

Ransomware is a type of malware attack. The encryption process performs a key exchange with the Command and Control server, using the encryption key to scramble all files discovered during the Execution step. It also locks access to the data. From the cyber criminals' point of view, it is not possible to rent a web hosting service. Therefore, the feasible way is to find an online web portal that contains a vulnerability. If they can compromise the online website, they can set up the phishing attack and evade traditional domain blacklist filters, so they can do their job silently.

Traditional corrective controls do not address the problem effectively: A corrective control follows detective and preventive controls. You can only restore from a backup after an incident. Historically, ransomware exploits operating system and/or component vulnerabilities to carry out the infection. So a traditional full backup may not be usable here, because the victim will be concerned about the exact time at which they were attacked. As a matter of fact, the correct way to proceed with the restore procedure is to wait for the digital forensic investigation result. To this day, such attacks still trouble the whole world.

Maybe when something happens, the term phishing is on your side. See if you can learn more with the attached diagram.

Update to CISA-FBI Joint Cybersecurity Advisory on DarkSide Ransomware (May 19, 2021).

Preface: Critical infrastructure cybersecurity is not new – it was first addressed by Presidential Decision Directive (PDD) 63 in 1998. The term Internet of Things (IoT) was used, but it was for consumer product applications, not industrial applications. Perhaps the Executive Order on Cybersecurity does not adequately protect critical infrastructures.

Background: Best Practices for Preventing Disruption from Ransomware Attacks was released by CISA on May 11, 2021 – https://us-cert.cisa.gov/ncas/alerts/aa21-131a

Its goal is to give computer users direction on reducing the possibility of a ransomware attack. Apart from best practices, is there another way to enhance your current system infrastructure to guard against computer user negligence?

Solution 1: A technology called clean DNS works by adding a layer of security between a user and the internet that prevents visits to websites used for scams, phishing, and malware and ransomware distribution.

Solution 2: Be aware that unofficial observation has concluded that if you have been infected with TrickBot, you will receive a ransomware attack soon.
Please refer to the attached diagram for the solution.

Cyber attack shuts down U.S. fuel pipeline ‘jugular,’ said Headline News – 9th May 2021

Preface: The hacker group claimed that its ransomware attacks were only used for “right targets.” The organization claimed that it aimed ransomware attacks only at large, profitable companies to “make the world a better place.”

Background: Cyber attacks in the oil and gas industry can threaten an organisation’s information technology (IT), its operational technology (OT) and any internet of things (IoT) systems in place.
Last year, the security department expressed such concerns.

Security Focus: The hacking team is very active on hacking forums and keeps its customers updated with news related to the ransomware. It is speculated that the attackers' means of gaining an initial foothold in the network is not limited to email phishing. Perhaps they exploit an SSL VPN design weakness or a Microsoft zero-day. In the oil and gas industry, implementation of OPC UA technology is common. It is hard to avoid using Microsoft products, even when the OPC UA is running on a Linux-based machine. But DarkSide 2.0 has the fastest encryption speed on the market, and it comes in Windows and Linux versions. So this is how the story started.

Headline News – https://www.reuters.com/technology/colonial-pipeline-halts-all-pipeline-operations-after-cybersecurity-attack-2021-05-08/

Replay Protected Memory Block (RPMB) protocol vulnerability impact may be more than expected – 16th Nov 2020.

Preface: With the advent of the 5G era, starting in 2019, UFS 3.0 has gradually been adopted by flagship smartphones.
UFS 3.1 is an optimized version of 3.0.

Background: The RPMB layer aims to provide an in-kernel API for Trusted Execution Environment (TEE) devices that are capable of securely computing the block frame signature. When a TEE device wishes to store replay-protected data, it creates an RPMB frame with the requested data and computes the HMAC of the frame, then it requests the storage device via the RPMB layer to store the data.

A storage device registers its RPMB (eMMC) partition or RPMB W-LUN (UFS) with the RPMB layer, providing an implementation for the rpmb_cmd_seq() handler. The interface enables sending a sequence of RPMB standard frames.

Vulnerability details: The RPMB protocol allows an attacker to replay stale write failure messages and write commands, leading to state confusion between a trusted component and the contents of an RPMB area. Since the impact has not yet been explicitly confirmed by vendors, see the URLs below for reference.

Western Digital – https://www.westerndigital.com/support/productsecurity/wdc-20008-replay-attack-vulnerabilities-rpmb-protocol-applications

Netapp – https://security.netapp.com/advisory/ntap-20201113-0005/

CERT Coordination Center – https://kb.cert.org/vuls/id/231329

Design limitation of iDS6 DSSPro Digital Signage System 6.2 – 6th Nov 2020

Preface: Digital signage’s content is powered by a media player or system-on-a-chip which pushes content to a display.
Users can then manage the content with a content management system.

Background: Design limitation of iDS6 DSSPro Digital Signage System 6.2. The vulnerability is caused by the autoSave password function.
Since the traffic is plain unencrypted HTTP, the cookie discloses the user password. If I am using it, how do I reduce the risk?

Cause details and remediation: The root causes of the user password disclosure are shown in the attachment.
If remediation has not yet been released by the vendor, operators of this product's web service should perhaps do the following.

  1. Avoid using WiFi for management. Use a workstation in a trusted network.
  2. Set a firewall rule so that only the managed IP address can connect to the specific IP address. This is the path from point C to B (refer to diagram). Do not use a wireless connection.
  3. From point B to point A, it should be a cabled network instead of a WiFi connection.

Additional: Set the cookie age to 4 minutes and reset it every time your server sends a response; the cookie will then time out after 4 minutes of inactivity.

Vendor: Guangzhou Yeroo Tech Co., Ltd.
Product web page: http://www.yerootech.com
Affected version: V6.2 B2014.12.12.1220
V5.6 B2017.07.12.1757
V4.3

New variants of Zebrocy (smqft_exe & sespmw_exe). They are designed to perform various functions on the compromised system, said US-CERT (3rd Nov 2020)

Preface: Some experts comment that files programmed in the Go language are larger than usual, which may make it possible to evade virus scanning, so malware authors like to use it. Perhaps this is not the major factor.

Background: In July 2019, a security researcher found nearly 10,700 unique samples of malware written in the Go programming language, also known as GoLang.
According to analysis conducted by Imperva, as of 2019 37.97% of attacks used tools developed in Python and 31.53% used Go. Go is really a compiler (in fact it embeds 2 compilers) and it produces totally self-sufficient executables. You don’t need any supplementary library or any kind of runtime to execute it on your server.

Technical highlights: Go, or Golang, attempts to reclaim the memory occupied by other objects that are no longer needed, which makes Go a highly garbage-collected language. Because of this reclaim feature, it is easy for antivirus/malware detection to be thrown off.

Official details: If you are interested in the above matters, please refer to the link – https://us-cert.cisa.gov/ncas/analysis-reports/ar20-303b

Official alert – APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations (9th Oct 2020)

Preface: Zero-day attacks don’t have signatures; no one in the security community has analyzed the exploited vulnerability yet. It was probably only discovered after the victim reported it. Therefore, we should set up a comprehensive vulnerability management program.

Risk management – In reality, it’s not easy applying every patch as soon as it comes out. This is why it’s important for us to craft a comprehensive vulnerability management program through which we can use a risk profile to prioritize security flaws.

How to detect zero day vulnerability?
A DNS sinkhole setup can help systems evaluate programs and try to anticipate whether their actions are actually intended, or linked to a deliberate change in function. With time, these systems are exposed to the entire operations profile of programs and are able to raise alerts when they detect suspicious data access attempts.

Within this year, we have noticed that critical vulnerabilities were found. Perhaps we could not have imagined that famous security solution vendors would also become victims (see below):
– Citrix NetScaler CVE-2019-19781
– MobileIron CVE-2020-15505
– Pulse Secure CVE-2019-11510
– Palo Alto Networks CVE-2020-2021
– F5 BIG-IP CVE-2020-5902
– Fortinet FortiOS VPN vulnerability CVE-2018-13379
Federal and state, local, tribal, and territorial (SLTT) government networks and critical infrastructure also make use of their products.
On 9th October 2020, CISA and FBI Release Joint Advisory Regarding APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations.

Official announcement, please refer to the link – https://us-cert.cisa.gov/ncas/alerts/aa20-283a

APT developing new evasion technique to conduct cyber attacks – 23rd Sep 2020

Preface: The APT organization provides hard-to-detect malware to attack other hostile camps.

Synopsis: The evasion technique recently found by a security expert team is that APT 29 exploits a design weakness of the detection mechanism. They re-engineer a zip file to convert it into a JPEG.
“This technique works because JPEG files are parsed from the beginning of the file and some Zip implementations parse Zip files from the end of the file (since the index is located there) without looking at the signature in the front,” the researchers explain.
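
Added example (not from the researchers or the original post): a Python check for the file layout the quote describes, looking for a JPEG start-of-image marker at the front and a ZIP End of Central Directory record near the end of the same file. The sample byte strings are constructed, and the function names are hypothetical.

```python
import io
import struct
import zipfile

JPEG_SOI = b"\xff\xd8\xff"   # JPEG start-of-image marker, checked at offset 0
EOCD_SIG = b"PK\x05\x06"     # ZIP End of Central Directory signature
EOCD_MIN = 22                # fixed EOCD size without the trailing comment
MAX_COMMENT = 0xFFFF         # the comment length is a 16-bit field


def find_eocd(data):
    """Offset of a plausible EOCD record near the end of data, or -1."""
    start = max(0, len(data) - (EOCD_MIN + MAX_COMMENT))
    pos = data.rfind(EOCD_SIG, start)
    while pos != -1:
        if pos + EOCD_MIN <= len(data):
            (comment_len,) = struct.unpack_from("<H", data, pos + 20)
            if pos + EOCD_MIN + comment_len <= len(data):
                return pos
        pos = data.rfind(EOCD_SIG, start, pos)  # keep scanning backwards
    return -1


def classify(data):
    """Label data by what a front parser and a back parser would each see."""
    is_jpeg = data.startswith(JPEG_SOI)
    is_zip = find_eocd(data) != -1
    if is_jpeg and is_zip:
        return "jpeg+zip polyglot"
    return "jpeg" if is_jpeg else "zip" if is_zip else "other"


def _sample_zip():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("note.txt", "constructed sample")
    return buf.getvalue()


# Constructed inputs: a minimal JPEG-looking byte string and a small ZIP.
FAKE_JPEG = JPEG_SOI + b"\xe0" + b"\x00" * 64 + b"\xff\xd9"
SAMPLE_ZIP = _sample_zip()
POLYGLOT = FAKE_JPEG + SAMPLE_ZIP

if __name__ == "__main__":
    for name in ("FAKE_JPEG", "SAMPLE_ZIP", "POLYGLOT"):
        print(name, classify(globals()[name]))
```

A scanner that decides the file type from the leading bytes alone would label the third sample as an image; checking both ends is what exposes the mismatch.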

Perhaps APT 28 and 29 use different evasion techniques with the aim of delivering the malicious resources to their landing point, whereby the final executor is PowerShell.

Then there is the so-called Zebrocy. Its function is mainly that of a downloader. Its evasion effect is better than the technique used by APT 29. After running, it performs a persistence operation and pops up an error message box to confuse the user. When it is started with specific parameters, a screenshot is taken. Through a timer callback function, it sends data to the remote server and waits for the subsequent payload to be downloaded.

Should you disable PowerShell?
No, minimize the risks with PowerShell Constrained Language mode.

Enabling Constrained Language mode
PS C:\Users\xxxx> $ExecutionContext.SessionState.LanguageMode = "ConstrainedLanguage"

This can be configured in the registry at HKLM\System\CurrentControlSet\Control\SESSION MANAGER\Environment\__PSLockdownPolicy.

Running PowerShell as Admin, you can simply remove this property:
Remove-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\" -Name __PSLockdownPolicy

Recommended article: PSLockDownPolicy and PowerShell Constrained Language Mode – https://docs.microsoft.com/en-us/archive/blogs/kfalde/pslockdownpolicy-and-powershell-constrained-language-mode