Category Archives: Under our observation

Trojan under the .NET platform remains unchanged for a hundred years (22nd Jul 2020)

Preface: SharePoint only uses the .NET Framework version it was built for. For example, SharePoint 2010 uses .NET 2.0; if you install .NET 4, SharePoint 2010 will leave it unused. SharePoint 2019 uses .NET 4.7, and any lower version will simply not be used.

Background: Using Microsoft SharePoint as a CRM or as an external portal has been a popular setup in the past few years. SharePoint is a web-based platform built on top of the ASP.NET framework. Many companies favor it because its interface integrates fully with Microsoft Office.
Remark: SharePoint Server ships with a set of web parts that users can add to pages after installing the product. If an organization needs custom web parts, a developer can write custom ASP.NET web parts and install them.

Design weakness: In .NET platform applications, Response.Write is by default executed as soon as the connection is established. Because the code-behind modules are compiled first, all of the output generated by Response.Write, Response.WriteFile, or inline server-side <SCRIPT> tags appears before any HTML tags when the HTML output is sent to the browser. Coincidentally, the Chopper web shell technique has a way to attack ASP.NET applications on the .NET Framework.

Current status: Cyber criminals target insecure default configurations in common web servers. Generally speaking, they use their initial unauthorized access to place malicious web shell programs and credential-stealing software on victim networks, which allows them to remotely execute commands on victim computers and related entities.

Windows 10 command “wsreset” combined with “mklink” provides a way to bypass User Account Control. (21st Jul 2020)

Preface: Known UAC bypass techniques include using Eventvwr together with a registry key, or COM handler hijacking.

A new way with a different technique: WSReset[.]exe opens the Windows Store app and clears the Windows Store cache when the cache is damaged or you encounter problems using the Windows Store. If an attacker can create a link that points the \InetCookies path (refer to the attached diagram) to a target directory of the attacker’s choice, that target directory will be the one deleted when wsreset runs.

Observation: The UAC bypass extends to evading access control. A security expert found this design weakness and built a proof of concept showing how to delete an antivirus folder, so that the antivirus malfunctions after a reboot.
These findings awakened me: the Microsoft UAC security boundary provides an opportunity for the attacker.
From a technical point of view, quite a lot of antivirus products hold file locks while their processes are running, so an attacker may not be able to use this method to compromise a machine.
However, directory junctions can be created by any user and do not require administrator privileges, which makes them perfect for exploitation by an attacker. We keep our eyes open to see whether the vendor will address this technical matter.
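The defensive counterpart of the behaviour described above is a cache-clearing routine that refuses to follow a redirected path. The following is an added example (not code from the original post, and not Microsoft's wsreset implementation): a Python cache cleaner that treats any symlink, or any Windows reparse point such as a directory junction, as off-limits. The directory layout it builds (a "victim" directory, a real cache directory, and a link that redirects a cache path at the victim) is constructed for the demonstration.

```python
import os
import stat
import tempfile


def is_reparse_point(path):
    """True if `path` itself is a symlink (any OS) or a Windows reparse point.
    Directory junctions are reparse points, and os.path.islink() does not report
    them, so the st_file_attributes check is what catches the mklink /J case."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return True
    attrs = getattr(st, "st_file_attributes", 0)  # only present on Windows
    return bool(attrs & stat.FILE_ATTRIBUTE_REPARSE_POINT)


def clear_cache(cache_dir):
    """Delete the regular files under cache_dir without ever following a link.
    Refuses (ValueError) if cache_dir itself has been redirected, and prunes any
    linked subdirectory so the walk never descends into someone else's tree.
    Returns the list of deleted file paths."""
    if is_reparse_point(cache_dir):
        raise ValueError("refusing to clear %s: it is a link/junction, not a real directory" % cache_dir)
    deleted = []
    for dirpath, dirnames, filenames in os.walk(cache_dir, topdown=True, followlinks=False):
        # Prune linked subdirectories in place so os.walk does not enter them.
        dirnames[:] = [d for d in dirnames if not is_reparse_point(os.path.join(dirpath, d))]
        for name in filenames:
            full = os.path.join(dirpath, name)
            if is_reparse_point(full):
                continue  # a file-level link: its target is not our cache
            os.remove(full)
            deleted.append(full)
    return deleted


def demo():
    """Constructed layout: a real cache dir (with a linked subdir inside it) and a
    'cache' path that is really a link to a victim dir, as in the wsreset technique.
    Returns (redirected path refused?, files deleted from the real cache, victim intact?)."""
    with tempfile.TemporaryDirectory() as root:
        victim = os.path.join(root, "victim")
        cache = os.path.join(root, "cache")
        os.makedirs(victim)
        os.makedirs(cache)
        with open(os.path.join(victim, "important.txt"), "w") as f:
            f.write("keep me\n")
        with open(os.path.join(cache, "c1.tmp"), "w") as f:
            f.write("junk\n")
        # A link planted inside the cache, pointing at the victim directory.
        os.symlink(victim, os.path.join(cache, "sub"), target_is_directory=True)
        # The cache path itself replaced by a link to the victim directory.
        redirected = os.path.join(root, "redirected_cache")
        os.symlink(victim, redirected, target_is_directory=True)
        try:
            clear_cache(redirected)
            refused = False
        except ValueError:
            refused = True
        deleted = clear_cache(cache)
        victim_intact = os.path.exists(os.path.join(victim, "important.txt"))
        return refused, len(deleted), victim_intact
```

The demo uses symlinks because they can be created without privileges on Linux as well; on Windows the same `is_reparse_point` check also stops at a junction created with `mklink /J`, which is the variant the post describes.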

Australia (ACSC) urges local citizens to be vigilant against cyber attacks. The so-called copy-paste compromises – 18th June 2020

Preface: Australia’s government and institutions are being targeted by ongoing sophisticated state-based cyber hacks, Prime Minister Scott Morrison says. Mr Morrison did not name specific cases but said the attacks had spanned “government, industry, political organizations, education, health, essential service providers and operators of other critical infrastructure”. 19th June 2020

Technical details: Long story short, the nickname of this attack is ‘Copy-Paste Compromises’. It derives from the attacker’s heavy use of proof-of-concept exploit code, web shells and other tools copied almost identically from open source. For more details, please refer to the link below to download the report.

https://www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises.pdf

Attack highlights: Web shells are difficult to detect because attackers modify them easily and often employ encryption, encoding and obfuscation. When a potential web shell is detected, administrators should validate the file’s origin and authenticity.

Recommendation: In normal circumstances, with a locked-down firewall rule (deny any source to any destination), it is hard to do the analysis by eyeball. But this attack vector is aimed at Australia, so to avoid a cyber attack on your firm, firewall administrators should check their SIEM to see whether it can find hints of it. If no such facility is installed, perhaps export the web server log and see whether you can find details of the attack activity.
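Both the .NET post above (web shells dropped on an ASP.NET site) and the ACSC advice to validate a suspected web shell's origin and authenticity come down to one control: knowing which files belong in the web root. The following is an added example, not code from the original posts or from ACSC, of a file-integrity baseline in Python. It hashes every file under a deployment, then reports files that have been added, modified or removed, and singles out added or modified files with a server-side script extension, which is where a web shell would land. The web root contents and the post-compromise changes are constructed for the demonstration; the script extension list is an assumption a site would tune to its own stack.

```python
import hashlib
import os
import tempfile

# Extensions the web server executes; an unexpected file of this kind is the
# classic web shell indicator. Assumed list, adjust to the stack in use.
SCRIPT_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asax", ".php", ".jsp"}


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(webroot):
    """Map every file under webroot (relative path, forward slashes) to its SHA-256.
    In practice this is recorded from a known-good deployment and kept off-host."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, webroot).replace(os.sep, "/")
            baseline[rel] = sha256_of(full)
    return baseline


def audit_webroot(webroot, baseline):
    """Compare the live tree against the baseline. Returns a dict with sorted
    'added', 'modified' and 'removed' lists plus 'suspicious': added or modified
    files whose extension the server would execute."""
    current = build_baseline(webroot)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    suspicious = sorted(p for p in added + modified
                        if os.path.splitext(p)[1].lower() in SCRIPT_EXTENSIONS)
    return {"added": added, "modified": modified, "removed": removed, "suspicious": suspicious}


def demo():
    """Constructed web root: baseline it, then simulate a new .aspx page being
    dropped and an existing config being edited, and audit the result."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "_layouts"))
        with open(os.path.join(root, "_layouts", "default.aspx"), "w") as f:
            f.write('<%@ Page Language="C#" %>\n<html></html>\n')
        with open(os.path.join(root, "web.config"), "w") as f:
            f.write("<configuration/>\n")
        baseline = build_baseline(root)
        # Simulated post-compromise changes (benign placeholder content).
        with open(os.path.join(root, "_layouts", "help.aspx"), "w") as f:
            f.write('<%@ Page Language="C#" %>\n')
        with open(os.path.join(root, "web.config"), "a") as f:
            f.write("<!-- changed -->\n")
        return audit_webroot(root, baseline)
```

Run against a real site, `audit_webroot` is what turns "validate the file's origin" into a mechanical check: anything in `suspicious` that the deployment pipeline did not produce needs an explanation, and a modified `web.config` is worth a look even though it is not executable.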

Machine learning vulnerability – VU#425163 (4th Jun 2020)

Preface: Artificial intelligence applies machine learning and other techniques to solve problems. Will AI impact humans?

Background: You can use a machine learning model to get predictions on new data for which you do not know the target. For instance, AWS is developing AI technology to predict cyber attacks, especially email spam, email phishing, etc. Amazon ML supports three types of ML models: binary classification, multiclass classification and regression. The type of model you should choose depends on the type of target that you want to predict.
The learning rate is a constant value used in the Stochastic Gradient Descent (SGD) algorithm. If stochastic gradient descent is used to find a global minimizer for the broadly defined set of representing neural networks, then the fitted neural network approximation will be vulnerable to adversarial manipulation.

What is an adversarial attack?
Adversarial examples are inputs to machine learning models that an attacker has intentionally designed to cause the model to make a mistake; they’re like optical illusions for machines.
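To make the two paragraphs above concrete, here is an added example (not from the original post or the CERT note) in plain Python: a logistic-regression classifier is fitted with SGD at a fixed learning rate, then an adversarial input is produced by the fast gradient sign method, which nudges each feature by `eps` in the direction that increases the loss. For a linear model the maths is exact, so the block also computes the smallest perturbation radius that can flip a given point, `|w·x + b| / ||w||_1`; a perturbation below that bound provably cannot change the prediction, which is the check a defender can run on inputs that matter. The training data and the probe point are constructed.

```python
import math

# Constructed, linearly separable 2-D training set: class 1 near (2, 2), class 0 near (-2, -2).
DATA = [([2.0, 2.0], 1), ([1.5, 2.5], 1), ([2.5, 1.5], 1),
        ([-2.0, -2.0], 0), ([-1.5, -2.5], 0), ([-2.5, -1.5], 0)]


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def logit(w, b, x):
    return w[0] * x[0] + w[1] * x[1] + b


def train_sgd(data, lr=0.1, epochs=200):
    """Stochastic gradient descent on the logistic loss; lr is the learning rate
    the post refers to. Deterministic: samples are visited in fixed order."""
    w, b = [0.0, 0.0], 0.0
    for _ in range(epochs):
        for x, y in data:
            g = sigmoid(logit(w, b, x)) - y  # d(loss)/d(logit)
            w[0] -= lr * g * x[0]
            w[1] -= lr * g * x[1]
            b -= lr * g
    return w, b


def predict(w, b, x):
    return 1 if logit(w, b, x) > 0 else 0


def sign(v):
    return 1.0 if v > 0 else (-1.0 if v < 0 else 0.0)


def fgsm(w, b, x, y, eps):
    """Fast gradient sign method: move x by eps along the sign of the loss gradient,
    i.e. inside an L-infinity ball of radius eps. For a linear model the gradient
    of the logistic loss with respect to x is (p - y) * w."""
    g = sigmoid(logit(w, b, x)) - y
    return [x[0] + eps * sign(g * w[0]), x[1] + eps * sign(g * w[1])]


def min_flip_radius(w, b, x):
    """Smallest L-infinity perturbation that can cross the decision boundary of a
    linear model: |w.x + b| / ||w||_1. Any eps below this cannot change predict()."""
    return abs(logit(w, b, x)) / (abs(w[0]) + abs(w[1]))


def demo():
    """Fit the model, then attack a constructed probe point that sits close to the
    boundary. Returns (clean prediction, prediction at 2x the flip radius,
    prediction at half the flip radius)."""
    w, b = train_sgd(DATA)
    x, y = [0.3, 0.3], 1
    r = min_flip_radius(w, b, x)
    return (predict(w, b, x),
            predict(w, b, fgsm(w, b, x, y, 2 * r)),
            predict(w, b, fgsm(w, b, x, y, 0.5 * r)))
```

The probe point is classified correctly, a perturbation twice the flip radius changes the answer, and one at half the radius does not; a neural network has no such closed-form bound, which is why the CERT note's concern is harder to dismiss there.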

Official article: please refer to the following link: https://kb.cert.org/vuls/id/425163

Do you know the weaknesses of the IP-in-IP design? 2nd Jun 2020.

Background: An IPIP tunnel is typically used to connect two internal IPv4 subnets across the public IPv4 internet. It has the lowest overhead but can only carry IPv4 unicast traffic.

Vulnerability details: The vulnerability is due to the affected device unexpectedly decapsulating and processing IP-in-IP packets that are destined to a locally configured IP address. An attacker could exploit this vulnerability by sending a crafted IP-in-IP packet to an affected device. Should you be interested in the actual impact, please refer to the attached diagram.

Remedy: Users can block IP-in-IP packets by filtering IP protocol number 4 (IPv4 encapsulation – RFC 2003).
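The remedy is a filter on IP protocol number 4, and the vulnerable behaviour is "decapsulate anything addressed to me". The following is an added example in Python (not from the original post or the CERT note) that shows both sides: a minimal IPv4 header parser, a classifier that drops IP-in-IP packets addressed to a local interface unless the outer source is a configured tunnel peer, and a builder for constructed test packets. Addresses are from documentation ranges and the checksum is left at zero, since nothing here is put on a wire.

```python
import ipaddress
import struct

IPPROTO_IPIP = 4  # RFC 2003: IPv4 encapsulated in IPv4
_HDR = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header


def parse_ipv4_header(buf):
    """Parse the fixed part of an IPv4 header. Returns a dict, or None if the
    buffer is too short, not version 4, or claims an IHL the buffer cannot hold."""
    if len(buf) < 20:
        return None
    vihl, _tos, _total, _ident, _flags, ttl, proto, _csum, src, dst = struct.unpack(_HDR, buf[:20])
    version, ihl = vihl >> 4, (vihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(buf) < ihl:
        return None
    return {"ihl": ihl, "ttl": ttl, "proto": proto,
            "src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)),
            "payload": buf[ihl:]}


def classify_packet(buf, local_addresses, allowed_tunnel_peers=frozenset()):
    """Return ('drop' | 'accept', reason). Implements the advisory's remedy:
    an IP-in-IP packet aimed at one of our own addresses is dropped unless its
    outer source is a peer we deliberately tunnel with."""
    outer = parse_ipv4_header(buf)
    if outer is None:
        return "drop", "malformed IPv4 header"
    if outer["proto"] != IPPROTO_IPIP:
        return "accept", "not IP-in-IP"
    inner = parse_ipv4_header(outer["payload"])
    if inner is None:
        return "drop", "IP-in-IP with malformed inner header"
    if outer["dst"] in local_addresses and outer["src"] not in allowed_tunnel_peers:
        return "drop", "IP-in-IP from non-peer %s to local %s (inner %s -> %s)" % (
            outer["src"], outer["dst"], inner["src"], inner["dst"])
    return "accept", "IP-in-IP from configured tunnel peer"


def build_ipv4(src, dst, proto, payload, ttl=64):
    """Build a minimal IPv4 packet for tests (no options, checksum zero)."""
    hdr = struct.pack(_HDR, 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def demo():
    """Constructed traffic: an unsolicited IP-in-IP packet to our address, the same
    packet from a configured peer, a plain UDP packet, and a truncated packet."""
    local = {"192.0.2.1"}
    inner = build_ipv4("10.0.0.5", "10.0.0.1", 17, b"\x00" * 8)      # inner UDP datagram
    tunneled = build_ipv4("203.0.113.9", "192.0.2.1", IPPROTO_IPIP, inner)
    plain = build_ipv4("198.51.100.7", "192.0.2.1", 17, b"\x00" * 8)
    return (classify_packet(tunneled, local)[0],
            classify_packet(tunneled, local, {"203.0.113.9"})[0],
            classify_packet(plain, local)[0],
            classify_packet(tunneled[:25], local)[0])
```

On a real device the equivalent is an ACL line on protocol 4 with the tunnel peer as the only permitted source; the classifier above makes explicit why that line is needed, since an unfiltered stack happily unwraps the inner header.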

For the official announcement, please refer to the following link: https://kb.cert.org/vuls/id/636397

Data breach spreads to banking enterprises; no exception for Bank of America – 28th May 2020.

Background: The PPP provides small businesses with forgivable loans of up to $10 million per company (8 weeks of payroll). The program was launched on April 3, 2020; it is a forgivable loan program offered primarily to help businesses deal with the adverse consequences of COVID-19.

Point of view: Cybercrooks leveraged malicious macros hidden inside XML files to distribute the Dridex financial malware a few years ago, back in 2015. From my point of view, the incident this time has similarities.

Possibility: Based on the features below, we can predict that the attacker may rely on a design weakness in this feature to conduct the attack.

Accessing E-Tran – E-Tran options:
• loan data file transfer in XML format (from a software vendor’s product or from a bank’s proprietary system) to the SBA’s E-Tran database
• a web page where lenders can enter loan information on individual loans

One of the ways: XML injection attacks typically occur like this: an attacker injects malicious JavaScript markup as escaped text into an XML document. The XML document is then parsed by an XML application. Later, the content of the XML element that contains the malicious JavaScript markup is used as input data for a website.
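The paragraph describes two separate failures: the XML document is assembled from untrusted strings, and the parsed text is later written into a web page without escaping. The following is an added example in Python (not code from the original post, and not the SBA's E-Tran or any bank's software) that shows both. A loan record built by string concatenation lets a crafted borrower name inject a second `<amount>` element, while the same record built with ElementTree keeps the name as inert text; rendering the field with `html.escape` is what stops escaped script markup from becoming live script when it reaches a browser. The loan data and the injected strings are constructed for the demonstration.

```python
import html
import xml.etree.ElementTree as ET


def build_loan_xml_unsafe(borrower, amount):
    """Vulnerable pattern: raw concatenation, so a borrower string can close the
    <borrower> element and open elements of its own (XML injection)."""
    return "<loan><borrower>%s</borrower><amount>%s</amount></loan>" % (borrower, amount)


def build_loan_xml_safe(borrower, amount):
    """Safe pattern: the serializer escapes <, > and & in text nodes, so the
    borrower string can only ever be the text of its own element."""
    loan = ET.Element("loan")
    ET.SubElement(loan, "borrower").text = borrower
    ET.SubElement(loan, "amount").text = str(amount)
    return ET.tostring(loan, encoding="unicode")


def parse_loan(xml_text):
    """What a downstream XML application would see: first borrower, first amount,
    and how many child elements the record actually carries."""
    root = ET.fromstring(xml_text)
    return {"borrower": root.findtext("borrower"),
            "amount": root.findtext("amount"),
            "child_count": len(list(root))}


def render_borrower_html(borrower):
    """Render the parsed field for a web page. html.escape turns any markup in the
    stored text back into literal characters, which is the second fix the
    paragraph above calls for."""
    return "<td>%s</td>" % html.escape(borrower, quote=True)


def demo():
    """Constructed inputs: a borrower name that injects an <amount> element, and a
    borrower name carrying script markup. Returns the parsed amount via the unsafe
    builder, via the safe builder, and the rendered HTML for the script case."""
    injected_name = "Acme</borrower><amount>9999999</amount><borrower>x"
    unsafe = parse_loan(build_loan_xml_unsafe(injected_name, 10000))
    safe = parse_loan(build_loan_xml_safe(injected_name, 10000))
    rendered = render_borrower_html("<script>x()</script>")
    return unsafe["amount"], safe["amount"], rendered
```

With the unsafe builder the downstream parser reports the attacker's amount first; with the safe builder the record still has exactly two children and the odd-looking name is just a name. Note that parsing safely is not the same as rendering safely: the text survives the parse intact, so the web layer must escape it again on output.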

Official announcement – please refer to the following link: https://oag.ca.gov/system/files/2020-3523_Privacy_Notification_Final_Template%20%28P%29.pdf

eBayer, are you aware of someone behind you? 25th May 2020

Preface: A host discovery function is embedded in the detection and vulnerability scan service. Under normal circumstances, since you are on a private network, there is no objection to this setting.

Synopsis: When visiting eBay, a script runs that performs a local port scan of your computer to detect remote support and remote access applications, said Bleeping Computer.

Verification: Refer to the “Bleeping Computer” article (https://www.bleepingcomputer.com/news/security/ebay-port-scans-visitors-computers-for-remote-access-programs/). There is already a script on the eBay front-end web portal that has a scanning function; please refer to the following URL (https://src.ebay-us.com/fp/check.js?org_id=usllpic0&session_id=1). Apart from that, this matter lured my interest in the details. Following my analysis steps, I also found that the current user profile has a design weakness (SQL injection). Perhaps this issue is only detected when the user is logged in. Now let us return the focus to the scan function. From a technical point of view, there is no 100% guarantee that the existing protection mechanism can avoid session fixation, so eBay should be aware of it. For the details of session fixation, please refer below:

Wiki: Session fixation is an attack that permits an attacker to hijack a valid user session. The attack exploits a limitation in the way the web application manages the session ID, more specifically the vulnerable web application.

Comment: I have been an eBayer since 2000. However, I could not find any official announcement that eBay is going to scan my device. Perhaps I am not the only one with this unsatisfied feeling.
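The session fixation definition quoted above is easier to reason about with the two server-side login patterns side by side. The following is an added example in Python (not code from the original post, and not eBay's implementation): a minimal session table with a login routine that authenticates the session ID the client presented, which is the fixation-prone pattern, and one that discards that ID and issues a fresh one on successful authentication, which is the standard mitigation. The "planted" session ID is a constructed stand-in for an ID an attacker has managed to set in the victim's browser beforehand.

```python
import secrets


class SessionStore:
    """Minimal server-side session table keyed by the cookie value."""

    def __init__(self):
        self._sessions = {}

    def new_session(self):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def login_fixation_prone(self, sid, user):
        """Vulnerable pattern: mark whatever session ID the client presented as
        authenticated. If the attacker chose that ID, they now own the session."""
        sess = self._sessions.setdefault(sid, {"user": None})
        sess["user"] = user
        return sid

    def login_safe(self, sid, user):
        """Safe pattern: on successful authentication, drop the presented ID and
        issue a fresh unguessable one, so a pre-planted ID never becomes an
        authenticated session. The caller must set the new cookie."""
        self._sessions.pop(sid, None)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {"user": user}
        return new_sid


def demo(safe):
    """Simulate the attack: the attacker knows 'planted-id' and the victim then
    logs in presenting it. Returns True if the attacker's known ID now maps to
    the victim's authenticated session (i.e. fixation succeeded)."""
    store = SessionStore()
    planted = "planted-id"  # constructed: an ID the attacker fixed in the victim's browser
    if safe:
        store.login_safe(planted, "victim")
    else:
        store.login_fixation_prone(planted, "victim")
    sess = store.get(planted)
    return sess is not None and sess["user"] == "victim"
```

The rotation in `login_safe` is the whole defence: the ID the attacker knows is gone the moment the victim authenticates, regardless of how it was planted. Any site that reuses the pre-login session ID after login, whatever else it scans for, keeps the weakness.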

An issue was discovered in SmartBear ReadyAPI SoapUI Pro 3.2.5 (20th May 2020)

Preface: SmartBear ReadyAPI and SoapUI are automated testing tools that you can use to create functional and security tests for web service APIs. The easiest way to run ReadyAPI tests from Azure DevOps is to use the SoapUI Pro for Azure DevOps task.

Background: The ReadyAPI platform accelerates functional, security and load testing of RESTful, SOAP, GraphQL and other web services right inside the CI/CD pipeline. DevOps teams are no strangers to it.

Vulnerability details: A security expert found a possible way to conduct a cyber attack when an insider threat occurs. The threat perpetrator can figure out the target’s license setup. If the victim deployed ReadyAPI with a remote floating license, they can exploit a design weakness in the licensing server: the communication between ReadyAPI and the license server uses the Java RMI protocol on port 1099 without transport security. Meanwhile, Java RMI and the underlying JRMP protocol rely heavily on Java serialization to transport method arguments, return values and exception data. The problem is that there is no way to know what you are deserializing before you have decoded it, so an attacker can serialize a bunch of malicious objects and send them to your application.

Remedy: Allow deserialization, but make it impossible for attackers to create instances of arbitrary classes.
For instance, limit the input to a maximum of 10 embedded objects and 50 bytes of input. Besides that, the official remedy has not been released yet.
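The remedy above is a deserialization filter: an allow-list of classes plus a size bound. The following is an added example that applies the same idea to Python's `pickle`, whose `Unpickler.find_class` hook is the equivalent of the class-resolution step that a Java filter intercepts; it is not SmartBear's code and not Java, but the control is the same. Only one constructed application class is allowed, any other class reference aborts the load before an instance is created, and oversized payloads are refused up front. The payload size limit is an assumed value.

```python
import fractions
import io
import pickle


class LicenseRequest:
    """Constructed application type: the one thing this endpoint expects to receive."""

    def __init__(self, product, seats):
        self.product, self.seats = product, seats


# Allow-list of (module, class) pairs the unpickler may resolve. Everything else,
# including standard-library types, is refused before any object is built.
ALLOWED = {(LicenseRequest.__module__, "LicenseRequest")}
MAX_BYTES = 4096  # assumed bound; the post's example uses 50 bytes for its protocol


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        # Called for every global/class reference in the stream; this is the
        # point where "arbitrary class instantiation" is either allowed or not.
        if (module, name) in ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError("class %s.%s is not allowed" % (module, name))


def safe_loads(data):
    """Deserialize untrusted bytes under the allow-list and size bound."""
    if len(data) > MAX_BYTES:
        raise pickle.UnpicklingError("payload of %d bytes exceeds limit" % len(data))
    return RestrictedUnpickler(io.BytesIO(data)).load()


def demo():
    """Constructed payloads: a legitimate request, and a harmless but unexpected
    class (fractions.Fraction) standing in for anything not on the allow-list.
    Returns (product, seats, unexpected class rejected?)."""
    ok = safe_loads(pickle.dumps(LicenseRequest("ReadyAPI", 5)))
    try:
        safe_loads(pickle.dumps(fractions.Fraction(1, 2)))
        rejected = False
    except pickle.UnpicklingError:
        rejected = True
    return ok.product, ok.seats, rejected
```

The important property is where the check happens: `find_class` runs before the object exists, so a disallowed type never gets a constructor or a `__reduce__` callback invoked. A size bound alone would not give that guarantee; the allow-list alone would not stop resource exhaustion; the remedy quoted above combines both.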

Hackers target EU supercomputers – 19th May 2020

Preface: What if your computer is slow? Perhaps it is a sign of malware infection. This scenario also applies to modern supercomputers; perhaps because they are so powerful, no one notices. This is only an assumption. However, a modern supercomputer can be infected by malware. Why? Because part of the modern supercomputer runs a Linux OS.

Details: It is true. For instance, Cray has a Cluster Compatibility Mode, which is a standard x86/Linux environment. Several affected labs said that only the login portal to the supercomputer was affected, according to Swissinfo.ch. Hackers will be more interested in scientific research results in this period. In this case, how did the attacker try to infect the supercomputer? Please refer to the attached drawing. As usual, the attack entry point is the login portal, but the attacker has to infect the client workstation in the beginning phase. For example, a cryptocurrency-mining malware shell script is saved as /bin/httpdns, and a scheduled task is created to run /bin/httpdns every hour. But it needs the right time to land the script.
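The persistence mechanism described above (a script dropped under /bin and run hourly from cron) is something a login-node administrator can look for. The following is an added example in Python, not from the original post or any of the affected labs, that parses user-crontab text and reports jobs whose executable is not in a baseline of known scheduled tasks, noting when the job runs from a writable or temporary location or on an hourly schedule. The crontab content and the baseline are constructed; a real deployment would derive the baseline from configuration management and would also review /etc/cron.d and system crontabs, which carry an extra user column this parser does not handle.

```python
import re

# Matches a user-crontab line: five schedule fields, or an @keyword, then the command.
CRON_LINE = re.compile(r"^(@\w+|\S+\s+\S+\s+\S+\s+\S+\s+\S+)\s+(.*)$")
HOURLY = re.compile(r"^\d+\s+\*\s+\*\s+\*\s+\*$")  # "M * * * *"

# Locations any local user can write to; a scheduled job there is a strong signal.
WRITABLE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")

# Constructed baseline of the scheduled jobs this host is supposed to run.
KNOWN_GOOD = {"/usr/bin/updatedb", "/usr/sbin/logrotate", "/usr/bin/certbot"}

# Constructed crontab text, including the hourly entry from the post.
SAMPLE_CRONTAB = """\
MAILTO=root
# nightly locate database refresh
0 3 * * * /usr/bin/updatedb
0 * * * * /bin/httpdns
*/10 * * * * /tmp/.x/run.sh
@daily /usr/sbin/logrotate /etc/logrotate.conf
"""


def parse_crontab(text):
    """Return [{'schedule': ..., 'command': ...}] for each job line, skipping
    blanks, comments and VAR=value assignments."""
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        m = CRON_LINE.match(line)
        if m:
            jobs.append({"schedule": m.group(1), "command": m.group(2)})
    return jobs


def review_crontab(text, known_good=KNOWN_GOOD):
    """Report every job whose executable is not in the baseline, with reasons.
    Returns a list of (schedule, executable, [reasons]) in crontab order."""
    findings = []
    for job in parse_crontab(text):
        exe = job["command"].split()[0]
        if exe in known_good:
            continue
        reasons = ["not in baseline of known scheduled jobs"]
        if exe.startswith(WRITABLE_PREFIXES):
            reasons.append("runs from a writable/temporary location")
        if job["schedule"] == "@hourly" or HOURLY.match(job["schedule"]):
            reasons.append("runs every hour")
        findings.append((job["schedule"], exe, reasons))
    return findings


def demo():
    """Review the constructed crontab; returns the flagged executables."""
    return [exe for _schedule, exe, _reasons in review_crontab(SAMPLE_CRONTAB)]
```

A baseline comparison is deliberately the first test: the dropped script in the post has a plausible-looking name and lives in a system directory, so a heuristic on path or name alone would miss it, whereas "this job was never provisioned" does not.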

Headline news: https://www.swissinfo.ch/eng/bloomberg/hackers-target-european-supercomputers-researching-covid-19/45764250

Is it a cyber attack or a design change? (Sunday, May 17, 2020 (EDT))

Preface: High-level state-backed APT groups wreak havoc on the cyber world. Does this attack happen only over a short time, or will it become a constant activity?

Security focus: Information technology professionals rely on DHS (US Homeland Security) news updates as a standard security alert indicator. For example, I am a follower. I found tonight that the cyber security main page has changed. To be honest, my observation told me that it is not normal. Regarding the web page design, it shows that it does not use an iFrame. However, the website layout looks strange. I do not want to use the term “broken” to describe it. Because of this, I took a look at the header information. It showed me that it is running Drupal.

Anyway, it is recommended to remove this disclosure information. Perhaps the method is straightforward: the simplest way is to remove the header in a custom EventSubscriber. Please refer to the diagram. The official information is shown at the following URL: https://drupal.stackexchange.com/a/201297/47547

The problem has now been fixed by Homeland Security – 18th May 2020 – HKT