Category Archives: Under our observation

Reflections – New 5G network edge server design

NSA Senior Cybersecurity Advisor questions Bloomberg Businessweek’s China iCloud spy chip claim (see below url)

http://macdailynews.com/2018/10/10/nsa-senior-cybersecurity-advisor-questions-bloomberg-businessweeks-china-icloud-spy-chip-claim/

Now we take a quick discussion but do not related to conspiracy. From technical point of view, if hardware is polluted (spy feature). It is hard to imagine what the impact was?

In the SD-branch, routing, firewall, and WAN optimization are provided as virtual functions in a cloud-like NaaS model, replacing expensive hardware. As a result, the telephone company will use SD-branch to provide virtual CPE and unversal CPE services.

Meanwhile uCPE consists of software virtual network functions (VNFs) running on a standard operating system hosted on an open server. So uCPE in reposible of very import role in future technology. What if there is vulnerability occurs in this place. It make the problem worst, complicated!

Supermicro Designs New Open Software-Defined Networking (SDN) Platform Optimized for 5G and Telco Applications and Launches verified Intel® Select Solution for uCPE

http://ir.supermicro.com/news-releases/news-release-details/supermicro-designs-new-open-software-defined-networking-sdn

Advisory on PHP Vulnerabilities – 12th Oct 2018

The Multi-State Information Sharing & Analysis Center (MS-ISAC) has released an advisory on multiple Hypertext Preprocessor (PHP) vulnerabilities today (refer below url):

https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-php-could-allow-for-arbitrary-code-execution_2018-113/

Perhaps PHP program version will make you frustrated. Why? The vulnerabilities addressed by MS-ISAC only for Version 7.2.11 & Version 7.1.23. However there is another fix coming soon (see below):

PHP 7.1.24

Core:

Fixed bug #76946 (Cyclic reference in generator not detected)

Date: unknown

Fixed bug #75851 (Year component overflow with date formats “c”, “o”, “r” and “y”). (Adam Saponara)

FCGI:

Fixed bug #76948 (Failed shutdown/reboot or end session in Windows).

(Anatol)

Fixed bug #76954 (apache_response_headers removes last character from header

name). (stodorovic)

FTP:

. Fixed bug #76972 (Data truncation due to forceful ssl socket shutdown).

(Manuel Mausz)

intl:

. Fixed bug #76942 (U_ARGUMENT_TYPE_MISMATCH). (anthrax at unixuser dot org)

Standard:

. Fixed bug #76965 (INI_SCANNER_RAW doesn’t strip trailing whitespace).

(Pierrick)

XML:

. Fixed bug #30875 (xml_parse_into_struct() does not resolve entities).

Should you have interested, please review above diagram. PHP look likes a game.

Five publicly available tools, which have been used for malicious purposes – Oct 2018

US-Cert urge that there are total five publicly available tools, which have been used for malicious purposes in recent cyber incidents around the world (see below):

Remote Access Trojan: JBiFrost
Webshell: China Chopper
Credential Stealer: Mimikatz
Lateral Movement Framework: PowerShell Empire
C2 Obfuscation and Exfiltration: HUC Packet Transmitter

RSA found a malware in 2017 and explore remote access Trojan (RAT) feature with advanced invisible feature.

In this short discussion, I am going to focus the RAT (JBiFrost). Adzok is famous in dark web.

We seen malware exploits the Java archives.

A JAR (Java archive) is a package file format. It can be used as Java library or as standalone application. He is easy to change the shape to evade the detection.

Adzok proviced free download version. Some antivirus vendor already has defensive to avoid the infiltration.

Friendly reminder that still have some vendor do not have this malware signature.

Could ring 2 have the same momentum as a IoT backdoor?

Preface:

In x86 protected mode, the CPU is always in one of 4 rings. The Linux kernel only uses 0 and 3:

  • 0 for kernel
  • 3 for users

Hidden janitor living in your computer

SMM is triggered through a System Management Interrupt (SMI), a signal sent from the chipset to the CPU. During platform initialization, the firmware configures the chipset to cause a System Management Interrupt for various events that the firmware developer would like the firmware to be made aware of.

Whether you remember the Intel chipsets for some years have included a Management Engine?

On May 2017, an official announcement by Intel, design found a design limitation on their product. The problem is that Intel Active Management Technology, Intel Small Business Technology, and Intel Standard Manageability encountered vulnerability (escalation of Privilege). Reference url shown as below:

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00075.html

If we are not talking about conspiracy, it looks that backdoor appear in the chipset not a rumour. It is a true statement.

Why Ring 2 isn’t used?

Rings 1 and 2 is for the OS to put device drivers at that level, so they are privileged, but somewhat separated from the rest of the kernel code.

An exploitation on Ring 2

We strongly believe that the person who familiar of code for the UEFI kernel and SMM half kernel is the CPU manufacturer. Both components are run on Ring 2. Above mentioned Intel design flaw run in Ring -2 OS (UEFI). UEFI can run in 32-bit or 64-bit mode and has more addressable address space than BIOS, which means your boot process is faster. Unified Extensible Firmware Interface (UEFI) is a specification for a software program that connects a computer’s firmware to its operating system (OS). UEFI is expected to eventually replace BIOS. Like BIOS, UEFI is installed at the time of manufacturing and is the first program that runs when a computer is turned on. Dual boot computer with Windows and Linux conducted by UEFI firmware. But UEFI firmware has become a target for hackers.

Refer to above diagram, we notice that the condition of Ring 2 will be depends on operation mode. So, if virtualization assist by hardware will let Ring 2 and Ring 3 work together. As a result, an attacker with write access to flash can inject malware into the firmware.

Remark: Malware injected into the firmware flash regions is persistent and will run on every subsequent boot.

SPI Flash Exploit – Malicious DXE drivers can disable security settings and install malicious code into the OS.

Additional:

Refer to above information. When a computer was installed and switched on, the microchip altered the operating system’s core so it could accept modifications. The chip could also contact computers controlled by the attackers in search of further instructions and code.

But who is the culprit, no further indicator proof. Perhaps it can shift the blame onto someone else. If you do not mind to read the articles announced by Bloomberg once more. Please refer below:

https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies

About cyber security threats in aero industry – Oct 2018

DHS has few critical cyber security announcement few days ago. Some technical articles may bring the practitioner attentions. Do you read technical article “Threats to Precision Agriculture” yet? My personal opinion is that the prediction of cyber attack scenario not only happen in agriculture. It may have happen in aero industry. Real-time kinematic (RTK) positioning is a technique used to enhance the precision of position data derived from satellite -based systems. The GPS system is now considered a “crosssector dependency” for the Department of Homeland Security’s (DHS) 16 designated critical infrastructure sectors. GNSS is vulnerable to jamming and natural interference. When GNSS is denied, PNT information can be seriously affected in ways that increase risks to the safety of navigation. It is hard to avoid Microsoft operating system integrate to critical system infrastructure nowadays. Microsoft formalized Patch Tuesday schedule and zero day are the concerns of the world includes airline industry. What do you think? It looks that virtual patching service is the first choice in all IT industry coming year.

3rd Oct 2018 – Do you think they are APT 38?

The cyber attack hot topic we focus retail payment system (Fastcash campaign) and adobe product vulnerabilities this week. However an additional cyber security alert announced by DHS. Yes, it is a APT cyber attack activities.
APT processes require a high degree of covertness over a long period of time. If you habit to observe the online real time cyber attack statis map. It looks that cyber attack vector in north korea not in high volume. As far as we know, an APT usually targets either private organizations, states or both for business or political motives. Do you experience below malware actvities?

Can Hijack All Windows Versions
1. Target a legitimate x86 PE (Portable Executable)
2. Create a Windows Registry key with the name same as application he wants to hijack.
3. Provide custom DLL for inject into a legitimate process of application (legitimate x86 PE).
4. Once the custom DLL has been injected, windows OS will be compromised.

Whether we can blame Microsoft fifteen years old undocumented legitimate feature?

Should you have interest for APT 38. Below URL can provide the details.

https://www.fireeye.com/blog/threat-research/2018/10/apt38-details-on-new-north-korean-regime-backed-threat-group.html

Hypothesis – About the cyber attack on Port of Barcelona (Sep 2018)

We heard that the Port of Barcelona suffers an attack of hackers last week (20th Sep 2018). The logistics and transportation industry lure hackers’ interest because they can extort ransom.

There is no official or incident details announcement till today. The following details merely my personal imagination of this incident. Any resemblance to actual events or persons is entirely coincidental.

We noticed that Portic Barcelona uses WebLogic for Private PaaS in 2014. The solution aim to enhance the performance and facilitates interaction between its members through its information services to logistics agents and other customers.

What if below vulnerability occurs, do you think the scenario whether will have similarity to the incident.

ORACLE WEBLOGIC SERVER JAVA DESERIALIZATION REMOTE CODE EXECUTION VULNERABILITY (CVE-2018-2628) BYPASS

Headline News article for reference.

https://www.portseurope.com/barcelona-port-suffers-a-cyber-attack/

It is a hurricane, but it happen in cyber world – Multiple vulnerabilities in PHP (Sep 2018)

The United States and Asia were hit by hurricanes. It looks that the similar situation is happen in cyber world. MS-ISAC Releases Advisory on PHP Vulnerabilities urge technology world to staying alert. For more details, please refer below hyperlink:

https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-php-could-allow-for-arbitrary-code-execution_2018-101/

Hacker exploit the PHP design weakenss (Arbitrary Code Execution or RCE) for attack must fulfill below conditions.

  1. The application must have a class which implements a PHP magic method (such as __wakeup or __destruct) that can be used to carry out malicious attacks.
  2. Pass untrusted user input to unserialize() regardless of the options value of allowed_classes. Unserialization can result in code being loaded and executed due to object instantiation and autoloading.
  3. The data passed to unserialized comes from a file, so a file with serialized data must be present on the server.

Sep 2018 – Veeam MongoDB left unsecured, 440 million records exposed

Sanitization process is important in IT world. If without correct validation, it may allow malicious code pass to trust boundary. As a result it may causes remote code execution, SQL injection, trigger Zero day attack, ….etc. So…… Headline News this week. Should you have interest, my picture can tell my speculation.

https://www.scmagazine.com/home/news/veeam-mongodb-left-unsecured-440-million-records-exposed/

Vulnerability looks scary! However, as the variety and volume of data has increased in recent years, non-relational databases like MongoDB have arisen to meet the new needs of our fluid data.

Security Notification – Modicon M221 (Sep 2018)

Because many industries requires monitoring and control capabilities that SCADA offers. In most uses, SCADA is used to manage a physical process of Electric, Gas and water Utilities.We heard cyber security alert in SCADA facilities so far. As a citizen we cannot immagine how worst will be the incident happened. For instance once SCADA PLC compromised by hacker (malware).

Coolant in a nuclear reactor is used to remove heat generated from it. It flushes out heat to electrical generators and environment. But how to monitor the temperature. Deploy Schneider M221 can conduct the Electric Temperature Control.

On end of Aug 2018, vendor found design weakness on Modicon M221. For more details, please refer below URL.

https://www.schneider-electric.com/en/download/document/SEVD-2018-235-01/