Category Archives: Under our observation

Potential Risk of CVE, Under our observation

Security Focus – CVE-2019-0626 Microsoft Windows DHCP Server Remote Code Execution Vulnerability (12th Feb 2019)

Leave a comment

Preface: This vulnerability is included in MS Patch Tue this week. However the vulnerability is more critical than others. Since threat actor can be conduct a remote code execution through social engineering.

Technical highlight: The official announcement told that attacker could exploit the vulnerability by sending a DHCP packet that submits malicious input to the affected software because a design weakness occurs in software (DHCP server) which has a flaw of handles objects in memory. A successful exploit could allow the attacker to execute arbitrary code and compromise the system completely.

My observation: We did not found additional details of this vulnerability. My speculation is that whether windows 2008 DHCP server has non page memory leak flaw which causes this problem. What do you think?

Official remediation: CVE-2019-0626 | Windows DHCP Server Remote Code Execution Vulnerability

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0626

2019, IoT, Under our observation

Marvell Avastar wireless SoCs have multiple vulnerabilities – 5th Feb 2019

Leave a comment

Preface: The Marvell 88W8897A SoC (System on a Chip) is the industry’s first 802.11ac chip to combine Bluetooth 4.2, mobile MIMO (Multi-input Multi-output), transmit beamforming, and with built-in support for all screen projection technologies.

Technology Background:
Computer design primary focus on memory usage. Even though without an exception in SoC (System on a Chip) design.

Vulnerability found: During Wi-Fi network scans, an overflow condition can be triggered, overwriting certain block pool data structures.

Exploitation of vulnerability: Attacker can exploit ThreadX block pool overflow vulnerability to intercept network traffic or achieve code execution on the host system.

Remedy: Marvell encourages customer to contact their Marvell representative for additional support.

Remark: This vulnerability was post on headline news on mid of January 2019. However we could not found any positive responses announce by vendor.

Under our observation

Microsoft Exchange 2013 and newer are vulnerable to NTLM relay attacks – 28th Jan 2019

Leave a comment

Preface: EWS Push Subscription, you will get notifications as long as you respond to the server and acknowledge that you received the notification.

The CERT Coordination Center (CERT/CC) announcement – 29th Jan 2019: Microsoft Exchange 2013 and newer are vulnerable to NTLM relay attacks

Vulnerability detail: Exchange allows any user to specify a desired URL for Push Subscription, and the server will attempt to send notifications to this URL….. For more detail, please refer to attached diagram for reference.

Remedy:

  1. Disable EWS push/pull subscriptions.
  2. Remove privileges that Exchange has on the domain object.

Technical article for reference: https://www.kb.cert.org/vuls/id/465632/

Application Development, Under our observation

Who can you trust in the Internet world? Security Issues with LOAD DATA LOCAL in MySQL DB.

Leave a comment

Preface: Some organizations that use MySQL include GitHub, US Navy, NASA, Tesla, Netflix, WeChat, Facebook, Zendesk, Twitter, Zappos, YouTube,…etc

Background: Technology writer Ionut Ilascu alert that there is command in MySQL server could be use for steal the personal and web server data without a high level evasion technique.

Technical overview:
Security Issues with LOAD DATA LOCAL on MySQL DB server side:
Such a server could access any file on the client host to which the client user has read access.

Security Issues with LOAD DATA LOCAL on web server side:
In a Web environment where the clients are connecting from a Web server, a user could use LOAD DATA LOCAL to read any files that the Web server process has read access to.

Sounds scary. Should you have interest of this topic, please refer below url: https://dev.mysql.com/doc/refman/8.0/en/load-data-local.html

Uncategorized, Under our observation

Simple and powerful evasion technique – Threat actor will be exploit MS word document.

Leave a comment

Preface: Preface: Threat Intelligence vendor (FireEye) alert that Global DNS Hijacking Campaign rapidly growth. This storm affected dozens of domains belonging to government, telecommunications and internet infrastructure entities across the Middle East and North Africa, Europe and North America.

Synopsis: More information about the impact of this cyber attack.. Please refer to below url for reference. https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html

Reflection – The attack method:

Let us think that this kind of attack seems to happen in our daily lives. Perhaps sometime even though Defense mechanism not aware. Microsoft Office documents containing built-in macros is very useful and can become a Swiss army knife to hurt you. Macros are essentially bits of computer code, and historically they’ve been vehicles for malware. Should you have interest of this topic, attach diagram can provide high level overview for your reference.

Remark: Seems the SIEM endpoint event monitoring will be the effective remedy solution. However it might have involves confidential data label. So this part requires management review and separation of duties.

Cyber War, Under our observation, Virus & Malware

Analysis Reports by US Homeland Security – Legitimate open source remote administration tool re-engineer by threat actor as APT way of attack – Dec 2018

Leave a comment

Preface: Quasar, a legitimate open-source remote administration tool. It is a fast and light-weight remote administration tool coded in C#.

Background: APT actors have adapted Quasar and created modified minor (1.3.4.0) and major (2.0.0.0 and 2.0.0.1) versions. Since the re-engineering Quasar client will be mimics a Mozilla Firefox 48 browser running on Windows 8.1 or mimics an Apple Safari 7.0.3 browser running on Mac OS X 10.9.3 in order to evade IDS monitoring. However there are way lets security operation center find their fingerprint. The distinctive first 4 bytes of the payload can be used to identify Quasar traffic.

As a result, below analytic way can be enforce the detective control:
Signature 1: TCP Payload Size Tracking

Signature 2: IP Lookup User-Agent String, HyperText Transfer Protocol Header Host, and HyperText Transfer Protocol Header URI

Signature 3: Hidden HTTP Request User-Agent String and Time-to-Live

More details can be found below url: https://unit42.paloaltonetworks.com/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/

Under our observation

Virus, malware and ransomware may be can help mankind once AI develop become extreme.

Leave a comment

Preface: What is your expectation from our robot counterparts in the future?

Before Professor Stephen Hawking leave the world. The final warning for humanity: AI is coming for us. In the world now in preparing the 5G mobile technology, Big Data technology and Smart City. A silent force unintend to drive human go to next generation of world. We believe all the regime in the world now get into this competitions. A quick idea to you is that the term so called Smart or intelligence most likely are efficiency and productivity. All the components within the earth are running fast in the moment. But what is your expectation from our robot counterparts in the future? Because they are coming!

Why do we recommend thinking about it at this time?
For instance, the global surface temperature increases while climate change includes global warming and everything else. The extreme changes was began in mid 80’s. Why? Manufacturer cost allocation & development country boots up their power. Now we understand the impact. But seems too late!
So this is the right time to consider.

Reference: https://www.vox.com/future-perfect/2018/10/16/17978596/stephen-hawking-ai-climate-change-robots-future-universe-earth


2018, cyber security incident news highlight, Under our observation

Credit reporting agency TransUnion – personal data security flaw (Nov 2018)

Leave a comment

Preface:
Transunion offers total credit protection all in one place from credit score, credit report and credit alert. On June 25, 2015, TransUnion became a publicly traded company for the first time, trading under the symbol TRU.

Who is CreditGo?
CreditGo provides free access to credit circular reports and credit scores for Hong Kong residents. Meanwhile the credit information provided by CreditGo comes from TransUnion.

Data privacy leakage incident:
The Hong Kong arm of American consumer credit reporting agency TransUnion was forced to suspend its online services on Thursday after a local newspaper was easily able to access the personal data of the city’s leader and finance minister.

What is the reason?
Incorrect program logic from online web application cause database leak.

Remedy:
Suspend online services.

Comments:
Refer to attached diagram, it is hard to avoid your data personal privacy leakage since when bank or financial institute check the information of a person. It is because a duplicate copy will be generate.
Business world and our daily life is insane now!

Headline news:

https://www.scmp.com/news/hong-kong/hong-kong-economy/article/2175654/credit-agency-transunion-suspends-online-services

Application Development, System, Under our observation

SWIFT Customer Security Controls Framework

Leave a comment

 

Preface:

All SWIFT users must comply with the mandatory security controls by the end of 2018.

Objective:

Introduction of new controls or guidelines will take account of strong cybersecurity practices that address the currently known new and arising threats in order to pragmatically raise the security bar.

Technical details:

Mandatory Security Controls
1. Restrict Internet Access and Protect Critical Systems from General IT Environment
2. Reduce Attack Surface and Vulnerabilities
3. Physically Secure the Environment
4. Prevent Compromise of Credentials
5. Manage Identities and Segregate Privileges
6. Detect Anomalous Activity to Systems or Transaction Records
7. Plan for Incident Response and Information Sharing

Observation:
Swift system is on the way do the enhancement continuously. But do you think such continuous program will be effectively avoided cyber security attack? For instance Bangladesh heist.
It is hard to tell what is the next cyber attack challenge in the moment. Let’s keep our eye open. Stay tuned!

Reference:

Bank Negara Malaysia (Bank) detected and foiled a cybersecurity incident involving attempted unauthorized fund transfers using falsified SWIFT messages.

Potential Risk of CVE, Under our observation

Security Updates for SIPROTEC and SICAM Products (Oct 2018)

Leave a comment

Preface:

SIPROTEC and SICAM – Siemens products and solutions for protection engineering, station automation, power quality, and measurement – can be connected directly and easily to MindSphere and other cloud-based platforms.

What is MindSphere?
MindSphere is an open cloud platform or “IoT operating system” developed by Siemens for applications in the context of the Internet of Things. MindSphere stores operational data and makes it accessible through digital applications to allow industrial customers to make decisions based on valuable factual information.

Product Updates:
SICAM Q200 V2.40 firmware released with security-relevant updates
SICAM Q100 V1.30 firmware released with security-relevant updates

Question?
OpenSSL sources modified by Siemens issued on 11th Sep 2018.
However OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack (use variations in the signing algorithm recover the private key).
Above vulnerability with reference number CVE-2018-0734 announced on 30th Oct 2018.
It looks that there is a gap in between version. But it cannot confirm whether there is an impact?
Regarding to above technical details. Do you have any doubt?