Preface: Le Rouge et le Noir – Not a bad guy is good guy. If, the vulnerability is due to an integer overflow when handling Modbus traffic. Is it an early warning?

Background: The reason Modbus was so successful was the fact that it could be so readily understood by non-programmers. Engineers who built glue machines, meters, measuring devices, and such could easily understand the concept of coils/registers and the simple commands to read and write them.

About cyber attack: Modbus over serial is immune to any common malware attacks. But what methods will increase the risk of Modbus network attacks? See below：

I. MODBUS over TCP means a MODBUS RTU packet wrapped in a TCP packet.
II. MODBUS TCP means a MODBUS TCP packet wrapped in a TCP packet.

Perhaps a common idea will said Modbus driver might be vulnerable to attack. However, above two types of TCP communications methods are increasing the possibilities of attack. For instance, an attacker could sending crafted Modbus traffic attack a IDS. (This IDS device aim to protect the back-end HMI, PLC and SCADA infrastructure).
Due to implementation of decoding a message type incorrectly exposing a buffer overrun. This is equivalent a denial of service.

One of the possible ways to enhance validation in related IDS modules. (see below):

1. Check the crc, and if it isn’t correct ignore the request.
2. Check the validty of the data based on the function code.
3. Broadcast is not supported
4. Add bytes to expected request size (2 x Index, 2 x Count)

Due to PLC, the HMI for repair or mitigation is not so flexible because it affects industrial systems and/or related operating functions.
Sometimes even IIoT manufacturers cannot provide you with a clear upgrade roadmap. Therefore, installing IDS as detection and preventive control is an effective way to implement protection. This discussion does not focus on any IDS devices. If you have any related matters, it is recommended to listen to the supplier’s opinions.

End of writing.

Preface: dlopen() The function dlopen() loads the dynamic shared object (shared library) file named by the null-terminated string filename and returns an opaque “handle” for the loaded object.

Background: NGINX Plus provides a supported and tested version.Starting at $2500 per year. NGINX is an open source software. Dynamic modules add functionality to NGINX Plus such as geolocating users by IP address, resizing images and embedding NGINX JavaScript njs or Lua scripts into the NGINX Plus event‑processing model.
Modules are created both by NGINX and third‑party developers.

NGINX, at its core, is a collection of modules. Whether you are using core modules, like the http and stream modules. Or 3rd party module, like geoip or RTMP, they are using the same module framework.
With the addition of dynamic module support, modules are an even better way to add functionality to NGINX.

Details of attack: A new parasitic malware targets the popular Nginx web server, Sansec discovered. This novel code injects itself into a host Nginx application and is nearly invisible. For more details, please refer to the link – https://sansec.io/research/nginrat

Observation: We are also considering a special case in which libraries are loaded during execution by using dlopen() so that external function addresses can be obtained by using dlsym().

Remark: From technical point of view, the return addresses are only used with paired call/ret instructions and are not read or written by other instructions.

However, attackers can also exploit another source of code pointers, return addresses, to perform memory disclosure attacks.

Preface: In addition to cyber security attacks. Cloud service providers face different technical challenges, including software and hardware levels.

Background: Fastly is a company that provides content delivery network (CDN) services, mainly providing host static content and quickly showing it to Internet users. Fastly peers with other Internet Service Providers (ISPs) and Content Networks with IPv4 and IPv6 connectivity on Autonomous System (AS) 54113 for the purpose of exchanging traffic between these networks.

Service instability Report on October 4, 2021: It is reported that during the partial paralysis of Fastly CDN, Internet websites and services using the Fastly Content delivery Network (CDN) could not be used normally for more than an hour. Some users cannot access it directly, while others have entered an unexpected version of the website.

Their design attracted my attention: Fastly cloud distributed routing agent, called Silverton, which orchestrates route configuration within Fastly POPs. Silverton peers with the BGP daemon, BIRD, which interfaces with the outside internet. BIRD supports Internet Protocol version 4 and version 6 by running separate daemons. It establishes multiple routing tables,hand uses BGP, RIP, and OSPF routing protocols, as well as statically defined routes. If one service node have problem occurred which let the service up and down frequently (reboot). OSPF will update the routing table until completed. Whereby, it cause network traffic in slow response.

Current Status: Maybe we should wait for the supplier to announce the reason.

Preface: Twenty years ago, content filter firewalls were not popular. A quick way to harden the Microsoft Internet Information server is to delete all cmd commands to avoid network attacks.

Background: If you would like to run cmd in privileged mode. You have to do the following:

1. type “CMD” you can hit Ctrl+Shift+Enter to open as administration
2. Explorer – Hold Shift and right click on a folder, and choose “Open command window here”

To use multiple commands for , separate them by the command separator && and enclose them in quotation marks.

Vulnerability details: Expert found that special crafted payload will trigger a Stack Buffer Overflow in the NT Windows “cmd[.]exe” commandline interpreter. Furthermore, running file type especially [dot]cmd or [bot]bat will be risky. However, when cmd[.]exe accepts arguments using /c /k flags which execute commands specified by string, that will trigger the buffer overflow condition.

Above attack only exploit in local workstation. Do you think it can do it remotely? As far as I remember, if the situation is available. For example, Windows OS server encounter zero day or not patched.The netcat tool can do a remote command execution by CMD. Refer to attached diagram, if the stack buffer overflow run by tool to exploit by concept. Therefore this vulnerability will become more risky.

Observation: If your are using application firewall. It will drop the malicious traffic including netcat command automatically. Since this idea is still in concept stage. So, no need to worries.

Preface: Virtual patching acts as a safety measure against threats that exploit known and unknown vulnerabilities. Virtual patching works by implementing layers of security policies and rules that prevent and intercept an exploit from taking network paths to and from a vulnerability.

Background: This is so called Evasion Techniques. One of the first techniques that attackers use to avoid antivirus detection. The idea used by malware authors is do reverse engineering the software design. The goal is to obfuscate the defense mechanism detection. The files using de-assembly method for landing the victim workstation.

Create a hidden worksheet. Use a base 64 encoded to convert the exe to text. Store that text in worksheet cells on the hidden worksheet. Since there is a limit on the number of characters in a cell (32,767), cyber criminals need to break the string into chunks.

Security Focus: A Backdoor program (Backdoor.Win32.Wollf.h) was found in victim workstation. It has been rated as critical. Affected by this issue is some unknown functionality of the component Service Port 7614. Wollf backdoor creates a service named “wrm” and listens on TCP port 7614, there is no authentication allowing anyone to take over the infected system.

Workaround: Addressing this vulnerability is possible by firewalling or MSSP can be used to assist in implementing virtual patches to solve this problem.

Infection channel: Excel file with malicious code embedded in email attachment.