Category Archives: Under our observation

cyber security incident news highlight, Under our observation

Hypothesis – About the cyber attack on Port of Barcelona (Sep 2018)

We heard that the Port of Barcelona suffers an attack of hackers last week (20th Sep 2018). The logistics and transportation industry lure hackers’ interest because they can extort ransom.

There is no official or incident details announcement till today. The following details merely my personal imagination of this incident. Any resemblance to actual events or persons is entirely coincidental.

We noticed that Portic Barcelona uses WebLogic for Private PaaS in 2014. The solution aim to enhance the performance and facilitates interaction between its members through its information services to logistics agents and other customers.

What if below vulnerability occurs, do you think the scenario whether will have similarity to the incident.

ORACLE WEBLOGIC SERVER JAVA DESERIALIZATION REMOTE CODE EXECUTION VULNERABILITY (CVE-2018-2628) BYPASS

Headline News article for reference.

https://www.portseurope.com/barcelona-port-suffers-a-cyber-attack/

Under our observation

It is a hurricane, but it happen in cyber world – Multiple vulnerabilities in PHP (Sep 2018)

The United States and Asia were hit by hurricanes. It looks that the similar situation is happen in cyber world. MS-ISAC Releases Advisory on PHP Vulnerabilities urge technology world to staying alert. For more details, please refer below hyperlink:

https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-php-could-allow-for-arbitrary-code-execution_2018-101/

Hacker exploit the PHP design weakenss (Arbitrary Code Execution or RCE) for attack must fulfill below conditions.

  1. The application must have a class which implements a PHP magic method (such as __wakeup or __destruct) that can be used to carry out malicious attacks.
  2. Pass untrusted user input to unserialize() regardless of the options value of allowed_classes. Unserialization can result in code being loaded and executed due to object instantiation and autoloading.
  3. The data passed to unserialized comes from a file, so a file with serialized data must be present on the server.
Potential Risk of CVE, Under our observation

Sep 2018 – Veeam MongoDB left unsecured, 440 million records exposed

Sanitization process is important in IT world. If without correct validation, it may allow malicious code pass to trust boundary. As a result it may causes remote code execution, SQL injection, trigger Zero day attack, ….etc. So…… Headline News this week. Should you have interest, my picture can tell my speculation.

https://www.scmagazine.com/home/news/veeam-mongodb-left-unsecured-440-million-records-exposed/

Vulnerability looks scary! However, as the variety and volume of data has increased in recent years, non-relational databases like MongoDB have arisen to meet the new needs of our fluid data.

Potential Risk of CVE, Under our observation

Security Notification – Modicon M221 (Sep 2018)

Because many industries requires monitoring and control capabilities that SCADA offers. In most uses, SCADA is used to manage a physical process of Electric, Gas and water Utilities.We heard cyber security alert in SCADA facilities so far. As a citizen we cannot immagine how worst will be the incident happened. For instance once SCADA PLC compromised by hacker (malware).

Coolant in a nuclear reactor is used to remove heat generated from it. It flushes out heat to electrical generators and environment. But how to monitor the temperature. Deploy Schneider M221 can conduct the Electric Temperature Control.

On end of Aug 2018, vendor found design weakness on Modicon M221. For more details, please refer below URL.

https://www.schneider-electric.com/en/download/document/SEVD-2018-235-01/

cyber security incident news highlight, Under our observation

British Airway announcement – 7th Sep 2018 (380,000 customers’ bank details stolen from website)

The Spokesman of British Airways said around 380,000 payment cards had been compromised and it had notified the police.He stated that they suspected that hacker stolen customers’ bank details through official website and or mobile apps. However the stolen data didn’t include travel or passport details.

If there is european citizens become a victims of this incident. The penalty is that it can lead to fines of up to 20 million euros or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. Official announcement shown as below:

https://www.britishairways.com/en-hk/information/incident/data-theft/latest-information?dr=&dt=British%20Airways&tier=&scheme=&logintype=public&audience=travel&CUSTSEG=&GGLMember=&ban=%7C%7CP1M%7C%7C%7C%7C%7C%7C%7CHOME%7C%7C%7C%7CL4%7C%7C%7C%7Canonymous-inspiration%7C%7C%7C&KMtag=c&KMver=1.0&clickpage=HOME

Under our observation

Automatic DNS registration and autodiscovery boots up cyber attacks – Sep 2018

Have a look back of the LLMNR technical feature, NetBIOS and Link-Local Multicast Name Resolution (LLMNR) are Microsoft’s name resolution protocols for workgroups and domains designed primarily for name resolution in the LAN. When DNS resolution fails, Windows systems use NetBIOS and LLMNR to search for names. These protocols are designed only for local connections. Above netbios and LLMNR features seems not only provides function to computer user. Meanwhile it allow hacker to re-engineering of this function. Threat actors can spoof an authoritative source for name resolution on a victim network by responding to LLMNR (UDP 5355)/NBT-NS (UDP 137) traffic as if they know the identity of the requested host, effectively poisoning the service so that the victims will communicate with the adversary controlled system.

New vulnerability found on both automatic DNS registration and auto discovery function. UC-CERT announcement aim to alert the world staying alert of these design weakness. For more details, please see below:

https://www.kb.cert.org/vuls/id/598349

Potential Risk of CVE, Under our observation

Amazon Web Services (AWS) CLI weak security – CVE-2018-15869

The amazon-ebs Packer builder is able to create Amazon AMIs backed by EBS volumes for use in EC2. Found design weakness on Amazon Web Services (AWS) that CLI could provide weaker than expected security, caused by the failure to require the –owners flag when describing images. By setting similar image properties, a remote attacker could exploit this vulnerability to trigger the loading of an undesired AMI.

For details, please refer below url:

https://github.com/hashicorp/packer/issues/6584

Potential Risk of CVE, Under our observation

Node JS CVE – Aug 2018

Retropective of the programming history, JavaScript was used primarily for client-side scripting, in which scripts written in JavaScript are embedded in a webpage’s HTML and run client-side by a JavaScript engine in the user’s web browser. Node js programming technique lets developers use JavaScript to write command line tools thus transfer script programming function to server-side. It let the programming scripts execute on server-side to produce dynamic web page content before the page is sent to the user’s web browser. As a result, it provides equivalent asynchronous I/O functionality (also non-sequential I/O). Asynchronous is a form of input/output processing that permits other processing to continue before the transmission has finished. But node js itself is difficult ro avoid traditional design bottleneck. For instance memory leakage issues. Found 2 issue on node js this month. However similar Buffer ucs2 and utf16le encoding issue found on 2012. For instance memory leakage issues. Found 2 issue on node js this month. However such similar Buffer ucs2 and utf16le encoding issue was found on 2012.

Official details shown below URL: https://nodejs.org/en/blog/vulnerability/august-2018-security-releases/

Under our observation

Quick overview – Microsoft windows task scheduler design weakness

It’s hard to imagine the destructive power of a privilege escalation vulnerability? Security Guru found zero day or system design weakness in Windows OS system. It looks that zero day not rare issue but this time the first pier of announcement was not the vendor. May be we wait for next Patch Tue to do the remediation.

Vulnerability Note VU#906424:Microsoft Windows task scheduler contains a local privilege escalation vulnerability in the ALPC interfacehttps://www.kb.cert.org/vuls/id/906424

Potential Risk of CVE, Under our observation

Invalid certificate on your remote access endpoint or a MITM attack presenting an invalid certificate compromise your workstation.

We heard cyber attack causes privileges escalation. Thus technology expert in creative way discover many solution to avoid such behavior happen. Perhaps we are focusing the patch management, antivirus signature update, malware detector yara rules. A silent way similar penetrate to your end point devices, even though server side will be compromised of this attack. Yes, we are talking about the Windows privilege escalation. Sounds like complicate, but it is simple on the other way round. If your remote client access software use SSL certificate establish TLS encryption. One of the possible way shown as below diagram. Be aware and stay alert! There are more products has this vulnerability but not exploit yet!

On the other hand, Adobe announce security updates for Creative Cloud Desktop Application. No specifics details provided. But only know the impact cause by Improper Certificate Validation. Detail shown as below url:

https://helpx.adobe.com/security/products/creative-cloud/apsb18-32.html