Category Archives: Under our observation

25th JUl 2018 – Malicious Cyber Activity Targeting ERP Applications (Stay alert!)

 

A consulting firm observe that the abuse of the SAP Invoker Servlet rapidly increase (built-in functionality in SAP NetWeaver Application Server Java systems (SAP Java platforms)). The fact is that customer may not aware or encounter technical difficulties to remediate a former vulnerability. May be a new attack (former vulnerability + Zero day) let the risk happens.

Quick step of remediation in the moment:

1. Scan systems for all known vulnerabilities, such as missing security patches and dangerous system configurations.

2. Analyze systems for malicious or excessive user authorizations.

3. Monitor systems for indicators of compromise resulting from the exploitation of vulnerabilities.

4. Apply threat intelligence on new vulnerabilities to improve the security posture against advanced targeted attacks.

Should you have interest of the report. You can go to this place to download.

https://www.onapsis.com/research/reports/erp-security-threat-report

 

Lost of civilization – Enterprise MDM solution may not detect these apps

The installation packages of Android apps (.APK files) are deploy with.ZIP files. Because of the fundemental design concept. It let malware has way for infection. Yes, threat actor can place a malicious DEX file at the start of the APK file. But V2 signing mechanism can avoid above types of infection. However of the compatiblity issue, older Android versions with only version 1 of the signing scheme application still alive. We known that risk may occurs in such circumstances. The fact is that Enterprise MDM solutions may not detect these apps.

Reference: https://developer.android.com/about/versions/nougat/android-7.0#apk_signature_v2

Defending the Power Grid From Hackers – Jul 2018

Cyber defense facilities today are very strong and effecive to fight against different of cyber attacks. Even though stealer deploy DNS steal technique to exfiltrate the data from a firm. Anti cyber technology have their way to quarantine and deny such activities. Perhaps you said the IoT devices attack that wreaked hovac worldwide. It is hard to avoid. But it still have resolution. Cyber security vendor deploy network discover facitiles. No matter Dot one X or non Dot one X devices they can find. So it looks perfect, no any concern any more. But why we still have cyber attack incident happens today?

The Next Cyber Battleground

Sound scary! The Next Cyber Battleground
Expert predict that digital infrastructure is the high target to receive cyber attack. That is even through smart City, manufacturing automation, geospatial data system,..etc.

Some experts believe cyber incidents go underreported in the nuclear sector. The reason is that the Nuclear Regulatory Commission only requires the reporting of incidents that affect the safety, security functions, or emergency preparedness of the plant. May be it do not want to caused a public panic.

We heard cyber attack to SCADA in frequent. Whether SCADA contains design weakness or there is other factor?

The SCADA Data Gateway (SDG) is a Windows™ application used by System Integrators and Utilities to collect data from OPC, IEC 60870-6 (TASE.2/ICCP), IEC 61850, IEC 60870-5, DNP3, or Modbus Server/Slave devices and then supplies this data to other control systems supporting OPC, IEC 60870-6 (TASE.2/ICCP) Client, IEC 60870-5, DNP3, and/or Modbus Client/Master communication protocols.

The core component supporting SCADA infrastructure build by Microsoft products in common. And therefore the attack surface will be divided in several ways. We understand that Nuclear facilties do not provided any public web portal. So direct attacks looks not possible. However Microsoft office products has full market coverage in the world. It is rare that people not using MS-Word for word processing work, right? As a matter of fact, hacker now transform MS office product become a cyber attack media. They re-use former MS office vulnerabilities. It has possibilities execute the Infiltration. From technical point of view, even though attacker send out the RTF format of file. It is also workable.

Remark: RTF is a text file format used by Microsoft products, such as Word and Office. RTF, or Rich Text Format, files were developed by Microsoft in 1987 for use in their products and for cross-platform document interchange. RTF is readable by most word processors.

Quote:

Hackers are using Microsoft Word documents (or more specifically, RTF files listed with a “.doc” extension) to trick people into opening the files.

On this discussion objective, I am not going to drill into any technical details. But our aim would like to provides hints see whether it can enrich the security awareness.
Below details common bad mailicious MS-word documents checklist for reference.

722154A36F32BA10E98020A8AD758A7A MD5 FILENAME:CV Controls Engineer.docx
243511A51088D57E6DF08D5EF52D5499 MD5 FILENAME:CV Control Engeneer.docx
277256F905D7CB07CDCD096CECC27E76 MD5 FILENAME:CV Jon Patrick.docx
4909DB36F71106379832C8CA57BA5BE8 MD5 FILENAME:Controls Engineer.docx
4E4E9AAC289F1C55E50227E2DE66463B MD5 FILENAME:Controls Engineer.docx
5C6A887A91B18289A70BDD29CC86EBDB MD5 FILENAME:High R-Value Energy.docx
6C3C58F168E883AF1294BBCEA33B03E6 MD5 FILENAME:CV_Jon_Patrick.docx
78E90308FF107CE38089DFF16A929431 MD5 FILENAME:CV Jon Patrick.docx
90514DEE65CAF923E829F1E0094D2585 MD5 FILENAME:CV_Jon_Patrick.docx
C1529353E33FD3C0D2802BB558414F11 MD5 FILENAME:Build Hydroelectric Turbine.docx
CDA0B7FBDBDCEF1777657182A504283D MD5 FILENAME:Resume_Key_And_Personal.docx
DDE2A6AC540643E2428976B778C43D39 MD5 FILENAME:CV_Jon_Patrick.docx
E9A906082DF6383AA8D5DE60F6EF830E MD5 FILENAME:CV_Jon_Patrick.docx
038A97B4E2F37F34B255F0643E49FC9D MD5 FILENAME:Controls Engineer (2).docx
31008DE622CA9526F5F4A1DD3F16F4EA MD5 FILENAME:Controls Engineer (4).docx
5ACC56C93C5BA1318DD2FA9C3509D60B MD5 FILENAME:Controls Engineer (7).docx
65A1A73253F04354886F375B59550B46 MD5 FILENAME:Controls Engineer (3).docx
8341E48A6B91750D99A8295C97FD55D5 MD5 FILENAME:Controls Engineer (5).docx
99AA0D0ECEEFCE4C0856532181B449B1 MD5 FILENAME:Controls Engineer (8).docx
A6D36749EEBBBC51B552E5803ED1FD58 MD5 FILENAME:Controls Engineeer.docx
3C432A21CFD05F976AF8C47A007928F7 MD5 FILENAME:Report03-23-2017.docx
34A11F3D68FD6CDEF04B6DF17BBE8F4D MD5 FILENAME:corp_rules(2016).docx
141E78D16456A072C9697454FC6D5F58 MD5 FILENAME:corp_rules(2016).docx
BFA54CCC770DCCE8FD4929B7C1176470 MD5 FILENAME:invite.docx
848775BAB0801E5BB15B33FA4FCA573C MD5 FILENAME:Controls Engineer.docx
MD5 FILENAME:corp_rules(2016).docx
MD5 FILENAME:corp_rules(2016).docx
MD5 FILENAME:invite.docx

Happy hunting – bye!

Node.js hits arbitrary command injection (CVE-2018-13797)

Node.js framework become popular today. Node.js can build the application on ethereum (cryptocurrency). Node.js is a JavaScript runtime built on Chrome’s V8 JavaScript engine. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient. Node.js’ package ecosystem, npm, is the largest ecosystem of open source libraries in the world.

Meanwhile, npm is a package manager for the JavaScript programming language. It is the default package manager for the JavaScript runtime environment Node.js. Software developers must stay alert on CVE-2018-13797. Should you have interested, please refer below:

Fixes arbitrary command injection by using execFile instead of exec:

https://github.com/scravy/node-macaddress/commit/358fd594adb196a86b94ac9c691f69fe5dad2332

https://github.com/scravy/node-macaddress/pull/20/

Jul 2018 – Siemens Security Advisory by Siemens ProductCERT

Selective Availability (SA) was an intentional degradation of public GPS signals implemented for national security reasons. In May 2000, at the direction of President Bill Clinton, the U.S government discontinued its use of Selective Availability in order to make GPS more responsive to civil and commercial users worldwide. And therefore the GPS open to public usage. Measuring distance from a satellite define by the following:

  1. Velocity x time = distance
  2. Three perfect measurements can locate a point in 3-dimensional space, means synchorning the satellite and receiver are based on perfect timing (clock). A major element in GPS system.

But security vulnerabilities occurs on the timing machine. Official announcement shown as below:

Siemens Security Advisory by Siemens ProductCERT SSA-197012: Vulnerabilities in SICLOCK central plant clocks: https://cert-portal.siemens.com/productcert/pdf/ssa-197012.pdf

Jul 2018 – The IoT P2P (Peer to Peer) design flaw let passwords of over 30,000 devices exposed in search engine

The P2P (Peer to Peer) function is common function for the operation support for Internet of things devices. It aim to simplify the operation and increasing flexibility. We now focusing on data personal privacy but the fundamental of user friendly functions looks contained contradiction with secure operation. The firm (NewSky security) found password for tens of thousands of Dahua devices cached in the IoT search engine. In the meantime the hardware manufacturer not provides any responses in regard to this incident. Stay tuned! And see whether what is the reply by hardware vendor.

Should you have interested to know the details, please refer to attached diagram and url for references.

Passwords for tens of thousands of Dahua devices cached in the IoT search engine – https://amazingreveal.com/2018/07/15/passwords-for-tens-of-thousands-of-dahua-devices-cached-in-the-iot-search-engine/

Official Announcement/Notice – https://www.dahuasecurity.com/support/cybersecurity/annoucementNotice

Vulnerability found recently

22nd May 2018: Security Advisory – Privilege escalation vulnerability found in some Dahua IP products

 

New version of black energy cyber attack target Microsoft OLE product design weakness

Ukrainian intel agency has claimed it stopped a cyber attack against a chlorine plant that was launched using the notorious VPNFilter malware. Perhaps the world focusing VPN filter malware spreading and infection. We known earlier last month that such attack targets are the low end wireless router and network access storage (NAS).

However, from my point of view is that the main stream of the cyber attack so far happening not limit to this incident. The fact is that lure the attacker interest to do the re-engineering of their attacks seems maintain on Microsoft office product. What is the key component? Yes, it is OLE objective linking and embedding. Or you may say, if I am following Microsoft patch Tue remediation schedule it will be safe. It looks correct. But normal RTF file, it was able to avoid detection by many security products. And therefore attacker conduct similar hacking technology to execute cyber attack in Ukrainian. The political situation of Ukrainian given a never ending story. Meanwhile the world never without using MS office document!

Reference:

Headlines news – Ukraine claims it blocked VPNFilter attack at chemical plant : https://www.theregister.co.uk/2018/07/13/ukraine_vpnfilter_attack/

My speculation on how Cisco (Talos) found the malware (VPNFilter malware)

My speculation on how Cisco (Talos) found the malware (VPNFilter malware).

 

July 06, 2018 – Apple Releases Security Update for Boot Camp

WiFi connection seems secure when IT Department authenticating wifi users with windows active directory. A know issue told the world that WPA is not secure and therefore the WiFi authentication best practices jump to WPA2. From general point of view, we all focusing to WiFi access point, authentication protocol and encryption method. It looks that we forget endpoint itself is our missing area. A design weakness found on Apple Mac book products. The explanation by Apple is that a logic issue existed in the handling of state transitions. See attached diagram, when endpoint enforce packet number (PN) reset to 1. Then the attacker possible to engage the replay attack.

Impact: An attacker in Wi-Fi range may force nonce reuse in WPA unicast/PTK clients (Key Reinstallation Attacks – KRACK)

Comment: With WPA/WPA2, rekeying of both unicast and global encryption keys is required. Seems WPA2 is the main trend today. So WPA looks ignore by manufacturer. And therefore is going to fix the bug in WPA now!

Official announcement – https://support.apple.com/en-us/HT208847

Jun 2018 – SSL Forward Proxy vulnerability (CVE-2018-5527)

Since data privacy is the 1st pirority of objective in cyber world. We now internet connectivity heavy utilize of SSL cert. For instance SSL VPN, PKI, SSL web server,etc. Popular web portal receive large amount of connectiviies per second. And therefore the popluar solution is TCP offload. Install SSL server cert out of web server and install in web server front end. That is load balancer. Even though you said, you have TCP offload. But fundenmental limation told that SSL connections consume about twice as much memory as HTTP layer 7 connections, and four times as much memory as layer 4 with TCP proxy. Meanwhile huge amount of ssl session from cache while full garbage collection seems cause IO Thread owned lock delayed, and other I/O threads BLOCKED.

F5 now resolved their SSL forward proxy vulnerability (CVE-2018-5527). See below:

https://support.f5.com/csp/article/K20134942

But believe that it is a not easy ending story caused by the following factors!

1. Huge amount of ssl session from cache while full garbage collection seems cause IO Thread owned lock delayed, and other I/O threads BLOCKED.

2. SSL connections consume about twice as much memory as HTTP layer 7 connections, and four times as much memory as layer 4 with TCP proxy.

The world cup 2018 – malicious game website and phishing email also involved in this competition. This like malware transformation of football shooting.

THE 2018 WORLD CUP lure hacker interest, a breeding ground for hackers. The phishing campaign linked to the start of the FIFA World Cup where cyber-criminals attempt to lure would-be victims into downloading. For instance, Games, email and related information. Such download contain malware and let the downloader become cyber attack victim.

How do you defend against this football (malware)? 1. Use and maintain antivirus software. 2. Keep software and operating systems up-to-date. 3. Be wary of downloading files from websites. 4. Think before you Click!

Headline News :

https://www.independent.co.uk/sport/football/world-cup/world-cup-live-streaming-free-streams-fifa-2018-football-matches-risk-fans-watch-a8419266.html