Category Archives: Under our observation

Security Updates for SIPROTEC and SICAM Products (Oct 2018)

Preface:

SIPROTEC and SICAM – Siemens products and solutions for protection engineering, station automation, power quality, and measurement – can be connected directly and easily to MindSphere and other cloud-based platforms.

What is MindSphere?
MindSphere is an open cloud platform or “IoT operating system” developed by Siemens for applications in the context of the Internet of Things. MindSphere stores operational data and makes it accessible through digital applications to allow industrial customers to make decisions based on valuable factual information.

Product Updates:
SICAM Q200 V2.40 firmware released with security-relevant updates
SICAM Q100 V1.30 firmware released with security-relevant updates

Question?
OpenSSL sources modified by Siemens issued on 11th Sep 2018.
However OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack (use variations in the signing algorithm recover the private key).
Above vulnerability with reference number CVE-2018-0734 announced on 30th Oct 2018.
It looks that there is a gap in between version. But it cannot confirm whether there is an impact?
Regarding to above technical details. Do you have any doubt?

Self-Encrypting Solid-State Drive Vulnerabilities – November 06, 2018

Preface:
Retrospective last decade, the key word so called vulnerability look like a stranger to us. But it change today. Design vulnerability, it was no doubt to say. They are the belongings of cost effective solution, market competition (short development life cycle) and satisfy human want.

Design technique – Wear leveling (also written as wear levelling) is a technique for prolonging the service life of some kinds of erasable computer storage media.

Design limitation – Wear-leveling does not guarantee that an old copy of updated data is fully removed. If the updated data is written to a new segment, old versions of data may exist in the previous segment for some time after it has been updated (until that previous segment is overwritten).
Remark: Consumer Notice regarding Samsung SSDs – https://www.samsung.com/semiconductor/minisite/ssd/support/consumer-notice/

Impact – There is possible way to allow data theft to collect and read the encrypted data through physical attack (reverse engineering). A vulnerability for hardware encryption method.

Remedy – Fully turn off BitLocker to decrypt the drive on windows OS
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180028

Cathay Pacific hack: Personal data of up to 9.4 million airline passengers stolen.

From public safety point of view, if a enterprise firm found 9.4 million personal records steal by hacker. Since the firm postpone the announcement schedule. From technical point of view. the law enforcement must require to interview with the firm top management to understand the root cause.

Regarding to my observation, the cyber security incident roadmap in airline industry looks special. Nippon found TLS could allow attacker man-in-the-middle attack on Jun. Thereafter British Airways announce that total 380,000 customers’ bank details stolen by hacker. However both 2 items of cyber security incident announce to public in acceptable manner.

From technical point of view, it was not possible leak such big amount of data from TLS vulnerability and mobile apps programming bug. It shown that such vulnerability most likely given by SQL injection attack. This is so called SQL injection vulnerabilities dumping the DB.

For more details of above cyber security incident records, please refer below url for reference.

Cathay Pacific hack – https://www.scmp.com/news/hong-kong/law-and-crime/article/2170107/hong-kong-privacy-chief-slams-cathay-pacific-taking

British Airway announcement – 7th Sep 2018 (380,000 customers’ bank details stolen from website)

British Airway announcement – 7th Sep 2018 (380,000 customers’ bank details stolen from website)

25th Oct 2018 – BA status update

http://mediacentre.britishairways.com/pressrelease/details/86/2018-247/10234

Jun 2018 – ALL NIPPON Airways Security Advisories

Jun 2018 – ALL NIPPON Airways Security Advisories

 

Unknown APT reference number ? Suspect that it targeting Advantech WebAccess/SCADA customer

 

Advantech, a leader within the IPC global market. Advantech offers a comprehensive IPC product range that delivers reliability and stability for extreme environments, providing its customers with a one-stop shopping experience implementing Industry 4.0 and fulfilling their Industrial IoT needs.

IoT and SCADA are the APT (Advanced Persistent threat) targeting devices so far. Meanwhile this type of manufacturer will be lured attacker interest. Regarding to the technical details, please refer below url for reference.

https://www.eset.com/int/greyenergy-exposed/

So, It is possible to make people predict the attack may targeting Advantech customer.

Factor:
In Advantech WebAccess/SCADA versions prior to V8.2_20170817.
WebAccess/SCADA does not properly sanitize its inputs for SQL commands.

Synopsis:
Chosen with servers that have a high uptime, where reboots and patch management are rare.
In order to mislead people, threat actor will use the vendor official server cert to conducting data exfiltration.
Since malware alive and therefore C&C server is able to conduct hacker job task (exploit the SQL vulnerability).

Should you have interest to know the specifics vulnerabilities. Please refer below hyperlink for reference.

Advantech WebAccess/SCADA – CVE-2018-5443 – CVE-2018-5445

Oracle Releases October 2018 Security Bulletin – Stay alert!

Oracle has released a gamut security update to address high amounts of vulnerabilities in its various enterprise products. The official vulnerability checklist includes some follow up actions given by 2016 and 2017. Perhaps we focus vulnerability in frequent and do the priority of analysis for the score. Even though the vulnerability score is important. But we must consider the vulnerability which allow the unauthenticated remote attack. For Oracle DB, the update addresses a total of three defects. Two of the vulnerabilities (CVE-2018-3259 and CVE-2018-3299) can be remotely exploited without authentication. For more detail, please see below url:

https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

VMWARE ESXi,Workstation and Fusion out-of-bounds read vulnerability in SVGA device – 16thOct2018

Malware authors constantly seek new methods to obfuscate their code so as to evade detection by virus scanners. Have you heard shader code?
In order to avoid the vulnerability occurs, VMware Releases Security Updates on October 16, 2018.
ESXi has an out-of-bounds read vulnerability in the SVGA device that might allow a guest to execute code on the host (CVE-2018-6974).
The side effect of the Out-of-bounds read is serious. It allocates uninitialized Buffers when number is passed in input. An attacker could exploit this vulnerability to take control of an affected system.
Official announcement is shown as below:

https://www.vmware.com/security/advisories/VMSA-2018-0026.html

Buzz Lightyear slogan – To Infinity… and Beyond!

Reflections – New 5G network edge server design

NSA Senior Cybersecurity Advisor questions Bloomberg Businessweek’s China iCloud spy chip claim (see below url)

http://macdailynews.com/2018/10/10/nsa-senior-cybersecurity-advisor-questions-bloomberg-businessweeks-china-icloud-spy-chip-claim/

Now we take a quick discussion but do not related to conspiracy. From technical point of view, if hardware is polluted (spy feature). It is hard to imagine what the impact was?

In the SD-branch, routing, firewall, and WAN optimization are provided as virtual functions in a cloud-like NaaS model, replacing expensive hardware. As a result, the telephone company will use SD-branch to provide virtual CPE and unversal CPE services.

Meanwhile uCPE consists of software virtual network functions (VNFs) running on a standard operating system hosted on an open server. So uCPE in reposible of very import role in future technology. What if there is vulnerability occurs in this place. It make the problem worst, complicated!

Supermicro Designs New Open Software-Defined Networking (SDN) Platform Optimized for 5G and Telco Applications and Launches verified Intel® Select Solution for uCPE

http://ir.supermicro.com/news-releases/news-release-details/supermicro-designs-new-open-software-defined-networking-sdn

Advisory on PHP Vulnerabilities – 12th Oct 2018

The Multi-State Information Sharing & Analysis Center (MS-ISAC) has released an advisory on multiple Hypertext Preprocessor (PHP) vulnerabilities today (refer below url):

https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-php-could-allow-for-arbitrary-code-execution_2018-113/

Perhaps PHP program version will make you frustrated. Why? The vulnerabilities addressed by MS-ISAC only for Version 7.2.11 & Version 7.1.23. However there is another fix coming soon (see below):

PHP 7.1.24

Core:

Fixed bug #76946 (Cyclic reference in generator not detected)

Date: unknown

Fixed bug #75851 (Year component overflow with date formats “c”, “o”, “r” and “y”). (Adam Saponara)

FCGI:

Fixed bug #76948 (Failed shutdown/reboot or end session in Windows).

(Anatol)

Fixed bug #76954 (apache_response_headers removes last character from header

name). (stodorovic)

FTP:

. Fixed bug #76972 (Data truncation due to forceful ssl socket shutdown).

(Manuel Mausz)

intl:

. Fixed bug #76942 (U_ARGUMENT_TYPE_MISMATCH). (anthrax at unixuser dot org)

Standard:

. Fixed bug #76965 (INI_SCANNER_RAW doesn’t strip trailing whitespace).

(Pierrick)

XML:

. Fixed bug #30875 (xml_parse_into_struct() does not resolve entities).

Should you have interested, please review above diagram. PHP look likes a game.

Five publicly available tools, which have been used for malicious purposes – Oct 2018

US-Cert urge that there are total five publicly available tools, which have been used for malicious purposes in recent cyber incidents around the world (see below):

Remote Access Trojan: JBiFrost
Webshell: China Chopper
Credential Stealer: Mimikatz
Lateral Movement Framework: PowerShell Empire
C2 Obfuscation and Exfiltration: HUC Packet Transmitter

RSA found a malware in 2017 and explore remote access Trojan (RAT) feature with advanced invisible feature.

In this short discussion, I am going to focus the RAT (JBiFrost). Adzok is famous in dark web.

We seen malware exploits the Java archives.

A JAR (Java archive) is a package file format. It can be used as Java library or as standalone application. He is easy to change the shape to evade the detection.

Adzok proviced free download version. Some antivirus vendor already has defensive to avoid the infiltration.

Friendly reminder that still have some vendor do not have this malware signature.

Could ring 2 have the same momentum as a IoT backdoor?

Preface:

In x86 protected mode, the CPU is always in one of 4 rings. The Linux kernel only uses 0 and 3:

  • 0 for kernel
  • 3 for users

Hidden janitor living in your computer

SMM is triggered through a System Management Interrupt (SMI), a signal sent from the chipset to the CPU. During platform initialization, the firmware configures the chipset to cause a System Management Interrupt for various events that the firmware developer would like the firmware to be made aware of.

Whether you remember the Intel chipsets for some years have included a Management Engine?

On May 2017, an official announcement by Intel, design found a design limitation on their product. The problem is that Intel Active Management Technology, Intel Small Business Technology, and Intel Standard Manageability encountered vulnerability (escalation of Privilege). Reference url shown as below:

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00075.html

If we are not talking about conspiracy, it looks that backdoor appear in the chipset not a rumour. It is a true statement.

Why Ring 2 isn’t used?

Rings 1 and 2 is for the OS to put device drivers at that level, so they are privileged, but somewhat separated from the rest of the kernel code.

An exploitation on Ring 2

We strongly believe that the person who familiar of code for the UEFI kernel and SMM half kernel is the CPU manufacturer. Both components are run on Ring 2. Above mentioned Intel design flaw run in Ring -2 OS (UEFI). UEFI can run in 32-bit or 64-bit mode and has more addressable address space than BIOS, which means your boot process is faster. Unified Extensible Firmware Interface (UEFI) is a specification for a software program that connects a computer’s firmware to its operating system (OS). UEFI is expected to eventually replace BIOS. Like BIOS, UEFI is installed at the time of manufacturing and is the first program that runs when a computer is turned on. Dual boot computer with Windows and Linux conducted by UEFI firmware. But UEFI firmware has become a target for hackers.

Refer to above diagram, we notice that the condition of Ring 2 will be depends on operation mode. So, if virtualization assist by hardware will let Ring 2 and Ring 3 work together. As a result, an attacker with write access to flash can inject malware into the firmware.

Remark: Malware injected into the firmware flash regions is persistent and will run on every subsequent boot.

SPI Flash Exploit – Malicious DXE drivers can disable security settings and install malicious code into the OS.

Additional:

Refer to above information. When a computer was installed and switched on, the microchip altered the operating system’s core so it could accept modifications. The chip could also contact computers controlled by the attackers in search of further instructions and code.

But who is the culprit, no further indicator proof. Perhaps it can shift the blame onto someone else. If you do not mind to read the articles announced by Bloomberg once more. Please refer below:

https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies