Category Archives: Under our observation

Simple and powerful evasion technique – Threat actor will be exploit MS word document.

Preface: Preface: Threat Intelligence vendor (FireEye) alert that Global DNS Hijacking Campaign rapidly growth. This storm affected dozens of domains belonging to government, telecommunications and internet infrastructure entities across the Middle East and North Africa, Europe and North America.

Synopsis: More information about the impact of this cyber attack.. Please refer to below url for reference.

Reflection – The attack method:

Let us think that this kind of attack seems to happen in our daily lives. Perhaps sometime even though Defense mechanism not aware. Microsoft Office documents containing built-in macros is very useful and can become a Swiss army knife to hurt you. Macros are essentially bits of computer code, and historically they’ve been vehicles for malware. Should you have interest of this topic, attach diagram can provide high level overview for your reference.

Remark: Seems the SIEM endpoint event monitoring will be the effective remedy solution. However it might have involves confidential data label. So this part requires management review and separation of duties.

Analysis Reports by US Homeland Security – Legitimate open source remote administration tool re-engineer by threat actor as APT way of attack – Dec 2018

Preface: Quasar, a legitimate open-source remote administration tool. It is a fast and light-weight remote administration tool coded in C#.

Background: APT actors have adapted Quasar and created modified minor ( and major ( and versions. Since the re-engineering Quasar client will be mimics a Mozilla Firefox 48 browser running on Windows 8.1 or mimics an Apple Safari 7.0.3 browser running on Mac OS X 10.9.3 in order to evade IDS monitoring. However there are way lets security operation center find their fingerprint. The distinctive first 4 bytes of the payload can be used to identify Quasar traffic.

As a result, below analytic way can be enforce the detective control:
Signature 1: TCP Payload Size Tracking

Signature 2: IP Lookup User-Agent String, HyperText Transfer Protocol Header Host, and HyperText Transfer Protocol Header URI

Signature 3: Hidden HTTP Request User-Agent String and Time-to-Live

More details can be found below url:

Virus, malware and ransomware may be can help mankind once AI develop become extreme.

Preface: What is your expectation from our robot counterparts in the future?

Before Professor Stephen Hawking leave the world. The final warning for humanity: AI is coming for us. In the world now in preparing the 5G mobile technology, Big Data technology and Smart City. A silent force unintend to drive human go to next generation of world. We believe all the regime in the world now get into this competitions. A quick idea to you is that the term so called Smart or intelligence most likely are efficiency and productivity. All the components within the earth are running fast in the moment. But what is your expectation from our robot counterparts in the future? Because they are coming!

Why do we recommend thinking about it at this time?
For instance, the global surface temperature increases while climate change includes global warming and everything else. The extreme changes was began in mid 80’s. Why? Manufacturer cost allocation & development country boots up their power. Now we understand the impact. But seems too late!
So this is the right time to consider.


Credit reporting agency TransUnion – personal data security flaw (Nov 2018)

Transunion offers total credit protection all in one place from credit score, credit report and credit alert. On June 25, 2015, TransUnion became a publicly traded company for the first time, trading under the symbol TRU.

Who is CreditGo?
CreditGo provides free access to credit circular reports and credit scores for Hong Kong residents. Meanwhile the credit information provided by CreditGo comes from TransUnion.

Data privacy leakage incident:
The Hong Kong arm of American consumer credit reporting agency TransUnion was forced to suspend its online services on Thursday after a local newspaper was easily able to access the personal data of the city’s leader and finance minister.

What is the reason?
Incorrect program logic from online web application cause database leak.

Suspend online services.

Refer to attached diagram, it is hard to avoid your data personal privacy leakage since when bank or financial institute check the information of a person. It is because a duplicate copy will be generate.
Business world and our daily life is insane now!

Headline news:

SWIFT Customer Security Controls Framework



All SWIFT users must comply with the mandatory security controls by the end of 2018.


Introduction of new controls or guidelines will take account of strong cybersecurity practices that address the currently known new and arising threats in order to pragmatically raise the security bar.

Technical details:

Mandatory Security Controls
1. Restrict Internet Access and Protect Critical Systems from General IT Environment
2. Reduce Attack Surface and Vulnerabilities
3. Physically Secure the Environment
4. Prevent Compromise of Credentials
5. Manage Identities and Segregate Privileges
6. Detect Anomalous Activity to Systems or Transaction Records
7. Plan for Incident Response and Information Sharing

Swift system is on the way do the enhancement continuously. But do you think such continuous program will be effectively avoided cyber security attack? For instance Bangladesh heist.
It is hard to tell what is the next cyber attack challenge in the moment. Let’s keep our eye open. Stay tuned!


Bank Negara Malaysia (Bank) detected and foiled a cybersecurity incident involving attempted unauthorized fund transfers using falsified SWIFT messages.

Security Updates for SIPROTEC and SICAM Products (Oct 2018)


SIPROTEC and SICAM – Siemens products and solutions for protection engineering, station automation, power quality, and measurement – can be connected directly and easily to MindSphere and other cloud-based platforms.

What is MindSphere?
MindSphere is an open cloud platform or “IoT operating system” developed by Siemens for applications in the context of the Internet of Things. MindSphere stores operational data and makes it accessible through digital applications to allow industrial customers to make decisions based on valuable factual information.

Product Updates:
SICAM Q200 V2.40 firmware released with security-relevant updates
SICAM Q100 V1.30 firmware released with security-relevant updates

OpenSSL sources modified by Siemens issued on 11th Sep 2018.
However OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack (use variations in the signing algorithm recover the private key).
Above vulnerability with reference number CVE-2018-0734 announced on 30th Oct 2018.
It looks that there is a gap in between version. But it cannot confirm whether there is an impact?
Regarding to above technical details. Do you have any doubt?

Self-Encrypting Solid-State Drive Vulnerabilities – November 06, 2018

Retrospective last decade, the key word so called vulnerability look like a stranger to us. But it change today. Design vulnerability, it was no doubt to say. They are the belongings of cost effective solution, market competition (short development life cycle) and satisfy human want.

Design technique – Wear leveling (also written as wear levelling) is a technique for prolonging the service life of some kinds of erasable computer storage media.

Design limitation – Wear-leveling does not guarantee that an old copy of updated data is fully removed. If the updated data is written to a new segment, old versions of data may exist in the previous segment for some time after it has been updated (until that previous segment is overwritten).
Remark: Consumer Notice regarding Samsung SSDs –

Impact – There is possible way to allow data theft to collect and read the encrypted data through physical attack (reverse engineering). A vulnerability for hardware encryption method.

Remedy – Fully turn off BitLocker to decrypt the drive on windows OS

Cathay Pacific hack: Personal data of up to 9.4 million airline passengers stolen.

From public safety point of view, if a enterprise firm found 9.4 million personal records steal by hacker. Since the firm postpone the announcement schedule. From technical point of view. the law enforcement must require to interview with the firm top management to understand the root cause.

Regarding to my observation, the cyber security incident roadmap in airline industry looks special. Nippon found TLS could allow attacker man-in-the-middle attack on Jun. Thereafter British Airways announce that total 380,000 customers’ bank details stolen by hacker. However both 2 items of cyber security incident announce to public in acceptable manner.

From technical point of view, it was not possible leak such big amount of data from TLS vulnerability and mobile apps programming bug. It shown that such vulnerability most likely given by SQL injection attack. This is so called SQL injection vulnerabilities dumping the DB.

For more details of above cyber security incident records, please refer below url for reference.

Cathay Pacific hack –

British Airway announcement – 7th Sep 2018 (380,000 customers’ bank details stolen from website)

British Airway announcement – 7th Sep 2018 (380,000 customers’ bank details stolen from website)

25th Oct 2018 – BA status update

Jun 2018 – ALL NIPPON Airways Security Advisories

Jun 2018 – ALL NIPPON Airways Security Advisories


Unknown APT reference number ? Suspect that it targeting Advantech WebAccess/SCADA customer


Advantech, a leader within the IPC global market. Advantech offers a comprehensive IPC product range that delivers reliability and stability for extreme environments, providing its customers with a one-stop shopping experience implementing Industry 4.0 and fulfilling their Industrial IoT needs.

IoT and SCADA are the APT (Advanced Persistent threat) targeting devices so far. Meanwhile this type of manufacturer will be lured attacker interest. Regarding to the technical details, please refer below url for reference.

So, It is possible to make people predict the attack may targeting Advantech customer.

In Advantech WebAccess/SCADA versions prior to V8.2_20170817.
WebAccess/SCADA does not properly sanitize its inputs for SQL commands.

Chosen with servers that have a high uptime, where reboots and patch management are rare.
In order to mislead people, threat actor will use the vendor official server cert to conducting data exfiltration.
Since malware alive and therefore C&C server is able to conduct hacker job task (exploit the SQL vulnerability).

Should you have interest to know the specifics vulnerabilities. Please refer below hyperlink for reference.

Advantech WebAccess/SCADA – CVE-2018-5443 – CVE-2018-5445

Oracle Releases October 2018 Security Bulletin – Stay alert!

Oracle has released a gamut security update to address high amounts of vulnerabilities in its various enterprise products. The official vulnerability checklist includes some follow up actions given by 2016 and 2017. Perhaps we focus vulnerability in frequent and do the priority of analysis for the score. Even though the vulnerability score is important. But we must consider the vulnerability which allow the unauthenticated remote attack. For Oracle DB, the update addresses a total of three defects. Two of the vulnerabilities (CVE-2018-3259 and CVE-2018-3299) can be remotely exploited without authentication. For more detail, please see below url: