Category Archives: Under our observation

Buffer Overflow (SEH Bypass), perhaps it is easy to encounter in medical software system (20th Apr 2020)

Preface: IoT Enterprise runs on 32-bit and 64-bit x86 chipsets with support for Universal Windows Platform (UWP) apps as well as Classic Windows(e.g. Win32 and .NET) applications. Perhaps you will discover plenty of medical devices still use 32 bit windows application.

Recent security alert on medical product: The ‘DICOM Viewer 2.0’ capable of handling all DICOM files of any modality (X-Ray angiogram, ultrasound, CT, MRI, Nuclear, waveform etc.), compression (lossless and lossy Jpeg, Jpeg200, RLE), depth or color. The proof of concept shown that software encountered buffer overflow (SEH) in specify circumstances.

What is Buffer overflow (SEH): An exception handler is a portion of code contained within an application, designed to handle an exception that may occur during runtime. Windows contains an exception handler by default (SEH) which is designed to catch an exception and generate an error. If the buffer is overflown and data is written to the SEH (located eight bytes after ESP), then all of the CPU registers are set to zero (0) and this prevents us from executing our shellcode successfully. If attacker can removing the eight additional bytes from the stack, and returning execution to the top of the stack, thus allowing execution of the shellcode.

Status: Waiting for official information update.

Reference: https://www.rubomedical.com/

winducms – attacker exploit php feature cause sql injection and REC (20th Apr 2020)

Preface: Why we found vulnerability on apps in frequent? Fundamentally, apps goal provided services and function. Even though you said it is a design weakness. But protection control should relies on other separate service or component. It will increase the difficulties for attacker when you install the antivirus(malware) on your mobile phone.

Vulnerability background: Windu CMS is a simple, lightweight and fun-to-use website content management system for Twitter Bootstrap. Security expert found bug on Windu 3.1. The proof of concept shown that it can exploits on PHP feature trigger SQL injection and remote code execution.

Security Focus: The PoC point out there is important factor cause the vulnerability and thus the developer pay the attention. In high level, it is simple. Software developer should disable eval function in PHP. Other than that, we should install antivirus program on smartphone.

Reference: WinDu CMS official website – http://en.windu.org/

Centreon – Remote code execution can be configured via Poller (18th Mar 2020)

Preface: Centreon Engine allows you to schedule periods of planned downtime for hosts and service that you’re monitoring. So if design weakness occurs in this place. It provides a way to attacker for exploit.

Background: Centreon is an open source IT monitoring solution by Centreon. It is easy to install and you can deploy within minutes.

Vulnerability details: An authenticated user with sufficient administrative rights to manage pollers can use this functionality to execute arbitrary commands remotely. Usually, the miscellaneous commands are used by the additional modules (to perform certain actions), by the scheduler for data processing, etc. Meanwhile, it provides a path for attacker to exploit. Official announcement: No status update yet. But you can receive the updated release note in this place – https://documentation-fr.centreon.com/docs/centreon/en/latest/release_notes/index.html

Perhaps vulnerability might happen in open source in frequent. But I support opensource personally.

Political and Justice – 2020

Wyden and Khanna proposed amending the Espionage Act of 1917 to protect journalists, whistleblowers, and security researchers who discover and disclose classified government information. (see below url) https://www.wyden.senate.gov/news/press-releases/wyden-and-khanna-introduce-bill-to-protect-whistleblowers-ensure-journalists-arent-targeted-for-publishing-classified-information-

If you are also interested of cyber security information developing state. Perhaps you will seen the cyber security protection will be transform to preventive instead of defensive. But who can imagine that the computer technology will be transform a weapon style of attack. In our world there is no absolute correct state . If the hostile state doing aggressive activities. Therefore the adjacent side will doing the defense. Conducting the spy in digital technology relies on malware. It conduct the Infiltration . So it is not limit to computer backdoor, email phishing and advanced espionage technologies will be used. But sometimes, it will have contradition. Furthermore it can become a political fight tool.

Meanwhile, we can only give a salute to the Whistleblowers.

“It was the best of times, it was the worst of times, it was the age of wisdom, it was the age of foolishness,..

Monthly news focus – Mar 2020

Preface: Do you have doubt for the road map of application penetration test? I believe that it is a logical step. Sometimes, you will concerning the limit time windows for remediation for different of vulnerability result. The penetration tester will narrow down the work scope especially the high risk rating vulnerability item. Since this is the highest priority job which requires customer to do the remedy.

How do you deal with application vulnerabilities? I also encountered this error because the high-risk level vulnerability made me nervous. Believe it or not, whether an application system can do a good vulnerability management sometimes depends on how hard the penetration tester analyzes the collected information. Below example can let you know my statement is true.

Get for POST (Risk: informational) – A request that was originally observed as a POST was also accepted a a GET. This issue does not represent a securit weakness into itself. However it may facilities simplification of other attacks. For example if the original is subject to Cross-Site Scripting (XSS), then this finding may indicate that a simplified (GET based) XSS may also be possible.

Hey Guys, don’t be worry too much. But you should be careful when you do the application penetration test report next time. Be remember that ask your consultant once you got a question.

A retrospective album of BlackEnergy – Feb 2020

Somewhere in time. This is 2015 – BlackEnergy2 exists in the form of a kernel-mode driver, which makes it harder for network administrators to discover the compromise. Black energy Group will mimics their custom tool(driver) thus made to look like a normal Windows component. They are interested in infecting Windows servers especially OPC server. But Microsoft implemented a driver signing policy in order to avoid loading unsigned driver. This feature is enabled on 64 bits versions of Windows systems.

Synopsis: In normal circumstances, activate the function of the cyber espionage and information destruction attack features needed to be rebooted in order to start the mimics driver. Even though black energy do not have exception.This unplanned reboot of the Windows server could raise suspicion. To solve the reboot issue, the attackers started to use a tool called DSEFix (an open-source tool that exploits CVE-2008-3431, a vulnerability in the legitimate VirtualBox driver), in order to disable the driver signature check. The attackers will made a custom version of DSEFix that also modifies boot configuration data (BCD) in order to enable TESTSIGNING mode.

What is TESTSIGNING mode: By default, Windows does not load test-signed kernel-mode drivers. To change this behavior and enable test-signed drivers to load, use the boot configuration data editor, BCDEdit.exe, to enable or disable TESTSIGNING, a boot configuration option. You must have Administrator rights to enable this option.

Those cyber criminal will focusing the OPC server.Because the OPC client uses the OPC server to get data from or send commands to the hardware.

Will it happen today? The elaborate email subject and content presents challenges for traditional security tools, because it is designed specifically to evade detection.

Staying alert of Emotet infection, even though you are a Mac User. Feb 2020

Preface: Apple Mac OS as not as easy to compromised compare with other popular operation system.

Details (A): Emotet is malware originally engineered as a banking Trojan designed to steal sensitive information.
It is a modular malware variant which is primarily used as a downloader for other malware variants such as TrickBot and IcedID. But their design presents challenges for traditional security tools, because it is designed specifically to bypass endpoint solutions. Even Mac computers are no exception.

Details (B): See attached diagram, Emotet keen to infect the computer by email. It traditionally will display several reasons require you to execute next action (clicks on it). As Trojan.Emotet takes over the email accounts of its victims. This helps trick users into downloading the Trojan onto their machine.

Official channel:
What can you do if your MacOS is infected by Emotet?
AppleCare does not provide support for removal of the malware. But customer can go to the Apple Online Store and the Mac App Store for antivirus software options.

Additional: Just do a google search, there are solution everywhere. So, you can make your decision.

Vulnerabilities in VMware (RMI communication in vRealize Operations for Horizon) are also apply for those vendor who is using RMI in Java environment. (20th Feb 2020)

Preface: JMX is often described as the “Java version” of SNMP (Simple Network Management Protocol).

Synopsis: A vulnerability in the Java Management Extensions (JMX) management agent included in the Java Runtime Environment (JRE) may allow a JMX client running on a remote host to perform unauthorized operations on a system running JMX with local monitoring enabled.

Security Focus: CVE-2020-3943 – The vulnerability allows a remote attacker to execute arbitrary code on the target system. The vulnerability exists due to the affected software uses a JMX RMI service which is not securely configured. A remote attacker can execute arbitrary code in vRealize Operations, with the Horizon Adapter running.

Horizon wiki – The Horizon adapter runs on a cluster node or remote collector node in vRealize Operations Manager. You can create a single Horizon adapter instance to monitor multiple Horizon pods. During broker agent configuration, you pair the broker agent with a Horizon adapter instance.

Attack basis: The attacker would have to trick the victim to open a a specially crafted file.

Official announcement: https://www.vmware.com/security/advisories/VMSA-2020-0003.html

Hacker exploit Coronavirus Crisis, send scam email to different industries – 18th Feb 2020

Synopsis:

a. Attackers disguise their scam email as an official (WHO) alert issued by the Centers for Disease Control Health Alert Network. (Targeting individuals from the United States and the United Kingdom)

b. Attackers disguise their scam email as an alert of Coronavirus status, they are target to shipping industry.

Description: About the attack to shipping industry – Hacker exploit the vulnerability of CVE 2017-11882, perhaps they found that the patch management on the boat not enforce in frequent. And therefore the attack explicitly target shipping industry. About the attack to individuals from the United States and the United Kingdom – WHO urge that if anyone see similar type of scam email. Report to WHO – https://www.who.int/about/report_scam/en/

The slogan – Do not rush to open a URL or open a email. Take care.

Hong Kong Broadband Network customer staying alert! 17th Feb 2020

Synopsis: The threat actors hidden their email phishing package anywhere. As common we know, email phishing scam foot print are wide in area. But the antivirus and malware solution vendor setup blacklist domain name and content filtering function has reduced the infection ratio of malware and ransomware. It looks that the similar of idea to hunting cyber victim still valid. In my observation, the attacker sometimes will be reuse their technique. This time they store the trap in social media web. Found that the scam activities which mimic Hong Kong Broadband luck draw online program activities is awaken again. I found similar activities on yesterday (16th Feb 2020). Even the VirusTotal repository has only one cybersecurity vendor detected a similar record type. In the sense that they can escape your defense solution.

For more detail, please refer to announcement by HKBN in past. https://www.hkbn.net/personal/dist/img/src/pdf/Warning-Against-Phishing-Website_en.pdf