Category Archives: Under our observation

Potential Risk of CVE, Under our observation

CISA cyber Security Alert – About the May 2021 MS patch (21st Aug, 2021)

August 23, 2021 admin Leave a comment

Preface: With Exchange Server vNext, Microsoft is phasing out the on-premise delivery model, making Exchange Server 2019 the last on-premise product version.

Point of view: Perhaps quite a lot of people will be surprised of this notification. Since more and more organizations has been migrated the mail server to office 365. The patch issued on May 2021 was applied already. But the patch management from small to medium firm not easy to managed. It is quite common that a one I.T. technical support person supporting everything. It is unbelievable but it is factual. You can see a lot of large size mailbox not being managed. Furthermore, the patch management may not do it immediately. It wait for their schedule time window to do the patch management. As a result, before they conduct patch management. Attacker may landed to their email server. Apart of lack of SIEM facility, only relies on a single firewall is hard to defense such vulnerability attack. Or you will say, will the local OS antivirus can be do the detection. The answer is that if the antivirus feature do not involve to content security filter function. Therefore the attack might have chance to do the evasion . I believe that CISA on their malware sink hole infrastructure will see the details. And this is the objective of this alert.

Ref: Apart from design weakness (vulnerability). The modern architecture is virtual machine infrastructure. It is not rare that the exchange server front-end and back-end are located in same hardware box because we are living in virtual machine world. So if such vulnerability occur in an on premise infrastructure. The risk will be rapidly increase.

Vulnerability details: Malicious cyber actors are actively exploiting the following ProxyShell vulnerabilities:
CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207.

An attacker exploiting these vulnerabilities could execute arbitrary code on a vulnerable machine. Details can be found in the following link (CISA official announcement) – https://us-cert.cisa.gov/ncas/current-activity/2021/08/21/urgent-protect-against-active-exploitation-proxyshell

2021, Data privacy, Public safety, Under our observation

Kubernetes Hardening Guidance by NSA & CISA (3rd Aug 2021)

August 4, 2021 admin Leave a comment

Preface: Docker helps to “create” containers, and Kubernetes allows you to “manage” them at runtime. What is Kubernetes Security? That is Cloud, Cluster, Container and code.

Background: Kubernetes is commonly targeted for three reasons observing by NSA and CISA. They are data theft, computational power theft, or denial of service. Cyber attacks encountered in the Kubernetes environment in 2020. Details are as follow:

Capital One – Occurring in 2019, this breach saw 30GB of credit application data affecting about 106 million people being exfiltrated.
A mis-configured firewall that allowed an attacker to query internal metadata and gain credentials of an Amazon Web Services
Docker hub – Attackers managed to plant malicious images in the Docker hub. unknowingly deployed cryptocurrency miners in the form of Docker
containers that then diverted compute resources toward mining cryptocurrency for the attacker.
Microsoft Azure – Microsoft is another organization that’s been seeing a lot of cryptojacking woes of its own. After disclosing that there was a large-scale cryptomining attack against Kubernetes cluster in Azure in April 2020.
Telsa – Automaker Tesla was one of the earlier victims of cryptojacking when a Kubernetes cluster was compromised due to an administrative
console not being password protected.(Mis-configuration)
Jenkins – Hackers managed to exploit a vulnerability in Jenkins to cryptomine to the tune of about $3.5 million, or 10,800 Monero in 18 months. In Docker’s operation environment, it was discovered that six malicious images had been collectively pulled over 2 million times, that’s 2 million users potentially mining Monero for the attacker.

To avoid similar incidents from happening – The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) released a Cybersecurity Technical Report, “Kubernetes Hardening Guidance,” Primary actions include the scanning of containers and Pods for vulnerabilities or mis-configurations, running containers and Pods with the least privileges possible, and using network separation, firewalls, strong authentication, and log auditing. Please refer to the link for details – https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2716980/nsa-cisa-release-kubernetes-hardening-guidance/

2021, cyber security incident news highlight, Ransomware, Under our observation

DarkSide Ransomware ready to move. Operational Technology (OT) should staying alert (7-7-2021)

July 9, 2021 admin Leave a comment

Preface: IDC report predicted that By 2024, 60% of industrial organizations will integrate data from edge OT systems with cloud-based reporting and analytics, moving from single-asset views to sitewide operational awareness.

Background: PowerShell provides an adversary with a convenient interface for enumerating and manipulating a host system after the adversary has gained initial code execution.

Security Focus: According to the observation of the security company. You can use PowerShell to execute various Base64 encoding commands. The trend of operation technology will be programmed and developed on powershell.
Cybercriminals responsible for ransomware activities often try to delete them so that their victims cannot restore file access by restoring to shadow copies. The method is to use this (Invoke-ReflectivePEInjection to directly inject DLL into PowerShell).
Meanwhile, they require system administrator privileges, so they rely on zero-day and unpatched victim workstations for privilege escalation.

Remark: What’s more telling is the inclusion of function names that correspond with a PowerShell payload called “Invoke-ReflectivePEInjection”, which lets an attacker inject a dynamic link library (DLL) directly into PowerShell.

Should you have interested of above details. CISA Publishes Malware Analysis Report and Updates Alert on DarkSide Ransomware. For more details, please refer to link – https://us-cert.cisa.gov/ncas/alerts/aa21-131a

Ransomware, Under our observation, Virus & Malware

Are there other ways to avoid ransomware infection? (6th Jul, 2021)

July 5, 2021 admin Leave a comment

Preface: A ransomware attack paralyzed the networks of at least 200 U.S. companies, said headline News. President Biden announces investigation into international ransomware attack on 3rd Jul, 2021.

Background analysis: Cyber criminals are turning to fileless attacks to bypass firewalls. These attacks embed malicious code in scripts or load it into memory without writing to disk.

Malware tricks you into installing software, allowing scammers to access your files and track your actions.
Ransomware is a form of malware goal to locks the user out of their files or their device.

However, whether it is malware or ransomware, they all rely on working with C&C servers. Cybercriminals use C&C servers to host ransomware. If the computer cannot access the infected server and/or malicious website. Therefore, ransomware infections will be reduced.

How DNS Sinkholing reduce the infection hit rate? In fact, the firewall cannot see the originator of the DNS query. When the client tries to connect to a malicious domain, the existing solution is likely to wait for the download and let the anti-virus and malware protection mechanisms isolate the malicious file.

Sinkholing can be done at different levels. Both ISPs and Domain Registrars are known to use sinkholes to help protect their clients by diverting requests to malicious or unwanted domain names onto controlled IP addresses.

Question: If the solution is mature and well-defined. But why the service provider does not implement it. Is it a cost factor?

Ransomware, Under our observation, Virus & Malware

Closer to reality: one of the ways of ransomware infection (15th June, 2021)

June 15, 2021 admin Leave a comment

Preface: Ransomware infection not merely boots by vulnerability of the windows OS and or products components. Web site programming technique is the accomplice. Perhaps we can say, how successful of ransomware attacks will depends on the total number of compromised web server. What I call the trigger point.

Background: Ransomware is often spread through phishing emails that contain malicious attachments or through drive-by downloading. Drive-by downloading occurs when a user unknowingly visits an infected website and then malware is downloaded and installed without the user’s knowledge.

Ransomware is a type of malware attack. The encryption process will performs a key exchange with the Command and Control Server, using the encryption key to scramble all files discovered during the Execution step. It also locks access to the data. For cyber criminals view point, it is not possible to rent a web hosting service. Therefore, the possible way is find the online web portal which contained vulnerability. If they can compromised the online web. They can setup the phishing attack and evade traditional domain black list filter. So they can do their job silently.

Traditional corrective control not address the problem in effective way: A corrective control is an aftermath of detective and preventive. You can only restore from a backup after an incident. According to historical of attack, ransomware will be exploit operation system and or component vulnerability to conducting the infection. So traditional full backup may not use here because victim will be concerning what is exact time they receiving the attack. As a matter of fact, the correct way to proceed the restore procedure is wait for the digital forensic investigation result. Till today such attack still bother the whole world.

Maybe when something happens, the term phishing is on your side. See if you can learn more with the attached diagram.

Public safety, Ransomware, Under our observation

Update to CISA-FBI Joint Cybersecurity Advisory on DarkSide Ransomware (May 19, 2021).

May 20, 2021 admin Leave a comment

Preface: Critical infrastructure cybersecurity is not new – it was first addressed by Presidential Decision Directive (PDD) 63 in 1998. The term Internet of Things (IOT) was used but it was for consumer product applications not industrial applications. Perhaps the Executive Order on Cybersecurity does not adequately protect critical infrastructures

Background: Best Practices for Preventing Disruption from Ransomware Attacks was released by CISA on May 11, 2021 – https://us-cert.cisa.gov/ncas/alerts/aa21-131a

The goal provides a directive to computer users to reduce the possibility on ransomware attack. Apart of best Practices, whether there is other way to enhance your current system infrastructure to avoid computer user negligent.

Solution 1: Technology so called clean DNS works by adding a layer of security between a user and the internet that prevents visits to websites used for scams, phishing, and malware and ransomware distribution.

Solution 2: Be aware that unofficial observation concluded that if you had infected trickbot, you would receive ransomware attack soon.
Please refer to the attached diagram for the solution.

2021, cyber security incident news highlight, Under our observation, Virus & Malware

Cyber attack shuts down U.S. fuel pipeline ‘jugular,’ said Headline News – 9th May 2021

May 10, 2021 admin Leave a comment

Preface: The hacker group claimed that its ransomware attacks were only used for “right targets.” The organization claimed that they only targeted ransomware attacks and large profitable companies to “make the world a better place.”

Background: Cyber attacks in the oil and gas industry can threaten an organisation’s information technology (IT), its operational technology (OT) and any internet of things (IoT) systems in place.
Last year, the security department expressed such concerns.

Security Focus: The hacking team is very active on hack forums and keeps its customers updated with news related to the ransomware. Speculated that attacker gaining an initial foothold in the network not limited to email phishing. Perhaps they exploit SSL VPN design weakness or Microsoft Zero day. In the Oil and Gas Industry . It is common of the implementation of OPC UA technology. It is hard to avoid to using Microsoft product. Even though their OPC UA is running on a linux base machine.But Darkside 2.0 has fastest encryption speed on the market, and it capable for Windows and Linux versions. So this related thing started the story.

Headline News – https://www.reuters.com/technology/colonial-pipeline-halts-all-pipeline-operations-after-cybersecurity-attack-2021-05-08/

Potential Risk of CVE, Under our observation

Replay Protected Memory Block (RPMB) protocol vulnerability impact may more than expected – 16th Nov 2020.

November 16, 2020 admin Leave a comment

Preface: With the advent of the 5G era, starting in 2019, UFS 3.0 has gradually been adopted by flagship smartphones.
UFS 3.1 is an optimized version of 3.0.

Background: The RPMB layer aims to provide in-kernel API for Trusted Execution Environment (TEE) devices that are capable to securely compute block frame signature. In case a TEE device wish to store a replay protected data, it creates an RPMB frame with requested data and computes HMAC of the frame, then it requests the storage device via RPMB layer to store the data.

A storage device registers its RPMB (eMMC) partition or RPMB
W-LUN (UFS) with the RPMB layer providing an implementation for
rpmb_cmd_seq() handler. The interface enables sending sequence of RPMB standard frames.

Vulnerability details: The RPMB protocol allows an attacker to replay stale write failure messages and write commands, leading to state confusion between a trusted component and the contents of an RPMB area. Since the impact not explicitly confirm by vendor yet. See below url for reference.

Western Digital – https://www.westerndigital.com/support/productsecurity/wdc-20008-replay-attack-vulnerabilities-rpmb-protocol-applications

Netapp – https://security.netapp.com/advisory/ntap-20201113-0005/

CERT Coordination Center – https://kb.cert.org/vuls/id/231329

IoT, Under our observation

Design limitation of iDS6 DSSPro Digital Signage System 6.2 – 6th Nov 2020

November 6, 2020 admin Leave a comment

Preface: Digital signage’s content is powered by a media player or system-on-a-chip which pushes content to a display.
Users can then manage the content with a content management system.

Background: Design limitation of iDS6 DSSPro Digital Signage System 6.2 . The vulnerability cause by autoSave password function.
Since it is a pure unencrypted http traffic, it let internet Cookie disclosure user password. If I am using it.
How to reduce the risk?

Cause of details and remedy solution: The root causes of disclosure user password details shown on attachment.
If the remediation not yet release by vendor. Perhaps do a operation of this product web service should a conduct the following.

Avoid to use WiFi do the management. It should use a workstation in a trusted network.
Set firewall rule only allow managed IP address can be connect to the specific IP address. The point from C to B (refer to diagram). And do not use wireless connection.
From point B to point A it should be a cable network instead of WiFi connection.

Additional: Set the cookie age to 4 minutes, and reset the cookie age every time your server sends a response,
then the cookie will time out after 4 minutes of inactivity.

Vendor: Guangzhou Yeroo Tech Co., Ltd.
Product web page: http://www.yerootech.com
Affected version: V6.2 B2014.12.12.1220
V5.6 B2017.07.12.1757
V4.3

Public safety, Under our observation, Virus & Malware

New variant of the Zebrocy (smqft_exe & sespmw_exe). They are design to perform various functions on the compromised system, said USCERT (3rd Nov 2020)

November 3, 2020 admin Leave a comment

Preface: Some expert comment that because of Go language programming file will be large than usual. It might have possibilities to evade virus scanning. So malware author like to use. Perhaps this is not the major factor.

Background: In July 2019, a security researcher found nearly 10,700 unique samples of malware written in Go programming language, also known as GoLang.
According to the analysis conducted by Imperva. As of 2019 37.97% attack use Python language develop the tool and 31.53% was used Go language. Go language really a compiler (in fact it embeds 2 compilers) and it makes totally self sufficient executable. You don’t need any supplementary library or any kind of runtime to execute it on your server.

Technical highlights: Go or Golang attempts to reclaim the memory occupied by other objects that are no longer needed which makes Go a highly garbage collected language. Because of this reclaim feature, so it is easy to let antivirus/malware detection screw up.

Official details: If you are interested in the above matters. Please refer to the link – https://us-cert.cisa.gov/ncas/analysis-reports/ar20-303b

Cyber security technical information