Category Archives: Under our observation

Is it a cyber attack or a design change? (Sunday, May 17, 2020 (EDT))

May 17, 2020 admin Leave a comment

Preface: High-level state-backed APT groups wreak havoc on cyber world. Does this attack only in short time or it will become a constant activities?

Security focus: Information technology professional will relies on DHS (US Homeland security) news update as a standard security alert indicator. For example, I am the follower. Found by tonight that the cyber security main page has changes. To be honest, my observation feedback to me that it is not normal. Regarding to the web page design, it shown that it do not use iFrame. However, the web site layout looks strange. I do not want to use the key term broken to describe. Because of this matter, I just take a look of the header information. It show to me that it is running Drupal.

Anyway it is recommend to remove this disclosure information. Perhaps the method is straight forward. The simplest method is to remove the header in a custom EventSubscriber. Please refer to diagram. The official information shown in follow URL. https://drupal.stackexchange.com/a/201297/47547

The problem now fixed by homeland security – 18th May 2020 – HKT

Cyber War, Under our observation, Virus & Malware

Little-Known Linux Exploits is being weaponize – 15th May 2020

May 15, 2020 admin Leave a comment

Preface: The following information will continue the theme released yesterday. For review the details by yesterday, please follow this link – www.antihackingonline.com/cyber-war/high-level-state-backed-apt-groups-entrenched-in-plenty-of-servers-for-nearly-a-decade-using-little-known-linux-exploits-14th-may-2020/

About the theme: Sound can tell, according to statistic provided by Microsoft. Cyber security attack is rapidly growth especially in education area within past 30 days. Perhaps Healthcare and pharmaceuticals area cyber attack volume not as high as education area. However the details found by Microsoft has similarity with security expert observe in past. There are more and more attacker focus to Linux environment.

Security focus: Backdoor code in the popular Bootstrap. To launch the action, the backdoor must be embedded in a “bootstrap” application (a dropper) that is written in C and called xxx.c. Once compiled and started, the dropper program must infect the first Linux ELF executable that it finds in the current directory. Then, when this newly infected file is executed, your virus code is supposed to run.

The myth said that Linux will be secure than Windows. It will be not correct anymore.

Cyber War, Under our observation

High-level state-backed APT groups entrenched in plenty of servers for nearly a decade Using Little-Known Linux Exploits – 14th May 2020

May 14, 2020 admin Leave a comment

Preface: According to statistical data, most organizations store data in cloud platforms operating in Linux based environment. Statistics show that, compared with the Windows operating system, Linux coverage rate exceeds 75%.

Background: Linux system commonly using drive by downloads on an infected website. For instance you install program on Linux sometimes require specify library file (.so). Perhaps your sense of defensive will be downgrade during software installation because you aim to achieve completed the milestone and therefore unintended let the rootkit implant to you Linux system. The rootkit is considered to be a type of Trojan horse. Many Trojan horses exhibit the characteristics of a rootkit. The main difference is that rootkits actively conceal themselves in a system and also typically provide the hacker with administrator rights.

RootKit specifications:

Kernel mode rootkits (Ring 0)

User mode rootkit (Ring 3)

What can we do now? Actively monitor web applications for unauthorized access, modification, or anomalous activities. But stay alert when you download the library file.

Data privacy, IoT, Public safety, Under our observation

Discarded Tesla car parts contain information. Maybe you can buy it on eBay. Who can believe in the technological world? Even if no such incident occurs, the supplier can read your local data without your consent (8th May 2020)

May 8, 2020 admin Leave a comment

Preface: The traditional method of disposing of hard drives is degaussing or incineration.

Headline News: The manufacturer has a hardware disposal policy. The incidents encountered by Tesla may be due to improper handling of third parties. For more information about headline news, please refer to this link. https://www.hackread.com/user-data-found-in-tesla-car-parts-ebay/

Supplement: Should you have doubt about your data personal privacy matter in IoT device? You might have interested to read the following.

Who can you trust in the Internet world? Security Issues with LOAD DATA LOCAL in MySQL DB.

Technical overview:
Security Issues with LOAD DATA LOCAL on MySQL DB server side:
Such a server could access any file on the client host to which the client user has read access. Please refer to this link to read the details – http://www.antihackingonline.com/application-development/who-can-you-trust-in-the-internet-world-security-issues-with-load-data-local-in-mysql-db/

Official announcement – Security Considerations for LOAD DATA LOCAL. Please refer to this URL: https://dev.mysql.com/doc/refman/8.0/en/load-data-local-security.html

IoT, Public safety, Under our observation

Storm of Go language based malware – 6th May 2020

May 6, 2020 admin Leave a comment

Preface: New Kaiji malware targets IoT devices via SSH brute-force.

Background: Gobot is a framework for robotics, drones, and the Internet of Things (IoT), written in the Go programming language.

Observation: Programmers usually choose Golang for building the communication layer within the IoT system. One of the biggest draws to Go is the fact that a single codebase may be compiled for all of the major operating system platforms.

What is codbase: A codebase is a source code repository or a set of repositories that share a common root. The single codebase for an application is used to produce any number of immutable releases that are destined for different environments.

Facts: So it benefits to attacker when he written a malware.

Prediction in regards to current situation: See attached diagram. My prediction is that hacker will be exploit the design weakness in Go language (Go programs primarily use the YMM registers to implement copying one memory buffer to another). So, the case is under observation.

The things you can do right now: Implement effective passwords on all IoT devices when possible.

Headline News:https://www.zdnet.com/article/new-kaiji-malware-targets-iot-devices-via-ssh-brute-force-attacks/

Potential Risk of CVE, Under our observation

Alert users that a previously disclosed Oracle WebLogic Server remote code execution vulnerability (CVE-2020-2883) is being exploited in the wild. (3rd May 2020)

May 3, 2020 admin Leave a comment

Preface: Perhaps my alert late for 3 days, but the specify vulnerability hide himself in webLogic product for few years!

Vulnerability details: Alert users that a previously disclosed Oracle WebLogic Server remote code execution vulnerability (CVE-2020-2883) is being exploited in the wild. You can read the official announcement in following link – https://blogs.oracle.com/security/apply-april-2020-cpu

One of the exploit methods – The attacker can locate all of the objects by packet capture. For more details, please refer to attached diagram for reference. As a result, the attacker can replace these objects with his malicious payload. Since the server receives the data and unpacks (deserializes) without integrity check. And therefore it let attacker execute the malicious code on the underlying WebLogic core, allowing the attacker to take control over unpatched systems.

Potential Risk of CVE, Public safety, Under our observation

headline news – cyber attackers from exploiting web servers via web shell malware. 23rd Apr 2020

April 24, 2020 admin Leave a comment

Preface: Web shells are a well-known attacker technique, but they are often difficult to detect because of their proficiency in blending in with an existing web application.

Details: to gain root access to server. Web shells malware are frequently chosen by APT group; however these are just a small number of known used web shells.

Vulnerabilities and Environment executable frequently used by attackers:

CVE-2019-0604 (affecting Microsoft SharePoint)
CVE-2019-19781 (affecting Citrix appliances)
CVE-2019-3396 and CVE-2019-3398 (affecting Atlassian Confluence Server and Data Center Widget Connector)
CVE-2019-9978 (affecting the social-warfare plugin for WordPress)
CVE-2019-18935, CVE-2017-11317 and CVE-2017-11357 (affecting Progress Telerik UI)
CVE-2019-11580 (affecting Atlassian Crowd)
CVE-2020-10189 (affecting Zoho ManageEngine Desktop Central)
CVE-2019-8394 (affecting Zoho ManageEngine ServiceDesk Plus)
CVE-2020-0688 (affecting Microsoft Exchange Server)
CVE-2018-15961 (affecting Adobe ColdFusion).

Remark: Web shells malware are frequently chosen by APT group; however these are just a small number of known used web shells.

Official announcement – https://www.nsa.gov/News-Features/News-Stories/Article-View/Article/2159419/detect-prevent-cyber-attackers-from-exploiting-web-servers-via-web-shell-malware/

Under our observation

Buffer Overflow (SEH Bypass), perhaps it is easy to encounter in medical software system (20th Apr 2020)

April 22, 2020 admin Leave a comment

Preface: IoT Enterprise runs on 32-bit and 64-bit x86 chipsets with support for Universal Windows Platform (UWP) apps as well as Classic Windows(e.g. Win32 and .NET) applications. Perhaps you will discover plenty of medical devices still use 32 bit windows application.

Recent security alert on medical product: The ‘DICOM Viewer 2.0’ capable of handling all DICOM files of any modality (X-Ray angiogram, ultrasound, CT, MRI, Nuclear, waveform etc.), compression (lossless and lossy Jpeg, Jpeg200, RLE), depth or color. The proof of concept shown that software encountered buffer overflow (SEH) in specify circumstances.

What is Buffer overflow (SEH): An exception handler is a portion of code contained within an application, designed to handle an exception that may occur during runtime. Windows contains an exception handler by default (SEH) which is designed to catch an exception and generate an error. If the buffer is overflown and data is written to the SEH (located eight bytes after ESP), then all of the CPU registers are set to zero (0) and this prevents us from executing our shellcode successfully. If attacker can removing the eight additional bytes from the stack, and returning execution to the top of the stack, thus allowing execution of the shellcode.

Status: Waiting for official information update.

Reference: https://www.rubomedical.com/

Under our observation

winducms – attacker exploit php feature cause sql injection and REC (20th Apr 2020)

April 21, 2020 admin Leave a comment

Preface: Why we found vulnerability on apps in frequent? Fundamentally, apps goal provided services and function. Even though you said it is a design weakness. But protection control should relies on other separate service or component. It will increase the difficulties for attacker when you install the antivirus(malware) on your mobile phone.

Vulnerability background: Windu CMS is a simple, lightweight and fun-to-use website content management system for Twitter Bootstrap. Security expert found bug on Windu 3.1. The proof of concept shown that it can exploits on PHP feature trigger SQL injection and remote code execution.

Security Focus: The PoC point out there is important factor cause the vulnerability and thus the developer pay the attention. In high level, it is simple. Software developer should disable eval function in PHP. Other than that, we should install antivirus program on smartphone.

Reference: WinDu CMS official website – http://en.windu.org/

Potential Risk of CVE, Under our observation

Centreon – Remote code execution can be configured via Poller (18th Mar 2020)

March 22, 2020 admin 1 Comment

Preface: Centreon Engine allows you to schedule periods of planned downtime for hosts and service that you’re monitoring. So if design weakness occurs in this place. It provides a way to attacker for exploit.

Background: Centreon is an open source IT monitoring solution by Centreon. It is easy to install and you can deploy within minutes.

Vulnerability details: An authenticated user with sufficient administrative rights to manage pollers can use this functionality to execute arbitrary commands remotely. Usually, the miscellaneous commands are used by the additional modules (to perform certain actions), by the scheduler for data processing, etc. Meanwhile, it provides a path for attacker to exploit. Official announcement: No status update yet. But you can receive the updated release note in this place – https://documentation-fr.centreon.com/docs/centreon/en/latest/release_notes/index.html

Perhaps vulnerability might happen in open source in frequent. But I support opensource personally.