Category Archives: Under our observation

Data privacy, IoT, Public safety, Under our observation

Discarded Tesla car parts contain information. Maybe you can buy it on eBay. Who can believe in the technological world? Even if no such incident occurs, the supplier can read your local data without your consent (8th May 2020)

Leave a comment

Preface: The traditional method of disposing of hard drives is degaussing or incineration.

Headline News: The manufacturer has a hardware disposal policy. The incidents encountered by Tesla may be due to improper handling of third parties. For more information about headline news, please refer to this link. https://www.hackread.com/user-data-found-in-tesla-car-parts-ebay/

Supplement: Should you have doubt about your data personal privacy matter in IoT device? You might have interested to read the following.

Who can you trust in the Internet world? Security Issues with LOAD DATA LOCAL in MySQL DB.

Technical overview:
Security Issues with LOAD DATA LOCAL on MySQL DB server side:
Such a server could access any file on the client host to which the client user has read access. Please refer to this link to read the details – http://www.antihackingonline.com/application-development/who-can-you-trust-in-the-internet-world-security-issues-with-load-data-local-in-mysql-db/

Official announcement – Security Considerations for LOAD DATA LOCAL. Please refer to this URL: https://dev.mysql.com/doc/refman/8.0/en/load-data-local-security.html

IoT, Public safety, Under our observation

Storm of Go language based malware – 6th May 2020

Leave a comment

Preface: New Kaiji malware targets IoT devices via SSH brute-force.

Background: Gobot is a framework for robotics, drones, and the Internet of Things (IoT), written in the Go programming language.

Observation: Programmers usually choose Golang for building the communication layer within the IoT system. One of the biggest draws to Go is the fact that a single codebase may be compiled for all of the major operating system platforms.

What is codbase: A codebase is a source code repository or a set of repositories that share a common root. The single codebase for an application is used to produce any number of immutable releases that are destined for different environments.

Facts: So it benefits to attacker when he written a malware.

Prediction in regards to current situation: See attached diagram. My prediction is that hacker will be exploit the design weakness in Go language (Go programs primarily use the YMM registers to implement copying one memory buffer to another). So, the case is under observation.

The things you can do right now: Implement effective passwords on all IoT devices when possible.

Headline News:https://www.zdnet.com/article/new-kaiji-malware-targets-iot-devices-via-ssh-brute-force-attacks/

Potential Risk of CVE, Under our observation

Alert users that a previously disclosed Oracle WebLogic Server remote code execution vulnerability (CVE-2020-2883) is being exploited in the wild. (3rd May 2020)

Leave a comment

Preface: Perhaps my alert late for 3 days, but the specify vulnerability hide himself in webLogic product for few years!

Vulnerability details: Alert users that a previously disclosed Oracle WebLogic Server remote code execution vulnerability (CVE-2020-2883) is being exploited in the wild. You can read the official announcement in following link – https://blogs.oracle.com/security/apply-april-2020-cpu

One of the exploit methods – The attacker can locate all of the objects by packet capture. For more details, please refer to attached diagram for reference. As a result, the attacker can replace these objects with his malicious payload. Since the server receives the data and unpacks (deserializes) without integrity check. And therefore it let attacker execute the malicious code on the underlying WebLogic core, allowing the attacker to take control over unpatched systems.

Potential Risk of CVE, Public safety, Under our observation

headline news – cyber attackers from exploiting web servers via web shell malware. 23rd Apr 2020

Leave a comment

Preface: Web shells are a well-known attacker technique, but they are often difficult to detect because of their proficiency in blending in with an existing web application.

Details: to gain root access to server. Web shells malware are frequently chosen by APT group; however these are just a small number of known used web shells.

Vulnerabilities and Environment executable frequently used by attackers:

CVE-2019-0604 (affecting Microsoft SharePoint)
CVE-2019-19781 (affecting Citrix appliances)
CVE-2019-3396 and CVE-2019-3398 (affecting Atlassian Confluence Server and Data Center Widget Connector)
CVE-2019-9978 (affecting the social-warfare plugin for WordPress)
CVE-2019-18935, CVE-2017-11317 and CVE-2017-11357 (affecting Progress Telerik UI)
CVE-2019-11580 (affecting Atlassian Crowd)
CVE-2020-10189 (affecting Zoho ManageEngine Desktop Central)
CVE-2019-8394 (affecting Zoho ManageEngine ServiceDesk Plus)
CVE-2020-0688 (affecting Microsoft Exchange Server)
CVE-2018-15961 (affecting Adobe ColdFusion).

Remark: Web shells malware are frequently chosen by APT group; however these are just a small number of known used web shells.

Official announcement – https://www.nsa.gov/News-Features/News-Stories/Article-View/Article/2159419/detect-prevent-cyber-attackers-from-exploiting-web-servers-via-web-shell-malware/

Under our observation

Buffer Overflow (SEH Bypass), perhaps it is easy to encounter in medical software system (20th Apr 2020)

Leave a comment

Preface: IoT Enterprise runs on 32-bit and 64-bit x86 chipsets with support for Universal Windows Platform (UWP) apps as well as Classic Windows(e.g. Win32 and .NET) applications. Perhaps you will discover plenty of medical devices still use 32 bit windows application.

Recent security alert on medical product: The ‘DICOM Viewer 2.0’ capable of handling all DICOM files of any modality (X-Ray angiogram, ultrasound, CT, MRI, Nuclear, waveform etc.), compression (lossless and lossy Jpeg, Jpeg200, RLE), depth or color. The proof of concept shown that software encountered buffer overflow (SEH) in specify circumstances.

What is Buffer overflow (SEH): An exception handler is a portion of code contained within an application, designed to handle an exception that may occur during runtime. Windows contains an exception handler by default (SEH) which is designed to catch an exception and generate an error. If the buffer is overflown and data is written to the SEH (located eight bytes after ESP), then all of the CPU registers are set to zero (0) and this prevents us from executing our shellcode successfully. If attacker can removing the eight additional bytes from the stack, and returning execution to the top of the stack, thus allowing execution of the shellcode.

Status: Waiting for official information update.

Reference: https://www.rubomedical.com/

Under our observation

winducms – attacker exploit php feature cause sql injection and REC (20th Apr 2020)

Leave a comment

Preface: Why we found vulnerability on apps in frequent? Fundamentally, apps goal provided services and function. Even though you said it is a design weakness. But protection control should relies on other separate service or component. It will increase the difficulties for attacker when you install the antivirus(malware) on your mobile phone.

Vulnerability background: Windu CMS is a simple, lightweight and fun-to-use website content management system for Twitter Bootstrap. Security expert found bug on Windu 3.1. The proof of concept shown that it can exploits on PHP feature trigger SQL injection and remote code execution.

Security Focus: The PoC point out there is important factor cause the vulnerability and thus the developer pay the attention. In high level, it is simple. Software developer should disable eval function in PHP. Other than that, we should install antivirus program on smartphone.

Reference: WinDu CMS official website – http://en.windu.org/

Potential Risk of CVE, Under our observation

Centreon – Remote code execution can be configured via Poller (18th Mar 2020)

1 Comment

Preface: Centreon Engine allows you to schedule periods of planned downtime for hosts and service that you’re monitoring. So if design weakness occurs in this place. It provides a way to attacker for exploit.

Background: Centreon is an open source IT monitoring solution by Centreon. It is easy to install and you can deploy within minutes.

Vulnerability details: An authenticated user with sufficient administrative rights to manage pollers can use this functionality to execute arbitrary commands remotely. Usually, the miscellaneous commands are used by the additional modules (to perform certain actions), by the scheduler for data processing, etc. Meanwhile, it provides a path for attacker to exploit. Official announcement: No status update yet. But you can receive the updated release note in this place – https://documentation-fr.centreon.com/docs/centreon/en/latest/release_notes/index.html

Perhaps vulnerability might happen in open source in frequent. But I support opensource personally.

Under our observation

Political and Justice – 2020

Wyden and Khanna proposed amending the Espionage Act of 1917 to protect journalists, whistleblowers, and security researchers who discover and disclose classified government information. (see below url) https://www.wyden.senate.gov/news/press-releases/wyden-and-khanna-introduce-bill-to-protect-whistleblowers-ensure-journalists-arent-targeted-for-publishing-classified-information-

If you are also interested of cyber security information developing state. Perhaps you will seen the cyber security protection will be transform to preventive instead of defensive. But who can imagine that the computer technology will be transform a weapon style of attack. In our world there is no absolute correct state . If the hostile state doing aggressive activities. Therefore the adjacent side will doing the defense. Conducting the spy in digital technology relies on malware. It conduct the Infiltration . So it is not limit to computer backdoor, email phishing and advanced espionage technologies will be used. But sometimes, it will have contradition. Furthermore it can become a political fight tool.

Meanwhile, we can only give a salute to the Whistleblowers.

“It was the best of times, it was the worst of times, it was the age of wisdom, it was the age of foolishness,..

Application Development, Under our observation

Monthly news focus – Mar 2020

Preface: Do you have doubt for the road map of application penetration test? I believe that it is a logical step. Sometimes, you will concerning the limit time windows for remediation for different of vulnerability result. The penetration tester will narrow down the work scope especially the high risk rating vulnerability item. Since this is the highest priority job which requires customer to do the remedy.

How do you deal with application vulnerabilities? I also encountered this error because the high-risk level vulnerability made me nervous. Believe it or not, whether an application system can do a good vulnerability management sometimes depends on how hard the penetration tester analyzes the collected information. Below example can let you know my statement is true.

Get for POST (Risk: informational) – A request that was originally observed as a POST was also accepted a a GET. This issue does not represent a securit weakness into itself. However it may facilities simplification of other attacks. For example if the original is subject to Cross-Site Scripting (XSS), then this finding may indicate that a simplified (GET based) XSS may also be possible.

Hey Guys, don’t be worry too much. But you should be careful when you do the application penetration test report next time. Be remember that ask your consultant once you got a question.

Public safety, Under our observation, Virus & Malware

A retrospective album of BlackEnergy – Feb 2020

Somewhere in time. This is 2015 – BlackEnergy2 exists in the form of a kernel-mode driver, which makes it harder for network administrators to discover the compromise. Black energy Group will mimics their custom tool(driver) thus made to look like a normal Windows component. They are interested in infecting Windows servers especially OPC server. But Microsoft implemented a driver signing policy in order to avoid loading unsigned driver. This feature is enabled on 64 bits versions of Windows systems.

Synopsis: In normal circumstances, activate the function of the cyber espionage and information destruction attack features needed to be rebooted in order to start the mimics driver. Even though black energy do not have exception.This unplanned reboot of the Windows server could raise suspicion. To solve the reboot issue, the attackers started to use a tool called DSEFix (an open-source tool that exploits CVE-2008-3431, a vulnerability in the legitimate VirtualBox driver), in order to disable the driver signature check. The attackers will made a custom version of DSEFix that also modifies boot configuration data (BCD) in order to enable TESTSIGNING mode.

What is TESTSIGNING mode: By default, Windows does not load test-signed kernel-mode drivers. To change this behavior and enable test-signed drivers to load, use the boot configuration data editor, BCDEdit.exe, to enable or disable TESTSIGNING, a boot configuration option. You must have Administrator rights to enable this option.

Those cyber criminal will focusing the OPC server.Because the OPC client uses the OPC server to get data from or send commands to the hardware.

Will it happen today? The elaborate email subject and content presents challenges for traditional security tools, because it is designed specifically to evade detection.