Category Archives: Under our observation

Can it be remedied, or is it an enigma? – JAN 2020

Preface: User Account Control (UAC) is a fundamental component of Microsoft’s overall security vision. UAC helps mitigate the impact of malware.

Synopsis: The UAC bypass using eventvwr.exe was exploited by malware in 2017. Microsoft fixed the eventvwr.exe UAC bypass in the Windows 10 Creators Update: in preview build 15007, the bypass method involving eventvwr.exe appears to have been closed. Investigators nonetheless found a similar UAC bypass technique in use by ransomware.
In April 2019, researchers found a new ransomware family named Sodinokibi. Its design uses a module loaded into memory that functions as a loader in phase 1; if the process's privileges are insufficient, it attempts a UAC bypass.

The UAC bypass mechanism is not limited to eventvwr.exe. The malware can write its own path to the registry key Software\Classes\mscfile\shell\open\command and then launch a new instance of explorer.exe to run compmgmtlauncher.exe, which executes whatever is configured under Software\Classes\mscfile\shell\open\command\ and so runs the script (see above diagram).

So the basic lesson is that patch management that merely follows vendor announcements is not, on its own, an effective way to protect a machine from ransomware.

Objectives and definitions for establishing light weapons: To avoid detection by anti-malware mechanisms, a good deal of notorious APT malware relies on design weaknesses in UAC. This lets it bypass access control and significantly raises the success rate of phase one of an attack, because it makes the defender's job harder: detecting a simple script or piece of code on its own does not make it easy to predict what the intention was. When the WannaCry ransomware appeared, its design goal was perhaps the SMB vulnerability, but its attack strategy was lacking. Deleting the system's shadow copies requires local administrator rights, so when ransomware attempts it, User Account Control prompts the user to allow elevated privileges before the operation runs (see below diagram); the prompt alerts the end user that something is about to happen when they click. The new generation of ransomware therefore tries to work around this design weakness.

Ransomware authors leverage UAC bypass techniques: A novel Dridex User Account Control (UAC) bypass method is characterized by its use of recdisc[.]exe, a default Windows recovery disc executable, and by loading malicious code via an impersonated SPP[.]dll. You might say this vulnerability has been fixed by Microsoft, but the market feedback is as follows:

Microsoft doesn’t consider UAC a security boundary, and thus often doesn’t fix UAC bypasses. These bypasses are common and easy. The following figure shows another UAC bypass scenario.
Let’s open our eyes and see what happens next in the evolving world of cybersecurity.
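The two behaviours this post describes (the mscfile handler key being rewritten so an auto-elevating launcher runs attacker code, and shadow copies being deleted once elevation succeeds) are both visible in endpoint telemetry. The detection helper below is an added example, not code from the post; it assumes Sysmon-style event dicts (Event ID 1 process creation, Event ID 13 registry value set) and constructed sample events.

```python
import re

# Registry path the post describes being hijacked (matched as a suffix under any hive/SID).
MSCFILE_KEY = re.compile(r"\\Software\\Classes\\mscfile\\shell\\open\\command", re.IGNORECASE)
# Auto-elevating launchers named in the post; their only legitimate child is mmc.exe.
AUTOELEVATE_PARENTS = ("eventvwr.exe", "compmgmtlauncher.exe")


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return an alert string for one Sysmon-style event dict, or None if it looks benign."""
    eid = event.get("EventID")
    if eid == 13 and MSCFILE_KEY.search(event.get("TargetObject", "")):
        return "registry hijack: mscfile handler rewritten by " + _basename(event.get("Image", ""))
    if eid == 1:
        image = _basename(event.get("Image", ""))
        parent = _basename(event.get("ParentImage", ""))
        cmd = event.get("CommandLine", "").lower()
        if parent in AUTOELEVATE_PARENTS and image != "mmc.exe":
            return "uac bypass: %s spawned %s instead of mmc.exe" % (parent, image)
        if image == "vssadmin.exe" and "delete" in cmd and "shadows" in cmd:
            return "ransomware prep: shadow copies deleted"
    return None


def scan(events):
    """Run classify() over a list of events and return (UtcTime, alert) pairs."""
    alerts = []
    for event in events:
        alert = classify(event)
        if alert:
            alerts.append((event.get("UtcTime"), alert))
    return alerts


# Constructed sample events (not real telemetry); only the fields the rules use are included.
SAMPLE_EVENTS = [
    {"EventID": 13, "UtcTime": "t1", "Image": "C:\\Users\\bob\\loader.exe",
     "TargetObject": "HKU\\S-1-5-21-1-2-3-1001\\Software\\Classes\\mscfile\\shell\\open\\command\\(Default)"},
    {"EventID": 1, "UtcTime": "t2", "Image": "C:\\Windows\\System32\\mmc.exe",
     "ParentImage": "C:\\Windows\\System32\\eventvwr.exe", "CommandLine": "mmc.exe eventvwr.msc"},
    {"EventID": 1, "UtcTime": "t3", "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\System32\\CompMgmtLauncher.exe", "CommandLine": "cmd /c stage2.bat"},
    {"EventID": 1, "UtcTime": "t4", "Image": "C:\\Windows\\System32\\vssadmin.exe",
     "ParentImage": "C:\\Users\\bob\\loader.exe", "CommandLine": "vssadmin delete shadows /all /quiet"},
]

if __name__ == "__main__":
    for when, alert in scan(SAMPLE_EVENTS):
        print(when, alert)
```

The second sample (eventvwr.exe launching mmc.exe) is the normal path and produces no alert, which is the baseline the other rules are measured against.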


Additional topic: I am wishing that the Coronavirus will be gone by the next morning. Perhaps that is not possible, but such punishment of mankind has been enough!

Are there other similarly vulnerable components like ws2ifsl.sys in Windows?

Preface: Finding an error somewhere can sometimes expand your way of thinking.

Synopsis: Ws2ifsl.sys is found in the C:\Windows\System32\drivers directory. In many cases, a driver creates a symbolic link whose name can be used as a file name for CreateFileA, but this is not the case with ws2ifsl. It only calls nt!IoCreateDevice with the DeviceName set to ‘\Device\WS2IFSL’. IoCreateDevice creates a device object and returns a pointer to the object. The caller is responsible for deleting the object when it is no longer needed by calling IoDeleteDevice.

Vulnerability details: An elevation of privilege vulnerability exists in the way that ws2ifsl.sys (Winsock) handles objects in memory, aka ‘Windows Elevation of Privilege Vulnerability’. This CVE ID is unique from CVE-2019-1253, CVE-2019-1278, CVE-2019-1303.

Patch analysis: In Microsoft's patched version (10.0.18362.356) we can see the patched features:
– CreateProcessFile
– Delivery closed
– Signal cancelled
– Signal requirements
– RequestRundownRoutine
– CancelRundownRoutine

Under my observation: If a device name is not supplied (that is, DeviceName is NULL), the device object created by IoCreateDevice will not (and cannot) have a discretionary access control list (DACL) associated with it. Do you think this issue gives an attacker an opportunity to exploit it?

Design weakness found 1 year ago (Jan 2019), but the details are only exposed today! Fortinet FortiSIEM 5.2.5 / 5.2.6 Hardcoded Key (Jan 2020)

Preface: Stupid Solutions to Stupid Problems: Hardcoding Your SSH Key in the system.

Vulnerability background: FortiSIEM 5.2.5 / 5.2.6 ship a hardcoded credential that can be used to log in to the underlying system via Secure Shell (SSH). This means that anyone with access to any FortiSIEM image (to copy the SSH private key) can authenticate successfully via SSH to the FortiSIEM Supervisor on port 19999/tcp as tunneluser. They will be limited to the /opt/phoenix/phscripts/bin/tunnelshell script, but if this is bypassed then full shell access can be obtained.

Impact: While the user’s shell is limited to running the /opt/phoenix/phscripts/bin/tunnelshell script, SSH authentication still succeeds. Versions 5.2.5 and 5.2.6 have been verified as vulnerable.
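The root problem here is one key pair baked into every image, so the same public key turns up in the tunneluser account of every appliance. The audit below is an added example (not Fortinet's code or the advisory's): it fingerprints the entries of an authorized_keys file the way `ssh-keygen -lf` does, reports keys shared across appliances, and flags entries that are not pinned to a forced command such as the tunnelshell script. The fleet, host names and ed25519 blobs are constructed.

```python
import base64, hashlib, shlex, struct
from collections import defaultdict

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-")

def fingerprint(b64_blob):
    """OpenSSH-style SHA256 fingerprint of a public key blob, as `ssh-keygen -lf` prints it."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_line(line):
    """Return (options, key_type, fingerprint) for one authorized_keys line, or None."""
    toks = shlex.split(line.strip())
    if not toks or toks[0].startswith("#"):
        return None
    opts = [] if toks[0].startswith(KEY_TYPES) else toks.pop(0).split(",")
    if len(toks) < 2:
        return None
    return opts, toks[0], fingerprint(toks[1])

def audit(fleet):
    """fleet maps appliance name -> authorized_keys text for one account (here tunneluser).
    Returns keys seen on more than one appliance and entries lacking a forced command."""
    seen, unrestricted = defaultdict(list), []
    for host, text in fleet.items():
        for line in text.splitlines():
            parsed = parse_line(line)
            if parsed is None:
                continue
            opts, _, fp = parsed
            seen[fp].append(host)
            if not any(o == "restrict" or o.startswith("command=") for o in opts):
                unrestricted.append((host, fp))
    return {"shared": {fp: h for fp, h in seen.items() if len(h) > 1}, "unrestricted": unrestricted}

def _fake_ed25519(seed):
    """Constructed ssh-ed25519 wire blob (not a real key) so the sample runs offline."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes([seed]) * 32
    return base64.b64encode(blob).decode()

# Constructed fleet: two appliances built from the same image carry the same tunneluser key;
# the third has a rotated key pinned to the tunnelshell script via a forced command.
FLEET = {
    "siem-a": "ssh-ed25519 %s tunneluser@image\n" % _fake_ed25519(1),
    "siem-b": "ssh-ed25519 %s tunneluser@image\n" % _fake_ed25519(1),
    "siem-c": 'restrict,command="/opt/phoenix/phscripts/bin/tunnelshell" ssh-ed25519 %s rotated\n'
              % _fake_ed25519(2),
}
```

Running `audit(FLEET)` reports the key shared by siem-a and siem-b and lists those same two entries as unrestricted; siem-c passes both checks.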

To avoid the MS ‘.group’ file handling RCE vulnerability, think before you click – Jan 2020

Preface: Perhaps you would say the ‘.group’ file handling is the design defect, and that hackers use social engineering to trigger this vulnerability (GROUP FILE URL FIELD CODE EXECUTION). Do you agree?

What is a GROUP file? The file is located in C:\Program Files\Windows Mail.

Vulnerability details: Microsoft Windows is prone to a remote code-execution vulnerability. Attackers can exploit this issue to execute arbitrary code in the context of the currently logged-in user. Failed exploit attempts will cause denial-of-service conditions.

Former 0-day record: About eleven months ago, a Microsoft ‘.contact’ file vulnerability was found that allowed arbitrary code execution. Less than a year later, another vulnerability occurs in ‘.group’ file handling. Perhaps the WAB.exe features could be re-engineered.

Reference url: https://www.symantec.com/security-center/vulnerabilities/writeup/111355?om_rssid=sr-advisories

About the ransomware attack on Maastricht University – 24th Dec 2019

Preface: “Maastricht University (UM) encountered a serious cyber attack,” the university announced on Christmas Eve, December 24, 2019.

Synopsis: The root cause is not known, but if ransomware can spread quickly it most likely exploits the Microsoft SMB protocol.
Perhaps it was hit by the Ryuk ransomware!
Apart from that, Maastricht University relies on GitHub for its technology programme development. This similarly creates a pathway for cybercriminals to fork other projects (which on GitHub means producing a copy of someone else’s project, to build upon or to use as a starting point) and subsequently push a new commit containing malware to the project. Such malware can connect to a GitHub account to obtain the exact location of its C&C servers and then trigger the ransomware infection.

Observation: Has any personal information leaked? If so, this will be relevant under the GDPR.
It is currently unknown if scientific data was also accessed or exfiltrated by the attackers during the attack.

Headline News: Please refer to https://www.bleepingcomputer.com/news/security/ransomware-hits-maastricht-university-all-systems-taken-down/

CVE-2019-19492 (FreeSWITCH 1.6.10 through 1.10.1 has a default password in event_socket.conf.xml) Remote command execution – Last update: 26th Dec 2019

Preface: FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a versatile software implementation that runs on any commodity hardware.

Background: FreeSWITCH listens on port 8021 by default and will accept and run commands sent to it after authenticating. By default commands are not accepted from remote hosts.

Design weakness: FreeSWITCH 1.6.10 through 1.10.1 has a default password in event_socket.conf.xml. How do hackers exploit the vulnerability: the design weakness is the default password in event_socket.conf.xml. By default commands are not accepted from remote hosts; but where the event socket is reachable, an attacker using plain socket programming (for example in Python) can authenticate with the default password and execute commands remotely.

Remedy: It is recommended to block all untrusted socket connections to this device's event socket (port 8021 by default) with a firewall until the vendor provides an official patch.
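Both conditions above (the shipped password still in place, and the event socket reachable beyond localhost without an inbound ACL) are visible in event_socket.conf.xml itself. The checker below is an added example, not FreeSWITCH code; it assumes the stock parameter names (listen-ip, listen-port, password, apply-inbound-acl) and the well-known shipped default password, and the three configurations are constructed.

```python
import xml.etree.ElementTree as ET

LOOPBACK = ("127.0.0.1", "::1", "localhost")
DEFAULT_PASSWORD = "ClueCon"  # the value shipped in the stock event_socket.conf.xml


def audit_event_socket(xml_text):
    """Return a list of findings for one event_socket.conf.xml document."""
    root = ET.fromstring(xml_text)
    params = {p.get("name"): p.get("value") for p in root.iter("param")}
    findings = []
    if params.get("password") in (None, DEFAULT_PASSWORD):
        findings.append("password is the shipped default")
    listen_ip = params.get("listen-ip", "127.0.0.1")
    port = params.get("listen-port", "8021")
    if listen_ip not in LOOPBACK and not params.get("apply-inbound-acl"):
        findings.append("listening on %s:%s with no apply-inbound-acl" % (listen_ip, port))
    return findings


def _conf(listen_ip, password, acl=None):
    """Build a constructed event_socket.conf.xml with the same shape as the real file."""
    acl_param = '<param name="apply-inbound-acl" value="%s"/>' % acl if acl else ""
    return """<configuration name="event_socket.conf" description="Socket Client">
  <settings>
    <param name="nat-map" value="false"/>
    <param name="listen-ip" value="%s"/>
    <param name="listen-port" value="8021"/>
    <param name="password" value="%s"/>
    %s
  </settings>
</configuration>""" % (listen_ip, password, acl_param)


LOCAL_DEFAULT = _conf("127.0.0.1", "ClueCon")                       # default password, loopback only
EXPOSED = _conf("0.0.0.0", "ClueCon")                               # default password, reachable remotely
HARDENED = _conf("0.0.0.0", "ROTATED-SECRET-PLACEHOLDER", "lan")    # unique password plus inbound ACL
```

The first configuration matches the post's "by default commands are not accepted from remote hosts" case and still gets one finding; the second is the setup the remedy's firewall rule is protecting.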

Not a serious mistake, but it could cause more trouble! (21st Dec, 2019)

Preface: Computer technology, especially software applications, is the soul of the digital world.

Background: Pingbacks (also known as trackbacks) are a form of automated comment for a page or post, created when another WordPress blog links to that page or post. When you publish a new blog post, WordPress attempts to ‘ping’ all the sites that were linked to in your post, i.e. your WordPress website informs other websites that you’ve linked to them.

Design weakness: Trackbacks and Pingbacks were meant to help inter-blog conversation when the specification was created years ago. These days almost 100% of Trackbacks and Pingbacks are spam, according to Akismet. They may cause more trouble!

Comments: WordPress released version 5.3.1 in December 2019. However, the above concerns do not seem to have been addressed at the moment. It is reported that attackers can exploit the pingback weakness together with XML-RPC, consuming system resources and causing a denial of service. So we must stay alert!

Remedy: Refer to the diagram.

5.3.1 official announcement: https://wordpress.org/support/wordpress-version/version-5-3-1/

How do we focus on design weaknesses?

Preface: Under existing policy, flaws that require root access are not considered security issues. If we were not using cloud computing, that would be acceptable. But we need cloud systems!

Security focus: A Turkish information security specialist found a design weakness in the Windows kernel. According to the vendor’s Bug Bounty program rules, flaws that require root access are not considered security issues and are not classified as vulnerabilities. However, the whole IT world is moving toward cloud technology, and it is hard to guarantee that this type of vulnerability will not impact a public cloud farm. Perhaps it could be re-engineered into a surveillance tool.

Defect details: A PoC tool proves that it can hijack the HalPrivateDispatchTable to create an early-bugcheck hook. Using this early-bugcheck hook it collects information about the exception and basically provides a simple interface to register a high-level system-wide exception handler. My intention is to urge Microsoft to consider this technical issue. Perhaps it may become a zero-day, so I do not display the related URL. Should you be interested in this topic, it is not difficult to search for; you will find the details.

Reference:

The ntoskrnl.exe kernel service, which is responsible for handling exceptions, system call procedures, and thread scheduling in Windows.

Kernel Patch Protection (KPP), informally known as PatchGuard, is a feature of 64-bit (x64) editions of Microsoft Windows that prevents patching the kernel.

Fundamental design concept – related to this matter:

  1. RSPx is loaded whenever an interrupt causes the CPU to change its privilege level to x. The TSS in long mode also holds the Interrupt Stack Table, a table of 7 known-good stack pointers that can be used for handling interrupts.
  2. BKPT #0x3 ; breakpoint with the immediate value set to 0x3 (a debugger can extract the immediate value by locating it using the PC (program counter))
  3. x86_64 also has a feature which is not available on i386: the ability to automatically switch to a new stack for designated events such as a double fault or NMI, which makes it easier to handle these unusual events on x86_64. This feature is called the Interrupt Stack Table (IST). There can be up to 7 IST entries per CPU. The IST code is an index into the Task State Segment (TSS). The IST entries in the TSS point to dedicated stacks; each stack can be a different size.

This topic is under our observation.

Gun and bullet – SMBV1 and Ransomware (Nov 2019)

Preface: Starting from around 2012 the use of ransomware scams has grown internationally.

Background: About 5 days ago, Bloomberg headline news reported that cyber criminals had compromised the IT infrastructure of Mexican Petroleum (Pemex). The hackers hope to extract nearly $5 million from the company, with a final deadline of 30th November 2019.

Tremendous incident record: EternalBlue was leaked by the Shadow Brokers hacker group on April 14, 2017, one month after Microsoft released patches for the vulnerability. EternalBlue opened the door to one of the nastiest ransomware outbreaks in history, known as WannaCryptor.

Our point of view: Most older NAS devices do not support SMB version 2 or above, even where a firmware upgrade is possible. System admins sometimes lack awareness or are short of labour, and therefore SMB v1 remains enabled on workstations. As a matter of fact, this is what gets small and medium-sized enterprises shot by ransomware. Even in the manufacturing and petroleum industries you may find SMB v1 still alive. Perhaps this is how the story began.

For more information on headline news, please refer – https://www.bloomberg.com/news/articles/2019-11-13/a-hacker-wants-about-5-million-from-pemex-by-end-of-november

Suspected Podman-Varlink remote code execution – under observation (14th Oct 2019)

Preface: Red Hat is investing in CRI-O and Podman. Meanwhile, they are involved in the Open Container Initiative standards organization. The goal is to contribute and to drive innovation in their products, such as Red Hat OpenShift and Red Hat Enterprise Linux.

Background: Podman set out to provide a simple CLI for managing pods and containers. Varlink's design goal is to make services accessible to both humans and machines in the simplest feasible way; its authors describe it as an “interface description format and protocol”. Podman decided to build the Podman API on varlink so that users and developers can interact with Podman programmatically.

Design Synopsis: Podman relies on a systemd feature called socket activation. Systemd allows developers to create socket unit files that tell systemd to listen on a particular socket, such as the unix domain socket “/run/io.projectatomic.podman”. When a process connects to this socket, systemd launches the command specified in the service file with the same name. The launched command then handles the socket communications.

Vulnerability details: Depending on how Podman and Varlink are deployed, they can be susceptible to local and remote attacks. There are a few API bugs in Podman itself, as well as a way to execute arbitrary commands if one can reach Podman via the remote API. Running Podman with Varlink over TCP, listening either on localhost or on a network interface, is the most vulnerable setup. For more details, please refer to the diagram.
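Because the exposure depends entirely on the socket unit systemd activates Podman with, the deployment can be reviewed from that unit alone. The helper below is an added example, not Podman or systemd code; it assumes the standard [Socket] keys (ListenStream, SocketMode, SocketGroup) and systemd's default socket mode of 0666, and ranks each listener the way the post does: a group-restricted unix socket, then a localhost TCP port any local process can reach, then a TCP port open to the network. The unit texts are constructed.

```python
def parse_unit(text):
    """Minimal systemd unit parser that keeps repeated keys (several ListenStream= lines)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            current.setdefault(key, []).append(value)
    return sections

def exposure(listen, sock):
    """Classify one ListenStream value as restricted / local / remote with a short reason."""
    if listen.startswith("/"):
        mode = sock.get("SocketMode", ["0666"])[-1]  # systemd's default mode is world-accessible
        if int(mode, 8) & 0o006:
            return "local", "unix socket %s mode %s: every local user can talk to it" % (listen, mode)
        group = sock.get("SocketGroup", ["root"])[-1]
        return "restricted", "unix socket %s mode %s, group %s" % (listen, mode, group)
    host, _, port = listen.rpartition(":")
    host = host.strip("[]")
    if host in ("", "0.0.0.0", "::", "*"):
        return "remote", "tcp port %s on all interfaces: reachable from the network" % (port or listen)
    if host in ("127.0.0.1", "::1", "localhost"):
        return "local", "tcp %s: any local process can connect, with no peer credentials" % listen
    return "remote", "tcp %s: reachable from the network" % listen

def audit_socket_unit(text):
    """Return [(level, reason)] for every ListenStream= in the unit's [Socket] section."""
    sock = parse_unit(text).get("Socket", {})
    return [exposure(value, sock) for value in sock.get("ListenStream", [])]

# Constructed units. The first uses the socket path the post names, locked to a group.
PODMAN_UNIX = """[Unit]
Description=Podman Remote API Socket
[Socket]
ListenStream=/run/io.projectatomic.podman
SocketMode=0660
SocketGroup=podman
[Install]
WantedBy=sockets.target
"""
TCP_LOCAL = "[Socket]\nListenStream=127.0.0.1:1234\n"
TCP_ANY = "[Socket]\nListenStream=0.0.0.0:1234\nListenStream=[::]:1234\n"
```

A unix socket with no SocketMode at all is reported as "local", since systemd then creates it world-accessible.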