Preface: Apple Mac OS as not as easy to compromised compare with other popular operation system.
Details (A): Emotet is malware originally engineered as a banking Trojan designed to steal sensitive information. It is a modular malware variant which is primarily used as a downloader for other malware variants such as TrickBot and IcedID. But their design presents challenges for traditional security tools, because it is designed specifically to bypass endpoint solutions. Even Mac computers are no exception.
Details (B): See attached diagram, Emotet keen to infect the computer by email. It traditionally will display several reasons require you to execute next action (clicks on it). As Trojan.Emotet takes over the email accounts of its victims. This helps trick users into downloading the Trojan onto their machine.
Official channel: What can you do if your MacOS is infected by Emotet? AppleCare does not provide support for removal of the malware. But customer can go to the Apple Online Store and the Mac App Store for antivirus software options.
Additional: Just do a google search, there are solution everywhere. So, you can make your decision.
Preface: JMX is often described as the “Java version” of SNMP (Simple Network Management Protocol).
Synopsis: A vulnerability in the Java Management Extensions (JMX) management agent included in the Java Runtime Environment (JRE) may allow a JMX client running on a remote host to perform unauthorized operations on a system running JMX with local monitoring enabled.
Security Focus: CVE-2020-3943 – The vulnerability allows a remote attacker to execute arbitrary code on the target system. The vulnerability exists due to the affected software uses a JMX RMI service which is not securely configured. A remote attacker can execute arbitrary code in vRealize Operations, with the Horizon Adapter running.
Horizon wiki – The Horizon adapter runs on a cluster node or remote collector node in vRealize Operations Manager. You can create a single Horizon adapter instance to monitor multiple Horizon pods. During broker agent configuration, you pair the broker agent with a Horizon adapter instance.
Attack basis: The attacker would have to trick the victim to open a a specially crafted file.
a. Attackers disguise their scam email as an official (WHO) alert issued by the Centers for Disease Control Health Alert Network. (Targeting individuals from the United States and the United Kingdom)
b. Attackers disguise their scam email as an alert of Coronavirus status, they are target to shipping industry.
Description: About the attack to shipping industry – Hacker exploit the vulnerability of CVE 2017-11882, perhaps they found that the patch management on the boat not enforce in frequent. And therefore the attack explicitly target shipping industry. About the attack to individuals from the United States and the United Kingdom – WHO urge that if anyone see similar type of scam email. Report to WHO – https://www.who.int/about/report_scam/en/
The slogan – Do not rush to open a URL or open a email. Take care.
Synopsis: The threat actors hidden their email phishing package anywhere. As common we know, email phishing scam foot print are wide in area. But the antivirus and malware solution vendor setup blacklist domain name and content filtering function has reduced the infection ratio of malware and ransomware. It looks that the similar of idea to hunting cyber victim still valid. In my observation, the attacker sometimes will be reuse their technique. This time they store the trap in social media web. Found that the scam activities which mimic Hong Kong Broadband luck draw online program activities is awaken again. I found similar activities on yesterday (16th Feb 2020). Even the VirusTotal repository has only one cybersecurity vendor detected a similar record type. In the sense that they can escape your defense solution.
Preface: The security of FIDO deployment largely depends on the choice of underlying security subsystems and their implementation.
Background: An ioctl , which means “input-output control” is a kind of device-specific system call. There are only a few system calls in Linux (300-400), which are not enough to express all the unique functions devices may have. So a driver can define an ioctl which allows a userspace application to send it orders. Samsung’s kernel tree contains two implementations of device-side MTP. One of them (drivers/usb/gadget/function/f_mtp.c), based on its copyright headers,seems to be from Google, but this one is disabled at build time. The second one is drivers/usb/gadget/function/f_mtp_samsung.c. Both of them have ioctl handlers that handle the ioctl command SEND_FILE_WITH_HEADER; the Google version runs this handler under a lock, but Samsung version doesn’t hold any locks.
Impact: If the object has been freed and then filled with data controlled by attacker, the EIP/RIP register for x86/x64 architecture or the register for ARM architecture is to be hijacked to injected shellcode and an arbitrary code execution in kernel will be achieved.
Preface: Heap overflows are exploitable in a different manner to that of stack-based overflows. Memory on the heap is dynamically allocated at runtime and typically contains program data.
Product background: F-Secure Internet Gatekeeper for Linux, aim to serve for small and medium business cyber security protection services. It capable to scanning incoming and outgoing including SMTP, HTTP, FTP and POP3 traffic for all types of malware.
Vulnerability details: F-Secure Internet Gatekeeper contains an admin panel that runs on port 9012/tcp. If attacker send a large size “Content-Length” with an unsigned long int through user administration process. It will causes strtoul return the ULONG_MAX value which corresponds to 0xFFFFFFFF on 32 bit systems. Adopt to above circumstances, when the fs_httpd_civetweb_callback_begin_request function tries to issue a malloc request to handle the data send by attacker, it first adds 1 to the content_length variable and then calls malloc. This causes a problem as the value 0xFFFFFFFF + 1 will cause an integer overflow. During the overflow, this code will read an arbitrary amount of data onto the heap – without any restraints.
Remedy: This critical issue was tracked as FSC-2019-3 and fixed in F-Secure Internet Gatekeeper versions 5.40 – 5.50 hotfix 8 (2019-07-11).
Synopsis: Staying alert especially to healthcare and pharmaceutical industry. Condemn this phishing scam email similar to harm ordinary people during this period of time.
Observation: A sample phishing email detected last Tuesday, by email filter expert firm (Mimecast), shows cyber criminal send email with malicious links and PDFs that claim to contain information on how to protect yourself from the spread of the disease (see attached diagram). Their goal is stolen the credential and personal information because it found Emotet payloads inside.
To ensure the cyber security awareness of your staff. IT Dept especially healthcare and pharmaceutical industry should be staying alert.
Preface: User Account Control (UAC) is a fundamental component of Microsoft’s overall security vision. UAC helps mitigate the impact of malware.
Synopsis: UAC Bypass Using eventvwr.exe was exploited by malware in 2017. Microsoft fixes Eventvwr.exe UAC Bypass Exploit in Windows 10 Creators Update. In Windows 10 Creators Update preview build 15007, Microsoft seems to have fixed the UAC bypass method involving eventvwr.exe. But the investigator still discovered similar of UAC bypass exploit technique was used by ransomware. In April of 2019, expert found a new type of ransomware named Sodinokibi. Their design utilize a module loaded into memory functions as a loader on phase 1. Meanwhile it will try to conduct UAC bypass if the processes privileges are insufficient.
The mechanism of UAC bypass technique not limit to use eventvwr.exe. The attacker can writes itself to the registry key (Software\Classes\mscfile\shell\open\command) and launches a new instance of explorer.exe to execute compmgmtlauncher.exe. Whereby it executes anything configured in the registry key Software\Classes\mscfile\shell\open\command\ then execute a script (see above diagram).
So, we have a basic concept that if we only following vendor announcement conduct a patch management will not be a efficient technique to protect your machine avoid ransomware attack.
Objectives and definitions for establishing light weapons: In order to avoid the detection of the anti-malware mechanism, quite a lot of notorious APT malware will be relied on design weakness of UAC. As a result, it can bypass the access control, meanwhile it can significant increase the successful rate of the phase one of cyber attack because it bring the difficulties to the defense mechanism. The fact is that only detect a simple script or code not easy to predict what the intention was. When Wannacry ransomware was born, perhaps the design goal is SMB vulnerability. But it lack of competence of the attack strategy. Whereby, when ransomware take the action to deleting the shadow copies of the system requires local administrator rights the User Account Control will prompt the user for allowing elevated privileges in order to execute the operation (see below diagram). So it alert the end user something will be happened when it click. Therefore the new generation of ransomware try to management this design weakness.
Ransomware author leverage UAC Bypass technique: A novel technique, Dridex User Account Control (UAC) bypass method characterized by its use of recdisc[.]exe, a Windows default recovery disc executable, and its loading of malicious code via impersonated SPP[.]dll. Perhaps you might say, this vulnerability has been fixed by Microsoft. But the market feedback is as follow:
Microsoft doesn’t consider UAC a security barrier, and thus they often don’t fix UAC bypasses. These bypasses are common and easy. The following figure shows another scenario of UAC bypass. Let’s open our eyes and see what happens in the evolving world of cybersecurity?
……………………………………………..END
Additional topic: I am wishing that the Coronavirus will be gone in next morning. Perhaps it was not possible but such punishment to man kind that has been enough!
Preface: You found an error in somewhere, sometimes will be expanded your idea of thinking.
Synopsis: Ws2ifsl.sys is found in the C:\Windows\System32\drivers directory. In many cases, a driver creates a symbolic link and its name can be used as a file name for CreateFileA, but this is not the case with ws2ifsl. It only calls nt!IoCreateDevicewith the DeviceName set to ‘\Device\WS2IFSL’. IoCreateDevice creates a device object and returns a pointer to the object. The caller is responsible for deleting the object when it is no longer needed by calling IoDeleteDevice.
Vulnerability details: An elevation of privilege vulnerability exists in the way that ws2ifsl.sys (Winsock) handles objects in memory, aka ‘Windows Elevation of Privilege Vulnerability’. This CVE ID is unique from CVE-2019-1253, CVE-2019-1278, CVE-2019-1303.
Patch analysis: According to Microsoft patched version (10.0.18362.356). We can see the patched features: – CreateProcessFile – Delivery closed – Signal cancelled – Signal requirements – RequestRundownRoutine – CancelRundownRoutine
Under my observation: If a device name is not supplied (that is, DeviceName is NULL), the device object created by IoCreateDevice will not (and cannot) have a discretionary access control list (DACL) associated with it. Do you think this issue will give an oppuntunity let attacker to exploit?
Preface: Stupid Solutions to Stupid Problems: Hardcoding Your SSH Key in the system.
Vulnerability background: FortiSIEM 5.2.5 / 5.2.6 could use the hardcoded password to log in to the underlying system via Secure Shell (SSH). This means that anyone with access to any FortiSIEM image (to copy the SSH private key) can authenticate successfully via SSH to the FortiSIEM. Supervisor on port 19999/tcp as tunneluser. They will be limited to the /opt/phoenix/phscripts/bin/tunnelshell script, but if this is bypassed then full shell access can be obtained.
Impact: While the user’s shell is limited to running the /opt/phoenix/phscripts/bin/tunnelshell script, SSH authentication still succeeds. Versions 5.2.5 and 5.2.6 have been verified as vulnerable.
.jpg)
