Category Archives: Under our observation

Under our observation

NCSC prediction – DNS monitoring will get harder (Sep 2019)

Preface: DNS monitoring can let you predict the user behaviour. According to Cisco’s research, over 90% of attacks are done over DNS and only two-thirds of organizations monitor their DNS records.

Technical details:
Go to options->Advanced->Network->Settings->Automatic proxy configuration url and enter 8.8.8.8 All you Mozilla traffic uses Google dns now. Google Public DNS fully supports DNSSEC for Domain Name Security Extensions which works against cache poisoning attacks. Meanwhile if mobile device leave company network, DDNS given by wireless hotspot might have way to leave your monitoring. Due to above feature, the Dutch National Cyber Security Centre (NCSC) has released a fact sheet on the increasing difficulty of Domain Name System (DNS) monitoring. For more details, please refer to URL: https://english.ncsc.nl/publications/factsheets/2019/oktober/2/factsheet-dns-monitoring-will-get-harder

Potential Risk of CVE, Under our observation

Previous NFS 4.1 vulnerability (CVE-2018-16884) show linux kernel design weakness.

Preface: A vulnerability in the NFS41+ subsystem of the Linux Kernel could allow an authenticated, adjacent attacker execute arbitrary code on a targeted system. The vulnerability exists because the bc_svc_process() function of the affected software uses the wrong back-channel ID. use-after-free in svc_process_common

The defect not only affected software uses the wrong back-channel ID. Furthermore it causes access freed memory because of use-after-free vulnerability in svc_process_common(). Perhaps Use-After-Free Vulnerabilities in Linux Kernel are common. Most likely causes by the following factors.

  • use an object without checking whether the pointer is valid
  • free an object without cleaning the pointer

Doubt: If all the objects in a cache are freed, the whole space of the cache is going to be recycled by the kernel.
Was the space definitely to be re-used for a cache storing the objects of the original type? No.
So it is benefit for attacker.

For NFS 4.1 matter, it was highly recommended to following Best Practices guideline. For instance, If you use NFS version 3 and NFS version 4.1, do not mix them on the same volumes/data shares. Separate the backend storage NFS network from any client traffic.

For remedy of the “use after free” vulnerability of NFS41 – Please refer to url: https://patchwork.kernel.org/patch/10733769/

Under our observation

it might be new path way in cyber attack. yes, it is uefi.

Leave a comment

Preface: UEFI has slowly come to replace BIOS. Whereby Intel schedule to completely replace BIOS with UEFI on all chipsets by 2020.

Quote: Firmware is software, and is therefore vulnerable to the same threats that typically target software.

Technical details: From technical point of view, EFI Runtime services are usually located below 4GB. As a result it has a way into Linux on high memory EFI booting systems.

What is the different when malware alive into these areas?

  • Malware injected into the address space is transient, and will be cleaned up on the next boot.
  • Malware injected into the firmware flash regions is persistent, and will run on every subsequent boot

Using the follow command can display x509 v3 digital certificate and confirm thatgrubx64.efi can read (/boot/efi/EFI/fedora/)grub.cfg. Oh! It is easy to access this file when you have root privileges. But do not contempt this issue.

  • sudo tree /boot/efi
  • sudo hexdump -C /boot/efi/EFI/fedora/shim.efi | egrep -i -C 2 ‘grub|g.r.u.b’
  • sudo strings /boot/efi/EFI/fedora/grubx64.efi | grep grub.cfg

Sound interesting. Should you have interested, please refer below guide book :NIST Special Publication 800-147 BIOS Protection Guidelines https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-147.pdf

Under our observation

China raised the security level for its vessels heading through the Strait of Malacca. Perhaps cyber security vulnerabilities causes shipping traffic jam in that place! Jul 2019

Leave a comment

Preface: The string of attacks last month on tankers near Hormuz. It alerting to related industry and countries about bottleneck on supply chain.

Quote: The head of Indonesian Maritime Security Agency, said it’s looking into the issue. And it doesn’t see why China raised the alert status?

From technical point of view: As a matter of fact, it is not difficult to make trouble to world by cyber attack nowadays. For example, Ransomware or exploit the vulnerability on the computer system. As far as we know, on the tankers side, it install GPS and management system. Those systems are the Windows or Linux OS base of machines. If you are belongs to marine industry especially shipping company, see whether you are require to re-cofirm the patch level of your maritime bandwidth management system. Do not let those vulnerabilities causes shipping traffic jam. For more details, please see below url for reference.

https://navarino.gr/archives/6989

Perhaps not merely the specified vulnerability. Should you interested if the Headline news. Please refer below:

https://www.bloomberg.com/news/articles/2019-07-03/china-raises-warning-for-shipping-in-malacca-strait-people-say

Status update on 8th July 2019: U.S. Coast Guard recommendation: the maritime community can help strengthen their defenses by implementing the following basic cybersecurity measures:

  • Implement network segmentation.
  • Create network profiles for each employee, require unique login credentials, and limit privileges to only those necessary.
  • Be wary of external media.
  • Install anti-virus software.
  • Keep software updated.
Potential Risk of CVE, Under our observation

Microsoft Windows RDP Network Level Authentication can bypass the Windows lock screen – Jun 2019

Vulnerability Note VU#576688
Original Release Date: 2019-06-04 | Last Revised: 2019-06-04

Preface: The more the power you have, the greater the risk is being infected.

Synopsis: Microsoft Windows RDP Network Level Authentication can allow an attacker to bypass the lock screen on remote sessions.

My observation: Observing that Microsoft re-engineering the RDP with create a channel with MS_T120 and Index 31.
But vulnerability occurs when someone send data to the system’s MS_T120 channel and reference the closed channel again.

Interim remediation step:

  • RDP is disabled if not needed.
  • SIEM firing rule – client requests with “MST-T120′ on any channel other than 31

Reference: https://kb.cert.org/vuls/id/576688/

Potential Risk of CVE, Under our observation

May 2019 – Printerlogic shown weak vulnerability management

Preface: Patch management is the best practice of upgrading existing software applications to remove any weak security patches that could be exploited by hackers.

Background: PrinterLogic’s printer and driver management platform reduces infrastructure costs by eliminating print servers and providing centralized management of every printer on the network. Sold in both on-premise and cloud configurations, PrinterLogic also offers secure pull printing, mobile printing, and improved performance in virtual desktop (VDI) environments.

Vulnerability details: For more information on the vulnerability, please visit the following URL – https://www.kb.cert.org/vuls/id/169249/

Comment on CVE-2018-5409: If compromised server connect to a DNS server and perform DNS and DNSSEC protocol-level fuzzing. It may crash the target server.

Potential Risk of CVE, Under our observation

CVE-2019-1002101: Vulnerabilities found in Kubernetes’ kubectl cp command (3rd May 2019)

Preface: Some supercomputers in the world, they are also using Kubernetes.

Technical background: kubectl controls the Kubernetes cluster manager.Make use of “kubectl cp” command is able to copy files and directories to and from containers.

Vulnerability details: An attacker can fool a user to use the kubectl cp command to copy and store a malicious tar file in a container. Successful exploitation may allow an attacker to overwrite or delete any file in the user’s security context.

Remedy: Kubernetes has released a software update via the following link: https://github.com/kubernetes/kubernetes/releases

Comment: This vulnerability looks has difficulties to compromise the system. However the level of risk depends on the feature of the docker services. So do not contempt the issue because it is hard to predict the level of risk.

2019, cyber security incident news highlight, Under our observation

2nd May 2019 – Don’t let you SAP facility become a cyber attack target

Preface: Heard that estimated total of 1,000,000 SAP production systems could currently be at risk of being hacked.

Technical details:
When you configure sap router (saprouter) to allow remote (from the Internet) connections via the SAP GUI. The original design will add entries to the route tables for TCP port 3300, 3301, and 3303 the external application they are using (a gateway connection on these ports).

Default TCP gateway port exploit by hacker:
Since a default pathway built, so the hacker might have a channel to compromise the system. For example, send the malicious code try to conduct remote code execution. As a matter of fact, a proof of concept shown that SAP backend response with malicious code.

Remedy: If you outsource your cyber security watch guard responsibility to managed security services provider. They will create the yara rules to deny such malicious activities.
If not, you are require to create yara rules by yourself on IDS system. For more details, please refer to diagram.

Under our observation

Do you have any concerns on multiple vulnerabilities in WPA3 Protocol? (Arp 2019)

Preface: WPA3 protocol aim to enhance Wi-Fi security protection. Yes, it does. But something wrong with him this time.

Technology Synopsis: The very damaging DoS attack consists of clogging one peer with bogus requests with forged source IP addresses. Due to computationally intensive nature of modular exponentiation, the DH key exchange is highly vulnerable to clogging (DoS) attack.The SAE handshake of WPA3 also uses a cookie exchange procedure to mitigate clogging attacks.

Vulnerability highlights:

  1. The SAE handshake of WPA3 uses a cookie exchange procedure to mitigate clogging attacks.
    But the design of the cookie exchange mechanism has technical limitation. Since everyone will receive the (supposedly secret) cookies.
  2. An attacker with a rogue access point can force the client connecting to it to use WPA2’s 4-way handshake and, consequently, to get enough information to launch an offline dictionary attack.

Should you have interest, please refer to the following url: https://www.kb.cert.org/vuls/id/871675/

Potential Risk of CVE, Public safety, Under our observation

Unknown vulnerability Found Affecting Intel CPUs – 5th Mar 2019

Preface: So called Spoilter, a vulnerability given by Intel CPU design limitation. If hacker successful exploit such vulnerability. They can conduct “Rowhammer” attack for privileges escalation.

Vulnerability detail: The speculative execution function of Intel’s processors aim to increase the performance of a CPU. Meanwhile it caused Intel CPU vulnerability issues in the past. A new found technique is able to determine how virtual and physical memory is related to each other. By discovering time differences, an attacker can determine the memory layout and then know which area to attack. For more details, please refer attached diagram for reference.

Remedy: There is no mitigation plan that can completely erase this problem.

Headline news: https://www.theregister.co.uk/2019/03/05/spoiler_intel_processor_flaw/

Conclusion: Perhaps “rowhammer” is hard to detect.. Be remind that a predictive defense solution will be reduce the risk. For example you have 360 degree cyber protection includes spam and DNS filter, SIEM, malware protection and managed security services. The impact cause by this vulnerabilities will be under control.