Category Archives: Virus & Malware

About CVE-2023-29345 and CVE-2023-33143, Microsoft released Security Updated of the Chromium project (6th June 2023)

Preface: Windows has traditionally run on machines that are powered by x86 / x64 processors. Windows 11 adds the capability to run unmodified x64 Windows apps on Arm devices! This capability to run x86 & x64 apps on Arm devices gives end-users confidence that the majority of their existing apps & tools will run well even on new Arm-powered devices. For the best of result, it can exploit Arm-native Windows apps theoretically, as a result, developers cope with trend , thus built or port Arm-native Windows apps.


Background: Codenamed “Anaheim”, on December 6, 2018, Microsoft announced its intent to base Edge on the Chromium source code, using the same browser engine as Google Chrome but with enhancements developed by Microsoft. The new Microsoft Edge (Chromium) is built on the same underlying technology as Google Chrome. During the Ignite 2021 conference, Microsoft revealed plans to align the codebase of the Edge browser on all supported platforms.


Vulnerability details:
CVE-2023-29345 Microsoft Edge Remote Code Execution – A vulnerability was found in Microsoft Edge (Web Browser) (version unknown).
CVE-2023-33143 – Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability
For details, please refer to the link – https://learn.microsoft.com/en-us/deployedge/microsoft-edge-relnotes-security

What is the value of the Trusted Execution Environment (TEE) ? (20th JAN 2023)

Preface: Some said, found malware lets cybercriminal remotely manipulate your Android.

Background: The full name of TEE is trusted execution environment, which is an area on the CPU of mobile devices (smart phones, tablets, smart TVs). The role of this area is to provide a more secure space for data and code execution, and to ensure their confidentiality and integrity.

Other TEE operating systems are traditionally supplied as binary blobs by third-party vendors or developed internally. Developing internal TEE systems or licensing a TEE from a third-party can be costly to System-on-Chip (SoC) vendors and OEMs.

Trusty is a secure Operating System (OS) that provides a Trusted Execution Environment (TEE) for Android. A Trusty application is defined as a collection of binary files (executables and resource files), a binary manifest, and a cryptographic signature. At runtime, Trusty applications run as isolated processes in unprivileged mode under the Trusty kernel.

Technical details: According to headline news, a new Android malware named ‘Hook’ is being sold by cybercriminals, boasting it can remotely take over mobile devices in real-time using VNC (virtual network computing). said bleepingcomputer news.

For details, please refer to URL – https://www.bleepingcomputer.com/news/security/new-hook-android-malware-lets-hackers-remotely-control-your-phone/

Speculation: If this reported malware achieves their goals, do you think they will relies on vulnerability such as CVE-2023-21420?

Solution: To avoid Android malware, you should only install apps from the Google Play Store.

Here’s wishing you a Happy Chinese New Year 2023.

The evasion technique of Ring 3 continues to improve. Since this is the entry point. Therefore Layer 7 with deep packet inspection is the bases for defensive technique. (6th Dec 2021)

Preface: In fact, despite the excel icon, the XLL file is a Dynamic Linked Library, a binary executable file.

Background: The number of data breaches as of September 30, 2021 has exceeded 17% of the total number of incidents in 2020 (1,291 breaches in 2021, and 1,108 breaches in 2020).

The fundamental objective of MS office products goal to increase the office automation efficiency. Before MS product born, type writer, carbon copy and copy machine coverage is fully utilized. When virus appear in early 90s. The evolution of cyber attack from disruption extend to suspend the office operation. Fundamentally, the role of automation software are operations. Perhaps there is no prefect things in our world. From certain view point, cyber criminals exploit the product design weakness is misused. On the other hand design weakness can be group to mis-config. When cyber criminals abuse above two matters. The software is a weapon. Heard some of the domain expert separate I.T and O.T. But MS office also become one of the operation components in their backend operation. What if MS office suddenly become a cyber attack tools. What they can be do?

If the different in between I.T and O.T are safety and longer product life cycle. Apart from safety, the soft ware product life cycle is shorter comparing ten years ago. However hardware is driven by software driver under industrial automation. So it is clear to understand that if O.T product life cycle longer than traditional I.T. Therefore the product end of life and end of support require to focus in this area. Otherwise, when similar of incident occurs, the benefits will give to cyber attacker.

Security Focus: Mshta.exe is a signed Microsoft application that runs Microsoft HTML Applications (HTA) files. These are HTML files that execute JavaScript or VBScript outside of the browser, with the full permission of the executing user.

Furthermore HTA files will run automatically if a user double clicks on them, because of this HTA files are excellent for Phishing, Malvertising, or Waterhole attacks where the user will click on the file and infect themselves. As a matter of fact, lack of security awareness is the potential weakness. If you are interested of HTA attack scenario. Please refer to attached diagram.

But who wants to know a simple way to set up compensation control in your office or industrial area?
If the system infrastructure had integrate to internet, clean DNS service, SIEM and defense including managed security service, local defense (antivirus) will be the defense baseline.
Be my guest, see whether you have time to think it over of this topic.

Stay alert: Recently, an unknown trojan attack in the Linux environment, a malicious ELF file with UPX compression (11th Oct, 2021)

Preface: Antivirus software isn’t entirely useless on Linux. If you are running a Linux-based file server or mail server, you will probably need antivirus help.

Background: ELF file extension, an acronym for Executable and Linkable Format, is a common standard file extension used for executable, object code, core dumps and shared libraries. It was being chosen as the standard binary file format for Unix and Unix-based systems.

Observation and synopsis: Cyber criminal will send a email to you lure that to download a ELF binary file because of the following reason. An ELF file is an executable file meant to be used with a Nintendo Wii or Nintendo Wii emulator. It contains a video game or other Wii application. ELF files may contain official Wii applications or homebrew applications. For above reasons, you will click to downloading ELF binary files.

Perhaps, you have not installed antivirus software on the Linux platform. But you can use a simple Linux command to check whether the ELF binary file is embedded with UPX compression. Maybe this is a malicious file.

Hints: Suspicious ELF binary with UPX compression
In the source code to UPX, there’s a function int PackW32Pe::canUnpack() which is first ran as a test right when you do a upx -d (unpack executable). Magic or strings can detect whether UPX compressed file is embedded in elf binary file. It shows which offsets are to be tested to detect if a file was packed with UPX.

Reference: For more information, see Virustotal – https://www.virustotal.com/gui/file/efbd281cebd62c70e6f5f1910051584da244e56e2a3228673e216f83bdddf0aa/detection

About GriftHorse Malware (30th Sep 2021)

Preface: Large portion of smartphone will not installed antivirus software. Even though it is installed. The antivirus vendor similar doing racing campaign with cyber criminals. Nowadays, vendor established malware sinkhole to find zero day vulnerability and existing cyber attack. If cyber criminals relies on software design limitation hiding itself on phone. Perhaps sinkhole not easy to figure it is a malicious acclivities. Therefore certain amount of personal data will be go to unknown area.

Ref: Sinkholes are most often used to seize control of botnets by interrupting the DNS names of the botnet that is used by the malware.

Background: Headline News (Bleepingcomputer) report today that there is a malware nickname GriftHorse. It did the infiltration to Android and causes hundred of million smartphones become a victims. According to the article by Bleepingcomputer expert. A mobile security solution firm (Zimperium) observe malware (GriftHorse) exploiting the software flexibility of Apache Cordova. And hunting over 10 million victims globally.

Details: The Trojans are developed using the mobile application development framework named Apache Cordova, Zimperium said. They uncovered more than 130 GriftHorse apps being distributed through both Google Play and third-party application stores, across all categories. Some of them have basic functionality, and some of them do nothing. Before you read the details of the article. Perhaps you can quickly read the attached picture to understand that there are many ways to exploits Apache Cordova feature to sniff the data on the endpoint.

Ref: Cordova wraps your HTML/JavaScript app into a native container which can access the device functions of several platforms. Apache Cordova is an open source framework that enables web developers to use their HTML, CSS, and JavaScript content to create a native application for a variety of mobile platforms.

Reference article, please refer to the link:

Bleepingcomputer – https://www.bleepingcomputer.com/news/security/new-android-malware-steals-millions-after-infecting-10m-phones/

Zimperium – https://blog.zimperium.com/grifthorse-android-trojan-steals-millions-from-over-10-million-victims-globally/

Stealth attack of UEFI bootkit (29th Sep 2021)

Preface: Digital spyware and monitoring tech that allows the user to covertly monitor a target’s communications, or collect personal data emitted from their devices.

Background: FinFisher, also known as FinSpy, is surveillance software marketed by Lench IT Solutions plc, which markets the spyware through law enforcement channels. On August 6, 2014, FinFisher source code, pricing, support history, and other related data were retrieved from the Gamma International internal network and made available on the Internet.

Synopsis: Found a UEFI bootkit that was loading FinSpy. All machines infected with the UEFI bootkit.

Impact:
– Bypasses kernel protections (NX and Patch guard)
– Bypasses local authentication
– Elevated process privileges

Technical details: Found a UEFI bootkit that was loading FinSpy. All machines infected with the UEFI bootkit had the Windows Boot Manager (bootmgfw.efi) replaced with a malicious one. Kaspersky said.

Ref: FinSpy is a full-fledged surveillance software suite, capable of intercepting communications, accessing private data, and recording audio.

For more detailed information on the findings of this survey, please visit the Kaspersky website for details – https://securelist.com/finspy-unseen-findings/104322/#iocs

Another flaw prompted an urgent U.S. government warning and providing Guidance (Azure Cosmos DB) – 29th Aug 2021

Preface: Data scientists are big data wranglers, gathering and analyzing large sets of structured and unstructured data. Jupyter Notebooks allow data scientists to create and share their documents, from codes to full blown reports (Help them streamline their work).

Background: Azure Cosmos DB built-in Jupyter Notebooks are directly integrated into the Azure portal and Azure Cosmos DB accounts, let data scientists easy to use. The Jupyter Notebook is an open-source web application that allows you to create and share documents that contain live code, equations, visualizations and narrative text. Uses include: data cleaning and transformation, numerical simulation, statistical modeling, data visualization, machine learning, and much more.

Speculation related to this matter: A trojan malware campaign found November last year (2020) is targeting businesses and higher education in what appears to be an effort to steal usernames, passwords and other private information as well as creating a persistent backdoor onto compromised systems.

Vulnerability details: A misconfiguration vulnerability in Microsoft’s Azure Cosmos DB that may have exposed customer data. In the first step, the attacker will gained access to the client’s Cosmos DB primary key. For example, exploit the vulnerability on Jupyter Notebook (virtual machine) to get the key.

Ref: Primary keys are long-lived and allow full READ/WRITE/DELETE access to customer data.

Workaround: Navigate to your Azure Cosmos DB account on the Azure portal and Regenerate Secondary Key. Please refer to url for details – https://docs.microsoft.com/en-us/azure/cosmos-db/secure-access-to-data?tabs=using-primary-key#primary-keys

CISA announcement – https://us-cert.cisa.gov/ncas/current-activity/2021/08/27/microsoft-azure-cosmos-db-guidance

Are there other ways to avoid ransomware infection? (6th Jul, 2021)

Preface: A ransomware attack paralyzed the networks of at least 200 U.S. companies, said headline News. President Biden announces investigation into international ransomware attack on 3rd Jul, 2021.

Background analysis: Cyber criminals are turning to fileless attacks to bypass firewalls. These attacks embed malicious code in scripts or load it into memory without writing to disk.

  • Malware tricks you into installing software, allowing scammers to access your files and track your actions.
  • Ransomware is a form of malware goal to locks the user out of their files or their device.

However, whether it is malware or ransomware, they all rely on working with C&C servers. Cybercriminals use C&C servers to host ransomware. If the computer cannot access the infected server and/or malicious website. Therefore, ransomware infections will be reduced.

How DNS Sinkholing reduce the infection hit rate? In fact, the firewall cannot see the originator of the DNS query. When the client tries to connect to a malicious domain, the existing solution is likely to wait for the download and let the anti-virus and malware protection mechanisms isolate the malicious file.

Sinkholing can be done at different levels. Both ISPs and Domain Registrars are known to use sinkholes to help protect their clients by diverting requests to malicious or unwanted domain names onto controlled IP addresses.

Question: If the solution is mature and well-defined. But why the service provider does not implement it. Is it a cost factor?

Closer to reality: one of the ways of ransomware infection (15th June, 2021)

Preface: Ransomware infection not merely boots by vulnerability of the windows OS and or products components. Web site programming technique is the accomplice. Perhaps we can say, how successful of ransomware attacks will depends on the total number of compromised web server. What I call the trigger point.

Background: Ransomware is often spread through phishing emails that contain malicious attachments or through drive-by downloading. Drive-by downloading occurs when a user unknowingly visits an infected website and then malware is downloaded and installed without the user’s knowledge.

Ransomware is a type of malware attack. The encryption process will performs a key exchange with the Command and Control Server, using the encryption key to scramble all files discovered during the Execution step. It also locks access to the data. For cyber criminals view point, it is not possible to rent a web hosting service. Therefore, the possible way is find the online web portal which contained vulnerability. If they can compromised the online web. They can setup the phishing attack and evade traditional domain black list filter. So they can do their job silently.

Traditional corrective control not address the problem in effective way: A corrective control is an aftermath of detective and preventive. You can only restore from a backup after an incident. According to historical of attack, ransomware will be exploit operation system and or component vulnerability to conducting the infection. So traditional full backup may not use here because victim will be concerning what is exact time they receiving the attack. As a matter of fact, the correct way to proceed the restore procedure is wait for the digital forensic investigation result. Till today such attack still bother the whole world.

Maybe when something happens, the term phishing is on your side. See if you can learn more with the attached diagram.

Cyber attack shuts down U.S. fuel pipeline ‘jugular,’ said Headline News – 9th May 2021

Preface: The hacker group claimed that its ransomware attacks were only used for “right targets.” The organization claimed that they only targeted ransomware attacks and large profitable companies to “make the world a better place.”

Background: Cyber attacks in the oil and gas industry can threaten an organisation’s information technology (IT), its operational technology (OT) and any internet of things (IoT) systems in place.
Last year, the security department expressed such concerns.

Security Focus: The hacking team is very active on hack forums and keeps its customers updated with news related to the ransomware. Speculated that attacker gaining an initial foothold in the network not limited to email phishing. Perhaps they exploit SSL VPN design weakness or Microsoft Zero day. In the Oil and Gas Industry . It is common of the implementation of OPC UA technology. It is hard to avoid to using Microsoft product. Even though their OPC UA is running on a linux base machine.But Darkside 2.0 has fastest encryption speed on the market, and it capable for Windows and Linux versions. So this related thing started the story.

Headline News – https://www.reuters.com/technology/colonial-pipeline-halts-all-pipeline-operations-after-cybersecurity-attack-2021-05-08/