Preface: The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have identified a malware variant—referred to as BLINDINGCAN—used by North Korean actors.
Techincal details: Perhaps the official report already provide the details. In short, the key point is that APT group exploit the Microsoft Word vulnerability (CVE-2017-0199). As such, APT attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The report described that malware will download [.]dll file from C&C server. The aim is to replace the local workstation iconcache[.]dll. Replace the iconcache[.]dll require privileges access right. So the specifics attack is targeting the machine which do not have patch installed. If it is successful. The unpack iconcache[.]dll will be transformed a variant of Hidden Cobra RAT.
Reference: Perhaps you have doubt that why do the cyber security organization aware the cyber attack in earlier phase. Does it a conspricy? They do a sniffing of your traffic? Or doing surveillance? No. they have several ways to protect the internet world. For example, relies on DNS Sink Hole activity record in service provider side, cyber crime activities reporting by computer users. Or, through alerts issued by law enforcement agencies, alerting of special types of cyber attacks from hostile entities.
Preface: Starting with Oracle 11g release 1 (11.1), there is a just-in-time (JIT) compiler for Oracle JVM environment. A JIT compiler for Oracle JVM enables much faster execution because, it manages the invalidation, recompilation, and storage of code without an external mechanism.
Background: A way to prevent attack code execution by stack and heap. It marking stack and heap as non-executable. However some apps need executable heap (For instance JIT compiler), so it does not defend against `Return Oriented Programming’ exploits.
What is ROP exploit technique:Return–oriented programming (ROP) is a computer security exploit technique that allows an attacker to execute code in the presence of security defenses such as executable space protection and code signing.
Background: The PPP provides small businesses with forgivable loans of up to $10 million per company (8 weeks of payroll). This program was launched on April 3, 2020; it is a forgivable loan program offered primarily to help businesses deal with the adverse consequences COVID- 19.
Point of view: Cybercrooks have been leveraging malicious macros hidden inside XML files to distribute the Dridex financial malware few years ago. But it was happened on 2015. Form my point of view, the incident happen this time have similarity.
Possibility: We can based on below feature and predict that attacker may relies of this feature design weakness to conduct the attack.
Accessing E-TranE-Tran Options •loan data file transfer in XML format (from a software vendor’s product or from a bank’s proprietary system) to the SBA’s E-Tran database •A Web page where lenders can enter loan information on individual loans
Preface: What if your computer is slow? Perhaps it is a sign of malware infection. This scenario also apply to modern supercomputer. Perhaps it is powerful. So no one aware. This is only a assumption. However modern supercomputer will be infected by malware. Why? Because part of the modern supercomputer has deployed a Linux OS system.
Details: It is true. For instance, Cray has Cluster compatibility mode.It is a standard x86/Linux environment. Several affected labs said that only the login portal to the supercomputer were affected, said Swissinfo.ch. Because hacker will be more interested of scientific research result in this period of time. In this case, how the attacker tried to infect the supercomputer. Please refer to the attached drawing. As usual, the attack entry point is the login portal. But the attacker should infect the client workstation on the beginning phase. For example Cryptocurrency mining malware shell script will be saved as /bin/httpdns. A scheduled task is created to run /bin/httpdns every hour. But it need to take the right time to land the script.
About the theme: Sound can tell, according to statistic provided by Microsoft. Cyber security attack is rapidly growth especially in education area within past 30 days. Perhaps Healthcare and pharmaceuticals area cyber attack volume not as high as education area. However the details found by Microsoft has similarity with security expert observe in past. There are more and more attacker focus to Linux environment.
Security focus: Backdoor code in the popular Bootstrap. To launch the action, the backdoor must be embedded in a “bootstrap” application (a dropper) that is written in C and called xxx.c. Once compiled and started, the dropper program must infect the first Linux ELF executable that it finds in the current directory. Then, when this newly infected file is executed, your virus code is supposed to run.
The myth said that Linux will be secure than Windows. It will be not correct anymore.
Preface: It is impossible to rely on small group of expert to track malicious activities on the Internet. In fact, it needs strong financial support. This is reality, maybe this is a long-running game.
Background: US Homeland Security issue an evaluation article on hostile country malware and phishing attacks motion. Perhaps you may ask? Can it be relies on SIEM do this monitoring. My opinion is that we should say thanks to DNS Sinkhole.A website that hosts malware can either attempt to trick users into downloading a malicious program, or execute a drive-by download: a download of a malicious piece of software that is automatically triggered when the webpage loads. But it require DNS lookup service. By using the DNS sinkhole technique it is also possible to deny access to any of malicious C&C websites. Besides, the queries will be written down to DNS Sinkhole record.
Security focus of specifics malware: COPPERHEDGE, is described as a Remote Access Tool (RAT). TAINTEDSCRIBE is a trojan that acts as a full-featured beaconing implant with command modules and designed to disguise as Microsoft’s Narrator. PEBBLEDASH is yet another trojan acting like a full-featured beaconing implant and used by hacking groups “to download, upload, delete, and execute files; enable Windows CLI access; create and terminate processes; and perform target system enumeration.”
Somewhere in time. This is 2015 – BlackEnergy2 exists in the form of a kernel-mode driver, which makes it harder for network administrators to discover the compromise. Black energy Group will mimics their custom tool(driver) thus made to look like a normal Windows component. They are interested in infecting Windows servers especially OPC server. But Microsoft implemented a driver signing policy in order to avoid loading unsigned driver. This feature is enabled on 64 bits versions of Windows systems.
Synopsis: In normal circumstances, activate the function of the cyber espionage and information destruction attack features needed to be rebooted in order to start the mimics driver. Even though black energy do not have exception.This unplanned reboot of the Windows server could raise suspicion. To solve the reboot issue, the attackers started to use a tool called DSEFix (an open-source tool that exploits CVE-2008-3431, a vulnerability in the legitimate VirtualBox driver), in order to disable the driver signature check. The attackers will made a custom version of DSEFix that also modifies boot configuration data (BCD) in order to enable TESTSIGNING mode.
What is TESTSIGNING mode: By default, Windows does not load test-signed kernel-mode drivers. To change this behavior and enable test-signed drivers to load, use the boot configuration data editor, BCDEdit.exe, to enable or disable TESTSIGNING, a boot configuration option. You must have Administrator rights to enable this option.
Those cyber criminal will focusing the OPC server.Because the OPC client uses the OPC server to get data from or send commands to the hardware.
Will it happen today? The elaborate email subject and content presents challenges for traditional security tools, because it is designed specifically to evade detection.
a. Attackers disguise their scam email as an official (WHO) alert issued by the Centers for Disease Control Health Alert Network. (Targeting individuals from the United States and the United Kingdom)
b. Attackers disguise their scam email as an alert of Coronavirus status, they are target to shipping industry.
Description: About the attack to shipping industry – Hacker exploit the vulnerability of CVE 2017-11882, perhaps they found that the patch management on the boat not enforce in frequent. And therefore the attack explicitly target shipping industry. About the attack to individuals from the United States and the United Kingdom – WHO urge that if anyone see similar type of scam email. Report to WHO – https://www.who.int/about/report_scam/en/
The slogan – Do not rush to open a URL or open a email. Take care.
Preface: Not the first time heard that cyber criminals mimics email from bank to hunting the victims.
Historical record: HSBC’s “Payment Notification” malware email was discovered in 2018. These emails are designed to confuse people’s vigilance and use the HSBC brand name to reduce the defensive awareness of email recipients. An “auto-generated” email suggests that you open an attachment to view the payment proposal document. If you open the attached Microsoft word file, you will be prompted to enable macros. If you do allow, a malicious macro will run in the background, The macro will download and install malware on your computer. I believed that cyber criminals hunting the mobile phone users this round.
Preface: Unlike C, C++ is an object-oriented programming language, following a programming model that uses objects that contain data as well as functions to manipulate the data. Word is an object-oriented program.
Security focus: The malware author usually exploit some kind of arbitrary code execution or zero day. And therefore it have chances to evade the anti-defense mechanism detection. The reason behind is that before reassemble of the modules, it do not take any action. But perhaps you have doubt? How do they get another module? In modern defense technology, the machanism of the malware detector will be based on blacklist domain for the first piority. If attacker compromise a web site not included in domain blacklist. So, when download other module by http or https traffic might not detected by defense machanism. As a matter of fact, the http get and put action are frequently happens in our internet web browsing. Therefore you will understand that why does cyber criminals target to compromising a boutique shop style web site and social media. It was because the web sites still in white list before compromise.