Category Archives: Virus & Malware

Unknown APT reference number ? Suspect that it targeting Advantech WebAccess/SCADA customer

 

Advantech, a leader within the IPC global market. Advantech offers a comprehensive IPC product range that delivers reliability and stability for extreme environments, providing its customers with a one-stop shopping experience implementing Industry 4.0 and fulfilling their Industrial IoT needs.

IoT and SCADA are the APT (Advanced Persistent threat) targeting devices so far. Meanwhile this type of manufacturer will be lured attacker interest. Regarding to the technical details, please refer below url for reference.

https://www.eset.com/int/greyenergy-exposed/

So, It is possible to make people predict the attack may targeting Advantech customer.

Factor:
In Advantech WebAccess/SCADA versions prior to V8.2_20170817.
WebAccess/SCADA does not properly sanitize its inputs for SQL commands.

Synopsis:
Chosen with servers that have a high uptime, where reboots and patch management are rare.
In order to mislead people, threat actor will use the vendor official server cert to conducting data exfiltration.
Since malware alive and therefore C&C server is able to conduct hacker job task (exploit the SQL vulnerability).

Should you have interest to know the specifics vulnerabilities. Please refer below hyperlink for reference.

Advantech WebAccess/SCADA – CVE-2018-5443 – CVE-2018-5445

Five publicly available tools, which have been used for malicious purposes – Oct 2018

US-Cert urge that there are total five publicly available tools, which have been used for malicious purposes in recent cyber incidents around the world (see below):

Remote Access Trojan: JBiFrost
Webshell: China Chopper
Credential Stealer: Mimikatz
Lateral Movement Framework: PowerShell Empire
C2 Obfuscation and Exfiltration: HUC Packet Transmitter

RSA found a malware in 2017 and explore remote access Trojan (RAT) feature with advanced invisible feature.

In this short discussion, I am going to focus the RAT (JBiFrost). Adzok is famous in dark web.

We seen malware exploits the Java archives.

A JAR (Java archive) is a package file format. It can be used as Java library or as standalone application. He is easy to change the shape to evade the detection.

Adzok proviced free download version. Some antivirus vendor already has defensive to avoid the infiltration.

Friendly reminder that still have some vendor do not have this malware signature.

2nd Oct 2018 – Homeland security alert (Retail payment system security advisory)

US Homeland security urge banking industry especially payment gateway services provider staying alert of new round of malicious cyber attack of their system. Similar of cyber attack was happened in Taiwan. The heist draw the cash equal to $2.6m (£2.1m). Homeland security reveal how the technique let ATM machine like human vomiting. But this is the bank note. You and me like it.

The key item of this attack is prioritize to compromise the switching application server.  Then malicious applications generate a counterfeit response message using GenerateResponseTransaction1() or GenerateResponseTransaction2() function to response to the acquire with a counterfeit response message and drops the request before the payment switch application processes the message. As a result it fool the issuer with no knowledge of the transaction. Should you have interest of above details, please refer to below URL:

https://www.us-cert.gov/ncas/alerts/TA18-275A

20th Jul 2018 – Win32/Emotet return again!

Strange! A Trojan (Win32/Emotet) found on 2014. It  looks that similar of cyber attack comes again.

Published Jul 23, 2014 (Trojan:Win32/Emotet) – https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/Emotet

This threat can steal your personal information, including your banking user names and passwords. It is usually installed when you open a spam email attachment or click on a malicious link in a PDF. But it includes Microsoft word processing document this time. Stay alert!

Defending the Power Grid From Hackers – Jul 2018

Cyber defense facilities today are very strong and effecive to fight against different of cyber attacks. Even though stealer deploy DNS steal technique to exfiltrate the data from a firm. Anti cyber technology have their way to quarantine and deny such activities. Perhaps you said the IoT devices attack that wreaked hovac worldwide. It is hard to avoid. But it still have resolution. Cyber security vendor deploy network discover facitiles. No matter Dot one X or non Dot one X devices they can find. So it looks perfect, no any concern any more. But why we still have cyber attack incident happens today?

The Next Cyber Battleground

Sound scary! The Next Cyber Battleground
Expert predict that digital infrastructure is the high target to receive cyber attack. That is even through smart City, manufacturing automation, geospatial data system,..etc.

Some experts believe cyber incidents go underreported in the nuclear sector. The reason is that the Nuclear Regulatory Commission only requires the reporting of incidents that affect the safety, security functions, or emergency preparedness of the plant. May be it do not want to caused a public panic.

We heard cyber attack to SCADA in frequent. Whether SCADA contains design weakness or there is other factor?

The SCADA Data Gateway (SDG) is a Windows™ application used by System Integrators and Utilities to collect data from OPC, IEC 60870-6 (TASE.2/ICCP), IEC 61850, IEC 60870-5, DNP3, or Modbus Server/Slave devices and then supplies this data to other control systems supporting OPC, IEC 60870-6 (TASE.2/ICCP) Client, IEC 60870-5, DNP3, and/or Modbus Client/Master communication protocols.

The core component supporting SCADA infrastructure build by Microsoft products in common. And therefore the attack surface will be divided in several ways. We understand that Nuclear facilties do not provided any public web portal. So direct attacks looks not possible. However Microsoft office products has full market coverage in the world. It is rare that people not using MS-Word for word processing work, right? As a matter of fact, hacker now transform MS office product become a cyber attack media. They re-use former MS office vulnerabilities. It has possibilities execute the Infiltration. From technical point of view, even though attacker send out the RTF format of file. It is also workable.

Remark: RTF is a text file format used by Microsoft products, such as Word and Office. RTF, or Rich Text Format, files were developed by Microsoft in 1987 for use in their products and for cross-platform document interchange. RTF is readable by most word processors.

Quote:

Hackers are using Microsoft Word documents (or more specifically, RTF files listed with a “.doc” extension) to trick people into opening the files.

On this discussion objective, I am not going to drill into any technical details. But our aim would like to provides hints see whether it can enrich the security awareness.
Below details common bad mailicious MS-word documents checklist for reference.

722154A36F32BA10E98020A8AD758A7A MD5 FILENAME:CV Controls Engineer.docx
243511A51088D57E6DF08D5EF52D5499 MD5 FILENAME:CV Control Engeneer.docx
277256F905D7CB07CDCD096CECC27E76 MD5 FILENAME:CV Jon Patrick.docx
4909DB36F71106379832C8CA57BA5BE8 MD5 FILENAME:Controls Engineer.docx
4E4E9AAC289F1C55E50227E2DE66463B MD5 FILENAME:Controls Engineer.docx
5C6A887A91B18289A70BDD29CC86EBDB MD5 FILENAME:High R-Value Energy.docx
6C3C58F168E883AF1294BBCEA33B03E6 MD5 FILENAME:CV_Jon_Patrick.docx
78E90308FF107CE38089DFF16A929431 MD5 FILENAME:CV Jon Patrick.docx
90514DEE65CAF923E829F1E0094D2585 MD5 FILENAME:CV_Jon_Patrick.docx
C1529353E33FD3C0D2802BB558414F11 MD5 FILENAME:Build Hydroelectric Turbine.docx
CDA0B7FBDBDCEF1777657182A504283D MD5 FILENAME:Resume_Key_And_Personal.docx
DDE2A6AC540643E2428976B778C43D39 MD5 FILENAME:CV_Jon_Patrick.docx
E9A906082DF6383AA8D5DE60F6EF830E MD5 FILENAME:CV_Jon_Patrick.docx
038A97B4E2F37F34B255F0643E49FC9D MD5 FILENAME:Controls Engineer (2).docx
31008DE622CA9526F5F4A1DD3F16F4EA MD5 FILENAME:Controls Engineer (4).docx
5ACC56C93C5BA1318DD2FA9C3509D60B MD5 FILENAME:Controls Engineer (7).docx
65A1A73253F04354886F375B59550B46 MD5 FILENAME:Controls Engineer (3).docx
8341E48A6B91750D99A8295C97FD55D5 MD5 FILENAME:Controls Engineer (5).docx
99AA0D0ECEEFCE4C0856532181B449B1 MD5 FILENAME:Controls Engineer (8).docx
A6D36749EEBBBC51B552E5803ED1FD58 MD5 FILENAME:Controls Engineeer.docx
3C432A21CFD05F976AF8C47A007928F7 MD5 FILENAME:Report03-23-2017.docx
34A11F3D68FD6CDEF04B6DF17BBE8F4D MD5 FILENAME:corp_rules(2016).docx
141E78D16456A072C9697454FC6D5F58 MD5 FILENAME:corp_rules(2016).docx
BFA54CCC770DCCE8FD4929B7C1176470 MD5 FILENAME:invite.docx
848775BAB0801E5BB15B33FA4FCA573C MD5 FILENAME:Controls Engineer.docx
MD5 FILENAME:corp_rules(2016).docx
MD5 FILENAME:corp_rules(2016).docx
MD5 FILENAME:invite.docx

Happy hunting – bye!

New version of black energy cyber attack target Microsoft OLE product design weakness

Ukrainian intel agency has claimed it stopped a cyber attack against a chlorine plant that was launched using the notorious VPNFilter malware. Perhaps the world focusing VPN filter malware spreading and infection. We known earlier last month that such attack targets are the low end wireless router and network access storage (NAS).

However, from my point of view is that the main stream of the cyber attack so far happening not limit to this incident. The fact is that lure the attacker interest to do the re-engineering of their attacks seems maintain on Microsoft office product. What is the key component? Yes, it is OLE objective linking and embedding. Or you may say, if I am following Microsoft patch Tue remediation schedule it will be safe. It looks correct. But normal RTF file, it was able to avoid detection by many security products. And therefore attacker conduct similar hacking technology to execute cyber attack in Ukrainian. The political situation of Ukrainian given a never ending story. Meanwhile the world never without using MS office document!

Reference:

Headlines news – Ukraine claims it blocked VPNFilter attack at chemical plant : https://www.theregister.co.uk/2018/07/13/ukraine_vpnfilter_attack/

My speculation on how Cisco (Talos) found the malware (VPNFilter malware)

My speculation on how Cisco (Talos) found the malware (VPNFilter malware).

 

The world cup 2018 – malicious game website and phishing email also involved in this competition. This like malware transformation of football shooting.

THE 2018 WORLD CUP lure hacker interest, a breeding ground for hackers. The phishing campaign linked to the start of the FIFA World Cup where cyber-criminals attempt to lure would-be victims into downloading. For instance, Games, email and related information. Such download contain malware and let the downloader become cyber attack victim.

How do you defend against this football (malware)? 1. Use and maintain antivirus software. 2. Keep software and operating systems up-to-date. 3. Be wary of downloading files from websites. 4. Think before you Click!

Headline News :

https://www.independent.co.uk/sport/football/world-cup/world-cup-live-streaming-free-streams-fifa-2018-football-matches-risk-fans-watch-a8419266.html

Dark power (malware) jeopardize the open geospatial data

Preface

The geospatial digital environment supports planning, management, modeling, simulation and visualization related to smart initiatives across the city.

Quick understanding – Basic data structure for GIS

  1. Vector
  2. Raster
  3. Tringulate irregular network

4. Tabular data (attribute table)

You use Global Positioning System (GPS) on your smartphone for directions to a particular place, or if you ask a search engine for the locations of local famous restaurants near a physical address or landmark, you are using applications relying on spatial data. Therefore spatial databases is the key component of the global positioning system.

So, can we store big data in RDBMS? The fact is that the specifics of data get pretty large fairly quickly and therefore it’s not very well suited to huge quantities of data.

Remark: A traditional database product would prefer more predictable, structured data. Big data design fundmentally backend contains extremely dynamic data operations.

One of the key capabilities of a NoSql type environment is the ability to dynamically, or at least easily, expand the number of servers being used for data storage. This is the reason why does NoSql DB become popular in big data infrastructure environment.

DBMS ranking and technical details

Top 5 NoSQL database engines closer look

The advantage for deploy NoSQL Database for Management of Geospatial Data

NoSQL database are primarily called as non-relational or distributed database. NoSQL is not faster than SQL. They are exactly the same. However the non relational database (NoSQL) provides a mechanism for storage and retrieval of data that is modeled in means other than the tabular relations used in relational databases.

Redis, an open source, in-memory, data structure server is frequently used as a distributed shared cache (in addition to being used as a message broker or database) because it enables true statelessness for an applications’ processes, while reducing duplication of data or requests to external data sources. Thereby redis being growth the usage in big data infrastructure environment (specifications are shown as below):

  • Redis is very fast and can perform about 110000 SETs per second, about 81000 GETs per second.
  • All the Redis operations are atomic, which ensures that if two clients concurrently access Redis server will get the updated value.

Hacker targeted Redis server recently

Redis general security model

Redis is designed to be accessed by trusted clients inside trusted environments. This means that usually it is not a good idea to expose the Redis instance directly to the internet or, in general, to an environment where untrusted clients can directly access the Redis TCP port or UNIX socket (see below)

Reference:

  • default port of SSH 22/TCP
  • default port of REDIS Server 6379/TCP

Redis improved access control since version 3.2. It was implemented protected mode. As of today the version 4.0.9 released. They are not in high priority focus on cyber security protection. Since Redis is designed to be accessed by trusted clients inside trusted environments. But what’s the reasons lets hackers follow it?

Observation:

The cyber criminal divided into 3 interested parties of existing technology world. The cyber criminal dark force are divided into three different group in the world nowadays.

The famous one is the Advanced Persistent Threats (APT). In normal circumstances their attack are according to the political reasons.

  • Looking for financial interest on demanding crypto currencies zone. Hacker create malware or implant malicious code for bitcoin mining.
  • Looking for benefits on crypto currencies market. Hacker create malware or implant malicious code to the compromised web site or end user web browser for fulfilling their objective. It is bitcoin mining.
  • Ransomware spreading group – Interference business operation and suspend public services. Their goal is looking for ransom.

Perhaps the design weakness on current situation of Redis servers fulfill above hacker objectives and let them doing a lot of reverse engineering works for achievement.Below picture show the famous Case of vulnerability on Redis 3.2 server. So called “crackit”.

Attacker compromises the Redis server instance and add an SSH key to /root/.ssh/authorized_keys and login to compromised Redis server with SSH connection. Since there are certain amount of Redis servers is on the way to provides geospatial data services. The classification of spatial data services are based on the geographic services taxonomy of EN ISO 19119. This taxonomy is organised in categories, the subcategories defining the value domain of the classification of spatial data services.

In general speaking, hacker might not interest of those data but they can re-engineering the compromised server become a C&C server, APT botnet and sinkhole.

How to enhance Redis server protection level

In order to avoid Redis server has been compromised by hacker. The official website has security improvement solutions suggest to user.

Network layer:

Bind Redis to a single interface by add the following command line to the redis.conf file:

bind 127.0.0.1

And therefore external anonymous client not able to reach Redis server.

Application layer:

Three Must-Have Redis Configuration Options For Production Server

rename-command FLUSHDB ""
rename-command FLUSHALL ""
rename-command CONFIG ""

The above disables three powerful and dangerous commands. You could take it a step further and disable other questionable commands, like KEYSDEBUG SEGFAULT and SAVE.

Should you have interest of the security protection recommended by Redis. Please visit below official website for reference.

https://redis.io/topics/security

— End —

Bank ATM Framework QUICK TOUR

Believe that ATM scammer or criminal activities will be signigicant dropped after ATM thief are under sentence. It looks that I am overlook the attraction of bank note since a new jackpotting malware is under development. I surprise to me that the malware originate country is in Hong Kong. We known that bank of China did the system update (perhaps including ATM machine) during easter Hoilday. The ATM infrastructure looks prefect under the custodiance of Hong Kong monetary authority. However there are system design bugs and limiations on both hardware and software so it lure the hacker interest. It bring misunderstanding of ATM technology to the IT people so far, ATM archiecture is old fashion. But the truth is that ATM system architecture has been line up with Microsoft client-server architecture for financial applications on the Microsoft Windows platform in last decade. Threat actors can appear all around the world. The highlight of this news incidentally let the world know that Hong Kong is also a technology development zone. It is not only limit to business financial area.

For more details about the headline news articles. Please refer below url for reference.

https://www.securityweek.com/new-strain-atm-jackpotting-malware-discovered

Magento-Based Websites Hacked: Steal Credit Card Data and Install Mining Malware

I keep observe Magento platform so far. On Jan 2018, OnePlus Confirms Credit Card Breach Impacted Up to 40,000 Customers. A security expert found that Oneplus exploiting Magento eCommerce platform. Heard that over 1000 Magenoto stores as hacked this week (Apr 2018). It looks strange that only for 3 months another new cyber security accident happen again. Security experts observed there are three possible ways make the incident happen.

1. Insert malicious code in Magento core files.

2. Attackers deploy cryptojacking scripts that mine Monero on the computers of store visitors.

3. Adobe Flash Player update packages, which would infect users with the AZORult infostealers.

Remark: TrendMicro investigation report display in below url for reference.

https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/magento-based-websites-hacked-to-steal-credit-card-data-and-install-cryptocurrency-mining-malware

But my observation looks have different than above. For more details, please refer to above diagram.