it might be new path way in cyber attack. yes, it is uefi.

Preface: UEFI has slowly come to replace BIOS. Whereby Intel schedule to completely replace BIOS with UEFI on all chipsets by 2020.

Quote: Firmware is software, and is therefore vulnerable to the same threats that typically target software.

Technical details: From technical point of view, EFI Runtime services are usually located below 4GB. As a result it has a way into Linux on high memory EFI booting systems.

What is the different when malware alive into these areas?

  • Malware injected into the address space is transient, and will be cleaned up on the next boot.
  • Malware injected into the firmware flash regions is persistent, and will run on every subsequent boot

Using the follow command can display x509 v3 digital certificate and confirm thatgrubx64.efi can read (/boot/efi/EFI/fedora/)grub.cfg. Oh! It is easy to access this file when you have root privileges. But do not contempt this issue.

  • sudo tree /boot/efi
  • sudo hexdump -C /boot/efi/EFI/fedora/shim.efi | egrep -i -C 2 ‘grub|g.r.u.b’
  • sudo strings /boot/efi/EFI/fedora/grubx64.efi | grep grub.cfg

Sound interesting. Should you have interested, please refer below guide book :NIST Special Publication 800-147 BIOS Protection Guidelines https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-147.pdf

Multiple high vulnerabilities in Advantech WebAccess/SCADA -CVE-2019-10989,CVE-2019-10991 & CVE-2019-10993

Preface: Cyber Security expert not suggest access SCADA Dashboard from external area (internet). But we can use VPN establish connection then sign on as a workaround.

Background: Advantech WebAccess/SCADA is a browser-based SCADA software package for supervisory control, data acquisition and visualization.

Vulnerability details: In WebAccess/SCADA Versions 8.3.5 and prior, multiple heap-based buffer overflow vulnerabilities are caused by a lack of proper validation of the length of user-supplied data.

CVE-2019-10989 – The specific flaw exists within the implementation of the 0x113d1 IOCTL in the webvrpcs process.

CVE-2019-10991 – The specific flaw exists within bwclient.exe, which is accessed through the 0x2711 IOCTL in the webvrpcs process.

CVE-2019-10993 – The specific flaw exists within the implementation of the 0x27E9 IOCTL in the webvrpcs process.

Summary: Stack based & heap based buffer overflow and untrusted pointer dereference Remote Code Execution are all found in this product. Ioctl is a function in the device driver that manages the device’s I/O channels. The so-called I/O channel management is to control some characteristics of the device.

Reference: A stack-based buffer overflow vulnerability exists in a call to strcpy. Strcpy is one of the functions of the C language. It comes from the C standard library, defined in string.h, which can copy a memory block with a null end character into another memory block.
So attacker can leverage this vulnerability to execute code under the context of Administrator.

Advantech has issued an update to correct this vulnerability – https://www.us-cert.gov/ics/advisories/icsa-19-178-05

China raised the security level for its vessels heading through the Strait of Malacca. Perhaps cyber security vulnerabilities causes shipping traffic jam in that place! Jul 2019

Preface: The string of attacks last month on tankers near Hormuz. It alerting to related industry and countries about bottleneck on supply chain.

Quote: The head of Indonesian Maritime Security Agency, said it’s looking into the issue. And it doesn’t see why China raised the alert status?

From technical point of view: As a matter of fact, it is not difficult to make trouble to world by cyber attack nowadays. For example, Ransomware or exploit the vulnerability on the computer system. As far as we know, on the tankers side, it install GPS and management system. Those systems are the Windows or Linux OS base of machines. If you are belongs to marine industry especially shipping company, see whether you are require to re-cofirm the patch level of your maritime bandwidth management system. Do not let those vulnerabilities causes shipping traffic jam. For more details, please see below url for reference.

Perhaps not merely the specified vulnerability. Should you interested if the Headline news. Please refer below:

https://www.bloomberg.com/news/articles/2019-07-03/china-raises-warning-for-shipping-in-malacca-strait-people-say

Status update on 8th July 2019: U.S. Coast Guard recommendation: the maritime community can help strengthen their defenses by implementing the following basic cybersecurity measures:

  • Implement network segmentation.
  • Create network profiles for each employee, require unique login credentials, and limit privileges to only those necessary.
  • Be wary of external media.
  • Install anti-virus software.
  • Keep software updated.

CVE-2019-10141 Red Hat OpenStack openstack-ironic-inspector Introspection SQL Injection Vulnerability – JUl 2019

Preface:The cloud can be managed with a web-based dashboard or command-line clients, which allow administrators to control.At the same time it lures the arrival of cyber attackers.

Product background: Red Hat OpenStack Platform provides the foundation to build a private or public Infrastructure-as-a-Service (IaaS) cloud on top of Red Hat Enterprise Linux.

Vulnerability details:

A SQL-injection vulnerability was found in openstack-ironic-inspector’s node_cache.find_node(). This function makes a SQL query using unfiltered data from a server reporting inspection results
An attacker could exploit this vulnerability by submitting malicious introspection data to the targeted system. A successful exploit could allow the attacker to conduct SQL injection attacks on the targeted system.

Remediation: Red Hat packages can be updated on Red Hat Enterprise Linux versions 5 and later using the yum tool.

802.1AB is the burden of Cisco Nexus 9000 series Fabric switches. it let cisco increase one more vulnerability (CVE-2019-1890) – 3rd Jul 2019

Preface: Switched Fabric or switching fabric is a network topology in which network nodes interconnect via one or more network switches.

What is Cisco ACI? – Cisco ACI is a tightly coupled policy-driven solution that integrates software and hardware. The hardware for Cisco ACI is based on the Cisco Nexus 9000 family of switches. The software and integration points for ACI include a few components, including Additional Data Center Pod, Data Center Policy Engine, and Non-Directly Attached Virtual and Physical Leaf Switches.

Vulnerability background & details: 802.1AB(LLDP) build in May 2005. LLDP was developed as an open and extendable standard. It was modeled on and borrowed concepts from the numerous vendor proprietary discovery protocols such as Cisco Discovery Protocol (CDP), Extreme Discovery Protocol (EDP) and others. At that time cyber security not as serious today. So the design weakness extend till today and causes an unauthenticated, adjacent attacker to bypass security validations and connect an unauthorized server to the infrastructure VLAN.

We seen the impact posted by Cisco. They state that if strict mode is configured, this vulnerability cannot be exploited. Strict mode enforces further firmware security checks before allowing a connection.

Remark: Only Cisco Discovery Protocol provides an additional capability not found in LLDP-MED that allows the switch to extend trust to the phone. That is the phone will be trusted to mark the packets received on the PC port accordingly.

Official announcementhttps://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190703-n9kaci-bypass

2nd Jul 2019 – VMware product updates address Linux kernel vulnerabilities in TCP Selective Acknowledgement (SACK) (CVE-2019-11477, CVE-2019-11478)

Preface: ESXi is not built upon the Linux kernel, but uses an own VMware proprietary kernel (the VMkernel) and software, and it misses most of the applications and components that are commonly found in all Linux distributions.

In common Linux circumstances to avoid SACK vulnerabilities. The workaround are:

CVE-2019-11477
Workground – Disable sack:
sudo sysctl -w net.ipv4.tcp_sack=0

CVE-2019-11478
Workground – Disable sack:
sudo sysctl -w net.ipv4.tcp_sack=0

CVE-2019-11479
Filter command:
Sudo iptables -A INPUT -p tcp -m tcpmss –mss 1:500 -j DROP

Turn off tcp_mtu_probing:
Sysctl net.ipv4.tcp_mtu_probing

Perhaps this is VMWARE. So you must follow below solution by vendor.

https://www.vmware.com/security/advisories/VMSA-2019-0010.html

cve-2019-7225 hmi hardcoded credentials vulnerability (jul 2019)

Preface: As time goes by, As time goes by, the common software design mistake found on business computer world now extend to industrial area. The impact includes SCADA , PLC and graphical user interfaces software.

Design defect: On systems, a default administration account exists which is set to a simple default password which is hard-coded into the program or device.From cyber security point of view, it is not the best practices. Meanwhile it boots up the overall risk level.

Vulnerability details: Design limitation encountered on ABB HMI components: A hidden administrative accounts embedded. This credential will be used during the provisioning phase of the HMI interface. Apart from that the credentials allow the provisioning tool “Panel Builder 600” to flash a new interface and Tags (MODBUS coils) mapping to the HMI.

Impact: An attacker can use these credentials to login to ABB HMI to control the operations. Those credentials are used over both HTTP(S) and FTP. Furthermore it let the attacker receive the read/write authority. As a result, it provide a pathway to implant malware into the system.

Official announcement ABB PB610 – https://search.abb.com/library/Download.aspx?DocumentID=3ADR010377&LanguageCode=en&DocumentPartId=&Action=Launch

Official announcement ABB CP635 HMI – https://search.abb.com/library/Download.aspx?DocumentID=3ADR010376&LanguageCode=en&DocumentPartId=&Action=Launch

Official announcement ABB CP651 HMI – https://search.abb.com/library/Download.aspx?DocumentID=3ADR010402&LanguageCode=en&DocumentPartId=&Action=Launch

Orvibo smart home devices leak billions of user records – customer must staying alert – Jul 2019

Preface: If victim is not negligence. Can we give an excuse to him?

Company background: Orvibo, a Chinese smart home solutions provider.

Story begin: A technical report shown to the world that Orvibo (ElasticSearch cluster) leaked more than two billion user logs containing sensitive data of customers from countries all over the world.
Does the admin using easy to guess password or………

Impact: Diminished reputation of the company only. Perhaps more, GDPR penalty, phishing scam,..etc. Most likely customer do not aware and let the attacker hunt the victim easier because criminal will counterfeit their personal information.

If you are aware your personal information has been stolen by above incident. What should You do?

Since hacker know your personal details and therefore they will using your information to conducting criminal activities on other public media. Our suggestion is that changing your password and update the virus signature or OS patching are not enough. You must observer your mail box whether scam mail activities is growth rapidly after this incident. If result shown positive, you must contact your email service provider and looking for their recommendations.

Headline News – https://www.dailymail.co.uk/sciencetech/article-7202675/Maker-smart-home-software-continues-leave-database-containing-users-passwords-OPEN-online.html

Not a fashion famous brand. Hermes ransomware, the predecessor to Ryuk. NCSC Releases Advisory on Ryuk Ransomware.

Preface: The NCSC is investigating current Ryuk ransomware campaigns targeting organisations globally, including in the UK. In some cases, Emotet and Trickbot infections have also been identified on networks targeted by Ryuk.

Technical details: Ryuk was first seen in August 2018. The Ryuk ransomware is often not observed until a period of time after the initial infection – ranging from days to months.Ryuk ransomware linked to Emotet and Trickbot banking trojans.
– The objective of Emotet conduct as a dropper feature in order to delivery for other Trojans.
– Trickbot aim to browser as a attack target, the aim to do manipulation techniques to facilitate data theft.
The structure of the encrypted file is identical to the structure used in Hermes Ransomware, including the distinctive HERMES token that this malware uses to identify files that it has already encrypted.

Remark: Cyber Criminals distributing Hermes Ransomware via dangerous malspam that contains Weaponized Password protected Word documents to encrypt the system files and lock the victim’s computer.

The pre-operation of Ryuk ransomware on infected computers:

  • Volume Shadow Server & Backup Kill
  • Installed lang check:
    SYSTEM\CurrentControlSet\Control\Nls\Language\
    InstallLanguage
    0419 (Russia)
    0422 (Ukrainian)
    0423 (Belarusian)
  • Arp Blaclklist check
  • GetComputerName check
  • Process kill

Advisory report for download – https://www.ncsc.gov.uk/news/ryuk-advisory

IoT world hiccups – CVE-2019-12951 Mongoose parse mqtt() Function Heap-Based Buffer Overflow Vulnerability – Now fixed – Jun 2019

Preface: Smart City look like a housekeeper. The sensor is his eye.But do you have question? He is a man or she is a woman.

Background: Mongoose is a cross-platform embedded web server and networking library with functions including different protocol (TCP, HTTP, WebSocket, Server MQTT client and broker).

What is MQTT? MQTT is a simple messaging protocol, designed for constrained devices with low-bandwidth. It works on the TCP/IP protocol suite.

Vulnerability details: An issue was discovered in Mongoose before 6.15. The parse_mqtt() function in mg_mqtt.c has a critical heap-based buffer overflow.

Impact: It could allow an unauthenticated, remote attacker to execute arbitrary code or cause a denial of service (DoS) condition on a targeted system (see attached diagram).

Reference: Example of arbitrary code

strcpy(char *dest, const char *src) – May overflow the dest buffer
strcat(char *dest, const char *src) – May overflow the dest buffer

The vendor has released a bug fix – https://github.com/cesanta/mongoose/commit/b3e0f780c34cea88f057a62213c012aa88fe2deb

antihackingonline.com