Lost of civilization – Enterprise MDM solution may not detect these apps

The installation packages of Android apps (.APK files) are deployed as ZIP files. This fundamental design choice gives malware a way in: a threat actor can place a malicious DEX file at the start of the APK file. The v2 signing scheme prevents this type of tampering. However, for compatibility reasons, older Android versions that only support version 1 of the signing scheme are still in use, and apps signed only with v1 are still alive. We know the risk can occur in such circumstances. The fact is that enterprise MDM solutions may not detect these apps.

Reference: https://developer.android.com/about/versions/nougat/android-7.0#apk_signature_v2
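As an added example (not code from the original post or from Google's APK tooling), the Python script below does the check an enterprise MDM could run on an uploaded APK: it locates the ZIP central directory from the End of Central Directory record, looks for the APK Signing Block and its v2/v3 block IDs, and flags a file that has bytes before the first ZIP entry. The magic string and block IDs are the documented ones; the sample APK the script builds is constructed for the demo, with a placeholder instead of a real signature.

```python
import io, struct, zipfile

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
V2_BLOCK_ID, V3_BLOCK_ID = 0x7109871A, 0xF05368C0   # signature scheme v2 / v3 block IDs

def _central_dir_offset(data):
    """EOCD position minus central-directory size: correct even if bytes were prepended."""
    eocd = data.rfind(b"PK\x05\x06")
    if eocd < 0:
        raise ValueError("not a ZIP/APK: no End of Central Directory record")
    cd_size = struct.unpack_from("<I", data, eocd + 12)[0]
    return eocd - cd_size

def signing_scheme_ids(data):
    """Return the block IDs inside the APK Signing Block, or an empty set if there is none."""
    cd = _central_dir_offset(data)
    if cd < 24 or data[cd - 16:cd] != APK_SIG_BLOCK_MAGIC:
        return set()
    size = struct.unpack_from("<Q", data, cd - 24)[0]
    start = cd - size - 8
    if start < 0 or struct.unpack_from("<Q", data, start)[0] != size:
        return set()                     # leading and trailing size fields must agree
    ids, pos, end = set(), start + 8, cd - 24
    while pos < end:                     # ID-value pairs: uint64 length, uint32 ID, value
        length, block_id = struct.unpack_from("<QI", data, pos)
        ids.add(block_id)
        pos += 8 + length
    return ids

def assess_apk(data):
    """Two findings an MDM policy can act on: no v2/v3 signature, or data before the first entry."""
    ids = signing_scheme_ids(data)
    return {"v2_or_v3_signed": bool(ids & {V2_BLOCK_ID, V3_BLOCK_ID}),
            "prepended_data": not data.startswith(b"PK\x03\x04")}

def build_sample_apk(prepend=b"", v2_block=False):
    """Constructed toy APK for the demo; the v2 block holds a placeholder, not a real signature."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"dex\n035\0" + b"\0" * 16)
        z.writestr("AndroidManifest.xml", b"<manifest/>")
    data = buf.getvalue()
    if v2_block:
        cd, eocd = _central_dir_offset(data), data.rfind(b"PK\x05\x06")
        pair = struct.pack("<QI", 4 + 32, V2_BLOCK_ID) + b"\0" * 32
        size = len(pair) + 8 + 16        # pairs + trailing size field + 16-byte magic
        block = struct.pack("<Q", size) + pair + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC
        data = (data[:cd] + block + data[cd:eocd + 16]          # shift the stored CD offset
                + struct.pack("<I", cd + len(block)) + data[eocd + 20:])
    return prepend + data
```

A real deployment would additionally verify the signature inside the block; this script only reports which schemes are present and whether the file layout is intact.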

23rd Jul 2018 – Bluetooth vulnerability

Elliptic Curve Diffie-Hellman (ECDH) makes man-in-the-middle attacks difficult, since an attacker cannot find out the shared secret, and therefore it looks secure. The public keys are either static (and trusted, say via a certificate) or ephemeral (also known as ECDHE, where the final "E" stands for "ephemeral"). Ephemeral keys are temporary and not necessarily authenticated, so if authentication is desired, authenticity assurances must be obtained by other means. Authentication is necessary to avoid man-in-the-middle attacks. The truth is that a similar setup has a vulnerability: Bluetooth implementations may not sufficiently validate elliptic curve parameters during Diffie-Hellman key exchange.

Reference: Vulnerability Note VU#304725, "Bluetooth implementations may not sufficiently validate elliptic curve parameters during Diffie-Hellman key exchange" – https://www.kb.cert.org/vuls/id/304725

Ethereum carrier Solidity shield – Call abuse vulnerability (CVE-2018-14087)

An integer overflow is the condition that occurs when the result of an arithmetic operation, such as multiplication or addition, exceeds the maximum size of the integer type used to store it. Ethereum hits such vulnerabilities frequently. The Solidity programming language rescues Ethereum in the cryptocurrency world, but nothing in the world is perfect. A vulnerability was recently found in the Ethereum EUC token, which is built in the Solidity programming language. The researcher gave it the nickname "call abused" vulnerability. For details, please see the hyperlink below for reference.

Ethereum EUC Token (call abused) – CVE-2018-14087
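Added example (not the EUC token's code nor that of any contract listed below): a Python simulation of EVM uint256 arithmetic showing why the addition and multiplication described above need checked, SafeMath-style versions. `batch_transfer` is a constructed token function that computes a total as count times value and then credits each receiver; with unchecked arithmetic the total wraps, so the sender's balance check no longer protects anything.

```python
MASK = (1 << 256) - 1   # EVM uint256 arithmetic is modulo 2**256

def evm_add(a, b):
    """Unchecked addition as the EVM performs it: the result silently wraps."""
    return (a + b) & MASK

def evm_mul(a, b):
    """Unchecked multiplication: the same silent wrap."""
    return (a * b) & MASK

def checked_add(a, b):
    """SafeMath-style addition: revert (here, raise) instead of wrapping."""
    c = a + b
    if c > MASK:
        raise OverflowError("uint256 addition overflow")
    return c

def checked_mul(a, b):
    """SafeMath-style multiplication: revert instead of wrapping."""
    c = a * b
    if c > MASK:
        raise OverflowError("uint256 multiplication overflow")
    return c

def batch_transfer(balances, sender, receivers, value, checked):
    """Constructed batch transfer: debit sender by len(receivers) * value, credit each receiver.
    With checked=False the total can wrap to a small number, so a sender holding nothing passes
    the balance check while every receiver is credited with a huge amount."""
    add, mul = (checked_add, checked_mul) if checked else (evm_add, evm_mul)
    total = mul(len(receivers), value)
    if balances.get(sender, 0) < total:
        raise ValueError("insufficient balance")
    balances[sender] = balances.get(sender, 0) - total
    for r in receivers:
        balances[r] = add(balances.get(r, 0), value)
    return balances
```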


Additional information – Ethereum integer overflow vulnerabilities

Ethereum aditus token (CVE-2018-12959):


Ethereum mkcb_token:


Ethereum singaporecoinorigin token:


Ethereum stex white list token:


Ethereum tracto token:


Ethereum virgo zodiactoken token:


Not an integer overflow vulnerability:

Ethereum userwallet 0x0a7bca9fb7af-f26c6ed8029b-b6f0f5d291587c42 token:


A vulnerability has been identified in IEC 61850 system configurator – CVE-2018-4858

While many cyber security gurus focus on nuclear power and critical facilities, it looks like they also need to include power substations. From a technical point of view, the control centre will harden both its consoles and its network environment. But what about the configuration console for the substation? Is the configuration software (IEC 61850 system configurator) allowed to be installed on a notebook for outdoor work? Siemens IEC 61850 system configurator, DIGSI 5, DIGSI 4, SICAM PAS/PQS, SICAM PQ Analyzer, and SICAM SCC products are affected by a security vulnerability which could allow an attacker to either exfiltrate limited data from the system or to execute code with operating system user permissions. Cyber attacks are carried out through different channels, but the major pathway is product vulnerabilities.

Official announcement by Siemens shown as below:


Status update: 30th Jul 2018

The vendor has confirmed a vulnerability: a Denial-of-Service condition in the EN100 Ethernet Communication Module and SIPROTEC 5 relays.

Official announcement by Siemens shown as below:


20th Jul 2018 – Win32/Emotet return again!

Strange! This Trojan (Win32/Emotet) was first found in 2014, and it looks like a similar cyber attack is coming round again.

Published Jul 23, 2014 (Trojan:Win32/Emotet) – https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/Emotet

This threat can steal your personal information, including your banking user names and passwords. It is usually installed when you open a spam email attachment or click on a malicious link in a PDF. This time, however, it also arrives in Microsoft Word documents. Stay alert!

Defending the Power Grid From Hackers – Jul 2018

Cyber defense facilities today are very strong and effective at fighting different kinds of cyber attacks. Even when a stealer uses DNS-based exfiltration to move data out of a firm, anti-cyber technology has ways to quarantine and deny such activity. Perhaps you would point to the IoT device attacks that wreaked havoc worldwide; those are hard to avoid, but there is still a resolution. Cyber security vendors deploy network discovery facilities that can find devices whether or not they support 802.1X (Dot1X). So it looks perfect, with nothing left to worry about. But why do cyber attack incidents still happen today?

The Next Cyber Battleground

Sounds scary! Experts predict that digital infrastructure is a prime target for cyber attack, whether through smart cities, manufacturing automation, geospatial data systems, etc.

Some experts believe cyber incidents go underreported in the nuclear sector. The reason is that the Nuclear Regulatory Commission only requires the reporting of incidents that affect the safety, security functions, or emergency preparedness of the plant. Maybe they do not want to cause public panic.

We hear about cyber attacks on SCADA frequently. Does SCADA contain design weaknesses, or is there another factor?

The SCADA Data Gateway (SDG) is a Windows™ application used by System Integrators and Utilities to collect data from OPC, IEC 60870-6 (TASE.2/ICCP), IEC 61850, IEC 60870-5, DNP3, or Modbus Server/Slave devices and then supplies this data to other control systems supporting OPC, IEC 60870-6 (TASE.2/ICCP) Client, IEC 60870-5, DNP3, and/or Modbus Client/Master communication protocols.

The core components supporting SCADA infrastructure are commonly built on Microsoft products, and therefore the attack surface is divided in several ways. We understand that nuclear facilities do not provide any public web portal, so direct attacks look impossible. However, Microsoft Office products have full market coverage in the world; it is rare that people do not use MS Word for word processing work, right? As a matter of fact, hackers now turn MS Office products into a cyber attack medium. They re-use former MS Office vulnerabilities, which gives them a possible way to carry out the infiltration. From a technical point of view, it is also workable even when the attacker sends out a file in RTF format.

Remark: RTF is a text file format used by Microsoft products, such as Word and Office. RTF, or Rich Text Format, files were developed by Microsoft in 1987 for use in their products and for cross-platform document interchange. RTF is readable by most word processors.


Hackers are using Microsoft Word documents (or more specifically, RTF files listed with a “.doc” extension) to trick people into opening the files.
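Added example, not part of the original post: a Python check that a mail gateway or endpoint script could apply to attachments. It classifies a file by its leading bytes and flags a mismatch between the extension and the container format, which is exactly what an RTF file delivered as ".doc" looks like. The signature table covers the Word container formats only, and the sample attachments in the test are constructed.

```python
import os

# Leading bytes of the container formats Word opens (constructed table for this demo).
SIGNATURES = {
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2",   # legacy binary .doc (Compound File)
    b"PK\x03\x04": "zip",                           # OOXML .docx / .docm (ZIP container)
    b"{\\rtf": "rtf",                               # Rich Text Format
}
# Container each extension is expected to carry; anything else is flagged.
EXPECTED = {".doc": {"ole2"}, ".dot": {"ole2"}, ".docx": {"zip"}, ".docm": {"zip"}, ".rtf": {"rtf"}}

def detect_container(head):
    """Classify by leading bytes only; 'unknown' for anything not in the table."""
    for magic, kind in SIGNATURES.items():
        if head.startswith(magic):
            return kind
    return "unknown"

def check_attachment(filename, head):
    """Return (verdict, reason) for an attachment given its name and first bytes.
    'suspicious' means the extension promises one container but the bytes show another."""
    ext = os.path.splitext(filename)[1].lower()
    kind = detect_container(head)
    if ext not in EXPECTED:
        return ("review", f"extension {ext!r} is not a Word document type")
    if kind in EXPECTED[ext]:
        return ("ok", f"{ext} content is {kind} as expected")
    return ("suspicious", f"{ext} extension but content is {kind}")
```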

For this discussion, I am not going to drill into technical details. The aim is to provide hints and see whether they can enrich security awareness.
Below is a checklist of common malicious MS Word document characteristics, for reference.

Happy hunting – bye!

If you are a Cisco SD-WAN / iWAN customer, you should stay alert! 18th Jul 2018 (Cisco security advisories)

Intelligent WAN (iWAN) is a Cisco SD-WAN product that was built from an existing Cisco product (also called iWAN).

How do you deploy Cisco SD-WAN?
• Cloud-based management and vAnalytics dashboard
• Virtual or physical secure routers for on-premise or cloud
• In-house IT or managed service with service providers or system integrators
• Capital Expenditures (CapEx) and annual subscription licenses or enterprise-based agreements

If you are a Cisco SD-WAN / iWAN customer, you should stay alert to the items below.

Cisco SD-WAN Solution Arbitrary File Overwrite Vulnerability – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-sdwan-fo

Cisco SD-WAN Solution Zero Touch Provisioning Denial of Service Vulnerability – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-sdwan-dos

Cisco SD-WAN Solution Configuration and Management Database Remote Code Execution Vulnerability – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-sdwan-cx

Cisco SD-WAN Solution Command Injection Vulnerability – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-sdwan-coinj

Cisco SD-WAN Solution CLI Command Injection Vulnerability – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-sdwan-cmdnjct

Cisco SD-WAN Solution VPN Subsystem Command Injection Vulnerability – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-sdwan-cmdinj

Cisco SD-WAN Solution Zero Touch Provisioning Command Injection Vulnerability – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-sdwan-ci


Cisco Security Advisories and Alerts published on Wed 18th Jul 2018.

Cisco Policy Suite for Mobile is a carrier-grade policy, charging, and subscriber data management solution. It helps service providers rapidly create and bring services to market, deliver a positive user experience, and optimize network resources. It also generates monetization opportunities across 3G, 4G, and LTE access networks as well as IP Multimedia Subsystem (IMS) service architectures.

It seems this round will keep ISPs busy!

Cisco Policy Suite Policy Builder Unauthenticated Access Vulnerability (CVE-2018-0376) – Critical


Cisco Policy Suite OSGi Interface Unauthenticated Access Vulnerability (CVE-2018-0377) – Critical


Cisco Policy Suite Policy Builder Database Unauthenticated Access Vulnerability (CVE-2018-0374) – Critical


Cisco Policy Suite Cluster Manager Default Password Vulnerability (CVE-2018-0375) – Critical


Jul 2018 – What’s up involving LabCorp Cyber Security incident ?

Headline news said a global laboratory company is suspected of having encountered a cyber attack this month (Jul 2018). LabCorp, a leading global life sciences company, aims to provide diagnostic, drug development and technology-enabled solutions for more than 115 million patient encounters per year. As of today, we have not heard any official announcement of the details. However, the news article gives hints from which to speculate on the root cause: senior managers inside the company were informed that the entire computer network of LabCorp, a Fortune 500 company, was shut down across the US on Sunday morning after hackers tried to access the private medical records of millions of people.

Regarding this unconfirmed cyber attack incident, do you still remember CVE-2018-10593 and CVE-2018-10595? What if an attacker hunts LabCorp staff through phishing email or a malicious MS Word document, is lucky enough to evade antivirus and firewall IPS, and then exploits the design weaknesses of the BD Kiestra system (CVE-2018-10593 and CVE-2018-10595)? It looks like one of the data breach scenarios could be successfully established.


A vulnerability found in Becton Dickinson DB Manager (CVE-2018-10593 and CVE-2018-10595)

Headline News:

EXCLUSIVE: Hackers have breached the network at LabCorp – one of the largest diagnostic blood testing laboratories in the US – sparking fears of exposing MILLIONS of patients’ private medical records


FBI Aware Of ‘Reports Of Ransomware Attack’ Involving LabCorp Security Breach