Preface: According to statistical data, most organizations store data in cloud platforms operating in Linux based environment. Statistics show that, compared with the Windows operating system, Linux coverage rate exceeds 75%.
Background: Linux system commonly using drive by downloads on an infected website. For instance you install program on Linux sometimes require specify library file (.so). Perhaps your sense of defensive will be downgrade during software installation because you aim to achieve completed the milestone and therefore unintended let the rootkit implant to you Linux system. The rootkit is considered to be a type of Trojan horse. Many Trojan horses exhibit the characteristics of a rootkit. The main difference is that rootkits actively conceal themselves in a system and also typically provide the hacker with administrator rights.
Kernel mode rootkits (Ring 0)
User mode rootkit (Ring 3)
What can we do now? Actively monitor web applications for unauthorized access, modification, or anomalous activities. But stay alert when you download the library file.
Preface: It is impossible to rely on small group of expert to track malicious activities on the Internet. In fact, it needs strong financial support. This is reality, maybe this is a long-running game.
Background: US Homeland Security issue an evaluation article on hostile country malware and phishing attacks motion. Perhaps you may ask? Can it be relies on SIEM do this monitoring. My opinion is that we should say thanks to DNS Sinkhole.A website that hosts malware can either attempt to trick users into downloading a malicious program, or execute a drive-by download: a download of a malicious piece of software that is automatically triggered when the webpage loads. But it require DNS lookup service. By using the DNS sinkhole technique it is also possible to deny access to any of malicious C&C websites. Besides, the queries will be written down to DNS Sinkhole record.
Security focus of specifics malware: COPPERHEDGE, is described as a Remote Access Tool (RAT). TAINTEDSCRIBE is a trojan that acts as a full-featured beaconing implant with command modules and designed to disguise as Microsoft’s Narrator. PEBBLEDASH is yet another trojan acting like a full-featured beaconing implant and used by hacking groups “to download, upload, delete, and execute files; enable Windows CLI access; create and terminate processes; and perform target system enumeration.”
Preface: If application do not defenses against directory traversal attacks, so an attacker can request the following URL: hxxp://xxx[.]com/loadImage?filename=../../../etc/passwd
Vulnerability details: The VMware Application Remote Collector (ARC) introduced with vRealize Operations Manager 7.5 can integrate with Salt (SaltStack). However the vulnerabilities (CVE-2020-11651 and CVE-2020-11652) found in saltstack this month will be impact VMware operation simultaneously. The impact causes by SaltStack causes VMware vRealize Operations Manager (vROps) vulnerable to Directory traversal vulnerability. Meanwhile it has possiblites to happen critical impact (authentication bypass). For details, please refer to follow official announcement url. https://kb.vmware.com/s/article/79031
Observation: From technical point of view, the design weakness of salt open TCP port 4505 and 4506 on behalf of service daemon. So attacker can be inject command in this part without authentication.
Preface: The pandemic virus has killed about 211,000 people. Is it an artificial product or created by nature?
My story can tell: Population growth, it is hard to avoid has a cold. The symptom causes cough & sneeze.However the main problem is the sputum. Perhaps we are the living in modern civilization. However the spit behaviors we seen everywhere. We assumed that the sputum dissolve into soil. However this pollute cycle keep run in a constant cycle into long period of time. So,the unknown matter contains in the soil then transform to a virus storage. The high density populated insect living in the world equivalent man kind population in the earth. It is the ant under the ground. Perhaps the virus or virus being transformation could not kill them. Therefore, ant become couriers. Who is the enemy of ant. Pangolins eat ants. If human being eat the pangolins. As a result, the infection cycle being started.
If you think the above prediction is nonsense. Please read the headlines. How did coronavirus start and where did it come from? Was it really Wuhan’s animal market?
Preface: New Kaiji malware targets IoT devices via SSH brute-force.
Background: Gobot is a framework for robotics, drones, and the Internet of Things (IoT), written in the Go programming language.
Observation: Programmers usually choose Golang for building the communication layer within the IoT system. One of the biggest draws to Go is the fact that a single codebase may be compiled for all of the major operating system platforms.
What is codbase: A codebase is a source code repository or a set of repositories that share a common root. The single codebase for an application is used to produce any number of immutable releases that are destined for different environments.
Facts: So it benefits to attacker when he written a malware.
Prediction in regards to current situation: See attached diagram. My prediction is that hacker will be exploit the design weakness in Go language (Go programs primarily use the YMM registers to implement copying one memory buffer to another). So, the case is under observation.
The things you can do right now: Implement effective passwords on all IoT devices when possible.
Product background: If you have one hundred servers, so it makes sense to use Puppet(open source DevOps systems management tool)for centralizing and automating the configuration management process. SaltStack itself is an open source infrastructure centralized management platform. Compared with other commercial products, its deployment and configuration are slightly more complicated.
Vulnerability details: SaltStack has released a security update to address critical vulnerabilities affecting Salt versions prior to 2019.2.4 and 3000.2. A remote attacker could exploit these vulnerabilities to take control of an affected system. For more details, please refer to attached diagram. The official announcement can be found here. https://docs.saltstack.com/en/latest/topics/releases/3000.2.html
1. Upgrade SaltStack to a recommended version. It is recommended to take a snapshot backup before upgrading.
2. Set the Salt Master’s default listening ports (default 4505 and 4506) to prohibit opening to the public network, or only to trusted objects.
Preface: Perhaps my alert late for 3 days, but the specify vulnerability hide himself in webLogic product for few years!
Vulnerability details: Alert users that a previously disclosed Oracle WebLogic Server remote code execution vulnerability (CVE-2020-2883) is being exploited in the wild. You can read the official announcement in following link – https://blogs.oracle.com/security/apply-april-2020-cpu
One of the exploit methods – The attacker can locate all of the objects by packet capture. For more details, please refer to attached diagram for reference. As a result, the attacker can replace these objects with his malicious payload. Since the server receives the data and unpacks (deserializes) without integrity check. And therefore it let attacker execute the malicious code on the underlying WebLogic core, allowing the attacker to take control over unpatched systems.
Preface: Perhaps when you do the web scan or web penetration test. XSS will be easy to find out. However people has contempt this matter.
How to avoid XSS happen?
1. Input should filter characters especially < > & ‘ ” .
2. Whitelisting and input validation are more commonly associated with SQL injection, they can also be used as an additional method of prevention for XSS.
3. Sanitizing user input.
About CVE-2020-3955: For whom with access to modify the system properties of a virtual machine from inside the guest os (such as changing the hostname of the virtual machine) may be able to inject malicious script which will be executed by a victim’s browser when viewing this virtual machine via the ESXi Host Client.
Preface: Friendly speaking, the similar types of attack apply to all Linux base devices including firewall.
The impact of this vulnerability – If J-Web is enabled, the attacker could gain the same level of access of anyone actively logged into J-Web. If an administrator is logged in, the attacker could gain administrator access to J-Web.
My observation: One of the possibility is that an attacker can craft a kernel message that contains ‘%’ characters between pairs of ‘[<‘ and ‘>]’ symbol markers to gain root access to the system. Perhaps if the attacker goal to do surveillance, he can delete the log events and fool the SIEM system. Since SIEM log event correlation functions relies on log event.