High-level state-backed APT groups entrenched in plenty of servers for nearly a decade Using Little-Known Linux Exploits – 14th May 2020

Preface: According to statistical data, most organizations store data in cloud platforms operating in Linux based environment. Statistics show that, compared with the Windows operating system, Linux coverage rate exceeds 75%.

Background: Linux system commonly using drive by downloads on an infected website. For instance you install program on Linux sometimes require specify library file (.so). Perhaps your sense of defensive will be downgrade during software installation because you aim to achieve completed the milestone and therefore unintended let the rootkit implant to you Linux system. The rootkit is considered to be a type of Trojan horse. Many Trojan horses exhibit the characteristics of a rootkit. The main difference is that rootkits actively conceal themselves in a system and also typically provide the hacker with administrator rights.

RootKit specifications:

  • Kernel mode rootkits (Ring 0)
  • User mode rootkit (Ring 3)

What can we do now? Actively monitor web applications for unauthorized access, modification, or anomalous activities. But stay alert when you download the library file.

For Malicious Cyber Activity, US Homeland Security provides visibility to the world – 13th May 2020

Preface: It is impossible to rely on small group of expert to track malicious activities on the Internet. In fact, it needs strong financial support. This is reality, maybe this is a long-running game.

Background: US Homeland Security issue an evaluation article on hostile country malware and phishing attacks motion. Perhaps you may ask? Can it be relies on SIEM do this monitoring. My opinion is that we should say thanks to DNS Sinkhole.A website that hosts malware can either attempt to trick users into downloading a malicious program, or execute a drive-by download: a download of a malicious piece of software that is automatically triggered when the webpage loads. But it require DNS lookup service. By using the DNS sinkhole technique it is also possible to deny access to any of malicious C&C websites. Besides, the queries will be written down to DNS Sinkhole record.

Security focus of specifics malware:
COPPERHEDGE, is described as a Remote Access Tool (RAT).
TAINTEDSCRIBE is a trojan that acts as a full-featured beaconing implant with command modules and designed to disguise as Microsoft’s Narrator.
PEBBLEDASH is yet another trojan acting like a full-featured beaconing implant and used by hacking groups “to download, upload, delete, and execute files; enable Windows CLI access; create and terminate processes; and perform target system enumeration.”

For more information about the report, please click this link – https://www.us-cert.gov/northkorea

Remedy on CVE-2020 -11651, CVE-2020 -11652 VMware vRealize Operations Manager addresses Authentication Bypass and Directory Traversal vulnerabilities – 12th May 2020

Preface: If application do not defenses against directory traversal attacks, so an attacker can request the following URL: hxxp://xxx[.]com/loadImage?filename=../../../etc/passwd

Vulnerability details: The VMware Application Remote Collector (ARC) introduced with vRealize Operations Manager 7.5 can integrate with Salt (SaltStack). However the vulnerabilities (CVE-2020-11651 and CVE-2020-11652) found in saltstack this month will be impact VMware operation simultaneously. The impact causes by SaltStack causes VMware vRealize Operations Manager (vROps) vulnerable to Directory traversal vulnerability. Meanwhile it has possiblites to happen critical impact (authentication bypass). For details, please refer to follow official announcement url. https://kb.vmware.com/s/article/79031

Observation: From technical point of view, the design weakness of salt open TCP port 4505 and 4506 on behalf of service daemon. So attacker can be inject command in this part without authentication.

From imagination point of view – The assembly process of Coronvirus kill chian – 10th May 2020

Preface: The pandemic virus has killed about 211,000 people. Is it an artificial product or created by nature?

My story can tell: Population growth, it is hard to avoid has a cold. The symptom causes cough & sneeze.However the main problem is the sputum. Perhaps we are the living in modern civilization. However the spit behaviors we seen everywhere. We assumed that the sputum dissolve into soil. However this pollute cycle keep run in a constant cycle into long period of time. So,the unknown matter contains in the soil then transform to a virus storage. The high density populated insect living in the world equivalent man kind population in the earth. It is the ant under the ground. Perhaps the virus or virus being transformation could not kill them. Therefore, ant become couriers. Who is the enemy of ant. Pangolins eat ants. If human being eat the pangolins. As a result, the infection cycle being started.

If you think the above prediction is nonsense. Please read the headlines. How did coronavirus start and where did it come from? Was it really Wuhan’s animal market?

https://www.theguardian.com/world/2020/apr/28/how-did-the-coronavirus-start-where-did-it-come-from-how-did-it-spread-humans-was-it-really-bats-pangolins-wuhan-animal-market

Discarded Tesla car parts contain information. Maybe you can buy it on eBay. Who can believe in the technological world? Even if no such incident occurs, the supplier can read your local data without your consent (8th May 2020)

Preface: The traditional method of disposing of hard drives is degaussing or incineration.

Headline News: The manufacturer has a hardware disposal policy. The incidents encountered by Tesla may be due to improper handling of third parties. For more information about headline news, please refer to this link. https://www.hackread.com/user-data-found-in-tesla-car-parts-ebay/

Supplement: Should you have doubt about your data personal privacy matter in IoT device? You might have interested to read the following.

Who can you trust in the Internet world? Security Issues with LOAD DATA LOCAL in MySQL DB.

Technical overview:
Security Issues with LOAD DATA LOCAL on MySQL DB server side:
Such a server could access any file on the client host to which the client user has read access. Please refer to this link to read the details – http://www.antihackingonline.com/application-development/who-can-you-trust-in-the-internet-world-security-issues-with-load-data-local-in-mysql-db/

Official announcement – Security Considerations for LOAD DATA LOCAL. Please refer to this URL: https://dev.mysql.com/doc/refman/8.0/en/load-data-local-security.html

Storm of Go language based malware – 6th May 2020

Preface: New Kaiji malware targets IoT devices via SSH brute-force.

Background: Gobot is a framework for robotics, drones, and the Internet of Things (IoT), written in the Go programming language.

Observation: Programmers usually choose Golang for building the communication layer within the IoT system. One of the biggest draws to Go is the fact that a single codebase may be compiled for all of the major operating system platforms.

What is codbase: A codebase is a source code repository or a set of repositories that share a common root. The single codebase for an application is used to produce any number of immutable releases that are destined for different environments.

Facts: So it benefits to attacker when he written a malware.

Prediction in regards to current situation: See attached diagram. My prediction is that hacker will be exploit the design weakness in Go language (Go programs primarily use the YMM registers to implement copying one memory buffer to another). So, the case is under observation.

The things you can do right now: Implement effective passwords on all IoT devices when possible.

Headline News:https://www.zdnet.com/article/new-kaiji-malware-targets-iot-devices-via-ssh-brute-force-attacks/

SaltStack has released a security update to address critical vulnerabilities affecting Salt versions prior to 2019.2.4 and 3000.2 (1st May 2020)

Product background: If you have one hundred servers, so it makes sense to use Puppet(open source DevOps systems management tool)for centralizing and automating the configuration management process. SaltStack itself is an open source infrastructure centralized management platform. Compared with other commercial products, its deployment and configuration are slightly more complicated.

Vulnerability details: SaltStack has released a security update to address critical vulnerabilities affecting Salt versions prior to 2019.2.4 and 3000.2. A remote attacker could exploit these vulnerabilities to take control of an affected system. For more details, please refer to attached diagram. The official announcement can be found here. https://docs.saltstack.com/en/latest/topics/releases/3000.2.html

Recommendation:

1. Upgrade SaltStack to a recommended version. It is recommended to take a snapshot backup before upgrading.

2. Set the Salt Master’s default listening ports (default 4505 and 4506) to prohibit opening to the public network, or only to trusted objects.

Take care, data center administrators.

Alert users that a previously disclosed Oracle WebLogic Server remote code execution vulnerability (CVE-2020-2883) is being exploited in the wild. (3rd May 2020)

Preface: Perhaps my alert late for 3 days, but the specify vulnerability hide himself in webLogic product for few years!

Vulnerability details: Alert users that a previously disclosed Oracle WebLogic Server remote code execution vulnerability (CVE-2020-2883) is being exploited in the wild. You can read the official announcement in following link – https://blogs.oracle.com/security/apply-april-2020-cpu

One of the exploit methods – The attacker can locate all of the objects by packet capture. For more details, please refer to attached diagram for reference. As a result, the attacker can replace these objects with his malicious payload. Since the server receives the data and unpacks (deserializes) without integrity check. And therefore it let attacker execute the malicious code on the underlying WebLogic core, allowing the attacker to take control over unpatched systems.

VMware ESXi patches address Stored Cross-Site Scripting (XSS) vulnerability (CVE-2020-3955) – 28th Apr 2020

Preface: Perhaps when you do the web scan or web penetration test. XSS will be easy to find out. However people has contempt this matter.

How to avoid XSS happen?

1. Input should filter characters especially < > & ‘ ” .

2. Whitelisting and input validation are more commonly associated with SQL injection, they can also be used as an additional method of prevention for XSS.

3. Sanitizing user input.

About CVE-2020-3955: For whom with access to modify the system properties of a virtual machine from inside the guest os (such as changing the hostname of the virtual machine) may be able to inject malicious script which will be executed by a victim’s browser when viewing this virtual machine via the ESXi Host Client.

Remedy: VMware official announcement – https://www.vmware.com/security/advisories/VMSA-2020-0008.html

Juniper harden itself. Avoid log event services daemon encountered injection attack – 28th Apr 2020

Preface: Friendly speaking, the similar types of attack apply to all Linux base devices including firewall.

The impact of this vulnerability – If J-Web is enabled, the attacker could gain the same level of access of anyone actively logged into J-Web. If an administrator is logged in, the attacker could gain administrator access to J-Web.

My observation: One of the possibility is that an attacker can craft a kernel message that contains ‘%’ characters between pairs of ‘[<‘ and ‘>]’ symbol markers to gain root access to the system. Perhaps if the attacker goal to do surveillance, he can delete the log events and fool the SIEM system. Since SIEM log event correlation functions relies on log event.

Official announcementhttps://kb.juniper.net/InfoCenter/index?page=content&id=JSA11021

antihackingonline.com