1st June 2018 – Visa Card Payment Systems Go Down Across Europe

Visa Card Payment Systems Go Down Across Europe

Visa Card Payment Systems Go Down Across Europe on 1st June 2018. The Visa payment service resumed on 2nd June 2018. Visa announced that systems now operating at ‘full capacity’ after crash cripples payments  (See below url for reference)

https://finance.yahoo.com/quote/V180608P00095000?p=V180608P00095000

The service interruption because of hardware failure, said Visa. Observation – The fellow payment card systems MasterCard and Maestro are not affected.

My comment is that see whether is there any design limitation of the enhanced 3-D Secure 2.0 causes this incident? No problem, cyber world looks no secret. Even though it is non-disclosed at this time. May be we will know the details in future.

Have a nice Sunday.

 

A vulnerability found in becton dickinson DB Manager (CVE-2018-10593 and CVE-2018-10595)

On May 2017, Ransomware attack suspended UK healthcare system services. It shown the security weakness in hospital and clinic IT system infrastructure. BD is a global medical technology company that is advancing the world of health by improving medical discovery, diagnostics and the delivery of care. A vulnerabilitiy found on Becton Dickinson causes a series of products being effected. It includes BD Kiestra TLA, BD Kiestra WCA and BD InoqulA+ specimen processor. The vendor state that this vulnerability cannot be exploited remotely. You must have physical access to the sub-network shared by the BD Kiestra system.According to the vendor solution , their product allow both thick client and thin client (web base) access. And therefore the vendor requires to remind the client who engaged the web base function to staying alert. Should you have interested to find out the details. Please refer below url for reference.

https://www.bd.com/en-us/support/product-security-and-privacy/product-security-bulletin-bd-kiestra-tla-bd-kiestra-wca-bd-inoqula

22nd May 2018: Security Advisory – Privilege escalation vulnerability found in some Dahua IP products

Based in Hangzhou, China, Dahua Technology is one of the world’s leading manufacturers of security and video surveillance equipment. According to its unaudited results for 2017, it had a turnover of $2.89bn representing a year-on-year increase of 41%, and a gross profit of $404m, growing by 31%.Based on above details, you can imagine that how the popularity of the Dahua IP devices market coverage.

Regarding to the CVE reference number, it indicate that vulnerability found on 2017. Acording to the official web site announcement, the historical status shown as below:

  • 2018-5-22 UPDATE Affected products and fix software
  • 2018-3-16 INITIAL

We notice that VPN filter malware infect estimate total of 500,000 units of device (router and Network access storage) jeopardizing the world. Whereby, the US court order enforce the justice and thus quarantine the specified C&C servers. It won this battle.

But is there any hiccups of this matter?

Should you have interest of this matter, please refer below url for reference.

Security Advisory : Privilege escalation vulnerability found in some Dahua IP products https://www.dahuasecurity.com/support/cybersecurity/annoucementNotice/337

21st May 2018 – Citrix XenMobile 10.x Multiple Security Updates

Applicable Products (XenMobile 10.7 & XenMobile 10.8)

Affecting XenMobile Server 10.7 and 10.8:

  • CVE-2018-10653 (High): XML External Entity (XXE) Processing Vulnerability in Citrix XenMobile Server
  • CVE-2018-10650 (Medium): Insufficient Path Validation Vulnerability in Citrix XenMobile Server
  • CVE-2018-10654 (Medium): Hazelcast Library Java Deserialization Vulnerability in Citrix XenMobile Server
  • CVE-2018-10648 (Low): Unauthenticated File Upload Vulnerabilities in Citrix XenMobile Server
  • CVE-2018-10651 (Low): Open Redirect Vulnerabilities in Citrix XenMobile Server

Affecting XenMobile Server 10.7: ………..

Mitigating Factors: …………………………..

Should you have interest of this topic, refer below url for reference.

https://support.citrix.com/article/CTX234879

The book of Revelation – OPC UA will be the target for next phase of SCADA system attack.

 

Preface

A fascinating, unusual story which creates an eerie atmosphere. The security report issued by Kaspersky on 10th May 2018 driven my interest to do this study. So the report equivalent to enlightenment my conception.

Background

A tremendous potential cyber attack found by Cisco. Thereby it announced to public last week. They reveal this unknown story to the world. And therefore the major security focus shift to a new malware. As a result, we know the technical specifications of malware so called “VPNFilter”. However, similar cyber attacks was encountered in past. A similarity of those cyber attacks are focusing the public facilities especially nuclear power facility , gas and water supply system as the major target. We bring your attentions today for OPC UA (Object Linking and Embedding for Process Control Unified Automation) to OPC Unified Architecture (OPC UA) system vulnerabilities. Those vulnerabilities are not running in high profile. But it requires technical people for attention.

About OPC & OPC Unified Architecture

OPC is an industry standard, it defines methods for exchanging realtime automation data between PC-based clients using Microsoft operating systems. The organization that manages this standard is the OPC Foundation. OPC Unified Architecture (OPC UA) is a machine to machine communication protocol for industrial automation developed by the OPC Foundation.

Overview of OPC Unified Architecture

Kaspersky technical findings

Referring to technical report announced by Kaspersky on 10th May 2018. The key critical design flaws are shown as below:

  1. Quote: OPC UA was designed to support data transport for two data types: the traditional binary format (used in previous versions of the standard) and SOAP/XML. Today, data transfer in the SOAP/XML format is considered obsolete in the IT world and is almost never used in modern products and services. The prospects of it being widely used in industrial automation systems are obscure, so we decided to focus our research on the binary format.

………………………….

It turned out that part of the network services in the system we analyzed communicated over the OPC UA protocol and most executable files used a library named “uastack.dll”. ………

…………After developing a basic set of mutations (bitflip, byteflip, arithmetic mutations, inserting a magic number, resetting the data sequence, using a long data sequence), we managed to identify the first vulnerability in uastack.dll. It was a heap corruption vulnerability, successful exploitation of which could enable an attacker to perform remote code execution (RCE), in this case, with NT AUTHORITY/SYSTEM privileges.

Hints –  See whether below assembly language source code (call OpcUa-memory_Alloc@4) can provides any idea to you in this regard.

2. In the process of analyzing the application, found that it used the XmlDocument function, which was vulnerable to XXE attacks for .NET versions 4.5 and earlier.

Hints: What is XXE attack? Below picture shown traditional XXE attack for reference.This XXE attack so called billion laughs attack .

Remark: By disabling DTDs, application developers are also able to strengthen the parser’s ability to protect itself against DoS (denial of service) attacks.

My observation:

Upon inspection, the OPC UA requires the following library files.

libeay32.dll, ssleay32.dll, and uastack.dll

The above library file (ssleay32.dll) belongs to OpenSSL 1.0.2j. It was configured and built with the options no-idea, no-mdc2, no-ntt, and no-rc5 to avoid patent issues. If bugs are found in the version of OpenSSL. You may compile and use your own version because this is a open source program.

Reminder: Kaspersky Labs identified 17 zero-day vulnerabilities in OPC Foundation open source code. For more details about the report, please refer below url for reference.

Review of Kaspersky Labs Report Confirms OPC Foundation’s Transparent, Open Source OPC UA Implementations Strategy Improves Security

— End —

Heads-up: Low-end Wi-Fi router vulnerability – 24th May 2018

Botnet from earlier phase relies on workstations engage the attack convert to smartphones in last few years. Most likely the security enhancement in workstations and smartphones improved. The threat actors found the new victims today.It is a low-end wireless router.

So below items are the guidance:

  • Never trust input
  • Prefer rejecting data to filtering data
  • Every component should validate data

Whereby the way to validate the input are:

  • Indirect selection – application never directly uses user input
  • Whitelist
  • Blacklist

If required input, do the validation actions:

  • Sanitize – Attempt to fix input by removing dangerous parts
  • Refuse to use invalid input
  • Record invalid input in log file
  • Alert – send notification to related personnel

The devices which could be affected by new malware (vpnfilter). Below is the checklist for reference.

LINKSYS DEVICES:

E1200
E2500
WRVS4400N

MIKROTIK ROUTEROS VERSIONS FOR CLOUD CORE ROUTERS:

1016
1036
1072

NETGEAR DEVICES:

DGN2200
R6400
R7000
R8000
WNR1000
WNR2000

TP-LINK DEVICES:

R600VPN

Special Item: QNAP DEVICES  (Network-attached storage)

TS251
TS439 Pro
Other QNAP NAS devices running QTS software

My speculation on how Cisco (Talos) found the malware (VPNFilter malware).

Preface:

Using Big Data and data mining methods to predict attacks before they happen,the Cisco Umbrella Security Research team built such detection framework.

Point of view:

a. Vulnerability routers are vulnerable to Shell Metacharacters Attack

Regarding to the observation result of Cisco Talos security team. There are group of router devices are vulnerable. They are Linksys, MikroTik, Netgear, and TP-Link, as well as QNAP network-attached storage (NAS) devices. I am not going to repeat the attack details because nobody will be describe as clear as Cisco findings (see below url for reference)

https://blog.talosintelligence.com/2018/05/VPNFilter.html

However a hints given to me that they are all vulnerable for Shell Metacharacters attack. What is Shell Metacharacters attack? A metacharacter is a character that has a special meaning (instead of a literal meaning) to a computer program, such as a shell interpreter or a regular expression engine. … Otherwise, the parenthesis, plus-sign, and asterisk will have a special meaning. In the sense that those routers containes design weakness may let the router misbehave. For instance it accept arbitrary command execution through shell metacharacters in a URL.

Botnet from earlier phase relies on workstations engage the attack convert to smartphones in last few years. Most likely the security enhancement in workstations and smartphones improved. The threat actors found the new victims today.It is a low-end wireless router.

So below items are the guidance:

  • Never trust input
  • Prefer rejecting data to filtering data
  • Every component should validate data

Whereby the way to validate the input are:

  • Indirect selection – application never directly uses user input
  • Whitelist
  • Blacklist

If required input, do the validation actions:

  • Sanitize – Attempt to fix input by removing dangerous parts
  • Refuse to use invalid input
  • Record invalid input in log file
  • Alert – send notification to related personnel

b. Behavioral Analysis discovered adnormal traffic pattern

There are design weakness of modbus protocol. Basically modbus is  an application layer protocol. However the MODBUS/TCP protocol implementation contains multiple vulnerabilities that could allow an attacker to perform reconnaissance activity or issue arbitrary commands.

  1. All MODBUS messages are transmitted in clear text across the transmission media.
  2. There are no integrity checks built into the MODBUS application protocol. As a result, it depends on lower layer protocols to preserve integrity.
  3. There is no authentication at any level of the MODBUS protocol. One possible exception is some undocumented programming commands.
  4. MODBUS/TCP consists of short-lived transactions where the master initiates a request to the slave that results in a single action. When combined with the lack of authentication and poor TCP initial sequence number (ISN) generation in many embedded devices, it becomes possible for attackers to inject commands with no knowledge of the existing session.

Regarding to item no.1 design weakness. The SCADA system vendor will be recommend client make use of VPN tunnel to encrypted the traffic for remediation. Whereby hacker created working directory (/var/run/vpnfilterw) in compromised router to record the modbus traffic. And therefore user credential will be found by hacker.

c. Compromised routers and NAS transform to weaponize tool

Cisco statiscally calculate there are estimated 500,000 devices has been compromised. A hints highlights by security expert that attacker creates a configuration file in /var/run/torrc and a working directory in /var/run/tord. A evasion of detection mechanism technique since it is a encrypted communication. The command and control server is able to drive the compromised router to start the cyber attack to nuclear power facilities. Refer to above four items of modbus vulnerbilities. The QNAP network-attached storage (NAS) will be transform become a attack tool. The kernel of NAS contains linux command is able to use it. For instance execute a nping command craft packet to bother the nuclear facility. Meanwhile the hacker is able to install python or php library with script to execute the attack (Reference to above item number 4).

Summary:

In the meantime, we are waiting for more information provided by Cisco.Perhaps attackers engage the attack. No news is good news, agree, Right?

Anything updating will keep you posted.

— End —

24th May 2018 – status update:

FBI take control of APT28’s. They are the suspect threat actor of this attack.

The US Federal Bureau of Investigation (FBI) has obtained court orders and has taken control of the command and control servers of a massive botnet of over 500,000 devices, known as the VPNFilter botnet.

Headline news article for reference.

http://www.scmp.com/news/world/united-states-canada/article/2147561/us-disrupts-botnet-500000-hacked-routers-suspected?edition=hong-kong

Justice Department Announces Actions to Disrupt Advanced Persistent Threat 28 Botnet of Infected Routers and Network Storage Devices

https://www.justice.gov/opa/pr/justice-department-announces-actions-disrupt-advanced-persistent-threat-28-botnet-infected

 

Vulnerabilities – Waiting for vendor response – 23rd May 2018

The cyber attacks are wreak havoc today. In order to protect the power facility, water supply, Gas supply and petroleum industry daily operations. The SCADA control system vendor implemented security control in their system infrastructure. However when vulnerabilities encounter on their products. The remediation step of the vendor response sometimes not in effecient. For instance, Advantech one of the key player of SCADA WebAccess. But it lack of motivation to drive the remedation solution on their products. There is no official announcement how to do the remedation on their products so far. Vulnerabilities are shown as below:

CVE-2018-7499 – buffer overflow vulnerabilities which may allow an attacker to execute arbitrary code
CVE-2018-7503 – a path transversal vulnerability which may allow an attacker to disclose sensitive
CVE-2018-7505 – information on the target TFTP application has unrestricted file uploads to the web application without authorization, which may allow an attacker to execute arbitrary code.
CVE-2018-10591 – allow an attacker can create a malicious web site, steal session cookies, and access data of authenticated users.
CVE-2018-10590 – exposure vulnerability through directory listing has been identified, which may allow an attacker to find important files that are not normally visible.
CVE-2018-10589 – WebAccess Scada Node versions prior to 8.3.1, and WebAccess/NMS 2.0.3 and prior, a path transversal vulnerability has been identified, which may allow an attacker to execute arbitrary code.
CVE-2018-7497 – several untrusted pointer dereference vulnerabilities have been identified, which may allow an attacker to execute arbitrary code.
CVE-2018-8845 – a heap-based buffer overflow vulnerability has been identified, which may allow an attacker to execute arbitrary code.
CVE-2018-7495 – an external control of file name or path vulnerability has been identified, which may
CVE-2018-8841- allow an attacker to delete files.
an improper privilege management vulnerability may allow an authenticated user to modify files when read access should only be given to the user.
CVE-2018-7501 – several SQL injection vulnerabilities have been identified, which may allow an attacker to disclose sensitive information from the host.

21 May 2018 – CPU hardware utilizing speculative execution may be vulnerable to cache side-channel attacks

Regarding to the subject matter, please refer to below url for reference.

Q2 2018 Speculative Execution Side Channel Update

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00115.html

Vulnerability of Speculative Processors to Cache Timing Side-Channel Mechanism

https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability

Quick look in virtual machine Zone (CVE-2018-8897) – 05/18/2018

Technology world is a challengeing zone. The key word “rest” looks do not apply to system developer, application programmer and IT expert! I re-call the vulnerability (CVE-2018-8897) to review. It ennounced by security experts for week ago. Perhaps you have full understanding. However no harm in my view point to do the review since it is important. I have time to drill down the detail and visualize my standpoint. This CVE subject mainly focus mishandling of assembler command syntax by system developer since they overlook some advice by CPU vendor. In short the issue is that if the instruction following the MOV to SS or POP to SS instruction is an instruction like SYSCALL, SYSENTER, INT 3, etc. that transfers control to the operating system at CPL < 3, the debug exception is delivered after the transfer to CPL < 3 is complete. OS kernels may not expect this order of events and may therefore experience unexpected behavior when it occurs. So the focus will be go to virtual machine world. Yes, we are a cloud computing world in the moment. For more details, please refer below url for reference.

https://nvd.nist.gov/vuln/detail/CVE-2018-8897

antihackingonline.com