Intel CPU design hiccups – CVE-2017-5753,CVE-2017-5715,CVE-2017-5754

Below details better than what I say thousand of words.
Current status update in regards to CPU (Intel) design limitations.

AMD https://www.amd.com/en/corporate/speculative-execution

  • AMD proud of it, they did not made this mistake! Seems it is a long run in development,It is hard to tell this moment. Stay tuned. Good luck to him!

ARM https://developer.arm.com/support/security-update

Intel https://newsroom.intel.com/news/intel-responds-to-security-research-findings/

Microsoft https://portal.msrc.microsoft.com/en-US/eula

Linux https://lkml.org/lkml/2017/11/22/956

F5 https://support.f5.com/csp/article/K91229003

It looks strange that similar vulnerability found on Aug 2017. I remember that my article posted here mentioned before (see below url for reference). In the meantime, I personally agree with Intel announcement that  based on the CPU features to date, many types of computing devices  with many different vendors’ processors and operating systems are susceptible to these exploits. And therefore Intel might not the only victim.

The enemy of ASLR (Address space layout randomization) – memory leak

Any other vendors especially virtual machine OS, they do not confirm yet and inform that they are not involve in this CPU design limitation vulnerability?

The cache side channel attack of this security incident on Intel side looks compatible to other chips vendor. The worst scenario is that similar channel attack will be happened once you have cache. So, foreseen that this is the prelude of new form of attack in this year!

Processor Bug harm virtual machine and cloud computing platform

Headline news today told the world of chip design hiccups given by CPU manufacturer (Intel).  You are easy to do a google search to find out the details.  During the first announcement of virtual machine design concept come to the world, security expert foreseen that a multiple vulnerabilities will be happen in future. It looks that the victims on this incident is cloud computing service provider. Since their operation fully compatible with virtual machine. In short below picture can simply to provide the idea. For more detail, please refer below url issued by Forbes.

Intel Processor Bug Leaves All Current Chips Vulnerable And Its Fix Saps Performance [Updated by forbes.com] – https://www.forbes.com/sites/davealtavilla/2018/01/03/intel-processor-bug-leaves-all-current-chips-vulnerable-and-its-fix-saps-performance/#75546002570a

VMware VMSA-2018-0001 – CVE-2017-15548,CVE-2017-15549,CVE-2017-15550

A runner who run faster achieve the goal, he is the winner. We just go to first week of 2018. The VMware faster than Microsoft announce their critical vulnerability on 2nd Jan 2018 (Advisory ID: VMSA-2018-0001). Quote: “A remote unauthenticated malicious user can potentially bypass application authentication and gain unauthorized root access to the affected systems” Remark: vSphere Data Protection is a backup solution for use in vSphere. The official announcement shown in below url:

https://www.vmware.com/security/advisories/VMSA-2018-0001.html

Renaissance – Cyber attack transformation

Preface:

Renaissance – The period of this revival, roughly the 14th through the 16th century, marking the transition from medieval to modern times.

Background:

The virus and malware wreak havoc in information technology environment in past decade especially on Microsoft windows operating system platform. It looks that a transformation was happened since smartphone leading the IT technology trend today. The percentage of usage for smartphones are bigger than traditional computer devices (desktop, notebook and server).

Transformation of cyber attack scenario

The major of cyber attacks in information technology environment are given by tradition virus since early 90’s. A quick and simplified explanation below diagram is able to awaken your memories in this regard.

The Evolution diagram of virus, worm, malware and ransomware

Remark: Perhaps we shown the generations of the virus and malware past three decades. The diagram looks simple. However it represents the virus and malware in the specific period of time.

The attack surface targets to Microsoft products till SmartPhone appears.

We all known the design goal of virus and malware targeted Microsoft products fundamentally. We feel that Linux base operating system will be provided a secure environment. But the question is that which element change the atmosphere in silent way?

We understand that the infection of malware divided into four phase (see below diagram). Since the malicious file (so called dropper – file) relies on the PE (portable executable) to execute the infiltation. The way is that the malicious code will try to infiltrate for executables, object code, DLLs, FON Font files, and others used in 32-bit and 64-bit versions of Windows operating systems.

However the specifics mechanism does not work in Linux environment till ELF malware invented.

Stages of a Malware Infection and technology evolution overview

Where it began? Code Injection to Linux world.

Linux Operating system looks like a well protected castle but a beast live inside. Whether are you familiar with ptrace() command on Linux? With reference to tutorial (execute man command in Linux). The ptrace() system call provides a means by which a parent process may observe and control the execution of another process, and examine and change its core image and registers. It is primarily used to implement breakpoint debugging and system call tracing.

Docker, an open-source technology. Meanwhile Docker is the company driving the container movement and the only container platform provider to address every application across the hybrid cloud. Microsoft cloud product family also embraced Docker. Below informatics diagram can bring an idea to you on how the docker works.

No matter Fedora workstation or Cloud computing platform (Docker). The command (ptrace()) can do the magic. Even though attach to system process!

Reference: you can disable this behavior by the following:

If you are using Fedora (see below for reference)

echo 0 > /proc/sys/kernel/yama/ptrace_scope

or modify (with root privileges)

/etc/sysctl.d/10-ptrace.conf

If you are using Docker, you will probably need below options:

docker run --cap-add=SYS_PTRACE --security-opt seccomp=unconfined

Above detail information intends to proof of comment which described earlier. Linux Operating system looks like a well protected castle but a beast live inside. Why? If there is a zero day vulnerability occurred in Linux. A ELF format of file embedded malicious code relies on zero day vulnerability execute the attack. That is to awake the beast with privileges escalation. This assumption not rare. Dirty COW (CVE-2016-5195) is a privilege escalation vulnerability in the Linux Kernel found last year. Such incident not only harm to workstation. It also includes cloud infrastructure. From technical point of view, it do not have difference in between Microsoft Product and Linux product.

ELF malware space

Above example highlight the ELF format file. ELF is flexible, extensible, and cross-platform, not bound to any given central processing unit (CPU) or instruction set architecture. This has allowed it to be adopted by many different operating systems on many different hardware platforms. Since smartphone especially Android phone fully utilize Linux OS platform. Perhaps the vendor announcement told this is not a standard Linux OS. But the truth is that they are using Linux base kernel.

According to the IDC Quarterly Mobile Phone Tracker, phone companies shipped a total of 344.3 million smartphones worldwide in the first quarter of 2017 (1Q17). And such away the cyber attack includes BYOD botnet or IoT botnet wreak havoc.

In order to cope with IT technology and smartphone trend. The attackers will build ELF malware using a customized builder. And therefore the malware of target to Linux system includes smartphone rapidly growth. For instance, Gyrfalcon implant, which targets OpenSSH clients on a wider variety of Linux platforms. Should you have interest, please refer below url for reference.

https://wikileaks.org/vault7/#OutlawCountry

Summary:

Information security expert found Stagefright exploit puts millions of Android devices at risk on early 2016. The attack is effective against devices running Android versions 2.2 through 4.0 and 5.0 and 5.1. Another way round of malware attack to android devices is copyCat. CopyCat Malware Infected 14M Android Devices, Rooted 8M, in 2016. Since this is a history but the malware attacks to Linux world are on the way!

Forever 21 retail shop data breach – official announcement

Credit Card POS malware wreak havoc. Read the headline news notice that  Forever 21 confirm that data breach occurred. The breach exposed card numbers, expiration dates and verification codes, but not cardholder names. Regarding to the information reported by engadget.com. Chipotle and GameStop suffered similar breaches this year (2017). Hotel giant HEI similar data breach occurred 2016. An announcement on 27th June 2017 told that Forever 21 Partners With Toshiba GCS on New POS. Found that hardware vendor announce that a potential vulnerability in Infineon TPN used in Toshiba notebook products. Do you think POS and notebook will be using similar TPM? Since POS and workstation can run on top of Windows OS. World not safe especially technology world!

Forever 21 breach exposed customer credit card info for months URL for reference – https://www.engadget.com/2017/12/29/forever-21-breach-exposed-credit-card-info-months/

Potential vulnerability in Infineon TPM (Trusted Platform Module) used in Toshiba notebook products URL for reference – http://www.toshiba.co.uk/generic/potential-vulnerability-in-Infineon-TPM/

Say Goodbye to 2017 cyber incidents

We are going to say goodbye to 2017. What is your expectation in the new year? Cyber World activities especially cyber attacks looks intensive this year. Perhaps we cannot imagine ransomware threat which contain powerful destruction power last decade.The crypto worm (WANNACRY) break the Cyber incident world records which suspended huge volume of workstations and servers operations in the world on May 2017. A shock to the world that the only way to recover your system or data is pay the ransom. Apart from that an alert to the business world is that how does the open source software provides the IT security assurance to the company. The data breach incident occurred in Equifix was awaken everybody. However the data breach incidents continuous exposed to the world caused by misconfiguration instead of vulnerabilities. It such a way discredit the cloud services provider. On the banking environment, the  ATM malwares are wreak havoc. A speculation by expert that DDOS attack will be replaced by ransomware. It looks that DDOS looks running strong this year. My opinion is that application security will be the focus of IT people next year. By the way, I wish you Happy New Year.

Layer 7 (application layer) – What is the information security key factors?

December 2017 published – Vmware vulnerabilities

Watch TV noticed that the brokers work in New York Stock Exchange are busy. However who else can say he will be busy than IT guy. Each week 0-day announcement. Perhaps the individual vulnerability happen on different vendor daily.
Staging, testing, backup and patch implementation all the job task will be implement earlier morning. All we are fall asleep. This month VMware looks like a vulnerability champion winner. The vulnerability happen in computer end looks like apply quantum computing theory. It is multi angle (quantum superposition).

For more details, see below url for reference: VMware ESXi, vCenter Server Appliance, Workstation and Fusion updates address multiple security vulnerabilities

https://www.vmware.com/security/advisories/VMSA-2017-0021.html

 

Merry X’mas 2017

Christmas evolved over two millennia into a worldwide religious and secular celebration. We sing the song (Silent night, holy night) tonight. Let’s celebrate Christmas honoring the birth of Jesus Christ. Our friend computer system also say celebration but it is a hex code (48 61 70 70 79 42 69 72 74 68 64 61 79 4a 65 73 75 73 20 21 ). That’s is Happy Birthday Jesus. We wish you Merry X’mas and Happy new Year.

About DHS Malware Analysis Report (MAR) – 10135536-B

Preface:

There are books of which the backs and covers are by far the best parts!

― Charles Dickens, Oliver Twist

Discussion details:

Heard that the North Korean government suspected state sponsor of Lazarus Group cyber attack activities. A nick name to Lazarus group dubbed Hidden Cobra exposed to the world mid this year. The US homeland security claimed that they are the suspects of the cyber attack to Sony picture and behind the WannaCry (ransomware) cyber attack. By far we known US homeland security department with high priority to keep track their activities.

DHS malware report (10135536-B) technical findings

There are total 7 items of Portable Executable (PE) files shown on report. We make our discussion in layman terms, say that PE is a executable file. The PE checksum and details shown as below:

  1. PE file name checksum (MD5): C74E289AD927E81D2A1A56BC73E394AB

Antivirus vendor capable to detect checklist

  • K7 – Trojan ( 700000041 )
  • Cyren – W32/Heuristic-KPP!Eldorado
  • VirusBlokAda – BScope.Trojan.Agent

2. PE file name checksum (MD5): FC9E40100D8DFAE2DF0F30A3414F50EC

Antivirus vendor capable to detect checklist

  • Cyren – W32/Heuristic-KPP!Eldorado
  • VirusBlokAda – BScope.Trojan.Agent
3. PE file name checksum (MD5): 0137F688436C468D43B3E50878EC1A1F 
Antivirus vendor capable to detect checklist
  • F-secure – Gen:Trojan.Heur.LP.Tu4@aqf3yp
  • BitDefender – Gen:Trojan.Heur.LP.Tu4@aqf3yp
  • Emsisoft – Gen:Trojan.Heur.LP.Tu4@aqf3yp (B)
4.  PE file name checksum (MD5): 114D8DB4843748D79861B49343C8B7CA
Antivirus vendor capable to detect checklist
  • F-secure – Gen:Variant.Graftor.373993
  • Cyren – W32/Heuristic-KPP!Eldorado
  • VirusBlokAda  – BScope.Trojan.Agent
  • BitDefender – Gen:Variant.Graftor.373993
  • Emsisoft – Gen:Variant.Graftor.373993 (B)

5. PE file name checksum (MD5) 9E4D9EDB07C348B10863D89B6BB08141

Antivirus vendor capable to detect checklist
  • F-secure – Gen:Trojan.Heur.LP.hu4@aKqgOsli
  • BitDefender – Gen:Trojan.Heur.LP.hu4@aKqgOsli
  • Emsisoft – Gen:Trojan.Heur.LP.hu4@aKqgOsli (B)
6. PE file name checksum (MD5)
2950E3741D7AF69E0CA0C5013ABC4209
Antivirus vendor capable to detect checklist
  • F-secure – Trojan.Inject.RO
  • VirusBlokAda – BScope.Trojan.Agent
  • Ahnlab – Trojan/Win32.Akdoor
7.  PE file name checksum (MD5)
964B291AD9BAFA471DA3F80FB262DBE7
Antivirus vendor capable to detect checklist
  • nProtect – Trojan/W64.Agent.95232
  • McAfee – Trojan-FLDA!964B291AD9BA
  • ClamAV – Win.Trojan.Agent-6319549-0
  • Ahnlab – Trojan/Win64.Dllbot
  • Quick Heal – Trojan.Generic
My observation:
It was strange and surprise to me that the total checksum provided by homeland security malware report only 1 item can find the record on virustotal database. It was not usual from technical stand point. The item 7 PE checksum can found on virustotal database. The earlier malware detected period fall back to 2014.  Apart from that  PE file checksum item from 1 to 5 only acknowledge by few antivirus vendor.
As we know, Kapersky pay an important role of APT cyber attack investigation analysis so far. But this time it did shown on report. We understand that there is a lawsuit in between US government and Kapersky.  May be this is the reason. However we couldn’t find any details on virustotal repository. It is very rare! It looks that  F-secure virus vendor done well in this matter since their detection rate is 3 out of 7. On the other hand, the body guard for South Korea government (AhnLab) is the antivirus detect the attack earlier in 2014. However the overall detection performance only maintain on 2 out of 7.
From general point of view, no matter Lazarus Group or Hidden Cobra their design goal looks is their natural enemy if the attack was engaged by North Korean government. However it looks that the major cyber attacks given by Hidden Cobra went to cross bother countries especially USA or European countries. The virus vendor F-Secure hometown in Finland. Their business market coverage in APAC country looks significant reduce in PC market recently. But they are aggressive in mobile phone devices. Perhaps the alert given by Homeland security malware attack target machines are on windows base. And therefore it such away bypass their focus.
It looks confused with managed security services vendor especially APAC country of this cyber alert!
The report given by US homeland security awaken our general opinion for antivirus vendor. Apart of my favor Kapersky  there are potential antivirus contain powerful capability to  detect and quarantine the unknown APT activities and malware. For example on the report we seen the brand name of K7,  Cyren, VirusBlokAda, Emsisoft  and BitDefender.
Anyway  I still have hesitation or hiccups of this report since some information not disclose in normal way. For example, I could not found the history record on virustotal repository. But place safe that following the recommendation provide by DHS is the best practice (Yara rule shown as below):

 

rule Unauthorized_Proxy_Server_RAT

{

meta:

Author="US-CERT Code Analysis Team"

Incident="10135536"

MD5_1 = "C74E289AD927E81D2A1A56BC73E394AB"

MD5_2 = "2950E3741D7AF69E0CA0C5013ABC4209"

Info="Detects Proxy Server RAT"

super_rule = 1

strings:

$s0 = {8A043132C288043125FF00000003C299F73D40404900A14440490003D0413BCF72DE5E5FC3}

$s1 = {8A04318844241432C28804318B44241425FF00000003C299F73D40404900A14440490003D0413BCF72D65E5FC3}

$s2 = {8A04318844241432C28804318B44241425FF00000003C299F73D5C394100A16039410003D0413BCF72D65E5FC3}

$s3 = {8A043132C288043125FF00000003C299F73D5C394100A16039410003D0413BCF72DE5E5FC3}

$s4 = {B91A7900008A140780F29A8810404975F4}

$s5 = {399FE192769F839DCE9F2A9D2C9EAD9CEB9F

D19CA59F7E9F539CEF9F

029F969C6C9E5C9D949FC99F}

$s6 = {8A04318844241432C28804318B44241425FF00000003C299F73D40600910A14460091003D0413BCF72D65E5FC3}



$s7 = {3C5C75208A41014184C074183C72740C3C7474083C6274043C2275088A41014184C075DC}

$s8 = {8B063D9534120077353D59341200722E668B4604663DE8037F24}

$s9 = {8BC88B74241CC1E1052BC88B7C2418C1E1048B5C241403C88D04888B4C242083F9018944240C7523}

$s10 = {8B063D9034120077353D59341200722E668B4604663DE8037F246685C0}

$s11 = {30110FB60148FFC102C20FBEC09941F7F94103D249FFC875E7}

$s12 = {448BE8B84FEC

C44E41F7EDC1FA038BCAC1E91F03D16BD21A442BEA4183C541}

$s13 = {8A0A80F9627C2380F9797F1E80F9647C

0A80F96D7F0580C10BEB

0D80F96F7C0A80F9787F05}

condition:

any of them

}

Reference: The article provided by US Homeland security (see below)
https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDF

Summary:

In the meantime, I wish you Merry X’mas and Happy New year. Stay tuned!

Winter solstice blessing 2017

The sun shines directly on the Tropic of the Capricorn in the southern Hemisphere. The Northern hemisphere is tilted away from the sun. Whereby a festival hand down thousand years in galaxy especially the earth. This is the winter solstice. The IT guy especially security operation center requires working in 24 hours. Perhaps you must take a rest and enjoy the dinner with your family tonight. This is the space to balance your life. Enjoy!

antihackingonline.com