The US Securities and Exchange Commission (SEC) new guidance

Big country versus Big discussion:

The US Securities and Exchange Commission (SEC) released a statement urging high-ranking executives not to trade stocks before disclosing breaches, major vulnerabilities, and other cybersecurity-related incidents.

New guidance – https://www.sec.gov/rules/interp/2018/33-10459.pdf

Meanwhile, Intel released guidance this week (details of the availability and schedule of its microcode updates). For more details, please see the URL below.

https://newsroom.intel.com/wp-content/uploads/sites/11/2018/02/microcode-update-guidance.pdf

It is a funny cyber and economic world!

 

 

For your attention! Multiple vulnerabilities in both Drupal 7 and Drupal 8

It is indeed a tragedy: multiple vulnerabilities affect both Drupal 7 and Drupal 8. Drupal is a free and open source content-management framework written in PHP and distributed under the GNU General Public License.

In short, to avoid unforeseen technology risk, please read the official announcement below:

https://www.drupal.org/sa-core-2018-001

Synopsis:

Comment reply form allows access to restricted content – Critical – Drupal 8

Users with permission to post comments are able to view content and comments they do not have access to, and are also able to add comments to this content.

This vulnerability is mitigated by the fact that the comment system must be enabled and the attacker must have permission to post comments.

JavaScript cross-site scripting prevention is incomplete – Critical – Drupal 7 and Drupal 8

Drupal has a Drupal.checkPlain() JavaScript function which is used to escape potentially dangerous text before outputting it to HTML. This function does not correctly handle all methods of injecting malicious HTML, leading to a cross-site scripting vulnerability under certain circumstances.

The PHP functions which Drupal provides for HTML escaping are not affected.

Private file access bypass – Moderately Critical – Drupal 7

When using Drupal’s private file system, Drupal will check to make sure a user has access to a file before allowing the user to view or download it. This check fails under certain conditions in which one module is trying to grant access to the file and another is trying to deny it, leading to an access bypass vulnerability.

This vulnerability is mitigated by the fact that it only occurs for unusual site configurations.

jQuery vulnerability with untrusted domains – Moderately Critical – Drupal 7

A jQuery cross site scripting vulnerability is present when making Ajax requests to untrusted domains. This vulnerability is mitigated by the fact that it requires contributed or custom modules in order to exploit.

For Drupal 8, this vulnerability was already fixed in Drupal 8.4.0 as a side effect of upgrading Drupal core to use a newer version of jQuery. For Drupal 7, it is fixed in the current release (Drupal 7.57) for jQuery 1.4.4 (the version that ships with Drupal 7 core) as well as for other newer versions of jQuery that might be used on the site, for example using the jQuery Update module.

Language fallback can be incorrect on multilingual sites with node access restrictions – Moderately Critical – Drupal 8

When using node access controls with a multilingual site, Drupal marks the untranslated version of a node as the default fallback for access queries. This fallback is used for languages that do not yet have a translated version of the created node. This can result in an access bypass vulnerability.

This issue is mitigated by the fact that it only applies to sites that a) use the Content Translation module; and b) use a node access module such as Domain Access which implement hook_node_access_records().

Note that the update will mark the node access tables as needing a rebuild, which will take a long time on sites with a large number of nodes.

Settings Tray access bypass – Moderately Critical – Drupal 8

The Settings Tray module has a vulnerability that allows users to update certain data that they do not have the permissions for.

If you have implemented a Settings Tray form in contrib or a custom module, the correct access checks should be added. This release fixes the only two implementations in core, but does not harden against other such bypasses.

This vulnerability can be mitigated by disabling the Settings Tray module.

External link injection on 404 pages when linking to the current page – Less Critical – Drupal 7

Drupal core has an external link injection vulnerability when the language switcher block is used. A similar vulnerability exists in various custom and contributed modules. This vulnerability could allow an attacker to trick users into unwillingly navigating to an external site.

Solution:

Install the latest version:


————————-  End ———————————————–

Cisco Releases Security Updates for Multiple Products – 21st Feb 2018

Understanding:

The VOSS platform is integrated in Cisco HCS, where it is called Cisco Unified Communications Domain Manager (UCDM). VOSS has web services application programming interfaces (APIs) available to third-party developers. Features of VOSS include Web-based Administration, Centralised Management, Collaboration Lifecycle Management, Collaboration Service Management, Business Process Layer on top of Network Infrastructure and Communications Architectures Management.

The Cisco Elastic Services Controller (ESC) provides a comprehensive lifecycle management platform for NFV. It provides end-to-end capabilities to automate various tasks such as deploying, monitoring, and elastically scaling virtualized functions, and to make them available as business-level services.

Security updates:

Cisco Unified Communications Domain Manager Remote Code Execution Vulnerability – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180221-ucdm

Cisco Elastic Services Controller Service Portal Authentication Bypass Vulnerability – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180221-esc

Cisco Elastic Services Controller Service Portal Unauthorized Access Vulnerability – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180221-esc1

Cisco Unified Customer Voice Portal Interactive Voice Response Connection Denial of Service Vulnerability – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180221-cvp

About APT37

A cyber security company (FireEye) was bold enough to accuse a country. As a matter of fact, the APT threat actor made a mistake: it inadvertently revealed its location. According to the details provided by FireEye, APT37 developed a total of 10 different types of malware to achieve its goals. Based on my observation, I would suggest staying alert to a malware with backdoor functionality, nicknamed SHUTTERSPEED. Its overall specification is equivalent to Trojan spyware, and it is also called Trojan-Spy.Win32.Agent.jkvl.

Since this spyware is not a new design, Windows Defender and antivirus products are capable of removing it. However, an attack involving multiple types of malware might still give this trojan an opportunity to be implanted on a workstation.

If you are interested in the full picture of APT37's attacks, please refer to the URL below.

https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf

 

UK cyber security agency sticks with China’s Huawei despite US spy fears

The espionage scandal jeopardizes a reputation for trustworthiness. However, China is not the initiator of espionage programs, yet America worries about espionage across countries. It is hard to tell who is right and who is wrong!

UK cyber security agency sticks with China’s Huawei despite US spy fears. For more details, please refer to the URL below.

http://www.telegraph.co.uk/technology/2018/02/20/uk-cyber-security-agency-sticks-chinas-huawei-despite-us-spy/

Vulnerability in SCADA CODESYS Web Server CVE-2018-5440

To be honest, this surprised me this month. An abnormal situation puts SCADA systems at high risk. CVE-2018-5440 is a vulnerability in the CODESYS web server. This product is deployed mainly in the critical manufacturing and energy sectors. Perhaps this is a Microsoft product and it is hard to avoid vulnerabilities. The accusation over the NotPetya ransomware attack last week brought the world's attention to SCADA systems. Meanwhile, this vulnerability adds an unknown factor to the SCADA control system environment. The official announcement suggests the following:

1. Use controllers and devices only in a protected environment to minimize network exposure and ensure they are not accessible from outside
2. Use firewalls to protect and separate the control system network from other networks
3. Use VPN (Virtual Private Networks) tunnels if remote access is required
4. Protect both development and control systems from unauthorized access (e.g., by means of the operating system)
5. Protect both development and control system by using up-to-date virus detecting solutions

For CVE details, please refer to the URL below.

https://www.securityfocus.com/bid/102909

 

IoT World and Smart City must stay wide awake!

Smart city projects are being implemented widely around the world. The framework transforms the existing IT domain, including cloud computing, virtual machines, routers and network infrastructure. At the same time, it carries design flaws, the so-called vulnerabilities. As we know, Microsoft has its well-known Patch Tuesday to mitigate critical risks in its products. Since IoT technology goes hand in hand with smart city projects, it is hard to avoid choosing a product that must be patched frequently. Even if you use a proprietary product, it is hard to avoid vulnerabilities. A question is put to the world: smart city components involve public safety regulations. If smart city facilities become the main trend of society and a major facility encounters a denial of service through heap corruption, how bad do you think the situation will be?

CVE-2017-18187
In ARM mbed TLS before 2.7.0, there is a bounds-check bypass through an integer overflow in PSK identity parsing in the ssl_parse_client_psk_identity() function in library/ssl_srv.c.

CVE-2018-0488
ARM mbed TLS before 1.3.22, before 2.1.10, and before 2.7.0, when the truncated HMAC extension and CBC are used, allows remote attackers to execute arbitrary code or cause a denial of service (heap corruption) via a crafted application packet within a TLS or DTLS session.

CVE-2018-0487
ARM mbed TLS before 1.3.22, before 2.1.10, and before 2.7.0 allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow) via a crafted certificate chain that is mishandled during RSASSA-PSS signature verification within a TLS or DTLS session.

Official announcement for reference.

https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2018-01

 

 

City Union Bank in India victim of cyber hack through SWIFT system – Reuters Headline News (19th Feb 2018)

Sounds horrible!

A heist through the SWIFT payment system again? Chief Executive Officer N. Kamakodi called it a “conspiracy” involving multiple countries, and added the lender was still investigating how it had happened. But the statement does not seem precise.

There is a fundamental design limitation in the original MT 202 message. Perhaps MT 202 COV serves as the compensating control. However, MT 202 is still valid and not yet end of life. Some technical concerns are shown as hints in the attached picture; see whether this is the root cause of this incident.

Quote:

When to use the MT 202 COV?

It must only be used to order the movement of funds related to an underlying customer credit transfer that was sent with the cover method.

The MT 202 COV must not be used for any other interbank transfer.

MT 202 design weakness lures financial crime

i. Suspicious activity monitoring on the underlying originator and beneficiary in the message would not be performed.

ii. The originating bank could be in a jurisdiction with different sanction watch lists and the technical capabilities of each bank’s sanction screening program could vary.

City Union Bank in India victim of cyber hack through SWIFT system (19th Feb 2018) – See following URL (Reuters Headline News) for reference.

https://www.reuters.com/article/us-city-union-bank-swift/indias-city-union-bank-ceo-says-suffered-cyber-hack-via-swift-system-idUSKCN1G20AF?feedType=RSS&feedName=technologyNews

Heists last year – SWIFT defense solution

Reuters reported that a heist occurred at a Russian bank last year. Unknown hackers stole 339.5 million roubles ($6 million) from a Russian bank last year in an attack using the SWIFT international payments messaging system. We are not going to speculate about the reason for delaying the public announcement. It may have been for forensic investigation and to trace the hackers silently, or to protect the bank's reputation. But the design weakness will be replaced by a new solution soon. For more details, please see below:

Defense solution given by SWIFT:

  • Conventional FIN messages (e.g. MT202) can be used until 16 November 2018. Communication takes place through the SWIFTNet, and the SWIFT FIN service will be used until 16 November 2018.
  • As of 17 November 2018, all participants must use ISO 20022 and the SWIFT InterAct service will be used for communication.

Headline News by Reuters (16th Feb 2018)

https://uk.reuters.com/article/us-russia-cyber-swift/hackers-stole-6-million-from-russian-bank-via-swift-system-central-bank-idUKKCN1G00DV

ISO 20022 for US wire transfer systems Timeline

Remediation step – Saturn Ransomware

Preface:

Can we say this is a Google AdWords design flaw? It lures threat actors into using this service to spread malware through the Google search engine.

Quick note:

Saturn ransomware was found this month (Feb 2018). Strangely, it attacks victims only on physical machines rather than virtual machines. Why? Is the threat actor concerned that VMware or Hyper-V allows quick data recovery from snapshot backups? Security experts found the following hints:

Saturn will execute the following commands to delete shadow volume copies, disable Windows startup repair, and to clear the Windows backup catalog.

cmd.exe /C vssadmin.exe delete shadows /all /quiet & wmic.exe shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

Perhaps the hackers understand that targeting home users with ransomware is easier. Enterprise firms and cloud service providers may have a full-scope SIEM system, so forensic investigators can trace them. Or this is a prototype, and there may be another round of attacks later on.
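The following is an added example, not part of the original post or of any vendor tooling: detection logic a SIEM rule could apply to process-creation command lines, with one pattern per behaviour in the command line quoted above. The host names, the event layout and the "two or more behaviours means high" threshold are assumptions made for illustration.

```python
import re

# One pattern per recovery-inhibiting behaviour in the command line quoted above.
RULES = {
    "vss_delete_vssadmin": r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b",
    "vss_delete_wmic": r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b",
    "boot_ignore_failures": r"\bbcdedit(?:\.exe)?\s+/set\s+\S+\s+bootstatuspolicy\s+ignoreallfailures\b",
    "recovery_disabled": r"\bbcdedit(?:\.exe)?\s+/set\s+\S+\s+recoveryenabled\s+no\b",
    "backup_catalog_deleted": r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b",
}
COMPILED = {name: re.compile(rx, re.IGNORECASE) for name, rx in RULES.items()}

# Constructed sample events (hypothetical hosts and layout).
# Only the WS-01 command line is taken from the text above.
SAMPLE_EVENTS = [
    {"host": "WS-01", "cmd": "cmd.exe /C vssadmin.exe delete shadows /all /quiet"
                             " & wmic.exe shadowcopy delete"
                             " & bcdedit /set {default} bootstatuspolicy ignoreallfailures"
                             " & bcdedit /set {default} recoveryenabled no"
                             " & wbadmin delete catalog -quiet"},
    {"host": "WS-02", "cmd": "vssadmin list shadows"},          # read-only, benign
    {"host": "WS-02", "cmd": "bcdedit /enum"},                  # read-only, benign
    {"host": "SRV-03", "cmd": "WBADMIN  DELETE  CATALOG -quiet"},
    {"host": "WS-04", "cmd": "VSSADMIN.EXE Delete Shadows /For=C: /Oldest"},
    {"host": "WS-04", "cmd": "bcdedit.exe /set {current} recoveryenabled No"},
]


def matched_behaviours(command_line):
    """Return the sorted rule names matched by any '&'-chained sub-command."""
    hits = set()
    for part in re.split(r"&+", command_line):
        part = " ".join(part.split())  # collapse runs of whitespace
        for name, rx in COMPILED.items():
            if rx.search(part):
                hits.add(name)
    return sorted(hits)


def triage(events, high_threshold=2):
    """Collect behaviours per host; several distinct ones on a host rate 'high'."""
    per_host = {}
    for ev in events:
        hits = matched_behaviours(ev["cmd"])
        if hits:
            per_host.setdefault(ev["host"], set()).update(hits)
    return {
        host: {"behaviours": sorted(found),
               "severity": "high" if len(found) >= high_threshold else "review"}
        for host, found in per_host.items()
    }


if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_EVENTS).items():
        print(host, verdict["severity"], verdict["behaviours"])
```

A single behaviour, such as an administrator pruning the backup catalog, is rated "review" rather than "high" because each command also has legitimate uses; it is the combination on one host that is characteristic.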

Status updated – 19th Feb 2018

20 antivirus engines detected this ransomware. Hash shown as below:

b3040fe60ac44083ef54e0c5414135dcec3d8282f7e1662e03d24cc18e258a9c

Anyway, the IT world has no such thing as a permanent solution. In the meantime, the action we can take is remediation.

Step 1: Start PC in Safe Mode

Through the F8 key (for Windows 7/Vista)

  1. Once the computer is restarted (usually after you hear the first computer beep), continuously tap the F8 key in 1 second intervals. If successful, the Advanced Boot Options menu will appear.
  2. Use the arrow keys to select Safe Mode and press ENTER.

For Windows 10

Another way of getting into Safe Mode in Windows 10 is to use the “Shift + Restart” combination. Open the Start menu and click or tap on the Power button. Then, while keeping the Shift key pressed, click or tap on Restart.

Step 2: Stop Saturn Processes From Windows Task Manager

Step 3: Remove Saturn Ransomware from Control Panel

Procedure 1:

Procedure 2:

Procedure 3:

The main body of the Saturn Ransomware relies on the browser to work and hides itself in the web browser, so we need to uninstall the web browser:

Remark: Internet Explorer cannot be uninstalled or deleted from Windows 7, 8 and 10, and therefore we are going to delete the additional web browser, since Saturn ransomware relies on the web browser for operation.

Step 4: Remove Malicious Registry Entries Created by Saturn Ransomware

Step 5: Remove Saturn Ransomware From Infected Internet Explorer

Take down Saturn Ransomware from Internet Explorer. Open IE and click on the gear icon in the top-right corner to open the Tools menu. Click on the Manage Add-ons option.

Step 6: Reset Internet Explorer Settings

Open IE and click on Tools menu and then select Internet options.

Step 7: Download decryption tool

The decryption tool will not run if:

  • It can’t find a valid ransom note
  • It cannot find a valid encrypted file (i.e a file that is not corrupted)
  • It can’t decrypt the User ID field in the ransom note

End, Thank you.

Additional comment: A new ransomware nicknamed Saturn was born this month. This ransomware gives me a hint that it is the first phase of an attack, or that it is a prototype. We see cyber attacks, viruses, malware and ransomware daily, so it should not surprise us that the cyber world has added one more bad guy!

antihackingonline.com