Do you worry your camera on your iphone manipulate by hacker. 6th Apr 2020

Preface: Apple paid $75,000 to the hacker for reporting the camera hijacking bugs. As said, bug is never ending. Perhaps next round will be yours.

Background: If you let your friend access your phone for 5–7 minutes, they could have downloaded spyware. Perhaps this action only for joking. As a matter of fact, hacker can implant malicious code into a web page to conduct the similar function. Most recently, Apple paid $75,000 to the hacker for reporting the camera hijacking bugs.

Observation: Referring to the attached picture, a simple html file can easily trigger the iphone camera function. Because the control effect of apple is very good. Therefore, it will trigger the control and then let you know. In fact, a hacker hijacked your iPhone camera through a software application or website. However, the iPhone owner can know which application can access your camera. Therefore, it is recommended to check the phone settings in a timely manner. Apple paid $75,000 to the hacker for reporting the camera hijacking bugs. As said, bug is never ending. Perhaps next round will be yours.

Chrome and Safari on iOS can access your lens without special markup and can perform both AJAX POST and synchronous form POST operations just like a desktop browser. So, please be careful to use your phone doing web browsing.

Staying alert! – Mozilla Patches Critical Vulnerabilities in Firefox, Firefox ESR (3rd Apr 2020)

Preface: According on 2020 market statistic, FireFox market share only 9.25%. But Chrome has 68.11% coverage. However I like FireFox.

How Firefox’s memory allocator works?

Firefox uses a memory allocator called moz jemalloc. There are two properties which focus by cyber security expert so far!

[PSJ] – In essence, a chunk is broken into several runs.

– Each run holds regions of a specific size. [TSOF]

– The feature of jemalloc is that it operates in a last-in-first-out (LIFO) manner, a free followed by a garbage collection and a subsequent allocation request for the same size, most likely ends up in the freed region.

Vulnerability details: CVE-2020-6819 is a use-after-free vulnerability due to a race condition when the nsDocShell destructor is running. CVE-2020-6820 is a use-after-free vulnerability due to a race condition in the ReadableStream class, which is used to read a stream of data.

Official announcement – https://www.mozilla.org/en-US/security/advisories/mfsa2020-11/

Why US Homeland security urge to public stay alert of the vulnerability on DrayTek Devices? 3rd April 2020

Preface: A conspiracy was leaked this week, someone ambitious to spying the world.

Details: The espionage activities will be exploit computer technology as 1st approach in today. It is merely relies on design weakness. Yes, it is the vulnerability. When I read the conspiracy details, I was wonder that if the formulation of this design (see attached diagram) goals to do a DDoS. Perhaps this is no a perfect way. However when US Homeland security urge to US citizen staying alert of the vulnerability found in DrayTek Devices. As everyone knows, today’s Tor network cannot perfectly hide the whereabouts of hackers. Because law enforcement already shutdown the proxy servers on the network. Besides, attacker also worries that does the proxy server has monitoring function. From attacker view point, they should perfectly hide itself. Refer to attached diagram, the new formulation of botnet technique will be exploited the new vulnerability found on IoT as a component. It looks like a plug-in module.

There are two types of operating system that sit under the SDK. Low cost and lower specification routers will select the RTOS. Since low end router cannot fulfill their requirement. Perhaps the VPN Router is the correct target because when compromised VPN router form a bot net group can compensate the current resources outage in Tor network.

Immediate action: Multiple vulnerabilities have been discovered in DrayTek devices which could allow for arbitrary code execution. If you are customer of DrayTek. Please do the upgrade immediately. https://www.draytek.com/about/security-advisory/vigor3900-/-vigor2960-/-vigor300b-router-web-management-page-vulnerability-(cve-2020-8515)

Marriott says 5.2 million guest records were stolen in another data breach, said Marriott. 31st Mar 2020

Preface: Perhaps this is not the key factor causes data breach on Jan 2020. But the sound can tell.

Observation: It is believed that a new round of data breaches by Marriott this week has attracted attention. Maybe the hotel industry will run within 24 hours. Do maintenance or system upgrade is not easy. We only look at the homepage of Marriott’s “Member Credit Card Rewards”. Found a vulnerable “jquery” still in operation. From attacker point of view, such hints similar give him an indication that this web site may have more space for exploitation. As we know, jQuery(version 1.11.3) which has XSS vulnerability found on March, 2017. Why still valid in an enterprise web site. The root cause is hard to tell. May be it is a extend legacy web application. I think you will be concern the details of official announcement. See below url:

https://mysupport.marriott.com/

Kwampirs Targeted Attacks Involving Healthcare Sector – (31st Mar 2020)

Preface: Orangeworm is a group that has targeted organizations in the healthcare sector in the United States, Europe, and Asia since at least 2015.

Synopsis: Why does Kwampirs fall into the “Advanced Persistent Threat (APT)” category?

  • For tradition malware “click and action” attacks. APT attack not condct the similar action. Instead, APT merely do the infiltration on network and communicate with C&C peer daily. asking for updates.
  • The APT malware rare to do the destructive action especially encrypting data. Ask victim to pay the ransome.

About Kwampirs : FBI alert that Kwampirs goal to implant the remote-access Trojan (RAT). His target include organizations that run industrial control systems (ICS), financial services firms, energy companies and healthcare institutions. As a matter of fact, The Kwampirs was used by Orangeworm group as a backdoor Trojan. It has been found on machines which had software installed for the use and control of high-tech imaging devices such as X-Ray and MRI machines in past. So it was not suprising with Cyber security Guru that he return to healthcare industry.

How did Kwampirs infiltrate my computer? There are several ways to distribute Kwampirs. For instance, by using email campaigns, fake software updates, untrustworthy third party software download channels and unofficial software activation tools. So only relies on Yara rules in IDS not a effective solution to avoid this attack. The observation proves that the internal access control of the 3rd party device is one of the effective channel.

Should you have interested of this matter, please refer to URL – https://www.infragard-la.org/wp-content/uploads/2020/02/FLASH-CP-000118-MW-TLP-GREEN-YARA-Rules-to-Identify-Kwampirs-Malware-Employed-in-Ongoing-Cyber-Supply-Chain-Campaign-Targeting-Global-Industries.pdf

By the way, we hope that the corona-virus will disappear in the world as soon as possible.

Apocalypse: Unknown secret plan – project citing Mirai malware and intend to exploit IoT design weakness triggers cyber attack (29th Mar 2020)

Preface: The Greece Myth – During the war against Cronus, the Cyclops gave Lightning Fire to Zeus as weapon. Meanwhile Poseidon received Trident, and Hades achieve Invisible Helmet.

Background: The strategic outsourced concept of IT services not limited to commercial In-house IT team. It is also practiced in intelligence circles.

The group claimed that it is inspired by Mirai. The primary approach of attack is exploit factory default logins and common username/password combinations for IoT devices. Once a password attack was successful, the device would be integrated into the botnet.

Mirai DDoS attack capabilities include SYN flooding, User Datagram Protocol flooding, ACK flooding and HTTP GET, POST and HEAD attacks. Mirai continues to be successful for a well-known reason: Its targets are IoT devices with hardcoded credentials found in a simple web search.

Details: In past decade, even though how was the attack technique you has. Perhaps the destructive power will be limited by society situation. Comparing today, all the people at least has a mobile phone and wireless router at home. The threat actors can conduct a DDoS to web hosting or collaboration service cloud within an hour. The headline news uncovers the contractors of the Russian national secret service FSB was hack which let the world know this conspiracy.

Perhaps this is a alert signal to smart city.

You may be interested of article shown below:

If you are using Adobe Creative Cloud Desktop Application for Windows. You should do the update immediately. 24th Mar 2020

Preface: Maybe the software vendor didn’t disclose it explicitly. But you will be interested review this concept.

Background: Adobe Creative Cloud is a set of applications and services from Adobe Inc. that gives subscribers access to a collection of software used for graphic design, video editing, web development, photography, along with a set of mobile applications and also some optional cloud services. The Creative Cloud desktop application is instralled automatically when you download your first Creative Cloud product. If you have Adobe Application Manager installed, it auto-updated to the Creative Cloud desktop application.

Vulnerability Details: Creative Cloud Desktop Application versions 4.6.1 and earlier have a using components with known vulnerabilities vulnerability. Successful exploitation could lead to arbitrary code execution. As the software vendor did not disclose details. The vulnerability is suspected to come from the synchronization feature. See whether the diagram can provides an hints to you.

Official Announcement https://helpx.adobe.com/security/products/creative-cloud/apsb20-11.html

Microsoft Windows Type 1 font parsing remote code execution vulnerabilities – 23rd Mar 2020

Preface: Make our life easy, just rename or disable it.

Background: Type 1 is a font format which came to market around 1984, together with PostScript and the Apple LaserWriter. Perhaps ATMFD.DLL was first built into Windows 2000. Through observation, this vulnerability was caught by Google project Zero in 2015. Over time, maybe someone has forgotten this. Therefore, the direct method is to disable it.

Impact: Stacks in computing architectures are regions of memory where data is added or removed in a last-in-first-out (LIFO) manner. In most modern computer systems, each thread has a reserved region of memory referred to as its stack. A specially-crafted font that is capable of operating on any data on the thread stack and has all the instructions (including arithmetic, logic, condition, and other instructions) in the Type 1 / Type 2 Charstring instruction set. Official announcement: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200006

Or quick and Dirty: Right-click C:\Windows\System32\atmfd.dll Properties | Security | Advanced | Owner, take ownership. Close dialogs, go back in and give yourself Full Control.

Centreon – Remote code execution can be configured via Poller (18th Mar 2020)

Preface: Centreon Engine allows you to schedule periods of planned downtime for hosts and service that you’re monitoring. So if design weakness occurs in this place. It provides a way to attacker for exploit.

Background: Centreon is an open source IT monitoring solution by Centreon. It is easy to install and you can deploy within minutes.

Vulnerability details: An authenticated user with sufficient administrative rights to manage pollers can use this functionality to execute arbitrary commands remotely. Usually, the miscellaneous commands are used by the additional modules (to perform certain actions), by the scheduler for data processing, etc. Meanwhile, it provides a path for attacker to exploit. Official announcement: No status update yet. But you can receive the updated release note in this place – https://documentation-fr.centreon.com/docs/centreon/en/latest/release_notes/index.html

Perhaps vulnerability might happen in open source in frequent. But I support opensource personally.

Security Focus – CVE-2020-326 – So called New wine in old bottles (18th Mar 2020)

Preface: Cisco SD-WAN Solution Privilege Escalation Vulnerability. Sound dangerous but it can only conduct internally. If someone can make it happen. It can elevate privileges to root on the underlying operating system.

Details: Perhaps Cisco fans still remember that a vulnerability encountered on SDWAN on Jun 2019. I presumably there may be similarities to this matter. The official announcement said An attacker could exploit this vulnerability by sending a crafted request to an affected system. A successful exploit could allow the attacker to gain root-level privileges. The details happened on June 2019 shown as below:

Cisco official announcement – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwpresc-ySJGvE9

Other than that perhaps you will be interested of other vulnerabilities found on SDWAN

Buffer overflow – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwanbo-QKcABnS2

Command Injection – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwclici-cvrQpH9v

antihackingonline.com