Practical 2
Name : Premsagar Manoj Pawar
Subject : Cyber Security Lab
Class : BE Computer
Section : B
Roll No : 30
Aim: Study of recent Cyber Incidents / Vulnerability.
Description: Write at least FIVE recent Security Alerts and Vulnerability Notes for each of the years 2021, 2020 & 2019. Write at least THREE recent Virus Alerts. Write about how to report a Security Incident and Vulnerability. Write about filing a complaint on the National Cyber Crime Reporting Portal.
Three recent Virus Alerts
A. "Siloscape" Malware
Original Issue Date :- June 14, 2021
Virus Type :- Malware Targeting Windows Containers
Description :- It has been reported that a new category of malware is targeting misconfigured Kubernetes clusters through Windows containers to compromise cloud environments. The malware gains initial access by exploiting vulnerabilities in common cloud applications or in a vulnerable web page or database, then uses Windows container escape techniques to execute code on the underlying node, and then spreads in poorly configured Kubernetes clusters to open a backdoor through which malicious containers can be run or deployed. Once a cluster is compromised, the attacker might be able to steal critical information such as usernames and passwords, an organization's confidential and internal files, or even entire databases hosted in the cluster. The malware can also leverage the computing resources of the Kubernetes cluster for cryptojacking and potentially exfiltrate sensitive data from hundreds of applications running in the compromised clusters.
Behaviour :-
Uses Windows container escape techniques to escape the container and gain code execution on the underlying node.
Attempts to abuse the node's credentials to spread in the cluster.
Siloscape uses the Tor proxy and an ".onion" domain to anonymously connect to its command and control (C2) server.
Best practices and Countermeasures :-
Kubernetes cluster configuration should restrict node privileges such that creation of new deployments is not possible (i.e. a process running in a Windows Server container should not have the same privileges as an administrator). The malware is ineffective in this case.
It is advised to follow Microsoft's recommendation of not using Windows Server containers as a security feature. Hyper-V containers should be employed for operations that rely on containerization as a security boundary, and it is recommended to move applications running in Windows Server containers to Hyper-V containers.
Perform regular backups of all critical information to limit the impact of data or system loss and to help expedite the recovery process. Ideally, this data should be kept on a separate device, and backups should be stored offline.
Check regularly for the integrity of the information stored in the databases.
Regularly check the contents of backup files of databases for any unauthorized encrypted contents of data records or external elements, (backdoors /malicious scripts.)
If not required, consider disabling PowerShell / Windows Script Host.
Restrict users' abilities (permissions) to install and run unwanted software applications.
Enable personal firewalls on workstations.
Enable Windows Defender Application Guard with designated trusted sites whitelisted, so that all other sites open in an isolated container that blocks access to memory, local storage, other installed applications or any other resources of interest to the attacker.
Carry out vulnerability Assessment and Penetration Testing (VAPT) and information security audit of critical networks/systems, especially database servers. Repeat audits at regular intervals.
Maintain updated Antivirus software on all systems.
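The first countermeasure above is about RBAC: the credentials available to a node must not be able to create new deployments. The following script is an added example written for this report (it is not part of the CERT-In advisory) that audits RBAC rules in the JSON shape produced by `kubectl get clusterroles -o json` and flags every role that grants `create` on `deployments` in the `apps` API group, treating `*` wildcards as a match. The three roles in it are constructed sample data, not taken from any real cluster.

```python
"""Audit Kubernetes RBAC rules for the ability to create Deployments.

Added example for the lab report (not CERT-In's or Microsoft's code).
Input is the JSON list shape returned by `kubectl get clusterroles -o json`.
A role is flagged when any of its rules grants the `create` verb on the
`deployments` resource in the `apps` API group; wildcards ('*') count.
"""
import json

# Constructed sample data: three ClusterRole objects in kubectl's JSON layout.
SAMPLE_ROLES_JSON = json.dumps({
    "items": [
        {   # grants everything: exactly what the advisory warns against
            "metadata": {"name": "over-privileged-node"},
            "rules": [
                {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
            ],
        },
        {   # read-only access: cannot create deployments
            "metadata": {"name": "restricted-node"},
            "rules": [
                {"apiGroups": [""], "resources": ["pods", "nodes"],
                 "verbs": ["get", "list", "watch"]},
                {"apiGroups": ["apps"], "resources": ["deployments"],
                 "verbs": ["get", "list"]},
            ],
        },
        {   # explicit create on deployments
            "metadata": {"name": "deployer"},
            "rules": [
                {"apiGroups": ["apps", "extensions"], "resources": ["deployments"],
                 "verbs": ["create", "patch"]},
            ],
        },
    ]
})


def _matches(values, wanted):
    """True if an RBAC list names `wanted` explicitly or via the '*' wildcard."""
    return "*" in values or wanted in values


def rule_allows_create_deployment(rule):
    """Return True if a single RBAC rule permits `create` on apps/deployments."""
    return (
        _matches(rule.get("apiGroups", []), "apps")
        and _matches(rule.get("resources", []), "deployments")
        and _matches(rule.get("verbs", []), "create")
    )


def find_deployment_creators(roles_json):
    """Return the names of roles that can create Deployments, in input order."""
    doc = json.loads(roles_json)
    flagged = []
    for role in doc.get("items", []):
        if any(rule_allows_create_deployment(r) for r in role.get("rules", [])):
            flagged.append(role["metadata"]["name"])
    return flagged


if __name__ == "__main__":
    for name in find_deployment_creators(SAMPLE_ROLES_JSON):
        print(f"WARNING: role {name!r} can create Deployments")
```

Pipe real cluster output into `find_deployment_creators` (for example by reading the file produced by `kubectl get clusterroles -o json > roles.json`) and then check which of the flagged roles are bound to node or kubelet identities; only those bindings are the ones the advisory is concerned with.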
B. Sarbloh Ransomware
Original Issue Date :- March 12, 2021
Virus Type :- Ransomware
Description :- It has been reported that a new ransomware named "Sarbloh" is spreading via specially crafted malicious documents sent as spear-phishing email attachments. The malicious document is embedded with a macro containing heavily obfuscated VBA code, which silently downloads the actual payload (the Sarbloh ransomware) from an AWS URL. Once executed, it encrypts files on the affected system (audio, images, video, databases and other document files) and renames the encrypted files with the "Sarbloh" extension to make them unusable. The ransom note ("README_SARBLOH.txt") states that the user's files are encrypted and will not be recovered until the demands of Sarbloh's creator are fulfilled.
Best Practice and Remedial Measures :-
Users and administrators are advised to take the following preventive measures to protect their computer networks from ransomware infection/attacks.
Maintain updated Antivirus software on all systems
Keep the operating system and third-party applications (MS Office, browsers, browser plugins) up to date with the latest patches.
Do not open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited e-mail, even if the link seems benign. If the URL appears genuine, close the e-mail and go to the organization's website directly through the browser.
Do not enable macros if prompted by a document received from an untrusted source.
Follow safe practices when browsing the web. Ensure web browsers are secured with appropriate content controls.
Perform regular backups of all critical information to limit the impact of data or system loss and to help expedite the recovery process. Ideally, this data should be kept on a separate device, and backups should be stored offline.
Check regularly for the integrity of the information stored in the databases
Regularly check the contents of backup files of databases for any unauthorized encrypted contents of data records or external elements, (backdoors /malicious scripts.)
If not required, consider disabling PowerShell / Windows Script Host.
Restrict users' abilities (permissions) to install and run unwanted software applications.
Enable personal firewalls on workstations.
Enable Windows Defender Application Guard with designated trusted sites whitelisted, so that all other sites open in an isolated container that blocks access to memory, local storage, other installed applications or any other resources of interest to the attacker.
Enable Exploit Protection (successor to EMET), which includes several client-side mitigation steps. Detailed configuration steps can be seen at https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.
Turn on Attack Surface Reduction rules, including rules that block credential theft, ransomware activity, and suspicious use of PsExec and WMI.
Implement strict External Device (USB drive) usage policy.
Employ data-at-rest and data-in-transit encryption.
Consider installing the Enhanced Mitigation Experience Toolkit, or similar host-level anti-exploitation tools.
Block attachments of the file types exe|pif|tmp|url|vb|vbe|scr|reg|cer|pst|cmd|com|bat|dll|dat|hlp|hta|js|wsf.
Carry out Vulnerability Assessment and Penetration Testing (VAPT) and an information security audit of critical networks/systems, especially database servers, from CERT-In empanelled auditors. Repeat audits at regular intervals.
Individuals or organizations are not encouraged to pay the ransom, as this does not guarantee files will be released.
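Two of the measures above, blocking attachments of listed file types and not enabling macros in documents from untrusted sources, can be enforced at a mail gateway before a user ever sees the document. The script below is an added example written for this report (not CERT-In's code) that shows the check: a deny-list of extensions (the CERT-In attachment block-list as reproduced in the advisory), a last-extension rule so that a double extension such as `invoice.pdf.exe` is still judged as `exe`, and detection of a VBA project inside Office Open XML files, which are ZIP containers in which a macro-enabled document carries a `vbaProject.bin` part. The three attachments it triages are constructed in memory so it runs offline; `make_ooxml` and `triage_attachment` are names chosen here, not gateway APIs.

```python
"""Triage e-mail attachments: block risky extensions and flag VBA macros.

Added example for the lab report (not CERT-In's code). Two checks from the
advisory are implemented: a deny-list of attachment extensions and a scan
for VBA macro projects inside Office Open XML (ZIP-based) documents.
"""
import io
import zipfile

# Extension deny-list as given in the advisory (lower-case, no dots).
BLOCKED_EXTENSIONS = {
    "exe", "pif", "tmp", "url", "vb", "vbe", "scr", "reg", "cer", "pst",
    "cmd", "com", "bat", "dll", "dat", "hlp", "hta", "js", "wsf",
}


def final_extension(filename):
    """Return the last extension in lower-case ('' if there is none).

    Judging by the *last* extension means 'invoice.pdf.exe' counts as 'exe'.
    """
    name = filename.rsplit("/", 1)[-1]
    if "." not in name:
        return ""
    return name.rsplit(".", 1)[-1].lower()


def has_vba_project(data):
    """True if `data` is an OOXML (ZIP) container holding a VBA macro part.

    Word, Excel and PowerPoint store macros as word/vbaProject.bin,
    xl/vbaProject.bin or ppt/vbaProject.bin, so the check is by part name.
    Legacy binary formats (.doc/.xls) are not ZIPs and are not inspected here.
    """
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return False
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())


def triage_attachment(filename, data):
    """Classify an attachment as 'block', 'macro' or 'allow'."""
    if final_extension(filename) in BLOCKED_EXTENSIONS:
        return "block"
    if has_vba_project(data):
        return "macro"
    return "allow"


def make_ooxml(parts):
    """Build a minimal ZIP containing the given part names (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in parts:
            zf.writestr(name, b"")
    return buf.getvalue()


# Constructed samples: a macro-bearing document, a clean document, and an
# executable disguised with a double extension.
SAMPLES = {
    "quote.docm": make_ooxml(["[Content_Types].xml", "word/document.xml", "word/vbaProject.bin"]),
    "report.docx": make_ooxml(["[Content_Types].xml", "word/document.xml"]),
    "invoice.pdf.exe": b"MZ\x90\x00",
}


def triage_all(samples=SAMPLES):
    """Return {filename: verdict} for every attachment in `samples`."""
    return {name: triage_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage_all().items():
        print(f"{name}: {verdict}")
```

A `macro` verdict is a quarantine-and-review signal rather than an automatic block, since some business documents legitimately carry macros; the `block` list, by contrast, is applied unconditionally as the advisory recommends.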
C. Adrozek Malware
Original Issue Date :- December 11, 2020
Virus Type :- Browser Modifiers
Description :- The malware is distributed via classic drive-by download schemes. Users are typically redirected from legitimate sites to shady domains where they are tricked into installing malicious software. That software installs the Adrozek malware, which then obtains reboot persistence with the help of a registry key. The malware looks for locally installed browsers such as Microsoft Edge, Google Chrome, Mozilla Firefox and Yandex Browser and attempts to force-install an extension by modifying the browsers' AppData folders. It also modifies some of the browsers' DLL files to change browser settings and disable security features, so that the browsers' own integrity checks do not detect the unauthorized modifications made by the malware.
Modifications made by Adrozek include :-
Disabling browser updates.
Disabling file integrity checks.
Disabling the Safe Browsing feature.
Registering and activating the extension they added in a previous step.
Allowing their malicious extension to run in incognito mode.
Allowing the extension to run without obtaining the appropriate permissions.
Hiding the extension from the toolbar.
Modifying the browser's default home page.
Modifying the browser's default search engine
2) VULNERABILITY NOTES
2021
i)CIVN-2021-0146 Multiple Vulnerabilities in Intel Products
Overview- Multiple vulnerabilities have been reported in Intel products which could be exploited by an attacker to escalate privileges or cause denial of service conditions on a targeted system.
Description- These vulnerabilities exist in Intel products due to improper control of resources, improper input validation, improper access control, improper conditions check, insufficient control flow management, uncontrolled resource consumption, protection mechanism failure, out-of-bounds write error, incomplete cleanup, improper authentication, buffer overflow, path traversal, improper resolution and uncontrolled search path element. Successful exploitation of these vulnerabilities could allow the attacker to escalate privileges or cause denial of service conditions on a targeted system.
ii)CIVN-2021-0145 Multiple Vulnerabilities in SAP Products
Overview- Multiple vulnerabilities have been reported in SAP products which could allow a remote attacker to execute arbitrary code, access sensitive information and perform other attacks on a targeted system.
Description- These vulnerabilities exist in SAP products due to missing authorization checks, improper input validation, improper authentication, memory corruption and other flaws in the affected software. Successful exploitation of these vulnerabilities could allow the attacker to execute arbitrary code, access sensitive information and perform other attacks on the targeted system.
iii)CIVN-2021-0144 Privilege Escalation Vulnerabilities in Intel NUC Firmware
Overview- Privilege escalation vulnerabilities have been reported in Intel NUC Firmware that could allow a privileged user to potentially enable escalation of privilege via local access on the targeted system.
Description- These vulnerabilities exist in Intel products due to improper access control and buffer restrictions in the system firmware for some Intel(R) NUCs. Successful exploitation of these vulnerabilities could allow a privileged user to potentially enable escalation of privilege via local access on the targeted system.
iv) CIVN-2021-0143 Multiple vulnerabilities in Google Android
Overview-Multiple Vulnerabilities have been reported in Google Android which could be exploited by an attacker to execute arbitrary code, obtain sensitive information or gain elevated privileges on the targeted system.
Description- These vulnerabilities exist in Google Android due to flaws in the Framework components, Media Framework components, System components, Kernel components, MediaTek components, Qualcomm components and Qualcomm closed-source components. An attacker could exploit these vulnerabilities by hosting a specially crafted file. Successful exploitation of these vulnerabilities could allow the attacker to execute arbitrary code, disclose sensitive information or gain elevated privileges on the targeted system.
v) CIVN-2021-0142 Multiple Vulnerabilities in Linux Kernel
Overview-Multiple vulnerabilities were found in the Linux kernel which may result in privilege escalation and cause a denial of service (system crash) attack on the targeted system.
Description- 1. Privilege Escalation Vulnerability (CVE-2021-3489, CVE-2021-3490) These vulnerabilities exist in the Linux kernel's eBPF verification code due to improper handling of user-supplied eBPF programs prior to executing them. An attacker could exploit these vulnerabilities by executing low-privileged code in the context of the kernel. Successful exploitation of these vulnerabilities may allow an attacker to escalate privileges and execute code in the context of the kernel, and poses a threat to data confidentiality and integrity.
2. Buffer overflow vulnerability (CVE-2021-3491 ) This vulnerability exists due to improper handling of buffers in io_uring and improper enforcement of the MAX_RW_COUNT limit in some situations. Successful exploitation of this vulnerability may allow an attacker to create a heap overflow (a type of buffer overflow) leading to arbitrary code execution in the context of the kernel and cause denial of service (system crash) attack on the targeted system.
2020
i)CIVN-2020-0450 Multiple Vulnerabilities in Google Android
Overview- Multiple vulnerabilities have been reported in Google Android operating system (OS) which could enable a remote attacker to perform arbitrary code execution, gain elevated privileges, obtain sensitive information and cause denial of service condition on the targeted system.
Description- These vulnerabilities exist in Google Android due to flaws in the Media Framework, System component, Kernel component, Broadcom components, MediaTek components, Qualcomm components and Qualcomm closed-source components. A remote attacker could exploit these vulnerabilities by hosting a specially crafted file designed to exploit the vulnerabilities. Successful exploitation of these vulnerabilities could allow a remote attacker to perform arbitrary code execution within the context of a privileged process, gain elevated privileges, access sensitive information from the targeted device and cause denial of service conditions on the targeted system.
ii)CIVN-2020-0449 Multiple Vulnerabilities in Foxit Reader and Phantom PDF
Overview- Multiple vulnerabilities have been reported in Foxit Reader and PhantomPDF which could allow a remote attacker to cause Out-of-Bounds Write Remote Code Execution, Type Confusion Memory Corruption, denial of service conditions or execute arbitrary code on the target system.
Description- These vulnerabilities exist due to insufficient validation of objects, incorrect processing of PDF files, lack of proper validation when an incorrect argument is passed to the app.media.openPlayer function, access or use of a deleted pointer, and an array overflow issue. A remote attacker could exploit these vulnerabilities by sending a specially crafted malicious file to the target system. Successful exploitation of these vulnerabilities could allow the attacker to cause Out-of-Bounds Write Remote Code Execution, Type Confusion Memory Corruption, denial of service conditions or execute arbitrary code on the target system.
iii)CIVN-2020-0448 Multiple Vulnerabilities in Treck TCP/IP Stack
Overview- Multiple vulnerabilities have been reported in Treck TCP/IP software which could be exploited by a remote attacker to perform a Denial of Service (DoS) attack or execute arbitrary code and take control of an affected system.
Description- The Treck TCP/IP stack software is designed for and used in a variety of IoT and embedded systems. The software can be licensed and integrated in various ways, including compiled from source, licensed for modification and reuse, and finally as a dynamically or statically linked library. These vulnerabilities exist due to a buffer overflow in the Treck HTTP Server component, an out-of-bounds write in the IPv6 component and an out-of-bounds read in the DHCPv6 component. A remote attacker could exploit these vulnerabilities by sending specially crafted packets to the targeted system. Successful exploitation of these vulnerabilities could allow a remote attacker to perform a denial of service (DoS) attack or execute arbitrary code on the targeted system.
iv)CIVN-2020-0447 Multiple Vulnerabilities in Mozilla Products
Overview-Multiple vulnerabilities have been reported in Mozilla products which could allow a remote attacker to execute arbitrary code, perform spoofing attacks, disclose potentially sensitive information, or cause denial of service conditions on the targeted system.
Description- These vulnerabilities exist in Mozilla products due to an uninitialized memory error in BigInt, a heap buffer overflow error or use-after-free in WebGL, improper sanitization by the CSS Sanitizer, a use-after-free in StyleGenericFlexBasis, improper security restrictions, improper processing of user-supplied input, an error while using a proxy on the Request callback for view-source URLs, and improper processing of downloaded files without extensions. Successful exploitation of these vulnerabilities could allow a remote attacker to execute arbitrary code, perform spoofing attacks, disclose potentially sensitive information, or cause denial of service conditions on the targeted system.
v)CIVN-2020-0446 Information Disclosure Vulnerabilities in GE Healthcare Products
Overview- Vulnerabilities have been reported in GE Imaging and Ultrasound products which could allow a remote attacker to gain access to or modify sensitive information on the targeted system.
Description- 1. Information Disclosure Vulnerability (CVE-2020-25125) This vulnerability exists in GE Healthcare Imaging and Ultrasound products due to unprotected transport of credentials. A remote attacker could exploit this vulnerability by gaining access to the network. Successful exploitation of this vulnerability could allow the attacker to gain access to sensitive information on the targeted system.
2. Information Disclosure Vulnerability (CVE-2020-25179) This vulnerability exists in GE Healthcare Imaging and Ultrasound products because they allow exposed/default credentials to be used to access the system. An attacker could exploit this vulnerability by gaining access to the network. Successful exploitation of this vulnerability could allow the attacker to gain access to or modify sensitive information on the targeted system.
2019
i)CIVN-2019-0202 TP-Link Router Remote Code Execution Vulnerability
Overview- A vulnerability has been reported in TP-Link routers which could be exploited by a remote attacker to take complete control of the router.
Description- This vulnerability exists in TP-Link routers due to improper handling of HTTP requests. A remote attacker could exploit this vulnerability by sending an HTTP request including a character string longer than the allowed length, resulting in the user password being set to a value of zero. Successful exploitation of this vulnerability could allow the attacker to take complete control of the router.
ii)CIVN-2019-0199 Multiple Vulnerabilities in Microsoft Windows
Overview-Multiple vulnerabilities have been reported in Microsoft Windows which could allow an attacker to bypass security restrictions, access sensitive information, cause denial of service (DoS) condition and execute arbitrary code on the targeted system.
Description-1. Microsoft Windows Win32k Privilege Escalation Vulnerability (CVE-2019-1458 ) This vulnerability exists in Microsoft windows due to improper handling of objects in memory. A local attacker could exploit this vulnerability by running a specially crafted application on the affected system. Successful exploitation of this vulnerability could allow the attacker to execute arbitrary code on the targeted system.
2. Microsoft Windows Win32k Information Disclosure Vulnerability (CVE-2019-1469 ) This vulnerability exists when the win32k component improperly provides kernel information. A local attacker could exploit this vulnerability by running a specially crafted application on the affected system. Successful exploitation of this vulnerability could allow the attacker to access sensitive information on the targeted system.
3. Microsoft Windows Hyper-V Information Disclosure Vulnerability (CVE-2019-1470 ) This vulnerability exists when Windows Hyper-V on a host operating system fails to properly validate input from an authenticated user on a guest operating system. A local attacker could exploit this vulnerability by running a specially crafted application on the affected system. Successful exploitation of this vulnerability could allow the attacker to access sensitive information on the targeted system.
4. Microsoft Windows Hyper-V Remote Code Execution Vulnerability (CVE-2019-1471) This vulnerability exists when Windows Hyper-V on a host operating system fails to properly validate input from an authenticated user on a guest operating system. A remote attacker could exploit this vulnerability by running a specially crafted application on the affected system. Successful exploitation of this vulnerability could allow the attacker to execute remote code on the targeted system.
5. Microsoft Windows Kernel Information Disclosure Vulnerability (CVE-2019-1474) This vulnerability exists in Microsoft windows due to the improper handling of objects in memory. A local attacker could exploit this vulnerability by running a specially crafted application on the affected system. Successful exploitation of this vulnerability could allow the attacker to execute arbitrary code on the targeted system.
6. Microsoft Windows Printer Service Privilege Escalation Vulnerability (CVE-2019-1477 ) This vulnerability exists in Microsoft windows due to a boundary error when the Windows Printer Service improperly validates file paths while loading printer drivers. A local attacker could exploit this vulnerability by running a specially crafted application on the affected system. Successful exploitation of this vulnerability could allow the attacker to execute arbitrary code on the targeted system.
7. Microsoft Windows COM Server Privilege Escalation Vulnerability (CVE-2019-1478) This vulnerability exists in Microsoft windows due to the improper handling of COM object creation. A local attacker could exploit this vulnerability by running a specially crafted application on the affected system. Successful exploitation of this vulnerability could allow the attacker to execute arbitrary code on the targeted system.
8. Microsoft Windows GDI Information Disclosure Vulnerability (CVE-2019-1466 CVE-2019-1465 CVE-2019-1467 ) These vulnerabilities exist when the Windows GDI component improperly discloses the contents of its memory. A remote attacker could exploit this vulnerability by convincing a user to open a specially crafted document on the affected system. Successful exploitation of this vulnerability could allow the attacker to access sensitive information on the targeted system.
9. Microsoft Windows Kernel Information Disclosure Vulnerability (CVE-2019-1472 ) This vulnerability exists when the Windows kernel improperly handles objects in memory. A local attacker could exploit this vulnerability by running a specially crafted application on the affected system. Successful exploitation of this vulnerability could allow the attacker to access sensitive information on the targeted system.
10. Microsoft Win32k Graphics Remote Code Execution Vulnerability (CVE-2019-1468) This vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. A remote attacker could exploit this vulnerability by hosting a specially crafted website on the affected system. Successful exploitation of this vulnerability could allow the attacker to execute remote code on the targeted system
11. Microsoft Windows Remote Desktop Protocol (RDP) Denial of Service Vulnerability (CVE-2019-1453 ) This vulnerability exists in Remote Desktop Protocol (RDP) when an attacker connects to the target system using RDP and sends specially crafted requests. A remote attacker could exploit this vulnerability by sending a specially crafted application on the affected system. Successful exploitation of this vulnerability could allow the attacker to cause denial of service on the targeted system.
12. Privilege Escalation Vulnerability in Microsoft Windows AppX Deployment Server (CVE-2019-1476, CVE-2019-1483) These vulnerabilities exist in Microsoft Windows due to an error in junction handling within the Windows AppX Deployment Server. A local attacker could exploit these vulnerabilities by running a specially crafted application on the affected system. Successful exploitation of these vulnerabilities could allow the attacker to execute arbitrary code on the targeted system.
13. Microsoft Defender Security Feature Bypass Vulnerability (CVE-2019-1488) This vulnerability exists in Microsoft Windows because Microsoft Defender improperly handles specific buffers. A remote attacker could exploit this vulnerability to bypass certain security restrictions and perform unauthorized actions on the affected system. Successful exploitation of this vulnerability could allow the attacker to bypass security features on the targeted system.
14. Microsoft Windows Media Player Information Disclosure Vulnerability (CVE-2019-1481 CVE-2019-1480 ) These vulnerabilities exist in Microsoft windows due to improper handling of objects in memory. A remote attacker could exploit this vulnerability by creating a specially crafted media file, trick the victim into opening it, trigger out-of-bounds read error and read contents of memory on the system. Successful exploitation of these vulnerabilities could allow the attacker to access sensitive information on the targeted system.
15. Microsoft Windows OLE Remote Code Execution Vulnerability (CVE-2019-1484) This vulnerability exists in Microsoft Windows due to insufficient validation of user-supplied input in the Microsoft Windows OLE implementation. A remote attacker could exploit this vulnerability by convincing a user to open a specially crafted file on the affected system. Successful exploitation of this vulnerability could allow the attacker to execute remote code on the targeted system.
iii)CIVN-2019-0198 Microsoft SQL Server Reporting Services XSS Vulnerability
Overview-A Vulnerability has been reported in Microsoft SQL Server Reporting Services which could allow an authenticated attacker to perform Cross-site Scripting (XSS) attack on the targeted system.
Description- This vulnerability exists in Microsoft SQL Server Reporting Services due to improper sanitization of a specially crafted web request to an affected SSRS server. An attacker could exploit this vulnerability by convincing an authenticated user to click a specially crafted link to an affected SSRS server. Successful exploitation of this vulnerability could allow an authenticated attacker to run scripts in the context of the targeted user.
iv)CIVN-2019-0200 Multiple Vulnerabilities in Intel Products
Overview-Multiple vulnerabilities have been reported in Intel products which could allow a local attacker to escalate privileges, cause denial of service (DoS) conditions or access sensitive information on a targeted system
Description- 1. Escalation of Privilege Vulnerability in Intel RST (CVE-2019-14568) This vulnerability exists in Intel Rapid Storage Technology (RST) due to improper handling of permissions by the affected software. An authenticated attacker could exploit this vulnerability through local access to the system. Successful exploitation of this vulnerability could allow the attacker to gain escalated privileges on the targeted system.
2. Vulnerability in multiple Intel Processors (CVE-2019-14607) This vulnerability exists in multiple Intel processors due to improper checking of conditions by the firmware. An attacker could exploit this vulnerability through local access to the targeted system. Successful exploitation of this vulnerability could allow the attacker to gain escalated privileges, cause denial of service (DoS) conditions or access sensitive information on the targeted system.
v)CIVN-2019-0201 Microsoft SharePoint Server Information Disclosure Vulnerability
Overview- A vulnerability has been reported in Microsoft SharePoint which could allow a remote malicious user to obtain sensitive information from the targeted system.
Description- This vulnerability exists in Microsoft SharePoint. By sending a specially crafted request to a susceptible SharePoint Server instance, a remote attacker could exploit this vulnerability to read arbitrary files on the server.
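Every note above follows the same layout: a heading line with the CIVN identifier and title, an `Overview-` line and a `Description-` line whose numbered items cite CVE identifiers. Turning that text into structured records is the first step of tracking which CVEs are still unpatched, so the following script is added here as an example for the report (it is not a CERT-In tool): it parses notes in exactly that layout, collects the CVE identifiers per note in order of first appearance, and returns a per-advisory map. The sample text is constructed from two of the notes above with their sentences shortened; `parse_notes` and `cves_by_note` are names chosen here.

```python
"""Parse CERT-In style vulnerability notes into records with their CVE IDs.

Added example for the lab report (not a CERT-In tool). The expected layout,
matching the notes in this report, is:

    <roman numeral>) CIVN-YYYY-NNNN <title>
    Overview-<one line>
    Description-<one or more lines; numbered items cite CVE identifiers>
"""
import re

# Heading line: optional "i)", "ii)"... prefix, then the CIVN id and the title.
NOTE_HEADING = re.compile(r"^(?:[ivx]+\)\s*)?(CIVN[- ]\d{4}-\d{4})\s+(.*)$", re.IGNORECASE)
# CVE identifier: four-digit year and a sequence number of four or more digits.
CVE_ID = re.compile(r"CVE-\d{4}-\d{4,7}")

# Constructed sample: two notes from this report, shortened.
SAMPLE_NOTES = """\
v) CIVN-2021-0142 Multiple Vulnerabilities in Linux Kernel
Overview-Multiple vulnerabilities were found in the Linux kernel ...
Description-1. Privilege Escalation Vulnerability (CVE-2021-3489 CVE-2021-3490) ...
2. Buffer overflow vulnerability (CVE-2021-3491 ) ...
v)CIVN-2020-0446 Information Disclosure Vulnerabilities in GE Healthcare Products
Overview-A vulnerability has been reported in GE Imaging and Ultrasound Products ...
Description-1. Information Disclosure Vulnerability (CVE-2020-25125) ...
2. Information Disclosure Vulnerability (CVE-2020-25179 ) ...
"""


def parse_notes(text):
    """Return a list of {id, title, overview, description, cves} dicts."""
    notes = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = NOTE_HEADING.match(line)
        if m:
            current = {
                "id": m.group(1).replace(" ", "-").upper(),  # normalise "CIVN 2019-0201"
                "title": m.group(2).strip(),
                "overview": "",
                "description": "",
                "cves": [],
            }
            notes.append(current)
            continue
        if current is None:
            continue  # anything before the first heading is ignored
        if line.startswith("Overview"):
            current["overview"] = line.split("-", 1)[1].strip()
        elif line.startswith("Description"):
            current["description"] = line.split("-", 1)[1].strip()
        else:
            # Numbered sub-items ("2. Buffer overflow ...") continue the description.
            current["description"] += " " + line
    for note in notes:
        seen = []
        for cve in CVE_ID.findall(note["overview"] + " " + note["description"]):
            if cve not in seen:  # keep first-appearance order, drop duplicates
                seen.append(cve)
        note["cves"] = seen
    return notes


def cves_by_note(text):
    """Map advisory id -> list of CVE IDs, the view used for patch tracking."""
    return {note["id"]: note["cves"] for note in parse_notes(text)}


if __name__ == "__main__":
    for advisory, cves in cves_by_note(SAMPLE_NOTES).items():
        print(advisory, ", ".join(cves) or "(no CVE cited)")
```

Notes that cite no CVE (several of the ones above only name the product) come out with an empty `cves` list, which is itself useful: those entries have to be tracked by advisory id and vendor bulletin rather than by CVE.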
3) How to report Security Incident and Vulnerability.
CERT-In shall operate an Incident Response Help Desk on a 24-hour basis on all days, including Government and other public holidays, to facilitate reporting of cyber security incidents.
Reporting of incidents :-
Any individual, organisation or corporate entity affected by cyber security incidents may report the incident to CERT-In. The type of cyber security incidents as identified in Annexure shall be mandatorily reported to CERT-In as early as possible to leave scope for action. Service providers, intermediaries, data centers and body corporate shall report the cyber security incidents to CERT-In within a reasonable time of occurrence or noticing the incident to have scope for timely action.
The details regarding methods and formats for reporting cyber security incidents, vulnerability reporting and remediation, incident response procedures and dissemination of information on cyber security shall be published on the website of CERT-In (www.cert-in.org.in) and will be updated from time to time.
4) How to report a cybercrime
1. For online reporting of cybercrime, visit the Cybercrime reporting portal.
2. You can report a complaint pertaining to online Child Pornography (CP) / Child Sexual Abuse Material (CSAM) or sexually explicit content such as Rape/Gang Rape (CP/RGR) content either anonymously (i.e. without revealing your identity) or by revealing your identity. However, as a responsible citizen you should use the "Report and Track" option for reporting the incident/crime, since it helps the law enforcement agencies contact you for further details.
3. To report anonymously, use the anonymous reporting option on the portal. In this case a user need not provide any personal information. However, the information related to the incident/complaint should be complete for the police authorities to take necessary action. It is recommended that the user uploads evidence with the complaint, which helps the police authorities act promptly. A complaint can also be reported by providing information such as a website address, e-mail address, WhatsApp number, etc. Please note that false information provided by a complainant may lead to penal action as per law.
4. To report a crime revealing your identity, click the "Report and Track" option. Register by giving your details such as name and mobile number. You will receive a One Time Password (OTP) that is used to verify your phone number. The OTP is valid for 30 minutes. Once you have successfully registered your mobile number on the portal, you will be able to report the complaint. Fill in all the details related to the crime and submit.