Author: tungcmc

14 Nov

This morning, at the office of Ministry of Information & Communications, representing CMC Cyber Security Company, General Director Ta Hoang Linh and Deputy General Director Ha The Phuong attended a press conference for the program "Information Security Vietnam 2019 ”will be held on the coming November 29.

Speaking at the press conference, Mr. Ta Hoang Linh, General Director of CMC Cyber Security said: “Currently, the role of information security is becoming increasingly important. CMC Cyber Security is a unit that recognizes the importance of information security field very early and is very patient to follow although this field is very wide and difficult.

From the perspective of a business, I think this is an opportunity for Vietnamese businesses to develop products and solutions suitable for a certain class in the field of information security. CMC Cyber Security will continue to invest more heavily in the team of experts and products so that we can contribute a part in the overall development of the field of information security and security. ”

The press conference also had the participation of Deputy Minister of Information and Communications Nguyen Thanh Hung, representatives of the leaders of the co-organizer of events such as the Department of Information Security (Ministry of Information and Communications), Department of Information and Communications (Ministry of Education and Training). ), Ministry of Justice 86 (Ministry of National Defense), Government Cipher Committee, Department A05 (Ministry of Public Security) and a number of businesses participated in the event and representatives of 30 press agencies.

Deputy Minister of Information and Communications Nguyen Thanh Hung, President of VNISA, said: This year's conference was attended by the Director of the Standardization Department of the International Telecommunications Union (ITU) to present views, orientations, recommendations and reviews. price of Vietnam food safety rating.

The Deputy Minister also emphasized that ensuring the security of information security is like paying attention to preventive medicine according to the motto "prevention is better than cure". In order to do this, awareness is very important, avoiding "the jump to the feet". Workshops - exhibitions and related events are organized to raise awareness, enhance training ... to ensure food safety. The word cognitive will have specific actions.

“Currently, Vietnam as well as many countries around the world accelerate the fourth industrial revolution and the digital transformation process. Therefore, the development of national capacity on cybersecurity and security is a prerequisite for building an e-government, building a digital economy, serving the activities of the state, businesses and people, " Mr. Vu Quoc Thanh, Vice Chairman and General Secretary of VNISA shared.

This year's conference was organized with the theme: "Enhancing Safety, National Cyber Security in a digital age"

Organized with the largest scale ever, this year's Vietnam Information Security Conference 2019 has a large, covering topic, expressing the aspirations of security workers '' Enhancing Safety, Network Security '' (Enhancing national cybersecurity in the digital era).

"This will be an important national forum, the most outstanding event on network safety and security in 2019 in Vietnam," Mr. Vu Quoc Thanh emphasized.

Information Security Day 2019 is the 12th annual event, chaired by the Vietnam Information Security Association (VNISA), in collaboration with the Department of Information Security (Ministry of Information and Communications) and Space Command. network (Ministry of Defense) organized, under the auspices of the Ministry of Information and Communications.

The seminar will focus on analyzing the vision and orientation of the government on enhancing network safety and security in Vietnam; policies, current situation, needs of application and development of information security technology (ATTT) and solutions to improve Vietnam's network safety and security rankings.

The Conference program consisted of a Plenary session in the morning and 02 Thematic sessions in the afternoon, with nearly 30 speeches and presentations from leaders of state management agencies in the field of network safety and security; managers, senior experts on security of large companies at home and abroad.

Mr. Ha The Phuong - Deputy General Director of CMC Cyber Security responded to the press PV on the current issues related to information security.

08 Nov

Ransomware Petya

Rising from the wannacry's ashes, a new peril began: Petya. In 2016 and 2017, Petya ransomware and its variants affected thousands of computers worldwide. Immediately after the Wannacry ransomware showed signs of subsiding, Petya emerged as a perfect replacement.

The special feature of this malware is that it does not encrypt the user's data files, but changes the Master Boot Record (MBR) and the Master File Table (MFT) encryption so that users cannot even boot into the system. operating.

How Petya works - Source:

According to sources, the Petya ransomware attack originated from MEDoc, a Ukrainian-based audit company, through MEDoc's software containing Petya in an update. In addition, Petya is also inserted in the text file intentionally sent to the organization when the user opens it, the ransomware will trick the user into activating the marco available in versions of Office.

Stage 1: High level

There are many variations of Petya ransomware on the cyber network, but in this article we will focus on sample analysis:

SHA-256: 26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739

It's easy to recognize that ransomware samples need to be unpacked before executing real commands. In the debug ransomware process, there are calls to functions like VirtualProtect and VirtualAlloc to allocate and change the rights of a new device. The guess is that this will be the actual memory area of the ransomware after unpacking. So we just need to set a breakpoint at the beginning of the newly created memory and this is the result:

As we can see in the picture above, in the hexdump window is the header of a pe file. Dump the entire section and get a Setup.dll file with full import table that is easy to read.

Go through the functions performed in the Setup.dll file in turn when launched. First, Petya ransomware retrieves victim's hard drive information with DeviceIoControl function to retrieve the physical location of a volume on the hard drive, information about the type, size, and volume of the hard drive partition (by IOCTL_DISK_GET_PARTITION_INFO_EX, PARTITION_INFORMATION_EX) ,). Here is the pseudocode function that takes the physical position of a volume on one or more hard drives:

v1 = this;
  BytesReturned = 0;
  v2 = GetSystemDirectoryA(0, 0);
  v3 = v2;
  if ( !v2 )
    return 0;
  v5 = (CHAR *)sub_239090(v2);
  if ( !GetSystemDirectoryA(v5, v3) )
    return 0;
  *(_DWORD *)FileName = 1546542172;
  v9 = *v5;
  v10 = 58;
  v6 = CreateFileA(FileName, 0, 3u, 0, 3u, 0, 0);
  if ( v6 == (HANDLE)-1 )
    return 0;
  DeviceIoControl(v6, 0x560000u, 0, 0, &OutBuffer, 0x20u, &BytesReturned, 0);
  // In because 0x560000 is IoControlCode, it was changed to 0x70048, 0x70000 in the future to remove information in dia  
  qmemcpy(v1, "\\\\.\\PhysicalDrive", 17);
  v1[17] = v12 + 48;
  v1[18] = 0;
  return 1;

Ransomware then creates a buffer containing the ransom link "hxxp: // petya5koahtsf7sv [.] Onion / [Random]", "hxxp: // petya37h5tbhyvki [.] Onion / [Random]" Ransom Note. And call the CryptGenRandom function to generate the victim's private key.

  v4 = (_DWORD *)phProv;
  *(_DWORD *)phProv = 0;
  if ( !CryptAcquireContextA(&phProv, 0, 0, 1u, 0xF0000000) )
    return -60;
  if ( !CryptGenRandom(phProv, dwLen, pbBuffer) )
    return -60;
  CryptReleaseContext(phProv, 0);
  *v4 = dwLen;
  return 0;

After the payload, ransomware uses NtRaiseHardError to force the computer to reboot

v0 = GetCurrentProcess();
  if ( !OpenProcessToken(v0, 0x28u, &TokenHandle) )
    return 0;
  LookupPrivilegeValueA(0, "SeShutdownPrivilege", (PLUID)Newstate.Privileges);
  Newstate.PrivilegeCount = 1;
  Newstate.Privileges[0].Attributes = 2;
  AdjustTokenPrivileges(TokenHandle, 0, &Newstate, 0, 0, 0);
  if ( GetLastError() )
    return 0;
  v2 = GetModuleHandleA("NTDLL.DLL");
  v3 = GetProcAddress(v2, "NtRaiseHardError");
  ((void (__cdecl *)(signed int, _DWORD, _DWORD, _DWORD, signed int, char *))v3)(-1073740976, 0, 0, 0, 6, &v5);
  return 1;

Stage 2: Low level

Now we analyze the malicious code inserted into the MBR of the drive:

From the dump result from \. \ PhysicalDrive0 we have:

  • Sector 0: The first bootloader's unique score
  • Sector 1-33: This is all 0x37
  • Sector 34-49: The kernel segment of ransomware
  • Sector 50-53: Blank
  • Sector 54: Nonce, CNC and Personal Key
  • Sector 55-56: Data is encrypted

When the machine starts, the ransomware code will be executed:

To read the drive sector, it uses interrupt 13

Next, Ransomware will check if the MBR is encrypted?

If not encrypted, Petya uses Salsa20 algorithm to lock MFT.

MFT (Master File Table) is the most important component in the NTFS system. MFT contains information about all files and directories in the logical drive.

After the encryption is complete, the main screen will be displayed

When the user enters the Petya key, he will check the format of the key:

  • Has a length of 16 bytes
  • Only the following characters are accepted 123456789abcdefghijkmnopqrstuvwxABCDEFGHJKLMNPQRSTUVWX

Although, it is possible to bypass check_key by changing the address of some jump functions but that does not decode MFT. However, due to the size limitations of the sectors, Petya ransomware does not fully implement the Salsa 20 algorithm, so we can brute force the decryption key.

In Petya's decoding process we see:

  • Petya loads up the 512-byte memory of the 55th sector (this is the data to be decoded)
  • Petya loads 8 byte memory at offset 0x6c21 right before CNC in the 54th sector (this is nonce)

We have the code and the nonce. You can read salsa's algorithm and write brute force script yourself or use a golang script written by a very nice guy leo-stone.


Creating a ransomware launched in boot sector, MBR and MFT encryption is a very interesting direction. However, deploying ransomware under the kernel layer has created several vulnerabilities while implementing the encryption algorithm so that we can decode without a key. This has made Petya the first version of the body non-contagious. However, malicious code such as Petya, such as Goldeneye, has inspired hackers to develop ransomware to attack the kernel layer, posing a challenge for the security house.

06 Nov

CMC Cyber Sercurity malware analysts have reported that at least 4 units infected with Ransomware Cry36 / Nemesis all user data (except for files that may cause operating system errors) are encrypted and Change the extension to ". [id] _WECANHELP".

The ransomware model has the extension ". [Id] _WECANHELP" which is the latest variant of Cry36 / Nemesis that was first discovered on August 9, 2019. When it infects the victim's computer, it quickly scans all drive partitions and shared partitions to identify user data and ignores executable files and system files. Finally, the ransomware encrypts data, and in each folder it encrypts, a file containing information that the victim can conteacts with the attacker and the victim's ID is left behind. Variants of Cry36 / Nemesis are usually sent to the victim's computer via poorly secured RDP ports, spam emails or pretend to be software that trick users into downloading.

Currently, there is no effective method to break the code of Cry36 / Nemesis. However, the victims were never paid a ransom for the attacker. There have been many cases recorded, after paying the ransom victims also failed to decode the data or the decoded data was faulty. At the same time, paying the attacker will wake him up again.

To prevent the risk of becoming a victim of Cry36 / Nemesis, users should disconnect RDP service ports if not needed, set up firewall rules to restrict users, remote access to server, ensure the origin of the software, email before opening.

31 Oct

Recently, CMC CyberSecurity received a number of malicious samples believed to be developed by Panda hackers. In order to attack APT to foreign government organizations, including Vietnamese organizations.

Samples received after analysis can be divided into two types. Each type uses a different payload implementation but still has some common characteristics:

  • Use the .lnk shortcut file with the .doc extension (eg sample.doc.lnk) to deceive the user.
  • The lnk file attached to the hta file can execute vbscript.
  • Script to open the attached document file for the user and implicitly execute the payload.

Based on the content of document files prepared to deceive users, it can be surmised that the target that the attacker wants to target is users of some units of the Vietnamese government.

   1. Technical analysis

  1.1. Analysis of file type lnk 1

File LNK

The sample file is a shortcut file with the extension .lnk, usually named with the .doc extension to deceive users because the .lnk extension will be hidden by Windows. The suspicious point is in the target part of the shortcut file. Usually, the target of the shortcut usually points to a destination folder or file. However, the target of the templates all contain the following command:

%comspec% / c for %x in (%temp% = %) do for / f "delims ==" %i in ('dir "%x \ GIAYMOI.doc.lnk" / s / b') do start m%windir: ~ -1,11 exe "%i"

The above code was obfuscate by using the variable %comspec% instead of directly calling the string "cmd.exe" and the "s" in the file name mshta.exe was obtained by cutting the last character of the value contained in variable "%windir%" (usually C: \ Windows).

Mshta.exe is a microsoft application developed to take advantage of fast application building through html, css, vbscript, javascript. Using mshta and the .hta file format, we can open an html page as an application. The hta file format is the same as the html file. By adding tags into the card of the html file we have the hta file that can be opened via the mshta application.

The hta file can be inserted before its header. Take advantage of this,

the attacker has inserted an lnk file before it, with the command opening itself with mshta.exe to execute the embedded hta file. When the user opens the lnk file, will execute the command in the target of the lnk file and execute the mshta.exe file to open itself.

File HTA

By default, mshta.exe can execute both javascript and vbscript embedded in hta files using related dlls. The hta file that is embedded when opened will have the following properties: minimize, not shown on the taskbar, no menu and caption. Its sole task is to execute malicious vbscript code.

The vbscript script has been obfuscate (confusing) to make the analysis process difficult. After deobfuscate, you can see that the code snippet contains 1 data in binary form.

Then, the code uses the ADODB object to save the binary data as a file into the %temp% folder named 3.ps1.

Finally, execute the file 3.ps1 with the command line

powershell.exe -exec bypass -file & szTempPath, Null, Instance, MWcWurrkfEbtfWdZTY


The powershell script continues to be confused by using base64 to encode its entire contents. After decode the entire content, the script will continue to run through powershell's iex function.

The content after the script decode is also messed up to make its content more difficult to understand. After analysis, we can get a general overview of the content and tasks of the code as follows:

  • The code checks the Administrator rights of the current user and stores the result in a variable.
  • Proceed to decode the .doc file as base64 and save it to the directory %temp%. Then open this file for the user.
  • If the script is run with Administrator privileges, the .dat file will be saved in the "%windir% \ debug" directory. Otherwise, the %temp% folder will be used to save the .dat file.
  • The InstallUtil tool (v2.0 or 4.0) will be used as a loader to execute the .dat payload file. When having Administrator rights, the script will copy 2 InstallUtil.exe and schtasks.exe windows files into %temp% folder. Particularly, the file schtasks.exe (microsoft utility used to schedule automatic running of some programs and tasks 1) will be renamed to "wtask.exe".
  • Then use cmd to execute the wtask.exe file to run automatically, with the purpose of loading the executable file loader to run the .dat file with SYSTEM privileges.
  • Without Administrator rights, the loader will be executed indirectly through vbscript. The code also checks and adjusts how it executes accordingly when it detects an antivirus product installed on the computer.
  • After executing the process "wtask.exe" will create an entry in Task Scheduler to execute

Final Payload

InstallUtil.exe when loading payload file tmp_FlVnNI.dat will continue decode a shellcode in base64 format and copy the decoded part into a allocated memory with the attribute PAGE_EXECUTE_READWRITE and create a thread to execute shellcode.

Shellcode will automatically decode part of its code using the xor algorithm with the key of 0x44. After decoding 0xcf2 bytes, shellcode will execute the decoded part.

This is the final payload to make the connection to the attacker's server. Currently unable to connect to this server.

Analysis of file type lnk 2

First stage

Similar to type 1, type 2 is also an lnk file embedded before the hta file. At the time of vbscript execution, this script decodes and stores into %temp% folder 3 binary files in base64 and 1 document file.

The document file will then be opened for the user.

Meanwhile, the script will execute the 3.exe file to perform malicious actions.

Second stage

3.exe executable file is actually a clean file, but it will load a modified DLL file containing malicious code.

To do this, the attacker only needs to find a dll loaded by the LoadLibrary function in the 3.exe file (in this case http_dll.dll), then create a malicious dll file with the same name as the parameter of the LoadLibrary function. and put it in the same directory as the 3.exe file. When calling LoadLibrary, 3.exe will find the dll in the same directory first and load it up.

When uploaded, http_dll.dll will find the VirtualProtect function to modify the attribute of the 16 bytes of memory the module has loaded it at RVA of 0x157a to PAGE_EXECUTE_READWRITE. In this case, the corrected location will be the command jz 0x401533.

To perform malicious behavior, the command jz 0x401533 will be replaced with 3 push commands FFFFFFFF, push http_dll.10001230 and "ret" command to redirect the program 3.exe to sub_10001230 of the dll, then the program will leave for 3.exe to continue execution.

At sub_10001230, the malicious code will read the file http_dll.dat in the same directory. The content at the beginning of this dat file is a string with null-terminated and data. This string will be used to be the decryption key for the data portion of the dat file.

After that, the malicious code will create a new memory area to contain the decryption process conducted by the xor algorithm with the string key in the dat file as above.

The malware continues to change the properties of this new device with the PAGE_EXECUTE_READWRITE property and execute shellcode at this address.

The decoded content is a RAW PE file, but it has been cleverly integrated into a shellcode, starting from offset 0. This shellcode serves as a loader, load this raw PE file to be able to execute OK.

First, shellcode finds the address of kernel32.dll and then loads the functions LoadLibray, GetProcAddress, ZwFlushIntructionCache, VirtualAlloc by comparing the hash of the names of the functions that are exported by kernel32.

Then, Loader reads the header of the PE file, maps the sections to the corresponding memory areas, reallocates some addresses and resolves the Import Address Table of the file. Once completed, the program execution flow will be passed to the DllMain function of this PE file.

Final Payload

Here, the malicious code will take a number of paths to use, then decrypt a data section to use.

The decoding result is a number of strings including autorun key name, ip c & c server.

Then the malicious code will perform the following behaviors:

  • Make a copy of the three executable files to the user's profile directory or alluserprofile if there are sufficient administrator rights.
  • Add and lock autorun to activate the executable file which has just been dropped when restarting. Also relaunch itself if this is its first run. The malware distinguishes this by inserting another parameter to it at subsequent runs.
  • Create a mutex, connect to the server to receive commands from the server.
    • Creating a backdoor allows an attacker to execute commands remotely.
    • Support many different commands including upload file, folder, list folder, read file, get computer information, user, ...


By using various attack and disruptive techniques during execution, it is shown that the person behind the malware development has invested a lot of time in researching the target and developing the attack method accordingly. . APT is a malicious attack, carefully invested to steal important information and cause damage to the organization. To prevent APT attacks, always prepare new precautions and ongoing monitoring to ensure the security of users and organizations as well.

C&C ip, domain


30 Oct

Today, short clips, GIFs are everywhere on social media, on message boards, on chats, helping users to perfectly express their emotions, making it possible for people to Have fun, relax and highlight the meaning of the conversation. But what if a GIF greeting looks innocent with a message Good morning, Happy Birthday or Merry Christmas "hack" the phone in your hand?

The WhatsApp app (a cross-platform messaging app) recently patched an important security hole in its Android app, which has been patched since it was discovered three months after being discovered. and if exploited, can allow hackers to gain access to Android devices and potentially steal the files and resources on the device, and more seriously, chat messages or accounts of other applications have on the victim machine.

WhatsApp Remote Code Execution Vulnerability

The vulnerability, publicized with the ID CVE-2019-11932, is a "double-free" vulnerability, which simply means calling the free function twice when using HEAP dynamic memory in C. This flaw is not included in the source code. of the WhatsApp application that is in the open source library that WhatsApp uses to process photos.

Discovered by Vietnamese security researcher Pham Hong Nhat in May this year, this vulnerability led to remote code execution attacks (RCE), allowing attackers to execute arbitrary code on Mobile devices that use WhatsApp.

“Payload (exploit code) is executed in the WhatsApp context. Therefore, it has the right to read SDCard and access the WhatsApp message database, ”the author answered in an interview with Thehackernews.

“The malicious code will have all the rights that WhatsApp has, including recording, accessing the camera, accessing the file system, as well as WhatsApp's sandbox files including messaging facilities, and chats. protection by application, etc.

How does this flaw work?

WhatsApp uses a parsing library to create a preview of GIF files when users open their device before sending them to friends or family.

So this flaw can not "Activate" by sending a malicious GIF file to the victim. Instead, it is triggered when the victim selects the WhatsApp Gallery Picker library and sends these photos to others.

Readers can view PoC here:

To exploit this vulnerability, all an attacker needs to do is send a manually created malicious GIF (insert malicious code) to Android users via any online channel and wait for the user to open the image gallery. Photos in WhatsApp.

However, if an attacker wants to send a GIF file to a victim via any messaging platform like WhatsApp or Messenger, they need to send that file as a document instead of a media attachment, because when compressed Images used by these services will falsify malicious code hidden in the image.

The application version has vulnerabilities, and patches

The flaw affects versions of the WhatsApp 2.19.230 app and earlier versions running on Android 8.1 and 9.0 operating systems, which do not exist with Android OS 8.0 and below.

"In older versions of Android, the" double-free "flaw could still be affected. However, because malloc is called by the system after calling free functions, the application can only be exploited when I control the registers on the PC, "the researcher wrote.

Author Pham Hong Nhat told The Hacker News that he reported the vulnerability to Facebook, the owner of WhatsApp, in late July of this year, and the company developed a security patch in WhatsApp version 2.19.244. , released in September.

Therefore, in order to protect your device against all risks from this vulnerability, you should update WhatsApp to the latest version from the Google Play Store as soon as possible.

In addition, due to the vulnerability in the open source library, it is also possible that any other Android application using the same affected library could be vulnerable to the same attack. The effect, which is Android GIF Drawable, has also released version 1.2.18 of the software to patch this "double-free" flaw.

WhatsApp for iOS is not affected by this vulnerability.

We will have a technical analysis of this vulnerability, invite readers to watch and watch.


29 Oct

At the beginning of September, the CMC Threat Intelligence system received information about cyber attacks targeting some administrative units in the northern provinces of Vietnam. CMC Cyber Security has made in-depth analysis of the malicious files used in this campaign.

Through the process of understanding and analyzing signs and models serving for this attack, malicious analysts of CMC Cyber Security identified the attack group as likely originating from China. Specifically, experts identified the malicious documents that attacked Vietnam in this campaign originated from Mustang Panda group, a group of hackers highly appreciated for very methodical, technical and special tactics.

Malicious text files hackers use

Samples received after analysis can be divided into two categories. Each type uses a different payload implementation but still has some common characteristics:

  • The samples sent to the victim are compressed in zip files to avoid being intercepted by applications.
  • The zip file contains the .lnk shortcut file with the .doc extension (eg sample.doc.lnk) to deceive the user.
  • The lnk file attached to the hta file can execute the script.
  • Script to open the attached document file for the user and implicitly execute the payload.

For the first type, the template is a shortcut file with the extension .lnk, usually named with the .doc extension to fool users because the .lnk extension will be hidden by Windows. The suspicious point is in the target part of the shortcut file. However, the target of the sample contains a command to launch the Mshta.exe process to execute the embedded hta file. When the user opens the lnk file, the machine will execute the command in the target of the lnk file and execute the mshta.exe file to open itself.

Similar to type one, type two is also an lnk file embedded before the hta file. At the stage of vbscript execution, the script in the malware will decode and save into %temp% folder 2 binary files, 1 file is payload and 1 document file to display to the user.

The purpose of all the samples collected is to connect to the c & c server, download the malicious code to steal user information and provide remote control functionality.

The most remarkable thing is the sophistication in the documents created to deceive users. Unlike the apt templates we faced a few years ago, the "bait" documents were written sloppily, the slang, the patchwork documents were in a form that did not match the recent regular documents, Accurate and meticulous in attack documents is easy to deceive users. Especially even in the content, the text also clearly shows political purposes.

With the comprehensive prevention of the very difficult APT attack, CMC Cyber Security experts recommend to customers measures to prevent, minimize and detect APT's harm early:

  • For users:
    • Be careful when receiving emails, links, strange files.
    • Correctly authenticate safe and reliable sending sources.
    • Use the Endpoint Security tool.
  • For Businesses:
    • Implement surveillance systems, detect or prevent unauthorized intrusion.
    • Periodically assess and verify hazards to the system.
    • Raising awareness of each individual in the collective about responsibility to ensure information security and safety.
    • Having a plan to cope with incidents

Currently CMC Cyber Security has the latest software version of CMC Antivirus / CMC Internet Security, individual users can install anti-virus software on mobile phones and computers to prevent promptly before the computer is infected. .

22 Oct

With the current situation of high-tech cyber crime currently growing with large-scale attacks and properties, CMC Cyber Security - Vietnam's leading company in Security and Security has accumulated technologies and Experience to provide CMC Vulnerability Assessment Platform (C-VAP) solution.

This tool is able to support proactive network administrators in scanning and assessing vulnerabilities in their systems so that they can soon be the solution to protect, overcome and be the first choice for system administrators. system.

The solution has outstanding features such as:

  • Detects top 10 OWASP security vulnerabilities including SQL Injection, Cross Site Scripting, Broken Authentication, Broken Access Control, etc.
  • Integrated AI, Machine Learning helps early detection of vulnerabilities, quick and accurate alerts help reduce the time the system is at risk of being attacked.
  • Update vulnerability data continuously thanks to CMC Threat IntelligenceTM - a platform for collecting and sharing data about information security threats in the world, connecting to international data sources such as Proofpoint, Pulsedive , Anomali, Virustotal, OTX, MISP, etc.
  • International standard data, easily integrated with network security management systems of agencies and organizations.
  • The report is analyzed by several levels, suitable for C-level management or system administrators

Especially, the solution of automatically assessing security hole C-VAP will bring many benefits to customers:

  • Strict operation mechanism follows 4 steps (Planning, reviewing, exploiting, reporting).
  • Clear deployment model.
  • Easy to deploy installation.
  • Proactively scan vulnerabilities that are exploited in the system, website.
  • Reports, review results and recommendations help customers have an overview of the system status, from which soon there are plans to overcome and improve the organization's information security status.
  •  Government requirements on information security (Law on Cyber Security, Law on Information Security, Decree 85/2018 / ND-CP, ...)
Deployment model Solution C-VAP security vulnerability self-assessment solution

Regarding mechanism of operation, C-VAP operates in compliance with 4 main steps:

  • Planning: Gathering system information, defining scoping scope.
  • Review: Review networks, web applications, network devices and mobile devices.
  • Exploiting: Exploiting the vulnerability found.
  • Report: The report assesses the danger level and recommends remediation for each found flaw; Create reports for many different user levels such as engineering, management ...; Export reports in multiple formats PDF, DOCX, CSV, ...
22 Oct

C-WAF web application firewall solution (CMC Web Application Firewall) is part of the information security suite provided by CMC CS to businesses, integrated cloud services to protect websites, APIs against attacks, threats that have been or have never been. known by its powerful ruleset tools that integrate artificial intelligence to improve performance.

CMC WAP has the following outstanding features:

  • Application protection

CMC WAF protects the website against OWASP's top 10 threats including Cross-Site Scripting (XSS) and SQL Injection.

Protect your website against application-layer DDoS attacks (layer 7): All incoming traffic is continuously statistics and if it exceeds the threshold will be checked to verify it is coming from humans.

Virtual patching vulnerabilities: CMC WAF creates a virtual shield to protect the website against threats when the vulnerabilities are actually patched.

HTTPS / SSL via WAF: Secure security of data transfer between administrators and users, using WAF SSL certificates (SSL Certificates).

  • Powerful rule set, easy to customize

CMC CS continually researches and improves detection and minimizes threats from threats. In addition, CMC WAF allows users to add their own custom rules or turn on / off any of the available rules.

  • Real Time Monitoring & Analysis

CMC WAF provides real-time insights on web traffic and security events.

  • Unusual behavior detection using AI

Improve the ability to detect new threats and zero-day vulnerabilities by taking advantage of topic modeling techniques supported by CMC SOC AI to detect abnormal application requirements. and determine if they are a threat.

  • CMC Threat Intelligence

Threat Intelligence is a database of threats and weaknesses that can be exploited in cyberspace. CMC TI is researched, developed and optimized by the experts of CMC CS, which helps reduce false positive rates, saving management time.

CMC WAF uses CMC TI to help detect and prevent threats from attacking websites

Besides, CMC WAF solution also gives customers a lot of benefits and advantages:

  • Protect 24/7 applications and websites against OWASP top 10 threats including Cross-site Scripting and SQL Injection.
  • The dashboard interface easily manages firewall activity, network traffic.
  • Application of AI and Machine Learning technology helps detect threats instantly.
  • Easily customize the rule sets (rules) for the firewall to suit the characteristics of customers.
  • Easy scaling due to being integrated on the cloud.
  • Comply with PCI-DSS card data security standards for banks.

In terms of mechanism of operation, CMC WAF provides a continuous protection solution for websites and applications that use network traffic analysis and only allows valid access requests through.

21 Oct

The first engineer of CMC Cyber Security Company has successfully conquered Offensive Security Certified Expert - OSCE. This is one of the prestigious information security evaluation certificates in the world.

OSCE is recognized as one of the most difficult information security evaluation certificates in the industry. According to statistics from LinkedIn, up to now in the world, only nearly 3,000 people have passed the exam and successfully conquered the prestigious OSCE certificate.

In order to receive OSCE certification, engineers had to go through a lot of difficulties, challenges and pressures. Each engineer must complete the Cracking the Perimeter (CTP) course, undergo at least 30 days of practice in attacking labs on Offensive Security's system and pass the 48-hour online exam continuously.

The test results must then be written in English, assessed within 7 days before the official publication of results. This rigorous roadmap is the clearest evidence of the location and capacity of its owners. This is probably the most memorable time with many unforgettable memories of engineers when conquering OSCE certificate.

At the exam, engineers demonstrated their ability to research, collect information, identify all existing vulnerabilities and perform all attacks, exploit complex security vulnerabilities to gain control. system. It can be said that the most important assessment in the exam is sharp thinking and execution skills under great pressure.

Mr. Ha The Phuong - Deputy General Director of CMC Cyber Security said: “I am very happy that the company has the first engineer to achieve the prestigious OSCE world-class security expert certificate. To provide security assessment services of international standards, CMC Cyber Security always focuses on promoting the improvement of qualifications and capabilities of engineers. At the same time, the company always encourages and supports engineers to participate in competitions to achieve the most prestigious and valuable certificates in the world ”.

Mr. Phuong also said that CMC Cyber Security is a unit with more than 10 years of experience in providing professional information security assessment services with many projects for large customers, the company's engineers. achieving OSCE certification is a practical complement to the quality of critical information system assessment at both national and worldwide levels. This is also the clearest evidence for the capacity and qualification of the information security engineering team of CMC Cyber Security, helping customers to be more assured of the quality of information security assessment service that the company is. provided.

CMC bắt tay cùng Viettel, BKAV, VNCS, CyRadar  thành lập Câu lạc bộ Đánh giá, kiểm định an toàn thông tin Việt Nam
20 Sep

The Vietnam Information Security Testing, Evaluation and Verification Club has just been established by the Vietnam Information Security Association (VNISA) with 8 founding members including CMC, Viettel, FPT, BKAV, VNCS, CyRadar. , HPT and MISOFT.

As a professional organization under Vietnam Information Security Association - VNISA, Vietnam Information Security Testing, Evaluation and Verification Club includes VNISA members operating in the field of information security. network news, voluntarily join the Club and comply with the Club's Regulations.

Specifically, according to the establishment decision, the Vietnam Information Security Inspection, Evaluation and Testing Club has 8 founding members, namely Viettel Network Security Company, CyRadar Information Security Joint Stock Company, BKAV Joint Stock Company, Vietnam Cybersecurity Technology Joint Stock Company (VNCS), HPT Information Technology Services Joint Stock Company, Software Development and Technology Support Joint Stock Company (MISOFT) ), CMC Information Security Security Company Limited, FPT Network Security Center.

Internationally known as Vietnam Cyber Security Assessment and Audit Club (VSAC), the operation of Vietnam Information Testing, Evaluation and Verification Club aims to help members of the Club. and the community to improve knowledge in the field of information security services; At the same time, the information security service market in Vietnam will be developed and there will be a healthy competition among service providers.

The club has tasks such as: analyzing, researching, proposing and implementing measures to build and develop the information security testing, evaluation and testing service market in Vietnam; to contribute opinions to formulate state policies, to set up standards and regulations on examination and evaluation of state information security; building criteria and standards in the field of information security inspection, evaluation and verification of the Association.

In addition, this newly established club of VNISA will also be a place to share experiences and knowledge related to information security inspection, assessment and testing services of Club members and community. copper; assist members of the Assessment Club to assess the quality of information security testing, evaluation and testing services as proposed by members.

It is known that in the work plan in 2019, VNISA has expected with the support of the Department of Information Security - Ministry of Information and Communications, to develop and implement training programs and grant certificates of information security inspectors. Vietnam aims to contribute to the development of an independent, professional and civilian information security auditor.

Supporting VNISA's proposal, at the meeting of VNISA members in early 2019 taking place in March, the representative of the Information Security Department said: “Any country strong in information security, the Professional Association of that country is also very strong and reputable. In the world, these standards are often formed by Associations. Stemming from the point of view that the government does little, the Association, businesses, and the civil work force are the main ones. formulating and successfully deploying the training program, granting certificates of information security inspectors ”.