By Deeba Ahmed
The malware, dubbed NKAbuse, uses New Kind of Network (NKN) technology, a blockchain-powered peer-to-peer network protocol to spread its infection.
This is a post from HackRead.com Read the original post: New ‘NKAbuse’ Linux Malware Uses Blockchain Technology to Spread

Cybersecurity researchers from Kaspersky’s Global Emergency Response Team (GERT) have identified that the NKAbuse malware is actively targeting devices in Colombia, Mexico, and Vietnam.

Kaspersky’s Global Emergency Response Team (GERT) has discovered a new multiplatform malware threat that uses innovative tactics to hijack victims. The malware, dubbed NKAbuse, uses New Kind of Network (NKN) technology, a blockchain-powered peer-to-peer network protocol to spread its infection.

NKAbuse is a Go-based backdoor used as a botnet to target Linux desktops and potentially IoT devices. The malware allows attackers to launch Distributed Denial of Service (DDoS) attacks or fling remote access trojans (RATs).

It is worth noting that the backdoor relies on NKN for anonymous yet reliable data exchange. For your information, NKN is an open-source protocol that allows peer-to-peer data exchange over a public blockchain with over 60,000 active nodes. It aims to provide a decentralized alternative to client-to-server methods while preserving speed and privacy.

The botnet can carry out flooding attacks using the 60,000 official nodes and links back to its C2 (command & control) servers. It features an extensive arsenal of DDoS attacks and multiple features to turn into a powerful backdoor or RAT.

The malware implant creates a structure called “Heartbeat” that communicates with the bot master regularly. It stores information about the infected host, including the victim’s PID, IP address, free memory, and current configuration.

Kaspersky researchers uncovered NKAbuse while investigating an incident targeting one of its customers in the finance sector. Further examination revealed that NKAbuse exploits an old Apache Struts 2 vulnerability (tracked as CVE-2017-5638).

The vulnerability, as reported by Hackread.com in December 2017, allows attackers to execute commands on the server using a “shell” header and Bash and then execute a command to download the initial script.

NKAbuse leverages the NKN protocol to communicate with the bot master and send/receive information. It creates a new account and multiclient to simultaneously send/receive data from multiple clients.

The NKN account is initialized with a 64-character string representing the public key and remote address. Once the client is set up, the malware establishes a handler to accept incoming messages, which contains 42 cases, each performing different actions based on the sent code.

NKN data routing diagram (Image: Kaspersky’s GERT)

Researchers observed that attackers exploited the Struts 2 flaw using a publicly available proof of concept exploit. They executed a remote shell script, determining the victim’s operating system and installing a second-stage payload. Using NKAbuse’s amd64 version, the attack achieved persistence through cron jobs.

> _“This particular implant appears to have been meticulously crafted for integration into a botnet, yet it can adapt to functioning as a backdoor in a specific host and its use of blockchain technology ensures both reliability and anonymity, which indicates the potential for this botnet to expand steadily over time, seemingly devoid of an identifiable central controller.”_
> 
> Kaspersky’s Global Emergency Response Team (GERT)

NKAbuse has no self-propagation functionality and can target at least eight different architectures, although Linux is the priority. Successful implantation can lead to data compromise, theft, remote administration, persistence, and DDoS attacks.

For now, its operators are focusing on infecting devices in Colombia, Mexico, and Vietnam. However, researchers suspect its potential for expansion over time.

****_RELATED ARTICLES_****

1.  **Free Download Manager Site Pushed Linux Password Stealer**
2.  **New XorDdos-Linked Linux RAT Krasue Targeting Telecom Firms**
3.  **Hamas Hackers Targeting Israelis with New BiBi-Linux Wiper Malware**
4.  **Kinsing Crypto Malware Hits Linux Systems via Apache ActiveMQ Flaw**
5.  **Looney Tunables Linux Vulnerability Exposes Millions of Systems to Attack**

New ‘NKAbuse’ Linux Malware Uses Blockchain Technology to Spread

Red Hat Security Advisory 2023-7856-03 - New Red Hat Single Sign-On 7.6.6 packages are now available for Red Hat Enterprise Linux 8. Issues addressed include bypass, cross site scripting, and denial of service vulnerabilities.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7856.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: Red Hat Single Sign-On 7.6.6 security update on RHEL 8Advisory ID:        RHSA-2023:7856-03Product:            Red Hat Single Sign-OnAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7856Issue date:         2023-12-14Revision:           03CVE Names:          CVE-2023-6134====================================================================Summary: New Red Hat Single Sign-On 7.6.6 packages are now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.This release of Red Hat Single Sign-On 7.6.6 on RHEL 8 serves as a replacement for Red Hat Single Sign-On 7.6.5, and includes bug fixes and enhancements.Security Fix(es):* keycloak: reflected XSS via wildcard in OIDC redirect_uri (CVE-2023-6291)* keycloak: redirect_uri validation logic that allows for a bypass of otherwise explicitly allowed hosts (CVE-2023-6134)* keycloak: offline session token DoS (CVE-2023-6563)For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-6134References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2249673https://bugzilla.redhat.com/show_bug.cgi?id=2251407https://bugzilla.redhat.com/show_bug.cgi?id=2253308

Red Hat Security Advisory 2023-7856-03

Red Hat Security Advisory 2023-7855-03 - New Red Hat Single Sign-On 7.6.6 packages are now available for Red Hat Enterprise Linux 9. Issues addressed include bypass, cross site scripting, and denial of service vulnerabilities.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7855.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: Red Hat Single Sign-On 7.6.6 security update on RHEL 9Advisory ID:        RHSA-2023:7855-03Product:            Red Hat Single Sign-OnAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7855Issue date:         2023-12-14Revision:           03CVE Names:          CVE-2023-6134====================================================================Summary: New Red Hat Single Sign-On 7.6.6 packages are now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.This release of Red Hat Single Sign-On 7.6.6 on RHEL 9 serves as a replacement for Red Hat Single Sign-On 7.6.5, and includes bug fixes and enhancements.Security Fix(es):* keycloak: redirect_uri validation logic that allows for a bypass of otherwise explicitly allowed hosts (CVE-2023-6134)* keycloak: reflected XSS via wildcard in OIDC redirect_uri (CVE-2023-6291)* keycloak: offline session token DoS (CVE-2023-6563)For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-6134References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2249673https://bugzilla.redhat.com/show_bug.cgi?id=2251407https://bugzilla.redhat.com/show_bug.cgi?id=2253308

Red Hat Security Advisory 2023-7855-03

Red Hat Security Advisory 2023-7854-03 - New Red Hat Single Sign-On 7.6.6 packages are now available for Red Hat Enterprise Linux 7. Issues addressed include bypass, cross site scripting, and denial of service vulnerabilities.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7854.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: Red Hat Single Sign-On 7.6.6 security update on RHEL 7Advisory ID:        RHSA-2023:7854-03Product:            Red Hat Single Sign-OnAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7854Issue date:         2023-12-14Revision:           03CVE Names:          CVE-2023-6134====================================================================Summary: New Red Hat Single Sign-On 7.6.6 packages are now available for Red Hat Enterprise Linux 7.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.This release of Red Hat Single Sign-On 7.6.6 on RHEL 7 serves as a replacement for Red Hat Single Sign-On 7.6.5, and includes bug fixes and enhancements.Security Fix(es):* keycloak: reflected XSS via wildcard in OIDC redirect_uri (CVE-2023-6291)* keycloak: redirect_uri validation logic that allows for a bypass of otherwise explicitly allowed hosts (CVE-2023-6134)* keycloak: offline session token DoS (CVE-2023-6563)For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-6134References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2249673https://bugzilla.redhat.com/show_bug.cgi?id=2251407https://bugzilla.redhat.com/show_bug.cgi?id=2253308

Red Hat Security Advisory 2023-7854-03

Red Hat Security Advisory 2023-7851-03 - Updated Satellite 6.14 packages that fixes Important security bugs and several regular bugs are now available for Red Hat Satellite. Issues addressed include cross site scripting and local file inclusion vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7851.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: Satellite 6.14.1 Async Security Update  
Advisory ID:        RHSA-2023:7851-03  
Product:            Red Hat Satellite 6  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:7851  
Issue date:         2023-12-14  
Revision:           03  
CVE Names:          CVE-2023-4886  
====================================================================

Summary: 

Updated Satellite 6.14 packages that fixes Important security bugs and several  
regular bugs are now available for Red Hat Satellite.

Description:

Red Hat Satellite is a system management solution that allows organizations  
to configure and maintain their systems without the necessity to provide  
public Internet access to their servers or other client systems. It  
performs provisioning and configuration management of predefined standard  
operating environments.

Security fix(es):

* rubygem-actionpack: actionpack: Possible XSS via User Supplied Values to redirect_to [rhn_satellite_6.14] (CVE-2023-28362)

* foreman: World readable file containing secrets [rhn_satellite_6.14] (CVE-2023-4886)

* python-urllib3: urllib3: Request body not stripped after redirect from 303 status changes request method to GET [rhn_satellite_6-default] (CVE-2023-45803 )

*  python-gitpython: GitPython: Blind local file inclusion [rhn_satellite_6-default] (CVE-2023-41040)

This update fixes the following bugs:

2250342 - REX job finished with exit code 0 but the script failed on client side due to no space.  
2250343 - Selinux denials are reported after following \"Chapter 13. Managing Custom File Type Content\" chapter step by step  
2250344 - Long running postgres threads during content-export  
2250345 - Upgrade django-import-export package to at least 3.1.0  
2250349 - After upstream repo switched to zst compression, Satellite 6.12.5.1 unable to sync  
2250350 - Slow generate applicability for Hosts with multiple modulestreams installed  
2250352 - Recalculate button for Errata is not available on Satellite 6.13/ Satellite 6.14 if no errata is present  
2250351 - Actions::ForemanLeapp::PreupgradeJob fails with null value in column \"preupgrade_report_id\" violates not-null constraint when run with non-admin user  
2251799 - REX Template for 'convert2rhel analyze' command  
2254085 - Getting '/usr/sbin/foreman-rake db:migrate' returned 1 instead of one of [0] ERROR while trying to upgrade Satellite 6.13 to 6.14   
2254080 - satellite-convert2rhel-toolkit rpm v1.0.0 in 6.14.z

Users of Red Hat Satellite are advised to upgrade to these updated  
packages, which fix these bugs.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-4886

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://access.redhat.com/documentation/en-us/red_hat_satellite/6.14/html/upgrading_red_hat_satellite_to_6.14/index  
https://bugzilla.redhat.com/show_bug.cgi?id=2217785  
https://bugzilla.redhat.com/show_bug.cgi?id=2230135  
https://bugzilla.redhat.com/show_bug.cgi?id=2246840  
https://bugzilla.redhat.com/show_bug.cgi?id=2247040  
https://bugzilla.redhat.com/show_bug.cgi?id=2250342  
https://bugzilla.redhat.com/show_bug.cgi?id=2250343  
https://bugzilla.redhat.com/show_bug.cgi?id=2250344  
https://bugzilla.redhat.com/show_bug.cgi?id=2250345  
https://bugzilla.redhat.com/show_bug.cgi?id=2250349  
https://bugzilla.redhat.com/show_bug.cgi?id=2250350  
https://bugzilla.redhat.com/show_bug.cgi?id=2250351  
https://bugzilla.redhat.com/show_bug.cgi?id=2250352  
https://bugzilla.redhat.com/show_bug.cgi?id=2251799  
https://bugzilla.redhat.com/show_bug.cgi?id=2254080  
https://bugzilla.redhat.com/show_bug.cgi?id=2254085

Red Hat Security Advisory 2023-7851-03

Red Hat Security Advisory 2023-7841-03 - An update for gstreamer1-plugins-bad-free is now available for Red Hat Enterprise Linux 8. Issues addressed include a use-after-free vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7841.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: gstreamer1-plugins-bad-free security updateAdvisory ID:        RHSA-2023:7841-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7841Issue date:         2023-12-14Revision:           03CVE Names:          CVE-2023-44446====================================================================Summary: An update for gstreamer1-plugins-bad-free is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:GStreamer is a streaming media framework based on graphs of filters which operate on media data. The gstreamer1-plugins-bad-free package contains a collection of plug-ins for GStreamer.Security Fix(es):* gstreamer: MXF demuxer use-after-free vulnerability (CVE-2023-44446)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-44446References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2250249

Red Hat Security Advisory 2023-7841-03

Red Hat Security Advisory 2023-7840-03 - An update for gstreamer1-plugins-bad-free is now available for Red Hat Enterprise Linux 8.8 Extended Update Support. Issues addressed include a use-after-free vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7840.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: gstreamer1-plugins-bad-free security updateAdvisory ID:        RHSA-2023:7840-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7840Issue date:         2023-12-14Revision:           03CVE Names:          CVE-2023-44446====================================================================Summary: An update for gstreamer1-plugins-bad-free is now available for Red Hat Enterprise Linux 8.8 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:GStreamer is a streaming media framework based on graphs of filters which operate on media data. The gstreamer1-plugins-bad-free package contains a collection of plug-ins for GStreamer.Security Fix(es):* gstreamer: MXF demuxer use-after-free vulnerability (CVE-2023-44446)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-44446References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2250249

Red Hat Security Advisory 2023-7840-03

Red Hat Security Advisory 2023-7836-03 - An update for avahi is now available for Red Hat Enterprise Linux 8. Issues addressed include a denial of service vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7836.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: avahi security update  
Advisory ID:        RHSA-2023:7836-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:7836  
Issue date:         2023-12-14  
Revision:           03  
CVE Names:          CVE-2021-3468  
====================================================================

Summary: 

An update for avahi is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Avahi is an implementation of the DNS Service Discovery and Multicast DNS specifications for Zero Configuration Networking. It facilitates service discovery on a local network. Avahi and Avahi-aware applications allow you to plug your computer into a network and, with no configuration, view other people to chat with, view printers to print with, and find shared files on other computers.

Security Fix(es):

* avahi: Local DoS by event-busy-loop from writing long lines to /run/avahi-daemon/socket (CVE-2021-3468)

* avahi: Reachable assertion in avahi_dns_packet_append_record (CVE-2023-38469)

* avahi: Reachable assertion in avahi_escape_label (CVE-2023-38470)

* avahi: Reachable assertion in dbus_set_host_name (CVE-2023-38471)

* avahi: Reachable assertion in avahi_rdata_parse (CVE-2023-38472)

* avahi: Reachable assertion in avahi_alternative_host_name (CVE-2023-38473)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2021-3468

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://bugzilla.redhat.com/show_bug.cgi?id=1939614  
https://bugzilla.redhat.com/show_bug.cgi?id=2191687  
https://bugzilla.redhat.com/show_bug.cgi?id=2191690  
https://bugzilla.redhat.com/show_bug.cgi?id=2191691  
https://bugzilla.redhat.com/show_bug.cgi?id=2191692  
https://bugzilla.redhat.com/show_bug.cgi?id=2191694

Red Hat Security Advisory 2023-7836-03

A novel multi-platform threat called NKAbuse has been discovered using a decentralized, peer-to-peer network connectivity protocol known as NKN (short for New Kind of Network) as a communications channel.
"The malware utilizes NKN technology for data exchange between peers, functioning as a potent implant, and equipped with both flooder and backdoor capabilities," Russian

Blockchain / Internet of Things

A novel multi-platform threat called **NKAbuse** has been discovered using a decentralized, peer-to-peer network connectivity protocol known as NKN (short for New Kind of Network) as a communications channel.

"The malware utilizes NKN technology for data exchange between peers, functioning as a potent implant, and equipped with both flooder and backdoor capabilities," Russian cybersecurity company Kaspersky said in a Thursday report.

NKN, which has over 62,000 nodes, is described as a "software overlay network built on top of today's Internet that enables users to share unused bandwidth and earn token rewards." It incorporates a blockchain layer on top of the existing TCP/IP stack.

UPCOMING WEBINAR

Beat AI-Powered Threats with Zero Trust - Webinar for Security Professionals

Traditional security measures won't cut it in today's world. It's time for Zero Trust Security. Secure your data like never before.

Join Now

While threat actors are known to take advantage of emerging communication protocols for command-and-control (C2) purposes and evade detection, NKAbuse leverages blockchain technology to conduct distributed denial-of-service (DDoS) attacks and function as an implant inside compromised systems.

Specifically, it uses the protocol to talk to the bot master and receive/send commands. The malware is implemented in the Go programming language, and evidence points to it being used primarily to single out Linux systems, including IoT devices.

It's currently not known how widespread the attacks are, but one instance identified by Kaspersky entails the exploitation of a six-year-old critical security flaw in Apache Struts (CVE-2017-5638, CVSS score: 10.0) to breach an unnamed financial company.

Successful exploitation is followed by the delivery of an initial shell script that's responsible for downloading the implant from a remote server, but not before checking the operating system of the target host. The server hosting the malware houses eight different versions of NKAbuse to support various CPU architectures: i386, arm64, arm, amd64, mips, mipsel, mips64, and mips64el.

Another notable aspect is its lack of a self-propagation mechanism, meaning the malware needs to be delivered to a target by another initial access pathway, such as through the exploitation of security flaws.

"NKAbuse makes use of cron jobs to survive reboots," Kaspersky said. "To achieve that, it needs to be root. It checks that the current user ID is 0 and, if so, proceeds to parse the current crontab, adding itself for every reboot."

NKAbuse also incorporates a bevy of backdoor features that allow it to periodically send a heartbeat message to the bot master, which contains information about the system, capture screenshots of the current screen, perform file operations, and run system commands.

"This particular implant appears to have been meticulously crafted for integration into a botnet, yet it can adapt to functioning as a backdoor in a specific host," Kaspersky said. "Moreover, its use of blockchain technology ensures both reliability and anonymity, which indicates the potential for this botnet to expand steadily over time, seemingly devoid of an identifiable central controller."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New NKAbuse Malware Exploits NKN Blockchain Tech for DDoS Attacks

By Waqas
Polish authorities and FortiGuard Labs have issued a warning to customers about a new wave of cyberattacks associated with TeamCity.
This is a post from HackRead.com Read the original post: Russian APT29 Hacked US Biomedical Giant in TeamCity-Linked Breach

According to cybersecurity researchers at FortiGuard Labs, the Russian intelligence-linked APT29 group exploited a critical TeamCity vulnerability, which had initially been patched in September 2023.

Polish Military Counterintelligence Service (SKW) has released an advisory revealing that Russian Foreign Intelligence Service (SVR) affiliated threat actors are utilizing JetBrains CVE in global targeting. 

Here, it is worth noting that TeamCity and JetBrains are closely linked, with TeamCity being a continuous integration (CI) server developed and maintained by JetBrains.

As **reported by Hackread**.com, the vulnerability, which scored 9.8 by CVSS, was patched in September 2023. However, authorities particularly identified the notorious advanced persistent threat group called APT29, aka the Dukes, CozyBear, and NOBELIUM/Midnight Blizzard, to be exploiting CVE-2023-42793.

The threat actor used Scheduled Tasks to execute GraphicalProton payloads, using rundll32 proxy execution as a defence evasion method. They also used legitimate third-party binaries vulnerable to search order hijacking.

“If compromised, access to a TeamCity server would provide malicious actors with access to that software developer’s source code, signing certificates, and the ability to subvert software compilation and deployment processes—access a malicious actor could further use to conduct supply chain operations” the **advisory** read.

SKW’s findings are supported by the FortiGuard Labs team of researchers. In their latest **blog post**, FortiGuard reports that APT29 has targeted a US-based biomedical manufacturing organization (_the name of which has not been shared with the media or public_) and revealed the threat actor’s TTPs. The report discusses the intrusion of this vulnerability found in TeamCity, a Windows server, by **APT29**.

Researchers noted that on 6 September 2023, Sonar’s cybersecurity experts discovered a critical TeamCity On-Premises vulnerability (tracked as **CVE-2023-42793**). This vulnerability was assigned a CVSS score of 9.8 due to its ability to be deployed without authentication. CISA added it to its ‘Known Exploited Vulnerabilities Catalog’ on October 4, 2023.

The FortiGuard Incident Response team reports that in October 2023, a US-based biomedical manufacturing organization was compromised due to this vulnerability exploited by APT29. The attack was initially exploited using a custom-built Python script, matching the GraphicalProton malware used by APT29. 

Analysis of application and system logs revealed evidence of successful exploitation, but some threat actors were unsuccessful at running **Linux system** commands on the victim Windows Server. APT29 likely employed Nuclei to identify potential victims and began executing additional discovery commands to gather system and privilege information.

The US-based tertiary education organization was targeted by APT29 with a C2 IP address discovered by the FortiGuard IR team. They discovered the organization’s infrastructure was compromised and identified an exploitation of their vulnerable TeamCity server. 

The threat actor used the TeamCity exploit to install an SSH certificate, which they used to maintain access to another victim’s environment. The actor downloaded a DLL file, ‘AclNumsInvertHost.dll,’ on the TeamCity host and used the TeamCity RCE vulnerability to create a Windows-scheduled task referencing the DLL file for persistence.

The screenshot shows the attack timeline of TeamCity intrusion (Credit: Fortinet Labs)

Despite a patch, the attacker persisted on the compromised host, leveraging their GraphicalProton implant. FortiGuard believes this attack was part of a **new APT29 campaign**. Significant OPSEC considerations included compromised infrastructure, search order hijacking with legitimate DLLs added, quality of masquerading, and single-use infrastructure components.

Researchers recommend containment and eradication actions, including blocking IP addresses, removing TeamCity software accounts, removing Windows accounts, removing backdoors, and removing malicious files dropped by threat actors to stay protected against threats like GraphicalProton.

****_RELATED ARTICLES_****

1.  **Russian Midnight Blizzard Hackers Hit MS Teams in Precision Attack**
2.  **Russian Hackers Employ Telekopye Toolkit in Broad Phishing Attacks**
3.  **Microsoft warns of rising NOBELIUM credential attacks on defence sector**
4.  **Microsoft Outlook Vulnerability Exploited by Russian Forest Blizzard Group**
5.  **Russia Hackers Abusing BRc4 Red Team Penetration Tool in Recent Attacks**

Tag

#linux