Researchers describe discovery of ‘mega’ zero-day

Researchers describe discovery of ‘mega’ zero-day

Oracle has patched a remote code execution (RCE) vulnerability impacting Oracle Fusion Middleware and various other Oracle systems.

Security researchers ‘Peterjson’ and ‘Jang’ reported a pair of severe flaws to Oracle that can be chained to achieve RCE, which they dubbed the ‘Miracle Exploit’.

The researchers said they privately told Oracle about a serious vulnerability they discovered in Oracle Access Manager, tracked as CVE-2021–35587. The CVSS 9.8 bug is described as an “easily exploitable” flaw that allows unauthenticated attackers with network access via HTTP for application takeover.

**Accidental discovery**

Jang said the flaw was discovered by accident when the duo were “building a PoC \[proof of concept exploit code\] for another mega 0-day”.

While working with the Zero Day Initiative (ZDI), this research led to the discovery of CVE-2022–21445. This ‘mega’ bug, issued a severity score of 9.8, was found in the Oracle Application Development Framework (ADF) Faces architecture, a component of Oracle Fusion Middleware.

Catch up on the latest vulnerability-related security news and analysis

The deserialization of trusted data issue can be chained with CVE-2022–21497 (CVSS 8.1), a takeover flaw in Oracle Web Services Manager, to achieve pre-authentication RCE.

CVE-2022–21445 impacts a variety of products and services based on Fusion Middleware, various Oracle systems, and even Oracle’s cloud infrastructure. Unauthenticated attackers with network access, via HTTP, can abuse the vulnerability chain.

“One more thing to note, any website was developed by ADF Faces framework are affected,” Peterjson said.

**Disclosure and patches**

After testing Oracle services and domains, the vulnerability report was submitted to the vendor on October 25, 2021. In the same month, Oracle confirmed receipt of the report and said it was investigating. However, it took the best part of six months for a patch to be issued.

Both issues have been resolved in Oracle’s April round of patches. Oracle is one of many technology vendors, alongside Microsoft and Adobe, that releases a monthly patch update to tackle bugs in its software.

Companies utilizing vulnerable Oracle software are urged to apply the patch immediately.

Other vendors potentially impacted by the pre-auth RCE were notified via their respective bug bounty programs. Peterjson told The Stack that companies have been informed if they have not applied Oracle’s fix, and that he believes the number of exposed instances is “huge”.

“Why \[did\] we hack some Oracle’s sites? Because we want to demonstrate the impact to Oracle and let them know this vulnerability is super dangerous, it affects Oracle system\[s\] and Oracle’s customers,” Peterjson commented.

“That’s why we want Oracle take an action ASAP. But as you can see, 6 months for Oracle to patch it, I don’t know why, but we have to accept it and follow Oracle’s policy.”

The Daily Swig has reached out to Oracle and we will update this story if and when we hear back.

YOU MIGHT ALSO LIKE Splunk patches critical vulnerability while users push for legacy updates

Oracle patches ‘miracle exploit’ impacting Middleware Fusion, cloud services

CISA warns of log4shell being actively exploited to compromise VMware Horizon systems. We take a look at their warning.
The post CISA Log4Shell warning: Patch VMware Horizon installations immediately appeared first on Malwarebytes Labs.

CISA and the United States Coast Guard Cyber Command (CGCYBER) are warning that the threat of Log4Shell hasn’t gone away. It’s being actively exploited and used to target organisations using VMware Horizon and Unified Access Gateway servers.

**Log4Shell: what is it?**

Log4Shell was a zero-day vulnerability in something called Log4j. This open source logging library written in Java is used by millions of applications, many of them incredibly popular. The easy to trigger attack could be used to perform remote code execution (RCE) on vulnerable systems. If successful, attackers could gain full control over a target system. If they managed to have affected apps log a special string, then it was a case of game over. The system(s) at this point would be ripe for exploitation.

Discovered in November 2021, the exploit was estimated to potentially affect hundreds of millions of devices. With so much potential for damage, fixes were quickly developed and released on December 6, three days before the vulnerability was published.

Related bugs and additional vulnerabilities were also discovered and subsequently patched.

**Broadening Log4Shell’s horizons**

According to CISA and CGCYBER, Log4Shell has been used to exploit unpatched, public-facing VMWare Horizon and UAG servers. Suspected APT threat actors…

> _…implanted loader malware on compromised systems with embedded executables enabling remote command and control (C2). In one confirmed compromise, these APT actors were able to move laterally inside the network, gain access to a disaster recovery network, and collect and exfiltrate sensitive data._

Attackers not only make use of malware and HTTP, but also PowerShell scripts and Remote Desktop Protocol (RDP). In the latter’s case, this was to further move around the network and other hosts inside the organisation’s production environment.

Compromised administrator accounts were used to run several additional forms of loader malware. Here are some of the samples found by CISA during one investigation:

*   SvcEdge.exe is a malicious Windows loader containing encrypted executable f7\_dump\_64.exe. When executed, SvcEdge.exe decrypts and loads f7\_dump\_64.exe into memory.
*   odbccads.exe is a malicious Windows loader containing an encrypted executable. When executed, odbccads.exe decrypts and loads the executable into memory.
*   praiser.exe is a Windows loader containing an encrypted executable. When executed, praiser.exe decrypts and loads the executable into memory.
*   fontdrvhosts.exe is a Windows loader that contains an encrypted executable. When executed, fontdrvhosts.exe decrypts and loads the executable into memory.
*   winds.exe is a Windows loader containing an encrypted malicious executable and was found on a server running as a service. During runtime, the encrypted executable is decrypted and loaded into memory. winds.exe has complex obfuscation, hindering the analysis of its code structures.

**Advice for securing installations**

CISA/CGCYBER are quite clear about this. Organisations which haven’t applied patches released back in December _should treat any and all affected VMware systems as compromised_:

*   Install fixed builds, updating all affected VMware Horizon and UAG systems to the latest versions. If updates or workarounds were not promptly applied following VMware’s release of updates for Log4Shell in December 2021, treat all affected VMware systems as compromised.
*   Minimize the internet-facing attack surface by hosting essential services on a segregated demilitarized (DMZ) zone, ensuring strict network perimeter access controls, and implementing regularly updated web application firewalls (WAFs) in front of public-facing services.
*   See VMware Security Advisory VMSA-2021-0028.13 and VMware Knowledge Base (KB) 87073 to determine which VMware Horizon components are vulnerable.
*   **Note:** Until the update is fully implemented, consider removing vulnerable components from the internet to limit the scope of traffic. While installing the updates, ensure network perimeter access controls are as restrictive as possible.
*   If upgrading is not immediately feasible, see KB87073 and KB87092 for vendor-provided temporary workarounds. Implement temporary solutions using an account with administrative privileges. Note that these temporary solutions should not be treated as permanent fixes; vulnerable components should be upgraded to the latest build as soon as possible. 
*   Prior to implementing any temporary solution, ensure appropriate backups have been completed. 
*   Verify successful implementation of mitigations by executing the vendor supplied script Horizon_Windows_Log4j_Mitigations.zip without parameters to ensure that no vulnerabilities remain. See KB87073 for details. 

Log4Shell, rated a 10 in the Common Vulnerability Scoring System (CVSS), is not to be trifled with. We advise affected organisations to pay heed to the warnings above and set about patching as soon as possible.

CISA Log4Shell warning: Patch VMware Horizon installations immediately

A suspected ransomware intrusion against an unnamed target leveraged a Mitel VoIP appliance as an entry point to achieve remote code execution and gain initial access to the environment.
The findings come from cybersecurity firm CrowdStrike, which traced the source of the attack to a Linux-based Mitel VoIP device sitting on the network perimeter, while also identifying a previously unknown

A suspected ransomware intrusion against an unnamed target leveraged a Mitel VoIP appliance as an entry point to achieve remote code execution and gain initial access to the environment.

The findings come from cybersecurity firm CrowdStrike, which traced the source of the attack to a Linux-based Mitel VoIP device sitting on the network perimeter, while also identifying a previously unknown exploit as well as a couple of anti-forensic measures adopted by the actor on the device to erase traces of their actions.

The exploit in question is tracked as CVE-2022-29499 and was fixed by Mitel in April 2022. It's rated 9.8 out of 10 for severity on the CVSS vulnerability scoring system, making it a critical shortcoming.

"A vulnerability has been identified in the Mitel Service Appliance component of MiVoice Connect (Mitel Service Appliances – SA 100, SA 400, and Virtual SA) which could allow a malicious actor to perform remote code execution (CVE-2022-29499) within the context of the Service Appliance," the company noted in an advisory.

The exploit entailed two HTTP GET requests — which are used to retrieve a specific resource from a server — to trigger remote code execution by fetching rogue commands from the attacker-controlled infrastructure.

In the incident investigated by CrowdStrike, the attacker is said to have used the exploit to create a reverse shell, utilizing it to launch a web shell ("pdf\_import.php") on the VoIP appliance and download the open source Chisel proxy tool.

The binary was then executed, but only after renaming it to "memdump" in an attempt to fly under the radar and use the utility as a "reverse proxy to allow the threat actor to pivot further into the environment via the VOIP device." But subsequent detection of the activity halted their progress and prevented them from moving laterally across the network.

The disclosure arrives less than two weeks after German penetration testing firm SySS revealed two flaws in Mitel 6800/6900 desk phones (CVE-2022-29854 and CVE-2022-29855) that, if successfully exploited, could allow an attacker to gain root privileges on the devices.

"Timely patching is critical to protect perimeter devices. However, when threat actors exploit an undocumented vulnerability, timely patching becomes irrelevant," CrowdStrike researcher Patrick Bennett said.

"Critical assets should be isolated from perimeter devices to the extent possible. Ideally, if a threat actor compromises a perimeter device, it should not be possible to access critical assets via 'one hop' from the compromised device."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Hackers Exploit Mitel VoIP Zero-Day Bug to Deploy Ransomware

By Deeba Ahmed
This newly discovered malware campaign is attributed to a Chinese hacking group called Tropic Trooper. Cybersecurity researchers at…
This is a post from HackRead.com Read the original post: Chinese Hackers Distributing Nim language Malware in SMS Bomber Tool

****This newly discovered malware campaign is attributed to a Chinese hacking group called Tropic Trooper.****

Cybersecurity researchers at Check Point have shared details of a new malware campaign suspected to be launched by a Chinese hacking group Tropic Trooper.

The malware operators are using a unique loader Nimbda, written in Nim language, and a new variant of Yahoyah trojan.

Researchers state that the hackers possess extensive cryptographic knowledge as they have extended the AES specification in a customized implementation.

**Info-Stealing Trojan Embedded in SMS Bomber Tool**

According to Check Point’s analysis, the info stealing trojan is hidden inside a Chinese language greyware tool called SMS Bomber. This tool is used for targeting cellphones with Denial of Service attacks (DoS attacks).

SMS Bomber tool allows users to enter any phone number to flood their phones with a message, rendering the devices unusable. Novice hackers typically use such tools to compromise websites.

**Attack Scenario**

When the infected version of SMS Bomber (equipped with standard functionalities and the tool’s binary) is downloaded to the device, the attack sequence is immediately initiated. The downloaded tool also contains additional coding injected into a notepad.exe process. 

In a blog post, researchers explained that This executable is the Nimbda loader, which uses the SMS Bomber as an icon and an executable while the loader injects shellcode in the notepad process in the background. The process then reaches a GitHub repository, fetches an obfuscated executable, decodes it, and executes it through process hollowing in Dllhost.exe, the new Yahoyah variant. 

This variant collects host-related data and transmits it to the attacker-operated C2 server. The final payload that Yahoyah executable drops is encoded in a JPG file through steganography. Researchers identified it as TClient. It is a backdoor used in previous campaigns by Tropic Trooper.

The interface of SMS Bomber (left) – Infection chain of the malware (right)

**What Information is Collected**

Yahoyah can collect device names, local wireless networks’ SSIDs located within the target device’s vicinity, MAC address, antivirus products installed on the device, OS version, and presence of Tencent and WeChat files.

The encryption used for Yahoyah is a custom AES implementation to perform the inverted sequence of round operations twice. Therefore, Check Point named it AEES. Though it doesn’t make encryption any stronger, it makes analyzing it complicated for researchers.

**Potential Targets**

Tropic Trooper has mainly focused on espionage in their previously identified phishing campaigns targeting Russian entities. However, in this campaign, the hackers have trojanized the SMS Bomber tool; hence they have narrowed down their targets.

Researchers believe their target could be based on the intelligence information the group collected during past espionages. Tropic Trooper also uses KeyBoy, Earth Centaur, and Pirate Panda monikers.

The group has a history of targeting targets in Hong Kong, Taiwan, and the Philippines. Moreover, their prominent targets are linked to the government, transportation, healthcare, and technology sectors.

**More Chinese Hackers in Action News**

*   China’s insidious surveillance against Uyghurs with Android malware
*   Android malware HenBox hits Xiaomi devices & minority group in China
*   China arrests 11 hackers for infecting 250M devices with Fireball malware
*   Someone from China is Distributing Mirai Malware Through Windows Botnet
*   Unofficial Micropatch for Follina Issued as Chinese Hackers Exploit the 0-day

Chinese Hackers Distributing Nim language Malware in SMS Bomber Tool

A week after it emerged that sophisticated mobile spyware dubbed Hermit was used by the government of Kazakhstan within its borders, Google said it has notified Android users of infected devices.
Additionally, necessary changes have been implemented in Google Play Protect — Android's built-in malware defense service — to protect all users, Benoit Sevens and Clement Lecigne of Google Threat

A week after it emerged that sophisticated mobile spyware dubbed Hermit was used by the government of Kazakhstan within its borders, Google said it has notified Android users of infected devices.

Additionally, necessary changes have been implemented in Google Play Protect — Android's built-in malware defense service — to protect all users, Benoit Sevens and Clement Lecigne of Google Threat Analysis Group (TAG) said in a Thursday report.

Hermit, the work of an Italian vendor named RCS Lab, was documented by Lookout last week, calling out its modular feature-set and its abilities to harvest sensitive information such as call logs, contacts, photos, precise location, and SMS messages.

Once the threat has thoroughly insinuated itself into a device, it's also equipped to record audio and make and redirect phone calls, in addition to abusing its permissions to accessibility services to keep tabs on the foreground apps used by the victims.

Its modularity also enables it to be wholly customizable, equipping the spyware's functionality to be extended or altered at will. It's not immediately clear who were targeted in the campaign, or which of RCS Lab clients were involved.

The Milan-based company, operating since 1993, claims to provide "law enforcement agencies worldwide with cutting-edge technological solutions and technical support in the field of lawful interception for more than twenty years." More than 10,000 intercepted targets are purported to be handled daily in Europe alone.

"Hermit is yet another example of a digital weapon being used to target civilians and their mobile devices, and the data collected by the malicious parties involved will surely be invaluable," Richard Melick, director of threat reporting for Zimperium, said.

The targets have their phones infected with the spy tool via drive-by downloads as initial infection vectors, which, in turn, entails sending a unique link in an SMS message that, upon clicking, activates the attack chain.

It's suspected that the actors worked in collaboration with the targets' internet service providers (ISPs) to disable their mobile data connectivity, followed by sending an SMS that urged the recipients to install an application to restore mobile data access.

"We believe this is the reason why most of the applications masqueraded as mobile carrier applications," the researchers said. "When ISP involvement is not possible, applications are masqueraded as messaging applications."

To compromise iOS users, the adversary is said to have relied on provisioning profiles that allow fake carrier-branded apps to be sideloaded onto the devices without the need for them to be available on the App Store.

An analysis of the iOS version of the app shows that it leverages as many as six exploits — CVE-2018-4344, CVE-2019-8605, CVE-2020-3837, CVE-2020-9907, CVE-2021-30883, and CVE-2021-30983 — to exfiltrate files of interest, such as the WhatsApp database, from the device.

"As the curve slowly shifts towards memory corruption exploitation getting more expensive, attackers are likely shifting too," Google Project Zero's Ian Beer said in a deep-dive analysis of an iOS artifact that impersonated the My Vodafone carrier app.

On Android, the drive-by attacks require that victims enable a setting to install third-party applications from unknown sources, doing so which results in the rogue app, masquerading as smartphone brands like Samsung, requests for extensive permissions to achieve its malicious goals.

The Android variant, besides attempting to root the device for entrenched access, is also wired differently in that instead of bundling exploits in the APK file, it contains functionality that permits it to fetch and execute arbitrary remote components that can communicate with the main app.

"This campaign is a good reminder that attackers do not always use exploits to achieve the permissions they need," the researchers noted. "Basic infection vectors and drive by downloads still work and can be very efficient with the help from local ISPs."

Stating that seven of the nine zero-day exploits it discovered in 2021 were developed by commercial providers and sold to and used by government-backed actors, the tech behemoth said it's tracking more than 30 vendors with varying levels of sophistication who are known to trade exploits and surveillance capabilities.

What's more, Google TAG raised concerns that vendors like RCS Lab are "stockpiling zero-day vulnerabilities in secret" and cautioned that this poses severe risks considering a number of spyware vendors have been compromised over the past ten years, "raising the specter that their stockpiles can be released publicly without warning."

"Our findings underscore the extent to which commercial surveillance vendors have proliferated capabilities historically only used by governments with the technical expertise to develop and operationalize exploits," TAG said.

"While use of surveillance technologies may be legal under national or international laws, they are often found to be used by governments for purposes antithetical to democratic values: targeting dissidents, journalists, human rights workers and opposition party politicians."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Google Says ISPs Helped Attackers Infect Targeted Smartphones with Hermit Spyware

The company is warning victims in Italy and Kazakhstan that they have been targeted by the malware from Italian firm RCS Labs.

The company is warning victims in Italy and Kazakhstan that they have been targeted by the malware from Italian firm RCS Labs.

Google is warning victims in Kazakhstan and Italy that they are being targeted by Hermit, a sophisticated and modular spyware from Italian vendor RCS Labs that not only can steal data but also record and make calls.

Researchers from Google Threat Analysis Group (TAG) revealed details in a blog post Thursday by TAG researchers Benoit Sevens and Clement Lecigne about campaigns that send a unique link to targets to fake apps impersonating legitimate ones to try to get them to download and install the spyware. None of the fake apps were found on either Apple’s or Google’s respective mobile app stores, however, they said.

TAG is attributing the capabilities to notorious surveillance software vendor RCS Labs, which previously was linked to spyware activity employed by an agent of the Kazakhstan government against domestic targets, and identified by Lookout research.

“We are detailing capabilities we attribute to RCS Labs, an Italian vendor that uses a combination of tactics, including atypical drive-by downloads as initial infection vectors, to target mobile users on both iOS and Android,” a Google TAG spokesperson wrote in an email to Threatpost sent Thursday afternoon.

All campaigns that TAG observed originated with a unique link sent to the target that then tries to lure users into downloading Hermit spyware in one of two ways, researchers wrote in the post. Once clicked, victims are redirected to a web page for downloading and installing a surveillance app on either Android or iOS.

“The page, in Italian, asks the user to install one of these applications in order to recover their account,” with WhatsApp download links specifically pointing to attacker-controlled content for Android or iOS users, researchers wrote.

****Collaborating with ISPs****

One lure employed by threat actors is to work with the target’s ISP to disable his or her mobile data connectivity, and then masquerade as a carrier application sent in a link to try to get the target to install a malicious app to recover connectivity, they said.

Researchers outlined in a separate blog post by Ian Beer of Google Project Zero a case in which they discovered what appeared to be an iOS app from Vodafone but which in fact is a fake app. Attackers are sending a link to this malicious app by SMS to try to fool targets into downloading the Hermit spyware.

“The SMS claims that in order to restore mobile data connectivity, the target must install the carrier app and includes a link to download and install this fake app,” Beer wrote.

Indeed, this is likely the reason why most of the applications they observed in the Hermit campaign masqueraded as mobile carrier applications, Google TAG researchers wrote.

In other cases when they can’t work directly with ISPs, threat actors use apps appearing to be messaging applications to hide Hermit, according to Google TAG, confirming what Lookout previously discovered in its research.

****iOS Campaign Revealed****

While Lookout previously shared details of how Hermit targeting Android devices works, Google TAG revealed specifics of how the spyware functions on iPhones.

They also released details of the host of vulnerabilities—two of which were zero-day bugs when they were initially identified by Google Project Zero—that attackers exploit in their campaign. In fact, Beer’s post is a technical analysis of one of the bugs: CVE-2021-30983 internally referred to as Clicked3 and fixed by Apple in December 2021.

To distribute the iOS application, attackers simply followed Apple instructions on how to distribute proprietary in-house apps to Apple devices and used the itms-services protocol with a manifest file with com.ios.Carrier as the identifier, researchers outlined.

The resulting app is signed with a certificate from a company named 3-1 Mobile SRL that was enrolled in the Apple Developer Enterprise Program, thus legitimizing the certificate on iOS devices, they said.

The iOS app itself is broken up into multiple parts, researchers said, including a generic privilege escalation exploit wrapper which is used by six different exploits for previously identified bugs. In addition to Clieked3, the other bugs exploited are:

*   CVE-2018-4344 internally referred to and publicly known as LightSpeed;
*   CVE-2019-8605 internally referred to as SockPort2 and publicly known as SockPuppet;
*   CVE-2020-3837 internally referred to and publicly known as TimeWaste;
*   CVE-2020-9907 internally referred to as AveCesare; and
*   CVE-2021-30883 internally referred to as Clicked2, marked as being exploited in-the-wild by Apple in October 2021.

All exploits used before 2021 are based on public exploits written by different jailbreaking communities, researchers added.

****Broader Implications****

The emergence of Hermit spyware shows how threat actors—often working as state-sponsored entities—are pivoting to using new surveillance technologies and tactics following the blow-up over repressive regimes’ use of Israel-based NSO Group’s Pegasus spyware in cyberattacks against dissidents, activists and NGOs, as well as the murders of journalists.

Indeed, while use of spyware like Hermit may be legal under national or international laws, “they are often found to be used by governments for purposes antithetical to democratic values: targeting dissidents, journalists, human rights workers and opposition party politicians,” Google TAG researchers wrote.

The United States blacklisted NSO Group over the activity, which drew international attention and ire. But it apparently has not stopped the proliferation of spyware for nefarious purposes in the slightest, according to Google TAG.

In fact, the commercial spyware industry continues to thrive and grow at a significant rate, which “should be concerning to all Internet users,” researchers wrote.

“These vendors are enabling the proliferation of dangerous hacking tools and arming governments that would not be able to develop these capabilities in-house,” they said.

Google Warns Spyware Being Deployed Against Android, iOS Users

Bronze Starlight’s use of multiple ransomware families and its victim-targeting suggest there’s more to the group’s activities than just financial gain, security vendor says.

A China-based advanced persistent threat (APT) actor, active since early 2021, appears to be using ransomware and double-extortion attacks as camouflage for systematic, government-sponsored cyberespionage and intellectual property theft.

In all of the attacks, the threat actor has used a malware loader called the HUI Loader — associated exclusively with China-backed groups — to load Cobalt Strike Beacon and then deploy ransomware on compromised hosts. Researchers at Secureworks who are tracking the group as “Bronze Starlight” say it’s a tactic they have not observed other threat actors use.

Secureworks also says it has identified organizations in multiple countries that the adversary appears to have compromised. The group’s US-based victims include a pharmaceutical company, a law firm, and a media company with offices in Hong Kong and China. Others include electronic component designers and manufacturers in Japan and Lithuania, a pharmaceutical company in Brazil, and the aerospace and defense division of an Indian conglomerate. Some three-quarters of Bronze Starlight’s victims so far are organizations that have typically been of interest to government-sponsored Chinese cyber-espionage groups.

**Cycling Through Ransomware Families**

Since it began operations in 2021, Bronze Starlight has used at least five different ransomware tools in its attacks: LockFile, AtomSilo, Rook, Night Sky, and Pandora. Secureworks’ analysis shows that the threat actor used a traditional ransomware model with LockFile, where it encrypted data on a victim network and demanded a ransom for the decryption key. But it switched to a double-extortion model with each of the other ransomware families. In these attacks Bronze Starlight attempted to extort victims by both encrypting their sensitive data and threatening to leak it publicly. Secureworks identified data belonging to at least 21 companies posted on leak sites associated with AtomSilo, Rook, Night Sky, and Pandora.

While Bronze Starlight appears on the surface to be financially motivated, its real mission appears to be cyberespionage and intellectual property theft in support of Chinese economic objectives, says Marc Burnard, senior consultant information security research at Secureworks. The US government last year formally accused China of using threat groups such as Bronze Starlight in state-sponsored cyber-espionage campaigns.

“The victimology, tooling, and rapid cycling through ransomware families suggest that Bronze Starlight’s intent may not be financial gain,” he says. Instead, it’s possible that the threat actor is using ransomware and double extortion as a cover to steal data from organizations of interest to China and destroy evidence of its activity.

Bronze Starlight has consistently targeted only a small number of victims over short periods of time with each ransomware family — something that threat groups don’t often do because of the overhead associated with developing and deploying new ransomware tools. In Bronze Starlight’s case, the threat actor appears to have employed the tactic to prevent drawing too much attention from security researchers, Secureworks said.

**The Chinese Connection**

Burnard says the threat actor’s use of the HUI Loader along with a relatively rare version of PlugX, a remote access Trojan linked exclusively to China-backed threat groups, is another sign that there’s more to Bronze Starlight than its ransomware activity might suggest.

“We believe the HUI Loader is a tool unique to Chinese state-sponsored threat groups,” Burnard says. It is not widely used, but where it has been used, the activity has been attributed to other likely Chinese threat group activity, such as one by a group dubbed Bronze Riverside that is focused on stealing IP from Japanese companies. 

“In terms of the use of the HUI Loader to load Cobalt Strike Beacons, this is one key characteristic of the Bronze Starlight activity that connects the broader campaign and five ransomware families together,” Burnard says.

Another sign that Bronze Starlight is more than just a ransomware operation involves a breach that Secureworks investigated earlier this year, where Bronze Starlight broke into a server at an organization that had previously already been compromised by another China-sponsored threat operation called Bronze University. In this incident, though, Bronze Starlight deployed the HUI Loader with Cobalt Strike Beacon on the compromised server, but it did not deploy any ransomware. 

“Again, this raises an interesting question around links between Bronze Starlight and state-sponsored threat groups in China,” Burnard says.

There’s also evidence that Bronze Starlight is learning from its intrusion activity and improving the HUI Loader’s capabilities, he adds. The version of the loader that the group used in its initial intrusions, for instance, were merely designed to load, decrypt, and execute a payload. But an updated version of the tool that Secureworks came across while responding to a January 2022 incident revealed several improvements. 

“The updated version comes with detection evasion techniques, such as disabling Windows Event Tracing for Windows \[ETW\] and Antimalware Scan Interface \[AMSI\] and Windows API hooking,” Burnard notes. “This indicates the HUI Loader is actively being developed and upgraded.”

Secureworks’ investigation shows that Bronze Starlight primarily compromises Internet-facing servers on victim organizations by exploiting known vulnerabilities. So as part of a multilayered approach to network security, network defenders should ensure that Internet-facing servers are patched in a timely manner, Burnard says. 

“While the focus is often on zero-day exploitation, we often see threat groups like Bronze Starlight exploit vulnerabilities that already have a patch available," he says.

Chinese APT Group Likely Using Ransomware Attacks as Cover for IP Theft

Algo Communication Products Ltd. 8373 IP Zone Paging Adapter Firmware 1.7.6 allows attackers to perform a directory traversal via a web request sent to /fm-data.lua.

Hey All,

Been awhile, like usual :)

We will be talking about a CVE related to firmware running on one of these devices in this blog. Other devices by Algo running identical firmware seem impacted as well.

I am here today to write about a vulnerability I recently discovered during a security assessment and how it spawned into my first CVE. Getting a CVE to my name is something I’ve wanted to accomplish for several years. I got close a few times, and once I even found what I thought was a “Zero day” in a Fortinet Firewall just to find out it was reported and patched just weeks before I found it. So close!

While I will be transparent in saying that this vulnerability is far from the most mind blowing or exciting vulnerability in recent times. I will also say I’m proud to have reported it through the CVE reporting process and was reserved CVE-2022–31395 by doing so. The final step in locking the CVE in is to point MITRE to a publication about the vulnerability. As you can maybe imagine, that is a large part of why I am writing this article. I did attempt to contact the manufacture to ask if they knew about this vulnerability. They simply told me the firmware in question was outdated and to update it. That however didn’t tell me if this was a known vulnerability so I asked if they had any specific CVE’s known to exist against the outdated firmware version I was working with. They said they did not have that information so I moved on to reporting to MITRE. As I sent the details to MITRE I was like:

I just want a CVE with my name on it!!!

I didn’t hear anything for several days from MITRE so I pinged them for an updated and was told they are experiencing a high volume of reported CVE’s and are working through them in a priority order. A few weeks passed and finally I saw a glorious email arrive. It stated that I should use CVE-2022–31395 to craft a public reference for the vulnerability in question, at which point the CVE should be official and no longer just “reserved”.

Without further ado… I present to you the Directory Traversal vulnerability I found and reported. The vulnerability affects at least: **ALGO COMMUNICATION PRODUCTS LTD 8373 IP Zone Paging Adapter Control Panel, Firmware 1.7.6**. Other ALGO products containing the same firmware likely contain the same vulnerability as I have also confirmed the **1.7.6 Firmware on Algos’ “8201 SIP PoE Intercom Control Panel”** contains the same vulnerability). I have not yet confirmed if other, newer firmwares are vulnerable at this time. In addition, the support team at Algo said the best way to know would be to update to their newest firmware and try the attack again. However, I do not have administrative privileges to this device as it belongs to a client of mine, so I am not able to update it and will have to wait if to see if my client decides to do so. I will report back if I find that newer versions are impacted.

Lets’ get into some of the details about this vulnerability! First, it is worth noting that this is an authenticated attack. The part of the application that is vulnerable is only accessible once authenticated. These devices appear to come pre-configured with a default password of “algo” with no username. In fact, I am saved a Google search for default password when initially analyzing the interface as it’s clearly stated right in the web interface itself.

I know it’s not a secret… but it feels like a bad idea to have the default password printed next to the login feature.

Lucky for me, the device I was analyzing still had its’ default password configured so I was able to access administrative functions of this IP Zone Paging Adapter. A function that quickly stood out to me was called “File Manager” which for obvious reasons (to people in offensive security) is immediately a place I start to analyze deeper as a pentester and bug hunter.

My first move, is to attempt to download any of the files I am presented with here and to see what that HTTP request looks like using BurpSuite Professional… P.S. if you don’t use BurpSuite Pro…. well I am just sad to hear that, it’s an incredibly valuable tool and is priced super well in the lower hundreds per year ($300–400ish if I’m remembering correctly). Anyways… this is what I saw when reviewing the download request.

In this example, I’m downloading the “user.conf” file.

A natural change to attempt to make before resubmitting the request is, of course, to replace the file in the HTTP request that we want to fetch from the server with a directory traversal payload to see if we can “break out” of the file directory the application intends for us to browse and reach the “_passwd_” file in the “_/etc/_” directory of the underlying Linux OS.

Yehaw!

I was thrilled to see the output of the _passwd_ file! Next, I thought to also grab the “_shadow_” file in the same directory (/_etc/_) which should contain hashed passwords for users! It is possible for us to maybe even crack the hash(es) if we can get them from the file.

Well, this is certainly awesome. I have the hashed password for the _root_ account. This means I can possibly “jailbreak” or “root” the device if I can accomplish two things.

1.  Crack the root password with Hashcat (my preferred hash cracking tool) or another password-hash cracking tool.
2.  Find a way to execute code as root. My two theories on how to accomplish this was either to find a way to enable SSH (since it doesn’t seem to be enabled on my target at least), or to leverage the directory traversal vulnerability while UPLOADING (instead of downloading as seen above). Perhaps I could drop a web shell or drop/overwrite a config file to get me further access.

I like Hashtcat for the GPU acceleration and the “Rules” engine that modifies a given wordlist on the fly! One or two of my first blog posts on https://n0ur5blog.wordpress.com/ (my old blog) talked a whole bunch about Hashcat!

Boom — Hash cracked! Now that I see the clear-text password for the root account, I notice it matches the default password we used to log in to the web interface. I wonder if the web interface just uses whatever the root password is set to, and if changing the web interface password would change the root password. Regardless, I now have one last challenge and that is to turn this into some form of code execution via the methods I mentioned above!

As of the time of this writing I have not successfully executed code as the root user, but have confirmed I can upload files to outside the web root directory and even overwrite files already in place on the system! I am left with the following items to continue my research on this vulnerability.

*   What other hardware and/or firmware versions are vulnerable to this? I have come across some other Algo devices containing default passwords for log-in that didn’t even have the “File Manager” feature. The few I came across did have much newer firmware but also were different hardware from those that I’ve confirmed vulnerable so far. So I assume “File Manager” was either removed in newer firmware versions OR some hardware they produce simply doesn’t have or need the File Manager.
*   How can I use unrestricted file upload, combined with directory traversal to enable SSH or achieve some other form of remote code execution via ROOT. The web server seems serve “lua” files, so I assume if I can figure out the file structure/location of the web server root directory, I could possibly drop a web shell on it that would enable the remote code execution I’m looking for via web browser.
*   Testing if changing the web interface password also changes the root password by grabbing the shadow file again after changing the password to see if the hash changed. If not, we can assume a large number of Algo devices ship with the root password of “_algo_”.
*   Create a python or bash script for this exploit once I discover the full extent of the items above!

Well folks, that is all for now! Hopefully my next blog post is about another CVE I get, but if not I’m sure whatever it is will be something fun and interesting! Hope this was a fun read!

Cheers!

N0ur5

CVE-2022-31395: Achievement Unlocked: CVE-2022–31395 - N0ur5 - Medium

The APT is pairing a known Microsoft flaw with a malicious document to load malware that nabs credentials from Chrome, Firefox and Edge browsers.

The APT is pairing a known Microsoft flaw with a malicious document to load malware that nabs credentials from Chrome, Firefox and Edge browsers.

Advanced persistent threat group Fancy Bear is behind a phishing campaign that uses the specter of nuclear war to exploit a known one-click Microsoft flaw. The goal is to deliver malware that can steal credentials from the Chrome, Firefox and Edge browsers.

The attacks by the Russia-linked APT are tied the Russian and Ukraine war, according to researchers at Malwarebytes Threat Intelligence. They report that Fancy Bear is pushing malicious documents weaponized with the exploit for Follina (CVE-2022-30190), a known Microsoft one-click flaw, according to a blog post published this week.

“This is the first time we’ve observed APT28 using Follina in its operations,” researchers wrote in the post. Fancy Bear is also known as APT28, Strontium and Sofacy.

On June 20, Malwarebytes researchers first observed the weaponized document, which downloads and executes a .Net stealer first reported by Google. Google’s Threat Analysis Group (TAG) said Fancy Bear already has used this stealer to target users in the Ukraine.

The Computer Emergency Response Team of Ukraine (CERT-UA) also independently discovered the malicious document used by Fancy Bear in the recent phishing campaign, according to Malwarebytes.

****Bear on the Loose****

CERT-UA previously identified Fancy Bear as one of the numerous APTs pummeling Ukraine with cyber-attacks in parallel with the invasion by Russian troops that began in late February. The group is believed to be operating on the behest of Russian intelligence to gather info that would be useful to the agency.

In the past Fancy Bear has been linked in attacks targeting elections in the United States and Europe, as well as hacks against sporting and anti-doping agencies related to the 2020 Olympic Games.

Researchers first flagged Follina in April, but only in May was it officially identified as a zero-day, one-click exploit. Follina is associated with the Microsoft Support Diagnostic Tool (MSDT) and uses the ms-msdt protocol to load malicious code from Word or other Office documents when they’re opened.

The bug is dangerous for a number of reasons–not the least of which is its wide attack surface, as it basically affects anyone using Microsoft Office on all currently supported versions of Windows. If successfully exploited, attackers can gain user rights to effectively take over a system and install programs, view, change or delete data, or create new accounts.

Microsoft recently patched Follina in its June Patch Tuesday release but it remains under active exploit by threat actors, including known APTs.

**Threat of Nuclear Attack**

Fancy Bear’s Follina campaign targets users with emails carrying a malicious RTF file called “Nuclear Terrorism A Very Real Threat” in an attempt to prey on victims’ fears that the invasion of Ukraine will escalate into a nuclear conflict, researchers said in the post. The content of the document is an article from the international affairs group Atlantic Council that explores the possibility that Putin will use nuclear weapons in the war in Ukraine.

The malicious file uses a remote template embedded in the Document.xml.rels file to retrieve a remote HTML file from the URL http://kitten-268\[.\]frge\[.\]io/article\[.\]html. The HTML file then uses a JavaScript call to window.location.href to load and execute an encoded PowerShell script using the ms-msdt MSProtocol URI scheme, researchers said.

The PowerShell loads the final payload–a variant of the .Net stealer previously identified by Google in other Fancy Bear campaigns in the Ukraine. While the oldest variant of the stealer used a fake error message pop-up to distract users from what it was doing, the variant used in the nuclear-themed campaign does not, researchers said.

In other functionality, the recently seen variant is “almost identical” to the earlier one, “with just a few minor refactors and some additional sleep commands,” they added.

As with the previous variant, the stealer’s main pupose is to steal data—including website credentials such as username, password and URL–from several popular browsers, including Google Chrome, Microsoft Edge and Firefox. The malware then uses the IMAP email protocol to exfiltrate data to its command-and-control server in the same way the earlier variant did but this time to a different domain, researchers said.

“The old variant of this stealer connected to mail\[.\]sartoc.com (144.208.77.68) to exfiltrate data,” they wrote. “The new variant uses the same method but a different domain, www.specialityllc\[.\]com. Interestingly both are located in Dubai.”

The owners of the websites most likely have nothing to do with APT28, with the group simply taking advantage of abandoned or vulnerable sites, researchers added.

Fancy Bear Uses Nuke Threat Lure to Exploit 1-Click Bug

The credential-phishing attack leverages social engineering and brand impersonation techniques to lead users to a spoofed MetaMask verification page.

Researchers have uncovered an email-based credential-phishing attack targeting users of MetaMask, a cryptocurrency wallet used to interact with the Ethereum blockchain.

The campaign is directed at Microsoft 365 (formerly Microsoft Office 365) users and has targeted multiple organizations across the financial industry. It starts with a socially engineered email that looks like a MetaMask verification email, according to the Armorblox research team, containing a link.

Upon clicking the link, users are taken to a spoofed MetaMask verification page, where they are asked to verify their wallet, claiming that non-compliance would result in limited access to their wallets.

The fake landing page uses MetaMask logos and branding to closely resemble the real log-in page, and it deploys a language of urgency to encourage compliance with the Know Your Customer (KYC) verification request.

"In order to get the victim to comply with the request and exfiltrate sensitive data, attackers included language within both the body of the email and the fake landing page that denoted a sense of urgency, making it known that time was of the essence," the Armorblox post notes.

The research team also pointed out that the attack leverages the curiosity effect, a cognitive bias that can be used to exploit the user's inherent urge to resolve doubt.

"Each further engagement through the attack flow further aimed to increase this trust through legitimate logo inclusions, branding, and key attributes that are only affiliated with the spoofed brand," the post continues.

**Attack Skates Past Microsoft Security**

Even though the email came from an invalid domain, the attackers were still able to slip through Microsoft's security controls, using a "gamut of techniques" to bypass secure email gateway (SEG) filters.

Armorblox CSO Brian Johnson notes while the company's research team does not have access to Microsoft threat detection details, they have seen a large amount of modern attacks spawn zero-day malicious links that are ephemeral in nature.

"With the advent of cloud services, it is easy to spin up and spin down malicious links in minutes," he explains. "These attacks can only be detected when you combine natural language understanding with artificial intelligence to go beyond static checks on known malicious links."

To protect against these types of attacks, Johnson says the basic steps include ensuring multifactor authentication (MFA) across all the organization's accounts — specifically, the ones that provide access to financial accounts.

The Armorblox post also recommends keeping an eye out for social-engineering cues, for example any logical inconsistencies within the email, and to augment native email security with additional controls.

**Cryptocurrency Attacks Evolving, Targeting Startups**

Johnson adds that crypto-wallet phishing has become more targeted and mainstream.

"As the use of cryptocurrency gains traction in both personal and business environments, it opens up another vector for malicious actors," Johnson warns.

Hackers' approaches to compromising cryptocurrency and digital asset exchanges continue to evolve, as a series of attacks against small and midsize businesses has led to major cryptocurrency losses for the victims.

Among these malicious actors is BlueNoroff, an advanced persistent threat (APT) group that's part of the larger Lazarus Group associated with North Korea, which carried out the SnatchCrypto campaign in January.

Meanwhile, cryptocurrency mixing — a technique that uses pools of cryptocurrency to complicate the tracking of electronic transactions — is set to grow, as ransomware and other cybercriminal enterprises increasingly lean into cryptocurrency, a November 2021 report from Intel 471 warned.

Tag

#zero_day