A new commercial spyware for governments, called Hermit, has spotted in the wild. It affects iOS and all Android versions.
The post Hermit spyware is deployed with the help of a victim’s ISP appeared first on Malwarebytes Labs.

Google’s Threat Analysis Group (TAG) has revealed a sophisticated spyware activity involving ISPs (internet service providers) aiding in downloading powerful commercial spyware onto users’ mobile devices. The spyware, dubbed Hermit, is reported to have government clients much like Pegasus.

Italian vendor RCS Labs developed Hermit. The spyware was spotted in Kazakhstan (to suppress protests against government policies), Italy (to investigate those involved in an anti-corruption case), and Syria (to monitor its northeastern Kurdish region), all deployed by their respective governments.

Hermit affects Android and iOS devices and is described as a modular spyware. This means it can download pieces of itself (modules) for additional functionalities, making it customizable to suit client needs, from a C2 (command and control) server.

Unlike NSO’s Pegasus, Hermit is not as stealthy. But at its core, it functions like any government-grade spyware. It can read SMS and chat messages, view passwords, intercept calls, record calls and ambient audio, redirect calls, and pinpoint precise locations of victims.

Hermit also roots all infected Android devices, giving itself deeper access to phone features and user data. On iOS, Hermit is packed with six exploits, two of which were targeting zero-day vulnerabilities. According to Google’s report, these are the following exploits:

*   CVE-2018-4344 internally referred to and publicly known as LightSpeed.
*   CVE-2019-8605 internally referred to as SockPort2 and publicly known as SockPuppet
*   CVE-2020-3837 internally referred to and publicly known as TimeWaste.
*   CVE-2020-9907 internally referred to as AveCesare.
*   CVE-2021-30883 internally referred to as Clicked2, marked as being exploited in-the-wild by Apple in October 2021.
*   CVE-2021-30983 internally referred to as Clicked3, fixed by Apple in December 2021.

A Hermit spyware campaign starts off as a seemingly authentic messaging app users are deceived into downloading. A government actor also poses as a mobile carrier over SMS—sometimes with the help of the target’s ISP—to socially engineer targets into downloading the spyware masquerading as a tool to “fix” their internet connection.

Both Apple and Google have already notified their users regarding this spyware, and then some. Apple revoked the legitimate certificates Hermit abused to reside on iPhone devices, while Google beefed up its Google Play Protect security app to block Hermit from running. Google also pulled the plug on Hermit’s Firebase account, which it uses to communicate with its C2.

When questioned by TechCrunch, RCS Labs provided a statement, which we have replicated in part below:

> RCS Lab exports its products in compliance with both national and European rules and regulations. Any sales or implementation of products is performed only after receiving an official authorization from the competent authorities. Our products are delivered and installed within the premises of approved customers. RCS Lab personnel are not exposed, nor participate in any activities conducted by the relevant customers.

Providers of government-grade spyware like Pegasus and Hermit always claim to have legitimate reasons for creating malware. But as we’ve seen and heard from countless reports, they are mainly used to spy on journalists, activists, and human rights defenders.

Hermit spyware is deployed with the help of a victim’s ISP

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) this week moved to add a Linux vulnerability dubbed PwnKit to its Known Exploited Vulnerabilities Catalog, citing evidence of active exploitation.
The issue, tracked as CVE-2021-4034 (CVSS score: 7.8), came to light in January 2022 and concerns a case of local privilege escalation in polkit's pkexec utility, which allows an

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) this week moved to add a Linux vulnerability dubbed **PwnKit** to its Known Exploited Vulnerabilities Catalog, citing evidence of active exploitation.

The issue, tracked as CVE-2021-4034 (CVSS score: 7.8), came to light in January 2022 and concerns a case of local privilege escalation in polkit's pkexec utility, which allows an authorized user to execute commands as another user.

Polkit (formerly called PolicyKit) is a toolkit for controlling system-wide privileges in Unix-like operating systems, and provides a mechanism for non-privileged processes to communicate with privileged processes.

Successful exploitation of the flaw could induce pkexec to execute arbitrary code, granting an unprivileged attacker administrative rights on the target machine and compromising the host.

It's not immediately clear how the vulnerability is being weaponized in the wild, nor is there any information on the identity of the threat actor that may be exploiting it.

Also included in the catalog is CVE-2021-30533, a security shortcoming in Chromium-based web browsers that was leveraged by a malvertising threat actor dubbed Yosec to deliver dangerous payloads last year.

Furthermore, the agency added the newly disclosed Mitel VoIP zero-day (CVE-2022-29499) as well as five Apple iOS vulnerabilities (CVE-2018-4344, CVE-2019-8605, CVE-2020-9907, CVE-2020-3837, and CVE-2021-30983) that were recently uncovered as having been abused by Italian spyware vendor RCS Lab.

To mitigate any potential risk of exposure to cyberattacks, it's recommended that organizations prioritize timely remediation of the issues. Federal Civilian Executive Branch Agencies, however, are required to mandatorily patch the flaw by July 18, 2022.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

CISA Warns of Active Exploitation of 'PwnKit' Linux Vulnerability in the Wild

The previously unknown state-sponsored group is compromising industrial targets with the ShadowPad malware before burrowing deeper into networks.

A previously unknown Chinese-speaking advanced persistent threat (APT) is exploiting the ProxyLogon Microsoft Exchange vulnerability to deploy the ShadowPad malware, researchers said — with the end goal of taking over building-automation systems (BAS) and moving deeper into networks.

That's according to researchers at Kaspersky ICS CERT, who said that the infections affected industrial control systems (ICS) and telecom firms in Afghanistan and Pakistan, as well as a logistics and transport organization in Malaysia. The attacks came to light in October but appear to date back to March 2021.

"We believe that it is highly likely that this threat actor will strike again and we will find new victims in different countries," according to Kaspersky's Monday analysis.

In this specific spate of attacks, Kaspersky observed a unique set of tactics, techniques, and procedures (TTPs) linking the incidents together, including attackers compromising BAS engineering computers as their initial access point. Researchers noted this is an unusual move for an APT group, despite proof-of-concept malware being available for such platforms.

"Building-automation systems are rare targets for advanced threat actors," said Kirill Kruglov, security expert at Kaspersky ICS CERT, in the alert. "However, those systems can be a valuable source of highly confidential information and may provide the attackers with a backdoor to other, more secured, areas of infrastructures."

The attacks also threaten the physical integrity of buildings, researchers warned. BAS infrastructure unites operational features, such as electricity, lighting, HVAC systems, fire alarms, and security cameras, so they can be managed from a single management console.

"Once a BAS is compromised, all processes within that are at risk, including those relating to information security," according to Kaspersky's alert about the attacks.

In a real-world example of this rare kind of attack, last December a building automation engineering firm suddenly lost contact with hundreds of its BAS devices, including light switches, motion detectors, shutter controllers, and others — after being locked down with the system's own digital security key, which the attackers hijacked. The firm had to revert to manually flipping on and off the central circuit breakers in order to power on the lights in the building.  

**ProxyLogon Leads to ShadowPad Malware in Stealthy Infections**

In many cases, the cyberattackers exploited the ProxyLogon remote code-execution (RCE) vulnerability in MS Exchange (CVE-2021-26855), the firm added. When used in an attack chain, the exploits for these ProxyLogon could allow an attacker to authenticate as the Exchange server and deploy a Web shell so they can remotely control the target server.

ProxyLogon was disclosed in March 2021 after being exploited as a zero-day bug by a Chinese state-sponsored group that Microsoft calls Hafnium — but soon a dizzying array of threat groups piled on to exploit the issue to enable different kinds of attacks.

In this case, once in, the APT deploys the ShadowPad remote access Trojan (RAT) — a popular backdoor and loader used by various Chinese APTs. According to previous analysis from Secureworks, ShadowPad is advanced and modular, first deployed by the "Bronze Atlas" threat group in 2017. "A growing list of other Chinese threat groups have deployed it globally since 2019 in attacks against organizations in various industry verticals," the report noted.

Kaspersky researchers said that in the BAS attacks, "The ShadowPad backdoor was downloaded onto the attacked computers under the guise of legitimate software."

Specifically, the malware originally masqueraded as the mscoree.dll file, which is a Microsoft library file essential for the execution of "managed code" applications written for use with the .NET Framework. As such, the malware was launched by the legitimate AppLaunch.exe application, which itself was executed by creating a task in the Windows Task Scheduler. Last fall, the attackers switched to using the DLL-hijacking technique in legitimate software for viewing OLE-COM objects (OleView). The Windows Task Scheduler is also used in the newer approach. In both cases, using such living-off-the-land tools (i.e., legitimate native software) means that the activity is unlikely to raise any system-intrusion flags.

After the initial infection, the attackers first sent commands manually, then automatically, to deploy additional tools. Researchers said those included the following:

*   The CobaltStrike framework (for lateral movement)
*   Mimikatz (for stealing credentials)
*   The well-known PlugX RAT
*   BAT files (for stealing credentials)
*   Web shells (for remote access to the Web server)
*   The Nextnet utility (for scanning network hosts)

"The artifacts found indicate that the attackers stole domain-authentication credentials from at least one account in each attacked organization (probably from the same computer that was used to penetrate the network)," according to Kaspersky. "These credentials were used to further spread the attack over the network … we do not know the ultimate goal of the attacker. We think it was probably data harvesting."

**How to Protect Against APT Attacks Targeting BAS, Critical Infrastructure**

The attacks develop "extremely rapidly," Kaspersky said, so early-state detection and mitigation is key to minimizing damage. The researchers recommended the following best practices to protect industrial infrastructure, including BAS footprints:

*   Regularly update operating systems and any application software that are part of the enterprise's network. Apply security fixes and patches to operational-technology (OT) network equipment such as BAS, as soon as they are available.
*   Conduct regular security audits of OT systems to identify and eliminate possible vulnerabilities.
*   Use OT network traffic monitoring, analysis, and detection solutions for better protection from attacks that potentially threaten OT systems and main enterprise assets.
*   Provide dedicated OT security training for IT security teams and OT engineers.
*   Provide the security team responsible for protecting ICS with up-to-date threat intelligence.
*   Use layered security solutions for OT endpoints and networks.

China-Backed APT Pwns Building-Automation Systems with ProxyLogon

The No cON Name 2022 call for papers has been announced. It will be held in Barcelona, Spain, from November 24th through the 26th, 2022.

    No cON Name 2022 - Barcelona*****************************************  Call For Papers        ******************************************https://www.noconname.org/call-for-papers/Exact place not disclosed until a few weeks before due celebration.     * INTRODUCTIONThe organization has  opened CFP proposals. No cON Name is the eldest Hackingand Security Conference in Span. Our goal is to get highly qualified requestsfor both, speaker opportunities, as well as workshops, to show in one of  themost  respected hacker conferences in  Barcelona and Spain, NcN (No cONName). We will cellebrate as the last edition, 2 tracks:     * Privacy and net neutrality Track. (November 24th)     * Cybersecurity Track (November 25-26th)We will be accepting exclusively technical  presentations, proof of concept for,private  investigations  and  solutions  for  professionals related  to the  ITsecurity scene. Under no circumstance we will be selecting any proposal which iscommercially targeted, our main goal is to share knowledge in a well-establishedcommunity.     * FORMAT & REQUIREMENTS   - Language: English ( We will choose almost 75% ) or Spanish   - Proposal file type: PDF. It must follow  documentations requirements, shown     in next paragraph, and filled in through the web site   - Please use the template provided for the presentations during the conference   - It's necessary to  deeply explain contents, as this document will allow the     organization to evaluate the proposal.   - CFP's attachment  requested is mandatory. One page  summary of the contents,     or the investigations that you want to show will help to demonstrate techni-     cally the findings/result of investigations (additional texts,  screenshots,     evidences, code, etc)     WE DON'T ACCEPT PROPOSALS PRESENTED IN SPAIN BEFORE THE NOCONNAME'S CONGRESS DATE.In the event  that the  proposal  is accepted, it must be submitted  before thedeadline (September 1st, detailed in the important dates section below):   - An  article (a  template  in doc, odt  format  is  attached.) that  will  be     delivered in the conferences notebook. MANDATORY   - Presentation and exhibition  material: september the 15th. All the material     that will be  presented to the organization  must be delivered, otherwise it     will be possible to  grant other applicants your place. You have to plan the     day of the event nimbly. MANDATORY     * CONTENTSWe will require the following info to review your CFP:DATA                         DESCRIPTIONPreferred contact method     Alias, email, twitter account, Facebook,etc.  Name & Surname*  Alias *  Email *  Phone nº *  Twitter id  City/Country of residence *Proposal  Proposal type *             Speaking presentation or Workshop presentation  Representing *              Individual or company name  Category *                  See: RELEVANT TOPICS  Length (minutes) *          Speaker (presentation): Between  20 or 45 minutes.                              Workshop (presentation + demo):  45 minutes                              or 1,5 hours.  Title of the paper *:       Presentation's / Workshops Title  Goal *                      State  your objectives  during your investigation,                              issues encountered, impact on the society including                              risks.  Benefits *                  List  the   benefits  your presentation  will  be                              providing to the security community, social impact,                              and perhaps solutions to the current issue.  Description *               Presentation's / Workshop's description  Speaker's Biography *       Brief bio of latest published papers, previous talk                              experience, your current interests.     * RELEVANT TOPICSThe areas of interest that have been proposed, not restricted to, are:   - Offensive security.   - Evading / In-depth research of Phishing / Malware.   - Security & exploiting SCADA / ICS.   - Internet privacy and net neutrality (EPIC).   - Honeypots / Honeynets.   - Web explorers' security.   - Hardware hacking.   -  New vulnerabilities and 0-day exploits.   - Healthcare sucurity / risks   - (in)Security in the automotive industry   - Software Testing/Fuzzing.   - Advanced Penetration testing techniques.   - Mobile Application Security-Threats and Exploits.   - Network and Router Hacking   - Mobile, Satellite, IP networks security   - SDR (Software defined radio)   - Hacking virtualized envirorments   - Computer/electronic forensics   - Bluetooth vulnerabilities.   - Videconference application vulnerabilities.   - Covid-19 App vulnerabilities     * DEADLINES   - CFP Requests closing: September 15th 2022.   - CFP Approval: September, 25th 2022.   - Materials presentation due: October, 1st  2022   - Conference's date: November, 24,25,26th 2022     * SENDING YOUR CFPAll requests must be submitted through our site at:   https://www.noconname.org/call-for-papers/Fill in the form  and upload necessary files and you are  all set (some parts of website are in sspanish)     - EVALUATION CRITERIA FOR PROPOSALSWe will be evaluating speaking  conference and workshop requests with the follo-wing score:   - Level  of  innovation  in  your  investigation / Sophistication  of the  40%     presentation   - Stating your key-points of your proposal without going deep into detail  20%   - Briefing quality of your draft (proof of concept in  briefing is highly  15%     appreciated)   - State  field where your investigation  was made, ie:hardware, software,  10%     industry.   - Your speaking reputation                                                 10%   - Relevant topic proposed by the No cON Name staff               5%

No cON Name 2022 Barcelona Call For Papers

Abuse primitives have a longer shelf life than bugs and zero-days and are cheaper to maintain. They're also much harder for defenders to detect and block.

Microsoft's cloud services revenue grew 46% in the first quarter of 2022, and its cloud market share has increased by almost 9% since 2017. With Azure finally being used in earnest by the mainstream, now is the ideal time to get involved in Azure abuse research. There are many undiscovered abuse primitives out there, a lot of misconfiguration debt built up, and growing numbers of adversaries starting to target Azure more seriously.

Why spend time looking for abuse primitives rather than bugs or software exploits? Abuses have a much longer shelf life than bugs and zero-days, and they're cheaper to maintain. More importantly for attackers, they exist in nearly all implementations of the software in question and are much harder for defenders to detect and block. That's why it's vital for researchers to uncover new abuse options so they can be fixed or mitigated.

Here's my five-step process for researching a specific system within Azure and trying to find new attack primitives. Following this approach will help you save time, stay on track, and produce better results.

**Step One: Begin With the End in Mind**

First, you'll need to gain an understanding of how your system of choice works, how it interacts with other systems in Azure, and how it can be abused. Beyond that, think about what your final product will be — a blog post? A conference session? Defensive remediation guidelines or updates to an open source tool? Determine what's needed to create these assets. Consider producing audit code as well, so defenders can check for these dangerous configurations, and abuse code, too, so others can easily verify how these configurations can be abused. These are the "success criteria" for your research that will help you maintain focus, avoid unnecessary rabbit holes, and ensure a valuable end result.

**Step Two: Study the Intent and Design of the System**

Once you know exactly what you need to discover, begin research just like anyone else would — doing Google searches and reading official documentation. Look for anything that seems abusable (like the ability to reset passwords and permissions required), dig further into those, and take notes as you go.

Use LinkedIn to identify any product architects or other Microsoft staff involved in creating the subject of your study. Review their LinkedIn and Twitter feeds and look for the resources they've authored or reposted (blog posts, conference presentations, etc.). Delve into community resources like forums or GitHub repositories associated with this service, as these user groups are generally much more open in their discourse around problems and weaknesses than the Microsoft folks. Keep taking notes on the system. Once you can speak intelligently about the architecture and intent of the system and write a highly accurate, nontechnical brief about it, you're ready to move on.

**Step Three: Explore the System**

Documentation can only take you so far — it doesn't keep up with changes in Azure and there are almost always hidden connections that go undocumented. It's tempting to jump straight into this step, but without the context on the system that you built through research, you'll probably waste a lot of time.

Start exploring the system with the easiest interface — often this is the Azure portal GUI. If you bring up the Developer tools in the Chrome browser, you can see all the API requests that the browser is making. Copy them to PowerShell and you'll have a good start to building your own client. Use the official CLI tools in Azure (az binary, the Az PowerShell module, and Azure AD PowerShell module).  

When you’ve explored enough that you can build your own basic client to interact with the system, it’s time to proceed. This provides a foundation for a more mature client, and for automating the process of testing abuse capabilities.

**Step Four: Catalog Abuse Capabilities**

Now you can use your client to enumerate all the permissions that that system can assign, and test the abuse primitives you already know about against each of those permissions (e.g., can you promote yourself to global admin or change a global admin’s password?). Keep an eye out for other abuse primitives that might present themselves during your research — and test them as well to reveal any discrepancies between what the official documentation says and how things work in reality.

Realistically, you’ll need to automate this process. When I went through this research methodology examining the Azure Graph API, I had a list of about 175 permissions and a dozen abuse primitives to test against each of them … you do the math.

**Step Five: Share Findings**

The final step is to help others learn from your work. Write a blog post, do a talk and/or share your code. The point is to help others save time and expand or add on to your work. Think of it as writing the blog post you needed at the start of your research.

To learn more, watch a talk I gave on this topic (and access the accompanying deck). Inspired to start researching Azure abuses? Here are some useful websites to find technical content around Azure security: The Lazy Administrator, Good Workaround!, AZAdvertizer, Thomas Van Laere, and Microsoft Portals.

How to Find New Attack Primitives in Microsoft Azure

Researchers warn threat actors are using a novel remote code execution exploit to gain initial access to victim’s environments.

Researchers warn threat actors are using a novel remote code execution exploit to gain initial access to victim’s environments.

Ransomware groups are abusing unpatched versions of a Linux-based Mitel VoIP (Voice over Internet Protocol) application and using it as a springboard plant malware on targeted systems. The critical remote code execution (RCE) flaw, tracked as CVE-2022-29499, was first report by Crowdstrike in April as a zero-day vulnerability and is now patched.

Mitel is popularly known for providing business phone systems and unified communication as a service (UCaaS) to all forms of organizations. The Mitel focuses on VoIP technology allowing users to make phone calls using an internet connection instead of regular telephone lines.

According to Crowdstrike, the vulnerability affects the Mitel MiVoice appliances SA 100, SA 400 and Virtual SA. The MiVoice provides a simple interface to bring all communications and tools together.

****Bug Exploited to Plant Ransomware**  **

Researcher at Crowdstrike recently investigated a suspected ransomware attack. The team of researchers handled the intrusion quickly, but believe the involvement of the vulnerability (CVE-2022-29499) in the ransomware strike.

The Crowdstrike identifies the origin of malicious activity linked to an IP address associated with a Linux-based Mitel VoIP appliance. Further analysis led to the discovery of a novel remote code exploit.

“The device was taken offline and imaged for further analysis, leading to the discovery of a novel remote code execution exploit used by the threat actor to gain initial access to the environment,” Patrick Bennet wrote in a blog post.

The exploit involves two GET requests. The first one targets a “get\_url” parameter of a PHP file and the second one originates from the device itself.

“This first request was necessary because the actual vulnerable URL was restricted from receiving requests from external IP addresses,” the researcher explained.

The second request executes the command injection by performing an HTTP GET request to the attacker-controlled infrastructure and runs the stored command on the attacker’s server.

According to the researchers, the adversary uses the flaw to create an SSL-enabled reverse shell via the “mkfifo” command and “openssl\_client” to send outbound requests from the compromised network. The “mkfifo” command is used to create a special file specified by the file parameter and can be opened by multiple processes for reading or writing purposes.

Once the reverse shell was established, the attacker created a web shell named “pdf\_import.php”. The original content of the web shell was not recovered but the researchers identifies a log file that includes a POST request to the same IP address that the exploit originated from. The adversary also downloaded a tunneling tool called “Chisel” onto VoIP appliances to pivot further into the network without getting detected.

The Crowdstrike also identifies anti-forensic techniques performed by the threat actors to conceal the activity.

“Although the threat actor deleted all files from the VoIP device’s filesystem, CrowdStrike was able to recover forensic data from the device. This included the initial undocumented exploit used to compromise the device, the tools subsequently downloaded by the threat actor to the device, and even evidence of specific anti-forensic measures taken by the threat actor,” said Bennett.

Mitel released a security advisory on April 19, 2022, for MiVoice Connect versions 19.2 SP3 and earlier. While no official patch has been released yet.

****Vulnerable Mitel Devices on Shodan****

The security researcher Kevin Beaumont shared a string “http.html\_hash:-1971546278” to search for vulnerable Mitel devices on the Shodan search engine in a Twitter thread.

According to Kevin, there are approximately 21,000 publicly accessible Mitel appliances worldwide, the majority of which are located in the United States, succeeded by the United Kingdom.

****Mitel Mitigation Recommendations** **

Crowdstrike recommends that organizations tighten defense mechanisms by performing threat modeling and identifying malicious activity. The researcher also advised segregating the critical assets and perimeter devices to restrict the access control in case perimeter devices are compromised.

“Timely patching is critical to protect perimeter devices. However, when threat actors exploit an undocumented vulnerability, timely patching becomes irrelevant,” Bennett explained.

Mitel VoIP Bug Exploited in Ransomware Attacks

Researchers describe discovery of ‘mega’ zero-day

Researchers describe discovery of ‘mega’ zero-day

Oracle has patched a remote code execution (RCE) vulnerability impacting Oracle Fusion Middleware and various other Oracle systems.

Security researchers ‘Peterjson’ and ‘Jang’ reported a pair of severe flaws to Oracle that can be chained to achieve RCE, which they dubbed the ‘Miracle Exploit’.

The researchers said they privately told Oracle about a serious vulnerability they discovered in Oracle Access Manager, tracked as CVE-2021–35587. The CVSS 9.8 bug is described as an “easily exploitable” flaw that allows unauthenticated attackers with network access via HTTP for application takeover.

**Accidental discovery**

Jang said the flaw was discovered by accident when the duo were “building a PoC \[proof of concept exploit code\] for another mega 0-day”.

While working with the Zero Day Initiative (ZDI), this research led to the discovery of CVE-2022–21445. This ‘mega’ bug, issued a severity score of 9.8, was found in the Oracle Application Development Framework (ADF) Faces architecture, a component of Oracle Fusion Middleware.

Catch up on the latest vulnerability-related security news and analysis

The deserialization of trusted data issue can be chained with CVE-2022–21497 (CVSS 8.1), a takeover flaw in Oracle Web Services Manager, to achieve pre-authentication RCE.

CVE-2022–21445 impacts a variety of products and services based on Fusion Middleware, various Oracle systems, and even Oracle’s cloud infrastructure. Unauthenticated attackers with network access, via HTTP, can abuse the vulnerability chain.

“One more thing to note, any website was developed by ADF Faces framework are affected,” Peterjson said.

**Disclosure and patches**

After testing Oracle services and domains, the vulnerability report was submitted to the vendor on October 25, 2021. In the same month, Oracle confirmed receipt of the report and said it was investigating. However, it took the best part of six months for a patch to be issued.

Both issues have been resolved in Oracle’s April round of patches. Oracle is one of many technology vendors, alongside Microsoft and Adobe, that releases a monthly patch update to tackle bugs in its software.

Companies utilizing vulnerable Oracle software are urged to apply the patch immediately.

Other vendors potentially impacted by the pre-auth RCE were notified via their respective bug bounty programs. Peterjson told The Stack that companies have been informed if they have not applied Oracle’s fix, and that he believes the number of exposed instances is “huge”.

“Why \[did\] we hack some Oracle’s sites? Because we want to demonstrate the impact to Oracle and let them know this vulnerability is super dangerous, it affects Oracle system\[s\] and Oracle’s customers,” Peterjson commented.

“That’s why we want Oracle take an action ASAP. But as you can see, 6 months for Oracle to patch it, I don’t know why, but we have to accept it and follow Oracle’s policy.”

The Daily Swig has reached out to Oracle and we will update this story if and when we hear back.

YOU MIGHT ALSO LIKE Splunk patches critical vulnerability while users push for legacy updates

Oracle patches ‘miracle exploit’ impacting Middleware Fusion, cloud services

CISA warns of log4shell being actively exploited to compromise VMware Horizon systems. We take a look at their warning.
The post CISA Log4Shell warning: Patch VMware Horizon installations immediately appeared first on Malwarebytes Labs.

CISA and the United States Coast Guard Cyber Command (CGCYBER) are warning that the threat of Log4Shell hasn’t gone away. It’s being actively exploited and used to target organisations using VMware Horizon and Unified Access Gateway servers.

**Log4Shell: what is it?**

Log4Shell was a zero-day vulnerability in something called Log4j. This open source logging library written in Java is used by millions of applications, many of them incredibly popular. The easy to trigger attack could be used to perform remote code execution (RCE) on vulnerable systems. If successful, attackers could gain full control over a target system. If they managed to have affected apps log a special string, then it was a case of game over. The system(s) at this point would be ripe for exploitation.

Discovered in November 2021, the exploit was estimated to potentially affect hundreds of millions of devices. With so much potential for damage, fixes were quickly developed and released on December 6, three days before the vulnerability was published.

Related bugs and additional vulnerabilities were also discovered and subsequently patched.

**Broadening Log4Shell’s horizons**

According to CISA and CGCYBER, Log4Shell has been used to exploit unpatched, public-facing VMWare Horizon and UAG servers. Suspected APT threat actors…

> _…implanted loader malware on compromised systems with embedded executables enabling remote command and control (C2). In one confirmed compromise, these APT actors were able to move laterally inside the network, gain access to a disaster recovery network, and collect and exfiltrate sensitive data._

Attackers not only make use of malware and HTTP, but also PowerShell scripts and Remote Desktop Protocol (RDP). In the latter’s case, this was to further move around the network and other hosts inside the organisation’s production environment.

Compromised administrator accounts were used to run several additional forms of loader malware. Here are some of the samples found by CISA during one investigation:

*   SvcEdge.exe is a malicious Windows loader containing encrypted executable f7\_dump\_64.exe. When executed, SvcEdge.exe decrypts and loads f7\_dump\_64.exe into memory.
*   odbccads.exe is a malicious Windows loader containing an encrypted executable. When executed, odbccads.exe decrypts and loads the executable into memory.
*   praiser.exe is a Windows loader containing an encrypted executable. When executed, praiser.exe decrypts and loads the executable into memory.
*   fontdrvhosts.exe is a Windows loader that contains an encrypted executable. When executed, fontdrvhosts.exe decrypts and loads the executable into memory.
*   winds.exe is a Windows loader containing an encrypted malicious executable and was found on a server running as a service. During runtime, the encrypted executable is decrypted and loaded into memory. winds.exe has complex obfuscation, hindering the analysis of its code structures.

**Advice for securing installations**

CISA/CGCYBER are quite clear about this. Organisations which haven’t applied patches released back in December _should treat any and all affected VMware systems as compromised_:

*   Install fixed builds, updating all affected VMware Horizon and UAG systems to the latest versions. If updates or workarounds were not promptly applied following VMware’s release of updates for Log4Shell in December 2021, treat all affected VMware systems as compromised.
*   Minimize the internet-facing attack surface by hosting essential services on a segregated demilitarized (DMZ) zone, ensuring strict network perimeter access controls, and implementing regularly updated web application firewalls (WAFs) in front of public-facing services.
*   See VMware Security Advisory VMSA-2021-0028.13 and VMware Knowledge Base (KB) 87073 to determine which VMware Horizon components are vulnerable.
*   **Note:** Until the update is fully implemented, consider removing vulnerable components from the internet to limit the scope of traffic. While installing the updates, ensure network perimeter access controls are as restrictive as possible.
*   If upgrading is not immediately feasible, see KB87073 and KB87092 for vendor-provided temporary workarounds. Implement temporary solutions using an account with administrative privileges. Note that these temporary solutions should not be treated as permanent fixes; vulnerable components should be upgraded to the latest build as soon as possible. 
*   Prior to implementing any temporary solution, ensure appropriate backups have been completed. 
*   Verify successful implementation of mitigations by executing the vendor supplied script Horizon_Windows_Log4j_Mitigations.zip without parameters to ensure that no vulnerabilities remain. See KB87073 for details. 

Log4Shell, rated a 10 in the Common Vulnerability Scoring System (CVSS), is not to be trifled with. We advise affected organisations to pay heed to the warnings above and set about patching as soon as possible.

CISA Log4Shell warning: Patch VMware Horizon installations immediately

A suspected ransomware intrusion against an unnamed target leveraged a Mitel VoIP appliance as an entry point to achieve remote code execution and gain initial access to the environment.
The findings come from cybersecurity firm CrowdStrike, which traced the source of the attack to a Linux-based Mitel VoIP device sitting on the network perimeter, while also identifying a previously unknown

A suspected ransomware intrusion against an unnamed target leveraged a Mitel VoIP appliance as an entry point to achieve remote code execution and gain initial access to the environment.

The findings come from cybersecurity firm CrowdStrike, which traced the source of the attack to a Linux-based Mitel VoIP device sitting on the network perimeter, while also identifying a previously unknown exploit as well as a couple of anti-forensic measures adopted by the actor on the device to erase traces of their actions.

The exploit in question is tracked as CVE-2022-29499 and was fixed by Mitel in April 2022. It's rated 9.8 out of 10 for severity on the CVSS vulnerability scoring system, making it a critical shortcoming.

"A vulnerability has been identified in the Mitel Service Appliance component of MiVoice Connect (Mitel Service Appliances – SA 100, SA 400, and Virtual SA) which could allow a malicious actor to perform remote code execution (CVE-2022-29499) within the context of the Service Appliance," the company noted in an advisory.

The exploit entailed two HTTP GET requests — which are used to retrieve a specific resource from a server — to trigger remote code execution by fetching rogue commands from the attacker-controlled infrastructure.

In the incident investigated by CrowdStrike, the attacker is said to have used the exploit to create a reverse shell, utilizing it to launch a web shell ("pdf\_import.php") on the VoIP appliance and download the open source Chisel proxy tool.

The binary was then executed, but only after renaming it to "memdump" in an attempt to fly under the radar and use the utility as a "reverse proxy to allow the threat actor to pivot further into the environment via the VOIP device." But subsequent detection of the activity halted their progress and prevented them from moving laterally across the network.

The disclosure arrives less than two weeks after German penetration testing firm SySS revealed two flaws in Mitel 6800/6900 desk phones (CVE-2022-29854 and CVE-2022-29855) that, if successfully exploited, could allow an attacker to gain root privileges on the devices.

"Timely patching is critical to protect perimeter devices. However, when threat actors exploit an undocumented vulnerability, timely patching becomes irrelevant," CrowdStrike researcher Patrick Bennett said.

"Critical assets should be isolated from perimeter devices to the extent possible. Ideally, if a threat actor compromises a perimeter device, it should not be possible to access critical assets via 'one hop' from the compromised device."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Hackers Exploit Mitel VoIP Zero-Day Bug to Deploy Ransomware

By Deeba Ahmed
This newly discovered malware campaign is attributed to a Chinese hacking group called Tropic Trooper. Cybersecurity researchers at…
This is a post from HackRead.com Read the original post: Chinese Hackers Distributing Nim language Malware in SMS Bomber Tool

****This newly discovered malware campaign is attributed to a Chinese hacking group called Tropic Trooper.****

Cybersecurity researchers at Check Point have shared details of a new malware campaign suspected to be launched by a Chinese hacking group Tropic Trooper.

The malware operators are using a unique loader Nimbda, written in Nim language, and a new variant of Yahoyah trojan.

Researchers state that the hackers possess extensive cryptographic knowledge as they have extended the AES specification in a customized implementation.

**Info-Stealing Trojan Embedded in SMS Bomber Tool**

According to Check Point’s analysis, the info stealing trojan is hidden inside a Chinese language greyware tool called SMS Bomber. This tool is used for targeting cellphones with Denial of Service attacks (DoS attacks).

SMS Bomber tool allows users to enter any phone number to flood their phones with a message, rendering the devices unusable. Novice hackers typically use such tools to compromise websites.

**Attack Scenario**

When the infected version of SMS Bomber (equipped with standard functionalities and the tool’s binary) is downloaded to the device, the attack sequence is immediately initiated. The downloaded tool also contains additional coding injected into a notepad.exe process. 

In a blog post, researchers explained that This executable is the Nimbda loader, which uses the SMS Bomber as an icon and an executable while the loader injects shellcode in the notepad process in the background. The process then reaches a GitHub repository, fetches an obfuscated executable, decodes it, and executes it through process hollowing in Dllhost.exe, the new Yahoyah variant. 

This variant collects host-related data and transmits it to the attacker-operated C2 server. The final payload that Yahoyah executable drops is encoded in a JPG file through steganography. Researchers identified it as TClient. It is a backdoor used in previous campaigns by Tropic Trooper.

The interface of SMS Bomber (left) – Infection chain of the malware (right)

**What Information is Collected**

Yahoyah can collect device names, local wireless networks’ SSIDs located within the target device’s vicinity, MAC address, antivirus products installed on the device, OS version, and presence of Tencent and WeChat files.

The encryption used for Yahoyah is a custom AES implementation to perform the inverted sequence of round operations twice. Therefore, Check Point named it AEES. Though it doesn’t make encryption any stronger, it makes analyzing it complicated for researchers.

**Potential Targets**

Tropic Trooper has mainly focused on espionage in their previously identified phishing campaigns targeting Russian entities. However, in this campaign, the hackers have trojanized the SMS Bomber tool; hence they have narrowed down their targets.

Researchers believe their target could be based on the intelligence information the group collected during past espionages. Tropic Trooper also uses KeyBoy, Earth Centaur, and Pirate Panda monikers.

The group has a history of targeting targets in Hong Kong, Taiwan, and the Philippines. Moreover, their prominent targets are linked to the government, transportation, healthcare, and technology sectors.

**More Chinese Hackers in Action News**

*   China’s insidious surveillance against Uyghurs with Android malware
*   Android malware HenBox hits Xiaomi devices & minority group in China
*   China arrests 11 hackers for infecting 250M devices with Fireball malware
*   Someone from China is Distributing Mirai Malware Through Windows Botnet
*   Unofficial Micropatch for Follina Issued as Chinese Hackers Exploit the 0-day

Tag

#zero_day