Apache – INDIA NEWS (https://www.indiavpn.org)

Apache ActiveMQ Flaw Exploited in New Godzilla Web Shell Attacks
https://www.indiavpn.org/2024/01/22/apache-activemq-flaw-exploited-in-new-godzilla-web-shell-attacks/
Mon, 22 Jan 2024 06:17:32 +0000

Jan 22, 2024 | Newsroom | Vulnerability / Malware

Cybersecurity researchers are warning of a “notable increase” in threat actors actively exploiting a now-patched flaw in Apache ActiveMQ to deliver the Godzilla web shell on compromised hosts.

“The web shells are concealed within an unknown binary format and are designed to evade security and signature-based scanners,” Trustwave said. “Notably, despite the binary’s unknown file format, ActiveMQ’s JSP engine continues to compile and execute the web shell.”

CVE-2023-46604 (CVSS score: 10.0) refers to a severe vulnerability in Apache ActiveMQ that enables remote code execution. Since its public disclosure in late October 2023, it has come under active exploitation by multiple adversaries to deploy ransomware, rootkits, cryptocurrency miners, and DDoS botnets.


In the latest intrusion set observed by Trustwave, susceptible instances have been targeted by JSP-based web shells that are planted within the “admin” folder of the ActiveMQ installation directory.

The web shell, named Godzilla, is a functionality-rich backdoor capable of parsing inbound HTTP POST requests, executing the content, and returning the results in the form of an HTTP response.

“What makes these malicious files particularly noteworthy is how the JSP code appears to be concealed within an unknown type of binary,” security researcher Rodel Mendrez said. “This method has the potential to circumvent security measures, evading detection by security endpoints during scanning.”

A closer examination of the attack chain shows that the web shell code is converted into Java code prior to its execution by the Jetty Servlet Engine.


The JSP payload ultimately allows the threat actor to connect to the web shell through the Godzilla management user interface and gain complete control over the target host, facilitating the execution of arbitrary shell commands, viewing network information, and handling file management operations.

Users of Apache ActiveMQ are strongly advised to update to the latest version as soon as possible to mitigate potential threats.

Cryptominers Targeting Misconfigured Apache Hadoop and Flink with Rootkit in New Attacks
https://www.indiavpn.org/2024/01/12/cryptominers-targeting-misconfigured-apache-hadoop-and-flink-with-rootkit-in-new-attacks/
Fri, 12 Jan 2024 08:13:21 +0000

Jan 12, 2024 | Newsroom | Cryptocurrency / Malware


Cybersecurity researchers have identified a new attack that exploits misconfigurations in Apache Hadoop and Flink to deploy cryptocurrency miners within targeted environments.

“This attack is particularly intriguing due to the attacker’s use of packers and rootkits to conceal the malware,” Aqua security researchers Nitzan Yaakov and Assaf Morag said in an analysis published earlier this week. “The malware deletes contents of specific directories and modifies system configurations to evade detection.”

The infection chain targeting Hadoop leverages a misconfiguration in the YARN (Yet Another Resource Negotiator) ResourceManager, the component responsible for tracking resources in a cluster and scheduling applications.

Specifically, the misconfiguration can be exploited by an unauthenticated, remote threat actor to execute arbitrary code by means of a crafted HTTP request, subject to the privileges of the user on the node where the code is executed.


The attacks aimed at Apache Flink likewise target a misconfiguration that permits a remote attacker to achieve code execution without any authentication.

These misconfigurations are not novel and have been exploited in the past by financially motivated groups like TeamTNT, which is known for its history of targeting Docker and Kubernetes environments for the purpose of cryptojacking and other malicious activities.

But what makes the latest set of attacks noteworthy is the use of rootkits to hide crypto mining processes after obtaining an initial foothold into Hadoop and Flink applications.

“The attacker sends an unauthenticated request to deploy a new application,” the researchers explained. “The attacker is able to run a remote code by sending a POST request to the YARN, requesting to launch the new application with the attacker’s command.”

The command is purpose-built to clear the /tmp directory of all existing content, fetch a file called “dca” from a remote server, and execute it, followed by deleting all files in the /tmp directory once again.


The executed payload is a packed ELF binary that acts as a downloader to retrieve two rootkits and a Monero cryptocurrency miner binary. It’s worth pointing out that various adversaries, including Kinsing, have resorted to employing rootkits to conceal the presence of the mining process.

To achieve persistence, a cron job is created to download and execute a shell script that deploys the ‘dca’ binary. Further analysis of the threat actor’s infrastructure reveals that the staging server used to fetch the downloader was registered on October 31, 2023.

As mitigations, it’s recommended that organizations deploy agent-based security solutions to detect cryptominers, rootkits, obfuscated or packed binaries, as well as other suspicious runtime behaviors.

New PoC Exploit for Apache OFBiz Vulnerability Poses Risk to ERP Systems
https://www.indiavpn.org/2024/01/11/new-poc-exploit-for-apache-ofbiz-vulnerability-poses-risk-to-erp-systems/
Thu, 11 Jan 2024 17:55:09 +0000

Jan 11, 2024 | Newsroom | Vulnerability / Cyber Attack


Cybersecurity researchers have developed proof-of-concept (PoC) code that exploits a recently disclosed critical flaw in the Apache OFBiz open-source Enterprise Resource Planning (ERP) system to execute a memory-resident payload.

The vulnerability in question is CVE-2023-51467 (CVSS score: 9.8), a bypass for another severe shortcoming in the same software (CVE-2023-49070, CVSS score: 9.8) that could be weaponized to bypass authentication and remotely execute arbitrary code.

While it was fixed in Apache OFBiz version 18.12.11, released last month, threat actors have been observed attempting to exploit the flaw against vulnerable instances.

The latest findings from VulnCheck show that CVE-2023-51467 can be exploited to execute a payload directly from memory, leaving little to no traces of malicious activity.


Security flaws disclosed in Apache OFBiz (e.g., CVE-2020-9496) have been exploited by threat actors in the past, including by threat actors associated with the Sysrv botnet. Another three-year-old bug in the software (CVE-2021-29200) has witnessed exploitation attempts from 29 unique IP addresses over the past 30 days, per data from GreyNoise.

What’s more, Apache OFBiz was also one of the first products to have a public exploit for Log4Shell (CVE-2021-44228), illustrating that it continues to be of interest to defenders and attackers alike.


CVE-2023-51467 is no exception, with details about a remote code execution endpoint (“/webtools/control/ProgramExport”) as well as PoC for command execution emerging merely days after public disclosure.

While security guardrails (i.e., Groovy sandbox) have been erected such that they block any attempts to upload arbitrary web shells or run Java code via the endpoint, the incomplete nature of the sandbox means that an attacker could run curl commands and obtain a bash reverse shell on Linux systems.


“For an advanced attacker, though, these payloads aren’t ideal,” VulnCheck’s Chief Technology Officer Jacob Baines said. “They touch the disk and rely on Linux-specific behavior.”

The Go-based exploit devised by VulnCheck is a cross-platform solution that works on both Windows and Linux, and it gets around the denylist by taking advantage of groovy.util.Eval functions to launch an in-memory Nashorn reverse shell as the payload.

“OFBiz is not widely popular, but it has been exploited in the past. There is a fair deal of hype around CVE-2023-51467 but no public weaponized payload, which called into question if it was even possible,” Baines said. “We’ve concluded that not only is it possible, but we can achieve arbitrary in memory code execution.”

CISA Flags 6 Vulnerabilities – Apple, Apache, Adobe, D-Link, Joomla Under Attack
https://www.indiavpn.org/2024/01/10/cisa-flags-6-vulnerabilities-apple-apache-adobe-d-link-joomla-under-attack/
Wed, 10 Jan 2024 08:18:39 +0000

Jan 10, 2024 | Newsroom | Patch Management / Threat Intelligence


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added six security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

This includes CVE-2023-27524 (CVSS score: 8.9), a high-severity vulnerability impacting the Apache Superset open-source data visualization software that could enable remote code execution. It was fixed in version 2.1.

Details of the issue first came to light in April 2023, with Horizon3.ai’s Naveen Sunkavally describing it as a “dangerous default configuration in Apache Superset that allows an unauthenticated attacker to gain remote code execution, harvest credentials, and compromise data.”


It’s currently not known how the vulnerability is being exploited in the wild. Also added by CISA are five other flaws:

  • CVE-2023-38203 (CVSS score: 9.8) – Adobe ColdFusion Deserialization of Untrusted Data Vulnerability
  • CVE-2023-29300 (CVSS score: 9.8) – Adobe ColdFusion Deserialization of Untrusted Data Vulnerability
  • CVE-2023-41990 (CVSS score: 7.8) – Apple Multiple Products Code Execution Vulnerability
  • CVE-2016-20017 (CVSS score: 9.8) – D-Link DSL-2750B Devices Command Injection Vulnerability
  • CVE-2023-23752 (CVSS score: 5.3) – Joomla! Improper Access Control Vulnerability

It’s worth noting that CVE-2023-41990, patched by Apple in iOS 15.7.8 and iOS 16.3, was used by unknown actors as part of Operation Triangulation spyware attacks to achieve remote code execution when processing a specially crafted iMessage PDF attachment.

Federal Civilian Executive Branch (FCEB) agencies have been recommended to apply fixes for the aforementioned bugs by January 29, 2024, to secure their networks against active threats.

Critical Zero-Day in Apache OFBiz ERP System Exposes Businesses to Attack
https://www.indiavpn.org/2023/12/27/critical-zero-day-in-apache-ofbiz-erp-system-exposes-businesses-to-attack/
Wed, 27 Dec 2023 16:57:11 +0000

Dec 27, 2023 | Newsroom | Zero-Day / Vulnerability


A new zero-day security flaw has been discovered in Apache OFBiz, an open-source Enterprise Resource Planning (ERP) system, that could be exploited to bypass authentication protections.

The vulnerability, tracked as CVE-2023-51467, resides in the login functionality and is the result of an incomplete patch for another critical vulnerability (CVE-2023-49070, CVSS score: 9.8) that was released earlier this month.

“The security measures taken to patch CVE-2023-49070 left the root issue intact and therefore the authentication bypass was still present,” the SonicWall Capture Labs threat research team, which discovered the bug, said in a statement shared with The Hacker News.


CVE-2023-49070 refers to a pre-authenticated remote code execution flaw impacting versions prior to 18.12.10 that, when successfully exploited, could allow threat actors to gain full control over the server and siphon sensitive data. It stems from a deprecated XML-RPC component within Apache OFBiz.

According to SonicWall, CVE-2023-51467 could be triggered using empty and invalid USERNAME and PASSWORD parameters in an HTTP request to return an authentication success message, effectively circumventing the protection and enabling a threat actor to access otherwise unauthorized internal resources.


The attack hinges on the fact that the parameter “requirePasswordChange” is set to “Y” (i.e., yes) in the URL, causing the authentication to be trivially bypassed regardless of the values passed in the username and password fields.

“The vulnerability allows attackers to bypass authentication to achieve a simple Server-Side Request Forgery (SSRF),” according to a description of the flaw on the NIST National Vulnerability Database (NVD).

Users who rely on Apache OFBiz are advised to update to version 18.12.11 or later as soon as possible to mitigate any potential threats.
