Apr 10, 2024NewsroomSoftware Security / Vulnerability

A critical security flaw in the Rust standard library could be exploited to target Windows users and stage command injection attacks.

The vulnerability, tracked as CVE-2024-24576, has a CVSS score of 10.0, indicating maximum severity. That said, it only impacts scenarios where batch files are invoked on Windows with untrusted arguments.

“The Rust standard library did not properly escape arguments when invoking batch files (with the bat and cmd extensions) on Windows using the Command API,” the Rust Security Response working group said in an advisory released on April 9, 2024.

“An attacker able to control the arguments passed to the spawned process could execute arbitrary shell commands by bypassing the escaping.”

The flaw impacts all versions of Rust before 1.77.2. Security researcher RyotaK has been credited with discovering and reporting the bug to the CERT Coordination Center (CERT/CC).

RyotaK said the vulnerability – codenamed BatBadBut – impacts several programming languages and that it arises when the “programming language wraps the CreateProcess function [in Windows] and adds the escaping mechanism for the command arguments.”

But in light of the fact that not every programming language has addressed the problem, developers are being recommended to exercise caution when executing commands on Windows.

“To prevent the unexpected execution of batch files, you should consider moving the batch files to a directory that is not included in the PATH environment variable,” RyotaK said in a word of advice to users.

“In this case, the batch files won’t be executed unless the full path is specified, so the unexpected execution of batch files can be prevented.”

Apr 02, 2024NewsroomFirmware Security / Vulnerability

The malicious code inserted into the open-source library XZ Utils, a widely used package present in major Linux distributions, is also capable of facilitating remote code execution, a new analysis has revealed.

The audacious supply chain compromise, tracked as CVE-2024-3094 (CVSS score: 10.0), came to light last week when Microsoft engineer and PostgreSQL developer Andres Freund alerted to the presence of a backdoor in the data compression utility that gives remote attackers a way to sidestep secure shell authentication and gain complete access to an affected system.

XZ Utils is a command-line tool for compressing and decompressing data in Linux and other Unix-like operating systems.

The malicious code is said to have been deliberately introduced by one of the project maintainers named Jia Tan (aka Jia Cheong Tan or JiaT75) in what appears to be a meticulous attack spanning multiple years. The GitHub user account was created in 2021. The identity of the actor(s) is presently unknown.

“The threat actor started contributing to the XZ project almost two years ago, slowly building credibility until they were given maintainer responsibilities,” Akamai said in a report.

In a further act of clever social engineering, sockpuppet accounts like Jigar Kumar and Dennis Ens are believed to have been used to send feature requests and report a variety of issues in the software in order to force the original maintainer – Lasse Collin of the Tukaani Project – to add a new co-maintainer to the repository.

Enter Jia Tan, who introduced a series of changes to XZ Utils in 2023, which eventually made their way to release version 5.6.0 in February 2024. They also harbored a sophisticated backdoor.

“As I have hinted in earlier emails, Jia Tan may have a bigger role in the project in the future,” Collin said in an exchange with Kumar in June 2022.

“He has been helping a lot off-list and is practically a co-maintainer already. I know that not much has happened in the git repository yet but things happen in small steps. In any case some change in maintainership is already in progress at least for XZ Utils.”

The backdoor affects XZ Utils 5.6.0 and 5.6.1 release tarballs, the latter of which contains an improved version of the same implant. Collins has since acknowledged the project’s breach, stating both the tarballs were created and signed by Jia Tan and that they had access only to the now-disabled GitHub repository.

“This is clearly a very complex state-sponsored operation with impressive sophistication and multi-year planning,” firmware security company Binarly said. “Such a complex and professionally designed comprehensive implantation framework is not developed for a one-shot operation.”

A deeper examination of the backdoor by open-source cryptographer Filippo Valsorda has also revealed that the affected versions allow specific remote attackers to send arbitrary payloads through an SSH certificate which will be executed in a manner that circumvents authentication protocols, effectively seizing control over the victim machine.

“It appears as though the backdoor is added to the SSH daemon on the vulnerable machine, enabling a remote attacker to execute arbitrary code,” Akamai said. “This means that any machine with the vulnerable package that exposes SSH to the internet is potentially vulnerable.”

Needless to say, the accidental discovery by Freund is one of the most significant supply chain attacks discovered to date and could have been a severe security disaster had the package been integrated into stable releases of Linux distributions.

“The most notable part of this supply chain attack is the extreme levels of dedication of the attacker, working more than two years to establish themselves as a legitimate maintainer, offering to pick up work in various OSS projects and committing code across multiple projects in order to avoid detection,” JFrog said.

As with the case of Apache Log4j, the incident once again highlights the reliance on open-source software and volunteer-run projects, and the consequences that could entail should they suffer a compromise or have a major vulnerability.

“The bigger ‘fix’ is for organizations to adopt tools and processes that allow them to identify signs of tampering and malicious features within both open source and commercial code used in their own development pipeline,” ReversingLabs said.

Mar 21, 2024NewsroomThreat Intelligence / Malware

The Russia-linked threat actor known as Turla infected several systems belonging to an unnamed European non-governmental organization (NGO) in order to deploy a backdoor called TinyTurla-NG.

“The attackers compromised the first system, established persistence and added exclusions to antivirus products running on these endpoints as part of their preliminary post-compromise actions,” Cisco Talos said in a new report published today.

“Turla then opened additional channels of communication via Chisel for data exfiltration and to pivot to additional accessible systems in the network.”

There is evidence indicating that the infected systems were breached as early as October 2023, with Chisel deployed in December 2023 and data exfiltrating taking place via the tool a month later, around January 12, 2024.

TinyTurla-NG was first documented by the cybersecurity company last month after it was found to be used in connection with a cyber attack targeting a Polish NGO working on improving Polish democracy and supporting Ukraine during the Russian invasion.

Cisco Talos told The Hacker News at the time that the campaign appears to be highly targeted and focused on a small number of organizations, most of which are located in Poland.

The attack chain involves Turla exploiting their initial access to configure Microsoft Defender antivirus exclusions to evade detection and drop TinyTurla-NG, which is then persisted by creating a malicious “sdm” service that masquerades as a “System Device Manager” service.

TinyTurla-NG acts as a backdoor to conduct follow-on reconnaissance, exfiltrate files of interest to a command-and-control (C2) server, and deploy a custom-built version of the Chisel tunneling software. The exact intrusion pathway is still being investigated.

“Once the attackers have gained access to a new box, they will repeat their activities to create Microsoft Defender exclusions, drop the malware components, and create persistence,” Talos researchers said.

Mar 20, 2024NewsroomDoS Attack / Network Security

A novel denial-of-service (DoS) attack vector has been found to target application-layer protocols based on User Datagram Protocol (UDP), putting hundreds of thousands of hosts likely at risk.

Called Loop DoS attacks, the approach pairs “servers of these protocols in such a way that they communicate with each other indefinitely,” researchers from the CISPA Helmholtz-Center for Information Security said.

UDP, by design, is a connectionless protocol that does not validate source IP addresses, making it susceptible to IP spoofing.

Thus, when attackers forge several UDP packets to include a victim IP address, the destination server responds to the victim (as opposed to the threat actor), creating a reflected denial-of-service (DoS) attack.

The latest study found that certain implementations of the UDP protocol, such as DNS, NTP, TFTP, Active Users, Daytime, Echo, Chargen, QOTD, and Time, can be weaponized to create a self-perpetuating attack loop.

“It pairs two network services in such a way that they keep responding to one another’s messages indefinitely,” the researchers said. “In doing so, they create large volumes of traffic that result in a denial-of-service for involved systems or networks. Once a trigger is injected and the loop set in motion, even the attackers are unable to stop the attack.”

Put simply, given two application servers running a vulnerable version of the protocol, a threat actor can initiate communication with the first server by spoofing the address of the second server, causing the first server to respond to the victim (i.e., the second server) with an error message.

The victim, in turn, will also exhibit similar behavior, sending back another error message to the first server, effectively exhausting each other’s resources and making either of the services unresponsive.

“If an error as input creates an error as output, and a second system behaves the same, these two systems will keep sending error messages back and forth indefinitely,” Yepeng Pan and Christian Rossow explained.

CISPA said an estimated 300,000 hosts and their networks can be abused to carry out Loop DoS attacks.

While there is currently no evidence that the attack has been weaponized in the wild, the researchers warned that exploitation is trivial and that multiple products from Broadcom, Cisco, Honeywell, Microsoft, MikroTik, and Zyxel are affected.

“Attackers need a single spoofing-capable host to trigger loops,” the researchers noted. “As such, it is important to keep up initiatives to filter spoofed traffic, such as BCP38.”

Mar 20, 2024NewsroomCritical Infrastructure / Network Security

The U.S. Environmental Protection Agency (EPA) said it’s forming a new “Water Sector Cybersecurity Task Force” to devise methods to counter the threats faced by the water sector in the country.

“In addition to considering the prevalent vulnerabilities of water systems to cyberattacks and the challenges experienced by some systems in adopting best practices, this Task Force in its deliberations would seek to build upon existing collaborative products,” the EPA said.

In a letter sent to all U.S. Governors, EPA Administrator Michael Regan and National Security Advisor Jake Sullivan highlighted the need to secure water and wastewater systems (WWS) from cyber attacks that could disrupt access to clean and safe drinking water.

At least two threat actors have been linked to intrusions targeting the nation’s water systems, including those by an Iranian hacktivist group named Cyber Av3ngers as well as the China-linked Volt Typhoon, which has targeted communications, energy, transportation, and water and wastewater systems sectors in the U.S. and Guam for at least five years.

“Drinking water and wastewater systems are an attractive target for cyberattacks because they are a lifeline critical infrastructure sector but often lack the resources and technical capacity to adopt rigorous cybersecurity practices,” Regan and Sullivan said.

The development coincides with the release of a new fact sheet from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), urging critical infrastructure entities to defend against the “urgent risk posed by Volt Typhoon” by implementing secure by-design principles, robust logging, safeguarding the supply chain, and increasing awareness of social engineering tactics.

“Volt Typhoon have been pre-positioning themselves on U.S. critical infrastructure organizations’ networks to enable disruption or destruction of critical services in the event of increased geopolitical tensions and/or military conflict with the United States and its allies,” the agency cautioned.

Cybersecurity firm SentinelOne, in a report published last month, revealed how China has launched an offensive media strategy to propagate “unsubstantiated” narratives around U.S. hacking operations for over two years.

“Repeating China’s allegations helps the [People’s Republic of China] shape global public opinion of the U.S. China wants to see the world recognize the U.S. as the ’empire of hacking,'” Sentinel One’s China-focused consultant Dakota Cary said.

“The fact that China is lodging allegations of US espionage operations is still notable, providing insight into the relationship between the US and China, even if China does not support its claims.”

Feb 29, 2024NewsroomThreat Intelligence / Cyber Threat

Cybersecurity researchers have disclosed a new attack technique called Silver SAML that can be successful even in cases where mitigations have been applied against Golden SAML attacks.

Silver SAML “enables the exploitation of SAML to launch attacks from an identity provider like Entra ID against applications configured to use it for authentication, such as Salesforce,” Semperis researchers Tomer Nahum and Eric Woodruff said in a report shared with The Hacker News.

Golden SAML (short for Security Assertion Markup Language) was first documented by CyberArk in 2017. The attack vector, in a nutshell, entails the abuse of the interoperable authentication standard to impersonate almost any identity in an organization.

It’s also similar to the Golden Ticket attack in that it grants attackers the ability to gain unauthorized access to any service in a federation with any privileges and to stay persistent in this environment in a stealthy manner.

“Golden SAML introduces to a federation the advantages that golden ticket offers in a Kerberos environment – from gaining any type of access to stealthily maintaining persistency,” security researcher Shaked Reiner noted at the time.

Real-world attacks leveraging the method have been rare, the first recorded use being the compromise of SolarWinds infrastructure to gain administrative access by forging SAML tokens using compromised SAML token signing certificates.

Golden SAML has also been weaponized by an Iranian threat actor codenamed Peach Sandstorm in a March 2023 intrusion to access an unnamed target’s cloud resources sans requiring any password, Microsoft revealed in September 2023.

The latest approach is a spin on Golden SAML that works with an identity provider (IdP) like Microsoft Entra ID (formerly Azure Active Directory) and doesn’t require access to the Active Directory Federation Services (AD FS). It has been assessed as a moderate-severity threat to organizations.

“Within Entra ID, Microsoft provides a self-signed certificate for SAML response signing,” the researchers said. “Alternatively, organizations can choose to use an externally generated certificate such as those from Okta. However, that option introduces a security risk.”

“Any attacker that obtains the private key of an externally generated certificate can forge any SAML response they want and sign that response with the same private key that Entra ID holds. With this type of forged SAML response, the attacker can then access the application — as any user.”

Following responsible disclosure to Microsoft on January 2, 2024, the company said the issue does not meet its bar for immediate servicing, but noted it will take appropriate action as needed to safeguard customers.

While there is no evidence that Silver SAML has been exploited in the wild, organizations are required to use only Entra ID self-signed certificates for SAML signing purposes. Semperis has also made available a proof-of-concept (PoC) dubbed SilverSAMLForger to create custom SAML responses.

“Organizations can monitor Entra ID audit logs for changes to PreferredTokenSigningKeyThumbprint under ApplicationManagement,” the researchers said.

“You will need to correlate those events to Add service principal credential events that relate to the service principal. The rotation of expired certificates is a common process, so you will need to determine whether the audit events are legitimate. Implementing change control processes to document the rotation can help to minimize confusion during rotation events.”

Feb 29, 2024NewsroomMalware / Endpoint Security

The notorious North Korean state-backed hacking group Lazarus uploaded four packages to the Python Package Index (PyPI) repository with the goal of infecting developer systems with malware.

The packages, now taken down, are pycryptoenv, pycryptoconf, quasarlib, and swapmempool. They have been collectively downloaded 3,269 times, with pycryptoconf accounting for the most downloads at 1,351.

“The package names pycryptoenv and pycryptoconf are similar to pycrypto, which is a Python package used for encryption algorithms in Python,” JPCERT/CC researcher Shusei Tomonaga said. “Therefore, the attacker probably prepared the malware-containing malicious packages to target users’ typos in installing Python packages.”

The disclosure comes days after Phylum uncovered several rogue packages on the npm registry that have been used to single out software developers as part of a campaign codenamed Contagious Interview.

An interesting commonality between the two sets of attacks is that the malicious code is concealed within the test script (“test.py”). In this case, however, the test file is merely a smokescreen for what’s an XOR-encoded DLL file, which, in turn, creates two DLL files named IconCache.db and NTUSER.DAT.

The attack sequence then uses NTUSER.DAT to load and execute IconCache.db, a malware called Comebacker that’s responsible for establishing connections with a command-and-control (C2) server to fetch and run a Windows executable file.

JPCERT/CC said the packages are a continuation of a campaign that Phylum first detailed in November 2023 as leveraging crypto-themed npm modules to deliver Comebacker.

“Attackers may be targeting users’ typos to have the malware downloaded,” Tomonaga said. “When you install modules and other kinds of software in your development environment, please do so carefully to avoid installing unwanted packages.”

Jan 26, 2024NewsroomNetwork Security / Vulnerability

Cisco has released patches to address a critical security flaw impacting Unified Communications and Contact Center Solutions products that could permit an unauthenticated, remote attacker to execute arbitrary code on an affected device.

Tracked as CVE-2024-20253 (CVSS score: 9.9), the issue stems from improper processing of user-provided data that a threat actor could abuse to send a specially crafted message to a listening port of a susceptible appliance.

“A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the privileges of the web services user,” Cisco said in an advisory. “With access to the underlying operating system, the attacker could also establish root access on the affected device.”

Synacktiv security researcher Julien Egloff has been credited with discovering and reporting CVE-2024-20253. The following products are impacted by the flaw –

• Unified Communications Manager (versions 11.5, 12.5(1), and 14)
• Unified Communications Manager IM & Presence Service (versions 11.5(1), 12.5(1), and 14)
• Unified Communications Manager Session Management Edition (versions 11.5, 12.5(1), and 14)
• Unified Contact Center Express (versions 12.0 and earlier and 12.5(1))
• Unity Connection (versions 11.5(1), 12.5(1), and 14), and
• Virtualized Voice Browser (versions 12.0 and earlier, 12.5(1), and 12.5(2))

While there are no workarounds that address the shortcoming, the networking equipment maker is urging users to set up access control lists to limit access where applying the updates is not immediately possible.

“Establish access control lists (ACLs) on intermediary devices that separate the Cisco Unified Communications or Cisco Contact Center Solutions cluster from users and the rest of the network to allow access only to the ports of deployed services,” the company said.

The disclosure arrives weeks after Cisco shipped fixes for a critical security flaw impacting Unity Connection (CVE-2024-20272, CVSS score: 7.3) that could permit an adversary to execute arbitrary commands on the underlying system.

Jan 11, 2024NewsroomVulnerability / Cyber Attack

Cybersecurity researchers have developed a proof-of-concept (PoC) code that exploits a recently disclosed critical flaw in the Apache OfBiz open-source Enterprise Resource Planning (ERP) system to execute a memory-resident payload.

The vulnerability in question is CVE-2023-51467 (CVSS score: 9.8), a bypass for another severe shortcoming in the same software (CVE-2023-49070, CVSS score: 9.8) that could be weaponized to bypass authentication and remotely execute arbitrary code.

While it was fixed in Apache OFbiz version 18.12.11 released last month, threat actors have been observed attempting to exploit the flaw, targeting vulnerable instances.

The latest findings from VulnCheck show that CVE-2023-51467 can be exploited to execute a payload directly from memory, leaving little to no traces of malicious activity.

Security flaws disclosed in Apache OFBiz (e.g., CVE-2020-9496) have been exploited by threat actors in the past, including by threat actors associated with the Sysrv botnet. Another three-year-old bug in the software (CVE-2021-29200) has witnessed exploitation attempts from 29 unique IP addresses over the past 30 days, per data from GreyNoise.

What’s more, Apache OFBiz was also one of the first products to have a public exploit for Log4Shell (CVE-2021-44228), illustrating that it continues to be of interest to both defenders and attackers alike.

CVE-2023-51467 is no exception, with details about a remote code execution endpoint (“/webtools/control/ProgramExport”) as well as PoC for command execution emerging merely days after public disclosure.

While security guardrails (i.e., Groovy sandbox) have been erected such that they block any attempts to upload arbitrary web shells or run Java code via the endpoint, the incomplete nature of the sandbox means that an attacker could run curl commands and obtain a bash reverse shell on Linux systems.

“For an advanced attacker, though, these payloads aren’t ideal,” VulnCheck’s Chief Technology Officer Jacob Baines said. “They touch the disk and rely on Linux-specific behavior.”

The Go-based exploit devised by VulnCheck is a cross-platform solution that works on both Windows and Linux as well as gets around the denylist by taking advantage of groovy.util.Eval functions to launch an in-memory Nashorn reverse shell as the payload.

“OFBiz is not widely popular, but it has been exploited in the past. There is a fair deal of hype around CVE-2023-51467 but no public weaponized payload, which called into question if it was even possible,” Baines said. “We’ve concluded that not only is it possible, but we can achieve arbitrary in memory code execution.”

Dec 14, 2023NewsroomMalware / Supply Chain Attack

Cybersecurity researchers have identified a set of 116 malicious packages on the Python Package Index (PyPI) repository that are designed to infect Windows and Linux systems with a custom backdoor.

“In some cases, the final payload is a variant of the infamous W4SP Stealer, or a simple clipboard monitor to steal cryptocurrency, or both,” ESET researchers Marc-Etienne M.Léveillé and Rene Holt said in a report published earlier this week.

The packages are estimated to have been downloaded over 10,000 times since May 2023.

The threat actors behind the activity have been observed using three techniques to bundle malicious code into Python packages, namely via a test.py script, embedding PowerShell in setup.py file, and incorporating it in obfuscated form in the __init__.py file.

Irrespective of the method used, the end goal of the campaign is to compromise the targeted host with malware, primarily a backdoor capable of remote command execution, data exfiltration, and taking screenshots. The backdoor module is implemented in Python for Windows and in Go for Linux.

Alternately, the attack chains also culminate in the deployment of W4SP Stealer or a clipper malware designed to keep close tabs on a victim’s clipboard activity and swapping the original wallet address, if present, with an attacker-controlled address.

The development is the latest in a wave of compromised Python packages attackers have released to poison the open-source ecosystem and distribute a medley of malware for supply chain attacks.

It’s also the newest addition to a steady stream of bogus PyPI packages that have acted as a stealthy channel for distributing stealer malware. In May 2023, ESET revealed another cluster of libraries that were engineered to propagate Sordeal Stealer, which borrows its features from W4SP Stealer.

Then, last month, malicious packages masquerading as seemingly innocuous obfuscation tools were found to deploy a stealer malware codenamed BlazeStealer.

“Python developers should thoroughly vet the code they download, especially checking for these techniques, before installing it on their systems,” the researchers cautioned.

The disclosure also follows the discovery of npm packages that were found targeting an unnamed financial institution as part of an “advanced adversary simulation exercise.” The names of the modules, which contained an encrypted blob, have been withheld to protect the identity of the organization.

“This decrypted payload contains an embedded binary that cleverly exfiltrates user credentials to a Microsoft Teams webhook that is internal to the target company in question,” software supply chain security firm Phylum disclosed last week.