The open-source XZ Utils compression utility has been backdoored by a skilled threat actor who tried to get the malicious packages included in mainstream Linux distributions, to allow them unfettered, covert SSH access to Linux systems around the world.
âThe author intentionally obfuscated the backdoor in distribution tarballs, intended for Linux distributions to use for building their packages. When the xz build system is instructed to create an RPM or DEB for the x86-64 architecture using gcc and gnu linker, the backdoor is included in the liblzma as part of the build process. This backdoor is then shipped as part of the binary within the RPM or DEB,â the Open Source Security Foundation succinctly explained.
The backdoor was discovered by Andres Freund, a software engineer at Microsoft, and its existence was publicly revealed a little over a week ago. Stable versions of a few Linux distros have been affected but widespread compromise has been avoided.
Become a trusted persona in the open-source ecosystem (they made commits on other projects, as well).
How to detect the XZ Utils backdoor?
Triggering/using the backdoor requires authentication via a private SSH key owned by the attacker, so exploitation â if it ever happens â will be limited. The fact that the vulnerable library versions havenât ended up in many production systems is a huge blessing.
That said, a number of scripts and tools have been released allowing users to check for the presence of the backdoor.
Freundâs post on the OSS mailing list includes a script to detect vulnerable SSH binaries on systems, which has then been repurposed and extended to also check whether a system uses a backdoored version of the liblzma library.
Binarly, a firmware security firm, has set up an online scanner that allows users to analyze any binary for the backdoor implant.
âSuch a complex and professionally designed comprehensive implantation framework is not developed for a one-shot operation. It could already be deployed elsewhere or partially reused in other operations. Thatâs exactly why we started focusing on more generic detection for this complex backdoor,â they noted.
Late last week, Bitdefender released another scanner, that must be deployed on systems that need testing. (Since the scanner requires root privileges to be effective, the company has released the source code.)
It can search for all infected liblzma libraries, even if they are not used by the Secure Shell Daemon application (sshd), as well as for a unique byte sequence injected by the backdoor during library compilation.
Elastic Security Labs researchers have published their analysis of the backdoor, as well as YARA signatures, detection rules, and osquery queries that Linux admins can use to find vulnerable liblzma libraries and identify potentially suspicious sshd behavior.
In an unsettling development that emerged late last week, the open-source community was thrust into a state of high alert following the disclosure that XZ Utils, a fundamental compression utility widespread across Linux distributions, had been compromised. This startling revelation has left a significant mark on the open-source ecosystem, prompting a swift and coordinated response from maintainers and security professionals alike.
Discovery of the Backdoor
The initial discovery of the backdoor was made by Andres Freund, a Microsoft software engineer, during routine diagnostics on Debian sid (development) installations. Freundâs investigation, sparked by unusually high CPU usage during SSH logins and accompanying error alerts, led to the identification of the culprit: a malicious insertion within the liblzma library, a core component of the XZ package. This finding was subsequently designated with the vulnerability identifier CVE-2024-3094. Attribution for this calculated insertion has been directed at an individual known as âJia Tanâ (JiaT75 on GitHub), who, through an elaborate scheme of social engineering and the use of sock puppet accounts, gained the trust of the XZ Utils maintainer community. This long-term infiltration underscores the advanced nature of the threat actor involved, pointing towards a highly skilled and resourceful adversary.
Kali Linux (updates between March 26th to March 29th)
Confirmed by OffSec
Affected
Some Arch Linux virtual machine and container images
Confirmed by Arch Linux maintainers
Not Affected
Red Hat Enterprise Linux (RHEL)
Confirmed by Red Hat
Not Affected
Ubuntu
Confirmed by Ubuntu
Not Affected
Linux Mint
Confirmed by Linux Mint
Not Affected
Gentoo Linux
Confirmed by Gentoo Linux
Not Affected
Amazon Linux and Alpine Linux
Confirmed by Amazon Linux and Alpine Linux maintainers
Guidance and Recommendations
In light of these disclosures, affected parties have been advised to approach the situation as a definitive security incident, necessitating a comprehensive review and mitigation process. This includes the diligent examination for any unauthorized access or misuse, the rotation of exposed credentials, and a thorough security audit of systems that might have been compromised during the exposure window.
Insight into the Backdoor Mechanism
The intricacy of the backdoor, embedded within the xz-utilsâ liblzma library and manifesting under precise conditions, notably through remote, unprivileged connections to public SSH ports, speaks volumes about the sophistication of the threat actors behind this maneuver. This backdoor not only raises concerns over performance degradation but also poses a significant risk to the integrity and security of the affected systems.
HOW TO DETECT IF YOU ARE A VICTIM
In light of the recent discovery of the CVE-2024-3094 backdoor in XZ Utils versions 5.6.0 and 5.6.1, the cybersecurity community has been on high alert. Binarly has introduced a free scanner to identify the presence of this backdoor in affected systems. Below is a detailed tutorial, including examples, on how to use the Binarly Free Scanner to detect the CVE-2024-3094 backdoor in your systems.
STEP 1: UNDERSTANDING THE THREAT
The CVE-2024-3094 backdoor in XZ Utils versions 5.6.0 and 5.6.1 poses a significant security risk, potentially allowing unauthorized remote access. Itâs crucial to grasp the severity of this issue before proceeding.
Example: Imagine a scenario where an organizationâs critical systems are running on a compromised version of XZ Utils, leaving the network vulnerable to attackers who could gain unauthorized access through the backdoor.
STEP 2: ACCESSING THE BINARLY FREE SCANNER
Navigate to XZ.fail, the dedicated website Binarly set up for the scanner.
Example: Open your web browser and type âhttps://xz.failâ in the address bar to access the Binarly Free Scannerâs homepage.
STEP 3: UTILIZING THE SCANNER
The Binarly Free Scanner uses advanced static analysis to detect the backdoor by examining ifunc transition behaviors in the binaries.
Example: After accessing XZ.fail, youâll be prompted to upload or specify the path to the binary files you wish to scan. Suppose you want to check a file named example.xz; you would select this file for scanning through the web interface or command line, depending on the toolâs usage options provided.
STEP 4: INTERPRETING THE RESULTS
Once the scan completes, the scanner will report back on whether the CVE-2024-3094 backdoor was detected in the scanned files.
Example: If the scanner finds the backdoor in example.xz, it might display a message such as âBackdoor Detected: CVE-2024-3094 present in example.xzâ. If no backdoor is found, a message like âNo Backdoor Detected: Your files are cleanâ would appear.
STEP 5: TAKING ACTION
If the scanner detects the backdoor, immediate action is required to remove the compromised binaries and replace them with secure versions.
Example: For a system administrator who finds the backdoor in example.xz, the next steps would involve removing this file, downloading a secure version of XZ Utils from a trusted source, and replacing the compromised file with this clean version.
STEP 6: CONTINUOUS VIGILANCE
Regularly scan your systems with the Binarly Free Scanner and other security tools to ensure no new threats have compromised your binaries.
Example:Â Set a monthly reminder to use the Binarly Free Scanner on all critical systems, especially after installing updates or adding new software packages, to catch any instances of the CVE-2024-3094 backdoor or other vulnerabilities.
The Binarly Free Scanner is a powerful tool in the fight against the CVE-2024-3094 backdoor, offering a reliable method for detecting and addressing this significant threat. By following these steps and incorporating the examples provided, users can effectively safeguard their systems from potential compromise.
The accidental discovery of this backdoor by Freund represents a crucial turning point, underscoring the importance of vigilant and proactive security practices within the open-source domain. This incident serves as a stark reminder of the vulnerabilities that can arise in even the most trusted components of the digital infrastructure. It has sparked a renewed debate on the necessity for enhanced security protocols and collaborative efforts to safeguard crucial open-source projects against increasingly sophisticated threats.
In the aftermath, the open-source community and its stewards are called upon to reassess their security posture, emphasizing the need for comprehensive auditing, transparent communication, and the adoption of robust security measures to prevent future compromises. This incident not only highlights the vulnerabilities inherent in the digital landscape but also the resilience and collaborative spirit of the open-source community in responding to and mitigating such threats.
North Korean Hackers Weaponize Fake Research to Deliver RokRAT Backdoor
Media organizations and high-profile experts in North Korean affairs have been at the receiving end of a new campaign orchestrated by a threat actor known as ScarCruft in December 2023.
“ScarCruft has been experimenting with new infection chains, including the use of a technical threat research report as a decoy, likely targeting consumers of threat intelligence like cybersecurity professionals,” SentinelOne researchers Aleksandar Milenkoski and Tom Hegel said in a report shared with The Hacker News.
The North Korea-linked adversary, also known by the name APT37, InkySquid, RedEyes, Ricochet Chollima, and Ruby Sleet, is assessed to be part of the Ministry of State Security (MSS), placing it apart from Lazarus Group and Kimsuky, which are elements within the Reconnaissance General Bureau (RGB).
Earlier this week, North Korean state media reported that the country had carried out a test of its “underwater nuclear weapons system” in response to drills by the U.S., South Korea, and Japan, describing the exercises as a threat to its national security.
The latest attack chain observed by SentinelOne targeted an expert in North Korean affairs by posing as a member of the North Korea Research Institute, urging the recipient to open a ZIP archive file containing presentation materials.
While seven of the nine files in the archive are benign, two of them are malicious Windows shortcut (LNK) files, mirroring a multi-stage infection sequence previously disclosed by Check Point in May 2023 to distribute the RokRAT backdoor.
There is evidence to suggest that some of the individuals who were targeted around December 13, 2023, were also previously singled out a month prior on November 16, 2023.
SentinelOne said its investigation also uncovered malware â two LNK files (“inteligence.lnk” and “news.lnk”) as well as shellcode variants delivering RokRAT â that’s said to be part of the threat actor’s planning and testing processes.
While the former shortcut file just opens the legitimate Notepad application, the shellcode executed via news.lnk paves the way for the deployment of RokRAT, although this infection procedure is yet to be observed in the wild, indicating its likely use for future campaigns.
Both LNK files have been observed deploying the same decoy document, a legitimate threat intelligence report about the Kimsuky threat group published by South Korean cybersecurity company Genians in late October 2023, in a move that implies an attempt to expand its target list.
This has raised the possibility that the adversary could be looking to gather information that could help it refine its operational playbook and also target or mimic cybersecurity professionals to infiltrate specific targets via brand impersonation techniques.
The development is a sign that the nation-state hacking crew is actively tweaking its modus operandi in an apparent effort to circumvent detection in response to public disclosure about its tactics and techniques.
“ScarCruft remains committed to acquiring strategic intelligence and possibly intends to gain insights into non-public cyber threat intelligence and defense strategies,” the researchers said.
“This enables the adversary to gain a better understanding of how the international community perceives developments in North Korea, thereby contributing to North Korea’s decision-making processes.”
As part of an ongoing cyber espionage effort, the Iranian nation-state hacking group known as OilRig has continued to target government entities in the Middle East. This cyber espionage campaign makes use of a newly discovered backdoor in order to exfiltrate data. OilRig (APT34) is an Iranian cyberespionage gang that has been active since 2014 and has been targeting different sectors and governments in the Middle East, including Chemical, Energy,Finance and Telecom.
Following the commencement of the DNSpionage operation in 2018-2019 targeting Lebanon and the UAE, OilRig began the HardPass operation in 2019-2020 utilizing LinkedIn to target individuals in the energy and government sectors.
In recent weeks, the experts in charge of cybersecurity at trendmicro have discovered and assessed two campaigns run by the OilRig APT group:
Outer Space (2021)
Juicy Mix (2022)
Due to the operationsâ concentration on the Middle East, Israeli organizations were the only ones targeted by these cyberespionage efforts. They gained access to the network by posing as genuine businesses using VBS droppers to plant C# and.NET backdoors and post-compromise data mining tools.
An Overview of the Campaign
Outer Space: It was an OilRig campaign from the year 2021 that employed an Israeli HR website as a command and control server for the Solar backdoor. . Here, with just the most fundamental functionalities, the Solar linked to the SC5k downloader, while the MKG was utilized for data exfiltration from browsers.
OilRig started a new campaign in 2022 called âJuicy Mix.â It targeted Israeli organizations with improved tools, compromised a job site for command and control, and then attacked an Israeli healthcare organization with a Mango backdoor, two hidden browser-data dumpers, and a Credential Manager stealer. Juicy Mix was a hit.
In order to get access to the target system, both attacks used VBS droppers, which were most likely distributed using spear phishing emails.
These droppers distributed Mango, made sure the infection would remain, and linked to the command and control server. Concealing the base64 encoding and basic string deobfuscation that the embedded backdoor employed at the same time was accomplished using these methods.
After inserting the backdoor, the dropper transmits the compromised computerâs name to the command and control server in the form of a base64-encoded POST request. This is done after it has scheduled Mango (or Solar) to run every 14 minutes.
During the Outer Space campaign, OilRig launches Solar, a backdoor that is both simple and flexible. It is able to download and run files, as well as independently exfiltrate prepared data.
Mango, which had previously been known as Solar, has been replaced in Juicy Mix by OilRigâs Mango, which, although having similar features and a workflow, has substantial differences.
In the same way as Solar did, Mango starts an in-memory job that runs every 32 seconds, talks with the C&C server, and carries out orders. Mango, on the other hand, is distinct in that it replaces Solarâs Venus assignment with a whole new exfiltration command.
Post-compromise tools
The following post-compromise tools are included below for your convenience:
Downloader for SampleCheck5000, often known as SC5k
Data scrapers for browsers
Windows Credential Manager stealer
OilRig makes its way from Solar to Mango via implants that function similarly to backdoors. While they do make use of specialized technology for data collecting, they nevertheless rely on more traditional methods to get user information.
The parallels between the first-stage dropper and Saitama, the victimology patterns, and the usage of internet-facing exchange servers as a communication technique were identified in the case of Karkoff, which is how the campaign is connected to APT34.
If anything, the rising number of malicious tools connected with OilRig illustrates the threat actorâs âflexibilityâ to come up with new malware depending on the targeted environments and the privileges held at a particular stage of the assault. This âflexibilityâ may be inferred from the fact that the threat actor has created a growing number of harmful tools linked with OilRig.
Researchers at the cybersecurity firm Eclypsium, which focuses on firmware, reported today that they have found a secret backdoor in the firmware of motherboards manufactured by the Taiwanese manufacturer Gigabyte. Gigabyteâs components are often used in gaming PCs and other high-performance systems. Eclypsium discovered that whenever a computer with the affected Gigabyte motherboard restarts, code inside the motherboardâs firmware silently triggers the launch of an updater application, which then downloads and runs another piece of software on the machine. Researchers discovered that the hidden code was built in an unsafe manner, making it possible for the mechanism to be hijacked and used to install malware rather than Gigabyteâs intended software.
Despite the fact that Eclypsium claims the hidden code is intended to be a harmless utility to keep the motherboardâs firmware updated, researchers determined that the implementation was vulnerable. And since the updater application is activated from the computerâs firmware rather than the operating system, it is difficult for users to either delete it or even detect it on their own. In the blog post, the company details the 271 different versions of Gigabyte motherboards that the researchers think are vulnerable. According to experts, individuals who are interested in discovering the motherboard that is used by their computer may do so by selecting âStartâ in Windows and then selecting âSystem Information.â
Users who donât trust Gigabyte to silently install code on their machine with a nearly invisible tool may have been concerned by Gigabyteâs updater alone. Other users may have been concerned that Gigabyteâs mechanism could be exploited by hackers who compromise the motherboard manufacturer to exploit its hidden access in a software supply chain attack. The update process was designed and built with obvious flaws that left it susceptible to being exploited in the following ways: It downloads code to the userâs workstation without properly authenticating it, and in certain cases, it even does it through an unsecured HTTP connection rather than an HTTPS one. This would make it possible for a man-in-the-middle attack to be carried out by anybody who is able to intercept the userâs internet connection, such as a malicious Wi-Fi network. The attack would enable the installation source to be faked.
Even if Gigabyte does release a fix for its firmware issueâafter all, the problem stems from a Gigabyte tool that was intended to automate firmware updatesâexperts points out that firmware updates frequently fail silently on usersâ machines, in many cases due to the complexity of the updates themselves and the difficulty of matching the firmware with the hardware.
In other instances, the updater that is installed by the mechanism in Gigabyteâs firmware is configured to be downloaded from a local network-attached storage device (NAS). This is a feature that appears to be designed for business networks to administer updates without all of their machines reaching out to the internet. Under such circumstances, a malicious actor on the same network might potentially fake the location of the NAS in order to covertly install their own malware in its place.
The company has said that it has been collaborating with Gigabyte in order to report its results to the motherboard maker, and that Gigabyte has indicated that it intends to solve the concerns.
Cyber espionage group Worok abuses Dropbox API to exfiltrate data via using a backdoor hidden in apparently innocuous image files.
Researchers from cybersecurity firm Avast observed the recently discovered espionage group Worok abusing Dropbox API to exfiltrate data via using a backdoor hidden in apparently innocuous image files.
The experts started their investigation from the analysis published by ESET on attacks against organizations and local governments in Asia and Africa. Avast experts were able to capture several PNG files embedding a data-stealing payload. They pointed out that data collection from victimsâ machines using DropBox repository, and attackers use DropBox API for communication with the final stage.
Avast experts shed the light on the compromise chain detailing how attackers initially deployed the first-stage malware., tracked as CLRLoader, which loads the next-state payload PNGLoader.
âPNGLoader is a loader that extracts bytes from PNGs files and reconstructs them into an executable code. PNGLoader is a .NET DLL file obfuscated utilizing .NET Reactor; the file description provides information that mimics legitimate software such as Jscript Profiler or Transfer Service Proxy.â reads the report published by Avast. âThe deobfuscated PNGLoader code includes the entry point (Setfilter) invoked by CLRLoader.â
The malicious code is supposedly deployed by threat actors by exploiting Proxyshell vulnerabilities. Then attackers used publicly available exploit tools to deploy their custom malicious tools.
The experts found two variants of PNGLoad, both used to decode the malicious code hidden in the image and run a PowerShell script or a .NET C#-based payload.
The PowerShell script has continued to be elusive, although the cybersecurity company noted it was able to flag a few PNG files belonging to the second category that dispensed a steganographically embedded C# malware.
âAt first glance, the PNG pictures look innocent, like a fluffy cloud,â Avast said.
Avast extends the compromise chain detailed by ESET with the discovery of a .NET C# payload that they tracked as DropBoxControl, which represents a third stage.
DropboxControl is an information-stealing backdoor that communicates abuses the DropBox service for C2 communication.
âNoteworthy, the C&C server is a DropBox account, and whole communications, such as commands, uploads, and downloads, are performed using regular files in specific folders. Therefore, the backdoor commands are represented as files with a defined extension. DropBoxControl periodically checks the DropBox folder and executes commands based on the request files.â continues the report. âThe response for each command is also uploaded to the DropBox folder as the result file.â
The backdoor can run arbitrary executables, download and upload data, delete and rename files, capture file information, sniff network communications, and exfiltrate metadata.
According to Avast, DropboxControl was not developed by the author of CLRLoad and PNGLoad due to important differences into the source code and its quality.
âThe key finding of this research is the interception of the PNG files, as predicted by ESET. The stenographically embedded C# payload (DropBoxControl) confirms Worok as the cyberespionage group. They steal data via the DropBox account registered on active Google emails.â concludes AVAST. âThe prevalence of Worokâs tools in the wild is low, so it can indicate that the toolset is an APT project focusing on high-profile entities in private and public sectors in Asia, Africa, and North America.â
Researchers discovered a previously undocumented software control panel, named TeslaGun, used by a cybercrime gang known as TA505.
Researchers from cybersecurity firm PRODAFT have discovered a previously undocumented software control panel, tracked as TeslaGun, used by a cybercrime group known as TA505.
Russian TA505 hacking group, aka Evil Corp, has been active since 2014 focusing on Retail and banking sectors. The group is also known for some evasive techniques they put in place over time to avoid the security controls and penetrate corporate perimeters with several kinds of malware, for instance abusing the so-called LOLBins (Living Off The Land Binaries), legit programs regularly used by victim, or also the abuse of valid cryptographically signed payloads.
Now PRODAFT experts state that the group has carried out mass phishing campaigns against at least 8160 targets. Most of the victims are in the finance sector or individuals. TeslaGun victim data revealed that 3667 targets are in the US.
The financially-motivated group is known to have used multiple malware in its attacks, including FlawedAmmyy, the ServHelper backdoor and FlawedGrace malware.
The ServHelper backdoor is written in Delphi and according to the experts, the development team continues to update it by implementing new features since 2019. Researchers pointed out that almost every new campaign used a new variant of the malware.
Once downloaded the ServHelper backdoor set up reverse SSH tunnels that allow attackers to access to the infected system via Remote Desktop Protocol (RDP) on port 3389. In 2019, Proofpoint experts also discovered another ServHelper variant that does not include the tunneling and hijacking capabilities, in this case, the backdoor was used only as a downloader for the FlawedGrace RAT.
The TeslaGun control panel was used by the threat actors to manage the ServHelper backdoor, it acts as a C2 infrastructure allowing operators to issue commands.
âThe actors regularly migrate their proxy servers to new servers in the same datacenter to attain a low detection rate. During our investigation, we observed several TeslaGun management panels predominantly residing in MivoCloud SRL, Moldovaâ reads the report published by the experts. âThe TeslaGun panel has a pragmatic, minimalist design. The main dashboard only contains infected victim data, a generic comment section for each victim, and several options for filtering victim records.â
TeslaGun panel shows a table containing victimsâ data, including SYSID/ID/IP, Country/State/City, First Time Connected/Last Time Connected, Command, Answer Operations/Tun Port/Operations, and Comments.
TeslaGun also allows operators to send one command to all victim devices at the same time, or to configure a default command that runs when a new victim device is added to the panel.
During this investigation, the PTI researchers also discovered TA505 users executing RDP connections using tunnels.
The tool used by the gang to execute RDP connections allows to launch multiple hidden RDP instances. Once infected a victim, TA505 operators can connect to the victim via RDP to use remote connections simultaneously.
âServHelper is an example of backdoor malware runs by a financially motivated and highly sophisticated threat group. TA505 appears to be well-embedded in the international cybercrime community, as demonstrated by its ability to collect and sell RDP connections to victim devices. The PTI team was able to gain valuable insight into how TA505 organizes its activities and achieves its goals. This will help cybersecurity policies to protect against backdoor attacks like ServHelper.â concludes the report. âFrom how TA505 commented their victims on TeslaGun panels perspective, it is obviously seen that TA505 is actively searching for online banking and shopping accounts, particularly from victims in the United States, but also from Russia, Romania, Brazil, and the UK.â
Security researchers found a new service called Dark Utilities that provides an easy and inexpensive way for cybercriminals to set up a command and control (C2) center for their malicious operations.
The Dark Utilities service provides threat actors a platform that supports Windows, Linux, and Python-based payloads, and eliminates the effort associated with implementing a C2 communication channel.
A C2 server is how adversaries control their malware in the wild, sending out commands, configurations and new payloads, and receiving data collected from compromised systems.
The Dark Utilities operation is a ‘C2-as-a-service’ (C2aaS) that advertises reliable, anonymous C2 infrastructure and all the required additional functions for a starting price of just EUR 9,99.
A report from Cisco Talos says that the service has around 3,000 active subscribers, which would bring the operators a revenue of about EUR 30,000.
Dark Utilities login portal (Cisco)
Dark Utilities emerged in early 2022 and offers full-blown C2 capabilities both on the Tor network and on the clear web. It hosts payloads in the Interplanetary File System (IPFS) – a decentralized network system for storing and sharing data.
Multiple architectures are supported and it appears that the operators are planning on expanding the list to provide a larger set of options of devices that could be targeted.
Platform selection on payload screen (Cisco)
Cisco Talos researchers say that selecting an operating system generates a command string that “threat actors are typically embedding into PowerShell or Bash scripts to facilitate the retrieval and execution of the payload on victim machines.”
The selected payload also establishes persistence on the target system by creating a Registry key on Windows, or a Crontab entry or a Systemd service on Linux.
According to the researchers, the administrative panel comes with multiple modules for various types of attack, including distributed denial-of-service (DDoS) and cryptojacking.
With tens of thousands of threat actors already subscribed and the low price, Dark Utilities is likely to attract an even larger crowd of less-skilled adversaries.
During the bug hunting activity, Red Team Research (RTR) detected 2 zero-day bugs on GEMINI-NET, a RESI Informatica solution.
Itâs been detected an OS Command Injection, which has been identified from NIST as a Critical one, its score is 9,8. This vulnerability comes from a failure to check the parameters sent as inputs into the system before they are processed by the server.
Due to the lack of user input validation, an attacker can ignore the syntax provided by the software and inject arbitrary system commands with the user privileges of the application.
RESI S.p.A. has been for over thirty years a technological partner of the largest Italian organizations such as the Ministry of Defence, the Presidency of the Council of Ministers, the Italian Post Office, Leonardo, Ferrovie dello Stato, TIM, Italtel. Plus RESI S.p.A. Is one of the few Italian companies, that creates national technology.
Please note that patches for these specific vulnerabilities have been released by Resi.
What GEMINI-NET from Resi is
GEMINI-NET™ is a Resi product that allows active and passive monitoring of networks and communication services, used in many networks, both old and new generation. This platform is an OSS system that can be integrated, modular and scalable.
It monitors in real time all the needs related to typical network services and infrastructure issues and is able to optimize resources and data traffic on the network.
According to the institutional website https:///www.gruppotim.it/redteam, once these vulnerabilities were identified, researchers Alessandro Bosco, Fabio Romano and Stefano Scipioni immediately started the process of Coordinated Vulnerability Disclosure (CVD) with Massimiliano Brolli, leading the project, by publishing only after the availability of the fixes made by the Vendor.
Below are the details that have been published on the institutional website and NIST ratings.
CVE-2022-29539 â RESI S.p.A
Vulnerability Description: Improper Neutralization of Special Elements used in an OS Command (OS Command Injection â CWE-78) Software Version: 4.2 NIST:
CVSv3: 9.8 Severity: CriticalRESI Gemini-Net 4.2 is affected by OS Command Injection. It does not properly check the parameters sent as input before they are processed on the server. Due to the lack of validation of user input, an unauthenticated attacker can bypass the syntax intended by the software (e.g., concatenate `&|;\r\ commands) and inject arbitrary system commands with the privileges of the application user.
According to the institutional website https:///www.gruppotim.it/redteam, once these vulnerabilities were identified, researchers Alessandro Bosco, Fabio Romano and Stefano Scipioni immediately started the process of Coordinated Vulnerability Disclosure (CVD) with Massimiliano Brolli, leading the project, by publishing only after the availability of the fixes made by the Vendor.
Below are the details that have been published on the institutional website and NIST ratings.
CVE-2022-29539 â RESI S.p.A
Vulnerability Description: Improper Neutralization of Special Elements used in an OS Command (OS Command Injection â CWE-78) Software Version: 4.2 NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-29539 CVSv3: 9.8 Severity: CriticalRESI Gemini-Net 4.2 is affected by OS Command Injection. It does not properly check the parameters sent as input before they are processed on the server. Due to the lack of validation of user input, an unauthenticated attacker can bypass the syntax intended by the software (e.g., concatenate `&|;\r\ commands) and inject arbitrary system commands with the privileges of the application user.
We are talking about one of the few Italian centers of industrial research about security bugs, where since few years are performed âbug huntingâ activities that aim to search for undocumented vulnerabilities, leading to a subsequent issuance of a Common Vulnerabilities and Exposures (CVE) on the National Vulnerability Database of the United States of America, once the Coordinated Vulnerability Disclosure (CVD) with the Vendor is over.
In two years of activity, the team has detected many 0-days on very popular products of big vendors, such as Oracle, IBM, Ericsson, Nokia, Computer Associates, Siemens, QNAP, Johnson & Control, Schneider Electric, as well as other vendors on different types of software architectures.
In two years, more than 70 CVEs have been published, 4 of them with a Critical severity (9.8 of CVSSv3 scores), 23 of them with a High severity and 36 of them with a Medium severity.
Speaking about a vulnerability detected on Johnson & Controlâs Metasys Reporting Engine (MRE) Web Services Product, Cybersecurity and Infrastructure Security Agency (CISA) of the United States of America issued a specific Security Bulletin reporting as Background the following sectors: âCRITICAL INFRASTRUCTURE SECTORS, COUNTRIES/ AREAS USED and COMPANY HEADQUARTERSâ.
It is an all-Italian reality that issues a CVE every 6 working days, internationally contributing to the research for undocumented vulnerabilities, and contributing to the security of the products used by many organizations and several individuals.
Abstract: Given the computational cost and technical expertise required to train machine learning models, users may delegate the task of learning to a service provider. We show how a malicious learner can plant an undetectable backdoor into a classifier. On the surface, such a backdoored classifier behaves normally, but in reality, the learner maintains a mechanism for changing the classification of any input, with only a slight perturbation. Importantly, without the appropriate âbackdoor keyâ, the mechanism is hidden and cannot be detected by any computationally-bounded observer. We demonstrate two frameworks for planting undetectable backdoors, with incomparable guarantees.
First, we show how to plant a backdoor in any model, using digital signature schemes. The construction guarantees that given black-box access to the original model and the backdoored version, it is computationally infeasible to find even a single input where they differ. This property implies that the backdoored model has generalization error comparable with the original model. Second, we demonstrate how to insert undetectable backdoors in models trained using the Random Fourier Features (RFF) learning paradigm or in Random ReLU networks. In this construction, undetectability holds against powerful white-box distinguishers: given a complete description of the network and the training data, no efficient distinguisher can guess whether the model is âcleanâ or contains a backdoor.
Our construction of undetectable backdoors also sheds light on the related issue of robustness to adversarial examples. In particular, our construction can produce a classifier that is indistinguishable from an âadversarially robustâ classifier, but where every input has an adversarial example! In summary, the existence of undetectable backdoors represent a significant theoretical roadblock to certifying adversarial robustness.
Researchers provided details about a stealthy custom malware dubbed SockDetour that targeted U.S.-based defense contractors.
Cybersecurity researchers from Palo Alto Networksâ Unit 42 have analyzed a previously undocumented and custom backdoor tracked as SockDetour that targeted U.S.-based defense contractors.
According to the experts, the SockDetour backdoor has been in the wild since at least July 2019.
Unit 42 attributes the malware to an APT campaign codenamed TiltedTemple (aka DEV-0322), threat actors also exploited the Zoho ManageEngine ADSelfService Plus vulnerability (
). The attackers successfully compromised more than a dozen organizations across multiple industries, including technology, energy, healthcare, education, finance and defense.
SockDetour serves as a backup fileless Windows backdoor in case the primary one is removed. The analysis of one of the command and control (C2) servers used by TiltedTemple operators revealed the presence of other miscellaneous tools, including memory dumping tool and several webshells.
âSockDetour is a backdoor that is designed to remain stealthily on compromised Windows servers so that it can serve as a backup backdoor in case the primary one fails,â reads the analsysi published by Palo Alto Networks. âIt is difficult to detect, since it operates filelessly and socketlessly on compromised Windows servers.â
Once SockDetour is injected into the processâs memory, it hijacks legitimate processesâ network sockets to establish an encrypted C2 channel, then it loads an unidentified plugin DLL file retrieved from the server.
According to Microsoft DEV-0322 is an APT group based in China, which employed commercial VPN solutions and compromised consumer routers in their attacker infrastructure.
Microsoft first spotted the DEV-0322 attacks by analyzing the Microsoft 365 Defender telemetry during a routine investigation in July 2021.
At least four defense contractors were targeted by the threat actor, and one of them was compromised.
SockDetour was delivered from an external FTP server, a compromised QNAP to a U.S.-based defense contractorâs internet-facing Windows server on July 27, 2021. The researchers speculate the QNAP NAS server was previously infected with QLocker ransomware.
âWhile it can be easily altered, the compilation timestamp of the SockDetour sample we analyzed suggests that it has likely been in the wild since at least July 2019 without any update to the PE file. Plus, we did not find any additional SockDetour samples on public repositories. This suggests that the backdoor successfully stayed under the radar for a long time.â concludes the report.
The investigation started in November after Google TAG published a blogpost about watering-hole attacks targeting macOS users in Hong Kong.
Google TAG researchers discovered that threat actors leveraged a zero-day vulnerability in macOS in a watering hole campaign aimed at delivering malware to users in Hong Kong. The attackers exploited a XNU privilege escalation vulnerability (CVE-2021-30869) unpatched in macOS Catalina
The watering hole campaign targeted websites of a media outlet and important pro-democracy labor and political group. The researchers discovered that attackers deployed on the sites hosted two iframes that were used to serve iOS and macOS exploits to the visitors.
The experts believe that the attack was orchestrated by a nation-state actor, but did not attribute the campaign to a specific APT group.
One of the websites used to infect HK dissidents fightforhk[.]com seems to have been created from scratch for that unique purpose. Do not hesitate to check your logs/mails/SMS/private messages etc. against this domain. [1/2] pic.twitter.com/TfTSN5pqbf
Researchers also found the legitimate website of Hong Kong, pro-democracy radio station D100 that was compromised to distribute the same exploit before the Google TAG report.
âThe exploit used to gain code execution in the browser is quite complex and had more than 1,000 lines of code once formatted nicely. Itâs interesting to note that some code, which suggests the vulnerability could also have been exploited on iOS and even on PAC-enabled (Pointer Authentication Code) devices such as the iPhone XS and newer, has been commented outâ reads the analysis published by ESET.
Pegasus spyware was allegedly used by governments to spy upon prominent journalists, politicians and activists.
A Google blog has revealed how the sophisticated software was used to attack iPhone users.
The software used a vulnerability in iMessages to hack into iPhones without the userâs knowledge.
The Pegasus spyware, developed by Israelâs NSO group, made headlines for being used by governments and regimes across the world including India to spy on journalists, activists, opposition leaders, ministers, lawyers and others. The spyware is accused of hacking into the phones of at least 180 journalists around the world, of which 40 are notable Indian personalities.
Now, a Google blog from the Project Zero team called the attacks technically sophisticated exploits and assessed the software to have capabilities rivalling spywares previously thought to be accessible to only a handful of nations.
The company has also faced multiple lawsuits including one in India where the Supreme Court (SC) set up a three-member panel headed by former SC judge RV Raveendran to probe whether the software was used by the government to spy on journalists and other dissidents.
Apart from India, Apple has also sued the Israeli firm after having patched its security exploit. The company was also banned in the United States after the details of the spyware were revealed. Letâs take a look at how this advanced snooping technology discretely worked on iPhones.
According to the Project Zero blog, a sample of the ForcedEntry exploit was worked upon by the team and Appleâs Security Engineering and Architecture (SEAR) group. Pegasus attacks on iPhones were possible due to the ForcedEntry exploit.
Pegasus is a spyware (Trojan/Script) that can be installed remotely on devices running on Apple ‘ s iOS & Google ‘ s Android operating systems. It is developed and marketed by the Israeli technology firm NSO Group. NSO Group sells Pegasus to ” vetted governments ” for ” lawful interception ” , which is understood to mean combating terrorism and organized crime, as the firm claims, but suspicions exist that it is availed for other purposes. Pegasus is a modular malware that can initiate total surveillance on the targeted device, as per a report by digital security company Kaspersky. It installs the necessary modules to read the user’s messages and mail, listen to calls, send back the browser history and more, which basically means taking control of nearly all aspects of your digital life. It can even listen in to encrypted audio and text files on your device that makes all the data on your device up for grabs.
Forbidden Stories, a Paris-based non-profit organisation that seeks to ensure the freedom of speech of journalists, recently announced that the Pegasus Project surveillance solution by the Israeli NSO Group selected 50,000 phone numbers for surveillance by its customers following a data leak.
The NSO Group has always maintained that the purpose of the Pegasus Project was for governments to monitor terrorist activity. However, this recent story, if true, could suggest that the solution has been abused for a long period of time and used for other nefarious purposes.
As reported by Forbidden Stories, the leaked data suggests the wide misuse of Pegasus Project and a range of surveillance targets that include human rights defenders, academics, businesspeople, lawyers, doctors, union leaders, diplomats, politicians and several heads of states. The NSO Group continues to contend these assertions are based on wrong assumptions and uncorroborated theories. Whether these statements are true or false, they raise interesting considerations for enterprises and government organisations that have a requirement to protect the smartphones of employees who have access to sensitive information.
Pegasus Project is reported to provide NSO Group customers full control of target devices, which makes it a threat of interest. However, it is not the first mobile threat that organisations should be concerned about. In another contested case, SNYK suggested that the Sour Mint threat, a Software Development Kit (SDK) developed by the Chinese mobile ad platform provider Mintegral and used by more than 1,200 apps in the Apple App Store, was responsible for spying on users by activity logging URL-based requests through the app. It was reported that user activity is logged to a third-party server that could potentially include personally identifiable information (PII).
Where things get interesting with Sour Mint is its ability to evade defences by slipping through the Quality Assurance (QA) process of the Apple App Store, which goes to show that even the thoroughness of Appleâs processes were not sufficient to detect malicious code in the case of this threat.
In this post, Iâll collect links on Appleâs iPhone backdoor for scanning CSAM images. Previous links are here and here.
Apple says that hash collisions in its CSAM detection system were expected, and not a concern. Iâm not convinced that this secondary system was originally part of the design, since it wasnât discussed in the original specification.
Good op-ed from a group of Princeton researchers who developed a similar system:
Our system could be easily repurposed for surveillance and censorship. The design wasnât restricted to a specific category of content; a service could simply swap in any content-matching database, and the person using that service would be none the wiser.
Practical Mobile Forensics: Forensically investigate and analyze iOS, Android, and Windows 10 devices
This is pretty shocking coming from Apple, which is generally really good about privacy. It opens the door for all sorts of other surveillance, since now that the system is build it can be used for all sorts of other messages. And it breaks end-to-end encryption, despite Appleâs denials:
Does this break end-to-end encryption in Messages?
No. This doesnât change the privacy assurances of Messages, and Apple never gains access to communications as a result of this feature. Any user of Messages, including those with with communication safety enabled, retains control over what is sent and to whom. If the feature is enabled for the child account, the device will evaluate images in Messages and present an intervention if the image is determined to be sexually explicit. For accounts of children age 12 and under, parents can set up parental notifications which will be sent if the child confirms and sends or views an image that has been determined to be sexually explicit. None of the communications, image evaluation, interventions, or notifications are available to Apple.
Detecting Backdoor Using Stepping Stone Detection Approach
If there is any moral to this, itâs one that all of my blog readers should already know: trust is essential to security. And the number of people you need to trust is larger than you might originally think. For an app to be secure, you need to trust the hardware, the operating system, the software, the update mechanism, the login mechanism, and on and on and on. If one of those is untrustworthy, the whole system is insecure.
Itâs the same reason blockchain-based currencies are so insecure, even if the cryptography is sound.
Siloscape is a new strain of malware that targets Windows Server containers to execute code on the underlying node and spread in the Kubernetes cluster.
Researchers from Palo Alto Networks have spotted a piece of malware that targets Windows Server containers to execute code on the underlying node and then drop a backdoor into Kubernetes clusters.
Siloscape is a heavily obfuscated malware that was designed to open a backdoor into poorly configured Kubernetes clusters in order to run malicious containers and carry out malicious activities.
Compromising an entire cluster could allow an attacker to steal sensitive information, including credentials, confidential files, or even entire databases hosted in the cluster.
âSiloscape uses the Tor proxy and an .onion domain to anonymously connect to its command and control (C2) server. I managed to gain access to this server. We identified 23 active Siloscape victims and discovered that the server was being used to host 313 users in total, implying that Siloscape was a small part of a broader campaign. I also discovered that this campaign has been taking place for more than a year.â reads the analysis published by Palo Alto Network researcher Daniel Prizmant.
Developers have discovered a backdoor in the Codecov bash uploader. Itâs been there for four months. We donât know who put it there.
Codecov said the breach allowed the attackers to export information stored in its usersâ continuous integration (CI) environments. This information was then sent to a third-party server outside of Codecovâs infrastructure,â the company warned.
Codecovâs Bash Uploader is also used in several uploaders â Codecov-actions uploader for Github, the Codecov CircleCl Orb, and the Codecov Bitrise Step â and the company says these uploaders were also impacted by the breach.
Threat actors hacked the official Git server of the PHP programming language and pushed unauthorized updates to insert a backdoor into the source code.
Unknown attackers hacked the official Git server of the PHP programming language and pushed unauthorized updates to insert a backdoor into the source code.
On March 28, the attackers pushed two commits to the âphp-srcâ repository hosted on the git.php.net server, they used the accounts of Rasmus Lerdorf, the PHPâs author, and Jetbrains developer Nikita Popov.
Maintainers of the project are investigating the supply chain attacks, experts believe attackers have compromised the git.php.net server.
âWe donât yet know how exactly this happened, but everything points towards a compromise of the git.php.net server (rather than a compromise of an individual git account).â wrote Popov. âWhile investigation is still underway, we have decided that maintaining our own git infrastructure is an unnecessary security risk, and that we will discontinue the git.php.net server. Instead, the repositories on GitHub, which were previously only mirrors, will become canonical. This means that changes should be pushed directly to GitHub rather than to git.php.net.â
The maintainers of the PHP reverted the changes and are reviewing the repositories to detect any other evidence of compromise beyond the two referenced commits.
In the future, in order to access the repositories, users will now need to be part of the php organization on GitHub and their account will have 2FA enabled. Adopting this new configuration it is possible to merge pull requests directly from the GitHub web interface.
At this time, it is not immediately clear if the backdoor was downloaded and distributed by other parties before the malicious commits were detected.
