Jenkins build-metrics Plugin 1.3 does not escape the build description on one of its views, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Build/Update permission.

CVE-2022-34784: Jenkins Security Advisory 2022-06-30

Jenkins Validating Email Parameter Plugin 1.10 and earlier does not escape the name and description of its parameter type, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34791: Jenkins Security Advisory 2022-06-30

By Jon Munshaw. 
Welcome to this week’s edition of the Threat Source newsletter. 
We took a week off for summer vacation but are back in the thick of security things now. 
My first exposure to deepfake videos was when Jordan Peele worked with BuzzFeed News to produce this video of...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

_By Jon Munshaw._ 

Welcome to this week’s edition of the Threat Source newsletter. 

We took a week off for summer vacation but are back in the thick of security things now. 

My first exposure to deepfake videos was when Jordan Peele worked with BuzzFeed News to produce this video of former President Barack Obama appearing to use a few not-safe-for-work words. Since then, headlines have been popping up everywhere about the dangers of deepfake videos, with people even going as far as making deepfake pornographic videos which are incredibly problematic in so many ways. 

And now, we must start worrying about deepfake voices, which somehow is even scarier to me. At least with deepfake videos, it is (so far) fairly easy to spot a fake if you spend a lot of time on the internet, and social media companies have improved their flagging systems for this type of content.  

But with fake AI voices — built off machine learning and archives of the person in question speaking — there is nothing to see. And the technology is already pretty convincing.  

An AI voice company worked on the recent “Top Gun: Maverick” movie to recreate the voice of actor Val Kilmer, who lost his natural voice due to throat cancer and uses an electric voice box in his everyday life. I’ve not seen this movie, but I would imagine the average moviegoer had no idea this was the case. 

Something I have seen is “Obi-Wan Kenobi” on Disney+, which also used the assistance of AI voice cloning technology to support the dialogue of a yet-to-be-named character in the show (my guess is Darth Vader/Anakin Skywalker because I just don’t think Hayden Christensen has the Vader voice in him).  

And in the most terrifying potential application of this technology, Amazon unveiled the potential that its Alexa voice assistant could read part of a book in a boy’s deceased grandmother’s voice. Hard stop there. I miss my late grandparents as much as anything and would give anything for another phone call with them. That doesn’t mean I’d settle for a robotic recreation of their voice.  How long before deepfake voices become a thing? I know if someone was able to duplicate my voice, my grandmother would be easily convinced that I was in danger or needed money for something. Or how long before some scammer makes it seem like George Clooney is finally calling you to ask you out on that date you’ve always wanted if you send him a $500 Amazon gift card? 

It’s amazing how far AI technology has come. And I can’t say I’m necessarily mad or concerned about its ability to make Darth Vader sound like Darth Vader. But tech companies can’t help themselves, so it’s only a matter of time before this technique gets out of hand and into cyber attackers’ control. 

**The one big thing **

Ransomware actors love to operate on the dark web so they can stay anonymous and undetected. It allows them to trade stolen credentials, share tactics with one another and leak targets’ data. Recently, we’ve discovered several ways in which our researchers have uncovered their tactics and have been able to unmask these actors. The resulting de-anonymization taught us a great deal about several groups’ campaigns and malware, including the relatively new DarkAngels. 

> **Why do I care? **This exercise taught us a great deal about how ransomware actors operate. We can see ransomware operators take several precautions to obscure their true identity online and the hosting location of their web server infrastructure. We also learned that most ransomware operators use hosting providers outside their country of origin (such as Sweden, Germany and Singapore) to host their ransomware operations sites. This is all valuable information to use in the fight against ransomware.   
> **So now what? **If you’re a security researcher yourself, there are several techniques outlined in our recent post that could be of use to you. We hope to arm the security community with as much information as possible so that others may help us in the global fight against ransomware and threat actors.  

**Other news of note**

The recent Supreme Court decision overturning nationally protected abortion rights in the U.S. has wide-ranging consequences that even reach the tech industry. Major social media companies are being asked to consider whether they’d cooperate with government investigations into women who potentially had abortions in states where it’s illegal by passing along personal information. Many women are now skeptical of period-tracking apps, too, some of which have privacy policies that openly state they would share user data with law enforcement. And the state-by-state method of abortion policy will only make the topic more complicated to untangle. (Yahoo! News, Axios, Vice Motherboard) 

A new mobile spyware is targeting Android and iOS users across Europe and Asia. The recently discovered Hermit comes from Italian vendor RCS Labs and can steal data and record and make phone calls. The spyware disguises itself as legitimate apps to trick the user into downloading it, though researchers say these apps don’t appear on Google or Apple’s app stores. Hermit shows that attackers and governments alike are still using spyware like the NSO Group’s widespread Pegasus tool. Although spyware is not strictly illegal in many countries, it is often used by governments and state-sponsored groups to target vulnerable users, including high-profile activists, politicians and journalists. (Wired, ThreatPost) 

A multi-stage remote access trojan is targeting several small and home office routers, potentially going back as far as 2020. The newly named ZuoRAT exploits known vulnerabilities in some Cisco, Netgear, Asus and DrayTek routers and infects other devices on the network and downloads other malware via DNS and HTTP hijacking. Security researchers say they’ve so far discovered at least 80 victims. (Dark Reading, Ars Technica) 

**Can’t get enough Talos? **

*   Avos ransomware group expands with new attack arsenal
*   Cisco Talos Supports Ukraine Through Empathy
*   Threat Roundup for June 17 - 24

  

**Upcoming events where you can find Talos **

**A New HOPE** (July 22 - 24, 2022)  
New York City 

**BlackHat** **U.S.** (Aug. 6 - 11, 2022)  
Las Vegas, Nevada 

**DEF CON U.S.** (Aug. 11 - 14, 2022)  
Las Vegas, Nevada 

**Most prevalent malware files from Talos telemetry over the past week  **

**SHA 256:** 125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645    **MD5:** 2c8ea737a232fd03ab80db672d50a17a    **Typical Filename:** LwssPlayer.scr      
**Claimed Product:** 梦想之巅幻灯播放器      
**Detection Name:** Auto.125E12.241442.in02

Threat Source newsletter (June 30, 2022) — AI voice cloning is somehow more scary than deepfake videos

Lilith >_> of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw. 
Cisco Talos recently discovered four vulnerabilities in the Robustel R1510 industrial cellular router. 
The R1510 is a portable router that shares 2G, 3G and 4G wireless internet access. It comes with...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

_Lilith >\_> of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw._ 

Cisco Talos recently discovered four vulnerabilities in the Robustel R1510 industrial cellular router. 

The R1510 is a portable router that shares 2G, 3G and 4G wireless internet access. It comes with several advanced software features for users like the ability to connect to a VPN, cloud data management and smart reboot.

There are three command injection vulnerabilities that exist in this device, as well as a data removal vulnerability that could allow an attacker to arbitrarily remove files from the device.

An attacker could trigger the command injection issues — TALOS-2022-1570 (CVE-2022-32585), TALOS-2022-1572 (CVE-2022-33312 - CVE-2022-33314) and TALOS-2022-1573 (CVE-2022-33325 - CVE-2022-33329) by sending a specific series of requests to the targeted device. If successful, the attacker could gain the ability to execute remote code. 

A similar series of requests could also give an attacker the ability to manipulate a specific function to delete arbitrary files, as outlined in TALOS-2022-1571 (CVE-2022-28127).

Cisco Talos worked with Robustel to ensure that these issues are resolved and an update is available for affected customers, all in adherence to Cisco’s vulnerability disclosure policy. 

Users are encouraged to update these affected products as soon as possible: Robustel R1510, version 3.3.0. Talos tested and confirmed this version of the router could be exploited by these vulnerabilities. 

The following Snort rules will detect exploitation attempts against this vulnerability: 60007 - 60034. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Vulnerability Spotlight: Command injection vulnerabilities in Robustel cellular router

Devices from Cisco, Netgear and others at risk from the multi-stage malware, which has been active since April 2020 and shows the work of a sophisticated threat actor.

Devices from Cisco, Netgear and others at risk from the multi-stage malware, which has been active since April 2020 and shows the work of a sophisticated threat actor.

A novel multistage remote access trojan (RAT) that’s been active since April 2020 is exploiting known vulnerabilities to target popular SOHO routers from Cisco Systems, Netgear, Asus and others.

The malware, dubbed ZuoRAT, can access the local LAN, capture packets being transmitted on the device and stage man-in-the-middle attacks through DNS and HTTPS hijacking, according to researchers from Lumen Technologies’ threat-intelligence arm Black Lotus Labs.

The ability to not only hop on a LAN from a SOHO device and then stage further attacks suggests that the RAT may be the work of a state-sponsored actor, they noted in a blog post published Wednesday.“The use of these two techniques congruently demonstrated a high level of sophistication by a threat actor, indicating that this campaign was possibly performed by a state-sponsored organization,” researchers wrote in the post.

The level of evasion that threat actors use to cover up communication with command-and-control (C&C) in the attacks “cannot be overstated” and also points to ZuoRAT being the work of professionals, they said.

_“_First, to avoid suspicion, they handed off the initial exploit from a dedicated virtual private server (VPS) that hosted benign content,” researchers wrote. “Next, they leveraged routers as proxy C2s that hid in plain sight through router-to-router communication to further avoid detection. And finally, they rotated proxy routers periodically to avoid detection.”

****Pandemic Opportunity****

Researchers named the trojan after the the Chinese word for “left” because of the file name used by the threat actors, “asdf.a.” The name “suggests keyboard walking of the lefthand home keys,” researchers wrote.

Threat actors deployed the RAT likely to take advantage of often unpatched SOHO devices shortly after the COVID-19 pandemic broke out and many workers were ordered to work from home, which opened up a host of security threats, they said.

“The rapid shift to remote work in spring of 2020 presented a fresh opportunity for threat actors to subvert traditional defense-in-depth protections by targeting the weakest points of the new network perimeter — devices which are routinely purchased by consumers but rarely monitored or patched,” researchers wrote. “Actors can leverage SOHO router access to maintain a low-detection presence on the target network and exploit sensitive information transiting the LAN.”

****Multi-Stage Attack****

From what researchers observed, ZuoRAT is a multi-stage affair, with the first stage of core functionality designed to glean information about the device and the LAN to which its connected, enable packet capture of network traffic, and then send the info back to command-and-control (C&C).

“We assess the purpose of this component was to acclimate the threat actor to the targeted router and the adjacent LAN to determine whether to maintain access,” researchers noted.

This stage has functionality to ensure only a single instance of the agent was present, and to perform a core dump that could yield data stored in memory such as credentials, routing tables and IP tables, as well as other info, they said.

ZuoRAT also includes a second component comprised of auxiliary commands sent to the router for use as the actor so chooses by leveraging additional modules that can be downloaded onto the infected device.

“We observed approximately 2,500 embedded functions, which included modules ranging from password spraying to USB enumeration and code injection,” researchers wrote.

This component provides capability for LAN enumeration capability, which allows the threat actor to further scope out the LAN environment and also perform DNS and HTTP hijacking, which can be difficult to detect, they said.

****Ongoing Threat****

Black Lotus analyzed samples from VirusTotal and its own telemetry to conclude that about 80 targets so far have been compromised by ZuoRAT.

Known vulnerabilities exploited to access routers to spread the RAT include: CVE-2020-26878 and CVE-2020-26879. Specifically, threat actors used a Python-compiled Windows portable executable (PE) file that referenced a proof of concept called ruckus151021.py to gain credentials and load ZuoRAT, they said.

Due to the capabilities and behavior demonstrated by ZuoRAT, it’s highly likely that not only that the threat actor behind ZuoRAT is still actively targeting devices, but has been ” living undetected on the edge of targeted networks for years,” researchers said.

This presents an extremely dangerous scenario for corporate networks and other organizations with remote workers connecting to affected devices, noted one security professional.

“SOHO firmware typically isn’t built with security in mind, especially pre-pandemic firmware where SOHO routers weren’t a big attack vector,” observed Dahvid Schloss, offensive security team lead for cybersecurity firm Echelon**,** in an email to Threatpost.

Once a vulnerable device is compromised, threat actors then have free rein “to poke and prod at whatever device is connected” to the trusted connection that they hijack, he said.

“From there you could attempt to use proxychains to throw exploits into the network or just monitor all the traffic going in, out, and around the network,” Schloss said.

ZuoRAT Can Take Over Widely Used SOHO Routers

Titaniam’s ‘State of Data Exfiltration & Extortion Report’ also finds that while over 70% of organizations had heavy investments in prevention, detection, and backup solutions, the majority of victims ended up giving into attackers' demands.

**SAN FRANCISCO, Calif., June 30, 2022 -** Titaniam, Inc., the industry's most advanced data security platform, announced today the ‘State of Data Exfiltration & Extortion Report.’ The survey revealed that while over 70% of organizations have an existing set of prevention, detection, and backup solutions, nearly 40% of organizations have been hit with ransomware attacks in the last year, and more than 70% have experienced one in the previous five years, proving existing solutions to be woefully inadequate in managing the risks and impacts from these attacks.

Data exfiltration during ransomware attacks is up 106% relative to where it was five years ago. We are seeing the emergence of a new trend where cybercriminals are no longer limiting themselves to just encrypting entire systems—they are making sure to steal data ahead of the encryption so that they can have additional leverage on the victim. The survey found that 65% of those who have experienced a ransomware attack have also experienced data theft or exfiltration due to the incident. Of those victims, 60% say the hackers used the data theft to extort them further, known as double extortion. Most of them, i.e., 59% of victims, paid the hackers, implying that they were not helped by their backup or data security tools to prevent this fate.

Data is being exposed for theft and extortion in other ways too. Nearly half (47%) uncovered publicly exposed data in their systems in the last 24 months. It was found that respondents have a mix of data security & protection (78%), prevention & detection (75%), and backup and recovery (73%) in their cybersecurity stacks. Still, exposure and extortion numbers imply a missing puzzle piece regarding attacks.

Interestingly, observing peers being attacked (33%), management’s request (29%), and compliance (24%) are mostly driving budget decisions, while just 10% say it’s learning from their own attacks. 90% agree or somewhat agree that they have a sufficient budget for data security tools. 59% claim data security has the highest security spend. Yet, in the face of these attacks and data exposures, nearly all (99+%) respondents would be interested in data security solutions that protect sensitive data at all times, including while active and in use.

Promisingly, the survey revealed organizations have enough budget to improve which solutions security and data teams are using. This indicates that boards and executives appear to recognize the importance of cybersecurity to business success.

“Reliance on legacy technologies worked for years, but as bad actors continue to evolve, our technology must evolve as well,” said Arti Raman, CEO and Founder of Titaniam. “It is unfortunate that organizations continue to believe that investing in detection, backup, and recovery solutions constitutes the complete solution to ransomware. These organizations overlook data security, which, when not implemented adequately, becomes the ultimate reason attackers gain excessive leverage and win—the results of this survey highlight this enormous gap in current cybersecurity solutions. Suppose over 70% of experts claim to use data protection, prevention and detection service, and backup and recovery. Why are 60% still being extorted, and even further, why are 59% paying the ransom? There needs to be a deep look at how we as an industry approach ransomware protection. We need to understand that while prevention, detection, and backup are essential, no ransomware defense strategy is complete without eliminating data exfiltration. This is what would take us beyond the notions of impenetrability and towards immunity.”

With survey results showing that along with overall backup and recovery, data masking (54%), encryption at rest (49%), encryption in transit (49%), and tokenization (25%) are the main means of protection, we must accept that these are simply not enough to get enterprises the data protection they need to beat ransomware.

Fortunately, organizations can now look to advanced data security platforms like Titaniam, which combine traditional data protection techniques like the ones above, with high-performance encryption-in-use, and highly sophisticated key control to close the gaps being exploited by ransomware and extortion actors. Systems protected by Titaniam do not yield unencrypted data even if they are attacked using highly privileged credentials, as in a vast majority of data exfiltration-based attacks.

\*This survey was conducted by CensusWide, polling 100 IT security professionals.

**ABOUT TITANIAM**

Titaniam is the industry’s most advanced data security platform that utilizes high-performance encryption-in-use to keep valuable data secure even if the enterprise is breached and its data stolen. With the ability to process data without decryption as well as support nine different privacy-preserving data formats, Titaniam is the market's answer to address ransomware and extortion, insider threats, and data privacy enforcement. In addition to cutting-edge encryption-in-use, a single deployment of Titaniam provides the equivalent of three other categories of data security solutions. In the event of an attack, Titaniam offers auditable evidence that valuable data retained encryption throughout the attack, thus minimizing compliance as well as notification obligations. Titaniam was founded in 2019 and has offices in Silicon Valley and India. To learn more, visit https://titaniam.io/.

Study Reveals Traditional Data Security Tools Have a 60% Failure Rate Against Ransomware and Extortion

Researchers have analyzed a long running campaign that compromises SOHO routers to further penetrate and eavesdrop on networks.
The post ZuoRAT is a sophisticated malware that mainly targets SOHO routers appeared first on Malwarebytes Labs.

Researchers have analysed a campaign leveraging infected SOHO routers to target predominantly North American and European networks of interest.

The so-called ZuoRAT campaign, which very likely started in 2020, is so sophisticated that the researchers suspect that there is a state sponsored threat actor behind it.

**SOHO routers**

SOHO is short for small office/home office and SOHO routers are hardware devices that route data from a local area network (LAN) to another network connection. Modern SOHO routers have almost the same functions as home broadband routers, and small businesses tend to use the same models. Some vendors also sell routers with advanced security and manageability features, but most SOHO devices are only monitored in exceptional cases.

Which is probably the reason why the ZuoRAT managed to fly under the radar for so long.

**Compromise the router**

The first step in the campaign is to take control of the router. The researchers identified infected routers of several manufacturers including popular brands like ASUS, Cisco, DrayTek, and NETGEAR. It is likely that the threat actor used unpatched vulnerabilities to steal credentials from the targeted routers. Although patches for these vulnerabilities exist, it is not uncommon for device administrators never to apply these patches.

This lack of security is often caused by lack of awareness. And the lack of awareness starts by small business owners not knowing which type or model of router they have exactly. So even if they read about a vulnerability in their router, it may not sink in that it applies to them. The rebranding of routers by providers is another contributing factor to the owners’ ignorance.

**Drop the RAT**

The vulnerability or chain of vulnerabilities allow the threat actor to download a binary, then execute it on the host. Once installed, ZuoRAT enumerates the devices connected to the infected router. The threat actor can then use DNS hijacking and HTTP hijacking to cause the connected devices to install other malware.

The ZuoRAT agent framework enables in-depth reconnaissance of target networks, traffic collection and network communication hijacking. Some of the functions will run by default, while others might be intended to be called by additional commands.

**Mirai**

ZuoRAT looks like a heavily modified version of the Mirai malware. The authorities may have caught the Mirai creators, but the spirit of their botnet lives on. Numerous groups took advantage of the open-source code to create mini variants. But the command and control infrastructure used in this campaign is intentionally complex in an attempt to conceal what’s happening.

**Attribution**

While attribution is always hard, the researchers listed several indications that the group behind this campaign might be of Chinese origin. One set of C2 infrastructure controlled by this threat actor and used to interact with the Windows RATs was found to be hosted on internet services from China-based organizations. Also, some of the program database paths contained Chinese characters, while others referenced “sxiancheng”, a possible name or Chinese locality.

China is a likely candidate even if it seems they have already bitten off more than they can chew. According to an article in the Financial Times Chinese university students have been lured to work as translators to help identify hacking targets, and to analyze stolen material.

**DNS hijacking**

Using the gathered information about the DNS settings and the internal host in the adjacent LAN, there were several functions designed to perform DNS hijacking. Some functions allowed the threat actor to update DNS hijacking rules specifying which domains to hijack, the malicious IP address resulting from the hijack and the number of times to trigger the rule.

**HTTP hijacking**

Another noteworthy function enabled the actor to specify which client or subnet to hijack. It hijacked the process so that it could match the traffic pattern. If the pattern matched one of the rules, it displayed a 302 error that redirected the client’s browser to another location where the threat actor could manipulate the connection.

**Mitigation**

If you fear that your router has been compromised, simply restarting an infected device will remove the initial ZuoRAT exploit. To fully recover, however, a factory reset clears infected devices.

To avoid your router from getting infected, find the most recent firmware and install it so you have all the latest patches.

Systems that used an infected route for their internet access and used no block lists that included the C2 infrastructure of ZuoRAT may be infected. This is not only true for Windows systems. The researchers found samples written in GO, which is a cross-platform language.  

IoCs associated with this campaign for threat hunting can be found on the Black Lotus Labs GitHub page.

Stay safe, everyone!

ZuoRAT is a sophisticated malware that mainly targets SOHO routers

Researchers say the remote-access Trojan ZuoRAT is likely the work of a nation-state and has infected at least 80 different targets.

An unusually advanced hacking group has spent almost two years infecting a wide range of routers in North America and Europe with malware that takes full control of connected devices running Windows, macOS, and Linux, researchers reported on June 28.

So far, researchers from Lumen Technologies' Black Lotus Labs say they've identified at least 80 targets infected by the stealthy malware, including routers made by Cisco, Netgear, Asus, and DrayTek. Dubbed ZuoRAT, the remote access Trojan is part of a broader hacking campaign that has existed since at least the fourth quarter of 2020 and continues to operate.

A High Level of Sophistication

The discovery of custom-built malware written for the MIPS architecture and compiled for small-office and home-office routers is significant, particularly given its range of capabilities. Its ability to enumerate all devices connected to an infected router and collect the DNS lookups and network traffic they send and receive and remain undetected is the hallmark of a highly sophisticated threat actor.

"While compromising SOHO routers as an access vector to gain access to an adjacent LAN is not a novel technique, it has seldom been reported," Black Lotus Labs researchers wrote. "Similarly, reports of person-in-the-middle style attacks, such as DNS and HTTP hijacking, are even rarer and a mark of a complex and targeted operation. The use of these two techniques congruently demonstrated a high level of sophistication by a threat actor, indicating that this campaign was possibly performed by a state-sponsored organization."

The campaign comprises at least four pieces of malware, three of them written from scratch by the threat actor. The first piece is the MIPS-based ZuoRAT, which closely resembles the Mirai internet-of-things malware that achieved record-breaking distributed denial-of-service attacks that crippled some Internet services for days. ZuoRAT often gets installed by exploiting unpatched vulnerabilities in SOHO devices.

Once installed, ZuoRAT enumerates the devices connected to the infected router. The threat actor can then use DNS hijacking and HTTP hijacking to cause the connected devices to install other malware. Two of those malware pieces—dubbed CBeacon and GoBeacon—are custom-made, with the first written for Windows in C++ and the latter written in Go for cross-compiling on Linux and macOS devices. For flexibility, ZuoRAT can also infect connected devices with the widely used Cobalt Strike hacking tool.

ZuoRAT can pivot infections to connected devices using one of two methods:

*   DNS hijacking, which replaces the valid IP addresses corresponding to a domain such as Google or Facebook with a malicious one operated by the attacker.
*   HTTP hijacking, in which the malware inserts itself into the connection to generate a 302 error that redirects the user to a different IP address.

Intentionally Complex

Black Lotus Labs said the command-and-control infrastructure used in the campaign is intentionally complex in an attempt to conceal what's happening. One set of infrastructure is used to control infected routers, and another is reserved for the connected devices if they're later infected.

The researchers observed routers from 23 IP addresses with a persistent connection to a control server that they believe was performing an initial survey to determine if the targets were of interest. A subset of those 23 routers later interacted with a Taiwan-based proxy server for three months. A further subset of routers rotated to a Canada-based proxy server to obfuscate the attacker's infrastructure.

The researchers wrote:

_Black Lotus Labs visibility indicates ZuoRAT and the correlated activity represent a highly targeted campaign against US and Western European organizations that blends in with typical internet traffic through obfuscated, multistage C2 infrastructure, likely aligned with multiple phases of the malware infection. The extent to which the actors take pains to hide the C2 infrastructure cannot be overstated. First, to avoid suspicion, they handed off the initial exploit from a dedicated virtual private server (VPS) that hosted benign content. Next, they leveraged routers as proxy C2s that hid in plain sight through router-to-router communication to further avoid detection. And finally, they rotated proxy routers periodically to avoid detection._

The discovery of this ongoing campaign is the most important one affecting SOHO routers since VPNFilter, the router malware created and deployed by the Russian government that was discovered in 2018. Routers are often overlooked, particularly in the work-from-home era. While organizations often have strict requirements for what devices are allowed to connect, few mandate patching or other safeguards for the devices' routers.

Like most router malware, ZuoRAT can't survive a reboot. Simply restarting an infected device will remove the initial ZuoRAT exploit, consisting of files stored in a temporary directory. To fully recover, however, infected devices should be factory reset. Unfortunately, in the event connected devices have been infected with the other malware, they can't be disinfected so easily.

_This story originally appeared on_ _Ars Technica__._

A New, Remarkably Sophisticated Malware Is Attacking Routers

Plus: Google issues fixes for Android bugs, and Cisco, Citrix, SAP, WordPress, and more issue major patches for enterprise systems.

June has seen the release of multiple security updates, with important patches issued for the likes of Google's Chrome and Android as well as dozens of patches for Microsoft products, including fixes for a Windows zero-day vulnerability that attackers had already exploited. Apple updates were absent at the time of writing, but the month also included some major enterprise-focused patches for Citrix, SAP, and Cisco products.

Here’s what you need to know about the major patches released in the past month.

Microsoft

Microsoft’s Patch Tuesday release was pretty hefty in June, including fixes for 55 flaws in the tech giant’s products. This Patch Tuesday was particularly important because it addressed an already exploited remote code execution (RCE) issue in Windows dubbed Follina, which Microsoft has been aware of since at least May.

Tracked as CVE-2022-30190, Follina—which takes advantage of vulnerabilities in the Windows Support Diagnostic tool and can execute without the need to open a document—has already been used by multiple criminal groups and state-sponsored attackers.

Three of the vulnerabilities addressed in Patch Tuesday affecting Windows Server are RCE flaws and rated as critical. However, the patches seem to be breaking some VPN and RDP connections, so be careful.

Google Chrome

Google Chrome updates continue to come thick and fast. That’s no bad thing, as the world’s most popular browser is by default one of the biggest targets for hackers. In June, Google released Chrome 103 with patches for 14 vulnerabilities, some of which are serious.

Tracked as CVE-2022-2156, the biggest flaw is a use-after-free issue in Base reported by Google’s Project Zero bug-hunting team that could lead to arbitrary code execution, denial of service, or corruption of data. Worse, when chained with other vulnerabilities the flaw could lead to full system compromise.

Other issues patched in Chrome include vulnerabilities in Interest Groups, WebApp Provider, and a flaw in the V8 Javascript and WebAssembly engine.

Google Android

Of the multiple Android security issues Google patched in June, the most severe is a critical security vulnerability in the System component that could lead to remote code execution with no additional execution privileges needed, Google said in its Android Security Bulletin.

Google also released updates for its Pixel devices to patch issues in the Android Framework, Media Framework, and System Components.

Samsung users seem to have gotten lucky with Android updates of late, with the device maker rolling out its patches very quickly. The June security update is no different, reaching the Samsung Galaxy Tab S7 series, Galaxy S21 series, Galaxy S22 series, and the Galaxy Z Fold 2 straightaway.

Cisco

Software maker Cisco released a patch in June to fix a critical vulnerability in Cisco Secure Email and Web Manager and Cisco Email Security Appliance that could allow a remote attacker to bypass authentication and log in to the web management interface of an affected device.

The issue, tracked as CVE-2022-20798, could be exploited if an attacker enters something specific on the login page of the affected device, which would provide access to the web-based management interface, Cisco said.

Citrix

Citrix has issued a warning urging users to patch some major vulnerabilities that could let attackers reset admin passwords. The vulnerabilities in Citrix Application Delivery Management could result in corruption of the system by a remote, unauthenticated user, Citrix said in a security bulletin. “The impact of this can include the reset of the administrator password at the next device reboot, allowing an attacker with ssh access to connect with the default administrator credentials after the device has rebooted,” the company wrote.

Citrix recommends that traffic to the Citrix ADM’s IP address be segmented from standard network traffic. This diminishes the risk of exploitation, it said. However, the vendor also urged customers to install the updated versions of Citrix ADM server and Citrix ADM agent “as soon as possible.”

SAP

Software firm SAP has released 12 security patches as part of its June Patch Day, three of which are serious. The first listed by SAP relates to an update released on April 2018 Patch Day and applies to the browser control Google Chromium used by the firm’s business clients. Details of this vulnerability aren’t available, but it has a severity score of 10, so the patch should be applied straightaway.

Another major fix concerns an issue in the SAProuter proxy in NetWeaver and ABAP Platform, which could allow an attacker to execute SAProuter administration commands from a remote client. The third major patch fixes a privilege escalation bug in SAP PowerDesigner Proxy 16.7.

Splunk Enterprise

Splunk has released some out-of-band patches for its Enterprise product, fixing issues including a critical-rated vulnerability that could lead to arbitrary code execution.

Labeled CVE-2022-32158, the flaw could allow an adversary to compromise a Universal Forwarder endpoint and execute code on other endpoints connected to the deployment server. Thankfully, there’s no indication that the vulnerability has been used in any real-world attacks.

Ninja Forms WordPress Plug-In

Ninja Forms, a WordPress plug-in with over a million active installations, has patched a serious issue that’s probably being used by attackers in the wild. “We uncovered a code injection vulnerability that made it possible for unauthenticated attackers to call a limited number of methods in various Ninja Forms classes, including a method that unserialized user-supplied content, resulting in Object Injection,” security analysts at the WordPress Wordfence Threat Intelligence team said in an update.

This could allow attackers to execute arbitrary code or delete arbitrary files on sites where a separate POP chain was present, researchers said.

The flaw has been fully patched in versions 3.0.34.2, 3.1.10, 3.2.28, 3.3.21.4, 3.4.34.2, 3.5.8.4, and 3.6.11. WordPress appears to have performed a forced automatic update for the plug-in, so your site may already be using one of the patched versions.

Atlassian

Australian software company Atlassian has released a patch to fix a zero-day flaw that’s already being exploited by attackers. Tracked as CVE-2022-26134, the RCE vulnerability in the Confluence Server and Data Center can be used to backdoor internet-exposed servers.

GitLab

GitLab has issued patches for versions 15.0.1, 14.10.4, and 14.9.5 for GitLab Community Edition and Enterprise Edition. The updates contain important security fixes for eight vulnerabilities, one of which could allow for account takeover.

With this in mind, the firm “strongly recommends” that all GitLab installations be upgraded to the latest version “as soon as possible.” GitLab.com is already running the patched version.

You Need to Update Windows and Chrome Right Now

The malware has been in circulation since 2020, with sophisticated, advanced malicious actors taking advantage of the vulnerabilities in SOHO routers as the work-from-home population expands rapidly.

Security researchers have discovered a multi-stage remote access Trojan (RAT) currently being used against a wide range of small office-home office (SOHO) routers in Europe and North America — potentially the work of a state-sponsored actor.

Researchers believe that at least 80 victims have been infected so far during the campaign.

The malware, known as ZuoRAT, has been active since 2020, according to the Black Lotus Labs, the threat intelligence arm of Lumen Technologies.

According to the report, the malware makes its way onto the routers through exploits for known vulnerabilities. It can also infect other devices in the network and introduce additional malware via DNS and HTTP hijacking.

"ZuoRAT is a MIPS file compiled for SOHO routers that can enumerate a host and internal LAN, capture packets being transmitted over the infected device, and perform person-in-the-middle attacks (DNS and HTTPS hijacking based on predefined rules)," Lumen's threat intelligence team wrote in a blog post on the malware.

**Trojan Targets Cisco, Netgear Routers**

The malware targets routers from Cisco, Netgear, Asus, and DrayTek.

"The device types consisted of, but were not limited to: Cisco RV 320, 325 and 420; Asus RT-AC68U, RT-AC530, RT-AC68P and RT-AC1900U; DrayTek Vigor 3900 and unspecified NETGEAR devices," according to the analysis.

The research team noted that while compromising SOHO routers as an access vector to gain access to an adjacent LAN is not a novel technique, it has seldom been reported.

"Reports of person-in-the-middle style attacks, such as DNS and HTTP hijacking, are \[rare\] and a mark of a complex and targeted operation," the post continued. "The use of these two techniques congruently demonstrated a high level of sophistication by a threat actor, indicating that this campaign was possibly performed by a state-sponsored organization."

From the perspective of Danny Adamitis, principal information security engineer for Lumen Black Lotus Labs, the sophistication of this campaign cannot be overstated, especially the ability to enumerate infected devices and the LANs they are connected to, and packet-capture network traffic for additional targeting.

"Moreover, the multi-stage campaign includes multiple fully functional Trojans, as well as complex and covert C2 and proxy C2 infrastructure to obfuscate command-and-control and evade detection, which is why it went undetected for nearly two years," he adds.

**Other Trojans Found on Hacked Devices**

To Adamitis' point, the researchers found two other Trojans on the hacked devices. One was based on C++ and targeted Windows workstations. The other Trojan was based on the Go programming language and attacked Linux and macOS as well as Windows.

Among other things, they allowed the attackers to start new processes, gain permanent access to infected systems, intercept network traffic, and upload or download arbitrary files.

**Shift to Secure the Home Office**

According to a recent survey, nearly a quarter of the respondents (23%) named securing the remote workforce as their top priority for 2022. Routers are an important part of that, as they act as central waypoints for the rest of the home IT footprint.

"Once you are on the router you have a full trusted connection to poke and prod at whatever device is connected to it," Dahvid Schloss, offensive security team lead at Echelon, said via email. "From there, you could attempt to use proxychains to throw exploits into the network or just monitor all the traffic going in, out, and around the network."

So, as part of the work-from-home shift, some major vendors are moving their security focus, such as HP, which helps admins secure work-from-home endpoints by extending cloud security management that can remotely track, detect, and self-heal remote company devices.

"The consumer router space is ripe for targeting because these devices reside outside of the traditional security perimeter, and they are rarely monitored or patched," Adamitis adds. "This is only exacerbated by the rapid shift to remote work at the start of the pandemic."

Alex Ondrick, director of security operations at incident-response specialist BreachQuest, says a general lack of security controls for consumer-grade routers, and difficulties in "force" patching/update for them, makes SOHO routers particularly vulnerable.

"If a SOHO router is unpatched or vulnerable to known security flaws, ZuoRAT poses a dangerous combination of reconnaissance and authentication-bypass exploit script and lateral-movement capabilities," he explains.

**Bolstering the Human Firewall**

Ondrick adds that the SOHO router threat is an opportunity for organizations to expand their security awareness programs and spread valuable improved security measures among their users.

"Educating users on how to protect their home networks, their passwords, their financial information, and their families increases their engagement and builds cybersecurity hygiene and acumen they take back to the office, and reduces the organization's attack surface and builds the better human firewall," he says.

He says SOHO users should regularly update their router's firmware and ensure their devices are behind multiple layers of security (defense-in-depth) wherever possible.

For home routers, he says it's important to leverage the vendor's built-in security capabilities alongside host-based network security wherever possible.

"Think of your home router as 'yet another' device which should be regularly updated and think of it as the 'first line of defense' between you and the public-facing Internet," he says. "Pending any leaps forward in SOHO router security, consider adding a recurring biannual reminder on your phone or calendar to check for updates on your router's firmware."

Tag

#cisco