Red Hat Security Advisory 2024-8563-03 - An update for buildah is now available for Red Hat Enterprise Linux 9.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8563.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: buildah security updateAdvisory ID:        RHSA-2024:8563-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:8563Issue date:         2024-10-30Revision:           03CVE Names:          CVE-2024-9675====================================================================Summary: An update for buildah is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The buildah package provides a tool for facilitating building OCI container images. Among other things, buildah enables you to: Create a working container, either from scratch or using an image as a starting point; Create an image, either from a working container or using the instructions in a Dockerfile; Build both Docker and OCI images. Security Fix(es):* buildah: Buildah allows arbitrary directory mount (CVE-2024-9675)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-9675References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2317458

Red Hat Security Advisory 2024-8563-03

Red Hat Security Advisory 2024-8546-03 - Red Hat Advanced Cluster Management for Kubernetes 2.9.5 General Availability release images, which fix bugs and update container images.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8546.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: Red Hat Advanced Cluster Management 2.9.5 bug fixes and container updates  
Advisory ID:        RHSA-2024:8546-03  
Product:            Red Hat ACM  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:8546  
Issue date:         2024-10-30  
Revision:           03  
CVE Names:          CVE-2024-42459  
====================================================================

Summary: 

Red Hat Advanced Cluster Management for Kubernetes 2.9.5 General  
Availability release images, which fix bugs and update container images.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.

Description:

Red Hat Advanced Cluster Management for Kubernetes 2.9.5 images

Red Hat Advanced Cluster Management for Kubernetes provides the  
capabilities to address common challenges that administrators and site  
reliability engineers face as they work across a range of public and  
private cloud environments. Clusters and applications are all visible and  
managed from a single console, with security policy built in.

This advisory contains the container images for Red Hat Advanced Cluster  
Management for Kubernetes, which fix several bugs. See the following  
Release Notes documentation, which will be updated for this  
release, for additional details:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.9/html/release_notes/

Security fix(es):  
nodejs/elliptic: EDDSA signature malleability occurs because there is a missing signature length check, and thus zero-valued bytes can be removed or appended (CVE-2024-42459)  
nodejs/elliptic: ECDSA signature malleability occurs because there is a missing check for whether the leading bit of r and s is zero (CVE-2024-42460)  
nodejs/elliptic: ECDSA implementation malleability due to BER-enconded signatures being allowed (CVE-2024-42461)  
Missing Validation in Elliptic's EDDSA Signature Verification (CVE-2024-48949)

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2024-42459

References:

https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.9/html/release_notes/

Red Hat Security Advisory 2024-8546-03

Red Hat Security Advisory 2024-8543-03 - An update for the pki-core:10.6 and pki-deps:10.6 module is now available for Red Hat Enterprise Linux 8.8 Extended Update Support. Issues addressed include a denial of service vulnerability.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8543.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: pki-core:10.6 and pki-deps:10.6 security updateAdvisory ID:        RHSA-2024:8543-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:8543Issue date:         2024-10-30Revision:           03CVE Names:          CVE-2024-38286====================================================================Summary: An update for the pki-core:10.6 and pki-deps:10.6 module is now available for Red Hat Enterprise Linux 8.8 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The Public Key Infrastructure (PKI) Core contains fundamental packages required by Red Hat Certificate System.Security Fix(es):* tomcat: Denial of Service in Tomcat (CVE-2024-38286)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-38286References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2314686

Red Hat Security Advisory 2024-8543-03

Red Hat Security Advisory 2024-8534-03 - An update is now available for Red Hat Ansible Automation Platform 2.5. Issues addressed include cross site scripting and memory exhaustion vulnerabilities.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8534.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: Red Hat Ansible Automation Platform 2.5 Product Release UpdateAdvisory ID:        RHSA-2024:8534-03Product:            Red Hat Ansible Automation PlatformAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:8534Issue date:         2024-10-30Revision:           03CVE Names:          CVE-2024-10033====================================================================Summary: An update is now available for Red Hat Ansible Automation Platform 2.5Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing IT automation at scale. IT Managers can provide top-down guidelines on how automation is applied to individual teams, while automation developers retain the freedom to write tasks that leverage existing knowledge without the overhead. Ansible Automation Platform makes it possible for users across an organization to share, vet, and manage automation content by means of a simple, powerful, and agentless language.Security Fix(es):* automation-controller: Django: Memory exhaustion in django.utils.numberformat.floatformat() (CVE-2024-41989)* automation-controller: Django: Potential denial-of-service vulnerability in django.utils.html.urlize() (CVE-2024-45230)* automation-gateway: XSS on automation-gateway (CVE-2024-10033)* receptor: quic-go: memory exhaustion attack against QUIC's connection ID mechanism (CVE-2024-22189)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Updates and fixes included:* With this update, upgrades from Ansible Automation Platform 2.4 to 2.5 are supported for RPM and Operator-based deployments for Automation controller and Automation hub. For more information on how to upgrade, refer to the Upgrading section of the AAP landing page. (ANSTRAT-809)Container-based Ansible Automation Platform* The TLS Certificate Authority private key can now use a passphrase. (AAP-33594)* Automation hub is populated with container images (decision and execution environments) and Ansible collections. (AAP-33759)* The Automation controller, Event-Driven Ansible, and automation hub legacy UIs now display a redirect page to the Platform UI rather than a blank page. (AAP-33794)* Fixed the uninstall playbook execution when the environment was already uninstalled. (AAP-32981)* containerized installer setup has been updated to 2.5-3RPM-based Ansible Automation Platform* Added platform Redis to RPM-based Ansible Automation Platform. This allows a 6 node cluster for a Redis high availability (HA) deployment. (AAP-33773)* Removed the variable aap_caching_mtls and replaced it with redis_disable_tls and redis_disable_mtls which are boolean flags that disable Redis server TLS and Redis client certificate authentication. (AAP-33773)* An informative redirect page is now shown when going to automation controller, Event-Driven Ansible, or automation hub URL. (AAP-33827)* ansible-automation-platform-installer and installer setup have been updated to 2.5-4Additional changes:* automation-controller has been updated to 4.6.2* automation-eda-controller has been updated to 1.1.2* automation-gateway has been updated to 2.5.3* automation-hub/python3.11-galaxy-ng has been updated to 4.10.1* python3.11-django-ansible-base has been updated to 2.5.3* receptor has been updated to 1.4.9Solution:CVEs:CVE-2024-10033References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2273513https://bugzilla.redhat.com/show_bug.cgi?id=2302433https://bugzilla.redhat.com/show_bug.cgi?id=2314485https://bugzilla.redhat.com/show_bug.cgi?id=2319162

Red Hat Security Advisory 2024-8534-03

Red Hat Security Advisory 2024-8533-03 - Multicluster Engine for Kubernetes 2.4.6 General Availability release images, which fix bugs and update container images.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8533.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: Multicluster Engine for Kubernetes 2.4.6 security updates and bug fixes  
Advisory ID:        RHSA-2024:8533-03  
Product:            multicluster engine for Kubernetes  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:8533  
Issue date:         2024-10-30  
Revision:           03  
CVE Names:          CVE-2024-42459  
====================================================================

Summary: 

Multicluster Engine for Kubernetes 2.4.6 General Availability release images,   
which fix bugs and update container images.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.

Description:

Multicluster engine for Kubernetes v2.4.6 images

Multicluster engine for Kubernetes provides the foundational components  
that are necessary for the centralized management of multiple  
Kubernetes-based clusters across data centers, public clouds, and private  
clouds.

You can use the engine to create new Red Hat OpenShift Container Platform  
clusters or to bring existing Kubernetes-based clusters under management by  
importing them. After the clusters are managed, you can use the APIs that  
are provided by the engine to distribute configuration based on placement  
policy.

nodejs/elliptic: EDDSA signature malleability occurs because there is a missing signature length check, and thus zero-valued bytes can be removed or appended (CVE-2024-42459)  
nodejs/elliptic: ECDSA signature malleability occurs because there is a missing check for whether the leading bit of r and s is zero (CVE-2024-42460)  
nodejs/elliptic: ECDSA implementation malleability due to BER-enconded signatures being allowed (CVE-2024-42461)  
Missing Validation in Elliptic's EDDSA Signature Verification(CVE-2024-48949)

Solution:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.9/html/clusters/install_upgrade/installing-while-connected-online-mce

CVEs:

CVE-2024-42459

References:

https://access.redhat.com/security/updates/classification/#important

Red Hat Security Advisory 2024-8533-03

Red Hat Security Advisory 2024-8528-03 - An update for pki-servlet-engine is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Issues addressed include a denial of service vulnerability.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8528.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: pki-servlet-engine security updateAdvisory ID:        RHSA-2024:8528-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:8528Issue date:         2024-10-30Revision:           03CVE Names:          CVE-2024-38286====================================================================Summary: An update for pki-servlet-engine is now available for Red Hat Enterprise Linux 9.0 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Tomcat is the servlet engine that is used in the official Reference Implementation for the Java Servlet and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed by Sun under the Java Community Process.  Tomcat is developed in an open and participatory environment and released under the Apache Software License version 2.0. Tomcat is intended to be a collaboration of the best-of-breed developers from around the world.Security Fix(es):* tomcat: Denial of Service in Tomcat (CVE-2024-38286)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-38286References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2314686

Red Hat Security Advisory 2024-8528-03

Cybersecurity researchers have uncovered an ongoing malvertising campaign that abuses Meta's advertising platform and hijacked Facebook accounts to distribute information known as SYS01stealer.
"The hackers behind the campaign use trusted brands to expand their reach," Bitdefender Labs said in a report shared with The Hacker News.
"The malvertising campaign leverages nearly a hundred malicious

Cybersecurity researchers have uncovered an ongoing malvertising campaign that abuses Meta's advertising platform and hijacked Facebook accounts to distribute information known as SYS01stealer.

"The hackers behind the campaign use trusted brands to expand their reach," Bitdefender Labs said in a report shared with The Hacker News.

"The malvertising campaign leverages nearly a hundred malicious domains, utilized not only for distributing the malware but also for live command and control (C2) operations, allowing threat actors to manage the attack in real-time."

SYS01stealer was first documented by Morphisec in early 2023, describing attack campaigns targeting Facebook business accounts using Google ads and fake Facebook profiles that promote games, adult content, and cracked software.

Like other stealer malware, the end goal is to steal login credentials, browsing history, and cookies. But it's also focused on obtaining Facebook ad and business account data, which is then used to propagate the malware further via phony ads.

"The hijacked Facebook accounts serve as a foundation for scaling up the entire operation," Bitdefender noted. "Each compromised account can be repurposed to promote additional malicious ads, amplifying the reach of the campaign without the hackers needing to create new Facebook accounts themselves."

The primary vector through which SYS01stealer is distributed is via malvertising across platforms like Facebook, YouTube, and LinkedIn, with the ads promoting Windows themes, games, AI software, photo editors, VPNs, and movie streaming services. A majority of the Facebook ads are engineered to target men aged 45 and above.

"This effectively lures victims into clicking these ads and having their browser data stolen," Trustwave said in an analysis of the malware in July 2024.

"If there is Facebook-related information in the data, there is a possibility of not only having their browser data stolen but also having their Facebook accounts controlled by the threat actors to further spread malvertisements and continue the cycle."

Users who end up interacting with the ads are redirected to deceptive sites hosted on Google Sites or True Hosting that impersonate legitimate brands and applications in an attempt to initiate the infection. The attacks are also known to use hijacked Facebook accounts to publish fraudulent ads.

The first stage payload downloaded from these sites is a ZIP archive that includes a benign executable, which is used to sideload a malicious DLL responsible for decoding and launching the multi-stage process.

This includes running PowerShell commands to prevent the malware from running in a sandboxed environment, modifying Microsoft Defender Antivirus settings to exclude certain paths to avoid detection, and setting up an operating environment to run the PHP-based stealer.

In the latest attack chains observed by the Romanian cybersecurity company, the ZIP archives come embedded with an Electron application, suggesting that the threat actors are continuously evolving their strategies.

Also present within the Atom Shell Archive (ASAR) is a JavaScript file ("main.js") that now executes the PowerShell commands to perform sandbox checks and execute the stealer. Persistence on the host is achieved by setting up scheduled tasks.

"The adaptability of the cybercriminals behind these attacks makes the SYS01 infostealer campaign especially dangerous," Bitdefender said. "The malware employs sandbox detection, halting its operations if it detects it's being run in a controlled environment, often used by analysts to examine malware. This allows it to remain undetected in many cases."

"When cybersecurity firms begin to flag and block a specific version of the loader, the hackers respond swiftly by updating the code. They then push out new ads with updated malware that evades the latest security measures."

**Phishing Campaigns Abuse Eventbrite**

The development comes as Perception Point detailed phishing campaigns that misuse the Eventbrite events and ticketing platform to steal financial or personal information.

The emails, delivered via noreply@events.eventbrite\[.\]com, prompt users to click on a link to pay an outstanding bill or confirm their package delivery address, after which they are asked to enter their login and credit card details.

The attack itself is made possible by the fact that the threat actors sign up for legitimate accounts on the service and create fake events by abusing the reputation of a known brand, embedding the phishing link within the event description or attachment. The event invite is then sent to their targets.

"Because the email is sent via Eventbrite's verified domain and IP address, it is more likely to pass email filters, successfully reaching the recipient's inbox," Perception Point said.

"The Eventbrite sender domain also increases the likelihood that recipients will open the email and click through to the phishing link. This abuse of Eventbrite's platform enables the attackers to evade detection, ensuring higher delivery and open rates."

**Pig Butchering of a Different Kind**

Threat hunters are also calling attention to an increase in cryptocurrency fraud that impersonates various organizations to target users with bogus job lures that purportedly allow them to earn money while working from home. The unsolicited messages also claim to represent legitimate brands like Spotify, TikTok, and Temu.

The activity commences via social media, SMS, and messaging apps like WhatsApp and Telegram. Users who agree to take up the jobs are instructed by the scammers to register on a malicious website using a referral code, following which they are asked to complete various tasks – submit fake reviews, place product orders, play specific songs on Spotify, or book hotels.

The scam unfolds when victims' fake commission account balance suddenly goes into the negative and they are urged to top up by investing their own cryptocurrency in order to earn bonuses off the tasks.

"This vicious cycle will continue as long as the scammers think the victim will keep paying into the system," Proofpoint researchers said. "If they suspect their victim has become wise to the scam, they will lock their account and ghost them."

The illicit scheme has been attributed with high confidence to threat actors who also conduct pig butchering, which is also known as romance-based cryptocurrency investment fraud.

"The job fraud has smaller but more frequent returns for the fraudsters compared to pig butchering," Proofpoint said. "The activity leverages popular brand recognition in place of a long, romance-based confidence scam."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Malvertising Campaign Hijacks Facebook Accounts to Spread SYS01stealer Malware

This blog will demonstrate the practice and methodology of reversing BugSleep’s protocol, writing a functional C2 server, and detecting this traffic with Snort.

Wednesday, October 30, 2024 06:00

In June 2024, security researchers published their analysis of a novel implant dubbed “MuddyRot”(aka "BugSleep"). This remote access tool (RAT) gives operators reverse shell and file input/output (I/O) capabilities on a victim’s endpoint using a bespoke command and control (C2) protocol. This blog will demonstrate the practice and methodology of reversing BugSleep’s protocol, writing a functional C2 server, and detecting this traffic with Snort. 

**Key findings **

*   BugSleep implant implements a bespoke C2 protocol over plain TCP sockets. 
*   BugSleep operators have demonstrated multiple file-obfuscation techniques to avoid detection. 
*   BugSleep implements reverse shell, file I/O, and persistence capabilities on the target system. 

**Sending and receiving data **

This blog will use sample b8703744744555ad841f922995cef5dbca11da22565195d05529f5f9095fbfca for analysis. Two of the lowest functions in the C2 stack, referred to as SendSocket (FUN\_1400034c0) and ReadSocket (FUN\_140003390), are very light wrappers for the send and receive API functions and handle payload encryption. They include some error handling by attempting to send or receive data 10 times before failing.  

This protocol uses a pseudo-TLV (Type Length Value) structure with only two types: integer or string. Integers are sent as little-endian 4- or 8-byte values, and strings are prepended with the 4-byte value of its length. Payloads are then encrypted by subtracting a static value from each byte in the buffer (in this sample it is three).  

Type 

Value 

Plain text 

Cipher text 

IntegerMsg 

6 

06 00 00 00 

03 FD FD FD 

StringMsg  

Talos 

05 00 00 00 48 65 6C 6C 6F 

02 FD FD FD 51 5E 69 6C 70

_Figure 1: Example of data encryption used by BugSleep_

There are two main functions for handling C2 communications: C2Loop (FUN\_1400012c0) and CommandHandler (FUN\_1400028a0). C2Loop is responsible for setting up socket connections with the server and sending a beacon, while CommandHandler is responsible for processing and executing commands from the server. 

After setting up the socket connection, the implant beacons (FUN\_140003d80) to the C2 server for a command. The beacon is a StringMsg in the form ComputerName/Username. If the server responds with an IntegerMsg equal to 0x03, BugSleep will terminate itself. We suspect this is remnants of an old kill command or an emergency kill without the overhead of reading the real kill command later. 

Each BugSleep command is sent as an IntegerMsg after the beacon response. The following enumeration defines all the command IDs discovered. 

Figure 2: Command IDs used by implant 

**Phoning home **

The implant communicates using plain TCP sockets, which can be seen using a Netcat listener and Wireshark. 

Figure 3: BugSleep beacon as seen through Wireshark. 

Recalling the message encryption demonstrated in Figure 1, the beacon can be decrypted with a little bit of Python (Figure 4). This will be used again when building the rest of the C2 server.  

Figure 4: Decoding beacon data 

**Python C2 server **

With an understanding of the protocol basics, it is time to start building the C2 server. Full source code can be found here. 

**Beacon **

As mentioned earlier, the BugSleep beacon function sends a StringMsg and reads an IntegerMsg response from the server. Since the IntegerMsg returned can be anything but 0x03, we returned the length of the Computer Name/Username string received by the server.

Figure 5: Output from C2 server receiving beacon data 

**Ping command **

The simplest command to implement is the Ping command. It has the command ID of 0x63 (BugSleep subtracts one from whatever ID it receives). The code is simple: send back 4 bytes.  

Figure 6: Switch case for handling ping command 

Once the beacon comes in, the server is responsible for: 

1.  Sending 4 bytes for beacon response 
2.  Sending 4 bytes for Ping command ID 
3.  Reading 4 bytes of Ping data 

The ping command was observed sending back 4 bytes recently allocated on the heap, so it's not guaranteed to know what that data looks like. To validate things are really working, a breakpoint can be set in WinDbg and memory set manually before being sent. 

Figure 7: Confirming 0xdeadbeef written to memory is received by the server in a Ping command 

**File commands **

The next set of commands are responsible for downloading files onto the compromised system or uploading files to the C2 server (PutFile and GetFile, respectively). These commands are inverses of each other, so only the GetFile command will be discussed in detail. The methodology was to trace each call to SendSocket or ReadSocket and implement the response for that call in Python. In CommandHandler, the implant reads the length and value off the wire. This is the file to be retrieved.  

Figure 8: GetFile reading path string length and path string from socket 

The CmdGetFile function opens the target file and chunks it over the socket one page at a time. The list of SendSocket calls is as follows: 

Figure 9: SendSocket calls made by CmdGetFile function 

Figure 10: Example C2 server output from GetFile command 

The PutFile command differs slightly from the GetFile command with how it uses pointer math to process incoming pages. 

Figure 11: Tricky file pointer math 

This translates to each page starting with a 4-byte page number followed by 1020 bytes (or 0x3fc) of file data, which the GetFile command does not do; it sends full 1024-byte pages of file data without page numbers. 

**Reverse shell **

The last command is the reverse shell. This is the most complex because it requires many reads and writes over the socket. The disassembly is rather long and difficult to keep track of the socket calls, so we have omitted it. Effectively, the implant spawns a cmd.exe process (FUN\_1400016e0) and reads the command to execute from the socket. The shell command and its output are marshaled between the processes via pipes during the session. The complexity of this operation comes from BugSleep incrementally reporting return values from pipe API calls while attempting to read shell output (FUN\_140003840). The implant will enter this loop of reading commands and sending output until it receives the string “terminate\\n”.  

Figure 12: Example output from C2 server running the reverse shell command 

The rest of the commands are less complex but have been implemented and are viewable here. 

**Snort detection **

This server gives Talos the ability to emulate any number of conversations between BugSleep and its operators. This traffic is crucial for writing and validating our detections’ performance in the wild. 

The initial candidate for detection would be the beacon. It is the first opportunity to shut down communications, isolating any BugSleep instance from receiving commands. It was observed that each beacon has the form of <len><data>, where data is sub\_string(COMPUTER\_NAME + "/" + USERNAME, 3). This string is not long or static, which makes it a poor candidate for a fast\_pattern; however, recall that each beacon is prepended with a 4-byte length of this string. A Computer Name/Username string from any given victim is unlikely to be longer than 255 characters. This means most length fields are going to look like |XX 00 00 00| or |XX FD FD FD| when encoded. This could be a quick match, early in the stream, at a static offset, making it a decent fast\_pattern candidate. 

Figure 13: Detecting higher order encoded zero bytes of beacons sent from BugSleep 

 This will work but is likely to cause false-positives (FP) in the wild. Every sample of BugSleep was seen using port 443. The implant is also reaching outside the network to a C2 server, so traffic to be inspected by this rule can be reduced using the following header: 

Figure 14: Restricting rule to inspect traffic leaving the network to port 443 

The flow:to\_server,established option can be used to restrict Snort to data coming from a client over established TCP streams. The FP-rate on this rule still isn't great. Any TCP traffic leaving the network on port 443 with |FD FD FD| at offset 1 will alert. That might sound unique, but it does not indicate with confidence that the traffic is a BugSleep beacon. 

One powerful tool in Snort to add more logic or state to rules is flowbits. These allow a writer to have a sense of state within a stream across multiple rules. In this case, the beacons aren't enough to reliably alert on. What if we use flowbits to chain beacons with the commands being sent back? The commands themselves don't provide much content, as they are variable length non-deterministic strings (e.g., get, put, etc.) or a nondeterministic 4-byte integer (e.g., heartbeat, increment timeout, etc.). They do, however, all start with a 4-byte command ID. Setting a flowbit when a beacon leaves the network will allow another rule down the line to alert with higher confidence if it sees a command ID come back in the same stream. 

**Command rules **

The pcre rule option can be used to reduce 11 rules down to one. Like the beacon rule, the three zero bytes, encoded as |03|, can be used as a fast\_pattern. Once the rule has entered, the bugsleep\_beacon flowbit check can be performed to help the rule exit quickly in the event of a false positive. After the three |03| bytes are confirmed to be at offset five, a PCRE can verify one of the command IDs is present.  

Figure 15: Snort rule for detecting BugSleep command sent from C2 server 

**Sharp edges **

Sometimes, we are reminded that Snort can handle or interpret data differently than expected. Conveniently, this sample’s traffic was a perfect example and opportunity to peek under the hood and see what Snort sees. Originally, our beacon rule looked like this, trying to catch the encoded forward-slash that is always present in the Computer Name/Username string (encoded as a comma).  

Figure 16: Beacon rule attempting to catch forward-slash in Computer Name/Username string 

Recall that the implant will: 

1.  Connect to the server 
2.  Send a string length (4 bytes) 
3.  Send the PC/User string N bytes 
4.  Read 4 bytes back to ensure a response 
5.  Read 4-byte command ID and N command data bytes 
6.  Start sending command responses 

As Snort is reading data over the wire, it is interpreting it and sorting it into different buffers (pkt\_data, file\_data, js\_data, http\_\*, etc.). In this case, as TCP data is being chunked along the wire, Snort is looking at those individual TCP segments. Only after it has enough data will it flush into the larger "TCP stream" buffer so a rule can parse the entire stream sent from a client or server. 

Initially, the get command traffic was alerting while the put command traffic was not. Fortunately, Snort 3 comes with a tracing module to help debug these issues. The buffer option will print out Snort’s different buffers as they are filled and rule\_eval will trace the rule as it is evaluated. The following screenshots are output from individual runs of Snort against each PCAP. “snort.raw” represents an individual packet, while “snort.stream\_tcp” represents a reassembled TCP stream. 

At the start of the working GetFile command, the beacon size and data can be seen as two separate packets (Figure 17).  

Figure 17: Individual beacon packets being processed by Snort 

Further down, the reassembled TCP stream can be seen being inspected and alerted on. Moving from the top to bottom in Figure 18, the cursor position and state of the buffer can be observed changing as the rule is evaluated. At the end, the flowbit is set and made available for the command rule.

Figure 18: Snort trace output setting flowbit for BugSleep beacon 

Further down, the TCP stream for the command data is processed. The higher-order zeroes of the command are found, the flowbit checked, the PCRE performed, and the SID alerts as expected.  

Figure 19: Get file command rule alerts on traffic as expected 

When the results of the put file command traffic are inspected, a different behavior is observed. The individual packets for beacon length and beacon data are seen coming in; however, the first reassembled TCP stream that Snort is inspecting is the command being sent back to the implant. Figure 20 shows the command ID being found and then the flowbit check failing. 

Figure 20: Put file command traffic failing flowbit check 

Scrolling further in the log reveals the TCP stream for the beacon data is eventually populated and Snort sets the flowbit as expected. The stream for the command ID, however, has already passed and failed analysis because of the unset flowbit, resulting in no alert. The cause of this issue is the raw packets coming from the client not being reassembled into a TCP stream by the time the server packets are reassembled and inspected. This happens because Snort only reassembles when it has enough data, and 20 bytes is not enough yet. 

**The fix **

Unfortunately, the beacon rule must be tweaked so it can alert as soon as possible and not rely on the TCP reassembly. Recall that the beacon function invokes SendSocket twice, once for 4-length bytes and again for the beacon data. This means the first packet Snort sees will only be 4 bytes long. Adding “bufferlen:=4” restricts Snort to only look at 4-byte packets, significantly reducing any FP rate. Our solution ended up being this:  

Figure 21: Fixed beacon rule looking for 4-byte length segments 

 Now the rules work as expected!  

Figure 22: Snort output alerting on traffic from all BugSleep commands 

**Conclusion **

Since BugSleep is a new implant and weekly releases were observed being deployed, this protocol might change and bypass these rules. However, two things have been accomplished: 

1.  This variant will no longer communicate over our customers’ networks. 
2.  Attackers must invest development time and money to use BugSleep again. 

The published Snort SIDs covering this traffic are 63937 and 63938.  

**Indicators of compromise **

Hosts: 

*   1\[.\]235\[.\]234\[.\]202 
*   146\[.\]19\[.\]143\[.\]14 
*   46\[.\]19\[.\]143\[.\]14 
*   5\[.\]239\[.\]61\[.\]97 

Hashes 

The following Windows executables were collected during our research. Assuming these have not been manipulated, the compilation time for this set of binaries indicates weekly releases of BugSleep. 

SHA256 

Compile Time 

b8703744744555ad841f922995cef5dbca11da22565195d05529f5f9095fbfca 

Wed., May 8 00:55:53 2024 UTC 

94278fa01900fdbfb58d2e373895c045c69c01915edc5349cd6f3e5b7130c472 

Wed., May 22 21:56:39 2024 UTC 

73c677dd3b264e7eb80e26e78ac9df1dba30915b5ce3b1bc1c83db52b9c6b30e 

Fri., May 31 23:29:21 2024 UTC 

5df724c220aed7b4878a2a557502a5cefee736406e25ca48ca11a70608f3a1c0 

Sun., Jul 07 21:09:49 2024 UTC 

960d4c9e79e751be6cad470e4f8e1d3a2b11f76f47597df8619ae41c96ba5809 

Sat., Jul 15 09:15:20 2079 UTC

Writing a BugSleep C2 server and detecting its traffic with Snort

The jsonProxy.php endpoint on the ABB BMS/BAS controller is vulnerable to an unauthenticated Denial of Service (DoS) attack. An attacker can remotely restart the main Java server by accessing the FTControlServlet with the restart parameter. The endpoint proxies requests to localhost without requiring authentication, enabling attackers to disrupt system availability by repeatedly triggering server restarts.

ABB Cylon Aspect 3.08.01 (jsonProxy.php) Denial of Service

The jsonProxy.php endpoint on the ABB BMS/BAS controller is vulnerable to unauthorized project file disclosure. An unauthenticated remote attacker can issue a GET request abusing the DownloadProject servlet to download sensitive project files. The jsonProxy.php script bypasses authentication by proxying requests to localhost (AspectFT Automation Application Server), granting remote attackers unauthorized access to internal Java servlets. This exposes potentially sensitive project data and configuration details without requiring authentication.

Tag

#js