A flaw was found in Samba. It is susceptible to a vulnerability where multiple incompatible RPC listeners can be initiated, causing disruptions in the AD DC service. When Samba's RPC server experiences a high load or unresponsiveness, servers intended for non-AD DC purposes (for example, NT4-emulation "classic DCs") can erroneously start and compete for the same unix domain sockets. This issue leads to partial query responses from the AD DC, causing issues such as "The procedure number is out of range" when using tools like Active Directory Users. This flaw allows an attacker to disrupt AD DC services.

'2241885?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2023-42670: Invalid Bug ID

An out-of-bounds (OOB) memory read flaw was found in parse_lease_state in the KSMBD implementation of the in-kernel samba server and CIFS in the Linux kernel. When an attacker sends the CREATE command with a malformed payload to KSMBD, due to a missing check of `NameOffset` in the `parse_lease_state()` function, the `create_context` object can access invalid memory.

'2154176?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2023-1194: Invalid Bug ID

A use-after-free flaw was found in smb2_is_status_io_timeout() in CIFS in the Linux Kernel. After CIFS transfers response data to a system call, there are still local variable points to the memory region, and if the system call frees it faster than CIFS uses it, CIFS will access a free memory region, leading to a denial of service.

'2154178?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2023-1192: Invalid Bug ID

A use-after-free flaw was found in setup_async_work in the KSMBD implementation of the in-kernel samba server and CIFS in the Linux kernel. This issue could allow an attacker to crash the system by accessing freed work.

'2154177?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2023-1193: Invalid Bug ID

An issue in Univention UCS v.5.0 allows a local attacker to execute arbitrary code and gain privileges via the check_univention_joinstatus function.

**Table of Contents**

1.  Introduction
2.  The Basics
3.  Exploitation via LDAP
4.  Exploitation via SSH/Kerberos
5.  Exploitation via Hash Cracking
6.  The Fix
7.  Lessons Learned
8.  Disclosure Timeline
9.  Update history

**Introduction**

Recently, DriveByte was assigned to perform a penetration test for a customer. The goal was to find as many vulnerabilities as possible, as well as to determine, if an attacker would be able to compromise the customer’s infrastructure. The unusual part about it? The customer’s IT had no Microsoft Active Directory nor Entra ID but something similar. It was based on a product called Univention UCS, which is according to their website, a solution for "easy and centralized administration of domains". This was especially interesting for us, as we did not know this solution before and are of course always genuinely interested in digging into new technologies. The following blogpost shows a very classic and simple flaw, that had a huge impact on the customer's environment.

Since the initial publication of this blogpost, some changes have been made. This includes especially some additional information that we received from univention. For better tracking we added a section "Update History". Special thanks again to Univention for the awesome information and collaboration!

**TLDR:**

By spying on the process creation of a UCS connected server with extensive permissions, it was possible to gather a large amount of LDAP data. This data includes different credentials and other authentication information. The vendor responded extremely professional and fixed the issues very quickly. He did not only fix the script where we found the issue, but also checked their code base for similar problems and fixed them as well.

**Do the basics. They might reward you with some quick wins!**

The vulnerability analysis was performed with access to the customer’s network and a user with very limited permissions (domain joined, but nothing else). While enumerating the network, we found that it is possible to access several servers with our basic user via SSH (remember, the network is mainly based on Linux machines, with only a very small number of Windows and Mac machines). This was possible due to faulty configured permissions and is not a default setting or problem of Univention UCS, but a configuration error. We know this kind of misconfigurations from Windows Active Directory environments, where we often see permissions for "authenticated users" for SMB, RDP and so on.

Of course, this was a very easy entry point and we started to dig into the machines to see if there is anything juicy to be found. Before trying to escalate privileges, we first checked for secrets and so on. Also, for chances of a quick win, we usually start monitoring process creations, to check for privilege escalation opportunities and other valuable information (hell yeah, full HackTheBox/OSCP style!!!). By searching through the system, we discovered the files /etc/ldap.secret and /etc/machine.secret. This sounded like relevant information. Sadly, we couldn’t read the files, as they were set to read/write-only by root. Also, we didn't know what they are used for, but suspected them to be part of the Univention software. A quick search through the extensive Univention documentation proved this assumption right. After publishing this blogpost, Univention contacted us again and hinted us to this discussion about a solution for the machine.secret and ldap.secretfiles. As they identified this files as a possible attack surface, they are planning to find another solution for this. So a solution is in the making.

We played around a little with some of the Univention scripts etc., but at first did not find anything that seemed promising. So, the next step was to check for privilege escalation. Next to other approaches, we went back to the process creation monitoring, and there it was:

The script check_univention_joinstatus requested the LDAP database as the system account, presenting the password in cleartext. We suspected that this might be the password from the /etc/machine.secret file which was later confirmed. So, the logical next step for us was to recreate this exact command from our attacker machine. We were quite surprised to see, that this machine had permissions to basically perform DCSync. It's not Windows AD of course. The machine had the permission to retrieve ALL directory objects _with all their attributes_. This includes users, with their krb5key, sambaNTPassword (NTHash), SHA512 or bcrypt hashes (SHA512 is the default) as well as their password history. The following screenshot shows the output we recreated in a lab environment:

However, this is only possible if the domain joined system has the permissions that match DCSync. In our test environment we joined an arbitrary machine to the domain and checked what information we get back from the "Domain Controller". So, in comparison to the information above, you can see in the screenshot below what information a usual domain joined system gets:

**Exploitation attempt 1: LDAP**

To exploit this issue, we can rely on n00py's awesome "Alternative ways to Pass the Hash (PtH)" blogpost. However, a bit more research on that topic showed, that it is not as simple as we first thought. Our first guess was, that we can just use the LDAP3 Python module to connect to LDAP with the NTLM hash. Unfortunately, that seems to be impossible with Univention, as it is not supporting NTLM authentication for LDAP:

While our first impression was, that we are doing something wrong, this GitHub entry stated that the "authMethodNotSupported" message is from the server. It seems that Univention does not have NTLM authentication activated on the server by default (atm, we don't know if it is supported at all).

For comparison, the SIMPLE authentication via LDAP is working fine:

But the 'server.info' output is puzzling us a bit because it says that NTLM is a valid SASL mechanism, so maybe there is a workaround by using NTLM for SASL. Before going too deep into that path and losing a lot of time, we decided to try something else. Maybe this motivates somebody who has more knowledge in this area to dig into it. Or maybe we will come back to this later...

Here we also got some additional information from Univention. NTLM is indeed not supported. The fact that it is still shown as supported sasl mechanism is due to the OpenLDAP defaulf configuration. Univention is tracking this issue here.

**Exploitation attempt 2: SSH via Kerberos**

As an alternative way, \\@n00py suggests in his blogpost to use the NThash to sign a Kerberos ticket and then connect via SSH. Well, that seems easy. So we took the administrator's hash and threw it in Impacket's ticketer.py. All information for this including the domain-sid etc. was included in the full domain dump.

    ticketer.py -nthash 3B0E04870F352EDC0EF120F16431FA42 -domain-sid S-1-5-21-2228799870-4051273110-1256914315 -spn host/ucs-7427.drivebytetest.intranet -domain drivebytetest.intranet Administrator

Sadly, the authentication failed with the following message:

As this is no traditional AD, we were thinking that they could use another approach to sign their Kerberos tickets. What was bugging us from the start was the krb5Key fields we've seen in the second screenshot. And again, the Univention documentation comes to our rescue. It states that "The krb5Key attribute stores the Kerberos password". Nice. But how?

After googling for a while, we came across this post in the Univention help forum. It contains some very interesting information. First, the krb5Key seems to consist of a keytype, a keyblock, in one case even an NThash and a salt string. Well, now of course we wanted to get our fingers on this s4search-decode script that was mentioned in this help request. We did not find it. It wasn’t on the domain controller and we didn't find it in the Univention Git repo (but maybe we just went over it???, there are tons of mentions, but we didn't find the actual script <- The awesome people from univention pointed us to this. So yeah. We were indeed just not finding it somehow). At that point a friend with whom we discussed the topic pointed us to the following page https://docs.software-univention.de/ucs-python-api/\_modules/univention/s4connector/s4/password.html. This file can also be found in the Univention Git. He pointed this out to us because of the following function:

    ...
    def extract_NThash_from_krb5key(ucs_krb5key):
    
        NThash = None
    
        for k in ucs_krb5key:
            (keyblock, salt, kvno) = heimdal.asn1_decode_key(k)
    
            enctype = keyblock.keytype()
            enctype_id = enctype.toint()
            if enctype_id == 23:
                krb5_arcfour_hmac_md5 = keyblock.keyvalue()
                NThash = binascii.b2a_hex(krb5_arcfour_hmac_md5)
                break
    
        return NThash
    
    ...

Nice. This seemed promising with only one downside; The dependency on heimdal which looked like a Univention-specific library version. We quickly recognized that this lib is installed on the Univention DC. But we didn't want to rely on that for executing the script. After a bit of searching we found a download portal which offered a Debian package and the source code etc. The package requires python below 3.8 and some other dependencies, but nothing too special. So we spun up a docker container to go on with the testing (The Dockerfile and final script can be found on our GitHub). We extracted the function, added only the important imports, and fired it up in iPython... and failed:

It seems that the krb5Key usually is not base64 encoded when passed to the function. But after modifying this, we were still running into an error. We started to break down the steps and came out with the following working script, which does basically the same steps as the actual function.

    #!/usr/bin/python3
    # -*- coding: utf-8 -*-
    
    import binascii
    import heimdal
    import base64
    import argparse
    
    krb5_keytype__des_cbc_crc = 1
    krb5_keytype__des_cbc_md4 = 2
    krb5_keytype__des_cbc_md5 = 3
    krb5_keytype__des3_cbc_sha1 = 16
    krb5_keytype__aes128_cts_hmac_sha1_96 = 17
    krb5_keytype__aes256_cts_hmac_sha1_96 = 18
    krb5_keytype__arcfour_hmac_md5 = 23
    
    def extract_NThash_from_krb5key(ucs_krb5key):
    
        NThash = None
    
        keyblock,salt,kvno = heimdal.asn1_decode_key(base64.b64decode(ucs_krb5key))
    
        if keyblock.keytype().toint() == krb5_keytype__arcfour_hmac_md5:
            NThash = binascii.hexlify(keyblock.keyvalue()).decode('utf-8')
        else:
            print(f'Keytype is: ', keyblock.keytype().toint())
    
        return NThash
    
    
    def main():
        parser = argparse.ArgumentParser(
                prog='ProgramName',
                        description='Simple tool to extract ntlm hash out of the arcfour_hmac_md5 krb5key used by univention ucs')
        parser.add_argument('-d', help="put your base64 encoded krb5key value here", required=True)
        args = parser.parse_args()
        nt_hash = extract_NThash_from_krb5key(args.d)
        print("NThash: ",nt_hash)
    
    
    if __name__ == '__main__':
        main()

And this worked like a charm. It allows us to extract the NThash out of the krb5Key. Now we could take the krb5Key of the krbtgt account for example to forge a ticket as Administrator, which is the default "Domain Admin" in Univention UCS.

And that's it. We can now be everybody we want to be :blush:.

Maybe we can also use the other keyblock values to sign the TGTs somehow. But we didn't look into that so far.

**Exploitation attempt 3: Hash Cracking**

As we are in possession of the NThashes, we are also able to try password cracking quite efficiently. We confirmed that the sambaNTPassword represents the actual password. Using hashcat, some proper wordlists as well as some good rules, can open some more pathways.

Using those methods we were able to go from "any user in the directory" to "Administrator", the "Domain Admin" equivalent because of some very basic misconfigurations, a trivial but impactful bug and a recoverable password.

**The Fix**

The mitigation time and responses from Univention have been extraordinary. It was a pleasure to work with them, as the communication was fast, professional as well as solution-oriented! Special thanks for this awesome experience and awareness for security! Univention rated the bug with 7.9 (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N)

CVE-2023-38994 was reserved by MITRE for this issue, but not released yet.

Fixed version: Univention UCS 5.0-4 Fix number: 1.0.2-4

**Lessons Learned**

*   Do not grant "everyone" or "authenticated users" permissions to any machine if possible (and we guess that’s possible in almost every scenario)
*   Upgrade your software
*   Set strong and unique passwords
*   For developers and admins: Avoid sensitive information in process creations (Univention added this to their developers security guidelines. Great Job!)

**Disclosure Timeline**

2023/07/17 - Bug Reported

2023/07/17 - Bug confirmed by Univention and opened in their Bugtracker

2023/07/17 - GitHub push to fix the Bug

2023/07/19 - Fix release in 1.0.2-4 Release Note

2023/07/19 - Fix release of similar issues in another script Release Note

**Update History**

*   2023/10/19 - Added advisory for developers and admins in Lesson Learned
*   2023/10/30 - Mentioning Updates in the introduction
*   2023/10/30 - Added information about the misconfiguration of the ssh permissions
*   2023/10/30 - Added the outlook on a solution for the machine.secret and ldap.secret files
*   2023/10/30 - Changed wording from "synced" to "requested"
*   2023/10/30 - Added additional information and bugtracker about NTLM
*   2023/10/30 - Added the link to the s4search-decode script
*   2023/10/30 - Updated "Lessons Learned" with the fact that univention updated their developers security guidelines
*   2023/10/30 - Added link to the bugtracker in the timeline

CVE-2023-38994: Simple yet effective. The story of some simple bugs that led to the complete compromise of a network

Small and midsize businesses face the same cyberattacks as enterprises, but with fewer resources. Here's how to protect a company that has leaner means.

Small and midsize businesses (SMBs) are not immune to cyberattacks, yet they struggle with an evolving threat landscape and knowing how to best manage risk.

During the "Cybersecurity for SMBs Roundtable: Navigating Complexity and Building Resilience" earlier this month, Sage brought together a group of CISOs and other cybersecurity professionals from small businesses, government agencies, and nonprofit organizations to discuss some of the biggest concerns facing SMBs and their ability to secure their company assets. Among the top challenges for SMBs and nonprofit organizations are:

*   **The human factor.** Employees continue to make mistakes, such as clicking on links in phishing emails or allowing unprotected access to their devices, that put company networks at risk.
*   **Third-party compliance needs.** Partner organizations, contractors, vendors, and other third-party entities require SMBs to meet their cybersecurity requirements, especially those organizations, like financial institutions, that are highly regulated.
*   **Data privacy laws across states and countries.** Not meeting those compliance requirements could result in sanctions and fines.
*   **The hybrid workforce.** SMBs no longer have the same levels of oversight of devices and online behaviors when employees are working remotely, even part of the time.
*   **Targeted platforms and industries.** Threat actors look for organizations that use applications designed to raise money or collect large amounts of personal information.
*   **Changing threat landscape.** New attack vectors, new malware, and new threat actors seem to emerge every day.

Nearly half of SMBs have experienced a cybersecurity incident in the past year, according to a new study from Sage. While 69% of respondents worldwide say that cybersecurity is part of their company culture, nearly the same number don't consider it until there's an incident — only 4 in 10 respondents say their company regularly discusses cybersecurity.

**Cybersecurity Doesn't Have to Be Expensive**

After an attack, it's too late to start discussions about how to protect the network and company, but many SMBs don't have the right systems in place. According to Sage's research, for example, 46% of SMBs don't use firewalls and 19% rely only on very basic tools.

Yes, cybersecurity can be expensive. Enterprise companies can have upward of 100 security tools in use. It doesn't have to be that complicated for SMBs, however, and some approaches can even be free or inexpensive.

Start by creating an insider risk program that oversees security policies across the company with an emphasis on employee behavior, recommended Shawnee Delaney, CEO at Vaillance Group, during the roundtable.

"It requires you to have the conversations, sometimes an uncomfortable conversation, because no one wants to think their own employees might do something malicious," Delaney said. "But the truth is, the vast majority \[of cyber incidents\] are unintentional."

Managing human employment life cycles is vital to an effective cybersecurity system. It begins during the interview and hiring process by making sure you have someone who is a good cultural fit and is willing to recognize how cybersecurity fits into the organizational structure, Delaney added. Once you have made a hire, follow onboarding processes that stress basic security hygiene, including least-privilege and as-needed access. And when the employee leaves, make sure offboarding processes disconnect access completely.

**Individualize Security Training**

Because of the human connection to cybersecurity, everyone in a smaller company, from the CEO on down, has to have a basic understanding of what threats look like. There are plenty of security awareness training options out there, but SMBs would be wise to avoid a one-size-fits-all option.

Training should be geared toward the individual workers based on criteria such as job function and generational gaps in tech savviness and interests. Older workers often have a different style of learning than younger employees, just as employees who work in more labor-intensive jobs may have a different relationship to technology than those who are attached to their devices all day. Not respecting those differences results in uneven training that could end up doing more harm than good.

**Make Cybersecurity a Business Issue**

There's a tendency, especially among SMBs, to think of cybersecurity as an IT problem for which all the knowledge lies in the tech space, according to Gustavo Zeidan, Sage's CISO.

A better approach is to think of cybersecurity as a business issue. Security culture is better driven from the top, Zeidan said during the roundtable, and management needs to be discussing cyber threats and how their businesses may be targeted.

"Business leaders acknowledge it's a problem, but they don't talk about it," Zeidan explained. The worst thing that can happen is to be unprepared for a security incident that disrupts business operations.

And when there is a cyber incident within the company, don't keep it hidden. The Federal Trade Commission (FTC) offers guidelines on who should be contacted, including law enforcement, customers, and vendors.

But don't stop there. Communicate with other businesses and discuss strategies to work through the incident. Share this information through industry-focused organizations or at local Chamber of Commerce meetings — wherever you have contact with other business leaders.

"If you have a breach, be open, be honest, and share your lessons learned with other businesses so practitioners can learn from that," said Delaney. "It doesn't matter if we're competitors. It's all national security when you boil it down."

**Know Where to Go for Help**

Every company, no matter its size, needs more cybersecurity expertise than it has. Regardless of how the SMB invests in security, the responsibility for cybersecurity needs to be spread across the company.

Resources are available to help guide SMBs in their security journey. The Cybersecurity and Infrastructure Security Agency (CISA), for example, offers an SMB cybersecurity guide that speaks specifically to the different security-related roles individuals play in a small business environment.

Partnerships with businesses of all types and sizes is core to CISA's mission, said roundtable panelist Lauren Boas Hayes, senior adviser for technology and innovation at CISA.

"The landscape is changing; there are new threats every day," Delaney added.

Practitioners and businesses might feel like they're playing whack-a-mole with their efforts to thwart these new threats, but the good news for SMBs is that mitigation techniques are out there. It's just a matter of finding the program that works best for the individual company.

SMBs Need to Balance Cybersecurity Needs and Resources

**PRESS RELEASE**

**MILPITAS, Calif.,Oct. 26, 2023/PRNewswire/ --** As Cybersecurity Awareness Month comes to a close, SonicWall today released the findings of its 2023 SonicWall Threat Mindset Survey which found that 55% of its customers are more concerned about cyberattacks in 2023, with the main threat being focused on digital attacks like ransomware and spear phishing.

"Understanding our partners and customers greatest concerns is at the heart of SonicWall's outside-in strategy," said SonicWall President and CEO Bob VanKirk. "Even further, it's taking that insight and acting upon it to provide key value-add products and services. The data from the 2023 SonicWall Threat Mindset Survey helps keep our finger on the pulse of what truly matters to our valued customers. As organizations around the globe struggle with economic declines and political strife, SonicWall remains committed to providing the latest in threat intelligence and cyber security solutions to help our partners and customers successfully navigate these rough waters."

SonicWall's proprietary threat mindset survey uncovered additional findings:

*   **Continued concerns about intensifying cyberattacks**: There is growing concern regarding cyberattacks amongst 54% of professionals surveyed; ransomware leads the distress as 83% of all customers cited it as their biggest concern. 94% of respondents are equally or more concerned about overall attacks in 2023. Phishing and spear-phishing (76%), as well as encrypted malware (64%), comprised the top three concerns.
*   **Organizations slow to patch**: Despite rising cyberattack concerns, 78% of organizations don't patch critical vulnerabilities within 24 hours of patch availability; another 13% only apply critical patches when time allows.
*   **Increased fear around insider threats:** Insider threat incidents have continued to increase and 49% of IT professionals cited it as a growing worry. The larger the organization, the more potential insider threat incidents exist. Critical business information and sensitive data can be found in employees' emails – and IT professionals feel the concern.
*   **Now Hiring: cybersecurity professionals needed:** 41% of respondents described their IT/ cybersecurity personnel as inadequate. With the cyberattack landscape becoming savvier with stronger capabilities of pulling off attacks, organizations must prioritize protection and hiring individuals who have the knowledge and skills to best position their company to not fall victim to these ongoing cyberattacks.

Companies are not only losing millions of dollars to unending malware and ransomware strikes but cyberattacks on essential infrastructure are impacting real-world services. Despite the growing concern of cyberattacks, organizations are struggling to keep pace with the fast-moving threat landscape as they orient their business, networks, data and employees against never-ending cyberattacks.

"The evolving cyber threat landscape is the new normal," said EIS Management CIO Jeff Falk. "The labor diverted from business initiatives to cybersecurity concerns swells year-over-year, which demands I spend more of my time managing the business' security needs, having an impact on business operations."

In an effort to promote cybersecurity attentiveness, SonicWall supports Cybersecurity Awareness Month in October with an added emphasis on a new enduring cybersecurity awareness program, Secure Our World. Secure Our World reflects a new enduring message to be integrated across the Cybersecurity and Infrastructure Security Agency's (CISA) awareness campaigns and programs and encourages all of us to take action each day to protect ourselves when online or using connected devices.

**Methodology**

SonicWall surveyed approximately 10,000 customers from around the globe. Questions were optional and some were open-ended, while others were multiple choice.

**About SonicWall**

SonicWall, a partner-first business, has been an unquestioned leader in the cybersecurity for more than 30 years. SonicWall defends organizations mobilizing for their new business normal with seamless protection that stops the most evasive cyberattacks across endless exposure points and increasingly remote, mobile and cloud-enabled workforces. By knowing the unknown, providing real-time visibility and enabling breakthrough economics, SonicWall closes the cybersecurity business gap for enterprises, governments and SMBs worldwide. For more information, visit www.sonicwall.com or follow us on Twitter, LinkedIn, Facebook and Instagram.

SOURCE SONICWALL INC

SonicWall Data Confirms That Ransomware Is Still the Enterprise's Biggest Fear

Incorrect LDAP ACLs in ucs-school-ldap-acls-master in UCS@school before 4.4v5-errata allow remote teachers, staff, and school administrators to read LDAP password hashes (sambaNTPassword, krb5Key, sambaPasswordHistory, and pwhistory) via LDAP search requests. For example, a teacher can gain administrator access via an NTLM hash.

'50669?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2020-17477: Invalid Bug ID

Sophisticated Windows and Linux malware for stealing data and conducting cyber espionage has flown under the radar, disguised as a cryptominer.

Malware thought to be a mere cryptominer was actually a sophisticated spy platform for both Windows and Linux systems; it already has infected more than 1 million victims.

StripedFly was classified and widely dismissed as a largely ineffective malware for mining crypto when it was first detected in 2017. But since then, it has actually been operating as an intricate piece of modular malware that allows attackers to achieve persistence on networks and comprehensive visibility into their activity, as well as exfiltrate credentials and other data at will, researchers from Kaspersky revealed in a blog post published Oct. 26.

While StripedFly can indeed mine Monero cryptocurrency, that's just the tip of the iceberg for its capabilities — something the researchers discovered last year and investigated thoroughly before releasing their findings publicly.

"What we discovered was completely unexpected; the cryptocurrency miner was just one component of a much larger entity," Kaspersky researchers Sergey Belov, Vilen Kamalov, and Sergey Lozhkin wrote in the post.

Overall, the platform appears to be "a hallmark of APT malware" that includes a built-in Tor network tunnel for communication with command-and-control (C2) servers, along with update and delivery functionality through trusted services such as GitLab, GitHub, and Bitbucket, all using custom encrypted archives, they revealed.

Moreover, StripedFly appears to have already infected more than 1 million systems based on updates the researchers obtained from a Bitbucket repository associated with the malware and created on June 21, 2018, under the account of someone using the name Julie Heilman.

The researchers said the discovery of the breadth of StripedFly is "astonishing," especially given that it has successfully evaded detection for some six years.

**Breaking Down StripedFly**

The core structure of the malware is as a monolithic binary executable code that supports various pluggable modules so attackers can extend or update its functionality. Each module — which either is there to provide a service or extended functionality — is responsible for implementing and managing its own callback function for communication with a C2 server.

The platform first manifests itself on a network as a PowerShell that appears to use as its initial entry mechanism a server message block (SMB) exploit that appears to be a custom version of EternalBlue, which was leaked in April 2017 and continues to threaten unpatched Windows servers.

StripedFly uses various methods for persistence depending on the availability of the PowerShell interpreter and the privileges granted to the process. "Typically, the malware would be running with administrative privileges when installed via the exploit, and with user-level privileges when delivered via the Cygwin SSH server," the researchers wrote.

In terms of its modules, the malware has three to perform specific services related to its functionality, and six that actually execute that functionality. The service modules are for configuration storage, upgrading and uninstalling the malware, and reverse proxy.

The functionality modules are varied and comprehensive to provide attackers with a laundry list of capabilities, allowing them to consistently spy on the activities of a victim's network. In addition to the aforementioned Monero cryptominer, the modules are: a miscellaneous command handler; credential harvester, repeatable tasks that can take screenshots, record microphone input, and perform other tasks on a scheduled basis; a reconnaissance module that compiles extensive system information; SMBv1 and SSH infectors for penetration and worming capabilities.

The researchers also discovered a related ransomware variant called ThunderCrypt that shares the same underlying codebase and communicates with the same C2 server as StripedFly.

**Unsolved Mysteries**

The blog post includes numerous indicators of compromise and other websites and relevant data related to StripedFly to help organizations identify if they've been infected.

In the meantime, numerous questions still hover around StripedFly, including the true motive of its perpetrators — a question further muddled by the existence of a related ransomware component.

"While ThunderCrypt ransomware suggests a commercial motive for its authors, it raises the question of why they didn’t opt for the potentially more lucrative path instead," the researchers wrote.

It's also still unclear if StripedFly is still active, since at the time of writing, the researchers observed only eight updates for Windows systems and four for Linux systems in the Bitbucket repository. This could indicate that "either there are minimal active infections," or that all the victims already infected by StripedFly are still actively communicating with its C2, they noted.

"Only those who crafted this enigmatic malware hold the answer," the researchers acknowledged. "It's difficult to accept the notion that such sophisticated and professionally designed malware would serve such a trivial purpose, given all the evidence to the contrary."

Complex Spy Platform StripedFly Bites 1M Victims

A heap-based Buffer Overflow flaw was discovered in Samba. It could allow a remote, authenticated attacker to exploit this vulnerability to cause a denial of service.

**Red Hat Product Security Center**

Engage with our Red Hat Product Security team, access security updates, and ensure your environments are not exposed to any known security vulnerabilities.

Product Security Center

Tag

#samba