CyberSecurity News Byte

Hosted By Jim Guckin

Welcome to CyberSecurity News Byte with Jim Guckin, your one-stop resource for the latest cybersecurity news, updates, and discussions. Our podcast is a vital tool for CyberSecurity and IT professionals, as well as technology leaders, who need to stay on top of the ever-evolving digital landscape.

Episode 17: May 09 2022

Researchers Develop Exploit for the Latest F5 BIG-IP Vulnerability, USB-based Wormable Malware Targets Windows Installer, Attackers Use Event Logs to Hide Fileless Malware, Unpatched DNS Bug Puts Millions of Routers, IoT Devices at Risk

Bullet points of key topics + chapter markers
[00:32] Researchers Develop Exploit for the Latest F5 BIG-IP Vulnerability
[04:11] USB-based Wormable Malware Targets Windows Installer
[10:25] Attackers Use Event Logs to Hide Fileless Malware
[17:26] Unpatched DNS Bug Puts Millions of Routers, IoT Devices at Risk



Researchers Develop Exploit for the Latest F5 BIG-IP Vulnerability

  • CVE-2022-1388 (CVSS score: 9.8)
    • relates to an iControl REST authentication bypass
    • if successfully exploited
      • leads to an opportunity for remote code execution
      • allowing an attacker to gain initial access and take control of an affected system, e.g. by
        • deploying cryptocurrency miners
        • dropping web shells
  • impacted versions of BIG-IP products
    • 16.1.0 – 16.1.2
    • 15.1.0 – 15.1.5
    • 14.1.0 – 14.1.4
    • 13.1.0 – 13.1.4
    • Danger
      • 12.1.0 – 12.1.6
      • 11.6.1 – 11.6.5
      • these two branches will not receive security updates
      • should consider upgrading to a newer version or apply the workarounds
        • Block iControl REST access through the self IP address
        • Block iControl REST access through the management interface, and
        • Modify the BIG-IP httpd configuration
  • Security researcher Kevin Beaumont has warned of active exploitation attempts detected in the wild, while simultaneously alerting to the availability of a public proof-of-concept (PoC) for the code execution flaw.

USB-based Wormable Malware Targets Windows Installer

  • Wormable malware dubbed Raspberry Robin
    • active since September
    • but most activity seen since January
    • uses USB drives to get onto Windows machines
      • then uses the Microsoft Standard Installer (msiexec.exe) and other legitimate processes to install malicious files
  • Attack
    • The worm appears as a shortcut LNK file masquerading as a legitimate folder on the infected USB device
    • The worm updates the UserAssist registry entry and records the execution of a ROT13-ciphered value referencing an LNK file when deciphered
      • Example: researchers observed the value q:\CSNB.yax being deciphered to d:\recovery.lnk
    • It uses cmd.exe to read and execute a file stored on the infected external drive
    • cmd.exe typically launches explorer.exe and msiexec.exe
      • the worm extensively uses mixed-case letters in its commands, most likely to avoid detection
    • msiexec.exe attempts external network communication to a malicious domain for command and control purposes
      • it also launches a legitimate Windows utility, fodhelper.exe, which in turn spawns rundll32.exe to execute a malicious command
      • fodhelper.exe provides elevated administrative privileges without requiring a User Account Control prompt
    • Once the worm spreads via a USB drive to someone’s machine
      • it uses msiexec.exe to call out to its infrastructure
        • often comprised of QNAP devices
        • uses HTTP requests that contain a victim’s user and device names
        • uses TOR exit nodes as additional command and control (C&C) infrastructure
      • eventually installs malicious dynamic link library (DLL) files found on the infected USB.
    • Researchers have not yet figured out how or where Raspberry Robin infects external drives
    • They also don’t know why Raspberry Robin installs a malicious DLL
      • believe it may be to attempt to establish persistence on an infected system
        • though there is not enough evidence to make this conclusive
    • Unknown Threat Actor Group
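Two of the observables above lend themselves to a quick host-side check: the ROT13-obfuscated UserAssist entry that points at a .lnk on the USB drive, and the deliberately mixed-case command lines. The script below is an added example written for these show notes; it is not code from the episode or from the researchers who reported Raspberry Robin. The registry value names and command lines it runs against are constructed samples, the assumption that the system drive is C: is hard-coded, and the case-flip threshold is a heuristic, not a published detection rule.

```python
"""Detection helpers for the Raspberry Robin tradecraft described above.

Two checks:
  1. ROT13-decode UserAssist-style value names (Windows stores them ROT13-
     encoded) and flag decoded paths that are .lnk shortcuts on a drive
     other than the system drive, e.g. a removable USB device.
  2. Flag process command lines whose tokens are unusually mixed-case.
All registry entries and command lines below are constructed samples.
"""
import codecs
import re

# Constructed sample UserAssist value names (ROT13-obfuscated) -> run counts.
# None of these were taken from a real infected host.
SAMPLE_USERASSIST = {
    r"q:\erpbirel.yax": 3,                                    # -> d:\recovery.lnk
    r"{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\Rkpry.rkr": 12,  # -> {...}\Excel.exe
    r"p:\Hfref\nyvpr\Qbphzragf\abgrf.gkg": 1,                 # -> c:\Users\...\notes.txt
}

# Constructed sample process command lines: one normal, one case-mangled.
SAMPLE_CMDLINES = [
    "cmd.exe /c dir",
    "cMd.eXe /R sTaRt mSiExEc.eXe /q /i",
]

SYSTEM_DRIVES = ("c:",)  # assumption: Windows is installed on C:


def rot13(value: str) -> str:
    """Undo the ROT13 that Windows applies to UserAssist value names."""
    return codecs.decode(value, "rot_13")


def is_suspicious_lnk(decoded_path: str) -> bool:
    """A .lnk launched from a non-system drive letter is worth a look:
    the worm starts from a shortcut on the infected USB device."""
    lower = decoded_path.lower()
    drive = lower[:2]
    return (lower.endswith(".lnk")
            and re.fullmatch(r"[a-z]:", drive) is not None
            and drive not in SYSTEM_DRIVES)


def decode_userassist(entries: dict) -> list:
    """Return (decoded_name, run_count, suspicious) for every entry."""
    results = []
    for name, count in entries.items():
        decoded = rot13(name)
        results.append((decoded, count, is_suspicious_lnk(decoded)))
    return results


def suspicious_userassist(entries: dict = SAMPLE_USERASSIST) -> list:
    """Decoded names of the entries that trip the .lnk-on-foreign-drive check."""
    return [d for d, _, flagged in decode_userassist(entries) if flagged]


def mixed_case_ratio(token: str) -> float:
    """Fraction of adjacent letter pairs whose case flips. Ordinary names
    ('PowerShell', 'UserAssist') score around 0.3; 'mSiExEc' scores 0.8."""
    letters = [c for c in token if c.isalpha()]
    if len(letters) < 5:
        return 0.0
    flips = sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())
    return flips / (len(letters) - 1)


def flag_mixed_case(cmdline: str, threshold: float = 0.5) -> bool:
    """True when any whitespace-separated token looks deliberately case-mangled.
    Heuristic: expect occasional false positives on odd product names."""
    return any(mixed_case_ratio(tok) > threshold for tok in cmdline.split())


if __name__ == "__main__":
    for decoded, count, flagged in decode_userassist(SAMPLE_USERASSIST):
        print(f"{'!!' if flagged else '  '} {decoded} (runs={count})")
    for line in SAMPLE_CMDLINES:
        print(f"{'!!' if flag_mixed_case(line) else '  '} {line}")
```

On a real host the UserAssist value names would come from the per-user `NTUSER.DAT` hive or a registry export, and the command lines from process-creation telemetry; both checks are cheap enough to run over an entire fleet's data.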

Attackers Use Event Logs to Hide Fileless Malware

  • malicious campaign utilizing a never-before-seen technique for quietly planting fileless malware on target machines
    • technique involves injecting shellcode directly into Windows event logs
      • allows adversaries to use the Windows event logs as a cover for malicious late-stage trojans
      • the most innovative part of this campaign
    • attackers use
      • a series of injection tools and anti-detection techniques to deliver the malware payload
      • at least two commercial products
      • plus several types of last-stage RAT and anti-detection wrappers
      • advanced tactics
  • First seen in February
    • Activity has been increasing during the last month.
    • Unattributed currently
    • New code not seen before
  • Attack Method
    • drive targets to a legitimate website
      • enticing the target to download a compressed .RAR file
        • booby-trapped with Cobalt Strike and SilentBreak
          • vehicle for delivering shellcode
          • separate anti-detection AES decryptors
        • the digital certificate for the Cobalt Strike module varies.
          • 15 different stagers from wrappers to last stagers were signed
    • Next leverage Cobalt Strike and SilentBreak
      • to “inject code into any process”
      • can inject additional modules into Windows system processes or trusted applications
      • Next layer of the infection chain decrypts, maps into memory, and launches the code
        • The ability to inject malware into the system’s memory classifies it as fileless
        • leaving behind no artifacts on the local hard drive, making it easy to sidestep traditional signature-based security and forensics tools
      • the technique, where attackers hide their activities in a computer’s random-access memory and use native Windows tools such as PowerShell and Windows Management Instrumentation (WMI), isn’t new
        • what is new is how the encrypted shellcode containing the malicious payload is embedded into Windows event logs. To avoid detection, the code “is divided into 8 KB blocks and saved in the binary part of event logs”
      • drops wer.dll
        • is a loader
        • wouldn’t do any harm without the shellcode hidden in Windows event logs
      • The dropper searches the event logs for records
        • with category 0x4142 (“AB” in ASCII) and having the Key Management Service as a source.
        • If none is found, the 8 KB chunks of shellcode are written into the information logging messages
    • Next, a launcher is dropped
      • into the Windows Tasks directory
      • a separate thread combines all the aforementioned 8 KB pieces into a complete shellcode and runs it
      • Dropper modules also patch Windows native API functions
        • related to event tracing (ETW) and anti-malware scan interface (AMSI), to make the infection process stealthier.
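The dropper's own search criteria (category 0x4142 from the Key Management Service source, 8 KB binary chunks) double as a hunting rule for defenders. The script below is an added example for these show notes, not code from the episode or from the researchers who analysed the campaign. It assumes event records have already been exported into dicts with `record_id`, `provider`, `category`, `level` and `binary` keys (an assumed shape, chosen here for illustration); the five sample records are constructed and the "chunks" they carry are obviously non-executable filler.

```python
"""Hunt for payload chunks parked in Windows event log records.

Added example for the event-log hiding technique described above. It works
on already-exported records (assumed dict shape: record_id, provider,
category, level, binary); on a live host you would feed it the output of an
EVTX parser or Get-WinEvent instead.
"""
import hashlib

CHUNK_SIZE = 8 * 1024                 # the 8 KB block size described above
TARGET_CATEGORY = 0x4142              # "AB" in ASCII
TARGET_PROVIDER = "Key Management Service"


def filler(n: int) -> bytes:
    """Constructed, non-executable filler standing in for a payload chunk."""
    return (bytes(range(256)) * (n // 256 + 1))[:n]


# Constructed sample records: three carrier records holding 8 KB, 512 bytes
# and 8 KB (deliberately out of order), plus two benign records.
SAMPLE_RECORDS = [
    {"record_id": 1001, "provider": TARGET_PROVIDER, "category": TARGET_CATEGORY,
     "level": "Information", "binary": filler(CHUNK_SIZE)},
    {"record_id": 1003, "provider": TARGET_PROVIDER, "category": TARGET_CATEGORY,
     "level": "Information", "binary": filler(512)},
    {"record_id": 1002, "provider": TARGET_PROVIDER, "category": TARGET_CATEGORY,
     "level": "Information", "binary": filler(CHUNK_SIZE)},
    {"record_id": 1004, "provider": "Microsoft-Windows-Security-SPP", "category": 0,
     "level": "Information", "binary": b""},
    {"record_id": 1005, "provider": TARGET_PROVIDER, "category": 7,
     "level": "Information", "binary": b"\x01\x02"},
]


def is_carrier(record: dict) -> bool:
    """Match the dropper's marker: category 0x4142 from the KMS source with a
    non-empty binary section. Benign KMS events use other categories."""
    return (record.get("category") == TARGET_CATEGORY
            and record.get("provider") == TARGET_PROVIDER
            and len(record.get("binary", b"")) > 0)


def find_carriers(records: list) -> list:
    """Carrier records in record-id order, the order a launcher would read them."""
    return sorted((r for r in records if is_carrier(r)), key=lambda r: r["record_id"])


def looks_chunked(carriers: list) -> bool:
    """True when every chunk but the last is exactly 8 KB and the last is no
    larger, i.e. one blob was split at fixed 8 KB boundaries."""
    if not carriers:
        return False
    sizes = [len(r["binary"]) for r in carriers]
    return all(s == CHUNK_SIZE for s in sizes[:-1]) and 0 < sizes[-1] <= CHUNK_SIZE


def extract_blob(carriers: list) -> bytes:
    """Reassemble the embedded bytes for hashing and offline analysis only."""
    return b"".join(r["binary"] for r in carriers)


def report(records: list = SAMPLE_RECORDS) -> dict:
    """Summary an analyst can triage: chunk count, size, ordering, and a hash
    to compare against other hosts or submit for analysis."""
    carriers = find_carriers(records)
    blob = extract_blob(carriers)
    return {
        "chunks": len(carriers),
        "bytes": len(blob),
        "chunked_as_8k": looks_chunked(carriers),
        "record_ids": [r["record_id"] for r in carriers],
        "sha256": hashlib.sha256(blob).hexdigest(),
    }


if __name__ == "__main__":
    print(report())
```

On a Windows host the equivalent records can be pulled with `Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='Key Management Service'}` and filtered on the event's task/category value (0x4142 is 16706 decimal) before being handed to `report`; the point of the hash is that the same blob turning up on several machines is a strong campaign indicator even when the file-system shows nothing.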

Unpatched DNS Bug Puts Millions of Routers, IoT Devices at Risk

  • An unpatched Domain Name System (DNS) bug
    • present in a popular standard C library
    • could allow attackers to mount DNS poisoning attacks against millions of IoT devices and routers to potentially take control of them
    • affects all versions of uClibc and uClibc-ng, popular C standard libraries found in numerous IoT products
    • the flaw is caused by the predictability of transaction IDs included in the DNS requests generated by the library
      • may allow attackers to perform DNS poisoning attacks against the target device
  • DNS poisoning attack
    • AKA DNS spoofing and DNS cache poisoning
    • deceives a DNS client into accepting a forged response
    • forces a program to perform network communications with an arbitrarily defined endpoint instead of the legitimate one
  • Numerous Affected Devices
    • Linksys, Netgear and Axis
    • Linux distributions such as Embedded Gentoo
      • use uClibc
    • uClibc-ng
      • fork specifically designed for OpenWRT
      • common OS for routers deployed throughout various critical infrastructure sectors
  • after a successful DNS poisoning attack
    • attackers can also perform a subsequent man-in-the-middle attack
    • they can re-route network communications to a server under their control
  • The attacker could then steal and/or manipulate information transmitted by users and perform other attacks against those devices to completely compromise them
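The transaction ID is the client's main defence against a forged response, so its unpredictability is something you can measure from the outside: capture a device's outbound queries and look at the IDs. The script below is an added example for these show notes, not code from the episode or from the uClibc project. It assesses a sequence of observed IDs for the two cheapest signs of trouble (a constant stride, i.e. a counter, and heavy repetition, i.e. a tiny pool) and shows what a correct generator looks like. Both ID sequences it ships with are constructed, not captures from a real device, and the 0.8 / 0.5 thresholds are illustrative choices.

```python
"""Assess DNS transaction IDs for predictability; show a correct generator.

Added example for the uClibc issue described above; not code from the
episode or from the library. The two ID sequences are constructed.
"""
import secrets
from collections import Counter

ID_SPACE = 0x10000            # DNS transaction IDs are 16-bit

# Constructed: a client that just increments the ID for every query.
SEQUENTIAL_IDS = [(0x2FF0 + i) % ID_SPACE for i in range(12)]
# Constructed: a client drawing IDs from a CSPRNG (values picked by hand).
RANDOM_IDS = [0x1A2B, 0xE4F1, 0x0C3D, 0x9B77, 0x5E02, 0xC8A9,
              0x3F60, 0x7D15, 0xA0CE, 0x2B84, 0xF311, 0x6497]


def stride_histogram(ids: list) -> Counter:
    """Histogram of successive differences, modulo 2^16 so a wraparound from
    0xFFFF to 0x0000 still counts as a stride of 1."""
    return Counter((b - a) % ID_SPACE for a, b in zip(ids, ids[1:]))


def assess_txids(ids: list, min_samples: int = 8) -> dict:
    """Two cheap tests: a dominant constant stride (counter-style IDs) or
    heavy repetition (tiny ID pool). Either lets a spoofed response carry the
    right ID, which is exactly the weakness the poisoning attack relies on."""
    if len(ids) < min_samples:
        return {"verdict": "insufficient", "samples": len(ids)}
    strides = stride_histogram(ids)
    stride, count = strides.most_common(1)[0]
    dominant_share = count / (len(ids) - 1)
    unique_share = len(set(ids)) / len(ids)
    predictable = dominant_share >= 0.8 or unique_share < 0.5
    return {
        "verdict": "predictable" if predictable else "unpredictable",
        "samples": len(ids),
        "dominant_stride": stride,
        "dominant_share": round(dominant_share, 2),
        "unique_share": round(unique_share, 2),
    }


def secure_txid() -> int:
    """The client-side fix: an ID from the OS CSPRNG over the full 16-bit
    space, not a counter and not a seeded libc rand()."""
    return secrets.randbelow(ID_SPACE)


def secure_txid_sample(n: int = 64) -> list:
    """A batch of IDs from secure_txid(), to run through the same assessment."""
    return [secure_txid() for _ in range(n)]


if __name__ == "__main__":
    for name, ids in (("sequential", SEQUENTIAL_IDS),
                      ("random", RANDOM_IDS),
                      ("secure_txid()", secure_txid_sample())):
        print(f"{name:14s} {assess_txids(ids)}")
```

The assessment only tells you whether a device's resolver is exposed; the fix has to land in the library on the device, and until a vendor ships it the standard defence in depth is to ensure source-port randomisation on the path (RFC 5452) and to keep IoT segments behind a resolver you control.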