CyberSecurity News Byte

Hosted ByJim Guckin

Welcome to CyberSecurity News Byte with Jim Guckin, your one-stop resource for the latest cybersecurity news, updates, and discussions. Our podcast is a vital tool for CyberSecurity and IT professionals, as well as technology leaders, who need to stay on top of the ever-evolving digital landscape.

Website Subscribe

Episode 17: May 09 2022

May 9, 2022 Jim Guckin CyberSecurity News Byte Weekly 23:0033.39M Comments Off on Episode 17: May 09 2022

Researchers Develop Exploit for the Latest F5 BIG-IP Vulnerability, USB-based Wormable Malware Targets Windows Installer, Attackers Use Event Logs to Hide Fileless Malware, Unpatched DNS Bug Puts Millions of Routers, IoT Devices at Risk

Bullet points of key topics + chapter markers
[00:32] Researchers Develop Exploit for the Latest F5 BIG-IP Vulnerability
[04:11] USB-based Wormable Malware Targets Windows Installer
[10:25] Attackers Use Event Logs to Hide Fileless Malware
[17:26] Unpatched DNS Bug Puts Millions of Routers, IoT Devices at Risk

LINKS

https://thehackernews.com/2022/05/researchers-develop-rce-exploit-for.html

https://threatpost.com/usb-malware-targets-windows-installer/179521/

https://threatpost.com/attackers-use-event-logs-to-hide-fileless-malware/179484/

https://threatpost.com/dns-bug-millions-routers-iot-risk/179478/

NOTES

Researchers Develop Exploit for the Latest F5 BIG-IP Vulnerability

  • CVE-2022-1388 (CVSS score: 9.8)
    • relates to an iControl REST authentication bypass
    • successfully exploited
      • leads to an opportunity for remote code execution
      • allowing an attacker to gain initial access and take control of an affected system.
        • deploying cryptocurrency miners
        • dropping web shells
  • impacted versions of BIG-IP products
    • 16.1.0 – 16.1.2
    • 15.1.0 – 15.1.5
    • 14.1.0 – 14.1.4
    • 13.1.0 – 13.1.4
      • Danger
        • 12.1.0 – 12.1.6
        • 11.6.1 – 11.6.5
          • will not receive security updates
          • should consider upgrading to a newer version or apply the workarounds
            • Block iControl REST access through the self IP address
            • Block iControl REST access through the management interface, and
            • Modify the BIG-IP httpd configuration
  • Security researcher Kevin Beaumont has warned of active exploitation attempts detected in the wild, while simultaneously alerting the availability of a public proof-of-concept (PoC) for the code execution flaw.

USB-based Wormable Malware Targets Windows Installer

  • Wormable malware dubbed Raspberry Robin
    • active since September
    • but most activity seen since January
    • uses USB drives to get onto Windows machines
      • then uses Microsoft Standard Installer
      • legitimate processes to install malicious files
  • Attack
    • The worm appears as a shortcut LNK file masquerading as a legitimate folder on the infected USB device
    • The worm updates the UserAssist registry entry and records the execution of a ROT13-ciphered value referencing an LNK file when deciphered
      • Example: researchers observed the value q:\CSNB.yax being deciphered to d:\recovery.lnk
    • It uses cmd.exe to read and execute a file stored on the infected external drive
    • cmd.exe typically launches explorer.exe and msiexec.exe
      • extensively uses mixed-case letters in its commands,” most likely to avoid detection
    • msiexec.exe , to attempt external network communication to a malicious domain for command and control purposes
      • launch a legitimate Windows utility, fodhelper.exe, which in turn spawns rundll32.exe to execute a malicious command
      • elevated administrative privileges without requiring a User Account Control prompt
    • Once the worm spreads via a USB drive to someone’s machine
      • msiexec.exe to call out to its infrastructure
        • often comprised of QNAP devices
        • uses HTTP requests that contain a victim’s user and device names
        • use TOR exit nodes as additional command and control (C&C) infrastructure
      • Eventually installs malicious dynamic link library (DLL) files found on the infected USB.
    • Researchers have not yet figured out how or where Raspberry Robin infects external drives
    • They also don’t know why Raspberry Robin installs a malicious DLL
      • believe it may be to attempt to establish persistence on an infected system
        • though there is not enough evidence to make this conclusive
    • Unknown Threat Actor Group

Attackers Use Event Logs to Hide Fileless Malware

  • malicious campaign utilizing a never-before-seen technique for quietly planting fileless malware on target machines
    • technique involves injecting shellcode directly into Windows event logs
      • allows adversaries to use the Windows event logs as a cover for malicious late stage trojans
    • attackers use
      • a series of injection tools and anti-detection techniques to deliver the malware payload.
      • At least two commercial products
      • plus several types of last-stage RAT and anti-detection wrappers
      • advanced tactics
    • the most innovative part of this campaign
  • First seen in February
    • Activity has been increasing during the last month.
    • Unattributed currently
    • New code not seen before
  • Attack Method
    • drive targets to a legitimate website
      • enticing the target to download a compressed .RAR file
        • boobytrapped with Cobalt Strike and SilentBreak
          • vehicle for delivering shellcode
          • separate anti-detection AES decryptors
        • the digital certificate for the Cobalt Strike module varies.
          • 15 different stagers from wrappers to last stagers were signed
    • Next leverage Cobalt Strike and SilentBreak
      • to “inject code into any process”
      • can inject additional modules into Windows system processes or trusted applications
      • Next layer of the infection chain decrypts, maps into memory, and launches the code
        • The ability to inject malware into the system’s memory classifies it as fileless
        • leaving behind no artifacts on the local hard drive, making it easy to sidestep traditional signature-based security and forensics tools
      • technique, where attackers hide their activities in a computer’s random-access memory and use native Windows tools such as PowerShell and Windows Management Instrumentation (WMI), isn’t new.
        • What is: is how the encrypted shellcode containing the malicious payload is embedded into Windows event logs. To avoid detection, the code “is divided into 8 KB blocks and saved in the binary part of event logs
      • drops wer.dll
        • is a loader
        • wouldn’t do any harm without the shellcode hidden in Windows event logs
      • The dropper searches the event logs for records
        • with category 0x4142 (“AB” in ASCII) and having the Key Management Service as a source.
        • If none is found, the 8KB chunks of shellcode are written into the information logging messages
    • Next, a launcher is dropped
      • into the Windows Tasks directory
      • a separate thread combines all the aforementioned 8KB pieces into a complete shellcode and runs it
      • Dropper modules also patch Windows native API functions
        • related to event tracing (ETW) and anti-malware scan interface (AMSI), to make the infection process stealthier.

Unpatched DNS Bug Puts Millions of Routers, IoT Devices at Risk

  • An unpatched Domain Name System (DNS) bug
    • Created in a popular standard C library
    • allow attackers to mount DNS poisoning attacks against millions of IoT devices and routers to potentially take control of them
    • all versions of uClibc and uClibc-ng, popular C standard libraries found in numerous IoT products
    • flaw is caused by the predictability of transaction IDs included in the DNS requests generated by the library
      • may allow attackers to perform DNS poisoning attacks against the target device
  • DNS poisoning attack
    • AKA DNS spoofing and DNS cache poisoning
    • deceives a DNS client into accepting a forged response
    • forces a program to perform network communications with an arbitrarily defined endpoint instead of the legitimate one
  • Numerous Affected Devices
    • Linksys, Netgear and Axis,
    • Linux distributions such as Embedded Gentoo
      • use uClibe
    • uClibc-ng
      • fork specifically designed for OpenWRT
      • common OS for routers deployed throughout various critical infrastructure sectors
  • successful DNS poisoning attack
    • they also can perform a subsequent man-in-the-middle attack
    • they can re-route network communications to a server under their control
  • The attacker could then steal and/or manipulate information transmitted by users and perform other attacks against those devices to completely compromise them

CyberSecurity News Byte is a weekly podcast, condensing the latest cybersecurity news, in an easily digestible format. News that you need to know to keep yourself and your organization safe from today’s threats.

Facebook Twitter Instagram

© 2021-2022 All Rights Reserved. Developed By Podcrease