CyberSecurity News Byte – Weekly

Hosted ByJim Guckin

A new podcast has taken possession of my entire soul, like these sweet mornings of spring which I enjoy with my whole heart with souls like mine.

Episode 23: June 20 2022

Bullet points of key topics + chapter markers
[00:28] Flaws Found in Siemens’ Industrial Network Management System
[07:12] Researchers Uncover ‘Hermit’ Android Spyware
[15:21] Facebook Messenger Scam Duped Millions
[21:01] Linux Malware Deemed ‘Nearly Impossible’ to Detect


Flaws Found in Siemens’ Industrial Network Management System

  • Cybersecurity researchers have disclosed details about 15 security flaws in Siemens SINEC network management system (NMS)
    • SINEC is in a powerful central position within the network topology because it requires access to the credentials and cryptographic keys
      • Because it manages devices on the network
    • could be chained by an attacker to achieve remote code execution
    • pose several risks to Siemens devices on the network
      • denial-of-service attacks
      • credential leaks
      • remote code execution
        • with System Privileges
  • tracked from CVE-2021-33722 through CVE-2021-33736
    • addressed in version V1.0 SP2 Update 1
      • October 12, 2021.
  • Key one CVE-2021-33723 (CVSS score: 8.8)
    • which allows for privilege escalation to an administrator account
      • combined with CVE-2021-33722 (CVSS score: 7.2)
        • a path traversal flaw
      • to execute arbitrary code remotely
  • notable CVE-2021-33729, CVSS score: 8.8
    • a case of SQL injection
    • that could be exploited by an authenticated attacker to execute arbitrary commands in the local database.
  • attacker’s perspective
    • they have legitimate credentials and network tools they can abuse to carry out malicious activity, access to, and control
    • give the ability to do reconnaissance, lateral movement, and privilege escalation

Researchers Uncover ‘Hermit’ Android Spyware

  • An enterprise-grade surveillanceware dubbed Hermit
    • has seen increased use by entities operating from within Kazakhstan, Syria, and Italy over
      • since 2019, new research has revealed.
      • target both Android and iOS
    • engineered to abuse its permissions to accessibility services and other core components of the operating system (i.e., contacts, camera, calendar, clipboard, etc.) for most of its malicious activities.
  • Hermit is modular
    • capabilities that allow it to
      • exploit a rooted device
      • record audio
      • make and redirect phone calls
      • collect data
        • call logs
        • contacts
        • photos
        • device location
        • SMS messages
  • distributed via SMS messages
    • trick users into installing apps
      • from Samsung, Vivo, and Oppo
      • which, when opened loads a website from the impersonated company while stealthily working in the background.

Facebook Messenger Scam Duped Millions

  • phishing messages sent via Facebook Messenger
    • estimated to have tricked 10 million Facebook users and counting.
    • a scam that cons users into handing over their account credentials.
  • still active
    • push victims to a fake Facebook login page
    • where victims are enticed to submit their Facebook credentials.
    • the campaign began last year and ramped up in September.
  • Researchers PIXM Security
    • tied to a single person located in Colombia.
      • a single individual is because each message links back to code “signed” with a reference to a personal website.
      • Researchers state the individual went so far as to respond to researcher inquiries.
        • claimed to make $150 for every thousand visits
        • PIXM put this threat actor’s projected revenue at $59M from Q4 2021 to the present.
    • able to access the hacker’s own pages for tracking the campaigns. The data indicated that nearly 2.8 million people fell for the scam in 2021 and 8.5 million have so far this year.
  • How the Scam Worked
    • centers around a fake Facebook login page.
      • copies Facebook’s user interface closely.
    • victim enters their credentials and clicks “Log In,”
      • those credentials are sent to the attacker’s server.
        • the threat actor would login to that account and send the link to the user’s Friends via Facebook Messenger.”
    • victims are redirected to pages with advertisements
      • which also included surveys
        • generate referral revenue for the attacker
  • The Scam Bypassed Security
    • managed to circumvent the social media platform’s security checks by utilizing a technique that Facebook didn’t catch
    • victim clicks on a malicious link in Messenger
      • the browser initiates a chain of redirects.
      • The first redirect points to a legitimate “app deployment” service.
      • Then they will be redirected to the actual phishing page.
      • To Facebook, it’s a link generated using a legitimate service that Facebook could not outright block without blocking legitimate apps and links as well.
        • Even if Facebook caught on to and blocked any one of these illegitimate domains, it was trivial to spin up a new link using the same service, with a new unique ID.

Linux Malware Deemed ‘Nearly Impossible’ to Detect

  • Symbiote
    • new Linux malware that’s “nearly impossible to detect”
    • target the financial sector in Latin America
    • can harvest credentials
    • gives attackers remote access
    • rootkit functionality
  • Researchers from The BlackBerry Research and Intelligence Team
    • the earliest detection of which is from November 2021
  • “What makes Symbiote different
    • it needs to infect other running processes to inflict damage
    • Instead of being a standalone executable file that is run to infect a machine, it is a shared object (SO) library that is loaded into all running processes using LD_PRELOAD (T1574.006), and parasitically infects the machine
    • Once it has infected all the running processes
      • a threat actor can engage in various nefarious activities, including rootkit functionality, the ability to harvest credentials, and remote access capability
      • the malware also provides a backdoor for the threat actor to log in as any user on the machine with a hardcoded password, and to execute commands with the highest privileges
  • Evasive Maneuvers
    • It’s also highly evasive to such a degree that it’s likely to fly under the radar
      • it is loaded by the linker via the LD_PRELOAD directive
        • allows it to be loaded before any other shared objects
        • being loaded first allows it to hijack the imports from the other library files loaded for the application,
        • this way, it hides its presence on the machine by hooking libc and libpcap functions
    • making it extremely difficult to know if it’s even being used by threat actors at all
    • it hides itself and any other malware used by the threat actor
    • Performing live forensics on an infected machine may not turn anything up since all the file, processes, and network artifacts are hidden by the malware.”
  • Unusual DNS requests
    • maybe one way to detect if the malware is present on a system
    • antivirus or other security tools aimed at endpoint detection and response won’t pick up
  • Objectives
    • key objectives are to capture credentials and to facilitate backdoor access to infected machines
    • For credential harvesting
      • if an ssh or SCP process is calling
        • the function, it captures the credentials, which are first encrypted with RC4 using an embedded key and then written to a file
    • Attackers not only steal the credentials locally for access but also exfiltrate them by hex encoding and chunking up the data to be sent via DNS address record requests to a domain name that they control
  • Malicious actors gain remote access to an infected machine
    • the malware hooks a few Linux Pluggable Authentication Module (PAM) functions, which allows it to authenticate to the machine with any service that uses PAM
      • including remote services such as Secure Shell (SSH)
      • When a service tries to use PAM to authenticate a user, the malware checks the provided password against a hardcoded password,
      • If the password provided is a match, the hooked function returns a success response.”
      • Once the threat actor has accomplished authentication, Symbiote allows for an attacker to gain root privileges by scanning the environment for the variable HTTP_SETTHIS variable is set with content, the malware changes the effective user and group ID to the root user, and then clears the variable before executing the content via the system command

Leave a Reply

Your email address will not be published. Required fields are marked *