Security researchers from Wiz have discovered two easily exploitable vulnerabilities in a module of the Linux distribution Ubuntu, which facilitates the use of the OverlayFS filesystem. According to a blog post they published yesterday, these vulnerabilities allow unprivileged attackers to escalate their privileges on about 40% of all Ubuntu systems. “The affected Ubuntu versions are widely used in the cloud, serving as default operating systems for several CSPs,” the Wiz researchers warn.

Old exploits work without any modifications The vulnerabilities, registered as CVE-2023-32629 and CVE-2023-2640, are reportedly due to changes made by Ubuntu to the OverlayFS module in 2018, which were not considered critical at that time. “However, in 2019 and 2022, the Linux Kernel Project made its own changes to the module, which contradicted Ubuntu’s earlier modifications,” the researchers explain. The incorporation of this new source code by the Ubuntu developers subsequently led to the mentioned vulnerabilities, which only affect Ubuntu systems.

Moreover, the researchers state that there are already publicly available exploits that attackers can use to exploit these vulnerabilities. This is partly because old exploits for previous OverlayFS vulnerabilities work without any adjustments. In the past, OverlayFS has proven to be an attractive target for local privilege escalation due to numerous logical and easily exploitable vulnerabilities.

Patches are already available Canonical, the Ubuntu developer, also states in a security notice regarding both vulnerabilities that the OverlayFS implementation in the Ubuntu Linux kernel “does not properly conduct permission checks in certain situations,” enabling attackers to gain elevated rights. Patches are already available. It is now up to the respective administrators to update their kernel modules, for example, through a package manager. A reboot is required after the update for the changes to take effect.

Saeed Abbasi, a leading expert in vulnerability research at Qualys, highlighted in a recent analysis that this flaw could have allowed attackers to execute arbitrary commands on systems with vulnerable versions of OpenSSH’s ssh-agent forwarding feature.

The issue has been designated as CVE-2023-38408, though its CVSS score is currently not available. It affects all OpenSSH versions prior to 9.3p2.

Widely used for secure remote logins via the SSH protocol, OpenSSH ensures traffic encryption to prevent eavesdropping, hijacking, and similar threats.

Exploiting this vulnerability would require specific libraries on the target system and the forwarding of the SSH authentication agent to a system under the attacker’s control. The SSH agent, typically running in the background, keeps user keys in memory, aiding in remote server logins without repeated passphrase entries.

Qualys discovered that an attacker with access to a server where a user’s ssh-agent is forwarded could exploit the vulnerability. They could load and unload any shared library in the user’s /usr/lib* directory via the forwarded ssh-agent, assuming it’s compiled with ENABLE_PKCS11, which is typically the default setting.

The cybersecurity firm successfully demonstrated a proof-of-concept attack against default installations of Ubuntu Desktop 22.04 and 21.10, with indications that other Linux distributions could be similarly vulnerable.

Users are urged to update to the latest OpenSSH version to protect against such cyber threats.

Earlier in February, OpenSSH maintainers addressed a medium-severity flaw (CVE-2023-25136, CVSS score: 6.5) that could have allowed an unauthenticated remote attacker to modify memory locations unexpectedly, potentially leading to code execution.

A subsequent March update resolved another issue that could be exploited through a specially crafted DNS response, causing an out-of-bounds stack data read and potentially leading to a denial-of-service for the SSH client.

These weaknesses could be used for persistent firmware implants that remain unaffected by operating system reinstalls or hard drive replacements, damage motherboard components, induce overvolting attacks causing physical harm, or trigger continuous reboot loops. The Eclypsium researchers, Vlad Babkin and Scott Scheferman, emphasize that such attacks focus on lower-level embedded code, making detection difficult and remediation complex.

The findings are based on an analysis of the AMI firmware leaked during a ransomware attack on GIGABYTE in August 2021 by the RansomExx group. The vulnerabilities add to a series of bugs in AMI MegaRAC BMCs, collectively known as BMC&C. Some were previously disclosed in December 2022 and January 2023.

The new flaws include CVE-2023-34329, with a CVSS score of 9.1, allowing authentication bypass via HTTP header spoofing, and CVE-2023-34330, with a CVSS score of 8.2, enabling code injection via a dynamic Redfish extension interface. When combined, these bugs carry a severity score of 10.0, granting adversaries the ability to bypass Redfish authentication and execute arbitrary code on the BMC chip with the highest privileges.

These vulnerabilities pose significant risks to the technology supply chain and cloud computing. The widespread presence of MegaRAC BMC in devices from major vendors makes it a tempting target for attackers aiming to control all aspects of a targeted system. This threat extends to servers and hardware owned by organizations and those supporting cloud services they use.

These researchers utilized the fact that Citrix removed version information hashes in recent software updates to identify vulnerable servers. Instances still providing version hashes were deemed outdated and potentially at risk. Initially, they marked 11,170 susceptible servers. However, their method underestimated the number, as some older Citrix instances without version hashes were also vulnerable. The researchers later refined their approach, flagging all IPs showing ‘Last-Modified’ headers dated before July 1, 2023, as vulnerable, revealing at least 15,000 vulnerable Citrix servers.

This situation gained further gravity as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) included CVE-2023-3519 in its catalog of known and actively exploited vulnerabilities after an incident involving a critical U.S. infrastructure organization, where attackers exploited the flaw to create a webshell on a Netscaler ADC appliance. This allowed them to steal data from the target system’s Active Directory.

Citrix has been urging administrators to apply patches released since July 18, addressing CVE-2023-3519 and two other dangerous vulnerabilities (CVE-2023-3466 and CVE-2023-3467). The issue became more pressing with evidence of cybercriminals actively exploiting CVE-2023-3519 since early July.

The vulnerabilities affect various versions of NetScaler ADC and NetScaler Gateway, and Citrix has provided fixed product versions for them. Rapid7, a cybersecurity analysis firm, identified CVE-2023-3519 as a critical zero-day vulnerability, urging immediate updates due to its severe risk and popular exploitation among threat actors. The Shadowserver Foundation discovered over 15,000 vulnerable Citrix Netscaler ADC and Gateway servers worldwide, with the largest numbers in the U.S., Germany, the U.K., and Australia. This vulnerability, described as a straightforward unauthenticated stack overflow, is easily exploitable, making prompt patch application critical for security.

These applications include those that support personal account authentication, such as OneDrive, SharePoint, and Teams, as well as customer applications with the “Login with Microsoft” functionality and multi-tenant applications under certain conditions. Ami Luttwak, chief technology officer and co-founder of Wiz, emphasized the severity of this breach by stating that an attacker with an AAD signing key could access almost any application as any user, likening this capability to a ‘shape shifter’ superpower​​.

Microsoft disclosed that Storm-0558 exploited this token forging technique to extract unclassified data from victim mailboxes. However, the full extent of the cyber espionage campaign remains unclear. The company is still investigating how the adversary obtained the MSA consumer signing key and whether it functioned as a master key for accessing data from nearly two dozen organizations​​.

Further analysis by Wiz revealed that Microsoft replaced one of the listed public keys that had been in use since at least 2016, around the time it announced the revocation of the MSA key. This finding led to the belief that the compromised key, designed for Microsoft’s MSA tenant in Azure, could also sign OpenID v2.0 tokens for various types of Azure Active Directory applications. This breach suggested that Storm-0558 had access to one of several keys intended for signing and verifying AAD access tokens, allowing them to forge tokens for any application dependent on the Azure identity platform. This ability could potentially enable malicious actors to authenticate as any user on an affected application that trusts Microsoft OpenID v2.0 mixed audience and personal-accounts certificates​​.

Overall, this incident highlights the significant risks associated with key compromises, especially in the context of large-scale cloud infrastructure like Microsoft Azure.

Analysis of the Sardonic Variant: Experts have found that FIN8 continuously enhances their malware and distribution infrastructure. The latest Sardonic variant introduces a significant change: it now uses a PowerShell script for infection, a departure from its previous approach of utilizing intermediary downloader shellcode. Notably, this variant has moved away from the C++ standard library, favoring a simpler C language implementation. This change includes various methods to evade detection. The backdoor is versatile, supporting three different formats to augment its functions: PE DLL plugins, shellcode, and a unique shellcode with a different argument-passing convention. Upon activation, this backdoor can execute numerous commands, such as downloading new files, extracting file contents, managing DLL plugins, and executing shellcode.

With the integration of PowerShell in their updated backdoor, FIN8 aims to breach security systems more effectively and spread ransomware, thereby increasing their illicit profits. This isn’t their first venture into ransomware deployment.

Other Ransomware Deployments by FIN8: Although FIN8 primarily targets Point-of-Sale (POS) systems, they have expanded to ransomware attacks in recent years. In January 2022, they were linked to deploying White Rabbit ransomware through a malicious link. In June 2021, they used Ragnar Locker ransomware to attack a financial services company in the U.S.

Conclusion: Security professionals recommend that organizations employ a combination of detection, protection, and system hardening technologies to defend against these threats. Additionally, they should monitor network activity and be vigilant about the latest versions of PowerShell used in their systems.

In-Depth Analysis:

• Nature and Objective: P2PInfect is an advanced Peer-to-Peer (P2P) worm known for its rapid spread across networks. It primarily attacks Redis servers, exploiting their weaknesses.
• Cross-Platform Threat: The worm’s capability to compromise both Linux and Windows systems underscores its versatility and danger.
• Vulnerability Scope: Approximately 934 Redis servers might be at risk. The worm’s first detection was on July 11.

Operational Tactics:

• Infection Strategy: P2PInfect utilizes multiple methods to infiltrate Redis servers, notably exploiting a critical Lua sandbox escape bug (CVE-2022-0543).
• Propagation Mechanism: After gaining access, it deploys a dropper payload to establish a P2P network, which then downloads further malicious components to spread the malware.
• Network Integration: Once infected, the server joins a P2P network, aiding the spread of additional payloads.
• Persistence Techniques: The malware uses a PowerShell script for ongoing communication and access maintenance, with the Windows variant including a self-updating Monitor component.

Implications:

• Challenges in Mitigation: P2PInfect’s covert nature and sophisticated communication methods often bypass traditional detection systems.
• Potential Damages: Once it breaches a Redis server, it could lead to data leaks, unauthorized access, and operational disruptions.
• Rapid Spread Risks: Its swift network propagation heightens the potential for extensive damage and complicates recovery processes.

Preventive Measures: The P2PInfect worm represents a serious threat, exploiting Redis server vulnerabilities across Linux and Windows systems. To combat this threat, organizations need to engage in vigilant monitoring, establish proactive defenses, and collaborate within the cybersecurity community. Implementing robust security practices and staying informed about the worm’s tactics are crucial for protection.

Key Insights:

• Cryptocurrency firms experienced an unprecedented 600% surge in attacks globally, while the management consulting and non-profit sectors faced heightened targeting due to their web traffic.
• The United States encountered the highest number of attacks, followed by Canada and Singapore.
• The prevalence of HTTP DDoS attacks increased by 15% quarter-over-quarter, with instances noted in Mozambique, Egypt, and Finland.

Contributing Factors:

• Pro-Russia hacker groups, including REvil, Killnet, and Anonymous Sudan, targeted Western websites amid the Ukraine conflict. In June alone, they executed approximately 10,000 DDoS attacks against various sectors.
• A disclosed zero-day vulnerability (CVE-2022-26143) in March exposed Mitel Business phone systems to UDP amplification DDoS attacks, reaching an alarming 220 billion percent.
• The proliferation of botnets such as Tsunami and AndoryuBot played a role in the upsurge of DDoS attacks, including one peaking at 1.4 terabytes per second against an American ISP, involving around 11,000 IP addresses and employing a Mirai-variant botnet.

Discovery of a New Attack Tool:

• In the midst of escalating threats, the relatively unknown Russian group NoName has enhanced the DDoSia attack toolkit to launch more intense DDoS attacks against Western nations.
• Developed in Golang, the tool can target systems on Windows, Linux, and macOS, featuring an added layer of security to obfuscate the list of targets, posing a challenge to the analysis process.

Conclusion:

• The DDoS threat landscape is evolving into a more intricate scenario, necessitating measures beyond traditional security practices. Organizations are urged to implement multi-layered defenses and DDoS protection systems to counter such attacks effectively. Recommendations include enabling firewalls and adopting robust internet security solutions to ensure safer online browsing.

The group displays a distinctive pattern of targeting sectors like manufacturing, professional and legal services, and wholesale and retail. Notably, Mallox exploits poorly secured MS-SQL servers through dictionary attacks, serving as a penetration vector to compromise victims’ networks. The introduction of the Xollam variant marks a shift in tactics, utilizing malicious OneNote file attachments for initial access, as highlighted by Trend Micro.

Upon successfully infiltrating a host, Mallox executes a PowerShell command to retrieve the ransomware payload from a remote server. The ransomware binary takes various measures, including stopping SQL-related services, deleting volume shadow copies, clearing system event logs, terminating security-related processes, and attempting to bypass Raccine, an open-source tool designed to counter ransomware attacks. While TargetCompany remains a relatively small and closed group, it has been observed recruiting affiliates for the Mallox Ransomware-as-a-Service (RaaS) program on the RAMP cybercrime forum.

The surge in Mallox infections reflects a broader trend, with a 221% year-over-year increase in ransomware attacks as of June 2023. The rise is largely attributed to Cl0p’s exploitation of the MOVEit file transfer software vulnerability, contributing to 434 reported attacks in June 2023 alone. The financial motivation for ransomware remains high, with cybercriminals netting at least $449.1 million in the first half of 2023, according to Chainalysis.

Expressing concern over the heightened activity of the Mallox ransomware group in recent months, researchers emphasize the potential for more attacks, especially with ongoing recruiting efforts for affiliates. This underscores the evolving tactics of ransomware groups and the urgent need for organizations to bolster their cybersecurity measures to effectively counter these dynamic threats.

Brian Orenstein, the President and CEO of the Waterford-based credit union, revealed on Monday that Charter Oak is uncertain about the timeline for restoring online banking capabilities and website access. Orenstein explained that the credit union’s IT and security teams were compelled to shut down website access and the online banking portal on Friday due to the actions of unidentified “malicious actors” attempting to breach members’ personal information.

“We detected unusual website activity on Wednesday,” he mentioned. “Our IT team and cybersecurity experts promptly acted to safeguard member data and assets. As part of bolstering online security, Charter Oak’s domain was temporarily locked, resulting in downtime for the main website and online banking.”

With approximately 80,000 members, of which around half use online banking services, Orenstein also disclosed that fake websites pretending to be the legitimate Charter Oak web page emerged shortly after the shutdown.

However, Orenstein reassured members that no money or member data had been compromised. He elaborated that since the system was down, the fraudsters couldn’t access the website. The credit union is urging members who may have disclosed login or password information to contact them for the creation of new logins and passwords. This precaution is necessary because once the website is operational again, customers may be vulnerable to unauthorized access to their online accounts by these individuals.

Orenstein also mentioned that both the FBI and the National Credit Union Administration, which provides insurance to credit union members across the United States, have been alerted about the incident.

In an email communication sent to credit union members, Orenstein stressed Charter Oak’s unwavering commitment to safeguarding members’ personal information, emphasizing its critical importance.

“Please refrain from entering your online banking credentials on any website other than charteroak.org,” read Orenstein’s message in part. “There are other sites with similar (but not exact) names that are attempting to capture your credentials. Please avoid entering your username or password on any websites that resemble Charter Oak.”

Bruce Adams, President of the Meriden-based Credit Union League of Connecticut, highlighted that Charter Oak, with approximately $1.5 billion in assets, is the third-largest credit union in the state. Adams commended Charter Oak for its proactive measures to protect its customers in response to this incident.

He added, “Whether the threat affects an insurance company, a major retailer, a bank, or a credit union, it is imperative that our state and federal governments enhance business community protection.”

Charter Oak has committed to refunding members who incurred fees or charges due to the disruption in online service and has encouraged affected members to contact them at 860-446-8085.

Charter Oak was originally established in 1939 to serve Electric Boat workers, initially known as the Groton Shipbuilders Credit Union. It transitioned to a community-based credit union in the 1980s.