FritzFrog Botnet is Back, Spreads with Exploitation of Web Vulnerabilities

The research from Akamai Labs uncovers a version of FritzFrog malware, armed with a set of exploitation capabilities. In the report they pay a lot of attention to its Log4Shell vulnerability exploitation, which is performed in a rather unusual manner. Upon the discovery of this flaw, all corporations were concentrated on patching main elements of the network infrastructure. At the same time, all the internal network components based off the Apache’s Log4j were mostly ignored, as they are less likely to be attacked. Well, until now.

By abusing the lack of input sanitization during logging, FritzFrog is able to make the target to execute the arbitrary code. Prior to it, malware scans for the vulnerable network assets by searching on ports 9000, 8090 and 8888. To make the vulnerable app instance execute the malicious code, malware spams it with HTTP requests with the said code injected into the request header. This way, the threat ensures that at least one command will make its way to the logs and will be further executed.

Aside from the Log4Shell flaw, the malware also gained the ability to exploit the PwnKit – a flaw in polkit, the privileges control utility present in the majority of Linux distributions. Abusing this flaw, FritzFrog makes itself run with highest privileges possible, shall it detect less than max privileges level assigned upon execution.

What is FritzFrog?

FritzFrog is a rather old malware sample, which has been traced since March 2020. Being a peer-to-peer botnet tool, it quickly gained a significant number of attacks. Though all this rapid success was only to cease the activity in September 2020. In December of the same year it resurrected with even more violent activity – and appears to be active ever since.

Since its first days, it was using SSH brute forcing for self-propagation. It is actually surprising how many hosts open to Internet connections have weak login credentials even today. After the successful exploitation, FritzFrog was starting to scan thousands of other IP addresses, seeking for other weakly protected servers. Aside from self-propagation, the malware is capable of delivering other malware, providing remote access to the infected environment, and performing DDoS attacks.

Protection Against SSH-Targeting Malware

Besides having a rather unique spreading approach, FritzFrog infection vectors are nothing new. Attacking weakly protected servers through brute forcing is a several-decades-old tactic, and both of the vulnerabilities are from 2021. Patches for both flawed software packages are available – update them, and FritzFrog will have much less chances to get in, along with other software.

Methods to counteract SSH brute force are well known and easy to implement, too. Either set the instances to accept only trusted connections, or make them work on a different port. Strong passwords will add to overall security, but will not solve the server overload due to the enormous amount of login requests during a brute force attack. All security measures should work together – this makes them much more effective.

The post New FritzFrog Botnet Sample Exploits Log4Shell and PwnKit appeared first on Gridinsoft Blog.

2 Citrix RCEs Exploited In The Wild, CISA Urges to Update

Wednesday, January 17, the Cybersecurity and Infrastructure Security Agency (CISA) issued an alert regarding actively exploiting three vulnerabilities. The involved vulnerabilities are CVE-2023-6548 and CVE-2023-6549. The agency immediately added these vulnerabilities to its Known Exploited Vulnerabilities Catalog and demanded that U.S. federal agencies patch it ASAP.

The first has a CVSS score of 5.5 and affects NetScaler ADC and Gateway management interfaces. Its deadline to fix it is January 24. As for the other two vulnerabilities, one of them can cause a denial of service condition on specific configurations. It concerns vulnerable Gateway appliances like VPN, ICA Proxy, CVPN, RDP Proxy services, or AAA virtual servers. This vulnerability has a CVSS score of 8.2, more than the previous one. However, CISA has given three weeks to fix these two vulnerabilities.

So, why would you prioritize fixing vulnerabilities with lower CVSS? When they are easy to exploit, this decision becomes more obvious and demanded. While exploiting some vulnerabilities with maximum CVSS requires certain conditions close to the laboratory, other issues require much less effort. It’s no wonder CISA so strongly recommends that this vulnerability be fixed first and foremost.

Citrix RCE Vulnerability Details

CVE-2023-6548 is a medium-severity (CVSS score of 5.5) Remote Code Execution (RCE) vulnerability that affects Citrix NetScaler ADC and Gateway appliances. It allows an authenticated attacker with low-level privileges to execute code on the management interface of the affected devices via NSIP, SNIP, or CLIP.

Next, the CVE-2023-6549 vulnerability is a Denial of Service (DoS) vulnerability. It was also found in the Citrix NetScaler ADC and has a CVSS score 8.2. Threat actors can exploit it under specific configurations of vulnerable appliances. As mentioned, VPN, ICA Proxy, CVPN, RDP Proxy services, or an AAA virtual server are at risk. The vulnerability can disrupt services by overwhelming the system, leading to a denial of service condition.

Citrix Responds to New Vulnerabilities

Citrix promptly published an advisory and recommended that customers immediately apply updates for affected versions. Customers using Citrix-managed cloud services or Adaptive Authentication are not required to take action. The company suggests separating network traffic to the appliance’s management interface and not exposing it to the internet, as outlined in their secure deployment guide.

In addition, the company strongly recommended that network traffic to the appliance’s management interface be separated, either physically or logically, from regular network traffic. Furthermore, the management interface should not be exposed to the internet, as outlined in their secure deployment guide.

The post 2 Citrix RCE Under Active Exploitation, CISA Notifies appeared first on Gridinsoft Blog.

Analysts Discover Numerous Vulnerabilities in TianoCore EDK II

The extensive research from Quarklabs uncovers the grand total of nine vulnerabilities present in a widely used UEFI implementation from TianoCore, called EDK II. This open-source variant of unified EFI is seeing particularly large applications in various corporations, both in their own machines and in products. Among other functions, it contains a network boot option and a whole bunch of related functionality, which is where all the vulnerabilities are concentrated.

Network boot itself bears on a Preboot Execution Environment (PXE), often shortened to Pixie boot. This place is, eventually, the host to all nine security flaws. Not all vulnerabilities from PixieFail collection are of the utmost severity, but for 3 of them, NIST assigned the CVSS score of 8.3/10.

List of PixieFail Vulnerabilities

As you can see, the list is rather vast, with buffer overflow vulnerabilities rated as the most severe. All this is due to the reason that such flaws can enforce arbitrary code execution. Such an action is useful for both initial access and lateral movement within the environment. And since we are talking about doing all this mess almost on a bare metal, outcomes may be rather bad.

Vendors Offer Patches for PixieFail Vulnerabilities

Upon detecting the vulnerabilities back in early August 2023, Quarkslab contacted a selection of software vendors who use EDK II in their products. Among them are such known names as Arm, Insyde Software, Microsoft, American Megatrends and Phoenix Technologies. Throughout half a year, both vendors, authorities and researchers elaborated on creating a fix without leaking any information before the fixes are implemented.

As a result, on January 16, 2024, when the detailed analysis from Qarkslab was published, all the notified vendors got the issue fixed. So, check out the updates for your firmware – it may contain the patch which fixes PixieFail all at once.

The post 9 PixieFail Vulnerabilities Discovered in TianoCore’s EDK II appeared first on Gridinsoft Blog.

Sierra AirLink Routers Have 21 Vulnerabilities

As Forescout Vedere researchers describe in their research, the AirLink lineup of devices contains 21 software vulnerabilities. Among them, only one issue got the CVSS score over 9, which is considered critical. RCE vulnerabilities and a couple of ones that may allow for unauthorized access are rated 8.1 to 8.8. Several other noteworthy issues, particularly ones that cause Denial of Service, are rated at CVSS 7.5.

Researchers did a detailed description of the potential exploitation cases for two of the most critical vulnerabilities. For CVE-2023-41101, a hacker can take over the router by overflowing the buffer in OpenNDS captive portal. Using the lack of length limitation in GET requests, it is possible to make the router execute arbitrary code. By controlling the router, adversaries can disrupt the operations related to the mentioned interface.

#2 in the list, CVE-2023-40463, requires an attacker to possess a router similar to the one it tries to attack. By digging through the device’s software elements and applying some hash cracking magic, it is possible to obtain the diagnostic shell password. Further, using a bit of social engineering, adversaries may connect to the actual router and enter its diagnostic interface using the password they’ve obtained earlier. With such access, it is possible to inject malware to the router, force it to malfunction, or execute your commands remotely.

Available Mitigations

Despite such a worrying amount of exploits, all of them allegedly receive a fix in the latest version of the firmware for AirLink devices. ALEOS 4.17.0 should address all the flaws, and, if some incompatibilities are in the way, customers may stick to version 4.9.9. The latter is not vulnerable to named vulnerabilities except for ones that touch OpenNDS captive portals.

Researchers who found all the issues also offer their own mitigation for the vulnerabilities that allow delaying the patch installation. Though, as it usually happens to all the stopgap solutions, they are not ideal and do not guarantee the effect.

1. Disable unused captive portals and related services, or put them under restricted access. This reduces the attack surface for vulnerabilities that target OpenNDS.
2. Use a web app firewall to filter the requests and block the packets of a suspicious source. This mitigation works against XSS and DoS vulnerabilities.
3. Change the default SSL certificates. Forescout recommends doing this to all the routers, not only to Sierra Wireless ones.
4. Implement an intrusion detection system that monitors IoT/OT devices as well. This allows for controlling both connections from outside the network and ones within it.

What are Sierra AirLink Routers?

Have you ever wondered, how does the Wi-Fi in a public transport function? Or how all the machinery in a huge workshop is connected and centrally managed even though it is not static? Well, Sierra’s devices are the answer. Their routers are industrial-grade wireless connectivity devices that are used in dozens of industries – starting from public transportation and all the way up to aerospace & defense.

What is particularly concerning for this story is the extensive use of AirLink routers in critical infrastructure. Factories, transportation – they are important, though not as continuously demanded as water treatment, emergency services and energy management. And since IoT more and more often attracts hackers’ attention, the actions should be taken immediately. Considering the extensive use of vulnerable AirLink devices in the US, it may be the perfect Achilles’ heel for cyberattacks that target critical infrastructure and even government.

The post Sierra AirLink Vulnerabilities Expose Critical Infrastructure appeared first on Gridinsoft Blog.

Vulnerabilities in HP BIOS may lead crooks to takeover your PC

Analysts defined those vulnerabilities as CVE-2021-3808 and CVE-2021-3809, and gave a baseline CVSS score of 8.8. HP does not provide technical details at this time, only publishing the list of affected devices. Those are:

• Zbook Studio
• ZHAN Pro
• EliteBook
• ProBook
• Elite Dragonfly
• EliteDesk
• ProDesk desktops
• PoS Engage
• Z1 and Z2 workstations
• Thin client PCs [that run the same firmware version on the server]

The bugs were discovered back in November 2021 thanks to researcher Nicholas Starke, who explained in his blog that the vulnerability could allow an attacker running with kernel-level privileges (CPL == 0) to elevate privileges to system management mode (SMM). At the same time, SMM gives the attacker full privileges over the host for further attacks.

The problem is that it is possible to run the SMI handler from the OS environment, for example through a Windows kernel driver. Therefore, an attacker needs to find the memory address of the LocateProtocol function and overwrite it with malicious code. It can initiate code execution by instructing the SMI handler to do so.

Is that breach easy to exploit?

To exploit the vulnerability, an attacker should have root/SYSTEM-level privileges on the target system and execute code in System Management Mode (SMM). In addition, some models of HP computers have security features that an attacker needs to bypass in order for the exploit to work, such as HP Sure Start, which will shut down the host if the memory is corrupted. However, there are enough ways to get such privileges – from other exploits to tricking the user to install a trojan virus.

When the ultimate goal is achieved, the attacker, by overwriting the UEFI (BIOS), can achieve an outstanding persistency of malware on the machine. After such a trick, you can’t remove malware using antivirus tools or reinstalling the OS. So, that’s an obvious advice for all owners of HP hardware who do not want to become part of the ART operations that practice attacks through UEFI. Update the BIOS before cybercriminals update it without your participation.

Why are BIOS vulnerabilities so critical?

BIOS, as well as its modern replacement – UEFI, is the firmware of the lowest level. It runs on your hardware even before you launch the regular OS – Windows or Linux. Contrary to operating systems that interact with hardware using drivers, BIOS interacts directly. In the early ‘10s, Unified Extensible Firmware Interfacewas presented as a substitute for BIOS, which was considered obsolete to the moment.

Breach that allows the hackers to call the hardware on the kernel lever, i.e. circumventing the drivers, means that the one who exploits that breach may do literally anything. Turn off the computer, reboot it, delete the BIOS, substitute the latter with a malicious loader that will display the ransom banner over the screen – choose what you want. CVE Organisation, which tracks and documents all the detected vulnerabilities, still has not added the detailed description of CVE-2021-3808 and CVE-2021-3809. But I am pretty sure that they will increase the severity rating to 10/10 – that is a reall mess.

The post Vulnerability in HP BIOS causes system takeover appeared first on Gridinsoft Blog.

The crooks’ weapon struck them back

The YouTube user Malvuln published a chain of videos regarding the exploitation of the breach in popular ransomware. This exploitation is based on how ransomware launches its executable files with high privileges. Exactly, this is the exploit inside of the other exploit. Let’s check out how that works.

Originally, when crooks launch the ransomware in the infected system, they palm off the malicious DLL to a legit program. Any application requires dynamic-link libraries to function, and if the used DLLs are not checked diligently, it is easy to substitute the original one with the library you need. Cybercriminals know about that breach and know which apps are vulnerable. Giving the malicious DLL to the legit program allows the ransomware to be launched with increased privileges.

However, ransomware itself is not ideal. As the researcher mentioned above figured out, it is also vulnerable to DLL interception. However, the exact method is different compared to how cybercriminals use it. That vulnerability lies in the way of naming the libraries used by ransomware to run the ciphering process. A specially compiled DLL named the one used by ransomware ends the encryption process right after its beginning.

How can that be used?

As Malvuln showed in his videos, ransomware of 6 popular cybercrime gangs is vulnerable to that security breach. Those are AvosLocker, LokiLocker, Black Basta, REvil, Conti, and LockBit. All of them are well-known, and each of them attacks hundreds of companies each month. Some of them may ask for up to $1M ransoms. Using such a vulnerability, companies may easily protect themselves from having their files encrypted. Still, spyware those groups usually inject together with ransomware is still able to extract a lot of valuable data.

Adding a small DLL file on each computer in the network is pretty easy, and hard to detect for threat actors. In contrast to security solutions that are running in the network, DLL is not active and cannot be detected. Hence, crooks may get a very unpleasant surprise. Nonetheless, that does not mean that you can throw away your security solutions. EDR systems may be very effective against spyware, at least with data extraction. Keep in mind that you will likely pay a much bigger sum of money as a ransom than you will spend on an endpoint protection solution.

Thoughts on ransomware vulnerability

Cybercriminals like ones that belong to the named gangs love their brainchildren. And having such a vulnerability, they will not delay fixing it. That is their bread and butter, and they depend on that money flow. Hence, deploying the DLL as I have offered above is not a panacea. Sooner or later (likely sooner) that breach will be fixed, as it was to all other vulnerabilities that leaked to the public. And still – no one names a way to stop the complementary spyware.

This or another way, having the chance to stop the ransomware and prevent disruptions is better than not having it.

The post Vulnerabilities Allow Hijacking of Most Ransomware to Prevent File Encryption appeared first on Gridinsoft Blog.

The flaw affects Linux firmware used in various routers, hotspots, and other IoT devices. It also hits Linux distributives for the embedded operating systems like Embedded Gentoo and OpenWRT. The vulnerability reveals itself in many different devices. For example, Linksys, Netgear, and Axis all use uClibc libraries. Since the vulnerability is not yet cured in uClibc and uClibc-ng, the details about specific devices and manufacturers in whose products the problem occurs are not brought to the public yet.

The vulnerability mechanism

The vulnerability comes from the usage of predictable transaction identifiers in the library-generated DNS requests. DNS request IDs are formed by simple incrementing of the counter without any additional randomization of the port numbers. This mechanism, in turn, allowed DNS cache poisoning through the proactive sending of a UDP packet with a forged response. The spoof will be accepted if it features a correct request ID and arrives before the genuine server’s response. Unlike the Kaminsky method proposed in 2008, the current approach doesn’t even require guesswork since the transaction ID is initially predictable. The initial value (1) gets incremented with each query, not chosen randomly.

Security recommendations against ID breaking include randomizing numbers of source network ports whence the DNS request. This measure must compensate for the short length of the identifier. If randomization is activated, the forgery of a 16-bit ID is not enough – hackers then would have to additionally brute-force the network port number. In uClibc and uClibc-ng, the random source UDP port didn’t show during the bind request. Therefore, the randomizer was turned off, and its application required changing settings in the operating system.

With the randomization switched off, the problem of guessing an incremented request ID becomes trivial. But even if the randomization were applied, the attackers would only need to pick up a port number from a range of 32768–60999 (Linux uses such.) They could have used a massive simultaneous sending of fake responses to different network ports yet to win against the legitimate DNS response.

History of the inquiry

The problem has been confirmed in all working versions of the uClibc and uClibc-ng, including the latest uClibc 0.9.33.2 and uClibc-ng 1.0.40. In September 2021, the information on the vulnerability was sent to CERT/CC for coordinated fixes preparation. Moreover, In January 2022, the data was delivered to more than 200 manufacturers working with CERT/CC. In March, there was communication with the uClibc-ng project support. They admitted they could not fix the vulnerability themselves and recommended disclosing the information to the community so that it could assist with the development of the fix. Nozomi Networks, the company that detected the flaw, brought the information to the public in a thorough report on May 2, 2022. In the meantime, Netgear has announced an update wherein they promise to deal with the vulnerability.

The post A DNS vulnerability in uClibc/uClibs-ng libraries jeopardizes IoT devices appeared first on Gridinsoft Blog.

F5 warns its customers of a new vulnerability

The CVE-2022-1388, according to the analysts from the company, allows the potential threat actors to remotely execute arbitrary code and disable services on BIG-IP without any authentication. This threat is classified as severe, with a CVSS v3 rating of 9.8 – that indicator classifies it as critical. Vulnerability in one of the components of iControl REST makes it possible to bypass the authentication in BIG-IP. Afterward, crooks are free to execute any code in the framework. Here is the list of BIG-IP versions that reportedly contain that breach:

• 16.1.0 to 16.1.2;
• 15.1.0 to 15.1.5;
• 14.1.0 to 14.1.4;
• 13.1.0 to 13.1.4;
• 12.1.0 to 12.1.6;
• 11.6.1 to 11.6.5.

F5 offers a fast fix for the issue

As you can see, almost all versions of BIG-IP that are currently in use are exposed. F5 Inc. has already released fixed versions of this software, and recommends installing it as soon as possible. Those versions are:

• 17.0.0;
• 16.1.2.2;
• 15.1.5.1;
• 14.1.4.6;
• 13.1.5.

The company emphasizes that older versions of the software (12.x and 11.x) will not receive the fix of that flaw, and it is recommended to move on to the newer version. If the client is not able to apply the update for some reason, F5 recommends applying the following settings to prevent vulnerability exploitation:

—

Until it is possible to install a fixed version, you can use the following sections as temporary mitigations. These mitigations restrict access to iControl REST to only trusted networks or devices, thereby limiting the attack surface.

Block iControl REST access through the self IP address
You can block all access to the iControl REST interface of your BIG-IP system through self IP addresses. To do so, you can change the Port Lockdown setting to Allow None for each self IP address in the system. If you must open any ports, you should use the Allow Custom option, taking care to disallow access to iControl REST. By default, iControl REST listens on TCP port 443 or TCP port 8443 on single NIC BIG-IP VE instances. If you modified the default port, ensure that you disallow access to the alternate port you configured.

—F5 Inc. advice on the case of CVE-2022-1388 vulnerability in BIG-IP.

How serious is the CVE-2022-1388?

Since the iControl framework, as well as BIG-IP, are generally used by corporations, they are the main place where CVE-2022-1388 may harm. The ability to remotely execute the code without the authorisation allows the cybercriminals to extend their presence pretty quickly, up to the full control over the network. Any malware distributor will be pleased with such an ability, especially considering the amount of valuable data that is present in such corporations. Moreover, using such advanced and expensive solutions as the ones offered by F5 Corporation means that attackers may ask for a huge ransom.

Besides that, having such a vulnerability in your software product also impacts you image as a developer. F5 did a pretty good job – they detected the flaw and issued a fix for it before cybercriminals did. However, that does not mean that crooks lost the ability to exploit it – they just lost the suddenness – it is not a zero-day vulnerability anymore. A lot of companies will be slow with updates, and some may just ignore it. The absence of a fast reaction often leads to bad consequences. Fortunately for the F5, they already have disclaimed the responsibility for any case of a malware attack with that breach.

The post F5 warns of critical BIG-IP RCE vulnerability appeared first on Gridinsoft Blog.

The issue in question is tracked as CVE-2022-22718 (CVSS score of 7.8) and, according to Microsoft, affects all versions of Windows.

At the same time, the company did not disclose almost any technical details of the bug, it was only reported that attackers can use the vulnerability locally, in attacks of low complexity and without any user interaction.

It is worth recalling that last year, Microsoft fought for a long time (and not always successfully) with various bugs in Print Spooler, including a critical PrintNightmare vulnerability that allows remote arbitrary code execution. Then, after accidentally leaking the technical details of the bug and PoC exploit, CISA experts warned administrators that they urgently needed to disable the Print Spooler service on domain controllers and systems not used for printing in order to block potential attacks.

Now, the nature of the attacks on CVE-2022-22718 and the identities of the perpetrators behind them are almost unknown, as the authorities are apparently trying to prevent further exploitation of the problem by other hack groups.

In addition, this week two other issues were added to the CISA catalogue of known exploited vulnerabilities, although they date back to 2018 and 2019:

• CVE-2018-6882 (CVSS score 6.1) – XSS Vulnerability in Zimbra Collaboration Suite (ZCS)
• CVE-2019-3568 (CVSS score of 9.8) is a stack buffer overflow vulnerability in WhatsApp VOIP.

The post Hackers Use Fresh Vulnerability in Windows Print Spooler in Real Attacks appeared first on Gridinsoft Blog.

According to official statistics, more than 200,000 enterprises in 140 countries around the world use Zimbra, including more than 1,000 government and financial institutions. The researchers write that using the 0-day vulnerability, attackers gain access to the mailboxes of European authorities and the media.

The attacks were discovered in mid-December, and although Volexity notified the Zimbra developers about the bug as early as December 16, the company has not yet released a patch.

The attacks were divided into two stages. Initially, the hackers sent a harmless email to victims to determine if the right accounts were active and whether users would open suspicious emails from unknown individuals.

The actual attack only happened with a second email, in which the hackers included a link. If the user accessed this URL, they were taken to a hacker site where malicious JavaScript code performed an XSS attack on Zimbra webmail at the victim’s organization.

The vulnerability works against Zimbra webmail clients versions 8.8.15 P29 and P30 and allows stealштп Zimbra session cookies. These files allow hackers to connect to someone else’s Zimbra account, from where they gain access to email (they can view emails in victims’ mailboxes and steal their contents), after which they send additional phishing messages to the user’s contacts, and also offer targets to download malware.

While there are currently over 33,000 Zimbra servers on the web, Volexity says 0-day is thankfully safe for Zimbra 9.x (the most recent version of the platform).

Based on the attacker infrastructure used in these attacks, experts were unable to link what was happening to any previously known hack group. As a result, the grouping was given the name TEMP_Heretic. At the same time, experts report that “the attacker is probably of Chinese origin.”

Let me remind you that we reported that Chinese hackers attacked US organizations and exploit bugs in F5, Citrix and Microsoft Exchange and also that Hackers attacked Microsoft Exchange servers of the European Banking Authority.

The post Chinese hackers use Zimbra 0-day vulnerability to hack European media and authorities appeared first on Gridinsoft Blog.