Week 25, June 19-25, 2023

Week 25, June 19-25, 2023. Cybersecurity Weekly Updates.

This week in the world of cybersecurity:

From the JavaScript dropper PindOS, which is distributing the Bumblebee and IcedID malware, to a new cryptocurrency-mining campaign focusing on Linux systems and IoT devices. The MULTI#STORM campaign has been spotted targeting India and the U.S. with Remote Access Trojans. In the realm of open source, a shocking number of GitHub repositories are likely susceptible to a RepoJacking attack.

The Camaro Dragon hackers have made an impact with their USB-driven, self-propagating malware. Meanwhile, a critical flaw has been identified in a WordPress Plugin for WooCommerce, endangering around 30,000 websites. The notorious ScarCruft hackers have exploited the Ably service for stealthy wiretapping attacks.

In a new report, we explore Operation Triangulation’s spyware implant, which targets iOS devices. Other important updates include a critical ‘nOAuth’ flaw in Microsoft Azure AD, which allowed complete account takeover, and the Chinese Hacker Group ‘Flea’ targeting American Ministries with a Graphican backdoor.

The new Condi malware is causing alarm, hijacking TP-Link Wi-Fi routers for DDoS Botnet attacks. And in a shocking revelation, over 100,000 stolen ChatGPT account credentials are reportedly being sold on Dark Web marketplaces. Last but not least, the new Mystic Stealer malware is casting a wide net, targeting 40 web browsers and 70 browser extensions.

Common Vulnerabilities and Exposures (CVEs)

This section highlights some CVEs whose CVSS score is classified as critical, mainly within the domains of IoT and automotive.

CVE-2023-34101
Contiki-NG is an operating system for internet of things devices. In version 4.8 and prior, when processing ICMP DAO packets in the `dao_input_storing` function, the Contiki-NG OS does not verify that the packet buffer is big enough to contain the bytes it needs before accessing them. Up to 16 bytes can be read out of bounds in the `dao_input_storing` function. An attacker can truncate an ICMP packet so that it does not contain enough data, leading to an out-of-bounds read on these lines. The problem has been patched in the “develop” branch of Contiki-NG, and is expected to be included in release 4.9. As a workaround, one can apply the changes in Contiki-NG pull request #2435 to patch the system.
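To make the bug class concrete, here is an added illustration (not Contiki-NG's own dao_input_storing code) of the length check the advisory says was missing: a parser for the RPL DAO base object from RFC 6550 that validates the buffer length before every read, so a truncated packet is rejected rather than read past its end. The sample packets are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Layout of an RPL DAO base object (RFC 6550, section 6.4): four fixed
 * bytes, then a 16-byte DODAGID only when the 'D' flag is set. Added
 * illustration of the bounds check described in CVE-2023-34101; this is
 * not Contiki-NG's own code. */
#define DAO_BASE_LEN    4
#define DAO_DODAGID_LEN 16
#define DAO_FLAG_D      0x40

struct dao_base {
  uint8_t instance_id;
  uint8_t flags;
  uint8_t sequence;
  int has_dodagid;
  uint8_t dodagid[DAO_DODAGID_LEN];
};

/* Returns 0 on success, -1 if 'len' is too short for the fields that will
 * be read. Each read is preceded by a check against 'len', so a truncated
 * packet is rejected instead of being read out of bounds. */
int dao_parse(const uint8_t *buf, size_t len, struct dao_base *out)
{
  if(buf == NULL || out == NULL || len < DAO_BASE_LEN) {
    return -1;                       /* fixed header incomplete */
  }
  out->instance_id = buf[0];
  out->flags = buf[1];               /* buf[2] is reserved */
  out->sequence = buf[3];
  out->has_dodagid = (out->flags & DAO_FLAG_D) != 0;
  memset(out->dodagid, 0, DAO_DODAGID_LEN);
  if(out->has_dodagid) {
    if(len < DAO_BASE_LEN + DAO_DODAGID_LEN) {
      return -1;                     /* 'D' set but DODAGID truncated */
    }
    memcpy(out->dodagid, buf + DAO_BASE_LEN, DAO_DODAGID_LEN);
  }
  return 0;
}

/* Constructed samples: a complete DAO with DODAGID, one cut off inside the
 * DODAGID (the truncation case the advisory describes), one without 'D'. */
static const uint8_t dao_full[20] = {1, 0x40, 0, 7, 0xfd, [19] = 1};
static const uint8_t dao_cut[9]   = {1, 0x40, 0, 7, 0xfd, 0, 0, 0, 0};
static const uint8_t dao_plain[4] = {1, 0x00, 0, 9};
```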

CVE-2023-33975
RIOT-OS, an operating system for Internet of Things (IoT) devices, contains a network stack with the ability to process 6LoWPAN frames. In version 2023.01 and prior, an attacker can send a crafted frame to the device resulting in an out-of-bounds write in the packet buffer. The overflow can be used to corrupt other packets and the allocator metadata. Corrupting a pointer will easily lead to denial of service, while carefully manipulating the allocator metadata gives an attacker the possibility to write data to arbitrary locations and thus execute arbitrary code. This issue is fixed in pull request 19680. As a workaround, disable support for fragmented IP datagrams.

CVE-2023-3028
Insufficient authentication in the MQTT backend (broker) allows an attacker to access and even manipulate the telemetry data of the entire fleet of vehicles using the HopeChart HQT-401 telematics unit. Other models are possibly affected too. Multiple vulnerabilities were identified:
– The MQTT backend does not require authentication, allowing unauthorized connections from an attacker.
– The vehicles publish their telemetry data (e.g. GPS location, speed, odometer, fuel, etc.) as messages in public topics. The backend also sends commands to the vehicles as MQTT posts in public topics. As a result, an attacker can access the confidential data of the entire fleet that is managed by the backend.
– The MQTT messages sent by the vehicles or the backend are not encrypted or authenticated. An attacker can create and post messages to impersonate a vehicle or the backend. The attacker could then, for example, send incorrect information to the backend about the vehicle’s location.
– The backend can inject data into a vehicle’s CAN bus by sending a specific MQTT message on a public topic. Because these messages are not authenticated or encrypted, an attacker could impersonate the backend, create a fake message and inject CAN data in any vehicle managed by the backend.
The confirmed version is 201808021036; however, further versions have also been identified as potentially impacted.

Recent Tools and Techniques

These are some of the recent tools and techniques in the cyber-security sphere that have captured my attention.

Tool to extract C&C traffic in real-time
C2-Hunter is a tool for real-time extraction of Command and Control (C2) traffic from malware. It employs win32 connection APIs to intercept and analyze malware communication, providing insights into cyber threats. Key features include real-time C2 traffic extraction and a future enhancement to bypass malware-induced time delays for accelerated extraction. The tool operates on Windows with Administrator Privileges.

Windows handle hijacker
Handle-Ripper is a specialized tool that allows users to perform handle hijacking attacks on Windows operating systems. The handle hijacking technique can be used for privilege escalation by taking control of system object identifiers (handles) such as files, directories, processes, or events, enabling access to otherwise inaccessible resources. This method is particularly valuable for injecting code into a vulnerable system, thus granting access to restricted resources and data. Handle-Ripper makes this possible by using the ‘DuplicateHandle’ function to clone a handle from a legitimate process, providing the attacker with the ability to interact with the resource the handle represents. This tool is pertinent to Windows, win32, malware research, AV bypass, malware development, and both red and blue team operations.

File Archiver In The Browser
“File Archiver in the Browser” is a phishing technique that leverages the usage of new top-level domains (TLDs) such as .zip to emulate file archiver software, such as WinRAR, in the browser. This technique involves creating a webpage that mimics the appearance and function of file archiver software, complete with cosmetic features like a ‘Scan’ icon to increase its legitimacy. The technique offers several deceptive use cases, such as credential harvesting and disguising executable files as non-executable ones for download. Delivery of the phishing page can be done through the Windows File Explorer search bar, where a search for a non-existent .zip file automatically opens the corresponding .zip domain in the browser.

Binary Vulnerability Analysis Tool with the use of GPT-3.5-Turbo
Callisto is an automated binary vulnerability analysis tool with an intelligent design. Leveraging Ghidra’s headless decompiler, it autonomously decompiles a given binary, generating pseudo code for analysis. The initial examination of the pseudo code is performed by the Semgrep static application security testing (SAST) tool, with subsequent validation and potential identification of further vulnerabilities handled by GPT-3.5-Turbo. Callisto’s primary aim is to assist with binary analysis and zero-day vulnerability discovery. The output serves as a guide for researchers to locate potential vulnerabilities within the binary for further dynamic testing, validation, and exploitation. In addition to its core functionality, Callisto can also be used as a headless decompiler, creating an output.c file with all the extracted pseudo code for manual analysis or usage with other SAST tools. Notably, the integration of Semgrep and GPT-3.5 is designed to minimize false positives and enable a deeper analysis of the program.

That’s a wrap on this week’s edition of the Cyber-Security Update. Remember, the cyber-security landscape is ever-changing, and staying informed is your primary defense. Hopefully, the insights and information shared today will assist in navigating this complex domain and in strengthening defenses against potential threats. Stay vigilant, stay informed, and look forward to more insights into the world of cyber-security in next week’s edition.

To stay in sync with the weekly cyber-security roundups, remember to subscribe to the newsletter and follow on social media platforms. If there are any questions or specific topics you’d like to see covered, don’t hesitate to get in touch.
