Vulnerability Archives - TuxCare

Prynt Stealer’s Backdoor Steals Data Stolen from Cyberattacks

A backdoor in the information-stealing malware Prynt Stealer is used to steal data that other attackers have already exfiltrated from their victims, according to Zscaler ThreatLabz researchers.

The malware sells for $100 for a one-month license or $900 for a lifetime subscription and gives attackers extensive capabilities, including keystroke logging, stealing credentials from web browsers, and harvesting data from Discord and Telegram.

Prynt Stealer's code is derived from two other open-source malware families, AsyncRAT and StormKitty. New additions include a Telegram channel that, through a backdoor, collects the information other threat actors steal with the tool.

To perform the data exfiltration, Prynt Stealer uses code copied from StormKitty with minor changes. The malware also includes an anti-analysis feature that continuously monitors the victim's process list for analysis tools such as taskmgr, netstat and wireshark.

As soon as one of these processes is detected, the malware blocks the Telegram command-and-control channels.

The researchers also identified two other variants written by the author of Prynt Stealer: WorldWind and DarkEye.

DarkEye is an implant bundled with a free Prynt Stealer builder. The builder drops and executes a remote access trojan called Loda RAT, an AutoIT-based malware that can access and exfiltrate both system and user information. DarkEye also acts as a keylogger, takes screenshots, starts and terminates processes, and downloads additional malware payloads over a connection to a C2 server.

“While this untrustworthy behavior is nothing new in the world of cybercrime, the victims’ data end up in the hands of multiple threat actors, increasing the risks of one or more large-scale attacks to follow. Note that there are cracked/leaked copies of Prynt Stealer with the same backdoor, which in turn will benefit the malware author even without direct compensation,” write Zscaler ThreatLabz researchers Atinderpal Singh and Brett Stone-Gross.

The sources for this piece include an article in TheHackerNews.

CISA Warns Of UnRAR Software Flaw For Linux Systems

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a path traversal bug in the UnRAR utility for Linux and Unix systems to its Known Exploited Vulnerabilities Catalog.

The flaw, tracked as CVE-2022-30333, could allow an attacker to plant a malicious file on the target system by having it extracted to an arbitrary location during the unpack operation.

The security issue was disclosed by the Swiss company SonarSource in a report in late June. The report described how the flaw could be used for remote code execution to compromise a Zimbra email server without authentication.

Because it is a path traversal vulnerability, an attacker could exploit the flaw to drop arbitrary files on a target system that has the utility installed, simply by getting a crafted archive decompressed there.

While few details have been given on the nature of the attacks, the disclosure highlights attackers' continued efforts to exploit publicly disclosed vulnerabilities in order to gain access to company servers for malware and ransomware intrusions.

CISA has mandated that U.S. federal agencies apply the updates for both flaws by August 30, a step that reduces their exposure to attacks in which these vulnerabilities are exploited.

The other flaw identified by CISA is the DogWalk vulnerability (CVE-2022-34713), a security flaw in MSDT that allows attackers to place a malicious executable into the Windows Startup folder.

According to Microsoft, successful exploitation requires user interaction, a requirement that can be overcome through social engineering, especially in email- and web-based attacks.

Attackers target such flaws because they provide initial access to an organization's servers. Attackers are therefore constantly scanning for vulnerable systems; once one is found, they exploit the flaw and launch double-extortion attacks on the organization.

It is therefore important that organizations scan for flaws and install the latest patches before attackers exploit them.

The sources for this piece include an article in TheHackerNews.

Linux Malware ‘RapperBot’ Brute-forces SSH Servers

Threat hunters at Fortinet have uncovered a new botnet called “RapperBot.” The malware, which has been in use since mid-June 2022, has targeted Linux SSH servers using brute force attempts to gain access to a device.

Brute force attacks essentially involve “guessing” usernames and passwords to gain unauthorized access to a system.

“Unlike the majority of Mirai variants, which natively brute force Telnet servers using default or weak passwords, RapperBot exclusively scans and attempts to brute force SSH servers configured to accept password authentication. The bulk of the malware code contains an implementation of an SSH 2.0 client that can connect and brute force any SSH server that supports Diffie-Hellman key exchange with 768-bit or 2048-bit keys and data encryption using AES128-CTR,” the Fortinet report states.

RapperBot is used to gain initial server access, which is then used for lateral movement within a network. RapperBot has limited DDoS capabilities and was discovered by researchers in the wild.

According to the researchers, RapperBot has its own command and control (C2) protocols and other unique features.

To brute force systems, the malware uses a list of login credentials downloaded from the C2 via host-unique TCP requests. If a login succeeds, the malware reports back to the C2.

As the investigation continued, the researchers also found that RapperBot uses a self-propagation mechanism based on a remote binary downloader.

New strains of RapperBot use more sophisticated techniques to persist on brute-forced systems. In recent samples, the bot adds a root-level user named “suhelper” on the compromised endpoint. It also creates a cron job that re-adds the user every hour, so that the account comes back if an administrator discovers and deletes it.
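As an added defensive example (not Fortinet's or TuxCare's code), the following POSIX shell script audits a passwd file and a crontab listing for exactly the persistence pattern just described: an extra account with UID 0, and a cron entry that keeps re-creating an account. Only the account name "suhelper" comes from the report; the file paths and the sample passwd and crontab content are constructed here for illustration.

```shell
#!/bin/sh
# Added example, not Fortinet's or TuxCare's code: audit a passwd file and a
# crontab listing for the persistence pattern described in the post, i.e. an
# extra UID-0 account and a cron entry that keeps re-creating it. Only the
# account name "suhelper" comes from the post; the file paths and the sample
# data below are constructed for illustration.

# Print every account other than root whose UID is 0, one per line.
extra_uid0_accounts() {
    while IFS=: read -r name _pw uid _rest; do
        if [ "$uid" = 0 ] && [ "$name" != root ]; then
            echo "$name"
        fi
    done < "$1"
    return 0
}

# Print crontab lines (comments dropped) that invoke an account-creation or
# modification tool; a recurring line of this kind is the hourly re-add
# behaviour the post describes.
cron_account_creation() {
    grep -v '^[[:space:]]*#' "$1" \
        | grep -E '(^|[[:space:]/])(useradd|adduser|usermod)([[:space:]]|$)' \
        || true
}

# Total number of findings across both checks (0 means nothing suspicious).
persistence_finding_count() {
    users=$(extra_uid0_accounts "$1" | wc -l)
    crons=$(cron_account_creation "$2" | wc -l)
    echo $((users + crons))
}

# Human-readable report for an operator.
audit_persistence() {
    extra_uid0_accounts "$1" | sed 's/^/FINDING: non-root UID 0 account: /'
    cron_account_creation "$2" | sed 's/^/FINDING: cron entry runs account tool: /'
    echo "findings: $(persistence_finding_count "$1" "$2")"
}

# Constructed sample data standing in for /etc/passwd and a root crontab.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
suhelper:x:0:0::/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF
cat > "$demo_dir/crontab" <<'EOF'
# m h dom mon dow command
0 * * * * /usr/sbin/useradd suhelper >/dev/null 2>&1
30 2 * * * /usr/local/bin/backup.sh
EOF

audit_persistence "$demo_dir/passwd" "$demo_dir/crontab"
```

On a real host, point the two functions at /etc/passwd and at a saved crontab listing (for example the output of `crontab -l -u root` and the files under /etc/cron.d); an account re-appearing after deletion is the signal to look for in the cron output.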

It is important to note that the purpose of RapperBot remains largely unknown, mainly because its DDoS functionality is limited, which is unusual for a botnet. Careful investigation shows that for now the malware mostly just nests and waits on the infected Linux machines.

The sources for this piece include an article in Cybersecuritynews.

“Dirty Pipes” in the Kernel

A few years ago, a vulnerability dubbed “Dirty Cow” (CVE-2016-5195) was in the spotlight for a while. It was a trivially exploitable privilege escalation path that affected practically every Linux distribution and was exploited in the wild extensively. That vulnerability abused the Kernel's Copy-On-Write (COW) mechanism and was later found to be remotely exploitable through web servers that allowed file uploads.

On the 7th of March of 2022, a similar vulnerability was disclosed, also affecting all recent Linux distributions, nicknamed “Dirty Pipe” (CVE-2022-0847). It lets an unprivileged user overwrite any file, or part of a file, in a Linux system, even read-only ones. Several variants have already been disclosed that allow for the replacement of SUID files.

Patches for CVE-2022-0847 will be made available through KernelCare in the coming days, and this post will be updated with availability information as each becomes ready. At this moment, vulnerable kernel versions include 5.8 and onwards, with the flawed commit having been backported to multiple 4.x versions as well.

[Update 9th March: Updates for RHEL 8 and Oracle EL 8 are now available for deployment. Further patches are being prepared for other distributions.

Update 10th March: Updates for CentOS8, Almalinux 8, Rocky Linux, Ubuntu 20.04, CloudLinux 8 and CloudLinux 7h are also completed and are going to show up on feeds.

Update 11th March: Another batch of updates released for Ubuntu 18.04, Proxmox VE5 and Proxmox VE6.]

To understand the underlying flaw behind CVE-2022-0847, it is important that we first offer some brief information regarding CVE-2016-5195. “Dirty Cow” was possible because a race condition was found in the Copy-On-Write subsystem within the kernel. As a result, an unprivileged user could write in otherwise unreachable memory locations through this flaw. This would “dirty” those memory locations, hence the name. Moving from this to an elevation of privilege is a trivial operation for any properly motivated malicious actor, and in fact, that is precisely what happened. While “Dirty Cow” started as a local-only exploit, it was soon discovered that web servers that had the option to accept uploads from users could also be used as an attack vector. Hence, the vulnerability turned out to be remotely exploitable.

Fast forward a few years, and now IT teams are faced with “Dirty Pipe”, or CVE-2022-0847 if you think nicknaming vulnerabilities is not a very professional thing to do. As the name suggests, the flaw this time lies in the pipe handling code. Pipes are used as a way to pass information between processes. The most visible way pipes are used is when chaining commands, passing the output from one to the next through a “pipe”. Note that pipes can be created directly in code rather than simply used in the shell by an end-user or script.

It turns out that code introduced in this commit to the Linux Kernel “refactored” the way pipe flags (a way to control pipe behavior) are handled. You can read the extensive process behind the discovery of this vulnerability here.

Long story short, it became possible to write user-controlled content at an also user-controlled location in any file within the system (note that, since everything in a Linux system is technically a “file”, new variants of this vulnerability may introduce new, as-of-yet unknown behaviors). For example, introducing new content into /etc/shadow, or other, more subtle, ways of manipulating a system.

Since the exploit code is trivial, it is already widely available online (while not a deterrent, we try to refrain from posting direct links to exploit code on our blog). Because pipes are a basic functionality of the Kernel, the potential risk posed by this vulnerability is very high. It is also noteworthy that several variants have already been found, where the same flaw is used to abuse other system components rather than just writing directly to otherwise unwritable files. It is not that far-fetched to imagine that remotely exploitable attack vectors will surface in the coming days, just like they appeared for “Dirty Cow” in 2016.

For a quick check, customers might want to verify the kernel version in use. Kernels before 5.8, and those from 5.16.11, 5.15.25 and 5.10.102 onwards, are not affected. Whether other kernel versions are affected depends on each vendor's backporting policy, and those are currently being evaluated.
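As an added example (not TuxCare's or KernelCare's code), the following POSIX shell function turns the version ranges stated above into a quick classification of a kernel release string. It applies only the upstream ranges the post names; the three result labels and the handling of vendor suffixes are this example's own choices.

```shell
#!/bin/sh
# Added example, not TuxCare's or KernelCare's code: classify a kernel release
# string against the CVE-2022-0847 ("Dirty Pipe") ranges quoted in the post.
#   not_affected : before 5.8, or 5.10.102+, 5.15.25+, 5.16.11+ (upstream stable)
#   affected     : any other 5.8 .. 5.16.x release
#   check_vendor : newer series, unparsable strings, or anything outside the
#                  ranges the post names (vendor backports are still under review)
# Caveat from the post: vendor kernels (e.g. "5.15.0-25-generic", or 4.x
# kernels carrying the backported commit) are fixed or broken by their vendor's
# own backports, so for those treat the result as a prompt to read the vendor
# advisory rather than as a verdict.

dirty_pipe_status() {
    ver=${1%%-*}          # drop "-generic", "-rc7", "-el8" style suffixes
    ver=${ver%%+*}        # drop "+" local-version suffixes
    [ -n "$ver" ] || { echo check_vendor; return 0; }
    oldifs=$IFS
    IFS=.
    set -- $ver           # split major.minor.patch into $1 $2 $3
    IFS=$oldifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}

    # Anything non-numeric cannot be reasoned about from the string alone.
    case "$major$minor$patch" in
        *[!0-9]*) echo check_vendor; return 0 ;;
    esac

    if [ "$major" -lt 5 ]; then
        echo not_affected; return 0
    fi
    if [ "$major" -gt 5 ] || [ "$minor" -gt 16 ]; then
        echo check_vendor; return 0        # newer than the post's ranges
    fi
    if [ "$minor" -lt 8 ]; then
        echo not_affected; return 0        # the flawed commit landed in 5.8
    fi

    # Stable series with a fix release named in the post.
    case "$minor" in
        16) fixed=11 ;;
        15) fixed=25 ;;
        10) fixed=102 ;;
        *)  fixed= ;;
    esac
    if [ -n "$fixed" ] && [ "$patch" -ge "$fixed" ]; then
        echo not_affected
    else
        echo affected
    fi
    return 0
}

# Stand-alone use: report on the running kernel.
running=$(uname -r 2>/dev/null || echo unknown)
echo "kernel $running: $(dirty_pipe_status "$running")"
```

Run it as-is to classify the running kernel, or call `dirty_pipe_status` with a version string taken from a package manager listing; a `check_vendor` result is a prompt to consult the distribution's advisory, not a statement that the kernel is safe.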

Updates for RHEL 8, Oracle EL 8, CentOS8, Almalinux 8, Rocky Linux, Ubuntu 18.04, Ubuntu 20.04, Proxmox VE5, Proxmox VE6, CloudLinux 8 and CloudLinux 7h are now available for deployment through KernelCare Enterprise. Further patches are being prepared for other distributions. IT teams are strongly encouraged to patch this vulnerability as soon as possible. TuxCare’s patches for KernelCare Enterprise will be made available shortly, and this post will be updated to reflect the actual availability of these patches when each is released.

TuxCare’s KernelCare Enterprise is providing live patches for “Dirty Pipe” even when the original distribution vendor is not able to do so with their own live patching solution.

Through KernelCare Enterprise, receiving patches for this and other vulnerabilities can be done without disrupting running workloads or having to reboot systems. If you would like to know more about KernelCare Enterprise and other TuxCare products, please check here.

Thought Spectre is history? It’s still alive, and kicking

Cyber threats come and go, but some threats leave a lasting imprint due to their impact. Think of Spectre and the closely related Meltdown, for example, two of the most widely covered vulnerabilities in recent memory.

It is of course frustrating when a cyber threat simply refuses to go away, and even worse when it is a highly prominent vulnerability. That is turning out to be the case with Spectre, one of the most dangerous exploits of recent times. While patched systems are protected against Spectre, the nature of the Spectre patches and their impact on performance mean that a large number of systems have not been patched.


Identify, mitigate & prevent buffer overflow attacks on your systems

Buffer overflow vulnerabilities remain a common way in which cyber criminals gain illegal entry into computer systems. According to the National Vulnerability Database, there has been a steady increase in reported buffer overflow vulnerabilities over the decades, with 842 reported just last year.


Remote code execution attack: what it is, how to protect your systems

Cybercriminals use a range of strategies to target vulnerable systems, and remote code execution (RCE) attacks are one of the most common. Indeed, according to the 2020 Global Threat Intelligence Report from NTT, RCE attacks were the most common attack technique observed, followed by injection attacks.


The Hidden Costs of a Data Breach That Could Last Years

Software bugs and vulnerabilities often lead the way to massive security breaches via exploitation. These breaches impose heavy costs on the organization in well-known monetary fees and penalties, but there are also several unforeseen costs that affect the organization internally and publicly.


KernelCare Patches for Cross-layer Attack Have Been Released

A new vulnerability (CVE-2020-16166) in the Linux kernel's pseudo-random number generator (PRNG) was found by Amit Klein, vice president of security research at SafeBreach and a security researcher at Israel's Bar-Ilan University.

The vulnerability opens the door to cross-layer attacks, a new technique that raises the risk of DNS cache poisoning and can enable the unauthorized identification and tracking of Linux and Android devices.

KernelCare patches for Debian 10, Debian 8, Oracle Linux UEK 5 and 6, and Ubuntu 18.04 and 20.04 are already available. Patches for RHEL 8 and Oracle Linux UEK 4 will be released early next week.

KernelCare+ Patches For CVE-2020-1971 Are Here

Big news from the OpenSSL team: they have issued the fix for the new CVE-2020-1971, which causes server disruption via X509v3 certificate fields. The good news is that it cannot result in data theft; however, it can shut down your servers and paralyse the company's operations. OpenSSL 1.1.1 and 1.0.2 are affected by this issue. Other OpenSSL releases are out of support, have not been checked, and will in all likelihood not be addressed by the vendor.

Right now, the KernelCare Team is doing the delicate work of porting the vendor's 1.1.1 patches to v1.1.0 and enriching them with live patching technology. The rebootless patches for both supported and unsupported versions of OpenSSL will be delivered within 24 hours for CentOS 6 and 7, with patches for the remaining supported distributions released later this week.
