
Evil Corp-Affiliated Truebot Malware Changes its Strategy to Target RCEs and USBs


A growing number of devices are being infected by the threat group Silence with the Truebot malware. The information was discovered by Cisco Talos analysts, who also hypothesized a link between Silence and notorious hacker outfit Evil Corp (tracked by Cisco as TA505). 

In an advisory released last week, the security firm claims that the campaign it tracked led to the development of two botnets, one with infections spread over the globe (especially in Mexico and Brazil), and the other more recently targeted at the US. 

"We detected a number of compromised education sector organizations, albeit we do not have enough information to determine that there is a specific concentration on a sector," the advisory reads. 

Tiago Pereira, a security researcher with Cisco Talos, thinks that Truebot is a precursor to other dangers that are known to have been behind attacks that resulted in significant losses. 

The attackers show agility in adopting new delivery methods, so readers should think of this as the first phase of what might be a severe attack, Pereira advised. 

Additionally, Cisco Talos added that Silence is moving away from utilizing infected emails as its main mode of delivery and toward new approaches. This is in addition to increasing its targets. 

"A greater percentage of attacks used Raspberry Robin, contemporary malware disseminated via USB devices, as a delivery mechanism in October. We have a mediocre degree of confidence that the attackers began using yet another method to spread the virus in November," the researchers added.

Additionally, according to the technical write-up, post-compromise activities involved data theft and the deployment of the Clop ransomware. 

We discovered what appears to be a completely functional proprietary data exfiltration tool, which we are calling "Teleport," that was heavily used to steal information during one of these attacks while we were studying it. 

The data exfiltration process was made better by Teleport's many capabilities, which included limiting upload speed and file size, encrypting connections with a unique protocol, and having the ability to erase itself after use. Teleport was created in C++. 

A very recent Netwrix vulnerability (tracked as CVE-2022-31199) was also exploited by Silence while Cisco Talos was conducting its study. 

"This vulnerability had just recently been published, only a few weeks before the attacks, and the number of systems exposed via the internet is believed to be fairly modest," the researchers concluded.

This implies that the attackers are not only on the lookout for new infection vectors but are also quick to test them and incorporate them into their workflow. The malware tools mentioned above were not first used by the Silence threat group: according to a Microsoft advisory from October, Raspberry Robin was connected to the Clop and LockBit ransomware groups.

CISA Alerts on Serious Flaws in Industrial Equipment & Infrastructure


According to the US government's CISA and private security researchers, 56 vulnerabilities have been discovered in industrial operational technology (OT) systems from ten global manufacturers, including Honeywell, Ericsson, Motorola, and Siemens, putting more than 30,000 devices worldwide at risk. 

Some of these flaws received CVSS severity ratings as high as 9.8 out of 10. This is especially unfortunate given that these devices are employed in vital infrastructure throughout the oil and gas, chemical, nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining, and construction and automation industries. 

Remote code execution (RCE) and firmware vulnerabilities are the most serious security problems. If exploited, these flaws might allow criminals to shut down electricity and water infrastructure and damage the food supply. This is not to claim that all or any of these situations are practically achievable; rather, these are the kind of devices and processes involved. 

Forescout's Vedere Labs uncovered the flaws in devices produced by 10 vendors and used by the security firm's customers and termed them OT:ICEFALL. As per the researchers, the vulnerabilities affect at least 324 enterprises worldwide – a figure that is likely to be far higher in reality because Forescout only has access to its own clients' OT devices. In addition to the previously mentioned firms, the researchers discovered weaknesses in Bently Nevada, Emerson, JTEKT, Omron, Phoenix Contact, and Yokogawa devices.

OT Devices are insecure by design

The majority of issues are found in level 1 and level 2 OT devices. Physical processes are controlled by level 1 devices such as programmable logic controllers (PLCs) and remote terminal units (RTUs), whereas level 2 devices include supervisory control and data acquisition (SCADA) and human-machine interface systems.

In addition to the 56 highlighted in a Vedere report today, the threat-hunting team uncovered four more that are still being kept under wraps owing to responsible disclosure. One of the four allows an attacker to compromise credentials, two let an attacker change the firmware of OT systems, and the fourth is an RCE via a memory-write flaw. 

Many of these flaws are the consequence of OT products' "insecure-by-design" build, according to Forescout's head of security research Daniel dos Santos. Several OT devices lack fundamental security protections, making them simpler for criminals to exploit, he said. 

Since that earlier analysis, "there have been real-world real incidents, real malware that has abused insecure-by-design functionality of devices to cause disruption and physical damage, like Industroyer in Ukraine in 2016, or Triton in the Middle East in 2017. One instance of insecure-by-design is unauthenticated protocols. So basically, whenever you interact with the device you can call sensitive functions on the device, invoke this function directly without it asking for a password," dos Santos stated.

The security researchers found nine vulnerabilities related to protocols that have no authentication on them: CVE-2022-29953, CVE-2022-29957, CVE-2022-29966, CVE-2022-30264, CVE-2022-30313, CVE-2022-30317, CVE-2022-29952 and CVE-2022-30276. 

The majority of these may be used to download and run firmware and logic on other people's devices, resulting in RCEs, or to trigger shutdowns and reboots that create denial-of-service conditions. In an ideal world, equipment employing these protocols is not linked to computers and other systems in such a way that a network intruder may abuse them. 
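The "insecure by design" pattern dos Santos describes is easier to see in code than in prose. The following is an added illustration, not code from Forescout, the article, or any of the affected vendors: a toy text-based device protocol whose handler dispatches every command it receives (so logic loading and reboot are reachable by anyone who can talk to the port), beside a hardened handler that gates the sensitive functions behind an HMAC challenge-response while leaving read-only status queries open. The message format, command names, key and device model are all constructed for the example.

```python
"""Added example: an 'insecure by design' OT-style command handler beside
an authenticated one. Everything here (wire format, commands, key) is invented
for illustration and is not any real vendor protocol."""
import hmac
import secrets
from dataclasses import dataclass, field

# Sensitive functions the article names: loading logic/firmware and reboot.
SENSITIVE = {"LOAD_LOGIC", "WRITE_FIRMWARE", "REBOOT"}


@dataclass
class Device:
    """Minimal stand-in for a PLC/RTU: a run state, loaded logic, and an audit trail."""
    state: str = "RUNNING"
    logic: str = "original"
    audit: list = field(default_factory=list)

    def execute(self, cmd, arg):
        self.audit.append(cmd)
        if cmd == "READ_STATUS":
            return f"OK {self.state} logic={self.logic}"
        if cmd == "LOAD_LOGIC":
            self.logic = arg
            return "OK logic loaded"
        if cmd == "WRITE_FIRMWARE":
            return "OK firmware written"
        if cmd == "REBOOT":
            self.state = "REBOOTING"
            return "OK rebooting"
        return "ERR unknown command"


def parse(message):
    """Constructed wire format: 'CMD[ ARG]' as plain text, one message per call."""
    parts = message.strip().split(" ", 1)
    return parts[0].upper(), (parts[1] if len(parts) > 1 else "")


def insecure_handler(device, message):
    """Insecure by design: whatever arrives on the socket is executed.
    Any peer that can reach the port can load logic or reboot the device."""
    cmd, arg = parse(message)
    return device.execute(cmd, arg)


class AuthenticatedHandler:
    """Hardened variant: sensitive commands require a session established by
    an HMAC challenge-response; read-only commands stay available."""

    def __init__(self, device, key):
        self.device = device
        self.key = key          # shared secret provisioned out of band
        self.challenge = None   # outstanding nonce, if any
        self.authenticated = False

    def handle(self, message):
        cmd, arg = parse(message)
        if cmd == "AUTH_START":
            self.challenge = secrets.token_hex(16)  # fresh nonce per attempt
            return f"CHALLENGE {self.challenge}"
        if cmd == "AUTH_RESPONSE":
            ok = False
            if self.challenge is not None:
                expected = client_response(self.key, self.challenge)
                ok = hmac.compare_digest(expected, arg)  # constant-time compare
            self.challenge = None  # a nonce is usable exactly once
            if ok:
                self.authenticated = True
                return "OK authenticated"
            return "ERR authentication failed"
        if cmd in SENSITIVE and not self.authenticated:
            return "ERR authentication required"
        return self.device.execute(cmd, arg)


def client_response(key, challenge):
    """What a legitimate engineering workstation sends back for a challenge."""
    return hmac.new(key, challenge.encode(), "sha256").hexdigest()


if __name__ == "__main__":
    plc = Device()
    print(insecure_handler(plc, "REBOOT"))            # executes unconditionally
    plc2 = Device()
    h = AuthenticatedHandler(plc2, b"provisioned-key")
    print(h.handle("REBOOT"))                          # ERR authentication required
    nonce = h.handle("AUTH_START").split()[1]
    print(h.handle("AUTH_RESPONSE " + client_response(b"provisioned-key", nonce)))
    print(h.handle("LOAD_LOGIC new-program"))          # now permitted
```

The point of the hardened handler is not the particular MAC but where the check sits: every sensitive function passes through one gate, the nonce is single-use, and a failed response discards the challenge rather than letting the peer retry against the same value. The article's remediation advice still applies on top of this: a device that cannot be patched to add such a gate should not be reachable from corporate networks or the internet at all.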

Credential compromise: Most common issue

Five of the flaws were noted more than once by Vedere Labs because they had various possible consequences. More than a third of the 56 vulnerabilities (38%) can be exploited to compromise user login credentials, while 21% might allow a criminal to change the firmware if exploited, and 14% are RCEs. 

Other vulnerability categories include denial of service and configuration manipulation (eight percent), authentication bypass (six percent), file manipulation (three percent), and logic manipulation (two percent). 

Fixing these security flaws will be difficult, according to the researchers, since they are the consequence of OT products being vulnerable by design, or because they need modifications in device firmware and supported protocols. 

As a result, they did not reveal all of the technical information for the faulty OT devices, which explains the lack of depth. They did, however, advise users to read each vendor's security advisory, which is expected to be released today or soon. Furthermore, where possible, the security shop suggests disconnecting OT and industrial control system networks from corporate networks and the internet.