5. Android Malware Vultur Expansion:
6. WallEscape Vulnerability in util-linux (CVE-2024-28085):
7. Chaining N-days to Compromise All: Windows Kernel LPE (CVE-2024-XXXX):
On March 29th, 2024, alarming news surfaced in the realm of cybersecurity: malicious code had been found in XZ Utils, a compression library and tool shipped by every major Linux distribution, planting a backdoor that allowed unauthorized remote access through SSH. The discovery sent shockwaves through the Open Source Software (OSS) community, as XZ Utils had long been considered a trusted and rigorously vetted project.
The perpetrators behind this scheme demonstrated a sophisticated understanding of OSS development practices. They had posed as legitimate OSS contributors for several years and evaded detection with heavily obfuscated code, hidden in the build scripts of the release tarballs rather than in the public source tree. The malicious payload, embedded within versions 5.6.0 and 5.6.1 of XZ Utils, is loaded into the same process as the OpenSSH server (sshd) on distributions whose sshd links libsystemd, which in turn pulls in liblzma. By hooking the RSA public-key routine that OpenSSH calls during authentication, the attackers reserved remote access for adversaries holding a particular private key: a command hidden inside the public key of the SSH certificate presented at login is executed by sshd before authentication completes, effectively compromising the entire system.
The rapid response from the OSS community led to the swift detection of the malicious code, preventing widespread infection. However, the incident underscored the vulnerability of the software supply chain and highlighted the critical need for enhanced security measures.
Who is Affected by CVE-2024-3094?
The impact of CVE-2024-3094 varied across different Linux distributions:
How to Detect CVE-2024-3094
Detecting whether your system is vulnerable to CVE-2024-3094 starts with the installed version of xz. A quick check greps the version string out of the xz binary:
strings `which xz` | grep '5\.6\.[01]'
Any output indicates XZ Utils version 5.6.0 or 5.6.1. Note that this command only inspects the xz command-line tool; the backdoor itself lives in the liblzma shared library, so also confirm the version of the liblzma package through your package manager rather than relying on the binary alone.
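As an added example, not part of the original advisory: the Python below combines the version check above with the check that matters most on a running server, namely whether sshd has liblzma mapped into its address space at all, since the backdoor only activates inside the sshd process on distributions whose sshd links libsystemd. The /proc maps listing is constructed sample input; the library path, the PID, and the assumption that the server's process name is exactly "sshd" are this example's, not the advisory's.

```python
import os
import re
import subprocess

# Versions that shipped the backdoored liblzma (from the advisory above).
BACKDOORED_VERSIONS = {"5.6.0", "5.6.1"}

# Soname suffix as it appears in a mapped path, e.g. ".../liblzma.so.5.6.1".
_LIBLZMA_RE = re.compile(r"liblzma\.so\.(\d+\.\d+\.\d+)")


def liblzma_mappings(maps_text):
    """Distinct liblzma paths in a /proc/<pid>/maps listing (pathname is the 6th field)."""
    paths = []
    for line in maps_text.splitlines():
        fields = line.split(maxsplit=5)
        if len(fields) == 6 and "liblzma" in fields[5] and fields[5] not in paths:
            paths.append(fields[5])
    return paths


def version_from_path(path):
    m = _LIBLZMA_RE.search(path)
    return m.group(1) if m else None


def version_from_xz_output(text):
    """Version from the first line of `xz --version`, e.g. 'xz (XZ Utils) 5.6.1'."""
    first = text.splitlines()[0] if text else ""
    m = re.search(r"\(XZ Utils\) (\d+\.\d+\.\d+)", first)
    return m.group(1) if m else None


def is_backdoored(version):
    return version in BACKDOORED_VERSIONS


def audit_maps(maps_text):
    """(path, version, backdoored) for every liblzma a process has mapped."""
    return [(p, version_from_path(p), is_backdoored(version_from_path(p)))
            for p in liblzma_mappings(maps_text)]


def sshd_pids():
    """PIDs whose comm is 'sshd' (Linux /proc only; reading root's maps needs root)."""
    pids = []
    try:
        entries = os.listdir("/proc")
    except OSError:
        return pids
    for entry in entries:
        if entry.isdigit():
            try:
                with open(f"/proc/{entry}/comm") as f:
                    if f.read().strip() == "sshd":
                        pids.append(int(entry))
            except OSError:
                pass
    return pids


def audit_host():
    """Live check: xz version plus every liblzma mapped into a running sshd."""
    findings = []
    try:
        out = subprocess.run(["xz", "--version"], capture_output=True,
                             text=True, check=False).stdout
        v = version_from_xz_output(out)
        findings.append(("xz binary", v, is_backdoored(v)))
    except FileNotFoundError:
        findings.append(("xz binary", None, False))
    for pid in sshd_pids():
        try:
            with open(f"/proc/{pid}/maps") as f:
                for path, v, bad in audit_maps(f.read()):
                    findings.append((f"sshd[{pid}] maps {path}", v, bad))
        except OSError:
            continue
    return findings


# Constructed sample (not a real capture): two mappings of a backdoored library plus the stack.
SAMPLE_MAPS = (
    "7f1d2c000000-7f1d2c02a000 r--p 00000000 08:01 1234 /usr/lib/x86_64-linux-gnu/liblzma.so.5.6.1\n"
    "7f1d2c02a000-7f1d2c0a0000 r-xp 0002a000 08:01 1234 /usr/lib/x86_64-linux-gnu/liblzma.so.5.6.1\n"
    "7ffd4a3e0000-7ffd4a401000 rw-p 00000000 00:00 0 [stack]\n"
)

if __name__ == "__main__":
    for where, v, bad in audit_maps(SAMPLE_MAPS) + audit_host():
        print(f"{where}: liblzma {v} -> {'BACKDOORED' if bad else 'ok'}")
```

If sshd shows no liblzma mapping at all, the backdoor cannot run in that server even when a bad version is installed, which is why the upstream OpenSSH build (without the libsystemd patch) was never exposed; the library should still be downgraded.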
How to Remediate CVE-2024-3094
If your system is affected, immediate action is necessary. Options for remediation include:
In this post, we delve into the intricacies of escaping the Chrome sandbox by exploiting a critical Windows kernel vulnerability, CVE-2023-21674, a use-after-free in the NTOS kernel.
CVE-2023-21674 was the first Windows kernel vulnerability reported as exploited in the wild in 2023; it was fixed in the January 2023 Patch Tuesday release. Leveraging our threat intelligence service, Fermium-252, we have had access to both a Proof of Concept (PoC) and a working exploit for this vulnerability since January 2023.
Understanding Advanced Local Procedure Call (ALPC)
At the core of our exploit lies the Advanced Local Procedure Call (ALPC), a kernel inter-process communication mechanism introduced in Windows Vista. ALPC supports asynchronous, high-throughput message passing between processes, unlike the synchronous Local Procedure Call (LPC) it replaced in older Windows NT kernels, and it remains reachable from sandboxed processes such as Chrome renderers.
Key features of ALPC include:
Exploiting CVE-2023-21674: The Use-After-Free Vulnerability
The crux of our exploit lies in CVE-2023-21674, a use-after-free vulnerability in the ALPC code of the NTOS kernel. This class of bug arises when memory is accessed after it has been freed; if an attacker can reallocate the freed memory with controlled data before the stale access, the kernel operates on attacker-controlled state.
Attack Vector
Our exploit runs inside a sandboxed Chrome renderer process, which is allowed to talk to ALPC ports, and uses a carefully crafted sequence of ALPC operations to trigger the use-after-free in the kernel. Turning that into kernel-mode code execution escapes the Chrome sandbox and yields SYSTEM-level privileges on the operating system.
Implications
The successful exploitation of CVE-2023-21674 has severe implications for system security. Chained with a renderer bug, it lets a malicious web page escape the Chrome sandbox and execute code with kernel privileges, compromising sensitive data and system integrity.
Recent discoveries in cyber threat intelligence have unveiled a novel approach adopted by threat actors to conceal and deliver malicious payloads by manipulating Windows Shell Link binary files (.LNK shortcuts). These findings shed light on the evolving tactics of cyber adversaries and emphasize the importance of robust detection and mitigation for this file type.
Key Insights:
Detection and Mitigation:
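As an added example that is not part of the report above: a small parser for the Shell Link header and StringData section of a .lnk file, following the MS-SHLLINK layout, plus heuristics for the traits analysts look for in delivered shortcuts (a target that is a shell or script host, a window launched minimised, whitespace-padded or over-long arguments that the Properties dialog hides, and bytes appended after the link structure where a payload can be stashed). Both .lnk samples are constructed inline with the builder below; the heuristics and thresholds are this example's choices, not the report's findings.

```python
import struct

# Shell link header constants from the MS-SHLLINK layout (the header is 0x4C bytes).
HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that keeps the launched window minimised

STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION))
SCRIPT_HOSTS = ("cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe",
                "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe")


def _string_data(s):
    # CountCharacters (uint16) followed by UTF-16LE characters, no terminator
    return struct.pack("<H", len(s)) + s.encode("utf-16-le")


def build_lnk(relative_path, arguments, show_command=1, overlay=b""):
    """Minimal .lnk: header, RELATIVE_PATH + COMMAND_LINE_ARGUMENTS, terminal block, overlay."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH | HAS_ARGUMENTS
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    return header + _string_data(relative_path) + _string_data(arguments) + b"\0\0\0\0" + overlay


def parse_lnk(data):
    if (len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    link = {"show_command": struct.unpack_from("<I", data, 0x3C)[0]}
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:            # IDListSize (uint16) + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                      # LinkInfoSize (uint32) includes itself
        off += struct.unpack_from("<I", data, off)[0]
    for name, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]
        off += 2
        if flags & IS_UNICODE:
            link[name] = data[off:off + 2 * count].decode("utf-16-le", "replace")
            off += 2 * count
        else:  # ANSI strings use the system code page; cp1252 is an assumption here
            link[name] = data[off:off + count].decode("cp1252", "replace")
            off += count
    while off + 4 <= len(data):                    # ExtraData blocks end with BlockSize < 4
        size = struct.unpack_from("<I", data, off)[0]
        if size < 4:                               # TerminalBlock
            off += 4
            break
        off += size
    link["overlay"] = data[off:]                   # anything after the structure is an overlay
    return link


def suspicious_traits(link):
    """Heuristics analysts apply to delivered .lnk files; thresholds are this example's."""
    traits = []
    target = link.get("relative_path", "").lower().replace("/", "\\")
    args = link.get("arguments", "")
    if target.split("\\")[-1] in SCRIPT_HOSTS:
        traits.append("target is a shell or script host")
    if link["show_command"] == SW_SHOWMINNOACTIVE:
        traits.append("window launched minimised (SW_SHOWMINNOACTIVE)")
    if len(args) - len(args.lstrip()) >= 64:
        traits.append("arguments padded with leading whitespace")
    if len(args) > 260:
        traits.append("arguments longer than the Properties dialog shows")
    if link["overlay"]:
        traits.append(f"{len(link['overlay'])} bytes appended after the link structure")
    return traits


# Constructed samples (no real payload): a padded cmd.exe launcher with an overlay, and a document link.
MALICIOUS_SAMPLE = build_lnk("..\\..\\..\\Windows\\System32\\cmd.exe",
                             " " * 120 + "/c echo constructed-sample > %TEMP%\\x.txt",
                             show_command=SW_SHOWMINNOACTIVE,
                             overlay=b"constructed-overlay-bytes")
BENIGN_SAMPLE = build_lnk("..\\Documents\\report.docx", "")

if __name__ == "__main__":
    for label, blob in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, suspicious_traits(parse_lnk(blob)))
```

Real shortcuts usually also carry a LinkTargetIDList and LinkInfo, which the parser skips by size; for triage at scale the same traits can be fed into a YARA rule or an e-mail gateway filter, and a .lnk arriving inside an archive from outside the organisation is a signal on its own.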
The notorious Android banking malware, Vultur, has recently undergone significant upgrades, with its authors introducing new technical features that enhance their ability to remotely interact with infected devices. These enhancements include advanced capabilities such as file management, control over Accessibility Services, and circumvention of security measures like Keyguard. Additionally, Vultur has adopted sophisticated evasion techniques, including encryption of its command-and-control (C2) communication and masquerading as legitimate applications to conceal its malicious activities.
Key Takeaways:
Vultur, a pioneering Android banking malware, has long been recognized for its screen recording capabilities and keylogging functionalities, primarily targeting banking applications for illicit gains. Initially discovered in March 2021, Vultur has since evolved, demonstrating connections with other malware families and adopting sophisticated distribution techniques.
Infection Chain:
Vultur employs a hybrid attack strategy involving SMS messages and phone calls to deceive victims into installing the malware. The dropper, disguised as a modified version of the McAfee Security app, delivers three payloads to the infected device, each enhancing the malware’s control and surveillance capabilities.
New Features in Vultur:
The latest iteration of Vultur introduces several notable enhancements:
The Middle East serves as a prominent target for Advanced Persistent Threat (APT) groups due to its strategic significance in global affairs and its rapidly growing technological landscape. With a flourishing economy fueled by natural resource extraction, particularly oil production, alongside an expanding industrial sector and extensive government infrastructure, the region presents a lucrative target for adversaries seeking to exploit vulnerabilities in information systems.
APT Groups’ Interest in the Middle East
Our analysis has uncovered a substantial volume of successful cyberattacks on Middle Eastern countries, with over 80% being targeted assaults. The primary motivation for these attacks is the theft of valuable information, ranging from personal data and login credentials to confidential corporate documents. Dark web markets frequently feature discussions around these pilfered assets, highlighting their desirability among cybercriminals.
Targeted Industries
Top-ranking industries subjected to APT attacks include government institutions, energy sectors, military-industrial complexes, media outlets, and telecommunications. These sectors, crucial to the region’s stability and economic prosperity, attract the attention of cyber adversaries seeking political, economic, and military advantages.
Techniques Employed by APT Groups
Pre-Attack Preparation
APT groups meticulously prepare for their campaigns, conducting extensive reconnaissance to identify potential vulnerabilities and suitable targets. Techniques such as network scanning, gathering employee information, and reconnaissance on social media platforms enable attackers to tailor their attacks for maximum impact.
A newly disclosed vulnerability, CVE-2024-28085, known as "WallEscape," affects the wall command in the util-linux package. It poses a significant risk on Linux distributions such as Ubuntu and Debian, where it can be used to phish users' passwords or alter their clipboard.
CVE-2024-28085, dubbed WallEscape by the security researcher who found it, Skyler Ferrante, stems from improper neutralization of escape sequences in wall's command-line arguments: text given on the command line is written to other users' terminals unfiltered, so terminal control sequences embedded in it are interpreted rather than displayed. The flaw was introduced in a commit from August 2013.
Impact
The vulnerability allows unprivileged users to inject arbitrary text, including escape sequences, onto other users' terminals, provided that the target user has messaging enabled (mesg set to "y") and wall is installed setgid to the tty group. This opens the door to exploitation scenarios such as clearing the screen and presenting a fake sudo prompt to capture a password, or altering the clipboard through escape sequences on terminals that support it.
Affected Systems
Ubuntu 22.04 and Debian Bookworm are confirmed to be vulnerable, as they meet the criteria of having mesg set to “y” and wall command setgid permissions. However, CentOS is not susceptible to this vulnerability, as the wall command does not have setgid permissions.
Exploitation and Mitigation
Exploiting CVE-2024-28085 can lead to severe consequences, such as leaking user passwords and unauthorized clipboard alterations. To mitigate this vulnerability, users are strongly advised to update util-linux to version 2.40 or later. Until then, removing the setgid bit from the wall binary (chmod g-s) or disabling messaging with mesg n closes the attack path at the cost of broadcast messages.
Detection and Indicators
On Ubuntu 22.04, an unexpected or malformed sudo password prompt may indicate an attack, as may the user's own password turning up in their shell history (typed into a fake prompt, it is read by the shell rather than by sudo). It is crucial for users to remain vigilant and promptly update their systems to prevent exploitation.
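As an added example, not from the advisory: the Python below constructs the kind of message described above (a screen clear that hides wall's banner, a fake sudo prompt, and an OSC 52 clipboard write), flags the terminal control sequences in it, neutralizes them with caret notation (the approach is this example's, not necessarily what util-linux 2.40 implements), and checks the two preconditions on the local host, a setgid wall binary and a group-writable tty. The clipboard payload is a harmless placeholder.

```python
import base64
import os
import re
import shutil
import stat

# Terminal control sequences: CSI = ESC [ params intermediates final; OSC = ESC ] text (BEL or ESC \)
CSI_RE = re.compile(r"\x1b\[[0-?]*[ -/]*[@-~]")
OSC_RE = re.compile(r"\x1b\](.*?)(?:\x07|\x1b\\)", re.S)


def find_escape_sequences(text):
    """(kind, raw) for every CSI/OSC sequence; OSC 52 is the clipboard-write case."""
    found = [("CSI", m.group(0)) for m in CSI_RE.finditer(text)]
    for m in OSC_RE.finditer(text):
        kind = "OSC52-clipboard" if m.group(1).startswith("52;") else "OSC"
        found.append((kind, m.group(0)))
    return found


def neutralize(text):
    """Render control bytes visibly (caret notation, as `cat -v` does) so the terminal prints
    them instead of interpreting them. Newline and tab are kept because wall relies on them."""
    out = []
    for ch in text:
        code = ord(ch)
        if ch in "\n\t":
            out.append(ch)
        elif code < 0x20:
            out.append("^" + chr(code + 0x40))      # ESC (0x1b) becomes ^[
        elif code == 0x7F:
            out.append("^?")
        elif 0x80 <= code < 0xA0:                    # C1 controls, e.g. 0x9b is the 8-bit CSI
            out.append("M-^" + chr(code - 0x80 + 0x40))
        else:
            out.append(ch)
    return "".join(out)


def wall_is_exposed(wall_path=None, tty_path=None):
    """True when both preconditions from the advisory hold: wall is setgid and the caller's
    tty is group-writable (what `mesg y` sets). Paths are looked up on the host unless given."""
    wall_path = wall_path or shutil.which("wall")
    if wall_path is None:
        return False
    try:
        setgid = bool(os.stat(wall_path).st_mode & stat.S_ISGID)
        tty_path = tty_path or os.ttyname(0)
        mesg_y = bool(os.stat(tty_path).st_mode & stat.S_IWGRP)
    except OSError:
        return False
    return setgid and mesg_y


# Constructed attacker message: clear the screen (hiding wall's banner), print a fake sudo
# prompt, then write a command into the clipboard with OSC 52. The payload is a placeholder.
CRAFTED = ("\x1b[2J\x1b[H"
           + "[sudo] password for user: "
           + "\x1b]52;c;" + base64.b64encode(b"echo constructed-sample").decode() + "\x07")

if __name__ == "__main__":
    for kind, raw in find_escape_sequences(CRAFTED):
        print(f"{kind:16} {raw!r}")
    print("neutralized:", neutralize(CRAFTED))
    print("wall exposed on this host:", wall_is_exposed())
```

The neutralizer keeps newline and tab because wall's own output depends on them; everything else below 0x20, DEL, and the C1 range is made visible, which is the property a fixed wall needs regardless of how it spells the replacement.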
A Proof-of-Concept (PoC) exploit for CVE-2024-1086 has been published, capable of escalating privileges locally on most Linux kernels between versions 5.14 and 6.6. With a reported success rate of 99.4% against Google's kernelCTF images, and default settings tuned for Debian and Ubuntu kernels, it poses a significant threat to systems running affected versions.
Exploit Details
The exploit, documented in the comprehensive "Flipping Pages" write-up, targets a use-after-free (double free) in the netfilter nf_tables subsystem that is present in mainline kernels from version 3.15 up to the fix in 6.8-rc1. The PoC itself supports versions 5.14 through 6.6; stable releases that carry the backported fix (v5.15.149 and later, v6.1.76 and later, v6.6.15 and later) are not affected.
Caveats
Several caveats must be considered when utilizing the exploit:
Usage
The default configuration settings are suitable for Debian, Ubuntu, and KernelCTF environments. Users should verify that kernel configurations match the target system if operating on untested distributions.
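As an added example, not part of the PoC or its write-up: a kernel-version pre-filter encoding the ranges stated above. Anything beyond those numbers is an assumption, and the check is deliberately only a pre-filter: distribution kernels such as Ubuntu's 5.15.0-NNN or Debian's 6.1.0-N backport fixes without changing the upstream version string, so a "vulnerable" verdict must be confirmed against the distribution's advisory, and the caveat above stands that the PoC also depends on the kernel configuration. The sample release strings are constructed.

```python
import platform
import re

# Version ranges as stated in the PoC write-up; everything else here is an assumption.
UPSTREAM_FIRST = (3, 15, 0)          # bug introduced in v3.15
UPSTREAM_FIXED = (6, 8, 0)           # fixed in v6.8-rc1, so any 6.8 tree is clean
POC_FIRST, POC_LAST_SERIES = (5, 14, 0), (6, 6)
FIXED_STABLE = {(5, 15): 149, (6, 1): 76, (6, 6): 15}   # first patched release per branch

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc\d+)?")


def parse_kernel_version(release):
    """'6.6.14-amd64' -> (6, 6, 14); '6.8-rc1' -> (6, 8, 0). Distro suffixes are ignored."""
    m = _VERSION_RE.match(release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def in_patched_stable_branch(v):
    first_fixed = FIXED_STABLE.get(v[:2])
    return first_fixed is not None and v[2] >= first_fixed


def classify(release):
    """Pre-filter only: Ubuntu (5.15.0-NNN) and Debian (6.1.0-N) kernels backport the fix
    without bumping the upstream version, so 'vulnerable' needs confirmation from the
    distribution advisory; a 'fixed' verdict from the upstream number is reliable."""
    v = parse_kernel_version(release)
    upstream_vulnerable = (UPSTREAM_FIRST <= v < UPSTREAM_FIXED
                           and not in_patched_stable_branch(v))
    poc_supported = upstream_vulnerable and POC_FIRST <= v and v[:2] <= POC_LAST_SERIES
    return {"release": release, "version": v,
            "upstream_vulnerable": upstream_vulnerable, "poc_supported": poc_supported}


# Constructed sample releases covering the boundaries in the text.
SAMPLE_RELEASES = ["5.13.19", "5.14.0", "5.15.148", "5.15.149-generic", "6.1.75",
                   "6.1.76-1-amd64", "6.6.14", "6.6.15", "6.7.1", "6.8-rc1", "6.8.0"]

if __name__ == "__main__":
    for rel in SAMPLE_RELEASES + [platform.release()]:
        try:
            r = classify(rel)
        except ValueError as err:
            print(err)
            continue
        print(f"{rel:20} upstream_vulnerable={r['upstream_vulnerable']!s:5} "
              f"poc_supported={r['poc_supported']}")
```

Stable branches other than the three listed also received the fix; the table above only encodes what the text states, so extend FIXED_STABLE from the kernel changelogs before relying on it for a fleet.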
Recent investigations by security researcher Andres Freund have unveiled a critical security vulnerability affecting the upstream XZ repository, specifically within the liblzma component. This vulnerability, present in versions 5.6.0 and 5.6.1, involves a backdoor injected into the distributed tarballs, potentially leading to the compromise of systems where affected versions are installed.
Background: Andres Freund noticed anomalous behavior in Debian sid installations involving liblzma, such as excessive CPU usage during SSH logins and valgrind errors. Upon further analysis, he discovered that the upstream XZ repository and its associated tarballs had been compromised, allowing threat actors to inject malicious code.
Details of the Compromise: The compromised release tarballs contain an obfuscated script injected into the configure process, which modifies the Makefile of liblzma under certain conditions. This modification includes executing a script that ultimately leads to the injection of malicious code into the system.
Impact and Observations: The injected code targets x86-64 Linux systems built with glibc. It gains control through GNU IFUNC resolver functions that liblzma registers at load time, and it performs a series of environment checks (among them, that it is running inside sshd) before activating. On sshd builds that link libsystemd, and therefore liblzma, the backdoor's hooks were what made SSH logins noticeably slower, which is the symptom that led to its discovery.
Detection and Mitigation:
Recommendations: