Ankura CTIX FLASH Update - September 9, 2022
Moobot Botnet Exploits Various D-Link Vulnerabilities to Gain Additional DoS Attack Bots
"Moobot", a variant of the Mirai botnet, has been observed by Unit 42 recruiting vulnerable D-Link devices into a swarm of denial-of-service (DoS) bots through multiple exploits. D-Link is a Taiwanese multinational network equipment manufacturer with two (2) critical flaws from 2022 that are currently being exploited and were added by CISA to its Known Exploited Vulnerabilities Catalog in April 2022. Moobot was first discovered in September 2019 and has previously targeted LILIN digital video recorders as well as Hikvision video surveillance products. In early August 2022, Unit 42 researchers discovered a new wave of attacks using the following four (4) vulnerabilities in D-Link devices:
CVE-2015-2051: A D-Link HNAP SOAPAction header command execution vulnerability. Published on February 23, 2015, with a CVSS v2.0 score of 10/10.
CVE-2018-6530: A D-Link SOAP interface remote code execution vulnerability. Published on March 6, 2018, with a CVSS v3.0 score of 9.8/10.
CVE-2022-26258: A D-Link remote code execution vulnerability. Published on March 27, 2022, with a CVSS v3.0 score of 9.8/10.
CVE-2022-28958: A D-Link remote code execution vulnerability. Published on May 18, 2022, with a CVSS v3.0 score of 9.8/10.
Moobot's attack chain begins with exploiting the listed vulnerabilities to gain remote code execution on the victim device. The bot then downloads the malware binary, which decodes its hard-coded command-and-control (C2) address from the malware's configuration. Finally, the compromised device registers with the threat actor's C2 server and is used to launch DoS attacks. The C2 server in this wave differs from those in past reports, indicating a refresh of Moobot's infrastructure. Moobot targets networking devices running Linux. Researchers noted that, at the time they analyzed the downloaded sample, the C2 server was offline. They also stressed that the listed vulnerabilities have low attack complexity but critical security impact, so all users of D-Link products should ensure their devices are running current, patched firmware. A more technical explanation of the attack chain, along with indicators of compromise, is available in Unit 42's report linked below.
Threat Actor Activity
Threat Profile: Vice Society
A recent joint alert from the Cybersecurity & Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Multi-State Information Sharing & Analysis Center (MS-ISAC) warned of an expanding threat organization tracked as Vice Society. The warning came days after the Los Angeles Unified School District was reportedly hit with a massive ransomware attack over Labor Day weekend, for which Vice Society has claimed responsibility. Vice Society is a known double-extortion group that has been active for just over a year. In that time, Vice Society actors have deployed modified versions of the Hello Kitty and Zeppelin ransomware variants, exploited the PrintNightmare vulnerabilities CVE-2021-1675 and CVE-2021-34527, and targeted education institutions with ransomware attacks. Typically, these actors first exploit public-facing applications, perform network reconnaissance, and escalate privileges to gain access to domain administrator accounts. Additionally, Vice Society actors deploy payloads configured to change the credentials of network accounts in order to hinder remediation efforts. While most threat groups hesitate to claim responsibility for attacks on education institutions, Brett Callow states "they seem to be Vice Society's primary targets". CTIX will continue to monitor the activity of Vice Society and other threat organizations worldwide and provide additional updates accordingly.
Lazarus Campaign Targets Global Energy Industry
A new campaign by the notorious Lazarus Group is targeting energy organizations globally, including in the United States, Japan, and Canada. Lazarus is a North Korean state-backed threat group that has been active for well over a decade and specializes in cyber espionage, data theft, and destructive attacks for financial gain. Over its history Lazarus has targeted major corporations, including Sony Pictures in November 2014, and has run operations tracked as Operation Troy, Operation Flame, and Ten Days of Rain. In this new campaign, the actors exploit Log4j vulnerabilities in VMware Horizon and deploy the VSingle, YamaBot, and MagicRAT malware families for reconnaissance, lateral movement through the network, data exfiltration, credential harvesting, and disabling of anti-virus software. Several indicators of compromise from this campaign point back to known Lazarus servers hosting the actor's payloads, and the observed tactics and techniques match those seen in previous Lazarus campaigns. While the victims of the campaign have not been officially disclosed, CTIX urges organizations in the energy sector to monitor for suspicious activity and for the indicators of compromise listed in the article below. CTIX analysts continue to monitor threat actor activity worldwide and will provide additional context accordingly.
Zyxel NAS Devices Vulnerable to Critical Remote Code Execution
The networking device manufacturer Zyxel has released a security advisory urging customers to patch a critical zero-day vulnerability affecting three (3) models of its network-attached storage (NAS) devices. The flaw, tracked as CVE-2022-34747, is an externally controlled format string vulnerability in a Zyxel NAS binary: the software passes data to a function as its format string, and that data can originate from a source outside the target network, so the remote sender rather than the program dictates the format directives. If exploited, an attacker could send a maliciously crafted UDP packet to a vulnerable device and perform unauthorized remote code execution (RCE). The flaw poses a considerable risk to public-facing devices and their networks; it received a CVSS score of 9.8/10 because the attack is low complexity and bypasses authentication. Once exploited, attackers could elevate their privileges, giving them full rein to move laterally across the network, steal sensitive data, delete databases, encrypt them with ransomware, or download other malware. The affected Zyxel NAS devices are models NAS326, NAS540, and NAS542 running firmware versions prior to V5.21(AAZF.11), V5.21(AATB.8), and V5.21(AATB.8), respectively. Zyxel recommends that all customers running affected NAS devices ensure they are on the newest firmware version. RCE attacks against NAS devices are becoming increasingly common: just days before this flaw was disclosed, NAS manufacturer QNAP patched critical vulnerabilities that were being actively exploited to deploy DeadBolt ransomware on its own products. As a best practice, CTIX analysts recommend that administrators keep NAS devices off the public internet unless absolutely necessary, set strong passwords for all user accounts, and maintain regular device backups.
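To make the bug class concrete, the following is an added illustration (not Zyxel's code, and not derived from the vulnerable binary) of the pattern the advisory describes: a logging routine that hands externally supplied data to printf as the format argument, shown beside the hardened form and a small directive-counting check a packet handler could apply before logging. The variable names, the "pkt:" prefix and the sample strings are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* VULNERABLE: the remote sender's data is interpreted as the format string, so
   directives such as "%x", "%s" or "%n" inside the packet steer printf into
   reading (or with "%n", writing) memory it was never meant to touch.
   Hypothetical function; never call it with untrusted input. */
void log_packet_vulnerable(const char *msg)
{
    printf(msg);            /* format controlled by whoever sent the packet */
    putchar('\n');
}

/* HARDENED: the format is a constant literal and the untrusted data is only
   ever a %s argument, so any directives inside it are printed as plain text. */
void log_packet_safe(const char *msg)
{
    printf("%s\n", msg);
}

/* Counts '%' conversion directives in untrusted input. A hostname or device
   name has no business containing "%n" or "%08x", so a non-zero count is a
   useful alert condition in a handler. An escaped "%%" is not counted. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {  /* literal percent sign */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

/* Renders untrusted data the safe way into a caller-supplied buffer.
   Returns the number of bytes written (excluding the NUL), or -1 if the
   buffer was too small (snprintf truncation is reported, never ignored). */
int render_safe(char *out, size_t outlen, const char *msg)
{
    int n = snprintf(out, outlen, "pkt: %s", msg);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return n;
}

/* Convenience check: does the safe rendering of msg equal expected? */
int render_safe_equals(const char *msg, const char *expected)
{
    char buf[128];
    if (render_safe(buf, sizeof buf, msg) < 0)
        return 0;
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    const char *untrusted = "%x %x %n";   /* constructed hostile input */
    printf("directives in input: %d\n", count_format_directives(untrusted));
    log_packet_safe(untrusted);           /* prints the text verbatim */
    log_packet_vulnerable("plain text");  /* safe only because no '%' present */
    return 0;
}
```

The difference between the two log functions is a single argument position; compilers flag the vulnerable shape with -Wformat-security, which is worth enabling as an error in firmware builds.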
HP Support Assistant Vulnerable to High Severity Privilege Escalation Attacks
The computer manufacturer HP has published a security advisory warning customers of a high-severity vulnerability in its pre-installed technical support tool, HP Support Assistant. HP Support Assistant uses Fusion to launch the HP Performance Tune-up diagnostic tool, and the vulnerability allows privilege escalation when Fusion launches HP Performance Tune-up from within HP Support Assistant. If exploited, an attacker with access to a vulnerable device could escalate to SYSTEM and carry out malicious activity with SYSTEM-level privileges. The vulnerability, tracked as CVE-2022-38395, is described as a DLL hijacking flaw: the attacker places a DLL carrying malicious code in the same folder as HP Support Assistant. The attack works because Windows' default DLL search order consults the application's own directory before the System32 directory, so the planted library is loaded instead of the legitimate one. When the library is loaded on launch of HP Performance Tune-up, the malicious code executes with the elevated SYSTEM privileges of HP Support Assistant. Although many devices ship with HP Support Assistant pre-installed and the exploit is low complexity, the flaw received a CVSS score of 8.2/10 because the attacker must first gain access to the vulnerable system. CTIX analysts recommend that all HP users update to the latest stable firmware as soon as possible to prevent exploitation.
"GIFShell" Technique Allows Command and Control Using Microsoft Teams GIFs
A novel attack technique discovered by penetration tester Bobby Rauch allows data exfiltration and command and control using GIFs sent through Microsoft Teams. The technique, dubbed "GIFShell," chains multiple Microsoft Teams flaws to achieve this. The flaws were discovered and reported to Microsoft in May and June 2022 but did not "meet [Microsoft's] 'bar for servicing'" and as such did not receive a fix. The attack starts when a victim executes a malicious stager written in PowerShell. The malware creates a new Teams tenant so that Teams users from outside the victim's organization can open chats with the victim, a setting that is disabled in most organizations. The attacker then sends a Teams Card with an embedded GIF. Teams Cards are a feature that lets Teams messages carry complex user interfaces, such as a survey box; they also create a webhook through which the user can send data back to Teams, for example to answer the survey's question. Microsoft Teams automatically renders GIFs embedded in a Teams Card, which requires Teams to download the GIF from an external server. With GIFShell, the malicious GIFs are hosted on the threat actor's server and carry base64-encoded commands, which the malware then executes. The GIFShell malware continually scans the user's Teams chat logs for the message. The output of the executed command is then encoded and returned to the attacker in an HTTP request whose file name is the encoded data with a .gif extension. The whole process gives a two-way data channel between the threat actor and the victim. This technique has a clear advantage over simpler communication methods for command and control: GIFShell lets the threat actor route all data through Microsoft Teams and Microsoft's servers.
Teams is a known-good application in almost every organization and is treated as trusted by most endpoint and network detection software. Mitigations for this communication channel include turning off the default external access settings in the Teams Admin Center, monitoring for unusual access to Teams log files, and attempting to detect anomalous requests to Microsoft Teams URLs. The researcher has released a full tutorial on how to replicate the technique, though no malware has been seen using it in the wild. Microsoft has stated that the flaws used in the GIFShell attack may be patched in future versions. CTIX analysts will continue to monitor this technique and the associated flaws and will report on any future developments.
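As an added example of the third mitigation above, the following is a small log-review heuristic written for this update (it is not from the researcher's tooling or from Microsoft) that targets the exfiltration leg described in the GIFShell write-up: command output comes back as a request for "<encoded data>.gif". A proxy or web-log reviewer can flag .gif fetches whose file stem is a long token made only of base64 characters, which ordinary image asset names rarely are. The log line format, the host names (reserved .test/.invalid domains) and the MIN_BLOB_LEN threshold are all constructed assumptions for the example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Stem length below which a filename is treated as a normal asset name rather
   than an encoded blob. Assumed value; tune to your environment. */
#define MIN_BLOB_LEN 24

/* Standard and URL-safe base64 alphabet plus '=' padding. */
static int is_b64_char(int c)
{
    return isalnum(c) || c == '+' || c == '/' || c == '=' || c == '-' || c == '_';
}

/* Returns 1 if the URL's final path segment looks like <base64 token>.gif,
   ignoring any query string; 0 otherwise. */
int is_suspicious_gif_url(const char *url)
{
    const char *q = strchr(url, '?');
    const char *end = q ? q : url + strlen(url);
    const char *name = url;
    for (const char *p = url; p < end; p++)
        if (*p == '/')
            name = p + 1;                 /* last segment starts after '/' */
    size_t nlen = (size_t)(end - name);
    if (nlen < 4 + MIN_BLOB_LEN)
        return 0;                         /* too short to be an encoded blob */
    if (strncmp(end - 4, ".gif", 4) != 0)
        return 0;                         /* not a GIF fetch */
    for (size_t i = 0; i < nlen - 4; i++)
        if (!is_b64_char((unsigned char)name[i]))
            return 0;                     /* stem contains non-base64 bytes */
    return 1;
}

/* Scans lines of the constructed form "timestamp client-ip method url status"
   and returns how many were flagged; flagged lines are also printed. */
int scan_log(const char *const *lines, int count)
{
    int flagged = 0;
    char url[1024];
    for (int i = 0; i < count; i++) {
        if (sscanf(lines[i], "%*s %*s %*s %1023s", url) != 1)
            continue;                     /* malformed line, skip */
        if (is_suspicious_gif_url(url)) {
            flagged++;
            printf("FLAG encoded-GIF fetch: %s\n", lines[i]);
        }
    }
    return flagged;
}

/* Constructed sample log lines (no real hosts or users). The third line's
   stem is base64 of a made-up "user=alice;host=ws01;uid=1001" string; the
   fourth is a short encoded blob that the length heuristic deliberately
   misses, showing why this check complements rather than replaces the
   external-access and log-monitoring controls. */
const char *const SAMPLE_LOG[] = {
    "2022-09-08T14:02:11Z 10.1.2.30 GET https://media.example-cdn.test/img/loading.gif 200",
    "2022-09-08T14:02:13Z 10.1.2.30 GET https://teams.microsoft.com/api/chat/v1 200",
    "2022-09-08T14:02:15Z 10.1.2.30 GET https://gif-host.invalid/u/dXNlcj1hbGljZTtob3N0PXdzMDE7dWlkPTEwMDE=.gif 200",
    "2022-09-08T14:02:20Z 10.1.2.30 GET https://gif-host.invalid/u/b2s=.gif 200",
};
#define SAMPLE_LOG_LEN ((int)(sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0]))

int main(void)
{
    int n = scan_log(SAMPLE_LOG, SAMPLE_LOG_LEN);
    printf("%d of %d lines flagged\n", n, SAMPLE_LOG_LEN);
    return 0;
}
```

In practice this heuristic is one signal among several: pair it with the volume of .gif requests per client to the same host and with the external-access setting, since short outputs, as the fourth sample line shows, fall under the length threshold.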