- Read the full article published by Check Point researchers here: http://blog.checkpoint.com/2017/07/06/how-the-copycat-malware-infected-android-devices-around-the-world/
The last weekly security update list published by CISCO includes three critical vulnerabilities affecting the Elastic Services Controller and Ultra Services Framework.
The flaw, tracked as CVE-2017-6713, in the network function virtualisation management environment Elastic Services Controller is related to the use of static default credentials that would let a remote attacker access all instances of the controller’s UI.
The security advisory published by CISCO states that:
“A vulnerability in the Play Framework of Cisco Elastic Services Controller (ESC) could allow an unauthenticated, remote attacker to gain full access to the affected system.”
“The vulnerability is due to static, default credentials for the Cisco ESC UI that are shared between installations. An attacker who can extract the static credentials from an existing installation of Cisco ESC could generate an admin session token that allows access to all instances of the ESC web UI.”
As reported in the security advisory the same credentials are shared between multiple installations, allowing an attacker to generate an admin session token to access any instances of the Elastic Services Controller web UI.
A second issue, tracked as CVE-2017-6712, occurs because a “tomcat” user on the system can run certain shell commands, allowing the user to overwrite any file on the filesystem and elevate privileges to root. An exploit could allow an authenticated, remote attacker to elevate privileges and run dangerous commands on the server.
“A vulnerability in certain commands of Cisco Elastic Services Controller could allow an authenticated, remote attacker to elevate privileges to root and run dangerous commands on the server.” states the advisory issued by CISCO.
“The vulnerability occurs because a “tomcat” user on the system can run certain shell commands, allowing the user to overwrite any file on the filesystem and elevate privileges to root. An exploit could allow an authenticated, remote attacker to elevate privileges and run dangerous commands on the server.”
A first bug in the Ultra Services Framework’s (USF) automation service (CVE-2017-6711) is related to an insecure configuration of the Apache ZooKeeper service, which could be exploited by a remote attacker to get access to the orchestrator network.
“A vulnerability in the Ultra Automation Service (UAS) of the Cisco Ultra Services Framework could allow an unauthenticated, remote attacker to gain unauthorized access to a targeted device.” states the advisory.
A second bug in the Ultra Services Framework’s (USF) automation service, tracked as CVE-2017-6714, resides in the staging server and could lead to arbitrary command execution.
“A vulnerability in the AutoIT service of Cisco Ultra Services Framework Staging Server could allow an unauthenticated, remote attacker to execute arbitrary shell commands as the Linux root user.” states the advisory.
CISCO has fixed all critical issues in Elastic Services Controller and Ultra Services Framework; administrators have to apply the patches manually.
According to the experts from CISCO Talos, the vulnerable pre-installed software packages are the Dell Precision Optimizer application service, Invincea-X and Invincea Dell Protected Workspace.
An advisory published by Cisco Talos states that: “Talos are releasing advisories for vulnerabilities in the Dell Precision Optimizer application service software, Invincea-X and Invincea Dell Protected Workspace. These packages are pre-installed on certain Dell systems. Vulnerabilities present in these applications could allow attackers to disable security mechanisms, escalate privileges and execute arbitrary code within the context of the application user.”
The three vulnerabilities are:
Protection Bypass Vulnerability TALOS-2016-0246 (CVE-2016-8732)
Invincea Dell Protected Workspace is a security solution offered by Dell that seeks to provide enhanced protection for endpoints. Multiple security flaws exist within one of the driver components, ‘InvProtectDrv.sys’ that is included in version 5.1.1-22303 of this software. Due to weak restrictions on the driver communications channel, as well as insufficient validation, an attacker controlled application that is executed on an affected system could leverage this driver to effectively disable some of the protection mechanisms provided by the software.
Known vulnerable: Invincea, Dell Protected Workspace 5.1.1-22303
This vulnerability is fixed in the 6.3.0 release of the software.
Protection Bypass Vulnerability TALOS-2016-0247 (CVE-2017-2802)
During the start of ‘Dell PPO Service’, supplied by Dell Precision Optimizer application, the program “c:\Program Files\Dell\PPO\poaService.exe” loads the dll, “c:\Program Files\Dell\PPO\ati.dll”. This in turn attempts to load “atiadlxx.dll”, which is not present by default in the application directory. The program searches for an appropriately named dll in the directories specified by the PATH environment variable. If it finds a dll with the same name, it will load the dll into poaService.exe without checking the signature of the dll. This can lead to execution of arbitrary code if an attacker supplies a malicious dll of the correct name.
Dell has released an update to resolve this issue. All versions from v4.0 onwards are not vulnerable.
Known vulnerable: Dell Precision Tower 5810 with nvidia graphic cards, PPO Policy Processing Engine (184.108.40.206), ati.dll (PPR Monitoring Plugin) (220.127.116.11).
Privilege Escalation Vulnerability TALOS-2016-0256 (CVE-2016-9038)
This vulnerability is a double fetch in the SboxDrv.sys driver. The vulnerability is triggered by sending crafted data to the \Device\SandboxDriverApi device driver which is read/write accessible to everyone. A successful exploitation results in an arbitrary value written to kernel memory space, which can lead to local privilege escalation.
Known vulnerable: Invincea-X, Dell Protected Workspace 6.1.3-24058
It is recommended that organizations using affected versions of this solution update to the latest version as quickly as possible to ensure that the protections provided by this software cannot be bypassed by an attacker. The following Snort Rules detect attempts to exploit these vulnerabilities:
Snort Rules: 41306 – 41309, 41312 – 41313
A critical vulnerability has been found in systemd, the popular init system and service manager for Linux operating systems, that could allow remote attackers to potentially trigger a buffer overflow to execute malicious code on the targeted machines via a DNS response.
systemd is an init system used in Linux distributions to bootstrap the user space and manage all processes subsequently, instead of the UNIX System V or Berkeley Software Distribution (BSD) init systems.
This vulnerability, tracked as CVE-2017-9445, resides in the ‘dns_packet_new’ function of ‘systemd-resolved,’ a DNS response handler component that provides network name resolution to local applications.
What really happens in the system?
A malicious DNS server can exploit this by responding with a specially crafted TCP payload to trick systemd-resolved into allocating a buffer that’s too small, and subsequently write arbitrary data beyond the end of it.
According to the published advisory, a specially crafted malicious DNS response can crash ‘systemd-resolved’ remotely when the system tries to look up a hostname on an attacker-controlled DNS service.
Because the buffer allocated for the response is too small, a large DNS response overflows it, allowing an attacker to overwrite memory and achieve remote code execution, i.e. to run arbitrary malware on the targeted system or server via their malicious DNS service.
“In systemd through 233, certain sizes passed to dns_packet_new in systemd-resolved can cause it to allocate a buffer that’s too small,” explains Chris Coulson, Ubuntu developer at Canonical.
Is your system vulnerable?
This vulnerability is present in all versions of systemd that are released after June 2015. From systemd 223 to systemd 233 all are vulnerable. Of course, systemd-resolved must be running on your system for it to be vulnerable.
The bug is present in Ubuntu versions 16.10 and 17.04; Debian versions Stretch (aka Debian 9), Buster (aka 10) and Sid (aka Unstable); and various other Linux distributions that use systemd.
Security patches have been rolled out to address the issue, so users and system administrators are strongly recommended to install them and update their Linux distros as soon as possible.
A new reflected XSS vulnerability has been found in the popular WordPress plugin WP Statistics (fixed in version 12.0.9), within days of Sucuri’s discovery of a SQL injection vulnerability in the same plugin, which was patched immediately.
According to the Dewhurst blog, the ‘ip’ GET parameter on the ‘wps_visitors_page’ page is output to a page without first being validated, sanitised or output encoded. This leads to Authenticated Reflected Cross-Site Scripting (XSS), which could allow attackers to compromise a WordPress application by tricking an authenticated administrator user into clicking on a specially crafted link.
Please note that other potential instances of Authenticated XSS were identified; however, these were covered by the plugin’s Cross-Site Request Forgery (CSRF) protection.
Source: On line 28 of the includes/log/last-visitor.php file, the $_GET[‘ip’] is placed within the $_get variable.
Sink: On line 74 of the includes/log/last-visitor.php file, the $_get variable is output in the PHP echo() function.
Visit the link given below in the Firefox browser, replacing mywordpress.com in the URL with the hostname of the website you are testing:
Then a fully weaponised XSS exploit was created that used the WordPress Theme Editor to insert a PHP backdoor into a WordPress site.
Pass the $_get variable through the WordPress esc_attr() function, for example: $_get = esc_attr($_get);
Update the plugin to version 12.0.9.
A new SQL injection vulnerability has been discovered in the popular WordPress plugin WP Statistics, known to be used by nearly 300,000+ websites. Caused by a lack of sanitization of user input, it allows a remote attacker with at least a subscriber account to steal sensitive information from the website’s database and possibly gain unauthorized access to the website.
According to a blog published by Sucuri, WordPress provides an API that enables developers to create content that users can inject to certain pages just using a simple shortcode:
[shortcode atts_1="test" atts_2="test"]
Among other functionalities, WP Statistics allows admin users to get detailed information related to the number of visits by just calling the shortcode below:
As you can see on the above image, some attributes of the shortcode wpstatistics are being passed as parameters for important functions and this shouldn’t be a problem if those parameters were sanitized, but as we’ll see this is not the case.
One of the vulnerable functions wp_statistics_searchengine_query() in the file “includes/functions/functions.php” is accessible through WordPress’ AJAX functionality thanks to the core function wp_ajax_parse_media_shortcode().
This function doesn’t check for additional privileges, allowing subscribers to execute this shortcode and inject malicious data to its attributes.
In a number of places in the code, user input coming from attributes of the wpstatistics shortcode is included in SQL queries without being sanitized. Below is one of the queries that was exploitable:
The wp_statistics_searchengine_query() function basically returns the same value as the one passed in the ‘provider’ shortcode attribute, and its content is added directly to the raw SQL query.
To prevent this vulnerability update the plugin ASAP or deploy a firewall.
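The two unsanitized sinks described above (the ‘ip’ GET parameter reaching echo(), and the ‘provider’ shortcode attribute reaching raw SQL), each reproduced beside a hardened form. This is an added example, not the plugin’s code; the table and column names, the provider allow-list and the fallback esc_attr() are assumptions so the file runs outside WordPress.

```php
<?php
// Added example, not WP Statistics code. Constructed payloads stand in for
// attacker-controlled request data; nothing here touches a real database.

// Stand-in so this runs outside WordPress. Assumption: the real esc_attr()
// likewise HTML-encodes quotes and angle brackets for attribute context.
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Sink 1, vulnerable: the raw 'ip' value flows from $_GET straight to output.
function render_ip_filter_vulnerable(array $get): string {
    $_get = $get['ip'] ?? '';
    return '<input type="text" name="ip" value="' . $_get . '">';
}

// Sink 1, hardened: attribute-encode the value before it reaches the sink.
function render_ip_filter_hardened(array $get): string {
    $_get = esc_attr($get['ip'] ?? '');
    return '<input type="text" name="ip" value="' . $_get . '">';
}

// Sink 2, vulnerable: the shortcode attribute is concatenated into the query
// text (table and column names are hypothetical).
function searchengine_query_vulnerable(string $provider): string {
    return "SELECT COUNT(*) FROM wp_statistics_search WHERE engine = '" . $provider . "'";
}

// Sink 2, hardened: allow-list the engine name (hypothetical list) and keep
// the value out of the query text, as $wpdb->prepare($sql, $provider) does
// in WordPress by filling the %s placeholder with a quoted value.
const KNOWN_PROVIDERS = ['google', 'bing', 'yahoo', 'duckduckgo'];

function searchengine_query_hardened(string $provider): ?array {
    $provider = strtolower(trim($provider));
    if (!in_array($provider, KNOWN_PROVIDERS, true)) {
        return null;   // unknown engine: rejected before any SQL is built
    }
    return [
        'sql'  => 'SELECT COUNT(*) FROM wp_statistics_search WHERE engine = %s',
        'args' => [$provider],
    ];
}

// Constructed payloads: an attribute break-out and a quote break-out.
$xss  = ['ip' => '"><b>injected</b>'];
$sqli = "google' OR '1'='1";

echo render_ip_filter_vulnerable($xss), "\n";    // markup escapes the attribute
echo render_ip_filter_hardened($xss), "\n";      // &quot;&gt;&lt;b&gt; stays inert text
echo searchengine_query_vulnerable($sqli), "\n"; // OR '1'='1 becomes part of the WHERE
var_dump(searchengine_query_hardened($sqli));    // NULL: value never reaches SQL
```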
On 27 June a nasty piece of ransomware (now declared to be wiper malware) struck the globe, within two months of the previous ransomware outbreak, WannaCry. The Petya ransomware (now known as NotPetya) began infecting computers in several countries, including Russia, Ukraine, France, India and the United States, on Tuesday and demands a $300 ransom, but it was not designed with the intention of restoring the computers at all. It was designed to look like ransomware but is wiper malware that wipes computers outright, destroying all records on the targeted systems. The email address used to handle the Bitcoin payments has been shut down, so files will not be recovered even if the ransom is paid.
Similar to WannaCry, Petya uses the EternalBlue exploit as one of the means to propagate itself. However, it also uses classic SMB network spreading techniques, meaning that it can spread within organizations even if they have patched against EternalBlue.
It has been confirmed that MEDoc, a tax and accounting software package, is used for the initial insertion of Petya into corporate networks. MEDoc is widely used in Ukraine, indicating that organizations in that country were the primary target.
After gaining an initial foothold, Petya then uses a variety of methods to spread across corporate networks.
What makes it dangerous? Unlike other ransomware viruses, it encrypts the Master File Table (MFT) for NTFS partitions. Each file on an NTFS volume is represented by a record in a special file called the master file table (MFT). If the MFT is corrupted the file system structure on the disk becomes unusable. It also overwrites MBR (Master Boot Record) with a custom bootloader that shows a ransom note and prevents the victim from booting their computer. This means that once a machine is infected it is in a complete state of lockdown. This makes it more intrusive. In comparison, the WannaCry ransomware virus targeted only specific file extensions while still allowing the operating system access.
INFECTION AND INSTALLATION
According to Symantec , Petya is initially executed via rundll32.exe using the following command:
- rundll32.exe perfc.dat
Once the DLL has been loaded, it will first attempt to remove itself from the infected system. This is done by opening the file and overwriting its contents with null bytes before finally deleting the file from disk. Overwriting the file with null bytes is used as an attempt to thwart recovery of the file using forensic techniques.
Next, it attempts to create the following file to be used as a flag indicating that the computer has been infected:
Once installed, Petya proceeds to modify the master boot record (MBR). This allows it to hijack the normal loading process of the infected computer during the next system reboot. The modified MBR is used to encrypt the hard disk while simulating a CHKDSK screen. It then displays a ransom note to the user.
MBR modification does not succeed if the threat is executed as a normal user, but the threat will still attempt to spread across the network.
At this point, a system reboot is scheduled using the following command:
- "/c at 00:49 C:\Windows\system32\shutdown.exe /r /f"
By scheduling and not forcing a reboot, it provides time to allow Petya to spread to other computers in the network before user-mode encryption occurs.
Once Petya does get into a local network, however, there are several concurrent mechanisms for it to spread to further local machines. The first and foremost is the ETERNALBLUE exploit. The next mechanism is to use mimikatz to dump credentials and use said credentials to run itself in local LAN computers using either PsExec or wmic.exe.
The following four steps are followed by the malware to spread itself:
- Tries to find credentials:
  - Method 1: Uses a custom tool to extract credentials from memory (code similarities with MimiKatz; accesses the Windows LSASS process)
  - Method 2: Steals credentials from the credential store on the infected systems
- Makes an inventory of the local network for other machines. If found, it checks whether port 139 or 445 is open.
- Checks via WebDAV whether the enumerated systems have already been infected. If this is not the case, it will transfer the malware to the other systems via SMB.
- Utilizes PsExec or WMI tools to remotely execute the malware.
Once spreading has occurred, Petya then lists all files on any fixed drive (e.g. C:\) and checks for any of the following file extensions (skipping the %Windir% directory of that drive):
.3ds .7z .accdb .ai .asp .aspx .avhd .back .bak .c .cfg .conf .cpp .cs .ctl .dbf .disk .djvu .doc .docx .dwg .eml .fdb .gz .h .hdd .kdbx .mail .mdb .msg .nrg .ora .ost .ova .ovf .pdf .php .pmf .ppt .pptx .pst .pvi .py .pyc .rar .rtf .sln .sql .tar .vbox .vbs .vcb .vdi .vfd .vmc .vmdk .vmsd .vmx .vsdx .vsv .work .xls .xlsx .xvd .zip
An AES-128 key is generated for each drive. If any of the file extensions match the above list, the malware proceeds to encrypt the first 1MB of the file using the generated key.
After encrypting all eligible files, the threat will generate the ransom note and write it to a “README.TXT” file in the current drive.
The generated AES key(s) are then encrypted using an embedded public key.
The resulting encrypted blob is then appended to the end of the ransom note (README.TXT) as a Base64 encoded string. The ransom note refers to this as the “installation key”.
The generated key is then destroyed to ensure it cannot be retrieved from memory.
At this point, the system is rebooted and the modified MBR code loads the simulated CHKDSK screen and full disk encryption occurs.
Checking if you are at risk for this attack involves multiple actions, due to the fact that the attack itself uses different methods to propagate within networks. The following actions can be performed to identify potential vulnerable machines within the network:
- Perform a network portscan to identify systems on which the TCP ports 139 and 445 are open. The more machines that are accessible on these ports, the more potential risk of the attack spreading to large amounts of systems within the network.
- Perform a vulnerability scan to identify machines which are missing the MS17-010 (and the KB2871997) patch. If the patches are missing, the identified systems are vulnerable to one of the spreading and infection methods used by the malware.
- Create the file C:\Windows\perfc beforehand.