This vulnerability allows remote attackers to disclose sensitive information on affected installations of KeySight N6841A RF Sensor. Authentication is not required to exploit this vulnerability.
Monthly Archives: May 2022
Ransomware Roundup – 2022/05/26
FortiGuard Labs became aware of a number of new ransomware strains for the week of May 23rd, 2022. It is imperative to raise awareness about new ransomware, as infections can cause severe damage to the affected machines and organizations. This Threat Signal covers Yashma ransomware, GoodWill ransomware and Horsemagyar ransomware, along with Fortinet protections against them.

What is Yashma Ransomware?

Yashma ransomware is new and is generated through the Yashma ransomware builder, which is claimed to be the sixth version of the Chaos ransomware builder. Reportedly, compared to the fifth version, the Yashma ransomware builder now supports a “forbidden country” option, with which attackers can choose not to run the generated ransomware based on the victim’s location. The new builder also enables the ransomware to stop a wide variety of services running on the compromised machine, such as anti-malware solutions and Remote Desktop and Backup services. Additionally, it is important to note that from the fifth version of the Chaos ransomware builder, the crafted ransomware can successfully encrypt files larger than 2,117,152 bytes and no longer corrupts them.

A known sample of Yashma ransomware has the following ransom note:

All of your files have been encrypted with Yashma ransomware
Your computer was infected with a ransomware. Your files have been encrypted and you won’t be able to decrypt them without our help.
What can I do to get my files back?
You can buy our special decryption software, this software will allow you to recover all of your data and remove the ransomware from your computer.
The price for the software is $1,500. Payment can be made in Bitcoin only.
How do I pay, where do I get Bitcoin?
Purchasing Bitcoin varies from country to country, you are best advised to do a quick google search yourself to find out how to buy Bitcoin.
Many of our customers have reported these sites to be fast and reliable:
Coinmama – hxxps://www[.]coinmama[.]com
Bitpanda – hxxps://www[.]bitpanda[.]com
Payment information
Amount: 0.1473766 BTC
Bitcoin Address: [removed]

At the time of this writing, the attacker’s bitcoin wallet has no transactions.

FortiGuard Labs previously released several blogs on Chaos ransomware. See the Appendix for links to “Chaos Ransomware Variant Sides with Russia” and “Chaos Ransomware Variant in Fake Minecraft Alt List Brings Destruction to Japanese Gamers”.

What is the Status of Coverage for Yashma ransomware?

FortiGuard Labs provides the following AV coverage against a known sample of Yashma ransomware:

MSIL/Filecoder.APU!tr.ransom

What is GoodWill Ransomware?

GoodWill ransomware was recently discovered; however, it appears to have been first observed in March 2022. The ransomware encrypts files on the compromised machine and adds a “.gdwill” file extension to the affected files.

Unlike other ransomware that demands a ransom to recover the encrypted files, GoodWill asks the victim to do three good deeds. Firstly, the victim must provide clothes and blankets to needy people on the street. Secondly, the victim must feed dinner to five children at a pizza or fried chicken joint. Lastly, the victim must visit a local hospital and provide financial assistance to those in need. After finishing each deed, proof must be provided to the attacker, and a decryption tool and video instruction will be provided to the victim after completing all the deeds.

What is the Status of Coverage for GoodWill ransomware?

FortiGuard Labs provides the following AV coverage against GoodWill ransomware:

MSIL/Filecoder.AGR!tr.ransom

What is Horsemagyar Ransomware?

Horsemagyar ransomware is a recently discovered new variant of Sojusz ransomware. It encrypts files on the compromised machine and adds a “.[10 digit ID number].spanielearslook.likeoldboobs” file extension to the encrypted files. The ransomware leaves a ransom note named Horse.txt. The first sighting of Sojusz ransomware goes back to February 2022, when it added a “.[10 digit ID number].[attacker’s email address].bec” extension to the files it encrypted.

An example of the ransom note left behind by Horsemagyar ransomware is below:

::: Hello my dear friend :::
Unfortunately for you, a major IT security weakness left you open to attack, your files have been encrypted
If you want to restore them,
write to our skype – [removed] DECRYPTION
Also you can write ICQ live chat which works 24/7 @[removed]
Install ICQ software on your PC https://icq[.]com/windows/ or on your mobile phone search in Appstore / Google market ICQ
Write to our ICQ @HORSEMAGYAR https://icq[.]im/[removed]
If we not reply in 6 hours you can write to our mail but use it only if previous methods not working – [removed]@onionmail.org
Attention!
* Do not rename encrypted files.
* Do not try to decrypt your data using third party software, it may cause permanent data loss.
* We are always ready to cooperate and find the best way to solve your problem.
* The faster you write, the more favorable the conditions will be for you.
* Our company values its reputation. We give all guarantees of your files decryption,such as test decryption some of them
We respect your time and waiting for respond from your side
tell your MachineID: MAHINE_ID and LaunchID: LAUNCH__ID
Sensitive data on your system was DOWNLOADED.
If you DON’T WANT your sensitive data to be PUBLISHED you have to act quickly.
Data includes:
- Employees personal data, CVs, DL, SSN.
- Complete network map including credentials for local and remote services.
- Private financial information including: clients data, bills, budgets, annual reports, bank statements.
- Manufacturing documents including: datagrams, schemas, drawings in solidworks format
- And more…

What is the Status of Coverage against Horsemagyar Ransomware?

FortiGuard Labs provides the following AV coverage against Horsemagyar ransomware:

W32/Filecoder.NSF!tr.ransom

Anything Else to Note?

Victims of ransomware are cautioned against paying ransoms by such organizations as CISA, NCSC, the FBI, and HHS. Payment does not guarantee files will be recovered. It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities which could potentially be illegal according to a U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) advisory.
CWE
CWE (Common Weakness Enumeration) is a list of common types of hardware and software defects that have security implications. The CWE list can be used as a framework to describe and communicate such vulnerabilities in terms of CWEs.
The goal is to support methods, including automated ones, for controlling and preventing software errors. It can be used at the development stage, during code review, and later during penetration testing to classify and communicate the vulnerability type to developers. The system is at version 4.7 and contains over 600 categories of weaknesses and vulnerabilities.
The CWE Top 25 Most Dangerous Software Weakness List is a list of the most common programming errors that can lead to software vulnerabilities. Vulnerabilities present in the CWE Top 25 are usually easy to detect and exploit. For example, CWE-79 relates to Cross-Site Scripting and CWE-89 to SQL Injection. A similar project is the OWASP (Open Web Application Security Project) Top Ten. Compared to the CWE Top 25, the OWASP Top Ten focuses solely on vulnerabilities of web applications.
The CWE Most Important Hardware Weakness List serves the same purpose, but it focuses on hardware defects.
Please check our post about Vulnerability Analysis to learn more about CWE usage.
Please find a list of all the CWE below or use the search box above to find a specific CWE.
-
The Most Dangerous Vulnerabilities in Apache Tomcat and How to Protect Against Them
Apache Tomcat is an open-source web server and servlet container that is widely used in enterprise environments to run Java web applications. However, like any web server, it is also vulnerable to various security threats. In this article, we’ll explore some of the most dangerous vulnerabilities in Tomcat and provide tips on how to protect…
-
ZDI-CAN-18333: A Critical Zero-Day Vulnerability in Microsoft Windows
Zero-day vulnerabilities are a serious threat to cybersecurity, as they can be exploited by malicious actors to gain unauthorized access to systems. One such vulnerability is ZDI-CAN-18333, a critical zero-day vulnerability that affects Microsoft Windows. In this article, we’ll take a closer look at what this vulnerability is, how it works, and what you can…
-
CWE-669 – Incorrect Resource Transfer Between Spheres
Description The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource. A “control sphere” is a set of resources and behaviors that are accessible to a single actor, or a group of actors. A product’s security…
-
CWE-67 – Improper Handling of Windows Device Names
Description The software constructs pathnames from user input, but it does not handle or incorrectly handles a pathname containing a Windows device name such as AUX or CON. This typically leads to denial of service or an information exposure when the application attempts to process the pathname as a regular file. Not properly handling virtual…
-
CWE-670 – Always-Incorrect Control Flow Implementation
Description The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated. This weakness captures cases in which a particular code segment is always incorrect with respect to the algorithm that it is implementing. For example,…
-
CWE-671 – Lack of Administrator Control over Security
Description The product uses security features in a way that prevents the product’s administrator from tailoring security settings to reflect the environment in which the product is being used. This introduces resultant weaknesses or prevents it from operating at a level of security that is desired by the administrator. If the product’s administrator does not…
-
CWE-672 – Operation on a Resource after Expiration or Release
Description The software uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-666 Consequences Integrity, Confidentiality: Modify Application Data, Read Application Data If a released resource is subsequently reused or reallocated, then an attempt to…
-
CWE-673 – External Influence of Sphere Definition
Description The product does not prevent the definition of control spheres from external actors. Typically, a product defines its control sphere within the code itself, or through configuration by the product’s administrator. In some cases, an external party can change the definition of the control sphere. This is typically a resultant weakness. Modes of Introduction:…
-
CWE-674 – Uncontrolled Recursion
Description The product does not properly control the amount of recursion which takes place, consuming excessive resources, such as allocated memory or the program stack. Modes of Introduction: – Implementation Related Weaknesses CWE-691 Consequences Availability: DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory) Resources including CPU, memory, and stack memory could be…
-
CWE-675 – Multiple Operations on Resource in Single-Operation Context
Description The product performs the same operation on a resource two or more times, when the operation should only be applied once. Modes of Introduction: – Implementation Related Weaknesses CWE-573 CWE-586 CWE-102 Consequences Other: Other Potential Mitigations CVE References
-
CWE-676 – Use of Potentially Dangerous Function
Description The program invokes a potentially dangerous function that could introduce a vulnerability if it is used incorrectly, but the function can also be used safely. Modes of Introduction: – Architecture and Design Likelihood of Exploit: High Related Weaknesses CWE-1177 Consequences Other: Varies by Context, Quality Degradation, Unexpected State If the function…
-
CWE-680 – Integer Overflow to Buffer Overflow
Description The product performs a calculation to determine how much memory to allocate, but an integer overflow can occur that causes less memory to be allocated than expected, leading to a buffer overflow. Modes of Introduction: Related Weaknesses CWE-190 CWE-119 Consequences Integrity, Availability, Confidentiality: Modify Memory, DoS: Crash, Exit, or Restart, Execute…
-
CWE-681 – Incorrect Conversion between Numeric Types
Description When converting from one data type to another, such as long to integer, data can be omitted or translated in a way that produces unexpected values. If the resulting values are used in a sensitive context, then dangerous behaviors may occur. Modes of Introduction: – Implementation Likelihood of Exploit: High Related Weaknesses…
-
CWE-682 – Incorrect Calculation
Description The software performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management. When software performs a security-critical calculation incorrectly, it might lead to incorrect resource allocations, incorrect privilege assignments, or failed comparisons among other things. Many of the direct results of an incorrect calculation can…
-
CWE-683 – Function Call With Incorrect Order of Arguments
Description The software calls a function, procedure, or routine, but the caller specifies the arguments in an incorrect order, leading to resultant weaknesses. While this weakness might be caught by the compiler in some languages, it can occur more frequently in cases in which the called function accepts variable numbers or types of arguments, such…
-
CWE-684 – Incorrect Provision of Specified Functionality
Description The code does not function according to its published specifications, potentially leading to incorrect usage. When providing functionality to an external party, it is important that the software behaves in accordance with the details specified. When requirements of nuances are not documented, the functionality may produce unintended behaviors for the caller, possibly leading to…
-
CWE-685 – Function Call With Incorrect Number of Arguments
Description The software calls a function, procedure, or routine, but the caller specifies too many arguments, or too few arguments, which may lead to undefined behavior and resultant weaknesses. Modes of Introduction: – Implementation Related Weaknesses CWE-628 Consequences Other: Quality Degradation Potential Mitigations Phase: Testing Description: Because this function call often…
-
CWE-686 – Function Call With Incorrect Argument Type
Description The software calls a function, procedure, or routine, but the caller specifies an argument that is the wrong data type, which may lead to resultant weaknesses. This weakness is most likely to occur in loosely typed languages, or in strongly typed languages in which the types of variable arguments cannot be enforced at compilation…
-
CWE-687 – Function Call With Incorrectly Specified Argument Value
Description The software calls a function, procedure, or routine, but the caller specifies an argument that contains the wrong value, which may lead to resultant weaknesses. Modes of Introduction: – Implementation Related Weaknesses CWE-628 Consequences Other: Quality Degradation Potential Mitigations CVE References
-
CWE-688 – Function Call With Incorrect Variable or Reference as Argument
Description The software calls a function, procedure, or routine, but the caller specifies the wrong variable or reference as one of the arguments, which may lead to undefined behavior and resultant weaknesses. Modes of Introduction: – Implementation Related Weaknesses CWE-628 Consequences Other: Quality Degradation Potential Mitigations Phase: Testing Description: Because this…
-
CWE-69 – Improper Handling of Windows ::DATA Alternate Data Stream
Description The software does not properly prevent access to, or detect usage of, alternate data streams (ADS). An attacker can use an ADS to hide information about a file (e.g. size, the name of the process) from a system or file browser tools such as Windows Explorer and ‘dir’ at the command line utility. Alternately,…
-
CWE-648 – Incorrect Use of Privileged APIs
Description The application does not conform to the API requirements for a function call that requires extra privileges. This could allow attackers to gain privileges by causing the function to be called incorrectly. Modes of Introduction: – Architecture and Design Likelihood of Exploit: Low Related Weaknesses CWE-269 Consequences Access Control: Gain Privileges…
-
CWE-649 – Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking
Description The software uses obfuscation or encryption of inputs that should not be mutable by an external actor, but the software does not use integrity checks to detect if those inputs have been modified. When an application relies on obfuscation or incorrectly applied / weak encryption to protect client-controllable tokens or parameters, that may have…
-
CWE-65 – Windows Hard Link
Description The software, when opening a file or directory, does not sufficiently handle when the name is associated with a hard link to a target that is outside of the intended control sphere. This could allow an attacker to cause the software to operate on unauthorized files. Failure for a system to check for hard…
-
CWE-651 – Exposure of WSDL File Containing Sensitive Information
Description The Web services architecture may require exposing a Web Service Definition Language (WSDL) file that contains information on the publicly accessible services and how callers of these services should interact with them (e.g. what parameters they expect and what types they return). Modes of Introduction: – Architecture and Design Related Weaknesses CWE-538…
-
CWE-652 – Improper Neutralization of Data within XQuery Expressions (‘XQuery Injection’)
Description The software uses external input to dynamically construct an XQuery expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neutralizes that input. This allows an attacker to control the structure of the query. The net effect is that the attacker will have control over the information selected…
-
CWE-653 – Improper Isolation or Compartmentalization
Description The product does not properly compartmentalize or isolate functionality, processes, or resources that require different privilege levels, rights, or permissions. When a weakness occurs in functionality that is accessible by lower-privileged users, then without strong boundaries, an attack might extend the scope of the damage to higher-privileged users. Modes of Introduction: – Architecture and…
-
CWE-654 – Reliance on a Single Factor in a Security Decision
Description A protection mechanism relies exclusively, or to a large extent, on the evaluation of a single condition or the integrity of a single object or entity in order to make a decision about granting access to restricted resources or functionality. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-657 CWE-693 …
-
CWE-655 – Insufficient Psychological Acceptability
Description The software has a protection mechanism that is too difficult or inconvenient to use, encouraging non-malicious users to disable or bypass the mechanism, whether by accident or on purpose. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-657 CWE-693 Consequences Access Control: Bypass Protection Mechanism By bypassing the security mechanism,…
-
CWE-656 – Reliance on Security Through Obscurity
Description The software uses a protection mechanism whose strength depends heavily on its obscurity, such that knowledge of its algorithms or key data is sufficient to defeat the mechanism. This reliance on “security through obscurity” can produce resultant weaknesses if an attacker is able to reverse engineer the inner workings of the mechanism. Note that…
-
CWE-657 – Violation of Secure Design Principles
Description The product violates well-established principles for secure design. This can introduce resultant weaknesses or make it easier for developers to introduce related weaknesses during implementation. Because code is centered around design, it can be resource-intensive to fix design problems. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-710 Consequences Other:…
-
CWE-66 – Improper Handling of File Names that Identify Virtual Resources
Description The product does not handle or incorrectly handles a file name that identifies a “virtual” resource that is not directly specified within the directory that is associated with the file name, causing the product to perform file-based operations on a resource that is not a file. Virtual file names are represented like normal file…
-
CWE-662 – Improper Synchronization
Description The software utilizes multiple threads or processes to allow temporary access to a shared resource that can only be exclusive to one process at a time, but it does not properly synchronize these actions, which might cause simultaneous accesses of this resource by multiple threads or processes. Modes of Introduction: – Architecture and Design…
-
CWE-663 – Use of a Non-reentrant Function in a Concurrent Context
Description The software calls a non-reentrant function in a concurrent context in which a competing code sequence (e.g. thread or signal handler) may have an opportunity to call the same function or otherwise influence its state. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-662 Consequences Integrity, Confidentiality, Other: Modify Memory,…
-
CWE-664 – Improper Control of a Resource Through its Lifetime
Description The software does not maintain or incorrectly maintains control over a resource throughout its lifetime of creation, use, and release. Modes of Introduction: – Implementation Related Weaknesses Consequences Other: Other Potential Mitigations Phase: Testing Description: Use Static analysis tools to check for unreleased resources. CVE References
-
CWE-665 – Improper Initialization
Description The software does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used. This can have security implications when the associated resource is expected to have certain properties or values, such as a variable that determines whether a user has been authenticated…
-
CWE-666 – Operation on Resource in Wrong Phase of Lifetime
Description The software performs an operation on a resource at the wrong phase of the resource’s lifecycle, which can lead to unexpected behaviors. When a developer wants to initialize, use or release a resource, it is important to follow the specifications outlined for how to operate on that resource and to ensure that the resource…
-
CWE-667 – Improper Locking
Description The software does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-662 CWE-662 CWE-662 CWE-662 Consequences Availability: DoS: Resource Consumption (CPU) Inconsistent locking discipline can lead to deadlock. Potential Mitigations Phase:…
-
CWE-668 – Exposure of Resource to Wrong Sphere
Description The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-664 Consequences Confidentiality, Integrity, Other: Read Application Data, Modify Application Data, Other Potential Mitigations CVE References
-
CWE-621 – Variable Extraction Error
Description The product uses external input to determine the names of variables into which information is extracted, without verifying that the names of the specified variables are valid. This could cause the program to overwrite unintended variables. Modes of Introduction: – Implementation Related Weaknesses CWE-914 CWE-471 Consequences Integrity: Modify Application Data An…
-
CWE-622 – Improper Validation of Function Hook Arguments
Description The product adds hooks to user-accessible API functions, but it does not properly validate the arguments. This could lead to resultant vulnerabilities. Such hooks can be used in defensive software that runs with privileges, such as anti-virus or firewall, which hooks kernel calls. When the arguments are not validated, they could be used to…
-
CWE-623 – Unsafe ActiveX Control Marked Safe For Scripting
Description An ActiveX control is intended for restricted use, but it has been marked as safe-for-scripting. This might allow attackers to use dangerous functionality via a web page that accesses the control, which can lead to different resultant vulnerabilities, depending on the control’s behavior. Modes of Introduction: – Architecture and Design Related Weaknesses…
-
CWE-624 – Executable Regular Expression Error
Description The product uses a regular expression that either (1) contains an executable component with user-controlled inputs, or (2) allows a user to enable execution by inserting pattern modifiers. Case (2) is possible in the PHP preg_replace() function, and possibly in other languages when a user-controlled input is inserted into a string that is later…
-
CWE-625 – Permissive Regular Expression
Description The product uses a regular expression that does not sufficiently restrict the set of allowed values. Modes of Introduction: – Implementation Related Weaknesses CWE-185 CWE-187 CWE-184 CWE-183 Consequences Access Control: Bypass Protection Mechanism Potential Mitigations Phase: Implementation Description: When applicable, ensure that the regular expression marks beginning and ending string…
-
CWE-626 – Null Byte Interaction Error (Poison Null Byte)
Description The product does not properly handle null bytes or NUL characters when passing data between different representations or components. Modes of Introduction: – Implementation Related Weaknesses CWE-147 CWE-436 Consequences Integrity: Unexpected State Potential Mitigations Phase: Implementation Description: Remove null bytes from all incoming strings. CVE References CVE-2005-4155 NUL byte bypasses…
-
CWE-627 – Dynamic Variable Evaluation
Description In a language where the user can influence the name of a variable at runtime, if the variable names are not controlled, an attacker can read or write to arbitrary variables, or access arbitrary functions. The resultant vulnerabilities depend on the behavior of the application, both at the crossover point and in any control/data…
-
CWE-628 – Function Call with Incorrectly Specified Arguments
Description The product calls a function, procedure, or routine with arguments that are not correctly specified, leading to always-incorrect behavior and resultant weaknesses. Modes of Introduction: – Implementation Related Weaknesses CWE-573 Consequences Other, Access Control: Quality Degradation, Gain Privileges or Assume Identity This weakness can cause unintended behavior and can lead to…
-
CWE-636 – Not Failing Securely (‘Failing Open’)
Description When the product encounters an error condition or failure, its design requires it to fall back to a state that is less secure than other options that are available, such as selecting the weakest encryption algorithm or using the most permissive access control restrictions. By entering a less secure state, the product inherits the…
-
CWE-637 – Unnecessary Complexity in Protection Mechanism (Not Using ‘Economy of Mechanism’)
Description The software uses a more complex mechanism than necessary, which could lead to resultant weaknesses when the mechanism is not correctly understood, modeled, configured, implemented, or used. Security mechanisms should be as simple as possible. Complex security mechanisms may engender partial implementations and compatibility problems, with resulting mismatches in assumptions and implemented security. A…
-
CWE-638 – Not Using Complete Mediation
Description The software does not perform access checks on a resource every time the resource is accessed by an entity, which can create resultant weaknesses if that entity’s rights or privileges change over time. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-657 CWE-862 Consequences Integrity, Confidentiality, Availability, Access Control, Other:…
-
CWE-64 – Windows Shortcut Following (.LNK)
Description The software, when opening a file or directory, does not sufficiently handle when the file is a Windows shortcut (.LNK) whose target is outside of the intended control sphere. This could allow an attacker to cause the software to operate on unauthorized files. The shortcut (file with the .lnk extension) can permit an attacker…
-
CWE-640 – Weak Password Recovery Mechanism for Forgotten Password
Description The software contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak. Modes of Introduction: – Architecture and Design Likelihood of Exploit: High Related Weaknesses CWE-287 CWE-287 Consequences Access Control: Gain Privileges or Assume Identity An attacker could gain unauthorized…
-
CWE-641 – Improper Restriction of Names for Files and Other Resources
Description The application constructs the name of a file or other resource using input from an upstream component, but it does not restrict or incorrectly restricts the resulting name. This may produce resultant weaknesses. For instance, if the names of these resources contain scripting characters, it is possible that a script may get executed in…
-
CWE-642 – External Control of Critical State Data
Description The software stores security-critical state information about its users, or the software itself, in a location that is accessible to unauthorized actors. Modes of Introduction: – Architecture and Design Likelihood of Exploit: High Related Weaknesses CWE-668 Consequences Access Control: Bypass Protection Mechanism, Gain Privileges or Assume Identity An attacker could potentially…
-
CWE-643 – Improper Neutralization of Data within XPath Expressions (‘XPath Injection’)
Description The software uses external input to dynamically construct an XPath expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neutralizes that input. This allows an attacker to control the structure of the query. The net effect is that the attacker will have control over the information selected…
-
CWE-644 – Improper Neutralization of HTTP Headers for Scripting Syntax
Description The application does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers, such as Flash. Modes of Introduction: – Architecture and Design Likelihood of Exploit: High Related Weaknesses CWE-116 Consequences Integrity, Confidentiality, Availability: Execute Unauthorized Code…
-
CWE-645 – Overly Restrictive Account Lockout Mechanism
Description The software contains an account lockout protection mechanism, but the mechanism is too restrictive and can be triggered too easily, which allows attackers to deny service to legitimate users by causing their accounts to be locked out. Account lockout is a security feature often present in applications as a countermeasure to the brute force…
-
CWE-646 – Reliance on File Name or Extension of Externally-Supplied File
Description The software allows a file to be uploaded, but it relies on the file name or extension of the file to determine the appropriate behaviors. This could be used by attackers to cause the file to be misclassified and processed in a dangerous fashion. An application might use the file name or extension of…
-
CWE-602 – Client-Side Enforcement of Server-Side Security
Description The software is composed of a server that relies on the client to implement a mechanism that is intended to protect the server. When the server relies on protection mechanisms placed on the client side, an attacker can modify the client-side behavior to bypass the protection mechanisms resulting in potentially unexpected interactions between the…
-
CWE-603 – Use of Client-Side Authentication
Description A client/server product performs authentication within client code but not in server code, allowing server-side authentication to be bypassed via a modified client that omits the authentication check. Client-side authentication is extremely weak and may be breached easily. Any attacker may read the source code and reverse-engineer the authentication mechanism to access parts of…
-
CWE-605 – Multiple Binds to the Same Port
Description When multiple sockets are allowed to bind to the same port, other services on that port may be stolen or spoofed. On most systems, a combination of setting the SO_REUSEADDR socket option, and a call to bind() allows any process to bind to a port to which a previous process has bound with INADDR_ANY.…
-
CWE-606 – Unchecked Input for Loop Condition
Description The product does not properly check inputs that are used for loop conditions, potentially leading to a denial of service or other consequences because of excessive looping. Modes of Introduction: – Implementation Related Weaknesses CWE-1284 CWE-834 Consequences Availability: DoS: Resource Consumption (CPU) Potential Mitigations Phase: Implementation Description: Do not use…
-
CWE-607 – Public Static Final Field References Mutable Object
Description A public or protected static final field references a mutable object, which allows the object to be changed by malicious code, or accidentally from another package. Modes of Introduction: – Implementation Related Weaknesses CWE-471 Consequences Integrity: Modify Application Data Potential Mitigations Phase: Implementation Description: Protect mutable objects by making them…
-
CWE-608 – Struts: Non-private Field in ActionForm Class
Description An ActionForm class contains a field that has not been declared private, which can be accessed without using a setter or getter. Modes of Introduction: – Implementation Related Weaknesses CWE-668 Consequences Integrity, Confidentiality: Modify Application Data, Read Application Data Potential Mitigations Phase: Implementation Description: Make all fields private. Use getter…
-
CWE-609 – Double-Checked Locking
Description The program uses double-checked locking to access a resource without the overhead of explicit synchronization, but the locking is insufficient. Double-checked locking refers to the situation where a programmer checks to see if a resource has been initialized, grabs a lock, checks again to see if the resource has been initialized, and then performs…
-
CWE-61 – UNIX Symbolic Link (Symlink) Following
Description The software, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the software to operate on unauthorized files. A software system that allows UNIX symbolic links (symlink)…
-
CWE-610 – Externally Controlled Reference to a Resource in Another Sphere
Description The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-664 Consequences Confidentiality, Integrity: Read Application Data, Modify Application Data Potential Mitigations CVE References
-
CWE-611 – Improper Restriction of XML External Entity Reference
Description The software processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. Modes of Introduction: – Implementation Related Weaknesses CWE-610 CWE-610 CWE-441 Consequences Confidentiality: Read Application Data, Read Files…
-
CWE-613 – Insufficient Session Expiration
Description According to WASC, “Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization.” Modes of Introduction: – Architecture and Design Related Weaknesses CWE-672 CWE-672 CWE-287 Consequences Access Control: Bypass Protection Mechanism Potential Mitigations Phase: Implementation Description: Set sessions/credentials expiration…
-
CWE-615 – Inclusion of Sensitive Information in Source Code Comments
Description While adding general comments is very useful, some programmers tend to leave important data, such as: filenames related to the web application, old links or links which were not meant to be browsed by users, old code fragments, etc. An attacker who finds these comments can map the application’s structure and files, expose hidden…
-
CWE-616 – Incomplete Identification of Uploaded File Variables (PHP)
Description The PHP application uses an old method for processing uploaded files by referencing the four global variables that are set for each file (e.g. $varname, $varname_size, $varname_name, $varname_type). These variables could be overwritten by attackers, causing the application to process unauthorized files. These global variables could be overwritten by POST requests, cookies, or other…
-
CWE-617 – Reachable Assertion
Description The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary. Modes of Introduction: – Implementation Related Weaknesses CWE-670 CWE-670 Consequences Availability: DoS: Crash, Exit, or Restart An attacker that can trigger…
-
CWE-618 – Exposed Unsafe ActiveX Method
Description An ActiveX control is intended for use in a web browser, but it exposes dangerous methods that perform actions that are outside of the browser’s security model (e.g. the zone or domain). ActiveX controls can exercise far greater control over the operating system than typical Java or javascript. Exposed methods can be subject to…
-
CWE-619 – Dangling Database Cursor (‘Cursor Injection’)
Description If a database cursor is not closed properly, then it could become accessible to other users while retaining the same privileges that were originally assigned, leaving the cursor “dangling.” For example, an improper dangling cursor could arise from unhandled exceptions. The impact of the issue depends on the cursor’s role, but SQL injection attacks…
-
CWE-62 – UNIX Hard Link
Description The software, when opening a file or directory, does not sufficiently account for when the name is associated with a hard link to a target that is outside of the intended control sphere. This could allow an attacker to cause the software to operate on unauthorized files. Failure for a system to check for…
-
CWE-620 – Unverified Password Change
Description When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication. This could be used by an attacker to change passwords for another user, thus gaining the privileges associated with that user. Modes of Introduction: – Architecture and Design …
-
CWE-584 – Return Inside Finally Block
Description The code has a return statement inside a finally block, which will cause any thrown exception in the try block to be discarded. Modes of Introduction: – Implementation Related Weaknesses CWE-705 Consequences Other: Alter Execution Logic Potential Mitigations Phase: Implementation Description: Do not use a return statement inside the finally…
-
CWE-585 – Empty Synchronized Block
Description The software contains an empty synchronized block. An empty synchronized block does not actually accomplish any synchronization and may indicate a troubled section of code. An empty synchronized block can occur because code no longer needed within the synchronized block is commented out without removing the synchronized block. Modes of Introduction: – Implementation …
-
CWE-586 – Explicit Call to Finalize()
Description The software makes an explicit call to the finalize() method from outside the finalizer. While the Java Language Specification allows an object’s finalize() method to be called from outside the finalizer, doing so is usually a bad idea. For example, calling finalize() explicitly means that finalize() will be called more than once: the first…
-
CWE-587 – Assignment of a Fixed Address to a Pointer
Description The software sets a pointer to a specific address other than NULL or 0. Using a fixed address is not portable, because that address will probably not be valid in all environments or platforms. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-344 CWE-758 Consequences Integrity, Confidentiality, Availability: Execute Unauthorized…
-
CWE-588 – Attempt to Access Child of a Non-structure Pointer
Description Casting a non-structure type to a structure type and accessing a field can lead to memory access errors or data corruption. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-704 CWE-758 Consequences Integrity: Modify Memory Adjacent variables in memory may be corrupted by assignments performed on fields after the cast.…
-
CWE-589 – Call to Non-ubiquitous API
Description The software uses an API function that does not exist on all versions of the target platform. This could cause portability problems or inconsistencies that allow denial of service or other consequences. Some functions that offer security features supported by the OS are not available on all versions of the OS in common use.…
-
CWE-59 – Improper Link Resolution Before File Access (‘Link Following’)
Description The software attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource. Soft links are a UNIX term that is synonymous with simple shortcuts on windows based platforms. Modes of Introduction: – Implementation Likelihood…
-
CWE-590 – Free of Memory not on the Heap
Description The application calls free() on a pointer to memory that was not allocated using associated heap allocation functions such as malloc(), calloc(), or realloc(). When free() is called on an invalid pointer, the program’s memory management data structures may become corrupted. This corruption can cause the program to crash or, in some circumstances, an…
-
CWE-591 – Sensitive Data Storage in Improperly Locked Memory
Description The application stores sensitive data in memory that is not locked, or that has been incorrectly locked, which might cause the memory to be written to swap files on disk by the virtual memory manager. This can make the data more accessible to external actors. On Windows systems the VirtualLock function can lock a…
-
CWE-592 – DEPRECATED: Authentication Bypass Issues
Description This weakness has been deprecated because it covered redundant concepts already described in CWE-287. Modes of Introduction: Related Weaknesses Consequences Potential Mitigations CVE References
-
CWE-593 – Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created
Description The software modifies the SSL context after connection creation has begun. If the program modifies the SSL_CTX object after creating SSL objects from it, there is the possibility that older SSL objects created from the original context could all be affected by that change. Modes of Introduction: – Architecture and Design Related…
-
CWE-594 – J2EE Framework: Saving Unserializable Objects to Disk
Description When the J2EE container attempts to write unserializable objects to disk there is no guarantee that the process will complete successfully. In heavy load conditions, most J2EE application frameworks flush objects to disk to manage memory requirements of incoming requests. For example, session scoped objects, and even application scoped objects, are written to disk…
-
CWE-595 – Comparison of Object References Instead of Object Contents
Description The program compares object references instead of the contents of the objects themselves, preventing it from detecting equivalent objects. For example, in Java, comparing objects using == usually produces deceptive results, since the == operator compares object references rather than values; often, this means that using == for strings is actually comparing the strings’…
-
CWE-596 – DEPRECATED: Incorrect Semantic Object Comparison
Description This weakness has been deprecated. It was poorly described and difficult to distinguish from other entries. It was also inappropriate to assign a separate ID solely because of domain-specific considerations. Its closest equivalent is CWE-1023. Modes of Introduction: Related Weaknesses Consequences Potential Mitigations CVE References
-
CWE-597 – Use of Wrong Operator in String Comparison
Description The product uses the wrong operator when comparing a string, such as using “==” when the .equals() method should be used instead. In Java, using == or != to compare two strings for equality actually compares two objects for equality rather than their string values for equality. Chances are good that the two references…
-
CWE-598 – Use of GET Request Method With Sensitive Query Strings
Description The web application uses the HTTP GET method to process a request and includes sensitive information in the query string of that request. The query string for the URL could be saved in the browser’s history, passed through Referers to other web sites, stored in web logs, or otherwise recorded in other sources. If…
-
CWE-599 – Missing Validation of OpenSSL Certificate
Description The software uses OpenSSL and trusts or uses a certificate without using the SSL_get_verify_result() function to ensure that the certificate satisfies all necessary security requirements. This could allow an attacker to use an invalid certificate to claim to be a trusted host, use expired certificates, or conduct other attacks that could be detected if…
-
CWE-6 – J2EE Misconfiguration: Insufficient Session-ID Length
Description The J2EE application is configured to use an insufficient session ID length. If an attacker can guess or steal a session ID, then they may be able to take over the user’s session (called session hijacking). The number of possible session IDs increases with increased session ID length, making it more difficult to guess…
USN-5450-1: Subversion vulnerabilities
Evgeny Kotkov discovered that subversion servers did not properly follow
path-based authorization rules in certain cases. An attacker could
potentially use this issue to retrieve information about private paths.
(CVE-2021-28544)
Thomas Weißschuh discovered that subversion servers did not properly handle
memory in certain configurations. A remote attacker could potentially use
this issue to cause a denial of service or other unspecified impact.
(CVE-2022-24070)
New Linux-based ransomware targets VMware servers
Researchers at Trend Micro have discovered some new Linux-based ransomware that’s being used to attack VMware ESXi servers, a bare-metal hypervisor for creating and running several virtual machines (VMs) that share the same hard drive storage. Called Cheerscrypt, the bad app is following in the footsteps of other ransomware programs—such as LockBit, Hive and RansomEXX—that have found ESXi an efficient way to infect many computers at once with malicious payloads.
Roger Grimes, a defense evangelist with security awareness training provider KnowBe4, explains that most of the world’s organizations operate using VMware virtual machines. “It makes the job of ransomware attackers far easier because they can encrypt one server—the VMware server—and then encrypt every guest VM it contains. One compromise and encryption command can easily encrypt dozens to hundreds of other virtually run computers all at once.”
Rapidly evolving IoT malware EnemyBot now targeting Content Management System servers and Android devices
Executive summary
AT&T Alien Labs™ has been tracking a new IoT botnet dubbed “EnemyBot”, which is believed to be distributed by threat actor Keksec. During our investigations, Alien Labs has discovered that EnemyBot is expanding its capabilities, exploiting recently identified vulnerabilities (2022), and now targeting IoT devices, web servers, Android devices and content management system (CMS) servers. In addition, the malware base source code can now be found online on Github, making it widely accessible.
Key takeaways:
EnemyBot’s base source code can be found on Github, making it available to anyone who wants to leverage the malware in their attacks.
The malware is rapidly adopting one-day vulnerabilities as part of its exploitation capabilities.
Services such as VMware Workspace ONE, Adobe ColdFusion, WordPress, PHP Scriptcase and more are being targeted as well as IoT and Android devices.
The threat group behind EnemyBot, Keksec, is well-resourced and has the ability to update and add new capabilities to its arsenal of malware on a daily basis (see below for more detail on Keksec).
Background
First discovered by Securonix in March 2022 and later detailed in an in-depth analysis by Fortinet, EnemyBot is a new malware distributed by the threat actor “Keksec” targeting Linux machines and IoT devices.
According to the malware's Github repository, EnemyBot derives its source code from multiple botnets, combining them into a more powerful and more adjustable malware. The original botnet code that EnemyBot uses includes Mirai, Qbot, and Zbot. In addition, the malware includes custom development (see figure 1).
Figure 1. EnemyBot page on Github.
The Keksec threat group is reported to have been formed in 2016 by a number of experienced botnet actors. In November 2021, researchers from Qihoo 360 described the threat actor's activity in detail in a presentation, attributing to Keksec the development of botnets for different platforms including Windows and Linux:
Linux based botnets: Tsunami and Gafgyt
Windows based botnets: DarkIRC, DarkHTTP
Dual systems: Necro (developed in Python)
Source code analysis
The developer of the EnemyBot Github page self-describes as a “full time malware dev” who is also available for contract work. The individual states their workplace as “Kek security,” implying a potential relationship with the broader Keksec group (see figure 2).
Figure 2. EnemyBot developer description.
The malware repository on Github contains four main sections:
cc7.py
This module is a Python script file that downloads all dependencies and compiles the malware for different OS architectures including x86, ARM, macOS, OpenBSD, PowerPC, MIPS, and more (see figure 3).
Figure 3. Compiling malware source code to macOS executable.
Once compilation is complete, the script then creates a batch file ‘update.sh’ which is used by the bot as a downloader that is then delivered to any identified vulnerable targets to spread the malware.
Figure 4. Generated `update.sh` file to spread EnemyBot on different architectures.
enemy.c
This is the main bot source code. Though it is missing the main exploitation function, it includes all other functionality of the malware and the attacks the bot supports by mixing the various botnet source codes as mentioned above (Mirai, Qbot, and Zbot) — mainly Mirai and Qbot (see figure 5).
Figure 5. EnemyBot source code.
hide.c
The attacker compiles and manually executes this module to encode and decode the malware’s strings, so that the strings are hidden in the binary. For that, the malware uses a simple swap table, in which each char is replaced with a corresponding char in the table (see figure 6).
Figure 6. String decode.
servertor.c
This is the command-and-control (C&C) component, the botnet controller. The C&C is executed on a dedicated machine that is controlled by the attacker. It can control and send commands to infected machines (see figure 7).
Figure 7. C&C component.
New variant analysis
Most of EnemyBot’s functionality relates to the malware’s spreading capabilities, as well as its ability to scan public-facing assets and look for vulnerable devices. However, the malware also has DDoS capabilities and can receive commands to download and execute new code (modules) from its operators that give the malware more functionality.
In new variants of EnemyBot, the malware added a webscan function containing a total of 24 exploits to attack vulnerabilities of different devices and web servers (see figure 8).
Figure 8. EnemyBot calls for a new function “webscan_xywz”.
To perform these functions, the malware randomly scans IP addresses and when it gets a response via SYN/ACK, EnemyBot then scans for vulnerabilities on the remote server by executing multiple exploits.
The first exploit is for the Log4j vulnerability discovered last year as CVE-2021-44228 and CVE-2021-45046:
Figure 9. Exploiting the Log4J vulnerability.
The malware also can adopt new vulnerabilities within days of those vulnerabilities being discovered. Some examples are Razer Sila (April 2022) which was published without a CVE (see figure 10) and a remote code execution (RCE) vulnerability impacting VMWare Workspace ONE with CVE-2022-22954 the same month (see figure 11).
Figure 10. Exploiting vulnerability in Razer Sila.
Figure 11. Exploiting vulnerability in VMWare Workspace ONE.
EnemyBot has also begun targeting content management systems (e.g. WordPress) by searching for vulnerabilities in various plugins, such as “Video Synchro PDF” (see figure 12).
Figure 12. EnemyBot targeting WordPress servers.
In the example shown in figure 12, notice that the malware elevates a local file inclusion (LFI) vulnerability into an RCE by injecting malicious code into ‘/proc/self/environ’. This method is not new and was described in 2009. The malware uses the LFI to call ‘environ’ and passes the shell command in the User-Agent HTTP header.
Another example of how the malware uses this method is shown in figure 13. In this example the malware is exploiting a vulnerability in DBltek GoIP.
Figure 13. Executing shell command through LFI vulnerability in DBltek.
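A defender-side triage sketch for the method described above, added here as an example and not taken from the Alien Labs report or from EnemyBot's code: it flags web access-log entries whose request resolves to /proc/self/environ and whose User-Agent carries script or shell syntax. The log lines, the `/app/view.php` path and the marker patterns are constructed assumptions to adapt to your own log format.

```python
import re
from typing import NamedTuple
from urllib.parse import unquote

# Apache/nginx "combined" format:
# host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?:[^"\\]|\\.)*" "(?P<ua>(?:[^"\\]|\\.)*)"$'
)

# Request target that resolves to a process environment file. Under CGI the
# request headers are exported as HTTP_* variables, so the User-Agent value
# ends up inside that file.
ENVIRON_RE = re.compile(r"(?:^|[=/])proc/(?:self|\d+)/environ")

# Script or shell syntax that has no place in a User-Agent (heuristic, assumption).
UA_CODE_RE = re.compile(
    r"<\?(?:php|=)?"
    r"|\b(?:system|passthru|shell_exec|exec|popen|eval)\s*\("
    r"|\$\(|`"
    r"|;\s*(?:wget|curl|sh|bash|busybox)\b"
    r"|\|\s*(?:sh|bash)\b",
    re.IGNORECASE,
)


class Finding(NamedTuple):
    src: str       # client address from the log line
    verdict: str   # see classify()
    served: bool   # True when the server answered 2xx, so triage it first
    target: str    # normalised request target


def normalise(target: str, max_rounds: int = 3) -> str:
    """Undo nested percent-encoding, drop NUL bytes, unify and collapse slashes."""
    prev = target
    for _ in range(max_rounds):
        cur = unquote(prev)
        if cur == prev:
            break
        prev = cur
    cleaned = prev.replace("\x00", "").replace("\\", "/").lower()
    return re.sub(r"/+", "/", cleaned)


def classify(match: "re.Match[str]"):
    """Return a Finding for a parsed log line, or None when nothing stands out."""
    target = normalise(match["target"])
    hits_environ = bool(ENVIRON_RE.search(target))
    header_code = bool(UA_CODE_RE.search(match["ua"]))
    if hits_environ and header_code:
        verdict = "lfi-environ+header-code"   # both halves of the method
    elif hits_environ:
        verdict = "lfi-environ-probe"         # inclusion attempt only
    elif header_code:
        verdict = "header-code-only"          # code in header, other target
    else:
        return None
    status = int(match["status"])
    return Finding(match["src"], verdict, 200 <= status < 300, target)


def triage(lines):
    """Return (findings, number_of_unparsable_lines)."""
    findings, skipped = [], 0
    for line in lines:
        match = LOG_RE.match(line.strip())
        if match is None:
            skipped += 1
            continue
        finding = classify(match)
        if finding is not None:
            findings.append(finding)
    return findings, skipped


# Constructed sample log (documentation address ranges, hypothetical paths).
SAMPLE_LOG = [
    '198.51.100.7 - - [26/May/2022:10:00:01 +0000] "GET /index.php?page=about HTTP/1.1" '
    '200 5123 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36"',
    '203.0.113.9 - - [26/May/2022:10:00:05 +0000] '
    '"GET /app/view.php?file=..%2F..%2F..%2Fproc%2Fself%2Fenviron HTTP/1.1" '
    '404 310 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [26/May/2022:10:00:06 +0000] '
    '"GET /app/view.php?file=%252e%252e%252f%252e%252e%252fproc%252fself%252fenviron%2500 '
    'HTTP/1.1" 200 1840 "-" "<?php system(\'id\'); ?>"',
    '192.0.2.44 - - [26/May/2022:10:00:09 +0000] "GET / HTTP/1.1" 200 900 "-" '
    '"Mozilla/5.0 $(id)"',
    'this line is not in combined log format',
]

if __name__ == "__main__":
    results, unparsable = triage(SAMPLE_LOG)
    for item in results:
        print(item)
    print("unparsable lines:", unparsable)
```

A 2xx answer to an `lfi-environ+header-code` request is the entry to investigate first, since it suggests the inclusion was served rather than rejected.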
After infection, EnemyBot will wait for further commands from its C&C. However, in parallel it will also further propagate by scanning for additional vulnerable devices. Alien Labs has listed below the commands the bot can receive from its C&C (accurate as of the publishing of this article).
If an Android device is connected through USB, or an Android emulator is running on the machine, EnemyBot will try to infect it by executing a shell command (see figure 14).
Figure 14. EnemyBot “adb_infect” function to attack Android devices.
Command: Action
SH: Execute shell command.
PING: Ping to server, wait for command.
LDSERVER: Change loader server for payload.
TCPON: Turn on sniffer.
RSHELL: Create a reverse shell on an infected machine.
TCPOFF: Turn off sniffer.
UDP: Start UDP flood attack.
TCP: Start TCP flood attack.
HTTP: Start HTTP flood attack.
HOLD: Start TCP connection flooder.
TLS: Start TLS attack, start handshake without closing the socket.
STD: Start non spoofed UDP flooder.
DNS: Start DNS flooder.
SCANNER ON | OFF: Start/Stop scanner – scan and infect vulnerable devices.
OVH: Start DDoS attack on OVH.
BLACKNURSE: Start ICMP flooder.
STOP: Stop ongoing attacks. Kill child processes.
ARK: Start targeted attack on ARK: Survival Evolved video game server.
ADNS: Receive targets list from C&C and start DNS attack.
ASSDP: Start SSDP flood attack.
We have also listed the current vulnerabilities EnemyBot uses. As mentioned, some of them have not been assigned a CVE yet. (As of the publishing of this article.)
CVE Number: Affected devices
CVE-2021-44228, CVE-2021-45046: Log4J RCE
CVE-2022-1388: F5 BIG IP RCE
No CVE (vulnerability published on 2022-02): Adobe ColdFusion 11 RCE
CVE-2020-7961: Liferay Portal – Java Unmarshalling via JSONWS RCE
No CVE (vulnerability published on 2022-04): PHP Scriptcase 9.7 RCE
CVE-2021-4039: Zyxel NWA-1100-NH Command injection
No CVE (vulnerability published on 2022-04): Razer Sila – Command injection
CVE-2022-22947: Spring Cloud Gateway – Code injection vulnerability
CVE-2022-22954: VMWare Workspace One RCE
CVE-2021-36356, CVE-2021-35064: Kramer VIAware RCE
No CVE (vulnerability published on 2022-03): WordPress Video Synchro PDF plugin LFI
No CVE (vulnerability published on 2022-02): Dbltek GoIP LFI
No CVE (vulnerability published on 2022-03): WordPress Cab Fare Calculator plugin LFI
No CVE (vulnerability published on 2022-03): Archeevo 5.0 LFI
CVE-2018-16763: Fuel CMS 1.4.1 RCE
CVE-2020-5902: F5 BigIP RCE
No CVE (vulnerability published on 2019): ThinkPHP 5.X RCE
No CVE (vulnerability published on 2017): Netgear DGN1000 1.1.00.48 ‘Setup.cgi’ RCE
CVE-2022-25075: TOTOLink A3000RU command injection vulnerability
CVE-2015-2051: D-Link devices – HNAP SOAPAction – Header command injection vulnerability
CVE-2014-9118: ZHOME < S3.0.501 RCE
CVE-2017-18368: Zyxel P660HN – unauthenticated command injection
CVE-2020-17456: Seowon SLR 120 router RCE
CVE-2018-10823: D-Link DWR command injection in various models
Recommended actions
Maintain minimal exposure to the Internet on Linux servers and IoT devices and use a properly configured firewall.
Enable automatic updates to ensure your software has the latest security updates.
Monitor network traffic, outbound port scans, and unreasonable bandwidth usage.
Conclusion
Keksec’s EnemyBot appears to be just starting to spread; however, due to the authors’ rapid updates, this botnet has the potential to become a major threat for IoT devices and web servers. The malware can quickly adopt one-day vulnerabilities (within days of a published proof of concept). This indicates that the Keksec group is well resourced and that the group has developed the malware to take advantage of vulnerabilities before they are patched, thus increasing the speed and scale at which it can spread.
Detection methods
The following associated detection methods are in use by Alien Labs. They can be used by readers to tune or deploy detections in their own environments or for aiding additional research.
SURICATA IDS SIGNATURES
Log4j sids: 2018202, 2018203, 2034647, 2034648, 2034649, 2034650, 2034651, 2034652, 2034653, 2034654, 2034655, 2034656, 2034657, 2034658, 2034659, 2034660, 2034661, 2034662, 2034663, 2034664, 2034665, 2034666, 2034667, 2034668, 2034671, 2034672, 2034673, 2034674, 2034676, 2034699, 2034700, 2034701, 2034702, 2034703, 2034706, 2034707, 2034708, 2034709, 2034710, 2034711, 2034712, 2034713, 2034714, 2034715, 2034716, 2034717, 2034723, 2034743, 2034744, 2034747, 2034748, 2034749, 2034750, 2034751, 2034755, 2034757, 2034758, 2034759, 2034760, 2034761, 2034762, 2034763, 2034764, 2034765, 2034766, 2034767, 2034768, 2034781, 2034782, 2034783, 2034784, 2034785, 2034786, 2034787, 2034788, 2034789, 2034790, 2034791, 2034792, 2034793, 2034794, 2034795, 2034796, 2034797, 2034798, 2034799, 2034800, 2034801, 2034802, 2034803, 2034804, 2034805, 2034806, 2034807, 2034808, 2034809, 2034810, 2034811, 2034819, 2034820, 2034831, 2034834, 2034835, 2034836, 2034839, 2034886, 2034887, 2034888, 2034889, 2034890, 2838340, 2847596, 4002714, 4002715
4001913: AV EXPLOIT LifeRay RCE (CVE-2020-7961)
4001943: AV EXPLOIT Liferay Portal Java Unmarshalling RCE (CVE-2020-7961)
4002589: AV EXPLOIT LifeRay Remote Code Execution – update-column (CVE-2020-7961)
2031318: ET CURRENT_EVENTS 401TRG Liferay RCE (CVE-2020-7961)
2031592: ET WEB_SPECIFIC_APPS Liferay Unauthenticated RCE via JSONWS Inbound (CVE-2020-7961)
2035955: ET EXPLOIT Razer Sila Router – Command Injection Attempt Inbound (No CVE)
2035956: ET EXPLOIT Razer Sila Router – LFI Attempt Inbound (No CVE)
2035380: ET EXPLOIT VMware Spring Cloud Gateway Code Injection (CVE-2022-2294) (set)
2035381: ET EXPLOIT VMware Spring Cloud Gateway Code Injection (CVE-2022-2294)
2035876: ET EXPLOIT VMWare Server-side Template Injection RCE (CVE-2022-22954)
2035875: ET EXPLOIT VMWare Server-side Template Injection RCE (CVE-2022-22954)
2035874: ET EXPLOIT VMWare Server-side Template Injection RCE (CVE-2022-22954)
2036416: ET EXPLOIT Possible VMware Workspace ONE Access RCE via Server-Side Template Injection Inbound (CVE-2022-22954)
4002364: AV EXPLOIT Fuel CMS RCE (CVE-2018-16763)
2030469: ET EXPLOIT F5 TMUI RCE vulnerability CVE-2020-5902 Attempt M1
2030483: ET EXPLOIT F5 TMUI RCE vulnerability CVE-2020-5902 Attempt M2
2836503: ETPRO EXPLOIT Attempted THINKPHP < 5.2.x RCE Inbound
2836504: ETPRO EXPLOIT Attempted THINKPHP < 5.2.x RCE Outbound
2836633: ETPRO EXPLOIT BlackSquid Failed ThinkPHP Payload Inbound
2026731: ET WEB_SERVER ThinkPHP RCE Exploitation Attempt
2024916: ET EXPLOIT Netgear DGN Remote Command Execution
2029215: ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound
2034576: ET EXPLOIT Netgear DGN Remote Code Execution
2035746: ET EXPLOIT Totolink – Command Injection Attempt Inbound (CVE-2022-25075)
4001488: AV TROJAN Mirai Outbound Exploit Scan, D-Link HNAP RCE (CVE-2015-2051)
2034491: ET EXPLOIT D-Link HNAP SOAPAction Command Injection (CVE-2015-2051)
4000095: AV EXPLOIT Unauthenticated Command Injection (ZyXEL P660HN-T v1)
4002327: AV TROJAN Mirai faulty Zyxel exploit attempt
2027092: ET EXPLOIT Possible ZyXEL P660HN-T v1 RCE
4002226: AV EXPLOIT Seowon Router RCE (CVE-2020-17456)
2035950: ET EXPLOIT SEOWON INTECH SLC-130/SLR-120S RCE Inbound M1 (CVE-2020-17456)
2035951: ET EXPLOIT SEOWON INTECH SLC-130/SLR-120S RCE Inbound M2 (CVE-2020-17456)
2035953: ET EXPLOIT D-Link DWR Command Injection Inbound (CVE-2018-10823)
AGENT SIGNATURES
Java Process Spawning Scripting Process
Java Process Spawning WMIC
Java Process Spawning Scripting Process via Commandline (For Jenkins servers)
Suspicious process executed by Jenkins Groovy scripts (For Jenkins servers)
Suspicious command executed by a Java listening process (For Linux servers)
Associated indicators (IOCs)
The following technical indicators are associated with the reported intelligence. A list of indicators is also available in the OTX Pulse. Please note, the pulse may include other activities related but out of the scope of the report.
Mapped to MITRE ATT&CK
The findings of this report are mapped to the following MITRE ATT&CK Matrix techniques:
TA0001: Initial Access
- T1190: Exploit Public-Facing Application
TA0008: Lateral Movement
- T1210: Exploitation of Remote Services
- T1021: Remote Services
TA0011: Command and Control
- T1132: Data Encoding
- T1001: Data Obfuscation
- T1030: Proxy
  - 003: Multi-hop Proxy
CVE-2021-28509
This advisory documents the impact of an internally found vulnerability in Arista EOS state streaming telemetry agent TerminAttr and OpenConfig transport protocols. The impact of this vulnerability is that, in certain conditions, TerminAttr might leak MACsec sensitive data in clear text in CVP to other authorized users, which could cause MACsec traffic to be decrypted or modified by other authorized users on the device.
CVE-2021-28508
This advisory documents the impact of an internally found vulnerability in Arista EOS state streaming telemetry agent TerminAttr and OpenConfig transport protocols. The impact of this vulnerability is that, in certain conditions, TerminAttr might leak IPsec sensitive data in clear text in CVP to other authorized users, which could cause IPsec traffic to be decrypted or modified by other authorized users on the device.
CWE-69 – Improper Handling of Windows ::DATA Alternate Data Stream
Description
The software does not properly prevent access to, or detect usage of, alternate data streams (ADS).
An attacker can use an ADS to hide information about a file (e.g. size, the name of the process) from a system or from file browser tools such as Windows Explorer and the ‘dir’ command-line utility. Alternatively, the attacker might be able to bypass intended access restrictions for the associated data fork.
Alternate data streams (ADS) were first implemented in the Windows NT operating system to provide compatibility between NTFS and the Macintosh Hierarchical File System (HFS). In HFS, data and resource forks are used to store information about a file. The data fork provides information about the contents of the file while the resource fork stores metadata such as file type.
Modes of Introduction:
– Architecture and Design
Related Weaknesses
Consequences
Access Control, Non-Repudiation, Other: Bypass Protection Mechanism, Hide Activities, Other
Potential Mitigations
Phase: Testing
Description:
Software tools are capable of finding ADSs on your system.
Phase: Implementation
Description:
Ensure that the source code correctly parses the filename to read or write to the correct stream.
CVE References
- CVE-1999-0278: In IIS, remote attackers can obtain source code for ASP files by appending “::$DATA” to the URL.
- CVE-2000-0927: Product does not properly record file sizes if they are stored in alternative data streams, which allows users to bypass quota restrictions.
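The Implementation mitigation above (parse the filename so the correct stream is addressed) can be illustrated with the “::$DATA” case from CVE-1999-0278. The following Python sketch is an added example, not code from the CWE entry or any affected product; the function names, the extension policy and the sample paths are assumptions constructed for illustration.

```python
import ntpath

SCRIPT_EXTENSIONS = {".asp", ".aspx"}  # constructed policy: never serve as text


def naive_is_script(url_path):
    """Extension test on the raw string, the pattern behind CVE-1999-0278."""
    return ntpath.splitext(url_path)[1].lower() in SCRIPT_EXTENSIONS


def split_stream(component):
    """Parse NTFS 'name[:stream[:type]]' into (name, stream, type).

    stream and type are None when the component carries no stream syntax.
    An omitted type defaults to $DATA, so 'f::$DATA' names the same bytes as 'f'.
    """
    name, sep, rest = component.partition(":")
    if not sep:
        return name, None, None
    stream, _, stype = rest.partition(":")
    return name, stream, stype or "$DATA"


def classify(url_path):
    """Return 'reject', 'script' or 'static' for a requested relative path."""
    components = [c for c in url_path.replace("\\", "/").split("/") if c]
    if not components:
        return "reject"
    for component in components:
        _name, stream, _stype = split_stream(component)
        # A web-served name never needs stream syntax: refuse it outright
        # instead of trying to decide which stream the caller meant.
        if stream is not None:
            return "reject"
    ext = ntpath.splitext(components[-1])[1].lower()
    return "script" if ext in SCRIPT_EXTENSIONS else "static"


if __name__ == "__main__":
    for path in ("/app/default.asp", "/app/default.asp::$DATA",
                 "/docs/readme.txt:hidden", "/img/logo.png"):
        print(path, naive_is_script(path), classify(path))
```

The naive check sees the extension `.asp::$DATA`, fails to match `.asp`, and would treat the script as static content; the parsing check refuses the request before any extension decision is made.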
CWE-689 – Permission Race Condition During Resource Copy
Description
The product, while copying or cloning a resource, does not set the resource’s permissions or access control until the copy is complete, leaving the resource exposed to other spheres while the copy is taking place.
Modes of Introduction:
– Implementation
Related Weaknesses
Consequences
Confidentiality, Integrity: Read Application Data, Modify Application Data
Potential Mitigations
CVE References
- CVE-2002-0760: Archive extractor decompresses files with world-readable permissions, then later sets permissions to what the archive specified.
- CVE-2005-2174: Product inserts a new object into database before setting the object’s permissions, introducing a race condition.
- CVE-2006-5214: Error file has weak permissions before a chmod is performed.
- CVE-2005-2475: Archive permissions issue using hard link.
- CVE-2003-0265: Database product creates files world-writable before initializing the setuid bits, leading to modification of executables.
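The copy-then-chmod window described for CWE-689 can be measured directly. The following Python sketch is an added example for POSIX systems, not code from the CWE entry or the products listed; the function names, file names and the umask of 022 are assumptions, and the secret file is constructed sample data.

```python
import os
import shutil
import stat
import tempfile


def racy_copy(src, dst, mode):
    """CWE-689 pattern: the data lands first, permissions are fixed afterwards."""
    shutil.copyfile(src, dst)  # dst gets the umask-derived default mode
    exposed = stat.S_IMODE(os.stat(dst).st_mode)  # mode visible during the window
    os.chmod(dst, mode)
    return exposed


def safe_copy(src, dst, mode):
    """Create dst owner-only before any byte is written; set final mode last."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(dst, flags, 0o600)  # O_EXCL: refuse a pre-created file or link
    try:
        exposed = stat.S_IMODE(os.fstat(fd).st_mode)
        with open(src, "rb") as fin, os.fdopen(fd, "wb", closefd=False) as fout:
            shutil.copyfileobj(fin, fout)
        os.fchmod(fd, mode)  # applied to the open descriptor, not to a path
    except BaseException:
        os.unlink(dst)  # do not leave a partial copy behind
        raise
    finally:
        os.close(fd)
    return exposed


def demo():
    """Copy a constructed secret both ways; return the modes seen mid-copy."""
    old_umask = os.umask(0o022)  # assumed typical umask, for a stable result
    try:
        with tempfile.TemporaryDirectory() as workdir:
            src = os.path.join(workdir, "secret.src")
            with open(src, "wb") as handle:
                handle.write(b"constructed sample secret\n")
            racy = racy_copy(src, os.path.join(workdir, "racy"), 0o600)
            safe_path = os.path.join(workdir, "safe")
            safe = safe_copy(src, safe_path, 0o600)
            final = stat.S_IMODE(os.stat(safe_path).st_mode)
            return racy, safe, final
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    print([oct(m) for m in demo()])
```

With the assumed umask, the racy copy is world-readable (0644) until the chmod runs, while the safe copy is never wider than 0600.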