This vulnerability allows remote attackers to disclose sensitive information on affected installations of KeySight N6841A RF Sensor. Authentication is not required to exploit this vulnerability.
Monthly Archives: May 2022
Ransomware Roundup – 2022/05/26
FortiGuard Labs became aware of a number of new ransomware strains for the week of May 23rd, 2022. It is imperative to raise awareness about new ransomware, as infections can cause severe damage to the affected machines and organizations. This Threat Signal covers Yashma ransomware, GoodWill ransomware and Horsemagyar ransomware, along with Fortinet protections against them.

What is Yashma Ransomware?

Yashma ransomware is new and is generated through the Yashma ransomware builder, which is claimed to be the sixth version of the Chaos ransomware builder. Reportedly, compared to the fifth version, the Yashma builder now supports a “forbidden country” option, which lets attackers choose not to run the generated ransomware based on the victim’s location. The new builder also enables the ransomware to stop a wide variety of services running on the compromised machine, such as anti-malware solutions and Remote Desktop and Backup services. Additionally, it is important to note that, starting from the fifth version of the Chaos ransomware builder, the crafted ransomware can successfully encrypt files larger than 2,117,152 bytes and no longer corrupts them.

A known sample of Yashma ransomware has the following ransom note:

All of your files have been encrypted with Yashma ransomware
Your computer was infected with a ransomware. Your files have been encrypted and you won’t be able to decrypt them without our help.
What can I do to get my files back?
You can buy our special decryption software, this software will allow you to recover all of your data and remove the ransomware from your computer.
The price for the software is $1,500. Payment can be made in Bitcoin only.
How do I pay, where do I get Bitcoin?
Purchasing Bitcoin varies from country to country, you are best advised to do a quick google search yourself to find out how to buy Bitcoin.
Many of our customers have reported these sites to be fast and reliable:
Coinmama – hxxps://www[.]coinmama[.]com
Bitpanda – hxxps://www[.]bitpanda[.]com
Payment information
Amount: 0.1473766 BTC
Bitcoin Address: [removed]

At the time of this writing, the attacker’s bitcoin wallet has no transactions.

FortiGuard Labs previously released several blogs on Chaos ransomware. See the Appendix for links to “Chaos Ransomware Variant Sides with Russia” and “Chaos Ransomware Variant in Fake Minecraft Alt List Brings Destruction to Japanese Gamers”.

What is the Status of Coverage for Yashma Ransomware?

FortiGuard Labs provides the following AV coverage against a known sample of Yashma ransomware:
MSIL/Filecoder.APU!tr.ransom

What is GoodWill Ransomware?

GoodWill ransomware was recently discovered; however, it appears to have been first observed in March 2022. The ransomware encrypts files on the compromised machine and adds a “.gdwill” file extension to the affected files.

Unlike other ransomware that demands a ransom to recover the encrypted files, GoodWill asks the victim to do three good deeds. Firstly, the victim must provide clothes and blankets to needy people on the street. Secondly, the victim must feed dinner to five children at a pizza or fried chicken joint. Lastly, the victim must visit a local hospital and provide financial assistance to those in need. After finishing each deed, proof must be provided to the attacker, and a decryption tool and video instructions will be provided to the victim after completing all the deeds.

What is the Status of Coverage for GoodWill Ransomware?

FortiGuard Labs provides the following AV coverage against GoodWill ransomware:
MSIL/Filecoder.AGR!tr.ransom

What is Horsemagyar Ransomware?

Horsemagyar ransomware is a recently discovered new variant of Sojusz ransomware. It encrypts files on the compromised machine and adds a “.[10 digit ID number].spanielearslook.likeoldboobs” file extension to the encrypted files. The ransomware leaves a ransom note named Horse.txt. The first sighting of Sojusz ransomware goes back to February 2022; it added a “.[10 digit ID number].[attacker’s email address].bec” extension to the files it encrypted.

An example of the ransom note left behind by Horsemagyar ransomware is below:

::: Hello my dear friend :::
Unfortunately for you, a major IT security weakness left you open to attack, your files have been encrypted
If you want to restore them, write to our skype – [removed] DECRYPTION
Also you can write ICQ live chat which works 24/7 @[removed]
Install ICQ software on your PC https://icq[.]com/windows/ or on your mobile phone search in Appstore / Google market ICQ
Write to our ICQ @HORSEMAGYAR https://icq[.]im/[removed]
If we not reply in 6 hours you can write to our mail but use it only if previous methods not working – [removed]@onionmail.org
Attention!
* Do not rename encrypted files.
* Do not try to decrypt your data using third party software, it may cause permanent data loss.
* We are always ready to cooperate and find the best way to solve your problem.
* The faster you write, the more favorable the conditions will be for you.
* Our company values its reputation. We give all guarantees of your files decryption, such as test decryption some of them
We respect your time and waiting for respond from your side
tell your MachineID: MAHINE_ID and LaunchID: LAUNCH__ID
Sensitive data on your system was DOWNLOADED.
If you DON’T WANT your sensitive data to be PUBLISHED you have to act quickly.
Data includes:
- Employees personal data, CVs, DL, SSN.
- Complete network map including credentials for local and remote services.
- Private financial information including: clients data, bills, budgets, annual reports, bank statements.
- Manufacturing documents including: datagrams, schemas, drawings in solidworks format
- And more…

What is the Status of Coverage against Horsemagyar Ransomware?

FortiGuard Labs provides the following AV coverage against Horsemagyar ransomware:
W32/Filecoder.NSF!tr.ransom

Anything Else to Note?

Victims of ransomware are cautioned against paying ransoms by organizations such as CISA, NCSC, the FBI, and HHS. Payment does not guarantee that files will be recovered. It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities, which could potentially be illegal according to a U.S. Department of the Treasury Office of Foreign Assets Control (OFAC) advisory.
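As an added defender-side example (not FortiGuard's code and not part of the original roundup), the following Python turns the encrypted-file extensions and ransom-note indicators described above into a small triage helper that can be run over a file listing from a suspect host. The file names it runs over are constructed for the demo, and the Sojusz e-mail pattern is an assumption, since the roundup only gives an "[attacker's email address]" placeholder.

```python
"""Triage helper: map observed file names and ransom-note text to the
ransomware families described in the roundup. Added example; the
sample paths below are constructed, not real victim data."""
import re
from collections import Counter

# Encrypted-file extension patterns, taken from the roundup's descriptions.
# "[10 digit ID number]" becomes \d{10}; the Sojusz "[attacker's email
# address]" placeholder becomes a loose e-mail match (assumption).
EXTENSION_PATTERNS = {
    "GoodWill":    re.compile(r"\.gdwill$", re.IGNORECASE),
    "Horsemagyar": re.compile(r"\.\d{10}\.spanielearslook\.likeoldboobs$", re.IGNORECASE),
    "Sojusz":      re.compile(r"\.\d{10}\.[^\\/.\s]+@[^\\/\s]+\.bec$", re.IGNORECASE),
}

# Ransom-note indicators: the note file name the roundup reports for
# Horsemagyar, and the opening line of each note quoted in the roundup.
NOTE_FILENAMES = {"horse.txt": "Horsemagyar"}
NOTE_OPENERS = {
    "All of your files have been encrypted with Yashma ransomware": "Yashma",
    "::: Hello my dear friend :::": "Horsemagyar",
}


def classify_filename(path):
    """Return the family whose encrypted-file extension or note file name
    matches this path, or None. Accepts Windows or POSIX separators."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    family = NOTE_FILENAMES.get(name.lower())
    if family:
        return family
    for family, pattern in EXTENSION_PATTERNS.items():
        if pattern.search(name):
            return family
    return None


def classify_note(text):
    """Return the family whose quoted ransom note opens with the first
    non-empty line of `text`, or None."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            return NOTE_OPENERS.get(line)
    return None


def triage(paths):
    """Count matching files per family over a list of observed paths."""
    counts = Counter()
    for path in paths:
        family = classify_filename(path)
        if family:
            counts[family] += 1
    return dict(counts)


# Constructed sample listing for the demo (not real victim data).
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xlsx.gdwill",
    r"C:\Users\alice\Documents\report.docx.1234567890.spanielearslook.likeoldboobs",
    r"C:\Users\alice\Desktop\Horse.txt",
    r"C:\Share\drawing.sldprt.0987654321.crook@example.com.bec",
    r"C:\Users\alice\Documents\notes.txt",
]

if __name__ == "__main__":
    for sample in SAMPLE_PATHS:
        print(f"{classify_filename(sample) or '-':12} {sample}")
    print(triage(SAMPLE_PATHS))
```

A single match on the ".gdwill" or Horsemagyar extension is enough to escalate, since the roundup ties each extension to exactly one family; the 10-digit ID check keeps truncated or partially renamed files from producing false positives.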
CWE
CWE (Common Weakness Enumeration) is a list of common types of hardware and software defects that have security implications. The CWE list can be used as a framework to describe and communicate such vulnerabilities in terms of CWEs.
The goal is to support methods (including automated ones) for controlling and preventing software errors. It can be used at the development stage, during code review, and later during penetration testing to classify and communicate the vulnerability type to developers. The system is at version 4.7 and contains over 600 categories of weaknesses and vulnerabilities.
The CWE Top 25 Most Dangerous Software Weaknesses list is a list of the most common programming errors that can lead to software vulnerabilities. Weaknesses in the CWE Top 25 are usually easy to detect and exploit. For example, CWE-79 covers Cross-Site Scripting, while CWE-89 covers SQL Injection. A similar project is the OWASP (Open Web Application Security Project) Top Ten. Compared to the CWE Top 25, the OWASP Top Ten focuses solely on web application vulnerabilities.
The CWE Most Important Hardware Weakness List serves the same purpose, but it focuses on hardware defects.
Please check our post about Vulnerability Analysis to learn more about CWE usage.
Please find a list of all the CWEs below, or use the search box above to find a specific CWE.
- CWE-500 – Public Static Field Not Marked Final
Description: An object contains a public static field that is not marked final, which might allow it to be modified in unexpected ways. Public static variables can be read without an accessor and changed without a mutator by any classes in the application. When a field is declared public but not final, the field can…
- CWE-501 – Trust Boundary Violation
Description: The product mixes trusted and untrusted data in the same data structure or structured message. A trust boundary can be thought of as a line drawn through a program. On one side of the line, data is untrusted. On the other side of the line, data is assumed to be trustworthy. The purpose of validation…
- CWE-464 – Addition of Data Structure Sentinel
Description: The accidental addition of a data-structure sentinel can cause serious programming logic problems. Data-structure sentinels are often used to mark the structure of data. A common example of this is the null character at the end of strings or a special sentinel to mark the end of a linked list. It is dangerous to…
- CWE-466 – Return of Pointer Value Outside of Expected Range
Description: A function can return a pointer to memory that is outside of the buffer that the pointer is expected to reference. Modes of Introduction: Architecture and Design. Related Weaknesses: CWE-119, CWE-20. Consequences: Confidentiality, Integrity: Read Memory, Modify Memory. Potential Mitigations: none listed. CVE References: none listed.
- CWE-467 – Use of sizeof() on a Pointer Type
Description: The code calls sizeof() on a malloced pointer type, which always returns the wordsize/8. This can produce an unexpected result if the programmer intended to determine how much memory has been allocated. The use of sizeof() on a pointer can sometimes generate useful information. An obvious case is to find out the wordsize on…
- CWE-468 – Incorrect Pointer Scaling
Description: In C and C++, one may often accidentally refer to the wrong memory due to the semantics of when math operations are implicitly scaled. Modes of Introduction: Implementation. Likelihood of Exploit: Medium. Related Weaknesses: CWE-682. Consequences: Confidentiality, Integrity: Read Memory, Modify Memory. Incorrect pointer scaling will often result in buffer…
- CWE-469 – Use of Pointer Subtraction to Determine Size
Description: The application subtracts one pointer from another in order to determine size, but this calculation can be incorrect if the pointers do not exist in the same memory chunk. Modes of Introduction: Implementation. Likelihood of Exploit: Medium. Related Weaknesses: CWE-682. Consequences: Access Control, Integrity, Confidentiality, Availability: Modify Memory, Read Memory,…
- CWE-47 – Path Equivalence: ‘ filename’ (Leading Space)
Description: A software system that accepts path input in the form of a leading space (‘ filedir’) without appropriate validation can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files. Modes of Introduction: Implementation. Related Weaknesses: CWE-41. Consequences: Confidentiality, Integrity:…
- CWE-470 – Use of Externally-Controlled Input to Select Classes or Code (‘Unsafe Reflection’)
Description: The application uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code. If the application uses external inputs to determine which class to instantiate or which method to invoke, then an attacker could supply values to select…
- CWE-471 – Modification of Assumed-Immutable Data (MAID)
Description: The software does not properly protect an assumed-immutable element from being modified by an attacker. This occurs when a particular input is critical enough to the functioning of the application that it should not be modifiable at all, but it is. Certain resources are often assumed to be immutable when they are not, such…
- CWE-472 – External Control of Assumed-Immutable Web Parameter
Description: The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable, such as hidden form fields. Modes of Introduction: Implementation. Related Weaknesses: CWE-642, CWE-471. Consequences: Integrity: Modify Application Data. Without appropriate protection mechanisms, the client can easily tamper with cookies and similar…
- CWE-473 – PHP External Variable Modification
Description: A PHP application does not properly protect against the modification of variables from external sources, such as query parameters or cookies. This can expose the application to numerous weaknesses that would not exist otherwise. Modes of Introduction: Implementation. Related Weaknesses: CWE-471, CWE-98. Consequences: Integrity: Modify Application Data. Potential Mitigations:…
- CWE-474 – Use of Function with Inconsistent Implementations
Description: The code uses a function that has inconsistent implementations across operating systems and versions. Modes of Introduction: Architecture and Design. Related Weaknesses: CWE-758. Consequences: Other: Quality Degradation, Varies by Context. Potential Mitigations: Phase: Architecture and Design, Requirements. Description: Do not accept inconsistent behavior from the API specifications when the…
- CWE-475 – Undefined Behavior for Input to API
Description: The behavior of this function is undefined unless its control parameter is set to a specific value. Modes of Introduction: Architecture and Design. Related Weaknesses: CWE-573. Consequences: Other: Quality Degradation, Varies by Context. Potential Mitigations: none listed. CVE References: none listed.
- CWE-476 – NULL Pointer Dereference
Description: A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit. NULL pointer dereference issues can occur through a number of flaws, including race conditions and simple programming omissions. Modes of Introduction: Implementation. Likelihood of Exploit: Medium…
- CWE-477 – Use of Obsolete Function
Description: The code uses deprecated or obsolete functions, which suggests that the code has not been actively reviewed or maintained. Modes of Introduction: Implementation. Related Weaknesses: CWE-710. Consequences: Other: Quality Degradation. Potential Mitigations: Phase: Implementation. Description: Refer to the documentation for the obsolete function in order to determine why it…
- CWE-478 – Missing Default Case in Switch Statement
Description: The code does not have a default case in a switch statement, which might lead to complex logical errors and resultant weaknesses. This flaw represents a common problem in software development, in which not all possible values for a variable are considered or handled by a given process. Because of this, further decisions are…
- CWE-479 – Signal Handler Use of a Non-reentrant Function
Description: The program defines a signal handler that calls a non-reentrant function. Modes of Introduction: Architecture and Design. Likelihood of Exploit: Low. Related Weaknesses: CWE-828, CWE-663, CWE-123. Consequences: Integrity, Confidentiality, Availability: Execute Unauthorized Code or Commands. It may be possible to execute arbitrary code through the use of a write-what-where condition.…
- CWE-48 – Path Equivalence: ‘file name’ (Internal Whitespace)
Description: A software system that accepts path input in the form of an internal space (‘file(SPACE)name’) without appropriate validation can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files. Modes of Introduction: Implementation. Related Weaknesses: CWE-41. Consequences: Confidentiality, Integrity: Read…
- CWE-480 – Use of Incorrect Operator
Description: The programmer accidentally uses the wrong operator, which changes the application logic in security-relevant ways. These types of errors are generally the result of a typo. Modes of Introduction: Implementation. Likelihood of Exploit: Low. Related Weaknesses: CWE-670. Consequences: Other: Alter Execution Logic. This weakness can cause unintended logic to be…
- CWE-481 – Assigning instead of Comparing
Description: The code uses an operator for assignment when the intention was to perform a comparison. In many languages the compare statement is very close in appearance to the assignment statement, and the two are often confused. This bug is generally the result of a typo and usually causes obvious problems with program execution. If the comparison…
- CWE-482 – Comparing instead of Assigning
Description: The code uses an operator for comparison when the intention was to perform an assignment. In many languages, the compare statement is very close in appearance to the assignment statement; they are often confused. Modes of Introduction: Implementation. Likelihood of Exploit: Low. Related Weaknesses: CWE-480. Consequences: Availability, Integrity: Unexpected State…
- CWE-443 – DEPRECATED: HTTP response splitting
Description: This weakness can be found at CWE-113. Modes of Introduction, Related Weaknesses, Consequences, Potential Mitigations, CVE References: none listed.
- CWE-444 – Inconsistent Interpretation of HTTP Requests (‘HTTP Request Smuggling’)
Description: When malformed or abnormal HTTP requests are interpreted by one or more entities in the data flow between the user and the web server, such as a proxy or firewall, they can be interpreted inconsistently, allowing the attacker to “smuggle” a request to one device without the other device being aware of it. Modes…
- CWE-446 – UI Discrepancy for Security Feature
Description: The user interface does not correctly enable or configure a security feature, but the interface provides feedback that causes the user to believe that the feature is in a secure state. When the user interface does not properly reflect what the user asks of it, then it can lead the user into a false…
- CWE-447 – Unimplemented or Unsupported Feature in UI
Description: A UI function for a security feature appears to be supported and gives feedback to the user that suggests that it is supported, but the underlying functionality is not implemented. Modes of Introduction: Architecture and Design. Related Weaknesses: CWE-446, CWE-671. Consequences: Other: Varies by Context. Potential Mitigations: Phase: Testing…
- CWE-448 – Obsolete Feature in UI
Description: A UI function is obsolete and the product does not warn the user. Modes of Introduction: Implementation. Related Weaknesses: CWE-446. Consequences: Other: Quality Degradation, Varies by Context. Potential Mitigations: Phase: Architecture and Design. Description: Remove the obsolete feature from the UI. Warn the user that the feature is no…
- CWE-449 – The UI Performs the Wrong Action
Description: The UI performs the wrong action with respect to the user’s request. Modes of Introduction: Implementation. Related Weaknesses: CWE-446. Consequences: Other: Quality Degradation, Varies by Context. Potential Mitigations: Phase: Testing. Description: Perform extensive functionality testing of the UI. The UI should behave as specified. CVE References: CVE-2001-1387 Network firewall…
- CWE-45 – Path Equivalence: ‘file…name’ (Multiple Internal Dot)
Description: A software system that accepts path input in the form of multiple internal dots (‘file…dir’) without appropriate validation can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files. Modes of Introduction: Implementation. Related Weaknesses: CWE-44, CWE-165. Consequences: Confidentiality,…
- CWE-450 – Multiple Interpretations of UI Input
Description: The UI has multiple interpretations of user input but does not prompt the user when it selects the less secure interpretation. Modes of Introduction: Architecture and Design. Related Weaknesses: CWE-357. Consequences: Other: Varies by Context. Potential Mitigations: Phase: Implementation. Description: Inputs should be decoded and canonicalized…
- CWE-451 – User Interface (UI) Misrepresentation of Critical Information
Description: The user interface (UI) does not properly represent critical information to the user, allowing the information, or its source, to be obscured or spoofed. This is often a component in phishing attacks. Modes of Introduction: Architecture and Design. Related Weaknesses: CWE-684, CWE-221, CWE-346. Consequences: Non-Repudiation, Access Control: Hide…
- CWE-453 – Insecure Default Variable Initialization
Description: The software, by default, initializes an internal variable with an insecure or less secure value than is possible. Modes of Introduction: Architecture and Design. Related Weaknesses: CWE-1188. Consequences: Integrity: Modify Application Data. An attacker could gain access to and modify sensitive data or system information. Potential Mitigations: Phase: System…
- CWE-454 – External Initialization of Trusted Variables or Data Stores
Description: The software initializes critical internal variables or data stores using inputs that can be modified by untrusted actors. A software system should be reluctant to trust variables that have been initialized outside of its trust boundary, especially if they are initialized by users. The variables may have been initialized incorrectly. If an attacker can…
- CWE-455 – Non-exit on Failed Initialization
Description: The software does not exit or otherwise modify its operation when security-relevant errors occur during initialization, such as when a configuration file has a format error, which can cause the software to execute in a less secure fashion than intended by the administrator. Modes of Introduction: Architecture and Design. Related Weaknesses:…
- CWE-456 – Missing Initialization of a Variable
Description: The software does not initialize critical variables, which causes the execution environment to use unexpected values. Modes of Introduction: Implementation. Related Weaknesses: CWE-909, CWE-665, CWE-89, CWE-120, CWE-98, CWE-457. Consequences: Integrity, Other: Unexpected State, Quality Degradation, Varies by Context. The uninitialized data may be invalid, causing logic errors within the…
- CWE-457 – Use of Uninitialized Variable
Description: The code uses a variable that has not been initialized, leading to unpredictable or unintended results. In some languages such as C and C++, stack variables are not initialized by default. They generally contain junk data with the contents of stack memory before the function was invoked. An attacker can sometimes control or read…
- CWE-458 – DEPRECATED: Incorrect Initialization
Description: This weakness has been deprecated because its name and description did not match. The description duplicated CWE-454, while the name suggested a more abstract initialization problem. Please refer to CWE-665 for the more abstract problem. Modes of Introduction, Related Weaknesses, Consequences, Potential Mitigations, CVE References: none listed.
- CWE-459 – Incomplete Cleanup
Description: The software does not properly “clean up” and remove temporary or supporting resources after they have been used. Modes of Introduction: Architecture and Design. Related Weaknesses: CWE-404. Consequences: Other, Confidentiality, Integrity: Other, Read Application Data, Modify Application Data, DoS: Resource Consumption (Other). It is possible to overflow the number…
- CWE-46 – Path Equivalence: ‘filename ‘ (Trailing Space)
Description: A software system that accepts path input in the form of a trailing space (‘filedir ‘) without appropriate validation can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files. Modes of Introduction: Implementation. Related Weaknesses: CWE-41, CWE-162, CWE-289. Consequences:…
- CWE-460 – Improper Cleanup on Thrown Exception
Description: The product does not clean up its state or incorrectly cleans up its state when an exception is thrown, leading to unexpected state or control flow. Often, when functions or loops become complicated, some level of resource cleanup is needed throughout execution. Exceptions can disturb the flow of the code and prevent the necessary…
- CWE-462 – Duplicate Key in Associative List (Alist)
Description: Duplicate keys in associative lists can lead to non-unique keys being mistaken for an error. A duplicate key entry, if the alist is designed properly, could be used as a constant-time replace function. However, duplicate key entries could be inserted by mistake. Because of this ambiguity, duplicate key entries in an…
- CWE-463 – Deletion of Data Structure Sentinel
Description: The accidental deletion of a data-structure sentinel can cause serious programming logic problems. Data-structure sentinels are often used to mark the structure of the data structure. A common example of this is the null character at the end of strings. Another common example is linked lists, which may contain a sentinel to mark the…
- CWE-422 – Unprotected Windows Messaging Channel (‘Shatter’)
Description: The software does not properly verify the source of a message in the Windows Messaging System while running at elevated privileges, creating an alternate channel through which an attacker can directly send a message to the product. Modes of Introduction: Architecture and Design. Related Weaknesses: CWE-420, CWE-360. Consequences: Access Control:…
- CWE-423 – DEPRECATED: Proxied Trusted Channel
Description: This entry has been deprecated because it was a duplicate of CWE-441. All content has been transferred to CWE-441. Modes of Introduction, Related Weaknesses, Consequences, Potential Mitigations, CVE References: none listed.
- CWE-424 – Improper Protection of Alternate Path
Description: The product does not sufficiently protect all possible paths that a user can take to access restricted functionality or resources. Modes of Introduction: Architecture and Design. Related Weaknesses: CWE-693, CWE-638. Consequences: Access Control: Bypass Protection Mechanism, Gain Privileges or Assume Identity. Potential Mitigations: Phase: Architecture and Design. Description: Deploy…
- CWE-425 – Direct Request (‘Forced Browsing’)
Description: The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files. Web applications susceptible to direct request attacks often make the false assumption that such resources can only be reached through a given navigation path and so only apply authorization at certain points in the path. Modes of Introduction:…
- CWE-426 – Untrusted Search Path
Description: The application searches for critical resources using an externally-supplied search path that can point to resources that are not under the application’s direct control. Modes of Introduction: Architecture and Design. Likelihood of Exploit: High. Related Weaknesses: CWE-642, CWE-668, CWE-673, CWE-427, CWE-428. Consequences: Integrity, Confidentiality, Availability, Access Control: Gain Privileges or…
- CWE-427 – Uncontrolled Search Path Element
Description: The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors. Modes of Introduction: Implementation. Related Weaknesses: CWE-668. Consequences: Confidentiality, Integrity, Availability: Execute Unauthorized Code or Commands. Potential Mitigations: Phase: Architecture…
- CWE-428 – Unquoted Search Path or Element
Description: The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path. If a malicious individual has access to the file system, it is possible to elevate privileges by inserting such a file as…
- CWE-43 – Path Equivalence: ‘filename….’ (Multiple Trailing Dot)
Description: A software system that accepts path input in the form of multiple trailing dots (‘filedir….’) without appropriate validation can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files. Modes of Introduction: Implementation. Related Weaknesses: CWE-42, CWE-163. Consequences: Confidentiality,…
- CWE-430 – Deployment of Wrong Handler
Description: The wrong “handler” is assigned to process an object. An example of deploying the wrong handler would be calling a servlet to reveal the source code of a .JSP file, or automatically “determining” the type of the object even if it is contradictory to an explicitly specified type. Modes of Introduction: Implementation. Related…
- CWE-431 – Missing Handler
Description: A handler is not available or implemented. When an exception is thrown and not caught, the process has given up an opportunity to decide if a given failure or event is worth a change in execution. Modes of Introduction: Implementation. Related Weaknesses: CWE-691, CWE-433. Consequences: Other: Varies by Context…
- CWE-432 – Dangerous Signal Handler not Disabled During Sensitive Operations
Description: The application uses a signal handler that shares state with other signal handlers, but it does not properly mask or prevent those signal handlers from being invoked while the original signal handler is still running. During the execution of a signal handler, it can be interrupted by another handler when a different signal is…
- CWE-433 – Unparsed Raw Web Content Delivery
Description: The software stores raw content or supporting code under the web document root with an extension that is not specifically handled by the server. If code is stored in a file with an extension such as “.inc” or “.pl”, and the web server does not have a handler for that extension, then the server…
- CWE-434 – Unrestricted Upload of File with Dangerous Type
Description: The software allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product’s environment. Modes of Introduction: Implementation. Likelihood of Exploit: Medium. Related Weaknesses: CWE-669, CWE-351, CWE-436, CWE-430. Consequences: Integrity, Confidentiality, Availability: Execute Unauthorized Code or Commands. Arbitrary code execution is…
- CWE-435 – Improper Interaction Between Multiple Correctly-Behaving Entities
Description: An interaction error occurs when two entities have correct behavior when running independently of each other, but when they are integrated as components in a larger system or process, they introduce incorrect behaviors that may cause resultant weaknesses. When a system or process combines multiple independent components, this often produces new, emergent behaviors at…
- CWE-436 – Interpretation Conflict
Description: Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B’s state. This is generally found in proxies, firewalls, anti-virus software, and other intermediary devices that monitor, allow, deny, or modify traffic based on how the client or server is expected to…
- CWE-437 – Incomplete Model of Endpoint Features
Description: A product acts as an intermediary or monitor between two or more endpoints, but it does not have a complete model of an endpoint’s features, behaviors, or state, potentially causing the product to perform incorrect actions based on this incomplete model. Modes of Introduction: Architecture and Design. Related Weaknesses: CWE-436…
- CWE-439 – Behavioral Change in New Version or Environment
Description: A’s behavior or functionality changes with a new version of A, or a new environment, which is not known (or manageable) by B. Modes of Introduction: Architecture and Design. Related Weaknesses: CWE-435. Consequences: Other: Quality Degradation, Varies by Context. Potential Mitigations: none listed. CVE References: CVE-2002-1976 Linux kernel 2.2 and above…
- CWE-44 – Path Equivalence: ‘file.name’ (Internal Dot)
Description: A software system that accepts path input in the form of an internal dot (‘file.ordir’) without appropriate validation can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files. Modes of Introduction: Implementation. Related Weaknesses: CWE-41. Consequences: Confidentiality, Integrity: Read…
-
CWE-440 – Expected Behavior Violation
Description A feature, API, or function does not perform according to its specification. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-684 Consequences Other: Quality Degradation, Varies by Context Potential Mitigations CVE References CVE-2003-0187 Program uses large timeouts on “undeserving” to compensate for inconsistency of support for linked lists. CVE-2003-0465…
-
CWE-441 – Unintended Proxy or Intermediary (‘Confused Deputy’)
Description The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product’s control sphere. This causes the product to appear to be the source of the request,…
-
CWE-401 – Missing Release of Memory after Effective Lifetime
Description The software does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory. This is often triggered by improper handling of malformed data or unexpectedly interrupted sessions. In some languages, developers are responsible for tracking memory allocation and releasing the memory. If there are no more pointers…
-
CWE-402 – Transmission of Private Resources into a New Sphere (‘Resource Leak’)
Description The software makes resources available to untrusted parties when those resources are only intended to be accessed by the software. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-668 Consequences Confidentiality: Read Application Data Potential Mitigations CVE References
-
CWE-403 – Exposure of File Descriptor to Unintended Control Sphere (‘File Descriptor Leak’)
Description A process does not close sensitive file descriptors before invoking a child process, which allows the child to perform unauthorized I/O operations using those descriptors. When a new process is forked or executed, the child process inherits any open file descriptors. When the child process has fewer privileges than the parent process, this might…
-
CWE-404 – Improper Resource Shutdown or Release
Description The program does not release or incorrectly releases a resource before it is made available for re-use. When a resource is created or allocated, the developer is responsible for properly releasing the resource as well as accounting for all potential paths of expiration or invalidation, such as a set period of time or revocation.…
-
CWE-405 – Asymmetric Resource Consumption (Amplification)
Description Software that does not appropriately monitor or control resource consumption can lead to adverse system performance. This situation is amplified if the software allows malicious users or attackers to consume more resources than their access level permits. Exploiting such a weakness can lead to asymmetric resource consumption, aiding in amplification attacks against the system…
-
CWE-407 – Inefficient Algorithmic Complexity
Description An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached. Modes of Introduction: – Architecture and Design Likelihood of Exploit: Low Related Weaknesses CWE-405…
-
CWE-408 – Incorrect Behavior Order: Early Amplification
Description The software allows an entity to perform a legitimate but expensive operation before authentication or authorization has taken place. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-405 CWE-696 Consequences Availability: DoS: Amplification, DoS: Crash, Exit, or Restart, DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory) System resources, CPU and…
-
CWE-409 – Improper Handling of Highly Compressed Data (Data Amplification)
Description The software does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output. An example of data amplification is a “decompression bomb,” a small ZIP file that can produce a large amount of data when it is decompressed. Modes of Introduction: – Architecture and Design…
-
CWE-41 – Improper Resolution of Path Equivalence
Description The system or application is vulnerable to file system contents disclosure through path equivalence. Path equivalence involves the use of special characters in file and directory names. The associated manipulations are intended to generate multiple names for the same object. Path equivalence is usually employed in order to circumvent access controls expressed using an…
-
CWE-410 – Insufficient Resource Pool
Description The software’s resource pool is not large enough to handle peak demand, which allows an attacker to prevent others from accessing the resource by using a (relatively) large number of requests for resources. Frequently the consequence is a “flood” of connection or sessions. Modes of Introduction: – Architecture and Design Related Weaknesses…
-
CWE-412 – Unrestricted Externally Accessible Lock
Description The software properly checks for the existence of a lock, but the lock can be externally controlled or influenced by an actor that is outside of the intended sphere of control. This prevents the software from acting on associated resources or performing other behaviors that are controlled by the presence of the lock. Relevant…
-
CWE-413 – Improper Resource Locking
Description The software does not lock or does not correctly lock a resource when the software must have exclusive access to the resource. When a resource is not properly locked, an attacker could modify the resource while it is being operated on by the software. This might violate the software’s assumption that the resource will…
-
CWE-414 – Missing Lock Check
Description A product does not check to see if a lock is present before performing sensitive operations on a resource. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-667 Consequences Integrity, Availability: Modify Application Data, DoS: Instability, DoS: Crash, Exit, or Restart Potential Mitigations Phase: Architecture and Design, Implementation Description: …
-
CWE-415 – Double Free
Description The product calls free() twice on the same memory address, potentially leading to modification of unexpected memory locations. When a program calls free() twice with the same argument, the program’s memory management data structures become corrupted. This corruption can cause the program to crash or, in some circumstances, cause two later calls to malloc()…
-
CWE-416 – Use After Free
Description Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code. Modes of Introduction: – Architecture and Design Likelihood of Exploit: High Related Weaknesses CWE-825 CWE-672 CWE-672 CWE-672 CWE-120 CWE-123 Consequences Integrity: Modify Memory The use of previously freed memory may corrupt valid…
-
CWE-419 – Unprotected Primary Channel
Description The software uses a primary channel for administration or restricted functionality, but it does not properly protect the channel. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-923 Consequences Access Control: Gain Privileges or Assume Identity, Bypass Protection Mechanism Potential Mitigations Phase: Architecture and Design Description: Do not expose…
-
CWE-42 – Path Equivalence: ‘filename.’ (Trailing Dot)
Description A software system that accepts path input in the form of trailing dot (‘filedir.’) without appropriate validation can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files. Modes of Introduction: – Implementation Related Weaknesses CWE-41 CWE-162 Consequences Access Control:…
-
CWE-420 – Unprotected Alternate Channel
Description The software protects a primary channel, but it does not use the same level of protection for an alternate channel. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-923 Consequences Access Control: Gain Privileges or Assume Identity, Bypass Protection Mechanism Potential Mitigations Phase: Architecture and Design Description: Identify all…
-
CWE-421 – Race Condition During Access to Alternate Channel
Description The product opens an alternate channel to communicate with an authorized user, but the channel is accessible to other actors. This creates a race condition that allows an attacker to access the channel before the authorized user does. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-420 CWE-362 Consequences Access…
-
CWE-377 – Insecure Temporary File
Description Creating and using insecure temporary files can leave application and system data vulnerable to attack. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-668 Consequences Confidentiality, Integrity: Read Files or Directories, Modify Files or Directories Potential Mitigations CVE References
-
CWE-38 – Path Traversal: ‘\absolute\pathname\here’
Description A software system that accepts input in the form of a backslash absolute path (‘\absolute\pathname\here’) without appropriate validation can allow an attacker to traverse the file system to unintended locations or access arbitrary files. Modes of Introduction: – Implementation Related Weaknesses CWE-36 Consequences Confidentiality, Integrity: Read Files or Directories, Modify Files…
-
CWE-382 – J2EE Bad Practices: Use of System.exit()
Description A J2EE application uses System.exit(), which also shuts down its container. It is never a good idea for a web application to attempt to shut down the application container. Access to a function that can shut down the application is an avenue for Denial of Service (DoS) attacks. Modes of Introduction: – Implementation …
-
CWE-383 – J2EE Bad Practices: Direct Use of Threads
Description Thread management in a Web application is forbidden in some circumstances and is always highly error prone. Thread management in a web application is forbidden by the J2EE standard in some circumstances and is always highly error prone. Managing threads is difficult and is likely to interfere in unpredictable ways with the behavior of…
-
CWE-384 – Session Fixation
Description Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-610 CWE-610 CWE-346 CWE-472 CWE-441 Consequences Access Control: Gain Privileges or Assume Identity Potential Mitigations Phase:…
-
CWE-385 – Covert Timing Channel
Description Covert timing channels convey information by modulating some aspect of system behavior over time, so that the program receiving the information can observe system behavior and infer protected information. Modes of Introduction: – Architecture and Design Likelihood of Exploit: Medium Related Weaknesses CWE-514 Consequences Confidentiality, Other: Read Application Data, Other Information…
-
CWE-386 – Symbolic Name not Mapping to Correct Object
Description A constant symbolic reference to an object is used, even though the reference can resolve to a different object over time. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-706 CWE-367 CWE-610 CWE-486 Consequences Access Control: Gain Privileges or Assume Identity The attacker can gain access to otherwise unauthorized resources.…
-
CWE-39 – Path Traversal: ‘C:dirname’
Description An attacker can inject a drive letter or Windows volume letter (‘C:dirname’) into a software system to potentially redirect access to an unintended location or arbitrary file. Modes of Introduction: – Implementation Related Weaknesses CWE-36 Consequences Integrity, Confidentiality, Availability: Execute Unauthorized Code or Commands The attacker may be able to create…
-
CWE-390 – Detection of Error Condition Without Action
Description The software detects a specific error, but takes no actions to handle the error. Modes of Introduction: – Architecture and Design Likelihood of Exploit: Medium Related Weaknesses CWE-755 CWE-401 Consequences Integrity, Other: Varies by Context, Unexpected State, Alter Execution Logic An attacker could utilize an ignored error condition to place the…
-
CWE-391 – Unchecked Error Condition
Description [PLANNED FOR DEPRECATION. SEE MAINTENANCE NOTES AND CONSIDER CWE-252, CWE-248, OR CWE-1069.] Ignoring exceptions and other error conditions may allow an attacker to induce unexpected behavior unnoticed. Modes of Introduction: – Architecture and Design Likelihood of Exploit: Medium Related Weaknesses CWE-754 CWE-703 CWE-703 Consequences Integrity, Other: Varies by Context, Unexpected State,…
-
CWE-392 – Missing Report of Error Condition
Description The software encounters an error but does not provide a status code or return value to indicate that an error has occurred. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-684 CWE-703 CWE-703 CWE-703 Consequences Integrity, Other: Varies by Context, Unexpected State Errors that are not properly reported could place…
-
CWE-393 – Return of Wrong Status Code
Description A function or operation returns an incorrect return value or status code that does not indicate an error, but causes the product to modify its behavior based on the incorrect result. This can lead to unpredictable behavior. If the function is used to make security-critical decisions or provide security-critical information, then the wrong status…
-
CWE-394 – Unexpected Status Code or Return Value
Description The software does not properly check when a function or operation returns a value that is legitimate for the function, but is not expected by the software. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-754 Consequences Integrity, Other: Unexpected State, Alter Execution Logic Potential Mitigations CVE References CVE-2004-1395…
-
CWE-395 – Use of NullPointerException Catch to Detect NULL Pointer Dereference
Description Catching NullPointerException should not be used as an alternative to programmatic checks to prevent dereferencing a null pointer. Modes of Introduction: – Implementation Related Weaknesses CWE-705 CWE-755 Consequences Availability: DoS: Resource Consumption (CPU) Potential Mitigations Phase: Architecture and Design, Implementation Description: Do not extensively rely on catching exceptions (especially for…
-
CWE-396 – Declaration of Catch for Generic Exception
Description Catching overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities. Multiple catch blocks can get ugly and repetitive, but “condensing” catch blocks by catching a high-level class like Exception can obscure exceptions that deserve special treatment or that should not be caught at this point in the…
-
CWE-397 – Declaration of Throws for Generic Exception
Description Throwing overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities. Declaring a method to throw Exception or Throwable makes it difficult for callers to perform proper error handling and error recovery. Java’s exception mechanism, for example, is set up to make it easy for callers to anticipate…
USN-5450-1: Subversion vulnerabilities
Evgeny Kotkov discovered that subversion servers did not properly follow
path-based authorization rules in certain cases. An attacker could
potentially use this issue to retrieve information about private paths.
(CVE-2021-28544)
Thomas Weißschuh discovered that subversion servers did not properly handle
memory in certain configurations. A remote attacker could potentially use
this issue to cause a denial of service or other unspecified impact.
(CVE-2022-24070)
New Linux-based ransomware targets VMware servers
Researchers at Trend Micro have discovered some new Linux-based ransomware that’s being used to attack VMware ESXi servers, a bare-metal hypervisor for creating and running several virtual machines (VMs) that share the same hard drive storage. Called Cheerscrypt, the bad app is following in the footsteps of other ransomware programs—such as LockBit, Hive and RansomEXX—that have found ESXi an efficient way to infect many computers at once with malicious payloads.
Roger Grimes, a defense evangelist with security awareness training provider KnowBe4, explains that most of the world’s organizations operate using VMware virtual machines. “It makes the job of ransomware attackers far easier because they can encrypt one server—the VMware server—and then encrypt every guest VM it contains. One compromise and encryption command can easily encrypt dozens to hundreds of other virtually run computers all at once.”
Rapidly evolving IoT malware EnemyBot now targeting Content Management System servers and Android devices
Executive summary
AT&T Alien Labs™ has been tracking a new IoT botnet dubbed “EnemyBot”, which is believed to be distributed by the threat actor Keksec. During our investigations, Alien Labs discovered that EnemyBot is expanding its capabilities: it exploits recently identified (2022) vulnerabilities and now targets IoT devices, web servers, Android devices and content management system (CMS) servers. In addition, the malware’s base source code can now be found on Github, making it widely accessible.
Key takeaways:
EnemyBot’s base source code can be found on Github, making it available to anyone who wants to leverage the malware in their attacks.
The malware is rapidly adopting one-day vulnerabilities as part of its exploitation capabilities.
Services such as VMware Workspace ONE, Adobe ColdFusion, WordPress, PHP Scriptcase and more are being targeted as well as IoT and Android devices.
The threat group behind EnemyBot, Keksec, is well-resourced and has the ability to update and add new capabilities to its arsenal of malware on a daily basis (see below for more detail on Keksec).
Background
First discovered by Securonix in March 2022 and later detailed in an in-depth analysis by Fortinet, EnemyBot is a new malware distributed by the threat actor “Keksec” targeting Linux machines and IoT devices.
According to the malware’s Github repository, EnemyBot combines source code from multiple botnets into a more powerful and adaptable malware. The original botnet code that EnemyBot uses comes from Mirai, Qbot, and Zbot. In addition, the malware includes custom development (see figure 1).
Figure 1. EnemyBot page on Github.
The Keksec threat group is reported to have been formed in 2016 by a number of experienced botnet actors. In November 2021, researchers from Qihoo 360 described the threat actor’s activity in detail in a presentation, attributing to Keksec the development of botnets for different platforms, including Windows and Linux:
Linux based botnets: Tsunami and Gafgyt
Windows based botnets: DarkIRC, DarkHTTP
Dual systems: Necro (developed in Python)
Source code analysis
The developer of the EnemyBot Github page self-describes as a “full time malware dev” who is also available for contract work. The individual lists their workplace as “Kek security,” implying a potential relationship with the broader Keksec group (see figure 2).
Figure 2. EnemyBot developer description.
The malware repository on Github contains four main sections:
cc7.py
This module is a Python script that downloads all dependencies and compiles the malware for different operating systems and CPU architectures, including x86, ARM, macOS, OpenBSD, PowerPC, MIPS, and more (see figure 3).
Figure 3. Compiling malware source code to macOS executable.
Once compilation is complete, the script creates a shell script, ‘update.sh’, which the bot delivers to each vulnerable target it identifies and uses as a downloader to spread the malware.
Figure 4. Generated `update.sh` file to spread EnemyBot on different architectures.
enemy.c
This is the main bot source code. Though it is missing the main exploitation function, it includes all other functionality of the malware and the attacks the bot supports, combining the various botnet source codes mentioned above (Mirai, Qbot, and Zbot), mainly Mirai and Qbot (see figure 5).
Figure 5. EnemyBot source code.
hide.c
This module is compiled and manually executed by the attacker to encode and decode the malware’s strings, so that they are hidden in the binary. The malware uses a simple swap table in which each character is replaced with the corresponding character in the table (see figure 6).
Figure 6. String decode.
servertor.c
Figure 7 shows the command-and-control (C&C) botnet controller. The C&C component runs on a dedicated machine controlled by the attacker and is used to control and send commands to infected machines.
Figure 7. C&C component.
New variant analysis
Most of EnemyBot functionality relates to the malware’s spreading capabilities, as well as its ability to scan public-facing assets and look for vulnerable devices. However, the malware also has DDoS capabilities and can receive commands to download and execute new code (modules) from its operators that give the malware more functionality.
In new variants of EnemyBot, the malware has added a webscan function containing a total of 24 exploits targeting vulnerabilities in different devices and web servers (see figure 8).
Figure 8. EnemyBot calls for a new function “webscan_xywz”.
To perform these functions, the malware scans random IP addresses; when a host answers with a SYN/ACK, EnemyBot then scans the remote server for vulnerabilities by executing multiple exploits against it.
The first exploit is for the Log4j vulnerability discovered last year as CVE-2021-44228 and CVE-2021-45046:
Figure 9. Exploiting the Log4J vulnerability.
The malware can also adopt new vulnerabilities within days of their discovery. Some examples are Razer Sila (April 2022), which was published without a CVE (see figure 10), and a remote code execution (RCE) vulnerability affecting VMware Workspace ONE, CVE-2022-22954, from the same month (see figure 11).
Figure 10. Exploiting vulnerability in Razer Sila.
Figure 11. Exploiting vulnerability in VMware Workspace ONE.
EnemyBot has also begun targeting content management systems (e.g. WordPress) by searching for vulnerabilities in various plugins, such as “Video Synchro PDF” (see figure 12).
Figure 12. EnemyBot targeting WordPress servers.
In the example shown in figure 12, notice that the malware elevates a local file inclusion (LFI) vulnerability into an RCE by injecting malicious code into ‘/proc/self/environ’. This method is not new; it was described in 2009. The malware uses the LFI to include ‘environ’ and passes the shell command in the User-Agent HTTP header.
Another example of how the malware uses this method is shown in figure 13. In this example the malware is exploiting a vulnerability in Dbltek GoIP.
Figure 13. Executing shell command through LFI vulnerability in Dbltek.
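The LFI-to-RCE pattern described above leaves a recognisable trace in web server access logs: a traversal path naming /proc/self/environ, often paired with a PHP tag in the User-Agent. The following detector is an added example, not code from the report or from Alien Labs; the log lines, the placeholder plugin path and the marker payload are constructed for the demonstration.

```python
"""Flag web requests that turn an LFI into code execution via /proc/self/environ,
i.e. a traversal path naming 'environ' together with a PHP tag smuggled in a header."""
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Combined log format: host ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
ENVIRON_RE = re.compile(r'/proc/self/environ', re.IGNORECASE)
PHP_TAG_RE = re.compile(r'<\?(php|=)?', re.IGNORECASE)

# Constructed sample log (not from the report). Lines 1-2 model the LFI pattern the
# report describes; the plugin path is an invented placeholder, not a real plugin's.
SAMPLE_ACCESS_LOG = r'''
198.51.100.23 - - [26/May/2022:10:01:12 +0000] "GET /placeholder-plugin/include.php?file=../../../../../../proc/self/environ HTTP/1.1" 200 4821 "-" "<?php echo 'constructed-marker'; ?>"
198.51.100.23 - - [26/May/2022:10:01:13 +0000] "GET /placeholder-plugin/include.php?file=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron%00 HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
192.0.2.10 - - [26/May/2022:10:02:01 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.11 - - [26/May/2022:10:02:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.test/" "curl/7.81.0"
'''


def normalize(s: str) -> str:
    """Undo single and double percent-encoding and drop null bytes used to truncate paths."""
    return unquote(unquote(s)).replace('\x00', '')


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into its fields; None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry: Dict[str, str]) -> Optional[str]:
    """Return a verdict for one parsed entry, or None when nothing looks wrong."""
    hits_environ = bool(ENVIRON_RE.search(normalize(entry['req'])))
    # The report describes the payload arriving in the User-Agent; the Referer is the
    # other client-controlled header present in the log, so it is checked as well.
    hits_php = any(PHP_TAG_RE.search(normalize(entry[h])) for h in ('ua', 'referer'))
    if hits_environ and hits_php:
        return 'lfi_to_rce'
    if hits_environ:
        return 'lfi_environ_probe'
    if hits_php:
        return 'php_tag_in_header'
    return None


def scan_log(text: str) -> List[Dict[str, object]]:
    """Run the classifier over every line and collect the suspicious ones."""
    findings = []
    for n, line in enumerate(text.strip().splitlines(), 1):
        entry = parse_line(line)
        if entry is None:
            continue
        verdict = classify(entry)
        if verdict:
            findings.append({'line': n, 'ip': entry['ip'], 'verdict': verdict,
                             'request': normalize(entry['req'])})
    return findings


if __name__ == '__main__':
    for finding in scan_log(SAMPLE_ACCESS_LOG):
        print(finding)
```

Decoding twice and stripping the null byte matters: the second sample line only matches after the percent-encoded traversal and the trailing %00 are normalised.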
After infection, EnemyBot waits for further commands from its C&C, while in parallel continuing to propagate by scanning for additional vulnerable devices. Alien Labs has listed below the commands the bot can receive from its C&C (accurate as of the publishing of this article).
If an Android device is connected through USB, or an Android emulator is running on the machine, EnemyBot will try to infect it by executing a shell command (figure 14).
Figure 14. EnemyBot “adb_infect” function to attack Android devices.
Command – Action
SH – Execute shell command
PING – Ping to server, wait for command
LDSERVER – Change loader server for payload
TCPON – Turn on sniffer
RSHELL – Create a reverse shell on an infected machine
TCPOFF – Turn off sniffer
UDP – Start UDP flood attack
TCP – Start TCP flood attack
HTTP – Start HTTP flood attack
HOLD – Start TCP connection flooder
TLS – Start TLS attack, start handshake without closing the socket
STD – Start non-spoofed UDP flooder
DNS – Start DNS flooder
SCANNER ON | OFF – Start/stop scanner (scan and infect vulnerable devices)
OVH – Start DDoS attack on OVH
BLACKNURSE – Start ICMP flooder
STOP – Stop ongoing attacks, kill child processes
ARK – Start targeted attack on ARK: Survival Evolved video game server
ADNS – Receive targets list from C&C and start DNS attack
ASSDP – Start SSDP flood attack
We have also listed the current vulnerabilities EnemyBot uses. As mentioned, some of them had not been assigned a CVE as of the publishing of this article.
CVE Number – Affected devices
CVE-2021-44228, CVE-2021-45046 – Log4J RCE
CVE-2022-1388 – F5 BIG-IP RCE
No CVE (vulnerability published 2022-02) – Adobe ColdFusion 11 RCE
CVE-2020-7961 – Liferay Portal, Java unmarshalling via JSONWS RCE
No CVE (vulnerability published 2022-04) – PHP Scriptcase 9.7 RCE
CVE-2021-4039 – Zyxel NWA-1100-NH command injection
No CVE (vulnerability published 2022-04) – Razer Sila command injection
CVE-2022-22947 – Spring Cloud Gateway code injection vulnerability
CVE-2022-22954 – VMware Workspace ONE RCE
CVE-2021-36356, CVE-2021-35064 – Kramer VIAware RCE
No CVE (vulnerability published 2022-03) – WordPress Video Synchro PDF plugin LFI
No CVE (vulnerability published 2022-02) – Dbltek GoIP LFI
No CVE (vulnerability published 2022-03) – WordPress Cab Fare Calculator plugin LFI
No CVE (vulnerability published 2022-03) – Archeevo 5.0 LFI
CVE-2018-16763 – Fuel CMS 1.4.1 RCE
CVE-2020-5902 – F5 BIG-IP RCE
No CVE (vulnerability published 2019) – ThinkPHP 5.X RCE
No CVE (vulnerability published 2017) – Netgear DGN1000 1.1.00.48 ‘Setup.cgi’ RCE
CVE-2022-25075 – TOTOLink A3000RU command injection vulnerability
CVE-2015-2051 – D-Link devices, HNAP SOAPAction header command injection vulnerability
CVE-2014-9118 – ZHOME < S3.0.501 RCE
CVE-2017-18368 – Zyxel P660HN unauthenticated command injection
CVE-2020-17456 – Seowon SLR 120 router RCE
CVE-2018-10823 – D-Link DWR command injection in various models
Recommended actions
Maintain minimal exposure to the Internet on Linux servers and IoT devices and use a properly configured firewall.
Enable automatic updates to ensure your software has the latest security updates.
Monitor network traffic, outbound port scans, and unreasonable bandwidth usage.
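The propagation behaviour described earlier (SYNs to random addresses, acting only on the few that answer SYN/ACK) and the recommendation to monitor for outbound port scans both come down to one signal: a host reaching many distinct destinations in a short window while almost none of those connections complete. The detector below is an added example, not Alien Labs code; it assumes a simple constructed record format ("ts,src,dst,dport,state") with Zeek-style connection states, and the sample traffic is constructed.

```python
"""Spot EnemyBot-style random-IP scanning (many SYNs to distinct hosts, few completed
handshakes) in connection records, so an infected host can be found before it spreads."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Conn:
    ts: float    # epoch seconds
    src: str
    dst: str
    dport: int
    state: str   # Zeek-style: 'S0' = SYN sent, no reply; 'SF' = handshake completed


@dataclass
class ScanAlert:
    src: str
    window_start: float
    distinct_targets: int
    attempts: int
    success_ratio: float
    ports: List[int]


def parse_conn_log(text: str) -> List[Conn]:
    """Parse 'ts,src,dst,dport,state' lines (a constructed format, not Zeek's conn.log)."""
    conns = []
    for line in text.strip().splitlines():
        if not line or line.startswith('#'):
            continue
        ts, src, dst, dport, state = line.split(',')
        conns.append(Conn(float(ts), src, dst, int(dport), state))
    return conns


def detect_scanners(conns: List[Conn], window: float = 60.0, min_targets: int = 20,
                    max_success_ratio: float = 0.2) -> List[ScanAlert]:
    """Slide a time window over each source's connections; alert when the window holds
    many distinct destinations but few of those connections ever completed."""
    by_src: Dict[str, List[Conn]] = defaultdict(list)
    for c in conns:
        by_src[c.src].append(c)
    alerts = []
    for src, lst in by_src.items():
        lst.sort(key=lambda c: c.ts)
        left = 0
        for right in range(len(lst)):
            while lst[right].ts - lst[left].ts > window:
                left += 1
            win = lst[left:right + 1]
            targets = {c.dst for c in win}
            if len(targets) < min_targets:
                continue
            ratio = sum(c.state == 'SF' for c in win) / len(win)
            if ratio <= max_success_ratio:
                alerts.append(ScanAlert(src, win[0].ts, len(targets), len(win), ratio,
                                        sorted({c.dport for c in win})))
                break   # one alert per source; report the first window that tripped
    return alerts


def build_sample_log() -> str:
    """Constructed records: 10.0.0.7 sprays SYNs at 30 hosts on port 80 in ~45 s (2 answer),
    10.0.0.8 is a normal client, 10.0.0.9 is a monitor whose many connections all complete."""
    lines = []
    for i in range(30):
        state = 'SF' if i % 15 == 0 else 'S0'
        lines.append(f"{1000 + i * 1.5},10.0.0.7,198.51.100.{i + 1},80,{state}")
    lines += [
        "1000,10.0.0.8,192.0.2.10,443,SF",
        "1100,10.0.0.8,192.0.2.11,443,SF",
        "1300,10.0.0.8,192.0.2.10,443,SF",
        "1420,10.0.0.8,192.0.2.12,80,SF",
    ]
    for i in range(25):
        lines.append(f"{2000 + i},10.0.0.9,192.0.2.{100 + i},443,SF")
    return "\n".join(lines)


if __name__ == '__main__':
    for alert in detect_scanners(parse_conn_log(build_sample_log())):
        print(alert)
```

The success-ratio check is what separates a scanner from a busy but legitimate host such as the monitor in the sample: both touch many destinations, but only the scanner's connections go unanswered.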
Conclusion
Keksec’s EnemyBot appears to be just starting to spread; however, due to the authors’ rapid updates, this botnet has the potential to become a major threat to IoT devices and web servers. The malware can quickly adopt one-day vulnerabilities (within days of a published proof of concept). This indicates that the Keksec group is well resourced and has developed the malware to take advantage of vulnerabilities before they are patched, increasing the speed and scale at which it can spread.
Detection methods
The following associated detection methods are in use by Alien Labs. Readers can use them to tune or deploy detections in their own environments or to aid further research.
SURICATA IDS SIGNATURES
Log4j sids: 2018202, 2018203, 2034647, 2034648, 2034649, 2034650, 2034651, 2034652, 2034653, 2034654, 2034655, 2034656, 2034657, 2034658, 2034659, 2034660, 2034661, 2034662, 2034663, 2034664, 2034665, 2034666, 2034667, 2034668, 2034671, 2034672, 2034673, 2034674, 2034676, 2034699, 2034700, 2034701, 2034702, 2034703, 2034706, 2034707, 2034708, 2034709, 2034710, 2034711, 2034712, 2034713, 2034714, 2034715, 2034716, 2034717, 2034723, 2034743, 2034744, 2034747, 2034748, 2034749, 2034750, 2034751, 2034755, 2034757, 2034758, 2034759, 2034760, 2034761, 2034762, 2034763, 2034764, 2034765, 2034766, 2034767, 2034768, 2034781, 2034782, 2034783, 2034784, 2034785, 2034786, 2034787, 2034788, 2034789, 2034790, 2034791, 2034792, 2034793, 2034794, 2034795, 2034796, 2034797, 2034798, 2034799, 2034800, 2034801, 2034802, 2034803, 2034804, 2034805, 2034806, 2034807, 2034808, 2034809, 2034810, 2034811, 2034819, 2034820, 2034831, 2034834, 2034835, 2034836, 2034839, 2034886, 2034887, 2034888, 2034889, 2034890, 2838340, 2847596, 4002714, 4002715
4001913: AV EXPLOIT LifeRay RCE (CVE-2020-7961)
4001943: AV EXPLOIT Liferay Portal Java Unmarshalling RCE (CVE-2020-7961)
4002589: AV EXPLOIT LifeRay Remote Code Execution – update-column (CVE-2020-7961)
2031318: ET CURRENT_EVENTS 401TRG Liferay RCE (CVE-2020-7961)
2031592: ET WEB_SPECIFIC_APPS Liferay Unauthenticated RCE via JSONWS Inbound (CVE-2020-7961)
2035955: ET EXPLOIT Razer Sila Router – Command Injection Attempt Inbound (No CVE)
2035956: ET EXPLOIT Razer Sila Router – LFI Attempt Inbound (No CVE)
2035380: ET EXPLOIT VMware Spring Cloud Gateway Code Injection (CVE-2022-22947) (set)
2035381: ET EXPLOIT VMware Spring Cloud Gateway Code Injection (CVE-2022-22947)
2035876: ET EXPLOIT VMWare Server-side Template Injection RCE (CVE-2022-22954)
2035875: ET EXPLOIT VMWare Server-side Template Injection RCE (CVE-2022-22954)
2035874: ET EXPLOIT VMWare Server-side Template Injection RCE (CVE-2022-22954)
2036416: ET EXPLOIT Possible VMware Workspace ONE Access RCE via Server-Side Template Injection Inbound (CVE-2022-22954)
4002364: AV EXPLOIT Fuel CMS RCE (CVE-2018-16763)
2030469: ET EXPLOIT F5 TMUI RCE vulnerability CVE-2020-5902 Attempt M1
2030483: ET EXPLOIT F5 TMUI RCE vulnerability CVE-2020-5902 Attempt M2
2836503: ETPRO EXPLOIT Attempted THINKPHP < 5.2.x RCE Inbound
2836504: ETPRO EXPLOIT Attempted THINKPHP < 5.2.x RCE Outbound
2836633: ETPRO EXPLOIT BlackSquid Failed ThinkPHP Payload Inbound
2026731: ET WEB_SERVER ThinkPHP RCE Exploitation Attempt
2024916: ET EXPLOIT Netgear DGN Remote Command Execution
2029215: ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound
2034576: ET EXPLOIT Netgear DGN Remote Code Execution
2035746: ET EXPLOIT Totolink – Command Injection Attempt Inbound (CVE-2022-25075)
4001488: AV TROJAN Mirai Outbound Exploit Scan, D-Link HNAP RCE (CVE-2015-2051)
2034491: ET EXPLOIT D-Link HNAP SOAPAction Command Injection (CVE-2015-2051)
4000095: AV EXPLOIT Unauthenticated Command Injection (ZyXEL P660HN-T v1)
4002327: AV TROJAN Mirai faulty Zyxel exploit attempt
2027092: ET EXPLOIT Possible ZyXEL P660HN-T v1 RCE
4002226: AV EXPLOIT Seowon Router RCE (CVE-2020-17456)
2035950: ET EXPLOIT SEOWON INTECH SLC-130/SLR-120S RCE Inbound M1 (CVE-2020-17456)
2035951: ET EXPLOIT SEOWON INTECH SLC-130/SLR-120S RCE Inbound M2 (CVE-2020-17456)
2035953: ET EXPLOIT D-Link DWR Command Injection Inbound (CVE-2018-10823)
AGENT SIGNATURES
Java Process Spawning Scripting Process
Java Process Spawning WMIC
Java Process Spawning Scripting Process via Commandline (For Jenkins servers)
Suspicious process executed by Jenkins Groovy scripts (For Jenkins servers)
Suspicious command executed by a Java listening process (For Linux servers)
Associated indicators (IOCs)
The following technical indicators are associated with the reported intelligence. A list of indicators is also available in the OTX Pulse. Please note that the pulse may include other related activity that is outside the scope of this report.
Mapped to MITRE ATT&CK
The findings of this report are mapped to the following MITRE ATT&CK Matrix techniques:
TA0001: Initial Access:
T1190: Exploit Public-Facing Application
TA0008: Lateral Movement:
T1210: Exploitation of Remote Services
T1021: Remote Services
TA0011: Command and Control
T1132: Data Encoding
T1001: Data Obfuscation
T1030: Proxy:
003: Multi-hop Proxy
CVE-2021-28509
This advisory documents the impact of an internally found vulnerability in Arista EOS state streaming telemetry agent TerminAttr and OpenConfig transport protocols. The impact of this vulnerability is that, in certain conditions, TerminAttr might leak MACsec sensitive data in clear text in CVP to other authorized users, which could cause MACsec traffic to be decrypted or modified by other authorized users on the device.
CVE-2021-28508
This advisory documents the impact of an internally found vulnerability in Arista EOS state streaming telemetry agent TerminAttr and OpenConfig transport protocols. The impact of this vulnerability is that, in certain conditions, TerminAttr might leak IPsec sensitive data in clear text in CVP to other authorized users, which could cause IPsec traffic to be decrypted or modified by other authorized users on the device.
CWE-69 – Improper Handling of Windows ::DATA Alternate Data Stream
Description
The software does not properly prevent access to, or detect usage of, alternate data streams (ADS).
An attacker can use an ADS to hide information about a file (e.g. its size or the name of the process) from system and file browser tools such as Windows Explorer and the ‘dir’ command-line utility. Alternately, the attacker might be able to bypass intended access restrictions for the associated data fork.
Alternate data streams (ADS) were first implemented in the Windows NT operating system to provide compatibility between NTFS and the Macintosh Hierarchical File System (HFS). In HFS, data and resource forks are used to store information about a file. The data fork provides information about the contents of the file while the resource fork stores metadata such as file type.
Modes of Introduction:
– Architecture and Design
Related Weaknesses
Consequences
Access Control, Non-Repudiation, Other: Bypass Protection Mechanism, Hide Activities, Other
Potential Mitigations
Phase: Testing
Description:
Software tools are capable of finding ADSs on your system.
Phase: Implementation
Description:
Ensure that the source code correctly parses the filename to read or write to the correct stream.
CVE References
- CVE-1999-0278
- In IIS, remote attackers can obtain source code for ASP files by appending “::$DATA” to the URL.
- CVE-2000-0927
- Product does not properly record file sizes if they are stored in alternative data streams, which allows users to bypass quota restrictions.
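The Implementation-phase mitigation above (parse the file name so the correct stream is addressed) next to the handler-selection bug behind CVE-1999-0278, as an added example that is not part of the CWE entry or of any real server: the handler table and the request paths are constructed for illustration.

```python
import os

# Hypothetical handler table for an ASP-era web server (constructed for this example).
SCRIPT_HANDLERS = {".asp": "asp-engine"}
STATIC_HANDLER = "static-file"   # sends the file's bytes verbatim

def parse_stream_name(path):
    """Split the final path component, written by NTFS as name[:stream[:$type]],
    into (name, stream, stream_type).

    The unnamed data stream is spelled 'name::$DATA', so stream may be ''.
    Only the last component is inspected, so a drive letter such as 'C:' in an
    absolute path is never mistaken for a stream separator.
    """
    base = path.replace("\\", "/").rsplit("/", 1)[-1]
    parts = base.split(":", 2)
    name = parts[0]
    stream = parts[1] if len(parts) > 1 else ""
    stream_type = parts[2] if len(parts) > 2 else "$DATA"
    return name, stream, stream_type

def handler_vulnerable(request_path):
    """Choose the handler from the extension of the raw request (the CWE-69 bug).

    'page.asp::$DATA' yields the extension '.asp::$DATA', which matches no script
    handler, so the ASP file falls through to the static handler and its source
    is disclosed (the pattern of CVE-1999-0278).
    """
    base = request_path.replace("\\", "/").rsplit("/", 1)[-1]
    ext = os.path.splitext(base)[1].lower()
    return SCRIPT_HANDLERS.get(ext, STATIC_HANDLER)

def handler_hardened(request_path):
    """Parse the stream syntax first, then route on the real file name.

    Named alternate streams and non-$DATA stream types are refused (None);
    the unnamed data stream, with or without an explicit '::$DATA', is routed
    exactly like the plain file name.
    """
    name, stream, stream_type = parse_stream_name(request_path)
    if stream or stream_type.upper() != "$DATA":
        return None
    ext = os.path.splitext(name)[1].lower()
    return SCRIPT_HANDLERS.get(ext, STATIC_HANDLER)
```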
CWE-689 – Permission Race Condition During Resource Copy
Description
The product, while copying or cloning a resource, does not set the resource’s permissions or access control until the copy is complete, leaving the resource exposed to other spheres while the copy is taking place.
Modes of Introduction:
– Implementation
Related Weaknesses
Consequences
Confidentiality, Integrity: Read Application Data, Modify Application Data
Potential Mitigations
CVE References
- CVE-2002-0760
- Archive extractor decompresses files with world-readable permissions, then later sets permissions to what the archive specified.
- CVE-2005-2174
- Product inserts a new object into database before setting the object’s permissions, introducing a race condition.
- CVE-2006-5214
- Error file has weak permissions before a chmod is performed.
- CVE-2005-2475
- Archive permissions issue using hard link.
- CVE-2003-0265
- Database product creates files world-writable before initializing the setuid bits, leading to modification of executables.
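The copy-then-chmod ordering from the CVE-2002-0760 entry next to the safe ordering (create owner-only, copy, then widen), as an added example that is not part of the CWE entry or of any of the products cited: the source file, its 0o640 mode and the in-copy probe are constructed for illustration, and the hardened copy is POSIX-only because it uses fchmod.

```python
import os
import stat
import tempfile

def _pump(fin, fout, dst, probe):
    """Copy in chunks; after the first chunk lands, record dst's mode in `probe`.
    The probe stands in for another local user stat-ing dst mid-copy (the CWE-689 window)."""
    first = True
    while True:
        chunk = fin.read(4096)
        if not chunk:
            break
        fout.write(chunk)
        if first and probe is not None:
            probe.append(stat.S_IMODE(os.stat(dst).st_mode))
            first = False

def copy_vulnerable(src, dst, probe=None):
    """Copy first, set permissions last: dst carries umask-default bits meanwhile."""
    mode = stat.S_IMODE(os.stat(src).st_mode)
    with open(src, "rb") as fin, open(dst, "wb") as fout:   # created 0o666 & ~umask
        _pump(fin, fout, dst, probe)
    os.chmod(dst, mode)   # too late: the window was open for the whole copy

def copy_hardened(src, dst, probe=None):
    """Create dst owner-only with O_EXCL, copy, then widen to the intended mode.
    Permissions only ever become less restrictive, and only once the data is complete."""
    mode = stat.S_IMODE(os.stat(src).st_mode)
    fd = os.open(dst, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with open(src, "rb") as fin, os.fdopen(fd, "wb") as fout:
        _pump(fin, fout, dst, probe)
        os.fchmod(fout.fileno(), mode)

def demo():
    """Run both copies on a constructed 0o640 source under umask 022.
    Returns {label: (mode seen during the copy, final mode)}."""
    old_umask = os.umask(0o022)
    try:
        with tempfile.TemporaryDirectory() as d:
            src = os.path.join(d, "secret.txt")
            with open(src, "wb") as f:
                f.write(b"constructed sample payload\n" * 1000)
            os.chmod(src, 0o640)
            result = {}
            for label, fn in (("vulnerable", copy_vulnerable), ("hardened", copy_hardened)):
                dst = os.path.join(d, label + ".copy")
                seen = []
                fn(src, dst, seen)
                result[label] = (seen[0], stat.S_IMODE(os.stat(dst).st_mode))
            return result
    finally:
        os.umask(old_umask)
```

demo() shows the vulnerable copy world-readable (0o644) while in progress, whereas the hardened copy is never more permissive than 0o600 until it is complete.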