This vulnerability allows remote attackers to disclose sensitive information on affected installations of KeySight N6841A RF Sensor. Authentication is not required to exploit this vulnerability.
Monthly Archives: May 2022
Ransomware Roundup – 2022/05/26
FortiGuard Labs became aware of a number of new Ransomware strains for the week of May 23rd, 2022. It is imperative to raise awareness about new ransomware as infections can cause severe damage to the affected machines and organizations. This Threat Signal covers Yashma ransomware, GoodWill ransomware and Horsemagyar ransomware along with Fortinet protections against them.What is Yashma Ransomware?Yashma ransomware is a new and is generated through Yashma ransomware builder. It is claimed as the sixth version of Chaos ransomware builder. Reportedly, compared to the fifth version, Yashma ransomware builder now supports the “forbidden country” option which attackers can choose not to run the generated ransomware based on the victim’s location. The new builder also enables the ransomware to stop a wide variety of services running on the compromised machine such as anti-malware solutions, and Remote Desktop and Backup services. Additionally, it is important to note that from the fifth version of Chaos ransomware builder, the crafted ransomware can successfully encrypt files larger than 2,117,152 bytes and no longer corrupts them.A known sample of Yashma ransomware has the following ransom note:All of your files have been encrypted with Yashma ransomwareYour computer was infected with a ransomware. Your files have been encrypted and you won’tbe able to decrypt them without our help.What can I do to get my files back?You can buy our specialdecryption software, this software will allow you to recover all of your data and remove theransomware from your computer.The price for the software is $1,500. Payment can be made in Bitcoin only.How do I pay, where do I get Bitcoin?Purchasing Bitcoin varies from country to country, you are best advised to do a quick google searchyourself to find out how to buy Bitcoin.Many of our customers have reported these sites to be fast and reliable:Coinmama – hxxps://www[.]coinmama[.]com Bitpanda – hxxps://www[.]bitpanda[.]comPayment informationAmount: 0.1473766 BTCBitcoin Address: [removed] At the time of this writing, the attacker’s bitcoin wallet has no transactions.FortiGuard Labs previously released several blogs on Chaos ransomware. See the Appendix for links to “Chaos Ransomware Variant Sides with Russia” and “Chaos Ransomware Variant in Fake Minecraft Alt List Brings Destruction to Japanese Gamers”.What is the Status of Coverage for Yashma ransomware?FortiGuard Labs provides the following AV coverage against a known sample of Yashma ransomware:MSIL/Filecoder.APU!tr.ransomWhat is GoodWill Ransomware?GoodWill ransomware was recently discovered, however it appears to have been first observed in March 2022. The ransomware encrypts files on the compromised machine and adds a “.gdwill” file extension to the affected files.Unlike other ransomware that demands ransom to recover the encrypted files, GoodWill asks the victim to do three good deeds. Firstly, the victim must provide clothes and blankets to needy people on the street. Secondly, the victim must feed dinner to five children at a pizza or fried chicken joint. Lastly, the victim must visit a local hospital and provide financial assistance to those in need. After finishing each deed, proof must be provided to the attacker, and a decryption tool and video instruction will be provided to the victim after completing all the deeds.What is the Status of Coverage for GoodWill ransomware?FortiGuard Labs provides the following AV coverage against GoodWill ransomware:MSIL/Filecoder.AGR!tr.ransomWhat is Horsemagyar Ransomware?Horsemagyar ransomware is a new variant of Sojusz ransomware that was recently discovered. It encrypts files on the compromised machine and adds “.[10 digit ID number].spanielearslook.likeoldboobs” file extension to the encrypted files. The ransomware leaves a ransom note as Horse.txt. The first sighting of Sojusz ransomware goes back to February, 2022 and it added a “.[10 digit ID number].[attacker’s email address].bec” extension to the files it encrypted.Example of ransom note left behind by Horsemagyar ransomware is below:::: Hello my dear friend :::Unfortunately for you, a major IT security weakness left you open to attack, your files have been encryptedIf you want to restore them,write to our skype – [removed] DECRYPTIONAlso you can write ICQ live chat which works 24/7 @[removed]Install ICQ software on your PC https://icq[.]com/windows/ or on your mobile phone search in Appstore / Google market ICQWrite to our ICQ @HORSEMAGYAR https://icq[.]im/[removed]If we not reply in 6 hours you can write to our mail but use it only if previous methods not working – [removed]@onionmail.orgAttention!* Do not rename encrypted files.* Do not try to decrypt your data using third party software, it may cause permanent data loss.* We are always ready to cooperate and find the best way to solve your problem.* The faster you write, the more favorable the conditions will be for you.* Our company values its reputation. We give all guarantees of your files decryption,such as test decryption some of themWe respect your time and waiting for respond from your sidetell your MachineID: MAHINE_ID and LaunchID: LAUNCH__IDSensitive data on your system was DOWNLOADED.If you DON’T WANT your sensitive data to be PUBLISHED you have to act quickly.Data includes:- Employees personal data, CVs, DL, SSN.- Complete network map including credentials for local and remote services.- Private financial information including: clients data, bills, budgets, annual reports, bank statements.- Manufacturing documents including: datagrams, schemas, drawings in solidworks format- And more…What is the Status of Coverage against Horsemagyar Ransomware?FortiGuard Labs provides the following AV coverage against Horsemagyar ransomware:W32/Filecoder.NSF!tr.ransomAnything Else to Note?Victims of ransomware are cautioned against paying ransoms by such organizations as CISA, NCSC, the FBI, and HHS. Payment does not guarantee files will be recovered. It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities which could potentially be illegal according to a U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) advisory.
CWE
CWE (Common Weakness Enumeration) is a list of common types of hardware and software defects that have security implications. The CWE list can be used as a framework to describe and communicate such vulnerabilities in terms of CWEs.
The goal is to support all those methods (including automatic ones) to control and prevent software errors. It can be used at the development stage, during the Code Review activity, and later on during the penetration test activity to classify and communicate the vulnerability type to developers. The system is at version 4.7 and contains over 600 categories of weaknesses and vulnerabilities
The CWE Top 25 Most Dangerous Software Weakness List is a list of the most common programming errors that can lead to software vulnerabilities. Vulnerabilities present in the CWE Top 25 are usually easy to detect and exploit. For example, the CWE-79 is related to Cross-Site Scripting while the CWE-89 to SQL Injection. A similar project is Top Ten Owasp (Open Web Application Security Project). Compared to the CWE Top 25, the Top Ten OWASP focuses solely on vulnerabilities of web applications.
The CWE Most Important Hardware Weakness List serves the same purpose, but it focuses on hardware defects.
Please check our post about Vulnerability Analysis to learn more about CWE usage.
Please find a list of all the CWE below or use the search box above to find a specific CWE.
-
CWE-118 – Incorrect Access of Indexable Resource (‘Range Error’)
Description The software does not restrict or incorrectly restricts operations within the boundaries of a resource that is accessed using an index or pointer, such as memory or files. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-664 Consequences Other: Varies by Context Potential Mitigations CVE References
-
CWE-1187 – DEPRECATED: Use of Uninitialized Resource
Description This entry has been deprecated because it was a duplicate of CWE-908. All content has been transferred to CWE-908. Modes of Introduction: Related Weaknesses Consequences Potential Mitigations CVE References
-
CWE-1102 – Reliance on Machine-Dependent Data Representation
Description The code uses a data representation that relies on low-level data representation or constructs that may vary across different processors, physical machines, OSes, or other physical components. Modes of Introduction: Related Weaknesses CWE-758 CWE-1105 Consequences Other: Reduce Maintainability Potential Mitigations CVE References
-
CWE-1103 – Use of Platform-Dependent Third Party Components
Description The product relies on third-party software components that do not provide equivalent functionality across all desirable platforms. Modes of Introduction: Related Weaknesses CWE-758 Consequences Other: Reduce Maintainability Potential Mitigations CVE References
-
CWE-1104 – Use of Unmaintained Third Party Components
Description The product relies on third-party components that are not actively supported or maintained by the original developer or a trusted proxy for the original developer. Modes of Introduction: Related Weaknesses CWE-1357 Consequences Other: Reduce Maintainability Potential Mitigations CVE References
-
CWE-1105 – Insufficient Encapsulation of Machine-Dependent Functionality
Description The product or code uses machine-dependent functionality, but it does not sufficiently encapsulate or isolate this functionality from the rest of the code. Modes of Introduction: Related Weaknesses CWE-758 CWE-1061 Consequences Other: Reduce Maintainability Potential Mitigations CVE References
-
CWE-1106 – Insufficient Use of Symbolic Constants
Description The source code uses literal constants that may need to change or evolve over time, instead of using symbolic constants. Modes of Introduction: Related Weaknesses CWE-1078 Consequences Other: Reduce Maintainability Potential Mitigations CVE References
-
CWE-1107 – Insufficient Isolation of Symbolic Constant Definitions
Description The source code uses symbolic constants, but it does not sufficiently place the definitions of these constants into a more centralized or isolated location. Modes of Introduction: Related Weaknesses CWE-1078 Consequences Other: Reduce Maintainability Potential Mitigations CVE References
-
CWE-1108 – Excessive Reliance on Global Variables
Description The code is structured in a way that relies too much on using or setting global variables throughout various points in the code, instead of preserving the associated information in a narrower, more local context. Modes of Introduction: Related Weaknesses CWE-1076 Consequences Other: Reduce Maintainability Potential Mitigations CVE References
-
CWE-1109 – Use of Same Variable for Multiple Purposes
Description The code contains a callable, block, or other code element in which the same variable is used to control more than one unique task or store more than one instance of data. Modes of Introduction: Related Weaknesses CWE-1078 Consequences Other: Reduce Maintainability Potential Mitigations CVE References
-
CWE-111 – Direct Use of Unsafe JNI
Description When a Java application uses the Java Native Interface (JNI) to call code written in another programming language, it can expose the application to weaknesses in that code, even if those weaknesses cannot occur in Java. Many safety features that programmers may take for granted do not apply for native code, so you must…
-
CWE-1110 – Incomplete Design Documentation
Description The product’s design documentation does not adequately describe control flow, data flow, system initialization, relationships between tasks, components, rationales, or other important aspects of the design. Modes of Introduction: Related Weaknesses CWE-1059 Consequences Potential Mitigations CVE References
-
CWE-1111 – Incomplete I/O Documentation
Description The product’s documentation does not adequately define inputs, outputs, or system/software interfaces. Modes of Introduction: Related Weaknesses CWE-1059 Consequences Potential Mitigations CVE References
-
CWE-1112 – Incomplete Documentation of Program Execution
Description The document does not fully define all mechanisms that are used to control or influence how product-specific programs are executed. Modes of Introduction: Related Weaknesses CWE-1059 Consequences Potential Mitigations CVE References
-
CWE-1113 – Inappropriate Comment Style
Description The source code uses comment styles or formats that are inconsistent or do not follow expected standards for the product. Modes of Introduction: Related Weaknesses CWE-1078 Consequences Potential Mitigations CVE References
-
CWE-1114 – Inappropriate Whitespace Style
Description The source code contains whitespace that is inconsistent across the code or does not follow expected standards for the product. Modes of Introduction: Related Weaknesses CWE-1078 Consequences Potential Mitigations CVE References
-
CWE-1115 – Source Code Element without Standard Prologue
Description The source code contains elements such as source files that do not consistently provide a prologue or header that has been standardized for the project. Modes of Introduction: Related Weaknesses CWE-1078 Consequences Potential Mitigations CVE References
-
CWE-1116 – Inaccurate Comments
Description The source code contains comments that do not accurately describe or explain aspects of the portion of the code with which the comment is associated. Modes of Introduction: Related Weaknesses CWE-1078 Consequences Other: Reduce Maintainability Potential Mitigations CVE References
-
CWE-1117 – Callable with Insufficient Behavioral Summary
Description The code contains a function or method whose signature and/or associated inline documentation does not sufficiently describe the callable’s inputs, outputs, side effects, assumptions, or return codes. Modes of Introduction: Related Weaknesses CWE-1078 Consequences Other: Reduce Maintainability Potential Mitigations CVE References
-
CWE-1118 – Insufficient Documentation of Error Handling Techniques
Description The documentation does not sufficiently describe the techniques that are used for error handling, exception processing, or similar mechanisms. Modes of Introduction: Related Weaknesses CWE-1059 Consequences Potential Mitigations CVE References
-
CWE-1119 – Excessive Use of Unconditional Branching
Description The code uses too many unconditional branches (such as “goto”). Modes of Introduction: Related Weaknesses CWE-1120 Consequences Other: Reduce Maintainability Potential Mitigations CVE References
-
CWE-112 – Missing XML Validation
Description The software accepts XML from an untrusted source but does not validate the XML against the proper schema. Most successful attacks begin with a violation of the programmer’s assumptions. By accepting an XML document without validating it against a DTD or XML schema, the programmer leaves a door open for attackers to provide unexpected,…
-
CWE-1085 – Invokable Control Element with Excessive Volume of Commented-out Code
Description A function, method, procedure, etc. contains an excessive amount of code that has been commented out within its body. Modes of Introduction: Related Weaknesses CWE-1078 Consequences Other: Reduce Maintainability Potential Mitigations CVE References
-
CWE-1086 – Class with Excessive Number of Child Classes
Description A class contains an unnecessarily large number of children. Modes of Introduction: Related Weaknesses CWE-1093 Consequences Other: Reduce Maintainability Potential Mitigations CVE References
-
CWE-1087 – Class with Virtual Method without a Virtual Destructor
Description A class contains a virtual method, but the method does not have an associated virtual destructor. Modes of Introduction: Related Weaknesses CWE-1076 Consequences Other: Reduce Reliability Potential Mitigations CVE References
-
CWE-1088 – Synchronous Access of Remote Resource without Timeout
Description The code has a synchronous call to a remote resource, but there is no timeout for the call, or the timeout is set to infinite. Modes of Introduction: Related Weaknesses CWE-821 Consequences Other: Reduce Reliability Potential Mitigations CVE References
-
CWE-1089 – Large Data Table with Excessive Number of Indices
Description The software uses a large data table that contains an excessively large number of indices. Modes of Introduction: Related Weaknesses CWE-405 Consequences Other: Reduce Performance Potential Mitigations CVE References
-
CWE-109 – Struts: Validator Turned Off
Description Automatic filtering via a Struts bean has been turned off, which disables the Struts Validator and custom validation logic. This exposes the application to other weaknesses related to insufficient input validation. Modes of Introduction: – Implementation Related Weaknesses CWE-1173 CWE-20 Consequences Access Control: Bypass Protection Mechanism Potential Mitigations Phase: Implementation…
-
CWE-1090 – Method Containing Access of a Member Element from Another Class
Description A method for a class performs an operation that directly accesses a member element from another class. Modes of Introduction: Related Weaknesses CWE-1061 Consequences Other: Reduce Maintainability Potential Mitigations CVE References
-
CWE-1091 – Use of Object without Invoking Destructor Method
Description The software contains a method that accesses an object but does not later invoke the element’s associated finalize/destructor method. Modes of Introduction: Related Weaknesses CWE-772 CWE-1076 Consequences Other: Reduce Performance Potential Mitigations CVE References
-
CWE-1092 – Use of Same Invokable Control Element in Multiple Architectural Layers
Description The software uses the same control element across multiple architectural layers. Modes of Introduction: Related Weaknesses CWE-710 Consequences Other: Reduce Maintainability Potential Mitigations CVE References
-
CWE-1093 – Excessively Complex Data Representation
Description The software uses an unnecessarily complex internal representation for its data structures or interrelationships between those structures. Modes of Introduction: Related Weaknesses CWE-710 Consequences Other: Reduce Maintainability Other: Reduce Performance Potential Mitigations CVE References
-
CWE-1094 – Excessive Index Range Scan for a Data Resource
Description The software contains an index range scan for a large data table, but the scan can cover a large number of rows. Modes of Introduction: Related Weaknesses CWE-405 Consequences Other: Reduce Performance Potential Mitigations CVE References
-
CWE-1095 – Loop Condition Value Update within the Loop
Description The software uses a loop with a control flow condition based on a value that is updated within the body of the loop. Modes of Introduction: Related Weaknesses CWE-1120 Consequences Other: Reduce Maintainability Potential Mitigations CVE References
-
CWE-1096 – Singleton Class Instance Creation without Proper Locking or Synchronization
Description The software implements a Singleton design pattern but does not use appropriate locking or other synchronization mechanism to ensure that the singleton class is only instantiated once. Modes of Introduction: Related Weaknesses CWE-820 CWE-662 CWE-662 Consequences Other: Reduce Reliability Potential Mitigations CVE References
-
CWE-1097 – Persistent Storable Data Element without Associated Comparison Control Element
Description The software uses a storable data element that does not have all of the associated functions or methods that are necessary to support comparison. Modes of Introduction: Related Weaknesses CWE-1076 CWE-595 Consequences Other: Reduce Reliability Potential Mitigations CVE References
-
CWE-1098 – Data Element containing Pointer Item without Proper Copy Control Element
Description The code contains a data element with a pointer that does not have an associated copy or constructor method. Modes of Introduction: Related Weaknesses CWE-1076 Consequences Other: Reduce Reliability Potential Mitigations CVE References
-
CWE-1099 – Inconsistent Naming Conventions for Identifiers
Description The product’s code, documentation, or other artifacts do not consistently use the same naming conventions for variables, callables, groups of related callables, I/O capabilities, data types, file names, or similar types of elements. Modes of Introduction: Related Weaknesses CWE-1078 Consequences Potential Mitigations CVE References
-
CWE-11 – ASP.NET Misconfiguration: Creating Debug Binary
Description Debugging messages help attackers learn about the system and plan a form of attack. ASP .NET applications can be configured to produce debug binaries. These binaries give detailed debugging messages and should not be used in production environments. Debug binaries are meant to be used in a development or testing environment and can pose…
-
CWE-110 – Struts: Validator Without Form Field
Description Validation fields that do not appear in forms they are associated with indicate that the validation logic is out of date. Modes of Introduction: – Implementation Related Weaknesses CWE-1164 CWE-20 Consequences Other: Other It is critically important that validation logic be maintained and kept in sync with the rest of the…
-
CWE-1100 – Insufficient Isolation of System-Dependent Functions
Description The product or code does not isolate system-dependent functionality into separate standalone modules. Modes of Introduction: Related Weaknesses CWE-1061 Consequences Other: Reduce Maintainability Potential Mitigations CVE References
-
CWE-1101 – Reliance on Runtime Component in Generated Code
Description The product uses automatically-generated code that cannot be executed without a specific runtime support component. Modes of Introduction: Related Weaknesses CWE-710 Consequences Other: Reduce Maintainability Potential Mitigations CVE References
-
CWE-1066 – Missing Serialization Control Element
Description The software contains a serializable data element that does not have an associated serialization method. Modes of Introduction: Related Weaknesses CWE-710 Consequences Other: Reduce Reliability Potential Mitigations CVE References
-
CWE-1067 – Excessive Execution of Sequential Searches of Data Resource
Description The software contains a data query against an SQL table or view that is configured in a way that does not utilize an index and may cause sequential searches to be performed. Modes of Introduction: Related Weaknesses CWE-1176 Consequences Other: Reduce Performance Potential Mitigations CVE References
-
CWE-1068 – Inconsistency Between Implementation and Documented Design
Description The implementation of the product is not consistent with the design as described within the relevant documentation. Modes of Introduction: – Implementation Related Weaknesses CWE-710 Consequences Potential Mitigations CVE References
-
CWE-1069 – Empty Exception Block
Description An invokable code block contains an exception handling block that does not contain any code, i.e. is empty. Modes of Introduction: Related Weaknesses CWE-1071 Consequences Other: Reduce Reliability Potential Mitigations CVE References
-
CWE-107 – Struts: Unused Validation Form
Description An unused validation form indicates that validation logic is not up-to-date. It is easy for developers to forget to update validation logic when they remove or rename action form mappings. One indication that validation logic is not being properly maintained is the presence of an unused validation form. Modes of Introduction: – Implementation …
-
CWE-1070 – Serializable Data Element Containing non-Serializable Item Elements
Description The software contains a serializable, storable data element such as a field or member, but the data element contains member elements that are not serializable. Modes of Introduction: Related Weaknesses CWE-710 Consequences Other: Reduce Reliability Potential Mitigations CVE References
-
CWE-1071 – Empty Code Block
Description The source code contains a block that does not contain any code, i.e., the block is empty. Modes of Introduction: Related Weaknesses CWE-1164 Consequences Other: Reduce Reliability Potential Mitigations CVE References
-
CWE-1072 – Data Resource Access without Use of Connection Pooling
Description The software accesses a data resource through a database without using a connection pooling capability. Modes of Introduction: Related Weaknesses CWE-405 Consequences Other: Reduce Performance Potential Mitigations CVE References
-
CWE-1073 – Non-SQL Invokable Control Element with Excessive Number of Data Resource Accesses
Description The software contains a client with a function or method that contains a large number of data accesses/queries that are sent through a data manager, i.e., does not use efficient database capabilities. Modes of Introduction: Related Weaknesses CWE-405 Consequences Other: Reduce Performance Potential Mitigations CVE References
-
CWE-1074 – Class with Excessively Deep Inheritance
Description A class has an inheritance level that is too high, i.e., it has a large number of parent classes. Modes of Introduction: Related Weaknesses CWE-1093 Consequences Other: Reduce Maintainability Potential Mitigations CVE References
-
CWE-1075 – Unconditional Control Flow Transfer outside of Switch Block
Description The software performs unconditional control transfer (such as a “goto”) in code outside of a branching structure such as a switch block. Modes of Introduction: Related Weaknesses CWE-1120 Consequences Other: Reduce Maintainability Potential Mitigations CVE References
-
CWE-1076 – Insufficient Adherence to Expected Conventions
Description The product’s architecture, source code, design, documentation, or other artifact does not follow required conventions. Modes of Introduction: Related Weaknesses CWE-710 Consequences Other: Reduce Maintainability Potential Mitigations CVE References
-
CWE-1077 – Floating Point Comparison with Incorrect Operator
Description The code performs a comparison such as an equality test between two float (floating point) values, but it uses comparison operators that do not account for the possibility of loss of precision. Modes of Introduction: Related Weaknesses CWE-697 Consequences Other: Reduce Reliability Potential Mitigations CVE References
-
CWE-1078 – Inappropriate Source Code Style or Formatting
Description The source code does not follow desired style or formatting for indentation, white space, comments, etc. Modes of Introduction: Related Weaknesses CWE-1076 Consequences Potential Mitigations CVE References
-
CWE-1079 – Parent Class without Virtual Destructor Method
Description A parent class contains one or more child classes, but the parent class does not have a virtual destructor method. Modes of Introduction: Related Weaknesses CWE-1076 Consequences Other: Reduce Reliability Potential Mitigations CVE References
-
CWE-108 – Struts: Unvalidated Action Form
Description Every Action Form must have a corresponding validation form. If a Struts Action Form Mapping specifies a form, it must have a validation form defined under the Struts Validator. Modes of Introduction: – Implementation Related Weaknesses CWE-1173 CWE-20 Consequences Other: Other If an action form mapping does not have a validation…
-
CWE-1080 – Source Code File with Excessive Number of Lines of Code
Description A source code file has too many lines of code. Modes of Introduction: Related Weaknesses CWE-1120 Consequences Other: Reduce Maintainability Potential Mitigations CVE References
-
CWE-1082 – Class Instance Self Destruction Control Element
Description The code contains a class instance that calls the method or function to delete or destroy itself. Modes of Introduction: Related Weaknesses CWE-1076 Consequences Other: Reduce Reliability Potential Mitigations CVE References
-
CWE-1083 – Data Access from Outside Expected Data Manager Component
Description The software is intended to manage data access through a particular data manager component such as a relational or non-SQL database, but it contains code that performs data access operations without using that component. Modes of Introduction: Related Weaknesses CWE-1061 Consequences Other: Reduce Reliability Potential Mitigations CVE References
-
CWE-1084 – Invokable Control Element with Excessive File or Data Access Operations
Description A function or method contains too many operations that utilize a data manager or file resource. Modes of Introduction: Related Weaknesses CWE-405 Consequences Other: Reduce Maintainability Potential Mitigations CVE References
-
CWE-1048 – Invokable Control Element with Large Number of Outward Calls
Description The code contains callable control elements that contain an excessively large number of references to other application objects external to the context of the callable, i.e. a Fan-Out value that is excessively large. Modes of Introduction: Related Weaknesses CWE-710 Consequences Other: Reduce Maintainability Potential Mitigations CVE References
-
CWE-1049 – Excessive Data Query Operations in a Large Data Table
Description The software performs a data query with a large number of joins and sub-queries on a large data table. Modes of Introduction: Related Weaknesses CWE-1176 Consequences Other: Reduce Performance Potential Mitigations CVE References
-
CWE-105 – Struts: Form Field Without Validator
Description The application has a form field that is not validated by a corresponding validation form, which can introduce other weaknesses related to insufficient input validation. Omitting validation for even a single input field may give attackers the leeway they need to compromise the application. Although J2EE applications are not generally susceptible to memory corruption…
-
CWE-1050 – Excessive Platform Resource Consumption within a Loop
Description The software has a loop body or loop condition that contains a control element that directly or indirectly consumes platform resources, e.g. messaging, sessions, locks, or file descriptors. Modes of Introduction: Related Weaknesses CWE-405 Consequences Other: Reduce Performance Potential Mitigations CVE References
-
CWE-1051 – Initialization with Hard-Coded Network Resource Configuration Data
Description The software initializes data using hard-coded values that act as network resource identifiers. Modes of Introduction: Related Weaknesses CWE-665 Consequences Other: Reduce Reliability Potential Mitigations CVE References
-
CWE-1052 – Excessive Use of Hard-Coded Literals in Initialization
Description The software initializes a data element using a hard-coded literal that is not a simple integer or static constant element. Modes of Introduction: Related Weaknesses CWE-665 Consequences Other: Reduce Maintainability Potential Mitigations CVE References
-
CWE-1053 – Missing Documentation for Design
Description The product does not have documentation that represents how it is designed. Modes of Introduction: Related Weaknesses CWE-1059 Consequences Potential Mitigations CVE References
-
CWE-1054 – Invocation of a Control Element at an Unnecessarily Deep Horizontal Layer
Description The code at one architectural layer invokes code that resides at a deeper layer than the adjacent layer, i.e., the invocation skips at least one layer, and the invoked code is not part of a vertical utility layer that can be referenced from any horizontal layer. Modes of Introduction: Related Weaknesses CWE-1061…
-
CWE-1055 – Multiple Inheritance from Concrete Classes
Description The software contains a class with inheritance from more than one concrete class. Modes of Introduction: Related Weaknesses CWE-1093 Consequences Other: Reduce Maintainability Potential Mitigations CVE References
-
CWE-1056 – Invokable Control Element with Variadic Parameters
Description A named-callable or method control element has a signature that supports a variable (variadic) number of parameters or arguments. Modes of Introduction: Related Weaknesses CWE-1120 Consequences Other: Reduce Reliability Potential Mitigations CVE References
-
CWE-1057 – Data Access Operations Outside of Expected Data Manager Component
Description The software uses a dedicated, central data manager component as required by design, but it contains code that performs data-access operations that do not use this data manager. Modes of Introduction: Related Weaknesses CWE-1061 Consequences Other: Reduce Performance Potential Mitigations CVE References
-
CWE-1058 – Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element
Description The code contains a function or method that operates in a multi-threaded environment but owns an unsafe non-final static storable or member data element. Modes of Introduction: Related Weaknesses CWE-662 CWE-662 CWE-662 Consequences Other: Reduce Reliability Potential Mitigations CVE References
-
CWE-1059 – Insufficient Technical Documentation
Description The product does not contain sufficient technical or engineering documentation (whether on paper or in electronic form) that contains descriptions of all the relevant software/hardware elements of the product, such as its usage, structure, architectural components, interfaces, design, implementation, configuration, operation, etc. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-710…
-
CWE-106 – Struts: Plug-in Framework not in Use
Description When an application does not use an input validation framework such as the Struts Validator, there is a greater risk of introducing weaknesses related to insufficient input validation. Modes of Introduction: – Implementation Related Weaknesses CWE-1173 CWE-20 Consequences Integrity: Unexpected State Potential Mitigations Phase: Architecture and Design Description: Use an…
-
CWE-1060 – Excessive Number of Inefficient Server-Side Data Accesses
Description The software performs too many data queries without using efficient data processing functionality such as stored procedures. Modes of Introduction: Related Weaknesses CWE-1120 Consequences Other: Reduce Performance Potential Mitigations CVE References
-
CWE-1061 – Insufficient Encapsulation
Description The software does not sufficiently hide the internal representation and implementation details of data or methods, which might allow external components or modules to modify data unexpectedly, invoke unexpected functionality, or introduce dependencies that the programmer did not intend. Modes of Introduction: Related Weaknesses CWE-710 Consequences Potential Mitigations CVE References
-
CWE-1062 – Parent Class with References to Child Class
Description The code has a parent class that contains references to a child class, its methods, or its members. Modes of Introduction: Related Weaknesses CWE-1061 Consequences Other: Reduce Reliability Potential Mitigations CVE References
-
CWE-1063 – Creation of Class Instance within a Static Code Block
Description A static code block creates an instance of a class. Modes of Introduction: Related Weaknesses CWE-1176 Consequences Other: Reduce Performance Potential Mitigations CVE References
-
CWE-1064 – Invokable Control Element with Signature Containing an Excessive Number of Parameters
Description The software contains a function, subroutine, or method whose signature has an unnecessarily large number of parameters/arguments. Modes of Introduction: Related Weaknesses CWE-1120 Consequences Other: Reduce Maintainability Potential Mitigations CVE References
-
CWE-1065 – Runtime Resource Management Control Element in a Component Built to Run on Application Servers
Description The application uses deployed components from application servers, but it also uses low-level functions/methods for management of resources, instead of the API provided by the application server. Modes of Introduction: Related Weaknesses CWE-710 Consequences Other: Reduce Reliability Potential Mitigations CVE References
-
CWE-1007 – Insufficient Visual Distinction of Homoglyphs Presented to User
Description The software displays information or identifiers to a user, but the display mechanism does not make it easy for the user to distinguish between visually similar or identical glyphs (homoglyphs), which may cause the user to misinterpret a glyph and perform an unintended, insecure action. Modes of Introduction: – Architecture and Design Likelihood…
-
CWE-102 – Struts: Duplicate Validation Forms
Description The application uses multiple validation forms with the same name, which might cause the Struts Validator to validate a form that the programmer does not expect. If two validation forms have the same name, the Struts Validator arbitrarily chooses one of the forms to use for input validation and discards the other. This decision…
-
CWE-1021 – Improper Restriction of Rendered UI Layers or Frames
Description The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with. A web application is expected to place restrictions on whether it is allowed to be rendered within frames, iframes,…
-
CWE-1022 – Use of Web Link to Untrusted Target with window.opener Access
Description The web application produces links to untrusted external sites outside of its sphere of control, but it does not properly prevent the external site from modifying security-critical properties of the window.opener object, such as the location property. When a user clicks a link to an external site (“target”), the target=”_blank” attribute causes the target…
-
CWE-1023 – Incomplete Comparison with Missing Factors
Description The software performs a comparison between entities that must consider multiple factors or characteristics of each entity, but the comparison does not include one or more of these factors. An incomplete comparison can lead to resultant weaknesses, e.g., by operating on the wrong object or making a security decision without considering a required factor.…
-
CWE-1024 – Comparison of Incompatible Types
Description The software performs a comparison between two entities, but the entities are of different, incompatible types that cannot be guaranteed to provide correct results when they are directly compared. In languages that are strictly typed but support casting/conversion, such as C or C++, the programmer might assume that casting one entity to the same…
-
CWE-1025 – Comparison Using Wrong Factors
Description The code performs a comparison between two entities, but the comparison examines the wrong factors or characteristics of the entities, which can lead to incorrect results and resultant weaknesses. This can lead to incorrect results and resultant weaknesses. For example, the code might inadvertently compare references to objects, instead of the relevant contents of…
-
CWE-103 – Struts: Incomplete validate() Method Definition
Description The application has a validator form that either does not define a validate() method, or defines a validate() method but does not call super.validate(). If the code does not call super.validate(), the Validation Framework cannot check the contents of the form against a validation form. In other words, the validation framework will be disabled…
-
CWE-1037 – Processor Optimization Removal or Modification of Security-critical Code
Description The developer builds a security-critical protection mechanism into the software, but the processor optimizes the execution of the program such that the mechanism is removed or modified. Modes of Introduction: – Architecture and Design Likelihood of Exploit: Low Related Weaknesses CWE-1038 Consequences Integrity: Bypass Protection Mechanism A successful exploitation of this…
-
CWE-1038 – Insecure Automated Optimizations
Description The product uses a mechanism that automatically optimizes code, e.g. to improve a characteristic such as performance, but the optimizations can have an unintended side effect that might violate an intended security assumption. Modes of Introduction: – Architecture and Design Likelihood of Exploit: Low Related Weaknesses CWE-435 CWE-758 Consequences Integrity: Alter…
-
CWE-1039 – Automated Recognition Mechanism with Inadequate Detection or Handling of Adversarial Input Perturbations
Description The product uses an automated mechanism such as machine learning to recognize complex data inputs (e.g. image or audio) as a particular concept or category, but it does not properly detect or handle inputs that have been modified or constructed in a way that causes the mechanism to detect a different, incorrect concept. Modes…
-
CWE-104 – Struts: Form Bean Does Not Extend Validation Class
Description If a form bean does not extend an ActionForm subclass of the Validator framework, it can expose the application to other weaknesses related to insufficient input validation. In order to use the Struts Validator, a form must extend one of the following: ValidatorForm, ValidatorActionForm, DynaValidatorActionForm, and DynaValidatorForm. One of these classes must be extended…
-
CWE-1041 – Use of Redundant Code
Description The software has multiple functions, methods, procedures, macros, etc. that contain the same code. Modes of Introduction: Related Weaknesses CWE-710 Consequences Other: Reduce Maintainability Potential Mitigations CVE References
-
CWE-1042 – Static Member Data Element outside of a Singleton Class Element
Description The code contains a member element that is declared as static (but not final), in which its parent class element is not a singleton class – that is, a class element that can be used only once in the ‘to’ association of a Create action. Modes of Introduction: Related Weaknesses CWE-1176 …
-
CWE-1043 – Data Element Aggregating an Excessively Large Number of Non-Primitive Elements
Description The software uses a data element that has an excessively large number of sub-elements with non-primitive data types such as structures or aggregated objects. Modes of Introduction: Related Weaknesses CWE-1093 Consequences Other: Reduce Performance Potential Mitigations CVE References
-
CWE-1044 – Architecture with Number of Horizontal Layers Outside of Expected Range
Description The software’s architecture contains too many – or too few – horizontal layers. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-710 Consequences Other: Reduce Maintainability Potential Mitigations CVE References
-
CWE-1045 – Parent Class with a Virtual Destructor and a Child Class without a Virtual Destructor
Description A parent class has a virtual destructor method, but the parent has a child class that does not have a virtual destructor. Modes of Introduction: Related Weaknesses CWE-1076 Consequences Other: Reduce Reliability Potential Mitigations CVE References
USN-5450-1: Subversion vulnerabilities
Evgeny Kotkov discovered that subversion servers did not properly follow
path-based authorization rules in certain cases. An attacker could
potentially use this issue to retrieve information about private paths.
(CVE-2021-28544)
Thomas Weißschuh discovered that subversion servers did not properly handle
memory in certain configurations. A remote attacker could potentially use
this issue to cause a denial of service or other unspecified impact.
(CVE-2022-24070)
New Linux-based ransomware targets VMware servers
Researchers at Trend Micro have discovered some new Linux-based ransomware that’s being used to attack VMware ESXi servers, a bare-metal hypervisor for creating and running several virtual machines (VMs) that share the same hard drive storage. Called Cheerscrypt, the bad app is following in the footsteps of other ransomware programs—such as LockBit, Hive and RansomEXX—that have found ESXi an efficient way to infect many computers at once with malicious payloads.
Roger Grimes, a defense evangelist with security awareness training provider KnowBe4, explains that most of the world’s organizations operate using VMware virtual machines. “It makes the job of ransomware attackers far easier because they can encrypt one server—the VMware server—and then encrypt every guest VM it contains. One compromise and encryption command can easily encrypt dozens to hundreds of other virtually run computers all at once.”
Rapidly evolving IoT malware EnemyBot now targeting Content Management System servers and Android devices
Executive summary
AT&T Alien Labs™ has been tracking a new IoT botnet dubbed “EnemyBot”, which is believed to be distributed by threat actor Keksec. During our investigations, Alien Labs has discovered that EnemyBot is expanding its capabilities, exploiting recently identified vulnerabilities (2022), and now targeting IoT devices, web servers, Android devices and content management system (CMS) servers. In addition, the malware base source code can now be found online on Github, making it widely accessible.
Key takeaways:
EnemyBot’s base source code can be found on Github, making it available to anyone who wants to leverage the malware in their attacks.
The malware is rapidly adopting one-day vulnerabilities as part of its exploitation capabilities.
Services such as VMware Workspace ONE, Adobe ColdFusion, WordPress, PHP Scriptcase and more are being targeted as well as IoT and Android devices.
The threat group behind EnemyBot, Keksec, is well-resourced and has the ability to update and add new capabilities to its arsenal of malware on a daily basis (see below for more detail on Keksec)
Background
First discovered by Securonix in March 2022 and later detailed in an in-depth analysis by Fortinet, EnemyBot is a new malware distributed by the threat actor “Keksec” targeting Linux machines and IoT devices.
According to the malware Github’s repository, EnemyBot derives its source code from multiple botnets to a powerful and more adjustable malware. The original botnet code that EnemyBot is using includes: Mirai, Qbot, and Zbot. In addition, the malware includes custom development (see figure 1).
Figure 1. EnemyBot page on Github.
The Keksec threat group is reported to have formed back in 2016 by a number of experienced botnet actors. In November 2021, researchers from Qihoo 360 described in detail the threat actor’s activity in a presentation, attributing to the Keksec the development of botnets for different platforms including Windows and Linux:
Linux based botnets: Tsunami and Gafgyt
Windows based botnets: DarkIRC, DarkHTTP
Dual systems: Necro (developed in Python)
Source code analysis
The developer of the Github page on EnemyBot self describes as a “full time malware dev,” that is also available for contract work. The individual states their workplace as “Kek security,” implying a potential relationship with the broader Keksec group (see figure 2).
Figure 2. EnemyBot developer description.
The malware repository on Github contains four main sections:
cc7.py
This module is a Python script file that downloads all dependencies and compiles the malware into different OS architectures including x86, ARM, macOS, OpenBSD, PowerPC, MIPS, and more (see figure 3)
Figure 3. Compiling malware source code to macOS executable.
Once compilation is complete, the script then creates a batch file ‘update.sh’ which is used by the bot as a downloader that is then delivered to any identified vulnerable targets to spread the malware.
Figure 4. Generated `update.sh` file to spread EnemyBot on different architectures.
enemy.c
This is the main bot source code. Though it is missing the main exploitation function, it includes all other functionality of the malware and the attacks the bot supports by mixing the various botnet source codes as mentioned above (Mirai, Qbot, and Zbot) — mainly Mirai and Qbot (see figure 5).
Figure 5. EnemyBot source code.
hide.c
This module is compiled and manually executed to encode / decode the malware’s strings by the attacker to hide strings in binary. For that, the malware is using a simple swap table, in which each char is replaced with a corresponding char in the table (see in figure 6).
Figure 6. String decode.
servertor.c
Figure 7 shows the command-and-control component (C&C) botnet controller. C&C will be executed on a dedicated machine that is controlled by the attacker. It can control and send commands to infected machines. (figure 7)
Figure 7. C&C component.
New variant analysis
Most of EnemyBot functionality relates to the malware’s spreading capabilities, as well as its ability to scan public-facing assets and look for vulnerable devices. However, the malware also has DDoS capabilities and can receive commands to download and execute new code (modules) from its operators that give the malware more functionality.
In new variants of EnemyBot, the malware added a webscan function containing a total of 24 exploits to attack vulnerabilities of different devices and web servers (see figure 8).
Figure 8. EnemyBot calls for a new function “webscan_xywz”.
To perform these functions, the malware randomly scans IP addresses and when it gets a response via SYN/ACK, EnemyBot then scans for vulnerabilities on the remote server by executing multiple exploits.
The first exploit is for the Log4j vulnerability discovered last year as CVE-2021-44228 and CVE-2021-45046:
Figure 9. Exploiting the Log4J vulnerability.
The malware also can adopt new vulnerabilities within days of those vulnerabilities being discovered. Some examples are Razer Sila (April 2022) which was published without a CVE (see figure 10) and a remote code execution (RCE) vulnerability impacting VMWare Workspace ONE with CVE-2022-22954 the same month (see figure 11).
Figure 10. Exploiting vulnerability in Razar Sila.
Figure 11. Exploiting vulnerability in VMWare Workspace ONE.
EnemyBot has also begun targeting content management systems (e.g. WordPress) by searching for vulnerabilities in various plugins, such as “Video Synchro PDF” (see figure 12).
Figure 12. EnemyBot targeting WordPress servers.
In the example shown in figure 12, notice that the malware elevates a local file inclusion (LFI) vulnerability into a RCE by injecting malicious code into the ‘/proc/self/environ’. This method is not new and was described in 2009. The malware uses LFI to call ‘environ’ and passes the shell command in the user agent http header.
Another example of how the malware uses this method is shown in figure 13. In this example the malware is exploiting a vulnerability in DBltek GoIP.
Figure 13. Executing shell command through LFI vulnerability in DBltek.
After infection, EnemyBot will wait for further commands from its C&C. However, in parallel it will also further propogate by scanning for additional vulnerable devices. Alien Labs has listed below the commands the bot can receive from its C&C (accurate as of the publishing of this article).
In case an Android device is connected through USB, or Android emulator running on the machine, EnemyBot will try to infect it by executing shell command. (figure 14)
Figure 14. EnemyBot “adb_infect” function to attack Android devices.
Command
Action
SH
Execute shell command
PING
Ping to server, wait for command
LDSERVER
Change loader server for payload.
TCPON
Turn on sniffer.
RSHELL
Create a reverse shell on an infected machine.
TCPOFF
Turn off sniffer.
UDP
Start UDP flood attack.
TCP
Start TCP flood attack.
HTTP
Start HTTP flood attack.
HOLD
Start TCP connection flooder.
TLS
Start TLS attack, start handshake without closing the socket.
STD
Start non spoofed UDP flooder.
DNS
Start DNS flooder.
SCANNER ON | OFF
Start/Stop scanner – scan and infect vulnerable devices.
OVH
Start DDos attack on OVH.
BLACKNURSE
Start ICMP flooder.
STOP
Stop ongoing attacks. kill child processes
ARK
Start targeted attack on ARK: Survivor Evolved video game server.
ADNS
Receive targets list from C&C and start DNS attack.
ASSDP
Start SSDP flood attack.
We have also listed the current vulnerabilities EnemyBot uses. As mentioned, some of them have not been assigned a CVE yet. (As of the publishing of this article.)
CVE Number
Affected devices
CVE-2021-44228, CVE-2021-45046
Log4J RCE
CVE-2022-1388
F5 BIG IP RCE
No CVE (vulnerability published on 2022-02)
Adobe ColdFusion 11 RCE
CVE-2020-7961
Liferay Portal – Java Unmarshalling via JSONWS RCE
No CVE (vulnerability published on 2022-04)
PHP Scriptcase 9.7 RCE
CVE-2021-4039
Zyxel NWA-1100-NH Command injection
No CVE (vulnerability published on 2022-04)
Razar Sila – Command injection
CVE-2022-22947
Spring Cloud Gateway – Code injection vulnerability
CVE-2022-22954
VMWare Workspace One RCE
CVE-2021-36356, CVE-2021-35064
Kramer VIAware RCE
No CVE (vulnerability published on 2022-03)
WordPress Video Synchro PDF plugin LFI
No CVE (vulnerability published on 2022-02)
Dbltek GoIP LFI
No CVE(vulnerability published on 2022-03)
WordPress Cab Fare Calculator plugin LFI
No CVE(vulnerability published on 2022-03)
Archeevo 5.0 LFI
CVE-2018-16763
Fuel CMS 1.4.1 RCE
CVE-2020-5902
F5 BigIP RCE
No CVE (vulnerability published on 2019)
ThinkPHP 5.X RCE
No CVE (vulnerability published on 2017)
Netgear DGN1000 1.1.00.48 ‘Setup.cgi’ RCE
CVE-2022-25075
TOTOLink A3000RU command injection vulnerability
CVE-2015-2051
D-Link devices – HNAP SOAPAction – Header command injection vulnerability
CVE-2014-9118
ZHOME < S3.0.501 RCE
CVE-2017-18368
Zyxel P660HN – unauthenticated command injection
CVE-2020-17456
Seowon SLR 120 router RCE
CVE-2018-10823
D-Link DWR command injection in various models
Recommended actions
Maintain minimal exposure to the Internet on Linux servers and IoT devices and use a properly configured firewall.
Enable automatic updates to ensure your software has the latest security updates.
Monitor network traffic, outbound port scans, and unreasonable bandwidth usage.
Conclusion
Keksec’s EnemyBot appears to be just starting to spread, however due to the authors’ rapid updates, this botnet has the potential to become a major threat for IoT devices and web servers. The malware can quickly adopt one-day vulnerabilities (within days of a published proof of concept). This indicates that the Keksec group is well resourced and that the group has developed the malware to take advantage of vulnerabilities before they are patched, thus increasing the speed and scale at which it can spread.
Detection methods
The following associated detection methods are in use by Alien Labs. They can be used by readers to tune or deploy detections in their own environments or for aiding additional research.
SURICATA IDS SIGNATURES
Log4j sids: 2018202, 2018203, 2034647, 2034648, 2034649, 2034650, 2034651, 2034652, 2034653, 2034654, 2034655, 2034656, 2034657, 2034658, 2034659, 2034660, 2034661, 2034662, 2034663, 2034664, 2034665, 2034666, 2034667, 2034668, 2034671, 2034672, 2034673, 2034674, 2034676, 2034699, 2034700, 2034701, 2034702, 2034703, 2034706, 2034707, 2034708, 2034709, 2034710, 2034711, 2034712, 2034713, 2034714, 2034715, 2034716, 2034717, 2034723, 2034743, 2034744, 2034747, 2034748, 2034749, 2034750, 2034751, 2034755, 2034757, 2034758, 2034759, 2034760, 2034761, 2034762, 2034763, 2034764, 2034765, 2034766, 2034767, 2034768, 2034781, 2034782, 2034783, 2034784, 2034785, 2034786, 2034787, 2034788, 2034789, 2034790, 2034791, 2034792, 2034793, 2034794, 2034795, 2034796, 2034797, 2034798, 2034799, 2034800, 2034801, 2034802, 2034803, 2034804, 2034805, 2034806, 2034807, 2034808, 2034809, 2034810, 2034811, 2034819, 2034820, 2034831, 2034834, 2034835, 2034836, 2034839, 2034886, 2034887, 2034888, 2034889, 2034890, 2838340, 2847596, 4002714, 4002715
4001913: AV EXPLOIT LifeRay RCE (CVE-2020-7961)
4001943: AV EXPLOIT Liferay Portal Java Unmarshalling RCE (CVE-2020-7961)
4002589: AV EXPLOIT LifeRay Remote Code Execution – update-column (CVE-2020-7961)
2031318: ET CURRENT_EVENTS 401TRG Liferay RCE (CVE-2020-7961)
2031592: ET WEB_SPECIFIC_APPS Liferay Unauthenticated RCE via JSONWS Inbound (CVE-2020-7961)
2035955: ET EXPLOIT Razer Sila Router – Command Injection Attempt Inbound (No CVE)
2035956: ET EXPLOIT Razer Sila Router – LFI Attempt Inbound (No CVE)
2035380: ET EXPLOIT VMware Spring Cloud Gateway Code Injection (CVE-2022-2294) (set)
2035381: ET EXPLOIT VMware Spring Cloud Gateway Code Injection (CVE-2022-2294)
2035876: ET EXPLOIT VMWare Server-side Template Injection RCE (CVE-2022-22954)
2035875: ET EXPLOIT VMWare Server-side Template Injection RCE (CVE-2022-22954)
2035874: ET EXPLOIT VMWare Server-side Template Injection RCE (CVE-2022-22954)
2036416: ET EXPLOIT Possible VMware Workspace ONE Access RCE via Server-Side Template Injection Inbound (CVE-2022-22954)
4002364: AV EXPLOIT Fuel CMS RCE (CVE-2018-16763)
2030469: ET EXPLOIT F5 TMUI RCE vulnerability CVE-2020-5902 Attempt M1
2030483: ET EXPLOIT F5 TMUI RCE vulnerability CVE-2020-5902 Attempt M2
2836503: ETPRO EXPLOIT Attempted THINKPHP < 5.2.x RCE Inbound
2836504: ETPRO EXPLOIT Attempted THINKPHP < 5.2.x RCE Outbound
2836633: ETPRO EXPLOIT BlackSquid Failed ThinkPHP Payload Inbound
2026731: ET WEB_SERVER ThinkPHP RCE Exploitation Attempt
2024916: ET EXPLOIT Netgear DGN Remote Command Execution
2029215: ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound
2034576: ET EXPLOIT Netgear DGN Remote Code Execution
2035746: ET EXPLOIT Totolink – Command Injection Attempt Inbound (CVE-2022-25075)
4001488: AV TROJAN Mirai Outbound Exploit Scan, D-Link HNAP RCE (CVE-2015-2051)
2034491: ET EXPLOIT D-Link HNAP SOAPAction Command Injection (CVE-2015-2051)
4000095: AV EXPLOIT Unauthenticated Command Injection (ZyXEL P660HN-T v1)
4002327: AV TROJAN Mirai faulty Zyxel exploit attempt
2027092: ET EXPLOIT Possible ZyXEL P660HN-T v1 RCE
4002226: AV EXPLOIT Seowon Router RCE (CVE-2020-17456)
2035950: ET EXPLOIT SEOWON INTECH SLC-130/SLR-120S RCE Inbound M1 (CVE-2020-17456)
2035951: ET EXPLOIT SEOWON INTECH SLC-130/SLR-120S RCE Inbound M2 (CVE-2020-17456)
2035953: ET EXPLOIT D-Link DWR Command Injection Inbound (CVE-2018-10823)
AGENT SIGNATURES
Java Process Spawning Scripting Process
Java Process Spawning WMIC
Java Process Spawning Scripting Process via Commandline (For Jenkins servers)
Suspicious process executed by Jenkins Groovy scripts (For Jenkins servers)
Suspicious command executed by a Java listening process (For Linux servers)
Associated indicators (IOCs)
The following technical indicators are associated with the reported intelligence. A list of indicators is also available in the OTX Pulse. Please note, the pulse may include other activities related but out of the scope of the report.
TYPE
INDICATOR
DESCRIPTION
IP ADDRESS
80.94.92[.]38
Malware C&C
SHA256
7c0fe3841af72d55b55bc248167665da5a9036c972acb9a9ac0a7a21db016cc6
Malware hash
SHA256
2abf6060c8a61d7379adfb8218b56003765c1a1e701b346556ca5d53068892a5
Malware hash
SHA256
7785efeeb495ab10414e1f7e4850d248eddce6be91738d515e8b90d344ed820d
Malware hash
SHA256
8e711f38a80a396bd4dacef1dc9ff6c8e32b9b6d37075cea2bbef6973deb9e68
Malware hash
SHA256
31a9c513a5292912720a4bcc6bd4918fc7afcd4a0b60ef9822f5c7bd861c19b8
Malware hash
SHA256
139e1b14d3062881849eb2dcfe10b96ee3acdbd1387de82e73da7d3d921ed806
Malware hash
SHA256
4bd6e530db1c7ed7610398efa249f9c236d7863b40606d779519ac4ccb89767f
Malware hash
SHA256
7a2a5da50e87bb413375ecf12b0be71aea4e21120c0c2447d678ef73c88b3ba0
Malware hash
SHA256
ab203b50226f252c6b3ce2dd57b16c3a22033cd62a42076d09c9b104f67a3bc9
Malware hash
SHA256
70674c30ed3cf8fc1f8a2b9ecc2e15022f55ab9634d70ea3ba5e2e96cc1e00a0
Malware hash
SHA256
f4f9252eac23bbadcbd3cf1d1cada375cb839020ccb0a4e1c49c86a07ce40e1e
Malware hash
SHA256
6a7242683122a3d4507bb0f0b6e7abf8acef4b5ab8ecf11c4b0ebdbded83e7aa
Malware hash
SHA256
b63e841ded736bca23097e91f1f04d44a3f3fdd98878e9ef2a015a09950775c8
Malware hash
SHA256
4869c3d443bae76b20758f297eb3110e316396e17d95511483b99df5e7689fa0
Malware hash
SHA256
cdf2c0c68b5f8f20af448142fd89f5980c9570033fe2e9793a15fdfdadac1281
Malware hash
Mapped to MITRE ATT&CK
The findings of this report are mapped to the following MITRE ATT&CK Matrix techniques:
TA0001: Initial Access:
T1190: Exploit Public-Facing Application
TA0008: Lateral Movement:
T1210: Exploitation of Remote Services
T1021: Remote Services
TA0011: Command and Control
T1132: Data Encoding
T1001: Data Obfuscation
T1030: Proxy:
003: Multi-hop Proxy
CVE-2021-28509
This advisory documents the impact of an internally found vulnerability in Arista EOS state streaming telemetry agent TerminAttr and OpenConfig transport protocols. The impact of this vulnerability is that, in certain conditions, TerminAttr might leak MACsec sensitive data in clear text in CVP to other authorized users, which could cause MACsec traffic to be decrypted or modified by other authorized users on the device.
CVE-2021-28508
This advisory documents the impact of an internally found vulnerability in Arista EOS state streaming telemetry agent TerminAttr and OpenConfig transport protocols. The impact of this vulnerability is that, in certain conditions, TerminAttr might leak IPsec sensitive data in clear text in CVP to other authorized users, which could cause IPsec traffic to be decrypted or modified by other authorized users on the device.
CWE-69 – Improper Handling of Windows ::DATA Alternate Data Stream
Description
The software does not properly prevent access to, or detect usage of, alternate data streams (ADS).
An attacker can use an ADS to hide information about a file (e.g. size, the name of the process) from a system or file browser tools such as Windows Explorer and ‘dir’ at the command line utility. Alternately, the attacker might be able to bypass intended access restrictions for the associated data fork.
Alternate data streams (ADS) were first implemented in the Windows NT operating system to provide compatibility between NTFS and the Macintosh Hierarchical File System (HFS). In HFS, data and resource forks are used to store information about a file. The data fork provides information about the contents of the file while the resource fork stores metadata such as file type.
Modes of Introduction:
– Architecture and Design
Related Weaknesses
Consequences
Access Control, Non-Repudiation, Other: Bypass Protection Mechanism, Hide Activities, Other
Potential Mitigations
Phase: Testing
Description:
Software tools are capable of finding ADSs on your system.
Phase: Implementation
Description:
Ensure that the source code correctly parses the filename to read or write to the correct stream.
CVE References
- CVE-1999-0278
- In IIS, remote attackers can obtain source code for ASP files by appending “::$DATA” to the URL.
- CVE-2000-0927
- Product does not properly record file sizes if they are stored in alternative data streams, which allows users to bypass quota restrictions.
CWE-689 – Permission Race Condition During Resource Copy
Description
The product, while copying or cloning a resource, does not set the resource’s permissions or access control until the copy is complete, leaving the resource exposed to other spheres while the copy is taking place.
Modes of Introduction:
– Implementation
Related Weaknesses
Consequences
Confidentiality, Integrity: Read Application Data, Modify Application Data
Potential Mitigations
CVE References
- CVE-2002-0760
- Archive extractor decompresses files with world-readable permissions, then later sets permissions to what the archive specified.
- CVE-2005-2174
- Product inserts a new object into database before setting the object’s permissions, introducing a race condition.
- CVE-2006-5214
- Error file has weak permissions before a chmod is performed.
- CVE-2005-2475
- Archive permissions issue using hard link.
- CVE-2003-0265
- Database product creates files world-writable before initializing the setuid bits, leading to modification of executables.