
Black Basta: a new ransomware group or rebranded ransomware operation

Tags: Black Basta, Rebrand, Ransomware

Black Basta, a newly emerged name among ransomware families, is quickly gaining attention and appears to be an attempt to rebrand the previously dissolve...

03-May-2022, 6 min read

Related Articles


Tags: Backdoor

FortiGuard Labs attributed the campaign to an Iranian cyber espionage threat act...

A new stealthy backdoor known as Saitama has been discovered in a spear-phishing attempt targeting Jordan's foreign ministry. Researchers at Malwarebytes and Fortinet FortiGuard Labs connected the attack to the Iranian cyber espionage actor known as APT34, citing similarities to the group's previous campaigns. Like many such attacks, the email carried a malicious attachment, according to Fortinet researcher Fred Gutierrez: "The associated danger, however, was not your typical virus. Instead, it possessed advanced persistent threat (APT) capabilities and methodologies."

APT34, also known as OilRig, Helix Kitten and Cobalt Gypsy, has been active in the Middle East and North Africa (MENA) since at least 2014 and has a history of targeting the telecom, government, defense, oil and banking sectors with targeted phishing. Earlier this February, ESET linked the group to a long-running information-gathering operation against diplomatic institutions, technology companies and medical organizations in Israel, Tunisia and the United Arab Emirates.

## Backdoor in Saitama

The newly discovered phishing mail carries a weaponized Microsoft Excel sheet which, when opened, urges the victim to enable macros. A malicious Visual Basic for Applications (VBA) macro then drops the malware payload ("update.exe"). The macro also establishes persistence for the implant by registering a scheduled task that runs every four hours.

Saitama is a .NET-based malware that uses the DNS protocol to conceal its command-and-control (C2) communications, and it executes the commands received from the C2 server using a "finite-state machine" approach. "This suggests this virus is getting tasks from a DNS response," Gutierrez stated. DNS tunneling, as the name implies, allows data belonging to other programs or protocols to be encoded in DNS queries and answers. The results of command execution are then sent back to the C2 server, with the exfiltrated data embedded in a DNS request.

"Given the amount of effort put into constructing this virus, it does not appear to be the sort to execute once and then destroy itself," Gutierrez added. "This virus does not build any persistence mechanisms, maybe to avoid triggering any behavioral detections. Instead, a scheduled process is used to generate persistence using an Excel macro."
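The DNS tunneling described above leaves a characteristic trace in resolver logs: many distinct, long, high-entropy subdomains of one registered domain, coming from one client. The following is an added example (not code from the FortiGuard or Malwarebytes write-ups) that runs that heuristic over constructed resolver log lines. The log format, the domain names, the "last two labels" notion of a registered domain and the thresholds are all assumptions for the demo.

```python
"""Added example: a DNS-tunneling heuristic over constructed resolver log lines.
Log format, domain names and thresholds are assumptions, not real telemetry."""
import math
from collections import Counter, defaultdict

# Constructed sample log: "<unix_ts> <client_ip> <qname> <qtype>".
# 10.0.0.7 plays the implant; each first label is a 32-char hex chunk of encoded data.
SAMPLE_LOG = """\
1652400001 10.0.0.5 www.microsoft.com A
1652400002 10.0.0.5 update.example.org A
1652400003 10.0.0.7 4b5a3c2d1e0f9a8b7c6d5e4f3a2b1c0d.task.c2-domain.test A
1652400004 10.0.0.7 9f8e7d6c5b4a39281706f5e4d3c2b1a0.task.c2-domain.test A
1652400005 10.0.0.7 0a1b2c3d4e5f60718293a4b5c6d7e8f9.task.c2-domain.test A
1652400006 10.0.0.7 ffeeddccbbaa99887766554433221100.task.c2-domain.test A
1652400007 10.0.0.5 mail.example.org MX
"""


def shannon_entropy(s):
    """Bits per character: hex data tops out at 4.0, ordinary hostnames sit well below 3.5."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_domain(qname, labels=2):
    """Assumption: the registrable part is the last two labels (no public-suffix list)."""
    parts = qname.rstrip(".").lower().split(".")
    return ".".join(parts[-labels:])


def parse_log(text):
    """Yield one record per non-empty log line of the constructed format above."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype = line.split()
        yield {"ts": int(ts), "client": client,
               "qname": qname.lower().rstrip("."), "qtype": qtype}


def analyze(log_text, min_label_len=24, min_entropy=3.5, min_unique=3):
    """Flag registered domains that receive at least min_unique distinct subdomain
    queries whose first label is long and high-entropy: data carried in query names."""
    per_domain = defaultdict(lambda: {"clients": set(), "subdomains": set(), "suspicious": 0})
    for rec in parse_log(log_text):
        dom = registered_domain(rec["qname"])
        sub = rec["qname"][: -len(dom)].rstrip(".")
        if not sub:
            continue  # bare apex query carries no subdomain data
        d = per_domain[dom]
        d["clients"].add(rec["client"])
        d["subdomains"].add(sub)
        first_label = sub.split(".")[0]
        if len(first_label) >= min_label_len and shannon_entropy(first_label) >= min_entropy:
            d["suspicious"] += 1
    flagged = {}
    for dom, d in per_domain.items():
        if d["suspicious"] >= min_unique and len(d["subdomains"]) >= min_unique:
            flagged[dom] = {
                "unique_subdomains": len(d["subdomains"]),
                "suspicious_queries": d["suspicious"],
                "clients": sorted(d["clients"]),
            }
    return flagged


if __name__ == "__main__":
    for dom, info in analyze(SAMPLE_LOG).items():
        print(dom, info)
```

The entropy threshold is tuned for hex- or base32-style encodings, which cap at 4 or 5 bits per character; base64 payloads score higher and are easier to catch. The unique-subdomain count matters as much as the per-label score, because a tunnel must vary the name on every query to get fresh data past the resolver cache, whereas legitimate CDN hostnames repeat.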

13-May-2022, 1 min read
loading..

Tags: Vulnerability, Linux, Root

Microsoft Researchers located previously undiscovered vulnerabilities in Linux s...

Microsoft security researchers have identified a series of weaknesses that, when chained, allow a local attacker to gain root on Linux systems; the chain has been dubbed Nimbuspwn. A blog post from the Microsoft 365 Defender team details the vulnerabilities, which affect networkd-dispatcher and involve directory traversal, a symlink race and a time-of-check-time-of-use (TOCTOU) race, among others. Adversaries can exploit them to elevate privileges on Linux systems and then deploy payloads, ransomware or other malicious actions.

More details can be found in Microsoft's blog post and in the two CVEs, CVE-2022-29799 and CVE-2022-29800, which were reserved at the time of release. More sophisticated attacks, such as malware or ransomware, could leverage the Nimbuspwn vulnerabilities to gain root access and have a greater impact across compromised systems.

## About the vulnerability

According to the findings, CVE-2022-29800 is a time-of-check-time-of-use (TOCTOU) race condition that lets an attacker substitute scripts that networkd-dispatcher (the vulnerable systemd unit) believes are owned by root with scripts that are not. Combined with a symlink race uncovered by the researchers at the same time, this provides a clear path to privilege elevation. CVE-2022-29799 is a directory traversal bug.

Microsoft's security researchers disclosed the vulnerabilities to the maintainer through the Coordinated Vulnerability Disclosure (CVD) process run by Microsoft Security Vulnerability Research (MSVR). The networkd-dispatcher maintainer has released patches for these vulnerabilities, and users are advised to update their instances.

As organizations rely on an ever-wider range of devices and systems, robust solutions that provide cross-platform protection and a holistic view of security posture are needed to mitigate threats like Nimbuspwn. The growing number of Linux vulnerabilities reinforces the need to control the operating system and its subsystems.

## Vulnerability Detection

The research began by enumerating services that run as root and intercepting System Bus signals, combining code review with dynamic analysis. The researchers first documented two information leaks. While intriguing, their severity is low: an attacker can list files under directories that normally require elevated privileges to list.

They then noticed an interesting pattern in a systemd component called networkd-dispatcher. Its purpose is to dispatch network status changes and, optionally, run scripts based on the new state. Notably, it runs as root:

![Figure-2-networkd-dispatcher-running-as-root.png](https://sb-cms.s3.ap-south-1.amazonaws.com/Figure_2_networkd_dispatcher_running_as_root_00e71288de.png)

## Networkd-dispatcher Code Flow

Reviewing the networkd-dispatcher **[source code](https://gitlab.com/craftyguy/networkd-dispatcher)**, the researchers observed the following code flow:

- The "register" function adds a new signal receiver on the System Bus for the service "org.freedesktop.network1" and the signal "PropertiesChanged".
- The "_receive_signal" handler performs basic checks on the type of the received object, derives the changed network interface from the delivered object path, and then derives its new states, "OperationalState" and "AdministrativeState", from the data. If either state is non-empty, the "handle_state" function is called.
- For each of those two states, "handle_state" simply calls "_handle_one_state".
- "_handle_one_state" ensures that the state is not empty and that it differs from the previous state. If so, it records the new state and calls "_run_hooks_for_state", which discovers and runs the scripts for the new state.
- "_run_hooks_for_state" implements the following logic:

***Gets the script list by calling "get_script_list" (which receives the new state as a string). This method simply calls "scripts_in_path", which finds all files under "/etc/networkd-dispatcher/<state>.d" that are owned by the root user and the root group and are executable.***

***Sorts the script list.***

***Runs each script with subprocess.Popen while supplying custom environment variables.***

![Figure-3-_run_hooks_for_state-source-code-some-parts-omitted-for-brevity.png](https://sb-cms.s3.ap-south-1.amazonaws.com/Figure_3_run_hooks_for_state_source_code_some_parts_omitted_for_brevity_29135db2dd.png)

Multiple security issues were disclosed in the fifth step:

***[Directory traversal](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29799) (CVE-2022-29799):*** Nothing in the flow sanitizes the OperationalState or the AdministrativeState. Because the states are used to build the script path, a state can contain directory traversal patterns (e.g. "../../") that escape the "/etc/networkd-dispatcher" base directory.

***[Symlink race](https://en.wikipedia.org/wiki/Symlink_race):*** Both the script discovery and the subprocess.Popen call follow symbolic links.

***[Time-of-check-time-of-use](https://en.wikipedia.org/wiki/Time-of-check_to_time-of-use) (TOCTOU) race condition ([CVE-2022-29800](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29800)):*** There is a delay between the discovery of the scripts and their execution. An attacker can use this window to replace scripts that networkd-dispatcher believes are owned by root with scripts that are not.

![6267e7bcdaac2-6267e7bcdaac3Figure-4-Building-the-script-list-in-the-scripts_in_path-method-including-the-vulnerable-code-with-subdir-poisoned.png.png](https://sb-cms.s3.ap-south-1.amazonaws.com/6267e7bcdaac2_6267e7bcdaac3_Figure_4_Building_the_script_list_in_the_scripts_in_path_method_including_the_vulnerable_code_with_subdir_poisoned_png_6c73403314.png)

## Exploitation

Assume an attacker controls a malicious D-Bus component that can send arbitrary signals. The attacker can then do the following:

- Prepare a directory "/tmp/nimbuspwn" and plant a symlink "/tmp/nimbuspwn/poc.d" that points to "/sbin". "/sbin" was chosen precisely because it contains many root-owned executables that run without additional arguments. This abuses the symlink race described above.
- For each root-owned executable filename under "/sbin", plant a file with the same name under "/tmp/nimbuspwn". For example, if "/sbin/vgs" is executable and owned by root, plant the payload as the executable file "/tmp/nimbuspwn/vgs". This is what lets the attacker win the TOCTOU race.
- Send a signal with the OperationalState "../../../tmp/nimbuspwn/poc". This abuses the directory traversal vulnerability to escape the script directory.
- The networkd-dispatcher signal handler runs and builds the script list from "/etc/networkd-dispatcher/../../../tmp/nimbuspwn/poc.d", which is really a symlink to "/sbin". The result is a list of several root-owned executables.
- Change the symlink "/tmp/nimbuspwn/poc.d" to point to "/tmp/nimbuspwn" instead. This abuses the TOCTOU race: the script path changes without networkd-dispatcher noticing.
- The dispatcher executes files that appear to come from "/sbin" but actually reside in "/tmp/nimbuspwn". Because the dispatcher "believes" the files are owned by root, it runs them blindly with subprocess.Popen, as root. The attacker has thus exploited the vulnerability.

Notably, a large number of candidate files is planted so that the TOCTOU race is won with high probability; in the researchers' tests, three attempts were enough.

![Figure-5-Flow-chart-of-the-attack-in-three-stages.png](https://sb-cms.s3.ap-south-1.amazonaws.com/Figure_5_Flow_chart_of_the_attack_in_three_stages_d0e8f75dea.png)

Because the exploit was not meant to be re-run every time root was needed, the payload that was ultimately used leaves a root backdoor:

1. Copies /bin/sh to /tmp/sh.
2. Turns the new /tmp/sh into a Set-UID (SUID) binary.
3. Runs /tmp/sh -p. The "-p" flag is necessary because modern shells drop privileges by design when the effective user ID differs from the real user ID.

![Exploit_winning-the-TOCTOU-race.png](https://sb-cms.s3.ap-south-1.amazonaws.com/Exploit_winning_the_TOCTOU_race_eedbad589a.png)

Since exploiting this vulnerability requires local shell access, it matters most to those currently running networkd-dispatcher in their Linux workloads. Following Microsoft's disclosure, the maintainer has produced a patch, which anyone with affected systems should apply.
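The three defects above all live in one short piece of logic: a state string pasted into a path, and a by-path ownership check separated from the later execution. The following is an added example (not networkd-dispatcher's own code or the researchers' exploit) that models that discovery step in miniature and puts the hardened form beside it: the state is validated as a plain token and confined to the base directory, the hook directory and each entry are opened with O_NOFOLLOW relative to a directory descriptor, and the ownership check is done with fstat on the very descriptor that would be handed to os.fexecve. The directory layout, the state names and the helper names are assumptions for the demo, and the current uid/gid stands in for root:root so it runs unprivileged.

```python
"""Added example: Nimbuspwn-style script discovery beside a hardened version.
Layout, state names and helper names are assumptions for the demo."""
import os
import re
import stat
import tempfile

STATE_RE = re.compile(r"[A-Za-z0-9_-]+")  # assumption: valid states are plain tokens


def vulnerable_script_dir(base, state):
    # The state from the D-Bus signal is pasted into the path unsanitized, so a
    # state such as "../../tmp/x" escapes base (directory traversal).
    return os.path.join(base, state + ".d")


def vulnerable_scripts_in_path(path, uid, gid):
    # Check-then-use by path: os.stat follows symlinks, and this ownership check
    # is separated from the later execution, so a link or the directory itself
    # can be swapped between check and use (symlink race + TOCTOU).
    found = []
    if os.path.isdir(path):
        for name in sorted(os.listdir(path)):
            full = os.path.join(path, name)
            st = os.stat(full)
            if (stat.S_ISREG(st.st_mode) and st.st_uid == uid
                    and st.st_gid == gid and st.st_mode & stat.S_IXUSR):
                found.append(full)
    return found


def safe_script_dir(base, state):
    # Accept only a plain token, then confirm the resolved path is still inside base.
    if not STATE_RE.fullmatch(state):
        raise ValueError("state must be a plain token: %r" % state)
    path = os.path.join(base, state + ".d")
    real_base = os.path.realpath(base)
    if os.path.commonpath([real_base, os.path.realpath(path)]) != real_base:
        raise ValueError("script directory escapes base: %r" % path)
    return path


def safe_scripts_in_path(path, uid, gid):
    # Open the directory once (refusing a symlinked directory), open every entry
    # relative to that fd with O_NOFOLLOW, and fstat the open descriptor: the
    # inode that was checked is the one the caller later runs via os.fexecve.
    found = []
    try:
        dir_fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    except OSError:
        return found
    try:
        for name in sorted(os.listdir(dir_fd)):
            try:
                fd = os.open(name, os.O_RDONLY | os.O_NOFOLLOW, dir_fd=dir_fd)
            except OSError:
                continue  # ELOOP for a symlink, or the entry vanished
            st = os.fstat(fd)
            if (stat.S_ISREG(st.st_mode) and st.st_uid == uid
                    and st.st_gid == gid and st.st_mode & stat.S_IXUSR):
                found.append((name, fd))
            else:
                os.close(fd)
    finally:
        os.close(dir_fd)
    return found


def demo():
    """Constructed fixture: a fake /etc/networkd-dispatcher and an attacker-owned
    /tmp/nimbuspwn under one temporary root; current uid/gid stands in for root."""
    root = tempfile.mkdtemp()
    uid, gid = os.getuid(), os.getgid()
    base = os.path.join(root, "etc", "networkd-dispatcher")
    os.makedirs(os.path.join(base, "routable.d"))
    evil = os.path.join(root, "tmp", "nimbuspwn")
    os.makedirs(evil)

    def executable(p):
        with open(p, "w") as f:
            f.write("#!/bin/sh\nexit 0\n")
        os.chmod(p, 0o755)

    executable(os.path.join(base, "routable.d", "10-legit"))
    executable(os.path.join(evil, "vgs"))          # attacker payload, named after /sbin/vgs
    os.symlink(evil, os.path.join(evil, "poc.d"))  # poc.d -> payload directory
    os.symlink(os.path.join(evil, "vgs"), os.path.join(base, "routable.d", "20-link"))

    # Two "../" reach this fixture's root; the real exploit used three from /etc
    # (extra ones are harmless once at "/").
    traversal = "../../tmp/nimbuspwn/poc"
    out = {}
    for key, state in (("vuln_traversal", traversal), ("vuln_routable", "routable")):
        hits = vulnerable_scripts_in_path(vulnerable_script_dir(base, state), uid, gid)
        out[key] = [os.path.basename(p) for p in hits]
    try:
        safe_script_dir(base, traversal)
        out["safe_traversal"] = "accepted"
    except ValueError:
        out["safe_traversal"] = "rejected"
    safe = safe_scripts_in_path(safe_script_dir(base, "routable"), uid, gid)
    out["safe_routable"] = [name for name, _ in safe]
    for _, fd in safe:
        os.close(fd)
    return out


if __name__ == "__main__":
    print(demo())
```

Running the demo shows the vulnerable discovery listing the attacker's "vgs" through the traversal state and following the planted "20-link" inside the real hook directory, while the hardened version rejects the traversal state outright and skips the symlink. The returned descriptors are the point: executing them with os.fexecve means no second path lookup happens after the check, which is what closes the TOCTOU window rather than merely narrowing it.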

28-Apr-2022, 1 min read