
Backdoor

Saitama Backdoor: Jordan's Foreign Ministry Targeted by Spear Phishing

FortiGuard Labs attributed the campaign to an Iranian cyber espionage threat actor tracked under the moniker APT34, citing resemblances

13-May-2022

Related Articles


Rebrand | Black Basta | Ransomware

Black Basta, a new addition to the ransomware family, has sprung into operation this month, infecting at least 12 business entities in just a few weeks. It was first spotted in the second week of April, and the operation broke out quickly, attacking companies globally.

While there have been multiple ransom requests, each likely varying according to the nature of the attack on the victim, one victim received a demand for nearly $2 million from the Black Basta gang to unlock files and not expose data.

There is little other information about the new ransomware group, as they have not yet begun marketing their operation or recruiting affiliates on hacker forums.

However, based on their capacity to rapidly accumulate new victims and the way they negotiate, this is most likely not a new operation but a rebranding of a former top-tier ransomware group that brought its affiliates along.

## Deciphering the encrypting nature of Black Basta

As with previous ransomware operations that target businesses, Black Basta steals corporate data and documents before encrypting the company's devices. The threat actors then demand a ransom in exchange for a decryptor and for not publishing the victim's stolen data, in so-called "double-extortion" attacks.

The 'Black Basta Blog' or 'Basta News' Tor site lists all victims who have not paid a ransom, and this is where the data extortion takes place. Black Basta intends to coerce each victim into paying by steadily leaking their data.

![data-leak-site.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/data_leak_site_85b6b48322.jpg)

There are now data leak pages for eleven firms on the Black Basta data leak site. A few further victims are known but have not yet been listed there.

Among their most recent victims is German wind turbine manufacturer Deutsche Windtechnik, which was the **[victim of a ransomware assault on April 11th](https://renewablesnow.com/news/deutsche-windtechnik-hit-by-targeted-cyberattack-781048/)** but had not yet publicized it.

## Brief Analysis of Black Basta

From the few accessible samples, a quick investigation of the Black Basta ransomware has revealed the following.

When executed, the Black Basta encryptor requires administrator rights to work correctly. Once launched, it uses the following command to erase Volume Shadow Copies:

![Black Basta Command .jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/Black_Basta_Command_e507a12d74.jpg)

It then hijacks an already-running Windows service and uses it to execute the ransomware encryptor executable. In our experiments, the hijacked Windows service was the 'Fax' service, as seen below.

![fax-service.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/fax_service_396b38e041.jpg)

Additionally, the ransomware modifies the wallpaper to display a warning that reads, _"The Black Basta organization encrypts your network. Instructions are included in the readme.txt file."_

![wallpaper.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/wallpaper_98e4f1cc39.jpg)

The ransomware then reboots the machine into Safe Mode with Networking, at which point the hijacked Windows service begins automatically encrypting the device's data.

According to ransomware specialist **[Michael Gillespie](https://twitter.com/demonslay335)**, who thoroughly researched Black Basta's encryption process, it encrypts data using the ChaCha20 algorithm. The ChaCha20 encryption key is in turn encrypted with the executable's embedded RSA-4096 public key.

When the ransomware encrypts files, it appends the .basta extension to the file name. Thus, test.jpg is encrypted and renamed test.jpg.basta.

![encrypted-files(1).jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/encrypted_files_1_d4a0330222.jpg)

To display a custom icon for the .basta extension, the ransomware registers a custom extension in the Windows Registry and associates it with a randomly named ICO file in the %Temp% folder. This custom icon is very similar to that of the **[icy.tools app](https://apps.apple.com/cm/app/icy-tools/id1594432759)**.

```
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.basta]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.basta\DefaultIcon]
@="C:\\Windows\\TEMP\\fkdjsadasd.ico"
```

The ransomware creates a readme.txt file in each folder on the encrypted device providing information about the attack, along with a URL and a unique ID needed to log in to the negotiation chat session.

![tor-chat-site.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/tor_chat_site_31cb4f668d.jpg)

The 'Chat Black Basta' Tor negotiation site hosts a login page and a webchat that may be used to negotiate with the threat actors.

The threat actors use this screen to display a welcome message that includes a ransom demand, a warning that data will be disclosed if payment is not made within seven days, and a promise of a security report if the ransom is paid.

According to Gillespie, there is no known free way to decrypt files encrypted by Black Basta.

## Ransomware Rebranding Attempts

Based on how rapidly Black Basta amassed victims and the manner of their negotiations, this is most likely a rebrand of an infamous ransomware operation. According to one opinion shared between security researcher **[MalwareHunterTeam](https://twitter.com/malwrhunterteam/)** and this author, Black Basta may be a mere rebranding of the Conti ransomware operation.

The **[Conti ransomware group has been under intense scrutiny](https://bit.ly/2Zqu0xz)** over the last two months, after a Ukrainian researcher published a treasure trove of private communications and the ransomware's source code.

As a result, it has been hypothesized that Conti will rename its organization and restart under a new name in order to evade government authorities. While the Black Basta encryptor is somewhat different from Conti's, MalwareHunterTeam thinks their negotiation style and website design have significant similarities.

![mht-tweet.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/mht_tweet_2f9d4890f9.jpg)

Additionally, Black Basta disclosed the details of a brand-new victim after a screenshot of a negotiation was revealed. This "penalty" is identical to what Conti instituted in order to quell the flood of leaked negotiations on Twitter. While these ties are thin, the Black Basta gang should be actively observed, given they have only recently begun operating.
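
The .basta file association quoted above is a hunting artifact: a class registration whose DefaultIcon points into a temp directory. As an added example (not code from the article or from any vendor tool), the Python below parses a small constructed .reg export containing the quoted keys and flags extension classes whose icon lives in a temp directory; the .txt entry is a constructed benign control.

```python
import re

# Constructed .reg excerpt in the format quoted above: the .basta association
# beside a benign .txt one. Sample data, not a real system export.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.basta]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.basta\DefaultIcon]
@="C:\\Windows\\TEMP\\fkdjsadasd.ico"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.txt]
@="txtfile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.txt\DefaultIcon]
@="%SystemRoot%\\system32\\imageres.dll,-102"
"""

VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
ICON_KEY_RE = re.compile(r"^(?:HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER|HKLM|HKCU)"
                         r"\\SOFTWARE\\Classes\\(\.[^\\]+)\\DefaultIcon$", re.I)
# Icon data pointing into a temp directory (the artifact above lives in C:\Windows\TEMP).
TEMP_DIR_RE = re.compile(r"(^|\\)(temp|tmp)\\|%temp%|%tmp%", re.I)

def reg_unescape(s):
    # .reg files escape backslashes and double quotes with a backslash.
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg(text):
    # Map each [key] to a dict of its values; string data is unescaped, other types kept raw.
    tree, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            tree.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name = "@" if m.group(1) == "@" else reg_unescape(m.group(1)[1:-1])
        data = m.group(2)
        if data.startswith('"') and data.endswith('"'):
            data = reg_unescape(data[1:-1])
        tree[current][name] = data
    return tree

def find_temp_icon_classes(text):
    # Extensions whose DefaultIcon lives in a temp directory, as with the .basta class.
    hits = []
    for key, values in parse_reg(text).items():
        m = ICON_KEY_RE.match(key)
        if m and TEMP_DIR_RE.search(values.get("@", "")):
            hits.append((m.group(1), values["@"]))
    return sorted(hits)
```

Run it against `reg export HKLM\SOFTWARE\Classes` output from a suspect host to list every extension whose icon was dropped into a temp folder.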

03-May-2022

Vulnerability | Linux | Root

Microsoft security researchers have identified a series of weaknesses that, when exploited as a chain, allow local attackers to achieve root access; the chain has been dubbed Nimbuspwn. A blog post from the Microsoft 365 Defender team details the vulnerabilities, which affect networkd-dispatcher and involve directory traversal, a symlink race and a TOCTOU race, among others. Adversaries can exploit them to easily elevate privileges on Linux systems, allowing the deployment of payloads, ransomware and other malicious actions.

More details can be found in their blog post, and the two CVEs sought, CVE-2022-29799 and CVE-2022-29800, will provide additional information. These CVE IDs were reserved at the time of release.

Furthermore, more sophisticated attacks, such as malware or ransomware, might leverage the Nimbuspwn vulnerabilities to gain root access and have a greater impact across compromised systems.

## About the vulnerability

According to the findings, CVE-2022-29800 is a time-of-check-time-of-use (TOCTOU) race condition that could allow an attacker to replace scripts that networkd-dispatcher (the vulnerable systemd unit) believes are owned by root with scripts that are not. Add in a symlink race condition uncovered by the researchers at the same time, and this provides a clear path to privilege elevation. CVE-2022-29799 is a directory traversal bug.

Microsoft's security researchers disclosed these vulnerabilities to the appropriate maintainers via the Coordinated Vulnerability Disclosure (CVD) program, which is run by Microsoft Security Vulnerability Research (MSVR). Users of networkd-dispatcher are recommended to update their instances, because the maintainer of networkd-dispatcher has rolled out patches for these vulnerabilities.

As organizations continue to rely on a wide range of devices and systems, robust solutions that provide cross-platform protection and a holistic overview of their security posture are required to mitigate threats like Nimbuspwn. The ever-increasing number of Linux vulnerabilities reinforces the need to control the operating system and its subsystems.

## Vulnerability Detection

It all began with enumerating services that run as root and intercepting System Bus signals, combining code review with dynamic analysis. As a result, the researchers documented two instances of information leakage. While these are intriguing, their severity is minimal: an attacker can list files under directories that would normally require elevated privileges to list. The researchers then noticed some fascinating patterns in a systemd component called networkd-dispatcher. The objective of networkd-dispatcher is to dispatch network status changes and possibly run scripts based on the new state. Surprisingly, it runs as root:

![Figure-2-networkd-dispatcher-running-as-root.png](https://sb-cms.s3.ap-south-1.amazonaws.com/Figure_2_networkd_dispatcher_running_as_root_00e71288de.png)

## Networkd-dispatcher Code Flow

The security researchers observed an intriguing code flow while analysing the networkd-dispatcher **[source code](https://gitlab.com/craftyguy/networkd-dispatcher)**:

- The register function adds a new signal receiver to the System Bus for the service "org.freedesktop.network1" and the signal "PropertiesChanged".
- The "_receive_signal" signal handler performs some basic checks on the object type being received, infers the modified network interface from the object path being delivered, and then extracts its new states, "OperationalState" and "AdministrativeState", from the data. If either state is not empty, the "handle_state" function is called.
- For each of those two states, "handle_state" simply calls "_handle_one_state".
- "_handle_one_state" ensures that the state is not empty and that it differs from the previous state. If so, it records the new state and calls "_run_hooks_for_state", which identifies and runs the scripts for the new state.
- "_run_hooks_for_state" implements the following logic:
  - It gets the script list by calling "get_script_list" (which receives the new state as a string). To find all files under "/etc/networkd-dispatcher/<state>.d" that are owned by the root user and the root group and are executable, this method simply calls "scripts_in_path".
  - It sorts the script list.
  - It runs each script with subprocess.Popen while supplying custom environment variables.

![Figure-3-_run_hooks_for_state-source-code-some-parts-omitted-for-brevity.png](https://sb-cms.s3.ap-south-1.amazonaws.com/Figure_3_run_hooks_for_state_source_code_some_parts_omitted_for_brevity_29135db2dd.png)

The fifth step exposes multiple security issues:

- ***[Directory traversal](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29799) (CVE-2022-29799):*** The OperationalState and the AdministrativeState are not sanitized anywhere in the flow. Because the states are used to build the script path, a state can include directory traversal patterns (e.g. "../../") that allow the user to escape the "/etc/networkd-dispatcher" base directory.
- ***[Symlink race](https://en.wikipedia.org/wiki/Symlink_race):*** Both the script discovery and subprocess.Popen follow symbolic links.
- ***[Time-of-check-time-of-use](https://en.wikipedia.org/wiki/Time-of-check_to_time-of-use) (TOCTOU) race condition ([CVE-2022-29800](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29800)):*** There is a time gap between the discovery of scripts and their execution. An attacker may exploit this to replace scripts that networkd-dispatcher believes are owned by root with scripts that are not.

![6267e7bcdaac2-6267e7bcdaac3Figure-4-Building-the-script-list-in-the-scripts_in_path-method-including-the-vulnerable-code-with-subdir-poisoned.png.png](https://sb-cms.s3.ap-south-1.amazonaws.com/6267e7bcdaac2_6267e7bcdaac3_Figure_4_Building_the_script_list_in_the_scripts_in_path_method_including_the_vulnerable_code_with_subdir_poisoned_png_6c73403314.png)

## Exploitation

Assume an adversary has a malicious D-Bus component capable of sending an arbitrary signal. The attacker can then do the following:

- Create a directory "/tmp/nimbuspwn" and a symlink "/tmp/nimbuspwn/poc.d" pointing to "/sbin". The "/sbin" directory was selected precisely because it contains a large number of root-owned executables that do not need extra arguments to run. This exploits the symlink race condition described above.
- Plant a file under "/tmp/nimbuspwn" for each root-owned executable filename under "/sbin". For instance, if "/sbin/vgs" is executable and owned by root, plant the payload in the executable file "/tmp/nimbuspwn/vgs". This helps the attacker win the TOCTOU race condition.
- Send a signal with the OperationalState "../../../tmp/nimbuspwn/poc". This exploits the directory traversal vulnerability and escapes the script directory.
- The networkd-dispatcher signal handler kicks in and builds the script list from the directory "/etc/networkd-dispatcher/../../../../tmp/nimbuspwn/poc.d", which is really a symlink to "/sbin". As a result, a list of several root-owned executables is generated.
- Change the symlink "/tmp/nimbuspwn/poc.d" to point to "/tmp/nimbuspwn". This exploits the TOCTOU race condition: the script path changes invisibly to networkd-dispatcher.
- The dispatcher executes files it discovered in "/sbin" but which now resolve to "/tmp/nimbuspwn". Because the dispatcher "believes" the files are owned by root, it blindly executes them as root with subprocess.Popen. As a result, the adversary has exploited the vulnerability.

Notably, the researchers plant a large number of candidate files in order to win the TOCTOU race condition with a high probability. Their experiments showed that three attempts are sufficient to win the race.

![Figure-5-Flow-chart-of-the-attack-in-three-stages.png](https://sb-cms.s3.ap-south-1.amazonaws.com/Figure_5_Flow_chart_of_the_attack_in_three_stages_d0e8f75dea.png)

Because the researchers did not want to re-run the exploit every time they needed root, the payload they ultimately implemented leaves a root backdoor:

1. Copies /bin/sh to /tmp/sh.
2. Turns the new /tmp/sh into a Set-UID (SUID) binary.
3. Runs /tmp/sh -p. The "-p" flag is necessary since modern shells drop privileges by design.

![Exploit_winning-the-TOCTOU-race.png](https://sb-cms.s3.ap-south-1.amazonaws.com/Exploit_winning_the_TOCTOU_race_eedbad589a.png)

Although exploiting this kind of vulnerability requires local shell access, it is critical for those who currently run networkd-dispatcher in their Linux workloads. In coordination with Microsoft, the maintainer has produced a patch that addresses the problem, which should be applied by anyone with systems affected by this vulnerability.
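
The three bugs in the fifth step share one root cause: the script path is built from signal-controlled data, checked by path, and then executed by path. The Python below is an added example, not networkd-dispatcher's own code (function names are hypothetical), showing the hook discovery and execution step in a hardened form: the state is validated as a single path component (closing the traversal), every open is relative to a directory descriptor with O_NOFOLLOW (closing the symlink race), and ownership and mode are checked with fstat on the same descriptor that is then executed via /dev/fd (closing the check-then-use gap). The demo() fixture is constructed and requires the current user instead of root so it can run unprivileged.

```python
import os, re, stat, subprocess, tempfile
STATE_RE = re.compile(r"^[A-Za-z0-9_-]+$")  # a state is a name, never a path
OPEN = os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC

def hook_dir_name(state):
    # Traversal fix (CVE-2022-29799): the state must be a single path component.
    if not STATE_RE.match(state):
        raise ValueError("refusing state with path characters: %r" % state)
    return state + ".d"

def open_hook_scripts(base_dir, state, owner_uid=0, owner_gid=0):
    # Sorted (name, fd) pairs for trusted hooks in <base_dir>/<state>.d.
    base_fd = os.open(base_dir, OPEN | os.O_DIRECTORY)
    try:  # every open is relative to a directory fd and refuses symlinks
        dir_fd = os.open(hook_dir_name(state), OPEN | os.O_DIRECTORY, dir_fd=base_fd)
    except OSError:  # missing, or a symlink instead of a real directory
        return []
    finally:
        os.close(base_fd)
    found = []
    for name in sorted(os.listdir(dir_fd)):
        try:
            fd = os.open(name, OPEN, dir_fd=dir_fd)  # fails (ELOOP) if name is a symlink
        except OSError:
            continue
        st = os.fstat(fd)  # checked on the very fd we will execute: no check/use gap
        if (stat.S_ISREG(st.st_mode) and st.st_uid == owner_uid and st.st_gid == owner_gid
                and st.st_mode & stat.S_IXUSR and not st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)):
            found.append((name, fd))
        else:
            os.close(fd)
    os.close(dir_fd)
    return found

def run_hook(name, fd, env):
    # Execute the vetted inode through its descriptor, never through a re-pointable path.
    rc = subprocess.run([name], executable="/dev/fd/%d" % fd, pass_fds=(fd,), env=env).returncode
    os.close(fd)
    return rc

def demo():
    # Constructed fixture: a good hook, a symlink to it, and a world-writable copy.
    hooks = os.path.join(tempfile.mkdtemp(), "routable.d")
    os.mkdir(hooks)
    for fname, body, mode in (("10-good.sh", "exit 7", 0o755), ("30-loose.sh", "exit 0", 0o777)):
        with open(os.path.join(hooks, fname), "w") as f:
            f.write("#!/bin/sh\n%s\n" % body)
        os.chmod(os.path.join(hooks, fname), mode)
    os.symlink(os.path.join(hooks, "10-good.sh"), os.path.join(hooks, "20-link.sh"))
    # Unprivileged demo: require the current user and the directory's group instead of root.
    scripts = open_hook_scripts(os.path.dirname(hooks), "routable", os.geteuid(), os.stat(hooks).st_gid)
    names = [n for n, _ in scripts]
    codes = [run_hook(n, fd, {"STATE": "routable"}) for n, fd in scripts]
    return names, codes
```

Only the correctly owned, non-world-writable regular file is discovered and run; the symlink and the loose copy are skipped, and a traversal state such as "../../../tmp/nimbuspwn/poc" is rejected before any path is built.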

28-Apr-2022