Blog entry by Les Bell

by Les Bell - Friday, 30 September 2022, 9:05 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Multi-Platform, Multi-Function Malware

Black Lotus Labs has released their analysis of a new malware sample christened 'Chaos' by its developers, who seem to be Chinese. Chaos is written in the Go programming language, and has been designed to operate on both Windows and Linux systems on multiple different architectures, including Intel/AMD, ARM and PowerPC.

Once Chaos is installed on a device, it establishes persistence and then opens a UDP port from which it makes initial contact with a C2 server, sending the OS version and platform. On Windows, it also creates a registry key and copies itself into another directory. It then establishes a TLS connection with the C2 server and collects additional information about the infected system.

From here, it will receive staging commands, which will use another port to download additional files which it will go on to use in obtaining SSH connections to new hosts, whether using keys it found on the infected host, by brute forcing, or by using keys it downloads. It may also download a file containing passwords likely to succeed.

If it manages to break into another system, it contacts yet another C2 server which carries copies of Chaos compiled for all useful combinations of OS and platform.

Infected systems will also receive any of 70 additional commands which might further exploit the current system, open a reverse shell, run scripts to exploit known CVE vulnerabilities on other machines, launch DDoS attacks or start cryptomining using the xmrig Monero miner.
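The lateral-movement stage described above (SSH logins obtained by brute force, or with keys lifted from an already-infected host) leaves traces in sshd logs on the hosts being attacked. The following Python script is an added example, not code from the Lumen report or from this blog: it flags a source that repeatedly fails password authentication within a short window, a subsequent successful login from that same source, and public-key logins from sources outside an allow-list. The log lines, the threshold and window values, and the allow-list are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd log excerpt (syslog format; not real data).
SAMPLE_AUTH_LOG = """\
Sep 28 10:00:01 host1 sshd[2101]: Failed password for root from 203.0.113.7 port 40122 ssh2
Sep 28 10:00:02 host1 sshd[2102]: Failed password for invalid user admin from 203.0.113.7 port 40123 ssh2
Sep 28 10:00:03 host1 sshd[2103]: Failed password for root from 203.0.113.7 port 40124 ssh2
Sep 28 10:00:04 host1 sshd[2104]: Failed password for root from 203.0.113.7 port 40125 ssh2
Sep 28 10:00:05 host1 sshd[2105]: Failed password for root from 203.0.113.7 port 40126 ssh2
Sep 28 10:00:09 host1 sshd[2106]: Accepted password for root from 203.0.113.7 port 40127 ssh2
Sep 28 10:05:00 host1 sshd[2200]: Accepted publickey for deploy from 198.51.100.4 port 50001 ssh2: RSA SHA256:AAAA
Sep 28 10:06:00 host1 sshd[2201]: Accepted publickey for deploy from 203.0.113.50 port 50002 ssh2: RSA SHA256:AAAA
Sep 28 10:30:00 host1 sshd[2300]: Failed password for alice from 192.0.2.9 port 51000 ssh2
Sep 28 10:31:00 host1 CRON[2400]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

FAIL_THRESHOLD = 5     # failures from one source ...
WINDOW_SECONDS = 60    # ... within this many seconds => brute-force alert (tunable assumption)


def parse_line(line):
    """Return a dict for an sshd authentication event, or None for lines we do not care about."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; any year works for the relative arithmetic below.
    ts = datetime.strptime(re.sub(r"\s+", " ", m["ts"]), "%b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def detect_ssh_lateral_movement(lines, known_key_sources=None,
                                threshold=FAIL_THRESHOLD, window=WINDOW_SECONDS):
    """Scan sshd log lines and return a list of alert dicts, in log order."""
    recent_failures = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    flagged = set()                        # ips already reported for brute forcing
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        if ev["result"] == "Failed":
            q = recent_failures[ip]
            q.append(ts)
            while q and (ts - q[0]).total_seconds() > window:
                q.popleft()                # drop failures that fell out of the window
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"kind": "bruteforce", "ip": ip, "user": ev["user"],
                               "method": ev["method"], "time": ts})
        else:  # Accepted
            if ip in flagged:
                # A success from a source that was just hammering the password prompt.
                alerts.append({"kind": "success_after_bruteforce", "ip": ip, "user": ev["user"],
                               "method": ev["method"], "time": ts})
            if (ev["method"] == "publickey" and known_key_sources is not None
                    and ip not in known_key_sources):
                # Key accepted from an unexpected source: consistent with a key lifted from another host.
                alerts.append({"kind": "publickey_from_new_source", "ip": ip, "user": ev["user"],
                               "method": ev["method"], "time": ts})
    return alerts


if __name__ == "__main__":
    for a in detect_ssh_lateral_movement(SAMPLE_AUTH_LOG.splitlines(),
                                         known_key_sources={"198.51.100.4"}):
        print(f"{a['time']:%b %d %H:%M:%S} {a['kind']:28} {a['ip']:15} "
              f"user={a['user']} method={a['method']}")
```

On the sample data the script reports the five-failure burst from 203.0.113.7, the root login that follows it four seconds later, and the deploy key being used from 203.0.113.50, which is not in the allow-list; the single failure from 192.0.2.9 and the CRON line are ignored. The allow-list check is the piece that catches the "keys it found on the infected host" case, since a stolen key produces a clean publickey login with no failures preceding it.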

Black Lotus Labs, Chaos Is A Go-based Swiss Army Knife of Malware, Lumen blog, 28 September 2022. Available online at https://blog.lumen.com/chaos-is-a-go-based-swiss-army-knife-of-malware/.

Brute Ratel Red-Team Toolkit Cracked, Shared By Threat Actors

In red-team penetration testing, the whole idea is for the red team to document their exploits as they twist and pivot inside the defenders' network, so that they can share this information with the blue team in order to improve their defensive controls and their incident response procedures and playbooks. A popular framework for this purpose is Brute Ratel, a post-exploitation toolkit that works by installing agents called badgers on network devices and using them to run attacks while evading IDS, EDR and AV products. As it does this, it records its progress, generating a timeline and graph of each attack for use in subsequent analysis.

So far, so good. But now a threat actor has cracked the licence protection in Brute Ratel, so that it can be installed and run without an activation key, and as word spreads in underground forums it is likely that cybercrime groups have gained access to the tool - or very soon will. The problem with this is that one of Brute Ratel's key strengths is its ability to generate novel shellcode which cannot be detected by existing EDR and AV products: the shellcode is a unique IOC each time.

Brute Ratel now joins Cobalt Strike as a defensive weapon that has fallen into the wrong hands.

BushidoToken, Brute Ratel cracked and shared across the Cybercriminal Underground, blog post, 28 September 2022. Available online at https://blog.bushidotoken.net/2022/09/brute-ratel-cracked-and-shared-across.html.

Microsoft Exchange RCE 0day Active in the Wild

Vietnamese security firm GTSC is warning of an extensive campaign that targets Microsoft Exchange servers via two previously undiscovered vulnerabilities. GTSC notified Microsoft via a submission to the Zero Day Initiative, but the Redmond company has yet to acknowledge them and they do not have CVE numbers. However, GTSC calculates their CVSS scores to be 8.8 and 6.3, since their exploitation leads to remote command execution.

The attack was revealed when GTSC observed IIS log entries which looked similar to those of the ProxyShell vulnerability, and with a little analysis, their red team figured out how to access the Exchange back end and perform RCE.

Tracing through the logs, they also found that the exploit was followed by information collection and the installation of China Chopper web shells, which appear to be managed by AntSword, a Chinese open-source website administration tool that supports web shell management.

Although they do not wish to release technical details, GTSC have provided a temporary mitigation which uses a URL rewrite rule.
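GTSC's discovery started with IIS log triage, and the page does not reproduce their indicators or their rewrite rule. As an added example (not code from GTSC, Microsoft or this blog), the following Python script shows what that triage looks like in practice: it parses IIS W3C extended logs by their #Fields header, double-URL-decodes each request so that encoded characters cannot hide a hit, and applies a list of regex indicators. The single indicator shipped here, an Autodiscover request whose query string opens with a path-confusion style "@" before any key=value pair, is an assumption chosen for illustration rather than the vendor's published pattern, and the log lines are constructed.

```python
import re
from urllib.parse import unquote

# Constructed W3C extended log excerpt from an Exchange front end (not real data, not GTSC's indicators).
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2022-09-28 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status time-taken
2022-09-28 01:00:00 10.0.0.5 GET /owa/ - 443 - 198.51.100.20 Mozilla/5.0 200 15
2022-09-28 01:00:05 10.0.0.5 POST /autodiscover/autodiscover.json @example.com/somepath 443 - 203.0.113.9 Mozilla/5.0 200 230
2022-09-28 01:00:07 10.0.0.5 GET /autodiscover/autodiscover.json Email=user@corp.example 443 - 198.51.100.20 Mozilla/5.0 200 12
2022-09-28 01:00:09 10.0.0.5 POST /autodiscover/autodiscover.json %2540example.com%2Fsomepath 443 - 203.0.113.9 Mozilla/5.0 500 40
"""

# Illustrative indicator (an assumption for this example, not the rule GTSC published): an
# Autodiscover request whose query string starts with a path-confusion style '@' before any
# key=value pair. A normal "?Email=user@corp.example" query does not match because its '@'
# follows an '='. Add the vendor's published pattern to this list once it is available.
DEFAULT_INDICATORS = [
    ("autodiscover-at-sign", re.compile(r"^/autodiscover/[^?]*\?[^=&]*@", re.IGNORECASE)),
]


def parse_w3c_log(text):
    """Yield one dict per request line, keyed by the names in the most recent #Fields header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()   # field order can change mid-file
            continue                                       # #Software, #Date etc. carry no requests
        if fields is None:
            continue                                       # request line before any #Fields header
        values = line.split(" ")
        if len(values) != len(fields):
            continue                                       # malformed line; count these in real tooling
        yield dict(zip(fields, values))


def scan_iis_log(text, indicators=DEFAULT_INDICATORS):
    """Return a list of findings, one per request line that matches an indicator."""
    findings = []
    for rec in parse_w3c_log(text):
        stem = rec.get("cs-uri-stem", "")
        query = rec.get("cs-uri-query", "-")
        target = stem if query == "-" else f"{stem}?{query}"
        # Decode twice: a client can percent-encode '@' or '?' (even twice) to dodge a naive pattern.
        decoded = unquote(unquote(target))
        for name, rx in indicators:
            if rx.search(decoded):
                findings.append({"time": f"{rec.get('date')} {rec.get('time')}",
                                 "client": rec.get("c-ip"), "method": rec.get("cs-method"),
                                 "status": rec.get("sc-status"), "request": decoded, "rule": name})
                break
    return findings


def clients_by_hits(findings):
    """Count findings per client address, most active first; a quick pivot for the responder."""
    counts = {}
    for f in findings:
        counts[f["client"]] = counts.get(f["client"], 0) + 1
    return sorted(counts.items(), key=lambda kv: -kv[1])


if __name__ == "__main__":
    hits = scan_iis_log(SAMPLE_IIS_LOG)
    for h in hits:
        print(f"{h['time']} {h['client']:15} {h['method']:4} {h['status']} {h['rule']}: {h['request']}")
    print("clients:", clients_by_hits(hits))
```

On the constructed data the scanner flags the two POSTs from 203.0.113.9, including the double-encoded one, and leaves the OWA request and the legitimate Autodiscover lookup alone. Decoding before matching matters for the mitigation as well as for detection: a blocking rule that inspects the raw request can be sidestepped by encoding, so whatever pattern is used should be tested against encoded variants of the traffic it is meant to stop.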

GTSC Team, Warning: New Attack Campaign Utilized a New 0-Day RCE Vulnerability on Microsoft Exchange Server, blog post, 28 September 2022. Available online at https://gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html.

Former eBay Execs Get Jail Time for Harassment

Two former security executives at eBay Inc have been sentenced to prison for their part in a campaign of harassment and intimidation directed at a Massachusetts couple whose eCommerce newsletter had annoyed then-CEO Devin Wenig.

Jim Baugh, former senior director of safety and security, and David Harville, former director of global resiliency, received sentences of 57 months and 24 months respectively, along with fines of $US40,000 and $US20,000, after pleading guilty to cyberstalking-related charges.

The campaign began after Wenig, annoyed by comments critical of eBay in the newsletter of David and Ina Steiner, texted another executive that it was time to "take her down". In the campaign that followed, the couple were subjected to anonymous harassing tweets, bizarre emails and creepy package deliveries, including spiders, cockroaches, a funeral wreath, a bloody Halloween pig mask and a book on how to survive the death of a spouse.

Seven eBay employees were charged in connection with the campaign, although Wenig was not, having "absolutely zero knowledge" of the actions that followed. A civil suit by the Steiners remains pending.

Raymond, Nate, Ex-eBay execs heading to prison for harassing couple behind newsletter, Reuters, 30 September 2022. Available online at https://www.reuters.com/world/us/ex-ebay-exec-heading-prison-harassing-couple-behind-newsletter-2022-09-29/.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.