Les Bell
Blog entry by Les Bell
Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.
News Stories
Russian Mayors' Offices, Courts, Hit by Wiper
Who can forget 2017's NotPetya attack - a wiper which spread around the world and across industries, yet likely started as an attack on the Ukrainian Government's tax revenues, by Russian threat actors? Now Russia is on the receiving end of a wiper attack, although it seems unlikely to have quite the same impact.
According to Kaspersky researchers, CryWiper is written in C++ and, unusually, compiled with the MinGW-w64 toolkit and the gcc compiler rather than the more common Microsoft tools, suggesting that the author developed it on a non-Microsoft OS. After creating a scheduled task to remain active, the malware contacts its C2 server, sending the name of the infected computer; the C2 server replies 'run' or 'do not run'. If told not to run, the malware sleeps and checks again four days later.
If told to run, CryWiper stops any running MySQL or SQL Server databases, deletes shadow copies of files and blocks RDP connections, presumably to slow incident responders. It then overwrites user files with random data generated by the Mersenne Twister pseudo-random number generator (a characteristic it shares with the IsaacWiper malware). It also leaves a ransom demand in a README.txt file - but of course, there is no point in paying the ransom, since the data has been overwritten rather than encrypted.
CryWiper has been attacking systems in the Russian Federation, particularly courts and mayors' offices.
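The preparatory steps above (scheduled task, database services stopped, shadow copies deleted, RDP blocked) are where a wiper like this can still be caught before it starts overwriting files. The following correlation rule is an added example for this briefing, not code from Kaspersky's write-up or from CryWiper itself: it scores Sysmon-style process-creation records for those four actions and alerts when one host shows several of them within a short window. The command lines it matches are the usual Windows built-in invocations for each step and are an assumption, since the write-up does not say which commands the sample runs; the sample records are constructed, not real telemetry.

```python
"""Correlation rule for the pre-wipe steps a wiper such as CryWiper takes.

Added example; not from Kaspersky's write-up or from the malware.  The command
lines and the sample records are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Indicator name -> regex applied to the lower-cased command line.
INDICATORS = {
    "persist_schtask": re.compile(r"\bschtasks(\.exe)?\b.*\s/create\b"),
    "stop_db_service": re.compile(
        r'\b(net1?(\.exe)?\s+stop|sc(\.exe)?\s+stop)\s+"?(mysql\S*|mssql\S*|sqlserveragent\S*)'),
    "delete_shadows": re.compile(
        r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete"
        r"|wbadmin(\.exe)?\s+delete\s+catalog)"),
    "block_rdp": re.compile(
        r"(netsh(\.exe)?\s+advfirewall\s+firewall\s+add\s+rule.*(3389|remote\s*desktop).*action=block"
        r"|reg(\.exe)?\s+add\b.*terminal\s*server.*fdenytsconnections.*\s1\b)"),
}

WINDOW = timedelta(minutes=10)  # the steps must land on one host within this span
MIN_DISTINCT = 3                # distinct indicator types needed to raise an alert

# Constructed sample records: "timestamp|host|image|command line".
SAMPLE_EVENTS = [
    "2022-12-01T09:00:01|court-ws07|schtasks.exe|schtasks /create /tn Updater /tr C:\\Users\\Public\\svc.exe /sc onlogon",
    "2022-12-01T09:02:10|court-ws07|net.exe|net stop MSSQLSERVER /y",
    "2022-12-01T09:02:12|court-ws07|net.exe|net stop MySQL80 /y",
    "2022-12-01T09:02:30|court-ws07|vssadmin.exe|vssadmin delete shadows /all /quiet",
    "2022-12-01T09:02:45|court-ws07|netsh.exe|netsh advfirewall firewall add rule name=\"Block RDP\" dir=in protocol=TCP localport=3389 action=block",
    # Routine admin work on another host: a lone shadow-copy cleanup must not alert.
    "2022-12-01T09:30:00|fileserver02|vssadmin.exe|vssadmin delete shadows /for=D: /oldest",
    "2022-12-01T09:31:00|fileserver02|net.exe|net stop Spooler",
]


def parse_event(line):
    """Split one constructed record into its fields."""
    ts, host, image, cmdline = line.split("|", 3)
    return {"ts": datetime.fromisoformat(ts), "host": host, "image": image, "cmdline": cmdline}


def match_indicators(cmdline):
    """Return the set of indicator names whose pattern matches this command line."""
    lowered = cmdline.lower()
    return {name for name, rx in INDICATORS.items() if rx.search(lowered)}


def correlate(events):
    """Return {host: sorted indicator names} for hosts that meet the threshold."""
    per_host = defaultdict(list)
    for ev in events:
        for name in match_indicators(ev["cmdline"]):
            per_host[ev["host"]].append((ev["ts"], name))
    alerts = {}
    for host, hits in per_host.items():
        hits.sort()
        # Slide a WINDOW-wide window along the time-ordered hits and alert on the
        # first one that contains MIN_DISTINCT different indicator types.
        for i, (start, _) in enumerate(hits):
            kinds = {name for ts, name in hits[i:] if ts - start <= WINDOW}
            if len(kinds) >= MIN_DISTINCT:
                alerts[host] = sorted(kinds)
                break
    return alerts


def run_sample():
    """Run the rule over the constructed records."""
    return correlate(parse_event(line) for line in SAMPLE_EVENTS)


if __name__ == "__main__":
    for host, kinds in run_sample().items():
        print(f"ALERT {host}: {', '.join(kinds)}")
```

The threshold is deliberately set on the number of distinct indicator types rather than on raw hit counts, so that a backup job that deletes old shadow copies every night does not page anyone, while a host that stops its database, deletes shadow copies and firewalls off RDP within a few minutes does. Tune WINDOW and MIN_DISTINCT to your own environment's baseline before deploying.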
Sinitsyn, Fedor and Janis Zinchenko, Новый троянец CryWiper прикидывается шифровальщиком [New CryWiper trojan poses as ransomware], Kaspersky SecureList blog, 1 December 2022. Available online at https://securelist.ru/novyj-troyanec-crywiper/106114/. Google translation at https://securelist-ru.translate.goog/novyj-troyanec-crywiper/106114/?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en-US&_x_tr_pto=wapp.
Ransomware is Accidental Wiper
In related news, Fortinet Labs reports on a ransomware toolkit called Cryptonite which has been used to produce customised ransomware for targeted campaigns. The toolkit provides a simple sample which lets the operator set an exclusion list server URL, email address and bitcoin wallet, but which lacks the more advanced features common in today's ransomware, such as shadow copy file deletion, file unlocking (e.g. stopping databases, as in the CryWiper example above), and antiforensics and evasion techniques.
Fortinet then came across a sample in the wild which went through all the steps of encryption, even displaying a progress bar while pretending to be a software update. However, it never displayed the final window which would allow the victim to enter a decryption key. Suspecting the threat actor behind this sample had deliberately turned it into a wiper, the researchers set about decompiling the sample into its original Python code.
After being led astray by an interesting failure in the decompilation process, they turned to dynamic analysis, eventually running the sample in a cmd.exe window, which produced an error message that revealed all: the ransomware failed to load the tkinter library, which it uses to produce the pop-up window for the decryption key (tkinter is Python's binding to the Tk GUI toolkit, which is also used from other scripting languages). This leaves the victim no way to recover: the decryption key existed only in memory, was lost when the program crashed, and was never sent to the operator.
The saving grace is that Cryptonite is very basic and should be easily detected by anti-malware programs. Also, the toolkit has now been removed from GitHub.
Revay, Gergely, The Story of a Ransomware Turning into an Accidental Wiper, blog post, 5 November 2022. Available online at https://www.fortinet.com/blog/threat-research/The-story-of-a-ransomware-turning-into-an-accidental-wiper.
Servers at Risk of RCE Exploits Via Baseboard Management Controllers
Last week we wrote of vulnerabilities in baseboard management controller chips which had been repurposed into devices on the Internet of Things. It was, perhaps, inevitable that the same vulnerabilities would show up in the rackmount servers which are the intended use case for BMC chips - and they have, according to a report from Eclypsium.
The vulnerabilities are actually in the AMI MegaRAC BMC firmware, which runs on the BMCs of servers from many manufacturers including Dell EMC, Hewlett Packard Enterprise and Lenovo, as well as on boards from motherboard manufacturers such as ASRock, ASUS and Gigabyte. Eclypsium refers to the three vulnerabilities collectively as BMC&C:
- CVE-2022-40259 – Arbitrary code execution via the Redfish API (CVSS v3.1 score: 9.9, Critical)
- CVE-2022-40242 – Default credentials for a UID 0 shell via SSH (CVSS v3.1 score: 8.3, High)
- CVE-2022-2827 – User enumeration via API (CVSS v3.1 score: 7.5, High)
Redfish is the DMTF's REST/JSON successor to the older IPMI, and provides an API for server management in data centers. It is supported by almost all major vendors as well as the OpenBMC firmware project. The first two CVEs each lead directly to a root shell on the BMC, with no further privilege escalation necessary.
Suggested mitigations include keeping remote management interfaces on dedicated management networks that are not exposed externally, and disabling built-in administrative accounts that are not needed.
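Both mitigations can be checked from the management network using the same Redfish API the BMC exposes. The script below is an added example for this briefing, not code from Eclypsium or AMI: it walks the standard Redfish account collection and reports which built-in accounts are still enabled, plus a cheap heuristic for whether the BMC address is globally routable. The paths and property names (/redfish/v1/AccountService/Accounts, UserName, Enabled, RoleId) come from the DMTF ManagerAccount schema; the list of built-in account names, the hypothetical BMC addresses and the sample account records are constructed assumptions and are not taken from the advisory.

```python
"""Audit a BMC's Redfish accounts and its network placement.

Added example; not from Eclypsium, AMI or any vendor.  Built-in account names,
addresses and sample records are constructed assumptions.
"""
import ipaddress
import json
import ssl
import urllib.request
from base64 import b64encode

# Account names vendors commonly ship as built-in administrators (assumption;
# extend it from your vendor's documentation).
BUILTIN_NAMES = {"admin", "administrator", "root", "sysadmin", "service", "user"}


def fetch_accounts(base_url, username, password, verify_tls=True):
    """Fetch every ManagerAccount resource from a live BMC (not exercised offline)."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # BMCs often ship self-signed certificates; pin them where you can
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    auth = "Basic " + b64encode(f"{username}:{password}".encode()).decode()

    def get(path):
        req = urllib.request.Request(
            base_url + path, headers={"Authorization": auth, "Accept": "application/json"})
        with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
            return json.load(resp)

    collection = get("/redfish/v1/AccountService/Accounts")
    # Each member's @odata.id is an absolute path such as /redfish/v1/AccountService/Accounts/2
    return [get(member["@odata.id"]) for member in collection.get("Members", [])]


def audit_accounts(accounts):
    """Classify ManagerAccount records; slots with an empty UserName are unused and skipped."""
    report = {"builtin_enabled": [], "builtin_disabled": [], "admins_enabled": []}
    for acct in accounts:
        name = acct.get("UserName") or ""
        if not name:
            continue
        enabled = bool(acct.get("Enabled", False))
        if name.lower() in BUILTIN_NAMES:
            report["builtin_enabled" if enabled else "builtin_disabled"].append(name)
        if enabled and acct.get("RoleId") == "Administrator":
            report["admins_enabled"].append(name)
    return report


def exposure_warning(bmc_address):
    """Heuristic for the 'dedicated management network' mitigation: a globally
    routable BMC address is a red flag even if a firewall is meant to shield it."""
    if ipaddress.ip_address(bmc_address).is_global:
        return f"{bmc_address} is globally routable; a BMC should sit on an isolated management network"
    return None


# Constructed sample resources in the shape a Redfish BMC returns them.
SAMPLE_ACCOUNTS = [
    {"@odata.id": "/redfish/v1/AccountService/Accounts/1", "UserName": "", "Enabled": False, "RoleId": "NoAccess"},
    {"@odata.id": "/redfish/v1/AccountService/Accounts/2", "UserName": "admin", "Enabled": True, "RoleId": "Administrator"},
    {"@odata.id": "/redfish/v1/AccountService/Accounts/3", "UserName": "sysadmin", "Enabled": True, "RoleId": "Administrator"},
    {"@odata.id": "/redfish/v1/AccountService/Accounts/4", "UserName": "dc-ops-ro", "Enabled": True, "RoleId": "ReadOnly"},
    {"@odata.id": "/redfish/v1/AccountService/Accounts/5", "UserName": "root", "Enabled": False, "RoleId": "Administrator"},
]

if __name__ == "__main__":
    # Hypothetical address; for a live BMC, replace SAMPLE_ACCOUNTS with
    # fetch_accounts("https://bmc.example.internal", "auditor", "…").
    print(exposure_warning("10.20.30.40") or "BMC address is not globally routable")
    print(json.dumps(audit_accounts(SAMPLE_ACCOUNTS), indent=2))
```

Two caveats. First, the hard-coded credential behind CVE-2022-40242 belongs to an SSH account on the BMC's operating system, not to a Redfish account, so this audit will not surface it; that one needs the vendor's firmware update. Second, the Redfish service being queried is the same one affected by CVE-2022-40259, so run the audit with a low-privilege read-only account from the management network, never over an interface reachable from the Internet.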
Babkin, Vlad, Supply Chain Vulnerabilities Put Server Ecosystem at Risk, blog post, 5 December 2022. Available online at https://eclypsium.com/2022/12/05/supply-chain-vulnerabilities-put-server-ecosystem-at-risk/.
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.
Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.