Les Bell
Blog entry by Les Bell
Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.
News Stories
New Botnet Targets Multiple Architectures
FortiGuard Labs researchers have observed, and now analysed, a new botnet which is written in the Go programming language and is targeting IoT devices running on a variety of processor architectures - i386, amd64, arm, arm64, mips, mips64, mipsle, ppc64, ppc64le, riscv64 and s390x (although it is hard to imagine many IoT devices running the S/390 mainframe instruction set).
The botnet, called Zerobot, initially had only basic capabilities but in late November it added more functionality. Disassembly of the code revealed that after initial infection it tests Internet connectivity and then copies itself onto the target device, in an OS-dependent location, and then sets up a signal handler to intercept attempts to kill it. From there, it connects to its C2 server using the WebSocket protocol and sends some platform enumeration data, after which it waits for a command.
| Command | Detail |
|---|---|
| ping | Heartbeat, maintaing the C2 connection |
| attack | Launch an attack, using different protocols: TCP, UDP, TLS, HTTP, ICMP |
| stop | Stop attack |
| update | Install update and restart Zerobot |
| enable_scan | Scan for open ports and start spreading itself via exploit or SSH/Telnet cracker |
| disable_scan | Disable scanning |
| command | Run an OS command, using cmd.exe on Windows and bash on Linux |
| kill | Kill the botnet program |
Zerobot can employ any of 21 different exploits which target a range of IoT devices but also includes Spring4Shell, and exploits for phpAdmin and F5 Big-IP. It is rapidly evolving; within a very short time it was updated with string obfuscation, a copy file module and a propagation exploit module which gives it the ability to infect more devices. The FortiGuard Research post includes IOC's, but its rapid evolution means that proactive patching against its exploits will be the best defence.
Lin, Cara, Zerobot - New Go-Based Botnet Campaign Targets Multiple Vulnerabilities, blog post, 6 December 2022. Available online at https://www.fortinet.com/blog/threat-research/zerobot-new-go-based-botnet-campaign-targets-multiple-vulnerabilities.
Sophisticated Attack on Amnesty International Canada
Amnesty International Canada (English-speaking Section) has revealed that it was the target of a sophisticated cyberattack which forensic experts from Secureworks believe was sponsored by the Chinese state. This conclusion is based on "the nature of the targeted information as well as the observed tools and behaviors, which are consistent with those associated with Chinese cyberespionage threat groups".
The breach was first detected on 5 October 2022, when suspicious behaviour was observed on Amnesty's IT infrastructure. Immediate action was taken, with Secureworks being retained to protect the organization's systems and investigate the attack. The investigation has uncovered no evidence that any donor or membership data was exfiltrated.
Amnesty is speaking publicly to warn other human rights organizations about the rising threat of cyber breaches, and to strongly condemn state and non-state actors who are intent on interfering with the work of human rights and other civil society organizations.
Ruf, Cory, Amnesty International Canada target of sophisticated cyber-attack linked to China, news release, 5 December 2022. Available online at https://www.amnesty.ca/news/news-releases/cyber-breach-statement/.
Likely Chinese APT Targets Middle East Telco
Researchers at Bitdefender have found a new cyber-espionage campaign which targeted a telecommunications firm in the Middle East. Investigation of sample binaries suggests the campaign is attributed to a Chinese threat actor called BackdoorDiplomacy.
The initial infection mechanism was an August 2021 ProxyShell exploitation of a vulnerable Exchange server. From there, the group deployed the NPS proxy tool and the IRAFAU backdoor into the organization. In February 2022, the attackers deployed the Quarian backdoor along with several other scanners and proxy/tunneling tools, with the use of keyloggers and exfiltration tools suggesting the campaign objective is cyber-espionage.
BackdoorDiplomacy has been operating since at least 2017, targeting institutions in the Middle East, Africa and the US. The researchers have produced a comprehensive 33-page whitepaper which details the techniques used for initial access, execution, reconnaisance, lateral movement, persistence, privilege escalation, defence evasion, collection and infiltration, as well as cataloguing the various tools used.
Schipor, Adriand and Victor Vrabie, BackdoorDiplomacy Wields New Tools in Fresh Middle East Campaign, blog post, 7 December 2022. Available online at https://www.bitdefender.com/blog/labs/backdoor-diplomacy-wields-new-tools-in-fresh-middle-east-campaign.
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.
Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.