Blog entry by Les Bell

by Les Bell - Wednesday, December 14, 2022, 6:54 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Python Backdoor Gives Access to VMware ESXi Servers

VMware's ESXi is a popular virtualization platform with a lightweight UNIX-like host OS; it loads a near-fresh root filesystem into RAM on reboot, with only a very few files being preserved through the reboot process. One of these is the /etc/rc.local/local.sh file, which allows customization of the startup process, although it is normally empty other than for a few comments explaining its purpose.

In October, Juniper Threat Labs researchers discovered a backdoor implanted into an ESXi server; the attacker had added 8 lines of code to /etc/rc.local/local.sh, which in turn added a single line of code to another startup file, /bin/hostd-probe.sh, and then reset the mtime and atime on the modified file to those of the original, in order to evade detection. That single line of code launches a Python program:

bin/nohup /bin/python -u /store/packages/vmtools.py >/dev/null 2>&1&

Being Python code, that program could run on any POSIX-style platform, but there are indications it is ESXi-specific: the filename is a giveaway, as is a VMware copyright statement at the top of the code, both intended to distract anyone investigating. When run, the code launches a simple web server which will accept password-protected POST requests to either run arbitrary commands and display the result as a web page, or to launch a reverse shell to the attacker's netcat listener. Curiously, this web server binds to localhost:8008, and so the attackers also reconfigure the ESXi reverse HTTP proxy in order to redirect requests to their server.

The initial compromise which allowed installation of the backdoor could not be determined, but the default port number for the reverse shell is 427 which, perhaps not coincidentally, is also the port for OpenSLP, the implementation of the Service Location Protocol used on ESXi, and this is quite probably the service which was exploited to gain access.

The Juniper blog post provides suggested mitigations and pointers to likely IOCs.

Langton, Asher, A Custom Python Backdoor for VMWare ESXi Servers, blog post, 9 December 2022. Available online at https://blogs.juniper.net/en-us/threat-research/a-custom-python-backdoor-for-vmware-esxi-servers.

Chrome Adds Passkey Support

Google has announced that passkey support is now available in Chrome Stable M108, for the Windows 11, macOS and Android platforms. The Android implementation will sync passkeys securely via the Google Password Manager (or, in upcoming versions of Android, any other password manager that supports passkeys).

Passkeys are intended to replace the use of passwords, with all their problems and vulnerabilities, with the use of public-key authentication - passkeys are far more secure, are not leaked in server breaches, and cannot be phished. However, they require web sites and applications to support the W3C WebAuthn API, which is rapidly being deployed on popular sites.

A passkey saved on a device will automatically show up in autofill when the user signs in to a site, and on a desktop device the user can also use a passkey from a nearby mobile device; the browser will relay the authentication traffic between the remote server and the mobile device. In all cases, the private key component of the passkey never leaves the mobile device (rather like the way SSH supports agent forwarding).

Sarraf, Ali, Introducing passkeys in Chrome, Chromium blog, 8 December 2022. Available online at https://blog.chromium.org/2022/12/introducing-passkeys-in-chrome.html.

French Retailer Intersport DOS'ed by Hive Ransomware

Black Friday sales at the French stores of sports retail giant Intersport were badly disrupted when cash registers were shut down and loyalty card and gift card services were also unavailable. Store staff were forced to keep paper records and perform checkouts manually, causing delays.

The cause was a ransomware attack on 23 November, for which credit has been claimed by the Hive ransomware-as-a-service group on its leak website; just why the Hive group has done so is unclear: it might be to encourage Intersport to negotiate the ransom. Intersport would not elaborate, but says it does not believe customer data had been accessed.

Cluley, Graham, Hive ransomware gang claims responsibility for attack on Intersport that left cash registers disabled, blog post, 13 December 2022. Available online at https://www.bitdefender.com/blog/hotforsecurity/hive-ransomware-gang-claims-responsibility-for-attack-on-intersport-that-left-cash-registers-disabled/.

Botnet Brute-Forces WordPress Sites

FortiGuard Labs has provided an analysis of a newly-discovered botnet which is scanning for and then brute-forcing self-hosted WordPress CMS sites. Once the botnet has managed to chance upon credentials which give it access to a site, it then infects the site with a copy of itself and then contacts its C2 server.

GoTrim is written in the Go programming language, and takes advantage of that language's concurrent programming features to perform multiple tasks simultaneously. It is also statically linked, so that when it erases itself, no trace is left behind - although this means that it also does not persist on the victim system. It checks to see if the site is hosted on wordpress.com, and if so it moves on, preferring to focus on self-hosted sites which are generally less well defended.

The backdoor can operate in two modes - client mode, in which it sends HTTP POST requests to its C2 server, or server mode, in which it listens for POST requests. It can also detect other CMSs, as well as the open-source e-commerce merchant server, OpenCart.
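On the defending side, the brute-forcing phase is noisy in a self-hosted site's web server logs: a failed WordPress login re-renders the form with a 200 status, while a successful one redirects with a 302, so a source address producing a burst of 200-status POSTs to wp-login.php stands out. The Node script below is an added example for this briefing, not FortiGuard's analysis code or anything from the botnet; it parses combined-format access log lines and applies a sliding window per source IP. The log lines, addresses, threshold and function names are constructed for the example.

```javascript
// Added example, not FortiGuard's or GoTrim's own code: flag source IPs that
// fail wp-login.php POSTs more than `threshold` times inside a sliding window.
// Combined-format log lines, addresses and threshold are constructed here.

const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+/;
const MONTHS = { Jan: 0, Feb: 1, Mar: 2, Apr: 3, May: 4, Jun: 5,
                 Jul: 6, Aug: 7, Sep: 8, Oct: 9, Nov: 10, Dec: 11 };

// "12/Dec/2022:10:15:32 +0000" -> epoch seconds (UTC).
function parseClfTime(s) {
  const m = /^(\d{2})\/(\w{3})\/(\d{4}):(\d{2}):(\d{2}):(\d{2}) ([+-])(\d{2})(\d{2})$/.exec(s);
  if (!m || !(m[2] in MONTHS)) return null;
  const local = Date.UTC(+m[3], MONTHS[m[2]], +m[1], +m[4], +m[5], +m[6]) / 1000;
  const offset = (+m[8] * 3600 + +m[9] * 60) * (m[7] === '+' ? 1 : -1);
  return local - offset;
}

// One combined-format line -> { ip, ts, method, path, status } or null.
function parseLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  const ts = parseClfTime(m[2]);
  if (ts === null) return null;
  return { ip: m[1], ts, method: m[3], path: m[4].split('?')[0], status: +m[5] };
}

// Returns { ip: peakCount } for IPs whose failed (200-status) POSTs to
// wp-login.php exceed `threshold` within any `windowSeconds` span.
function findLoginBruteForce(lines, { threshold = 10, windowSeconds = 60 } = {}) {
  const events = lines.map(parseLine)
    .filter((e) => e && e.method === 'POST' && e.path.endsWith('/wp-login.php') && e.status === 200)
    .sort((a, b) => a.ts - b.ts);
  const windows = new Map();   // ip -> timestamps still inside the window
  const flagged = {};
  for (const e of events) {
    const q = windows.get(e.ip) || [];
    q.push(e.ts);
    while (q.length && e.ts - q[0] > windowSeconds) q.shift();
    windows.set(e.ip, q);
    if (q.length > threshold) flagged[e.ip] = Math.max(flagged[e.ip] || 0, q.length);
  }
  return flagged;
}

// Constructed sample: 203.0.113.7 fires 15 guesses in under 30 seconds,
// 198.51.100.4 logs in once successfully, 192.0.2.9 only reads pages.
function sampleLog() {
  const lines = [];
  for (let i = 0; i < 15; i++) {
    const sec = String(10 + i * 2).padStart(2, '0');
    lines.push(`203.0.113.7 - - [12/Dec/2022:10:15:${sec} +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"`);
  }
  lines.push('198.51.100.4 - - [12/Dec/2022:10:15:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"');
  lines.push('192.0.2.9 - - [12/Dec/2022:10:15:21 +0000] "GET /index.php HTTP/1.1" 200 8810 "-" "Mozilla/5.0"');
  return lines;
}
```

Running findLoginBruteForce(sampleLog()) flags only 203.0.113.7, with a peak of 15 failed attempts in the window; the threshold and window are the knobs to tune against a site's normal traffic before wiring the output into a blocklist or an alert.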

FortiGuard Labs, GoTrim: Go-based Botnet Actively Brute Forces WordPress Websites, blog post, 12 November 2022. Available online at https://www.fortinet.com/blog/threat-research/gotrim-go-based-botnet-actively-brute-forces-wordpress-websites.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Creative Commons License TLP:CLEAR Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.
