After the Thanksgiving break, we have two weeks of news to cover, so hang on for an extra-long entry. First up is GoDaddy, who suffered a breach starting on September 6th. According to an SEC filing, they noticed the problem on November 17th, and determined that there was unauthorized access to their provisioning system for their WordPress hosting service. For those keeping track at home, that’s two months and eleven days that a malicious actor had access. And what all was compromised? The email address and customer number of the approximate 1.2 million GoDaddy WordPress users; the initial WordPress password, in the clear; the SFTP and database passwords, also in the clear; and for some customers, their private SSL key.

The saving grace is that it seems that GoDaddy’s systems are segregated well enough that this breach doesn’t seem to have led to further widespread compromise. It’s unclear why passwords were stored in the clear beyond the initial setup procedure. To be safe, if you have a WordPress instance hosted by GoDaddy, you should examine it very carefully for signs of compromise, and rotate associated passwords. The SSL keys may be the most troubling, as this would allow an attacker to impersonate the domain. Given the length of time the attack had access, it would not surprise me to learn that more of GoDaddy’s infrastructure was actually compromised.

Tardigrade — Maybe

Just over a week ago, news was broken of a new APT malware campaign targeting the bio-manufacturing sector. This new threat comes with a “halfhearted ransom note”, was adaptive, stealthy, and exhibited autonomous action. Researchers from BioBright describe Tardigrade as dynamically recompiling itself based on the environment, thereby constantly changing signatures.

If that sounds a little too breathless and overhyped, you aren’t alone. A researcher publishing under the pseudonym of [Infosec Coproscribe] has put together a damning review of the Tardigrade disclosure. “Coproscribe” here probably refers to the practice of proscribing an antidote drug when proscribing a potentially dangerous opiate, and seems to imply that the post is intended to be the antidote to some sketchy infosec reporting. Commenters have pointed out that doctors prescribe, not proscribe. “Copro” is a prefix referring to feces. I’ll let you work the meaning out from there on your own.

[Infosec] makes the case that the Tardigrade disclosure doesn’t show signs of really thorough work, and points to the reported Indicators of Compromise (IoCs) as an example. Those network IoCs are: “Random Batch of Amazon Web Services (AWS)”, GoDaddy, and Akamai. It’s challenging to find a network that *isn’t* constantly talking to AWS, GoDaddy domains, and the Akamai CDN. The malware binary that seems to be the basis for this research is a sample of CobaltStrike, a known tool. Without further clarification and details, the entire story of Tardigrade as an APT seems shaky. It’s too early to call it for sure. This could really be another Stuxnet-level operation, or it could simply be an inexperienced response team jumping at shadows.

MonoX and a Dumb Smart Contract Bug

Smart contracts are slowly changing the world, at least according to certain cryptocoin enthusiasts. What’s more readily demonstrable is that vulnerabilities in smart contracts can very rapidly wreck decentralized finance (DeFi) applications. The latest example is MonoX, a DeFi that aims to make token trading easier. The problem is that it was possible to trade a MONO token for itself. To borrow a programming term, this resulted in undefined behavior. The token was repeatedly traded, and with each trade its value rose. The price of MONO had eventually been pumped high enough, the attacker was able to dump his tokens for Polygon and Ethereum tokens. The total value lost was $31 million. When money is code, money will have bugs.

BigSig

Short for Big Signature, [Tavis Ormandy] has dubbed his NSS vulnerability BigSig. There’s no flashy logo, so make of that what you will. It’s a straightforward bug — a buffer is allocated for the biggest valid signature, and when processing a malformed signature that is even bigger, it writes right past the end of the buffer. CVE-2021-43527 is simple, and fairly simple to exploit. It was fixed in NSS 3.73, released on the first. While the bug doesn’t affect Firefox, other applications like Thunderbird, LibreOffice, and others make use of the NSS library, and may be vulnerable.

The most interesting aspect of this story is that this code has been vulnerable since 2012. This isn’t one of those notorious single-maintainer projects, but is part of Mozilla, who go out of their way to get security right. The NSS library has good test coverage, has been subjected to fuzzing, and is part of Mozilla’s bug bounty program. I’m not sure who coined the phrase, but this definitely demonstrates that “code wants to be wrong”. [Tavis] found the bug while working on a new approach to fuzzing for code coverage. He points out that one of the major fails in the existing code testing strategy is that the individual modules of NSS were tested in isolation, but not in an end-to-end approach. The input module may be able to parse an incoming request into a context struct, but it’s important to test the resulting context against the rest of the project’s code.

AT&T Hosts EwDoor

There seems to be an active malware campaign targeting AT&T hardware, the EdgeMarc Enterprise Session Border Controller. A flaw was disclosed way back in 2017, a where a default password (set to “default”) could be used with a hidden web endpoint, allowing arbitrary commands to be run. This ancient history became suddenly relevant again, when Netlab 360 discovered a new botnet taking over these devices. EwDoor can be used for DDoS attacks, data theft, and includes a reverse shell. It’s a nasty little package, and shame on AT&T for, it seems, failing to patch such a sever vulnerability in hardware they own and manage for their customers.

How Elliptic Curves Go Wrong

NCC Group has a great primer on the challenges of properly validating elliptic curve crypto. The tricks they warn about are as simple as sending invalid points, and hoping the other side doesn’t notice. Another interesting approach is sending a point that sits at infinity. This seems to be the equivalent of picking zero as the base in a Diffie-Hellman exchange — it short-circuits the entire process. The full article is worth a read.

Wireguard Canary

Thinkst has an interesting premise for their Canarytokens service — put fake credentials on real devices, and detect when the fakes are used. They’ve added Wireguard to their portfolio. Rather than try to use a full Wireguard implementation, they’ve reimplemented the handshake initiation code, calling their mini-project WireGate. It’s a clever idea, and they’ve released the source. Turning the idea on its head, it seems like the Wireguard initiation packet could also be used as a port knocking token, if someone was so inclined.

Linux — Detecting Persistence

Your Linux machine got compromised? You know what to do. Pull the plug, swap the drive, and reinstall from scratch. But… what are you looking for, both to detect compromise, and also when investigating the compromised disk? [Pepe Berba] has published the first two parts of a series about persistence techniques for Linux machines. The first entry serves as an introduction, and then discusses using sysmon and auditd to detect possible problems, like webshells. Part two covers account creation and manipulation, and again gives tips for catching changes right away. It looks to be a well-written series, full of good tips, so keep an eye on it.