This Week In Security: Geopolitical Hacktivism, Antivirus Mining, And Linux Malware

The CIA Hacktivists have launched a sort of ransomware campaign against the Belarusian rail system, but instead of cryptocurrency, they want the release of political prisoners and removal of Russian soldiers. This could be called an example of cyber-terrorism, though there is a reasonable theory that this is a state-sponsored hack, masquerading as hacktivism. What does seem certain is that something has interrupted rail transit, and a group on Twitter has produced convincing proof of a breach.

Your Antivirus Now Includes a CryptoMiner

Don’t look now, but your latest update of Norton 360 or Avira may have installed a cryptocurrency mining module. The silver lining is that some sanity has been retained, and you have to opt-in to the crypto scheme before your machine starts spending its spare cycles on mining. For users who do, they’re put into a mining pool, making for small payouts for most hardware. Norton, naturally, takes a 15% fee off the top for their trouble.

The State of Linux Malware

There used to be an adage that Linux machines don’t get malware. That’s never really been quite true, but the continued conquest of the server landscape has had the side effect of making Linux malware an even greater danger. Crowdstrike has seen a 35% increase in Linux malware in 2021, with three distinct categories leading the charge: XorDDoS, Mozi, and Mirai.

PwnKit

And speaking of Linux, a pretty severe Linux vulnerability was just announced, and a working exploit has already been released. The problem is a simple one in the Polkit binary, which for this purpose, can be thought of as a sudo alternative. The important part is that it’s a setuid binary, one that elevates its own privileges to root when executed by an unprivileged user. “Now wait,” I hear you say, “That sounds like a terrible security problem!” It can be, when it goes wrong. But the simple truth is that there are times when a user needs to perform an action that would otherwise require root privileges. A simple example, ping, needs to open a raw network socket in order to function. These binaries are carefully designed to only allow limited actions, but sometimes a bug allows escaping this “sandbox”.

So what’s the story with pkexec? NULL argv. OK, Linux programming 101 time. When a program is launched on Linux, it’s passed two parameters, normally named argc and argv. These are an integer, and an array of char pointers respectively. If you’re not a programmer, then think of this as the number of arguments, and the list of arguments. This information is used to parse and handle command line options inside the program. argc is always at least one, and argv[0] will always contain the name of the binary as executed. Except, that isn’t always the case. There’s another way to launch binaries, using the execve() function. That function allows the programmer to specify the list of arguments directly, including argument 0.

So what happens if that list is just NULL? If a program was written to account for this possibility, like sudo, then all is well. pkexec, however, doesn’t include a check for an empty argv or an argc of 0. It acts as if there is an argument to read, and the way the program initialization happens in memory, it actually accesses the first environment variable instead, and treats it like an argument. It checks the system PATH for a matching binary, and rewrites what it thinks is it’s argument list, but is actually the environment variable. This means that uncontrolled text can be injected as an environment variable in pkexec, the setuid program.

That’s interesting, but not immediately useful, because pkexec clears it’s environment variables soon after the injection happens. So what sneaky trick could we use to actually exploit this? Throwing an error message. pkexec will use the gconv shared library to print an error message, and it starts by looking for the gconv-modules configuration file. This file defines which specific library files to open. The environment variable GCONV_PATH can be used to specify an alternate config file, but this environment variable is blocked when running a setuid binary. Ah, but we have a way to inject an environment variable after this happens. That’s the exploit. Prepare a payload.so that contains our arbitrary code, a fake gconv-modules file that points to the payload, and then use the NULL argv trick to inject the GCONV_PATH environment variable. Whoami? Root.

There’s a couple fascinating twists to this story. First, [Ryan Mallon] came painfully close to discovering this vulnerability in 2013. And secondly, way back in 2007, [Michael Kerrisk] reported the NULL argv quirk as a Linux kernel bug.

Attacking Random Passwords

The most secure password is one that’s randomly generated, right? Yes, but what if that random generator isn’t quite as random as it seems? Now we’re not talking about intentional backdoors this time, but the seemingly insignificant patterns that sometimes make a big difference. The enigma machine, after all, was cracked in part because it would never encode a letter as itself. [Hans Lakhan] from TrustedSec took a look at a million passwords generated by LastPass, and tried to generalize something useful from the data. Most of these passwords have either 1 or 2 digits. Note this isn’t a weakness in the algorithm, but simply the expected result of the available characters. Would there be an advantage to brute-forcing passwords with the rule that each guess must contain either one or two digits? It would certainly decrease the attack space, but it would also miss passwords that don’t fit the pattern. Would the trade-off be worth it?

The answer isn’t clear-cut. In certain circumstances, there is a slight advantage to gain from using the suggested rules. But that advantage disappears as the brute-force process continues. Either way, it’s a fascinating attempt at applying statistics to password cracking.

WordPress and Backdoor-ed Themes

One of the larger producer of WordPress themes and plugins, AccessPress, suffered a breach of their website that took an ugly turn. The problem was discovered by researchers at Jetpack, who were doing a post-mortem of different compromised site, and found malware embedded in an AccessPress theme. The initial breach happened in September 2021, so be suspicious of any content from AccessPress if downloaded between September and mid-October 2021. Note that if installed from the WordPress.org directory, these themes were safe. A list of known infected plugins and themes are available at the link above, as well as other indicators of compromise.

Bits and Bytes

There’s yet another secret token that’s being accidentally disclosed in source code, the Twitter access token. Github already does automated scanning for credentials accidentally included in repositories, but this doesn’t include Twitter tokens. [IncognitaTech] wrote a quick scanner, and found approximately 9,500 valid tokens.(Insert over 9000 meme here.) How to inform so many people of the problem? Create a bot, make a tweet, and then use the tokens to retweet. That’s sure to capture some attention.

Sonicwall SMA 100 series hardware has a series of vulnerabilities that have now been patched and disclosed. The worst is an unauthenticated buffer overflow, rating a CVSS of 9.8. These devices are relatively popular for small businesses, so keep your eyes open for potentially vulnerable hardware, and get them patched if you can.

Crypto.com suffered a breach on January 17th. They initially downplayed the incident, but have since released a statement with further details. The attack was a two-factor-authentication bypass, allowing an attacker to initiate transactions without successfully completing the normally required 2FA process. They make the claim that they caught the problem early enough to prevent any actual loss of currency, which is actually rather impressive.

Google Chrome has released an update, and this one includes fixes for some expensive bugs. Six separate reports earned researchers more than $10,000 a piece, with the top two a sweet $20K. These six, as well as a seventh bug reported internally, all appear to have the potential to be quite serious, so go update!

And finally, in the things-that-won’t-end-well category, the UK is flirting with the idea of regulating security researchers, making security research a registered trade. The most worrying part of this scheme is the idea that any unregistered researcher might be subject to criminal charges in certain circumstances. This seems like a terrible idea for obvious reasons.

15 thoughts on “This Week In Security: Geopolitical Hacktivism, Antivirus Mining, And Linux Malware

    1. norton has been memeware for a few decades now. when i was a system integrator back in the 00s, i managed to convince the higher ups to remove the norton trial from the pre-install kit. we would provide links to a couple of free options instead. it was always a false sense of security as the thing would expire and the users would think they are covered. support calls dropped off significantly after that. the thing was always a timebomb, and i feel sorry for anyone who actually thought buying it was a good idea.

      1. To be honest you could say it about any antivirus software that is on the market today. I won’t be able to provide a link to that, but i recall some time ago reading an article on how antivirus software is viewed by the consumers and it could be summarized as essentially being a huge button that “cleans” your device (whatever it is supposed to mean).

        1. The grouptests at av-comparatives.org may change your mind about that first statement. There _are_ some decent av providers out there, the best of which allow home users free usage – generally paid for by their corporate version.

  1. Been running XP on the net for the past 12 years with no AV software. Yet to be zapped.
    Just because its all doom and gloom for XP being on the net it will be attacked and owned in 5 seconds , also doesnt mean that it will happen. Im still waiting…

    Somewhat offtopic with the passwords, Am so over these dumb websites out there that have restrictions on number of entered letters/digits. It is just plain stupid and dumb. “your password can not contain three consecutive letters or numbers”
    I dont understand this rule one bit.
    Surely a password of (example) “th3Foxbr0wn0001~” is far more secure than “th3Foxbr0wn01~”

    Anyone?

    1. Well, I think it depends on the ‘length’ of the password. If the site’s minimum length is 6, then 000aaa is half the password and probably easier to break. In your example, probably no big deal over a ‘long’ password.

    2. A great place to look for password security is password crackers. Look at the hashcat rules, for instance: https://hashcat.net/wiki/doku.php?id=rule_based_attack and don’t do any of that. :)

      On that topic, crackers have leet-speak substitutions as part their rulesets for like the last 20 years, so “the” and “th3” are just about equivalently secure. (I know they were examples, but still, they’re horrible.)

      As a devout user of high entropy passwords, I hate some of the rules that sites enforce sometimes — must include a funny character, caps, etc — but I understand that they’re trying to keep out the stupidest mistakes. Still, I often find my passwords rejected when they don’t include special characters.

      `head -c 8 /dev/urandom | base64` gives you strong 64 bits of entropy in 12 characters, but rarely includes any special characters. Correct horse battery staple, and diceware (https://www.eff.org/deeplinks/2016/07/new-wordlists-random-passphrases) can do the same, but are more memorable.

      The rules suck. They should be replaced with server-side password strength testing.

  2. What exact “reasonable theory” is there to suggest that it isn’t activism? I also find it funny that while the article clearly quotes the group (“⚠️ Automation and security systems were deliberately NOT affected by a cyber attack in order to avoid emergency situations.”, which shows the inherintly political and protest nature of the incident as opposed to being an attempt to endanger someone) your remark attempts to spin it in a negative way, but in an article regarding a similar incident( https://hackaday.com/2021/08/20/this-week-in-security-breaking-apple-id-political-hacktivism-and-airtag-tracking/) you clearly label it as political hacktivism and even go as deep as explaining what their name means while also portraying the group in a different spotlight. Given how the governments of Belarus and Russia try to portray any form of civilian political activity as foreign (and i’m not talking about hacktivism, which rightfully can be classified as a crime), i find it very odd to see such double standard applied here.

    1. Also don’t take it as an attempt to deny the existence of state sponsored actors (that would be ridiculous, given the amount of related issues that have arose over the past 10 years), just not sure about this particular take.

  3. re passwords: I don’t get why people don’t use actual language more as passwords, the entropy of natural language is really high, sentences include numbers, spaces, special characters, some language specific caracters like umlauts, or accents…
    On top of this remembering sentences is easier than nonsense passwords.

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.