This Week In Security: More State-Sponsored Activity, Spring4Shell

[Editor’s note: There is a second, fake iteration of this column out today. This is obviously the real column.]

An alert from CISA, combined with an unsealed pair of indictments, sheds some new light on how Russian hackers pursue high-value targets. The key malware here is Triton, essentially a rootkit designed for the Tricon safety systems, widely deployed at refineries and other infrastructure facilities. One of the early deployments of this was to a Saudi oil plant in 2017. This deployment seems to have been botched, as it caused malfunctions and shut the plant down for about a week.

The new information is confirmation that the same operators, out of the “Central Scientific Research Institute of Chemistry and Mechanics”, attempted to target US facilities with the same campaign. The Wired coverage initially struck me as odd, as it detailed how these Russian attackers researched US refineries, looking for the most promising targets. How exactly did US intelligence agencies know about the research habits of agents in Russia? The details of the indictment has the answer: They were researching US refineries by downloading papers from the US Department of Energy. As the IP addresses of this Russian research group is known and tracked, it was easy enough for US agencies to make the connection.

Lapsus$ Watch

The persistent Lapsus$ hacking group has made yet another notch on their keyboards, releasing 70 GB of source code from Globant, a global IT and development company. It appears to be source code and documentation, and while they have confirmed a breach, Globant have not confirmed whether the leaked data is real.

In related news, it’s being reported that several Lapsus$ members have been arrested in England. One of the more notable members may have been part of that arrest, but at 16 years old, this young hacker is still a minor and legally protected, so it hasn’t been announced whether he was part of the arrests. It will be interesting to see whether this has much effect on the loose collective of hackers.

Spring4Shell and Friends

If you do any Java programming, you’re probably familiar with Spring, one of the most popular frameworks for developing Java applications. The downside to the project’s popularity is that when there’s a vulnerability discovered, it shows up in a lot of places. To double your fun, there’s two CVEs, both ranked a 9.8 on the severity scale. CVE-2022-22965 is the one also known as Spring4Shell, and is a Remote Code Execution flaw. It appears to be a bypass for the fix of a much earlier flaw, CVE-2010-1622. A malicious POST request can write an arbitrary file to the web root, allowing an attacker to drop a web shell. CVE-2022-22963 is in Spring Cloud Function, and is a flaw allowing an HTTP request header to inject code to be executed. Both of these issues have been addressed in recent releases.

This has become the big story of the weekend, and there are already tools and guides for determining whether you’re vulnerable, and how to fix. One of the useful such tools is this scanner from jfrog, which will look at .jar files and detect possibly vulnerable code. We’re still early in this bug’s lifetime, but so far it seems like the exact configuration needed to be vulnerable is rather rare. On the other hand, Java applications have to be updated manually, so this vulnerability will probably have quite a long half-life.

Axie Infinity Sidechain Pilfered

A colossal cryptocurrency caper has been committed, this time against the Axie Infinity sidechain, Ronin. This chain runs parallel to the Ethereum blockchain, but loses one of its core features. Ronin isn’t decentralized, but has a small collection of nine validator nodes. An attacker managed to take over five of those nine master nodes, and make bogus transfers. The most troubling aspect of this hack may be that it went undetected for a full six days, and was only discovered when a customer tried to make a transaction, cashing out for ethereum.

Bits and Bytes

There is a published PoC for the Cisco Nexus Dashboard Fabric Controller. This is a full exploit chain that goes from unauthenticated access to the web interface to root access to the underlying machine. Infuriatingly, the core vulnerability is CVE-2017-5641, a Java deserialization flaw. Yes, this was a five-year-old vulnerability still lurking in Enterprise software from a major vendor. This is a perfect example of the half-life of Java bugs, as well as a terrible commentary on Cisco’s code quality.

Google Chrome has issued an update to fix a single flaw, CVE-2022-1096. Release 99.0.4844.84 is live. The vulnerability is a type confusion in the V8 engine, and is being exploited in the wild. Not much else is known about it, but this has the potential to be serious, so go grab that update.

Brian Krebs, [KrebsonSecurity], is being sued by Ubiquiti for his coverage of a data breach back in 2021. The crux of the suit seems to be the fact that Krebs’ informant was Nickolas Sharp, also the perpetrator of the breach. It looks like Sharp was trying to use Krebs to put pressure on Ubiquity, while he was secretly attempting to extort the company for money. As Krebs promised him anonymity before knowing he was the perpetrator, the follow-up coverage didn’t draw a connection between the two. Ubiquiti takes issue with this, calling the later coverage “intentionally misleading”. It looks like Krebs was just put in a tough spot, and decided to stick by his promise not to reveal Sharp’s identity.

4 thoughts on “This Week In Security: More State-Sponsored Activity, Spring4Shell

  1. That last note about Ubiquiti. It frustrates me when a company does stuff like that. I’ve been wanting to buy a decent security camera setup, and was eyeing up a Ubiquiti setup, but this has me wanting to look elsewhere.

  2. “The details of the indictment has the answer: They were researching US refineries by downloading papers from the US Department of Energy. As the IP addresses of this Russian research group is known and tracked, it was easy enough for US agencies to make the connection.”

    An example of one shouldn’t put complete information on the web.

    1. Given the DoE is also in charge of all things nuclear, I’m sure they are well aware and there was likely nothing too critical there. I mean, for goodness sake, they’re not even sharing how long fueling of the SLS is taking for the wet dress rehearsal to avoid sharing too much info, and that’s just NASA.

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.