This Week In Security: Vulnerable Boxes, Government Responses, And New Tools

The Cyclops Blink botnet is thought to be the work of an Advanced Persistent Threat (APT) from Russia, and seems to be limited to Watchguard and Asus devices. The normal three and four letter agencies publicized their findings back in February, and urged everyone with potentially vulnerable devices to go through the steps to verify and disinfect them if needed. About a month later, in March, over half the botnet was still online and functioning, so law enforcement took a drastic step to disrupt the network. After reverse-engineering the malware itself, and getting a judge to sign off on the plan, the FBI remotely broke in to 13 of the Watchguard devices that were working as Command and Control nodes. They disinfected those nodes and closed the vulnerable ports, effectively knocking a very large chunk of the botnet offline.

The vulnerability in WatchGuard devices that facilitated the Botnet was CVE-2022-23176, a problem where an “exposed management access” allowed unprivileged users administrative access to the system. That vague description sounds like either a debugging interface that was accidentally included in production, or a flaw in the permission logic. Regardless, the problem was fixed in a May 2021 update, but not fully disclosed. Attackers apparently reversed engineered the fix, and used it to infect and form the botnet. The FBI informed WatchGuard in November 2021 that about 1% of their devices had been compromised. It took until February to publish remediation steps and get a CVE for the flaw.

This is definitely non-ideal behavior. More details and a CVE should have accompanied the fix back in May. As we’ve observed before, obscurity doesn’t actually prevent sophisticated actors from figuring out vulnerabilities, but it does make it harder for users and security professionals to do their jobs.

Zyxel Patch Available

For a look at how to better handle a similar flaw, see Zyxel’s response to CVE-2022-0342. This is a flaw in the access control logic that allows unauthenticated admin access to vulnerable devices. Zyxel has issued a CVE for the flaw, and divulged enough details for users to know whether they’re vulnerable. If you’re running firmware from before the patch, the web interface is vulnerable to takeover. This sort of flaw isn’t an isolated incident, as both Sophos and Trend Micro have also recently patched and announced similar problems.

Hydra Takedown

This week, German authorities formed the tip of the international spear, taking out the physical servers behind Hydra, a marketplace on the Tor network. All the things you can imagine were bought and sold on Hydra, and to get an idea of the scope of both the market and sting, note that 543 Bitcoins were grabbed in the takedown. No arrests have been made yet, but since Hydra also provided money laundering services, nabbing so much of the infrastructure will likely shine light on lots of illicit activities. There’s no word on how this Tor hidden service was tracked to its physical host, but it’s likely some combination of government run Tor nodes and network timing analysis to track down the infrastructure.

Spring4Shell Fallout

Spring4Shell is being exploited in the wild, with tens of thousands of attempts to trigger the vulnerability being observed by groups like CheckPoint. No word yet on how many of those attempts have been successful, but there’s sure to be some. While it’s not as serious a vulnerability as Log4Shell, at least one botnet has started spreading using the flaw.

Microsoft’s coverage of the flaw has been great, with a helpful one-liner to check for vulnerable Tomcat installs: $ curl host:port/path?class.module.classLoader.URLs%5B0%5D=0 An HTTP 400 response means that you’re likely vulnerable.

Packet Capture for the Cloud — and Everywhere Else

Here’s the situation. You’re working on a remote service that runs on Docker, and something just isn’t working right. To really understand the problem, you need to see the raw packet data. Unfortunately, it’s a complex enough service that it’s multiple Docker images running on multiple hosts. How do you capture and organize the packet data you need? There’s now a tool for that, PacketStreamer. It’s totally open source, and uses the BPF kernel framework to filter and capture packets. From there, your capture nodes forward the captured data to the central service, which reassembles the captures into a sorted log. Investigate, analyze, and review as needed.

Bits and Bytes

Remember dirty pipe? One of the fun places this bug pops up is on Android, which is great if you want to root your phone. The fix has already landed in upstream Android, and Samsung has already pushed the update to handsets. Notably the Pixel 6 is still missing the fix. That’s right, if you’re running Google’s code on Google’s hardware, you’re still vulnerable — or alternatively still able to root your device. Silver linings and all that.

Scammers have discovered the ultimate way to rub salt in a wound. You got hit by a scam and lost some money. You’re delighted when your government reaches out, with the news that there may be a chance to recover your stolen money. Just fill out the appropriate paperwork, pay the processing fee, and the Office of Property Recovery will start work on your case. Of course, the same scammer that got you the first time will just laugh, trash the bogus paperwork, and take your money for the second time.

Depending on whom you ask, smart contracts are either the future of money, the internet, and everything; or “immutable programs by programmers with sufficient hubris to assert they don’t make mistakes” (Thanks Simon!). If smart contracts are to stand the test of time, we’ll need to be able to debug and audit those contracts. There’s a good starting tutorial from [thezero], covering the basics of decompiling contract bytecode back into something readable. For bonus points, you can emulate the blockchain to single-step debug the decompiled contract code. Nifty!

One thought on “This Week In Security: Vulnerable Boxes, Government Responses, And New Tools

  1. On salt, wounds and the Office of Property Recovery:

    “… trash the bogus paperwork …”

    No, they won’t. They are going to sell the gathered data elsewhere, surely they’re a cent or two worth. I mean: a valid mail address, possibly correlated with a physical address, perhaps with a tax ID and some bank account data…

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.