Malicious flash drives have come a long way since the old days of autorun infections. It’s not an accident that Microsoft has tightened down the attack surface available through removable media. So how exactly did a malicious flash drive lead to the compromise of a European hospital? Some sophisticated firmware on the drive? A mysterious zero day? Nope, just hidden files, and an executable using the drive name and icon. Some attacker discovered that a user trying to access a flash drive, only to be presented with what looks like the same flash drive icon, will naturally try to access it again, running an .exe in the process.
That executable runs a signed Symantec binary, included on the drive, and sideloads an OCX that hijacks the process. From there, the computer is infected, as well as any other flash drives in the machine. Part of the obfuscation technique is an odd chain of executables, executed recursively for a hundred copies. Naturally once the infection has rooted itself in a given machine, it takes commands from a C&C server, and sends certain files out to its waiting overlords. Checkpoint Research has attributed this campaign to Camaro Dragon, a name straight from the 80s that refers to a Chinese actor with an emphasis on espionage.
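The lure described above has a recognizable shape on disk: the real contents are hidden, and the one visible item is an executable named after the volume label. The following triage script is an added example, not code from the original report or from Checkpoint; it reads a drive root with Windows file attributes when run on Windows, and is exercised here on a constructed listing (the `MYDRIVE` label and file names are made up). Entries that are both hidden and system, such as `System Volume Information`, are treated as normal.

```python
import os
import stat
from dataclasses import dataclass

# Extensions a double-click will run from a removable drive.
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".lnk"}


@dataclass(frozen=True)
class Entry:
    name: str
    is_dir: bool
    hidden: bool = False   # FILE_ATTRIBUTE_HIDDEN on Windows
    system: bool = False   # FILE_ATTRIBUTE_SYSTEM on Windows


def list_root(path):
    """Read a real drive root. On Windows the hidden/system bits come from
    st_file_attributes; elsewhere every entry simply reads as visible."""
    entries = []
    for d in os.scandir(path):
        attrs = getattr(d.stat(follow_symlinks=False), "st_file_attributes", 0)
        entries.append(Entry(d.name, d.is_dir(follow_symlinks=False),
                             bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN),
                             bool(attrs & stat.FILE_ATTRIBUTE_SYSTEM)))
    return entries


def triage_root(volume_label, entries):
    """Flag the 'one icon that looks like the drive' pattern.

    volume_label is supplied by the caller (read it from the OS however you
    like). Returns the executables named after the label, the hidden entries
    that would hold the real content, and whether the lure is the only thing
    a user would see."""
    label = volume_label.strip().lower()
    lures, hidden, visible = [], [], []
    for e in entries:
        if e.hidden and e.system:
            continue                       # normal volume metadata, not a finding
        if e.hidden:
            hidden.append(e.name)
            continue
        visible.append(e)
        stem, ext = os.path.splitext(e.name)
        if not e.is_dir and ext.lower() in EXEC_EXTENSIONS and stem.lower() == label:
            lures.append(e.name)
    single_visible_lure = (len(visible) == 1 and visible[0].name in lures and bool(hidden))
    return {
        "lure_executables": lures,
        "hidden_entries": hidden,
        "single_visible_lure": single_visible_lure,
    }


# Constructed listings standing in for two drive roots.
CONSTRUCTED_SUSPICIOUS = [
    Entry("MYDRIVE.exe", is_dir=False),                      # visible, carries the drive icon
    Entry("MYDRIVE", is_dir=True, hidden=True),              # the user's real files, hidden
    Entry("System Volume Information", is_dir=True, hidden=True, system=True),
]
CONSTRUCTED_CLEAN = [
    Entry("report.docx", is_dir=False),
    Entry("photos", is_dir=True),
    Entry("System Volume Information", is_dir=True, hidden=True, system=True),
]

if __name__ == "__main__":
    for label, listing in (("MYDRIVE", CONSTRUCTED_SUSPICIOUS), ("MYDRIVE", CONSTRUCTED_CLEAN)):
        print(label, triage_root(label, listing))
```

On a live system, `triage_root(label, list_root("E:\\"))` gives the same dictionary; a hit on `single_visible_lure` is the point at which to stop and image the drive rather than open the file.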
It may sound like an exercise, but RowPress is actually the latest DRAM attack, in the same vein as RowHammer. Where RowHammer repeatedly opened and closed a DRAM’s activation line to induce errors on a neighboring line, RowPress simply keeps the activation line open longer than normal. And it works better than RowHammer, surprisingly. And because it’s a novel technique, it sidesteps a lot of the protections built for RowHammer and other techniques.
One of the interesting observations is that the temperature of system memory makes a difference. Once RAM is over 80 degrees Celsius, most of the RAM tested became significantly more vulnerable to RowPress memory corruption. And while this attack has been demonstrated on real hardware, there isn’t a Proof of Concept demonstrating an Elevation of Privilege attack yet. As similar as this is to the RowHammer attack, it’s likely that the existing attacks could be adapted. The researchers behind this paper do suggest some mitigation techniques, so future DRAM modules will likely be safer from this particular attack.
We’ve talked about RepoJacking in passing before, but this week brings a detailed report on how many GitHub repositories might be vulnerable to this attack. To refresh our memory, RepoJacking is possible when a user or organization makes a name change on GitHub. A user may have started on GitHub using a pseudonym, and made the change to a legal name. GitHub helpfully does a silent redirect, so anything pointing at the old username continues to work.
The problem is that those old usernames are not reserved, and are available for new registration. Snag a historic username, recreate the repositories, and suddenly anyone using the old link is pointing at your code. And the work done by Aquasec research suggests that around 3% of the existing GitHub repositories are vulnerable in this way. The solution here is to do what I did way back in 2016 when I changed my GitHub username, and immediately register the old username as a placeholder account.
GitHub is aware of this problem, and has made some attempts to protect popular accounts against this issue. Unfortunately those attempts are woefully inadequate, and the vast majority of repositories don’t trigger the safeguards. And the consequences can be nasty. Just consider what could happen if a popular project was repojacked, and the install script was tampered with.
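The defensive check that follows from this is to find every GitHub reference in your own manifests and ask whether the owner in the reference is still the owner GitHub resolves it to; a redirect means the old name is the one an attacker could re-register. The script below is an added example, not Aquasec’s tooling or GitHub’s; it extracts `owner/repo` pairs from a constructed manifest and uses a pluggable `resolve` function. The table-backed resolver here is a stand-in for the network: in production you would query the GitHub repository API for each pair and compare the returned `full_name` with the name you asked for.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

# Matches https, git+https and ssh-style references, stopping at .git, a ref, a path or whitespace.
GITHUB_REF = re.compile(
    r"github\.com[/:](?P<owner>[A-Za-z0-9-]+)/(?P<repo>[A-Za-z0-9_.-]+?)(?:\.git)?(?=[/#@\s]|$)"
)

Ref = Tuple[str, str]
Resolver = Callable[[str, str], Optional[str]]


def extract_refs(text: str) -> List[Ref]:
    """Return the distinct (owner, repo) pairs referenced in a manifest."""
    return sorted({(m.group("owner"), m.group("repo")) for m in GITHUB_REF.finditer(text)})


# Constructed stand-in for GitHub: maps a referenced pair to the canonical
# "owner/repo" GitHub would redirect to, or None when nothing is there.
CONSTRUCTED_RESOLVER_TABLE: Dict[Ref, Optional[str]] = {
    ("oldhandle", "tool"): "newhandle/tool",  # owner renamed; old name silently redirects
    ("vendor", "sdk"): "vendor/sdk",           # unchanged
    ("gone", "lib"): None,                     # deleted or never existed
}


def constructed_resolver(owner: str, repo: str) -> Optional[str]:
    return CONSTRUCTED_RESOLVER_TABLE.get((owner, repo))


def assess(refs: List[Ref], resolve: Resolver) -> Dict[str, str]:
    """Classify each reference as ok, missing, or redirected to a different owner."""
    findings = {}
    for owner, repo in refs:
        key = f"{owner}/{repo}"
        canonical = resolve(owner, repo)
        if canonical is None:
            findings[key] = "missing"
        elif canonical.split("/", 1)[0].lower() != owner.lower():
            findings[key] = f"redirected to {canonical}"
        else:
            findings[key] = "ok"
    return findings


def repojacking_candidates(findings: Dict[str, str]) -> List[str]:
    """References that still work only because of a redirect from a retired owner name."""
    return sorted(k for k, v in findings.items() if v.startswith("redirected"))


# Constructed manifest fragment mixing pip, go.mod and ssh-style references.
SAMPLE_MANIFEST = """
git+https://github.com/oldhandle/tool.git@v1.2.0#egg=tool
git+https://github.com/vendor/sdk@main
require github.com/gone/lib v0.3.1
git@github.com:vendor/sdk.git
"""

if __name__ == "__main__":
    report = assess(extract_refs(SAMPLE_MANIFEST), constructed_resolver)
    for ref, verdict in report.items():
        print(f"{ref:24} {verdict}")
    print("repojacking candidates:", repojacking_candidates(report))
```

A "missing" result is a different problem (a build that will break), while a "redirected" result is the one to act on: pin the new owner name in the manifest and, if the old name is yours, register it as a placeholder.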
Speaking of malicious GitHub repositories, researchers at VulnCheck discovered a repo containing a Signal 0-day. Except that “0-day” was actually a python malware dropper. While the code itself wasn’t particularly hard to recognize as sketchy, quite a bit of care seems to have been given to constructing a fake organization to give the malware an aura of legitimacy. High Sierra Cyber Security is a fake organization, and fake accounts borrowing names and pictures from real researchers have been set up as employees of the fake firm.
This campaign is very reminiscent of the North Korean approach, of sending similar fake research to other researchers. So far there’s no verifiable link between the two campaigns. Regardless, watch out for this particular sting.
Backup Ransoms You
An MDSec research team set their sights on ArcServe UDP, a commercial backup solution. Very quickly it became apparent that this solution had some problems, namely a trivial authentication bypass. The authentication flow sends a URL to the authenticating client that’s used for authentication. That URL can be modified in the browser, leading to a Man-in-the-Middle attack against the authentication process. One bit of information that can be captured this way is an authUUID for the authenticating account. And since there’s a validateUserByUuid() method, it’s an instant admin account compromise.
From there, it’s possible to request the encrypted account password. And note, the password is only encrypted, not hashed. And it uses a static, universal encryption process and seed. So, MDSec wrote a decrypter in just a few lines of code, allowing the admin password to be extracted in plaintext. It’s not great, particularly if you’re relying on an ArcServe backup for Ransomware protection, since an attack can easily include the backup itself. A patch to fix these issues was released on the 27th, without crediting MDSec for the research.
Bits and bytes
Arbitrary file delete is quite effective for denial of service, but it’s not particularly usable for more interesting attacks, right? Well, Zero Day Initiative has some interesting work on that point. The setup here is an underprivileged user on a Windows machine, who has managed to pull off an arbitrary folder delete. The rest of the story is that the Config.MSI folder can be deleted and recreated while another process is attempting and then failing a program install. By creating a new version of that folder, the system rollback state can be overwritten, leading to escalation of privilege when the installer attempts to undo the installation. Clever!
The Junos OS had a Denial of Service issue, where a Border Gateway Protocol update could cause BGP session flaps. What’s interesting is that this issue has been observed in the real world. BGP is a particularly interesting protocol, since it does so much unseen heavy lifting to keep the Internet working. This sort of flaw could also be used in a bigger BGP attack, where Internet traffic is intentionally mis-routed.
And finally, that Barracuda flaw that has been in play since October 2022 gets an in-depth treatment from Mandiant. This document contains good Indicators of Compromise, as well as additional detection rules for Snort and Suricata. The scariest part of this whole story is the six months the vulnerability was being used in targeted attacks before it was discovered and patched.