There’s a trend recently, of big-name security appliances getting used in state-sponsored attacks. It looks like Cisco is the latest victim, based on a report by their own Talos Intelligence.

This particular attack has a couple of components, and abuses a couple of vulnerabilities, though the odd thing about this one is that the initial access is still unknown. The first part of the infection is Line Dancer, a memory-only element that disables the system log, leaks the system config, captures packets and more. A couple of the more devious steps are taken, like replacing the crash dump process with a reboot, to keep the in-memory malware secret. And finally, the resident installs a backdoor in the VPN service.

There is a second element, Line Runner, that uses a vulnerability to arbitrary code from disk on startup, and then installs itself onto the device. That one is a long term command and control element, and seems to only get installed on targeted devices. The Talos blog makes a rather vague mention of a 32-byte token that gets pattern-matched, to determine an extra infection step. It may be that Line Runner only gets permanently installed on certain units, or some other particularly fun action is taken.

Fixes for the vulnerabilities that allowed for persistence are available, but again, the initial vector is still unknown. There’s a vulnerability that just got fixed, that could have been such a vulnerability. CVE-2024-20295 allows an authenticated user with read-only privileges perform a command injection as root. Proof of Concept code is out in the wild for this one, but so far there’s no evidence it was used in any attacks, including the one above.

Mitel Pop From the Front Panel

The good folks at Baldur decided to go hunting for bugs in Mitel VoIP phones. These are pretty commonly used in businesses and hotel back offices. And the first brilliant find was a system compromise just from punching buttons on the phone. Under diagnostics in the menu, the diagnostic server setting is used to upload logs and system information. That setting apparently gets passed into a shell command, as an ampersand is all it takes to execute commands. You can bet that the next time I’m around a Mitel phone, I’m trying &reboot;. That’s technically protected by an admin password — which is usually set to “1234”.

But wait, there’s more. The front panel hack was useful for getting a toehold to run a debugger and other tools, but we need to go deeper. There’s a webserver on port 80, for doing device configuration. It has GET requests locked down reasonably well, but there’s a really odd quirk, that POST requests don’t have to be authorized, so long as a valid GET request has been made within the last 10 minutes. That would be something on it’s own, but even better is the fact that there are a few GET requests that trigger the timer, and don’t require authentication. The winner here is the humble favicon.

The last step was finding a buffer overflow in a routine that sets the MAC address from within the web interface. The tricky thing here is that the overflow code first gets handled by a strcat and strcpy, meaning a NULL byte ends the exploit data. It took some doing, but the team found a gadget chain that got to shellcode while walking the tightrope. They celebrated with a bit of the Imperial march.

False Flag Malware

What happens when you have a database where a user can upload arbitrary data, and an over-zealous pattern-matching anti-malware engine is running? Database deletion wasn’t on my bingo card, but here we are. It’s a literal false flag: create a fake malicious signature, to trick the anti-malware into doing the malicious thing instead. Microsoft Defender and Kaspersky EDR are the two applications called out here, though it’s likely other anti-virus programs would be subject to similar tricks. Microsoft issued a CVE and has shipped a fix, and Kaspersky rolled out some mitigations as well.

False Flag Slander

And then there was this AI-enabled false flag. A school principal was “caught” on a hot mic, expressing some concerning and racially-charged opinions about students, community members, and other school staff. The audio was leaked, the student body got wind of it, and the principle’s scalp was metaphorically called for.

But it was the school’s athletic director, with a speech-cloning service, and he has been arrested, which is sure to lead to an interesting court case. And sadly, this isn’t an isolated incident, as hoaxes have become relatively common, and this isn’t the first time an AI voice has been used maliciously. As much as we hate to say it, look for more of this to come.

Zombie Worm

What happens with a self-propagating worm gets its head cut off? Apparently it turns into a zombie worm. A strain of PlugX malware gained the ability to hop a ride on USB drives a few years back, with all of those infected machines reporting to a single C&C server. That server went offline, and researchers managed to snag the IP address. That’s important to prevent someone else raising the zombies back to unlife, but it also gives us a really interesting look into the infected machine stats.

Nigeria seems to hold the crown for the most infected machines, with India holding down second place. Some researchers have seen a Chinese theme in the data, suggesting China was patient zero, the origin of the worm, or maybe both. With researchers in control of the C&C IP, there is the possibility of issuing remote uninstall commands, but there are both legal and logistical challenges to that idea.

PSA: phpecc

And here’s a PSA for you PHP programmers. (We know you’re out there!) The phpecc library appears to have been abandoned. Statistics suggest it’s still getting over a thousand downloads a day, which isn’t great given that there are some outstanding CVEs in the codebase.

The codebase has been forked by Paragon Initiative Enterprises, P.I.E., who warn against fully trusting the code until an audit has completed. This is one to watch for a while, and be aware of the potential faults of the older versions.

Bits and Bytes

Phylum is back, reporting more malicious packages in NPM. These seem to be coming from the same threat actors as have uploaded malware before, and thought to be North Korean actors. It’s fairly straightforward, with a preinstall hook running obfuscated JS code. This one is interesting, as it seems to be going after MacOS systems. There’s also an interesting bashism that has sneaked into the malicious JS, using the logical OR || instead of an if statement. 'linux' === type || exec() Though due to a typo, it looks like this particular sample will never deploy a payload on Linux. os.type() uses the uname output, which always capitalizes Linux. Your English teacher was right! Capitalization does matter.

Earlier this month a series of CVEs against the Robot Operating System (ROS) came across my desk. I opted not to cover them, as it was a wall of CVEs with hardly any detail in any of them. I filed it away mentally, to check back later. It’s later, and I was apparently not the only observer that thought the report was quite thin on substance. It’s beginning to look like the CVEs are bogus, and the “research paper” was a hastily reworded copy of the ROS beginner tutorial. The most convincing evidence of this is that the presumably fake researchers claimed that security updates were coming soon, while core ROS developers never received reports on the CVEs.

And finally, maybe ransomware is good for one thing — keeping the lights on? Oh, no. Those lights are supposed to turn off during the day. Leiccester has had an attack of the ever-lit street lights, after a ransomware attack forced a shutdown a couple months back.