This week saw an impressive pair of takedowns pulled off by law enforcement agencies around the world. The first was the 911 S5 botnet, which the FBI is calling “likely the world’s largest botnet ever”. Spreading via fake free VPN services, 911 was actually a massive proxy service for crooks, renting out the infected machines’ network connections. Most recently, this service was operating under the name “Cloud Router”. As of this week, the service is down, the web domain has been seized, and the alleged mastermind, YunHe Wang, is in custody.
The other takedown is interesting in its own right. Operation Endgame seems to be psychological warfare as well as actual arrests and seizures. The website features animated shorts, a big red countdown clock, and a promise that more is coming. The actual target was the ring that manages malware droppers, the middlemen between the initial shellcode landing on a machine and doing something useful with the compromise. This initial volley includes four arrests, 100+ servers disrupted, and 2,000+ domains seized.
The arrests happened in Armenia and Ukraine. The messaging around this really seems to be aimed at the rest of the gang that’s out of reach of law enforcement for now. Those criminals may still be anonymous, or operating in places like Russia and China. The unmistakable message is that this operation is coming for the rest of them sooner or later.
Checkpoint CloudGuard
And now we turn to the massive number of security and VPN appliances that got detailed exploit write-ups this week. Up first is the watchTowr treatment of the Check Point CloudGuard appliance and its high-priority information exposure CVE. This vulnerability already has a patch, so the obvious starting point is patch diffing, and thanks to a new log message in the patch, it’s pretty clear that this is actually a path traversal attack.
The vulnerable endpoint is /clients/MyCRL, which is a file download endpoint used for fetching updates to the VPN client. Based on Check Point’s CVSS string for this vulnerability, that endpoint is accessible without any authentication. The thing about this endpoint is that it takes an argument and returns the file requested based on that argument. There is a list of allowed files and folders, but the check on incoming requests uses the strstr() C function, which simply checks whether one string contains a second anywhere within it.
One of the entries on this list was the CSHELL/ directory, which is the last piece of the puzzle for a nasty exploit. Send a POST to /clients/MyCRL requesting a CSHELL/../../../../../../../etc/shadow and the shadow password file is returned: strstr() finds CSHELL/ somewhere in the request, so the allowlist check passes, and the ../ components walk the rest of the way to the file. This gives essentially arbitrary file read via path traversal on an unauthenticated endpoint.
Interestingly, the vendor states that the issue only affects devices with username-and-password authentication enabled, and not with the (much stronger) certificate authentication enabled.
There’s some definite weirdness going on with how the CVSS score was calculated, and how Check Point opted to disclose this. Cross-referencing another vendor’s statement, it becomes clear that the fastest way to turn this into a full compromise is by grabbing the password hashes of users: any legacy local users with password-only accounts can be mined for weak passwords. But make no mistake, this is an unauthenticated arbitrary file read vulnerability, and the hash capture is just one way to exploit it. Attacks are ongoing, and the fix is available.
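To make the strstr() mistake concrete, here is an added example that is not code from the Check Point appliance or from the watchTowr write-up. The allowlist entries, the probe paths and the hardened check are constructed for illustration; the vulnerable function mirrors the substring check the write-up describes, and the hardened one shows the prefix-plus-component check that should have been there instead.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Constructed allowlist of download directories; a stand-in, not the
   real list shipped on the appliance. Entries end in '/' so a request
   must name something inside the directory. */
static const char *allowed_dirs[] = { "CSHELL/", "fw1/", NULL };

/* Vulnerable check, modelled on the bug as described: strstr() returns
   non-NULL if the allowed name appears ANYWHERE in the request, so
   "aCSHELL/../../../../../../../etc/shadow" passes. */
bool allowed_strstr(const char *requested)
{
    for (size_t i = 0; allowed_dirs[i] != NULL; i++) {
        if (strstr(requested, allowed_dirs[i]) != NULL)
            return true;
    }
    return false;
}

/* Hardened check: the allowed directory must be a prefix of the request,
   and every path component after it is inspected, rejecting "..", ".",
   empty components ("//" or a trailing slash) and backslashes. */
bool allowed_prefix_no_traversal(const char *requested)
{
    for (size_t i = 0; allowed_dirs[i] != NULL; i++) {
        size_t n = strlen(allowed_dirs[i]);
        if (strncmp(requested, allowed_dirs[i], n) != 0)
            continue;
        const char *p = requested + n;
        if (*p == '\0')
            return false;               /* names the directory, not a file */
        for (;;) {
            const char *slash = strchr(p, '/');
            size_t len = slash ? (size_t)(slash - p) : strlen(p);
            if (len == 0 || memchr(p, '\\', len) != NULL)
                return false;
            if ((len == 1 && p[0] == '.') ||
                (len == 2 && p[0] == '.' && p[1] == '.'))
                return false;
            if (slash == NULL)
                return true;            /* last component was clean */
            p = slash + 1;
        }
    }
    return false;
}

int main(void)
{
    /* Constructed probes: one legitimate request and three traversal attempts. */
    const char *probes[] = {
        "CSHELL/client.cab",
        "aCSHELL/../../../../../../../etc/shadow",
        "CSHELL/../../../../../../../etc/shadow",
        "fw1/sub/../../../../etc/passwd",
    };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("%-45s strstr:%d  hardened:%d\n", probes[i],
               allowed_strstr(probes[i]), allowed_prefix_no_traversal(probes[i]));
    return 0;
}
```

Build with `cc -std=c99 -Wall` and run: the first probe passes both checks, the traversal payloads pass only the strstr() version. The hardened function is still only a string check. On a real server the request has to be URL-decoded before it is checked, and the final path should additionally be resolved (realpath() or equivalent) and verified to sit under the intended base directory, so that symlinks and encoding tricks do not reopen the hole.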
Fortinet FortiSIEM
One of my most/least favorite things to cover is trivial vulnerability patch bypasses. There’s nothing that disturbs and amuses like knowing that a Fortinet command injection in the NFS IP address field was rediscovered in the NFS mount point field of the exact same endpoint.
If the botched fix wasn’t bad enough, the public disclosure was almost worse. There was over a month of lag between the initial report and Fortinet reproducing the issue. Then Fortinet silently rolled out patches a couple of weeks later, with no disclosure at all. CVEs were eventually released, but were then claimed to be duplicates published in error. Now, finally, the whole story is available.
Ivanti Landesk
And rounding out the appliance vulnerabilities is this one in Ivanti Landesk, where a data flow can reach a strncpy() call that takes user-supplied input for the number of bytes to copy and a fixed-size buffer as the destination. Overflowing that buffer allows a function pointer overwrite, and writing even more data past it eventually reaches a read-only section of memory. The write attempt triggers an exception, which bounces through a few functions and eventually calls a pointer that has already been overwritten in the attack. A bit of Return Oriented Programming (ROP) magic later, the shellcode is marked executable and jumped into, for arbitrary code execution.
The flaw does require a low-privilege user account, and the vulnerable code hasn’t been in the product since the 2021.1 release. Ivanti has issued a CVE, but since the last vulnerable release is outside its support window, there won’t be any patches published.
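The following is an added example that is not Ivanti’s code and does not reproduce anything from the product’s binary. The record layout, the addresses and the payload are constructed to illustrate the strncpy() pattern the write-up describes: a length taken from the request, a fixed buffer, and a function pointer sitting just past it. It stops at the pointer overwrite; the read-only-page fault, the exception path and the ROP chain are not modelled.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stdbool.h>

/* Layout of the simulated record: a fixed-size name buffer immediately
   followed by the slot that holds a function pointer. The whole thing is
   one flat byte array so the overflow stays inside a single object and
   the demonstration is well-defined C (no real pointer is ever called). */
#define NAME_LEN 64
#define PTR_OFF  NAME_LEN
#define REC_LEN  (NAME_LEN + sizeof(uint64_t))

typedef struct { unsigned char bytes[REC_LEN]; } record_t;

/* Made-up values standing in for a real code address and an attacker's
   chosen target; 0x42.. has no zero byte, so strncpy() copies all of it. */
#define ORIGINAL_HANDLER 0x00007f0000401000ULL
#define FAKE_PTR         0x4242424242424242ULL

void record_init(record_t *r)
{
    uint64_t h = ORIGINAL_HANDLER;
    memset(r->bytes, 0, REC_LEN);
    memcpy(r->bytes + PTR_OFF, &h, sizeof h);
}

uint64_t record_handler(const record_t *r)
{
    uint64_t h;
    memcpy(&h, r->bytes + PTR_OFF, sizeof h);
    return h;
}

/* Vulnerable pattern: the copy length comes straight from the request.
   strncpy() bounds the copy by that length, not by NAME_LEN, so a length
   of 72 writes over the pointer slot at offset 64. */
void set_name_vulnerable(record_t *r, const char *src, size_t user_len)
{
    strncpy((char *)r->bytes, src, user_len);
}

/* Fixed pattern: the request's length is a claim, not a limit. Bound by
   the destination, fail closed, and always NUL-terminate. */
bool set_name_fixed(record_t *r, const char *src, size_t user_len)
{
    size_t n = 0;
    if (user_len >= NAME_LEN)
        return false;
    while (n < user_len && src[n] != '\0')
        n++;
    memcpy(r->bytes, src, n);
    r->bytes[n] = '\0';
    return true;
}

/* Constructed attacker input: NAME_LEN bytes of filler, then the 8 bytes
   that land on the pointer slot. Returns the length the attacker claims. */
size_t build_payload(char *out, size_t outsz)
{
    uint64_t fake = FAKE_PTR;
    if (outsz < REC_LEN + 1)
        return 0;
    memset(out, 'A', NAME_LEN);
    memcpy(out + NAME_LEN, &fake, sizeof fake);
    out[REC_LEN] = '\0';
    return REC_LEN;
}

/* Handler value after the vulnerable copy: FAKE_PTR, attacker-controlled. */
uint64_t demo_overwrite(void)
{
    record_t r;
    char payload[REC_LEN + 1];
    size_t n;
    record_init(&r);
    n = build_payload(payload, sizeof payload);
    set_name_vulnerable(&r, payload, n);
    return record_handler(&r);
}

/* True if the fixed copy rejects the payload and leaves the handler intact. */
bool demo_fixed_rejects(void)
{
    record_t r;
    char payload[REC_LEN + 1];
    size_t n;
    bool accepted;
    record_init(&r);
    n = build_payload(payload, sizeof payload);
    accepted = set_name_fixed(&r, payload, n);
    return !accepted && record_handler(&r) == ORIGINAL_HANDLER;
}

int main(void)
{
    printf("handler after vulnerable copy: 0x%016llx\n",
           (unsigned long long)demo_overwrite());
    printf("fixed copy rejects payload: %s\n", demo_fixed_rejects() ? "yes" : "no");
    return 0;
}
```

The point of the flat-array layout is that the same write is fully in bounds from the compiler’s point of view and still corrupts the slot that matters; a real target has the pointer in a neighbouring struct field or heap object, and the write keeps going until it hits an unmapped or read-only page, which is where the exception path in the write-up takes over.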
Bricking 600,000 Routers
This one is just odd. Last year, the US ISP Windstream had about 600,000 DSL routers crash and permanently die over three days. The theory at the time was that this was a flubbed firmware upgrade, but researchers from Lumen did some quick detective work, and managed to snag malicious binaries that were actively flowing to the Windstream network.
It turns out that those routers were infected by the Chalubo malware, although the initial infection vector is still unknown. Given the circumstances, it’s likely due to an internal breach at Windstream, possibly even an insider attack. Chalubo is designed to enable remote access, and can be used to launch DDoS attacks, among other capabilities. It’s not typical for this malware to immediately wipe devices, leading to speculation that it was used for plausible deniability, to shield the actual perpetrators. Everything about this has the signs of an insider attack by a disgruntled Windstream admin, though there is no hard evidence at the moment.
Bits and Bytes
Like a bad penny, North Korea has come back up with the FakePenny malware campaign. In Microsoft’s fun APT naming scheme, this is the work of Moonstone Sleet, whose usual strategy is to backdoor popular software and spread it however they can. In a major ransomware deployment, Moonstone Sleet requested $6.6 million in Bitcoin, which is quite the step up from previous campaigns.
And lastly, Ticketmaster seems to have a 560 million user data breach on its hands. Data brokers on Breach Forums claim to have this in a 1.3 terabyte database, and are willing to part with it for merely half a million dollars. There is a bit of backstory here: Breach Forums is run by ShinyHunters, and the whole operation was shut down by the FBI a couple of weeks ago. That didn’t last long, and it looks like they’re back, and back in business.
Can anybody, anybody at all, I mean ANYBODY explain to me why paying ransomware isn’t illegal in every damn country and region in the world?
And I don’t mean a BS story but the real reason.
Because the vast majority of politicians are beholden to corporate interests. Corporations always want to pay the least amount of money which means paying ransom because actually investing in real security is more expensive. There will be no change until there are significant penalties for breaches occurring.
I think that’s a false economy. Last security webinar I was at they said almost 2/3 of companies that had breaches or a crypto virus were hacked again shortly after. If you can milk a cow once why not try again? And why trust a criminal to honour what they’ve agreed?
It would be cheaper from an economic and reputation standpoint to have multiple heavily encrypted backup sites but that depends on corporate risk appetite (if they’re doing cyber risk in their risk assessment at all).