
All of us at Tripwire’s Vulnerability Exposure and Research Team (VERT) are constantly looking out for interesting stories and developments in the infosec world. Here’s what cybersecurity news stood out to us during the week of January 24, 2022. We’ve also included the comments from a few folks here at Tripwire VERT.

SonicWall Discloses Cause of Next-Gen Firewall Reboot Loops

SonicWall revealed that “certain firewalls running SonicOS 7.0 were not able to correctly process the signature update published on Jan. 20.” This caused devices in the company’s Gen 7 firewall series to run in a reboot loop, as reported by Bleeping Computer. After initially providing a workaround, SonicWall said that it had updated the signatures to address the issue.

Andrew Swoboda | Senior Security Researcher at Tripwire

SonicWall firewalls were put into denial-of-service-type conditions by an issue with a signature update. The firewall would check for an update, and the signature update would cause the system to reboot. Once the reboot process finished, the device would check for another signature update, and the device would reboot again. Firewalls that were affected by this needed to disable automatic updates and apply an update that SonicWall produced.

Attackers Using Malicious QR Codes to Steal Money, Warns FBI

On January 23, Bleeping Computer covered a public service announcement (PSA) that detailed an emerging attack technique. The FBI explained that malicious actors are tampering with legitimate QR codes used by businesses for payment purposes. Subsequently, the modified QR codes redirect users to malicious websites designed to steal these individuals’ personal information and/or financial details.

Andrew Swoboda | Senior Security Researcher at Tripwire

It is always important to not trust links that other people have sent you. This also includes using QR codes as a way to navigate the internet. Malicious QR codes can be used to redirect users to criminals' websites. It is always important to check the link that is returned by the application before navigating to the URL.

I agree that any financial transaction should not start with a QR code. Always navigate to your banking app or banking URL by hand. Never trust that a link or QR code is accurate because malicious links are prevalent.

Linux Kernel Vulnerability Allows for Container Breakouts

CVE-2022-0185 is a heap-based buffer overflow vulnerability in the Linux kernel's "File System Context" functionality that enables attackers to execute arbitrary code, produce a denial-of-service condition, and achieve out-of-bounds writes. Those nefarious individuals can use such activity to escape containers in Kubernetes, reported Bleeping Computer on January 25. From there, they can access resources on the host system.

PwnKit Bug Gives Root on All Major Linux Distros

The same day that CVE-2022-0185 made headlines, Bleeping Computer covered another Linux vulnerability tracked as CVE-2021-4034. Nicknamed “PwnKit,” CVE-2021-4034 affects Polkit’s pkexec component, which is present in the default configuration of all major Linux distributions. Attackers could potentially leverage the vulnerability to gain full root privileges on a vulnerable system.

Andrew Swoboda | Senior Security Researcher at Tripwire

The PwnKit vulnerability allows an authenticated attacker to elevate their privileges. This would mean that an attacker would already have access to a vulnerable system. Unless a system is compromised, a trusted user would be able to exploit this vulnerability to elevate their privileges. Distributions have released patches to fix this vulnerability.

App Converts Smartphones into Security Cameras

Users can leverage a free app called “AlfredCamera Home Security” to set up a home security system. They can do so by installing the app on their current phone and older smartphones that might be scattered around the house, wrote Fast Company. In this setup, the former acts as the viewer phone, while the latter acts as the security camera.

Dylan D’Silva | Security Researcher at Tripwire

This seems to be a neat and quick way to have a wireless camera. I’m sure everyone has an old phone or two laying around.

It appears to be as simple as downloading an app (Alfred Camera) on your current phone, which would be used as the viewer phone, and the older handset, which would be used as the camera itself.

Once the app is installed on both phones, you connect them both to the same WiFi network, sign into the app, allow the app the appropriate permissions to access the camera, and then you can start viewing. Alternatively, you can also use your desktop as a viewer as well; you just sign into the app’s website.

There is a free and paid version (according to the author); the free version has the following features:

  • Two-way talk
  • Record
  • Motion detection, which can auto-record so the user can review it later
  • Camera orientation which will let you rotate the image on the camera phone, flip between front- and rear-facing cameras, turn on its flashlight to better illuminate the room, and even enable a siren feature to scare off intruders.

I will try this out and see what I can get working.

Underground Web Marketplace Selling Cracked Logins for Other Crime Shops

KrebsonSecurity reported that there’s a new marketplace making waves on the dark web. Known as “Accountz Club,” this crime shop specializes in selling cracked account credentials associated with other cybercriminal services. Accountz Club is offering those logins for a fraction of their actual account balances.

Dylan D’Silva | Security Researcher at Tripwire

The Accountz Club store/website is offering an aggregation service where cybercriminals can buy access to accounts at other websites and services intended for cybercriminals including stolen credit cards, payment accounts, spamming, and even authentication cookies. Instead of having individual logins/accounts for those sites, a cybercriminal can buy access to new accounts at a fraction of the regular cost.

It’s important to note that the site states it’s selling “cracked” accounts, meaning those accounts used passwords that were easily guessed or enumerated with automated tools (such as John The Ripper, Hashcat, Brutus, Wfuzz, etc.).

One example in the article highlights that a criminal can buy access to Genesis Market, which offers stolen credentials and authentication cookies. Beyond that, it offers a custom-built web browser that can load authentication cookies from previously botted/infected PCs, which basically rolls out the digital "red carpet" by bypassing the requirement to enter a username, password, and even an MFA code.

What might be the most ironic thing of all is that Accountz Club does not offer any sort of additional authentication methods (think MFA), but that may be understandable given the cost to implement. Plus, as the article highlights, so few of their actual customers would provide real contact information when signing up.

Linux Malware Grew More Than a Third in 2021

Malware targeting Linux systems increased by 35% in 2021 compared to 2020, according to Schneier on Security. Certain families were more prevalent than others. For instance, XorDDoS, Mirai, and Mozi accounted for 22% of Linux threats. Mozi alone was 10 times more common last year than it was the year before.

Dylan D’Silva | Security Researcher at Tripwire

Given the rise and ever-growing popularity of Linux and its many different flavors/varieties (a personal favorite of mine is "Elementary OS"), it's unsurprising that Linux-targeted malware has increased by almost mid-double digits.

Digging into the article further, it’s important to highlight that the rise in malware infections is being attributed to recruiting IoT devices to further perpetuate distributed denial-of-service (DDoS) attacks.

Most IoT devices are running stripped-down versions of Linux distros, and properly securing these devices may be an afterthought. When compromised and combined, they can be used to deliver large-scale DDoS attacks.

Beyond DDoS attacks, Linux-based IoT devices can be recruited to mine crypto, facilitate spam campaigns, serve as relays, act as CNC (Command & Control) servers, and even act as entry points to corporate networks.

One specific Linux trojan that is on the rise (123% YoY) is XorDDoS. It brute-forces vulnerable devices via SSH using port 2375 to gain password-less root access to the host.

Another Linux-based malware is called Mozi, a P2P (Peer to Peer) botnet relying on the DHT (Distributed Hash Table) lookup system to obfuscate system Command & Control communications from network traffic monitoring solutions.

Based on current industry research, we should not be surprised if this trend holds steady for 2022, but more likely than not, it will continue to grow.
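The SSH brute-forcing described in the comment above leaves a recognizable trail in sshd logs. As an added example (not from the article or from Tripwire), here is a small Python detector run over constructed auth log lines: it flags a source that exceeds a failure threshold inside a time window and escalates the verdict when that same source subsequently logs in.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of sshd auth log lines (not from the article): one source
# hammering the root account until it gets in, and one legitimate user who
# mistypes a password once and then succeeds.
SAMPLE_LOG = """\
Jan 25 03:14:01 cam01 sshd[812]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jan 25 03:14:02 cam01 sshd[812]: Failed password for root from 203.0.113.7 port 51023 ssh2
Jan 25 03:14:03 cam01 sshd[812]: Failed password for root from 203.0.113.7 port 51024 ssh2
Jan 25 03:14:04 cam01 sshd[812]: Failed password for root from 203.0.113.7 port 51025 ssh2
Jan 25 03:14:05 cam01 sshd[812]: Failed password for root from 203.0.113.7 port 51026 ssh2
Jan 25 03:14:06 cam01 sshd[812]: Accepted password for root from 203.0.113.7 port 51027 ssh2
Jan 25 03:20:10 cam01 sshd[840]: Failed password for alice from 192.0.2.10 port 40010 ssh2
Jan 25 03:20:15 cam01 sshd[840]: Accepted password for alice from 192.0.2.10 port 40011 ssh2
"""

# Matches the standard OpenSSH "Failed/Accepted password" lines (syslog format).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

def parse(line, year=2022):
    """Return (timestamp, result, user, ip) or None for lines we do not handle."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]

def detect_brute_force(log_text, threshold=5, window_seconds=60):
    """Return {ip: verdict}. A source is flagged once it produces `threshold`
    failed passwords within `window_seconds`; an Accepted login from a flagged
    source is escalated, because that is the outcome the comment warns about."""
    failures = defaultdict(list)   # ip -> timestamps of recent failures
    flagged = {}
    for raw in log_text.splitlines():
        rec = parse(raw)
        if rec is None:
            continue
        ts, result, user, ip = rec
        if result == "Failed":
            # Keep only failures inside the sliding window before counting.
            failures[ip] = [t for t in failures[ip] if (ts - t).total_seconds() <= window_seconds]
            failures[ip].append(ts)
            if len(failures[ip]) >= threshold:
                flagged.setdefault(ip, "brute-force")
        elif result == "Accepted" and ip in flagged:
            flagged[ip] = f"brute-force-then-success:{user}"
    return flagged
```

Disabling password authentication for root (or entirely, in favour of keys) on such devices removes the condition this detector is looking for.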

Privilege Escalation Vulnerabilities Fixed by McAfee

On January 21, Threatpost reported that McAfee had fixed two vulnerabilities that an attacker could have used to escalate their privileges all the way up to SYSTEM-level. The flaws affected McAfee Agent, which is used in a variety of McAfee products, in all versions prior to 5.7.5. Both weaknesses received a CVSS base criticality rating of at least 7.7, designating them as high severity.

Andrew Swoboda | Senior Security Researcher at Tripwire

The McAfee agent is subject to two local vulnerabilities. The first, CVE-2022-0166, allows users to elevate privileges by leveraging the OPENSSLDIR variable. Users with write privileges can place a specially crafted openssl.cnf in the OPENSSLDIR to execute code with SYSTEM privileges.

The second flaw, CVE-2021-31854, allows users to inject arbitrary shell code into the file cleanup.exe. Cleanup.exe is executed by running the deployment feature of the McAfee agent. This allows a local attacker to obtain SYSTEM privileges via a reverse shell.

Phishers Impersonating Facebook Messenger Friends

Finally, Finland's National Cyber Security Centre (NCSC-FI) issued an alert about an ongoing attack campaign targeting Facebook users. In the operation, malicious actors used a compromised Facebook account to spam the victim's friends in Messenger with requests for their phone number and an SMS-based verification number. The purpose of this ruse was to trick the target into providing their 2FA code, wrote Bleeping Computer on January 28, thus allowing the attackers to compromise their account and further perpetuate the scam.

Andrew Swoboda | Senior Security Researcher at Tripwire

People inherently trust their friends on social media, but malicious actors can pretend to be those friends. This Facebook phishing attack works by pretending to be a friend on social media. To do this, the scammer either creates an account with the necessary information or gains access to an account that already exists. Once the scammer has access to a Facebook account, they can request the phone number and verification key from the victim over Facebook messenger. The scammer can then take control of the victim’s account if the victim gives them the requested information. This process repeats itself with the newly acquired account.
