
All of us at Tripwire’s Vulnerability Exposure and Research Team (VERT) are constantly looking out for interesting stories and developments in the infosec world. Here’s what cybersecurity news stood out to us during the week of January 31, 2022. We’ve also included the comments from a few folks here at Tripwire VERT.

Update Force-Pushed to Protect QNAP NAS Devices against DeadBolt Ransomware

QNAP force-pushed a security update to customers’ network-attached storage (NAS) devices to protect them against DeadBolt ransomware. The threat’s operators claimed that they were using a zero-day vulnerability to break into QNAP devices and encrypt victims’ files. Using that flaw, the ransomware actors succeeded in encrypting 3,600 devices before QNAP issued its fix, per Bleeping Computer.

Samantha Zeigler | Security Researcher at Tripwire

The QNAP zero-day exploit by DeadBolt has caused an interesting conundrum. The vulnerability was exploited quickly enough to cause thousands of people to be affected by the ransomware. While some users were willing to pay to get their files back, the company itself worked to patch the systems’ vulnerability. The decision to force the patch on all systems, including compromised ones, may have prevented the thousands affected from getting their files back. That said, this forced patch may have prevented any more systems from being compromised.

BotenaGo Source Code Leaked to GitHub

Threatpost reported that someone leaked the source code of BotenaGo to GitHub. Anyone can now use the botnet’s code to try to enslave vulnerable Internet of Things (IoT) devices. In the process, they can also modify BotenaGo’s code to develop their own threats for the purpose of evading AV detection.

Samantha Zeigler | Security Researcher at Tripwire

The release of this lightweight exploit code to GitHub has allowed for wide availability to malicious actors. BotenaGo is particularly hard to detect and easy to use. That wide availability puts both Linux systems and IoT devices at higher risk for exploitation, as the code is presented in a runnable state that can easily be modified. The ease of access and usability of this code presents a concerning threat.

Malicious SMS messages, QR Code Reader Used to Target Users with Flubot and Teabot Trojans

On January 26, Threatpost wrote that security researchers had intercepted over 100,000 SMS messages attempting to distribute Flubot since December 2021. Over the course of their analysis of that attack vector, the researchers found a QR code reader app targeting victims with 17 different variants of the Teabot Android trojan. The app had received over 100,000 downloads from Google’s Play Store at the time of the researchers’ discovery.

Andrew Swoboda | Senior Security Researcher at Tripwire

There are active campaigns that are trying to deliver Flubot and Teabot Trojans. Bitdefender Labs has noticed 100,000 malicious SMS messages that were trying to distribute malware. Flubot was hidden in a QR code reader that was distributed via Google’s Play Store.

For users to be infected with these trojans, malicious applications have to be installed on their devices. Malicious actors have to entice users to install specially crafted applications to infect their devices. SMS messages were sent to users in various countries telling them to install particular applications. Once installed, the application would infect the device with the Trojan.

Over 1M Sites Vulnerable to WordPress Plugin RCE Flaw

Security researchers uncovered a remote code execution (RCE) vulnerability in versions 5.0.4 and older of Essential Addons for Elementor, a plugin that was active on over one million WordPress sites at the time of discovery, Bleeping Computer noted on January 31. Using the flaw, an unauthenticated actor can perform a local file inclusion attack to execute code on the affected site.

Andrew Swoboda | Senior Security Researcher at Tripwire

The WordPress plugin Essential Addons for Elementor is subject to a local file inclusion vulnerability. This vulnerability allows attackers to execute arbitrary code on a vulnerable system. This vulnerability exists because of improper use of user input data. The dynamic gallery and product gallery widget must be enabled to have a nonce token check present. Update to the latest version of the plugin to protect your site from this issue.
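As an added illustration of the pattern Andrew describes (this is not code from the plugin, from the advisory, or from Tripwire), here is the unsafe path construction next to a hardened version in Python: an allowlist of template names, a canonical-path containment check, and a nonce check performed before the filesystem is touched. The template names, the directory layout and the nonce secret are constructed for the example.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

# Constructed sandbox so the example runs offline: a template directory plus a
# file outside it that a local file inclusion must never be able to reach.
ROOT = Path(tempfile.mkdtemp(prefix="lfi-demo-"))
TEMPLATE_DIR = ROOT / "templates"
TEMPLATE_DIR.mkdir()
(TEMPLATE_DIR / "gallery.php").write_text("gallery template")
(TEMPLATE_DIR / "product.php").write_text("product template")
(ROOT / "secret.php").write_text("should never be included")

ALLOWED_TEMPLATES = {"gallery", "product"}     # hypothetical widget layouts
NONCE_SECRET = b"constructed-per-site-secret"   # stands in for a site's salt


def include_vulnerable(template: str) -> str:
    """The anti-pattern: a request parameter is pasted into a path and read.
    '../secret' walks out of TEMPLATE_DIR, which is a local file inclusion."""
    return (TEMPLATE_DIR / f"{template}.php").read_text()


def make_nonce(action: str) -> str:
    """Keyed token tied to one action; the page embeds it in the form/AJAX call."""
    return hmac.new(NONCE_SECRET, action.encode(), hashlib.sha256).hexdigest()[:16]


def verify_nonce(nonce: str, action: str) -> bool:
    """Constant-time comparison so a forged nonce cannot be guessed byte by byte."""
    return hmac.compare_digest(nonce, make_nonce(action))


def confine_to_template_dir(template: str) -> Path:
    """Canonicalise the candidate and confirm it still lives under TEMPLATE_DIR.
    Defence in depth for code paths where an allowlist is not practical."""
    base = TEMPLATE_DIR.resolve()
    candidate = (base / f"{template}.php").resolve()
    if base not in candidate.parents:
        raise ValueError(f"{template!r} escapes the template directory")
    return candidate


def resolve_hardened(template: str) -> Path:
    """Allowlist first: the only legitimate values are known layout names."""
    if template not in ALLOWED_TEMPLATES:
        raise ValueError(f"unknown template {template!r}")
    return confine_to_template_dir(template)


def include_hardened(template: str, nonce: str, action: str = "load_widget") -> str:
    """Order matters: reject forged requests before touching the filesystem,
    then resolve the template through the allowlist and containment check."""
    if not verify_nonce(nonce, action):
        raise PermissionError("bad or missing nonce")
    return resolve_hardened(template).read_text()


if __name__ == "__main__":
    print(include_vulnerable("../secret"))       # leaks the file outside the directory
    good = make_nonce("load_widget")
    print(include_hardened("gallery", good))      # gallery template
    try:
        include_hardened("../secret", good)
    except ValueError as exc:
        print("rejected:", exc)
    try:
        include_hardened("gallery", "deadbeef")
    except PermissionError as exc:
        print("rejected:", exc)
```

The allowlist is the real fix; the containment check only catches the cases an allowlist would have caught anyway, but it is cheap and survives a later refactor that turns the fixed set of names into something user-extensible.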

AWS Server Leaves 3TB of Airport Employees’ Data Exposed

ZDNet shared that an electronic security services provider left an AWS server exposed. At the time of the security incident, the server included 3TB of information dating back to 2018. The data included the personal records of airport employees in Colombia and Peru.

Dylan D’Silva | Security Researcher at Tripwire

Here is another reminder for organizations (and individuals) to have policies and procedures in place to audit how your systems are secured as well as to ensure they are following industry-standard best practices for the creation and securing of cloud services. Where possible, consider having a trusted third party perform the audit to ensure that errors that might be overlooked internally are caught and remediated before they’re pushed to production, or invest in automated monitoring and auditing tools to help.

Unfortunately for the company, having this unsecured and exposed AWS server violated the first key principle of Confidentiality in the cybersecurity CIA triad. What was alarming is the amount and types of data that could be accessed, including ID card photos and personally identifiable information (PII) such as names, photos, occupations, and national ID numbers. Beyond that, photographs of airline employees, planes, fueling lines, and luggage handling were also found in the bucket. Unstripped EXIF data in these photographs was exfiltrated, providing the time and date the photographs were taken as well as some GPS locations.
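One form the automated auditing Dylan recommends can take, as an added example that is not drawn from the ZDNet article or from Tripwire’s tooling: a small linter over an S3 bucket policy together with the bucket’s Public Access Block settings. The two policies, the bucket name and the account/role ARNs are constructed; the page does not say what the exposed server’s configuration actually was.

```python
import json

# Two constructed bucket policies, standing in for what
# `aws s3api get-bucket-policy` would return. Neither is from the incident.
EXPOSED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AllowAnyoneToRead",
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-badge-photos",
                 "arn:aws:s3:::example-badge-photos/*"]
  }]
}""")

RESTRICTED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "OnlyTheIngestRole",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::123456789012:role/badge-ingest"},
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-badge-photos/*"
    },
    {
      "Sid": "VpcEndpointOnly",
      "Effect": "Allow",
      "Principal": {"AWS": "*"},
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-badge-photos/*",
      "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}
    }
  ]
}""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(statement):
    """Flatten the Principal element; '*' and {'AWS': '*'} both mean anonymous."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    out = []
    for entries in principal.values():
        out.extend(_as_list(entries))
    return out


def public_statements(policy):
    """Allow statements usable by an anonymous principal. Statements carrying a
    Condition are still returned, flagged for review, because only reading the
    condition tells you whether it genuinely narrows access."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow" or "*" not in _principals(st):
            continue
        findings.append({
            "sid": st.get("Sid", "<no sid>"),
            "actions": _as_list(st.get("Action", [])),
            "conditional": "Condition" in st,
        })
    return findings


def assess_bucket(policy, public_access_block):
    """Combine the policy with the bucket's Public Access Block settings.
    RestrictPublicBuckets limits a public policy to principals in the owning
    account, which is why it neutralises the finding rather than removing it."""
    public = public_statements(policy)
    if not public:
        return {"verdict": "OK", "statements": []}
    if public_access_block.get("RestrictPublicBuckets", False):
        return {"verdict": "PUBLIC_POLICY_BLOCKED", "statements": public}
    unconditional = [f for f in public if not f["conditional"]]
    if unconditional:
        return {"verdict": "PUBLIC", "statements": unconditional}
    return {"verdict": "REVIEW_CONDITIONS", "statements": public}


if __name__ == "__main__":
    for name, policy in (("exposed", EXPOSED_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(name, assess_bucket(policy, {"RestrictPublicBuckets": False}))
```

Run this over every bucket in every account on a schedule, and treat a PUBLIC verdict as an incident rather than a ticket; bucket ACLs and object-level ACLs are a separate exposure path that the policy alone does not show.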

Critical RCE Flaw Addressed by Samba

Security researchers have discovered a critical-severity vulnerability in Samba tracked as “CVE-2021-44142.” An attacker can use the vulnerability, which is an out-of-bounds heap read/write bug, to gain the ability to remotely execute code with root privileges on vulnerable machines, Bleeping Computer wrote on January 31. The team at Samba has since released a fix for the flaw along with workarounds for admins who can’t immediately implement the security patch.

Andrew Swoboda | Senior Security Researcher at Tripwire

Samba is subject to a code execution vulnerability. CVE-2021-44142 allows attackers to execute code with root privileges. Attackers need to have write access to a file’s extended attributes to exploit this issue. This issue exists in the default configuration of the VFS module. Upgrade to Samba version 4.13.17, 4.14.12, or 4.15.5 to fix this issue.
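An added check, not from the Samba project or from Tripwire, that turns Andrew’s two conditions into something an admin can run against a configuration dump: which shares load the fruit VFS module (directly or inherited from [global]) and whether the installed version is at or past the fixed releases he lists. The smb.conf is constructed; the assumption that branches newer than 4.15 postdate the fix is this example’s, not the advisory’s.

```python
import configparser
import re

# Constructed smb.conf standing in for a real server's configuration.
# Share names and paths are hypothetical.
SAMPLE_SMB_CONF = """
[global]
workgroup = EXAMPLE
vfs objects = fruit streams_xattr

[timemachine]
path = /srv/tm
vfs objects = catia fruit streams_xattr

[public]
path = /srv/public
vfs objects = streams_xattr

[plain]
path = /srv/plain
"""

# First release on each branch that carries the CVE-2021-44142 fix.
FIXED_RELEASES = {(4, 13): (4, 13, 17), (4, 14): (4, 14, 12), (4, 15): (4, 15, 5)}


def parse_version(version):
    """'4.13.17-Ubuntu' -> (4, 13, 17); distro suffixes are ignored."""
    return tuple(int(re.match(r"\d+", p).group()) for p in version.split(".")[:3])


def version_is_fixed(version):
    """Branches older than 4.13 were out of support and got no fix; anything
    newer than the 4.15 branch is assumed here to postdate the fix."""
    parts = parse_version(version)
    branch = parts[:2]
    if branch in FIXED_RELEASES:
        return parts >= FIXED_RELEASES[branch]
    return branch > (4, 15)


def parse_smb_conf(text):
    # Only '=' separates keys from values; ':' is part of names like fruit:metadata.
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(text)
    return cp


def vfs_objects(cp, share):
    """A share-level 'vfs objects' replaces the global list; absent, it inherits."""
    raw = cp.get(share, "vfs objects", fallback=None)
    if raw is None:
        raw = cp.get("global", "vfs objects", fallback="")
    return raw.split()


def shares_loading_fruit(conf_text):
    cp = parse_smb_conf(conf_text)
    return [s for s in cp.sections() if s != "global" and "fruit" in vfs_objects(cp, s)]


def remediated_vfs_line(objects):
    """The advisory's workaround for admins who cannot patch yet: drop fruit."""
    return "vfs objects = " + " ".join(o for o in objects if o != "fruit")


def audit(conf_text, samba_version):
    """Findings only for unfixed versions; a patched server needs no workaround."""
    if version_is_fixed(samba_version):
        return []
    cp = parse_smb_conf(conf_text)
    findings = []
    for share in shares_loading_fruit(conf_text):
        objects = vfs_objects(cp, share)
        findings.append({"share": share, "vfs objects": objects,
                         "workaround": remediated_vfs_line(objects)})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SMB_CONF, "4.15.4"):
        print(finding)
```

Note that `plain` is reported even though it never mentions fruit itself: it inherits the module list from [global], which is the case that a grep for `fruit` in share stanzas misses.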

Over $100K Bounty Awarded for Bug Report Detailing Mac Webcam Hack

Apple announced that it has awarded a bug bounty of $100,500 to a security researcher for submitting a report about a vulnerability involving Mac webcams. The issue enabled an actor to access a Mac’s webcam using a universal cross-site scripting bug (UXSS) in Safari, Threatpost pointed out on January 31. An attacker could have then leveraged that flaw as part of an attempt to gain access to the affected device’s filesystem.

Dylan D’Silva | Security Researcher at Tripwire

In a consistent reminder to keep your machines patched and up to date, this researcher exposed four (4) different zero-day bugs that could allow an attacker to gain unauthorized access to the camera on your Mac via a shared iCloud document. This bug leverages UXSS (universal cross-site scripting), which could be used as one part of an overall attack to also gain full access to every website visited by the victim. Additionally, the researcher discovered that it could also steal permissions to leverage other multimedia including the mic and screen-sharing. The flaws exist specifically within Safari 15 and iCloud Sharing as well as in a behind-the-scenes iCloud Sharing app called “ShareBear”.

I read through a fully detailed write-up the researcher posted on medium.com, and for those interested in security research, it helps provide context as to how much work may (or may not) be required. But as you can see by the payout, it can be well worth the time.

I would encourage others to take 15 minutes, find the article on Medium, and read through it.

Nobelium Malware Evaded Detection for Years

According to The Hacker News, security researchers discovered that Nobelium has been using two malware families—a Linux variant of GoldMax and an implant named “TrailBlazer”—to prey upon organizations since 2019. GoldMax acts as a command and control (C&C) backdoor through which attackers can remotely execute arbitrary code on a compromised machine. This threat shares certain functionality with TrailBlazer, a modular backdoor which malicious actors can use to steal information from victims’ devices.

Dylan D’Silva | Security Researcher at Tripwire

The same threat actors behind the massive SolarWinds supply-chain hack of December 2020 have been deploying at least two new malware families as early as 2019.

The first family, which is a Linux variant of GoldMax discovered by Microsoft and FireEye in March 2021, is a Golang-based malware that acts as a C&C/C2 (Command & Control) backdoor. It establishes a secure connection with a remote server to execute arbitrary commands on the compromised host. There appear to be multiple variants of GoldMax.

The second family of malware deployed is called TrailBlazer, which is a backdoor that provides the ability for attackers to have a path for cyber espionage by obfuscating its C2 Traffic as legitimate Google Notification HTTP Requests.

Other threat vectors used to facilitate attacks include:

  • Credential hopping for obscuring lateral movement
  • Office 365 (O365) Service Principal and Application hijacking, impersonation, and manipulation; and
  • Theft of browser cookies for bypassing multi-factor authentication.

The threat actors have also demonstrated the ability to carry out multiple instances of domain credential stealing, leveraging different techniques each time.

Sugar RaaS Sets Sights on Individual Computers

As reported by Security Affairs, the cybersecurity unit at Walmart analyzed a new Ransomware-as-a-Service (RaaS) family called “Sugar.” The researchers observed that Sugar’s handlers aren’t interested in going after large enterprises like so many other RaaS operations. Instead, they’re targeting individual computers.

Dylan D’Silva | Security Researcher at Tripwire

In what is sure to become more prevalent across the cybersecurity landscape, a new ransomware family dubbed “Sugar” is being deployed as Ransomware-as-a-Service (RaaS). The cybersecurity team at Walmart discovered this in the wild in November 2021, and what sets it apart from other ransomware families is that it focuses on individual computers instead of freezing out entire domains/enterprises.

Malicious Video Conferencing App Installers Delivered by SEO Poisoning Campaign

On February 2, Bleeping Computer covered a new SEO poisoning campaign. The attackers involved in this operation began by compromising legitimate websites and using files or HTML links to redirect visitors to other web locations. Those secondary websites claimed to be hosting installers for video conferencing apps like Zoom, but they actually infected users with Batloader and Atera Agent malware.

Andrew Swoboda | Senior Security Researcher at Tripwire

A new search engine poisoning campaign for productivity tools is underway. This campaign has used the Batloader and Atera Agent malware to infect systems. Zoom, TeamViewer, and Visual Studio have been targeted by this campaign. Popular search engines have been used to direct users to the malicious installers. Once the installer is executed, the process will drop malware payloads on the device.

This type of campaign makes it necessary to verify that the link is actually from the company that makes the product. It would be wise to examine the hashes that the actual software company provides with the installers. Unless the software company’s website is compromised, the hashes should be a good indicator of an unmodified installer.
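The hash check Andrew describes, as an added Python example (not Tripwire’s code and not tied to any of the vendors named above): it parses a vendor-published SHA256SUMS-style file, hashes the local installer in chunks so large files do not need to fit in memory, and compares in constant time. The installer bytes, the product name and the published sums are constructed so the example runs offline.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash a megabyte at a time

# Constructed "genuine" installer and a tampered copy; one byte is enough to differ.
GENUINE = b"MZ\x90\x00" + b"constructed installer body " * 64
TAMPERED = GENUINE + b"\x00dropper"
INSTALLER_NAME = "ExampleConf-Setup.exe"   # hypothetical product

# What a vendor would publish on its download page, in sha256sum format (constructed).
VENDOR_SUMS = (
    "# SHA256SUMS for ExampleConf 1.0 (constructed)\n"
    f"{hashlib.sha256(GENUINE).hexdigest()}  {INSTALLER_NAME}\n"
)


def file_digest(path, algorithm="sha256"):
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sums(text):
    """Parse '<hex>  <name>' lines. GNU coreutils marks binary mode with a
    leading '*' on the name; strip it so the lookup by file name works."""
    published = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        published[name.strip().lstrip("*")] = digest.lower()
    return published


def verify_installer(path, sums_text, algorithm="sha256"):
    """Return (ok, reason). Every failure is a distinct reason so a mismatch is
    never confused with 'the vendor did not publish a hash for this file'."""
    path = Path(path)
    expected = parse_sums(sums_text).get(path.name)
    if expected is None:
        return False, f"no published {algorithm} for {path.name}"
    want_len = hashlib.new(algorithm).digest_size * 2
    if len(expected) != want_len or any(c not in "0123456789abcdef" for c in expected):
        return False, f"published value is not a valid {algorithm} hex digest"
    actual = file_digest(path, algorithm)
    if hmac.compare_digest(actual, expected):
        return True, "matches vendor-published hash"
    return False, f"MISMATCH: file {actual[:12]}... vs published {expected[:12]}..."


def write_sample(tampered):
    """Drop the constructed installer into a fresh temp dir and return its path."""
    p = Path(tempfile.mkdtemp(prefix="installer-")) / INSTALLER_NAME
    p.write_bytes(TAMPERED if tampered else GENUINE)
    return p


if __name__ == "__main__":
    print(verify_installer(write_sample(False), VENDOR_SUMS))
    print(verify_installer(write_sample(True), VENDOR_SUMS))
```

Fetch the sums from the vendor’s own site over TLS, not from the page that served the download; a poisoned mirror can publish a hash that matches its own trojanised file. Where the vendor signs releases (Authenticode on Windows, detached GPG signatures on Linux), checking the signature is the stronger test, because it verifies who produced the file rather than only that it has not changed since someone wrote down its hash.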

Over Half of Infosec Pros Believe Their Cloud Security Efforts Aren’t Effective

Dark Reading shared the findings of a survey in which 55% of security professionals said that their cloud security efforts were not effective. When asked to explain, most respondents said that they had to navigate a false-positive rate of around 20%. A third said that they needed to contend with a false-positive rate of as much as 50%.

Samantha Zeigler | Security Researcher at Tripwire

One of the biggest threats to accurate security assessments for customers is inaccurate and missing information. As many companies move to cloud-based software, access to the security information they need is reduced as the data is hosted by other companies. Creating a product with a low defect rate and short resolution times is increasingly important. This is why we work to keep defect rates down and write coverage for CVEs as rapidly as we can to help protect our customers.

Keep in Touch with Tripwire VERT

Want more insights from Tripwire VERT before our next cybersecurity news roundup comes out? Subscribe to our newsletter here.
