Latest issue of my curated #cybersecurity and #infosec list of resources for week #06/2024 is out! It includes the following and much more:
- #Juniper Support Portal Exposed Customer Device Info
- Major #DataBreach in #Thailand Exposes Personal Data of 20 Million Elderly Citizens
- Millions at risk of fraud after massive health data hack in #France
- #Verizon employee inadvertently leaks data of 63 thousand colleagues
- #AnyDesk Hacked: Revokes Passwords, Certificates in Response
- #Clorox says #cyberattack caused $49 million in expenses
- #Ransomware Payments Exceed $1 Billion in 2023, Hitting Record High After 2022 Decline
- US offers $10 million for tips on #Hive ransomware leadership
- #China-backed Volt Typhoon hackers have lurked inside US #criticalinfrastructure for "at least five years"
- Chinese Hackers Exploited #FortiGate Flaw to Breach Dutch #Military Network
- #Iran accelerates cyber ops against #Israel from chaotic start
- Belarusian National Linked to BTC-e Faces 25 Years for $4 Billion #Crypto Money Laundering
- #Finance worker pays out $25 million after video call with #deepfake "chief financial officer"
- #ukraine is Creating a "Cyber Diplomat" Post
- #Denmark orders schools to stop sending student data to #Google
- #EU proposes criminalizing AI-generated child sexual abuse and deepfakes
- #Uber Fined 10 Million Euros by Dutch Data Regulator
- US to Roll Out Visa Restrictions on People Who Misuse #Spyware to Target Journalists, Activists
- Raspberry Robin #Malware Upgrades with #Discord Spread and New Exploits
- New #macOS Backdoor Linked to Prominent Ransomware Groups
- Surprising 3 Million Hacked #Toothbrushes Story Goes Viral—Is It True?
- #Canada declares #FlipperZero public enemy No. 1 in car-theft crackdown
- #Ivanti: Patch new Connect Secure auth bypass bug immediately
- Security flaw in a popular smart helmet allowed silent location tracking
- Critical Patches Released for New Flaws in #Cisco, #Fortinet, #VMware Products
- Critical Boot Loader #Vulnerability in Shim Impacts Nearly All #Linux Distros
- #Airbus App Vulnerability Introduced Aircraft Safety Risk
- #QNAP Patches High-Severity Bugs in QTS, Qsync Central
--
This week's recommended reading is: "x86 Software Reverse-Engineering, Cracking, and Counter-Measures" by Stephanie Domas & Christopher Domas
--
Subscribe to the #infosecMASHUP newsletter to have it piping hot in your inbox every week-end.
Anyone with an internet-facing #fortinet #fortigate: I would recommend updating to the latest version of #fortiOS (released a couple of hours ago). Feels like something nasty coming up there...
A recent advisory from the Dutch #MIVD & #AIVD has exposed a new threat lurking within #FortiGate appliances: the #COATHANGER malware, a remote access trojan (RAT) that's as elusive as it is persistent. Here are the highlights taken from their released TLP-CLEAR advisory:
Incident response uncovered previously unpublished malware, a remote access trojan (RAT) designed specifically for Fortigate appliances.
MIVD & AIVD refer to the malware as COATHANGER based on a string present in the code.
It hides itself by hooking system calls that could reveal its presence.
It survives reboots and firmware upgrades. Even fully patched FortiGate devices may therefore be infected, if they were compromised before the latest patch was applied.
MIVD & AIVD have high confidence that the malicious activity was conducted by a state-sponsored actor from the People's Republic of China.
The Chinese threat actor(s) scan for vulnerable edge devices at scale and gain access opportunistically, and likely introduce COATHANGER as a communication channel for select victims.
Initial access occurred through exploitation of the CVE-2022-42475 vulnerability.
Although this incident started with abuse of CVE-2022-42475, the COATHANGER malware could conceivably be used in combination with any present or future software vulnerability in FortiGate devices.
MIVD & AIVD refer to this RAT as COATHANGER. The name is derived from the peculiar phrase that the malware uses to encrypt the configuration on disk: "She took his coat and hung it up".
Please note that second-stage malware like COATHANGER is used in tandem with a vulnerability: the malware is used for persistence in a victim network after the actor has gained access.
The implant connects back periodically to a Command & Control server over SSL, providing a BusyBox reverse shell.
It hides itself by hooking most system calls that could reveal its presence, such as stat and opendir. It does so by replacing them for any process that is forced to load preload.so.
Section 3.2 of the PDF has a detailed description of how COATHANGER malware behaves and interacts.
Communication to the C2 server is done over a TLS tunnel. Inside that tunnel, COATHANGER first sends the following HTTP GET request to the C2 server (line breaks written as \n): GET / HTTP/2\nHost: www.google.com\n\n
The COATHANGER malware drops the following files:
/bin/smartctl or /data/bin/smartctl
/data2/.bd.key/authd
/data2/.bd.key/httpsd
/data2/.bd.key/newcli
/data2/.bd.key/preload.so
/data2/.bd.key/sh
/lib/liblog.so
Several methods have been identified to detect COATHANGER implants, and MIVD & AIVD also released a script for automated detection. The methods include a YARA rule, a JA3 hash, different CLI commands, file checksums and a network traffic heuristic.
Two YARA rules are provided for detection on the COATHANGER samples.
The COATHANGER implant communicates to the C2 server using TLS. This TLS connection is fingerprintable using the following JA3-hash: 339f6adf54e6076d069dcaac54fddc25
With access to the CLI of a FortiGate device, the presence of COATHANGER can be detected in three ways.
Check if the files /bin/smartctl or /data/bin/smartctl exist and inspect the timestamps of smartctl and other files in the same directory. If smartctl was modified later than the majority of other files or is not a symlink, it is likely that the smartctl binary was tampered with.
Use the following commands:
fnsysctl ls -la /bin
fnsysctl ls -la /data/bin
The following command shows a list of active TCP sockets. Whenever the FortiGate device has internet access and the malware is active, the outgoing connection will appear in the results. Check the reputation of all outgoing connection IPs:
diagnose sys tcpsock
The specific version of COATHANGER that this report describes uses the process name 'httpsd' to obfuscate itself. Therefore, any suspicious outgoing connection to an external IP address from a process called httpsd is a strong indicator of the presence of COATHANGER. All active processes can be listed using the following command:
fnsysctl ps
Running the following command returns all PIDs named 'httpsd':
diagnose sys process pidof httpsd
Using the process IDs retrieved by the previous command, the following yields process information for the processes named httpsd:
diagnose sys process dump <PID>
When the process has a GID set to 90, the device is infected with COATHANGER.
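The three CLI checks above can be applied offline to captured command output. The script below is an added example and is not the advisory's own detection script; it implements the heuristics as the advisory states them (smartctl not a symlink or newer than most of its siblings, an outgoing httpsd connection to an external address, a dumped process with GID 90). The sample outputs are constructed, `fnsysctl ls -la` is assumed to print BusyBox-style columns, the line layout of `diagnose sys tcpsock` is assumed, and `diagnose sys process dump` is assumed to print /proc/<pid>/status-style fields; REFERENCE_YEAR and LOCAL_SERVICE_PORTS are assumptions of this example.

```python
# Offline triage of FortiGate CLI output against the COATHANGER indicators
# from the MIVD/AIVD advisory. Added example, not the advisory's script.
import ipaddress
import re
from datetime import datetime

COATHANGER_GID = 90            # GID the advisory ties to the implant
SUSPECT_PROCESS = "httpsd"     # process name the implant hides behind

# Assumption: BusyBox `ls -la` prints "Mon DD HH:MM" for recent files and
# no year, so one must be supplied to compare timestamps.
REFERENCE_YEAR = 2024
# Assumption: local ports on which httpsd legitimately accepts sessions.
LOCAL_SERVICE_PORTS = {443}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def parse_ls_entry(line):
    """Split one BusyBox `ls -la` line into (name, mtime, is_symlink)."""
    parts = line.split(None, 8)
    if len(parts) < 9:
        return None
    perms, month, day, time_or_year, name = (parts[0], parts[5], parts[6],
                                             parts[7], parts[8])
    name = name.split(" -> ")[0]            # drop symlink target
    if ":" in time_or_year:                 # recent file: "Feb  3 11:42"
        mtime = datetime.strptime(f"{REFERENCE_YEAR} {month} {day} {time_or_year}",
                                  "%Y %b %d %H:%M")
    else:                                   # older file: "Jan 10  2023"
        mtime = datetime.strptime(f"{time_or_year} {month} {day}", "%Y %b %d")
    return name, mtime, perms.startswith("l")


def smartctl_findings(ls_output):
    """Flag smartctl if it is not a symlink or is newer than most siblings."""
    entries = [e for e in map(parse_ls_entry, ls_output.splitlines()) if e]
    target = next((e for e in entries if e[0] == "smartctl"), None)
    if target is None:
        return []
    _, mtime, is_link = target
    findings = []
    if not is_link:
        findings.append("smartctl is not a symlink")
    others = [e[1] for e in entries if e[0] != "smartctl"]
    if others and sum(m < mtime for m in others) > len(others) / 2:
        findings.append("smartctl modified later than most files in its directory")
    return findings


# Assumed tcpsock layout: "<lip>:<lport>-><rip>:<rport> ... process=<pid>/<name>"
SOCK_RE = re.compile(r"([\d.]+):(\d+)->([\d.]+):(\d+).*?process=(\d+)/(\S+)")


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def suspicious_sockets(tcpsock_output):
    """Return (remote, pid) for httpsd sockets that look like outbound
    connections to external addresses (advisory C2 indicator)."""
    hits = []
    for line in tcpsock_output.splitlines():
        m = SOCK_RE.search(line)
        if not m:
            continue
        _, lport, rip, rport, pid, name = m.groups()
        if name != SUSPECT_PROCESS or int(lport) in LOCAL_SERVICE_PORTS:
            continue                        # legitimate admin GUI session
        if not is_internal(rip):
            hits.append((f"{rip}:{rport}", int(pid)))
    return hits


def infected_gid(dump_output):
    """True when the dumped process runs with GID 90 (advisory indicator)."""
    m = re.search(r"^Gid:\s+(\d+)", dump_output, re.MULTILINE)
    return m is not None and int(m.group(1)) == COATHANGER_GID


# Constructed sample outputs (not real device data).
SAMPLE_LS_BIN = """\
lrwxrwxrwx    1 root     root            9 Jan 10  2023 cli -> /bin/init
lrwxrwxrwx    1 root     root            9 Jan 10  2023 httpsd -> /bin/init
-rwxr-xr-x    1 root     root       983040 Feb  3 11:42 smartctl
lrwxrwxrwx    1 root     root            9 Jan 10  2023 sshd -> /bin/init
"""
SAMPLE_TCPSOCK = """\
10.0.1.1:443->10.0.1.50:52210 state=established process=812/httpsd
10.0.1.1:51234->203.0.113.5:443 state=established process=1337/httpsd
10.0.1.1:22->10.0.1.50:52211 state=established process=640/sshd
"""
SAMPLE_DUMP = "Name:\thttpsd\nPid:\t1337\nPPid:\t1\nUid:\t0\t0\t0\t0\nGid:\t90\t90\t90\t90\n"

if __name__ == "__main__":
    print("smartctl:", smartctl_findings(SAMPLE_LS_BIN))
    print("sockets:", suspicious_sockets(SAMPLE_TCPSOCK))
    print("GID 90:", infected_gid(SAMPLE_DUMP))
```

Run against real captures, the three functions only narrow the search: a benign smartctl that was legitimately replaced during an upgrade will still be reported, so confirm any hit with the file checksums and YARA rules from the advisory before declaring the device infected.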
Journey into an issue our team had to overcome to perform comprehensive research on #FortiGate firmware.
Get a firsthand look at the process involved in performing #security research and check out FortiCrack, which you can use to decrypt encrypted #Fortinet #FortiOS firmware images. #infosec #hacking
About 336,000 #FortiGate devices are believed to be vulnerable to #CVE-2023-27997 - even with fixes available.
This CRN story highlights the research our Capability Development team (led by Caleb Gross) has conducted into this widespread Fortinet #vulnerability.
(If you think you're affected, make sure to upgrade your firmware ASAP.)
Our team has created a tool to quickly check if a remote #FortiGate firewall is affected by the critical #vulnerability CVE-2023-27997.
This is a heap buffer overflow issue caused by an incorrect length check in the FortiGate SSL VPN, and because of FortiGate's wide internet footprint, we've released this tool publicly to help others protect themselves. Read how this vulnerability assessment tool works in the write-up from Caleb Gross.
Latest issue of my curated #cybersecurity and #infosec list of resources for week #24/2023 is out! It includes the following and much more:
- The US Navy, NATO, and #NASA are using a shady Chinese company's #encryption chips
- #Ransomware Group Starts Naming Victims of #MOVEit Zero-Day Attacks
- New Supply Chain Attack Exploits Abandoned #S3Buckets to Distribute Malicious Binaries
- #XSS Vulnerabilities in #Azure Led to Unauthorized Access to User Sessions
- #Barracuda ESG zero-day attacks linked to suspected Chinese hackers
- Russian national arrested in Arizona, charged for alleged role in #LockBit ransomware attacks
- Russia-backed hackers unleash new USB-based malware on #Ukraine's military
- LockBit Ransomware Extorts $91 Million from U.S. Companies
- #Microsoft identifies new hacking unit within Russian military intelligence
- Fake Researcher Profiles Spread #Malware through #GitHub Repositories as PoC Exploits
- Massive #phishing campaign uses 6,000 sites to impersonate 100 brands
- Chinese Cyberspies Caught Exploiting #VMware ESXi #ZeroDay
- Microsoft #PatchTuesday, June 2023 Edition
- Microsoft: Azure Portal #outage was caused by traffic "spike"
- #China's cyber now aimed at infrastructure, warns CISA boss
- Ex-Samsung executive alleged to have stolen tech to recreate chip plant in China
- Swiss Fear Government Data Stolen in Cyberattack
- #Fortinet fixes critical RCE flaw in #Fortigate SSL-VPN devices, patch now
This week's recommended reading is: "The Cyber Effect: An Expert in Cyberpsychology Explains How Technology Is Shaping Our Children, Our Behavior, and Our Values—and What We Can Do About It" by Prof Mary Aiken
Subscribe to the #newsletter to have it piping hot in your inbox every Sunday.