Working for an Australian company can make it difficult to be a die-hard NFL fan. Making matters worse is that most of my American colleagues are in Boston, a true nightmare for someone born and raised in New Jersey. The only thing I have to hold over their heads is that I can legally bet […]
Linux and Unix operating systems require regular patching like any IT system, but as security professionals, ethical hackers, and criminal hackers will tell you, regular Linux and Unix patching is often neglected.
CVE-2021-3156 sudo Vulnerability
Last week (26th January 2021) a new critical-rated Linux/Unix vulnerability was made public as CVE-2021-3156. Specifically, the vulnerability is within the ‘sudo’ program, which is an abbreviation of ‘superuser do’ (well, that’s how I remember it). Sudo is a powerful and fundamental program found in all Linux and Unix distributions, allowing users to execute programs with the security privileges of another user. A typical use of sudo is where you need to run a program with privileged (i.e. administrator) access rights.
The sudo ‘heap overflow’ vulnerability was discovered by Qualys researchers; the exploit allows any unprivileged user to gain root-level (i.e. administrative) privileges. Qualys has posted a blog and video which explain and demonstrate the exploitation technique, which, as exploits go, is fairly quick and easy to do. See CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit) | Qualys Security Blog
The Security Concern
This vulnerability in sudo has been present for nearly 10 years; all sudo versions prior to 1.9.5p2 are to be considered vulnerable. The issue is that Linux is embedded everywhere, yet many systems are rarely, if ever, updated. From IoT devices to internet-based services, the security of countless devices and web-based services is dependent upon a secure Linux account privilege model. While their Linux operating systems remain unpatched against CVE-2021-3156, they sit there insecure and waiting to be hacked.
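A quick way to turn the advisory's threshold into a check is to compare the installed sudo version against 1.9.5p2. The following is an added example, not code from the original post or from Qualys: it parses the first line of `sudo -V` output (the `Sudo version X.Y.Z` banner) and sudo's `p`-suffixed patch-level scheme, then orders versions numerically. One caveat matters in practice: distributions often backport the fix without moving to the upstream version number, so a version-only check can report a patched package as vulnerable; the distribution's own advisory and package changelog are authoritative, and the code says so in its result.

```python
import re
import subprocess
from typing import Optional, Tuple

# Threshold taken from the advisory text: every version before this is treated as vulnerable.
FIXED_VERSION = "1.9.5p2"

# sudo versions look like 1.8.31, 1.8.31p2, 1.9.5p1; the "p" suffix is a patch-level number.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:p(\d+))?$")


def parse_sudo_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '1.8.31p2' into (1, 8, 31, 2). Missing components count as zero,
    so '1.9.5' sorts below '1.9.5p1', which is how sudo orders its releases."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised sudo version string: {text!r}")
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch or 0), int(plevel or 0))


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the upstream version number is below the fixed release."""
    return parse_sudo_version(version) < parse_sudo_version(fixed)


def version_from_banner(banner: str) -> str:
    """Pull the version out of `sudo -V` output, whose first line reads 'Sudo version 1.8.31'."""
    m = re.search(r"Sudo version\s+(\S+)", banner)
    if not m:
        raise ValueError("no 'Sudo version' line in banner")
    return m.group(1)


def check_local_sudo() -> Optional[bool]:
    """Run `sudo -V` (needs no privileges) and classify the result; None if sudo is absent.
    Caveat: distributions backport fixes without bumping the upstream version, so True
    here means 'check the distro advisory and changelog', not 'definitely unpatched'."""
    try:
        proc = subprocess.run(["sudo", "-V"], capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    return is_vulnerable(version_from_banner(proc.stdout))


if __name__ == "__main__":
    for v in ("1.8.31", "1.8.31p2", "1.9.5p1", "1.9.5p2", "1.9.6"):
        print(f"{v:10s} vulnerable by version number: {is_vulnerable(v)}")
    print("local sudo vulnerable by version number:", check_local_sudo())
```

For fleet-wide use the same comparison can be fed from a package inventory instead of `sudo -V`, which is also where the backport caveat is easiest to handle, since the package version string carries the distribution's own revision.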
Late last December we started getting distress calls from our forum patrons. Patrons were experiencing ads that opened in their default browser out of nowhere. The odd part is that none of them had recently installed any apps, and the apps they had installed came from the Google Play store. Then one patron, who goes by the username Anon00, discovered that it was coming from a long-installed app, Barcode Scanner, an app with 10,000,000+ installs from Google Play! We quickly added detection, and Google quickly removed the app from its store.
Simple scanner turns evil
Many of the patrons had the app installed on their mobile devices for long periods of time (one user had it installed for several years). Then, all of a sudden, after an update in December, Barcode Scanner had gone from an innocent scanner to full-on malware! Although Google has already pulled this app, we estimate from a cached Google Play webpage that the update occurred on December 4th, 2020.
Malicious intent
The majority of free apps on Google Play include some kind of in-app advertising. They do this by including an ad SDK in the app’s code, usually at the end of the app’s development. Paid-for versions simply do not have this SDK included.
Ad SDKs can come from various third-party companies and provide a source of revenue for the app developer. It’s a win-win situation for everyone. Users get a free app, while the app developers and the ad SDK developers get paid.
But every once in a while, an ad SDK company can change something on their end and ads can start getting a bit aggressive, sometimes even landing the apps that use it in the Adware category. When this happens, it is not the app developers’ doing, but the SDK company’s. I explain this mechanism only to say that in the case of Barcode Scanner, this was not what happened.
No, in the case of Barcode Scanner, malicious code had been added that was not in previous versions of the app. Furthermore, the added code used heavy obfuscation to avoid detection. To verify that this came from the same app developer, we confirmed it had been signed by the same digital certificate as previous clean versions. Because of its malign intent, we jumped past our original detection category of Adware straight to Trojan, with the detection of Android/Trojan.HiddenAds.AdQR.
Bad behavior
The toughest part of malware analysis can be replicating what our users are experiencing. That wasn’t a problem with Barcode Scanner; it went into action within minutes of install. Watch the short video below to see its malicious behavior:
Removed from Play, but not from mobile device
Removing an app from the Google Play store does not necessarily mean it will be removed from affected mobile devices. Unless Google Play Protect removes it after the fact, it remains on the device. This is exactly what users are experiencing with Barcode Scanner. Thus, until they install a malware scanner like Malwarebytes for Android, or manually remove the app, it will continue to display ads.
Lying dormant
It is hard to tell just how long Barcode Scanner had been in the Google Play store as a legitimate app before it became malicious. Based on the high number of installs and user feedback, we suspect it had been there for years. It is frightening that with one update an app can turn malicious while going under the radar of Google Play Protect. It is baffling to me that an app developer with a popular app would turn it into malware. Was this the scheme all along, to have an app lie dormant, waiting to strike after it reaches popularity? I guess we will never know.
Emulators have played a part in many tech-savvy users’ lives. They introduce a level of flexibility that not only allows another system to run on top of a user’s operating system (a Windows OS running on a MacBook laptop, for example) but also allows video gamers to play games designed to work on a different platform than the one they own.
Recently, ESET revealed a campaign that targeted users of NoxPlayer, a popular Android emulator for PCs and Macs. Affected users didn’t have to visit a potentially dubious website to get malware. All they did was download the update for NoxPlayer.
What we see here is the latest example of a supply-chain attack, wherein threat actors were able to manipulate a legitimate executable file to make it behave in a way it’s not supposed to. In this case, attackers manipulated two files: Nox.exe, the main NoxPlayer file, and NoxPack.exe, the downloader of the update itself. The latter is its infection vector.
How users can get infected
Everything starts and happens at the backend where users cannot see what is really going on.
In the post, ESET explains that upon opening NoxPlayer (and before a message pops up telling users that a software update is available for download) the program queries the update server via the BigNox HTTP API to check for updates and, if one is available, retrieves update-related information. This includes the URL where the update file is housed.
The researchers believe that certain sections of the BigNox infrastructure were compromised. It’s thought that either the attackers replaced the legitimate update file with malware, or changed the file name or download URL to point to a destination they controlled. These new download URLs mimicked the legitimate download location of the NoxPlayer update.
Malware was then executed on affected systems. Reconnaissance is pinned as the main purpose of this yet unknown malware. The researchers also observed that throughout the end of 2020 and the start of 2021, certain victims were infected with other malware.
Signs of the times
The video gaming industry isn’t exempt from cyberattacks and online risks. For years, companies within the industry have been targeted by phishing, scammers, and sometimes malware.
Because the current pandemic has fueled the popularity of video gaming, including how much people spend within these games, it shouldn’t surprise anyone that cybercriminals are homing in on them now more than ever. This particular attack on a gaming emulator company may seem unusual, but it aligns with the current trend.
While video gamers are enjoying their games, they should realize that they have caught the attention of cybercriminals. Similarly, video game companies should understand they are targets too. To keep the cybercriminals at bay, both will need to do their part.
At ManageEngine, we are developing one of the most comprehensive and fully integrated IT management software suites on the market. We have more than 90 products and free tools to manage all of your IT needs, including management of Active …
An international program that pays out hefty sums for the discovery of software vulnerabilities could spur greater scrutiny of applications and lead to better security.
Our thanks to BSidesSF and Conference Speakers for publishing their outstanding presentations; which originally appeared at the group’s BSidesSF 2020 Conference, and on the Organization’s YouTube Channel. Additionally, the BSidesSF 2021 Conference will take place on March 6 – 9, 2021 – with no cost to participate. Enjoy!
ThreatStack announced this week that it has integrated its observability platform for tracking cybersecurity events with the EC2 cloud service from Amazon Web Services (AWS). Chris Ford, vice president of product for ThreatStack, said the company’s namesake platform for tracking security events can now consume metadata collected from EC2 by deploying an instance of its..
Attackers often use automation in fuzzing attacks, injection attacks, fake bots, and application DDoS attacks.
Cybercriminals targeting Web applications have grown more reliant on automated tools in their attacks, report Barracuda Networks researchers who analyzed two months of attack data.
The top five threat types were dominated by attacks deployed using automated tools, they found. Fuzzing attacks (19.46%) were most prevalent, followed by injection attacks (12.07%), fake bots (12.02%), application distributed denial-of-service (9.29%), and blocked bots (1.2%).
Automated attacks rely on bots to exploit vulnerabilities in Web applications, and there are two classes of attackers who use them. The larger share of traffic comes from attackers who don’t try to target a specific website but deploy automated attacks at scale. Another, smaller group uses automated tools to target e-commerce websites and other sites to generate a profit.
These threats may take the form of fake bots posing as Google bots to avoid detection, or they could manifest as app DDoS attacks trying to crash a website by quietly overloading a Web app. Most attack traffic came from fuzzing, or reconnaissance, tools used to probe apps for bugs.
“You typically use fuzzing attacks as a way to test the applications and find out the bounds of the application, and then you use those results … to go and try to break the application,” says Tushar Richabadas, senior product marketing manager of Applications and Cloud Security, and leader of this research.
An attacker may try to send a large number of parameters in the URL to see how an application behaves, he explains. The app may throw an error and display a page where the attacker can learn it uses a SQL database. Knowing this, they could try a SQL injection attack and see if the app doesn’t sanitize something properly, which could help them gain access to the database.
A fuzzing attack is typically a first step in an attack, Richabadas says. With the knowledge they gain from fuzzing, an attacker can figure out how to move forward. Most attacks researchers observed against JSON APIs were testing boundary conditions, attempting to fuzz the APIs.
Injection attacks, the second most common type of automated attack, are a known classic Web application threat. Most attackers used automated tools like sqlmap to try to break into apps, and many of these attacks were “script kiddie-level noise,” the researchers write in a blog post.
This “noise” made up the bulk of attack traffic researchers analyzed, Richabadas points out.
“There [is] a small number of sophisticated attackers going off to specific sites, but they are, to an extent, an exception in the data that we saw,” he explains. “The more prevalent are lesser-skilled attackers who are just starting out. … They make up the overwhelming amount of traffic.”
These lesser-skilled attackers slowly learn how the threats work; as they persist, they become more specialized and go in one of two directions, Richabadas continues. Some become bug bounty hunters and pursue white-hat cybersecurity careers; others pursue cybercrime, where they go on to create attack tools themselves.
Organizations are getting better at defending against fake bots, the third most common type of automated attack, but these bots are more prevalent today than they were a year ago, he adds.
“People are definitely waking up to the problems that bots are causing,” he says. Most major e-commerce companies, along with airlines and media publications, have begun to invest in bot management solutions. The attackers who employ fake bots likely are after information from a specific site but don’t want to be recognized or stopped, so they disguise themselves as a bot.
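The standard way to separate a genuine Google crawler from a client that merely sets a Googlebot User-Agent is the two-step DNS check Google documents: the IP's reverse (PTR) name must fall under googlebot.com or google.com, and a forward lookup of that name must resolve back to the same IP. The code below is an added example, not from the article or from Barracuda. The resolver functions are injectable, so the demonstration runs against a constructed in-memory DNS table (documentation address ranges and invented hostnames) rather than live lookups; with the defaults it performs real `socket` lookups.

```python
import socket
from typing import Callable, Iterable

# Domains Google documents for crawler verification.
GOOGLE_CRAWLER_DOMAINS = ("googlebot.com", "google.com")


def _live_reverse(ip: str) -> str:
    return socket.gethostbyaddr(ip)[0]


def _live_forward(hostname: str) -> Iterable[str]:
    return socket.gethostbyname_ex(hostname)[2]


def verify_googlebot(ip: str,
                     reverse: Callable[[str], str] = _live_reverse,
                     forward: Callable[[str], Iterable[str]] = _live_forward) -> bool:
    """Reverse lookup must land under a Google crawler domain, and the forward lookup of that
    name must contain the original IP. The PTR record belongs to whoever runs the reverse zone
    for the address, so on its own it proves nothing; the forward step ties the name to Google."""
    try:
        host = reverse(ip).rstrip(".").lower()
    except OSError:  # socket.herror / socket.gaierror are OSError subclasses
        return False
    if not any(host == d or host.endswith("." + d) for d in GOOGLE_CRAWLER_DOMAINS):
        return False
    try:
        return ip in set(forward(host))
    except OSError:
        return False


def classify_request(ip: str, user_agent: str, **resolvers) -> str:
    """'not-claimed' if the UA does not say Googlebot, otherwise 'verified' or 'fake'."""
    if "googlebot" not in user_agent.lower():
        return "not-claimed"
    return "verified" if verify_googlebot(ip, **resolvers) else "fake"


# Constructed DNS table for the offline demonstration (documentation ranges, invented names).
_PTR = {
    "192.0.2.10": "crawl-192-0-2-10.googlebot.com",    # genuine: PTR and forward agree
    "198.51.100.4": "crawl-192-0-2-10.googlebot.com",  # PTR names a Google host, forward disagrees
    "203.0.113.9": "vps-9.example-hosting.net",        # ordinary host sending a Googlebot UA
}
_FWD = {"crawl-192-0-2-10.googlebot.com": ["192.0.2.10"]}


def fake_reverse(ip: str) -> str:
    try:
        return _PTR[ip]
    except KeyError:
        raise OSError("no PTR record") from None


def fake_forward(host: str):
    try:
        return _FWD[host]
    except KeyError:
        raise OSError("no A record") from None


def demo():
    """Classify four constructed clients that all present a Googlebot User-Agent."""
    ua = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
    return {ip: classify_request(ip, ua, reverse=fake_reverse, forward=fake_forward)
            for ip in ("192.0.2.10", "198.51.100.4", "203.0.113.9", "192.0.2.99")}


if __name__ == "__main__":
    for ip, verdict in demo().items():
        print(f"{ip:14s} {verdict}")
```

Because each verification costs two DNS round trips, production deployments cache verdicts per IP and only run the check for requests that claim a crawler identity; everything else goes through the normal bot-management path.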
Application DDoS attacks were “surprisingly prevalent,” researchers found. These are different from the more talked-about volumetric DDoS attacks, which are usually intended to bring a site down and are easily detectable because of their effects.
“When it comes to an application DDoS attack, it’s more subtle,” Richabadas explains. “You’ll try to find a way to overload the site’s resources without being noticed.” For example, an attacker will try to download a very large file, very slowly, or try to overload an app’s search function. The app doing all these transactions will slow down without a detectable spike in traffic.
Application DDoS attacks aren’t as widely known and most applications protect against it, so these incidents are typically targeted, he adds. The researchers couldn’t conclude why this type of threat saw an increase.
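Because an application-layer DDoS produces no traffic spike, per-client request counts will not surface it; server time per client will. The following is an added example, not from the article or from Barracuda: it parses a constructed access-log sample (fields and values invented for the demonstration) and flags two things, clients whose total server time dwarfs the median client's, and large responses transferred at a trickle, which is the slow-download pattern Richabadas describes. In the sample the abusive clients send no more requests than the ordinary ones.

```python
import statistics
from collections import defaultdict
from dataclasses import dataclass

# Constructed access-log sample (not from the article). Fields:
# client method path status bytes duration_ms
SAMPLE_LOG = """\
10.0.0.5 GET /index.html 200 1843 12
10.0.0.5 GET /static/app.js 200 52110 30
10.0.0.5 GET /products 200 7811 18
10.0.0.11 GET /index.html 200 1843 10
10.0.0.11 GET /products 200 7811 45
10.0.0.12 GET /index.html 200 1843 15
10.0.0.12 GET /cart 200 2210 22
10.0.0.13 GET /index.html 200 1843 20
10.0.0.9 GET /search?q=a 200 9120 4800
10.0.0.9 GET /search?q=b 200 9211 5100
10.0.0.9 GET /search?q=c 200 9005 4950
10.0.0.7 GET /downloads/report.zip 200 52428800 600000
"""


@dataclass(frozen=True)
class Request:
    client: str
    method: str
    path: str
    status: int
    size: int          # response bytes
    duration_ms: int   # server-side time spent on the request


def parse_log(text):
    """Parse the whitespace-separated sample format above into Request records."""
    requests = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, method, path, status, size, duration = line.split()
        requests.append(Request(client, method, path, int(status), int(size), int(duration)))
    return requests


def request_counts(requests):
    counts = defaultdict(int)
    for r in requests:
        counts[r.client] += 1
    return dict(counts)


def per_client_server_time(requests):
    totals = defaultdict(int)
    for r in requests:
        totals[r.client] += r.duration_ms
    return dict(totals)


def server_time_hogs(requests, factor=50.0):
    """Clients whose total server time is at least `factor` times the median client's.
    Returns {client: multiple_of_median}. The median is a sound baseline only while
    abusive clients are a minority; if they dominate, anchor the baseline elsewhere."""
    totals = per_client_server_time(requests)
    baseline = statistics.median(totals.values())
    if baseline <= 0:
        return {}
    return {c: round(t / baseline, 1) for c, t in totals.items() if t >= factor * baseline}


def slow_downloads(requests, min_bytes=1_000_000, max_kbit_s=1000):
    """Large responses delivered at a trickle; each one occupies a worker for the whole transfer."""
    hits = []
    for r in requests:
        if r.size >= min_bytes and r.duration_ms > 0:
            kbit_s = (r.size * 8 / 1000) / (r.duration_ms / 1000)
            if kbit_s < max_kbit_s:
                hits.append((r.client, r.path, round(kbit_s)))
    return hits


if __name__ == "__main__":
    reqs = parse_log(SAMPLE_LOG)
    print("requests per client:", request_counts(reqs))
    print("server-time hogs (x median):", server_time_hogs(reqs))
    print("slow large downloads:", slow_downloads(reqs))
```

The two signals complement each other: the search-heavy client shows up only through accumulated server time, while the slow download is a single request whose throughput, not its count or size, is the giveaway.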
While automated attacks are not new to the threat landscape, the operators behind them are becoming increasingly diligent, Richabadas says. “Most of this [attack] traffic that we’ve seen is noise and the signal is actually hidden,” he notes. “Attackers are getting more intelligence, and they are bypassing measures by pretending to be almost human, and so on.”
Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial …