At a glance.
- Thousands of Salt instances vulnerable to remote code execution.
- New Android Trojan could become an enduring threat.
- Cerberus spreads to more than three-quarters of a company's mobile devices.
- New botnet malware targeting IoT devices.
- Jumping air gaps with power supply units.
Thousands of Salt instances vulnerable to remote code execution.
Researchers at F-Secure on April 30th disclosed two high-severity vulnerabilities in Salt, an open-source management framework used to oversee and administer servers. One of the flaws (CVE-2020-11651) is an authentication bypass vulnerability, while the other (CVE-2020-11652) is a directory traversal vulnerability. F-Secure explains that the flaws "allow an attacker who can connect to the 'request server' port to bypass all authentication and authorization controls and publish arbitrary control messages, read and write files anywhere on the 'master' server filesystem and steal the secret key used to authenticate to the master as root. The impact is full remote command execution as root on both the master and all minions that connect to it."
SaltStack, the company that maintains Salt, issued patches for the flaws the day before F-Secure published its advisory, but more than 6,000 Salt servers were still unpatched and exposed to the Internet at the time of F-Secure's publication. F-Secure stressed that "any competent hacker will be able to create 100% reliable exploits for these issues in under 24 hours," and urged users to patch their systems and put them behind a firewall.
ZDNet reported on May 3rd that an attacker had exploited the flaws to gain access to the infrastructure of LineageOS, although the attack was thwarted before any damage was done. Similar hacks hit the Ghost content management platform and the Xen Orchestra web interface for Xen Server, according to Decipher. In both of these instances, the attacker installed cryptominers which were quickly detected when they overloaded server capacity.
An attacker also exploited the Salt vulnerabilities to compromise a server used by DigiCert and potentially gained access to a key used for signing Signed Certificate Timestamps (SCTs), but The Register says the attacker was focused on cryptomining and doesn't seem to have realized (or cared) what they had stumbled upon. As a precautionary measure, however, DigiCert is replacing the SCTs that were issued after the server was compromised.
Akamai says there are at least five variants of the malware used in this particular campaign, all of which appear to be dedicated to cryptomining, although the malware also drops the nspps remote access tool. ZDNet quotes researchers who say attackers are running automated scans to detect vulnerable Salt instances, and they expect to see ransomware gangs leveraging the flaws soon.
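The two things an operator needs to know after reading the above are whether the master runs a fixed release and whether its request-server port answers from outside. The script below is an added triage example, not SaltStack's or F-Secure's code. It assumes Salt's default master ports (4505 for the publisher, 4506 for the request server F-Secure refers to), that `salt-master --version` prints the version after the program name, and that the first fixed releases were 2019.2.4 and 3000.2; those version numbers are taken from SaltStack's release announcement and are not stated on this page.

```python
"""Triage for the Salt master issue: is this version patched, and is the
request-server port reachable from where it should not be?
Added example; not SaltStack's or F-Secure's code."""
import re
import socket
import sys
from typing import Optional, Tuple

# Salt master defaults: 4505 is the publisher, 4506 the request server.
PUBLISH_PORT = 4505
REQUEST_SERVER_PORT = 4506

# Assumed first fixed releases on each maintained branch (from SaltStack's
# release announcement, not from the page).  Older branches are treated as
# unpatched here; a backported build would have to be checked by hand.
FIXED_2019_2 = (2019, 2, 4)
FIXED_3000 = (3000, 2)


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract the Salt version tuple from text such as 'salt-master 3000.1'
    or '2019.2.3'.  Raises ValueError when no version is present."""
    m = re.search(r"\b(\d{4})(?:\.(\d+))?(?:\.(\d+))?\b", text)
    if not m:
        raise ValueError(f"no Salt version found in {text!r}")
    return tuple(int(g) for g in m.groups() if g is not None)


def is_patched(version: str) -> bool:
    """True when the version is at or past the assumed fixed release."""
    v = parse_version(version)
    major = v[0]
    if major >= 3001:
        return True                     # released after the fix
    if major == 3000:
        return v >= FIXED_3000          # 3000.2 or later; bare '3000' is older
    if v[:2] == (2019, 2):
        return v >= FIXED_2019_2        # 2019.2.4 or later
    return False                        # 2018.3 and earlier: no fixed release assumed


def port_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP connection to host:port succeeds.  Run it from a network
    that should NOT reach the master (e.g. a cloud VM outside the VPC)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def triage(version: str, host: Optional[str] = None) -> dict:
    """Combine the version check with an optional exposure check."""
    result = {"version": version, "patched": is_patched(version)}
    if host:
        result["request_server_exposed"] = port_reachable(host, REQUEST_SERVER_PORT)
        result["publisher_exposed"] = port_reachable(host, PUBLISH_PORT)
    return result


if __name__ == "__main__":
    # Usage: python3 salt_triage.py "$(salt-master --version)" [master-host]
    if len(sys.argv) < 2:
        sys.exit("usage: salt_triage.py '<salt-master --version output>' [host]")
    print(triage(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else None))
```

A master that reports `patched: False` or `request_server_exposed: True` should be upgraded and have 4505/4506 restricted to minion source addresses at the firewall; both checks pass only after an update, since the exposure check alone says nothing about the cryptominers already described in the campaign above.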
New Android Trojan could become an enduring threat.
Cybereason describes EventBot, a new Android banking Trojan first spotted in March 2020, that's "designed to target over 200 different banking and finance applications, the majority of which are European bank and crypto-currency exchange applications." The malware abuses Android's accessibility services and can bypass two-factor authentication. Since EventBot is so new, it's not being widely distributed yet, but the researchers found that it's using icons to pose as legitimate applications and they expect to see it begin showing up in third-party Android app stores.
Cybereason says the malware is under active development, and they've observed four different versions of it since early March. The researchers conclude that EventBot "has real potential to become the next big mobile malware, as it is under constant iterative improvements, abuses a critical operating system feature, and targets financial applications."
Cerberus spreads to more than three-quarters of a company's mobile devices.
Check Point Research found a new version of the Cerberus Android banking Trojan permeating an unnamed multinational conglomerate, infecting more than 75% of the company's devices via the organization's mobile device management (MDM) server. An MDM server acts as a centralized administrative hub to apply settings, install programs, and set policies for all of an organization's mobile devices. In this case, an attacker was able to compromise the victim's MDM server and install malware on all vulnerable devices.
The new variant of Cerberus is a remote access Trojan that controls infected devices using TeamViewer with administrative privileges. The malware locks the user out of TeamViewer and blocks them from uninstalling the application. It also has keylogging capabilities and can steal Google Authenticator codes and SMS messages to bypass multifactor authentication.
The researchers state that, while they don't know exactly what corporate resources the attackers were able to access, they do know that "every credential used from an unprotected device was reported to the C&C server" and any SMS-based multifactor authentication codes would have been intercepted. The organization had to factory-reset all of its devices in response, which the researchers note was a very expensive and time-consuming process.
New botnet malware targeting IoT devices.
Intezer discovered a new Linux-based botnet "with definitive Chinese origins" targeting servers and IoT devices. The botnet malware was dubbed "Kaiji" by researchers at MalwareMustDie, and is notable in that it was written from scratch in Golang rather than assembled from existing botnet code. It spreads by brute-forcing SSH credentials. Intezer found that it contains "an arsenal of multiple DDoS attacks such as ipspoof and synack attacks, an ssh bruteforcer module to continue the spread, and another ssh spreader which relies on hijacking local SSH keys to infect known hosts which the server has connected to in the past."
Intezer notes that the Kaiji malware highlights a trend in which malware developers are increasingly adopting the Golang programming language. Palo Alto Networks observed last year that the number of Go malware samples rose by 1944% between 2017 and 2019.
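Both of Kaiji's spreading methods leave something a defender can check for: password brute forcing shows up as bursts of failed logins in the sshd log, and the known-hosts spreader depends on a readable known_hosts file and a password login path. The script below is an added example, not Intezer's or MalwareMustDie's code; the log lines, sshd_config excerpt and known_hosts entries are constructed samples in OpenSSH's formats. It flags sources that exceed a failure threshold (and whether a login from them was later accepted), audits sshd_config for the two directives that make password brute forcing against root possible, and lists the hosts a spreader could harvest from an unhashed known_hosts file.

```python
"""Checks for SSH-spreading bots: brute-force sources in sshd logs, an
sshd_config audit, and the hosts readable from known_hosts.
Added example; not Intezer's or MalwareMustDie's code."""
import re
from collections import Counter, defaultdict
from typing import Dict, List

# Constructed sample lines in OpenSSH's syslog format (not real logs).
SAMPLE_AUTH_LOG = """\
May  4 02:11:03 host sshd[2231]: Failed password for root from 203.0.113.7 port 51822 ssh2
May  4 02:11:05 host sshd[2231]: Failed password for root from 203.0.113.7 port 51830 ssh2
May  4 02:11:07 host sshd[2234]: Failed password for invalid user admin from 203.0.113.7 port 51844 ssh2
May  4 02:11:09 host sshd[2236]: Failed password for invalid user pi from 203.0.113.7 port 51850 ssh2
May  4 02:11:12 host sshd[2238]: Failed password for root from 203.0.113.7 port 51861 ssh2
May  4 02:11:14 host sshd[2240]: Accepted password for root from 203.0.113.7 port 51870 ssh2
May  4 02:15:40 host sshd[2301]: Failed password for alice from 198.51.100.20 port 40112 ssh2
May  4 02:15:44 host sshd[2301]: Accepted publickey for alice from 198.51.100.20 port 40112 ssh2
"""

# Constructed sshd_config excerpt with the weak settings a spreader needs.
SAMPLE_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#PubkeyAuthentication yes
"""

# Constructed known_hosts: one hashed entry (HashKnownHosts yes), two plain.
SAMPLE_KNOWN_HOSTS = """\
|1|Zm9vYmFyYmF6cXV4cXV1eA==|c2FsdGVkaGFzaG9mdGhlaG9zdA== ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExample1
db01.internal,10.0.0.12 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExample2
[bastion.example.net]:2222 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIExample3
"""

FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port")


def brute_force_sources(log: str, threshold: int = 5) -> Dict[str, dict]:
    """Sources with >= threshold failed password logins, the usernames they
    tried, and any login accepted from them once the threshold was reached."""
    fails: Counter = Counter()
    users = defaultdict(set)
    success_after = defaultdict(list)
    for line in log.splitlines():
        m = FAILED.search(line)
        if m:
            user, src = m.groups()
            fails[src] += 1
            users[src].add(user)
            continue
        m = ACCEPTED.search(line)
        if m and fails[m.group(3)] >= threshold:   # Counter lookup does not insert
            method, user, src = m.groups()
            success_after[src].append((method, user))
    return {
        src: {"failures": n, "usernames": sorted(users[src]),
              "success_after": list(success_after[src])}
        for src, n in fails.items() if n >= threshold
    }


def sshd_config_findings(config: str) -> List[str]:
    """Flag directives that allow password brute forcing and root password
    logins.  OpenSSH defaults apply when a directive is absent or commented
    out, and sshd keeps the first value it reads for each directive."""
    settings: Dict[str, str] = {}
    for line in config.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        settings.setdefault(parts[0].lower(), parts[1].strip().lower() if len(parts) > 1 else "")
    findings = []
    if settings.get("passwordauthentication", "yes") == "yes":
        findings.append("PasswordAuthentication is enabled; set it to 'no' and use keys only")
    if settings.get("permitrootlogin", "prohibit-password") == "yes":
        findings.append("PermitRootLogin yes permits root password logins; set 'prohibit-password' or 'no'")
    return findings


def readable_known_hosts(text: str) -> List[str]:
    """Hosts a spreader can read straight out of known_hosts.  Entries hashed
    by HashKnownHosts ('|1|salt|hash') are skipped because they cannot be
    turned back into a target list."""
    hosts: List[str] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("|1|"):
            continue
        hosts.extend(line.split()[0].split(","))
    return hosts


if __name__ == "__main__":
    print(brute_force_sources(SAMPLE_AUTH_LOG))
    print(sshd_config_findings(SAMPLE_SSHD_CONFIG))
    print(readable_known_hosts(SAMPLE_KNOWN_HOSTS))
```

On the sample data the first function flags 203.0.113.7 (five failures across three usernames, then an accepted password login for root), the audit reports both weak directives, and the known_hosts scan returns the two unhashed entries. Turning on `HashKnownHosts yes` and disabling password authentication removes both things the spreader module relies on; unencrypted private keys on the box remain a separate problem that only a passphrase or an agent-based setup addresses.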
Jumping air gaps with power supply units.
Researchers at Ben-Gurion University of the Negev have discovered yet another way to exfiltrate data from air-gapped computers, this time by deploying malware that uses the computer's power supply unit to generate acoustic signals that can be recorded and translated into binary by a nearby smartphone. This attack is designed to bypass measures taken to prevent other forms of acoustic side-channel attacks, such as disabling audio hardware. It also doesn't require special privileges—a normal user account on the computer could deploy the malware, and the malware could then leak data when an administrator logged in.
In the theoretical scenario outlined by the researchers, an air-gapped system would be infected via removable media like a USB drive. The attacker would also infect a mobile device of an employee who uses that system, and the mobile device would record and translate the acoustic data and send it to the attacker over WiFi. The malware can only exfiltrate data at a maximum rate of fifty bits (6.25 bytes) per second, so the attack would be more feasible for stealing encryption keys and credentials as opposed to large files or chunks of data.
While this type of research is always interesting, it's worth noting that the risk of such an attack being conducted against the average organization is extremely low. A motivated malicious insider or a highly sophisticated attacker would generally look for much more efficient ways to steal data before considering resorting to something like this.