At a glance.
- Linux kernel vulnerability discovered, fixed.
- Ghostwriter tied to UNC1151.
- Naikon deploys new backdoor.
- Online ordering platforms breached.
- New cryptocurrency stealer.
- Genesis Market, a successful C2C vendor.
Linux kernel vulnerability discovered, fixed.
Researchers at Cisco Talos have discovered an information disclosure vulnerability (CVE-2020-28588) in the Linux kernel. An update is now available that fixes the issue. According to Shachar Menashe, VP Security, Vdoo, a specialist in product security, the vulnerability looks like an easy one to exploit:
"This newly discovered vulnerability indeed looks very actionable and easy to exploit under the right technical conditions, so we recommend that affected vendors update their kernel or apply the patch. These kinds of vulnerabilities are almost exclusively used as part of a local privilege escalation attack chain to circumvent the Linux kernel randomization (KASLR) mitigation.
"This new discovery illustrates the value of automated applicability scanning, which helps determine if a new vulnerability can be realistically exploited. In this case, we found that the vulnerability is only exploitable in devices under one of the following specific conditions:
"1. The kernel is built with CONFIG_HAVE_ARCH_TRACEHOOK (quite common)
"2. The kernel is built with CONFIG_RANDOMIZE_BASE (KASLR, less common on embedded devices)
"3. The kernel is a 32-bit kernel
"Regarding point #2, note that the vulnerability is probably not applicable on ARM 32-bit devices since a vanilla Linux ARM32 kernel does not have KASLR. Some kernel forks, such as Android, have backported the KASLR feature to 32-bit, but since the vulnerability is only relevant on Linux kernel 5.1 and later, we assume no Android devices will be affected."
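For inventory purposes, the conditions Menashe lists can be checked against a kernel's own build configuration. The script below is an added example, not code from Talos or Vdoo: it evaluates the three quoted conditions plus the "5.1 and later" note against a kernel .config (for instance the output of `zcat /proc/config.gz`) and `uname -r` / `uname -m` strings. The set of 32-bit machine names and the treatment of the three conditions as jointly required (the reading suggested by the ARM32 remark) are assumptions.

```python
"""Applicability check for CVE-2020-28588 conditions quoted above (added example)."""
import re

# Assumption: common 'uname -m' values that denote a 32-bit kernel.
THIRTY_TWO_BIT_MACHINES = {"i386", "i486", "i586", "i686", "armv6l", "armv7l",
                           "mips", "mipsel", "ppc"}


def parse_kconfig(config_text):
    """Return the CONFIG_* options enabled (=y or =m) in a kernel .config.

    Lines such as '# CONFIG_FOO is not set' are comments and are skipped."""
    enabled = set()
    for line in config_text.splitlines():
        m = re.match(r"^(CONFIG_[A-Z0-9_]+)=(y|m)\b", line.strip())
        if m:
            enabled.add(m.group(1))
    return enabled


def kernel_version(release):
    """Parse 'uname -r' output such as '5.10.17-v7l+' into (major, minor)."""
    m = re.match(r"^(\d+)\.(\d+)", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return int(m.group(1)), int(m.group(2))


def assess(config_text, release, machine):
    """Evaluate each quoted condition; 'all' treats them as jointly required (assumption)."""
    enabled = parse_kconfig(config_text)
    checks = {
        "tracehook": "CONFIG_HAVE_ARCH_TRACEHOOK" in enabled,
        "kaslr": "CONFIG_RANDOMIZE_BASE" in enabled,
        "is_32bit": machine in THIRTY_TWO_BIT_MACHINES,
        "version_5_1_plus": kernel_version(release) >= (5, 1),
    }
    checks["all"] = all(checks.values())
    return checks


# Constructed sample .config fragment; not taken from any real device.
SAMPLE_CONFIG = """\
# Linux/x86 5.4.0 Kernel Configuration
CONFIG_HAVE_ARCH_TRACEHOOK=y
CONFIG_RANDOMIZE_BASE=y
# CONFIG_RANDOMIZE_MEMORY is not set
CONFIG_X86_32=y
"""

if __name__ == "__main__":
    for name, hit in assess(SAMPLE_CONFIG, "5.4.72", "i686").items():
        print(f"{name:17s} {'yes' if hit else 'no'}")
```

On a live host, feed it the real values: `assess(open("/boot/config-" + release).read(), release, machine)` with `release` and `machine` from `platform.uname()`. A kernel that fails any single check falls outside the profile described in the quote.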
Ghostwriter tied to UNC1151.
FireEye has published an update on Ghostwriter, an influence campaign that has targeted Lithuanian, Latvian, and Polish audiences with content critical of NATO's activity in Eastern Europe. The researchers now believe "with high confidence" that at least some Ghostwriter activity was carried out by UNC1151, a state-sponsored cyberespionage actor. FireEye doesn't attribute UNC1151 to any nation-state, nor does it associate the group with any other known threat actor.
FireEye has also identified changes in Ghostwriter's messaging and targeting:
"We have observed an expansion of narratives, targeting and TTPs associated with Ghostwriter activity since we released our July 2020 report. For example, several recent operations have heavily leveraged the compromised social media accounts of Polish officials on the political right to publish content seemingly intended to create domestic political disruption in Poland rather than foment distrust of NATO. These operations, conducted in Polish and English, appear to have largely not relied on the dissemination vectors we have typically observed with previous Ghostwriter activity, such as website compromises, spoofed emails or posts from inauthentic personas. We have observed no evidence that these social media platforms were themselves in any way compromised, and instead believe account credentials were obtained using the compromised email accounts of targeted individuals."
Naikon deploys new backdoor.
Researchers at Bitdefender have discovered a new backdoor used by the China-aligned threat actor Naikon. The backdoor, dubbed "Nebulae," appears to be "used as a measure of precaution to not lose the persistence in case any signs of infections get detected." The threat actor has been targeting the military services of Southeast Asian countries:
"During our investigation, we identified that the victims of this operation are military organizations located in Southeast Asia. The malicious activity was conducted between June 2019 and March 2021. At the beginning of the operation, the threat actors used Aria-Body loader and Nebulae as the first stage of the attack. From our observations, starting with September 2020, the threat actors included the RainyDay backdoor in their toolkit. The purpose of this operation was cyber-espionage and data theft."
Online ordering platforms breached.
Recorded Future's Gemini Advisory reports that five online ordering platforms have been breached, exposing customer information from hundreds of restaurants. The stolen data include 343,000 payment cards, which have surfaced for sale on the dark web. The researchers explain:
"Two of the platforms — Grabull and another that Gemini will not name at this time — operate as additional third-party ordering infrastructure for hundreds of participating restaurants to complement the restaurant’s infrastructure, like regional versions of popular services such as Grubhub and DoorDash. In this second model, any of the restaurants that saw orders placed through the platforms would have indirectly had payment card data stolen as a result of the infection. The median prices of the stolen records from all 5 platforms offered for sale on the dark web ranged from $5-$10 depending on the breached online ordering platforms, and they primarily affected US-based banks."
New cryptocurrency stealer.
Palo Alto Networks' Unit 42 describes "WeSteal," a "shameless" new cryptocurrency stealer. Unlike many other commodity malware strains, WeSteal's author is very clear about the intent of the malware and makes no attempt to "hide behind meaningless Terms of Service statements that end users must not use the malware for illegitimate purposes." The malware's author charges €20 for a month's license, €50 for three months, and €125 for a year. WeSteal is effective and easy to use, and Unit 42 believes it will be popular with low-skilled criminals.
A look at a successful player in the criminal-to-criminal market.
Digital Shadows today published an interesting report on Genesis Market, an underground souk that caters to the criminal-to-criminal trade. The company’s researchers describe Genesis as “a fully-gated, invitation-only, English-language automated vending cart (AVC) site focused on the sale of digital fingerprints relating to a (victim) user’s computer, browser, and accounts on websites and services.” It’s been in business since 2017.
Genesis is an aggregator. It trades the commonplace (and desirable) username and password for victims’ accounts, but it adds other identifiers like browser cookies, IP addresses, user-agent strings, and various operating system details. The hoods used to have to find these one by one; Genesis offers a one-stop shop. Digital Shadows says:
"When our team discovered Genesis in March 2018, the market had been around for about five months and was still in beta mode (the owner’s words, not ours). The market claimed to be the result of research conducted across the antifraud technologies used by 283 major banks and payments systems. This interested the innovators, who began to trickle in. By April, there were more than 1,000 bots for purchase on Genesis Market."
Genesis has been more enduring than most of its competing souks. It seems to have achieved its position in the criminal market by attracting criminal influencers as early adopters, and to have largely lived up to the high reputation word-of-mouth lent it. As Digital Shadows put it:
"Reputation is critical for new criminal endeavors, and word travels fast. Genesis’ unique product offering has gained widespread popularity since its creation around 2017. Since this time, similar and competing platforms have emerged onto the cybercriminal scene like Tenebris and Richlogs (since rebranded as Underworld Market). However, Genesis remains a high-profile and trusted repository of digital fingerprints. Photon analysis from 2020 showed that Genesis commanded 65% of mentions across criminal forums."