[BCLUG] Never-before-seen malware has infected hundreds of Linux and Windows devices
Rick Moen
rick at linuxmafia.com
Wed Sep 28 22:21:21 EDT 2022
Quoting BCLUG via Discuss (discuss at lists.bclug.ca):
> New malware affecting Linux (and Windows, FreeBSD,...) machines.
>
> It seems like it hasn't spread very far, but a reminder to be careful.
I often do analyses / write-ups of these sorts of stories.
So, I'll have a go at this. After hundreds of these, I tend to be a
little jaded and cynical about these recycled security-company press
releases.
> Ars Technica has a write-up, but no word on how to determine if
> infected. Spreads through brute-forcing ssh, stealing ssh keys, and
> exploiting known CVEs.
Hmm, we'll see.
> Keep your software up-to-date.
>
> https://arstechnica.com/information-technology/2022/09/never-before-seen-malware-has-infected-hundreds-of-linux-and-windows-devices/
There is really only one question (with a subsidiary question) that
is of real interest about "malware":
1. How does it get executed?
1a. How does it then escalate process privilege (if it does so)?
Right, as per usual, the firm issuing the press release that got cribbed
to create this article, Lumen's branch "Black Lotus Labs", gave it a
flashy name, "Chaos". WTF is it? Trojan? Worm? ELF-infector?
<reading>
<reading>
<reading>
Murky. {sigh} OK, how does it get executed?
    propagates through known CVEs and brute forced as well as stolen SSH keys
Let's go after the "known CVEs" razzle-dazzle.
CVE-2017-17215:  Incredibly vague "remote code execution vulnerability"
                 against some exposed service on port 37215 of
                 some 2017 releases of Huawei's proprietary firmware
                 on one of its cheap home routers.  Moral of the
                 story:  Don't rely on cruddy proprietary software,
                 especially, notoriously buggy bad embedded OS
                 versions from five years ago.

                 OMG, one Web page reveals that the service is
                 UPnP, Universal Plug'n'Play
                 (https://en.wikipedia.org/wiki/Universal_Plug_and_Play),
                 and Huawei deliberately exposed that to Internet
                 traffic.  Run away!  Run away!

                 No, for Ghu's sake, run OpenWRT.

CVE-2022-30525:  Certain Zyxel USG FLEX 100(W) firmware revisions,
                 "OS command injection".  Found by someone calling
                 himself "Rapid 7".  It's a coding error in the
                 "CGI program of some firewall versions".  Again,
                 really bad embedded appliance firmware.  The management
                 interface of the firewall appliances ought not to be
                 exposed to public networks in the first place.  There's
                 no compelling reason for that.

                 The "unauthenticated command injection" bit affects
                 certain Zyxel firewall appliance boxes with
                 "zero touch provisioning (ZTP) support".  That is
                 simply insane to have a public-facing firewall
                 appliance be set up to receive ZTP commands.
                 Maybe it's defensible to have that enabled for
                 initial configuration on a safe-isolated network
                 for first-time config of the device, but then you
                 _switch it off_.
CVE-2022-1388:   This is starting to sound familiar:  ForceFive's
                 "BIG-IP" product line of hardware and software
                 products have a huge security hole in their
                 "iControl REST API used for the management and
                 configuration of BIG-IP devices", permitting
                 bypassing of authentication and running arbitrary
                 command execution.

                 "BIG-IP" is a bunch of stuff for doing automagical
                 deployment of large application and network
                 infrastructure.  Whiz!  Whee!  Too bad they
                 totally suck at authentication basics.  But, again,
                 it's insane to have something as inherently
                 over-complex as a REST API exposed to the Internet.
So, none of this has a damn thing to do with Linux, and actually
it could be avoided, in many cases, by using Linux instead.
Fine. Let's move on to "brute forced as well as stolen SSH keys".
Brute-forcing an sshd is kind of a sad, no-hope way in: barraging it with
"joe account" user/pw combinations.  Stolen keys, well, if your
keys are getting stolen, you have bigger problems.
So, basically this is an attack kit that can run on a Linux box
if through terrible password policy or stolen ssh keys entry is
possible, and once there it runs a probe tool to look for other,
incompetently vulnerable target hosts.
I'm really not impressed.
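As an added example (mine, not from Rick's post or from the Black Lotus Labs write-up), here is a small detector for the sshd brute-force entry path discussed above: it counts failed logins per source in auth.log-style lines and flags a password login that is accepted only after a run of failures. The log lines, hostnames and addresses are constructed for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sshd lines in auth.log format (not taken from any real host);
# 203.0.113.7 is a documentation-range address standing in for a brute-forcer.
SAMPLE_LOG = """\
Sep 28 21:01:02 gw sshd[1001]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
Sep 28 21:01:04 gw sshd[1002]: Failed password for invalid user test from 203.0.113.7 port 51001 ssh2
Sep 28 21:01:06 gw sshd[1003]: Failed password for root from 203.0.113.7 port 51002 ssh2
Sep 28 21:01:08 gw sshd[1004]: Failed password for invalid user oracle from 203.0.113.7 port 51003 ssh2
Sep 28 21:01:10 gw sshd[1005]: Failed password for root from 203.0.113.7 port 51004 ssh2
Sep 28 21:01:12 gw sshd[1006]: Accepted password for root from 203.0.113.7 port 51005 ssh2
Sep 28 21:05:00 gw sshd[1010]: Failed password for alice from 198.51.100.20 port 40000 ssh2
Sep 28 21:05:03 gw sshd[1011]: Accepted publickey for alice from 198.51.100.20 port 40001 ssh2
"""

# Matches both "Failed password for invalid user X" and "Accepted publickey for X".
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def analyze_sshd_log(text, threshold=5):
    """Return (failures per source IP, list of suspected brute-force break-ins).

    A break-in is an 'Accepted password' from a source that had already
    accumulated at least `threshold` failures.  Key-based logins are not
    flagged: a stolen key leaves no failure trail, so this check cannot see it."""
    failures = defaultdict(int)
    tried_users = defaultdict(set)
    suspected = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ip, user = m["ip"], m["user"]
        if m["result"] == "Failed":
            failures[ip] += 1
            tried_users[ip].add(user)
        elif m["method"] == "password" and failures[ip] >= threshold:
            suspected.append({"ip": ip, "user": user, "failures_before": failures[ip],
                              "users_tried": sorted(tried_users[ip])})
    return dict(failures), suspected

if __name__ == "__main__":
    _, hits = analyze_sshd_log(SAMPLE_LOG)
    for h in hits:
        print(f"suspected brute-forced login: {h['user']}@{h['ip']} "
              f"after {h['failures_before']} failures trying {h['users_tried']}")
```

On a real host the same function can be fed `journalctl -u ssh` or `/var/log/auth.log` output; the threshold is a tuning knob, not a fixed rule.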