[BCLUG] Never-before-seen malware has infected hundreds of Linux and Windows devices

Rick Moen rick at linuxmafia.com
Wed Sep 28 22:21:21 EDT 2022


Quoting BCLUG via Discuss (discuss at lists.bclug.ca):

> New malware affecting Linux (and Windows, FreeBSD,...) machines.
> 
> It seems like it hasn't spread very far, but a reminder to be careful.

I often do analyses / write-ups of these sorts of stories.
So, I'll have a go at this.  After hundreds of these, I tend to be a
little jaded and cynical about these recycled security-company press
releases.

> Ars Technica has a write-up, but no word on how to determine if
> infected.  Spreads through brute-forcing ssh, stealing ssh keys, and
> exploiting known CVEs.

Hmm, we'll see.

> Keep your software up-to-date.
> 
> https://arstechnica.com/information-technology/2022/09/never-before-seen-malware-has-infected-hundreds-of-linux-and-windows-devices/

There is really only one question (with a subsidiary question) that
is of real interest about "malware":

1.  How does it get executed?
1a.  How does it then escalate process privilege (if it does so)?

Right, as per usual, the firm issuing the press release that got cribbed
to create this article, Lumen's branch "Black Lotus Labs", gave it a
flashy name, "Chaos".  WTF is it?  Trojan?  Worm?  ELF-infector?  

<reading>
<reading>
<reading>

Murky.  {sigh}  OK, how does it get executed?

   propagates through known CVEs and brute forced as well as stolen SSH keys

Let's go after the "known CVEs" razzle-dazzle.

CVE-2017-17215:  Incredibly vague "remote code execution vulnerability" 
                 against some exposed service on port 37215 of 
                 some 2017 releases of Huawei's proprietary firmware
                 on one of its cheap home routers.  Moral of the
                 story:  Don't rely on cruddy proprietary software, 
                 especially, notoriously buggy bad embedded OS
                 versions from five years ago.

                 OMG, one Web page reveals that the service is
                 UPnP, Universal Plug'n'Play
                 (https://en.wikipedia.org/wiki/Universal_Plug_and_Play),
                 and Huawei deliberately exposed that to Internet
                 traffic.  Run away!  Run away!

                 No, for Ghu's sake, run OpenWRT.

CVE-2022-30525:  Certain Zyxel USG FLEX 100(W) firmware revisions,
                 "OS command injection".  Found by someone calling
                 himself "Rapid 7".  It's a coding error in the 
                 "CGI program of some firewall versions".  Again,
                 really bad embedded appliance firmware.  The management
                 interface of the firewall appliances ought not to be 
                 exposed to public networks in the first place.  There's
                 no compelling reason for that. 

                 The "unauthenticated command injection" bit affects
                 certain Zyxel firewall appliance boxes with 
                 "zero touch provisioning (ZTP) support".  That is
                 simply insane to have a public-facing firewall
                 appliance be set up to receive ZTP commands.

                 Maybe it's defensible to have that enabled for
                 initial configuration on a safe-isolated network
                 for first-time config of the device, but then you
                 _switch it off_.

CVE-2022-1388:   This is starting to sound familiar:  ForceFive's 
                 "BIG-IP" product line of hardware and software 
                 products have a huge security hole in their 
                 "iControl REST API used for the management and
                 configuration of BIG-IP devices", permitting 
                 bypassing of authentication and running arbitrary
                 command execution.

                 "BIG-IP" is a bunch of stuff for doing automagical
                 deployment of large application and network
                 infrastructure.  Whiz!  Whee!  Too bad they 
                 totally suck at authentication basics.  But, again,
                 it's insane to have something as inherently 
                 over-complex as a REST API exposed to the Internet.

So, none of this has a damn thing to do with Linux, and actually 
it could be avoided, in many cases, by using Linux instead.


Fine.  Let's move on to "brute forced as well as stolen SSH keys".

Brute-forcing an sshd is kind of a sad, no-hope way of barraging it with
"joe account" user/pw combinations.  Stolen keys, well, if your
keys are getting stolen, you have bigger problems.

So, basically this is an attack kit that can run on a Linux box
if through terrible password policy or stolen ssh keys entry is
possible, and once there it runs a probe tool to look for other, 
incompetently vulnerable target hosts.

I'm really not impressed.
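
Since the quoted article gives no word on how to tell whether a host has been hit, here is an added example (not part of Rick's post or the Black Lotus Labs report) that reads sshd lines in the default OpenSSH auth.log format, groups failed password attempts per source, and flags a source that both barraged the daemon with "joe account" guesses and then logged in by password. The log lines are constructed, the threshold of five failures is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format sshd writes to /var/log/auth.log (not real logs).
SAMPLE_AUTH_LOG = """\
Sep 28 21:58:01 host sshd[4101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Sep 28 21:58:03 host sshd[4103]: Failed password for invalid user test from 203.0.113.7 port 51030 ssh2
Sep 28 21:58:04 host sshd[4105]: Failed password for root from 203.0.113.7 port 51044 ssh2
Sep 28 21:58:06 host sshd[4107]: Failed password for invalid user oracle from 203.0.113.7 port 51050 ssh2
Sep 28 21:58:09 host sshd[4109]: Failed password for invalid user guest from 203.0.113.7 port 51061 ssh2
Sep 28 21:59:30 host sshd[4120]: Failed password for alice from 198.51.100.20 port 40211 ssh2
Sep 28 21:59:41 host sshd[4120]: Accepted publickey for alice from 198.51.100.20 port 40211 ssh2: ED25519 SHA256:constructed
Sep 28 22:00:02 host sshd[4130]: Accepted password for root from 203.0.113.7 port 51090 ssh2
"""

# "invalid user" appears only when the account does not exist; root is a real account.
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port \d+")

def summarize_sshd_log(text, threshold=5):
    """Return one finding per source IP with >= threshold failed password attempts."""
    failures = defaultdict(list)   # source IP -> usernames guessed
    accepted = defaultdict(list)   # source IP -> (auth method, user) that succeeded
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(2)].append(m.group(1))
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted[m.group(3)].append((m.group(1), m.group(2)))
    findings = []
    for ip, users in failures.items():
        if len(users) < threshold:
            continue
        # A password login from the same source after a guessing run is the alarming case;
        # a successful publickey login after a few failures is ordinary noise.
        pw_login = any(method == "password" for method, _ in accepted.get(ip, []))
        findings.append({"src": ip, "attempts": len(users),
                         "users": sorted(set(users)),
                         "password_login_after_failures": pw_login})
    return findings

if __name__ == "__main__":
    for f in summarize_sshd_log(SAMPLE_AUTH_LOG):
        print(f)
```

The same function can be fed `journalctl -u ssh --no-pager` output, since the message text is identical; a finding with `password_login_after_failures` set is the one worth chasing.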
