TL;DR
- Apple Squashes TriangledB: A New Threat in Cyber Espionage
- Exploit Unleashed: Cisco AnyConnect Secure Vulnerability Under Threat
- Cryptocurrency Mining and OpenSSH Trojan Campaign: A Double Cybersecurity Threat
- Microsoft Battles Layer 7 DDoS Attacks
- NSA: BlackLotus Bootkit Patch = A False Sense of Security
Apple Squashes TriangledB: A New Threat in Cyber Espionage
- TriangledB, a spyware previously found on iPhones, is now suspected to target macOS devices, according to Kaspersky researchers.
- The spyware exploits a kernel vulnerability to gain root privileges and carries out a range of illicit activities, from data theft to geolocation tracking.
- Apple has released software updates to patch the kernel vulnerability across nearly all iPhone, iPad, Apple Watch models, and macOS computers.
- Kaspersky has released a utility, TriangleCheck, that automatically searches for TriangledB infections.
TriangledB represents a significant evolution in cyber espionage, demonstrating the increasing sophistication of threat actors. The spyware, written in Objective-C, is deployed in memory after exploiting a kernel vulnerability to gain root privileges on the target device. This approach allows the spyware to operate undetected, leaving no trace on the device after a reboot.
The spyware's capabilities are extensive, with 24 commands identified that enable a range of illicit activities. These include data theft, geolocation tracking, and process termination. The existence of a method named 'populatewithfieldsmacosonly' suggests the potential for a macOS variant of the spyware, expanding the potential target base beyond iOS devices.
Interestingly, the spyware removes itself after 30 days unless the attacker extends it, indicating a level of operational security designed to limit detection and analysis. This self-removal feature, combined with the in-memory deployment, makes TriangledB a stealthy and persistent threat.
Apple has released patches for the kernel vulnerability across its product range, and all users and organizations are advised to update their devices immediately.
Exploit Unleashed: Cisco AnyConnect Secure Vulnerability Under Threat
- A proof-of-concept (PoC) exploit code has been published for a high-severity vulnerability (CVE-2023-20178) in Cisco AnyConnect Secure Mobility Client and Secure Client for Windows.
- The vulnerability allows a local attacker with low privileges to elevate their access and execute code with system privileges.
- The exploit takes advantage of a specific function of the Windows installer process during the software update process.
- Cisco has released security updates to address this vulnerability, urging customers to upgrade their software.
The vulnerability, tracked as CVE-2023-20178, is a significant security flaw in Cisco's AnyConnect Secure Mobility Client and Secure Client for Windows. It allows a local attacker with low privileges to escalate their access and execute code with system privileges, potentially compromising the entire system. The vulnerability lies in the client update process of the software, where improper permissions are assigned to a temporary directory created during the update process.
The exploit, published by security researcher Filip Dragovic, abuses a specific function of the Windows installer process. During the software update process, a temporary folder is created to store copies of files being modified. This allows for a rollback if the installation process is not completed. An attacker with knowledge of this temporary folder can run an exploit containing an executable file designed to start an update process but trigger a rollback midway. The exploit continuously attempts to replace the contents of the temporary folder with malicious files.
Once the update process halts, Windows attempts to restore the files in the temporary folder to their original location but instead consumes the attacker's malicious content. This results in the execution of the malicious code with system privileges.
Cisco has addressed this vulnerability in early June with the release of AnyConnect Secure Mobility Client version 4.10.07061 and Secure Client version 5.00.2075. However, the publication of the PoC exploit code increases the urgency for users to update their software to the latest versions to mitigate the risk of exploitation.
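A small added check (not from the article or from Cisco) that tells whether an installed client version carries the CVE-2023-20178 fix, using only the two fixed versions the article cites; the point it makes is that each major branch must be compared against its own fixed build, since a 5.00.2000 build is numerically above 4.10.07061 yet still predates the 5.x fix. Reading the installed version out of the registry is left to the caller.

```python
# Added example: classify an installed Cisco AnyConnect / Secure Client
# version against the fixed versions named in the article:
#   4.10.07061  (AnyConnect Secure Mobility Client, 4.x branch)
#   5.00.2075   (Secure Client, 5.x branch)
# Branches not listed here are reported as "unknown" so they get a manual look.

FIXED_VERSIONS = {
    4: (4, 10, 7061),
    5: (5, 0, 2075),
}


def parse_version(text: str) -> tuple:
    """Turn '4.10.07061' into (4, 10, 7061); leading zeros are insignificant."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def assess(installed: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown' for the installed build.

    Tuple comparison is lexicographic, which matches dotted-version order,
    but only within the same major branch, hence the per-branch lookup.
    """
    ver = parse_version(installed)
    fixed = FIXED_VERSIONS.get(ver[0])
    if fixed is None:
        return "unknown"
    return "patched" if ver >= fixed else "vulnerable"
```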
Cryptocurrency Mining and OpenSSH Trojan Campaign: A Double Cybersecurity Threat
- A new cryptocurrency mining campaign is exploiting misconfigured Docker APIs to spread a Monero (XMR) miner.
- The campaign uses a Python-based botnet called "K3chang" to scan for vulnerable Docker APIs and deploy malicious containers.
- A separate OpenSSH Trojan campaign is targeting IoT devices and Linux-based systems, exploiting weak credentials and known vulnerabilities.
- The OpenSSH Trojan campaign uses a modified version of the open-source IRC bot "ZiggyStartux" to execute commands from the C2 server and establish persistence on compromised systems.
The cryptocurrency mining campaign leverages misconfigured Docker APIs to spread a Monero miner. The attackers use a Python-based botnet, K3chang, which scans for vulnerable Docker APIs and deploys malicious containers running the XMRig miner. This campaign highlights the importance of securing Docker APIs, which, if left unprotected, can be exploited to run unauthorized containers and execute malicious activities.
In a separate but equally concerning campaign, threat actors are targeting IoT devices and Linux-based systems with an OpenSSH Trojan. This campaign exploits weak credentials and known vulnerabilities to gain unauthorized access. The threat actors use a patched version of OpenSSH that mimics the appearance and behavior of a legitimate OpenSSH server, making detection challenging. Once installed, the Trojan runs a secondary payload, a slightly modified version of the open-source IRC bot ZiggyStartux. This bot is capable of executing bash commands issued from the C2 server and possesses distributed denial of service (DDoS) capabilities.
The bot employs various mechanisms to establish persistence on compromised systems, including copying the binary to several locations on the disk and setting up cron jobs to invoke it at regular intervals.
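A defender-side check for exactly that persistence pattern, added here and not part of the article: it parses crontab lines, hashes the executables they invoke, and reports any binary that cron runs from more than one path. The crontab lines, file names and payload bytes are all constructed for the demo.

```python
# Added example: find one binary that cron invokes from several locations.
import hashlib
import os
import re
import tempfile
from collections import defaultdict

# One system-crontab line: five schedule fields (or an @keyword), a user
# column, then the command. Per-user crontabs have no user column.
_CRON_RE = re.compile(r"^\s*(?:@\w+|(?:\S+\s+){5})(?P<rest>.+)$")


def command_path(line, system_crontab=True):
    """Return the absolute executable path a crontab line runs, else None."""
    line = line.split("#", 1)[0]          # drop trailing comments
    m = _CRON_RE.match(line)
    if not m:
        return None                       # blank, comment or VAR=value line
    fields = m.group("rest").split()
    if system_crontab:
        fields = fields[1:]               # skip the user column
    return fields[0] if fields and fields[0].startswith("/") else None


def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def replicated_cron_binaries(lines, system_crontab=True):
    """Map content hash -> sorted paths for bytes cron runs from 2+ places."""
    by_hash = defaultdict(set)
    for line in lines:
        path = command_path(line, system_crontab)
        if path and os.path.isfile(path):
            by_hash[sha256_file(path)].add(path)
    return {h: sorted(p) for h, p in by_hash.items() if len(p) > 1}


def demo():
    """Stage a constructed layout: one payload stored under two names."""
    with tempfile.TemporaryDirectory() as d:
        dup1, dup2, legit = (os.path.join(d, n) for n in ("sshd", ".x", "rotate"))
        for p, data in ((dup1, b"PAYLOAD"), (dup2, b"PAYLOAD"), (legit, b"OTHER")):
            with open(p, "wb") as f:
                f.write(data)
        cron = [
            f"*/5 * * * * root {dup1} >/dev/null 2>&1",
            f"@reboot root {dup2}",
            f"0 3 * * * root {legit} --all",
            "# housekeeping",
        ]
        return replicated_cron_binaries(cron)
```

On a real host, feed it /etc/crontab, the files under /etc/cron.d and each user's crontab, and compare the flagged hashes against the package-manager's own copy of sshd.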
Microsoft Battles Layer 7 DDoS Attacks
- Microsoft confirmed that recent outages to Azure, Outlook, and OneDrive web portals were caused by Layer 7 DDoS attacks from a threat actor known as Storm1359, also known as Anonymous Sudan.
- The attacks began in early June 2023, with the threat actor utilizing multiple virtual private servers (VPS), rented cloud infrastructure, open proxies, and DDoS tools.
- The DDoS attacks targeted Layer 7, overwhelming services with a massive volume of requests, causing the services to hang as they couldn't process them all.
- Microsoft has since hardened Layer 7 protections, including tuning Azure Web Application Firewall (WAF) to better protect customers from similar DDoS attacks.
The actor, known as Storm1359 or Anonymous Sudan, targeted Layer 7, the application layer, rather than the network or transport layers (Layer 3 or 4). This approach is more complex and harder to mitigate as it involves overwhelming services with a massive volume of requests, causing the services to hang as they cannot process them all.
The attacker used a combination of HTTP(S) flood attacks, cache bypass, and Slowloris techniques. HTTP(S) flood attacks involve sending a high load of HTTPS requests from different source IPs, causing the application backend to run out of compute resources. Cache bypass attacks attempt to overload the origin servers by sending queries against generated URLs that force the frontend layer to forward all requests to the origin. Slowloris attacks involve opening a connection to a web server, requesting a resource, and then failing to acknowledge the download or accepting it slowly, forcing the web server to keep the connection open and the requested resource in memory.
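Two of those techniques leave signals in ordinary access logs, and the added example below (not from the article or from Microsoft) pulls them out: a per-source request-rate spike for the HTTP(S) flood, and paths requested with many distinct query strings for cache bypass. Slowloris is not visible in request logs and is omitted. The log lines are constructed in a Combined-Log-like shape and the thresholds are illustrative.

```python
# Added example: two Layer 7 DDoS signals over constructed access-log lines.
import re
from collections import Counter, defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return {ip, ts, path, query} for a log line, or None if it doesn't parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path, _, query = m.group("target").partition("?")
    return {"ip": m.group("ip"), "ts": ts, "path": path, "query": query}


def flood_sources(lines, window_s=60, max_per_window=5):
    """IPs whose request count in any fixed window exceeds max_per_window."""
    counts = Counter()
    for rec in filter(None, map(parse_line, lines)):
        bucket = int(rec["ts"].timestamp()) // window_s
        counts[(rec["ip"], bucket)] += 1
    return sorted({ip for (ip, _), n in counts.items() if n > max_per_window})


def cache_bypass_paths(lines, min_unique_queries=4):
    """Paths hit with many distinct query strings (generated, cache-busting URLs)."""
    queries = defaultdict(set)
    for rec in filter(None, map(parse_line, lines)):
        if rec["query"]:
            queries[rec["path"]].add(rec["query"])
    return sorted(p for p, q in queries.items() if len(q) >= min_unique_queries)


# Constructed sample: three sources each sending six cache-busting requests to
# /login within one minute, plus a normal client fetching a static asset.
SAMPLE = [
    f'203.0.113.{i % 3 + 1} - - [07/Jun/2023:10:00:{i:02d} +0000] '
    f'"GET /login?r={i} HTTP/1.1" 200 512'
    for i in range(18)
] + [
    '198.51.100.9 - - [07/Jun/2023:10:01:05 +0000] "GET /static/app.css HTTP/1.1" 200 2048',
    '198.51.100.9 - - [07/Jun/2023:10:01:06 +0000] "GET /static/app.css?v=1 HTTP/1.1" 200 2048',
]
```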
In response, Microsoft has hardened its Layer 7 protections, including tuning the Azure Web Application Firewall (WAF) to better protect customers from similar DDoS attacks.
NSA: BlackLotus Bootkit Patch = A False Sense of Security
- BlackLotus, a stealthy malware, emerged on underground forums in late 2022 with capabilities that include user access control (UAC) and secure boot bypass.
- The bootkit exploits a year-old vulnerability in Windows (CVE-2022-21894) and deploys an older vulnerable Windows boot loader to exploit the bug.
- The NSA warns that BlackLotus can be executed on fully patched systems because the vulnerable boot loaders it targets have not been added to the secure boot DBX revocation list.
- The NSA urges system administrators to take action as the available security patches may provide a false sense of security.
The BlackLotus bootkit has emerged as a significant threat to cybersecurity. It exploits a year-old vulnerability in Windows (CVE-2022-21894) and deploys an older vulnerable Windows boot loader to exploit the bug. This stealthy malware, which surfaced on underground forums in late 2022, has capabilities that include user access control (UAC) and secure boot bypass.
The National Security Agency (NSA) has issued a warning that BlackLotus can be executed on fully patched systems because the vulnerable boot loaders it targets have not been added to the secure boot DBX revocation list. This means that even systems that have been updated with the latest security patches are still vulnerable to BlackLotus attacks.
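Whether a given boot loader is actually revoked can be answered from the DBX contents themselves. The added example below (not from the NSA guidance or the article) parses the variable's EFI_SIGNATURE_LIST structures and checks a hash against the SHA-256 entries; the DBX bytes, the owner GUID and the hashes are constructed placeholders, not real indicators. Note that DBX entries for PE images are Authenticode image hashes, not plain file hashes.

```python
# Added example: parse a Secure Boot DBX variable and test a hash against it.
import struct
import uuid

# UEFI spec constant: signature lists of this type hold raw SHA-256 digests.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize,
# SignatureHeaderSize, SignatureSize (all little-endian).
_HDR = struct.Struct("<16sIII")


def iter_sha256_entries(dbx: bytes):
    """Yield (owner GUID, sha256 hex) for every SHA-256 entry in the variable."""
    off = 0
    while off + _HDR.size <= len(dbx):
        sig_type, list_size, hdr_size, sig_size = _HDR.unpack_from(dbx, off)
        if list_size < _HDR.size or off + list_size > len(dbx):
            raise ValueError(f"truncated or corrupt signature list at offset {off}")
        body = off + _HDR.size + hdr_size
        # Each entry is SignatureOwner (16 bytes) + 32-byte digest = 48 bytes.
        if uuid.UUID(bytes_le=sig_type) == EFI_CERT_SHA256_GUID and sig_size == 48:
            while body + sig_size <= off + list_size:
                owner = uuid.UUID(bytes_le=dbx[body:body + 16])
                yield owner, dbx[body + 16:body + 48].hex()
                body += sig_size
        off += list_size  # other list types (e.g. x509) are skipped whole


def is_revoked(dbx: bytes, authenticode_sha256_hex: str) -> bool:
    want = authenticode_sha256_hex.lower()
    return any(h == want for _, h in iter_sha256_entries(dbx))


def build_sha256_list(owner: uuid.UUID, hashes_hex) -> bytes:
    """Encode one SHA-256 EFI_SIGNATURE_LIST (used here to construct test input)."""
    entries = b"".join(owner.bytes_le + bytes.fromhex(h) for h in hashes_hex)
    header = _HDR.pack(EFI_CERT_SHA256_GUID.bytes_le, _HDR.size + len(entries), 0, 48)
    return header + entries


# Constructed DBX: one list, a placeholder owner GUID and two placeholder digests.
OWNER = uuid.uuid5(uuid.NAMESPACE_DNS, "example.invalid")
REVOKED_A = "aa" * 32
REVOKED_B = "bb" * 32
SAMPLE_DBX = build_sha256_list(OWNER, [REVOKED_A, REVOKED_B])
```

On Windows the raw bytes come from `Get-SecureBootUEFI -Name dbx`; on Linux from the dbx efivar, after stripping its 4-byte attribute prefix.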
The NSA's guidance provides a blueprint for defenders to protect systems from BlackLotus. However, the agency has stressed that the available security patches may provide a false sense of security. Therefore, system administrators are urged to take action to harden their systems against this threat.