Brief #5: Apple's TriangledB Takedown, AnyConnect Under Fire

Mandos Brief, Week 25 2023: Apple tackles TriangledB, Cisco's AnyConnect vulnerability, Microsoft's fight against DDoS attacks, and NSA's warning on BlackLotus.



Apple Squashes TriangledB: A New Threat in Cyber Espionage

TriangledB represents a significant evolution in cyber espionage, demonstrating the increasing sophistication of threat actors. The spyware, written in Objective-C, is deployed in memory after exploiting a kernel vulnerability to gain root privileges on the target device. This approach allows the spyware to operate undetected, leaving no trace on the device after a reboot.

The spyware's capabilities are extensive, with 24 commands identified that enable a range of illicit activities. These include data theft, geolocation tracking, and process termination. The existence of a method named 'populatewithfieldsmacosonly' suggests the potential for a macOS variant of the spyware, expanding the potential target base beyond iOS devices.

Interestingly, the spyware removes itself after 30 days unless the attacker extends it, indicating a level of operational security designed to limit detection and analysis. This self-removal feature, combined with the in-memory deployment, makes TriangledB a stealthy and persistent threat.

Apple has released patches for the kernel vulnerability across its product range, and all users and organizations are advised to update their devices immediately.

Exploit Unleashed: Cisco AnyConnect Secure Vulnerability Under Threat

The vulnerability, tracked as CVE-2023-20178, is a significant security flaw in Cisco's AnyConnect Secure Mobility Client and Secure Client for Windows. It allows a local attacker with low privileges to escalate their access and execute code with system privileges, potentially compromising the entire system. The vulnerability lies in the client update process of the software, where improper permissions are assigned to a temporary directory created during the update process.

The exploit, published by security researcher Filip Dragovic, abuses a specific function of the Windows installer process. During the software update process, a temporary folder is created to store copies of files being modified. This allows for a rollback if the installation process is not completed. An attacker with knowledge of this temporary folder can run an exploit containing an executable file designed to start an update process but trigger a rollback midway. The exploit continuously attempts to replace the contents of the temporary folder with malicious files.

Once the update process halts, Windows attempts to restore the files in the temporary folder to their original location but instead consumes the attacker's malicious content. This results in the execution of the malicious code with system privileges.

Cisco addressed this vulnerability in early June with the release of AnyConnect Secure Mobility Client version 4.10.07061 and Secure Client version 5.00.2075. However, the publication of the PoC exploit code increases the urgency for users to update to those versions or later to mitigate the risk of exploitation.

Cryptocurrency Mining and OpenSSH Trojan Campaign: A Double Cybersecurity Threat

The cryptocurrency mining campaign leverages misconfigured Docker APIs to spread a Monero miner. The attackers use a Python-based botnet, K3chang, which scans for vulnerable Docker APIs and deploys malicious containers running the XMRig miner. This campaign highlights the importance of securing Docker APIs, which, if left unprotected, can be exploited to run unauthorized containers and execute malicious activities.
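The Docker exposure this campaign relies on is usually visible in the daemon configuration. The audit below is an added example (not code from the brief or from the Docker project) that reads a dockerd daemon.json and flags a TCP API listener that lacks client-certificate verification or is bound to every interface; the two configurations it checks are constructed, and the 10.0.0.5 management address and certificate paths are placeholders.

```python
# Added example: audit dockerd's daemon.json for an API reachable over TCP without
# client-certificate verification (tlsverify), the misconfiguration the miner campaign abuses.
# The WEAK and HARDENED configurations below are constructed sample data.
import json
from urllib.parse import urlsplit


def audit_daemon_config(config):
    """Return a list of findings for daemon.json contents already parsed into a dict."""
    findings = []
    # dockerd's default is the local unix socket only; "hosts" overrides that.
    hosts = config.get("hosts", ["unix:///var/run/docker.sock"])
    for host in hosts:
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// listeners are only reachable locally
        addr = urlsplit(host).hostname or "0.0.0.0"  # empty host means all interfaces
        if not config.get("tlsverify", False):
            findings.append(f"{host}: TCP listener without tlsverify; any client can run containers")
        if addr in ("0.0.0.0", "::"):
            findings.append(f"{host}: bound to all interfaces; restrict to a management address")
    return findings


def audit_daemon_json(text):
    """Convenience wrapper for the raw file contents."""
    return audit_daemon_config(json.loads(text))


# Constructed: the exposed configuration the campaign scans for.
WEAK = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'

# Constructed: the same listener restricted to a management address and mutual TLS
# (placeholder address and certificate paths).
HARDENED = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_daemon_json(text) or ["no findings"])
```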

In a separate but equally concerning campaign, threat actors are targeting IoT devices and Linux-based systems with an OpenSSH Trojan. This campaign exploits weak credentials and known vulnerabilities to gain unauthorized access. The threat actors use a patched version of OpenSSH that mimics the appearance and behavior of a legitimate OpenSSH server, making detection challenging. Once installed, the Trojan runs a secondary payload, a slightly modified version of the open-source IRC bot ZiggyStartux. This bot is capable of executing bash commands issued from the C2 server and possesses distributed denial of service (DDoS) capabilities.

The bot employs various mechanisms to establish persistence on compromised systems, including copying the binary to several locations on the disk and setting up cron jobs to invoke it at regular intervals.

Microsoft Battles Layer 7 DDoS Attacks

The actor, known as Storm1359 or Anonymous Sudan, targeted Layer 7, the application layer, rather than the network or transport layers (Layer 3 or 4). This approach is more complex and harder to mitigate as it involves overwhelming services with a massive volume of requests, causing the services to hang as they cannot process them all.

The attacker used a combination of HTTP(S) flood attacks, cache bypass, and Slowloris techniques. HTTP(S) flood attacks involve sending a high load of HTTPS requests from different source IPs, causing the application backend to run out of compute resources. Cache bypass attacks attempt to overload the origin servers by sending queries against generated URLs that force the frontend layer to forward all requests to the origin. Slowloris attacks involve opening a connection to a web server, requesting a resource, and then failing to acknowledge the download or accepting it slowly, forcing the web server to keep the connection open and the requested resource in memory.
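Two of the three techniques leave a signature in ordinary access logs: a flood shows up as request volume per source, and cache bypass as a source whose requests almost never repeat a query string. The detector below is an added example (not Microsoft's or the brief's code) that runs both checks over constructed Apache combined-format log lines; the thresholds are assumptions to tune per site. Slowloris is a connection-state attack and does not appear in per-request logs, so it is not covered here.

```python
# Added example: flag HTTP flood and cache-bypass patterns in web server access logs.
# Log lines are constructed in Apache combined format; thresholds are assumptions.
import re
from collections import defaultdict
from urllib.parse import urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def analyse(lines, flood_threshold=100, bypass_ratio=0.8, min_requests=20):
    """Return {ip: [findings]} for sources whose traffic in this log slice looks like
    a flood (request count) or cache bypass (share of distinct query strings)."""
    counts = defaultdict(int)
    query_sets = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip = m.group("ip")
        counts[ip] += 1
        query_sets[ip].add(urlsplit(m.group("path")).query)
    findings = {}
    for ip, n in counts.items():
        notes = []
        if n >= flood_threshold:
            notes.append(f"flood: {n} requests in this log slice")
        distinct = len(query_sets[ip])
        if n >= min_requests and distinct / n >= bypass_ratio:
            notes.append(f"cache bypass: {distinct} distinct query strings over {n} requests")
        if notes:
            findings[ip] = notes
    return findings


def sample_lines():
    """Constructed traffic: one quiet client and one client hammering unique URLs."""
    tpl = '{ip} - - [20/Jun/2023:10:00:{s:02d} +0000] "GET {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'
    lines = [tpl.format(ip="192.0.2.10", s=i % 60, path="/index.html") for i in range(5)]
    lines += [tpl.format(ip="203.0.113.7", s=i % 60, path=f"/search?q=x{i}") for i in range(150)]
    return lines


if __name__ == "__main__":
    for ip, notes in analyse(sample_lines()).items():
        print(ip, *notes, sep="\n  ")
```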

In response, Microsoft has hardened its Layer 7 protections, including tuning the Azure Web Application Firewall (WAF) to better protect customers from similar DDoS attacks.

NSA: BlackLotus Bootkit Patch = A False Sense of Security

The BlackLotus bootkit has emerged as a significant threat to cybersecurity. It exploits a year-old vulnerability in Windows (CVE-2022-21894) and deploys an older, vulnerable Windows boot loader to exploit the bug. This stealthy malware, which surfaced on underground forums in late 2022, has capabilities that include User Account Control (UAC) and Secure Boot bypass.

The National Security Agency (NSA) has issued a warning that BlackLotus can be executed on fully patched systems because the vulnerable boot loaders it targets have not been added to the secure boot DBX revocation list. This means that even systems that have been updated with the latest security patches are still vulnerable to BlackLotus attacks.
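Whether a boot loader is actually blocked comes down to whether its hash is present in the firmware's dbx variable, which is a sequence of EFI_SIGNATURE_LIST structures. The parser below is an added example (not from the NSA guidance or the brief) that walks a dbx blob and reports whether a given image's hash is revoked; the dbx blob and the two loader images are constructed stand-ins. One caveat: real dbx entries for signed PE loaders are Authenticode image hashes, so a production check must compute that hash rather than the flat SHA-256 used here to keep the example self-contained.

```python
# Added example: parse a UEFI dbx variable (EFI_SIGNATURE_LIST chain) and check
# whether a boot loader's hash is revoked. The dbx blob and loader images are
# constructed; real dbx entries for PE loaders are Authenticode hashes, not flat SHA-256.
import hashlib
import struct
import uuid

EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
OWNER = uuid.UUID(int=0)  # placeholder SignatureOwner GUID for constructed entries
LIST_HDR = 28             # SignatureType GUID (16) + three UINT32 size fields (12)
SHA256_ENTRY = 16 + 32    # SignatureOwner GUID + SHA-256 digest


def parse_dbx(blob):
    """Yield every SHA-256 digest revoked by the signature lists in blob."""
    off = 0
    while off + LIST_HDR <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])  # EFI GUIDs are mixed-endian
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < LIST_HDR or off + list_size > len(blob):
            raise ValueError("truncated or corrupt EFI_SIGNATURE_LIST")
        if sig_type == EFI_CERT_SHA256_GUID and sig_size == SHA256_ENTRY:
            pos = off + LIST_HDR + hdr_size
            while pos + sig_size <= off + list_size:
                yield blob[pos + 16:pos + sig_size]  # skip the owner GUID
                pos += sig_size
        off += list_size  # other list types (x509, sha1, ...) are skipped whole


def build_dbx(hashes):
    """Build one EFI_SIGNATURE_LIST of SHA-256 entries (constructed test data)."""
    entries = b"".join(OWNER.bytes_le + h for h in hashes)
    header = EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", LIST_HDR + len(entries), 0, SHA256_ENTRY)
    return header + entries


def loader_is_revoked(loader_bytes, dbx_blob):
    """True when the SHA-256 of loader_bytes appears in dbx."""
    return hashlib.sha256(loader_bytes).digest() in set(parse_dbx(dbx_blob))


# Constructed stand-ins for an old (revoked) and a current boot loader image.
OLD_LOADER = b"constructed old bootmgfw image"
NEW_LOADER = b"constructed current bootmgfw image"
SAMPLE_DBX = build_dbx([hashlib.sha256(OLD_LOADER).digest()])

if __name__ == "__main__":
    print("old loader revoked:", loader_is_revoked(OLD_LOADER, SAMPLE_DBX))
    print("new loader revoked:", loader_is_revoked(NEW_LOADER, SAMPLE_DBX))
```

On a live system the blob comes from the firmware variable itself (for example, the dbx contents returned by mokutil or Get-SecureBootUEFI), and an empty result for the old loader's hash is exactly the gap the NSA warning describes.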

The NSA's guidance provides a blueprint for defenders to protect systems from BlackLotus. However, the agency has stressed that the available security patches may provide a false sense of security. Therefore, system administrators are urged to take action to harden their systems against this threat.
