Brief

Brief #15: QakBot Takedown, TPM Bypass, DBJammer Attacks

Mandos Brief, Week 35 2023: dismantling of the QakBot botnet, a critical TPM vulnerability, the DBJammer ransomware campaign, severe SSH flaw in VMware.

6 min read
mandos brief #15 - week 35 2023

TL;DR


QakBot Botnet Takedown: Law Enforcement Strikes Back

On August 29, 2023, U.S. law enforcement agencies announced a significant takedown of the QakBot botnet, also known as Qbot. Operated by the financially motivated Gold Lagoon threat group, QakBot has been active since 2007 and is known for facilitating ransomware attacks. The takedown involved a technical operation where a custom Dynamic Link Library (DLL) was distributed to infected devices. This DLL contained code that could cleanly terminate the running QakBot process on the host.

The operation was unique in its approach. The DLL used a method involving a named pipe that QakBot uses for inter-process communication. A specific command, qpcmdbotshutdown, was sent via this pipe to shut down the botnet's activities. This method effectively bypassed QakBot's persistence mechanisms, ensuring the malware would not run if the host system was restarted.

The FBI also redirected traffic flowing through QakBot servers to bureau-controlled servers and downloaded a malware uninstaller file onto each infected device. The operation was global, impacting devices not just in the U.S. but also in several European countries. The Justice Department seized more than $86 million in cryptocurrency profits from QakBot operations, highlighting the financial scale of this cybercrime network.

The takedown represents a significant blow to cybercriminal operations and showcases the effectiveness of technical countermeasures combined with international cooperation.

Smashing Enter Key to Bypass TPM-Protected Full Disk Encryption

A recent advisory from Pulse Security has unveiled a critical vulnerability that allows attackers to bypass Trusted Platform Module (TPM)-protected disk encryption on Linux systems. Specifically, the vulnerability affects Ubuntu 20.04 computers that use Red Hat's Clevis and Dracut software for unattended LUKS (Linux Unified Key Setup) full disk encryption. Under normal circumstances, an attacker would only see a login prompt and would not be able to gain direct access to the encrypted system. However, the exploit involves sending rapid keypresses during the early boot process, effectively fuzzing the password input. This can be done using an Arduino board to emulate a keyboard, sending keypresses at a rate much faster than a human could. After a minute or two, the system gives up trying to unlock the disk and provides a root shell in the early boot environment. From here, the attacker can manually unlock the disk using the TPM and gain access to sensitive data. This vulnerability poses a significant risk, especially for systems that need to operate in potentially hostile environments.

MSSQL Servers Under Siege: DBJammer Campaign Unleashes Freeworld Ransomware

A new cybersecurity threat is looming over organizations that rely on Microsoft SQL (MSSQL) servers. Dubbed as the DBJammer campaign, this attack begins with threat actors brute-forcing their way into exposed MSSQL databases. Once inside, they use the servers as a beachhead to launch a variety of payloads, including Remote Access Trojans (RATs) and a new variant of Mimic ransomware known as Freeworld.

The Freeworld ransomware is particularly noteworthy for its presence in binary file names and ransomware extensions. The attackers are well-equipped, using a range of tools for system enumeration, exploitation, and credential stealing. They also make extensive system and registry modifications to impair defenses and establish persistence on the host. For instance, they disable User Account Control (UAC) remote restrictions and ensure that Network Level Authentication is not required for Remote Desktop Protocol (RDP).

The campaign is not only sophisticated in its tooling but also in its execution speed, indicating a high level of preparation and possibly signaling an ongoing, targeted operation. Given the complexity and rapid escalation of these attacks, organizations are advised to limit their MSSQL services' exposure to the internet and strengthen account credentials.

Cybercriminals Turn to Malicious AI Tools for Next-Gen Attacks

The future of cybersecurity is facing a new challenge with the rise of dark AI tools. These are AI-driven software designed for malicious activities such as phishing, malware creation, and exploiting vulnerabilities. Notable examples include WormGPT, which can create phishing emails to bypass spam filters, and FraudGPT, designed for creating malware and identifying vulnerabilities.

The underground economy is actively exploring the profitability of these tools. They are often advertised on a subscription basis, with prices ranging from €100 for one month to $700 for a year. The alarming part is that 51% of IT professionals predict that a successful cyberattack attributed to these dark AI tools is imminent within a year.

While some experts question the legitimacy of these tools, suggesting they may just be "wrapper services" that redirect to legitimate AI models, the threat they pose is real and evolving. Organizations need to be prepared for a future where cybercriminals are increasingly leveraging AI for malicious purposes.

Exploit Released for Critical VMware SSH Auth Bypass Vulnerability

A critical SSH authentication bypass vulnerability has been identified in VMware's Aria Operations for Networks, previously known as vRealize Network Insight. The flaw, designated as CVE-2023-34039, was discovered by security analysts at ProjectDiscovery Research and has been patched by VMware. The vulnerability allows remote attackers to bypass SSH authentication on unpatched appliances and gain access to the tool's command line interface (CLI).

The root cause of this issue lies in hardcoded SSH keys that VMware forgot to regenerate. This oversight makes it possible for attackers to execute low-complexity attacks without requiring user interaction. A proof-of-concept (PoC) exploit targeting versions 6.0 to 6.10 of the software has been released by Summoning Team vulnerability researcher Sina Kheirkhah.

This vulnerability is particularly alarming because it comes on the heels of another arbitrary file write vulnerability (CVE-2023-20890) that could allow attackers to gain remote code execution after obtaining admin access. Given the severity and the release of the PoC exploit, it is crucial for administrators to apply the necessary security patches immediately to prevent potential attacks.

Share This Post

Check out these related posts

Brief #83: TP-Link Ban, LastPass Breach Impact, SOC Analyst Crisis

  • Nikoloz Kokhreidze
by Nikoloz Kokhreidze | | 9 min read

Brief #82: Apple iCloud Vulnerability, Cloud Security Skills Gap, SolarWinds ARM Flaw

  • Nikoloz Kokhreidze
by Nikoloz Kokhreidze | | 9 min read

Brief #81: OpenAI Container Risks, Cloudflare Tunnel Attacks, AWS IR Service Launch

  • Nikoloz Kokhreidze
by Nikoloz Kokhreidze | | 9 min read