Ransomware/Malware Activity
New Evasive Linux Rootkit Activated Using "Magic Packets"
A new Linux rootkit dubbed "Syslogk" has been discovered by Avast security researchers. It was first identified due to its reuse of an old open-source rootkit known as "Adore-Ng," which targets Linux 2.x and 3.x kernels. Rootkit malware is much more complicated to write than ordinary malicious code, so it is typically attributed to highly experienced threat actor developers; less-sophisticated threat actors instead reuse code found in open-source repositories such as GitHub to compensate for their lack of experience. Syslogk was built against these older kernels and thus cannot be run on up-to-date systems. The rootkit was also linked to the "Rekoobe" malware family, which is known for its ability to pose as a legitimate SMTP server. This allows the malware to hide as a common, legitimate service that cannot be distinguished from a real one through a simple port scan. Once a specifically crafted "magic" packet is received, the Rekoobe backdoor payload starts, allowing full access to the victim machine through a command-line interface. The malware author has also implemented a remote shut-off that kills the backdoor to hide it on the network. The kill switch has multiple safeguards that prevent unauthorized users from shutting down the connection, such as a hardcoded key. Syslogk is early in its development, and it is unclear whether it will become a widespread threat or remain a targeted malware strain. Its highly evasive nature makes further development likely, adding more features and potentially updating it to target newer Linux kernels and distributions.
New Linux Malware Symbiote Targets Financial Sector in Latin America
"Symbiote," an emerging malware first detected in November 2021, has been observed by BlackBerry and Intezer researchers targeting Linux systems of financial organizations across Latin America. The main goal of the malware is to "capture credentials and to facilitate backdoor access to a victim's machine," and the researchers detailed that Symbiote "infects running processes rather than using a standalone executable file to inflict damage." Symbiote leverages the Linux "LD_PRELOAD" mechanism (previously abused by "Pro-Ocean" and "Facefish") in order to be loaded by the system's dynamic linker into all running processes, hiding its presence on the file system. The malware also cloaks its network traffic by abusing the system's extended Berkeley Packet Filter (eBPF) feature, "injecting itself into an inspection software's process and using BPF to filter out results that would uncover its activity." Once this injection is complete, Symbiote enables its rootkit functionality to further hide its existence on the compromised system and to create a backdoor for persistence as well as privileged command execution by the operators. The malware was also observed storing harvested credentials in encrypted files disguised as C header files. These abilities provide a high level of stealth and earned the malware the tagline "nearly-impossible-to-detect," with the researchers emphasizing that "performing live forensics on an infected machine may not turn anything up since all the file, processes, and network artifacts are hidden by the malware." It is not currently known whether this malware is being used in highly targeted or large-scale attacks, but CTIX analysts will provide an update if evidence is provided in the future. A further in-depth analysis of Symbiote as well as indicators of compromise (IOCs) can be viewed in BlackBerry's report linked below.
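The report says a preload-based implant must touch two places on a host: /etc/ld.so.preload and the LD_PRELOAD variable in each process environment, plus the shared objects it maps into processes. The following hunting script is an added example written for this summary, not code from the BlackBerry/Intezer report; the trusted-directory allowlist is an assumption to tune per host. If the inspecting process itself has a hooked libc, these reads can be filtered, which is exactly the "nearly impossible to detect" problem, so run it from a static binary or against an offline disk image.

```python
"""Hunt for LD_PRELOAD-style injection indicators on a Linux host (added example)."""
from pathlib import Path

# Assumed allowlist: directories legitimate shared objects are normally mapped from.
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/",
                    "/usr/local/lib/", "/snap/", "/opt/", "/nix/")


def parse_environ(raw: bytes) -> dict:
    """Parse the NUL-separated /proc/<pid>/environ format into a dict."""
    env = {}
    for entry in raw.split(b"\x00"):
        if b"=" in entry:
            key, _, value = entry.partition(b"=")
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def suspicious_mapped_libs(maps_text: str) -> list:
    """Return .so paths from /proc/<pid>/maps data that live outside trusted dirs."""
    found = set()
    for line in maps_text.splitlines():
        fields = line.split(maxsplit=5)  # addr perms offset dev inode [path]
        if len(fields) < 6:
            continue  # anonymous mapping, no backing file
        path = fields[5]
        if ".so" in path and not path.startswith(TRUSTED_LIB_DIRS):
            found.add(path)
    return sorted(found)


def scan_host(proc_root: str = "/proc") -> list:
    """Collect findings from a live host as (pid, indicator, detail) tuples."""
    findings = []
    preload = Path("/etc/ld.so.preload")
    if preload.exists():  # should normally be absent or empty
        findings.append((0, "ld.so.preload", preload.read_text(errors="replace").strip()))
    for entry in Path(proc_root).iterdir():
        if not entry.name.isdigit():
            continue
        try:
            env = parse_environ((entry / "environ").read_bytes())
            maps = (entry / "maps").read_text(errors="replace")
        except (PermissionError, FileNotFoundError, ProcessLookupError):
            continue  # process exited or not ours to read; run as root for coverage
        if "LD_PRELOAD" in env:
            findings.append((int(entry.name), "LD_PRELOAD", env["LD_PRELOAD"]))
        for lib in suspicious_mapped_libs(maps):
            findings.append((int(entry.name), "untrusted .so", lib))
    return findings


if __name__ == "__main__":
    for pid, kind, detail in scan_host():
        print(f"pid {pid}: {kind}: {detail}")
```

Cross-check the output against a listing taken outside the host (for example `ss -tnp` from a trusted static binary or a mounted image), since a hooked inspection process may hide exactly the entries you are looking for.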
Threat Actor Activity
Gallium Threat Actors Deploy New PingPull RAT on Compromised Devices
Chinese nation-state threat actors have been deploying a new remote access trojan (RAT) on compromised target networks over the past year. These espionage-driven threat actors are part of Gallium, a Chinese threat group responsible for targeting numerous high-profile entities across the telecommunications, financial, and government sectors. Over the past year, Gallium threat actors have been targeting telecommunication entities throughout Australia, Vietnam, Mozambique, Malaysia, Cambodia, Afghanistan, and elsewhere. Once a device is compromised, the threat actors deploy the "PingPull" malware, which comes in three variants named for the protocol used for command-and-control communication: ICMP, TCP, and HTTPS. Each variant lets the threat actors communicate stealthily with compromised devices over its protocol, and the malware runs as a program disguised as a legitimate service, which discourages users from terminating it. Commands issued between actor-controlled command-and-control (C2) nodes and the compromised device include listing files, reading/writing/deleting files, enumerating storage volumes, and executing additional commands from the terminal.
Vulnerabilities
Microsoft Adds New Safeguards that Officially Mitigate the "SynLapse" Azure Vulnerability
UPDATE to 5/10/2022 FLASH UPDATE: Microsoft has added security patch improvements recommended by Orca Security researchers to a critical command injection vulnerability originally fixed in April 2022, dubbed “SynLapse.” This flaw impacts the Azure cloud platform’s Data Factory and Synapse Pipelines and, if exploited, could allow an attacker running jobs in these environments to perform remote code execution (RCE) across the shared Integration Runtime (IR). Successful exploitation allows malicious attackers to pilfer sensitive data like service certificates/keys, passwords, and API tokens, allowing for a complete takeover of other tenants’ Synapse cloud environments. The flaw, tracked as CVE-2022-29972, specifically exists in the third-party Open Database Connectivity (ODBC) driver utilized for establishing a connection with Azure Data Factory and Azure Synapse Pipelines. Although this flaw was patched in April, cybersecurity researchers were quickly able to repeatedly bypass the security fixes, forcing Microsoft to urge customers to implement a manual mitigation technique alongside the patch by configuring a Managed Virtual Network isolating their workspaces from the internet. At this time, Microsoft has incorporated two (2) permanent safeguards which mitigate threat actor workarounds. The first safeguard is placing the shared IRs within ephemeral sandboxed VMs so that, even if an attacker successfully executes code, it would never be shared between two (2) tenants and would prevent the attacker from being able to access the sensitive data. The second safeguard is to limit access to the internal management server API by using scoped tokens, which would prevent threat actors from using the certificate to elevate their privileges and, in turn, prevent access to other tenants’ information. CTIX analysts urge all Data Factory and Synapse users to update to the latest stable version immediately.
The Ankura semi-weekly Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The following is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high-level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to Flash (flash@ankura.com) if additional context is needed.
© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.