FritzFrog Botnet is Back, Spreads with Exploitation of Web Vulnerabilities

The research from Akamai Labs uncovers a version of FritzFrog malware, armed with a set of exploitation capabilities. In the report they pay a lot of attention to its Log4Shell vulnerability exploitation, which is performed in a rather unusual manner. Upon the discovery of this flaw, all corporations were concentrated on patching main elements of the network infrastructure. At the same time, all the internal network components based off the Apache’s Log4j were mostly ignored, as they are less likely to be attacked. Well, until now.

By abusing the lack of input sanitization during logging, FritzFrog is able to make the target to execute the arbitrary code. Prior to it, malware scans for the vulnerable network assets by searching on ports 9000, 8090 and 8888. To make the vulnerable app instance execute the malicious code, malware spams it with HTTP requests with the said code injected into the request header. This way, the threat ensures that at least one command will make its way to the logs and will be further executed.

Aside from the Log4Shell flaw, the malware also gained the ability to exploit the PwnKit – a flaw in polkit, the privileges control utility present in the majority of Linux distributions. Abusing this flaw, FritzFrog makes itself run with highest privileges possible, shall it detect less than max privileges level assigned upon execution.

What is FritzFrog?

FritzFrog is a rather old malware sample, which has been traced since March 2020. Being a peer-to-peer botnet tool, it quickly gained a significant number of attacks. Though all this rapid success was only to cease the activity in September 2020. In December of the same year it resurrected with even more violent activity – and appears to be active ever since.

Since its first days, it was using SSH brute forcing for self-propagation. It is actually surprising how many hosts open to Internet connections have weak login credentials even today. After the successful exploitation, FritzFrog was starting to scan thousands of other IP addresses, seeking for other weakly protected servers. Aside from self-propagation, the malware is capable of delivering other malware, providing remote access to the infected environment, and performing DDoS attacks.

Protection Against SSH-Targeting Malware

Besides having a rather unique spreading approach, FritzFrog infection vectors are nothing new. Attacking weakly protected servers through brute forcing is a several-decades-old tactic, and both of the vulnerabilities are from 2021. Patches for both flawed software packages are available – update them, and FritzFrog will have much less chances to get in, along with other software.

Methods to counteract SSH brute force are well known and easy to implement, too. Either set the instances to accept only trusted connections, or make them work on a different port. Strong passwords will add to overall security, but will not solve the server overload due to the enormous amount of login requests during a brute force attack. All security measures should work together – this makes them much more effective.

The post New FritzFrog Botnet Sample Exploits Log4Shell and PwnKit appeared first on Gridinsoft Blog.

Now that OpenSSL 3.0.7 has been officially released, it turned out that fixes were released for two serious vulnerabilities at once, and the critical bug rating was revised, and it is no longer considered as such.

Version 3.0.7 fixed two vulnerabilities at once (CVE-2022-3602 and CVE-2022-3786) affecting OpenSSL versions 3.0.0 and higher (from 3.0.0 to 3.0.6).

Critical status should have been CVE-2022-3602, which is an arbitrary 4-byte stack buffer overflow that can cause crashes or lead to arbitrary code execution (RCE).

Ultimately, this vulnerability was rated high severity since according to the rules, a critical bug should affect widespread configurations, and only instances of OpenSSL 3.0 and later are vulnerable to CVE-2022-3602.

The second issue, CVE-2022-3786, can be exploited by a potential attacker through malicious email addresses and is capable of causing a denial of service through a buffer overflow.

Despite the assurances of the developers, some information security experts and vendors were quick to equate the discovery of a vulnerability in OpenSSL with the sensational Log4Shell problem, discovered in 2021 in the Log4J library.

Bleeping Computer notes that such a panic is premature: according to Censys, only about 7,000 systems running vulnerable versions of OpenSSL can be found on the network (among more than 1,793,000 unique hosts), and according to Shodan, there are about 16 such instances.

Cloud security company Wiz.io analysed deployments in major cloud environments (such as AWS, GCP, Azure, OCI, and Alibaba Cloud) and also reports that only 1.5% of all OpenSSL instances are affected by the latest vulnerability.

A separate page dedicated to CVE-2022-3602 and all related data was launched by well-known information security expert Marcus Hutchins. He explains that the problem occurs when validating an X.509 certificate and can be used to execute code using a malicious TLS certificate remotely. However, exploitation requires the malicious TLS certificate to be signed by a trusted CA.

The National Cybersecurity Center of the Netherlands has already begun compiling a list of products that are either affected or not affected by the latest bug.

It is worth saying that Akamai analysts have classified Redhat Enterprise Linux 9, Ubuntu 22.04+, CentOS Stream9, Kali 2022.3, Debian 12 and Fedora 36 distributions as vulnerable. The company’s experts have already published OSQuery and YARA rules that should help security specialists detect vulnerable products.

The post OpenSSL Patches Released and Critical Vulnerability Turns Out to be Not So Critical appeared first on Gridinsoft Blog.

Let me remind you that we also wrote that the Chinese hack group Aquatic Panda exploits Log4Shell to hack educational institutions.

Issue CVE-2022-42889 was disclosed earlier this week. Apache Commons Text is an open-source Java library for manipulating character strings. And back in March 2022, GitHub Security Lab expert Alvaro Muñoz discovered that the library was vulnerable to an RCE vulnerability related to unreliable data handling and variable interpolation.

Apache Commons developers last week, with the release of version 1.10.0, where the problematic interpolators were disabled.

Since many developers and organizations use Apache Commons Text, and the vulnerability even affects versions of the library released back in 2018, some experts warned that the problem could become a new Log4Shell. As a result, CVE-2022-42889 was named Text4Shell or Act4Shell, but it soon became clear that such concerns were most likely unnecessary.

In particular, analysts from Rapid7 published their analysis of the problem. They explained that not all library versions from 1.5 to 1.9 are vulnerable, and the potential for exploitation is associated with the version of the JDK used. They also note that it is not entirely correct to compare the new vulnerability with Log4Shell.

The researchers tested the PoC exploits on various versions of the JDK, and it worked without warning only on versions 9.0.4, 10.0.2, and 1.8.0_341. However, it should be noted that an updated PoC exploit has already been presented that works on all vulnerable versions, and it turned out that JDK 15+ versions are also affected by the bug.

Sophos experts also agreed with colleagues’ point of view, who said that the vulnerability is dangerous, but at present, it is not as easy to use it on vulnerable servers as Log4Shell. And even Munoz himself, who discovered the bug, also explained that, despite the similarity to Log4Shell, the new vulnerability is likely to be widespread and much less dangerous.

This is also the opinion of the Apache security team, who stated that the scale of the problem is not comparable to Log4Shell, and string interpolation is a documented feature. That is, it is unlikely that applications using the library will inadvertently pass unsafe input without validation.

However, despite all these reports of specialists, Defiant analysts warned that hackers have already begun to exploit CVE-2022-42889. The company has monitored 4,000,000 sites since the issue was disclosed (October 17) and now reports that it has detected hacking attempts that originate from approximately 40 IP addresses and began on October 18. So far, it is only about intelligence.

It should also be noted that the Apache Commons Text library remains vulnerable even after updating to version 1.10.0, and the exploitation of the problem “depends on how it is used and there are no guarantees in the unsafe use of the library inside your product or a borrowed package.”

The post New Vulnerability in Apache Commons Text Is Already Being Attacked by Hackers appeared first on Gridinsoft Blog.

The patch can be used to escape the container and escalate privileges, allowing an attacker to take control of the underlying host.

Let me remind you that in December last year, shortly after cybersecurity researchers alarmed about problems in Apache Log4j, Amazon released emergency patches that fix bugs in various environments, including servers, Kubernetes, Elastic Container Service (ECS) and Fargate. The purpose of hotpatches was to quickly fix vulnerabilities while system administrators transited their applications and services to a secure version of Log4j.

Let me also remind you that soon after the discovery of vulnerabilities, real attacks on the Log4Shell were recorded. Moreover, the experts also found out that the Chinese hack group Aquatic Panda exploits Log4Shell to hack educational institutions.

However, as Palo Alto Networks has now found out, the patches were not very successful and could, among other things, lead to the capture of other containers and client applications on the host.

The experts showed a video demonstrating an attack on the supply chain with the malicious container image and usage of an earlier patch. Similarly, compromised containers can be used to “escape” and take over the underlying host. Palo Alto Networks decided not to share details about this exploit yet, so that attackers could not use it.

In the next step, elevated privileges could be used by a malicious java process to escape the container and take full control of the compromised server.

Users are advised to update to the corrected version of the hotpatch as soon as possible in order to prevent exploitation of related bugs.

The post Amazon Patch for Log4Shell allowed privilege escalation appeared first on Gridinsoft Blog.

The problem was originally discovered while catching bugs on Minecraft servers, but the Log4j library is present in almost all corporate applications and Java servers. For example, it can be found in almost all enterprise products released by the Apache Software Foundation, including Apache Struts, Apache Flink, Apache Druid, Apache Flume, Apache Solr, Apache Kafka, Apache Dubbo. Log4j is also actively used in open-source projects such as Redis, Elasticsearch, Elastic Logstash or Hydra.

I also said that Log4j vulnerability threatens 35,000 Java packages.

Thus, companies using any of these products are also indirectly vulnerable to attacks on Log4Shell, although they may not even know about it. Information security experts immediately warned that the solutions of such giants as Apple, Amazon, Twitter, Cloudflare, Steam, Tencent, Baidu, DIDI, JD, NetEase, and probably thousands of other companies could be vulnerable to Log4Shell.

It was previously revealed that the first patch for the original problem CVE-2021-44228 (version 2.15) only introduced a new RCE vulnerability CVE-2021-45046 to Log4j, which received 9 points out of 10 on the CVSS vulnerability rating scale.

Because of this, administrators were strongly advised to use only the current version 2.16 and follow further developments on the Log4j update page. The fact is that in Log4j version 2.15, two more less dangerous vulnerabilities were found (CVE-2021-4104 and CVE-2021-42550), which were also eliminated only with the release of version 2.16.

Unfortunately, version 2.16 didn’t last long either. Last weekend, Log4j version 2.17 was released, as a serious denial of service (DoS) issue was detected in the last release, which received the identifier CVE-2021-45105 (7.5 on the CVSS scale). The bug is related to the fact that Log4j does not always protect against infinite recursion during lookup evaluation.

At the same time, experts urge not to panic and not to rush to abandon the use of Log4j at all.

The post Another vulnerability found in Log4j, this time it is a denial of service appeared first on Gridinsoft Blog.

The patch was released as part of the 2.15.0 release.

The vulnerability was named Log4Shell and scored 10 out of 10 points on the CVSS vulnerability rating scale. The bug allows remote arbitrary code execution (RCE). Yesterday’s information security researcher aggravated the problem, p0rz9 published a PoC exploit on Twitter, and the vulnerability can be exploited remotely, and this does not require special technical skills.

The problem was originally discovered while searching for bugs on Minecraft servers, but Log4j is present in almost all corporate applications and Java servers. For example, the library can be found in almost all enterprise products the Apache Software Foundation released, including Apache Struts, Apache Flink, Apache Druid, Apache Flume, Apache Solr, Apache Flink, Apache Kafka, Apache Dubbo, and so on. Log4j is also actively used in various open-source projects, including Redis, ElasticSearch, Elastic Logstash, Ghidra, and others.

Thus, companies using any of these products are also indirectly vulnerable to attacks on Log4Shell, but may even know about it. Information security specialists already report that solutions of giants like Apple, Amazon, Twitter, Cloudflare, Steam, Tencent, Baidu, DIDI, JD, NetEase, and probably thousands of other companies may be vulnerable to Log4Shell.

p0rz9 wrote that CVE-2021-44228 could only be exploited if the log4j2.formatMsgNoLookups parameter is set to false. KnownSec 404 Team reports that Log4j 2.15.0 has set this parameter to true to prevent attacks. Log4j users who have upgraded to version 2.15.0 and then set the flag to false will again be vulnerable to attacks.

Moreover, Log4j users who have not updated, but have set the flag to true, will still be able to block attacks even on older versions.

Unfortunately, this also means that all older versions are at risk, where this parameter is set to false by default. That is, all previous releases of Log4j, starting with 2.10.0, are vulnerable.

According to experts from Bad Packets and Greynoise, several cybercriminals are already scanning the network in search of applications that may be vulnerable to Log4Shell, which means that there is almost no time left to install patches.

Let me remind you that I also talked about the fact that the IIS bug with worm potential poses a threat to WinRM servers.

The post 0-day In Log4j Library Poses A Threat To Many Applications & Servers appeared first on Gridinsoft Blog.