Linux Archives – Gridinsoft Blog
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.

XZ Utils Backdoor Discovered, Threatening Linux Servers
https://gridinsoft.com/blogs/xz-utils-backdoor-linux/ – Tue, 02 Apr 2024 09:32:10 +0000

The post XZ Utils Backdoor Discovered, Threating Linux Servers appeared first on Gridinsoft Blog.

A backdoor in the liblzma library, part of the XZ data compression tool, was discovered by Andres Freund. A distribution maintainer noticed a half-second delay in the updated version, which eventually led him to the flaw. The latter appears to be the brainchild of one of the new XZ maintainers, who pulled off an outstandingly sophisticated supply chain attack.

Backdoor in XZ Compromised Numerous Linux Systems

The story around the backdoor in the XZ data compression tool is nothing short of remarkable, from both ends, and may well end up on screen someday. A contributor under the nickname Jia Tan had been working his way toward project administrator status since 2021. As any tech-savvy open-source user would, he started by offering bug fixes and new features. Allegedly by filing a huge number of bug reports, he pushed the project manager into seeking an aide, with Jia being the best candidate at that moment.

Jia Tan GitHub
JiaTan’s account on GitHub

This long road was needed to hide a tiny, deeply concealed backdoor (CVE-2024-3094) that is not even present in the public GitHub repository. The catch actually hides within the version that goes to dependent projects, mainly major Linux distributions. The files that initiate the backdoor are disguised as test files. This explains why it took so long: to avoid detection, Jia Tan had to add each piece gradually, making it look like routine development. A proper special operation, one may say.

XZ Utils backdoor

The resulting flaw allowed unauthenticated SSH access to any machine. The only conditions are the infected XZ package and SSH being in use. This, in turn, endangers thousands of servers that system administrators commonly connect to through this protocol. Linux is the backbone of cloud servers, and such backdoor access effectively means leaking all the data they store.

More of the special-operation flavor surfaced during the ongoing investigation. Shortly after Jia pushed the malicious changes, numerous requests to update XZ popped up in the feedback hubs of different Linux distributions. Investigators suppose that either Jia Tan or his associates posted these comments. Some of the distros complied and pulled the infected version, effectively installing the malware into their product.

How Was It Discovered?

The way the backdoor was discovered, on the other hand, sounds more like a miracle. Andres Freund, the developer, noticed that SSH authentication was taking 500ms longer than usual. The operation also started consuming more CPU than it used to, which prompted Andres to search for a new bug. The search quickly led him to the updated XZ version, and consequently to the backdoor built into it.

Andres Freund published his notification regarding the malicious changes on March 29, 2024. It is still unclear how long these changes were live, but Linux distributions had been shipping them in release versions since early March. Among them are the following distros and versions:

Kali: all versions after March 26
Arch: all versions after 2024.03.01; VM images 20240301.218094 and later
Alpine: 5.6 versions before the 5.6.1-r2 update
Debian: only unstable versions, from 5.5.1-alpha-01 to 5.6.1
openSUSE: all Tumbleweed and MicroOS versions released between March 7 and March 28, 2024
Red Hat: Fedora Linux Rawhide and Fedora Linux 40

Mitigations and Fixes

Upon discovering the backdoor code, the project maintainers instantly took down the GitHub repository, though further research showed this was unnecessary. As mentioned above, the malicious code was hidden in test files of the version that goes to dependent projects such as distributions. This, however, did not make the task any easier.

Together with the developers and maintainers of the affected distros, Andres Freund compiled both the list of affected versions and the possible mitigations. Users should downgrade to a version that does not contain the malicious code, or upgrade to one where it has already been removed. At the same time, the investigation continues, as this supply chain attack may have more severe effects.
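A quick way to act on that advice is to check which liblzma a host actually has and whether its SSH daemon loads it. The script below is an added example written for this article, not code from the post or from the XZ project. It assumes that the two upstream releases carrying the backdoor are 5.6.0 and 5.6.1 and that a rebuilt distribution package with a fixed revision suffix (such as Alpine's 5.6.1-r2 above) must be confirmed through the package manager, since the base version alone does not distinguish it. The sample command outputs are constructed.

```python
"""Check whether a host's liblzma falls in the backdoored range and whether
sshd loads it. Added example, not the article's or the XZ project's code."""
import re
import shutil
import subprocess

# Assumption: the two upstream releases that shipped the backdoor.
BACKDOORED_VERSIONS = {(5, 6, 0), (5, 6, 1)}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str):
    """Return (major, minor, patch) from strings like '5.6.1' or '5.6.1-r2'.
    Distribution suffixes are deliberately ignored here; see the lead-in."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(x) for x in m.groups())


def liblzma_version_from_output(output: str):
    """Extract the liblzma version from `xz --version` output.
    The tool reports both the frontend and the library; the library is
    the component that carried the backdoor."""
    for line in output.splitlines():
        if line.lower().startswith("liblzma"):
            return parse_version(line)
    return parse_version(output)  # fall back to the first version seen


def is_backdoored_version(version) -> bool:
    return tuple(version) in BACKDOORED_VERSIONS


def sshd_links_liblzma(ldd_output: str) -> bool:
    """True if an `ldd sshd` listing shows liblzma being loaded (directly
    or via another library such as libsystemd)."""
    return any("liblzma" in line for line in ldd_output.splitlines())


def assess(xz_output: str, ldd_output: str) -> str:
    """Combine both checks into a one-line verdict."""
    ver = liblzma_version_from_output(xz_output)
    if not is_backdoored_version(ver):
        return "ok: liblzma %d.%d.%d is outside the backdoored range" % ver
    if sshd_links_liblzma(ldd_output):
        return "CRITICAL: backdoored liblzma %d.%d.%d and sshd loads it" % ver
    return "WARNING: backdoored liblzma %d.%d.%d installed; sshd does not load it" % ver


# Constructed sample outputs standing in for real command output.
SAMPLE_XZ_OUTPUT = "xz (XZ Utils) 5.6.1\nliblzma 5.6.1\n"
SAMPLE_LDD_OUTPUT = (
    "\tlinux-vdso.so.1 (0x00007ffd00000000)\n"
    "\tlibsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f0000000000)\n"
    "\tliblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f0000100000)\n"
)


def assess_live_host() -> str:
    """Run the real commands on this machine (Linux with xz and ldd installed)."""
    xz = subprocess.run(["xz", "--version"], capture_output=True, text=True).stdout
    sshd = shutil.which("sshd") or "/usr/sbin/sshd"
    ldd = subprocess.run(["ldd", sshd], capture_output=True, text=True).stdout
    return assess(xz, ldd)


if __name__ == "__main__":
    print(assess(SAMPLE_XZ_OUTPUT, SAMPLE_LDD_OUTPUT))
```

Run `assess_live_host()` on a server to get the verdict for the real binaries; the `ldd` check matters because sshd does not link liblzma itself on every distribution, so a backdoored library that no privileged network service loads is a lower-priority (but still mandatory) fix.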

Vmmem High Memory and CPU Usage
https://gridinsoft.com/blogs/vmmem-high-memory-and-cpu-solved/ – Fri, 16 Feb 2024 14:29:43 +0000

Vmmem, short for “Virtual Machine Memory“, is a process that indicates the resource utilization by virtual machines on your system. It operates in tandem with virtual machines and remains inactive without any virtual machine activity. However, suppose you observe high CPU and memory consumption by the vmmem process. In that case, your virtual machine is not configured correctly.

Vmmem Process Explained

The Vmmem process is commonly found on Windows 10/11 or Windows Server with Hyper-V enabled. The Windows Hypervisor Platform is the Windows feature that provides virtualization and lets users run virtual machines. Vmmem, also known as the Virtual Machine Memory process, represents the memory usage of the virtual machines running on the system. It helps allocate and manage the memory resources the virtual machines require, ensuring efficient utilization of the underlying hardware.

During the operation of virtual machines, vmmem.exe may consume CPU and memory resources. The amount of system resources allocated by vmmem.exe depends on the number and activity of the virtual machines running on the system. It is important to note that vmmem.exe is a legitimate Windows process, not a virus or malware. However, if you experience high CPU or memory usage attributed to vmmem.exe, it could indicate resource-intensive actions happening on virtual machines, or misconfigurations that need to be addressed.

What is the Vmmemwsl.exe process?

Vmmemwsl.exe is a stand-alone version of the original Vmmem process that handles the virtualization tasks related to the Windows Subsystem for Linux (WSL). Akin to the “classic” variant, it starts as soon as you start the virtual machine using WSL calls (WSL2 to be more specific). Such differentiation is needed due to the separate layer of compatibility with Linux machines that appeared in Windows back in 2016. You may need to run one during the development process or for testing purposes.

How to Resolve Vmmem High Memory and CPU Usage?

If you are using virtual machines and find the resource usage of vmmem.exe to be excessive, there are several options to try:

Restart WSL from Command Prompt

WSL (Windows Subsystem for Linux) is integral to Windows 10/11, offering a virtualization solution for users. Among the available options it is the most widely used one, so much so that Windows' built-in virtualization is almost synonymous with WSL. That said, it can occasionally contribute to the vmmem high usage issue due to improper setup or operational glitches.

As the most common troubleshooting advice goes, the first step to do in case of any problem is to reboot the thing. Restarting the VM can restore normal operations and fix the excessive memory usage. Here is how you can do it:

1. Open Command Prompt as an administrator by typing “cmd” in the search bar, right-clicking Command Prompt, and selecting “Run as administrator”.

start and cmd

2. Execute the following command to shut down WSL:

wsl --shutdown

shutdown command

3. If the command doesn’t work, open File Explorer, navigate to your user profile folder and create a new text file named .wslconfig there:

C:\Users\your-username\.wslconfig

Add the following lines to the file:

[wsl2]
guiApplications=false

4. Save the file and reboot your PC. Monitor vmmem’s RAM usage in Task Manager after the reboot. The actions above should stop the VM from running, so you won’t see it pop up again. If you still need Linux utilities, you can start WSL again at any time. If the issue persists, restart the WSL service from PowerShell as follows:

1. Search for Windows PowerShell in the start menu, right-click, and select “Run as administrator.”

Powershell

2. Execute the following command to restart the WSL service:

Restart-Service LxssManager

Restarting WSL service

Vmmemwsl.exe Process High CPU & Memory – Fix Guide

High system resource consumption by vmmemwsl.exe can be fixed with a few console commands. It is common to see the vmmemwsl process keep running even after the related environments have been shut down, and users complain about this process staying active regardless of their commands and actions. Let’s see how to stop it.

The first method I’ve picked is killing the process from the Command Prompt. It is likely the most effective one, as it handles even the problematic cases where the WSL process hangs and does not respond, which would otherwise require a system reboot.

Run Command Prompt with Administrator privileges. There, you need to find the ID of the vmmemwsl.exe process. Type the following command:

Tasklist /fo table

There, find the vmmemwsl process and copy its exact name. It may differ from one instance to another, so copying instead of direct typing makes the naming in the following command the most accurate:

TASKKILL /IM %paste_process_name_here% /F

This will stop the process immediately, without any confirmation or data saving. Open Task Manager to confirm that the issue is solved. The main downside of this effective method is that it skips the data-saving and shutdown procedures that help avoid errors or malfunctions. If vmmemwsl.exe stopped responding and you have unsaved data you are not willing to sacrifice, try the other method.

The other method is a graceful shutdown of WSL through a PowerShell command. Run PowerShell as administrator and type the following command:

wsl --shutdown

In this case, shutdown will happen in a normal order, but if something is wrong with the deep VM config, the method may not work. On the other hand, it saves data, so it is always worth trying.

Adjust Virtual Machine Memory Allocation

High CPU and memory usage by vmmem may result from excessive RAM allocation to virtual machines. Adjusting virtual machine settings can help mitigate this issue. To configure RAM for a virtual machine on Hyper-V, please open Hyper-V Manager. In the list of virtual machines, select the desired VM. Then right-click the VM and select “Settings”.

Hyper V settings

In the left pane, select “Memory”. Next, in the “RAM” field, enter the desired amount of memory.

(Optional) Enable dynamic memory:

Select the “Use dynamic memory” checkbox.

Hyper V RAM settings

Enter the minimum and maximum amount of memory and click “OK”.

Disable Running Virtual Machines

If previous methods fail to address vmmem high memory usage on Windows 10, consider terminating running virtual machines.

1. Open Windows PowerShell as an administrator by searching for “powershell” in the search bar and running it as an administrator.

2. Execute the following command to display a list of running virtual machines:

wsl -l -v

Running vm list

3. Identify the running virtual machines and terminate them using the following command:

wsl -t kali-linux

Note: Replace “kali-linux” with the name of the running virtual machine on your system.

If you’re not using virtual machines actively but experiencing excessive resource usage from vmmem.exe, you have a few options:

    Stop or suspend virtual machines. You can free up system resources when not using specific virtual machines by stopping or suspending them through virtualization management software or the Hyper-V Manager in Windows.

    Disable Hyper-V. If you aren’t using any virtualization features or virtual machines on your system, consider disabling Hyper-V to prevent vmmem.exe from running and using system resources. This process requires administrative privileges and can be done by accessing the “Turn Windows features on or off” settings.

It’s essential to consider the impact on virtual machines before reducing or disabling vmmem.exe, as it may affect their functionality or performance. So, assess your specific requirements before making adjustments.

Shim Bootloader Vulnerability Affects Linux Systems
https://gridinsoft.com/blogs/shim-bootloader-vulnerability/ – Fri, 09 Feb 2024 09:01:59 +0000

Researchers have identified a critical vulnerability in Shim, a widely used Linux bootloader. It could allow attackers to execute malicious code and take control of target systems before the kernel is even loaded. This is a significant concern because code running at that stage bypasses the security mechanisms that the kernel and the operating system normally enforce.

What is a Shim Bootloader?

Shim serves as a small, open-source bootloader, crucial for facilitating the Secure Boot process on computers leveraging the Unified Extensible Firmware Interface (UEFI). It is signed with a Microsoft key, which is widely accepted by UEFI motherboards to verify the boot process’s integrity.

The vulnerability, discovered by Microsoft’s Bill Demirkapi, is found in Shim’s handling of HTTP boot operations. It allows for out-of-bounds write operations through manipulated HTTP responses.

Shim RCE Vulnerability Uncovered

The exploitation of CVE-2023-40547 (CVSS score: 9.8) involves creating specially crafted HTTP requests that lead to an out-of-bounds write. This flaw can be exploited in various ways, including remote code execution, network-adjacent, and local attacks. For instance, a remote attacker could intercept HTTP boot traffic through a Man-in-the-Middle attack. Meanwhile, a local attacker could modify EFI variables or use a live Linux USB. These actions could alter the boot process and allow the execution of privileged code.

The ability to execute code before the operating system loads presents a significant threat. It allows attackers to deploy stealthy bootkits that can undermine the security of the compromised system. This level of access grants attackers the ability to bypass traditional security controls and maintain persistent, undetected presence on the affected system.

Red Hat Fixes Shim RCE Flaw

In response to this vulnerability, Red Hat issued a fix on December 5, 2023. Users of Shim, including major Linux distributions like Red Hat, Debian, Ubuntu, and SUSE, are urged to update to the latest version of Shim (v15.8), which addresses CVE-2023-40547 and other vulnerabilities. Additionally, users must update the UEFI Secure Boot DBX (revocation list). This update is necessary to prevent the execution of vulnerable Shim versions, while the patched version is signed with a valid Microsoft key.

[Figure: applying a DBX update on Linux; command to update DBX (source: Eclypsium)]

Linux is becoming an increasingly viable target for different malware families. It has been prominent in APT attacks for quite some time, as it is the backbone of server infrastructure. However, over the last few years a growing amount of Linux malware in the form of ransomware, spyware and rootkits has appeared, which is a rather worrying trend. A vulnerability like the one I’ve described above is nothing to mess around with: it may and will be exploited, sooner or later.

Apache ActiveMQ Vulnerability Exploited In The Wild
https://gridinsoft.com/blogs/apache-activemq-vulnerability-exploited/ – Mon, 20 Nov 2023 16:38:47 +0000

A recent Apache ActiveMQ vulnerability that allows remote code execution is reportedly being exploited in real-world attacks. Analysts noticed several exploitation cases that used this vulnerability to infect Linux systems with Kinsing malware. It is a rare sight: a high-profile vulnerability being exploited to infect Linux machines exclusively.

Apache ActiveMQ Vulnerability Allows for RCE

Analysts from Trend Micro warn about active exploitation of an ActiveMQ vulnerability discovered back in late October 2023. CVE-2023-46604 allows remote code execution due to a failure in class type validation. As is typical for RCE vulnerabilities, it received a high CVSS score of 9.8/10. Apache warned its clients and released fixes, along with recommendations regarding the supplementary software involved in successful exploitation.

Despite the company’s fast reaction, hackers managed to start using this vulnerability for malicious purposes. As usually happens, companies hesitate over updates, especially when the flaw is not being exploited at the moment. And it is completely understandable: for the large corporations that are ActiveMQ’s main users, installing updates is always a pain in the neck. But now there is a chain of successful exploitations, a strong incentive to get the latest software version.

ActiveMQ Vulnerability Exploited in the Wild

As the same research says, the known exploitation cases were aiming at the installation of Kinsing malware. This Linux threat is also known under the name of h2miner – which already says enough about its capabilities. Aside from Kinsing, hackers were using another, unnamed miner. Other reports say that CVE-2023-46604 exploitation is primarily done by the threat actor that stands behind HelloKitty ransomware.

Greynoise ActiveMQ
Number of scans for ActiveMQ instances through the last months. Data by Greynoise.io

Still, the 9.8 score for this vulnerability is not just to scare people. Being an RCE vulnerability, it can help with delivering any other malware to the target environment, depending on the wish of the attacker. It is great luck that the detected exploitation cases were mostly related to coin miners. There is always a chance that the very next attack will introduce ransomware, spyware, or their mix.

Available CVE-2023-46604 Mitigations

Back on October 24, 2023, Apache released a set of recommendations for ActiveMQ users. The main one was to update the brokers to versions where the flaw is patched.

List of versions with the vulnerability fixed:

Classic
  • 5.15.16
  • 5.16.7
  • 5.17.6
  • 5.18.3
Artemis
  • 2.31.2

The company offers no temporary mitigations, so there is no way around patching. However, several other approaches will give you better protection against exploitation.

Extended Detection and Response solutions (XDR) are the cornerstone of modern corporate cybersecurity. When joined by SOAR and SIEM systems, XDR allows detecting, stopping and blocking all further attempts of a cyberattack within the entire environment. Policies like zero trust will enhance protection against exploitation even further, weeding out attempts to use well-known and trusted software in the attack.

GameOver(lay) Vulnerabilities Endanger 40% of Ubuntu Users
https://gridinsoft.com/blogs/gameoverlay-vulnerabilities-ubuntu/ – Fri, 28 Jul 2023 21:36:59 +0000

Cloud security researchers have discovered two easily exploitable privilege escalation vulnerabilities called GameOver(lay) in the Ubuntu OverlayFS module. These vulnerabilities could affect 40% of Ubuntu users.

What is OverlayFS?

OverlayFS in Linux is a union file system used in Docker containers. Its function is to modify files without changing the base filesystem. OverlayFS allows one directory tree to be overlaid on top of another, with the lower tree accessed read-only. Changes are saved to the top layer, which makes it ideal for Live CDs and similar uses. Unlike other file systems, operations go straight to the underlying file system, resulting in a simple and efficient implementation.

However, it can also be a security risk, allowing users to perform unintended operations on other filesystems. Multiple vulnerabilities have been found in OverlayFS that use the same primitives to bypass basic Linux security restrictions. Ubuntu’s OverlayFS has significant flaws that allow the creation of executables that can escalate privileges to root. Researchers found it possible to craft an executable file with “scoped” file capabilities and trick the Ubuntu kernel into copying it to a different location with “unscoped” capabilities, granting anyone who executes it root-like privileges. The recently discovered Ubuntu vulnerability has the same flow as a 2020 Linux kernel vulnerability, and it is unclear how Ubuntu became vulnerable to an already addressed issue.

[Figure: how the GameOver(lay) OverlayFS attack works]

GameOver(lay) Vulnerabilities Set Up Ubuntu Users

Researchers have discovered two vulnerabilities in the Ubuntu Linux operating system that could grant attackers elevated privileges. The two bugs affect OverlayFS, a widely used Linux file system. The vulnerabilities are named GameOver(lay), are tracked as CVE-2023-2640 and CVE-2023-32629, and have a high CVSS score of 7.8. These issues are unique to Ubuntu, just one of the many Linux distributions: they stem from changes Ubuntu made in 2018 to its version of the OverlayFS module, specifically the setting of extended attributes that define user permissions. It is important to note that while these vulnerabilities are easy to exploit, they require local user access, which should limit the attack surface. Ubuntu patched the vulnerabilities on July 24, 2023, and users are strongly encouraged to update their kernels.

About CVE-2023-2640 and CVE-2023-32629

In simple terms, GameOver(lay) enables the creation of an executable file with scoped file capabilities and tricks the Ubuntu Kernel into moving it to a different location with unscoped capabilities. It allows anyone who runs it to gain root-like privileges. Here are two vulnerabilities summarized:

CVE-2023-2640 – In Ubuntu kernels with both c914c0e27eb0 and “UBUNTU: SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.* xattrs,” a non-privileged user can set privileged extended attributes on mounted files, causing them to be set on upper files without proper security checks.

CVE-2023-32629 – There is a local privilege escalation vulnerability in Ubuntu Kernels overlayfs ovl_copy_up_meta_inode_data, which skips permission checks when calling ovl_do_setxattr on Ubuntu kernels. GameOver(lay) allows an attacker to create an executable file with scoped file capabilities and trick the Ubuntu Kernel into copying it to a different location with unscoped capabilities, granting root-like privileges to anyone who executes it.
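The end state of both bugs is an executable whose security.capability extended attribute is unscoped, so one practical detection is a periodic sweep for capability-bearing files that are not on a known baseline. The script below is an added example written for this article, not code from the researchers or from Ubuntu. It assumes the on-disk layout of the security.capability xattr (a version-2 blob of 20 bytes with no root id, or a version-3 blob of 24 bytes whose last field is the user-namespace root id; root id 0 means the capability is unscoped and effective in the initial namespace) and a baseline path list that you should take from a clean reference image. The sample filesystem tree and blobs are constructed.

```python
"""Sweep for files carrying unscoped Linux file capabilities.
Added example, not the researchers' or Ubuntu's code."""
import os
import struct
from typing import Callable, Iterable, List, Optional

CAPABILITY_XATTR = "security.capability"
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_REVISION_2 = 0x02000000
VFS_CAP_REVISION_3 = 0x03000000

# Assumed baseline of files expected to carry capabilities on a clean host.
KNOWN_CAPABILITY_FILES = {"/usr/bin/ping"}


def capability_root_id(blob: bytes) -> int:
    """Return the user-namespace root id the capability blob is scoped to.
    Version 2 blobs have no root id and are always unscoped (root id 0);
    version 3 blobs carry it as the trailing 32-bit field."""
    magic = struct.unpack_from("<I", blob, 0)[0]
    revision = magic & VFS_CAP_REVISION_MASK
    if revision == VFS_CAP_REVISION_2 and len(blob) == 20:
        return 0
    if revision == VFS_CAP_REVISION_3 and len(blob) == 24:
        return struct.unpack_from("<I", blob, 20)[0]
    raise ValueError("unrecognised security.capability blob")


def is_unscoped(blob: bytes) -> bool:
    return capability_root_id(blob) == 0


def read_xattr_default(path: str, name: str) -> Optional[bytes]:
    """Real xattr read; Linux only, returns None when the attribute is absent."""
    try:
        return os.getxattr(path, name, follow_symlinks=False)
    except (OSError, AttributeError):
        return None


def find_unscoped_capability_files(
    root: str,
    read_xattr: Callable[[str, str], Optional[bytes]] = read_xattr_default,
    walker: Callable = os.walk,
) -> List[str]:
    """Walk `root` and return files whose capabilities apply in the initial namespace."""
    found = []
    for dirpath, _dirs, filenames in walker(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            blob = read_xattr(path, CAPABILITY_XATTR)
            if blob is not None and is_unscoped(blob):
                found.append(path)
    return sorted(found)


def unexpected(found: Iterable[str], allowlist=KNOWN_CAPABILITY_FILES) -> List[str]:
    """Capability files that are not on the baseline list."""
    return sorted(p for p in found if p not in allowlist)


def make_cap_blob(revision: int, permitted: int, root_id: int = 0) -> bytes:
    """Build a constructed security.capability blob (magic, two cap pairs, optional root id)."""
    body = struct.pack("<IIIII", revision, permitted & 0xFFFFFFFF, 0, permitted >> 32, 0)
    if revision == VFS_CAP_REVISION_3:
        body += struct.pack("<I", root_id)
    return body


# Constructed sample tree and xattrs standing in for a real filesystem.
CAP_NET_RAW = 1 << 13
SAMPLE_TREE = [("/usr/bin", [], ["ping", "ls"]), ("/tmp", [], ["shell", "tool"])]
SAMPLE_XATTRS = {
    "/usr/bin/ping": make_cap_blob(VFS_CAP_REVISION_3, CAP_NET_RAW, root_id=0),  # baseline, unscoped
    "/tmp/shell": make_cap_blob(VFS_CAP_REVISION_2, 0xFFFFFFFF),                   # v2, unscoped
    "/tmp/tool": make_cap_blob(VFS_CAP_REVISION_3, CAP_NET_RAW, root_id=100000),   # scoped to a userns
}


def sample_walker(root):
    return [entry for entry in SAMPLE_TREE if entry[0].startswith(root)]


def sample_read_xattr(path, name):
    return SAMPLE_XATTRS.get(path) if name == CAPABILITY_XATTR else None


def scan_sample() -> List[str]:
    return unexpected(find_unscoped_capability_files("/", sample_read_xattr, sample_walker))


if __name__ == "__main__":
    print(scan_sample())
```

On a live host call `find_unscoped_capability_files("/")` with the default readers (as root, and skipping pseudo-filesystems such as /proc) and diff the result against your baseline; a new unscoped capability file under a world-writable directory is exactly the artefact this class of bug produces.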

Information Security Experts Told About The Linux Malware Symbiote That Is Almost Undetectable
https://gridinsoft.com/blogs/linux-malware-symbiote/ – Fri, 10 Jun 2022 11:40:40 +0000

BlackBerry and Intezer specialists spoke about the new Symbiote Linux malware that infects all running processes on compromised systems, steals credentials and provides backdoor access to its operators.

Let me remind you that we also said that Google Offers up to $91,000 for Linux Kernel Vulnerabilities, and also that Experts list 15 most attacked Linux vulnerabilities.

Infiltrating all running processes, the malware acts as a system-wide parasite, leaving no noticeable signs of infection, so it is difficult to detect Symbiote even with careful and in-depth study.

Linux malware Symbiote

The development of Symbiote is believed to have started in November 2021, after which the attackers mainly used the malware to attack the financial sector in Latin America, including banks such as Banco do Brasil and Caixa.

“The main goal of Symbiote is to obtain credentials and facilitate backdoor access to the victim’s machine. What makes Symbiote different from other Linux malware is that it infects running processes rather than using a single executable to do damage,” the experts write.

Instead of a regular executable file, Symbiote is a shared object (SO) library that is loaded into processes through the LD_PRELOAD mechanism, so that the dynamic linker loads the malware into all running processes and infects the host. This approach was previously used by other malware, including Pro-Ocean and Facefish. It also gives the malware priority over other shared objects.

Thus, with the help of the libc and libpcap functions, Symbiote can perform various actions to hide its presence in the system. For example, hide parasitic processes, hide files deployed with malware, and so on.

In addition to hiding its presence in the file system, Symbiote is also able to hide its network traffic using the Berkeley Packet Filter (BPF). This is done by injecting malware into the process and using BPF to filter the results that reveal its activity.

“If an administrator runs a packet capture on an infected machine to examine suspicious network traffic, Symbiote will inject itself into the analytics software process and use BPF to filter the results that could help identify its activity,” the experts say.

According to the researchers, Symbiote is now mainly used to automatically collect credentials from hacked devices (via libc read). The fact is that the theft of administrator credentials opens the way for attackers to unhindered lateral movement and gives unrestricted access to the entire system.

In addition, Symbiote provides its operators with remote SSH access to the infected machine via PAM, which allows attackers to gain root privileges.

Linux malware Symbiote

“Because the malware works like a rootkit at the user-land level, it can be difficult to detect an infection. Network telemetry can be used to detect anomalous DNS queries, and security tools such as AV and EDR must be statically linked to ensure they are not ‘infected’ with a rootkit,” the researchers conclude.
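Two of the researchers' points translate directly into host checks: look for where a preloaded shared object could be configured, and confirm that the tools you bring onto a suspect host are statically linked. The script below is an added example written for this article, not code from BlackBerry or Intezer. It parses /etc/ld.so.preload, extracts LD_PRELOAD entries from a /proc/<pid>/environ blob, and tells a dynamically linked 64-bit ELF (one that has a PT_INTERP program header) from a static one by reading the ELF headers; it assumes the standard ELF64 little-endian layout and the sample file contents, environment blob and library paths are constructed.

```python
"""Preload hunting and static-linking check for Linux userland rootkits.
Added example, not the researchers' code."""
import os
import struct
from typing import Dict, List, Optional

PT_INTERP = 3


def parse_ld_so_preload(text: str) -> List[str]:
    """/etc/ld.so.preload holds whitespace/newline-separated library paths;
    '#' starts a comment. Anything listed here is loaded into every process."""
    libs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            libs.extend(line.split())
    return libs


def ld_preload_from_environ(data: bytes) -> List[str]:
    """Extract LD_PRELOAD entries from a NUL-separated /proc/<pid>/environ blob.
    The variable accepts ':' or whitespace as separators."""
    prefix = b"LD_PRELOAD="
    for entry in data.split(b"\0"):
        if entry.startswith(prefix):
            value = entry[len(prefix):].decode("utf-8", "replace")
            return [v for v in value.replace(":", " ").split() if v]
    return []


def preloads_by_pid(proc_root: str = "/proc") -> Dict[int, List[str]]:
    """Scan every process' environment on a live host (Linux, needs privilege)."""
    result = {}
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, name, "environ"), "rb") as fh:
                libs = ld_preload_from_environ(fh.read())
        except OSError:
            continue
        if libs:
            result[int(name)] = libs
    return result


def is_dynamically_linked(elf: bytes) -> Optional[bool]:
    """True if a 64-bit little-endian ELF has a PT_INTERP program header,
    False if it has none (statically linked), None if not such an ELF."""
    if len(elf) < 64 or elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        return None
    (_ident, _type, _machine, _version, _entry, phoff, _shoff, _flags,
     _ehsize, phentsize, phnum, _shentsize, _shnum, _shstrndx) = struct.unpack_from(
        "<16sHHIQQQIHHHHHH", elf, 0)
    for i in range(phnum):
        off = phoff + i * phentsize
        if off + 4 > len(elf):
            return None
        if struct.unpack_from("<I", elf, off)[0] == PT_INTERP:
            return True
    return False


def build_sample_elf(with_interp: bool) -> bytes:
    """Constructed minimal ELF64 image with zero or one PT_INTERP program header."""
    phnum = 1 if with_interp else 0
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)  # ELFCLASS64, little-endian, EV_CURRENT
    header = struct.pack("<16sHHIQQQIHHHHHH", ident, 2, 62, 1, 0, 64, 0, 0, 64, 56, phnum, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_INTERP, 4, 0, 0, 0, 0, 0, 1) if with_interp else b""
    return header + phdr


# Constructed samples standing in for real host data.
SAMPLE_LD_SO_PRELOAD = "# system preloads\n/usr/lib/libfoo.so.0\n/tmp/.x/libhidden.so\n"
SAMPLE_ENVIRON = b"PATH=/usr/bin\0LD_PRELOAD=/tmp/.x/libhidden.so:/lib/libc.so.6\0HOME=/root\0"


def findings() -> Dict[str, object]:
    """Run every check against the constructed samples."""
    return {
        "ld_so_preload": parse_ld_so_preload(SAMPLE_LD_SO_PRELOAD),
        "environ": ld_preload_from_environ(SAMPLE_ENVIRON),
        "dynamic_tool": is_dynamically_linked(build_sample_elf(True)),
        "static_tool": is_dynamically_linked(build_sample_elf(False)),
    }


if __name__ == "__main__":
    print(findings())
```

Read the real files with `open("/etc/ld.so.preload").read()` and `open(path, "rb").read()` on the investigation binary; a preload that a hooked libc hides from `ls` is still visible through a statically linked tool, which is why the last check matters.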

Vulnerabilities in Linux Allow Gaining Superuser Rights
https://gridinsoft.com/blogs/vulnerabilities-in-linux-allow-gaining-superuser-rights/ – Wed, 27 Apr 2022 18:08:49 +0000

A Microsoft specialist has discovered vulnerabilities in Linux systems, the exploitation of which allows quickly gaining superuser rights.

In total, two vulnerabilities were discovered (CVE-2022-29799 and CVE-2022-29800) and united under the common name Nimbuspwn.

The problems are found in the networkd-dispatcher component of many Linux distributions, which dispatches network status changes and can run various scripts in response to the new status. When the system boots, networkd-dispatcher starts with superuser rights.

By the way, we wrote that Google Offers up to $91,000 for Linux Vulnerabilities… hey, Microsoft guy, Google's money is here!

The discovered vulnerabilities combine directory traversal, a symbolic link race, and a TOCTOU (time-of-check to time-of-use) error. After examining the networkd-dispatcher source code, Microsoft researcher Jonathan Bar Or noticed that the “_run_hooks_for_state” function implements the following logic:

  • Finds the list of available scripts by calling the get_script_list method, which in turn calls a separate scripts_in_path method to return all files stored in the “/etc/networkd-dispatcher/<state>.d” directory.
  • Sorts the list of scripts.
  • Runs each script with a subprocess.Popen process and provides custom environment variables.

You might also be interested in the following information: Experts list 15 most attacked Linux vulnerabilities.

_run_hooks_for_state exposes Linux systems to a directory traversal vulnerability (CVE-2022-29799) because none of the functions it uses properly sanitizes the state value used to build the script path against malicious input. Attackers can use the vulnerability to escape the “/etc/networkd-dispatcher” directory.

Figure: flow-chart of the attack in three stages

_run_hooks_for_state also contains CVE-2022-29800, which exposes systems to a TOCTOU race condition because a certain amount of time elapses between enumerating the scripts and running them. An attacker could use that window to replace scripts that networkd-dispatcher believes belong to the root user with malicious ones.
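The two defects side by side, as an added illustration that is not networkd-dispatcher's code and not from the Microsoft write-up: vulnerable_script_dir reproduces the unchecked path join behind the traversal, and vetted_scripts shows the two fixes a hook runner needs, a strict state token and descriptor-based fstat() checks that close the check-then-use window. The hook directory, script names and the /tmp/outside-the-tree link target are constructed for the demo.

```python
import os, re, stat, tempfile

STATE_RE = re.compile(r"[a-z][a-z0-9-]*")  # plain tokens: "routable", "no-carrier", ...

def state_is_safe(state):
    """Reject anything but a plain token: no separators, no ".." components."""
    return STATE_RE.fullmatch(state) is not None

def vulnerable_script_dir(root, state):
    """Pattern behind CVE-2022-29799: the state goes into the path unchecked,
    so a state such as "../../tmp/evil" leaves `root`."""
    return os.path.normpath(os.path.join(root, f"{state}.d"))

def vetted_scripts(root, state, owner_uid=0):
    """Hardened lookup: the directory and every file are opened by descriptor
    with O_NOFOLLOW and checked with fstat(), so what was checked is what a
    runner would execute (no TOCTOU window of the CVE-2022-29800 kind)."""
    if not state_is_safe(state):
        raise ValueError(f"invalid network state token: {state!r}")
    dfd = os.open(os.path.join(root, f"{state}.d"), os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    accepted = []
    try:
        for name in sorted(os.listdir(dfd)):
            try:
                fd = os.open(name, os.O_RDONLY | os.O_NOFOLLOW, dir_fd=dfd)
            except OSError:          # symlink (ELOOP) or file vanished: skip it
                continue
            try:
                st = os.fstat(fd)
                loose = st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
                if stat.S_ISREG(st.st_mode) and st.st_uid == owner_uid and not loose:
                    accepted.append(name)   # a runner would exec /proc/self/fd/<fd>
            finally:
                os.close(fd)
    finally:
        os.close(dfd)
    return accepted

def demo():
    """Constructed tree: sane script, group-writable script, outside symlink; caller's uid stands in for root."""
    root = tempfile.mkdtemp()
    hook_dir = os.path.join(root, "routable.d")
    os.mkdir(hook_dir)
    for name, mode in (("10-good", 0o755), ("20-loose", 0o775)):
        with open(os.path.join(hook_dir, name), "w") as f:
            f.write("#!/bin/sh\nexit 0\n")
        os.chmod(os.path.join(hook_dir, name), mode)
    os.symlink("/tmp/outside-the-tree", os.path.join(hook_dir, "30-link"))
    return {"escapes_root": not vulnerable_script_dir(root, "../../tmp/evil").startswith(root + os.sep),
            "accepted": vetted_scripts(root, "routable", owner_uid=os.getuid())}
```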

The researcher also found several processes running as the systemd-network user, which is allowed to use the bus name needed to run arbitrary code from writable locations.

Vulnerable processes include several gpgv plugins that run when apt-get is installed or updated, and the Erlang Port Mapper daemon, which allows arbitrary code to be run in some scripts.

The vulnerability in networkd-dispatcher was fixed, but it is not known when and in what version. Linux users are strongly advised to upgrade to the latest version.

Google Offers up to $91,000 for Linux Kernel Vulnerabilities (https://gridinsoft.com/blogs/google-offers-up-to-91000-for-linux-kernel-vulnerabilities/, Wed, 16 Feb 2022 22:58:56 +0000)
Google has almost doubled its rewards for vulnerabilities in the Linux kernel, Kubernetes, Google Kubernetes Engine (GKE), and kCTF. The reward can now be up to $91,337.

In November last year, Google had already increased the payouts: the company tripled rewards for exploits for previously unknown bugs in the Linux kernel. The idea was that researchers would discover new ways to exploit the kernel, in particular in relation to Kubernetes running in the cloud. At that time, researchers were asked to compromise the Google kCTF (Kubernetes Capture The Flag) cluster and capture a “flag” as part of the competition.

NOTE: Let me remind you that we wrote that Apple paid $100,000 for macOS camera and microphone hack, and also that Zerodium offers up to $400,000 for exploits for Microsoft Outlook.

Google reports that the bug-finding program has been a success, receiving nine reports in three months and disbursing more than $175,000 to researchers. During this time, five 0-day vulnerabilities and two exploits for fresh 1-day bugs were discovered. According to Google, thanks to the bug bounty, three of these issues have already been fixed and detailed, including CVE-2021-4154, CVE-2021-22600 (patch), and CVE-2022-0185 (report).

As a result, the program will be extended until at least the end of 2022, and will also undergo a number of changes. Whereas in November it was decided that experts would receive a reward of up to $50,337 for critical vulnerabilities (depending on the severity of the problem), the maximum reward has now been increased to $91,337.

The size of the payout depends on several factors: whether the problem found is a 0-day vulnerability, whether it requires unprivileged user namespaces, and whether it uses a new exploitation technique. Each of these points comes with a bonus of $20,000, which ultimately raises the payout for a working exploit to $91,337.

“These changes increase the cost of some 1-day exploits to $71,337 (up from $31,337 previously), and the maximum reward per exploit is now $91,337 (up from $50,337 previously),” Google reported.

Google analysts noticed that software vendors began to fix Zero-day vulnerabilities faster (https://gridinsoft.com/blogs/manufacturers-began-to-fix-zero-day-vulnerabilities-faster/, Tue, 15 Feb 2022 21:58:56 +0000)
Google Project Zero specialists presented a report according to which software vendors began to fix 0-day vulnerabilities faster: last year, organizations needed less time than in previous years to fix the 0-day vulnerabilities the team discovered.

On average, companies took 52 days to fix bugs, while three years ago they needed an average of 80 days. Thus, almost all vendors fixed the vulnerabilities within the industry standard of 90 days.

According to statistics collected for 2019-2021 and based on 376 zero-day vulnerabilities discovered by Google Project Zero experts, 26% of the problems related to Microsoft products, 23% to Apple and 16% to Google. That is, the three software giants accounted for 65% of all detected problems, which, according to the experts, reflects the complexity and volume of their software products, which inevitably have blind spots that even numerous security engineers miss.

Overall, the report named Linux, Mozilla, and Google as the best in terms of timely release of patches, while Oracle, Microsoft, and Samsung were named as the worst.

Recall, by the way, that we wrote that 0-day vulnerability remained unpatched for 2 years due to Microsoft bug bounty issues.

In the highly competitive field of mobile OS, iOS and Android go hand in hand: the former has an average bug fix time of 70 days, while the latter has 72 days.

In the browser category, Chrome outperforms all competitors with an average bug fix period of 29.9 days, while Firefox comes in second with 37.8 days. Apple, in third place, took twice as long to fix bugs in WebKit, taking an average of 72.7 days.

Google Project Zero experts explain:

In this analysis, WebKit is the black sheep with the longest time it takes to release patches, at 73 days. Patch release time [for WebKit] is somewhere in between Chrome and Firefox. Unfortunately, this leaves a lot of time for opportunistic attackers to find a patch and exploit for the problem before the fix is available to users.

You might also be interested in reading what Google says that a quarter of all 0-day vulnerabilities are new variations of old problems.

READ ALSO: Zero Day Attacks – How To Prevent Them? What does a zero day attack mean? Or is there a way to avoid this danger?

Atlassian Confluence vulnerability was exploited to install miners (https://gridinsoft.com/blogs/atlassian-confluence-vulnerability-was-exploited-to-install-miners/, Mon, 06 Sep 2021 16:23:02 +0000)
In late August, Atlassian released a hotfix for a Confluence Remote Code Execution (RCE) vulnerability.

The issue has ID CVE-2021-26084 and allows an unauthenticated attacker to remotely execute commands on a vulnerable server.

The issue is reported to affect all versions of Confluence Server and Data Center.

After the patch was released, the researcher who found the vulnerability presented a detailed description of it, attaching a PoC exploit to his report.

“Looking at the shell script it was clear that there were a few *.vm files that were modified with a bit of string match and replace which implied the vulnerability should lie somewhere inside them. We quickly grabbed the unpatched version (7.12.4) of Confluence Server, unzipped and to be just sure that we understood the patch correctly, we created a copy of the confluence server and applied the patch script on that copy,” said the researcher under the pseudonym rootxharsh.

The exploit, written in PHP, turned out to be easy to use and really does allow executing commands on the target server. Attackers can use it to upload other malware or web shells, or to launch programs on a vulnerable server.

Shortly after the publication of the report and the exploit, security experts began to report that both cybercriminals and information security researchers were actively scanning for vulnerable Confluence servers. For example, experts at Bad discovered that attackers from different countries were exploiting servers to download and run PowerShell and Linux shell scripts; in this way, hackers try to install miners on servers running Windows and Linux.

While the attacks currently mostly aim at mining cryptocurrency, the researchers warn that there is no reason attackers would not exploit this vulnerability for other purposes, including more sophisticated attacks. US Cyber Command has issued the same warning and expects the situation only to deteriorate:

“The massive exploitation of CVE-2021-26084 at Atlassian Confluence continues and [the rate of exploitation] is expected to accelerate. Please fix the vulnerability immediately, if you have not already done so, it will not wait until the end of the holidays,” Cyber Command representatives warned on Twitter ahead of Labor Day.

Let me also remind you that the Atlassian vulnerability was included in the list of 15 most attacked Linux vulnerabilities.
