SANS NewsBites

International Law Enforcement Operations Take Down Malware Dropper and Huge Botnet; Google Fixes Eighth Chrome Zero-day This Year

May 31, 2024  |  Volume XXVI - Issue #42

Top of the News


2024-05-30

Europol Led International Effort to Take Down Malware Dropper Infrastructure

An international law enforcement operation has disrupted the infrastructure for multiple malware droppers. Operation Endgame, as it has been named, involved searches at 16 locations, the shutdown of more than 100 servers, the seizure of more than 2,000 domains, and four arrests.

Editor's Note

So ends season one of Operation Endgame; season two promises to be exciting - but maybe not for everyone. The Endgame site includes a contact page if you wish to contribute information about suspects in their operation, as well as an ominous warning to think about (y)our next move with a 4.5-day countdown timer. As these sixteen organizations continue to work together to take out botnets and droppers, the implication is the contact link may not only be used to gather tips but also for criminals to self-report.

Lee Neely

It's a one-two punch from law enforcement in this installment of SANS NewsBites. First, the 911 S5 botnet is shuttered and now Operation Endgame. There are similarities between these two criminal enterprises - they used free software as bait, and both enabled the larger cybercriminal enterprise. Kudos to international law enforcement for the take-down.

Curtis Dukes

This is the first time I've seen an operation with commercials, trailers, seasons, or episodes. I'm not sure what that was about, but operation-endgame.com is kind of wild. It's trying to send a message to people who are young and online all the time not to do this.

Moses Frost

It is becoming clear that cyber law enforcement requires expensive coordination and cooperation but is both necessary and effective.

William Hugh Murray

2024-05-30

International Law Enforcement Effort Dismantles Largest Botnet Ever

An international law enforcement effort led by the US Department of Justice (DoJ) disrupted what FBI Director Christopher Wray has called likely the world's largest botnet ever. The operation is believed to have infected more than 19 million devices. One individual has been arrested for allegedly deploying malware as well as creating and operating a related residential proxy service known as 911 S5.

Editor's Note

The "911 S5" botnet was largely built by offering "free" VPN services, which provided the promised services while adding malware, often bundled with other products users were enticed to install. Wang monetized the botnet by selling access to the infected IP addresses. The botnet infected residential systems in nearly 200 countries and was used to facilitate everything from financial fraud and identity theft to child exploitation, including multiple schemes to bypass export controls to make fraudulent purchases or claims using in-country systems. The botnet closed down in July 2022 after being outed in a news story, only to re-emerge ten days later as "Cloud Router." Other brands used by this botnet include MaskVPN, DewVPN, PaladinVPN, Proxygate, Shield VPN and ShineVPN. If you think you may have been part of the botnet, follow the guidance on the FBI's 911-s5 site (https://www.fbi.gov/911S5) to identify, shut down and remove it from your system.

Lee Neely

The adage, 'nothing is free' seems appropriate here. Basically, the so-called free VPN service came at a cost. That is, it allowed unsuspecting user devices to be used as a proxy service. What's interesting is that Mr. Wang had been 'outed' almost two years ago - law enforcement works; it just takes a bit of time.

Curtis Dukes

2024-05-29

Google Patches Yet Another Chrome Zero-day

Google has updated Chrome to fix a zero-day type confusion vulnerability in the Chrome V8 JavaScript engine. This is the fourth Chrome zero-day that Google has addressed in May alone, and the eighth so far this year. On May 23, Google updated the Chrome stable channel to 125.0.6422.112/.113 for Windows and Mac, and 125.0.6422.112 for Linux, to address the flaw.

Editor's Note

Restart Google Chrome at least once a day, and check chrome://settings/help at least once a week to make sure that your version is up to date.

Johannes Ullrich

CVE-2024-52754, Chromium V8 Type Confusion flaw, has a CVSS 3 score of 8.8, and is in the NIST KEV catalog with a due date of June 18th. With the frequency of Chrome/Chromium updates, we're getting pretty good at making sure folks are updating their corporate browsers; don't forget to encourage folks to update their home systems as well, particularly if you're a BYOD shop.

Lee Neely

Chrome has been under the vulnerability microscope these past two years. Unless things change, Chrome will end the year well ahead of last year's record for zero-day vulnerabilities. As a reminder, get into the habit of closing your Chrome browser at the end of the day to enable auto-updates.

Curtis Dukes

The Rest of the Week's News


2024-05-30

Researchers Describe Incident that Bricked 600,000 SOHO Routers

Researchers from Lumen Technologies' Black Lotus Labs have published a report describing an event in October 2023 that bricked 600,000 small office/home office (SOHO) routers over a three-day period. All the affected routers were connected to a single autonomous system number (ASN) associated with an unnamed ISP. The researchers have identified a remote access Trojan (RAT) named Chalubo as the payload responsible for the bricking.

Editor's Note

This incident is odd and interesting for a number of reasons. First of all, it was not talked about much at all when it happened. At least I do not remember hearing about it. Secondly, there are few attacks that have "bricked" modems and routers in the past. Some Mirai variants attempted to, and were called "brickerbot" by some, but a simple reboot or worst case factory reset recovered the device. I can't wait to hear more details from the investigation to find out what the root cause was.

Johannes Ullrich

Recovery from Chalubo required hardware replacement of the SOHO routers as it likely corrupted their firmware. To protect SOHO routers, make sure that they are not reliant on default passwords, that management interfaces are not exposed to the internet, and that firmware is kept updated. If you're not seeing firmware updates, make sure you're still on a supported platform and the update services are properly configured.

Lee Neely

The malware in question here has some interesting properties, but I'm a bit lost on how the analysis works.

Moses Frost

SOHO Routers continue to be a risk. They require more management than they can be expected to get. However, "bricked" is better than being co-opted into botnets.

William Hugh Murray

2024-05-30

NIST Awards Contract to Help NVD with Incoming CVE Processing

The US National Institute of Standards and Technology (NIST) has chosen a contractor to provide additional processing support for incoming Common Vulnerabilities and Exposures (CVEs) for inclusion in the National Vulnerability Database. Additionally, NIST expects to clear the backlog of unprocessed CVEs by the end of the fiscal year with the help of the Cybersecurity and Infrastructure Security Agency (CISA).

Editor's Note

Good to hear that NIST is tackling this issue and is getting NVD back on track. The NVD database is one of these underappreciated critical building blocks of too many security programs and tools.

Johannes Ullrich

The ever-increasing volume of vulnerabilities which haven't been enriched (analyzed) is distressing when you're trying to assess vulnerabilities. This contract indicates that NIST is not only getting back on track, but also not handing over the reins of the NVD. Beyond this contract, they are also implementing automation to improve the process, with an expected date of September 2024 to be back on track. On top of that they are already ingesting CVE 5.0 and 5.1 formatted records hourly. They moved to the 5.0 JSON format back in November and started supporting 5.1 May 20th.

Lee Neely
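The "unenriched" backlog discussed above comes down to CVE JSON 5.x records that have been published but carry no CVSS metrics or CWE assignment. The following is an added example, not code from NIST, CISA or this newsletter, that flattens records in the CVE 5.1 document shape (cveMetadata plus the containers.cna and containers.adp blocks) and flags the ones still waiting on analysis. All record contents are constructed placeholders; the CVE IDs, vendors and products are not real.

```python
import json
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample records in the CVE JSON 5.1 shape. IDs, vendors, products
# and scores are placeholders invented for this example, not real CVE records.
SAMPLE_RECORDS = [
    # Fully enriched by the CNA: CVSS vector and CWE present.
    {"dataType": "CVE_RECORD", "dataVersion": "5.1",
     "cveMetadata": {"cveId": "CVE-0000-10001", "state": "PUBLISHED"},
     "containers": {"cna": {
         "affected": [{"vendor": "ExampleVendor", "product": "ExampleBrowser",
                       "versions": [{"version": "125.0", "status": "affected"}]}],
         "descriptions": [{"lang": "en", "value": "Type confusion in the JS engine."}],
         "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.8,
                      "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}}],
         "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-843",
                                             "description": "Type Confusion"}]}]}}},
    # Published but bare: no metrics, no CWE. This is the unenriched case.
    {"dataType": "CVE_RECORD", "dataVersion": "5.1",
     "cveMetadata": {"cveId": "CVE-0000-10002", "state": "PUBLISHED"},
     "containers": {"cna": {
         "affected": [{"vendor": "ExampleVendor", "product": "ExampleRouter",
                       "versions": [{"version": "2.3", "status": "affected"}]}],
         "descriptions": [{"lang": "en", "value": "Command injection in the admin UI."}]}}},
    # Bare CNA block, but an ADP (Authorized Data Publisher) block supplies the enrichment.
    {"dataType": "CVE_RECORD", "dataVersion": "5.1",
     "cveMetadata": {"cveId": "CVE-0000-10003", "state": "PUBLISHED"},
     "containers": {
         "cna": {"affected": [{"vendor": "ExampleVendor", "product": "ExamplePortal",
                               "versions": [{"version": "4.1", "status": "affected"}]}],
                 "descriptions": [{"lang": "en", "value": "Reflected XSS in search."}]},
         "adp": [{"metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.5,
                               "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}}],
                  "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-79",
                                                      "description": "XSS"}]}]}]}},
    # Rejected record: never needs enrichment.
    {"dataType": "CVE_RECORD", "dataVersion": "5.0",
     "cveMetadata": {"cveId": "CVE-0000-10004", "state": "REJECTED"},
     "containers": {"cna": {"rejectedReasons": [{"lang": "en", "value": "Duplicate."}]}}},
]

# Preferred order when a record carries several CVSS versions.
_CVSS_KEYS = ("cvssV4_0", "cvssV3_1", "cvssV3_0", "cvssV2_0")


@dataclass
class CveSummary:
    cve_id: str
    state: str
    base_score: Optional[float]
    cwe_ids: List[str]
    affected_products: int


def summarize(record: dict) -> CveSummary:
    """Flatten one CVE 5.x record, merging the CNA block with any ADP blocks."""
    if record.get("dataType") != "CVE_RECORD":
        raise ValueError("not a CVE_RECORD document")
    meta = record["cveMetadata"]
    containers = record.get("containers", {})
    blocks = [containers.get("cna", {})] + list(containers.get("adp", []))
    base_score: Optional[float] = None
    cwe_ids: List[str] = []
    for block in blocks:
        for metric in block.get("metrics", []):
            for key in _CVSS_KEYS:
                if base_score is None and key in metric and "baseScore" in metric[key]:
                    base_score = float(metric[key]["baseScore"])
        for problem in block.get("problemTypes", []):
            for desc in problem.get("descriptions", []):
                cwe = desc.get("cweId")
                if cwe and cwe not in cwe_ids:
                    cwe_ids.append(cwe)
    affected = sum(len(block.get("affected", [])) for block in blocks)
    return CveSummary(meta["cveId"], meta.get("state", "UNKNOWN"), base_score, cwe_ids, affected)


def needs_enrichment(summary: CveSummary) -> bool:
    """Published records with no CVSS score or no CWE are the ones waiting on analysis."""
    return summary.state == "PUBLISHED" and (summary.base_score is None or not summary.cwe_ids)


def triage(records) -> List[str]:
    """Return the IDs of records an analyst still has to enrich."""
    return [s.cve_id for s in map(summarize, records) if needs_enrichment(s)]


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_RECORDS)))
```

The point of merging the ADP blocks is that a record whose CNA entry looks bare may already carry CVSS and CWE data from an enrichment publisher; counting it as backlog would overstate the problem. Feed real records by loading each JSON file into a dict and passing the list to triage().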

2024-05-29

Internet Archive and Wayback Machine Experiencing DDoS Attack

The Internet Archive and their Wayback Machine are dealing with a distributed denial-of-service (DDoS) attack that began on Sunday, May 26. Since then, service has been inconsistent; the Internet Archive is taking steps to harden their defenses.

Editor's Note

On the one hand, the Internet Archive is being sued by the publishing and recording industries for copyright infringement, while on the other hand they are victim to an intense DDoS attack. The archive includes the Wayback Machine, which holds the history of over 866 billion web pages. While the technical problem of shoring up defenses to survive the attack will succeed, the lawsuits may put them under. Make sure you're prepared to separate and delegate technical and legal problems to support staff moving forward to deliver services to customers who are largely unaware of either.

Lee Neely

2024-05-29

Seattle Library Systems Disrupted by Ransomware Attack

On Saturday, May 25, the Seattle Public Library became aware of a ransomware event affecting [their] technology systems. As of Wednesday morning, the library's website and some of their digital services were available. Wi-Fi, printing services, public computers, e-book access, and the loaning system were unavailable.

Editor's Note

Libraries continue to be a target for attackers. Seattle has restored their online services, although some applications may need to be refreshed or reloaded to synchronize with the service's data. Their ability to loan print books and other physical material continues, though you should bring your physical library card. A good example of highlighting services that can continue despite the recovery efforts and offline services.

Lee Neely

2024-05-28

Christie's Says Attackers Compromised Data

Christie's auction house has confirmed data were stolen in a cybersecurity event disclosed earlier this month. The incident disrupted the availability of Christie's online bidding system. Christie's announcement follows threats from a ransomware group that they would leak the stolen data if the ransom demand were not paid.

Editor's Note

This attack serves as a good reminder that businesses have a responsibility in protecting client data. Often that data is considered PII and likely results in a violation of various data privacy laws. Organizations should revisit their data policies with an eye towards minimal retention of client data.

Curtis Dukes

The RansomHub gang is taking credit for the attack, and they have now entered the "taunting" phase of negotiations as Christie's is determined to not pay a ransom/extortion fee. Christie's states there was a limited amount of personal data about some customers accessed, and no financial data was compromised. They are in the process of notifying regulators, agencies and affected clients.

Lee Neely

2024-05-28

SAV-RX Notifying Customers Months After Breach

Sav-Rx Prescription Services has begun notifying 2.8 million customers that their data were compromised in a cybersecurity incident last fall. The breach took place in early October 2023. Sav-Rx said that the intruders accessed non-clinical systems and exfiltrated data. Sav-Rx is a subsidiary of A&A Services.

Editor's Note

Ugh, eight months to notify customers that their PII had likely been pilfered. Simply put, that's not reasonable even if there were assurances [assume from the ransomware gang] that the data acquired was destroyed and not further disseminated. I guess the good news in all of this is that SAV-RX has NOW instituted a patching cycle and network segmentation.

Curtis Dukes

While the breach happened in October, investigation/restoration wasn't completed until April 30th, after which notifications started. In today's climate eight months is far too long to delay customer notifications. Work with your parties to line up not only response scenarios, but also timelines which include timely notifications. This is not only a matter of customer expectations; regulators are closing the timelines for reporting a material breach as well.

Lee Neely

2024-05-30

BBC Data Breach Compromised Employee Data

The BBC has notified more than 25,000 current and former employees that their personal information was compromised when cyber intruders accessed a database holding information related to a BBC Pension Scheme. The cloud-hosted database did not contain financial information or access credentials. The BBC's information security team detected the intrusion on May 21.

Editor's Note

The BBC states the information included personal information of some pension members including names, National Insurance numbers, and dates of birth. The action here is to make sure that you're validating access control on cloud or externally facing storage systems for configuration drift. Better you find and correct than have your incident response team or a malicious actor notify you.

Lee Neely
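The note above recommends checking cloud or externally facing storage for access-control configuration drift. As an added example, not code from the BBC or from this newsletter, the following audits a storage bucket's policy and public-access settings against an approved baseline, using the AWS S3 bucket-policy and Public Access Block document shapes as the assumed format. The baseline, the "current" state, the bucket name and the account ID are all constructed placeholders; in practice the current state would be pulled from the cloud provider's API on a schedule and the findings routed to the owning team.

```python
import json
from typing import Dict, List

# Constructed baseline: one role may read objects; nothing public. Account ID and
# bucket name are placeholders invented for this example.
BASELINE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PensionAppRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::000000000000:role/pension-app"},
         "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-pension-data/*"},
    ],
}
BASELINE_ACCESS_BLOCK = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                         "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

# Constructed drifted state: a wildcard-principal statement was added and two
# public-access-block settings were switched off to make it take effect.
CURRENT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        BASELINE_POLICY["Statement"][0],
        {"Sid": "TempShare", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-pension-data/*"},
    ],
}
CURRENT_ACCESS_BLOCK = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                        "BlockPublicPolicy": False, "RestrictPublicBuckets": False}


def is_public_principal(principal) -> bool:
    """True for the anonymous principal in either of its policy spellings."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        values = aws if isinstance(aws, list) else [aws]
        return any(v == "*" for v in values)
    return False


def public_statements(policy: dict) -> List[str]:
    """Sids of Allow statements open to anyone and not narrowed by a Condition."""
    return [s.get("Sid", "<no Sid>") for s in policy.get("Statement", [])
            if s.get("Effect") == "Allow"
            and is_public_principal(s.get("Principal"))
            and not s.get("Condition")]


def _index(policy: dict) -> Dict[str, str]:
    # Key each statement by Sid (or its canonical JSON when it has none) so
    # additions, removals and edits can be told apart.
    out = {}
    for stmt in policy.get("Statement", []):
        canonical = json.dumps(stmt, sort_keys=True)
        out[stmt.get("Sid") or canonical] = canonical
    return out


def policy_drift(baseline: dict, current: dict) -> List[str]:
    findings = []
    base, cur = _index(baseline), _index(current)
    for sid in sorted(cur.keys() - base.keys()):
        findings.append(f"added statement {sid!r} not in baseline")
    for sid in sorted(base.keys() - cur.keys()):
        findings.append(f"baseline statement {sid!r} removed")
    for sid in sorted(base.keys() & cur.keys()):
        if base[sid] != cur[sid]:
            findings.append(f"statement {sid!r} modified")
    for sid in public_statements(current):
        findings.append(f"statement {sid!r} allows a public principal")
    return findings


def access_block_drift(baseline: dict, current: dict) -> List[str]:
    return [f"{key} changed {baseline[key]} -> {current.get(key)}"
            for key in baseline if current.get(key) != baseline[key]]


def audit(baseline_policy, current_policy, baseline_block, current_block) -> List[str]:
    """All findings for one bucket; an empty list means no drift from baseline."""
    return policy_drift(baseline_policy, current_policy) + \
        access_block_drift(baseline_block, current_block)


if __name__ == "__main__":
    for line in audit(BASELINE_POLICY, CURRENT_POLICY,
                      BASELINE_ACCESS_BLOCK, CURRENT_ACCESS_BLOCK):
        print(line)
```

Two checks run independently on purpose: a public-principal statement is reported even when it is also an addition, because an approved baseline could itself contain one, and the access-block comparison catches the common case where a policy is unchanged but the guard rails around it were relaxed.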

2024-05-30

Check Point Offers Hotfixes for Actively Exploited Flaw in Security Gateways

Check Point has acknowledged that a zero-day information exposure vulnerability in their Check Point Security Gateways is being actively exploited. Check Point released hotfixes for the issue earlier this week. Researchers at Watchtowr did a deep dive into the issue.

Editor's Note

CVE-2024-24919 has a CVSS 3.0 score of 8.6 and, given that this flaw is extremely easy to exploit, I would skip straight to verifying vulnerable devices and then deploying the hotfix; it will take 5-10 minutes to deploy and requires you to reboot the security gateway. Check Point has a script "check-for-CVED-2024-24919.sh" you can run on your security management server to identify vulnerable gateways. After you've deployed the hotfix, you need to take additional steps including changing local passwords and regenerating HTTPS and SSH certificates.

Lee Neely

My understanding of the current risk profile is social engineering, old but un-patched vulnerabilities, with newly discovered vulnerabilities running a distant third. Patching is taking months, not hours or days. While vendors get points for responsibility for quick fixes, they have little impact on global risk.

William Hugh Murray

Internet Storm Center Tech Corner

Is that It? Finding the Unknown: Correlations Between Honeypot Logs and PCAPs

https://isc.sans.edu/diary/Is+that+It+Finding+the+Unknown+Correlations+Between+Honeypot+Logs+PCAPs+Guest+Diary/30962

Files with TGZ Extension used as malspam attachments

https://isc.sans.edu/diary/Files+with+TXZ+extension+used+as+malspam+attachments/30958

Feeding MISP with OSSEC

https://isc.sans.edu/diary/Feeding+MISP+with+OSSEC/30968

Michael Dunkin: Detecting Cypher Injection with Open-Source Network Intrusion Detection

https://www.sans.edu/cyber-research/detecting-cypher-injection-with-open-source-network-intrusion-detection/

Checkpoint VPN

https://labs.watchtowr.com/check-point-wrong-check-point-cve-2024-24919/

Checkpoint warns of password bruteforcing

https://blog.checkpoint.com/security/enhance-your-vpn-security-posture?campaign=checkpoint&eid=guvrs&advisory=1

Checkpoint 0-Day

https://blog.checkpoint.com/security/enhance-your-vpn-security-posture

The Pumpkin Eclipse

https://blog.lumen.com/the-pumpkin-eclipse/

Preventing SQL Injection with Python

https://www.youtube.com/watch?v=1cQy9N1Xndk

ShrinkLocker: Turning BitLocker into ransomware

https://securelist.com/ransomware-abuses-bitlocker/112643/

iconv buffer overflow PoC 2024-2961

https://github.com/ambionics/cnext-exploits/

PoC Exploit for CVE-2024-23108 in Fortinet FortiSIEM

https://www.horizon3.ai/attack-research/cve-2024-23108-fortinet-fortisiem-2nd-order-command-injection-deep-dive/

PoC for Apple Priv. Escalation bug CVE-2024-27842

https://github.com/wangtielei/POCs/tree/main/CVE-2024-27842

Google 0-Day

https://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_23.html

Google Stops Trusting Globaltrust CA

https://groups.google.com/a/ccadb.org/g/public/c/wRs-zec8w7k/m/G_9QprJ2AQAJ

Okta warns of Credential Stuffing Against Customer Identity Cloud

https://sec.okta.com/articles/2024/05/detecting-cross-origin-authentication-credential-stuffing-attacks

Brute Forcing Old Bitcoin Wallet Password

https://www.youtube.com/watch?v=o5IySpAkThg