Cybercriminals are targeting Linux-based servers running Microsoft’s Azure public cloud environment that are vulnerable to flaws after Microsoft didn’t automatically apply a patch on affected clients in its infrastructure.

Recorded Future reports that the attacks began the night of Sept. 16 after a exploit proof-of-concept was published on GitHub. It was noted that about 10 malicious bot servers have been searching the internet for vulnerable systems. In addition, Cado Security researchers in a blog post also noted a tweet from cybersecurity researcher German Fernandez, who found that the infamous DDoS Mirai botnet – known for taking advantage of insecure Internet of Things (IoT) devices – also is exploiting OMIGOD.

The flaws include CVE-2021-38647, which is a remote code execution bug, and three privileged escalation vulnerabilities: CVE-2021-8648, CVE-2021-38645 and CVE-2021-38649. Ohfeld wrote that the researchers offered a conservative estimate that thousands of Azure customers and millions of endpoints are impacted by the flaws.

“Supply chain cyber attacks have disrupted everyday life and dominated headlines this year,” he wrote. “One of the biggest challenges in preventing them is that our digital supply chain is not transparent. If you don’t know what’s hidden in the services and products you use every day, how can you manage the risk?”

Microsoft was quick to issue fixes to the four vulnerabilities in its September release of security updates, and the vulnerabilities put a spotlight on the risk to supply chains that Microsoft open-source code represents, particularly for organizations using cloud computing services since Microsoft let go its Beta testing teams and community Beta testers that used to volunteer their time.

With OMIGOD, the issue relates to the app called Open Management Infrastructure (OMI), which is embedded in many Azure services and is sponsored by Microsoft open-source OMI project in collaboration with The Open Group.

When users enable any of these popular services, OMI is silently installed on their Virtual Machine by Azure, running at the highest privileges possible. This happens without customers’ explicit consent or knowledge. Users simply click agree to log collection during setup and they have unknowingly opted in to the Microsoft application. Because Azure provides virtually no public documentation about OMI, most customers have never heard of it and are unaware that this attack surface exists in their environment.

The OMI agent operates as root (the highest privileges any users can have) and with it using a Unix socket or through an HTTP API has unlimited control. In Linux, and Unix based environments, the use of Root for any application is discouraged, and this should be the Microsoft default as well, especially when the app is exposed to internet access, but it is not the case as OMI shows. With OMI being so poorly implemented bad actors can easily gain control of the servers.

“This vulnerability can be also used by attackers to obtain initial access to a target Azure environment and then move laterally within it,” Ohfeld wrote in a technical blog. Thus, an exposed port with such access privilege's is a holy grail for malicious attackers, and with OMI, one simple exploit provides attackers with access to new targets, execute commands at the highest privileges, and possibly spread exponentially to new target machines.

Recorded Future noted that Microsoft addressed the bug by developing version 1.6.8.1 of the OMI client and releasing it on GitHub, but didn’t automatically install the update on OMI clients in its infrastructure, essentially leaving tens of thousands of servers vulnerable. The company also took three days to replace the OMI client version inside its available Azure Linux VM images.

The cybersecurity firm said a query on the Shodan search engine found more than 15,600 Azure Linux servers connected to the internet, all with possible exposure, and these are just the ones known.

Recommendations

1. Immediately implementing the OMI patch.
2. Remove it if it is unneeded
3. Check and confirm all applications exposed to the internet
4. Scan and check all server files, access controls, ports and privilege's as well as check your user accounts and groups.

A targeted campaign delivering the ZLoader banking trojan is spreading via Google AdWords, and is using a mechanism to disable all Windows Defender modules on victim machines. According to SentinelLabs, hackers are lowering rates of detection by using an infection chain for the campaign that also includes the use of a signed dropper with a backdoored version of the Windows utility wextract.exe to embed the ZLoader payload itself.

ZLoader is not new, but tis exploit addition is. It has been noted as typical a banking trojan which implements web injection to steal cookies, passwords and any sensitive information. It attacks users of financial institutions all over the world and has also been used to deliver ransomware families like Egregor and Ryuk. It also provides backdoor capabilities and acts as a generic loader to deliver other forms of malware.

ZLoader Infection Chain Starts with Google AdWords To target victims, the malware is spread from a fake Google advertisement (published through Google AdWords) for various software; the lures include Discord, Java plugins, Microsoft’s TeamViewer and Zoom.

For example, when someone Googles “Team Viewer download” a fake advert appears in AdWords (advert has already been taken down, but it does indicate that diligence is need to make sure the URL and company is correct for any downloads), an advertisement shown by Google on the search engine, that redirects the clicker to a fake TeamViewer site under the attacker’s control. From there, the user can be tricked into downloading a fake installer in a signed MSI format. Current versions have a signed timestamp of Aug. 23, but this is likely to change as it is exposed.

SentinelLabs advise that “It appears that the cybercriminals managed to obtain a valid certificate issued by Flyintellect Inc., a Software company in Brampton, Canada”; “[t]he company was registered on 29 June 2021, suggesting that the threat actor possibly registered the company for the purpose of obtaining those certificates”.

Bypassing and disabling Windows Defender check The downloaded and legitimately signed .MSI file is of course not an installer for legitimate software, but is rather the first-stage dropper for the malware. It runs an installation wizard that creates the following directory: C:Program Files (x86)Sun Technology NetworkOracle Java SE, and saves a .BAT file appropriately called “setup.bat” and then executes the built-in Windows cmd.exe function to execute that file. Users often see the flash of a cmd prompt as Microsoft often use it during windows updates, so do not suspect anything. The executed .BAT then begins stage two and downloads a second-stage dropper that initiates the third stage of infection by executing a script called “updatescript.bat”.

The third stage dropper contains logic impairment to shutdown defenses of the machine by disabling all the Windows Defender modules through the PowerShell cmdlet Set-MpPreference. It then adds exclusions, such as regsvr32, *.exe, *.dll, with the cmdlet Add-MpPreference to hide all the components of the malware from Windows Defender.

Once completed, stage four is executed with the download of the .EXE from URL (hxxxURL://pornofilmspremium.com/tim.exe) which is saved and executed through the Windows explorer.exe function.

At this point the attacker is able to break the parent/child correlation often used by endpoint detection and response (EDRs). As the The tim.exe binary is actually a backdoored version of the legitimate Windows utility wextract.exe but with the hackers additional code, hackers can now legitimately execute the malicious batch file with the name “tim.bat” that runs a short script to download the final ZLoader DLL payload, with the name tim.dll. This final payload is executed using the legitimate Windows function regsvr32, which allows the attackers to proxy the execution of the DLL through a signed binary by Microsoft and execute the functions to exploit the machine.

Tim.bat also downloads another script, called “nsudo.bat” to perform multiple operations to elevate privileges on the system and impair defenses as follows:

1. It checks if the current context of execution is privileged by verifying the access to the SYSTEM hive.
2. It implements an auto elevation VBScript that aims to run an elevated process in order to make system changes.

The snippet of the script in charge of the UACPrompt feature is as follows:

:UACPrompt
  echo Set UAC = CreateObject^("Shell.Application"^) > "%temp%getadmin.vbs"
  set params = %*:"="
  echo UAC.ShellExecute "cmd.exe", "/c %~s0 %params%", "", "runas", 1 >> "%temp%getadmin.vbs"
"%temp%getadmin.vbs"
  del "%temp%getadmin.vbs"
  exit /B

3. Once the elevation occurs, the script is run with elevated privileges to perform the steps of disabling Windows Defender on a persistent basis by making sure that the “WinDefend” service is deleted at the next boot through the utility NSudo, and completely disables Microsoft’s User Account Control (UAC) security.

The nsudo.bat script also completely disables UAC by setting the following registry key to 0 (zero):

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionPoliciesSystemEnableLUA

4. After executing these functions it forces a system restart, so that the changes take place and users are unaware.

The purpose of the exploits is to tie the machine into the botnet for bitcoin mining and other operations including DDos attack's as the following extract of DDos URL's show:

@https://commerzbank.de @https://.de//entry* @https://.de/banking-/portal?* @https://.de/banking-/portal;* @https://.de/portal/portal @https://.de/privatkunden/ @https://.deabmelden* @https://.de/de/home @https://.de/en/home @https://.de/fi/home @https://banking.sparda.de @https://banking.sparda- @https://banking.sparda.de/wps/loggedout.jsp @https://meine.deutsche-bank.de/trxm/db* @https://banking.berliner-bank.de/trxm* @https://meine.norisbank.de/trxm/noris @https://targobank.de @https://banking4.anz.com/IBAU/BANKAWAY @https://banking.westpac.com.au/ @https://www1.my.commbank.com.au/netbank/Portfolio/Home/ @https://ibanking.stgeorge.com.au/ibank/ @https://ibanking.banksa.com.au/ibank/ @https://ibanking.bankofmelbourne.com.au/ibank/ @https://online.macquarie.com.au/ @https://ob.cua.com.au/ib/ @https://banking.bendigobank.com.au/banking @https://internetbanking.suncorpbank.com.au/ @https://www.ing.com.au/securebanking/ @https://ib.nab.com.au/ @https://online.beyondbank.com.au/ @https://ib.greater.com.au @www.independentreserve.com @www.coinspot.com.au

Google advise that if you come across any advert that redirects you should report it via the following:

https://support.google.com/google-ads/contact/vio_other_aw_policy https://safebrowsing.google.com/safebrowsing/report_phish/

Recommendations

1. At all time use an adblocker software to aid in disruption of this exploit.

I realize Google will not be happy about this, but until the system is fixed from such exploits, it is better to be safe. Google should consider formal verification, not just address location verification for advertisers. Perhaps verifying and monitoring advertising URLS may also be something they should consider?

2. Do not click on ads. Manually go to the advertisers company rather than clicking on the advert.

Again Google will be unhappy as this is their revenue source. But until its fixed, and confirmed safe, AdWords is currently just another tool in the hackers toolbox

3. Verify the domain name and download link before clicking on a URL. Don't assume it is correct.

What is it? Spook.js is a new transient execution side channel attack which targets the Chrome web browser. We show that despite Google's attempts to mitigate Spectre by deploying Strict Site Isolation, information extraction via malicious JavaScript code is still possible in some cases.

In more detail, Spook.js is a fresh side channel attack that works on modern hardware to overcome Google Chrome/Chromium based browsers Site Isolation Protections. The purpose of the aforementioned protections is to prevent each browser tab from being able to see each others memory/storage allocation.

The reason that this is an issue is for example if you are doing something sensitive in one tab, like managing your bank account online, and a separate tab and/or windows you have a different site open that is infected with the spook.js vulnerability. the infected page can potentially read the information from the other tab, such as your banking page.

More specifically, an attacker-controlled webpage can know which other pages from the same websites a user is currently browsing, retrieve sensitive information from these pages, and even recover login credentials (e.g., username and password), especially when they are autofilled. Further the attacker can retrieve data from Chrome extensions (such as credential managers) if a user installs/executes a malicious extension (say when accessing a website with the exploit active).

Spook.js Demo 1 - Attacking Credential Managers

The underlying vulnerability spook.js exploits though is a previously revealed and currently unresolved hardware issue with all modern CPUs dating back at least 10-15 years ago or so. All CPUs come with a task scheduler that attempts to predict what tasks to run when. if manipulated, said task scheduler can be exploited by using timed attacks on the scheduler to determine what's in memory at the time of the attack.

While this sounds scary, it just means that when browsing sites of a sensitive nature it should be the only tab open on the PC on any chromium browser as long as the sensitive site is open.

This affects all forms of chromium browsers: MS Edge, Opera, Chrome, and others using the chromium code.

Current protection may exist in: Firefox, however, great caution should be used as further testing is on going to confirm, as the advanced settings show mitigation not a fix. So we recommend that the same recommendations below should be used in Firefox also.

Web developers can protect their sites against this exploit, but it is unclear as to when everyone will update the code, and there is no way to confirm if it has been done, so it is best to protect rathe than risk.

The exploit exist on both desktop and mobile devices, so you are not protected just by using your phone.

Recommendations

Be sure your browser is fully patched. Then follow these rules when using any browser.

1. Close all browsers to a clean start (as chrome stays active in the background if not fully closed, this is a must) when using anything that requires login information to your sensitive data (office file systems, banking, etc).
2. Do not open any other tab or browser while working in the risk sensitive environment
3. Close the browser when finished and start a fresh browser for research (being sure to close it if you need to access secure resources).
4. Disable autofill, and remove all autofill usernames and passwords.

BadAlloc is the name for a related group of RTOS (Real Time Operating System) vulnerabilities that target 25 platforms, with 23 related vulnerabilities. The result of the vulnerability being exploited varies based upon the target device/platform, but can vary from high hardware usage, limiting the operations of said affected device, to device firmware crashes and reboots. The vulnerability exploits a flaw in memory allocation within the device to achieve the above fault.

The error occurs in a range of IoT and ROT devices as well as Blackberry devices used in maritime and other government operations. A remote attacker could exploit CVE-2021-22156 to cause a denial-of-service condition or execute arbitrary code on affected devices, and in our review on the dark web, has been linked to malware designed to connect additional CPU power to bitcoin mining.

The issue was discovered in April 2021, but many devices still remain unpatched after the August 17 report at Cert USA. Many of the devices unpatched have mitigation responses that recommend to isolate the unit from the internet or simply take it offline until a patch is released or it is replaced.

Cert USA states:

• Apply available vendor updates.
• Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
• Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
• When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available.
• Also recognize VPN is only as secure as its connected devices.

We would add:

1. Replace the device if possible
2. IoT devices with this vulnerability have been linked to exploit attacks for bitcoin malware, and care should be taken to reset the device to factory defaults once secured to be absolutely sure the system is clean.

This discovery has been credited by CISA to David Atch, Omri Ben Bassat, and Tamir Ariel from Microsoft Section 52.

Here is a listing of the affected operating systems and their status:

Amazon FreeRTOS, Version 10.4.1 Update available

Apache Nuttx OS, Version 9.1.0 Update available

ARM CMSIS-RTOS2, versions prior to 2.1.3 Update in progress

ARM Mbed OS, Version 6.3.0 Update available

ARM mbed-ualloc, Version 1.3.0 no longer supported and no fix will be issued

BlackBerry QNX SDP Versions 6.5.0 SP1 and earlier Update available

BlackBerry QNX OS for Safety Versions 1.0.1 and earlier safety products compliant with IEC 61508 and/or ISO 26262 Update available

BlackBerry QNX OS for Medical Versions 1.1 and earlier safety products compliant with IEC 62304 Update available

Cesanta Software Mongoose OS, v2.17.0 Update available

eCosCentric eCosPro RTOS, Versions 2.0.1 through 4.5.3 Update available

Google Cloud IoT Device SDK, Version 1.0.2 Update available

Media Tek LinkIt SDK, versions prior to 4.6.1 Vendor will directly provide the fix, fix not available for free users

Micrium OS, Versions 5.10.1 and prior Update available

Micrium uC/OS: uC/LIB Versions 1.38.xx, Version 1.39.00 Update available

NXP MCUXpresso SDK, versions prior to 2.8.2 Update available

NXP MQX, Versions 5.1 and prior Update available

Redhat newlib, versions prior to 4.0.0 Update available

RIOT OS, Version 2020.01.1 Update available

Samsung Tizen RT RTOS, versions prior 3.0.GBB Update available

TencentOS-tiny, Version 3.1.0 Update available

Texas Instruments CC32XX, versions prior to 4.40.00.07 Update available

Texas Instruments SimpleLink MSP432E4XX Update available

Texas Instruments SimpleLink-CC13XX, versions prior to 4.40.00 Update available

Texas Instruments SimpleLink-CC26XX, versions prior to 4.40.00 Update available

Texas Instruments SimpleLink-CC32XX, versions prior to 4.10.03 Update available

Texas Instruments SimpleLink MSP432E4 No update currently planned

Uclibc-NG, versions prior to 1.0.36 Update available

Windriver VxWorks, prior to 7.0 Update in progress

Zephyr Project RTOS, versions prior to 2.5 Update available

HAProxy is a free to use server load balancing application or software addon. JFrog Security reported on September 7 2021, that a vulnerability in an Integer Overflow existed in versions 2.0 through 2.5 in the htx_add_header() and htx_add_trailer() due to a missing length check on the header name that makes it possible for an attacker to bypass all configured http-request HAProxy ACLs, and possibly other ACLs, to conduct an HTTP Request Smuggling attack. This attack allows an adversary to “smuggle” HTTP requests to the backend server, without the proxy server being aware of it.

The smuggled requests have various impacts, depending on HAProxy’s configuration and the backend web server configuration. It is reported that the execution of the vulnerability can or may:

• Bypass security controls, including any ACLs defined in HAProxy
• Gain unauthorized access to sensitive data
• Execute unauthorized commands or modifying data
• Hijack user sessions
• Exploit a reflected XSS vulnerability without user interaction

HTTP Request smuggling is based on interfering with the processing of HTTP requests between the frontend (i.e. HAProxy on a router) and the backend (being the server hosting the destination). An attacker typically exploits this technique by sending a specially crafted request that includes an additional request in its body. During a successful attack, the inner request is smuggled through the frontend, that considers it as only the request’s body, but in fact consist of an additional function hidden to the HAproxy frontend and is executed as a normal request by the backend.

In most cases, the smuggling technique is done by supplying both the Content-Length and Transfer-Encoding headers with contradicting lengths in the same request and aiming for parsing inconsistencies between the frontend and backend servers. In the original authors case, however, the attack was made possible by utilizing an integer overflow vulnerability that allowed reaching an unexpected state in HAProxy while parsing an HTTP request – specifically – in the logic that deals with Content-Length headers.

An important enabler condition that makes this class of attacks possible is that when the frontend server forwards HTTP requests to the backend, it uses the same established TCP connection instead of wasting time on opening and closing sockets. The requests are sent "back to back" and it is up to the backend server to decide where a request ends and the next one begins.

In our testing, the function can be protected against if the parse then reaches a server properly configured. However, where the server is a direct connection, ie no properly configured Apache or NGNIX, a direct Microsoft server port, then the execution is still possible.

As advised by HAProxy, the best solution is to upgrade to version 2.0.25, 2.2.17, 2.3.14 or 2.4.4 CVE-2021-40346, which provides a patch for such activity by adding size checks for the name and value lengths.

However, for security reasons HTTP traffic should by default be redirected to HTTPS, even if that needs to be done on the end server. This redirect will assist to remove the hidden execution where the patch above cannot be applied.

Recommendations If HAproxy cannot be immediately upgraded, HAProxy should have port 80 added as a https-redirect to rule "scheme https", or in the alternative, when accessing the end server, Apache or NGNIX redirect to HTTPS.

Where HAproxy cannot be upgraded at all, and a Https redirect is also not possible, due to say, vender firmware, the end server should be removed from HAProxy and the port dedicated in its connection to the end server until the hardware containing the firmware can be replaced. Even if this means web redetecting for clients.