This Week in Cyber 04 August 2023

Uncovered P2PInfect Worm Attacks Redis Servers Using Previously Unknown Breach Techniques

The P2PInfect peer-to-peer (P2) worm has been observed employing previously undocumented methods to breach vulnerable Redis servers and form a botnet. Researchers from Cado Security reported that the malware compromises Redis instances by exploiting the replication feature, using the SLAVEOF command to enable replication on exposed Redis servers. Initially documented by Palo Alto Networks Unit 42, the Rust-based malware exploits a critical Lua sandbox escape vulnerability (CVE-2022-0543) to gain a foothold into Redis instances. The campaign is believed to have started on or after June 29, 2023. However, the latest discovery reveals that the threat actors are leveraging multiple exploits for initial access. The malware establishes a peer-to-peer botnet, treating each infected server as a node that connects to others, avoiding reliance on a centralized C2 server. It exhibits worming behaviour, expanding its reach by brute-forcing SSH servers and exploiting the Lua sandbox escape vulnerability or the SLAVEOF command for Redis servers. Upon successful breach, the malware deploys next-stage payloads, allowing it to modify iptables firewall rules, self-upgrade, and potentially deploy cryptocurrency miners once the botnet reaches a certain size. The identity and motive of the threat actors remain unknown, and the purpose of P2PInfect is unclear as it does not align with known cryptojacking groups. The researchers noted that P2PInfect is well-designed, utilizing sophisticated replication and C2 techniques. The use of Rust enhances code portability across platforms while making static code analysis more challenging.

Exploitation of Windows Search Feature by Hackers for Remote Access Trojans Installation

Unknown malicious actors are exploiting a legitimate Windows search feature to compromise targeted systems using remote access trojans. The attack technique revolves around the "search-ms:" URI protocol handler, which enables custom local searches, and the "search:" application protocol on Windows. The attacker’s direct users to websites that exploit the "search-ms" functionality using JavaScript, which triggers searches on attacker-controlled servers. The attackers create deceptive emails with hyperlinks or HTML attachments redirecting users to compromised websites. When users click on the links, they receive a warning asking to open Windows Explorer. If approved, the search results display remotely hosted malicious shortcut files disguised as trustworthy icons. This technique conceals the fact that users are accessing remote files, leading them to unknowingly execute malicious code. Clicking on one of the shortcut files executes a rogue dynamic-link library (DLL) using the "regsvr32.exe" utility. Alternatively, shortcut files run PowerShell scripts that download additional payloads while displaying a decoy PDF document to deceive victims. The infections result in the installation of the AsyncRAT and Remcos RAT, allowing threat actors to take remote control of hosts, steal sensitive information, and sell access to other attackers. As Microsoft tightens security on various initial access vectors, attackers may increasingly exploit the URI protocol handler method to evade traditional security defences and distribute malware. To avoid falling victim to such attacks, users should refrain from clicking on suspicious URLs or downloading files from unknown sources.

Critical Vulnerability Uncovered in Metabase Business Intelligence Software - Immediate Update Essential

Metabase, a widely used business intelligence and data visualization software, has encountered a critical security flaw that could potentially lead to pre-authenticated remote code execution on affected installations. Users of Metabase are urged to update to the latest version as a precautionary measure. The vulnerability, tracked as CVE-2023-38646, impacts open-source editions earlier than 0.46.6.1 and Metabase Enterprise versions prior to 1.46.6.1. If exploited, an unauthorized attacker could run arbitrary commands on the Metabase server with the same privileges, compromising the system's security. The issue has been addressed in older versions as well, such as 0.45.4.1 and 1.45.4.1, 0.44.7.1 and 1.44.7.1, and 0.43.7.2 and 1.43.7.2. Although there's no evidence of active exploitation in the wild, data from the Shadowserver Foundation indicates that a significant number of Metabase instances (5,488 out of 6,936) are still vulnerable as of July 26, 2023. Most of these instances are located in the US, India, Germany, France, the UK, Brazil, and Australia. The vulnerability's root cause is attributed to an issue in the JDBC connection of the API endpoint "/api/setup/validate," which allows a malicious actor to gain a reverse shell on the system using a specially crafted request exploiting an SQL injection flaw in the H2 database driver. Users unable to apply the patches immediately are advised to take precautionary measures, including blocking requests to the /api/setup endpoint, isolating the Metabase instance from the production network, and monitoring for suspicious requests to the vulnerable endpoint.

Decoy Dog: Emerging Malware Poses Serious Risks to Corporate Networks

The recently discovered malware named Decoy Dog is an advanced version of the open-source remote access trojan (RAT) known as Pupy RAT. Security researchers from Infoblox have conducted a deeper analysis of Decoy Dog and found it to possess powerful, previously unknown capabilities. One significant feature is the ability to transfer victims to another controller, allowing communication with compromised machines while remaining undetected for extended periods. Some victims have been actively communicating with a Decoy Dog server for over a year. Decoy Dog introduces new functionalities not present in Pupy RAT, such as executing arbitrary Java code on the client and connecting to emergency controllers using a mechanism similar to a traditional DNS domain generation algorithm (DGA). This allows the Decoy Dog domains to respond to replayed DNS queries from breached clients. The origins of Decoy Dog are uncertain, but it is suspected to be operated by nation-state hackers, who have shown swift adjustments to their attack infrastructure in response to previous disclosures. Despite limited knowledge about the underlying victim systems and vulnerabilities exploited, Decoy Dog poses an ongoing and serious threat. The malware leverages the domain name system (DNS) for command-and-control (C2), making DNS-based defences crucial in protecting against it. Infoblox urges the need for vigilance, as the actors behind Decoy Dog are likely to adapt to new reporting. The researchers are particularly curious about the motive behind modifying Pupy RAT for their C2 operations, as other options are available. Understanding the rationale behind Decoy Dog's creation may shed light on how the actors will react to defence measures in the future.