Les Bell

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

TP-Link Routers Targeted by Chinese APT

Checkpoint researchers have revealed a campaign, aimed at European foreign affairs entities, which they have linked to a Chinese state-sponsored APT they refer to as Camaro Dragon, and which has similar TTP's to a previously-identified APT named Mustang Panda.

The campaign utilises malicious firmware implants for TP-Link routers. The implants have several malicious components including a custom backdoor named Horse Shell which provides the attackers with persistent access and enables lateral movement into compromised networks. This technique, of compromising Internet-facing network devices and modifying their software or firmware, is a long-standing favourite of Chinese APT's.

The Checkpoint article provides an analysis of the Horse Shell backdoor, which is a MIPS32 ELF implant, written in C++. Its main capabilities are:

• A remote shell which allows execution of arbitrary shell commands on the infected device
• File transfer to and from the infected device
• A SOCKS proxy, allowing relay of communication between infected devices

The shell is firmware-agnostic, and can be integrated into the firmware of devices from different vendors, although the exploit which is used for initial access is not yet clear.

Cohen, Itay, Radoslaw Madej, et. al., The Dragon Who Sold His Camaro: Analyzing Custom Router Implant, technical report, 16 May 2023. Available online at https://research.checkpoint.com/2023/the-dragon-who-sold-his-camaro-analyzing-custom-router-implant/.

Four RCE Vulns in Cisco Small Business Series Switches

Cisco has released an advisory warning of four critical RCE vulnerabilities in the web-based user interface of products in their Small Business Series switches. The vulnerabilities are:

• CVE-2023-20159 (CVSS score 9.8): A stack buffer overflow
• CVE-2023-20160 (CVSS score: 9.8): An unauthenticated BSS buffer overflow
• CVE-2023-20161 (CVSS score: 9.8): An unauthenticated stack buffer overflow
• CVE-2023-20024 (CVSS score: 8.6): An unauthenticated heap buffer overflow

The following products are affected:

• 250 Series Smart Switches
• 350 Series Managed Switches
• 350X Series Stackable Managed Switches
• 550X Series Stackable Managed Switches
• Business 250 Series Smart Switches
• Business 350 Series Managed Switches
• Small Business 200 Series Smart Switches
• Small Business 300 Series Managed Switches
• Small Business 500 Series Stackable Managed Switches

The 220 Series and Business 220 Series smart switches are not affected.

Cisco has released free software updates which fix these vulnerabilities, and Cisco customers are advised to update as soon as possible.

Cisco, Cisco Small Business Series Switches Buffer Overflow Vulnerabilities, security advisory, 17 May 2023. Available online at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sg-web-multi-S9g4Nkgv.

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.