Les Bell

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

Linux Variant of P2PInfect Uses Different Initial Access Vector

A couple of weeks ago we covered a new worm which was spreading between systems running the Redis NoSQL database. A Windows version of P2PInfect was discovered by Palo Alto's Unit 42, who established that it was exploiting CVE-22-0543, a Lua sandbox escape vulnerability with a CVSS 3 score of 10.0. P2PInfect got its name because it builds a peer-to-peer command and control network, and we pointed out that this "would make it much more difficult to sinkhole and bring down, especially if it can grow further". And, as expected, it is growing further.

Researchers at Cado Security Labs have discovered a Linux variant of P2PInfect, which uses a different vector for initial access.

An important feature of Redis is its support for replication, which allows nodes configured as followers to acts as replicas of a leader, with the goal of high availability and failover. P2P exploits this capability by connecting to an Internet-exposed Redis instance and issuing the SLAVEOF command to make it a replica of their malicious leader. The attacker can then use the MODULE LOAD command to load a malicious .so (shared object - the Linux equivalent to a DLL) file which creates a reverse shell, allowing remote command execution on the compromised host. From there, it connects its C2 server to retrieve and install the primary payload.

P2PInfect also attempts initial access via a cron unauthenticated RCE mechanism - but this is less successful than the SLAVEOF technique.

The main payload is a backdoor, written in a combination of C and Rust. It then sets about reconfiguring the system, installing an additional SSH public key to allow persistent access, renaming binaries so that their use will escape detection, and adding firewall rules to allow it to join the threat actor's botnet. The botnet itself is well designed, serving payloads via HTTP, and using TLS for command and control via signed messages, with certificates for both server and client ends of a connection. And although some of the payload filenames suggest cryptomining, there was no evidence of cryptomining activity, although this may be started at a later date.

The Cado Security Labs blog provides a full analysis of the worm code, as well as IOC's and a YARA rule for detection.

Bill, Nate and Matt Muir, Cado Security Labs Encounter Novel Malware, Redis P2Pinfect, blog post, 31 July 2023. Available online at https://www.cadosecurity.com/redis-p2pinfect/.

Yet Another WordPress Plugin Is Vulnerable

One massive benefit of using WordPress as a content management system is its rich ecosystem of plugins which make it an easy platform for customization. But along with these plugins comes the need to secure code from developers who, or may not, be fully up to speed on secure web coding techniques.

Specialist WordPress security firm Patchstack has disclosed multiple vulnerabilities in the Ninja Forms plugin:

CVE-2023-37979 - a POST-based reflected cross-site scripting (XSS) vuln that allows privilege escalation (CVSS 3 score: 7.1)

CVE-2023-38386 - a broken access control vuln in the form submissions export feature affecting Subscriber role

CVE-2023-38393 - a broken access control vuln in the form submissions export feature affecting Contributor role

For those who are interested, the Patchstack blog post provides an analysis of the vulnerable code, but users - and there are over 900,000 active installations - should update the Ninja Forms plugin to at least version 3.6.26.

Muhammad, Rafie, Multiple High Severity Vulnerabilities in Ninja Forms Plugin, blog post, 27 July 2023. Available online at https://patchstack.com/articles/multiple-high-severity-vulnerabilities-in-ninja-forms-plugin/.

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.