Blog entry by Les Bell

by Les Bell - Friday, 8 September 2023, 10:10 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Mirai Derivative Exploits Android TVs

Russian anti-malware company Dr. Web reports the identification of a new family of trojans that compromises Android TV devices, either during firmware updates or when applications for watching pirated video content are installed. This new backdoor sports advanced DDoS attack capabilities by using code from the Mirai botnet trojan.

Dubbed Android.Pandora.2, the trojan seems to be a modification of the Android.Pandora.10 backdoor (also known as Android.Backdoor.334). It targets low-end Android TV set-top boxes such as the Tanix TX6 TV Box, MX10 Pro 6K and H96 MAX X3. An analysed sample arrived as a malicious firmware update - released in December 2015 (!) - for the MTX HTV BOX HTV3 device and has likely been deployed to a number of websites. Other samples target Spanish-speaking users via apps for streaming pirated movies and TV shows, distributed through domains with names like 'youcine', 'magistv', 'latinatv' and 'unitv'; this variant has a different installation process and is identified as Android.Pandora.4.

The main malware is a file called /system/bin/pandoraspearrk, which joins the infected system to a DDoS botnet; it is monitored by a process called /system/bin/supervisord which will restart it if it is killed. It also installs its own copies of the busybox shell and curl. Once installed and running, the trojan will accept commands to start and stop various DDoS attacks, open a reverse shell, mount partitions in RW mode, etc.

This malware illustrates the dangers posed by IoT device users who know just enough to side-load their devices with code from dubious sources but not enough to secure them; they may well get cheap functionality and access to pirated content, but their devices can become useful platforms for attackers interested in bigger fish.

Dr. Web, Pandora's box is now open: the well-known Mirai trojan arrives in a new disguise to Android-based TV sets and TV boxes, news release, 6 September 2023. Available online at https://news.drweb.com/show/?lng=en&i=14743.

Apache Project Vulnerabilities

Two Apache projects are causing problems in the enterprise world.

The first is Apache RocketMQ, a distributed messaging and streaming middleware system, which has triggered action from CISA by adding CVE-2023-33246 to its list of known exploited vulnerabilities. Several components of RocketMQ, including NameServer, Broker and Controller, are often exposed via an extranet but lack permission verification; an attacker can exploit this by using the 'update configuration' function to execute commands with the privileges of the RocketMQ system account. Alternatively, they can also achieve remote command execution by forging RocketMQ protocol messages.

Affected users should upgrade to RocketMQ version 5.1.1 or above, or RocketMQ version 4.9.6 or above.

Meanwhile, researchers at Horizon3.ai warn of vulnerabilities in Apache Superset, a popular Python open source data exploration and visualization tool based on the Flask web framework. A previous vulnerability, CVE-2023-27524 (also discovered by Horizon3.ai), could allow an attacker to obtain the Flask SECRET_KEY value and thereby obtain admin privileges, but this was mostly fixed in Superset 2.1.0. The two new high-severity vulnerabilities, CVE-2023-39265 and CVE-2023-37941, allow further exploitation - in some cases after using CVE-2023-27524 or other means of obtaining admin privileges, but in others from non-admin accounts.

CVE-2023-39265 allows a bypass of URI checking in the Superset UI, which would normally block connection to its own metadata database (which is SQLite, by default). The checks will fail if the supplied URI includes both the dialect and driver name, e.g.

sqlite+pysqlite:////app/superset_home/superset.db

After connecting to the metadata store, an attacker can then access it via SQL Lab, allowing database exploration, querying and updates. The same vulnerability also applies to database connection information imported from files, allowing control of arbitrary SQLite metadata databases. In fact, if Superset is configured to use MySQL for the metadata database, it is also possible to obtain credentials for the database and also connect to it through the Superset UI.
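The bypass above comes down to comparing a raw connection string against a blocked prefix, which a "dialect+driver" scheme such as sqlite+pysqlite never matches. The following is an added illustration, not Superset's own code: a naive prefix check beside a hardened one that parses the URI scheme and strips the driver suffix before comparing the dialect. The function names and the blocked-dialect set are assumptions for the example.

```python
"""Naive versus hardened checks on a database connection URI (added example).

Assumption: a deployment wants to refuse connections whose dialect is the one
used for its own metadata store (SQLite here, as in Superset's default).
"""
from urllib.parse import urlsplit

# Constructed for this example: dialects that must never be offered as a
# user-configurable data source because they back the application itself.
BLOCKED_DIALECTS = {"sqlite"}


def naive_is_blocked(uri: str) -> bool:
    """String-prefix check. 'sqlite+pysqlite://...' slips past it because the
    raw string does not start with 'sqlite:'."""
    return any(uri.startswith(f"{dialect}:") for dialect in BLOCKED_DIALECTS)


def dialect_of(uri: str) -> str:
    """Return the dialect part of an SQLAlchemy-style URI, lower-cased and with
    any '+driver' suffix removed, so 'SQLite+pysqlite' and 'sqlite' compare equal."""
    scheme = urlsplit(uri).scheme  # urlsplit accepts '+' inside a scheme
    if not scheme:
        raise ValueError(f"connection URI has no scheme: {uri!r}")
    return scheme.split("+", 1)[0].lower()


def hardened_is_blocked(uri: str) -> bool:
    """Compare the parsed dialect, not the raw string, against the block list."""
    return dialect_of(uri) in BLOCKED_DIALECTS


if __name__ == "__main__":
    # Constructed inputs: the URI shape quoted in the advisory and two look-alikes.
    samples = [
        "sqlite:////app/superset_home/superset.db",
        "sqlite+pysqlite:////app/superset_home/superset.db",
        "SQLite:///other.db",
        "postgresql+psycopg2://user:pw@dbhost/analytics",
    ]
    for uri in samples:
        print(f"{uri}\n  naive blocked: {naive_is_blocked(uri)}"
              f"  hardened blocked: {hardened_is_blocked(uri)}")
```

Any check that lets the user supply a full connection string should normalise it first; with SQLAlchemy available, `sqlalchemy.engine.url.make_url(uri).get_backend_name()` gives the same driver-stripped dialect name that `dialect_of` computes here with the standard library.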

CVE-2023-37941 extends this attack chain further, allowing remote code execution by an attacker with access to the metadata database. Vulnerable versions of Superset use Python's pickle package to store some configuration data, and the attacker can insert an arbitrary pickle payload into the database and then trigger its deserialization and execution.
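Storing pickled objects where an attacker can write rows is dangerous precisely because a pickle may name any importable callable and have it invoked on load. The following is an added example, not Superset's code: a deserializer that allow-lists the globals a configuration blob may reference, beside the plainer mitigation of storing such data as JSON. The allow-list contents, the helper names and the sample blobs are assumptions constructed for the example.

```python
"""Allow-list deserialization for configuration blobs read from a database
(added example; not Superset's implementation).
"""
import collections
import io
import json
import pickle
from typing import Any

# Constructed allow-list: the only (module, name) globals a stored blob may
# reference. Plain dicts, lists, strings and numbers need no global at all.
SAFE_GLOBALS = {
    ("builtins", "set"),
    ("builtins", "frozenset"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse every global lookup that is not explicitly allowed."""

    def find_class(self, module: str, name: str) -> Any:
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")


def restricted_loads(blob: bytes) -> Any:
    """Unpickle with the allow-list enforced; raises UnpicklingError otherwise."""
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def is_loadable_under_allowlist(blob: bytes) -> bool:
    """True only if the blob references nothing outside SAFE_GLOBALS."""
    try:
        restricted_loads(blob)
    except pickle.UnpicklingError:
        return False
    return True


# Preferred mitigation: keep configuration as JSON, which cannot name code.
def to_json_blob(config: dict) -> bytes:
    return json.dumps(config, sort_keys=True).encode("utf-8")


def from_json_blob(blob: bytes) -> dict:
    config = json.loads(blob.decode("utf-8"))
    if not isinstance(config, dict):
        raise ValueError("configuration blob must decode to a JSON object")
    return config


# Constructed sample blobs standing in for rows read back from the metadata DB.
def sample_plain_blob() -> bytes:
    """Only basic types: loads under the allow-list."""
    return pickle.dumps({"theme": "dark", "limits": [1, 2]})


def sample_global_blob() -> bytes:
    """Benign object, but it references collections.OrderedDict, which is not
    allow-listed, so the restricted loader rejects it."""
    return pickle.dumps(collections.OrderedDict(a=1))


if __name__ == "__main__":
    print("plain blob accepted:", is_loadable_under_allowlist(sample_plain_blob()))
    print("blob with global accepted:", is_loadable_under_allowlist(sample_global_blob()))
    print("json round trip:", from_json_blob(to_json_blob({"theme": "dark"})))
```

The restricted unpickler is a containment measure for data that must stay pickled; the JSON pair shows the simpler fix, since a JSON document has no way to name a class or function and so cannot trigger code on load.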

These vulnerabilities are fixed in Superset version 2.1.1, and users should upgrade immediately.

CISA, CISA Adds One Known Vulnerability to Catalog, cybersecurity advisory, 6 September 2023. Available online at https://www.cisa.gov/news-events/alerts/2023/09/06/cisa-adds-one-known-vulnerability-catalog.

Sunkavally, Naveen, Apache Superset Part II: RCE, Credential Harvesting and More, blog post, 6 September 2023. Available online at https://www.horizon3.ai/apache-superset-part-ii-rce-credential-harvesting-and-more/.

Multiple Nation State Actors Exploit Zoho ManageEngine ServiceDesk Plus

Back in June, we reported on a campaign conducted by China-affiliated threat actor VANGUARD PANDA (also known as Volt Typhoon), exploiting Zoho ManageEngine ADSelfService Plus in order to obtain initial access, after which they deployed webshells and made use of living-off-the-land techniques to avoid leaving behind detectable artifacts which could be used as IOCs.

Now the US Cybersecurity & Infrastructure Security Agency, FBI and Cyber National Mission Force have published a joint cybersecurity advisory providing information on an incident which appears to be related. The agencies confirmed that a nation-state advanced persistent threat exploited CVE-2022-47966 (an RCE vuln related to yet another Apache project, xmlsec) to gain unauthorized access to a public-facing application (Zoho ManageEngine ServiceDesk Plus), establish persistence, and move laterally through the network of an aviation sector entity. Additional APT actors were also observed exploiting CVE-2022-42475 to establish presence on the organization’s firewall device.

The joint advisory provides a full, detailed analysis of initial access vectors and post-exploitation activities, including the tools the threat actor used, along with a mapping to MITRE ATT&CK techniques, detection methods and suggested mitigations.

CISA, Multiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475, cybersecurity advisory, 7 September 2023. Available online at https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-250a.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.
