Baron Samedit – the newest sudo bug gives attackers root-level access

Baron Samedit is the newest major vulnerability impacting a large part of the Linux ecosystem. The bug is not a new development – it has been hiding in plain sight for nearly ten years. That’s quite a long time; fortunately, it has already been patched. More information follows below.

Baron Samedit – 10-year-old Sudo vulnerability impacts most Linux distributions today

The vulnerability Baron Samedit (CVE-2021-3156) was discovered by security auditing firm Qualys two weeks ago and was patched on January 27 with the release of Sudo v1.9.5p2.

The Baron Samedit bug can be exploited by an attacker who has gained access to a low-privileged account to gain root access, even if the account isn’t listed in /etc/sudoers – a config file that controls which users are allowed access to su or sudo commands in the first place. The vulnerability could be abused by botnet operators in the second stage of an attack to help intruders easily gain root access and full control over a hacked server. These types of botnets targeting Linux systems through brute-force attacks are quite common these days.

A memory line…

While there have been two other Sudo security flaws disclosed over the past two years, the bug disclosed today is the one considered the most dangerous of all three. The two previous bugs, CVE-2019-14287 (known as the -1 UID bug) and CVE-2019-18634 (known as the pwfeedback bug), were hard to exploit because they required complex and non-standard sudo setups.

Things are different for the bug disclosed today, which Qualys said impacts all Sudo installs where the sudoers file (/etc/sudoers) is present – which is usually found in most default Linux+Sudo installs.

Making matters worse, the bug also has a long tail. Qualys said the bug was introduced in the Sudo code back in July 2011, effectively impacting all Sudo versions released over the past ten years. The Qualys team said they were able to independently verify the vulnerability and develop multiple exploit variants for Ubuntu 20.04 (Sudo 1.8.31), Debian 10 (Sudo 1.8.27), and Fedora 33 (Sudo 1.9.2).

Source

LogoKit, a new cybercrime tool, dynamically creates phishing pages in real time

Researchers from RiskIQ have discovered a new phishing kit dubbed LogoKit that dynamically composes phishing content.

LogoKit has a modular structure that makes it easy to implement a Phishing-as-a-Service model. This toolkit, unlike other ones, is an embeddable set of JavaScript functions. The kit uses specially crafted URLs containing the email address of the recipient. Crafted URLs sent to victims typically contain their email as a location hash. For example, phishingpage[.]site/login.html#victim@company.com. The location hash is then broken down into slices. The slice’s delimiter is the ‘@’ symbol, allowing the script to extract the user’s/company’s domain to fetch the logo – from a third-party service like Clearbit or Google’s favicon database.  


After performing validation to ensure data is entered and a valid email address is present, some LogoKits will fake a user out by initially telling them that their password is incorrect, prompting them to enter the password again. It will then redirect the victim to their corporate domain. While LogoKit will indicate to victims that the password is invalid, the script still performs an AJAX request to the attacker-controlled domain/resource to perform additional tasks, such as sending the credentials to the attacker’s email.

RiskIQ spotted more than seven hundred unique domains running with LogoKit in the last thirty days. Threat actors targeted multiple services including MS SharePoint, Adobe Document Cloud, OneDrive, Office 365, and Cryptocurrency exchanges.

Is there a way to detect LogoKit?

Threat actors using LogoKit typically stick with common object storage and application deployment platforms. Because these services are so widely used, blocking LogoKit can become quite tricky. For example, blocking Amazon’s object storage outright would likely lead to numerous availability issues for legitimate web browsing. The following legitimate services have been observed in use by LogoKit actors:

glitch.me: Application Deployment Platform
appspot.com: Google Cloud Platform
web.app: Google Firebase
firebaseapp.com: Google Firebase
storage.googleapis.com: Google Cloud Storage
firebasestorage.googleapis.com: Google Firebase Storage
s3.amazonaws.com: Amazon S3 Object Storage
csb.app: Google CodeSandbox
website.yandexcloud.net: Yandex Static Hosting
github.io: GitHub Static Page Hosting
digitaloceanspaces.com: DigitalOcean Object Storage
oraclecloud.com: Oracle Object Storage

While LogoKit can often be found using legitimate hosting services, RiskIQ has also observed compromised web sites – many of them running WordPress – to be hosting LogoKit variants.
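
A triage check built on the two points above: the recipient's address carried in the location hash, and hosting on widely used platforms that cannot simply be blocked. This is an added example, not RiskIQ's or the kit's code; the function name, scoring weights and sample URLs are assumptions constructed for illustration.

```javascript
// Added example: triage URLs pulled from inbound mail for the LogoKit lure shape.
// Host suffixes come from the list above; weights and names are assumptions.
const SHARED_HOSTS = [
  "glitch.me", "appspot.com", "web.app", "firebaseapp.com",
  "storage.googleapis.com", "firebasestorage.googleapis.com",
  "s3.amazonaws.com", "csb.app", "website.yandexcloud.net",
  "github.io", "digitaloceanspaces.com", "oraclecloud.com",
];
const EMAIL_RE = /^[^\s@]+@([a-z0-9-]+\.)+[a-z]{2,}$/i;

function triageUrl(rawUrl, recipient) {
  // Accept defanged input (phishingpage[.]site) and scheme-less URLs.
  let text = rawUrl.trim().replace(/\[\.\]/g, ".");
  if (!/^[a-z][a-z0-9+.-]*:\/\//i.test(text)) text = "https://" + text;
  let url;
  try { url = new URL(text); } catch { return { score: 0, reasons: ["unparseable"] }; }

  // The location hash may be percent-encoded (victim%40company.com).
  let fragment = url.hash.slice(1);
  try { fragment = decodeURIComponent(fragment); } catch { /* keep raw value */ }

  const reasons = [];
  const host = url.hostname.toLowerCase();
  const shared = SHARED_HOSTS.some((s) => host === s || host.endsWith("." + s));
  if (shared) reasons.push("shared-hosting");
  // Shared hosting alone is legitimate traffic: it only raises an existing hit.
  if (!EMAIL_RE.test(fragment)) return { score: 0, reasons };

  let score = 2 + (shared ? 1 : 0);
  reasons.push("email-in-fragment");
  if (fragment.toLowerCase() === recipient.toLowerCase()) {
    score += 2;
    reasons.push("fragment-is-recipient");
  }
  return { score, reasons };
}

// Constructed samples: [url, recipient of the message it was found in]
const samples = [
  ["phishingpage[.]site/login.html#victim@company.com", "victim@company.com"],
  ["https://example-bucket.s3.amazonaws.com/i.html#Victim%40company.com", "victim@company.com"],
  ["https://docs.github.io/guide.html#install", "victim@company.com"],
];
for (const [u, rcpt] of samples) console.log(triageUrl(u, rcpt).score, u);
```

The fragment is never sent to the web server, so proxy and server logs will not contain it; run this where the full URL is visible, such as a mail gateway or a link-rewriting service.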

Source: 1 | 2

Avaddon ransomware gang is using DDoS attacks to force a victim to pay a ransom

So far, only SunCrypt and RagnarLocker operators had been spotted using DDoS attacks against victims’ networks or websites as an extra tool to force them to pay a ransom. Why? Many victims can restore their data from backups and do not bother contacting the attackers.

Now the Avaddon ransomware gang joins them and is using DDoS attacks to force victims to contact them, negotiate and pay a ransom. 

“It’s not at all surprising to see threat actors combining ransomware and DDoS attacks: DDoS is cheap, easy and in some cases may help convince some companies that speedy payment is the least painful option. The more pressure the criminals can put companies under, the better their chances of extracting payment” – said Brett Callow, Emsisoft threat analyst, who shared this development.

Houston, we may have a problem. When Maze introduced a double-extortion strategy, other ransomware gangs quickly adopted the method. It is still too soon to tell whether threat actors will adopt DDoS attacks in the same way, but it is definitely a very easy method that gives them an additional advantage.

Source

Hezbollah’s cyber unit hacked into telecoms and ISPs

A Hezbollah-affiliated threat actor, Lebanese Cedar, has been linked to intrusions at telco operators and internet service providers in the US, the UK, Israel, Egypt, Saudi Arabia, Lebanon, Jordan, the Palestinian Authority, and the UAE.

The year-long hacking campaign started in early 2020 and was discovered by Israeli cyber-security firm ClearSky. The company identified at least 250 web servers that have been hacked by the Lebanese Cedar group. It seems that the attacks aimed to gather intelligence and steal the victim companies’ databases containing sensitive data, including call records and private data of clients.

The attacks followed a simple pattern. Lebanese Cedar operators used open-source hacking tools to scan the internet for unpatched Atlassian and Oracle servers, after which they deployed exploits to gain access to the server and install a web shell for future access. Then the group used these web shells for attacks on a company’s internal network, from where they exfiltrated private documents. 


The hackers used vulnerabilities such as: CVE-2019-3396 in Atlassian Confluence, CVE-2019-11581 in Atlassian Jira, CVE-2012-3152 in Oracle Fusion.

Once they gained access to these systems, the attackers deployed web shells, such as ASPXSpy, Caterpillar 2, Mamad Warning, and an open-source tool named JSP file browser (which can also function as a web shell).

Once inside the target networks, the attackers deployed the Explosive remote access trojan (RAT), a malware exclusively used by the Lebanese Cedar group in past attacks.

Furthermore, researchers said that the attackers made mistakes in their operation and often reused files between intrusions. This allowed ClearSky to track the attacks across the globe and link them to the group.

Some victims’ names went public; the group’s better-known victims include Vodafone Egypt, Etisalat UAE, SaudiNet in Saudi Arabia, and Frontier Communications in the US.

Source

Do you have a thirst for knowledge? There are ten more cybersecurity stories below

1. Shazam Vulnerability Could Have Exposed User Locations (Latest Hacking News)
2. DreamBus botnet targets enterprise apps running on Linux servers (ZDNet)
3. Beware – A New Wormable Android Malware Spreading Through WhatsApp (The Hacker News)
4. DanaBot Malware Roars Back into Relevancy (Threat Post)
5. Nvidia Squashes High-Severity Jetson DoS Flaw (Threat Post)
6. Xanthe Cryptomining Botnet Attack Targeting Docker Installations (LatestHackingNews)
7. Apple Warns of 3 iOS Zero-Day Security Vulnerabilities Exploited in the Wild (The Hacker News)
8. Emotet botnet disrupted in global operation (WeLiveSecurity)
9. Google researcher discovers new iOS security system (ZDNet)
10. Italy CERT Warns of a New Credential Stealing Android Malware (The Hacker News)