America’s Most Wanted: Exploit Edition
Thursday May 14th 2020

This week, we’re going to take a look at:

  • Evil Maid Thunderspies your Backplane
  • America’s Most Wanted Exploits
  • SaltStack RCE Exploits
  • Hidden Cobra Malware

Evil Maid Thunderclaps Back with Thunderspy

Thunderspy is the new hotness in physical exploits targeting Intel’s Thunderbolt port. It takes less than five minutes to execute and impacts any Windows or Linux PC manufactured before 2019.

Released by Eindhoven University of Technology researcher Björn Ruytenberg, Thunderspy involves unscrewing the physical backplate of a machine, attaching a device momentarily to reprogram the firmware, and reattaching the backplate (if you really want to).

Thunderbolt provides fast speeds of data transfer to external devices by allowing more direct access to a computer’s memory than other ports. This vulnerability in Thunderbolt Security Levels enables Thunderspy to perform direct memory access (DMA) attacks.

No immediate fix is available other than disabling the Thunderbolt port completely. Users are advised to adjust their Thunderbolt’s “security levels” to disallow access from untrusted devices, but Thunderspy can bypass these security settings.

Thunderspy iterates on the work of other Thunderbolt researchers. In response to earlier exploits like PCILeech, Intel introduced Security Levels with Thunderbolt 2 to protect against DMA attacks.

Other recent attacks, like Thunderclap, work within Thunderbolt’s “Security Levels” ecosystem and do not break Thunderbolt access control. However, Thunderspy goes beyond these initiatives to break Thunderbolt hardware and protocol security. This is the first attack on Intel’s Security Levels.

In addition, Intel’s response to Thunderclap stated, “Existing security options for the Thunderbolt interface also allow you to whitelist trusted Thunderbolt devices to help protect your systems from malicious peripherals” as a remedy to Thunderclap. Thunderspy completely breaks these security options.

Check out their process on YouTube. It’s some real mission impossible stuff. I’d bet two dollars the NSA has been doing this for years.

America’s Most Wanted Exploits

US-CERT released an advisory sharing the top ten most exploited vulnerabilities from 2016-2019 by both state-sponsored and non-state-sponsored cyber actors. They are as follows:

  1. CVE-2017-11882
  2. CVE-2017-0199
  3. CVE-2017-5638
  4. CVE-2012-0158
  5. CVE-2019-0604
  6. CVE-2017-0143
  7. CVE-2018-4878
  8. CVE-2017-8759
  9. CVE-2015-1641
  10. CVE-2018-7600

In addition to the top 10 vulnerabilities from 2016 to 2019, US-CERT disclosed that
sophisticated foreign actors are routinely exploiting CVE-2019-19781 and CVE-2019-11510 in 2020.

SaltStack RCE Exploit PoCs

Recently, a critical SaltStack vulnerability (CVE-2020-11651) was disclosed and patched. If you’re running SaltStack, you should be patched or, at the very least, confirmed that it is not externally accessible. We are now seeing multiple proofs of concepts (1 2 3) for CVE-2020-11651 released. This exploit takes advantage of a bug in SaltStack before 2019.2.4 and 3000 before 3000.2. If executed correctly, it allows a remote attacker to gain access without authentication by retrieving user tokens from the Salt master or by running arbitrary commands on Salt minions.

In addition, jasperla published a proof of concept (PoC) targeting CVE-2020-11652, a bug from the same process that allows access to some methods that improperly sanitize paths. The exploit script is written in Python and can allegedly be used to access the file system and schedule commands on the Salt master and all connected minions.

All PoCs were written in Python. At the time of writing, these PoCs have a combined 50+ forks. Perch customers utilizing the Emerging Threats IDS signatures have coverage for CVE-2020-11651.

Hidden Cobra Malware

On May 12, 2020, the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and the Department of Defense (DoD) identified three new malware strains believed to have been used in North Korea’s government-sponsored campaign “HIDDEN COBRA.”

The FBI believes that the threat actors are using the malware variants in conjunction with proxy servers to maintain persistence on victim networks and further network exploitation. The detected malware variants were identified as “COPPERHEDGE,” “TAINTEDSCRIBED,” and “PEBBLEDASH,” and possess different functions and purposes that can be abused by the attackers to compromise the target organization. COPPERHEDGE, a remote access trojan (RAT), runs arbitrary commands, performs system reconnaissance, and exfiltrates data.

To bypass authentication and secure persistence, “TAINTEDSCRIBE” and “PEBBLEDASH” are used as backdoors on the compromised system, receiving and executing the attacker’s commands. At the time of this writing, it’s unclear what entities have been affected, or how the attack is launched.

ZDNet reports the US Cyber Command has uploaded samples for the three malware strains on its VirusTotal account. There are a few things you can do to prevent malware infection and a subsequent breach:

  • Maintain up-to-date antivirus signatures and engines
  • Keep operating system patches up-to-date
  • Restrict users’ permissions to install and run unwanted software applications
  • Enforce a strong password policy and implement regular password changes
  • Monitor users’ web browsing habits; restrict access to sites with unfavorable content
  • Provide intensive phishing and social engineering training to the employees
  • Disable unnecessary services on agency workstations and servers
  • Monitor your network and logs for threats

ShinnyHunters breach Chatbooks, Zoosk, Styleshare, and More

Photo print service Chatbooks notified customers of a breach involving exfiltrated user data. Data for 15 million ChatBooks users is now for sale in underground marketplaces. Those records for sale are just a portion of the 73 million user records advertised by the ShinyHunters threat actor. The actor provided a sample of ChatBooks data that contained email addresses, hashed passwords (SHA-512), social media access tokens, and personally identifiable information.

There was no evidence that payment or credit card information and photos were present on the database. ChatBooks is the first ShinyHunters victim to admit their users’ data was included in the 73m records. Other potential victims include: Zoosk, Styleshare, Home Chef, Minted, Chronicle of Higher Education, GGuMim, Mindful, Bhinneka, and StarTribune.

If you’re a Chatbooks user or a user of any of these other sites and have used the same passwords elsewhere, you should change them. The passwords were hashed but not salted. It’s only a matter of time before the rainbow tables are put to work, and a cleartext password list is released. That cleartext password and email list will become useful for credential stuffing.

That wraps up the threat report for this week. Check back next week for more!

- Paul

Paul Scott

Paul Scott
Has 6 Gold Stars
LinkedIn