Intel Reports

Activity Summary - Week Ending on 29 June 2023:

• Red Sky Alliance identified 521 connections from new IP’s checking in with our Sinkholes
• 1,573 ‘new’ Botnets hits
• Condi Botnet
• IOCs
• US Cyber Strategy Not Good
• Petro-Canada
• plugwalkjoe
• 5 Years in Prison
• Jordan Cyber

Red Sky Alliance Compromised (C2) IP’s  

On 28 June 2023, Red Sky Alliance identified 521 connections from new unique IP addresses, which are checking in with one of the many Red Sky Alliance sinkholed domains.

Red Sky Alliance Malware Activity   

For a full black list – contact analysts: info@redskyalliance.com

Red Sky Alliance Botnet Tracker

On 28 June 2023, analysts identified 1,573 new IP addresses participating in various botnets (call for full .csv Blacklists, below are only a small sampling of botnet trackers).  We are currently upgrading this collection.

MALICIOUS CYBER TRENDS:

Condi Botnet: Buy or Rent.  While pivoting from the Command and Control (C2) domain cdn2[.]duc3k[.]com in one of the malware samples, researchers found a sibling domain admin[.]duc3k[.]com that previously displayed the message "contact @zxcr9999 telegram”.  A quick search revealed a Telegram channel, Condi Network, advertising a Condi botnet with capabilities matching those observed in our sample (Figure 1).[1]

Figure 1: Advertisement for “private version” of Condi on Telegram

The Telegram channel was started in May 2022, and the threat actor has been monetizing its botnet by providing DDoS-as-a-service and selling the malware source code (Figure 2).

Figure 2: DDoS-as-a-Service and sale of malware source code.

Below is a technical analysis of the ARM malware sample 509f5bb6bcc0f2da762847364f7c433d1179fb2b2f4828eefb30828c485a3084 in the following sections:

Killing off the Competition:  This malware employs several techniques to keep itself running in an infected system.  At the same time, it also prevents infections from other botnets by attempting to terminate their processes.

Typical to Mirai-based botnets, this malware cannot survive a system reboot. Because of this, it deletes the following binaries used to shut down or reboot the system.

• /usr/sbin/reboot
• /usr/bin/reboot
• /usr/sbin/shutdown
• /usr/bin/shutdown
• /usr/sbin/poweroff
• /usr/bin/poweroff
• /usr/sbin/halt
• /usr/bin/halt

It also reads the /proc/<PID>/status for each running process and compares the Name field to the following strings to kill any processes with matching names:

• /bin/busybox
• /bin/systemd
• /usr/bin
• test
• /tmp/condi
• /tmp/zxcr9999
• /tmp/condinetwork
• /var/condibot
• /var/zxcr9999
• /var/CondiBot
• /var/condinet
• /bin/watchdog

Researchers assess that the developer intended to kill off older versions of Condi currently running on an infected device together with selected system processes.  However, the implementation is flawed as the Name field only contains the executable names of processes and not their full paths.  Additionally, it kills any processes with binary filenames containing the following extensions commonly used by other botnets:

• x86
• x86_64
• arm
• arm5
• arm6
• arm7
• mips
• mipsel
• sh4
• ppc

It also generates a random string of at least ten characters from the custom alphanumeric character set "lvrvup9w0zwi6nuqf0kilumln8ox5vgv@" and attempts to kill any process with this string in its command line, however it is near certain this process will not exist.  Which process the malware developer intended to terminate with this code is unclear.  Finally, it generates two numbers (one between 12 and 32, the other between 12 and 20) and kills any processes with a command line length matching either number.  Killing off random processes based on their command line length is likely to wreak havoc and prevent the infected device from functioning correctly if the malware happens to terminate system processes.

Botnet Propagation:  Unlike most DDoS botnets, this sample does not propagate by trying different credentials. Instead, it embeds a simple scanner modified from Mirai’s original Telnet scanner to scan for any public IPs with open ports 80 or 8080 (commonly used for HTTP servers) and then sends a hardcoded exploitation request (Figure 3) to download and execute a remote shell script at hxxp://cdn2[.]duc3k[.]com/t, which will infect the device with Condi if it is a vulnerable TP-Link Archer AX21 device.

Figure 3: CVE-2023-1389 exploitation request

The remote shell script is typical of Mirai-based loaders that try to download and execute binaries of each architecture in turn (Figure 4).  The first command-line argument provided to the malware binary, ”0days”, in this case, is referred to as “id” (“source” in the original Mirai code), which DDoS botnet operators commonly use to identify the method used to replicate the malware.

Figure 4: Shell script downloader with “0days” source

While the sample we analyzed only contained the scanner for CVE-2023-1389, other Condi botnet samples were also seen exploiting other vulnerabilities to propagate. The publicly available source code for older versions also includes scanners for known vulnerabilities exploited by other Mirai variants.  Researchers also observed shell scripts hosted on the same IP with different sources in the execution commands. Figure 5 shows a script with an “adb” source, which refers to Android Debug Bridge (ADB).

Figure 5: Shell script downloader with "adb” source

Researchers found source code for an older version of Condi that scans for devices with an open Android Debug Bridge port (TCP/5555), so it is possible that the botnet is currently being propagated via this means.

C2 Protocol and Command List:  The binary protocol used by Condi to communicate with the C2 server is a modified version of that initially implemented in Mirai.  The initial registration packet sent by the bot to the C2 contains the bytes \x33\x66\x99, commonly associated with Moobot, another Mirai variant.  These bytes are followed by a one-byte length of the “id”.  In the case of Condi, "id” defaults to “c” if none was specified, or in our case, of an infection via CVE-2023-1389, “0days”. This signals the C2 server that the malware is ready to receive commands.

The first three bytes of the C2 response indicate the command for the Condi bot:

1. \x99\x66\x33: Likely to check if the malware is still active, in which case the malware sends a packet to C2 with \x66\x99\x66\x04 followed by “ping”
2. \x99\x66\x66: Terminate the bot
3. \x33\x66\x66: Start the webserver for serving malware binaries
4. \x33\x66\x33: Update binaries served by the webserver
5. \x33\x66\x99: Send the webserver port. Malware responds with \x66\x99\x66 followed by a length of the next string and “CondiiNeett webserv:<PORT>"
6. \x66\x66\x99: Sets an unused lockdownflag, which might indicate a feature in development.

Once it receives the \x33\x66\x66 command used to start the webserver, this malware downloads bot binaries from a hardcoded IP and port.  After that, it starts a basic HTTP server on a random port number above 1024 to host these binaries. GET, POST, and HEAD requests to this server for the /arm, /arm7, /mips, /mipsel, /x86_64, /sh4, /ppc, and /m68k URLs will serve these binaries if they were downloaded previously.  This HTTP server masquerades as a legitimate Apache HTTP server by responding with the “Server: Apache” header when any URLs are requested.

From then on, the threat actor can issue the \x33\x66\x33 command to download the latest binaries from the same hardcoded IP and port so that the webserver serves the most updated version of the malware.  If the first byte of the C2 response is not \x33, \x66, or \x99, the bot parses it as an attack command in the same way as Mirai.  Below is this sample's list of attack functions and a description of the implemented attack method.

• attack_tcp_syn: Similar to Mirai’s TCP SYN flood
• attack_tcp_ack: Similar to Mirai’s TCP ACK flood
• attack_tcp_socket: TCP flood using 5000 threads against a single targeted IP
• attack_tcp_thread: TCP flood using 100 threads shared among targeted IPs
• attack_tcp_bypass: Similar to Mirai’s TCP STOMP flood
• attack_udp_plain: Similar to Mirai’s UDP PLAIN flood
• attack_udp_thread: Similar to attack_udp_plain, but uses two threads per target IP
• attack_udp_smart: Similar to attack_udp_plain with extra error handling for connection failures

As the attack methods are consistent with the descriptions in the Telegram advertisement (Figure 1), this particular sample was likely built by the bot developer or someone with access to the malware source code.  This sample did not contain any HTTP attack methods observed in older Condi versions.

Conclusion:  Malware campaigns, especially botnets, are always looking for ways to expand.  Exploiting recently discovered (or published) vulnerabilities has always been one of their favored methods, as we highlighted above for the Condi botnet.  Thus, it is strongly recommended to always apply the latest security patches and updates as soon as possible.

Researchers have provided IPS signatures against attacks exploiting the following vulnerability:

• CVE-2023-1389: TP-Link.Archer.AX21.Unauthenticated.Command.Injection

IOCs

Files

091d1aca4fcd399102610265a57f5a6016f06b1947f86382a2bf2a668912554f
291e6383284d38f958fb90d56780536b03bcc321f1177713d3834495f64a3144
449ad6e25b703b85fb0849a234cbb62770653e6518cf1584a94a52cca31b1190
4e3fa5fa2dcc6328c71fed84c9d18dfdbd34f8688c6bee1526fd22ee1d749e5a
509f5bb6bcc0f2da762847364f7c433d1179fb2b2f4828eefb30828c485a3084
593e75b5809591469dbf57a7f76f93cb256471d89267c3800f855cabefe49315
5e841db73f5faefe97e38c131433689cb2df6f024466081f26c07c4901fdf612
cbff9c7b5eea051188cfd0c47bd7f5fe51983fba0b237f400522f22ab91d2772
ccda8a68a412eb1bc468e82dda12eb9a7c9d186fabf0bbdc3f24cd0fb20458cc
e7a4aae413d4742d9c0e25066997153b844789a1409fd0aecce8cc6868729a15
f7fb5f3dc06aebcb56f7a9550b005c2c4fc6b2e2a50430d64389914f882d67cf

Download URLs

• hxxp://85[.]217[.]144[.]35/arm
• hxxp://85[.]217[.]144[.]35/arm5
• hxxp://85[.]217[.]144[.]35/arm6
• hxxp://85[.]217[.]144[.]35/arm7
• hxxp://85[.]217[.]144[.]35/m68k
• hxxp://85[.]217[.]144[.]35/mips
• hxxp://85[.]217[.]144[.]35/mpsl
• hxxp://85[.]217[.]144[.]35/ppc
• hxxp://85[.]217[.]144[.]35/sh4
• hxxp://85[.]217[.]144[.]35/x86
• hxxp://85[.]217[.]144[.]35/x86_64
• hxxp://85[.]217[.]144[.]35/abc3.sh
• hxxp://cdn2[.]duc3k[.]com/t

C2s

• 85[.]217[.]144[.]35
• cdn2[.]duc3k[.]com

GLOBAL TRENDS:

US - With the news cycle dominated by the latest developments regarding the classified documents indictment of former President Donald Trump and President Joe Biden’s son, Hunter, reaching a plea deal with federal prosecutors over his failure to pay roughly $1 million in taxes and falsifying information in the process of purchasing a handgun, some very important news regarding the overall security of America has consistently flown under the radar so far this year.[2]  Security has seemingly been far from top of mind for the administration, as evidenced by the utter disregard for the security of the southern border, where according to a document titled “Biden’s border crisis is the worst in American History,” prepared by the Senate Republican Conference, “In Fiscal Year 2021 alone, US Customs and Border Protection experienced 1.7 million encounters with aliens at the southern border, the highest number ever recorded in a single year.”  Most Americans living outside of border states are well aware of this issue however, as according to a May 2023 Reuters/Ipsos poll, only 26% said they approved of Biden’s handling of immigration.  That’s mainly because the news is consistently reporting on the physical border crisis, unlike the issues facing our digital borders, which has reached zero hour. Unfortunately, the average citizen is blissfully ignorant of the fact that there are literally 560,000 thousand new pieces of malware are created daily.  This includes viruses, adware, Trojans, keyloggers, and crypto miners, which are all developed to steal data, currency, conduct spying operations, or disrupt critical infrastructure.

The Biden administration has largely failed in the first half of 2023 in properly addressing these threats, as recent reports indicate that multiple US government departments and several hundred private and public entities have recently be victimized as part of a slew of new Russian-based hacks.  The attacks were enabled in part, due to vulnerabilities in MOVEit software.  According to the executive assistant director for cybersecurity for the Cybersecurity and Infrastructure Security Agency (CISA), “is providing support to several federal agencies that have experienced intrusions affecting their MOVEit applications,” while noting, “we (CISA) are working urgently to understand impacts and ensure timely remediation.”

The US Department of Energy was among the more high-profile victims of the attacks.  According to a spokesperson for the agency, “The Department (of Energy) has notified Congress and is working with law enforcement, CISA, and the affected entities to investigate the incident and mitigate impacts from the breach.”

The Russian ransomware gang known as CL0P has claimed responsibility for the attacks.  The hackers gave their victims until last Wednesday to contact them regarding ransom payments.  They then began listing alleged victims on their dark web site. Among the alleged victims are Oak Ridge Associated Universities, Georgia’s state-wide university system, British Airways, the Shell Oil Company, and State governments in Minnesota and Illinois.

The software maker behind the exploited MOVEit applications, Progress Software, recently discovered a second vulnerability in their software which they’re actively working to fix.  “We have communicated with customers on the steps they need to take to further secure their environments and we have also taken MOVEit Cloud offline as we urgently work to patch the issue,” the company said in a statement.

Much like the SolarWinds attack, it will likely be months or even years before we know the full extent of this wave of Russian cyber-attacks, but this is only the latest example of the Biden administration failing rise to the challenge regarding America’s cyber defenses.  Among the attacks against the US this year were espionage operations carried out by a Vietnamese hacking group, a North Korean cybergang targeting American cybersecurity research firms, and Chinese state-sponsored hackers attacking “critical” cyber infrastructure in several industries, including government and communications organizations.

The US government must lead the world on the cyber issue.  Especially as hackers seem to be indiscriminately attacking anyone they can.  Big-Tech must do its part as well, especially as 2023 has seen a rise in “Malvertising” via Google Ads.  One thing the average American can do to protect themselves online is exercising basic safety measures like using an ad-blocker to avoid malware laced advertising.  But on the international level, the ongoing cyberwars necessitate increased cooperation.  One of the most promising recent developments is the bi-partisan Abraham Accords Cybersecurity Cooperation Act.  Born out of groundbreaking Trump administration diplomacy, the act is a major step towards enhanced international communication in real time to mitigate damages from largescale cyber-attacks.  Cybersecurity is just another matter where Joe Biden has failed.  Luckily for America, for the time being America has merely bent and not broken in the cybersphere. Whether or not we can hold the fort through the next year and a half of Biden remains to be seen.

Canada - Petro-Canada has confirmed on Monday it has been hit by a cyber-attack, after saying on the weekend its mobile app and the website were “temporarily unavailable.”  On 24 June, Petro-Canada said, “Logging into Petro-Points from our app and website is temporarily unavailable. We’re working hard to resolve the issue and apologize for the inconvenience.”   The company’s app lets customers collect Petro-Points, start car washes and also charge electric vehicles. Those relying on the company’s EV charging network were in for a rude awakening during their road trips on the weekend.[3]

On 26 June, Petro-Canada announced, “Petro-Canada is a Suncor business and together, we’re responding to a cybersecurity incident.  While our sites are open, you may experience disruptions to some services.  “Right now, some of our sites can only accept cash and our app and Petro-Points login are unavailable.  Car washes may also be unavailable at some locations.  What matters most to us is you and your safety.  Thanks for your support and understanding as we work to keep you moving.”

Parent company Suncor said over the weekend it “experienced a cyber security incident,” noting it is “taking measures and working with third-party experts to investigate and resolve the situation and has notified appropriate authorities.”  Suncor said, “At this time, we are not aware of any evidence that customer, supplier, or employee data has been compromised or misused as a result of this situation.  While we work to resolve the incident, some transactions with customers and suppliers may be impacted,” concluded Calgary-based Suncor.

The incident has disabled payments at gas pumps with debit or credit cards, while also disabled the Petro Points system as well.  Many customers with Season Pass for car washes voiced anger at the inconvenience of not being able to get car washes.

UK - A British man who hacked high profile Twitter accounts as part of a Bitcoin scam has been jailed in the US.  Joseph O'Connor, from Liverpool, hijacked more than 130 accounts in July 2020, including those of Barack Obama, Joe Biden and Elon Musk.  The 24-year-old pleaded guilty to hacking charges last month. 

Last week, he was sentenced to five years for cyber-crimes, according to the United States Attorney's Office in the southern district of New York.  The hacking was part of a major Bitcoin scam that generated tweets asking followers to send Bitcoin to an account, promising to double their money.  As a result of the fraud, an estimated 350 million Twitter users viewed suspicious tweets from official accounts of some of the platform's biggest users, including Apple, Uber, Kanye West and Bill Gates.  Thousands were duped into believing that a crypto giveaway was real.[4]

Twitter hack: What went wrong?  O'Connor, who went by the alias PlugwalkJoe, was extradited from Spain to the US in April and last month pleaded guilty to hacking charges that carried a total maximum sentence of more than 70 years.  Three other men have been charged over the scam, with US teenager Graham Clark pleading guilty to his part in the deception in 2021.  The hackers telephoned a small number of Twitter employees with a believable tale to convince them to hand over their internal login details - which eventually granted them access to Twitter's administrative tools.  They managed to use social engineering tricks - more akin to conmen than high-level cyber-criminals - to get access to the powerful internal control panel at the site.  In a statement, US Assistant US Attorney described O'Connor's actions as "flagrant and malicious", saying he had "harassed, threatened and extorted his victims, causing substantial emotional harm."  The US justice department also said O'Connor admitted other hacking crimes including gaining access to a high-profile TikTok account and stalking a minor.  He was also ordered to pay almost $800,000 in forfeiture, the US justice department said.

Jordan - The National Cybersecurity Center of Jordan has issued a proposed draft for a national cybersecurity framework.  With the consultation period open, Jordan said the draft encompasses a collection of procedures, controls, mechanisms, and standards that institutions must adopt and implement.  The framework's intention is to keep pace with international practices to develop the defense system for cybersecurity at a national level for all public and private institutions.  It will also act as a guide to confront cyber threats efficiently and effectively, and mitigate the impact "resulting from the realization of various cyber risks through the development of technical, human and administrative capabilities in institutions."  Its objective is to enhance the security of Jordan's cyber systems and elevate the level of information protection, according to Jordan News.  While the framework will enforce mandatory standards, Jordan stated that the cybersecurity center actively participates in drafting legislation, controls, and regulatory frameworks to mitigate cyberattacks.[5]

[1] https://www.fortinet.com/blog/threat-research/condi-ddos-botnet-spreads-via-tp-links-cve-2023-1389?lctg=141970831

[2] https://www.bizpacreview.com/2023/06/26/new-russian-cyber-attacks-prove-biden-cyber-strategy-failing-halfway-through-2023-1372011/

[3] https://www.iphoneincanada.ca/2023/06/26/petro-canada-cyber-attack/

[4] https://news.yahoo.com/twitter-hack-joseph-oconnor-jailed-070513401.html

[5] https://www.darkreading.com/dr-global/jordanian-cyber-leaders-cybersecurity-framework-development