Activity Summary - Week Ending on 3 August 2023:

  • Red Sky Alliance identified 2,493 connections from new IP’s checking in with our Sinkholes
  • Linode[.]com hit 39x
  • 99 ‘new’ Botnets hits
  • Zyxel
  • IoT
  • China & Clouds
  • Water Systems
  • SCADA
  • Field Instrumentation

Red Sky Alliance Compromised (C2) IP's

172.232.13.47 was not reported in AbuseIPDB, yet it was found 39 times in Red Sky Alliance's collection of malicious data.
ISP: Linode LLC; Usage Type: Data Center/Web Hosting/Transit; Hostname(s): 172-232-13-47.ip.linodeusercontent.com; Domain Name: linode.com; Country: United States of America; City: Chicago, Illinois
https://www.abuseipdb.com/check/172.232.13.47

IP               Contacts
172.232.13.47    39
143.244.152.103  27
37.46.117.90     5
84.239.14.133    2
95.25.212.19     1

On 19 July 2023, Red Sky Alliance identified 2,493 connections from new unique IP addresses, which are checking in with one of the many Red Sky Alliance sinkholed domains.

Malware Variant    Times Seen
sality             2345
corkow             129
trojan:algureom    29
shiz               8
poweliks           7

Top 5 malware variants and number of contacts. Sality and Corkow have consistently remained the top variants; Trojan:algureom follows.

Red Sky Alliance Malware Activity

For a full blacklist, contact analysts: info@redskyalliance.com

Red Sky Alliance Botnet Tracker

On 19 July 2023, analysts identified 99 new IP addresses participating in various botnets (call for full .csv Blacklists, below are only a small sampling of botnet trackers).  We are currently upgrading this collection.

First Seen           Botnet Attribution      Infected Host's IPv4 Address
2023-07-12T12:11:21  HTTP proxy|port: 3128   5.189.144.84
2023-07-13T04:20:33  HTTP proxy|port: 80     8.219.72.50
2023-07-17T06:20:23  HTTP proxy|port: 80     8.219.117.145
2023-07-13T04:20:25  HTTP proxy|port: 80     8.219.179.34
2023-07-13T06:21:11  HTTP proxy|port: 80     8.219.180.151

Keylogger IOCs available upon request.

  

MALICIOUS CYBER TRENDS:

Zyxel and Dark.IoT - In June 2023, FortiGuard Labs detected the propagation of several DDoS botnets exploiting the Zyxel vulnerability (CVE-2023-28771). This vulnerability is characterized by a command injection flaw affecting multiple firewall models that could potentially allow an unauthorized attacker to execute arbitrary code by sending a specifically crafted packet to the targeted device. The severity of this flaw, rated 9.8 on the CVSS scoring system, was reported by researchers from TRAPA Security. Zyxel released a security advisory regarding this vulnerability on April 25, 2023. Subsequently, the Cybersecurity and Infrastructure Security Agency (CISA) added this security flaw to its Known Exploited Vulnerabilities (KEV) catalog in May.  Through the capture of exploit traffic, the attacker's IP address was identified, and it was determined that the attacks were occurring in multiple regions, including Central America, North America, East Asia, and South Asia.[1]

Since the publication of the exploit module, there has been a sustained surge in malicious activity. Analysis conducted by FortiGuard Labs has identified a significant increase in attack bursts starting from May, as depicted in the trigger count graph shown in Figure 1.  Researchers also identified multiple botnets, including Dark.IoT, a variant based on Mirai, as well as another botnet that employs customized DDoS attack methods. In this article, we will provide a detailed explanation of the payload delivered through CVE-2023-28771 and associated botnets.

Figure 1: Botnet's attacking activity

Exploitation and Propagation - Based on our observations over the past month, we have noted that these attacks originate from distinct IP addresses: 193[.]32[.]162[.]190, 109[.]205[.]213[.]30, 109[.]207[.]200[.]42, 109[.]207[.]200[.]47 and 109[.]207[.]200[.]44. These attacks specifically target the command injection vulnerability in the Internet Key Exchange (IKE) packet transmitted over UDP on Zyxel devices. The attackers utilize tools such as curl or wget to download scripts for further actions. Below, you can find the corresponding traffic capture illustrating these activities.

Figure 2: Attacking traffic capture

The script files obtained in these attacks exclusively download files tailored for the MIPS architecture, indicating a highly specific target. In Figure 3, the script downloads a file named "lolmips" from the IP address 92[.]118[.]39[.]16 and saves it as ".zw". Subsequently, it executes with the "zywall" parameter indicating its connection to the Zyxel firewall vulnerability. The script file shown in Figure 4 was downloaded from 171[.]22[.]136[.]15, which has been associated with the Rapperbot malware. However, we observed this script being forwarded to 171[.]22[.]136[.]18, where it dropped additional MIPS files for subsequent actions. The script files in Figure 5 exhibit similar code patterns despite originating from different server IP addresses. These scripts employ the "rm -rf" command to remove the ".zw" file from the temporary folder and save the current file as "/tmp/a". Notably, the execution files display resemblances. It appears that this campaign utilized multiple servers to launch attacks and updated itself within a few days to maximize the compromise of Zyxel devices. In the following sections, we introduce the botnets we have identified as spreading via CVE-2023-28771 over the past month.

Figure 3: Script files on 6/7

Figure 4: Script files on 6/13

Figure 5: Script files of similar botnets from 6/8 to 6/27

Technical Analysis – Botnet Observed on 6/7 - Based on the C2 server list, which includes numerous domains with the ".lib" extension, including some used in previous versions, we identified this variant as Dark.IoT. Dark.IoT first emerged in 2021 and has established itself as a prolific botnet that extends its targeting beyond IoT devices. It updated its C2 server in April with "raw.pastebin.com," and we encountered a newer version in June. One prominent feature of Dark.IoT is the presence of the data string "pte8cjbdwrmn57g4i6qual20s1k3vfoh," which generates random alphanumeric strings during the setup process. The corresponding function can be seen in Figure 6.

Figure 6: Alphanumeric string function

Dark.IoT employs the ChaCha20 algorithm to encrypt its configuration. During the decryption process, it first performs an XOR operation on the 32-byte decryption key with the value 0x55. Subsequently, it utilizes this modified key along with a nonce to invoke the ChaCha20 decryption function. The code responsible for this decryption process is displayed in Figure 7.

Figure 7: Decryption function
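To make the key-handling step above concrete, here is an added example (not Dark.IoT's code and not FortiGuard's) that derives the working key the way the report describes, XORing each of the 32 stored key bytes with 0x55, and then runs a pure-Python ChaCha20 (RFC 8439 construction: 32-byte key, 12-byte nonce, 32-bit block counter) over a configuration blob. The plaintext configuration, key and nonce are constructed for the demo; the sample's real values are not on the page. A self-test against the RFC 8439 section 2.4.2 vector confirms the cipher core before it is trusted on a real blob.

```python
import struct

MASK32 = 0xFFFFFFFF


def _rotl32(v, n):
    return ((v << n) & MASK32) | (v >> (32 - n))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 7)


def chacha20_block(key, counter, nonce):
    """Return the 64-byte keystream block for (key, counter, nonce)."""
    state = [0x61707865, 0x3320646E, 0x79622D32, 0x6B206574]   # "expand 32-byte k"
    state += list(struct.unpack("<8I", key))
    state += [counter & MASK32]
    state += list(struct.unpack("<3I", nonce))
    working = state[:]
    for _ in range(10):                       # 20 rounds = 10 double rounds
        _quarter_round(working, 0, 4, 8, 12)  # column rounds
        _quarter_round(working, 1, 5, 9, 13)
        _quarter_round(working, 2, 6, 10, 14)
        _quarter_round(working, 3, 7, 11, 15)
        _quarter_round(working, 0, 5, 10, 15)  # diagonal rounds
        _quarter_round(working, 1, 6, 11, 12)
        _quarter_round(working, 2, 7, 8, 13)
        _quarter_round(working, 3, 4, 9, 14)
    return struct.pack("<16I", *[(w + s) & MASK32 for w, s in zip(working, state)])


def chacha20_xor(key, nonce, data, counter=0):
    """ChaCha20 is a stream cipher: the same call encrypts and decrypts."""
    if len(key) != 32 or len(nonce) != 12:
        raise ValueError("ChaCha20 needs a 32-byte key and a 12-byte nonce")
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = chacha20_block(key, counter + i // 64, nonce)
        out += bytes(a ^ b for a, b in zip(data[i:i + 64], ks))
    return bytes(out)


def derive_darkiot_key(stored_key):
    """The key embedded in the sample is XORed byte-wise with 0x55 before use."""
    return bytes(b ^ 0x55 for b in stored_key)


def decrypt_config(stored_key, nonce, blob):
    """What the sample does: fix up the key, then ChaCha20-decrypt the config."""
    return chacha20_xor(derive_darkiot_key(stored_key), nonce, blob)


# Constructed demo material (NOT values from the real sample): a small config,
# a key and nonce of our choosing, and the blob an analyst would carve out.
CONFIG_PLAINTEXT = b"raw.pastebin.com\nhoz.1337.cx\nbabaroga.lib\ndragon.lib"
REAL_KEY = bytes(range(32))
NONCE = bytes(12)
STORED_KEY = derive_darkiot_key(REAL_KEY)            # the form that sits in the binary
ENCRYPTED_CONFIG = chacha20_xor(REAL_KEY, NONCE, CONFIG_PLAINTEXT)


def recovered_c2_list():
    """Decrypt the constructed blob exactly as the malware would and split it."""
    return decrypt_config(STORED_KEY, NONCE, ENCRYPTED_CONFIG).decode().split("\n")


def rfc8439_selftest():
    """Check the cipher core against the RFC 8439 section 2.4.2 test vector."""
    key = bytes(range(32))
    nonce = bytes.fromhex("000000000000004a00000000")
    pt = (b"Ladies and Gentlemen of the class of '99: If I could offer you "
          b"only one tip for the future, sunscreen would be it.")
    return chacha20_xor(key, nonce, pt, counter=1)[:8].hex() == "6e2e359a2568f980"


if __name__ == "__main__":
    print("self-test:", rfc8439_selftest())
    print("C2 list:", recovered_c2_list())
```

When applying this to a real sample, the stored key, nonce and blob are carved from the binary; the self-test guards against a transcription error in the cipher core, which would otherwise surface only as garbage output that is easy to mistake for a wrong key.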

Upon successful decryption, the identified C2 servers are as follows. (Notably, the last two servers, namely "routercontroller[.]geek" and "dvrcontroller[.]libre," have been newly added in this version. Dark.IoT utilizes the OpenNIC server with the IP address "147.182.243.49" for DNS resolution and establishes communication with the C2 servers.)

  • raw[.]pastebin[.]com
  • hoz[.]1337[.]cx
  • babaroga[.]lib
  • dragon[.]lib
  • blacknurse[.]lib
  • tempest[.]lib
  • routercontroller[.]geek
  • dvrcontroller[.]libre

Figure 8 illustrates the victim's keep-alive message, identified as "GET / HTTP/1.1\r\n\r\n". Once the victim system receives the attack command, it starts a DDoS attack on a specific IP address and port number. One example of this DDoS attack traffic is shown below.

Figure 8: C2 traffic session

Technical Analysis – Botnet Observed on 6/13 - This particular botnet, derived from a Mirai variant, features encoded configurations and a collection of XOR keys. It employs an index-based method to decode the data retrieved from the ".rodata" section. As an illustration, when the index is set to 0, the corresponding key value is 0xCE (calculated as 0x2E ^ 0x0E ^ 0x16 ^ 0xF8), as depicted in Figure 10.

Figure 9: The list of XOR keys for decoding data

Figure 10: Decoded data of index 0

After execution, the program prints "listening tun0" in the console. It then utilizes the XOR decoding function shown in Figure 11 to obtain the C2 servers. The victim system subsequently sends a hard-coded hex value of 0x17b99063 and appends the victim's public IP address. The captured C2 traffic is displayed in Figures 12 and 13.

Figure 11: Decoded C2 hosts

Figure 12: C2 traffic session

Figure 13: First packet and keep-alive session
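The index-based XOR scheme and the first check-in packet described for the 6/13 sample are illustrated by the following added example (not the botnet's code and not FortiGuard's). Only index 0 of the key table and the 0x17b99063 magic come from the report; the other key entries, the encoded blobs and the layout of the check-in packet (4-byte magic followed by the 4-byte IPv4 address, both big-endian) are constructed assumptions for the demo.

```python
import struct
import ipaddress

# Each key-table entry holds four bytes; the byte actually XORed over the encoded
# data is the XOR of all four (Mirai's table.c works the same way).
XOR_KEY_TABLE = [
    (0x2E, 0x0E, 0x16, 0xF8),   # index 0, quoted in the report: combines to 0xCE
    (0xDE, 0xAD, 0xBE, 0xEF),   # constructed for the demo: combines to 0x22
    (0x01, 0x02, 0x04, 0x08),   # constructed for the demo: combines to 0x0F
]


def effective_key(index):
    k1, k2, k3, k4 = XOR_KEY_TABLE[index]
    return k1 ^ k2 ^ k3 ^ k4


def xor_decode(blob, index):
    """Decode one .rodata entry with the key selected by its index."""
    key = effective_key(index)
    return bytes(b ^ key for b in blob)


# Constructed encoded entries, as they might be carved from .rodata.
# Entry 0 is "listening tun0" XORed with 0xCE; entry 1 is "/proc/" XORed with 0x22.
ENCODED_TABLE = {
    0: bytes.fromhex("a2a7bdbaaba0a7a0a9eebabba0fe"),
    1: bytes.fromhex("0d52504d410d"),
}


def decode_all():
    """Decode every entry; non-printable results usually mean a wrong key table."""
    return {i: xor_decode(blob, i).decode("ascii") for i, blob in ENCODED_TABLE.items()}


# Check-in packet: the report says the victim sends the hard-coded value
# 0x17b99063 followed by its public IP. The byte order below is an assumption.
CHECKIN_MAGIC = 0x17B99063


def build_checkin(public_ip):
    return struct.pack(">I", CHECKIN_MAGIC) + ipaddress.IPv4Address(public_ip).packed


def parse_checkin(payload):
    """Return the reported IP if the payload matches the check-in shape, else None.

    Useful as the core of a network detection: a TCP payload that starts with the
    magic and carries exactly one IPv4 address is a strong beacon indicator.
    """
    if len(payload) != 8:
        return None
    magic, = struct.unpack(">I", payload[:4])
    if magic != CHECKIN_MAGIC:
        return None
    return str(ipaddress.IPv4Address(payload[4:]))


if __name__ == "__main__":
    print(hex(effective_key(0)), decode_all())
    print(parse_checkin(build_checkin("203.0.113.7")))
```

If the magic is stored little-endian on the wire, only `">I"` needs to change; checking both orders in a detection rule is cheap and avoids depending on that assumption.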

Technical Analysis – Botnet Observed on 6/26 - As mentioned in the initial section, this campaign has demonstrated a pattern of frequent updates within a short timeframe. Our initial discovery of this botnet took place on May 25, 2023, and our analysis identified a similar environment-checking process across different samples. The sample obtained on May 25 did not contain a clear string indicating its C2 domain. However, after June, we observed a change in the domain structure, with the C2 domains now prefixed with "new." For the remainder of this section, we will concentrate on the sample collected on June 26 and provide the derived findings.

Figure 14: C2 domains from 6/15 (left) and 6/26 (right)

Initially, the botnet verifies whether a specific parameter is present. If the parameter is absent, it assigns the value "unknown" and continues with the execution.

Figure 15: Check parameter's count

Next, the botnet retrieves self-information from the "/proc/self/maps" file to perform additional checks on the execution path. It ensures that the execution path is not "/lib", "/sbin/", or "/usr/". If the checking fails, the execution is immediately aborted, and the botnet terminates itself.

Figure 16: Check environment
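The /proc/self/maps check above is worth seeing from both sides, so here is an added example (not the sample's code, not FortiGuard's) that parses maps-format text: one function reproduces the sample's own refusal to run from /lib, /sbin/ or /usr/ (handy when an analyst needs a sandbox to reach the later code paths), and a second one turns the same parse into a host-side check that flags a binary executing from a writable directory such as /tmp, where the report says the droppers stage "/tmp/a", or from a file that has already been deleted, as happens when a script removes the payload after launching it. The maps excerpts are constructed, and the list of writable directories is an assumption about typical embedded Linux layouts.

```python
import re

# One /proc/<pid>/maps line: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)


def parse_maps(text):
    rows = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def main_binary_path(rows):
    """Path of the first executable, file-backed mapping: the running binary."""
    for r in rows:
        if "x" in r["perms"] and r["inode"] != "0" and r["path"].startswith("/"):
            return r["path"].replace(" (deleted)", "")
    return None


# Prefixes the sample refuses to run from, per the report.
BOTNET_DENYLIST = ("/lib", "/sbin/", "/usr/")


def botnet_would_continue(maps_text):
    """Mirror of the sample's environment check: True means it keeps running."""
    path = main_binary_path(parse_maps(maps_text))
    return path is not None and not path.startswith(BOTNET_DENYLIST)


# Assumption: directories that are normally writable on embedded Linux and
# therefore where dropped payloads end up; legitimate firmware rarely executes from them.
WRITABLE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")


def host_check(maps_text):
    """Defender's view of the same data: reasons this process looks like a dropped payload."""
    rows = parse_maps(maps_text)
    reasons = []
    path = main_binary_path(rows)
    if path is None:
        reasons.append("no file-backed executable mapping")
    elif path.startswith(WRITABLE_PREFIXES):
        reasons.append(f"binary mapped from writable location {path}")
    for r in rows:
        if "x" in r["perms"] and r["path"].endswith("(deleted)"):
            reasons.append(f"executable mapping backed by deleted file {r['path']}")
            break
    return reasons


# Constructed maps excerpts (device/inode numbers invented).
SAMPLE_TMP = """\
00400000-00410000 r-xp 00000000 1f:02 1234      /tmp/a
00410000-00411000 rw-p 00010000 1f:02 1234      /tmp/a
7f000000-7f020000 r-xp 00000000 1f:02 77        /lib/libc.so.0
7fff0000-7fff1000 rw-p 00000000 00:00 0         [stack]
"""
SAMPLE_USR = """\
00400000-00450000 r-xp 00000000 1f:02 4321      /usr/bin/busybox
7fff0000-7fff1000 rw-p 00000000 00:00 0         [stack]
"""
SAMPLE_DELETED = "00400000-00410000 r-xp 00000000 1f:02 99 /tmp/.zw (deleted)\n"

if __name__ == "__main__":
    for name, text in [("tmp", SAMPLE_TMP), ("usr", SAMPLE_USR), ("deleted", SAMPLE_DELETED)]:
        print(name, botnet_would_continue(text), host_check(text))
```

On a live host the same functions run over `open(f"/proc/{pid}/maps").read()` for each process; the deleted-file condition is the one that survives the dropper's own "rm -rf" clean-up, because the kernel keeps the mapping alive after the path is gone.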

Afterward, the botnet proceeds by generating a random integer using "time()" and "pid()" for the forked process. The code responsible for this process is presented in Figure 17.

Figure 17: Generating a random number

Before connecting with the C2 server, the malware initializes all DDoS attack functions. This botnet encompasses a total of 11 methods, namely udpflood, synflood, greflood, ackflood, tcpflood, tcp2flood, udp2flood, socketflood, udpconnflood, wraflood, and vseflood.

Figure 18: Initiate DDoS methods

The initial packet transmitted to the server contains parameters derived from the script file obtained via CVE-2023-28771. This packet is prefixed with "TCP Connect," shown in Figure 19, which provides a detailed representation of this communication. The C2 server issues commands that the botnet handles using a switch case structure, incorporating the following capabilities:

  • case 0: make initial connection
  • case 1: sleep
  • case 2: send keep-alive signal
  • case 3: read further command or launch DDoS attack
  • case 4: close connection

Figure 19: C2 traffic session

By examining the attack method names, we were able to trace back to another sample associated with the C2 domain "djk38zbdhqpdlshfb[.]shinji[.]app." Additionally, we discovered a Telegram group called "SHINJI.APP | Katana botnet" that is actively involved in updating the botnet's methods and performing maintenance tasks. The botnet's owner has recently updated its methods, as demonstrated in Figure 20, where the method names align with those found in the MIPS execution file.

Figure 20: The updated methods from the owner

Conclusion - Targeting vulnerable devices has always been a primary objective for threat actors, and the prevalence of remote code execution attacks poses a major concern for IoT devices and Linux servers. The presence of exposed vulnerabilities in devices can lead to significant risks. Once an attacker gains control over a vulnerable device, they can incorporate it into their botnet, enabling them to execute additional attacks, such as DDoS. To effectively address this threat, it is crucial to prioritize the application of patches and updates whenever possible. Taking proactive measures to ensure the security of these devices is highly recommended.

Researchers provide the following IPS signature against attacks exploiting the vulnerability discussed in this report:

IOCs

d618c817e6a93193a499126156a1f7e888008dacdb247a769fd69ce4c0c87b67
a6729c047d776294fa21956157eec0b50efa7447b8e2834b05be31080767006f
729f2fa4d037912a360cb7c4e2c37765da0c38725451600f0258109b672f615e
2c55674e938e7618f7c9273e3da61ce7aeab3dc5626b7b8b4e3fc7cc95d0436f
928d8ccd71edda5891068d703603ba0b70687f746c9da73afa6692b274ea757c
6137a30d8eb932d25664ced747424b15072e676b5d4d27d5b8f3b84f48344217
0c394849ce4f636cc79cc84389b66a0dbdaf14a61a6d87302e807f2153bc6c2b
2fe13ee992cf00778bcc92dc3732305114dca1700dedca7c29342216df236644
034cdcb42d1d7b921b4732230bbdcb4089107490a30b8cd7a62e67b657e33d26
3d69c780fefa0c3a34190989d43268a272004f0623d3e596bc0c92e1744832c9
79f69993110688372a5898d05f1141b7f44f3f5f55cd50b6a493c1d33af141c8
c68211116bbc43c2fe0aba8b598b88b218adc0d995311a4e7030de8acd48076e
51becb81d6bdfe79111974c05f2e4a20a8825a872a92df86cbc98517100b031a
42b4e116c5d2d3e9d4777c7eaa3c3835a126c02673583c2dfb1ae2bf0bf0db48
85d3d93910bfb8410a0e82810d05aa67a6702ce0cdfc38d1d01f2f9471d20150
12c65cfd227d393fd338223eb50140571760de04ef0a21fe3c4636e1bfaf4966
f82f5ec551f9ac3bb5a3b1ace5dd21c35239bd983fd9a36e0e7c07bfb48a3fdd
28fa9225db6d42084123989712313489e255376134f8e77f07b77c345a026304
312022da42ab6df882c44d984f9aceea7f08e217a5ca8ca985c533a1af399cee

GLOBAL TRENDS:

China – The following article is an opinion piece by the Weapons and Strategy publication.  Microsoft's cloud computing system was recently hacked by a Chinese group called Storm-0558.  The attacks were described as impressive and stealthy.  The Microsoft cloud platform hosts commercial and government clients, including the US Department of Defense (DoD).  According to what we know so far, which admittedly isn't much, Chinese hackers got into the Microsoft cloud system in April 2023 and were able to operate there undetected until mid-June.  In other words, for at least six weeks the Chinese spies had a free lunch at the expense of American security.[2]

Chinese hacking of American cyber assets is nothing new.  So far, despite strong efforts, the DoD and other government organizations (particularly the Department of Energy which is in charge of nuclear weapons) have been routinely hacked.  A clear example is that some 50 gigabytes of sensitive information on the F-35 stealth jet fighter was vacuumed up by China, making it far easier for them to design their J-20 stealth jet.   Unfortunately, what we know about is only the tip of the iceberg.  It is difficult to discover hacking in the best of circumstances.  Cloud and network operators also don't want to know they have been hacked because they face losing billions of dollars in business.  And the US government also does not want the public to know it has lost billions of investment dollars paid for by US taxpayers.  Worst of all, US security always takes a hit when computer networks, including the cloud, are compromised.

It is important to know that the latest compromise was completely predictable.  Back in 2018 the author served on a panel of experts at Hudson Institute.  This panel discussed the Pentagon's then-plan to put all DoD data on a single cloud platform run by Amazon's Jeff Bezos.  In part thanks to the serious questions that were raised at the time, the Pentagon finally backed off a single cloud data repository and opted for breaking up DoD's cloud computing into a number of separate cloud contracts.  That decision helped, a little, in spreading around the risk, but it also introduced other problems.  For example, consider that the Microsoft platform combines commercial with government data.  Consider also that because the government data, in this case apparently emails, were not classified, stringent security rules requiring cleared personnel, did not apply.

The US government's division between classified and unclassified computing is a misnomer.  Lots of sensitive technology, for example, is unclassified.  If that information gets into the hands of a bad actor, such as China, US national security is compromised.  DoD has come up with a new category called "Sensitive But Not Classified (SBU)."  The idea behind it is to apply stricter disclosure rules for SBU information.  Unfortunately, there is no rulebook that says how to identify SBU information.  When it comes to emails that are ostensibly unclassified, there are no rules whatsoever.  If you apply this to cloud computing, it means that Defense Department information in the cloud, even SBU, is not any better protected than commercial information.  The problem with commercially operated cloud systems is the personnel working on them are, very often, foreigners. American high-tech companies hire thousands of foreign employees, bringing them to the US under a special visa waiver program known as H1-B.  The problem is bigger than foreign workers.  Auditing for security, something DoD is supposed to perform for its computers, does not apply to commercial platforms that are not under DoD control.

In 2018, researchers pointed out that the hardware used in both DoD and commercial computers mostly came from Asia.  That, we warned, created a risk that entry points for hackers could come because of compromised hardware.  At that time, experts were aware that many commercial network routers had backdoors in them because they were made in China, or used Chinese components where dangerous microcode could be inserted at the point of manufacture.  Researchers also pointed out that the Defense Department used commercial hardware across the spectrum of DoD operations including deployed military systems.

Today it has even grown worse.  The head of Raytheon recently said that the company depended on critical parts from Asia, including China, for its sensitive defense products.  What is true for Raytheon no doubt applies to all US defense manufacturers and many foreign producers too.  Whether we will actually get a full report on what hacker group Storm-0558 did depends on whether forensics can piece together the whole story on the one hand, and whether the government and Microsoft really want to reveal what happened on the other.  Meanwhile Microsoft says that it has "mitigated" the hacking intrusion after it was discovered.  Microsoft also says that 25 organizations, including "governments" had been hacked. The hack extended to unnamed European government agencies.  The Microsoft hack was not discovered by the company but by the government.  The government says, "We continue to hold the procurement providers of the US Government to a high security threshold."  But even if the full damage is not revealed, or whether the compromise is somehow swept under the rug, the fact remains that national security information is as much at risk in 2023 as it was in 2018 and many years before that.

It would be a good idea to get the best brains together to figure out a better way to protect US National Security.  That would take real leadership and a willingness to have skeptics in the mix in any major initiative.  Unfortunately in the past, these reviews involved government officials with a vested interest in not changing anything, and industry mostly interested in collecting on government contracts.  Surely, we can do better.  The truth is we need to redefine how we protect cloud networks and expand security coverage if the government wants to support commercial cloud computing.

US Water - There have been more than 130 control system cyber incidents in water/wastewater utilities. Like Oldsmar and Discovery Bay, most of these incidents have occurred in small water utilities. Many of these incidents were not publicly disclosed, nor were the utilities required to disclose these incidents. Additionally, some of the real cases that were made public were later discounted such as the 2011 Illinois Water Hack where a small water utility had a water pump damaged from remote access into the SCADA system from Russia.

As Charles Dickens stated, “It was the best of times, it was the worst of times, it was the age of wisdom, it was the age of foolishness, it was the epoch of belief, it was the epoch of incredulity, …” This aptly describes the responses to the January 15, 2021, Discovery Bay, California, and February 5, 2021, Oldsmar, Florida, water system “hacks” to the OT cyber security community including the government.

It was the best of times for the OT cyber security community - The OT cyber security community was chomping at the bit to have a SCADA hack involving critical infrastructure made public so it wouldn't be a "not if, but when, when being now" scenario. The Oldsmar "hack" was identified and made public through the Pinellas County sheriff's news conference. The supposed "hack" involved the use of TeamViewer, a remote access tool which the OT cyber security community knew, even if they didn't know how a water treatment facility worked – the epoch of incredulity. The major OT cyber security players provided their expertise on the "hack". Examples included Eric Chien from Symantec, now Broadcom, who was quoted as saying: "These are the targets we worry about. This is a small municipality that is likely small-budgeted and under-resourced, which purposely set up remote access so employees and outside contractors can remote in." Dragos issued a report: "Recommendations Following the Oldsmar Water Treatment Facility Cyber Attack" including details of the event which were not correct. Even some of the key individuals making national cyber security policy got involved: "Frankly, they got very lucky," retired Adm. Mark Montgomery, executive director of the federal Cyberspace Solarium Commission, told ProPublica. "They shouldn't celebrate like Tom Brady winning the Super Bowl," he says. "They didn't win a game. They averted a disaster through a lot of good fortune." Eventually EPA used the Oldsmar case for their water/wastewater cyber security requirements. The quick disclosure also met the need for expeditious cyberattack reporting (even though it was not a cyberattack). None of these organizations have addressed the fact that Oldsmar was not a cyberattack, but operator error.

It was the worst of times for the OT cyber security community - Obviously, expeditious reporting doesn't count when it comes to the FBI. Moreover, the Discovery Bay hack was similar to the Australian water hack in 2000. In the Australian case, the hacker was caught on a traffic stop following the 46th time he remotely opened the sewage discharge valves. Truly, the age of foolishness.

Similarities in the two facilities - Both served small towns of almost the same size, used well water, had external SCADA support, used TeamViewer, used similar types of control systems, used similar chemicals, and could be operated manually.

Similarities in the two incidents - Both incidents involved incredible scenarios. For Oldsmar, a setting was changed that was beyond the capability of the control system.  A properly designed system would not have allowed a value out-of-range to be set.  The system would also have logged the user and time the value was input. For Discovery Bay, the SCADA software and associated displays were unavailable which shouldn’t happen with the back-up capabilities.

Differences in the two incidents - Oldsmar turned out not to have been a cyberattack, but caused when someone with remote access mistyped a value the program accepted even though it was egregiously out of range of the equipment. The operator was able to catch the mistake before anything further transpired. It is not clear how the operator error reached the Sheriff’s office, but it is a small town. As Oldsmar had local SCADA/I&C support, the county sheriff had precedence and could make a public announcement and did so without further detailed verification.

The other incident involved deliberate human misconduct.  Discovery Bay contracted the operation of the water treatment facility to a private supplier of water services with headquarters in Boston, Massachusetts.  For this reason, the FBI was involved, so there was no public announcement until the indictment of the Instrumentation and Control Systems (I&C) technician Rambler Gallo was issued June 27, 2023. The Discovery Bay hack can be viewed as "Living off the Land" by a possibly disgruntled I&C technician. As such, Gallo's attack couldn't be found from IT or OT network monitoring until the SCADA software was uninstalled. As Gallo's core responsibilities were maintaining all field instrumentation and Programmable Logic Controllers (PLCs) used to control electromechanical processes, including instrumentation calibration, equipment upgrades, SCADA and SCADA upgrades, troubleshooting, and PLC improvement, he had full access to the field instrumentation and SCADA system. Specifically, Gallo had permission to install remote access software, TeamViewer, to his "corporate" laptop to remotely monitor and control the water treatment system. However, he also surreptitiously loaded the remote software onto his personal laptop. He then used his remote access to uninstall the commercial SCADA software, Ignition, running in the utility control room leaving the utility with no view or control of the process while at the same time maintaining view and control from his personal laptop. He was then able to remotely change or modify instrumentation (e.g., process sensors, actuators, valves, etc.) as well as control system configurations and logic. Gallo also demonstrated that engineers and technicians can compromise control systems without needing external network expertise. According to a confidential report compiled by the Northern California Regional Intelligence Center (NCRIC), the hack was not discovered until the following day, January 16, 2021.
The facility subsequently changed its passwords and reinstalled the programs. “No failures were reported as a result of this incident and no individuals in the city reported illness from water-related failures,” the report noted. Yet, it took 2½ years for the information to become public.

No requirements available - Neither AWWA, EPA, nor CISA cyber security guidance or requirements are designed to address insider security threats.  As mentioned, Gallo had access to all field instrumentation which has no cyber security and is not addressed by water cyber security guidance. The Oldsmar case was an operator mistake that was accepted by the locally designed SCADA system. This showed a significant design flaw in the SCADA system that could allow an egregiously large number to be accepted. It is unclear if the SCADA system had appropriate logging to identify who input the out-of-bounds value. It also exposes a question about "credible disclosure" to law enforcement. In both instances, if the SCADA and/or instrumentation were compromised in a manner that resulted in the systems "being in a credible range", the impact may not have been identified by monitoring the OT networks and would have needed engineering input. Just like other infrastructures, the water/wastewater cyber security focus is on the Internet Protocol (IP) network issues and OT network personnel ignoring the other cyber vulnerable systems. The cyber incident reporting requirements addressed in the National Cyber Security Plan and other government and industry documents don't address the FBI non-disclosure protocols and the recent Securities and Exchange Commission (SEC) cyber disclosure requirements. From a personal perspective, I remember in 2001 when the Chinese cyber attacked the California Independent System Operator (CAL ISO), the FBI prevented CAL ISO from making any disclosure of the event. Another case that was similar to Oldsmar was the 2013 PG&E Metcalf substation attack on the transformers. Since it appeared to be a local event, the Santa Clara County sheriff went public with details on the event until the FBI got involved and stopped any further public discussions. What kind of calamity will it take for people to wake up and get the right people involved?

 

[1] https://www.fortinet.com/blog/threat-research/ddos-botnets-target-zyxel-vulnerability-cve-2023-28771?lctg=141970831

[2] https://weapons.substack.com/p/microsoft-cloud-compromised-by-chinese/
