Intel Reports

Activity Summary - Week Ending on 19 October 2023:

• Red Sky identified 35,152 connections from ‘new’ unique IP addresses
• Montreal Cyber Co. hit 1,009
• 39 ‘new’ Botnets hits
• IZ1H9 Campaign
• CVE-2015-1187, CVE-2016-20017, CVE-2020-25506, and CVE-2021-45382
• D-Link Exploit
• Affected Platforms: Linux
• Storm-1133 Group
• Israeli Security Cyber/Physical Attacks

Red Sky Alliance Compromised (C2) IP’s 

On 18 October 2023, Red Sky Alliance identified 35,152 connections from new unique IP addresses, which are checking in with one of the many Red Sky Alliance sinkholed domains.

Red Sky Alliance Malware Activity   

For a full black list – contact analysts: info@redskyalliance.com

Red Sky Alliance Botnet Tracker

On 18 October 2023, analysts identified 39 new IP addresses participating in various botnets (call for full .csv Blacklists, below are only a small sampling of botnet trackers). 

Keylogger IOCs available upon request. 

MALICIOUS CYBER TRENDS:

IZ1H9 Campaign - In September 2023, the FortiGuard Labs team observed that the IZ1H9 Mirai-based DDoS campaign has aggressively updated its arsenal of exploits.  Thirteen payloads were included in this variant, including D-Link devices, Netis wireless router, Sunhillo SureLine, Geutebruck IP camera, Yealink Device Management, Zyxel devices, TP-Link Archer, Korenix Jetwave, and TOTOLINK routers.

Based on the trigger counts recorded by IPS signatures, it is evident that peak exploitation occurred on 6 September, with trigger counts ranging from the thousands to even tens of thousands.  

This highlights the campaign's capacity to infect vulnerable devices and dramatically expand its botnet through the swift utilization of recently released exploit code, which encompasses numerous CVEs.[1]  In the below report, analysts elaborate on how this threat leverages new vulnerabilities to control affected devices, along with the details of IZ1H9.

Figure 1: Telemetry

Exploit Payloads - Four payloads, CVE-2015-1187, CVE-2016-20017, CVE-2020-25506, and CVE-2021-45382, target D-Link vulnerabilities. These critical-severity vulnerabilities can allow remote attackers to deliver command injection via a crafted request.

Figure 2: D-Link exploit payload

Another exploit, CVE-2019-19356, targets Netis WF2419.  It focuses on exploiting a Remote Code Execution (RCE) vulnerability through the tracert diagnostic tool because of a lack of user input sanitizing. The payload injects in parameter “tools_ip_url” and contains the “User-Agent: Dark” header used in the Dark.IoT Botnet.

Figure 3: Netis WF2419 exploit payload

The campaign also seeks to exploit vulnerabilities discovered in 2021, including CVE-2021-36380, which affect Sunhillo SureLine versions before 8.7.0.1.1, CVE-2021-33544/33548/33549/33550/33551/33552/33553/33554, which allow arbitrary command execution within the parameters of various pages on Geutebruck products, and CVE-2021-27561/27562, which affect Yealink Device Management (DM) 3.6.0.20.

Figure 4: Sunhillo/Geutebruck/Yealink exploit payload

The next exploit targets the Zyxel device’s /bin/zhttpd/ component vulnerability.  If insufficient input validation is found, the attacker can exploit the vulnerability to launch a remote code execution attack on Zyxel EMG3525/VMG1312 before V5.50.

Figure 5: Zyxel exploit payload

The threat actor has also incorporated vulnerabilities discovered in 2023 into their exploit payload list. CVE-2023-1389 specifically targets TP-Link Archer AX21 (AX1800), while CVE-2023-23295 impacts Korenix JetWave wireless AP.

Figure 6: TP-Link/Korenix exploit payload

CVE-2022-40475/25080/25079/25081/25082/25078/25084/25077/25076/38511/25075/25083 collectively represent a set of related vulnerabilities that focus on TOTOLINK routers.

Figure 7: TOTOLINK exploit payload

The last one is an unclear exploit payload.  It targets “/cgi-bin/login.cgi” and injects a payload in the “key” parameter.  A similar vulnerability affects the Prolink PRC2402M router, but it is missing a few parameters to achieve remote code execution.  It is unclear if the IZ1H9 campaign misused this payload or if they intended to target other devices.

Figure 8: Exploit payload targets login.cgi

Shell Script Downloader - The injected payload in the above vulnerabilities intends to get a shell script downloader “l.sh” from hxxp://194[.]180[.]48[.]100.  When the script is executed, it begins by deleting logs to conceal its actions.  It then downloads and executes various bot clients to cater to diverse Linux architectures. In the final step, the shell script downloader obstructs network connections on multiple ports.  This is achieved by altering the device's iptables rules, as illustrated in Figure 9.

Figure 9: Shell script downloader "l.sh"

Malware Analysis - IZ1H9, a Mirai variant, infects Linux-based networked devices, especially IoT devices, turning them into remote-controlled bots for large-scale network attacks. The XOR key to decode configuration is 0xBAADF00D, shown in Figure 10.

Figure 10: Decoding configuration

The additional payload downloader URLs can be extracted from the decoded configuration in Figure 11, namely hxxp://2[.]56[.]59[.]215/i.sh and hxxp://212[.]192[.]241[.]72/lolol.sh. Both were employed in May 2023.

Figure 11: Partial decoded configuration

IZ1H9 also includes a data section with pre-set login credentials for brute-force attacks.  The XOR decoding key is 0x54, shown in Figure 12, and the decoded data is in Figure 13.

Figure 12: XOR decoding for login credentials

Figure 13: Decoded login credentials

As for the C2 communication, victims first send a check-in message with the parameter “l.expl” to the C2 server “194[.]180[.]48[.]101:5034,” and it responds with a keep-alive message “\x00\x00.”  Once the compromised devices receive a command from the C2 server, shown in Figure 14, they parse the packet to determine the DDoS attack method, target host, and packet count, if specified, before launching the attack.  The message structure is as follows:

• \x00\x28: Message packet length
• \x0c: TCP SYN Attack
• \x02: The following contains two options
• \x08\x12: Target + length
• \x68\x74\x74\x70\x73\x3a\x2f\x2f … \x69\x73: https://…is
• \x18\x04: Packet numbers + length
• \x35\x30\x30\x30: 5000 packets

Figure 14: C2 communication

Figure 15: TCP SYN flood attack

Figure 16: DDoS attacking methods

Conclusion - IoT devices have long been an attractive target for threat actors, with remote code execution attacks posing the most common and concerning threats to both IoT devices and Linux servers.  The exposure of vulnerable devices can result in severe security risks. Despite the availability of patches for these vulnerabilities, the number of exploit triggers remains alarmingly high, often numbering in the thousands.

What amplifies the impact of the IZ1H9 Campaign are the rapid updates to the vulnerabilities it exploits.  Once an attacker gains control of a vulnerable device, they can incorporate these newly compromised devices into their botnet, enabling them to launch further attacks like DDoS attacks and brute-force.

IOCs

URLs:

194[.]180[.]48[.]100
2[.]56[.]59[.]215
212[.]192[.]241[.]72

Files:

c8cf29e56760c50fa815a0c1c14c17641f01b9c6a4aed3e0517e2ca722238f63
1e15d7cd0b4682a86620b3046548bdf3f39c969324a85755216c2a526d784c0d
7b9dce89619c16ac7d2e128749ad92444fe33654792a8b9ed2a3bce1fee82e6a
b5daf57827ced323a39261a7e19f5551071b5095f0973f1397d5e4c2fcc39930
b523ea86ebfd666153078593476ca9bd069d6f37fa7846af9e53b1e01c977a17
8d07f15dd7d055b16d50cb271995b768fdd3ca6be121f6a35b61b917dfa33938
34628bcfc40218095c65678b52ce13cea4904ce966d0fd47e691c3cb039871ec
afc176f7b692a5ff93c7c66eee4941acf1b886ee9f4c070faf043b16f7e65c11
df9ee47c783fbe8c3301ed519033fc92b05d7fd272d35c64b424a7e46c6da43b
737ba9e84b5166134d491193be3305afa273733c35c028114d8b1f092940b9a3
0aa9836174f231074d4d55c819f6f1570a24bc3ed4d9dd5667a04664acb57147

GLOBAL TRENDS:

Storm-1133 Group in Gaza - As the world's focus remains fixed on the escalating Israel-Hamas war, a digital battlefield emerges in the shadows.  Behind the scenes of this traditional warfare, hackers have launched disruptive cyberattacks in support of both sides.  War hackers are silent and dangerously disruptive.  The reality is stark: If hacker groups can target critical infrastructure in Israel, similar attacks could potentially be directed toward other nations, including the United States.[2]

The Israel-Hamas conflict has taken a concerning twist with the involvement of several hacker groups.  Following the major attack initiated by Hamas, which led to mass casualties, the firing of thousands of rockets and Israel's retaliatory declaration of war, hacktivist groups have intensified their cyber efforts.  While some of these might be state-sponsored operations, the majority are independent entities taking sides in the conflict.

Shortly after the war's onset, various hacking groups made their move.  Anonymous Sudan, for instance, quickly targeted Israel's emergency warning systems and even major media outlets like the Jerusalem Post, a significant English-language daily newspaper in the region.  Meanwhile, the pro-Hamas group, Cyber Av3ngers, set their sights on pivotal infrastructures like Israel's power grid organization, Noga, and the Israel Electric Corp.  Of course, amidst the chaos, it's hard to separate fact from fiction. While many of these attacks have employed distributed denial-of-service (DDoS) strategies, some claims by these hacktivist groups might be inflated. Notably, allegations from Iran-linked hackers about targeting Israel's Iron Dome air defense system seem exaggerated.  Killnet and Anonymous Sudan, both associated with Russia, are notorious for their disruptive capabilities.  Previously, they've targeted tech giants like Microsoft, X (previously Twitter) and Telegram with massive DDoS attacks.

Microsoft's recent Digital Defense Report has shed light on a new player: Storm-1133.  This Gaza-based threat group has been linked to cyberattacks that target Israeli organizations in the defense, energy and telecommunications sectors. Microsoft's assessment suggests that this group is working in tandem with the interests of Hamas.[3]

Amid the cyber onslaught that's targeting Israeli systems, pro-Israel groups aren't sitting idle.  ThreatSec, a pro-Israel group, is rumored to have struck Gaza's ISPs (internet service providers). Compromising an ISP can be disruptive, affecting vast numbers of users and potentially hindering communication and services.  Meanwhile, some hacktivists from India are reportedly targeting Palestinian government websites.  Such attacks can disrupt official operations and convey political or ideological messages.

If hackers can target Israel, one of the most technologically advanced nations in the world, then it can happen to the US and its citizens as well.  That is why we all need to be on our guard for cyberattacks.  How do you do this?  By installing antivirus protection on all your devices. Having good antivirus software on your devices will alert you of any malware in your system, warn you against clicking on any malicious links in phishing emails, and ultimately protect you from being hacked.  It's clear that the Israel-Hamas conflict has evolved into a multi-faceted war with digital battles being waged alongside the physical ones.  As these hacker groups demonstrate their capabilities by disrupting key infrastructure, it's a sobering reminder of the vulnerabilities that exist even in the most advanced nations.  These hacker groups are showing just how easily they can mess with major systems, and honestly, it's kind of alarming.  Battles today aren't just about who's got the bigger army; it's also about who's got the better hackers.  And that impacts everyone, everywhere.

Israeli Security - Cyber hackers are hitting critical websites and compromising Israel's emergency alert systems as the war intensifies.  Cyber hackers are hitting critical websites and compromising Israel's emergency alert systems as the war intensifies.  “If we contextualize these parties, Iran, Israel, the United States, we have other malicious hackers coming in from Russia and Iran targeting Israel right now. But there's been a history of cyber warfare between these countries,” said a Cybersecurity and Privacy Attorney.  “If you look back, we have Stuxnet targeting Iran's nuclear system.  We have a recent attack in the last three years from Iran targeting Israel's water supply.  So now we see this physical war, this terrified physical war, jump to the cyber atmosphere.”

Cyber warfare has reached a new level with hackers.  They have attacked telegram, Israel's electric grid, even a rocket alert application and a website that aids groups trying to bring humanitarian aid to the region.  “Fortunately, Israel has some of the best cyber capabilities in the entire world, including its renowned Pegasus surveillance system.  We still see malicious hackers, especially from Russia and Iran targeting the electric grid in Israel, targeting a citizen alert systems, rocket systems that tell citizens when there are rockets in the air, and then also missile defense systems,” she said.  "This is to be expected.”

[1] https://www.fortinet.com/blog/threat-research/Iz1h9-campaign-enhances-arsenal-with-scores-of-exploits?lctg=141970831

[2] https://www.msn.com/en-us/news/world/how-hackers-are-waging-digital-battle-in-israel-hamas-conflict/ar-AA1i7k6p

[3] https://kutv.com/news/nation-world/cyber-attacks-on-the-rise-as-hackers-compromise-israels-security-hamas-palestine-iran-united-states-national-security-agency-russia-cyber-warfare-war