Tag Archive for: Kernel

BlackCat ransomware takes control of protected computers via new kernel driver


A new kernel driver was discovered in a February 2023 BlackCat ransomware incident. It is paired with a separate user-mode client executable and is used to control, pause and kill the processes of security agents deployed on target endpoints, i.e. on protected computers.

In a May 22 blog post, Trend Micro researchers said they believe that the new kernel driver was an updated version that inherited the main functionality from samples disclosed in previous research in December 2022 by Mandiant, Sophos, and Sentinel One.

The three companies published a coordinated disclosure that malicious kernel drivers were being signed through several Microsoft hardware developer accounts. The joint researchers said these profiles had been used in a number of cyberattacks that included ransomware incidents. Microsoft subsequently revoked several Microsoft hardware developer accounts that were abused in these attacks.

Trend Micro’s researchers explained that malicious actors use different approaches to sign their malicious kernel drivers. In this case, the attackers tried to deploy the old driver disclosed by Mandiant, but because this driver had already been known and detected, the threat actors deployed another kernel driver signed by a stolen or leaked cross-signing certificate. The kernel driver typically gets used during the evasion phase, say the Trend researchers.

The recent activity of the BlackCat ransomware group signals a disturbing escalation in the cyber threat landscape, said Craig Jones, vice president of security operations at Ontinue. Jones said that by exploiting signed kernel drivers, attackers raise the stakes in an ongoing high-stakes game of “digital cat and mouse” between cyber criminals and those tasked with thwarting their attempts.

“One of the intriguing aspects of this incident is the fact that the ransomware operators are using malicious kernel drivers signed through Microsoft’s portals or using stolen certificates,” said Jones. “This offers them privileged-level access to the systems they attack and lets them bypass security protocols. It also indicates a high level of sophistication and a solid understanding of Windows system operations. They are essentially used to manipulate and…

Source…

New Android updates patch kernel bug exploited in spyware attacks


This month’s Android security updates patched a high-severity vulnerability that allowed attackers to install commercial spyware on Android devices.

Hackers exploited the security flaw (CVE-2023-0266) as a zero-day in a spyware campaign. This campaign targeted Samsung Android phones as part of a complex chain of multiple zero-days and n-days.

The exploit chain also included a zero-day (CVE-2022-4262) in the Chrome web browser and a Chrome sandbox escape. In addition, there were vulnerabilities in the Mali GPU Kernel Driver and the Linux Kernel.

What Google TAG says about it

The Android security team has warned that the CVE-2023-0266 vulnerability may be under limited, targeted exploitation. Google TAG had linked the attacks to the Spanish spyware vendor Variston. This vendor is known for its Heliconia exploit framework that targets the Windows platform.

The vulnerability is a weakness in the Linux Kernel subsystem that could result in privilege escalation without requiring user interaction.

According to the Google TAG report, attackers deployed a spyware suite on compromised devices that could decrypt and extract data from chat and browser apps.

The Android security team wants users to update ASAP

In response to the threat, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2023-0266 to its Known Exploited Vulnerabilities list a day after Google TAG published its report.

Federal Civilian Executive Branch Agencies (FCEB) were given until April 20 to secure all vulnerable Android devices against attacks that could target the bug. This month’s Android security updates also address dozens of other high-severity privilege escalation issues in the OS and various components.

On top of that, the Android security team published the May Pixel Update Bulletin on Monday, which addresses flaws in supported Pixel devices and Qualcomm components. Android users must update their devices as soon as possible to protect against potential attacks.

Source…

Linux fixes maximum-severity kernel vulnerability


Linux has issued an update to address a kernel-level security vulnerability that affected server message block (SMB) servers.

The remote code execution (RCE) flaw allowed unauthenticated users to execute kernel-level code and received the maximum possible severity rating under the Common Vulnerability Scoring System (CVSS).

Most businesses and enterprise users are believed to be safe from any potential exploitation given that the vulnerability only affected the lesser-used KSMBD module rather than the more popular Samba suite.

Specifically, the vulnerability lies in the processing of SMB2_TREE_DISCONNECT commands – packet requests sent by the client to request access to a given share on a server.

“The issue results from the lack of validating the existence of an object prior to performing operations on the object,” read the public advisory posted by the Zero Day Initiative (ZDI). “An attacker can leverage this vulnerability to execute code in the context of the kernel.”

The vulnerability is classified as a ‘use-after-free’ flaw. Such flaws are fairly common in software but severe, since they often allow an attacker to execute code or overwrite data.

Use-after-free vulnerabilities stem from mistakes in how a program manages dynamically allocated memory.

Dynamic memory is continuously allocated, freed and reallocated while a program runs. When the program fails to properly track which blocks are still in use and keeps a reference to memory it has already freed, that block can be handed out again, allowing an attacker to place their own data where the original object used to be and have the stale reference operate on it.
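The pattern the advisory describes, operating on an object without first validating that it still exists, is easiest to see side by side with its fix. The following C program is an added illustration written for this page; it is not KSMBD or Linux kernel code. It models a constructed per-session table of share connections (the names `tree_conn`, `tree_connect`, `tree_disconnect_unsafe`, `tree_disconnect_safe` and `live_slots` are invented for the example): the unsafe disconnect frees the object but leaves the table pointing at it, so any later operation on that slot touches freed memory, while the hardened disconnect checks for the object, unlinks it from the table before freeing it, and rejects a repeated disconnect.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_TREES 4

/* Constructed model of a session's share connections ("tree connects").
 * Illustrative only; not the KSMBD data structures. */
struct tree_conn {
    int tree_id;
    char share[32];
};

struct session {
    struct tree_conn *trees[MAX_TREES];   /* NULL marks an empty slot */
};

void session_init(struct session *s)
{
    memset(s, 0, sizeof(*s));
}

/* Allocate a tree connection and store it in the first free slot. */
int tree_connect(struct session *s, int tree_id, const char *share)
{
    for (int i = 0; i < MAX_TREES; i++) {
        if (s->trees[i] == NULL) {
            struct tree_conn *t = malloc(sizeof(*t));
            if (t == NULL)
                return -1;
            t->tree_id = tree_id;
            snprintf(t->share, sizeof(t->share), "%s", share);
            s->trees[i] = t;
            return 0;
        }
    }
    return -1;                          /* table full */
}

/* VULNERABLE pattern: the object is freed, but the table still points at
 * it. A second disconnect for the same id, or any later lookup through the
 * slot, now operates on freed memory (use-after-free / double free). */
int tree_disconnect_unsafe(struct session *s, int tree_id)
{
    for (int i = 0; i < MAX_TREES; i++) {
        if (s->trees[i] != NULL && s->trees[i]->tree_id == tree_id) {
            free(s->trees[i]);          /* slot left dangling */
            return 0;
        }
    }
    return -1;
}

/* HARDENED pattern: validate that the object exists, unlink it from the
 * table first, then free it. A repeated disconnect finds nothing and is
 * refused instead of touching freed memory. */
int tree_disconnect_safe(struct session *s, int tree_id)
{
    for (int i = 0; i < MAX_TREES; i++) {
        struct tree_conn *t = s->trees[i];
        if (t != NULL && t->tree_id == tree_id) {
            s->trees[i] = NULL;         /* no stale reference survives */
            free(t);
            return 0;
        }
    }
    return -1;                          /* no such object: reject */
}

/* Count slots that still hold a pointer. After the unsafe path this stays
 * at 1 even though the object behind the pointer is gone. */
int live_slots(const struct session *s)
{
    int n = 0;
    for (int i = 0; i < MAX_TREES; i++)
        if (s->trees[i] != NULL)
            n++;
    return n;
}

/* Hardened path: returns the result of a second disconnect (expected -1). */
int demo_safe_second_disconnect(void)
{
    struct session s;
    session_init(&s);
    tree_connect(&s, 1, "\\\\srv\\share");   /* constructed share name */
    tree_disconnect_safe(&s, 1);
    return tree_disconnect_safe(&s, 1);
}

/* Unsafe path: returns the stale slot count after the free (expected 1). */
int demo_unsafe_stale_slots(void)
{
    struct session s;
    session_init(&s);
    tree_connect(&s, 1, "\\\\srv\\share");
    tree_disconnect_unsafe(&s, 1);
    return live_slots(&s);
}

int main(void)
{
    printf("safe: second disconnect returns %d\n", demo_safe_second_disconnect());
    printf("unsafe: %d slot(s) still reference freed memory\n", demo_unsafe_stale_slots());
    return 0;
}
```

The example deliberately stops at the dangling pointer rather than dereferencing it; building with `-fsanitize=address` and adding a second `tree_disconnect_unsafe` call is enough to see the sanitizer flag the freed access, which is the kind of check a code reviewer or fuzzing harness would rely on to catch this class of bug before release.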

Security researcher Shir Tamari likened the ramifications of a potential exploit – the leaking of a server’s memory – to that of Heartbleed, the 2014 vulnerability that allowed users to view data on any website using OpenSSL.

“KSMBD is new; most users still use Samba and are not affected,” he added. “Basically, if you are not running SMB servers with KSMBD, enjoy your weekend.”

According to the ZDI, the issue was discovered by a quartet of researchers working at the Thalium Team, a division of Thales focused on threat intelligence, vulnerability research, and red team development.

The researchers alerted the Linux Foundation to the flaw on 26 July 2022 and the…

Source…

CISA: Urgent patching needed for actively exploited Linux kernel flaw


SecurityWeek reports that federal agencies have been ordered by the Cybersecurity and Infrastructure Security Agency to remediate within three weeks a Linux kernel bug, tracked as CVE-2021-3493, which has been added to the agency’s Known Exploited Vulnerabilities Catalog following active exploitation by the new stealthy Linux malware Shikitega.

Linux-based IoT devices and endpoints have been targeted by the Shikitega malware, which abuses CVE-2021-3493 and CVE-2021-4034, also known as PwnKit, to facilitate privilege escalation. However, only Ubuntu has so far been observed to be impacted by the Linux kernel vulnerability.

Although only federal agencies are required to patch the flaw, by Nov. 10, CISA has urged all organizations across the U.S. to immediately address the vulnerability and the other bugs included in its KEV catalog.

CISA has also updated its KEV catalog to include a recent flaw impacting Zimbra systems, which has only been addressed following active exploitation by threat actors.

Source…